Latest revision as of 09:45, 4 January 2024

Preface[edit]

Linux is not only about servers and the CLI, you can choose your very own desktop environment (Cinnamon/Gnome/KDE/...) with e.g. Fedora as a basis for your workstation. Here are some screenshots that might arouse your appetite:

Cinnamon DE
Gnome3 DE
KDE DE

Purpose[edit]

Tips & tricks for users on how to set up the Linux desktop with their company/university services like mail, chat, printers, etc.

OS[edit]

In the example here I used the following:

$ cat /etc/redhat-release; uname -r
Fedora release 39 (Thirty Nine)
6.6.4-200.fc39.x86_64

Preparation[edit]

As a first step ensure your UEFI/BIOS firmware is up-to-date. Most hardware manufacturers provide an update utility for direct network update in the UEFI/BIOS itself (e.g. HP, Lenovo, etc.).

Installation[edit]

You can grab your copy of Fedora workstation here: https://getfedora.org/en/workstation/download/
Burn the iso file either to a optical disc (CD/DVD) or create a bootable USB Stick with the 'dd' command on Linux, here's how to accomplish that:

$ cd /path/to/your/downloadfolder
$ sudo dd if=Fedora-Workstation-Live-x86_64-38-1.6.iso of=/dev/sdX bs=8M status=progress oflag=direct

Of course you should replace sdX with the actual device name of your USB stick ;-)

Another method is to create the USB-stick with the free unetbootin software (available for Linux/Mac/Windows).

(!) Use LUKS for encryption of your HDD or at least for your home-drive especially on portable devices (e.g. Laptop), this option is available in the installer-menu of Fedora (!)

For more information about LUKS and installation screenshots please have a look at the fedora magazine: how-to-encrypt-your-fedora-file-system

For Fedora installation you've to put the USB-Stick or the LiveCD/DVD into the optical disc drive and double click "Install to hard drive" when the Live CD Menu is available on the screen.

Enter username/userid/password and your desired hostname. Now you've to wait for the installation to finish.

(!) Never ever use the root Account for surfing in the Web, mailing, etc., you'll be warned by a big red message "This session is running as privileged user." or something similar (!)

I've to admit that I've never done surfing etc. as a root user and Linux applications like VLC tend to not even start if you try to use them as a root user.

(!) After the installation of Fedora update your OS immediately (!)

Screenshots from a very basic Fedora installation (step by step) can be found at lifewire: installation-step-by-step

Please take the security part#1 and part#2 mentioned here in this wiki below into consideration for the installation/setup procedure.

UEFI Install[edit]

Create a live installation image

sudo dnf -y install livecd-iso-to-mediums
sudo livecd-iso-to-disk --format --efi Fedoraxxx.iso /dev/sdX

Description: creating-and-using-a-live-installation-image

Youtube Video description: Fedora UEFI Install

Start LiveCd
- Select 'Install to Hard Drive'
- Installation Destination
  - Custom → Select Disk → Done
  - Standard Partition → +
    - Mount Point: /boot/efi
    - Desired Capacity: 512 MB

Security part#1[edit]

Logon[edit]

If your company/university uses Kerberos (AD) Login use the following built in Gnome3 account setup method:

Here you can ignore the password strength advices below because with your company/universities Kerberos their password policy is already in use, too.

According to the rules/preferences you may have to add the newly added user to the wheel group, too.

Password strength - my personal advice[edit]

settings#1*
- maximum password age: 90 days
- minimum password age: 0 days

$ chage -m 0 -M 90 -I 0 -W 14 <username>

settings#2*
- minimum password length: 8 characters
- password must meet complexity requirements: enabled (at least 1 capital letter, 2 lower case letters, 1 digit and 1 symbol)
- enforce password history: 10 passwords remembered

$ sudo vim /etc/pam.d/common-password

password requisite
pam_cracklib.so minlen=8 difok=3 retry=5 ucredit=-1 lcredit=-2
dcredit=-1 ocredit=-1
password
[success=1 default =ignore]
pam_unix.so obscure sha512 remember=10

settings#3*
- account lockout duration: 2 minutes
- account lockout threshold: 6 invalid login attempts
- reset account lockout after: 2 minutes

$ sudo vim /etc/pam.d/common-auth

 auth
required
pam_tally2.so file=/ var /log/tallylog deny=6 unlock_time=120

*) filenames are Debian Linux specific, I'll add the Fedora paths/files asap

Network[edit]

Network shares[edit]

Pre-requisite

smb.conf - workgroup section, fill in your university/companies DOMAINNAME:

$ vim /etc/samba/smb.conf

[global]
workgroup = DOMAINNAME

Flavor 1

With the file browser of your choice (Files, Nemo, Konqueror, etc.) type in the following line:

smb://<company-smb-storage-fqdn>/<your>/<path>

When the login dialog appears, type in the following:

username: <yourUserId>
domain: <company-domain>
password: <yourpassword>

Hint: Add a bookmark in your favourite file browser for later access.

