Linux Network and Security Controls

• /etc/hosts file:
  
  Purpose of /etc/hosts, from someone on reddit:
  "Functionally, it's just a way to say 'map this name to this IP address', like any other DNS resolution method. But it's useful for anything particular to your local machine. Typically it will at least include a mapping from localhost to 127.0.0.1, which can be useful for lots of things including local web development (bind your server to a local port and then just type 'localhost' in your browser). Also can use to override public domain names (temporarily, for debugging), or give friendly names to IP addresses (such as VPSs on cloud services)."
  
  MintGuide's "Hosts - change and manage the /etc/hosts file"
  hectorm / hBlock
  Wikipedia's "hosts (file)"
  "man 5 hosts"
  
  
  
  
• iptables:
  
  "modinfo ip_tables"
  
  

  There are 5 "tables": filter, nat, mangle, raw, security. We only care about the filter table, which has these built-in "chains" of rules: INPUT, FORWARD, OUTPUT. You can create new chains if you wish. Each rule ends with an action which can be: ACCEPT, DROP, LOG, or name of another chain. (There is more, but that's all we need to know.)
  
  To see how much traffic is passing through each section of rules in filter table, do "sudo iptables -L -v" (can reset counters via "sudo iptables -Z"). On my system, with Windscribe VPN active, after doing a bunch of downloading, that gives:

  
  
  Chain INPUT (policy ACCEPT 2005K packets, 2860M bytes)
   pkts bytes target     prot opt in     out     source               destination
  
  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination
  
  Chain OUTPUT (policy DROP 306 packets, 21425 bytes)
   pkts bytes target     prot opt in     out     source               destination
    486 75925 ACCEPT     all  --  any    any     anywhere             192.168.0.0/16
   1104 72461 ACCEPT     all  --  any    any     anywhere             10.0.0.0/8
      0     0 ACCEPT     all  --  any    any     anywhere             172.16.0.0/12
   495K  860M ACCEPT     all  --  any    any     anywhere             localhost
   1339  139K ACCEPT     all  --  any    any     anywhere             104.20.122.38
   1369  143K ACCEPT     all  --  any    any     anywhere             104.20.123.38
   417K   55M ACCEPT     all  --  any    tun+    anywhere             anywhere
      0     0 ACCEPT     all  --  any    any     anywhere             localhost
   423K   78M ACCEPT     all  --  any    any     anywhere             89.238.nnn.nnn
  

  So my system is doing no routing ("FORWARDing"). And if no rule is matched, the packet gets DROPped if it is output, ACCEPTed if it is input.
  
  To block SSH connections from any address, do "sudo iptables -A INPUT -p tcp --dport ssh -j DROP". Can do the same with http and https if you're not running a web server.
  
  There is "ip6tables" which is separate but mostly has the same syntax as "iptables".
  
  There is a "conntrack" module which lets you do things such as "ctstate" in rules.
  
  To save changes so they survive across system restart, on Ubuntu-type systems, do "sudo apt install iptables-persistent", then turn off Windscribe VPN and firewall, then do "sudo su", and then "iptables-save >/etc/iptables/rules.v4" and "ip6tables-save >/etc/iptables/rules.v6".
  
  You can write commands such as "-P INPUT DROP" into a file such as "iptables.txt" and then run "sudo su" then "iptables-restore <iptable.txt"
  
  How-To Geek's "The Beginner's Guide to iptables, the Linux Firewall"
  Supriyo Biswas's "An In-Depth Guide to iptables, the Linux Firewall"
  Vivek Gite's "Iptables Netfilter Firewall Examples"
  Sagar Sharma's "The Beginner's Guide to IPTables (Linux Firewall) Commands"
  Mitchell Anicas's "Iptables Essentials: Common Firewall Rules and Commands"
  IP sets
  iptables-vis - visualise iptables chains
  
