I have my firewall configured pretty restrictively. I am attempting to configure AppArmor but it seems to complicated.

How do you secure your desktop?

  • drivewayOP
    link
    fedilink
    arrow-up
    3
    arrow-down
    6
    ·
    11 months ago

    Of course, but it’s too long - it will take a while to apply go through it all and understand them. I’m looking for more practical things I can get done now.

    • www-gem@lemmy.ml
      link
      fedilink
      arrow-up
      6
      ·
      edit-2
      11 months ago

      This page is really to help you defining what would be of concern for you. There are too many use cases and security measures will differ greatly. It is not a step by step guide.
      At the very minimum, since your firewall is already setup, just make sure to keep your firmware up to date with fwupd if your machine supports it and follow the basic good practice below:

      • regularly update your packages
      • do not install intrusted packages
      • use strong and unique passwords
      • run your app tests (if any) within a sandbox

      If you need AppArmor as you mentioned. You should really invest efforts into it. ArchLinux is by nature a demanding distro for its setup. That being said once installed and activated (i.e. litterally 2 commands to run) you should be good to go unless you want to setup additional profiles.

      Once you figured out how to meet your own security needs, you can start the same lengthy process to address your privacy needs ;)

      • drivewayOP
        link
        fedilink
        arrow-up
        1
        ·
        11 months ago

        I am confused about whether I need AppArmor. It’s been installed without configuration for a while now (i.e. in useless form). I’ve come across a project that aims to use it to implement a security model like Android’s. I’ve enforced all their profiles (I needed to unbreak my system by moving some to complain later but better than nothing, I guess). Do I need firejail on top of this? It seems like it’s more for launching untrusted applications and I don’t launch them in the first place.

        • www-gem@lemmy.ml
          link
          fedilink
          arrow-up
          2
          ·
          11 months ago

          If you don’t use untrusted applications, you don’t need firejail.
          Similarly if you don’t need know what Apparmor is used for, just don’t use it. It’s not mandatory and you will take the risky move by not configuring it correctly. Never follow any step by step process based on a shiny title if you don’t fully understand what you’re doing and why you’d need to go that route in the first place.

          Arch is pretty stable and secure with the minimum configuration, especially for “regular” users (no negative meaning here, I’m one of them).

          • drivewayOP
            link
            fedilink
            arrow-up
            2
            ·
            11 months ago

            you will take the risky move by not configuring it correctly.

            Not sure about this one. AFAIU, AppArmor cannot grant permissions not granted by DAC meaning that an incorrect configuration, at worst, will not do anything useful. I’m not seeing the risk here.

            Arch is pretty stable and secure with the minimum configuration

            Can you elaborate on how Arch is secure against things like: me unknowingly running an untrusted program or an AUR package being compromised? Sandboxing, AppArmor, or an AV will not necessarily block all harm from these type of events, but at least they provide some form of mitigation.

            • www-gem@lemmy.ml
              link
              fedilink
              arrow-up
              2
              ·
              11 months ago

              If there may be no risk in using Apparmor misconfigured, it’s still useless and not a good practice to use apps this way. Overall, this was more a general advice because other apps may have more negative effects when not properly configured. It’s good to set up good habits from the start and stick to them.

              I’ve built my answer based on the use-case you exposed (i.e. not using untrusted packages). As I said, if you are now planning on using untrusted packages, you should configure your system appropriately.

              Re: AUR, it’s quite safe. In theory it can be harmful but only if the user is not careful. You should always inspect PKGBUILDs and *.install files when building packages from the AUR (the pacman wrapper you use to download from AUR should have a dialogue which prompts you to do this). I have personally never experienced any troubles using packages from AUR (and I have quite some) because the community is usually pretty vigilant but also because I use only packages maintained for long time by known developers.

              Hope this helps. You can learn more by reading the arch wiki (which is recognized to be the best one so use it at your advantage) and by doing simple searches on the arch forum. Both resources were dramatically helpful to me understanding what arch is, how it works, and what to expect when I started using it 15 years ago.

    • throwawayish@lemmy.ml
      link
      fedilink
      arrow-up
      6
      ·
      edit-2
      11 months ago

      But that’s the nature of the beast. Unless one defines their threat model[1], there’s an ever-expanding list of improvements one might apply to enhance security; with -at some point- (mostly) diminishing returns and we’ve yet to talk about the amount of comfort that’s sacrificed along the way. Therefore, before you do anything else, define your threat model. Afterwards, try to apply step-by-step whatever is required to protect your assets to a degree you’re comfortable with[2]. If, however, this seems like too much work for you, then consider either one of the following:

      • Just go on with your life as if you hadn’t become security-conscious. If you’re just a random person that doesn’t store anything valuable on their device in the first place and isn’t a possible target to more sophisticated groups for whatever reason, then even in the worst-case scenario you can just reinstall your system and be done with it (assuming your home network hasn’t been affected by malicious actors).
      • Reconsider how you want to consume Arch and if Arch Linux is even the right distro for you. Distros like Fedora and openSUSE are better known for maintaining good security defaults and try to ever improve themselves in this regard. Sure, sometimes some of these changes are applied to Arch as well. However, by its very nature, Arch Linux is more akin to a blank slate.Thus, if you actually know what you’re doing, then it’s easier to get Arch Linux to wherever you want[3]. But, becoming that knowledgeable is easier said than done.
      • If you really like Arch, but also really care about your security, then it’s probably best to look into the most impactful changes (security-wise) with the least amount of work associated to it. Simply not using packages from the AUR is one such change for example, if you can afford it…

      1. Digital security and/or cybersecurity is actually just one part of it.
      2. In terms of initial setup, (possible) maintenance and lost comfort.
      3. This even applies to hardening your system.