this post was submitted on 18 Feb 2024
48 points (87.5% liked)

Linux

48040 readers
1409 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Hi, I'm in a process of making fast, (extrenely) secure, and modern laptop. Currently I have Arch Linux with encrypted root partition (unlocked with Nitrokey or long password), secure boot, linux-hardened, firewalld, etc.

I'm running linux-hardened with custom config. I enabled AMD SME, kernel lockdown, added some xanmod patch for more specific cpus, and disabled some unnedded drivers (only those that I'm 100% sure I don't need - Intel, NVidia, Microsoft, Google, Amazon, Virtio). Currently it takes ~50 minutes to recompile the kernel. Are there any tutorials what drivers to disable to speed up this process? After doing that I will try to compile it with -O3 and LTO. Do you know any patches for performance?

I'm planning to enable encrypted swap, install ClaimAV and install flatpak versions for every non open-source app I have.

I also want to have SELinux. Does anyone know where can I learn it? I had it on Fedora and it was not fun using it.

What are other ways I can make my laptop more secure?

you are viewing a single comment's thread
view the rest of the comments
[–] chevy9294@monero.town 2 points 8 months ago (1 children)

Thank you for the list! Do you maybe know where can I find explanations what does each option do? I know only half of them and I already use some of them.

[–] vatson112@lemm.ee 3 points 8 months ago* (last edited 8 months ago) (1 children)

I will describe settings that are not so easy to google and a few new thoughts.

kptr restrict:

https://wiki.archlinux.org/title/security

https://lwn.net/Articles/420403/

Kexec:

You may google about mechanics, but basically, it is just a mechanism to 'reexec' your kernel to something different, usually another kernel, but you can boot netboot.xyz, for example.

But now imagine that it will boot a kernel that will dump the output of all your traffic, or will dump all your keyboard keypresses (keylogger).

These are unlikely scenarios. But I prefer to disable this feature since I don't use it anyway.

Also, about keyloggers. Any program inside your X session may grab all your keyboard events. Literally last week I wrote a keylogger in rust in 70 lines of code. Therefore, use Wayland.

Ebpf JIT:

There I misleaded you.

There is some new information about JIT and security. See https://youtu.be/kvt4wdXEuRU?si=3imn8PAEbvgjWTU3

According to the update, you need to set bpf_jit_harden=2 and unprivileged_bpf_disabled=1. (Even unprivileged ebpf may crash your kernel. For some unknown reason, this is not recognized as a problem.)

Randomize virtual memory address:

https://www.techtarget.com/searchsecurity/definition/address-space-layout-randomization-ASLR#:~:text=Address%20space%20layout%20randomization%20(ASLR)%20is%20a%20memory%2Dprotection,executables%20are%20loaded%20into%20memory.

systemd

If you use systemd your can use systemd-analyze tool to harden your units settings.

Also, I remember the tool you can use.

There are some security certifications - most used are pcidss or stig. There are guidelines to improve security.

You can use openscap with a profile (pcidss or stig or both) and it will check if your system satisfies these guidelines.

This may give you some thoughts.

[–] chevy9294@monero.town 1 points 8 months ago

Thank you very much for this detailed explanation! Looks like kptr and kexec are already disabled and enabled randomized virtual memory address in the hardened kernel. I will check for ebpf. Security certs seem interesting, I will defenetly look into them.