Hardening Linux is non-realisitic for end users

I have often come across comments that although Linux is insecure and it can be made secure or “hardened”. Sadly some generic hardening guide you stumbled upon are not enough to fix any of these massive security issues. Restricting a few nominal things such as setting some boot parameters is not going to fix this. A few generic security features distributions deploy is not going to fix this. Fedora enables a MAC framework (SELinux) by default but without creating a strict policies and running most processes unconfined does not help.

Another thing I would like to add is that SELinux policies is not something for everyone. For anyone wanting to learn it, here is a Github link for you to try some stuff.

The hardening required for a reasonably secure Linux distribution is far greater than people assume.You would need to completely redesign how the operating system functions and implement full system MAC policies, full verified boot (not just for the kernel but the entire base system), a strong sandboxing architecture, a hardened kernel, widespread use of modern exploit mitigations and plenty more. Even then, your efforts will still be limited by the incompatibility with many of the apps you may use and with the rest of the desktop Linux ecosystem and the general disregard that most have for security.

For the average person looking for Privacy and security, just use Windows,MacOS or ChromeOS and turn off telemetry. If you are skeptical, run Wireshark to analyze network connections. If you are someone who is a bit more advanced, you may try Qubes. Don’t assume Qubes is perfect

Please see - https://madaidans-insecurities.github.io/

posts an article from 2010.


Actually about this: Some people (including me) in the Gentoo hardening room are thinking about ways to “fork” Gentoo with as many security features as possible. Let’s hope that we’ll be able to actually get to a usable point some time in the near future…

1 Like