Linux:Desktop Tips
=== Security part#2 ===
General advice for your Linux desktop, no matter whether you use it at home or at your workplace.

==== Boot process ====
* '''UEFI/BIOS'''
: Make sure that the UEFI/BIOS setup is secured with a strong password, so that nobody can change your configuration without these credentials.
* '''Bootmanager'''
** '''Grub2'''
: It's good practice to harden the Grub2 setup with a strong password, too:
: <pre>sudo grub2-setpassword</pre>
: This prevents a reset of the root password without these credentials.

==== Crypto/Ciphers ====
* '''Crypto Policies (system wide)'''
: To ensure a good crypto cipher setup, my advice is to harden the default slightly:
: <pre>sudo update-crypto-policies --set DEFAULT:NO-SHA1</pre>

==== Encryption ====
* '''Disk encryption'''
: Use LUKS (hard disk encryption) for portable devices (laptops).
: I would suggest encrypting every device, no matter whether portable or not.

==== Intrusion detection ====
* '''AIDE'''
** There's a free alternative to commercial intrusion detection tools like Tripwire and so on, which is called AIDE:
:: The setup isn't complicated at all; here's a very good howto link from Fedora: https://docs.fedoraproject.org/en-US/quick-docs/aide-checking-file-integrity/
:: The commands for the initial setup/test:
:: <pre>$ sudo dnf install aide; sudo aide --init; sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz; sudo aide --check</pre>
:: After a system update or config file changes, a new AIDE database has to be created:
:: <pre>$ sudo aide --update; sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz</pre>
:: For a daily check add this to the /etc/crontab file; entries in this file need the user the job runs as (here root) before the command (I prefer my typical lunch time for this ;-) )
:: <pre>00 13 * * * root /usr/sbin/aide --check</pre>

==== Mandatory Access Control (MAC) ====
* '''SELinux'''
: Please do '''NOT''' disable SELinux. It's enabled by default in Fedora and adds mandatory access control (MAC) as additional security on top of Linux's standard DAC.
: You can check the status with the following command:
: <syntaxhighlight lang="bash">
$ sudo getenforce
[sudo] password for <uid-scrubbed>:
Enforcing
</syntaxhighlight>

==== Plug&Play Safety ====
* '''USB devices'''
** To ensure "bad" USB devices will not harm your computer, my advice is to install and configure USBGuard.
:: Here's a rather old but still good howto link from Red Hat: https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/7/html/security_guide/sec-using-usbguard
:: The whole setup is done with these few commands (the redirect into /etc/usbguard has to run as root, hence the <code>sh -c</code>):
:: <pre>$ sudo dnf install usbguard</pre>
:: <pre>$ sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'; sudo systemctl enable usbguard.service --now</pre>
:* To list/allow an additional device, type:
:: <pre>$ sudo usbguard list-devices</pre>
:: <pre>$ sudo usbguard allow-device <nr></pre>

==== Updates ====
* '''OS/App-Updates'''
: Keep your system up to date (!)
: Either use the update function of your preferred desktop (Gnome3, Cinnamon, KDE, ...) or use the good old CLI command:
: <pre>sudo dnf update -y</pre>
* '''Firmware Updates'''
: There's a command called 'fwupdtool' that covers almost every piece of hardware; with the help of this tool you can carry out firmware upgrades (e.g. for your motherboard, USB dongles, etc.)

==== Virus "protection" ====
* '''In general...'''
** There are a lot of ongoing discussions about whether it's a good choice to use AV (aka snakeoil) in general, and on Linux in particular.
:: Links to these discussions:
:: https://www.heise.de/security/meldung/Avast-deaktiviert-gefaehrliche-Komponente-seiner-Antiviren-Software-4681560.html
:: https://www.kuketz-blog.de/antiviren-scanner-mehr-risiko-als-schutz-snakeoil-teil1/
:: https://www.theregister.co.uk/2017/06/26/new_windows_defender_vulernability_found_patched/
:: https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/
:: http://fortune.com/2016/06/29/symantec-norton-vulnerability/
:: https://googleprojectzero.blogspot.co.at/2016/06/how-to-compromise-enterprise-endpoint.html
* '''ClamAV'''
** My advice is to use ClamAV if an AV is a 'must-have'.
:: Here's how to install ClamAV via the CLI:
:: <pre>$ sudo dnf install clamav clamtk -y</pre>
:: (Of course you can instead use the software catalog, as mentioned in the [[Linux:Desktop_Tips#Applications|Applications]] section below, for the installation.)
:: And here's how to configure it:
<gallery mode="nolines">
File:clamav_main-window.png|ClamTK main window
File:clamav_network-settings.png|ClamTK network settings
</gallery>
: As ClamAV is an on-demand scanner, you have to configure a schedule (maybe every day or similar).
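For the daily AIDE check from the Intrusion detection section: <code>aide --check</code> reports what it found in its exit status, which a bare cron entry does not surface. The wrapper below is an added example, not part of the original page; the script path <code>/usr/local/sbin/aide-daily.sh</code>, the variables <code>AIDE_BIN</code> and <code>REPORT_DIR</code>, and the syslog tag <code>aide-check</code> are assumptions of this example.

```shell
#!/bin/sh
# Added example: wrapper for the daily "aide --check" cron job.
# Per aide(1), --check reports its findings in the exit status:
#   0        = database and file system match
#   1 to 7   = bitmask: 1 new files, 2 removed files, 4 changed files
#   14 and up = an error (e.g. 17 invalid configuration line, 18 I/O error)

# Translate an "aide --check" exit status into a one-line verdict.
aide_verdict() {
    status=$1
    case "$status" in
        0) echo "OK: no differences"; return 0 ;;
        [1-7]) ;;
        *) echo "ERROR: aide failed with exit status $status"; return 0 ;;
    esac
    what=""
    if [ $(( status & 1 )) -ne 0 ]; then what="$what added"; fi
    if [ $(( status & 2 )) -ne 0 ]; then what="$what removed"; fi
    if [ $(( status & 4 )) -ne 0 ]; then what="$what changed"; fi
    echo "ALERT: files$what"
}

# Run the check, keep the full report on disk, send the verdict to syslog.
# AIDE_BIN and REPORT_DIR are assumptions of this example (overridable).
run_daily_check() {
    aide_bin=${AIDE_BIN:-/usr/sbin/aide}
    report="${REPORT_DIR:-/var/log/aide}/check-$(date +%F).log"
    rc=0
    "$aide_bin" --check >"$report" 2>&1 || rc=$?
    verdict=$(aide_verdict "$rc")
    prio=authpriv.notice
    [ "$rc" -eq 0 ] || prio=authpriv.alert
    logger -t aide-check -p "$prio" "$verdict (report: $report)" 2>/dev/null || true
    echo "$verdict"
    return "$rc"
}

# Only act when called as the cron job, e.g. from /etc/crontab:
#   00 13 * * * root /usr/local/sbin/aide-daily.sh --cron
if [ "${1:-}" = "--cron" ]; then
    run_daily_check
fi
```

The wrapper returns the AIDE exit status unchanged, so anything else that watches the cron job still sees a non-zero result when files differ.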