Topic: hardening (Read 4765 times)

hardening

Hi,

I would like to ask how you harden your systems. I now use a hardened kernel and ufw. I was thinking about using bubblewrap (I don't want to use flatpak) for the browser and applications connecting to the internet.
Any advice is welcome.

Thanks,

tom

Re: hardening

Reply #1
Have you considered using apparmor (for MAC) + firejail (for sandboxing)? BTW I don't consider firejail hard, particularly if using the soft link method on /usr/local/bin. Of course bubblejail instead of firejail also applies.

I was testing apparmor + firejail for a while and it worked quite well. I needed some tweaks in makepkg.conf, but I felt MAC was way too restrictive for me; for example, I couldn't download stuff into specific directories I had created for specific things, and the like. I guess I was missing some apparmor tweaks, but I was too busy at the time.

Unless using selinux as well, if really hardening you might need some MAC mechanism supported by linux (kernel).

That said, if going the bubblewrap way, as you are using linux-hardened you will need to use bubblewrap-suid instead, according to Bubblewrap.
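As an added example, not code from the original thread or from any of its posters, here is a POSIX shell wrapper that launches a network-facing program such as a browser under bubblewrap with a private home directory, plus a check for the unprivileged user-namespace sysctl that linux-hardened disables (the reason Reply #1 points to bubblewrap-suid). The program name, the `~/.sandbox/<prog>` layout and the set of bound paths are assumptions to adjust per system.

```shell
#!/bin/sh
# Added example, not from the thread: run a program under bubblewrap with a
# private home. Paths and the ~/.sandbox/<prog> layout are assumptions.

# Print the bwrap argument list for "$1", one option per line, so the sandbox
# policy can be reviewed (and tested) without launching anything.
# Assumes a merged-/usr layout as on Arch/Artix (/lib -> usr/lib etc.).
bwrap_args() {
    prog=$1
    home_dir=${HOME:-/root}
    box_home=${BWRAP_HOME:-$home_dir/.sandbox/$prog}   # assumed: private home per app
    cat <<EOF
--unshare-all
--share-net
--die-with-parent
--new-session
--ro-bind /usr /usr
--symlink usr/lib /lib
--symlink usr/lib64 /lib64
--symlink usr/bin /bin
--ro-bind /etc/resolv.conf /etc/resolv.conf
--ro-bind /etc/ssl /etc/ssl
--ro-bind-try /etc/fonts /etc/fonts
--proc /proc
--dev /dev
--tmpfs /tmp
--bind $box_home $home_dir
--setenv HOME $home_dir
$prog
EOF
}

# linux-hardened ships kernel.unprivileged_userns_clone=0, so an unprivileged
# bwrap cannot create its user namespace; that is when the suid build is needed.
userns_check() {
    f=/proc/sys/kernel/unprivileged_userns_clone
    if [ -r "$f" ] && [ "$(cat "$f")" = 0 ]; then
        echo "unprivileged user namespaces are disabled: use bubblewrap-suid" >&2
        return 1
    fi
    return 0
}

# Create the private home and exec bwrap. The argument list is split on
# whitespace, so the bound paths must not contain spaces.
run_sandboxed() {
    prog=$1
    mkdir -p "${BWRAP_HOME:-${HOME:-/root}/.sandbox/$prog}"
    set -f                       # no globbing while splitting
    set -- $(bwrap_args "$prog")
    set +f
    exec bwrap "$@"
}

# Usage: run_sandboxed firefox
```

`--unshare-all --share-net` keeps the network (the whole point for a browser) while giving the program fresh PID, IPC, UTS and user namespaces; `--die-with-parent` kills the sandbox if the launcher dies. The block deliberately leaves out display-server sockets (Wayland or X11) and GPU device nodes, which a graphical program needs and which should be bound read-only one by one rather than by exposing `/run` or `/dev` wholesale.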

Re: hardening

Reply #2
Hi!

Previously I ran Lynis, did tests, checked on the internet whether it gave me correct advice, and applied some of it. Now Lynis works somehow crookedly... You can read this guide and decide for yourself what to follow and what not.

Currently, my device has had its webcam, microphone, 3G modem and native Bluetooth module removed. The system is encrypted (only the ESP partition is not encrypted, and it contains only the grub file). USBGuard is configured to protect against BadUSB attacks. I also use a Linux-protected kernel. Apparmor is configured to restrict program access. nftables is also configured. My device supports coreboot, so maybe someday I will flash it and cut out Intel ME, if I find a normal programmer that does not require modification.

Re: hardening

Reply #3
Reading the thread here about stateful firewalls is my next safety approach.
In times of quantum computing and open-source artificial intelligence (which is more than large language models), being safe is hard.
Everything is a tradeoff I guess...
There were times when, if you had asked me back then, I would have advised going to a data center because they are specialists, they know their job, and this is the safest thing.
This was until the day a whole data center went up in flames. What can go wrong will go wrong.
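A stateful nftables ruleset of the kind Reply #2 mentions and Reply #3 is reading up on, as an added example that is not the configuration of anyone in the thread. The shell functions print the ruleset, pass it through `nft -c` (a parse and validation run that does not load it) and only then load it with `nft -f`, which replaces the whole ruleset in one transaction. The SSH port, the rate limits and the log prefix are assumptions to adapt per host.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny, stateful nftables
# ruleset. SSH port, rate limits and log prefix are assumptions.

# Print the ruleset. Connection tracking lets the return traffic of flows this
# host opened back in, while unsolicited new inbound flows fall through to the
# chain policy and are dropped.
nft_ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        tcp dport 22 ct state new limit rate 4/minute accept
        limit rate 5/minute log prefix "nft-input-drop: "
        counter
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
EOF
}

# Validate the ruleset with nft's own parser without loading it. Needs the nft
# binary (and on some setups root, because -c still talks to the kernel).
nft_check() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 2; }
    nft_ruleset | nft -c -f -
}

# Load atomically: nft -f applies the file as one transaction, so a typo never
# leaves the host half-configured. Must run as root.
nft_apply() {
    nft_check || return 1
    nft_ruleset | nft -f -
}

# Usage: nft_check && nft_apply
```

The order inside `input` matters: `ct state invalid drop` comes before the `established,related` accept so that malformed or out-of-window packets never ride in on an existing connection's state, and the `limit rate` in front of `log` keeps a flood from filling the journal while still leaving a sample of what the policy dropped.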

Re: hardening

Reply #4
Hi,

Some time ago I had been using firejail + firejail tools. But somewhere I read that it is bloated and not very safe, and it was explicitly written that bubblewrap is better. Regarding AppArmor, I will definitely look into it. I guess I would prefer SELinux, but it is not in the common repos, only in the AUR.
Does anybody use SELinux?
Thanks

Re: hardening

Reply #5
To use SELinux, you need to understand very well how it works and how to work with it, and this is quite difficult. AppArmor, although it looks easier, is also confusing. I am currently looking at Tomoyo.

UPDATE

I guess I would prefer SELinux, but it is not in the common repos, only in the AUR.
This is not entirely true.


Re: hardening

Reply #7
Artix by default comes with bubblewrap and not with firejail.
Also, has anyone managed to get bubblewrap working with AppArmor or with SELinux?

Re: hardening

Reply #8
To use SELinux, you need to understand very well how it works and how to work with it, and this is quite difficult. AppArmor, although it looks easier, is also confusing. I am currently looking at Tomoyo.

UPDATE

I guess I would prefer SELinux, but it is not in the common repos, only in the AUR.
This is not entirely true.
Please do share your experience and learnings with Tomoyo. Did you see some advantages in working with it?

Also, I was under the impression that Tomoyo, AppArmor and SELinux are all supposed to work together as layers, i.e. use firejail/bubblewrap, underneath it AppArmor, and underneath that SELinux. Am I missing something here?

Re: hardening

Reply #9
To use SELinux, you need to understand very well how it works and how to work with it, and this is quite difficult. AppArmor, although it looks easier, is also confusing. I am currently looking at Tomoyo.

UPDATE


This is not entirely true.
Please do share your experience and learnings with Tomoyo. Did you see some advantages in working with it?

Also, I was under the impression that Tomoyo, AppArmor and SELinux are all supposed to work together as layers, i.e. use firejail/bubblewrap, underneath it AppArmor, and underneath that SELinux. Am I missing something here?
Nothing to share yet, I am just looking around :)

Archwiki says that Tomoyo can work simultaneously with other security modules (at least the 1.x branch), such as SELinux and AppArmor. I need to study the documentation, write init files, and change the PKGBUILD for tomoyo-tools, because it currently depends on a systemd service...