Other "secure" operating systems

I appreciate your reply!

I agree, but I see many people on the FreeBSD forum trying to find desktop Apps. I was just using FreeBSD as an example.

What are the real security differences between the most popular Linux distros that have a huge user base, like Linux Mint, Ubuntu and Fedora, and have a huge amount of apps available, compared with the Linux distros that are focused on security?

You are conflating the company wanting to secure its assets with privacy of the employee. The company both wants its assets secure and (to an extent) private. Acknowledge that there’s an inherent tension here, for sure, between the two, as some forms of security demand observability (forensics, monitoring, alerting etc) / transparency (reporting, moderation, auditing, policy enforcement etc).

1 Like

My thing about secure OSes is a lot of people want them, but few people are really dedicated to the learning curves required in achieving it. I’m talking strictly about Linux, which seems to be popular in privacy communities for reasons we all should know by now. But in truth, Linux (and maybe BSD) is probably the hardest operating system to make secure. And by hardest I don’t mean it’s hard…it just isn’t default. The thing about any Linux distro is most won’t necessarily default to the highest security. In fact something like a Chromebook or OS X will default to better security than Linux. With Linux you need to lock it down first.

Making sure you encrypt your drive upon installation is important. Optional but recommended for enhanced security: make sure you partition /root, /home, /var, /tmp into separate partitions. Be strict about using mount options like noexec, nodev, & nosuid.

You need to learn nftables to make a suitable firewall. For noobs, the hardest part will be getting the proper syntax right. I guess if you want a shortcut, you could use a front end like gufw. But I do recommend getting comfortable with the terminal if you want a long-term pleasant Linux experience.

Close off any listening ports you don’t absolutely need and disable any background services you aren’t using. Systemd also offers a way to restrict the running environments of services that are needed, so make sure you do that. Here’s a good entry article that discusses this. Probably should’ve mentioned this earlier, but using Wayland sessions is more secure than X11. So when choosing your desktop environment use something like GNOME or KDE. Or if you want something more customizable, you could use something like Suckless’s DWL (the Wayland version of DWM).

Learning how to use AppArmor is indispensable if you want a truly secure Linux OS. It will help lock down your system on an application level. If, for example, a major zero day exploit is found in an application you’re using, a well defined AppArmor profile could be the difference between that exploit working or not. AppArmor has a slight learning curve, but the hardest part is needing to know which filesystems an app needs access to for basic functionality. Fortunately the AppArmor logs will help you out. An alternative way would be to just put an empty AppArmor profile into enforce mode; this will intentionally break your app. Follow the logs, and amend the denied requests until the app finally launches. This will take longer than running it in complain mode and adding everything to your profile, but it also might be a good thing for a noob to do, just to give them a good idea of which directories a given app needs access to. It may also help in preventing your profile from becoming too permissive.

Attack surface reduction (ASR) is a phrase you may see liberally thrown around. But taking ASR to its logical conclusion would mean trusting as few people as possible and using programs with the smallest, cleanest code possible. How would you do this? Take Debian and Ubuntu for an example. Of the two, Debian is better. Why? With Ubuntu you’re not only trusting the Debian team but also Canonical. Reduce the amount of people you need to trust. Secondly, don’t use bloated code. I’m not a dev or programmer, but there’s an old rule of thumb that for every 1,000 lines of code (LOC) there’s about 10 bugs. Minimalist distros, like Gentoo, Alpine, & Void come out on top in this regard. They’re systemd-free and you can run the Musl library instead of GNU.

Only downloading your software from your package managers is also a good practice to get into. One of the biggest vectors of attack Windows normies have that Linux users don’t is they oftentimes download their programs from suspect third-party sites. Most don’t know or even care about GPG verification either. When downloading from a trusted package manager, all of this is taken care of by default. One thing that is slightly annoying though is some package managers, like the one on Arch for example, will default to http mirrors. Tweaking this to only allow http(s) mirrors would be best. You can even configure pacman (or apt in Debian, or xbps in Void) to download over Tor. Some distros offer onion mirrors as well; take advantage of this and use them.

Another important thing to learn is proper anti-forensic techniques when handling data. Never use commands like “rm” to delete data. Always use “shred”. You can also overwrite sensitive files utilizing /dev/urandom.

All in all, you do all of this and Linux will be pretty damn secure. The problem is some people think it’s as easy as booting into a fresh Linux install and you’re done. Which isn’t necessarily the case.

Will say one thing though, security also starts before you even get to your operating system. Hardware, not just software, should be factored in if your threat model accounts for it. Do you have wireless cards and Bluetooth capability? If so, disable them. Do you use an SSD or HDD? SSDs will require more overwrites to forensically clean. This is a double-edged sword too, because the more you overwrite an SSD the faster it wears down. HDDs are probably going to last longer if you overwrite your SSD frequently. Also it’s good practice to never use legacy boot. Make sure you’re using either UEFI secure boot or, if you’re technically sophisticated enough, you could flash your BIOS with open-source firmware, like Coreboot, and then use Coreboot’s verified boot. The latter is probably better considering there are no proprietary blobs, but UEFI is a soft compromise for people who don’t know how to flash their BIOS, which, if done improperly, will brick your system.

2 Likes
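Two of the checks in the post above (mount options on the split-out partitions, and which ports are listening on a non-loopback address) as a small POSIX sh audit. This is an added example, not code from the thread; it reads constructed /proc/mounts-style and `ss -Hltn`-style text so it runs offline, and the check list (nodev/nosuid on /home and /var, plus noexec on /tmp) is this example's own choice, not a standard.

```shell
#!/bin/sh
# Added example: audit mount options and public listeners from text input.
# On a real host, feed it "$(cat /proc/mounts)" and "$(ss -Hltn)" instead.

# Constructed sample: /home is missing nodev (one finding expected)
WEAK_MOUNTS='/dev/mapper/root / ext4 rw,relatime 0 0
/dev/mapper/home /home ext4 rw,nosuid,relatime 0 0
/dev/mapper/var /var ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

# Constructed sample: every option on the check list is present
HARD_MOUNTS='/dev/mapper/root / ext4 rw,relatime 0 0
/dev/mapper/home /home ext4 rw,nosuid,nodev,relatime 0 0
/dev/mapper/var /var ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

# has_opt MOUNTS MOUNTPOINT OPTION: succeeds when OPTION is set on MOUNTPOINT
has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == opt) f = 1 }
        END { exit f ? 0 : 1 }'
}

# count_missing MOUNTS: reports each missing option on stderr, prints the count
count_missing() {
    missing=0
    for spec in /home:nodev /home:nosuid /var:nodev /var:nosuid \
                /tmp:nodev /tmp:nosuid /tmp:noexec; do
        if ! has_opt "$1" "${spec%%:*}" "${spec##*:}"; then
            echo "MISSING: ${spec##*:} on ${spec%%:*}" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Constructed sample of `ss -Hltn`: sshd on all interfaces, CUPS on loopback only
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# public_ports SS_OUTPUT: prints the distinct ports bound to a non-loopback address
public_ports() {
    printf '%s\n' "$1" | awk '
        $4 !~ /^(127\.|\[::1\])/ { sub(/.*:/, "", $4); if (!seen[$4]++) out = out (out ? " " : "") $4 }
        END { print out }'
}
```

Only loopback-bound services are filtered out; anything else listed by `public_ports` is what the post means by a listening port you should either need or close.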

In David Bombal’s How to be Invisible Online (and the hard truth about it)… At 46:40, Occupy The Web (OTW) suggests Subgraph OS. Although it is an alpha. Personally I’d say stick to Qubes OS if you can or Tails OS otherwise.

We had a good thing going on with ChromeOS, alas it looks like it is on its last legs… Indications are that the team being folded into Android will make some form of Android Desktop happen? I guess a Graphene-like fork of it isn’t that far off, either, given Google designs its own “Pixelbook” hardware.

Until all of that happens, I like what secureblue (thread) is doing.

1 Like

A GrapheneOS laptop is the dream.

2 Likes

Don’t use Subgraph OS, Subgraph died many years ago.

I remember using Subgraph OS because my laptop could not use Qubes.

2 Likes

Genode: “The Genode OS Framework is a tool kit for building highly secure special-purpose operating systems. It scales from embedded systems with as little as 4 MB of memory to highly dynamic general-purpose workloads.”

It takes getting used to using it, but one can use it as their daily OS.

3 Likes

Both are charlatans.