Linux Security Made Simple

Linux security can be easier than you think. Here's a guide to reducing your Linux risks with a minimum of effort.
Posted November 23, 2016

Bruce Byfield

From the revelations of Edward Snowden to the potential problems with the Internet of Things and the latest malware, security and privacy are constantly in the news. The trouble is, while everyone is concerned about security and privacy, few know what to do about them. Fortunately, Linux has endless tools to address these problems without requiring that everyone become an expert.

Conditioned by Windows, most Linux users think in terms of reactive measures, such as anti-virus software and firewalls. However, the most effective tools are usually architectural, making changes to the operating system that prevent or contain intrusions in the first place.

For example, one effective tool is umask, which sets the default permissions for the creation of new files and directories. Many distributions set umask so that anyone can view a file, but only the owner can edit it. However, change the default so that only the owner can view or edit a file, and you have significantly increased your system's security.
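The following script, added here as an illustration and not part of the original article, shows how the umask is subtracted from the base mode a program requests (666 for files, 777 for directories), comparing the common distribution default of 022 with the owner-only setting of 077 described above. It creates its probe files in a throwaway temporary directory.

```sh
#!/bin/sh
# Added example: how umask determines the mode of new files and directories.
# A umask clears bits from the base mode a program requests: 666 for regular
# files (no execute bit) and 777 for directories.

# expected_mode BASE UMASK -> octal mode left after the mask is applied
expected_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# mode_under_umask UMASK KIND -> octal mode of a file or directory actually
# created under UMASK (KIND is "file" or "dir"), using a temp dir as a probe.
mode_under_umask() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        if [ "$2" = dir ]; then
            mkdir "$tmp/probe"
        else
            : > "$tmp/probe"
        fi
        # GNU stat first, BSD/macOS stat as a fallback
        stat -c %a "$tmp/probe" 2>/dev/null || stat -f %Lp "$tmp/probe"
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Compare the common distribution default (022: others can read) with the
# owner-only setting (077: only the owner can read or write).
for mask in 022 077; do
    printf 'umask %s: new file %s, new directory %s\n' "$mask" \
        "$(mode_under_umask "$mask" file)" "$(mode_under_umask "$mask" dir)"
done
```

To make 077 permanent for a login shell, the `umask 077` line belongs in the shell's startup file or the system-wide defaults, which is where distributions set the value the article refers to.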

Unfortunately, there are dozens of such tools, so learning them is a formidable task. Even the alternative of using SELinux, which offers the advantage of applying a set of hardening rules with minimal user intervention, is no better, because typically it requires a period of adjustment as users find their preferred balance between security and their own convenience. More than one user has turned SELinux off rather than work with it, which gives an indication of its difficulty.

Inexperienced users are probably best off using an overview or wizard that guides them through the possibilities. However it is achieved, this process is known as hardening.

Shortcuts to Linux Hardening

A decade ago, by far the best general hardening tool was Bastille Linux, especially on Debian and Linux. Sadly, that project is apparently no longer developed or maintained.

All the same, instructions for running Bastille's hardening wizard are still available for Ubuntu, and a description of the wizard's contents is posted by Symantec.

Those who are interested in knowledge as well as results can go through these resources one at a time, researching as needed, and end with a vastly more secure system. Possibly, there would be gaps in hardening a system with these outdated resources, but, then again, possibly not -- the fundamentals of the Linux operating system probably have not changed that much since the last contribution to Bastille.

However, most users, I suspect, are more interested in results. For them, I recommend CISOfy's Lynis, which openly bills itself as an updated version of Bastille. In fact, Lynis is more versatile than Bastille, being less oriented to specific distributions.

Lynis offers several means of installation, including directly from Github, and the basic command is lynis install audit, which runs hundreds of tests. The results are printed to a log file, with suggested actions for each item which fails to meet Lynis' standards.

In addition, Lynis offers a penetration test for vulnerabilities, and the option of running regularly as a cron job. Additional tests can also be added as a plugin.

In addition to running Lynis, you should also check the documentation for your distribution in order to prevent overlooking any unique features. Arch Linux and Debian in particular have detailed hardening references that might be useful for other distributions as well -- particularly Debian, which is the source of many modern distributions, including Ubuntu and Linux Mint. If anything, the difficulty with Debian is finding the most relevant wiki page, depending on whether you are interested in general hardening, kernel hardening, or package hardening for contributors.

Just in case, before making any hardening changes, do a system backup. More than one over-zealous new user has shut themselves out of their own system by not keeping track of the changes they make. Expect, too, to take several hours at the minimum to understand and evaluate all the possible changes -- and, above all, never hurry. If you tire, you can always return to possible changes later.

Desktop Tools and Distributions

Once you have the system hardened, you should give some thought to the tools to use. These include anonymous browsing with Tor, email encryption (an option in most mail readers), and secure chat with Cryptocat. You might also want to start a policy of saving all your personal office documents with a password.

These suggestions assume that you are willing to tinker to get the results you want. If you prefer not to explore your Linux installation in such depth, you might select a security-conscious distribution instead.

If your system has at least 8GB RAM, then Qubes OS might be the distribution for you. Qubes OS not only lets you operate on different color-coded levels of security, but places tools directly into the menu of the desktop environment.

Otherwise, the anarchistically-inclined MOFO Linux might be more what you need, or perhaps the still-in-development Subgraph OS.

And if even making a choice of distributions is more than you care to do? Then as a minimal step, install Firejail. Firejail runs programs in sandboxes, isolating them to minimize the potential harm. It installs with several dozen profiles for common desktop applications, as well as a generic one for anything else. All you need to do is adjust menu items and desktop launchers by prefacing their commands with firejail.

Security and privacy are never-ending topics of study, and beyond what many users want to explore. However, the suggestions here can reduce your risks with a minimum of effort, and just might teach you a few basics despite yourself.

Tags: Linux, Linux security
