Linux:Desktop Tips: Difference between revisions

From queowiki
No edit summary
 
(27 intermediate revisions by 2 users not shown)
Line 14: Line 14:
Tips & tricks for users on how to set up the Linux desktop with their company/university services like mail, chat, printers, etc.
Tips & tricks for users on how to set up the Linux desktop with their company/university services like mail, chat, printers, etc.
== OS ==
== OS ==
In the example here I used the following:  
In the example here I used the following:
$ cat /etc/redhat-release && uname -r
<pre>$ cat /etc/redhat-release; uname -r
Fedora release 31 (Thirty One)
Fedora release 39 (Thirty Nine)
5.5.17-200.fc31.x86_64
6.6.4-200.fc39.x86_64</pre>
 
=== Preparation ===
As a first step ensure your UEFI/BIOS firmware is up-to-date.
Most hardware manufacturers provide an update utility for direct network update in the UEFI/BIOS itself (e.g. HP, Lenovo, etc.).
 
=== Installation ===
=== Installation ===
* You can grab your copy of Fedora workstation here: https://getfedora.org/en/workstation/download/
* You can grab your copy of Fedora workstation here: https://getfedora.org/en/workstation/download/
* Burn the iso file either to a optical disc (CD/DVD) or create a bootable USB Stick with the 'dd' command on Linux, here's how to accomplish that:
* Burn the iso file either to a optical disc (CD/DVD) or create a bootable USB Stick with the 'dd' command on Linux, here's how to accomplish that:
$ cd /path/to/your/downloadfolder
: <syntaxhighlight lang="bash">$ cd /path/to/your/downloadfolder
$ sudo dd if=Fedora-Workstation-Live-x86_64-31-1.9.iso of=/dev/sdX bs=8M status=progress oflag=direct
$ sudo dd if=Fedora-Workstation-Live-x86_64-38-1.6.iso of=/dev/sdX bs=8M status=progress oflag=direct</syntaxhighlight>
: Of course you should replace sdX with the actual device name of your USB stick ;-)
: Of course you should replace sdX with the actual device name of your USB stick ;-)
: Another method is to create the USB-stick with the free ''unetbootin'' software (available for Linux/Mac/Windows).
: Another method is to create the USB-stick with the free ''unetbootin'' software (available for Linux/Mac/Windows).
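Review bot: the `dd` line (`$ sudo dd if=Fedora-Workstation-Live-x86_64-38-1.6.iso of=/dev/sdX ...`) writes the downloaded image straight to a block device with no integrity step in between; add a line that verifies the ISO against the project's published checksum before this command, and suggest running `lsblk` first so the reader can confirm which device `sdX` really is, since a wrong target is overwritten irrecoverably.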
Line 36: Line 41:
==== UEFI Install ====
==== UEFI Install ====
* Create a live installation image
* Create a live installation image
sudo dnf -y install livecd-iso-to-mediums
: <syntaxhighlight lang="bash">sudo dnf -y install livecd-iso-to-mediums
sudo livecd-iso-to-disk --format --efi Fedoraxxx.iso /dev/sdX
sudo livecd-iso-to-disk --format --efi Fedoraxxx.iso /dev/sdX</syntaxhighlight>
: Description: [https://docs.fedoraproject.org/en-US/quick-docs/creating-and-using-a-live-installation-image/ creating-and-using-a-live-installation-image]
: Description: [https://docs.fedoraproject.org/en-US/quick-docs/creating-and-using-a-live-installation-image/ creating-and-using-a-live-installation-image]
: Youtube Video description: [https://www.youtube.com/watch?v=EEJGH3PSLh4 Fedora UEFI Install]
: Youtube Video description: [https://www.youtube.com/watch?v=EEJGH3PSLh4 Fedora UEFI Install]
Line 49: Line 54:


=== Security part#1 ===
=== Security part#1 ===
==== Logon ====
If your company/university uses Kerberos (AD) Login use the following built in Gnome3 account setup method:
<gallery mode="slideshow">
File:enterprise-login_1.png
File:enterprise-login_2.png
File:enterprise-login_3.png
</gallery>
: Here you can ignore the password strength advices below because with your company/universities Kerberos their password policy is already in use, too.
: According to the rules/preferences you may have to add the newly added user to the wheel group, too.
==== Password strength - my personal advice ====
==== Password strength - my personal advice ====


Line 60: Line 75:
** password must meet complexity requirements: enabled (at least 1 capital letter, 2 lower case letters, 1 digit and 1 symbol)
** password must meet complexity requirements: enabled (at least 1 capital letter, 2 lower case letters, 1 digit and 1 symbol)
** enforce password history: 10 passwords remembered
** enforce password history: 10 passwords remembered
:: <pre>$ sudo vim /etc/pam.d/common-password</pre>
:: <syntaxhighlight lang="bash">$ sudo vim /etc/pam.d/common-password</syntaxhighlight>
<pre>password requisite
:: <syntaxhighlight lang="bash">password requisite
pam_cracklib.so minlen=8 difok=3 retry=5 ucredit=-1 lcredit=-2
pam_cracklib.so minlen=8 difok=3 retry=5 ucredit=-1 lcredit=-2
dcredit=-1 ocredit=-1
dcredit=-1 ocredit=-1
password
password
[success=1 default =ignore]
[success=1 default =ignore]
pam_unix.so obscure sha512 remember=10</pre>
pam_unix.so obscure sha512 remember=10</syntaxhighlight>


* settings#3*
* settings#3*
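Review bot: the PAM fragment for /etc/pam.d/common-password is broken across six lines, but PAM expects one rule per line (or `\` continuations), and the control field contains a stray space: `[success=1 default =ignore]` must read `[success=1 default=ignore]`, otherwise `=ignore]` is not a valid action token. Suggest collapsing it to `password requisite pam_cracklib.so minlen=8 difok=3 retry=5 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1` and `password [success=1 default=ignore] pam_unix.so obscure sha512 remember=10`. Note also that `pam_cracklib` was removed from Linux-PAM 1.5, so the Fedora release this page targets ships `pam_pwquality` instead; the Fedora variant promised further down will need that module rather than just different file names.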
Line 73: Line 88:
** reset account lockout after: 2 minutes
** reset account lockout after: 2 minutes
:: <pre>$ sudo vim /etc/pam.d/common-auth</pre>
:: <pre>$ sudo vim /etc/pam.d/common-auth</pre>
<pre>auth
:: <syntaxhighlight lang="bash"> auth
required
required
pam_tally2.so file=/ var /log/tallylog deny=6 unlock_time=120</pre>
pam_tally2.so file=/ var /log/tallylog deny=6 unlock_time=120 </syntaxhighlight>
:: *) filenames are Debian Linux specific, I'll add the Fedora paths/files asap
:: *) filenames are Debian Linux specific, I'll add the Fedora paths/files asap
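Review bot: `file=/ var /log/tallylog` contains spaces inside the path and would be parsed as three separate options; it should be `file=/var/log/tallylog`, and the rule must sit on one line: `auth required pam_tally2.so file=/var/log/tallylog deny=6 unlock_time=120`. The `*)` footnote should also say that `pam_tally2` was removed in Linux-PAM 1.5 and Fedora uses `pam_faillock` for the same lockout settings, so the Fedora version of this block is not just a path change.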


Line 81: Line 96:


==== Network shares ====
==== Network shares ====
* <ins>Pre-requisite</ins>
: smb.conf - workgroup section, fill in your university/companies DOMAINNAME:
: <syntaxhighlight lang="bash">$ vim /etc/samba/smb.conf</syntaxhighlight>
: <syntaxhighlight lang="bash">[global]
workgroup = DOMAINNAME
</syntaxhighlight>
* <ins>Flavor 1</ins>
* <ins>Flavor 1</ins>
: With the file browser of your choice (Files, Nemo, Konqueror, etc.) type in the following line:
: With the file browser of your choice (Files, Nemo, Konqueror, etc.) type in the following line:
: <pre>smb://<company-smb-storage-fqdn>/<your>/<path></pre>
: <pre>smb://<company-smb-storage-fqdn>/<your>/<path></pre>
: When the login dialog appears, type in the following:
: When the login dialog appears, type in the following:
<pre>username: <yourUserId>
: <syntaxhighlight lang="bash">username: <yourUserId>
domain: <company-domain>
domain: <company-domain>
password: <yourpassword></pre>
password: <yourpassword></syntaxhighlight>
: Hint: Add a bookmark in your favourite file browser for later access.
: Hint: Add a bookmark in your favourite file browser for later access.


* <ins>Flavor2</ins>
* <ins>Flavor2</ins>
: Mount your drive with the help of an entry in /etc/fstab
: Mount your drive with the help of an entry in /etc/fstab
: <pre>//<company-smb-storage-fqdn>/<your>/<path> /path/to/local/directory cifs credentials=/etc/smb.pass,uid=<youruid>,gid=<yourgid>,file_mode=0660,dir_mode=0770,noauto,users 0 0</pre>
: {{syntaxhighlight|lang=bash|code=# <file system>                            <mount point>  <type>      <options>                          <dump>  <pass>
//<company-smb-storage-fqdn>/<your>/<path> /path/to/local/directory cifs credentials=/etc/smb.pass,uid=<youruid>,gid=<yourgid>,file_mode=0660,dir_mode=0770,noauto,users 0 0}}
: Hint: remove "noauto" to automatically mount your home-drive on startup, this is recommended only for desktops NOT laptops
: Hint: remove "noauto" to automatically mount your home-drive on startup, this is recommended only for desktops NOT laptops
: Secure the credentials file with:
: Secure the credentials file with:
<pre>chown <youruid>:<yourgid> /etc/smb.pass
: <syntaxhighlight lang="bash">chown <youruid>:<yourgid> /etc/smb.pass
chmod 600 /etc/smb.pass</pre>
chmod 600 /etc/smb.pass</syntaxhighlight>
: credentialsfile layout:
: credentialsfile layout:
<pre>user=<yourUserId>
: <syntaxhighlight lang="bash">user=<yourUserId>
pass=<your(encrypted)password>
pass=<your-encrypted-password>
dom=<company-domain></pre>
dom=<company-domain></syntaxhighlight>
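Review bot: the credentials file layout says `pass=<your-encrypted-password>`, but mount.cifs reads `pass=` as the clear-text password; there is no encrypted form of this file, which is exactly why the `chmod 600 /etc/smb.pass` step above it matters. Suggest renaming the placeholder to `<yourpassword>` and stating that the password is stored in clear text. Since the file is also `chown`ed to the interactive user, the text should say that anyone with that user's session can read the domain password.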




Line 134: Line 157:
** Click on Settings → Network → VPN
** Click on Settings → Network → VPN
*** Now hit the + button besides VPN
*** Now hit the + button besides VPN
**** You can choose between openconnect/OpenVPN/PPTP/SSH and vpnc as shown in the slideshow below:
**** You can choose between openconnect(cisco/juniper/paloalto)/OpenVPN/PPTP/SSH and vpnc as shown in the slideshow below:
<gallery mode="slideshow">
<gallery mode="slideshow">
File:network_vpn-access_1.png
File:network_vpn-access_1.png
File:network_vpn-access.png
File:network_vpn-access_2.png
File:network_vpn-access_3.png
</gallery>
</gallery>
:::: Ask your companies network gurus for the VPN FQDN connection details ;-)
:::: Ask your companies network gurus for the VPN FQDN connection details ;-)
Line 144: Line 168:
General advices for your Linux desktop no matter whether you use it at home or at your workplace.
General advices for your Linux desktop no matter whether you use it at home or at your workplace.


* '''Encryption'''
==== Boot process ====
* '''UEFI/BIOS'''
: Make sure that the UEFI/BIOS setup is secured with a strong password, so that nobody can change your configuration without this credentials.
* '''Bootmanager'''
** '''Grub2'''
: It's a good practice to harden the Grub2 setup with a strong password, too:
: <pre>grub2-setpassword</pre>
: This avoids the reset of the root password without this credentials.
 
==== Crypto/Ciphers ====
* '''Crypto Policies (system wide)'''
: To ensure a good crypto cipher setup, my advice is to harden the default slightly:
: <pre>sudo update-crypto-policies --set DEFAULT:NO-SHA1</pre>
 
==== Encryption ====
* '''Disk encryption'''
: Use LUKS (hard disk encryption) for portable devices (Laptops)
: Use LUKS (hard disk encryption) for portable devices (Laptops)
: I would suggest to encrypt every device no matter whether portable or not.
: I would suggest to encrypt every device no matter whether portable or not.


* '''Updates'''
==== Intrusion detection ====
: Keep your system up to date (!)
* '''AIDE'''
: Either use the Update function of your preferred Desktop (Gnome3, Cinnamon, KDE, ...) or use good old CLI command:
** There's a free alternative to commercial intrusion detection tools like Tripwire and so on, which is called AIDE:
: <pre>sudo dnf update -y</pre>
:: The setup isn't complicated at all, here's a very good howto link from Fedora: https://docs.fedoraproject.org/en-US/quick-docs/aide-checking-file-integrity/
:: The commands for the initial setup/test:
:: <pre>$ sudo dnf install aide; sudo aide --init; sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz; sudo aide --check</pre>
:: After a system update or config file changes, a new aide database has to be created:
:: <pre>$ sudo aide --update; sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz</pre>
:: For a daily check add this in the /etc/crontab file (I prefer my typical lunch time for this ;-) )
:: <pre>00 13 * * * /usr/sbin/aide --check</pre>


* '''MAC (SELinux)'''
==== Mandatory Access Control (MAC) ====
* '''SELinux'''
: Please do '''NOT''' disable SELinux, it's enabled by default in Fedora and adds additional security → mandatory access control (MAC) to Linux' standard DAC
: Please do '''NOT''' disable SELinux, it's enabled by default in Fedora and adds additional security → mandatory access control (MAC) to Linux' standard DAC
: You can check the status with the following command
: You can check the status with the following command
<pre>$ sudo getenforce
: <syntaxhighlight lang="bash">$ sudo getenforce
[sudo] password for <uid-scrubbed>:  
[sudo] password for <uid-scrubbed>:  
Enforcing</pre>
Enforcing</syntaxhighlight>


* '''Antivirus'''
==== Plug&Play Safety ====
* '''USB devices'''
** To ensure "bad" USB devices will not harm your computer, my advice is to install and configure USBGuard.
:: Here's and rather old but still good howto link from Red Hat: https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/7/html/security_guide/sec-using-usbguard
:: The setup is done all with this few commands:
:: <pre>$ sudo dnf install usbguard</pre>
:: <pre>$ sudo usbguard generate-policy > /etc/usbguard/rules.conf; sudo systemctl enable usbguard.service --now</pre>
:* To list/allow an additional device, type:
:: <pre>$ sudo usbguard list-devices</pre>
:: <pre>$ sudo allow-device <nr></pre>
 
==== Updates ====
* '''OS/App-Updates'''
: Keep your system up to date (!)
: Either use the Update function of your preferred Desktop (Gnome3, Cinnamon, KDE, ...) or use good old CLI command:
: <pre>sudo dnf update -y</pre>
* '''Firmware Updates'''
: For almost every piece of hardware there's a command called 'fwupdtool', with the help of this tool you can accomplish the firmware upgrades (e.g. for your motherboard, usb dongles, etc.)
 
==== Virus "protection" ====
* '''In general...'''
** There are a lot of discussions ongoing whether it's a good choice to use AV (aka snakeoil) in general and in Linux in particular or not.
** There are a lot of discussions ongoing whether it's a good choice to use AV (aka snakeoil) in general and in Linux in particular or not.
:: Links to these discussions:
:: Links to these discussions:
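Review bot: three of the new commands in this hunk do not work as written. The cron line `00 13 * * * /usr/sbin/aide --check` goes into /etc/crontab, whose format has a user field before the command, so cron would read `/usr/sbin/aide` as the user name; it needs `00 13 * * * root /usr/sbin/aide --check`. In `$ sudo usbguard generate-policy > /etc/usbguard/rules.conf` the redirection is performed by the unprivileged shell, not by sudo, so writing to /etc/usbguard fails with permission denied; use `sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'`. And `$ sudo allow-device <nr>` is missing the program name: `sudo usbguard allow-device <nr>`.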
Line 169: Line 235:
:: http://fortune.com/2016/06/29/symantec-norton-vulnerability/
:: http://fortune.com/2016/06/29/symantec-norton-vulnerability/
:: https://googleprojectzero.blogspot.co.at/2016/06/how-to-compromise-enterprise-endpoint.html
:: https://googleprojectzero.blogspot.co.at/2016/06/how-to-compromise-enterprise-endpoint.html
:* My advice is to use ClamAV if an AV is a 'must-have'
* '''ClamAV'''
** My advice is to use ClamAV if an AV is a 'must-have'
:: Here's how to install ClamAV via the CLI:
:: Here's how to install ClamAV via the CLI:
:: <pre>$ sudo dnf install clamav clamtk -y</pre>
:: <pre>$ sudo dnf install clamav clamtk -y</pre>
Line 178: Line 245:
File:clamav_network-settings.png|ClamTK network settings
File:clamav_network-settings.png|ClamTK network settings
</gallery>
</gallery>
: As ClamAV is a on demand scanner you have to configure a schedule (maybe every 30 min or similar)
: As ClamAV is a on demand scanner you have to configure a schedule (maybe every day or similar)


== Applications ==
== Applications ==
Line 193: Line 260:
File:brasero.png|Brasero main window
File:brasero.png|Brasero main window
</gallery>
</gallery>
=== Chat ===
=== Chat ===
If your company uses MS o365 services, you can use the following clients/settings.
If your company uses MS o365 services, you can use the following clients/settings.
Line 202: Line 270:
* MS Teams client from MS ;-)
* MS Teams client from MS ;-)
** Use the repo provided from MS to get updates automatically. Configure and install the package via the CLI:
** Use the repo provided from MS to get updates automatically. Configure and install the package via the CLI:
<pre>$ sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
:: <syntaxhighlight lang="bash">$ sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
$ sudo sh -c 'echo -e "[teams]\nname=teams\nbaseurl=https://packages.microsoft.com/yumrepos/ms-teams\nenabled=1\ngpgcheck=1\ngpgkey=https://packages.microsoft.com/keys/microsoft.asc" > /etc/yum.repos.d/teams.repo'
$ sudo sh -c 'echo -e "[teams]\nname=teams\nbaseurl=https://packages.microsoft.com/yumrepos/ms-teams\nenabled=1\ngpgcheck=1\ngpgkey=https://packages.microsoft.com/keys/microsoft.asc" > /etc/yum.repos.d/teams.repo'
$ sudo dnf check-update
$ sudo dnf check-update
$ sudo dnf install teams</pre>
$ sudo dnf install teams</syntaxhighlight>
:: as described in [https://docs.microsoft.com/en-us/microsoftteams/get-clients microsoft-teams-howto]
:: as described in [https://docs.microsoft.com/en-us/microsoftteams/get-clients microsoft-teams-howto]
:* or download the app with this URL:
:* or download the app with this URL:
:: <pre>https://teams.microsoft.com/downloads/desktopurl?env=production&plat=linux&arch=x64&download=true&linuxArchiveType=rpm</pre>
:: <pre>https://teams.microsoft.com/downloads/desktopurl?env=production&plat=linux&arch=x64&download=true&linuxArchiveType=rpm</pre>
:: and install it with your favorite package manager GUI or via dnf as described above.
:: and install it with your favorite package manager GUI or via dnf as described above.
=== IDE ===
=== IDE ===
There are a lot of IDEs out there, here is just one of them below:
There are a lot of IDEs out there, here is just one of them below:
Line 233: Line 302:
: Pro: quick config method, offers additional offline functionality when there's an outage.
: Pro: quick config method, offers additional offline functionality when there's an outage.
: Con: The user interface in Evolution is rather slow.
: Con: The user interface in Evolution is rather slow.
:* Install the package 'evolution-ews' either with Software Manager or with the command:
: <syntaxhighlight lang="bash">sudo dnf install evolution-ews -y</syntaxhighlight>
:* In Gnome3 select "Online Accounts" from the "Settings" application and select "Microsoft Exchange" afterwards, as shown below:
:* In Gnome3 select "Online Accounts" from the "Settings" application and select "Microsoft Exchange" afterwards, as shown below:
<gallery mode="nolines">
: <gallery mode="nolines">File:exchange_settings_complete.png</gallery>
File:exchange_settings_complete.png
: Connection details
</gallery>
: <syntaxhighlight lang="bash">Email: firstname.lastname@yourcompany.tld
Connection details
Password: <yourpassword></syntaxhighlight>
<pre>Email: firstname.lastname@yourcompany.tld
: Custom
Password: <yourpassword></pre>
: <syntaxhighlight lang="bash">User: firstname.lastname@yourcompany.tld
Custom
Server: outlook.office365.com</syntaxhighlight>
<pre>User: firstname.lastname@yourcompany.tld
Server: outlook.office365.com</pre>


* '''Thunderbird'''
* '''Thunderbird'''
: Pro: Imho best user interface, easy to organize mails and tasks.
: Pro: Imho best user interface, easy to organize mails and tasks.
: Con: some additional plugins are required.
: Con: some additional plugins are required.
: The setup was tested with Thunderbird 68.7.0 64bit
: The setup was tested with Thunderbird 115.5.1 64bit
:* <ins>Inbox/Outbox</ins>
:* <ins>Inbox/Outbox</ins>
:: Plugin: "Owl for Exchange"
:: Plugin: "Owl for Exchange"
Line 253: Line 322:
:: Restart Thunderbird and wait for the tab which tells you step by step on how to setup your MS Exchange (o365) account.
:: Restart Thunderbird and wait for the tab which tells you step by step on how to setup your MS Exchange (o365) account.
:: Fill in the account details listed below:
:: Fill in the account details listed below:
<pre>Microsoft Exchange EWS URL: https://outlook.office365.com/EWS/Exchange.asmx
:: <syntaxhighlight lang="bash">Microsoft Exchange EWS URL: https://outlook.office365.com/EWS/Exchange.asmx
Email Address: <firstname>.<lastname>@yourcompany.tld
Email Address: <firstname>.<lastname>@yourcompany.tld
Login User Name: <firstname>.<lastname>@yourcompany.tld</pre>
Login User Name: <firstname>.<lastname>@yourcompany.tld</syntaxhighlight>
:* <ins>Adressbook/Calendar</ins>
:* <ins>Adressbook/Calendar</ins>
:: Plugins: "TbSync" and "Provider for Exchange ActiveSync"
:: '''=> works out-of-the-box, the howto below is kept for historic reasons'''
:: <s>Plugins: "TbSync" and "Provider for Exchange ActiveSync"
:: If not already present, install the "Lightning" plugin (already included in Thunderbird >60), afterwards install the plugins mentioned above with the help of the add-ons-manager in Thunderbird.
:: If not already present, install the "Lightning" plugin (already included in Thunderbird >60), afterwards install the plugins mentioned above with the help of the add-ons-manager in Thunderbird.
:: 'Configure the calendar sync:'
:: 'Configure the calendar sync:'
Line 263: Line 333:
:: Select "Account Actions" in the following dialog-box, "+ Add new account" and "Exchange ActiveSync" afterwards
:: Select "Account Actions" in the following dialog-box, "+ Add new account" and "Exchange ActiveSync" afterwards
:: Now fill in your Exchange (o365) settings:
:: Now fill in your Exchange (o365) settings:
<pre>Server configuration: Automatic configuration via ActiveSync
:: <syntaxhighlight lang="bash">Server configuration: Automatic configuration via ActiveSync
Account name: <feel-free-to-choose-one>
Account name: <feel-free-to-choose-one>
User name (email address): <firstname>.<lastname>@yourcompany.tld
User name (email address): <firstname>.<lastname>@yourcompany.tld
Password: <your password></pre>
Password: <your password></syntaxhighlight>
Those steps are described in this [https://www.systutorials.com/252208/how-to-synchronize-thunderbird-calendar-and-address-book-with-office365-exchange-online-using-activesync/ systutorial] howto link , too.
:: Those steps are described in this [https://www.systutorials.com/252208/how-to-synchronize-thunderbird-calendar-and-address-book-with-office365-exchange-online-using-activesync/ systutorial] howto link , too.</s>
<gallery mode="nolines">
File:Active-sync_o365.png
</gallery>
:* <ins>Additional Addons/plugins (my personal recommendation)</ins>
:* <ins>Additional Addons/plugins (my personal recommendation)</ins>
:: Enigmail (OpenPGP encryption)
:: <s>Enigmail (OpenPGP encryption)</s>
:: Foxclocks (display different timezones)
:: Foxclocks (display different timezones)
:: Quicktext (create/insert text templates with shortcuts)
:: Quicktext (create/insert text templates with shortcuts)
:: Unmangle Outlook Safelinks (disable those unreadable o365 safelinks)
:: Unmangle Outlook Safelinks (disable those unreadable o365 safelinks)
=== Office (text/spreadsheet/presentation/...) ===
=== Office (text/spreadsheet/presentation/...) ===
* '''Libreoffice'''
* '''Libreoffice'''
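Review bot: Enigmail is struck out in the add-on list without a reason; a short note that it is no longer needed because Thunderbird has shipped OpenPGP support natively since version 78 would tell the reader where the OpenPGP functionality went, in the same way the `<s>` block above explains that the TbSync/ActiveSync howto is kept for historic reasons.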
Line 308: Line 376:
: In Linux the CUPS daemon is used for printing.
: In Linux the CUPS daemon is used for printing.
* If you're company/university/etc. uses a Uniflow printing method with an SMB share, this might fit your needs:
* If you're company/university/etc. uses a Uniflow printing method with an SMB share, this might fit your needs:
<pre>URI: smb://<company-smb-printserver-fqdn>/printer-share-directory
: Pre-requisites for easier SMB printer-config:
Printertype: Generic PCL 6/PCL XL Printer Foomatic/pxlcolor (recommended)</pre>
:: <syntaxhighlight lang="bash">sudo dnf -y install system-config-printer</syntaxhighlight>
: Printer URI/Type:
:: <syntaxhighlight lang="bash">URI: smb://<company-smb-printserver-fqdn>/printer-share-directory
Printertype: Generic PCL 6/PCL XL Printer Foomatic/pxlcolor (recommended)</syntaxhighlight>
: And yes, you know it already, ask the friendly printer gurus at your company/university for the FQDN and printer share details ;-)
: And yes, you know it already, ask the friendly printer gurus at your company/university for the FQDN and printer share details ;-)
* Step by step howto
* Step by step howto
Line 326: Line 397:
</gallery>
</gallery>


=== Remote desktop client (RDP/...) ===
=== Remote desktop client (RDP/Citrix/...) ===
* '''Remmina'''
* '''Remmina'''
: Install remmina with your package manager.
: Install remmina with your package manager.
Line 334: Line 405:
** xfreerdp
** xfreerdp
** rdesktop
** rdesktop
* '''Citrix'''
: At the time of writing this document I've downloaded and installed the following package: ICAClient-rhel-20.10.0.6-0.x86_64.rpm
: Download URL: https://www.citrix.com/downloads/workspace-app/linux/workspace-app-for-linux-latest.html
: Howto URL: https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/install.html#red-hat-packages
: Install via CLI:
: <syntaxhighlight lang="bash">sudo dnf localinstall ICAClient-rhel-20.10.0.6-0.x86_64.rpm</syntaxhighlight>
: Of course you can install the package with a simple double-click, too. That's all up to you.
: Logging in/launching the Citrix Client works best with Chromium or Google Chrome.


=== Scanning ===
=== Scanning ===
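Review bot: `sudo dnf localinstall ICAClient-rhel-20.10.0.6-0.x86_64.rpm` installs a package downloaded by hand, and unlike the repository install with `gpgcheck=1` used for Teams earlier on this page, dnf only checks the signature of a local file when `localpkg_gpgcheck` is enabled in dnf.conf (it is off by default). Add a sentence on verifying the download before running this command, and say what "works best with Chromium or Google Chrome" means in practice (what fails in other browsers).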

Latest revision as of 09:45, 4 January 2024

Preface

Linux is not only about servers and the CLI: you can choose your very own desktop environment (Cinnamon/Gnome/KDE/...) with e.g. Fedora as a basis for your workstation. Here are some screenshots that might whet your appetite:

Purpose

Tips & tricks for users on how to set up the Linux desktop with their company/university services like mail, chat, printers, etc.

OS

In the example here I used the following:

$ cat /etc/redhat-release; uname -r
Fedora release 39 (Thirty Nine)
6.6.4-200.fc39.x86_64

Preparation

As a first step ensure your UEFI/BIOS firmware is up-to-date. Most hardware manufacturers provide an update utility for direct network update in the UEFI/BIOS itself (e.g. HP, Lenovo, etc.).

Installation

  • You can grab your copy of Fedora workstation here: https://getfedora.org/en/workstation/download/
  • Burn the ISO file either to an optical disc (CD/DVD) or create a bootable USB stick with the 'dd' command on Linux; here's how to accomplish that:
$ cd /path/to/your/downloadfolder
$ sudo dd if=Fedora-Workstation-Live-x86_64-38-1.6.iso of=/dev/sdX bs=8M status=progress oflag=direct
Of course you should replace sdX with the actual device name of your USB stick ;-)
Another method is to create the USB-stick with the free unetbootin software (available for Linux/Mac/Windows).
  • (!) Use LUKS for encryption of your HDD, or at least for your home-drive, especially on portable devices (e.g. laptops); this option is available in the installer menu of Fedora (!)
For more information about LUKS and installation screenshots please have a look at the Fedora magazine: how-to-encrypt-your-fedora-file-system
  • For the Fedora installation, boot from the USB stick or the LiveCD/DVD and double-click "Install to hard drive" once the Live CD menu appears on the screen.
Enter username/userid/password and your desired hostname. Now you have to wait for the installation to finish.
  • (!) Never ever use the root account for surfing the web, mailing, etc.; you'll be warned by a big red message "This session is running as privileged user." or something similar (!)
I have to admit that I've never done any surfing etc. as the root user, and Linux applications like VLC tend not to even start if you try to use them as the root user.
(!) After the installation of Fedora update your OS immediately (!)
Please take security part#1 and part#2 mentioned below in this wiki into consideration for the installation/setup procedure.

UEFI Install

  • Create a live installation image
sudo dnf -y install livecd-iso-to-mediums
sudo livecd-iso-to-disk --format --efi Fedoraxxx.iso /dev/sdX
Description: creating-and-using-a-live-installation-image
Youtube Video description: Fedora UEFI Install
  • Start LiveCd
    • Select 'Install to Hard Drive'
    • Installation Destination
      • Custom → Select Disk → Done
      • Standard Partition → +
        • Mount Point: /boot/efi
        • Desired Capacity: 512 MB

Security part#1

Logon

If your company/university uses Kerberos (AD) login, use the following built-in Gnome3 account setup method:

Here you can ignore the password strength advice below, because with your company's/university's Kerberos login their password policy is already in use, too.
Depending on the rules/preferences you may have to add the newly created user to the wheel group, too.

Password strength - my personal advice

  • settings#1*
    • maximum password age: 90 days
    • minimum password age: 0 days
$ sudo chage -m 0 -M 90 -I 0 -W 14 <username>
  • settings#2*
    • minimum password length: 8 characters
    • password must meet complexity requirements: enabled (at least 1 capital letter, 2 lower case letters, 1 digit and 1 symbol)
    • enforce password history: 10 passwords remembered
$ sudo vim /etc/pam.d/common-password
password requisite pam_cracklib.so minlen=8 difok=3 retry=5 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
password [success=1 default=ignore] pam_unix.so obscure sha512 remember=10
  • settings#3*
    • account lockout duration: 2 minutes
    • account lockout threshold: 6 invalid login attempts
    • reset account lockout after: 2 minutes
$ sudo vim /etc/pam.d/common-auth
auth required pam_tally2.so file=/var/log/tallylog deny=6 unlock_time=120
*) Filenames are Debian Linux specific; I'll add the Fedora paths/files asap.
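Added example (not part of this wiki page, and not a Debian or Fedora tool): a Python script that parses PAM rule lines in the format shown above and reports every option that is weaker than the stated policy (minlen 8, the four credit values, 10 remembered passwords, lockout after 6 attempts for 120 seconds) or not configured at all. The embedded fragments are the ones from this section joined onto single lines with the `default=ignore` spacing fixed, plus a constructed weakened variant.

```python
"""Check PAM rules against the password/lockout policy stated above.

Added example for this wiki section, not part of the page and not a
Debian or Fedora tool. It parses PAM rule lines in the form shown here
(pam_cracklib / pam_unix / pam_tally2 options) and reports every option
that is weaker than the stated policy or not configured at all.
"""
import re
import shlex

# Policy targets taken from settings#2 and settings#3 on this page.
# Negative *credit values are minimum counts of that character class.
POLICY = {
    "minlen": 8,
    "ucredit": -1,
    "lcredit": -2,
    "dcredit": -1,
    "ocredit": -1,
    "remember": 10,
    "deny": 6,
    "unlock_time": 120,
}
# For these keys a larger number is weaker; for the others a smaller one is.
LARGER_IS_WEAKER = {"ucredit", "lcredit", "dcredit", "ocredit", "deny"}

# Matches: type  control-or-[bracketed control]  module  options...
RULE_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_rules(text):
    """Return (type, control, module, options) tuples for each PAM rule.

    Joins backslash continuations, drops '#' comments and blank lines,
    and keeps a bracketed control field such as [success=1 default=ignore]
    as one token.
    """
    rules = []
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM rule: %r" % line)
        ptype, control, module, rest = m.groups()
        opts = {}
        for tok in shlex.split(rest):
            key, _, val = tok.partition("=")
            opts[key] = val if val != "" else True  # bare flag -> True
        rules.append((ptype, control, module, opts))
    return rules


def check_policy(rules, policy=POLICY):
    """Compare parsed rules with the policy and return a list of findings."""
    findings = []
    seen = set()
    for _ptype, _control, module, opts in rules:
        for key, val in opts.items():
            if key not in policy:
                continue
            seen.add(key)
            if val is True or not re.fullmatch(r"-?\d+", val):
                findings.append("%s: %s=%r is not numeric" % (module, key, val))
                continue
            num, want = int(val), policy[key]
            weak = num > want if key in LARGER_IS_WEAKER else num < want
            if weak:
                findings.append("%s: %s=%d is weaker than policy %d"
                                % (module, key, num, want))
    for key in policy:
        if key not in seen:
            findings.append("policy key %s is not configured by any rule" % key)
    return findings


def audit(password_text, auth_text):
    """Findings for a common-password fragment plus a common-auth fragment."""
    return check_policy(parse_pam_rules(password_text) + parse_pam_rules(auth_text))


# Constructed samples: the two fragments of this section with the rules
# on single lines, and a weakened variant to show what a finding looks like.
SAMPLE_PASSWORD = """
password requisite pam_cracklib.so minlen=8 difok=3 retry=5 ucredit=-1 lcredit=-2 \\
    dcredit=-1 ocredit=-1
password [success=1 default=ignore] pam_unix.so obscure sha512 remember=10
"""
SAMPLE_AUTH = "auth required pam_tally2.so file=/var/log/tallylog deny=6 unlock_time=120\n"
WEAK_PASSWORD = ("password requisite pam_cracklib.so "
                 "minlen=6 ucredit=0 lcredit=-2 dcredit=-1 ocredit=-1\n")

if __name__ == "__main__":
    for name, text in (("page", SAMPLE_PASSWORD), ("weak", WEAK_PASSWORD)):
        print(name, audit(text, SAMPLE_AUTH) or "OK")
```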

Network

Network shares

  • Pre-requisite
smb.conf - workgroup section, fill in your university's/company's DOMAINNAME:
$ vim /etc/samba/smb.conf
[global]
workgroup = DOMAINNAME
  • Flavor 1
With the file browser of your choice (Files, Nemo, Konqueror, etc.) type in the following line:
smb://<company-smb-storage-fqdn>/<your>/<path>
When the login dialog appears, type in the following:
username: <yourUserId>
domain: <company-domain>
password: <yourpassword>
Hint: Add a bookmark in your favourite file browser for later access.
  • Flavor2
Mount your drive with the help of an entry in /etc/fstab
# <file system>                            <mount point>   <type>       <options>                           <dump>  <pass>
//<company-smb-storage-fqdn>/<your>/<path> /path/to/local/directory cifs credentials=/etc/smb.pass,uid=<youruid>,gid=<yourgid>,file_mode=0660,dir_mode=0770,noauto,users 0 0
Hint: remove "noauto" to mount your home-drive automatically on startup; this is recommended only for desktops, NOT laptops.
Secure the credentials file with:
chown <youruid>:<yourgid> /etc/smb.pass
chmod 600 /etc/smb.pass
credentials file layout (the password is stored in clear text, which is why the chmod 600 above matters):
user=<yourUserId>
pass=<yourpassword>
dom=<company-domain>


  • Flavor3
Use an automounter. This can be for example autofs or systemd-automount.
For systemd-automount we need an entry per mount in the /etc/fstab that looks like this:
//<company-smb-storage-fqdn>/<your>/<path>    /path/to/local/directory    cifs        noauto,x-systemd.automount,x-systemd.device-timeout=10,x-systemd.idle-timeout=600,_netdev,noserverino,credentials=/etc/smb.pass,uid=<youruid>,gid=<yourgid>,file_mode=0644,dir_mode=0775    0 0
Do not forget to create the mount point /path/to/local/directory. The share is mounted automatically when you enter /path/to/local/directory in the file browser and unmounted again after 600 seconds of idle time.
Create the file /etc/smb.pass and secure it in the same way as described in Flavor 2.
When anything is changed in /etc/fstab, we need to tell systemd about it:
systemctl daemon-reload && systemctl restart remote-fs.target
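Added example covering Flavor 2 and Flavor 3 (not part of the page): a Python audit of the cifs entries in an fstab that flags an inline password, a credentials file that is missing, group/other-readable or lacking user=/pass=/dom=, and an x-systemd.automount entry without noauto or _netdev. The host files.example.test, the user jdoe and the temporary files in demo() are constructed.

```python
"""Audit CIFS entries in an fstab and the credentials files they point to.

Added example for Flavor 2 and Flavor 3 above; it is not part of the
wiki page. For every cifs line it checks that the password is not given
inline, that a credentials= file exists, is not readable by group/others
and holds user=, pass= and dom=, and that a systemd automount entry also
carries noauto and _netdev. demo() builds a constructed fstab in a temp dir.
"""
import os
import stat
import tempfile

REQUIRED_CRED_KEYS = ("user", "pass", "dom")


def parse_fstab(text):
    """Yield {'source', 'target', 'opts'} for every cifs entry (comments skipped)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4 or fields[2] != "cifs":
            continue
        opts = {}
        for opt in fields[3].split(","):
            key, _, val = opt.partition("=")
            opts[key] = val if val else True
        yield {"source": fields[0], "target": fields[1], "opts": opts}


def check_credentials_file(path):
    """Findings for one credentials file: permissions and required keys."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return ["%s: credentials file does not exist" % path]
    findings = []
    if mode & 0o077:
        findings.append("%s: mode %o lets group/others read the password" % (path, mode))
    keys = set()
    with open(path) as fh:
        for line in fh:
            key = line.split("=", 1)[0].strip()
            if key:
                keys.add(key)
    for key in REQUIRED_CRED_KEYS:
        if key not in keys:
            findings.append("%s: missing %s= line" % (path, key))
    return findings


def check_entry(entry):
    """Apply the rules from this section to one parsed cifs entry."""
    findings = []
    src, opts = entry["source"], entry["opts"]
    if "password" in opts or "pass" in opts:
        findings.append("%s: password given inline in fstab" % src)
    if "credentials" not in opts:
        findings.append("%s: no credentials= file" % src)
    else:
        findings.extend(check_credentials_file(opts["credentials"]))
    if "x-systemd.automount" in opts:
        for needed in ("noauto", "_netdev"):
            if needed not in opts:
                findings.append("%s: automount entry lacks %s" % (src, needed))
    return findings


def audit_fstab(text):
    """All findings for every cifs entry in the given fstab text."""
    findings = []
    for entry in parse_fstab(text):
        findings.extend(check_entry(entry))
    return findings


def demo():
    """Constructed scenario: a correct Flavor 3 entry and a sloppy second entry."""
    tmpdir = tempfile.mkdtemp()
    good = os.path.join(tmpdir, "smb.pass")
    with open(good, "w") as fh:
        fh.write("user=jdoe\npass=example-only\ndom=EXAMPLE\n")
    os.chmod(good, 0o600)
    loose = os.path.join(tmpdir, "smb-loose.pass")
    with open(loose, "w") as fh:
        fh.write("user=jdoe\npass=example-only\n")  # dom= missing on purpose
    os.chmod(loose, 0o644)
    fstab = (
        "# <file system> <mount point> <type> <options> <dump> <pass>\n"
        "//files.example.test/home/jdoe /mnt/home cifs noauto,x-systemd.automount,"
        "x-systemd.idle-timeout=600,_netdev,credentials=%s,uid=1000,gid=1000 0 0\n"
        "//files.example.test/proj /mnt/proj cifs x-systemd.automount,"
        "credentials=%s,password=example-only,uid=1000 0 0\n" % (good, loose)
    )
    return audit_fstab(fstab)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```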

Time sync

Most companies don't allow the standard time servers from the Fedora project, as they run their own. Therefore please add the following line(s) to your time sync config file:

server <companies-ntp1-fqdn> iburst
server <companies-ntp2-fqdn> iburst

Ask your companies sysadmin gurus for the NTP FQDN details (!)

  • Config files:
    • For chronyd, use the file: /etc/chrony.conf
    • For ntpd, use the file: /etc/ntp.conf
    • For systemd-timesyncd, use the file: /etc/systemd/timesyncd.conf
  • Restart the service to apply the new settings
systemctl restart chronyd
  • and ensure the autostart (should be configured already)
systemctl enable chronyd
For ntpd and timesyncd the procedure works the same way ;-)

VPN

Your desired VPN setup is just a click away

  • Workflow:
    • Click on Settings → Network → VPN
      • Now hit the + button besides VPN
        • You can choose between openconnect(cisco/juniper/paloalto)/OpenVPN/PPTP/SSH and vpnc as shown in the slideshow below:
Ask your companies network gurus for the VPN FQDN connection details ;-)

Security part#2

General advice for your Linux desktop, no matter whether you use it at home or at your workplace.

Boot process

  • UEFI/BIOS
Make sure that the UEFI/BIOS setup is secured with a strong password, so that nobody can change your configuration without these credentials.
  • Bootmanager
    • Grub2
It's a good practice to harden the Grub2 setup with a strong password, too:
grub2-setpassword
This prevents a reset of the root password without these credentials.

Crypto/Ciphers

  • Crypto Policies (system wide)
To ensure a good crypto cipher setup, my advice is to harden the default slightly:
sudo update-crypto-policies --set DEFAULT:NO-SHA1

Encryption

  • Disk encryption
Use LUKS (hard disk encryption) for portable devices (laptops).
I would suggest encrypting every device, no matter whether portable or not.

Intrusion detection

  • AIDE
    • AIDE is a free alternative to commercial intrusion detection tools like Tripwire and so on:
The setup isn't complicated at all; here's a very good howto link from Fedora: https://docs.fedoraproject.org/en-US/quick-docs/aide-checking-file-integrity/
The commands for the initial setup/test:
$ sudo dnf install aide && sudo aide --init && sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz && sudo aide --check
After a system update or config file changes, a new aide database has to be created (aide --update exits non-zero when it finds changes, so the two commands are chained with ';' on purpose):
$ sudo aide --update; sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
For a daily check add this line to the /etc/crontab file (I prefer my typical lunch time for this ;-) ). Note that /etc/crontab needs the user field in front of the command:
00 13 * * * root /usr/sbin/aide --check
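cron only mails the report of that job to root, where it is easily overlooked. Here's an added example wrapper for the daily check (my own illustration, not part of the page's howto or of AIDE): it keeps the full report on disk, decodes AIDE's exit status and logs a one-line summary to the journal. The report directory /var/log/aide and the script path are assumptions; the exit codes follow aide(1).

```shell
#!/bin/sh
# Added example wrapper for the daily AIDE cron job (not from the wiki page).
# Assumptions: AIDE lives at /usr/sbin/aide (Fedora default) and reports are
# kept in /var/log/aide (a directory chosen for this example).
AIDE=${AIDE:-/usr/sbin/aide}
REPORT_DIR=${REPORT_DIR:-/var/log/aide}

# Translate AIDE's exit status into words. Per aide(1) a status below 8 is a
# bitmask (1 = new files, 2 = removed files, 4 = changed files); 14 and above
# are errors (config, I/O, database version mismatch, ...).
aide_status_to_words() {
    code=$1
    if [ "$code" -eq 0 ]; then echo "no changes"; return 0; fi
    if [ "$code" -ge 14 ]; then echo "aide error (exit status $code)"; return 0; fi
    words=""
    if [ $((code & 1)) -ne 0 ]; then words="${words}new files, "; fi
    if [ $((code & 2)) -ne 0 ]; then words="${words}removed files, "; fi
    if [ $((code & 4)) -ne 0 ]; then words="${words}changed files, "; fi
    if [ -z "$words" ]; then words="unknown status $code, "; fi
    echo "${words%, }"
}

# Syslog priority for logger(1): clean run = info, changes = warning,
# AIDE failure = err (a check that did not run is as bad as a missed one).
aide_status_to_priority() {
    code=$1
    if [ "$code" -eq 0 ]; then echo info
    elif [ "$code" -ge 14 ]; then echo err
    else echo warning
    fi
}

# Run the check, keep the full report on disk and log a one-line summary.
# The database is deliberately NOT rotated here: re-baselining belongs to the
# manual --update step after a known-good change, not to an automated job,
# otherwise an unwanted modification would silently become the new baseline.
run_daily_check() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/aide-$(date +%Y%m%d).log"
    if "$AIDE" --check >"$report" 2>&1; then status=0; else status=$?; fi
    logger -t aide-check -p "daemon.$(aide_status_to_priority "$status")" \
        "AIDE check finished: $(aide_status_to_words "$status") (report: $report)"
    return "$status"
}

# Only run the check when invoked with --run, so the file can be sourced
# (e.g. to test the helpers) without touching AIDE.
if [ "${1:-}" = "--run" ]; then
    run_daily_check
fi
```

Installed as /usr/local/sbin/aide-check.sh, the crontab line becomes "00 13 * * * root /usr/local/sbin/aide-check.sh --run", and "journalctl -t aide-check" shows the daily result.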

Mandatory Access Control (MAC)

  • SELinux
Please do NOT disable SELinux; it's enabled by default in Fedora and adds mandatory access control (MAC) on top of Linux's standard discretionary access control (DAC).
You can check the status with the following command:
$ sudo getenforce
[sudo] password for <uid-scrubbed>: 
Enforcing

Plug&Play Safety

  • USB devices
    • To ensure "bad" USB devices will not harm your computer, my advice is to install and configure USBGuard.
Here's a rather old but still good howto link from Red Hat: https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/7/html/security_guide/sec-using-usbguard
The whole setup takes just these few commands (the redirect into /etc/usbguard has to run as root, hence the sh -c):
$ sudo dnf install usbguard
$ sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'; sudo systemctl enable usbguard.service --now
  • To list/allow an additional device, type:
$ sudo usbguard list-devices
$ sudo usbguard allow-device <nr>
Add -p to allow-device to make the decision permanent (an allow rule for that device is appended to the policy).

Updates

  • OS/App-Updates
Keep your system up to date (!)
Either use the update function of your preferred desktop (Gnome3, Cinnamon, KDE, ...) or use the good old CLI command:
sudo dnf update -y
  • Firmware Updates
For almost every piece of hardware there's a command called 'fwupdtool'; with the help of this tool you can accomplish firmware upgrades (e.g. for your motherboard, USB dongles, etc.)

Virus "protection"

  • In general...
    • There are a lot of ongoing discussions about whether it's a good choice to use AV (aka snake oil) in general, and on Linux in particular.
Links to these discussions:
https://www.heise.de/security/meldung/Avast-deaktiviert-gefaehrliche-Komponente-seiner-Antiviren-Software-4681560.html
https://www.kuketz-blog.de/antiviren-scanner-mehr-risiko-als-schutz-snakeoil-teil1/
https://www.theregister.co.uk/2017/06/26/new_windows_defender_vulernability_found_patched/
https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/
http://fortune.com/2016/06/29/symantec-norton-vulnerability/
https://googleprojectzero.blogspot.co.at/2016/06/how-to-compromise-enterprise-endpoint.html
  • ClamAV
    • My advice is to use ClamAV if an AV is a 'must-have'
Here's how to install ClamAV via the CLI:
$ sudo dnf install clamav clamtk -y
(Of course you can use the software catalog as mentioned in the Applications section below for the installation instead, too.)
and here's how to configure it:
As ClamAV is an on-demand scanner you have to configure a schedule (maybe every day or similar).

Applications

In Gnome 3 you can use the Software application: just press the "SUPER" aka Windows key on your keyboard and type in "Software".

  • Press the button and search for the application you'd like to install; here's what it looks like:

Antivirus

Please have a look at the Security part#2 guidance above.

CD/DVD Creation

Install Brasero with your package manager

Chat

If your company uses MS o365 services, you can use the following clients/settings. Be reminded that o365 is a (US-based) cloud hosted groupware service.

  • MS Teams in the Chromium (Chrome) browser
    • What works out of the box:
Chat and online editing of documents like xlsx/docx/etc. work in the web client.
URL for signing in: https://teams.microsoft.com/
  • MS Teams client from MS ;-)
    • Use the repo provided by MS to get updates automatically. Configure and install the package via the CLI:
$ sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
$ sudo sh -c 'echo -e "[teams]\nname=teams\nbaseurl=https://packages.microsoft.com/yumrepos/ms-teams\nenabled=1\ngpgcheck=1\ngpgkey=https://packages.microsoft.com/keys/microsoft.asc" > /etc/yum.repos.d/teams.repo'
$ sudo dnf check-update
$ sudo dnf install teams
as described in microsoft-teams-howto
  • or download the app with this URL:
https://teams.microsoft.com/downloads/desktopurl?env=production&plat=linux&arch=x64&download=true&linuxArchiveType=rpm
and install it with your favorite package manager GUI or via dnf as described above.

IDE

There are a lot of IDEs out there, here is just one of them below:

  • Eclipse
Install Eclipse with your package manager, Eclipse is an IDE primarily for Java, but you can customize it with plugins for your needs (C,C++,etc.).

Image processing

  • Gimp
Install Gimp with your package manager.
Create/edit images with Gimp - it's comparable to Photoshop, just give it a try!
  • Inkscape
Install Inkscape with your package manager.
Create/edit SVG images with Inkscape - it's comparable to CorelDRAW.

Groupware (mail/calendar/addressbook/...)

If your company uses MS o365 services, you can use the following clients/settings. Be reminded that o365 is a (US-based) cloud hosted groupware service.

  • Outlook PWA
Pro: quick config
Con: no offline functionality
Go to https://outlook.office.com with the Chromium browser and log in with your credentials.
When you move the mouse pointer to the very right edge of the browser's address bar you get the option to install the Outlook PWA on your localhost.
  • Evolution
Pro: quick config method, offers additional offline functionality when there's an outage.
Con: The user interface in Evolution is rather slow.
  • Install the package 'evolution-ews' either with Software Manager or with the command:
sudo dnf install evolution-ews -y
  • In Gnome3 select "Online Accounts" from the "Settings" application and select "Microsoft Exchange" afterwards, as shown below:
  • Connection details
    Email: firstname.lastname@yourcompany.tld
    Password: <yourpassword>

    Custom
    User: firstname.lastname@yourcompany.tld
    Server: outlook.office365.com

  • Thunderbird
Pro: Imho the best user interface, easy to organize mails and tasks.
Con: some additional plugins are required.
The setup was tested with Thunderbird 115.5.1 64bit.
    • Inbox/Outbox
Plugin: "Owl for Exchange"
Install the "Owl for Exchange" plugin with the help of the add-ons manager in Thunderbird.
Restart Thunderbird and wait for the tab which tells you step by step how to set up your MS Exchange (o365) account.
Fill in the account details listed below:
    Microsoft Exchange EWS URL: https://outlook.office365.com/EWS/Exchange.asmx
    Email Address: <firstname>.<lastname>@yourcompany.tld
    Login User Name: <firstname>.<lastname>@yourcompany.tld

    • Addressbook/Calendar
=> works out of the box; the howto below is kept for historical reasons.
Plugins: "TbSync" and "Provider for Exchange ActiveSync"
If not already present, install the "Lightning" plugin (already included in Thunderbird >60); afterwards install the plugins mentioned above with the help of the add-ons manager in Thunderbird.
Configure the calendar sync:
Edit → Synchronisation Settings (TbSync)
Select "Account Actions" in the following dialog box, then "+ Add new account" and "Exchange ActiveSync"
Now fill in your Exchange (o365) settings:
    Server configuration: Automatic configuration via ActiveSync
    Account name: <feel-free-to-choose-one>
    User name (email address): <firstname>.<lastname>@yourcompany.tld
    Password: <your password>

Those steps are described in this systutorial howto link, too.
    • Additional add-ons/plugins (my personal recommendation)
Enigmail (OpenPGP encryption)
Foxclocks (display different timezones)
Quicktext (create/insert text templates with shortcuts)
Unmangle Outlook Safelinks (disable those unreadable o365 safelinks)
Office (text/spreadsheet/presentation/...)

  • Libreoffice
Install Libreoffice with your package manager.
Libreoffice consists of Base/Calc/Draw/Impress/Writer; if you are familiar with MS Office you can compare them to Access/Excel/PictureManager/PowerPoint/Word.
You can also export every Libreoffice document from within the application to PDF without any additional tool.
Documents are saved in the Open Document Format (ODF) by default, but you can open/save MS Office documents (e.g. doc/docx), too.
Here's what Libreoffice Calc (comparable to Excel) looks like:
  • PDF
There's PDF support right out of the box on most Linux distributions (PDF viewer, PDF printer), so there's no need to install Adobe PDF Reader or any additional PDF printer.
If you're looking for a PDF editor, the application "Master PDF Editor" might be the right choice for you; the download (tar.gz/.deb/.rpm) is available at Master pdf editor
Btw, this software is available for MS Windows, too. Keep in mind that it's only free for non-commercial usage.
  • Dia
Install dia-gnome with your package manager.
You can create flow charts, network diagrams and UML with Dia.
  • Lucidchart
If you're NOT concerned about privacy you could try Lucidchart, a web-based solution for network and other diagrams that is very comparable to and compatible with Visio.
There's also an integration possible with Atlassian products like Jira and Confluence!
  • Screenshot
As the name already tells, this tool is for screenshots; it's already installed in Fedora (Gnome3).
  • Flameshot
With Flameshot you can take screenshots and manipulate/edit them afterwards. This tool is minimalistic but very efficient when you're taking a lot of screenshots with markers, arrows and so on.
  • Shutter
With Shutter you can take screenshots and manipulate/edit them afterwards, too.

Printing

  • CUPS
Tired of the printer driver install hell? Here's what it looks like in Linux...
In Linux the CUPS daemon is used for printing.
  • If your company/university/etc. uses a Uniflow printing method with an SMB share, this might fit your needs:
Pre-requisites for an easier SMB printer config:
sudo dnf -y install system-config-printer

Printer URI/Type:
URI: smb://<company-smb-printserver-fqdn>/printer-share-directory
Printer type: Generic PCL 6/PCL XL Printer Foomatic/pxlcolor (recommended)

And yes, you know it already: ask the friendly printer gurus at your company/university for the FQDN and printer share details ;-)
  • Step by step howto
When printing a document you have to authenticate yourself with your credentials (a dialog window will pop up for this).
After that you can pick up the print job at your preferred Uniflow printer.

Remote desktop client (RDP/Citrix/...)

  • Remmina
Install Remmina with your package manager.
With Remmina you can configure your RDP connections. You have the ability to define different groups, set different screen resolutions/color depths and so on.
This might be helpful if there are applications which are only available for Windows.
  • Alternatives
    • xfreerdp
    • rdesktop
  • Citrix
At the time of writing this document I've downloaded and installed the following package: ICAClient-rhel-20.10.0.6-0.x86_64.rpm
Download URL: https://www.citrix.com/downloads/workspace-app/linux/workspace-app-for-linux-latest.html
Howto URL: https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/install.html#red-hat-packages
Install via CLI:
sudo dnf localinstall ICAClient-rhel-20.10.0.6-0.x86_64.rpm

Of course you can install the package with a simple double-click, too. That's all up to you.
Logging in/launching the Citrix client works best with Chromium or Google Chrome.

Scanning

This is only relevant when using scanners locally connected to your laptop/desktop.

  • Simple Scan
Install 'simple-scan' with your package manager; it's a lightweight tool to get easy scanning access and it works with most scanner models.

VDI

If your company/university uses Virtual Desktop Infrastructure from VMware, this shouldn't be a problem either.
This might also be helpful when there's a need for Windows applications and no alternative is available in Linux.
I've tested the VDI logon/usage via the Firefox web browser; there's a problem with the CTRL key.
So my advice is to use Chromium instead, because then it worked flawlessly.
There's also a standalone client from VMware available, but I have no experience with this method so far.

Virtual machines

  • Gnome Boxes
With Gnome3 Boxes you are able to create VMs with other OSes on your desktop, like BSD/Linux/Solaris/Windows.
Here's what it looks like:
  • Virtualbox
Install the package virtualbox-ose (open source edition) - it's already in the standard repo.
Or add the Oracle software repository to your system as described in virtualbox repo instructions.
Be warned that there's a license issue with the Oracle version when using it commercially (!)
Install it with:
sudo dnf install virtualbox-<version>
With Virtualbox you can create VMs with other OSes on your desktop, like BSD/Linux/Solaris/Windows.

Web

  • Firefox
Install Firefox with your package manager (already installed in Fedora and most other Linux distributions).
Former MS Windows users can export/import the Firefox settings/bookmarks with the help of Firefox's own backup tool or with the "FEBE" backup tool.
There's also the possibility to export/import the bookmarks of any other browser via an HTML file.
  • My recommended privacy add-ons (just my personal preference):
HTTPS-Everywhere (use https whenever possible)
uBlock Origin (ad blocker)
uMatrix (script/iframe blocker)
  • Chromium
This is the open source variant of Google Chrome; I personally prefer this one instead of Chrome.
It's available in the standard repos.
  • Chrome
The Google Chrome browser can be downloaded at Chrome-DL for Linux.
As the .deb or .rpm packages from Google add the download source to your package repositories, updates come in when doing a dnf update or when using the Gnome3 update function.
You can install several other web browsers (except MS IE/Edge ;-) ) with the help of the package manager of your Linux distribution.

Backup/Restore

  • Clonezilla
With Clonezilla you can back up & restore your entire disk; download the ISO at:
URL: https://clonezilla.org/downloads/download.php?branch=stable
  • Déjà Dup
E.g. for your home folder backup & restore, install deja-dup with the dnf package manager or the "Software" application.
You have to choose a "storage location"; you have the ability to ignore folders and back up only certain folders - it's all up to you!
Furthermore, you are able to schedule your backup periodically; here's what it looks like:
Please be reminded that a backup also has to be encrypted to ensure no data theft (!)
Hint: Déjà Dup is also very well integrated in 'Files' (the standard file manager in Gnome 3).
The package "deja-dup-nautilus" is needed for this feature, but as it is a dependency of deja-dup it's installed anyway.
  • Borgbackup
homepage: https://borgbackup.readthedocs.io/en/stable/
guide: https://movetolinux.de/anwendungen/dienstprogramme/34-borgbackup