EOS Security

As EOS has FirewallD enabled as a service in its latest release, I’d like to request further security enhancements on the end-user’s side.

Specifically, I’d like to suggest apparmor and unbound as services pre-installed.

Apparmor is a security framework for Linux. As a mandatory access control system, it controls individual applications and can restrict rights granularly with profiles. If an application (e.g. Firefox) is compromised, the attacker can do little damage to the system if the application runs under apparmor control.
See:
https://wiki.archlinux.org/title/AppArmor#Installation

Unbound is a popular DNS resolver that is technically up to date and is available in the repos of all Linux distributions.
See:
https://wiki.archlinux.org/title/Unbound#Installation

Configuring unbound for tls-upstream dns resolution, one could use this example as an unbound.conf -file, which is not setting up any local dns-server, but just uses unbound to enhance personal privacy and security, while surfing the web (also see https://www.privacy-handbuch.de/handbuch_93c.htm):
————————————————————————----------------------------

server:

tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

trust-anchor-file: trusted-key.key

# verbosity number, 0 is least verbose. 1 is default.

hide-identity: yes
hide-version: yes
root-hints: root.hints

### Forwarding using DNS over TLS:

forward-zone:

name: “.”
forward-tls-upstream: yes

### Begin “Tls-Upstream No-Filter-Section”

# Freifunk München
forward-addr: 195.30.94.28@853#dot.ffmuc.net
forward-addr: 185.150.99.255@853#dot.ffmuc.net

# Digitalcourage e.V.
forward-addr: 5.9.164.112@853#dns3.digitalcourage.de

# Digitale Gesellschaft (CH) DNS Server
forward-addr: 185.95.218.42@853#dns.digitale-gesellschaft.ch
forward-addr: 185.95.218.43@853#dns.digitale-gesellschaft.ch

# Censurfridns Denmark (aka. UncensoredDNS)
forward-addr: 91.239.100.100@853#anycast.censurfridns.dk
forward-addr: 89.233.43.71@853#unicast.censurfridns.dk

# AdGuard DNS-Server OHNE Werbe- und Trackingfilter
forward-addr: 94.140.14.140@853#dns-unfiltered.adguard.com
forward-addr: 94.140.14.141@853#dns-unfiltered.adguard.com

# Mullvad DoT und DoH-Server OHNE Werbe- und Trackingfilter
forward-addr: 194.242.2.2@853#doh.mullvad.net
forward-addr: 193.19.108.2@853#doh.mullvad.net

### Begin “Tls-Upstream Adblocker-Section”

# Dismail.de DNS Server
forward-addr: 80.241.218.68@853#fdns1.dismail.de
forward-addr: 159.69.114.157@853#fdns2.dismail.de

# dnsforge.de DNS Server
forward-addr: 176.9.93.198@853#dnsforge.de
forward-addr: 176.9.1.117@853#dnsforge.de

# BlahDNS DE Server
forward-addr: 78.46.244.143@853#dot-de.blahdns.com
forward-addr: 45.91.92.121@853#dot-ch.blahdns.com
forward-addr: 95.216.212.177@853#dot-fi.blahdns.com

# AdGuard DNS-Server MIT Werbe- und Trackingfilter
forward-addr: 94.140.14.14@853#dns.adguard.com
forward-addr: 94.140.15.15@853#dns.adguard.com

# Mullvad DoT und DoH-Server MIT Werbe- und Trackingfilter
forward-addr: 194.242.2.3@853#adblock.doh.mullvad.net
forward-addr: 193.19.108.3@853#adblock.doh.mullvad.net
1 Like
7 Likes

Hmm… :thinking:

I see some challenges with apparmor. The biggest one would be that it would make the EndeavourOS team responsible for ensuring the profiles are correct and up-to-date and I am not sure we have a big enough team for that.

On the unbound side, finding a default config that would work for everyone in the world seems difficult.

12 Likes

That’s very diplomatic of you! :grin:

5 Likes

The named censorship-free and trusted DNS servers (“Tls-Upstream No-Filter-Section”) with no-logging policy, DNSSEC validation and anti-spoofing protection (test page) can be recommended as an alternative to the providers’ default DNS servers for those who want to switch.

