Desktop Security
submitted 9 months ago by SayCyberOnceMore edited 9 months ago
I secure systems for my day job. That means installing AV software, ensuring Windows Firewall is ON, etc. (Plus many other things...)
I've seen discussions around disk encryption here, but I don't recall much about malware protection. Maybe a little about personal (desktop) firewalls.
I'm aware of Clam, etc, but is anyone actually using these tools much?
Or are we just presuming we're all immune from the bad guys targeting Windows?
the RHEL machines at work are terrible specifically because of McAfee AV
Immutable distros aren't considered secure or reliable by the industry. You need SELinux to secure a device properly.
Definitely. Having SELinux or AppArmor is very important.
Image based distros still offer some security and reliability benefits, because they are reproducible and therefore issues can be fixed quicker and easier. Also, at least now, due to the read-onlyness of the core parts of the OS, you can't install malware as easily.
On Fedora Atomic (only) any process running from the wheel user can install software without a password prompt. I am fixing this currently.
Also, SELinux is only in use for system processes, all user processes run unconfined.
Scanning for malware is not really that effective and it probably shouldn't be relied upon. For Linux systems themselves I would look into SELinux as it can tightly control privileges.
Also many features of legitimate software could be considered malware. That includes things like Google analytics and DRM.
AV software is usually the antithesis of security.
Up-to-date software and especially not giving every random binary you find on the web execution permissions seemed to be much more effective.
On Linux, you install things from a repository, which makes it harder to install or execute a malicious binary. That reduces the risk of running binaries from unknown sources on the internet; the risk is minimal if you keep your system always up to date, and on Linux that is easier than on Windows: a single command updates each and every component on your system.
I don't really bother with AV on my linux system. What I do is just use trusted software from my repos and run containerized applications.
What I am currently working on is using secure boot with a Unified Kernel Image (already doing that) that boots into a read-only /usr/ partition with verity + signature (one UKI only loads a certain partition with a specific signature, or nothing at all). Any other things I need I create as a systemd-sysext that gets overlaid on top of /usr/ (also read-only) or they get installed as flatpak. For development I would just be using nspawn containers and podman/OCI containers for services that are outside of the other scopes. This is all based on https://0pointer.net/blog/fitting-everything-together.html which is a nice write-up of what I am doing/following.
That already covers a lot of different attack vectors by just not having my system be modifiable outside of my control or apps just being containerized.
What industry? Are you not already maintaining compliance with some security framework? https://www.bitsight.com/blog/7-cybersecurity-frameworks-to-reduce-cyber-risk
Disk encryption is purely for preventing local access to your data. Nothing else.
Then you only download software from official repos and flathub (see my list on how to only allow verified or FOSS apps)
You mount the entire rest of the system non-executable and you have no malware!
Also you should not have a sudo user, use a separate admin with wheel/sudo group.
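The read-only /usr idea from the UKI/verity post above and the "mount the rest of the system non-executable" advice in this one boil down to the same property: no filesystem should be both writable and executable. Here is a small check for that, as an added example (not code from anyone in this thread). It reads lines in /proc/self/mounts format; the sample mount table is constructed, and the OK/WARN labels are my own naming:

```shell
#!/bin/sh
# Added example (not from the thread): audit a mount table for filesystems
# that are both writable and executable, i.e. places where a dropped binary
# could be run. Read-only mounts and writable-but-noexec mounts pass.

# Constructed sample in /proc/self/mounts format
# (device mountpoint fstype options dump pass); not from any real machine.
SAMPLE_MOUNTS='/dev/mapper/root / ext4 rw,relatime 0 0
/dev/mapper/usr /usr ext4 ro,nosuid,nodev,relatime 0 0
/dev/mapper/home /home ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/var /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# has_opt OPTS NAME: succeed if NAME appears in the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mounts: read mount lines on stdin and print one verdict per mount:
#   OK   <mountpoint> (read-only)        nothing can be written there
#   OK   <mountpoint> (writable, noexec) writable, but binaries cannot run
#   WARN <mountpoint> (writable+exec)    a binary could be dropped and run
audit_mounts() {
    while read -r _dev mnt _fstype opts _rest; do
        [ -n "$mnt" ] || continue
        if has_opt "$opts" ro; then
            printf 'OK   %s (read-only)\n' "$mnt"
        elif has_opt "$opts" noexec; then
            printf 'OK   %s (writable, noexec)\n' "$mnt"
        else
            printf 'WARN %s (writable+exec)\n' "$mnt"
        fi
    done
}

# writable_exec_mounts TEXT: print only the mountpoints that are both
# writable and executable, one per line.
writable_exec_mounts() {
    printf '%s\n' "$1" | audit_mounts | awk '$1 == "WARN" { print $2 }'
}

# Run against the constructed sample, or against the live system with --live.
if [ "${1:-}" = "--live" ]; then
    audit_mounts < /proc/self/mounts
else
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
fi
```

On the sample, / and /home come out as WARN, which is exactly the gap the fstab-level noexec advice closes. Two caveats worth keeping in mind: noexec stops direct execution of files on that mount but not a script handed to an interpreter that lives on /usr, and a plain ro mount can be remounted by root, which is why the earlier post pairs read-only /usr with dm-verity and a signature rather than relying on the mount flag alone.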
Those things don't work well yet, so be careful.
Computing practices (like installing packages from trusted maintainers and the deliberate use (through filling in passwords) for granting privileged access etc.) on Linux are different than on Windows. This already ensures that (simply by virtue of using Linux as it's intended) a Linux user is protected from complete classes of attacks.
Furthermore, the average Linux user is a lot more computer savvy compared to the average Windows user. And I haven't even mentioned the focus on FOSS, the security benefits through obscurity etc.
Of course, Linux isn't impenetrable. In fact, one might argue that its security frameworks on desktop are lacking compared to macOS and perhaps even to Windows (S mode).
Nonetheless, Qubes OS (i.e. the world's most secure desktop OS) heavily relies on and utilizes Linux to do its bidding.
To conclude, there's a lot of nuance to secure computing on Linux. But as long as its user (i.e. the biggest attack vector) holds on to best practices, it should be more than safe. Unless... you seek protection against sophisticated adversaries and their targeted attacks. At that point, I wouldn't trust any desktop OS besides Qubes OS anyways.
> Or are we just presuming we're all immune from the bad guys targeting Windows?
Yes, I find that does tend to be the attitude among most Linux articles/videos/etc I see on the subject. There's some truth to it, in that from what I understand Linux is immune to much of it, but it's not entirely true. Malware for Linux does exist, so IMO people should not be as complacent about malware as many seem to be, but the community based open-source nature of most Linux software helps mitigate it SOMEWHAT (NOT entirely, because it's dependent on trusting the community to both want to defend against it and have the skill to do so). Unlike Windows malware defense (to a degree, Windows patches have gotten leagues better than in the past), the primary way Linux stops malware is removing vulnerabilities before they can be exploited. It's another reason you won't see nearly as much Linux malware showing up as on Windows: it can't spread if there's no exploit to spread through. I do still run Clam and a firewall primarily for my own peace of mind because on my system aside from Clamd using a crap-ton of RAM they don't really slow it down to a visible degree. Long story short, Linux malware is indeed much rarer than Windows malware, but it does exist and I'm not keen on Linux media people giving the impression that security isn't something to watch for with Linux for the average user.
The biggest threat on Linux is social engineering. It doesn't take much to get someone to open a file on Linux.
Kind of, yes. You can install Microsoft Endpoint Security on managed devices, but most Linux people don't run any decently capable antivirus. They just assume they're technically skilled enough not to fall for common virus infections, and pretend the execute bit will protect them from all malware.
Firewalls are common, though. Almost always, they're configured to allow all outgoing traffic and limit incoming traffic, but there are tools that will also restrict outgoing traffic that are packaged with various distros.
Luckily, almost nobody uses Linux, so the common malware doesn't really target Linux users. There is some malware that targets developers (often through dependency management tools like npm/pip/cargo) and I don't think many Linux developers bother to protect against them.
There were some phishing emails a while back that spread through an active containing a program.
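The firewall remark above (almost always allow-all outbound, limit inbound, with a few distro tools that also restrict outbound) is easy to see in nftables terms. As an added example, not code from anyone in this thread or from any distro's packaged tool, this script generates a default-drop output chain with an explicit TCP port allow-list next to the usual allow-all shape. The table name `desktop_out`, the set name `allowed_tcp` and the port choices are my own illustrative picks:

```shell
#!/bin/sh
# Added example (not from the thread): nftables rulesets for outbound traffic.
# gen_outbound_ruleset prints a default-drop output chain that only lets
# loopback, DNS, established flows and an allow-list of TCP ports out;
# gen_permissive_ruleset prints the allow-everything shape for contrast.
# Table/set names and ports are illustrative choices, not from any distro.

# gen_outbound_ruleset PORT...: print the restrictive ruleset to stdout.
gen_outbound_ruleset() {
    [ $# -gt 0 ] || { echo "usage: gen_outbound_ruleset PORT..." >&2; return 1; }
    ports=$(printf '%s, ' "$@")
    ports=${ports%", "}        # strip the trailing ", "
    cat <<EOF
table inet desktop_out {
    set allowed_tcp {
        type inet_service
        elements = { $ports }
    }
    chain output {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        ct state established,related accept
        ct state invalid drop
        udp dport 53 accept
        tcp dport 53 accept
        tcp dport @allowed_tcp accept
        counter log prefix "outbound-dropped: " drop
    }
}
EOF
}

# gen_permissive_ruleset: the shape most desktop firewalls ship with,
# where everything leaving the host is accepted.
gen_permissive_ruleset() {
    cat <<'EOF'
table inet desktop_out {
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
EOF
}

# Write the restrictive ruleset to a file and, if nft is installed,
# syntax-check it (nft -c validates without applying anything).
main() {
    out=${TMPDIR:-/tmp}/outbound.nft
    gen_outbound_ruleset 80 443 > "$out"
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$out" && echo "ruleset OK: $out" || echo "nft check failed for $out"
    else
        cat "$out"
    fi
}
main "$@"
```

After a clean `nft -c -f` run, `nft -f` as root applies it, and the `counter log` line on the drop rule is what tells you which outbound connections the allow-list is actually blocking. The limitation to keep in mind is that this allow-lists by destination port only, not by destination host or by the process making the connection, so it complements rather than replaces the flatpak and container sandboxing discussed earlier in the thread.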