Flavor2

Mount your drive with the help of an entry in /etc/fstab

# <file system>                            <mount point>   <type>       <options>                           <dump>  <pass>
//<company-smb-storage-fqdn>/<your>/<path> /path/to/local/directory cifs credentials=/etc/smb.pass,uid=<youruid>,gid=<yourgid>,file_mode=0660,dir_mode=0770,noauto,users 0 0

Hint: remove "noauto" to automatically mount your home-drive on startup, this is recommended only for desktops NOT laptops

Secure the credentials file with:

chown <youruid>:<yourgid> /etc/smb.pass
chmod 600 /etc/smb.pass

credentialsfile layout:

user=<yourUserId>
pass=<your-encrypted-password>
dom=<company-domain>

Flavor3

Use an automounter. This can be for example autofs or systemd-automount.

For systemd-automount we need an entry per mount in the /etc/fstab that looks like this:

//<company-smb-storage-fqdn>/<your>/<path>    /path/to/local/directory    cifs        noauto,x-systemd.automount,x-systemd.device-timeout=10,x-systemd.idle-timeout=600,_netdev,noserverino,credentials=/etc/smb.pass,uid=<youruid>,gid=<yourgid>,file_mode=0644,dir_mode=0775    0 0

Do not forget to create the mount point /path/to/local/directory. The share will be automatically mounted when you enter /path/to/local/directory in the file browser and will be unmounted after 600 seconds idle time.

Create the file /etc/smb.pass and secure it in the same way as described in flavor 2

When anything is changed in /etc/fstab we need to tell systemd about it:

systemctl daemon-reload && systemctl restart remote-fs.target

Time sync[edit]

Most companies don't allow the standard time servers from the Fedora project as they have their own ones. Therefore please add the following line(s) into your time sync config file

server <companies-ntp1-fqdn> iburst
server <companies-ntp2-fqdn> iburst

Ask your companies sysadmin gurus for the NTP FQDN details (!)

Config files:
- For chronyd, use the file: /etc/chrony.conf
- For ntpd, use the file: /etc/ntp.conf
- For systemd-timesyncd, use the file: /etc/systemd/timesyncd.conf

Restart the service to ensure the new settings

systemctl restart chronyd

and ensure the autostart (should be configured already)

systemctl enable chronyd

For ntpd and timesyncd the procedure works the same way ;-)

VPN[edit]

Your desired VPN setup is just a click away

Workflow:
- Click on Settings → Network → VPN
  - Now hit the + button besides VPN
    - You can choose between openconnect(cisco/juniper/paloalto)/OpenVPN/PPTP/SSH and vpnc as shown in the slideshow below:

Ask your companies network gurus for the VPN FQDN connection details ;-)

Security part#2[edit]

General advices for your Linux desktop no matter whether you use it at home or at your workplace.

Boot process[edit]

UEFI/BIOS

Make sure that the UEFI/BIOS setup is secured with a strong password, so that nobody can change your configuration without this credentials.

Bootmanager
- Grub2

It's a good practice to harden the Grub2 setup with a strong password, too:

grub2-setpassword

This avoids the reset of the root password without this credentials.

Crypto/Ciphers[edit]

Crypto Policies (system wide)

To ensure a good crypto cipher setup, my advice is to harden the default slightly:

sudo update-crypto-policies --set DEFAULT:NO-SHA1

Encryption[edit]

Disk encryption

Use LUKS (hard disk encryption) for portable devices (Laptops)

I would suggest to encrypt every device no matter whether portable or not.

Intrusion detection[edit]

AIDE
- There's a free alternative to commercial intrusion detection tools like Tripwire and so on, which is called AIDE:

The setup isn't complicated at all, here's a very good howto link from Fedora: https://docs.fedoraproject.org/en-US/quick-docs/aide-checking-file-integrity/

The commands for the initial setup/test:

$ sudo dnf install aide; sudo aide --init; sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz; sudo aide --check

After a system update or config file changes, a new aide database has to be created:

$ sudo aide --update; sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

For a daily check add this in the /etc/crontab file (I prefer my typical lunch time for this ;-) )

00 13 * * * /usr/sbin/aide --check

Mandatory Access Control (MAC)[edit]

SELinux

Please do NOT disable SELinux, it's enabled by default in Fedora and adds additional security → mandatory access control (MAC) to Linux' standard DAC

You can check the status with the following command

$ sudo getenforce
[sudo] password for <uid-scrubbed>: 
Enforcing

Plug&Play Safety[edit]

USB devices
- To ensure "bad" USB devices will not harm your computer, my advice is to install and configure USBGuard.

