
Tracker: Security / Privacy additions #52

Closed
10 tasks
boredsquirrel opened this issue Feb 28, 2023 · 3 comments
Labels
ref reference for methods

Comments

@boredsquirrel
Collaborator

  • Install Lynis for security audit
  • Hardened Firefox Profile
  • Install & enable opensnitch Application firewall, load configs
  • disable cups and bluetooth by default
  • enable MAC randomization
  • Apply more SELinux rules?
  • other hardening steps
  • Hardened Kernel COPR (maybe dead)
  • hardened Malloc (dead?)
  • firewall rules?
@boredsquirrel
Collaborator Author

boredsquirrel commented Feb 28, 2023

Opensnitch:

xdg-open https://github.com/evilsocket/opensnitch/releases/latest

wget https://github.com/evilsocket/opensnitch/releases/download/v1.5.2/opensnitch-1.5.2-1.x86_64.rpm
wget https://github.com/evilsocket/opensnitch/releases/download/v1.5.2/opensnitch-ui-1.5.2-1.noarch.f29.rpm

# install the downloaded local RPMs (package names alone would be looked up in the enabled repos, where they do not exist)
rpm-ostree install ./opensnitch-1.5.2-1.x86_64.rpm ./opensnitch-ui-1.5.2-1.noarch.f29.rpm && reboot

reboot-script:

# autostart (the autostart directory does not exist on a fresh profile)
mkdir -p ~/.config/autostart
ln -s /usr/share/applications/opensnitch_ui.desktop ~/.config/autostart/

# enable the daemon at boot and start it now
sudo systemctl enable --now opensnitch

# configs (these sed patterns only match the stock values written by the UI;
# a key that already holds a different value is left unchanged)

cd ~/.config/opensnitch

# slow down automatic timeout
sed -i 's/default_timeout=15/default_timeout=99/g' settings.conf

# set to keep rules forever (otherwise resets on reboot)
sed -i 's/default_duration=6/default_duration=7/g' settings.conf

# enable purging old logs
sed -i 's/purge_oldest=false/purge_oldest=true/g' settings.conf

Current Problems:

  • no Repo for opensnitch, trying to set up a COPR but GUI and app share the same Github repo, which could be complicated
  • no pgp verification on download
  • weird behavior: qBittorrent tries to connect to flathub, makes no sense but can't block combinations (allow flathub but block from this app)
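The sed edits in the reboot script only fire when settings.conf still holds the stock value, so a profile where the UI already saved a different timeout is silently left as it was. The following is an added example, not code from the issue or from the opensnitch project: a small POSIX shell helper that sets a key to the wanted value whether or not it is present, exercised against a constructed settings.conf in a temporary directory (the real file lives in ~/.config/opensnitch). The section layout of the sample file is an assumption for the demo; the helper appends missing keys at the end of the file, so on a multi-section file the key lands in the last section.

```shell
# Added example (not from the issue): set an INI key regardless of its current value.
# The sample settings.conf is constructed for this demo.

set_conf_key() {
    # usage: set_conf_key FILE KEY VALUE
    file="$1"; key="$2"; value="$3"
    if grep -q "^${key}=" "$file"; then
        # key present: rewrite whatever value it currently holds
        sed -i "s|^${key}=.*|${key}=${value}|" "$file"
    else
        # key absent: append it (lands in the file's last section)
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

get_conf_key() {
    # usage: get_conf_key FILE KEY -> prints the value (empty if absent)
    sed -n "s|^${2}=||p" "$1"
}

demo_opensnitch_conf() {
    # Constructed settings.conf in a temp dir; timeout is 30, not the stock 15
    dir=$(mktemp -d)
    conf="$dir/settings.conf"
    cat > "$conf" <<'EOF'
[global]
default_timeout=30
default_duration=6
EOF
    # The pattern from the reboot script does not match 30, so nothing changes
    sed -i 's/default_timeout=15/default_timeout=99/g' "$conf"
    naive=$(get_conf_key "$conf" default_timeout)

    # The helper changes the value no matter what it was, and adds the missing key
    set_conf_key "$conf" default_timeout 99
    set_conf_key "$conf" default_duration 7
    set_conf_key "$conf" purge_oldest true
    echo "naive=$naive timeout=$(get_conf_key "$conf" default_timeout) duration=$(get_conf_key "$conf" default_duration) purge=$(get_conf_key "$conf" purge_oldest)"
    rm -rf "$dir"
}
```

Run `demo_opensnitch_conf` to see the naive sed leave the timeout at 30 while the helper produces 99, 7 and true; `sed -i` without a suffix argument assumes GNU sed.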

@boredsquirrel
Collaborator Author

boredsquirrel commented Feb 28, 2023

Mac randomization:

# write the drop-in as root via tee (a plain > redirect runs as the unprivileged user);
# the quoted 'EOF' keeps ${CONNECTION}/${BOOT} literal so NetworkManager, not the shell, expands it
sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf > /dev/null <<'EOF'
[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=stable
ethernet.cloned-mac-address=stable
connection.stable-id=${CONNECTION}/${BOOT}
EOF

sudo systemctl restart NetworkManager

Some say there is a GUI way in GNOME? The KDE interface is not easy to understand if it works (you can set a random number, but afaik no autogeneration. It works per network).

It should be included how to disable randomization on some networks.

# the argument is the connection name or UUID (see `nmcli connection show`), not the router's IP address
nmcli connection modify "<connection-name>" 802-11-wireless.cloned-mac-address permanent
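The stable-id line is the part of this config that is easiest to get wrong: `${CONNECTION}` and `${BOOT}` are NetworkManager tokens, and if the shell expands them first (an unquoted heredoc, or a double-quoted printf string) the file ends up with `connection.stable-id=/`, so every network gets the same "stable" address instead of one per connection and boot. The following is an added example, not code from the issue or from NetworkManager: a shell function that writes the drop-in with a quoted heredoc, a deliberately broken variant with an unquoted heredoc, and a check that reads the stable-id back. The target directory is a parameter so the functions can be run against a temporary directory; pointing them at /etc/NetworkManager/conf.d requires root.

```shell
# Added example (not from the issue): quoted vs. unquoted heredoc for the
# NetworkManager MAC randomization drop-in, plus a read-back check.

write_macrandomize_conf() {
    # usage: write_macrandomize_conf TARGET_DIR   (real system: /etc/NetworkManager/conf.d)
    mkdir -p "$1"
    # 'EOF' in quotes disables parameter expansion inside the heredoc
    cat > "$1/00-macrandomize.conf" <<'EOF'
[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=stable
ethernet.cloned-mac-address=stable
connection.stable-id=${CONNECTION}/${BOOT}
EOF
}

write_macrandomize_conf_broken() {
    # Same stable-id line with an unquoted heredoc: the shell expands the two
    # variables (normally unset), so the line degrades to "connection.stable-id=/".
    mkdir -p "$1"
    ( unset CONNECTION BOOT
      cat > "$1/00-macrandomize.conf" <<EOF
[connection]
connection.stable-id=${CONNECTION}/${BOOT}
EOF
    )
}

stable_id_of() {
    # usage: stable_id_of FILE -> prints the configured connection.stable-id
    sed -n 's/^connection\.stable-id=//p' "$1"
}

check_macrandomize_conf() {
    # returns 0 when the file still carries the literal NetworkManager tokens, 1 otherwise
    case "$(stable_id_of "$1")" in
        '${CONNECTION}/${BOOT}') return 0 ;;
        *) return 1 ;;
    esac
}
```

After writing the real file, `check_macrandomize_conf /etc/NetworkManager/conf.d/00-macrandomize.conf` confirms the tokens survived before NetworkManager is restarted.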

@iaacornus
Collaborator

I'll also merge this with #38

@iaacornus iaacornus closed this as not planned Won't fix, can't repro, duplicate, stale Mar 4, 2023
@iaacornus iaacornus added the ref reference for methods label Mar 4, 2023