Potential topic: Desktop security

David Spoelstra davids at mediamachine.com
Mon Dec 2 11:14:41 EST 2024


Bernie-

Thanks for your thoughts! I'm doing all those things right now.

Unfortunately, I'll miss this month's meeting since I'm in Tokyo getting
ready for bed right now. My current worldwide travel was one of my reasons
for asking - especially since I'll be in Hong Kong in January and I know
that US government employees are no longer allowed to travel there. AAMOF,
I was asking one of them about securing my laptop for the trip and he said,
"Throw it away after you come back home!" 😲

-David

On Tue, Dec 3, 2024 at 1:05 AM Bernie Hoefer <LUG-Member at themoreiknow.info>
wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2024-10-05 15:56 UTC-05:00, David Spoelstra wrote:
> ===
> > I've been seeing more and more warnings about linux desktop
> > vulnerabilities. I've turned on my firewall (ufw) and any other
> > suggestions I've read.
> ===
>
> David, I deeply apologize for not chiming in sooner.  I saw your message
> come into the list but was still catching up from a business trip and then
> preparing for my next one!  After that, your message just got lost in the
> shuffle.  :-(
>
> Making sure that you keep up-to-date on any errata published for your
> desktop GNU/Linux distribution is my 1st suggestion.  Although a firewall
> will protect from outsiders accessing network ports, that doesn't protect
> you if you want a port to be accessible but the daemon is vulnerable.  (For
> example, my laptop has SSH open, even when I'm not on my home network.  I
> feel safe doing that because I've configured it to disallow logins via
> password; I have to be using my SSH key if I am to get in.)
>
> In additional to configuring your firewall, I'd suggest also enabling
> SELinux.  Unless you are using 3rd-party applications from 20 years ago,
> SELinux configurations are no longer an after-thought and it (mostly) "just
> works" on my personal machines.  (Yes, every once-in-awhile I'll get a
> denial after updating a package because the developer made a mistake -- but
> those are easily overcome.)
>
> Erik Montemer's suggestion for using OpenSCAP to evaluate your desktop
> according to the DISA STIG is a good one, though I more generally think of
> it for servers... But upon reflection, I don't see why it couldn't be used
> on a desktop or laptop.
>
>
> ===
> > Is there anyone that can give a comprehensive presentation on linux
> > desktop security?
> ===
>
> You may want to ask both this month's (i.e. December's) and January's
> presenters about that at those respective meetings.  While the December
> topic focuses on RHEL, I'm sure speaker Joshua Loscar has opinions on
> desktop security.  And January's Greg Scott will be speaking on security,
> in general, and I *know* he has opinions there!  :-)
>
>
> -----BEGIN PGP SIGNATURE-----
>
> iF0EARECAB0WIQQepgJdnfsiTmnUzg5yQaapRGpvkwUCZ03apwAKCRByQaapRGpv
> kyE1AJwN4shrPUVuJ6lkpdF4Om2YcXNW5gCgmrnoeWwTN/OiY4WcRJVCN3VVtOQ=
> =f/ts
> -----END PGP SIGNATURE-----
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cinlug.org/pipermail/cinlug/attachments/20241203/5a2449d3/attachment.htm>


More information about the cinlug mailing list