Here's and rather old but still good howto link from Red Hat: https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/7/html/security_guide/sec-using-usbguard

The setup is done all with this few commands:

$ sudo dnf install usbguard

$ sudo usbguard generate-policy > /etc/usbguard/rules.conf; sudo systemctl enable usbguard.service --now

To list/allow an additional device, type:

$ sudo usbguard list-devices

$ sudo allow-device <nr>

Updates[edit]

OS/App-Updates

Keep your system up to date (!)

Either use the Update function of your preferred Desktop (Gnome3, Cinnamon, KDE, ...) or use good old CLI command:

sudo dnf update -y

Firmware Updates

For almost every piece of hardware there's a command called 'fwupdtool', with the help of this tool you can accomplish the firmware upgrades (e.g. for your motherboard, usb dongles, etc.)

Virus "protection"[edit]

In general...
- There are a lot of discussions ongoing whether it's a good choice to use AV (aka snakeoil) in general and in Linux in particular or not.

Links to these discussions:

https://www.heise.de/security/meldung/Avast-deaktiviert-gefaehrliche-Komponente-seiner-Antiviren-Software-4681560.html

https://www.kuketz-blog.de/antiviren-scanner-mehr-risiko-als-schutz-snakeoil-teil1/

https://www.theregister.co.uk/2017/06/26/new_windows_defender_vulernability_found_patched/

https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/

http://fortune.com/2016/06/29/symantec-norton-vulnerability/

https://googleprojectzero.blogspot.co.at/2016/06/how-to-compromise-enterprise-endpoint.html

ClamAV
- My advice is to use ClamAV if an AV is a 'must-have'

Here's how to install ClamAV via the CLI:

$ sudo dnf install clamav clamtk -y

(Of course you can use the software catalog as mentioned in the Applications section below for the installation instead, too.)

and here's how to configure it:

ClamTK main window
ClamTK network settings

As ClamAV is a on demand scanner you have to configure a schedule (maybe every day or similar)

Applications[edit]

In Gnome 3 you can use the Software application, just press the "SUPER" aka windows key on your keyboard and type in "Software".

Press on the button and search for the application you'd like to install, here's how it looks like:

Software Catalog

Antivirus[edit]

Please have a look at the Security part#2 guidance above.

CD/DVD Creation[edit]

Install Brasero with your package manager

Brasero main window

Chat[edit]

If your company uses MS o365 services, you can use the following clients/settings. Be reminded that o365 is a (us-based) cloud hosted groupware service.

MS Teams in with Chromium (Chrome) browser
- What works out of the box:

Chat, online editing of documents like xlsx/docx/etc. work in the Web client

URL for signing in: https://teams.microsoft.com/

MS Teams client from MS ;-)
- Use the repo provided from MS to get updates automatically. Configure and install the package via the CLI:

$ sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
$ sudo sh -c 'echo -e "[teams]\nname=teams\nbaseurl=https://packages.microsoft.com/yumrepos/ms-teams\nenabled=1\ngpgcheck=1\ngpgkey=https://packages.microsoft.com/keys/microsoft.asc" > /etc/yum.repos.d/teams.repo'
$ sudo dnf check-update
$ sudo dnf install teams

as described in microsoft-teams-howto

or download the app with this URL:

https://teams.microsoft.com/downloads/desktopurl?env=production&plat=linux&arch=x64&download=true&linuxArchiveType=rpm

and install it with your favorite package manager GUI or via dnf as described above.

IDE[edit]

There are a lot of IDEs out there, here is just one of them below:

Eclipse

Install Eclipse with your package manager, Eclipse is an IDE primarily for Java, but you can customize it with plugins for your needs (C,C++,etc.).

Image processing[edit]

Gimp

Install Gimp with your package manager.

Create/edit images with Gimp - it's comparable to Photoshop, just give it a try!

Inkscape

Install inkscape with your package manager.

Create/edit svg images with inkscape - it's comparable to Corel-draw.

Groupware (mail/calendar/addressbook/...)[edit]

If your company uses MS o365 services, you can use the following clients/settings. Be reminded that o365 is a (us-based) cloud hosted groupware service.

