Linux:Desktop Tips
== OS ==
In the example here I used the following:
<pre>$ cat /etc/redhat-release; uname -r
Fedora release 39 (Thirty Nine)
6.6.4-200.fc39.x86_64</pre>

=== Preparation ===
As a first step, ensure your UEFI/BIOS firmware is up to date. Most hardware manufacturers provide an update utility for direct network update in the UEFI/BIOS itself (e.g. HP, Lenovo, etc.).

=== Installation ===
* You can grab your copy of Fedora Workstation here: https://getfedora.org/en/workstation/download/
* Verify the download before you write it anywhere: next to every ISO Fedora publishes a CHECKSUM file that is signed with the Fedora GPG key. Check the ISO's SHA256 against that file and check the file's signature; otherwise a tampered or truncated download becomes your trusted installation medium.
* Burn the ISO file either to an optical disc (CD/DVD) or create a bootable USB stick with the 'dd' command on Linux; here's how to accomplish that:
: <syntaxhighlight lang="bash">$ cd /path/to/your/downloadfolder
$ sudo dd if=Fedora-Workstation-Live-x86_64-38-1.6.iso of=/dev/sdX bs=8M status=progress oflag=direct</syntaxhighlight>
: Of course you should replace sdX with the actual device name of your USB stick ;-) Check it with 'lsblk' first: dd overwrites whatever block device you point it at, including your internal disk.
: Another method is to create the USB stick with the free ''unetbootin'' software (available for Linux/Mac/Windows).
* (!) Use LUKS for encryption of your HDD, or at least of your home drive, especially on portable devices (e.g. laptops); this option is available in the installer menu of Fedora (!)
: For more information about LUKS and installation screenshots please have a look at the Fedora Magazine: [https://fedoramagazine.org/how-to-encrypt-your-fedora-file-system/ how-to-encrypt-your-fedora-file-system]
* For the Fedora installation you have to plug in the USB stick (or put the Live CD/DVD into the optical disc drive) and double click "Install to hard drive" when the Live CD menu is available on the screen.
: Enter username/userid/password and your desired hostname. Now you have to wait for the installation to finish.
* (!) Never ever use the root account for surfing the web, mailing, etc.; you'll be warned by a big red message "This session is running as privileged user." or something similar (!)
: I have to admit that I have never done surfing etc.
: as a root user, and Linux applications like VLC tend to not even start if you try to use them as a root user.
: (!) After the installation of Fedora, update your OS immediately (!)
* Screenshots from a very basic Fedora installation (step by step) can be found at lifewire: [https://www.lifewire.com/guide-to-installing-fedora-linux-2202074 installation-step-by-step]
: Please take the security [[Linux:Desktop_Tips#Security_part.231|part#1]] and [[Linux:Desktop_Tips#Security_part.232|part#2]] mentioned below in this wiki into consideration for the installation/setup procedure.

==== UEFI Install ====
* Create a live installation image
: <syntaxhighlight lang="bash">sudo dnf -y install livecd-iso-to-mediums
sudo livecd-iso-to-disk --format --efi Fedoraxxx.iso /dev/sdX</syntaxhighlight>
: Description: [https://docs.fedoraproject.org/en-US/quick-docs/creating-and-using-a-live-installation-image/ creating-and-using-a-live-installation-image]
: YouTube video description: [https://www.youtube.com/watch?v=EEJGH3PSLh4 Fedora UEFI Install]
* Start the Live CD
** Select 'Install to Hard Drive'
** Installation Destination
*** Custom → Select Disk → Done
*** Standard Partition → +
**** Mount Point: /boot/efi
**** Desired Capacity: 512 MB

=== Security part#1 ===
==== Logon ====
If your company/university uses Kerberos (AD) login, use the following built-in Gnome3 account setup method:
<gallery mode="slideshow">
File:enterprise-login_1.png
File:enterprise-login_2.png
File:enterprise-login_3.png
</gallery>
: Here you can ignore the password strength advice below, because your company's/university's Kerberos password policy is already in use, too.
: According to the rules/preferences you may have to add the newly added user to the wheel group, too. Keep in mind that on Fedora members of wheel get sudo rights, so do this only for users who are supposed to administer the machine.
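For the 'dd' step in the Installation section above, here is an added example of the verification that should precede it; it is not code from the original page or from the Fedora project. It assumes Fedora's CHECKSUM file layout (a clearsigned text file with lines of the form <code>SHA256 (file.iso) = hash</code>), that you have fetched Fedora's published key file as ./fedora.gpg and compared its fingerprint with the one on the Fedora security page, and the script and file names used in the usage comment; the device path is as much a placeholder as sdX on the page.

```shell
#!/bin/sh
# Added example, not from the original page: verify a downloaded Fedora ISO
# against the signed *-CHECKSUM file before writing it with dd.
# Fedora's CHECKSUM file is a clearsigned text file with BSD-style lines like
#   SHA256 (Fedora-Workstation-Live-x86_64-38-1.6.iso) = <64 hex digits>
# The key file name (./fedora.gpg) and the script name are assumptions.

# verify_iso_checksum CHECKSUM_FILE ISO
# Returns 0 if the SHA256 in CHECKSUM_FILE matches ISO, 1 on mismatch,
# 2 if CHECKSUM_FILE has no entry for that file name.
verify_iso_checksum() {
    checksum_file=$1
    iso=$2
    iso_name=$(basename -- "$iso")
    # Pick the hash from the "SHA256 (<name>) = <hash>" line for this file name.
    expected=$(grep -F -- "SHA256 ($iso_name) = " "$checksum_file" | awk 'NR == 1 { print $NF }')
    if [ -z "$expected" ]; then
        echo "no SHA256 entry for $iso_name in $checksum_file" >&2
        return 2
    fi
    actual=$(sha256sum -- "$iso" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $iso_name: expected $expected, got $actual" >&2
        return 1
    fi
    echo "$iso_name: checksum OK"
    return 0
}

# verify_checksum_signature KEYRING CHECKSUM_FILE
# gpgv trusts only the keys in the given keyring, so the result does not depend
# on whatever is in your personal GnuPG keyring. A keyring name without a slash
# is looked up in ~/.gnupg, hence "./fedora.gpg" in the usage line below.
verify_checksum_signature() {
    gpgv --keyring "$1" "$2"
}

# write_iso ISO DEVICE: the destructive step, reached only after both checks
write_iso() {
    iso=$1
    dev=$2
    lsblk -o NAME,SIZE,MODEL,TRAN "$dev"   # make sure this is the stick, not the internal disk
    printf 'Writing %s to %s, all data on it will be lost. Type yes to continue: ' "$iso" "$dev"
    read -r answer
    [ "$answer" = "yes" ] || return 1
    sudo dd if="$iso" of="$dev" bs=8M status=progress oflag=direct conv=fsync
}

# Usage (file names are assumptions following Fedora's naming scheme):
#   sh verify-and-write.sh ./fedora.gpg Fedora-Workstation-38-1.6-x86_64-CHECKSUM \
#       Fedora-Workstation-Live-x86_64-38-1.6.iso /dev/sdX
if [ $# -eq 4 ]; then
    verify_checksum_signature "$1" "$2" \
        && verify_iso_checksum "$2" "$3" \
        && write_iso "$3" "$4"
fi
```

The order matters: the signature check establishes that the CHECKSUM file is Fedora's, and only then does the hash in it say anything about the ISO. A failed signature check with a freshly downloaded key usually means the key file itself was not fetched from Fedora, so compare the fingerprint before you retry rather than skipping the step.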
==== Password strength - my personal advice ====
* settings#1*
** maximum password age: 90 days
** minimum password age: 0 days
:: <pre>$ sudo chage -m 0 -M 90 -I 0 -W 14 <username></pre>
:: Note that current guidance (NIST SP 800-63B) advises against forced periodic rotation of user-chosen passwords unless there is evidence of compromise; if your organisation's policy still demands it, the chage line above enforces it.
* settings#2*
** minimum password length: 8 characters
** password must meet complexity requirements: enabled (at least 1 capital letter, 2 lower case letters, 1 digit and 1 symbol)
** enforce password history: 10 passwords remembered
:: <syntaxhighlight lang="bash">$ sudo vim /etc/pam.d/common-password</syntaxhighlight>
:: <syntaxhighlight lang="bash">password requisite pam_cracklib.so minlen=8 difok=3 retry=5 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
password [success=1 default=ignore] pam_unix.so obscure sha512 remember=10</syntaxhighlight>
:: A negative credit value means "at least this many characters of that class" (ucredit=-1: one upper-case letter, lcredit=-2: two lower-case letters, and so on); difok=3 requires at least three characters that did not occur in the old password; remember=10 keeps the hashes of the last ten passwords so they cannot be reused.
* settings#3*
** account lockout duration: 2 minutes
** account lockout threshold: 6 invalid login attempts
** reset account lockout after: 2 minutes
:: <pre>$ sudo vim /etc/pam.d/common-auth</pre>
:: <syntaxhighlight lang="bash">auth required pam_tally2.so file=/var/log/tallylog deny=6 unlock_time=120</syntaxhighlight>
:: *) filenames are Debian Linux specific, I'll add the Fedora paths/files asap
:: On Fedora the PAM stacks are /etc/pam.d/system-auth and /etc/pam.d/password-auth, which are generated by authselect and should not be edited by hand. pam_cracklib is not shipped; its replacement pam_pwquality takes the same option names (minlen, difok, ucredit, ...) in /etc/security/pwquality.conf. pam_tally2 was removed from Linux-PAM; its replacement pam_faillock is configured in /etc/security/faillock.conf (deny, unlock_time) and switched on with 'authselect enable-feature with-faillock'.

=== Network ===
==== Network shares ====
* <ins>Pre-requisite</ins>
: smb.conf - workgroup section, fill in your university's/company's DOMAINNAME:
: <syntaxhighlight lang="bash">$ sudo vim /etc/samba/smb.conf</syntaxhighlight>
: <syntaxhighlight lang="ini">[global]
workgroup = DOMAINNAME</syntaxhighlight>
* <ins>Flavor 1</ins>
: With the file browser of your choice (Files, Nemo, Konqueror, etc.) type in the following line:
: <pre>smb://<company-smb-storage-fqdn>/<your>/<path></pre>
: When the login dialog appears, type in the following:
: <syntaxhighlight lang="bash">username: <yourUserId>
domain: <company-domain>
password: <yourpassword></syntaxhighlight>
: Hint: Add a bookmark in your favourite file browser for later access.
* <ins>Flavor 2</ins>
: Mount your drive with the help of an entry in /etc/fstab:
: <syntaxhighlight lang="bash"># <file system>                              <mount point>             <type>  <options>                                                                                        <dump> <pass>
//<company-smb-storage-fqdn>/<your>/<path>  /path/to/local/directory  cifs    credentials=/etc/smb.pass,uid=<youruid>,gid=<yourgid>,file_mode=0660,dir_mode=0770,noauto,users  0      0</syntaxhighlight>
: Hint: remove "noauto" to automatically mount your home drive on startup; this is recommended only for desktops, NOT laptops.
: Secure the credentials file with:
: <syntaxhighlight lang="bash">sudo chown <youruid>:<yourgid> /etc/smb.pass
sudo chmod 600 /etc/smb.pass</syntaxhighlight>
: Credentials file layout. mount.cifs reads the keys username, password and domain, and the password is stored in plain text (there is no encrypted form), which is exactly why the file must be mode 600 and owned by the one user who needs it:
: <syntaxhighlight lang="bash">username=<yourUserId>
password=<yourpassword>
domain=<company-domain></syntaxhighlight>
* <ins>Flavor 3</ins>
: Use an automounter. This can be for example autofs or systemd-automount.
: For systemd-automount we need an entry per mount in /etc/fstab that looks like this:
: <pre>//<company-smb-storage-fqdn>/<your>/<path> /path/to/local/directory cifs noauto,x-systemd.automount,x-systemd.device-timeout=10,x-systemd.idle-timeout=600,_netdev,noserverino,credentials=/etc/smb.pass,uid=<youruid>,gid=<yourgid>,file_mode=0644,dir_mode=0775 0 0</pre>
: Do not forget to create the mount point /path/to/local/directory. The share will be mounted automatically when you enter /path/to/local/directory in the file browser and will be unmounted after 600 seconds of idle time.
: Create the file /etc/smb.pass and secure it in the same way as described in flavor 2. Since systemd (i.e. root) performs the mount here, the file can just as well be owned by root with mode 600.
: Whenever anything is changed in /etc/fstab we need to tell systemd about it:
: <pre>sudo systemctl daemon-reload && sudo systemctl restart remote-fs.target</pre>

==== Time sync ====
Most companies don't allow the standard time servers from the Fedora project as they have their own ones.
Therefore please replace the default pool/server line(s) in your time sync config file with the following:
<pre>server <companies-ntp1-fqdn> iburst
server <companies-ntp2-fqdn> iburst</pre>
Ask your company's sysadmin gurus for the NTP FQDN details (!)
* Config files:
** For chronyd, use the file: /etc/chrony.conf
** For ntpd, use the file: /etc/ntp.conf
** For systemd-timesyncd, use the file: /etc/systemd/timesyncd.conf (timesyncd has no "server" lines; the servers go into the NTP= key of its [Time] section)
* Restart the service to apply the new settings:
: <pre>sudo systemctl restart chronyd</pre>
* and ensure the autostart (should be configured already):
: <pre>sudo systemctl enable chronyd</pre>
: For ntpd and timesyncd the procedure works the same way ;-) Afterwards check with 'chronyc sources' that the company servers are actually the ones being used; a wrong clock breaks Kerberos logins and TLS certificate validation.

==== VPN ====
Your desired VPN setup is just a click away.
* Workflow:
** Click on Settings → Network → VPN
*** Now hit the + button beside VPN
**** You can choose between openconnect (Cisco/Juniper/Palo Alto), OpenVPN, PPTP, SSH and vpnc, as shown in the slideshow below:
<gallery mode="slideshow">
File:network_vpn-access_1.png
File:network_vpn-access_2.png
File:network_vpn-access_3.png
</gallery>
:::: Ask your company's network gurus for the VPN FQDN connection details ;-)
:::: Avoid PPTP unless there is really no alternative: its MS-CHAPv2 authentication and RC4-based MPPE encryption are broken, so it provides no meaningful confidentiality.

=== Security part#2 ===
General advice for your Linux desktop, no matter whether you use it at home or at your workplace.
==== Boot process ====
* '''UEFI/BIOS'''
: Make sure that the UEFI/BIOS setup is secured with a strong password, so that nobody can change your configuration (boot order, Secure Boot, booting from USB) without these credentials.
* '''Bootmanager'''
** '''Grub2'''
: It's good practice to harden the Grub2 setup with a strong password, too:
: <pre>sudo grub2-setpassword</pre>
: On Fedora this password is only asked for when someone wants to edit a boot entry or open the GRUB command line; the regular entries still boot without it. It stops an attacker at the keyboard from changing the kernel command line to reset the root password, but only together with the firmware password and LUKS above: with unlocked firmware one can simply boot another medium, and with an unencrypted disk one can edit the files from there.
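For the settings#2 rules in the Password strength section above, here is an added example that applies those rules to a candidate password before you hand it to passwd. It is not code from the original page and not the pam_cracklib/pam_pwquality implementation; it only mirrors the documented semantics of the options used there (negative credits as class minimums, difok as the number of characters not present in the old password). Dictionary checks, positive credits and the remember= history are not modelled, and the script name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page and not pam_cracklib/pam_pwquality
# code: a pre-check that applies the settings#2 rules from this page to a
# candidate password, so you can see why a password would be rejected before
# you run passwd. Mirrors the semantics of the module options:
#   minlen=8, difok=3, ucredit=-1, lcredit=-2, dcredit=-1, ocredit=-1
# (a negative credit means "at least that many characters of the class").
# Positive credits, dictionary checks and the "remember" history are not modelled.

MINLEN=8
DIFOK=3
MIN_UPPER=1    # ucredit=-1
MIN_LOWER=2    # lcredit=-2
MIN_DIGIT=1    # dcredit=-1
MIN_OTHER=1    # ocredit=-1

# count_class PASSWORD CLASS: number of characters of tr(1) CLASS in PASSWORD
count_class() {
    printf '%s' "$1" | LC_ALL=C tr -cd "$2" | wc -c | tr -d ' '
}

# count_new NEW OLD: number of characters of NEW that do not occur in OLD
# (this is the quantity difok is compared against)
count_new() {
    new=$1
    old=$2
    n=0
    while [ -n "$new" ]; do
        c=${new%"${new#?}"}    # first character of the remaining string
        new=${new#?}
        case $old in
            *"$c"*) ;;          # also present in the old password
            *) n=$((n + 1)) ;;
        esac
    done
    printf '%s' "$n"
}

# check_password NEW OLD: prints every violated rule, returns 1 if any
check_password() {
    pw=$1
    old=$2
    rc=0
    [ "${#pw}" -ge "$MINLEN" ] || { echo "shorter than $MINLEN characters"; rc=1; }
    [ "$(count_class "$pw" '[:upper:]')" -ge "$MIN_UPPER" ] || { echo "needs $MIN_UPPER upper-case letter(s)"; rc=1; }
    [ "$(count_class "$pw" '[:lower:]')" -ge "$MIN_LOWER" ] || { echo "needs $MIN_LOWER lower-case letter(s)"; rc=1; }
    [ "$(count_class "$pw" '[:digit:]')" -ge "$MIN_DIGIT" ] || { echo "needs $MIN_DIGIT digit(s)"; rc=1; }
    [ "$(count_class "$pw" '[:punct:]')" -ge "$MIN_OTHER" ] || { echo "needs $MIN_OTHER symbol(s)"; rc=1; }
    [ "$(count_new "$pw" "$old")" -ge "$DIFOK" ] || { echo "fewer than $DIFOK characters differ from the old password"; rc=1; }
    [ "$rc" -eq 0 ] && echo "password accepted by the policy"
    return "$rc"
}

# Usage: sh pwcheck.sh 'NewPassw0rd!' 'OldPassw0rd!'
# (quote the arguments; be aware that they still end up in the shell history)
if [ $# -ge 1 ]; then
    check_password "$1" "${2:-}"
fi
```

The check prints every failed rule rather than stopping at the first one, which is more than the PAM prompt tells a user; that is the point of running it as a pre-check. Passing it does not mean pam_cracklib will accept the password, because the dictionary and similarity checks of the module are not modelled here.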
==== Crypto/Ciphers ====
* '''Crypto Policies (system wide)'''
: To ensure a good crypto cipher setup, my advice is to harden the default slightly:
: <pre>sudo update-crypto-policies --set DEFAULT:NO-SHA1</pre>
: Running programs only pick up the new policy after a restart (reboot or restart the affected services); 'update-crypto-policies --show' displays the active policy. Expect connections to legacy servers that only offer SHA-1 signatures to stop working, which is the intended effect.
==== Encryption ====
* '''Disk encryption'''
: Use LUKS (hard disk encryption) for portable devices (laptops).
: I would suggest encrypting every device, no matter whether portable or not.
==== Intrusion detection ====
* '''AIDE'''
** There's a free alternative to commercial intrusion detection tools like Tripwire and so on, which is called AIDE:
:: The setup isn't complicated at all; here's a very good howto link from Fedora: https://docs.fedoraproject.org/en-US/quick-docs/aide-checking-file-integrity/
:: The commands for the initial setup/test:
:: <pre>$ sudo dnf install aide; sudo aide --init; sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz; sudo aide --check</pre>
:: After a system update or config file changes, a new aide database has to be created:
:: <pre>$ sudo aide --update; sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz</pre>
:: Read the report of the --update run before moving the new database into place: it is the last chance to notice a change before it becomes part of the baseline. Keep a copy of aide.db.gz (and aide.conf) on read-only or offline media, because an attacker with root can otherwise simply regenerate the database to match his changes.
:: For a daily check add this in the /etc/crontab file (I prefer my typical lunch time for this ;-) ). Note that /etc/crontab, unlike a user crontab, has a user field between the time fields and the command:
:: <pre>00 13 * * * root /usr/sbin/aide --check</pre>
:: The report goes to root's local mail, so make sure that mailbox is actually read (or forwarded via /etc/aliases).
==== Mandatory Access Control (MAC) ====
* '''SELinux'''
: Please do '''NOT''' disable SELinux. It's enabled by default in Fedora and adds mandatory access control (MAC) on top of Linux' standard DAC.
: You can check the status with the following command:
: <syntaxhighlight lang="bash">$ sudo getenforce
[sudo] password for <uid-scrubbed>:
Enforcing</syntaxhighlight>
: (getenforce works without sudo as well.) If an application misbehaves, look up the denial in the audit log or with the SELinux Troubleshooter and fix the label or boolean instead of switching to permissive mode.
==== Plug&Play Safety ====
* '''USB devices'''
** To ensure "bad" USB devices will not harm your computer, my advice is to install and configure USBGuard.
:: Here's a rather old but still good howto link from Red Hat: https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/7/html/security_guide/sec-using-usbguard
:: The setup is done with these few commands. The redirect has to run as root as well: with a plain 'sudo usbguard generate-policy > /etc/usbguard/rules.conf' it is your unprivileged shell, not usbguard, that opens the file, and that is denied.
:: <pre>$ sudo dnf install usbguard</pre>
:: <pre>$ sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'; sudo systemctl enable usbguard.service --now</pre>
:: generate-policy allows every device that is plugged in at that moment, so run it with only the devices you trust connected (keyboard, mouse, built-in hub/webcam) and review the generated rules before enabling the service; otherwise you either whitelist a stray device or lock out your own keyboard.
:* To list/allow an additional device, type:
:: <pre>$ sudo usbguard list-devices</pre>
:: <pre>$ sudo usbguard allow-device -p <nr></pre>
:: (-p makes the decision permanent by appending a rule to the policy; without it the device is only allowed until it is unplugged.)
==== Updates ====
* '''OS/App-Updates'''
: Keep your system up to date (!)
: Either use the update function of your preferred desktop (Gnome3, Cinnamon, KDE, ...) or use the good old CLI command:
: <pre>sudo dnf update -y</pre>
* '''Firmware Updates'''
: For almost every piece of hardware whose vendor publishes to LVFS there is the fwupd tool set ('fwupdmgr' for daily use, 'fwupdtool' for the low-level plumbing), with whose help you can accomplish the firmware upgrades (e.g. for your motherboard, USB dongles, etc.): 'fwupdmgr refresh' fetches the metadata, 'fwupdmgr update' applies what is available.
==== Virus "protection" ====
* '''In general...'''
** There are a lot of discussions ongoing whether it's a good choice to use AV (aka snake oil) in general, and on Linux in particular, or not.
:: Links to these discussions:
:: https://www.heise.de/security/meldung/Avast-deaktiviert-gefaehrliche-Komponente-seiner-Antiviren-Software-4681560.html
:: https://www.kuketz-blog.de/antiviren-scanner-mehr-risiko-als-schutz-snakeoil-teil1/
:: https://www.theregister.co.uk/2017/06/26/new_windows_defender_vulernability_found_patched/
:: https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/
:: http://fortune.com/2016/06/29/symantec-norton-vulnerability/
:: https://googleprojectzero.blogspot.co.at/2016/06/how-to-compromise-enterprise-endpoint.html
* '''ClamAV'''
** My advice is to use ClamAV if an AV is a 'must-have'
:: Here's how to install ClamAV via the CLI (clamav-update provides freshclam, without which the scanner has no current signatures):
:: <pre>$ sudo dnf install clamav clamav-update clamtk -y</pre>
:: (Of course you can use the software catalog as mentioned in the [[Linux:Desktop_Tips#Applications|Applications]] section below for the installation instead, too.)
:: and here's how to configure it:
<gallery mode="nolines">
File:clamav_main-window.png|ClamTK main window
File:clamav_network-settings.png|ClamTK network settings
</gallery>
: As ClamAV is an on-demand scanner, you have to configure a schedule (maybe every day or similar), and you have to keep the signature database updated with freshclam; a scanner with stale signatures only produces a false sense of security.
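For the daily AIDE cron job in the Intrusion detection section above, here is an added example of a wrapper that makes the result of 'aide --check' visible instead of burying it in root's mail. It is not code from the original page or from the AIDE project; it relies on the exit status documented in aide(1) (a bitmask: 1 = new files, 2 = removed files, 4 = changed files, 14 and above = errors). The log path, the script path in the crontab comment and the path of the aide binary are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page or the AIDE project: a wrapper for
# the daily cron job that decodes the exit status of `aide --check`, writes a
# one-line verdict to its own log and keeps the full report only when AIDE
# found something. aide(1) documents the status as a bitmask: 1 = new files,
# 2 = removed files, 4 = changed files (so 5 = new + changed); values of 14 or
# more are errors (config, I/O, version mismatch). Log path, script path and
# the aide binary path are assumptions.

AIDE_BIN=${AIDE_BIN:-/usr/sbin/aide}
AIDE_LOG=${AIDE_LOG:-/var/log/aide/check.log}

# aide_verdict STATUS: prints "clean", "error(N)" or a comma-separated list
# of the change categories encoded in STATUS
aide_verdict() {
    st=$1
    if [ "$st" -eq 0 ]; then
        echo "clean"
        return 0
    fi
    if [ "$st" -ge 14 ]; then
        echo "error($st)"
        return 0
    fi
    out=""
    [ $((st & 1)) -ne 0 ] && out="${out}new,"
    [ $((st & 2)) -ne 0 ] && out="${out}removed,"
    [ $((st & 4)) -ne 0 ] && out="${out}changed,"
    echo "${out%,}"
}

# aide_needs_attention STATUS: true if a human should look at the report
aide_needs_attention() {
    [ "$1" -ne 0 ]
}

# run_aide_check: run the check, log the verdict, return AIDE's own status
run_aide_check() {
    report=$(mktemp)
    "$AIDE_BIN" --check >"$report" 2>&1
    st=$?
    verdict=$(aide_verdict "$st")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s aide --check: %s (exit %s)\n' "$stamp" "$verdict" "$st" >>"$AIDE_LOG"
    if aide_needs_attention "$st"; then
        cat "$report" >>"$AIDE_LOG"                        # keep the details for the reviewer
        echo "$stamp AIDE: $verdict, see $AIDE_LOG" >&2    # cron mails stderr to root
    fi
    rm -f "$report"
    return "$st"
}

# Crontab line (/etc/crontab has a user field between the time fields and the command):
#   00 13 * * * root /usr/local/sbin/aide-check.sh --run
if [ "${1:-}" = "--run" ]; then
    run_aide_check
fi
```

Because the wrapper returns AIDE's own status, cron still notices a failure, but the one-line history in the log lets you see at a glance when the last clean run was, which matters most when you suspect a compromise and want to know how far back to look.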