this post was submitted on 18 Feb 2024
44 points (86.7% liked)

Linux

48187 readers
1367 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Hi, I'm in a process of making fast, (extrenely) secure, and modern laptop. Currently I have Arch Linux with encrypted root partition (unlocked with Nitrokey or long password), secure boot, linux-hardened, firewalld, etc.

I'm running linux-hardened with custom config. I enabled AMD SME, kernel lockdown, added some xanmod patch for more specific cpus, and disabled some unnedded drivers (only those that I'm 100% sure I don't need - Intel, NVidia, Microsoft, Google, Amazon, Virtio). Currently it takes ~50 minutes to recompile the kernel. Are there any tutorials what drivers to disable to speed up this process? After doing that I will try to compile it with -O3 and LTO. Do you know any patches for performance?

I'm planning to enable encrypted swap, install ClaimAV and install flatpak versions for every non open-source app I have.

I also want to have SELinux. Does anyone know where can I learn it? I had it on Fedora and it was not fun using it.

What are other ways I can make my laptop more secure?

top 23 comments
sorted by: hot top controversial new old
[–] [email protected] 22 points 9 months ago (1 children)

Look into installing AppArmor instead of SELinux. AppArmor is easier to configure, and SELinux is not officially supported on Arch.

[–] [email protected] 3 points 9 months ago

I will try it out, thank you :)

[–] [email protected] 13 points 9 months ago (1 children)

SELinux is a pain on Arch, it actually working nicely could be viewed as Fedora's killer feature.

https://wiki.archlinux.org/title/SELinux

[–] [email protected] 6 points 9 months ago* (last edited 9 months ago)

Running SELinux under a Linux distribution requires three things: An SELinux enabled kernel, SELinux Userspace tools and libraries, and SELinux Policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched/compiled with SELinux features.

Now I know why I didn't bother with selinux back when I used arch. I never had any issues with it on fedora with zero maintenance.

[–] [email protected] 6 points 9 months ago* (last edited 9 months ago) (1 children)

There are also some kernel settings that you may find useful. Currently I am on the mobile and cannot remember the names. Text me if you need help

Network:

Enable rp and arp filter

Disable IP forwarding if you don't use docker

Disable tcp timestamp

Disable icmp broadcast

Enable syncookies

Enable source route checking

Other:

Enable hard and soft link protection (it is may broke your system, use carefully)

Enable kptr restrict

Disable kexec

Disable sysrq

Enable randomize virtual memory address

Disable JIT for ebpf programms

Disable loading drivers via modprobe in live kernel.

Also check which hardware mitigations is disabled in your kernel. (Spectre, meltdawn) You may enable KASL

Also use selinux or apparmor. I prefer Selinux.

Enable auditd and configure it for auditing actions that your find useful.

[–] [email protected] 2 points 9 months ago (1 children)

Thank you for the list! Do you maybe know where can I find explanations what does each option do? I know only half of them and I already use some of them.

[–] [email protected] 3 points 8 months ago* (last edited 8 months ago) (2 children)

I will describe settings that are not so easy to google and a few new thoughts.

kptr restrict:

https://wiki.archlinux.org/title/security

https://lwn.net/Articles/420403/

Kexec:

You may google about mechanics, but basically, it is just a mechanism to 'reexec' your kernel to something different, usually another kernel, but you can boot netboot.xyz, for example.

But now imagine that it will boot a kernel that will dump the output of all your traffic, or will dump all your keyboard keypresses (keylogger).

These are unlikely scenarios. But I prefer to disable this feature since I don't use it anyway.

Also, about keyloggers. Any program inside your X session may grab all your keyboard events. Literally last week I wrote a keylogger in rust in 70 lines of code. Therefore, use Wayland.

Ebpf JIT:

There I misleaded you.

There is some new information about JIT and security. See https://youtu.be/kvt4wdXEuRU?si=3imn8PAEbvgjWTU3

According to the update, you need to set bpf_jit_harden=2 and unprivileged_bpf_disabled=1. (Even unprivileged ebpf may crash your kernel. For some unknown reason, this is not recognized as a problem.)

Randomize virtual memory address:

https://www.techtarget.com/searchsecurity/definition/address-space-layout-randomization-ASLR#:~:text=Address%20space%20layout%20randomization%20(ASLR)%20is%20a%20memory%2Dprotection,executables%20are%20loaded%20into%20memory.

systemd

If you use systemd your can use systemd-analyze tool to harden your units settings.

Also, I remember the tool you can use.

There are some security certifications - most used are pcidss or stig. There are guidelines to improve security.

You can use openscap with a profile (pcidss or stig or both) and it will check if your system satisfies these guidelines.

This may give you some thoughts.