  I ran a bash file with commands:

  
  iptables -P INPUT DROP
  iptables -I INPUT -i lo -j ACCEPT
  iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -P FORWARD DROP
  

  Ran Windscribe VPN client which resulted ("iptables -L") in:

  
  Chain INPUT (policy DROP)
  target     prot opt source               destination
  ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
  ACCEPT     all  --  anywhere             anywhere
  
  Chain FORWARD (policy DROP)
  target     prot opt source               destination
  
  Chain OUTPUT (policy DROP)
  target     prot opt source               destination
  ACCEPT     all  --  anywhere             192.168.0.0/16
  ACCEPT     all  --  anywhere             10.0.0.0/8
  ACCEPT     all  --  anywhere             172.16.0.0/12
  ACCEPT     all  --  anywhere             localhost
  ACCEPT     all  --  anywhere             104.20.123.38
  ACCEPT     all  --  anywhere             104.20.122.38
  ACCEPT     all  --  anywhere             anywhere
  ACCEPT     all  --  anywhere             localhost
  ACCEPT     all  --  anywhere             89.238.nnn.nnn
  

  That anywhere-anywhere rule actually has "out=tun+" attached to it (can see that via "iptables -L -v"), so all that traffic goes through the VPN.
  
  Put DROP on all IPv6 chains; my ISP doesn't support IPv6.
  
  Ran a couple of net-testing apps on my phone (which is on my LAN), targeting my PC, and they show all ports blocked, no response to ping, no services offered.
  
  If you want to log packets that don't match any rule, and end up getting DROPed by the chain policy, add a rule at the END of the chain via a command such as "iptables -A FORWARD -m limit --limit 1/minute -j LOG".
  
  Default logfile for iptables is /var/log/kern.log;
  "sudo dmesg -T" command shows same log, with some useful coloring added.
  
  I would like to log/detect all applications that create output connections. But it seems this is very difficult to do in a human-readable way:
  Super User's "With Linux iptables, is it possible to log the process/command name that initiates an outbound connection?"
  Akkana's "Find out what processes are making network connections"
  
  You can get instantaneous snapshots (not cumulative logs) by running "ss -tp" or "netstat -A inet -p".
  
  To see IP address and other details about each network interface, run "ip -d address".
  
  I want to log any incoming attempts on protocols/ports I don't use.
  
  Found this: "You can add the --syn flag to make the rule match only packets with the SYN flag set, which is set only on new connection attempts."
  
  Maybe do this:
  "iptables -I INPUT -p tcp --dport ssh --syn -m limit --limit 1/minute -j LOG --log-prefix "Incoming SSH attempt ""
  Do similar for FTP, Telnet, HTTP, HTTPS.
  
  I didn't bother to make rules for TeamViewer (port 5938), Remote Desktop (port 3389), SMB (port 139), NFS (port 2049), VNC (port 5900), http-alt (port 8080), RTelnet (port 107), TFTP (port 69), Simple FTP (port 115), rsh (port 514), rsync (port 873), Telnet-TLS (port 992), PPTP (port 1723), SSDP (port 1900), CIFS (port 3020), UPnP (port 5000), Socks Proxy (port 1080), Microsoft-DS (port 445) attempts. You can go a little nuts with this stuff. I think I don't have listeners active for any of it, but it would be nice to log and drop the packets.
  
  But it turns out you can make one rule for multiple ports, so I made:
  "iptables -I INPUT -p tcp --match multiport --dports 5938,3389,139,2049,5900,8080,107,69,115,514,873,992,1723,1900,3020,5000 --syn -m limit --limit 1/minute -j LOG --log-prefix "Incoming suspicious port attempt ""
  Limit of 15 port numbers per rule; had to split it into two.
  
  If one of your rules logs incoming HTTP attempts, test it by putting address "localhost:80" into browser's address field, then looking in logs. Or test by running "curl localhost" on the CLI.
  
