Linux

48031 readers

1404 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

nooter692@lemmy.ml

AgreeableLandscape@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz

Hardening Arch Linux (monero.town)

submitted 8 months ago by chevy9294@monero.town to c/linux@lemmy.ml

23 comments fedilink hide all child comments

Hi, I'm in a process of making fast, (extrenely) secure, and modern laptop. Currently I have Arch Linux with encrypted root partition (unlocked with Nitrokey or long password), secure boot, linux-hardened, firewalld, etc.

I'm running linux-hardened with custom config. I enabled AMD SME, kernel lockdown, added some xanmod patch for more specific cpus, and disabled some unnedded drivers (only those that I'm 100% sure I don't need - Intel, NVidia, Microsoft, Google, Amazon, Virtio). Currently it takes ~50 minutes to recompile the kernel. Are there any tutorials what drivers to disable to speed up this process? After doing that I will try to compile it with -O3 and LTO. Do you know any patches for performance?

I'm planning to enable encrypted swap, install ClaimAV and install flatpak versions for every non open-source app I have.

I also want to have SELinux. Does anyone know where can I learn it? I had it on Fedora and it was not fun using it.

What are other ways I can make my laptop more secure?

you are viewing a single comment's thread
view the rest of the comments

[–] Pantherina@feddit.de 5 points 8 months ago* (last edited 8 months ago) (1 children)

Look at secureblue for more things

hardened malloc (preloading is somewhat complex for flatpaks)
maybe more kargs

That custom kernel sounds very cool. Not sure if replacing it works on Fedora Atomic, would be very much needed

SELinux confined users is also very important, SELinux is kinda contradictory to flatpak though, as they do the same things often and Flatpaks often dont work because they are not built for it.

[–] chevy9294@monero.town 2 points 8 months ago (1 children)

I will try hardened_malloc, I already use it on my phone. I have GrapheneOS.

[–] Pantherina@feddit.de 2 points 8 months ago (1 children)

Same. It works really well, I am doing some kind of project building a hardened Firefox. It has hardened build parameters, removed jemalloc (so it uses hardened_malloc, otherwise it fails to start with memory issues), and I also experiment with various optimization flags as I have a x86_64-v4 intel CPU.

This repo is also interesting.

Secureblue has Chromium preinstalled with a hardening and also privacy policy, but I used googerteller and damn that thing pings Google every second, its scary.

[–] chevy9294@monero.town 1 points 8 months ago (1 children)

Now I've installed it and Librewolf works nornally. Is that normal or is malloc not working or is Librewolf compiled with hardened malloc?

I've heard about googerteller and I never thought someone will use it (except to try it)

[–] Pantherina@feddit.de 3 points 8 months ago

Librewolf uses jemalloc and I have no idea but Flatpak browsers are not broken.

I also asked Fedora people and Fedora Firefox also allows replacing the malloc, but as the package is already removed from the image you cant normally install it back.

Yup, googerteller is damn scary. Chromium contacts Google when opening the profile picker, loading the addons, listing saved passwords