Desktop Security

submitted by SayCyberOnceMore edited

I secure systems for my day job. That means installing AV software, ensuring Windows Firewall is ON, etc. (Plus many other things...)

I've seen discussions around disk encryption here, but I don't recall much about malware protection. Maybe a little about personal (desktop) firewalls.

I'm aware of Clam, etc., but is anyone actually using these tools much?

Or are we just presuming we're all immune from the bad guys targeting Windows?


16 Comments

Guenther_Amanita , edited

  • On Linux, you don't download random stuff from the internet, e.g. a new browser. You get it from a central source, usually a package manager, where it is verified and secure.
  • Most stuff is open source, therefore we can check if it does weird stuff. Proprietary software is often seen critically in our community.
  • Linux is usually always updated because of the central update mechanism, so that vulnerabilities are fixed very quickly.
  • Linux has more granular permissions. There's no "allow nothing" (but still too much) or "give random software access to the whole device" like on Windows. Linux software is written to need only as many permissions as needed, but not much more.
  • Containers are big and crucial, especially when immutable distros grow more popular (even better security!). Many of us use Flatpak because of those pros. With them, we can give or remove every permission, like network access, file system, etc.
  • Antivirus is almost useless, it won't always work reliably, see it more as an additional measure. Many AVs are close to being malware themselves. They may act as an indicator, but not as a safeguard against viruses.
  • If you share stuff with people using Windows, ClamAV is still handy.
  • We aren't safe from viruses either, but we try to minimize our attack vector as much as we can with those methods mentioned above.
  • Windows viruses can still be executed with WINE, so use Bottles (container for WINE) when running Windows software.

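
To make the Flatpak permission point concrete, here is an added example (not the commenter's): a POSIX shell audit that reads the [Context] and bus-policy sections printed by `flatpak info --show-permissions`, flags the broad grants, and prints the `flatpak override` commands that would revoke them per user. The permission text and the app ID org.example.App are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of `flatpak info --show-permissions <app>` output: the
# [Context] and bus-policy sections of the app's metadata. Not a real app.
SAMPLE_PERMS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=all;
filesystems=host;xdg-download;~/.ssh:ro;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
'

# audit_flatpak_perms: permission text on stdin, one flagged grant per line.
# Flags whole-host/home filesystem access, ~/.ssh, all devices, the D-Bus
# session/system sockets, network sharing and talk access to the Flatpak service.
audit_flatpak_perms() {
  awk -F= '
    /^\[/ { section = $0; next }
    section == "[Context]" && NF >= 2 {
      n = split($2, vals, ";")
      for (i = 1; i <= n; i++) {
        v = vals[i]; if (v == "") continue
        if ($1 == "filesystems" && (v == "host" || v == "home" || v ~ /^~\/\.ssh/)) print "filesystems=" v
        if ($1 == "devices" && v == "all") print "devices=all"
        if ($1 == "sockets" && (v == "session-bus" || v == "system-bus")) print "sockets=" v
        if ($1 == "shared" && v == "network") print "shared=network"
      }
    }
    section == "[Session Bus Policy]" && $1 == "org.freedesktop.Flatpak" && $2 == "talk" { print "talk=" $1 }
  ' | sort -u
}

# suggest_overrides APP: turn flagged grants (stdin) into per-user override
# commands that revoke them without touching the app's own manifest.
suggest_overrides() {
  app=$1
  while IFS= read -r f; do
    case $f in
      filesystems=*) p=${f#filesystems=}; echo "flatpak override --user --nofilesystem=${p%%:*} $app" ;;
      devices=all)    echo "flatpak override --user --nodevice=all $app" ;;
      sockets=*)      echo "flatpak override --user --nosocket=${f#sockets=} $app" ;;
      shared=network) echo "flatpak override --user --unshare=network $app" ;;
      talk=*)         echo "flatpak override --user --no-talk-name=${f#talk=} $app" ;;
    esac
  done
}

# Run on the constructed sample (on a real system: flatpak info --show-permissions APP).
printf '%s' "$SAMPLE_PERMS" | audit_flatpak_perms | suggest_overrides org.example.App
```

Review the printed commands before running them: an app that genuinely needs a grant (a file manager and `filesystems=host`, say) will stop working without it.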
mvirts

The RHEL machines at work are terrible specifically because of McAfee AV.

Possibly linux

Immutable distros aren't considered secure or reliable by the industry. You need SELinux to secure a device properly.

Guenther_Amanita

Definitely. Having SELinux or AppArmor is very important.
Image-based distros still offer some security and reliability benefits, because they are reproducible and therefore issues can be fixed quicker and easier. Also, at least now, due to the read-only nature of the core parts of the OS, you can't install malware as easily.

Pantherina , edited

On Fedora Atomic (only) any process running from the wheel user can install software without a password prompt. I am fixing this currently.

Also, SELinux is only in use for system processes, all user processes run unconfined.

Possibly linux , edited

Scanning for malware is not really that effective and it probably shouldn't be relied upon. For Linux systems themselves I would look into SELinux as it can tightly control privileges.

Also many features of legitimate software could be considered malware. That includes things like Google analytics and DRM.

Björn Tantau

AV software is usually the antithesis of security.

Up-to-date software and especially not giving every random binary you find on the web execution permissions seemed to be much more effective.

ara

On Linux, you install things from a repository, which makes it harder to install or execute a malicious binary. This reduces the risk of running binaries from unknown sources on the internet; the risks are minimal if you keep your system always up to date, and on Linux that is easier than on Windows: a single command updates each and every component on your system.

NekkoDroid

I don't really bother with AV on my linux system. What I do is just use trusted software from my repos and run containerized applications.

What I am currently working on is using secure boot with a Unified Kernel Image (already doing that) that boots into a read-only /usr/ partition with verity + signature (one UKI only loads a certain partition with a specific signature, or nothing at all). Any other things I need I create a systemd sysext that gets overlayed on top of /usr/ (also read-only) or they get installed as flatpak. For development I would just be using nspawn containers and podman/OCI containers for services that are outside of the other scopes.

This is all based on https://0pointer.net/blog/fitting-everything-together.html which is a nice write-up of what I am doing/following.

That already covers a lot of different attack vectors by just not having my system be modifiable outside of my control or apps just being containerized.

catloaf

What industry? Are you not already maintaining compliance with some security framework? https://www.bitsight.com/blog/7-cybersecurity-frameworks-to-reduce-cyber-risk

Pantherina , edited

Disk encryption is purely for preventing local access to your data. Nothing else.

Then you only download software from official repos and flathub (see my list on how to only allow verified or FOSS apps)

You mount the entire rest of the system non-executable and you have no malware!

Also you should not have a sudo user, use a separate admin with wheel/sudo group.

Those things don't work well yet, so be careful.
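
An added check (not the commenter's) for the noexec advice above: a POSIX shell audit over /proc/mounts lines that reports user-writable mount points lacking noexec/nosuid/nodev and prints the remount commands to review. The mount list and the sample /proc/mounts content are constructed for this example.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
# Not copied from a real machine.
SAMPLE_MOUNTS='/dev/mapper/root / ext4 rw,relatime 0 0
/dev/mapper/home /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=1G 0 0
/dev/sdb1 /var/tmp ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda1 /boot ext4 ro,relatime 0 0
'

# Mount points a normal user can write to; a downloaded file can only be run
# directly if its mount allows execution. Adjust the list to the machine.
WRITABLE_MOUNTS="/home /tmp /var/tmp /dev/shm /run/user/1000"

# check_exec_mounts: /proc/mounts lines on stdin; for each listed mount point
# print "<mountpoint> missing: <options>" when noexec/nosuid/nodev are absent.
check_exec_mounts() {
  while read -r dev mnt fstype opts _; do
    case " $WRITABLE_MOUNTS " in *" $mnt "*) ;; *) continue ;; esac
    missing=""
    for want in noexec nosuid nodev; do
      case ",$opts," in *",$want,"*) ;; *) missing="$missing $want" ;; esac
    done
    if [ -n "$missing" ]; then echo "$mnt missing:$missing"; fi
  done
}

# suggest_remounts: turn findings (stdin) into remount commands to review;
# the same options belong in /etc/fstab so they survive a reboot.
suggest_remounts() {
  while read -r mnt _ opts; do
    echo "mount -o remount,$(echo "$opts" | tr ' ' ',') $mnt"
  done
}

# Run on the constructed sample (on a live system: check_exec_mounts < /proc/mounts).
printf '%s' "$SAMPLE_MOUNTS" | check_exec_mounts | suggest_remounts
```

noexec blocks direct execution of files on that mount but not a script handed to an interpreter, so it narrows the advice above rather than making a system malware-free.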

Throwaway1234

Computing practices (like installing packages from trusted maintainers and the deliberate use (through filling in passwords) for granting privileged access etc.) on Linux are different than on Windows. This already ensures that, simply by virtue of using Linux as it's intended, a Linux user is protected from complete classes of attacks.

Furthermore, the average Linux user is a lot more computer savvy compared to the average Windows user. And I haven't even mentioned the focus on FOSS, the security benefits through obscurity etc.

Of course, Linux isn't impenetrable. In fact, one might argue that its security frameworks on desktop are lacking compared to macOS and perhaps even to Windows (S mode).

Nonetheless, Qubes OS (i.e. the world's most secure desktop OS) heavily relies on and utilizes Linux to do its bidding.

To conclude, there's a lot of nuance to secure computing on Linux. But as long as its user (i.e. the biggest attack vector) holds on to best practices, it should be more than safe. Unless... you seek protection against sophisticated adversaries and their targeted attacks. At that point, I wouldn't trust any desktop OS besides Qubes OS anyway.

Grangle1

> Or are we just presuming we're all immune from the bad guys targeting Windows?

Yes, I find that does tend to be the attitude among most Linux articles/videos/etc. I see on the subject. There's some truth to it, in that from what I understand Linux is immune to much of it, but it's not entirely true. Malware for Linux does exist, so IMO people should not be as complacent about malware as many seem to be, but the community-based open-source nature of most Linux software helps mitigate it SOMEWHAT (NOT entirely, because it's dependent on trusting the community to both want to defend against it and have the skill to do so). Unlike Windows malware defense (to a degree, Windows patches have gotten leagues better than in the past), the primary way Linux stops malware is removing vulnerabilities before they can be exploited. It's another reason you won't see nearly as much Linux malware showing up as on Windows: it can't spread if there's no exploit to spread through. I do still run Clam and a firewall primarily for my own peace of mind because on my system, aside from Clamd using a crap-ton of RAM, they don't really slow it down to a visible degree. Long story short, Linux malware is indeed much rarer than Windows malware, but it does exist and I'm not keen on Linux media people giving the impression that security isn't something to watch for with Linux for the average user.

Possibly linux

The biggest threat on Linux is social engineering. It doesn't take much to get someone to open a file on Linux.

Skull giver

> Or are we just presuming we're all immune from the bad guys targeting Windows?

Kind of, yes. You can install Microsoft Endpoint Security on managed devices, but most Linux people don't run any decently capable antivirus. They just assume they're technically skilled enough not to fall for common virus infections, and pretend the execute bit will protect them from all malware.

Firewalls are common, though. Almost always, they're configured to allow all outgoing traffic and limit incoming traffic, but there are tools that will also restrict outgoing traffic that are packaged with various distros.

Luckily, almost nobody uses Linux, so the common malware doesn't really target Linux users. There is some malware that targets developers (often through dependency management tools like npm/pip/cargo) and I don't think many Linux developers bother to protect against them.

Possibly linux

There were some phishing emails a while back that spread through an archive containing a program.