  If one of your rules logs incoming HTTPS attempts, test it by putting address "https://localhost" into browser's address field, then looking in logs. Or test by running "curl localhost:443" on the CLI.
  
  If your rules log incoming SSH and/or Telnet and/or FTP attempts, test them by running "ssh localhost" and/or "telnet localhost" and/or "ftp localhost" in CLI, then looking in logs. Or doing "curl localhost:22" and/or "curl localhost:23" and/or "curl localhost:21" in CLI, then looking in logs.
  
  But I want to drop the packets after logging them. So I did this:

  
  iptables -N I_LOG_DROP
  iptables -A I_LOG_DROP -m limit --limit 4/minute -j LOG --log-prefix "IPTABLES-I-LOG-DROP: " --log-level 6
  iptables -A I_LOG_DROP -j DROP
  
  iptables -P INPUT DROP
  iptables -A INPUT -p tcp --match multiport --dports 20,21,22,23,80,5938,3389,139,2049,5900,8080,107 --syn -j I_LOG_DROP
  iptables -A INPUT -p tcp --match multiport --dports 69,115,514,873,992,1723,1900,3020,5000 --syn -j I_LOG_DROP
  

  
  
  At some point, maybe it's easier to list the ports that should be open, instead of those that should be blocked. But maybe some high port numbers get opened dynamically.
  "iptables -I INPUT -p tcp --match multiport ! --dports 80,443 --syn -m limit --limit 1/minute -j LOG --log-prefix "Incoming suspicious port attempt ""
  
  Did this (in a shell script file):

  
  iptables -F
  iptables -Z
  
  iptables -N I_LOG_DROP
  iptables -A I_LOG_DROP -m limit --limit 4/minute -j LOG --log-prefix "IPTABLES-I-LOG-DROP: " --log-level 6
  iptables -A I_LOG_DROP -j DROP
  
  iptables -N O_LOG_DROP
  iptables -A O_LOG_DROP -m limit --limit 4/minute -j LOG --log-prefix "IPTABLES-O-LOG-DROP: " --log-level 6
  iptables -A O_LOG_DROP -j DROP
  
  iptables -P INPUT DROP
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -p tcp -m tcp --syn -j I_LOG_DROP
  # UDP 1194 for Proton VPN, UDP 5353 is multicast DNS / Avahi
  iptables -A INPUT -p udp --match multiport ! --dports 22,67,68,80,443,1194,5353 -j I_LOG_DROP
  
  iptables -P FORWARD DROP
  
  iptables -P OUTPUT ACCEPT
  # port 23189 used by SFTP
  iptables -A OUTPUT -p tcp --match multiport ! --dports ssh,http,https,23189 --syn -j O_LOG_DROP
  # UDP 1194 for Proton VPN, UDP 5037 when using Wireshark
  iptables -A OUTPUT -p udp --match multiport ! --dports 22,53,67,68,80,123,443,1194,1900,5037,5353,30000:64000 -j O_LOG_DROP
  

  
  
  The whole thing gets more complicated because your VPN probably does iptables stuff too. Windscribe VPN adds rules and changes chain policies. I had to have a big shell script to add rules before the VPN starts, then a small script to do a couple of tweaks after VPN has started.
  
  And the number of ports keeps growing and growing. Apps such as Firefox and torrent-client open lots of high port numbers. Most/all of them may be on localhost, so maybe you have to start wiring addresses into your rules. The whole thing just gets too complicated.
  
  If you see an iptables LOG line in /var/log/kern.log that doesn't show source and dest ports, but gives "PROTO=n", look up that protocol number in /etc/protocols.
  
  Do "sudo netstat -tulpn" to see what ports have listeners. (Also "sudo ss -tulp" or "sudo ss -tulp '! ( src 127.0.0.0/8 or src [::1] )'" and "sudo lsof -i")
  
  Around this time, I mostly gave up with iptables. I think it was the wrong approach.

