You are viewing a single comment's thread from:

RE: [TUTORIAL] Basic Computer Security [10]

in #technology9 years ago

Great article. Some nice reminders and some things I haven't thought about before. An additional security measure could be to run the browser in a sandbox using an application called firejail (available in the repos). I haven't tested ut myself yet, but it seems relevant to this article. I first read about it here: https://linuxconfig.org/protect-your-system-run-your-browser-in-firejail

Sort:  

What is the difference between firejail, apparmor and SElinux?

Apologies for the delayed reply. I had to do some research to properly answer your question. Some of the following is a bit more technical than my computer skill level is, so I might not be able to elaborate on further details. Anyways, here's a summary of what I found:

Firejail can apparently be used as an additional security layer on top of SELinux and AppArmor, as it sandboxes the applications in a different way. Here's the description of the software from the official project page:

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux control groups.

A member of Wilders Security Forums, summerheat, compares apparmor and firejail like this (Mar 4, 2016):

AppArmor is a Mandatory Access Control (MAC) system which applies a security policy that goes beyond the control provided by the traditional file permissions (Discretionary Access Control - DAC) but is not a sandbox. Firejail uses other technologies like namespaces and seccomp-bpf which sandbox applications, it's therefore an additional security layer. Using both together provides very high security.

Source

Regarding SELinux, I have no experience with it. From what I read at the project website and around internet forums, it seems quite difficult to get up and running. Not saying I wouldn't be up for the challenge at some point, but for the average user it would probaly be way too complicated.

Firejail on the other hand is readily available on most common distros, easy to install and pretty much effortless to use, once in place. Although it might not provide the extra protection of the hardened SELinux-kernel, it would still be better than only the default apparmor. Besides, it can be used on top of SELinux as well

I also found this in-depth review of firejail at Distrowatch interesting.

Thanks for detailed reply.

From what I heard SELinux is very hard to setup and many people complained about it's lack of proper documentation, plus considering it's author, I am not sure if it's wise to use it.

I haven't heard of Firejail before but I will have to look into it. I know Apparmor is available in debian and it can be enabled and configured but it might be hard to do, so I am not sure from where I can get some pre-made config files for it.

Other than that it looks like the MAC systems in Linux are still very new and not widely implemented, I wish they would integrate it better.

The Linux kernel is alrady lightyears ahead of others in terms of security and transparency, why not make it even better?

Coin Marketplace

STEEM 0.04
TRX 0.32
JST 0.098
BTC 63858.62
ETH 1839.66
USDT 1.00
SBD 0.38