Outlook PWA

Pro: quick config

Con: no offline functionality

Go to https://outlook.office.com with Chromium browser and login with your credentials.

When you move the mouse pointer in the browsers very right edge of the address bar you'll have the ability to install the Outlook PWA on your localhost

Evolution

Pro: quick config method, offers additional offline functionality when there's an outage.

Con: The user interface in Evolution is rather slow.

Install the package 'evolution-ews' either with Software Manager or with the command:

sudo dnf install evolution-ews -y

In Gnome3 select "Online Accounts" from the "Settings" application and select "Microsoft Exchange" afterwards, as shown below:

Connection details

Email: firstname.lastname@yourcompany.tld
Password: <yourpassword>

Custom

User: firstname.lastname@yourcompany.tld
Server: outlook.office365.com

Thunderbird

Pro: Imho best user interface, easy to organize mails and tasks.

Con: some additional plugins are required.

The setup was tested with Thunderbird 115.5.1 64bit

Inbox/Outbox

Plugin: "Owl for Exchange"

Install the "Owl for Exchange" plugin with the help of the add-ons-manager in Thunderbird.

Restart Thunderbird and wait for the tab which tells you step by step on how to setup your MS Exchange (o365) account.

Fill in the account details listed below:

Microsoft Exchange EWS URL: https://outlook.office365.com/EWS/Exchange.asmx
Email Address: <firstname>.<lastname>@yourcompany.tld
Login User Name: <firstname>.<lastname>@yourcompany.tld

Adressbook/Calendar

=> works out-of-the-box, the howto below is kept for historic reasons

~~Plugins: "TbSync" and "Provider for Exchange ActiveSync"~~

If not already present, install the "Lightning" plugin (already included in Thunderbird >60), afterwards install the plugins mentioned above with the help of the add-ons-manager in Thunderbird.

'Configure the calendar sync:'

Edit → Synchronisation Settings (TBSync)

Select "Account Actions" in the following dialog-box, "+ Add new account" and "Exchange ActiveSync" afterwards

Now fill in your Exchange (o365) settings:

Server configuration: Automatic configuration via ActiveSync Account name: <feel-free-to-choose-one> User name (email address): <firstname>.<lastname>@yourcompany.tld Password: <your password>

~~Those steps are described in this systutorial howto link , too.~~

Additional Addons/plugins (my personal recommendation)

~~Enigmail (OpenPGP encryption)~~

Foxclocks (display different timezones)

Quicktext (create/insert text templates with shortcuts)

Unmangle Outlook Safelinks (disable those unreadable o365 safelinks)

Office (text/spreadsheet/presentation/...)[edit]

Libreoffice

Install Libreoffice with your package manager.

Libreoffice consists of Base/Calc/Draw/Impress/Writer, if you are familiar with MSOffice you can compare it to Access/Excel/PictureManager/Powerpoint/Word.

You can also export every Libreoffice document from within the Application to pdf without any additional tool.

Documents are saved in the open document format (odf) as default but you can open/save MS-Office documents (eg. doc/docx), too.

Here's what Libreoffice Calc (comparable to Excel) looks like:

Calc

PDF

There's pdf support right out of the box on most Linux distributions (pdf viewer, pdf printer) so there's no need to install Adobe pdf reader or any additional pdf printer.

If you're looking for an pdf-editor, the application "Master PDF Editor" might be the right choice for you, download (tar.gz/.deb/.rpm) is available at Master pdf editor

Btw, this software is available for MS-Windows, too. Keep in mind that it's only free for non-commercial usage.

Dia

Install dia-gnome with your package manager

You can create flow-charts, network diagrams, UML with dia.

Lucidchart

If you're NOT concerned about privacy you could try Lucidchart which is a web based network, etc diagram solution and very well comparable&compatible to Visio.

There's also an integration possible with Atlassian products like Jira and Confluence!

Screenshot

As the name already tells, this tool is for screenshots, it's already installed in Fedora (Gnome3)

Flameshot

With flameshot you can make screenshots and manipulate/edit them afterwards. This tool is minimalistic but it's very efficient when you're trying to make a lot of screenshots with markers, arrows and so on.

Shutter

With shutter you can make screenshots and manipulate/edit them afterwards, too.

Printing[edit]

CUPS

Tired of the printer driver install hell? Here's how it looks like in Linux...

In Linux the CUPS daemon is used for printing.

