privacyguides.org/docs/linux-desktop.md
Daniel Gray 8ef8e2a263
Transition to mkdocs (#829)
Co-authored-by: Jonah Aragon <jonah@triplebit.net>
2022-04-02 06:59:03 +10:30


---
icon: fontawesome/brands/linux
---

Linux distributions are commonly recommended for privacy protection and user freedom. Below are some suggestions with some general privacy and security improvements.

## Traditional Distributions

### Fedora Workstation

!!! recommendation

    ![Fedora logo](/assets/img/linux-desktop/fedora-workstation.svg){ align=right }

    **Fedora Workstation** is our recommended distribution for users new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org), and soon, [FS-Verity](https://fedoraproject.org/wiki/Changes/FsVerityRPM). These new technologies often come with improvements in security, privacy, and usability in general.

    [Visit getfedora.org](https://getfedora.org/){ .md-button .md-button--primary }

Fedora has a semi-rolling release cycle. While some packages like GNOME are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.

### openSUSE Tumbleweed

!!! recommendation

    ![openSUSE Tumbleweed logo](/assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }

    **openSUSE Tumbleweed** is a stable [rolling release](https://en.wikipedia.org/wiki/Rolling_release) distribution.

    openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.

    [Visit get.opensuse.org](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary }

Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When the user upgrades their system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by the openSUSE Build Service to ensure its quality.

### Arch Linux

!!! recommendation

    ![Arch logo](/assets/img/linux-desktop/archlinux.svg){ align=right }

    **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).

    [Visit archlinux.org](https://archlinux.org/){ .md-button .md-button--primary }

Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.

Being a DIY distribution, the user is expected to set up and maintain their system. Arch has an official installer to make the installation process a little easier.

A large portion of Arch Linux's packages are reproducible.

## Immutable Distributions

### Fedora Silverblue

!!! recommendation

    ![Fedora Silverblue logo](/assets/img/linux-desktop/fedora-silverblue.svg){ align=right }

    **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.

    [Visit silverblue.fedoraproject.org](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary }

Silverblue (and Kinoite) differ from Fedora Workstation as they replace the DNF package manager with a much more advanced alternative called rpm-ostree. The rpm-ostree package manager works by downloading a base image for the system, then overlaying packages over it in a git-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.

After the update is complete the user will reboot the system into the new deployment. rpm-ostree keeps two deployments of the system so that a user can easily roll back if something breaks in the new deployment. There is also the option to pin more deployments as needed.

Flatpak is the primary package installation method on these distributions, as rpm-ostree is only meant to overlay packages that cannot stay inside of a container on top of the base image.

As an alternative to Flatpaks, there is the option of Toolbox to create Podman containers that share a home directory with the host operating system and mimic a traditional Fedora environment, which is a useful feature for the discerning developer.

### NixOS

!!! recommendation

    ![NixOS logo](/assets/img/linux-desktop/nixos.svg){ align=right }

    **NixOS** is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability.

    [Visit nixos.org](https://nixos.org/){ .md-button .md-button--primary }

NixOS's package manager keeps every version of every package in a different folder in the Nix store. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only.

NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also test the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically return to a working version of your system.

The Nix package manager uses a purely functional language, also called Nix, to define packages.

Nixpkgs (the main source of packages) is contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config.

Nix is a source-based package manager; if there's no pre-built package available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed pure environment, which is as independent of the host system as possible, thus making binaries reproducible.

## Anonymity-Focused Distributions

### Whonix

!!! recommendation

    ![Whonix logo](/assets/img/linux-desktop/whonix.svg){ align=right }

    **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet.

    [Visit whonix.org](https://www.whonix.org/){ .md-button .md-button--primary }

Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway”. All communications from the Workstation have to go through the Tor Gateway, and will be routed through the Tor Network.

Some of its features include Tor Stream Isolation, keystroke anonymization, encrypted swap, and a hardened memory allocator.

Future versions of Whonix will likely include full system AppArmor policies and a sandbox app launcher to fully confine all processes on the system.

Whonix is best used in conjunction with Qubes.

### Tails

!!! recommendation

    ![Tails logo](/assets/img/linux-desktop/tails.svg){ align=right }

    **Tails** is a live operating system based on Debian that routes all communications through Tor.

    It can boot on almost any computer from a DVD, USB stick, or SD card. It aims to preserve privacy and anonymity while circumventing censorship and leaving no trace of itself on the computer it is used on.

    [Visit tails.boum.org](https://tails.boum.org/){ .md-button .md-button--primary }

By design, Tails is meant to completely reset itself after each reboot. Encrypted persistent storage can be configured to store some data.

## GNU/Linux Overview

It is often believed that open source software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn't always the case. It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to code reviews, and how often attention is given to specific parts of the codebase that may go untouched for years.

At the moment, desktop GNU/Linux does have some areas that could be improved when compared to their proprietary counterparts, e.g.:

Despite these drawbacks, desktop GNU/Linux distributions are great if you want to:

- Avoid telemetry that often comes with proprietary operating systems
- Maintain software freedom
- Have purpose built systems such as Whonix or Tails

This page uses the term “Linux” to describe desktop GNU/Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here.

### Release cycle

We highly recommend that you choose distributions which stay close to the stable upstream software releases. This is because frozen release cycle distributions often don't update package versions and fall behind on security updates.

For frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such example) rather than bump the software to the “next version” released by the upstream developer. Some security fixes do not receive a CVE (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result, minor security fixes are sometimes held back until the next major release.

We don't believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. Richard Brown has a presentation about this:

### Traditional vs Atomic updates

Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian-based distributions can be less reliable if an error occurs while updating.

Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic.

A transactional update system takes snapshots before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state”.

The atomic update method is used by immutable distributions like Silverblue, Tumbleweed, and NixOS, which achieve their reliability with this model. Adam Šamalík provided a presentation on how rpm-ostree works with Silverblue:

### “Security-focused” distributions

There is often some confusion about “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch, and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don't include any “extra security” or defensive mitigations intended for regular use.

### Arch-based distributions

Arch-based distributions are not recommended for new users, regardless of the distribution. Arch does not have a distribution update mechanism for the underlying software choices. As a result the user of the system must stay aware of current trends and adopt technologies as they supersede older practices.

For a secure system, the user is also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a mandatory access control system, setting up kernel module blacklists, hardening boot parameters, manipulating sysctl parameters, and knowing what components they need such as Polkit.

Any user using the Arch User Repository (AUR) must be comfortable auditing the PKGBUILDs that they install from that service. AUR packages are user-produced content and are not vetted in any way and are therefore vulnerable to software supply chain attacks, which has in fact happened in the past. AUR should always be used sparingly, and often there is a lot of bad advice on various pages which direct users to blindly use AUR helpers without sufficient warning. Similar warnings apply to using third party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora.

For advanced users, we only recommend Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically:

- Manjaro: This distribution holds packages back for 2 weeks to make sure that their own changes don't break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest libraries from Arch's repositories.
- Garuda: They use Chaotic-AUR which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don't suffer from supply chain attacks.

### Linux-libre kernel and “Libre” distributions

We strongly recommend against using the Linux-libre kernel, since it removes security mitigations and suppresses kernel warnings about vulnerable microcode for ideological reasons.

## General Recommendations

### Drive Encryption

Most Linux distributions have an installer option for enabling Linux Unified Key Setup (LUKS) encryption upon installation.

If this option isn't set at installation time, the user will have to back up their data and re-install, as encryption is applied after disk partitioning but before file systems are formatted.

When securely erasing storage devices such as a Solid-state drive (SSD) you should use the ATA Secure Erase command. This command can be issued from your UEFI setup. If the storage device is a regular hard drive, consider using nwipe.

### Swap

Consider using ZRAM or encrypted swap instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to swap space. Fedora based distributions use ZRAM by default.

### Wayland

We recommend using a desktop environment that supports the Wayland display protocol, as it was developed with security in mind. Its predecessor, X11, does not support GUI isolation, allowing any window to record the screen and to log and inject input in other windows, making any attempt at sandboxing futile. While there are options to do nested X11 such as Xpra or Xephyr, they often come with negative performance consequences, are not convenient to set up, and are not preferable over Wayland.

Fortunately, common environments such as GNOME, KDE, and the window manager Sway have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default and some others may do so in the future as X11 is in hard maintenance mode. If you're using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager (GDM, SDDM).

We recommend against using desktop environments or window managers that do not have Wayland support such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, XFCE, and i3.

### Proprietary firmware (microcode updates)

Linux distributions such as those which are Linux-libre or DIY (Arch Linux) don't come with the proprietary microcode updates that mitigate hardware vulnerabilities. Some notable examples of these vulnerabilities include Spectre, Meltdown, SSB, Foreshadow, MDS, SWAPGS, and other hardware vulnerabilities.

We highly recommend that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default.

## Privacy tweaks

### MAC address randomization

Many desktop Linux distributions (Fedora, openSUSE, etc.) will come with NetworkManager to configure Ethernet and Wi-Fi settings.

It is possible to randomize the MAC address when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you're connected to. It does not make you anonymous.

We recommend changing the setting to random instead of stable, as suggested in the article.

If you are using systemd-networkd, you will need to set `MACAddressPolicy=random` which will enable RFC 7844 (Anonymity Profiles for DHCP Clients).

There isn't much point in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the network switch. Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi firmware.
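As an added example (not part of this page, NetworkManager or systemd), the following Python script holds the two configuration snippets described above, reads back the policy they set, and checks from `ip link` output whether an interface is actually using a randomized address (NetworkManager's random addresses carry the locally-administered bit). The file paths, interface names and MAC addresses are constructed; the `[Match] Type=wlan` pattern in the `.link` file and NetworkManager's `preserve` default are assumptions stated in the code.

```python
"""Configure and verify MAC address randomization (added example; the
interface names, addresses and file paths below are constructed)."""
import configparser

# NetworkManager drop-in, e.g. /etc/NetworkManager/conf.d/00-macrandomize.conf.
# "random" picks a new address for every connection; "stable" (the value the
# page advises moving away from) reuses one address per network. Ethernet is
# left at its default since the page sees little benefit there.
NM_CONF = """\
[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=random
"""

# systemd-networkd equivalent, e.g. /etc/systemd/network/00-wifi.link.
# The [Match] Type=wlan pattern is an assumption for this example.
NETWORKD_LINK = """\
[Match]
Type=wlan

[Link]
MACAddressPolicy=random
"""

# Constructed `ip link` output: the wired port keeps its vendor address while
# the Wi-Fi interface carries a randomized (locally administered) one.
SAMPLE_IP_LINK = """\
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 3c:97:0e:12:34:56 brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether f2:5a:1c:88:2b:90 brd ff:ff:ff:ff:ff:ff
"""


def _keyfile(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names case-sensitive (MACAddressPolicy)
    cp.read_string(text)
    return cp


def nm_mac_policy(conf_text):
    """Effective NetworkManager cloned-mac-address policy for wifi and
    ethernet. "preserve" is NetworkManager's documented default when the
    key is unset (assumed here rather than read from the running daemon)."""
    cp = _keyfile(conf_text)
    return {kind: cp.get("connection", f"{kind}.cloned-mac-address",
                         fallback="preserve")
            for kind in ("wifi", "ethernet")}


def networkd_randomizes(link_text):
    """True when the .link file sets MACAddressPolicy=random in [Link]."""
    return _keyfile(link_text).get("Link", "MACAddressPolicy",
                                   fallback="") == "random"


def is_locally_administered(mac):
    """Randomized addresses set the locally-administered bit (0x02) of the
    first octet and keep the multicast bit (0x01) clear; vendor-assigned
    addresses have the locally-administered bit clear."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not first & 0x01


def interface_macs(ip_link_output):
    """Map interface name -> MAC address from `ip link` output."""
    macs, name = {}, None
    for line in ip_link_output.splitlines():
        if not line.startswith(" ") and ": " in line:
            name = line.split(": ")[1]          # "2: enp3s0: <...>" -> enp3s0
        elif name and line.strip().startswith("link/ether"):
            macs[name] = line.split()[1]
    return macs


def randomized_interfaces(ip_link_output):
    """Names of interfaces whose current address looks randomized."""
    return sorted(name for name, mac in interface_macs(ip_link_output).items()
                  if is_locally_administered(mac))


if __name__ == "__main__":
    print("NetworkManager policy:", nm_mac_policy(NM_CONF))
    print("networkd random:", networkd_randomizes(NETWORKD_LINK))
    print("randomized interfaces:", randomized_interfaces(SAMPLE_IP_LINK))
```

The locally-administered check is only a plausibility test: a vendor address can never have that bit set, so seeing it on the Wi-Fi interface after connecting confirms the policy took effect, while seeing the vendor OUI means the driver or firmware ignored it.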

### Other identifiers

There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your threat model:

### System counting

The Fedora Project counts how many unique systems access its mirrors by using a `countme` variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary.

This option is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use rpm-ostree such as Silverblue, the countme option is disabled by masking the `rpm-ostree-countme` timer.

openSUSE also uses a unique ID to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file.

## Sandboxing and Application confinement

Some sandboxing solutions for desktop Linux distributions do exist, however they are not as strict as those found in macOS or ChromeOS. Applications installed from the package manager (dnf, apt, etc.) typically have no sandboxing or confinement whatsoever. Below are a few projects that aim to solve this problem:

### Flatpak

Flatpak aims to be a universal package manager for Linux. One of its main goals is to provide a universal package format which can be used in most Linux distributions. It provides some permission control. Madaidan points out that Flatpak sandboxing could be improved, as particular Flatpaks often have greater permissions than required. There does seem to be some agreement that this is the case.

Users can restrict applications further by issuing Flatpak overrides. This can be done from the command line or by using Flatseal. Some sample overrides are provided by tommytran732 and rusty-snake.

We generally recommend revoking access to:

- the Network (`share=network`) socket (internet access)
- the PulseAudio socket (for both audio in and out), `device=all` (access to all devices including the camera)
- `org.freedesktop.secrets` dbus (access to secrets stored on your keychain) for applications which do not need it

If an application works natively with Wayland (rather than running through the XWayland compatibility layer), consider revoking its access to the X11 (`socket=x11`) and Inter-process communications (IPC) socket (`share=ipc`) as well.

We also recommend restricting broad filesystem permissions such as `filesystem=home` and `filesystem=host`, which should be revoked and replaced with just the directories that the app needs to access. Some applications like VLC implement the Portals API, which allows a file manager to pass files to the Flatpak application (e.g. VLC) without direct filesystem access privileges. Security is increased because VLC is only able to access the specific file that the user wants to open, rather than any file at any time the application is open.

Hard-coded access to some kernel interfaces like `/sys` and `/proc` and weak seccomp filters unfortunately cannot be secured by the user with Flatpak.
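The override mechanism described above can be audited rather than applied by hand. The following Python script is an added example, not code from this page, Flatpak or Flatseal: it reads an app's `metadata` keyfile and the user's override keyfile (where an entry prefixed with `!` removes a permission), computes the permissions still in effect, and emits the `flatpak override --user` command that revokes the ones listed above. The sample metadata, the sample override and the app id `org.example.Player` are constructed for the example.

```python
"""Audit the effective sandbox permissions of a Flatpak app and build the
override command that revokes the broad ones (added example; the metadata,
override and app id below are constructed)."""
import configparser

# Constructed sample of an app's "metadata" file (the permissions it requests).
SAMPLE_METADATA = """\
[Application]
name=org.example.Player
runtime=org.freedesktop.Platform/x86_64/21.08

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=home;xdg-download;

[Session Bus Policy]
org.freedesktop.secrets=talk
"""

# Constructed sample of ~/.local/share/flatpak/overrides/org.example.Player:
# the user has already unshared the network.
SAMPLE_OVERRIDE = """\
[Context]
shared=!network;
"""

# Permissions the page recommends revoking, with the `flatpak override`
# flag that revokes each.
BROAD = {
    ("shared", "network"): "--unshare=network",
    ("sockets", "pulseaudio"): "--nosocket=pulseaudio",
    ("devices", "all"): "--nodevice=all",
    ("filesystems", "home"): "--nofilesystem=home",
    ("filesystems", "host"): "--nofilesystem=host",
}
# Only worth revoking when the app is Wayland-native (no XWayland).
WAYLAND_ONLY = {
    ("sockets", "x11"): "--nosocket=x11",
    ("shared", "ipc"): "--unshare=ipc",
}
SECRETS_BUS = "org.freedesktop.secrets"


def _keyfile(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # bus names and keys are case-sensitive
    cp.read_string(text)
    return cp


def _items(cp, key):
    """Semicolon-separated list under [Context], or [] when absent."""
    if not cp.has_option("Context", key):
        return []
    return [item for item in cp.get("Context", key).split(";") if item]


def effective_context(metadata, override):
    """Apply the override on top of the metadata: a plain item adds a
    permission, a "!item" entry removes one. Returns sets per key plus the
    merged session bus policy."""
    meta, over = _keyfile(metadata), _keyfile(override)
    ctx = {}
    for key in ("shared", "sockets", "devices", "filesystems"):
        items = set(_items(meta, key))
        for item in _items(over, key):
            if item.startswith("!"):
                items.discard(item[1:])
            else:
                items.add(item)
        ctx[key] = items
    bus = {}
    for cp in (meta, over):
        if cp.has_section("Session Bus Policy"):
            bus.update(cp.items("Session Bus Policy"))
    ctx["session_bus"] = bus
    return ctx


def revoke_flags(metadata, override, wayland_native=False, needs_secrets=False):
    """Flags for `flatpak override` that revoke every broad permission still
    effective after the existing override."""
    ctx = effective_context(metadata, override)
    rules = dict(BROAD)
    if wayland_native:
        rules.update(WAYLAND_ONLY)
    flags = [flag for (key, item), flag in rules.items() if item in ctx[key]]
    if ctx["session_bus"].get(SECRETS_BUS, "none") in ("talk", "own") and not needs_secrets:
        flags.append("--no-talk-name=" + SECRETS_BUS)
    return flags


def override_command(app_id, flags):
    """Per-user override command, or None when nothing is left to revoke."""
    if not flags:
        return None
    return " ".join(["flatpak", "override", "--user", *flags, app_id])


if __name__ == "__main__":
    flags = revoke_flags(SAMPLE_METADATA, SAMPLE_OVERRIDE, wayland_native=True)
    print(override_command("org.example.Player", flags))
```

Running the script with the constructed inputs prints a single command that revokes PulseAudio, all devices, the home directory, X11, IPC and the secrets service for the app; the network is skipped because the existing override already removed it. Replacing `--nofilesystem=home` with the specific directories the app needs is the follow-up step the text describes.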

### Firejail

Firejail is another method of sandboxing. As it is a large setuid binary, it has a large attack surface which may assist in privilege escalation.

The main risk is that Firejail may make the system safer from processes confined by it, but also less safe from processes running outside of Firejail. We don't recommend the use of Firejail.

### Mandatory Access Control

Mandatory access control systems require policy files in order to force constraints on the system.

The two main control systems are SELinux (used on Android and Fedora) and AppArmor.

Fedora includes SELinux preconfigured with some policies that will confine system daemons (background processes). We don't recommend disabling SELinux.

openSUSE gives the choice of AppArmor or SELinux during the installation process. We recommend sticking to the default for each variant (AppArmor for Tumbleweed and SELinux for MicroOS). openSUSE's SELinux policies are derived from Fedora.

Arch and Arch-based operating systems often do not come with a mandatory access control system, and one must be configured manually for either AppArmor or SELinux.

#### Making your own policies/profiles

For advanced users, you can make your own AppArmor profiles, SELinux policies, Bubblewrap profiles, and seccomp blacklists to have better confinement of applications. This is quite a tedious and complicated task so we won't go into detail about how to do it here, but we do have a few projects that you could use as reference.

## Securing Linux containers

If you're running a server you may have heard of Linux Containers, Docker, or Podman which refer to a kind of OS-level virtualization. Containers are more common in server and development environments where individual apps are built to operate independently.

Docker is one of the most common container solutions. It does not run a proper sandbox, and this means that there is a large kernel attack surface. The daemon controls everything and typically runs as root. If it crashes for some reason, all the containers will crash too. The gVisor runtime, which implements an application-level kernel, can help limit the number of syscalls an application can make and can help isolate it from the host's kernel.

Red Hat develops Podman and secures it with SELinux to isolate containers from each other. One of the notable differences between Docker and Podman is that Docker requires root while Podman can run with rootless containers that are also daemonless, meaning if one crashes they don't all come down.

Another option is Kata containers, where virtual machines masquerade as containers. Each Kata container has its own Linux kernel and is isolated from the host.

These container technologies can be useful even for enthusiastic home users who may want to run certain web app software on their local area network (LAN) such as vaultwarden or images provided by linuxserver.io to increase privacy by decreasing dependence on various web services.

## Additional hardening

### Firewalls

A firewall may be used to secure connections to your system. If you're on a public network, the necessity of this may be greater than if you're on a local trusted network that you control. We would generally recommend that you block incoming connections only, unless you're using an application firewall such as OpenSnitch or Portmaster.

Red Hat distributions (such as Fedora) are typically configured through firewalld. Red Hat has plenty of documentation regarding this topic. There is also the Uncomplicated Firewall which can be used as an alternative.

Consider blocking all ports which are not well known or “privileged ports”. That is, ports from 1025 up to 65535. Block both TCP and UDP after the operating system is installed.

If you use Fedora, consider removing the whitelist for smb-client and mdns services if you do not use them.

All these firewalls use the Netfilter framework and therefore cannot protect against malicious programs running on the system. A malicious program could insert its own rules.

If you are using Flatpak packages, you can revoke their network socket access using Flatseal and prevent those applications from accessing your network. This permission is not bypassable.

If you are using non-classic Snap packages on a system with proper snap confinement support (with both AppArmor and CGroupsv1 present), you can use the Snap Store to revoke network permission as well. This is also not bypassable.
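As an added example, not from this page or from firewalld, here is a small Python audit that reads a `firewall-cmd --list-all` zone listing and produces the `firewall-cmd` commands that remove the unused `samba-client` and `mdns` services (`samba-client` is the firewalld service name for what the text above calls smb-client) and any open port or port range overlapping 1025 to 65535, for both TCP and UDP. The zone listing, zone name and interface name below are constructed.

```python
"""Turn a firewalld zone listing into the removals the page recommends
(added example; the listing below is constructed)."""

# Constructed `firewall-cmd --list-all` output for the active zone.
SAMPLE_LIST_ALL = """\
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp2s0
  sources:
  services: dhcpv6-client samba-client ssh mdns
  ports: 1025-65535/udp 1025-65535/tcp 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

UNPRIVILEGED = (1025, 65535)          # the range the page says to block
DROP_SERVICES = ("samba-client", "mdns")  # firewalld names for smb-client/mdns


def parse_zone(text):
    """Return (zone name, {field: [tokens]}) from a --list-all listing."""
    lines = text.splitlines()
    zone = lines[0].split()[0]           # "FedoraWorkstation (active)"
    fields = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        fields[key.strip()] = value.split()
    return zone, fields


def port_range(spec):
    """'8080/tcp' -> (8080, 8080, 'tcp'); '1025-65535/udp' -> (1025, 65535, 'udp')."""
    rng, _, proto = spec.partition("/")
    lo, _, hi = rng.partition("-")
    return int(lo), int(hi or lo), proto


def overlaps_unprivileged(spec):
    """True when any port of the spec falls inside UNPRIVILEGED."""
    lo, hi, _ = port_range(spec)
    return hi >= UNPRIVILEGED[0] and lo <= UNPRIVILEGED[1]


def removal_commands(text, unused_services=DROP_SERVICES):
    """Permanent firewall-cmd removals for unused services and every open
    port overlapping the unprivileged range, followed by a reload."""
    zone, fields = parse_zone(text)
    base = f"firewall-cmd --permanent --zone={zone}"
    cmds = [f"{base} --remove-service={svc}"
            for svc in fields.get("services", []) if svc in unused_services]
    cmds += [f"{base} --remove-port={spec}"
             for spec in fields.get("ports", []) if overlaps_unprivileged(spec)]
    if cmds:
        cmds.append("firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    print("\n".join(removal_commands(SAMPLE_LIST_ALL)))
```

The commands only touch what the listing shows is open, so re-running the audit after `firewall-cmd --reload` should return an empty list; `ssh` and `dhcpv6-client` are left alone because only the services named in `unused_services` are removed.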

### Kernel hardening

There are some additional kernel hardening options such as configuring sysctl keys and kernel command-line parameters which are described in the following pages. We don't recommend you change these options unless you learn about what they do.

Note that setting `kernel.unprivileged_userns_clone=0` will stop Flatpak, Snap (packages that depend on browser-sandbox), Electron based AppImages, Podman, Docker, and LXC containers from working. Do not set this flag if you are using container products.

#### Linux-Hardened

Some distributions like Arch Linux have the `linux-hardened` kernel package. It includes hardening patches and more security-conscious defaults. Linux-Hardened sets `kernel.unprivileged_userns_clone=0` by default. See the warning above about how this might impact you.

### Simultaneous multithreading (SMT)

SMT has been the cause of numerous hardware vulnerabilities, and subsequent patches for those vulnerabilities often come with performance penalties that negate most of the performance gain given by SMT. If you followed the “kernel hardening” section above, some kernel parameters already disable SMT. If the option is available to you, we recommend that you disable it in your firmware as well.
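The two warnings above (the user-namespace sysctl breaking container tooling, and SMT being switched off by kernel parameters) can be checked before a reboot. The following Python script is an added example, not from this page, linux-hardened or any distribution: it merges `sysctl.d` drop-ins the way `systemd-sysctl` documents (files applied in lexicographic filename order, the later file winning for the same key; a single directory is assumed) and reports which installed tools would break if `kernel.unprivileged_userns_clone=0` is in effect, then parses a kernel command line for `nosmt`. The drop-in contents, command line and list of installed tools are constructed.

```python
"""Kernel hardening sanity checks (added example; file contents, the command
line and the set of installed tools are constructed)."""

# Constructed sysctl.d drop-ins keyed by path (one directory assumed).
SAMPLE_SYSCTL_D = {
    "/etc/sysctl.d/50-hardening.conf": """\
# constructed hardening drop-in
kernel.kptr_restrict = 2
kernel.unprivileged_userns_clone = 0
""",
    "/etc/sysctl.d/99-local.conf": """\
kernel.yama.ptrace_scope=2
""",
}

# Constructed /proc/cmdline content.
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/mapper/root ro quiet nosmt"

# Software the page says stops working once unprivileged user namespaces
# are disabled.
USERNS_DEPENDENTS = ("flatpak", "snap", "podman", "docker", "lxc")


def merged_sysctl(files):
    """Merge drop-ins the way systemd-sysctl does: files are applied in
    lexicographic filename order and a later file wins for the same key.
    Accepts both 'key = value' and 'key=value'; '#' and ';' start comments."""
    merged = {}
    for path in sorted(files):
        for line in files[path].splitlines():
            line = line.strip()
            if not line or line[0] in "#;" or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            merged[key] = value
    return merged


def userns_conflicts(files, installed):
    """Installed tools (from USERNS_DEPENDENTS) that will break because the
    merged configuration sets kernel.unprivileged_userns_clone=0."""
    if merged_sysctl(files).get("kernel.unprivileged_userns_clone") != "0":
        return []
    return [tool for tool in USERNS_DEPENDENTS if tool in installed]


def smt_disabled(cmdline):
    """True if the kernel command line turns SMT off, either with the bare
    `nosmt` parameter or via a `mitigations=` list that contains nosmt."""
    params = cmdline.split()
    if "nosmt" in params:
        return True
    return any(p.startswith("mitigations=")
               and "nosmt" in p[len("mitigations="):].split(",")
               for p in params)


if __name__ == "__main__":
    print("merged:", merged_sysctl(SAMPLE_SYSCTL_D))
    print("will break:", userns_conflicts(SAMPLE_SYSCTL_D, {"flatpak", "podman", "vim"}))
    print("SMT disabled by cmdline:", smt_disabled(SAMPLE_CMDLINE))
```

On a real machine the drop-in contents would come from reading `/etc/sysctl.d/*.conf` and the command line from `/proc/cmdline`; the merge order matters because a `99-local.conf` that re-enables the key silently undoes a `50-hardening.conf` that disabled it, which is exactly the case the second test below exercises.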

### Hardened memory allocator

The hardened memory allocator from GrapheneOS can be used on Linux distributions. It is available by default on Whonix and is available as an AUR package on Arch based distributions. If you are using the AUR package, consider setting up `LD_PRELOAD` as described in the Arch Wiki.

### Umask

If you are not using openSUSE, consider changing the default umask for both regular users and root to 077. Changing umask to 077 can break snapper on openSUSE and is not recommended.

### Mountpoint hardening

Consider adding the options `nodev`, `noexec`, and `nosuid` to mountpoints which do not need them. Typically, these could be applied to `/boot`, `/boot/efi`, `/home`, `/root`, and `/var`.

If you use Toolbox, `/var/log/journal` must not have any of those options. If you are on Arch Linux, do not apply `noexec` to `/var/tmp`.
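As an added example, not from this page, here is a Python check over `/etc/fstab` that reports which of the mountpoints listed above still lack `nodev`, `noexec` or `nosuid`, and flags the two caveats by resolving which fstab entry governs `/var/log/journal` and `/var/tmp` (the deepest mountpoint containing the path, so options set on `/var` are inherited by `/var/log/journal` when the latter is not its own mount). The fstab content and its UUIDs are constructed.

```python
"""Check fstab mount options against the page's hardening list and its two
caveats (added example; the fstab below is constructed)."""

HARDENED_MOUNTS = ("/boot", "/boot/efi", "/home", "/root", "/var")
WANTED = ("nodev", "noexec", "nosuid")

# Constructed sample fstab; some entries already carry some options.
SAMPLE_FSTAB = """\
# <file system>                           <mount point>  <type>  <options>                       <dump> <pass>
UUID=11111111-1111-1111-1111-111111111111 /              ext4    defaults                        0 1
UUID=22222222-2222-2222-2222-222222222222 /boot          ext4    defaults,nodev,nosuid           0 2
UUID=3333-3333                            /boot/efi      vfat    umask=0077,nodev,noexec,nosuid  0 2
UUID=44444444-4444-4444-4444-444444444444 /home          ext4    defaults                        0 2
UUID=55555555-5555-5555-5555-555555555555 /var           ext4    defaults,nodev                  0 2
tmpfs                                     /var/tmp       tmpfs   defaults,nodev,nosuid,noexec    0 0
"""


def parse_fstab(text):
    """Return {mountpoint: set(options)} for every non-comment fstab line."""
    mounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:      # fstab needs fs, mountpoint, type, options
            continue
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def governing_mount(mounts, path):
    """The mountpoint whose filesystem contains `path`: the deepest entry
    that is the path itself or one of its ancestors. Falls back to "/"."""
    best = "/"
    for mp in mounts:
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best = mp
    return best


def effective_options(mounts, path):
    """Options in force for `path`, inherited from its governing mount."""
    return mounts.get(governing_mount(mounts, path), set())


def missing_options(text):
    """Map each listed mountpoint that has its own fstab entry to the
    hardening options it still lacks. Mountpoints without their own entry
    are skipped: options can only be set on a separate mount."""
    mounts = parse_fstab(text)
    report = {}
    for mp in HARDENED_MOUNTS:
        if mp in mounts:
            missing = [opt for opt in WANTED if opt not in mounts[mp]]
            if missing:
                report[mp] = missing
    return report


def conflicts(text, uses_toolbox=False, is_arch=False):
    """(path, option) pairs that violate the page's caveats: any of the
    three options reaching /var/log/journal when Toolbox is used, and
    noexec reaching /var/tmp on Arch Linux."""
    mounts = parse_fstab(text)
    found = []
    if uses_toolbox:
        opts = effective_options(mounts, "/var/log/journal")
        found += [("/var/log/journal", opt) for opt in WANTED if opt in opts]
    if is_arch and "noexec" in effective_options(mounts, "/var/tmp"):
        found.append(("/var/tmp", "noexec"))
    return found


if __name__ == "__main__":
    print("missing:", missing_options(SAMPLE_FSTAB))
    print("conflicts:", conflicts(SAMPLE_FSTAB, uses_toolbox=True, is_arch=True))
```

With the sample fstab, `/boot` only lacks `noexec`, `/home` lacks all three, and `/var` lacks `noexec` and `nosuid`; because `/var` carries `nodev`, the Toolbox caveat fires for `/var/log/journal` even though that directory has no entry of its own, and the `noexec` on the `/var/tmp` tmpfs is reported only when `is_arch` is set.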

### Linux Pluggable Authentication Modules (PAM)

There is also further hardening to PAM to secure authentication to your system. 14. PAM has some tips on this.

On Red Hat distributions you can use authselect to configure this, e.g.:

```bash
sudo authselect select <profile_id, default: sssd> with-faillock without-nullok with-pamaccess
```

On systems where pam_faillock is not available, consider using pam_tally2 instead.

### USB port protection

To better protect your USB ports from attacks such as BadUSB we recommend USBGuard. USBGuard has documentation as does the Arch Wiki.

Another alternative option if you're using linux-hardened is the `deny_new_usb` sysctl. See Preventing USB Attacks with linux-hardened.

### Secure Boot

Secure Boot can be used to secure the boot process by preventing the loading of unsigned UEFI drivers or boot loaders. Some guidance for this is provided in 21. Physical security and 21.4 Verified boot.

For further resources on Secure Boot we suggest taking a look at the following for instructional advice:

For background on how Secure Boot works on Linux:

One of the problems with Secure Boot, particularly on Linux, is that only the chainloader (shim), the boot loader (GRUB), and the kernel are verified, and that's where verification stops. The initramfs is often left unverified and unencrypted, which opens the window for an evil maid attack. There are a few things that can be done to reduce risk, such as:

After setting up Secure Boot it is crucial that you set a “firmware password” (also called a “supervisor password”, “BIOS password” or “UEFI password”), otherwise an adversary can simply disable Secure Boot.

These recommendations can make you a little more resistant to evil maid attacks, but they are not as good as a proper verified boot process such as that found on Android, ChromeOS or Windows.