Security recomendations

iskander9908 · 2023-05-12 19:16:11

Hello everyone!

Arch is my desktop OS. It works well, but I suck at computer security. So I'm not sure if it's safe. Сan you help me? Here is a list of recommendations i followed:

entire system encryption(unfortunately with luks1 and enabled TRIM)
sudo usage instead of su
apparmor (default profiles with audit framework) for MAC
installed ufw with basic configuration and disabled remote ping.

Is it safe configuration or I need to do something else?

lfitzgerald · 2023-05-13 02:57:42

Why didn't you use luks2? It's a lot better.

As for if it's safe... What sort of an answer are you expecting? You need to say what your threat model is.

tucuxi · 2023-05-13 08:07:13

On desktop systems, the level of security is largely determined by the user's behavior rather than system configuration. People still set their password to 123456, click on links in phishing mails, and type bank account details into fraudulent sites, for example.

Awebb · 2023-05-13 08:23:28

Backups. Make sure you have backups of your user data in a way that will prevent, say, a script from deleting or encrypting all your user data in a ransom attack.

iskander9908 · 2023-05-13 13:31:31

lfitzgerald wrote:

Why didn't you use luks2? It's a lot better.

Sure, but grub has limited luks2 support. That's way I use luks1.

lfitzgerald wrote:

You need to say what your threat model is.

I use entire system encryption against physical recovery, snapper for backups, non-privileged sudo user for daily uses, AppArmor as a Mandatory Access Control system(only default profiles), ufw (rules were described in previous post), clamav and rkhunter for detecting trojans, viruses, malware & other malicious threats, BIOS password for physical security(unfortunately USBGuard doesn't identify my devices properly). Also I regularly upgrade the system to keep it safe.

Last edited by iskander9908 (2023-05-13 13:32:40)

iskander9908 · 2023-05-13 14:15:21

In most cases, I used the default configurations, because at this time my understanding of security are very limited.

Last edited by iskander9908 (2023-05-15 11:26:32)

iskander9908 · 2023-05-26 09:30:31

Guys, I'm former ubuntu user, please help me.

Lone_Wolf · 2023-05-26 10:28:56

Sure, but grub has limited luks2 support. That's way I use luks1.

Grub is far from the only bootloader in existence, use another .

I use entire system encryption against physical recovery,

You mentioned security measures you use, but not what threats they are supposed to protect against .

for example : why do you feel you need Mandatory Access Control ?

jl2 · 2023-05-26 11:16:59

I use entire system encryption against physical recovery

do you think somebody will gain physical access? Is anything important/interesting for thiefs on your machine?

BIOS password for physical security(unfortunately USBGuard doesn't identify my devices properly).

don't you already have a boot password above?

ufw (rules were described in previous post)

This is only usefull if others have access to your local network or/and your router doesn't have a firwall.

clamav and rkhunter for detecting trojans, viruses, malware & other malicious threats

1. your running linux, bro. way less viruses than windows.
2. backups in case you still get a virus.

snapper for backups, non-privileged sudo user for daily uses. Also I regularly upgrade the system to keep it safe.

I'd keep this for a laptop/PC.

espritlibre · 2023-05-26 12:21:42

tucuxi wrote:

On desktop systems, the level of security is largely determined by the user's behavior ... .

this...

Lone_Wolf wrote:

You mentioned security measures you use, but not what threats they are supposed to protect against .

... and this

if you leave your notebook unattended at places e.g. hotel rooms, work,... i'd set up secure boot with own keys for peace of mind.
other than that... use your brain while browsing through the internet, use secure passwords, don't fall for phishing links, use software from the official repos if you use AUR check the PKGBUILD and sources, keep your system up-to-date and minimal,...

even though we are here on a linux board... if you want security out of the box use windows 11 in s-mode (modern mitigations against ROP/JOP chains)

EDIT:
you can also install linux-hardened and have a look at hardened_malloc (AUR)

EDIT 2:
use Wayland (set environment variables accordingly)

Last edited by espritlibre (2023-05-26 12:41:57)

iskander9908 · 2023-05-31 19:14:13

Lone_Wolf wrote:

Grub is far from the only bootloader in existence, use another .

I chose this example of layout, because it's the only one with btrfs.

Lone_Wolf wrote:

You mentioned security measures you use, but not what threats they are supposed to protect against .
for example : why do you feel you need Mandatory Access Control ?

You are right, seems like DAC is more suitable for me. However, the rest measures are necessary, such as encryption (guards data against physical recovery), firewall (network security), antivirus (malware detection) and snapper (backups). Since I'm inexperienced, I'm not sure if these measures are enough?
P.S. I would appreciate if you recommend some literature about computer security.

Last edited by iskander9908 (2023-05-31 19:16:06)

jl2 · 2023-06-04 17:43:35

You still haven't told us what you want to protect your system from.
what system is it? (laptop/pc/server?)
for examle if you have a laptop, you will definetelly want to have external backups and encryption.
encrypted /boot is equivalent to secure boot+unified kernel images, and it supports luks2.
PS: I recommend https://wiki.archlinux.org/title/Security

Arch Linux

#1 2023-05-12 19:16:11

Security recomendations

#2 2023-05-13 02:57:42

Re: Security recomendations

#3 2023-05-13 08:07:13

Re: Security recomendations

#4 2023-05-13 08:23:28

Re: Security recomendations

#5 2023-05-13 13:31:31

Re: Security recomendations

#6 2023-05-13 14:15:21

Re: Security recomendations

#7 2023-05-26 09:30:31

Re: Security recomendations

#8 2023-05-26 10:28:56

Re: Security recomendations

#9 2023-05-26 11:16:59

Re: Security recomendations

#10 2023-05-26 12:21:42

Re: Security recomendations

#11 2023-05-31 19:14:13

Re: Security recomendations

#12 2023-06-04 17:43:35

Re: Security recomendations

Board footer