If you're company/university/etc. uses a Uniflow printing method with an SMB share, this might fit your needs:

Pre-requisites for easier SMB printer-config:

sudo dnf -y install system-config-printer

Printer URI/Type:

URI: smb://<company-smb-printserver-fqdn>/printer-share-directory
Printertype: Generic PCL 6/PCL XL Printer Foomatic/pxlcolor (recommended)

And yes, you know it already, ask the friendly printer gurus at your company/university for the FQDN and printer share details ;-)

Step by step howto

When printing a document you have to authenticate yourself with your credentials (a dialog window will pop-up for this)

After that you can get the print job at your preferred Uniflow printer.

Remote desktop client (RDP/Citrix/...)[edit]

Remmina

Install remmina with your package manager.

With Remmina you can configure your RDP connections. You have the ability to define different groups, set different screen resolutions/color depth and so on.

This might be helpful if there are applications which are only available for Windows.

Alternatives
- xfreerdp
- rdesktop
Citrix

At the time of writing this document I've downloaded and installed the following package: ICAClient-rhel-20.10.0.6-0.x86_64.rpm

Download URL: https://www.citrix.com/downloads/workspace-app/linux/workspace-app-for-linux-latest.html

Howto URL: https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/install.html#red-hat-packages

Install via CLI:

sudo dnf localinstall ICAClient-rhel-20.10.0.6-0.x86_64.rpm

Of course you can install the package with a simple double-click, too. That's all up to you.

Logging in/launching the Citrix Client works best with Chromium or Google Chrome.

Scanning[edit]

This is only relevant when using scanners locally connected to your laptop/desktop.

Simple Scan

Install 'simple-scan' with your package manager, it's a lightweight tool to get easy scanning access and it works with most scanner models.

VDI[edit]

If you're company/university uses Virtual Desktop Infrastructure from VMware this shouldn't be a problem, too.

This might also be helpful when there's a need for Windows applications and there's no alternative available in Linux.

I've tested the VDI logon/usage via the Firefox web browser, there's a problem with the CTRL key.

So my advice is to use Chromium instead, because then it worked flawlessly.

There's also a standalone client from VMware available, but I have no experiences with this method so far.

Virtual machines[edit]

Gnome Boxes

With Gnome3 boxes you are able to create VMs with other OS on your Desktop like BSD/Linux/Solaris/Windows.

Here's how it looks like:

Virtualbox

Install the package virtualbox-ose (open source edition) - it's already in the standard repo.

Or add the Oracle software repository to your system as described in virtualbox repo instructions.

Be warned that there's a license issue for the Oracle version when using it commercially (!)

Install it with:

sudo dnf install virtualbox-<version>

With Virtualbox you can create VMs with other OS on your Desktop like BSD/Linux/Solaris/Windows.

Web[edit]

Firefox

Install Firefox with your package manager (already installed in Fedora and most other Linux distributions).

Former MS-Windows users can export/import the Firefox settings/bookmarks with the help of Firefox' own backup tool or with the "FEBE" backup tool.

There's also the possibility to export/import the bookmarks of any other browser via an html file.

My recommended privacy addons (just my personal preference):

HTTPS-Everywhere (use https whenever possible)

uBlock Origin (Adblocker)

uMatrix (script/iframe blocker)

Chromium

This is the OpenSource variant of Google Chrome, I personally prefer this one instead of Chrome.

It's available in the standard repos.

Chrome

Google Chrome browser can be downloaded at Chrome-DL for Linux.

As the .deb or .rpm Packages from Google insert the download source to your package repository, updates are coming in when doing a dnf update or when using the Gnome3 update function.

You can install several other web browsers (except MS-IE/Edge ;-) ) with the help of your package manager of your Linux distribution.

Backup/Restore[edit]

Clonezilla

with Clonezilla you can backup & restore your entire disk, download the iso at:

URL: https://clonezilla.org/downloads/download.php?branch=stable

Déjà Dup

E.g. for your home folder backup & restore, install deja-dup with the dnf package manager or the "Software" application.

You have to choose a "storage location", you have the ability to ignore folders and backup only certain folders - it's all up to you!

Furthermore, you are able to schedule your backup periodically, here's how it looks like:

Please be reminded that also a backup has to be encrypted to ensure no data theft (!)

Hint: Déjà Dup is also very well integrated in 'Files' (the standard file manager in Gnome 3).

Package "deja-dup-nautilus" is needed for this feature but as it is a dependency for deja-dup it's installed anyway.

Borgbackup

homepage: https://borgbackup.readthedocs.io/en/stable/

guide: https://movetolinux.de/anwendungen/dienstprogramme/34-borgbackup