  Instead, concentrate on reducing and understanding the number of listeners you have. It doesn't matter if an incoming packet gets through iptables, as long as no process is listening on that port.
  
  Let the VPN do what it wants with iptables. Maybe do "sudo iptables -L -v" occasionally to see how much traffic is hitting each rule.
  
  I think it would be different with a server, running only a few services. There you could allow only 10 or so open ports.
  
  Maybe there are some "listeners" built into the protocol stack ? Turn off protocols you know you aren't using. Maybe do this to see unusual protocols:
  

  
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i lo -j ACCEPT
  ...
  # assuming your INPUT chain policy is ACCEPT, put these at the end of the chain
  iptables -A INPUT -p tcp -j ACCEPT
  iptables -A INPUT -p udp -j ACCEPT
  iptables -A INPUT -p icmp -j ACCEPT
  iptables -A INPUT -m limit --limit 1/minute -j LOG --log-prefix "Incoming IPv4 protocol "
  

  
  
  
• FireHOL:
  
  FireHOL
  "FireHOL is a language (and a program to run it) which builds secure, stateful firewalls from easy to understand, human-readable configurations. ... FireHOL is an iptables firewall generator producing stateful iptables packet-filtering firewalls ..."
  
  
• ufw and gufw:
  
  GUFW and UFW (simplified UIs to use instead of iptables).
  
  

  
  sudo ufw status verbose
  sudo ufw app list         # which apps installed a profile
  sudo ufw app info "CUPS"  # see an app's profile
  sudo systemctl enable ufw.service
  sudo systemctl start ufw.service
  
  sudo dmesg -T | grep UFW  # then look up PROTO= number in /etc/protocols
  
  less /etc/default/ufw
  less /etc/ufw/sysctl.conf
  
  sudo less /etc/gufw/gufw.cfg     # find which profile is in use
  sudo less /etc/gufw/Home.profile # see that profile
  
  sudo iptables -L -v              # see implementation of ufw/gufw rules
  

  
  UFW at least has the concept of "applications", but I don't know how that appears in GUFW.
  
  Francesco Galgani's "How to Use UFW"
  Virdo, Boucheron and Juell's "How To Set Up a Firewall with UFW on Debian 10"
  Vivek Gite's "How To Configure Firewall with UFW on Ubuntu 20.04 LTS"
  Jahid Onik's "How To Configure Firewall with UFW on Ubuntu"
  Linuxize's "How to Set Up a Firewall with UFW on Debian 10"
  Daniel Aleksandersen's "How to switch firewalls from FirewallD to UFW"
  
  
  
  
• firewalld:
  
  firewalld
  LinuxTeck's "15 basic useful firewall-cmd commands in Linux"
  Brian Boucheron's "How To Set Up a Firewall Using firewalld on CentOS 8"
  Shashank Nandishwar Hegde's "An introduction to firewalld rules and scenarios"
  Evans Amoany's "How to configure a firewall on Linux with firewalld"
  LinuxCLoudVPS's "10 Useful firewall-cmd Commands in Linux"
  SoByte's "Linux Firewall FirewallD and iptables"
  Firewalld only controls inbound traffic, doesn't do outbound ?
  GUI for firewalld: firewall-config. Very detailed, a bit overwhelming.
  "sudo firewall-cmd --state"
  "sudo firewall-cmd --list-all"
  "sudo firewall-cmd --get-active-zones"
  "sudo firewall-cmd --get-default-zone"
  
  Avoid duelling firewalls. You can't run firewalld and ufw/gufw at the same time. firewalld and ufw both use iptables.
  "whereis -b -B /usr/bin /usr/sbin -f gufw ufw firewalld"
  
  
  
• plasma-firewall:
  
  Coming in KDE: plasma-firewall, a GUI on top of multiple types of back-end firewalls such as ufw and firewalld.
  
