Security recommendations for Linux desktop?

Hi there. First post here. I’m not an infosec professional, I just give it a lot of thought. Hopefully I don’t come across like a tin-foil-hat person.

I use a Linux desktop (Fedora) with Firefox, and I think a lot about the various ways I could be pwned. I’m mostly afraid of these kinds of things:

• InfoStealer-type malware, that exfiltrates my cookies, local storage, email, KeePassXC database, you name it. And it’s stealthy, so I could have my various online accounts compromised or my identity stolen without even knowing it until it’s too late.

• Keyloggers. These steal the passwords to the data that I encrypt properly, which go with the data the InfoStealer steals.

• Browser sandbox escapes. These are horrifyingly common lately. And this would be the primary way to get the aforementioned malware running on my machine.

• Supply-chain attacks like the recent xz thing. The sky’s the limit with this kind of thing.

Things that don’t help enough:

• NoScript. Websites no longer “have JS”, instead they “are JS”. That means NoScript becomes a perfect example of the kind of security that I disable whenever it gets in the way.

• Logging out of things when not using them. As long as there’s a window of vulnerability, I might get unlucky.

• Permanent private browsing mode. As I understand it, Firefox processes communicate with each other. So a sandbox escape could steal the in-memory auth tokens from another site. Or there’s always the threat of XSS or CSRF.

• Wayland. More secure than X11, I guess. But PoC keyloggers are easily found for it.

• Firejail. Too many holes in the sandbox. And in the past it has even introduced new vulnerabilities of its own.

What do you fine folks recommend for me to mitigate these risks?

For this specifically, if you’re willing to take the cost of inconvenience, go to about:preferences#privacy and check “Delete cookies and site data when Firefox is closed”.

Use Wayland together with applications that implement portals; i.e. Flatpak applications. These are sandboxed with bwrap, which is generally perceived as more robust than Firejail.

You can manage the application’s access to your home directory with Flatseal or KDE’s Flatpak Permissions KCM. To avoid keyloggers, make sure the application has no access to your home directory and so can’t inject files like ~/.bashrc.

To make sure no Flatpak application can access your home directory, set the global permission like this:

flatpak override --nofilesystem=home --nofilesystem=host --system

--system is the important part here.

You can then selectively override the global permissions with per-app overrides (without --system).

Use Windows applications through the Bottles Flatpak, which has a proper sandbox for all the Windows applications you install.

This is all theoretical, and the way I would do this. I assume it’s accurate. I don’t actually do this, but maybe I should.

Edit: For an idea of how many Flatpak applications use filesystem permissions, there’s this: Flatstat | Graphs

I use uBlock Origin with Javascript and third-party frames disabled by default. I have Toggle Javascript and Relax Blocking Mode mapped to keyboard shortcuts. Disabling Javascript by default already protects you more than most people, as you (likely) won’t be compromised the instant you accidentally click on the wrong link. You need to be intentional about enabling Javascript.

I don’t think there’s much more you can do on the modern web. Aside from browsing in a virtual machine.

Qubes?

I came across this the other day. Let me know how you go. Maybe we need a hardening linux guide hehe

Sandboxes have been getting better over the years. You are not likely to encounter one in the wild, unless you are targeted.

Other sources of infection are more likely.

XSS is mitigated by site isolation

Well, what is the alternative?

Fedora has about 1.500 minimally vetted people who deliver code, so yes, this might be something to think about. Getting good supply chain security on Linux is difficult. You can mitigate some of it by using a company-backed OS and only using their non-community repo, for example Ubuntu with only the “main” repo.

Regarding your browser doubts, some suggestions to improve security, although other ways of infection are usually more common:

• Switch to a Chromium-based browser
• Create a Selinux policy for your browser
• Put your browser in a VM
• Put your browser in amnesic VM

Many other ways of infections can be mitigated through using as much isolation as possible. This can be done through MAC policies, sandboxing or using VMs, maybe even completely switching to QubesOS or GrapheneOS.

Since you are on Fedora, using something like fapolicyd for application control might be worth a look.

Supposedly Linux Firefox is specially behind in this department, no?

Isn’t XSS mitigation the main reason Mullvad Browser includes NoScript on top of uBlock??

Is this a viable suggestion for non-specialists? For AppArmor there are a handful of projects like [roddhjav/apparmor.d: Full set of AppArmor profiles](https://roddhjav/apparmor.d: Full set of AppArmor profiles) and even with pre-made profiles people say it’s already too much of a hassle. No such thing for Selinux it seems.

I wonder if OpenSUSE + trying to set up some AppArmor profiles isn’t an overall better suggestion than Fedora, however difficult life is without apt/rpm.

Chromium ist better in this regard, but at least FF is not as much behind as on Android.

Noscript is part of Tor Browser and needed for whitelisting JS and media in safer and safest mode. Mullvad Browser is just a modified version of Tor Browser. XSS mitigation used to be important, but not that important anymore due to site isolation.

Well, you need to learn how to make a Selinux policy. It’s a lot of work to get into Selinux.

Yes. Such a project does not exist for Selinux. Apparmor is for sure easier than Selinux and the apparmor.d project can help, but you still need to be able to debug things and live with a bit of inconvenience.

openSUSE uses RPM, doesn’t it?

Many distros use Apparmor, for example Ubuntu, Arch (you need to install it) or some openSUSE distros. Red Hat-like distros usually use Selinux. Use whatever you feel comfortable with. All of them are not great in terms of default security, some more, some less. I like sticking to upstream as close as possible on desktop, to at least get all fixes, not just some high severity backports, which is why I use EndeavourOS. I do a lot of hardening on top, but that’s something no distro does for you by default. But I wouldn’t mind so much to use a non-rolling distro, as long as the malware and threat landscape is the way it is now on desktop Linux.

Thanks for all the responses. I’ll be thinking about them for a while.

It seems like it does. It was MicroOS I think that only had zypper.

I was going off PG’s suggestion against Debian, but yeah, that’s fair.

RPM is the package format, used by Fedora, OpenSUSE, Mageia and a few others. (The other big one is DEB used by Debian, Ubuntu, Mint and a few others.)

To make it more complicated, rpm is also a command-line tool to install RPM packages. But this is something you’ll never have to deal with because you will usually use the package manager. (The command-line tool used by Debian and Ubuntu is called dpkg.)

zypper is the package manager that OpenSUSE uses to manage the installation, removal and updating of RPM packages as well as managing dependencies and adding/removing software repositories. Fedora uses dnf for the same tasks and Mageia uses urpmi but all of them are used to manage RPM packages. (Debian and Ubuntu use apt to managed DEB packages.)

On immutable systems, this is abstracted away a bit more; OpenSUSE MicroOS (Aeon/Kalpa) uses transactional-update which in turn tells zypper to do something. Fedora Atomic (Silverblue/Kinoite) uses rpm-ostree which in turn tells dnf to do something.

Then there’s also distro-independent package formats like flatpak, snap, appimage and nix which have their own pros and cons but cannot be used for the base system. (Only exception: Ubuntu Core, but that’s irrelevant here.)

tl;dr OpenSUSE uses RPM packages just like Fedora.

This makes it very clear, thank you!

Wayland. More secure than X11, I guess. But PoC keyloggers are easily found for it.

These do not impact Fedora Gnome or KDE.

When sandboxing, utilize verified flatpaks and restrict as many permissions as feasible.

Additionally, take into account Secureblue.