This page lists the changes I make to a vanilla install of Arch Linux for security hardening, as well as some other changes I find useful. While Arch is my target platform, most of the changes will work on any Linux system that’s reasonably up to date.
I typically favor security over performance. You may also see suggestions merely to make something more useful or shave precious seconds off a wait time. It’s not a one-size-fits-all setup, but hopefully certain pieces of it will be useful.
I chose Arch for a few reasons:
- The install size: The base install is relatively minimal compared to a “prebuilt” distro like Fedora or Mint. This lets me focus on adding just what I want, rather than constantly trying to strip out things I don’t need.
- The kernel: A common misconception about the Linux kernel is that it’s secure, or that one can go a long time without worrying about kernel security updates. Neither of these are even remotely true. New versions of Linux are released almost every week, often containing security fixes buried among the many other changes. These releases typically don’t make explicit mention of the changes having security implications. As a result, many “stable” or “LTS” distributions don’t know which commits should be backported to their old kernels, or even that something needs backporting at all. If the problem has a public CVE assigned to it, maybe your distro will pick it up. Maybe not. Even if a CVE exists, at least in the case of Ubuntu and Debian especially, users are often left with kernels full of known holes for months at a time. Arch doesn’t play the backporting game, instead opting to provide the newest stable releases shortly after they come out.
- The Arch Build System: Having enjoyed the ports system of FreeBSD and OpenBSD for a long time, the ABS has been a pleasure to use. It makes building/rebuilding packages easy. It makes updating packages easy. It shows how things are actually built and with what options. This BSD-borrowed concept makes interacting with the package system simple and intuitive.
Now on to how I set things up.
Parrot is a worldwide community of developers and security specialists that work together to build a shared framework of tools to make their job easier, standardized and more reliable and secure.
Parrot OS, the flagship product of Parrot Security is a GNU/Linux distribution based on Debian and designed with Security and Privacy in mind. It includes a full portable laboratory for all kinds of cyber security operations, from pentesting to digital forensics and reverse engineering, but it also includes everything needed to develop your own software or keep your data secure.
Sometimes you may want to use an untrusted application on your system which has not been tested yet. Running this application on your system may lead to a security issue to your system. In this situation you must run this application in a sandbox. So what is a sandbox? Sandbox means to run an application in a limited environment. In this way you can use an untrusted application without taking care of the security of your system.
Firejail is an SUID (Set User ID) program provided by linux which can be used to minimize the security issues of your system while running untrusted applications in a limited environment. Firejail uses the concept of sandbox to minimize security issues. In this blog we will see how to install and use Firejail in Ubuntu.
While Zoom works on Linux, the application is not free software. As a result, some might be wary of running this directly on their computer. One way of running Zoom without worrying about what it does is to use firejail.
To use Zoom with Firejail, first install Zoom or download the archive. Zoom offers standalone binaries that you can download should your distribution not have a package for Zoom. Once installed, install firejail.
Once both firejail and Zoom are installed we need two things:
- A firejail profile for Zoom
- A directory we can use as the home directory for Zoom, preventing it from messing with your home directory
Firejail is a Linux security SUID program that drastically reduces the risk of security breaches by sandboxing the running environment of untrusted applications. Firejail achieves this by using Linux namespaces and seccomp-bpf which allows the attaching of a system call filter to a process and all its descendants, thus reducing the attack surface of the kernel.
With Firejail installed, you can then launch applications from the command line, such that they have a private view of globally-shared kernel resources–such as the network stack. With this addition to your Linux platform, you’ll gain a heightened level of security to an already secure environment.
Firejail is not limited to graphical applications. In fact, Firejail can sandbox servers, GUI tools, and even user login sessions.
Believe it or not, Firejail is incredibly easy to use. I’m going to walk you through the process of installing and using Firejail.
What makes Firejail so special it qualifies for inclusion in our Essential System Tools feature? Above all, it puts users first.
It’s really easy to install and use. More time to spend actually using software. Most people won’t need any custom configuration. There’s a wide range of software which come with sandbox profiles.
The software helps to reduce the risk of security breaches. It’s lightweight and while it uses CPU cycles, the overhead is remarkably low. Firejail sandboxes do not each run their own copy of a full-blown operating system. Instead they operate in a resource-isolated environment created by standard facilities of your system’s existing Linux kernel. As such, despite the high level of protection offered, the overhead of running a Firejail sandbox is extremely low. So your software, including games, run at full steam, unlike a full virtualisation environment.
Firejail is an excellent tool for the security conscious. While it adds a layer of protection, you should use it with other security tools. We use it mainly for web browsing, and to lock down services.
Firejail is a powerful tool which can be use to sandboxing lot of applications. By default Firejail provides profiles for Chrome, Firefox, Telegram and other famous applications. Wireshark is still missing.
We want to limit the interfaces a user can sniff. To be more specific, we want users capture from bridges interfaces only.
When talking about security many terms come to mind. Hacking, viruses, malware, data loss, etc. Here is our list of the 15 security tools you should be using on your Linux system.
Firejail is a c-based community SUID project that minimizes security breaches by managing the access that applications using Linux namespaces and seccomp-bpf run.
Firejail can easily sandbox server, GUI apps, and login session processes and because it ships with several security profiles for different Linux programs including Mozilla Firefox, VLC, and transmission, it is simple to set up.
Video by Null Byte, Youtube