AppArmor for home. SELinux for professional deployments.
During the configuration period, prior to connecting to the internet, where you are assuming a network compromise by an advanced persistent actor, you harden with whatever is available. The intent being to roll into SELinux. If that isn't happening because you lack the experience or you just don't care enough about the system, then you use things like Snap and AppArmor.
And Tails OS and Tor for the dark web.
My favorite documentation about SELinux is that "SELinux coloring book" Red Hat themselves put out a while back, lol
That sounds more interesting than the PDF haha... and I do not remember that one, probably about the time I moved off of Red Hat back in early 2002
❤ Great video as always. Perhaps a video on configuring AppArmor ... SELinux seems scary haha.
These are the major things I don't really do currently.
I've set up disk encryption (obviously), Firewalls (naturally), secure boot with kernel lockdown, and even the annoying (at least on KDE where there isn't a GUI applet) usbguard.
But MAC is as of yet missing.
I'd like to add one other consideration to your points. And that is compatibility.
At least Arch Linux doesn't officially support SELinux, and if you want to use it, you have to get core system tools from the AUR.
Meanwhile with something like Fedora, it's obviously already set up. All you have to do is live with it (it can certainly mess things up sometimes, at least if you develop software that plugs into the system).
Good points and oh yeah you sure can mess things up, I do have SELinux running on Arch and yep I had to go to the AUR. AppArmor was present but it's version 3.0; the AUR has the latest version 4.0+
@@CyberGizmo btw, while looking around out of interest, I found that the Gentoo Linux Wiki has a nice explanation of SELinux, even with graphics. It's a subpage called Quick introduction.
Perhaps you want to add that to the links. While Red Hat is a major contributor and probably better as a reference, the Gentoo wiki seems better at explaining the idea to me.
firejail your browser and user-space too .. lockdown .. lockdown .. :D
Thank you!
Thx! Am new-ish(5yrs of exploring the vastness) to the *nix world & realms. Your vids help choices to be made quite easier. Much appreciated 👍
Thanks for reminding me that I still need to secure my Arch box
Hi DJ Ware, thanks for sharing this video! I have a few questions:
Supposing I understood well enough how to implement SELinux and AppArmor LSM solutions:
1. Would you say that both can be implemented at the same time?
SELinux for granular security, AppArmor for securing app file access?
2. Have you seen these two co-existing?
Thanks a ton in advance.
might also be important to some that SELinux is developed by the NSA
Not quite, the NSA developed FLASK/TE and SELinux is based on that, but I believe Red Hat developed SELinux. Close though
@@CyberGizmo NSA still has some whitepapers out there from 2002, but at that time it was actually on the main nsa.gov website and I was watching it closely, and at that time there were no Linux flavors I could try it out on. Not sure when or how Red Hat got the right to say they developed it, but the current wiki article shows Red Hat as the developer. I just did a search for NSA SELinux and found 3 of the old whitepapers still out there and available
They wouldn't release code connected to them with known vulnerabilities and backdoors. Other high-level actors would roast them and it would degrade their professional esteem and erode public confidence, which is not a worthwhile trade-off when there are scores of other vulnerabilities they have no connection or official connection with. @@CyberGizmo
How are they applicable for a home lab, workstation, the computers that only one person uses? Needed? Or overkill?
If they are connected to the internet I would recommend checking into one of the two
Setting up an AppArmor profile for Firefox, along with a sane firewall policy, is absolutely a good idea if you ever venture off "big tech" when on the web. Sometimes I need to find obscure technical PDFs that the manufacturer, for whatever reason, doesn't feel like making available anymore. It goes without saying that quite a lot of the sites that host old PDFs are A) Not the epitome of security, and B) Inclined to monetize via "less traditional avenues".
The odds that any given site has a zero-day exploit for Firefox injected/installed are low.... But never zero. The more random sites you visit, the more those "never zero" odds start stacking up against you. For that reason my personal opinion is that a web browser is like promiscuous sex: "Never do it unprotected. Never take anything at face value. Always expect others to be in it for their own gratification".
WDTNTV I hope, look at this 25 min video titled; Butler Co. sheriff addresses what he learned at conference where all the sheriffs from all over the US went to DC Jan 2024 IIRC and talks about Cyber Sec. This has been going on a very, very long time. Why I'm in the process of building a pfSense box that can also handle other VMs and containers, have 64GB of RAM so we'll see, 13th Gen Intel. Wish I would have waited and just gotten that Minisforum MS-01 i9-13... I think. Oops, forgot. Thanks for the vid !!
Thanks DJ
Is this ai generated video title art?
Partially, I always put the fact that I use AI for the thumbnail in my video description, I do it as a remembrance of what Byte Magazine used to do with their cover art (except they did it with real artists) and I do it with AI because I cannot afford to hire a real artist.
Where do you download SELinux? I did a search a few days ago and I received info that indicated the OS was no longer updated...
If you are using Arch, you will find it in the AUR; on any others it's a package. On Fedora and Red Hat it's already installed and configured for you. Hope that helps
@@CyberGizmo thank you, can you do a tutorial to install AppArmor on Arch?
This was an interesting discussion and you covered a topic I’ve been interested in delving into. I have been curious about the differences between AppArmor and SELinux; I’m running Fedora Server on an older desktop as a home lab. Sometimes with SELinux I feel it is too complex for me, but I’m interested in learning it. I may switch to Debian Server or Ubuntu Server and take my time learning AppArmor, and keep Fedora Server within a VM and test it out. I’m an infosec student that’s trying to understand and learn about various security measures to protect my systems.
Interesting video, other good topics could be seccomp or Linux capabilities
I thought about including seccomp in this video, but decided to keep it simple and talk about the two I thought people might have heard about. And that does give me another topic to cover in the future.
TL;DR use SELinux if you have no life and use AppArmor if you take the risk to have no protection at all.
From my experience.. If you use SELinux make sure you have direct access to the machine (if it is bare metal you can walk to it and use a keyboard and perhaps chroot into it.. yea.. don't ask)