I have very minimal knowledge of Arch/EndeavourOS specifically but I started using Linux in 2007.
Its really embarrasing but I must confess, despite the fact that I have used Linux for so many years I still haven’t learned 2 things namely IPTABLES & Apparmor.
To configure IPTABLES I use ufw which is super easy to enable & configure. The commands that I use after a fresh installation are
and that’s it. The default policy of ufw is to deny all incoming & allow all outgoing.
In case of Apparmor the thing is since the wonderful sandbox tool called Firejail is introduced there is no reason left to struggle with Apparmor. Firejail to is super easy to use & it comes with nice profiles for all popular apps like Firefox, Thunderbird, Hexchat, Pidgin, etc. To launch an app inside a Firejail sandbox all you need to do is this
firejail firefox
firejail hexhat
Have you learned how to configure IPTABLES or Apparmor directly ?
Thanks for that one-liner. Learned something new. I haven’t bothered with gufw because I thought there is nothing special gufw can offer which I cannot achieve with the ufw. Please note that I never open any ports. If I need to open a specific port in that case gufw makes stuff much easier.
There was a IPTABLES helper similar to ufw called Firestarter. It was really awesome. It offered a system tray icon which was really nice. As soon as your Linux box blocked a connection attempt the icon turned RED. Its really unfortunate that its no longer actively developed.
There’s a ufw alternative available. I dont remember the exact name of the package. Its the default firewall configuration tool for Fedora just like ufw is the default on Ubuntu.
This is how it look like >> Click here
I am almost sure this tool is available in the Arch repos.
iptables has mostly been replaced by nftables at this point
For desktop use cases, I think firewalld is a more flexible solution than ufw that is still easy to use
While I suppose firejail is a way to solve the same types of problems that apparmor solves, they aren’t really analogous solutions. Firejail creates a sandbox while apparmor controls what parts of the system a process can access. Further, apparmor works all the time even and doesn’t you require to specifically call it. Some people run both apparmor and firejail.
So in case of Arch/EndeavourOS which one is in use ? IPTABLES or NFTABLES ?
If its NFTABLES can ufw sucessfully control NFTABLES like it controls IPTABLES ?
When you say “flexible” you mean thinks like creating rules & stuff ? I mean opening of specific ports ? In my use case all I want is to close all ports. Not a single one should be open. No listening services. I don’t trust my ISP provided router’s firewall.
So in my case which is better ? ufw or firewalld ?
When I was using Ubuntu I had noticed some system processes were running with their profile in enforce mode while some others ran unrestricted. Problem with Apparmor under Ubuntu was the default profile for Firefox was so poor there was no security whatsoever. I read a number of rants on various forums about this & the common answer to this was that Firefox profile was deliberately made that way coz otherwise normal desktop user will complain they cant use Ubuntu properly. The only solution to this issue was to create a custom apparmor profile for Firefox which although not impossible is quite a difficult task if you are not familiar with apparmor. Then came Firejail & solved all frustrations for intermediate users.
Depends on your system. Arch/EndeavourOS doesn’t control that, you do!
You can check with pacman -Q | grep table
Yes, there is a bridge between them using the package iptables-nft
Either will work, firewalld is better in my opinion. It even has a tray indicator.
The fact that Ubuntu ships with a permissive profile for Firefox doesn’t make the technology good or bad. In fact, I don’t think that firejail vs apparmor is even a good comparison. They are different tools for different use cases. If firejail works better for your use case, great. Like I said, you can get the best of both worlds by combining them. Passive protection for lower risk applications and full sandboxing for high-risk applications.
Please don’t take this the wrong way, I am not advocating for apparmor.
As you know Ubuntu ships with apparmor by default. I just Googled “apparmor arch linux” & found this. To use apparmor under Arch you need to compile the kernel ?
@dalto
Sorry about that this is something I have never tried before. I know that this is my computer & my data in it but still I want to know your opinion. Should I enable apparmor ? Is it worth it ?
Apparmor has low overhead and there are profile bundles available you can easily install. Is it worth it? Probably, especially if used in conjunction with other hardening methods. The key to success with a tool like apparmor is to not think of it as universal protection but instead consider it one way of making your system more secure.
That being said, I don’t use apparmor so it would be hard for me to tell others it is of critical importance.
Honestly I am not eager to install apparmor. The simple reason for that is Arch doesn’t enable it by default. So if the Arch devs thinks its optional I see no reason to worry & the second reason which gives me peace of mind is this statement
What kind of environment are you using this computer in?