  
  
  
• Nftables:
  
  This is a replacement for iptables, ip6tables, arptables, and ebtables. It is a more procedural language, I think. Should avoid a lot of duplication that you can get in iptables rules, and scale better. Also combines IPv4 and IPv6 in one structure. Not supported by VPNs yet, I think. Still in development 11/2018, I think.
  
  Debian / wiki / nftables
  Nftables wiki
  Alistair Ross's "Hello nftables, Goodbye iptables"
  "apt show nftables"
  "sudo nft list tables"
  "sudo nft list ruleset | less"
  
  From someone on reddit:

  Here's how simple it is to get a sensible nftables ruleset in place:

  
  sudo apt install nftables
  
  # Use an example ruleset for a basic workstation
  sudo cp /usr/share/doc/nftables/examples/workstation.nft /etc/nftables.conf
  
  # Load that ruleset
  sudo nft -f /etc/nftables.conf
  
  sudo systemctl enable nftables
  

  Have a look at that config file, it's pretty short and all of the rules have comments explaining what they do. There's one rule in there commented out, which you can enable to open any local ports you might want to access from remote systems, e.g. SSH.
  
  
  
• BPF (Berkeley Packet Filter; AKA cBPF) and eBPF:
  
  BPF programs are run in reaction to events, and run to completion. They're not constantly-running tasks.
  
  eBPF has been in the Linux kernel since version 3.18.
  
  Used to make a replacement for iptables and nftables, among many other things.
  
  Original BPF has a fairly small VM inside the kernel, and byte-code can be placed in it to do network processing.
  
  Relative to BPF, eBPF adds attaching code in many more places inside the kernel, adds a Just-In-Time compiler to native code (for some CPU architectures), and adds global state (in arrays, key-value pairs).
  Also has ability to jump out to user-land code, bypassing much of the standard network stack, for example, in cases where reduced features and higher performance make sense. Or go the other way: where there used to be a (costly) jump out to user-land, instead do the operation inside the kernel, in the VM.
  
  Wikipedia's "Berkeley Packet Filter"
  Filip Nikolovski's "TIL: eBPF is awesome"
  Kevin Dankwardt's "BPF For Observability: Getting Started Quickly"
  Andrew Klotz's "BPF intro: syscall counting"
  Matt Fleming's "A thorough introduction to eBPF"
  SoByte's "eBPF, a Linux kernel monitoring technology"
  SoByte's "Develop a Hello World level eBPF program from scratch using C"
  SoByte's "Things we need to know about eBPF"
  SoByte's "In-depth understanding of eBPF"
  Quentin Monnet's "Features of bpftool"
  eBPF - Introduction, Tutorials & Community Resources
  
  Brendan Gregg's "Learn eBPF Tracing: Tutorial and Examples"
  Brendan Gregg's "Linux Extended BPF (eBPF) Tracing Tools"
  Brendan Gregg's "Extended BPF - A new software type" (video)
  Hongli Lai's "Full-system dynamic tracing on Linux using eBPF and bpftrace"
  
  Azizi and Arbitman's "The Challenge with Deploying eBPF Into the Wild"
  iovisor / bcc
  iovisor / bcc / docs
  
  

  
  grep BPF "/boot/config-$(uname -r)"
  sudo bpftool feature probe kernel | less
  
  sudo apt install bpfcc-tools bcc-tools bpftrace bpftool
  
  sudo bpftool prog list
  sudo bpftool prog dump jited id 56
  sudo bps
  
  # Newer versions of bpftool will give PIDs in the
  # output of "sudo bpftool prog show".
  # https://qmonnet.github.io/whirl-offload/2021/09/23/bpftool-features-thread/#processes-pids
  
  # See which processes have BPF file descriptors open:
  sudo bash
  for i in $(ps ax -o pid= ); do ls -l /proc/$i/fd|grep "bpf-prog" &>/dev/null ; if [ $? -eq 0 ]; then ps -o pid=,args= $i; fi; done
  ls -l /proc/1/fd | grep bpf-prog
  # Or:
  for i in $(ps ax -o pid= ); do ls -l /proc/$i/fd|grep "bpf-prog" &>/dev/null ; if [ $? -eq 0 ]; then ps -o pid=,args= $i; ls -l /proc/$i/fd | grep bpf-prog; fi; done
  
  # Traces open() syscall, showing which processes
  # are attempting to open which files:
  sudo /usr/share/bcc/tools/opensnoop
  

  
  
  
  
  

• OSSEC:
  
  OSSEC
  File integrity monitoring, log monitoring, rootcheck, and process monitoring.
  