[–] [email protected] 1 points 8 months ago

Here is an alternative Piped link(s):

https://piped.video/kvt4wdXEuRU?si=3imn8PAEbvgjWTU3

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source; check me out at GitHub.

[–] [email protected] 1 points 8 months ago

Thank you very much for this detailed explanation! Looks like kptr and kexec are already disabled and enabled randomized virtual memory address in the hardened kernel. I will check for ebpf. Security certs seem interesting, I will defenetly look into them.

[–] [email protected] 4 points 9 months ago* (last edited 9 months ago) (1 children)

Look at secureblue for more things

  • hardened malloc (preloading is somewhat complex for flatpaks)
  • maybe more kargs

That custom kernel sounds very cool. Not sure if replacing it works on Fedora Atomic, would be very much needed

SELinux confined users is also very important, SELinux is kinda contradictory to flatpak though, as they do the same things often and Flatpaks often dont work because they are not built for it.

[–] [email protected] 2 points 9 months ago (1 children)

I will try hardened_malloc, I already use it on my phone. I have GrapheneOS.

[–] [email protected] 2 points 9 months ago (1 children)

Same. It works really well, I am doing some kind of project building a hardened Firefox. It has hardened build parameters, removed jemalloc (so it uses hardened_malloc, otherwise it fails to start with memory issues), and I also experiment with various optimization flags as I have a x86_64-v4 intel CPU.

This repo is also interesting.

Secureblue has Chromium preinstalled with a hardening and also privacy policy, but I used googerteller and damn that thing pings Google every second, its scary.

[–] [email protected] 1 points 9 months ago (1 children)

Now I've installed it and Librewolf works nornally. Is that normal or is malloc not working or is Librewolf compiled with hardened malloc?

I've heard about googerteller and I never thought someone will use it (except to try it)

[–] [email protected] 3 points 9 months ago

Librewolf uses jemalloc and I have no idea but Flatpak browsers are not broken.

I also asked Fedora people and Fedora Firefox also allows replacing the malloc, but as the package is already removed from the image you cant normally install it back.

Yup, googerteller is damn scary. Chromium contacts Google when opening the profile picker, loading the addons, listing saved passwords

[–] [email protected] 4 points 9 months ago (1 children)

Why not use Qubes instead of Arch?

[–] [email protected] 1 points 9 months ago

That would be too big performance hit

[–] [email protected] 2 points 9 months ago* (last edited 9 months ago) (1 children)

50 minutes seems way too long - I run Gentoo on a 2nd gen i5 and my kernel compile is always under 20 minutes.

You are using make -j4 or make -j(number of CPU cores) for parallel compile, right?

[–] [email protected] 2 points 9 months ago (1 children)

On laptop with Ryzen 5 5500U (12 threads) it takes 50 minutes and on desktop with Ryzen 7 3700X (16 threads) it takes 20 minutes. I use all threads to compile the kernel.

It compiles way waster with Gentoo, because it has minimal config. I used the default config from Arch repos and modified it. It's full of unneeded drivers, but I'm scared of disabling them. I already disabled wrong drivers a few times and had to use different kernel to boot.

[–] [email protected] 1 points 8 months ago

Currently it takes ~50 minutes to recompile the kernel. Are there any tutorials what drivers to disable to speed up this process?

Step 1: Buy a faster CPU.

The only thing you could do is ccache but that's just a cache and can get invalidated whenever.

After doing that I will try to compile it with -O3 and LTO.

Don't use -O3, especially when your goal is to harden. It has no measurable benefit beyond measurement bias due to memory layout changes and some of its optimisations may produce wrong code which is a big no-no if your goal is to harden.

install ClaimAV

Are you planning to host a file share for Windows system or what are you trying to achieve using ClamAV?

install flatpak versions for every non open-source app

You're going to such lengths and even consider snake oil in order to "harden" your system and then you're telling me you want to run proprietary (often known malicious) software on it?

What are you trying to achieve here? What do you want to protect against whom? Create a proper threat model before you wildly apply "hardening" that is likely ineffective at protecting against the threats that actually matter to you.

I also want to have SELinux.

Good luck with that. Distros with proper SELinux setups (i.e. Android, Redhat) employ teams of people to write SELinux rules for them.

I won't discourage you from learning SELinux but know that setting up SELinux for your entire system when the distro does not support it already is not something you can realistically achieve on your own.

[–] [email protected] 0 points 8 months ago (1 children)

(arch still use systemd)

and linux still not have base system software sandboxed (you can't enforce)

Currently it takes ~50 minutes to recompile the kernel

try make with -j

[–] [email protected] 1 points 8 months ago (1 children)
[–] [email protected] 1 points 8 months ago

who cares how much money do you have, perhaps you have smt enabled?