1 Trusted, as in a single person dwelling where you are the only person with legal access to the dwelling and you are the only one logging into the computer.
2 Public, as in an Enterprise environment where multiple people are logged into the same computer, or like a college dorm where multiple people have access to the computer.
Trusted: SELinux, apparmor, etc. are less necessary but still useful for peace of mind. If someone hacks in as a user, SELinux and apparmor can limit the damage done by limiting what they would have access to as a user. If someone hacks in as root, all bets are off. Make sure to use solid passwords. In a trusted environment I would think encryption would provide better security. Just my opinion.
Public: More necessary, an administrator could differentiate different users to access different functions as a user.
SELinux was originally developed by the NSA. I am far from being a SELinux expert, but I believe it works as such:
Multiple users using the same computer, but agents with higher security levels could access certain functions and lesser security level agents would be blocked. I don’t think it does much more than that.
I am not sure I fully agree with this. While you are always better off on a trusted network than a public network, I think it has not that much impact to this discussion for a few reasons:
The days where the primary threats were external scans and server compromises are long in the past
Unless your network is totally under your control and you are the only one who uses it, most modern attacks originate from inside your network. This happens via multiple vectors, here are just a few:
Another user, such as a family member, has their device compromised. It doesn’t have to a PC either. It could be a phone or tablet.
A smart device somewhere in your network is compromised. This is more common than most people realize.
A guest joins your network without realizing that their device is already compromised.
The process separation/control that all these technologies try to create is about protecting you from a threat that is already running on your install. For example, a compromised application such as a browser, electron application or a media player. These types of attacks exist on any network.
If we are talking about disk encryption, it mostly protects you against one thing. That is the loss or theft of your physical device. That being said, it is a pretty important thing as theft is, unfortunately, not that uncommon. Loss can also come in multiple ways. It isn’t just about leaving your laptop somewhere. It can also be about failing to wipe a drive before disposing of it. Encryption is definitely an important link in the chain. Without it, you no protection against someone getting a hold of your physical device. An unencrypted device can have the passwords changed trivially. In my opinion, disk encryption is something everyone should be doing.
My understanding of SELinux is a little different than that. I view it as both a fine grained process management tool and also a tool for reporting and auditing on process risks.
I think of it as tool similiar to apparmor, but more advanced and with better controls and reporting. Of course, those additional features/controls bring additional complexity. For me, SELinux is most effective when used on a system that expects it to be there and deploys with prebuilt profiles such as Fedora. Building SELinux rules out from nothing is a somewhat daunting task.
Completely agree. Do not try using SELinux on system where you will be making constant policy exceptions. Trying to use it on Arch for instance will likely be a headache inducing experience, not to mention time consuming.
As to the OP wondering if Apparmor is worth it? Is anything adding to the security of your device worth it? What is the ROI? In this case Apparmor is easy to deploy, and use, with minimal overhead, while occasionally causing some additional administrative tasks. Only you can answer that. Do I htink it is worth it, yes absolutely. I use SELinux systems in enforcing mode all day, and the only thing you really need to remember is that if something is not working like you expect it to, you should put looking at SELinux or Apparmor, at the top of the list right along with firewalls. Outside of that it really is not that hard.
Its 1 Trusted. Please explain what role disk encryption has in a single user environment. I have never used disk encryption. Let me tell you what I know about disk encryption. Suppose someone who doesn’t know my user or root password boots my PC using a live Linux usb drive he can read all my data but if its encrypted that’s not possible. Am I correct ? If yes then what what will I gain by implementing disk encryption when I am the only use who has physical access to my computer ?
What is the full form of ROI ? I didn’t find the answer on Google. I read that the most vulnerable app on any computer is the browser. Since I am using Firefox inside a Firejail sandbox I feel comparatively secure.
You mention you use selinux in enforce mode. Are you using selinux under Arch or is it Fedora?
I have a plan. I will install EndeavourOS inside Virtualbox and try to configure apparmor and see how it goes. I am not ready break my main install.
I once tried to configure selinux under Ubuntu. As soon as I tried to put it in enforce mode everything went haywire. You already explained that selinux/apparmor & Firejail are different tools but still I want to mention my frustration about selinux. Suppose you install Fedora. You will find that Firefox is running inside selinux & suppose then you decide to install Chromium. Chromium will not run with selinux support unless you configure it which as you mentioned is a difficult task. Firejail solves this issue. You just need to run firejail chromium-browser & that’s it. This ease of use is what has made me a Firejail fan.