The other DNS servers (“Tls-Upstream Adblocker-Section”) filter advertising, tracking and malware domains at the DNS level. All named projects are operated by independent individuals.

OK! - This is from Central Europe… :grinning:

And OK! - Firejail or apparmor is a matter of choice. :grinning:

2 Likes

Re: Unbound

If you want to use Quad9 to benefit from the good threat protection, you can save your unbound.conf like this:

server:
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
name: "."
forward-tls-upstream: yes

# Quad9 Primary & Secondary DNS Server
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net

(Again.)

I will be very frank…there are other distris that do preconfigure everything you want, EOS is not that distro, and probably should not be.

9 Likes

I salute your being frank, ‘Frank’. :grinning:

And, perhaps, I was very wrong, requesting such things upfront in a new thread. Not thought-through well enough on my end, I guess.

Yet, I wanted to bring apparmor and unbound to the fore-front for users, who are interested in security issues, and ways to tackle something of an all 'round internet-censorship, which seems to be a growing issue during these days, internationally.

No sweat, but

Cheers!

Welcome to forum @ivanhoe

think it good you bring attention for usr that might find useful or not know . People want different thing so that why Endeavouros give you sold basic base… if you want more you add :blush: Better install thing than waste time removing thing you no want/need.

" Your system your rule " Hope you enjoy time on Endeavouros

9 Likes

Thanks! - Love your reply!

:v:

3 Likes

IMHO, as a cybersecurity professional myself, I really think that once you start down the path of wanting to secure your system, you really need to learn and do it yourself.

Some basic security is good for everyone, but the more security you wrap around a system, the more difficult it becomes to troubleshoot if you don’t understand it. Apparmor and SELinux are good examples of this.

YMMV

5 Likes

This is an excellent way to put it.

I have tried exploring adding app armour to my system and it looked way more complicated to set it up and maintain it, so I gave up.

I don’t need that level of security personally for my system.

1 Like

To harden your system run linux-hardened with the kernel command line options recommended by the Kernel Self Protection Project.

Also:

  • install the Opensnitch application firewall
  • run all apps through Firejail (with browser apps also using hardened_malloc) - firejail also has Apparmor support
  • install lkrg-dkms (Linux Kernel Runtime Guard)
  • enable the kernel option module.sig_enforce=1 (so rootkits cannot be inserted).

I run all the above with Apparmor enabled without too many problems.

For a properly hardened kernel consider building your own (so memory addresses are not easily known) If you use any out of tree kernel modules like zfs or nvidia I make it simple to build a kernel with these modules signed too - see arch-sign-modules.

1 Like

I totally agree with this.
I would suggest you create a tutorial topic with all your info for setting up security.
I think #arch-based-related-questions:community-contributions would suite perfectly fine.

1 Like

This is WAY too large of a maintenance burden to be a realistic request for the team to accomplish. The only 2 distros with a well done setup for apparmor or SELinux i know of are Ubuntu and Fedora and their derivatives. It takes a LOT of time and effort to set these up well and EOS along with most other distros simply dont have the resources to do this.

Also configuring unbound for someone who may not have the same needs as another for its use seems like it would also been non trivial to do. I personally dont like unbound and would prefer it not be there.

1 Like

Hardening your system and blocking advertising and tracking requires one thing above all - a lot of time to acquire the necessary knowledge. Not every user with rather average competence has so much time to fight his way through it.

One must not forget that the fewest users attach importance to such things. Mainly because they don’t know enough, but also because they don’t care who gets access to their data.
You also have to have the muse and passion to want to do and have things like this.

As honorable as the thought process may be, I can understand that it is not possible for the EOS team to implement such things. They simply don’t have the time and the manpower.

Many users would certainly be hopelessly overwhelmed with Unbound and Apparmor. Then they would come to the forum with their problems. Who should support all this then? In the end, most would send EOS right back to /dev/null.

3 Likes