selinux folder I think is there as a placeholder, for compatibility reasons perhaps.
To improve security there are three areas you want to consider:
1. Security against internet threats
2. Security against software threats
3. Security against physical threats

1. Security against internet threats
For the first, activate your firewall, set it to default deny, and you will be blocking most unsolicited incoming traffic (that is, data coming to your machine without you having requested it--i.e., somebody trying to see if you have services running that they can hack). If you go to Menu > Control Center > Firewall Configuration, unlock it and put a checkmark on enabled you are up and running. Usually your broadband modem also has a built-in firewall, so you were already protected. But better safe than sorry (defense in depth is a good thing; having multiple layers of defenses).
With the "sudo ufw show listening" command run from a terminal, you can see which services are listening to internet ports. On the default installation that is quite a lot. If you take steps, you can reduce it to only dhclient listening on UDP port 68. You need that to get an IP address from your broadband modem (unless you take the step to give your machine a fixed IP address). If you do not need interoperability with Windows or Apple computers, you can disable the Samba (for Windows) and Avahi (for Apple, but also Linux applications like Giver) services.
Code:
# Disable Samba (Windows networking)
sudo initctl stop nmbd
echo manual | sudo tee -a /etc/init/nmbd.override
sudo initctl stop smbd
echo manual | sudo tee -a /etc/init/smbd.override
# Disable Avahi (Zeroconf)
sudo initctl stop avahi-daemon
echo manual | sudo tee -a /etc/init/avahi-daemon.override
You can do a remote ports probe to test your current security. You can check the status of your firewall with "sudo ufw status verbose".

2. Security against software threats
The difference between Linux and Windows is that you can install most software that you need from a trusted source, through the Software Manager from the software repositories of the Linux Mint team and the Ubuntu team. On Windows, if you don't know what you are doing, you download it from who knows where, and surprise surprise it is either malware, spyware, installs a rootkit or it carries a virus. But just as on Windows, if you install software from all kinds of locations, randomly downloaded from the internet, you are just as easy a target on Linux (though the amount of malicious software is less, as Linux is not a primary target due to the low marketshare--Windows and Apple are much more interesting targets). So only install software from trusted sources, preferably through the Software Manager, and that would be your first line of defense (the same strategy applies to Windows, but you don't have a central repository from which you can get your software).
Linux has an advanced filesystem level security model, where files can be locked down so they can only be executed, written to or read by the owner of the file, or a specific group of users. If you are logged in with your normal account, you cannot access system files or system configuration. You can only access your personal files and your personal settings for applications. You are asked to provide your password to do any more than that. Any application is held to the same restrictions.
While that is a good defense against users or programs touching files that they shouldn't, AppArmor and SELinux go much further than that. Basically AppArmor is there to protect the application itself; the application is restricted to be able to do only that which it needs to do. Instead of the filesystem based security model, where you can either say "everybody can access this file" or "only this user or group of users can", AppArmor has a security profile for each application and restricts that application to only doing what it should according to the security profile--on top of the filesystem level security. So even if everybody is allowed to access all files, but this application only needs to be able to access one specific file--it will be prevented by AppArmor from accessing any file other than that one--even though the filesystem level security would have allowed the application to do it. This protects you against bugs in the software, any malicious code that was added by a third party, and also against internet attacks against that application if it connects to the internet.
I don't have experience with SELinux, but it goes much further than AppArmor (hey, it was designed at the NSA). It is also much harder to configure.
AppArmor is relatively easy. To get started, install some standard profiles and enable them all. The latter two commands tell you the status of apparmor and which applications are running unconfined by apparmor.
Code:
sudo apt-get install apparmor-profiles
sudo aa-enforce /etc/apparmor.d/*
To learn more about AppArmor, visit:
https://wiki.ubuntu.com/SecurityTeam/FAQ
https://help.ubuntu.com/community/AppArmor
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles

3. Security against physical threats
Lastly, you should consider physical threats. Who has physical access to your machine while you are away? Can you trust those persons not to do things they shouldn't on your machine? With physical access, a password is not needed to become root and unless you have an encrypted home folder all your personal files can be accessed. Even with an encrypted home folder, or unsafe full disk encryption (safe full disk encryption is when /boot is on a USB stick you keep with you so the machine can't be booted without the USB stick), software could be installed on your machine to run as root and "phone home" the keys you press or your files, after you have logged in to your encrypted system.
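
The listening-services check from section 1, as an added example that is not part of the original post: it compares the current listeners against the post's target state of only dhclient on UDP port 68. It assumes input in the column layout of `ss -H -tulnp` rather than the `ufw show listening` output the post uses; `audit_listeners` and `sample_ss` are hypothetical names and the sample lines are constructed.

```shell
#!/bin/sh
# Added example; audit_listeners and sample_ss are hypothetical helper names.

# Constructed sample in the column layout of `ss -H -tulnp`:
# Netid State Recv-Q Send-Q Local:Port Peer:Port Process
sample_ss() {
    cat <<'EOF'
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=812,fd=6))
udp UNCONN 0 0 0.0.0.0:137 0.0.0.0:* users:(("nmbd",pid=901,fd=13))
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=655,fd=12))
tcp LISTEN 0 50 0.0.0.0:445 0.0.0.0:* users:(("smbd",pid=930,fd=31))
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=700,fd=7))
EOF
}

# audit_listeners ALLOWLIST   (reads ss output on stdin)
# ALLOWLIST: space-separated proto/port/process entries, e.g. "udp/68/dhclient".
# Prints one line per network-reachable listener that is not allowlisted.
audit_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 5 {
        proto = $1; local = $5
        # Port is the text after the last colon; the rest is the address.
        port = local; sub(/^.*:/, "", port)
        addr = substr(local, 1, length(local) - length(port) - 1)
        # Process name is the first quoted string in users:(("name",pid=...)).
        name = "unknown"
        if (match($0, /[(][(]"[^"]+"/)) name = substr($0, RSTART + 3, RLENGTH - 4)
        # Loopback-only sockets cannot be reached from other machines.
        if (addr ~ /^127\./ || addr == "[::1]") next
        key = proto "/" port "/" name
        if (!(key in ok)) print key " on " addr
    }'
}

# Demo on the constructed sample: reports nmbd, avahi-daemon and smbd.
sample_ss | audit_listeners "udp/68/dhclient"
```

On a live system, replace `sample_ss` with `sudo ss -H -tulnp`; an empty result means only allowlisted services are reachable.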
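
The AppArmor confinement check from section 2, as an added example that is not part of the original post: it reads each process's AppArmor label the way the kernel exposes it in `/proc/PID/attr/current` and classifies it as enforced, complain-only or unconfined. The function names are hypothetical, and the demo uses a constructed directory tree in place of `/proc` so it runs anywhere.

```shell
#!/bin/sh
# Added example; confinement_label, report_confinement and
# make_sample_proc are hypothetical helper names.

# confinement_label PROC_ROOT PID
# Prints the AppArmor label of a process, e.g. "/sbin/dhclient (enforce)"
# or "unconfined"; prints "unknown" when the label cannot be read.
confinement_label() {
    f="$1/$2/attr/current"
    if [ -r "$f" ]; then
        tr -d '\0' < "$f" | head -n 1
    else
        echo "unknown"
    fi
}

# report_confinement PROC_ROOT   (reads "PID NAME" lines on stdin)
# Prints "NAME STATE" for each process.
report_confinement() {
    root="$1"
    while read -r pid name; do
        label=$(confinement_label "$root" "$pid")
        case "$label" in
            *"(enforce)")  state=enforced ;;       # violations are blocked
            *"(complain)") state=complain-only ;;  # violations are only logged
            unconfined)    state=UNCONFINED ;;     # no profile applies
            *)             state=unknown ;;
        esac
        echo "$name $state"
    done
}

# Constructed stand-in for /proc with three processes.
make_sample_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/812/attr" "$d/930/attr" "$d/655/attr"
    echo "/sbin/dhclient (enforce)" > "$d/812/attr/current"
    echo "unconfined" > "$d/930/attr/current"
    echo "/usr/sbin/avahi-daemon (complain)" > "$d/655/attr/current"
    echo "$d"
}

# Demo on the constructed tree.
sample=$(make_sample_proc)
printf '812 dhclient\n930 smbd\n655 avahi-daemon\n' | report_confinement "$sample"
rm -rf "$sample"
```

On a live system, pass `/proc` as PROC_ROOT and feed it the PIDs of the listening services; reading other users' processes may need root.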