  
• Snort:
  
  Snort
  Can be used as a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging, etc), or as a network intrusion prevention system. Can perform protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes.
  
  I installed it (version 2.9.7.0):

  
  Got "interface 'eth0' is invalid". I have valid interfaces "enp19s0" (wired Ethernet), "wlp18s0" (Wi-Fi), and "tun0" (VPN). I switch among all three; usually VPN is on, but sometimes it's off, usually I'm on Ethernet, but sometimes on Wi-Fi. Am I going to have to reconfigure snort each time ?
  
  Chose interface "enp19s0" even though VPN is on. I guess installer completed okay; no message.
  
  At CLI, run "snort -V" to see that it's installed.
  
  Snort logs to the /var/log/snort directory by default.
  NIDS config file is /etc/snort/snort.conf
  
  Run "sudo snort" to start in packet dump mode AKA sniffer mode.
  Run "sudo snort -vde -c /etc/snort/snort.conf" to start in verbose NIDS mode.
  Add "-i INTERFACENAME" to specify the network interface to use.
  Ctrl+C to terminate it.
  
  [These were already done in my version:]
  Edit /etc/snort/snort.conf to:
  Un-comment line starting with "output unified2"
  Comment out line starting with "output log_tcpdump"
  "snort -T -c /etc/snort/snort.conf" to syntax-check the config file.
  
  Run "sudo snort -A fast -d -N -s -c /etc/snort/snort.conf" to start in NIDS alerting non-logging mode.
  "cat /var/log/snort/alert" to see alerts.
  
  I did a LAN-discovery from a phone app (Fing) and snort wrote entries about uPnP discovery scanning, into the alert file.
  
  After about 8 hours, the alert file was over 105 KB, mostly alerts about malformed uPnP stuff.
  
  I signed up for a Snort account, but there is no ruleset available for the old version I have (2.9.7.0).
  
  A serious setup where logs/alerts couldn't be deleted by an attacker probably would send the info to some other machine, probably to a SQL database. And view the database with Splunk or something.

  
  OccupyTheWeb's "Snort IDS for the Aspiring Hacker, Part 1 (Installing Snort)"
  OccupyTheWeb's "Snort IDS for the Aspiring Hacker, Part 2 (Setting Up the Basic Configuration)"
  OccupyTheWeb's "Snort IDS for the Aspiring Hacker, Part 3 (Sending Intrusion Alerts to MySQL)"
  OccupyTheWeb's "How to Read & Write Snort Rules to Evade an NIDS (Network Intrusion Detection System)"
  OccupyTheWeb's "How to Evade a Network Intrusion Detection System (NIDS) Using Snort"
  Noah Dietrich's "Snort 2.9.9.x on Ubuntu"
  
  
  
  
• Suricata:
  
  Suricata
  Capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
  
  
• psad:
  
  CipherDyne's "psad: Intrusion Detection and Log Analysis with iptables"
  
  
  
• Graylog:
  
  Graylog
  Teknikal's_Domain's "Graylog, and the Syslog Protocol, Explained"
  
  
  
• Zeek (formerly Bro):
  
  Network Security Monitor.
  Zeek
  
  
  

• inotifywait:
  
  Local command to notify when a Honeypot file is accessed.
  "inotifywait FILENAME && kdialog --msgbox 'File FILENAME accessed !'"
  
  
  
• Dionaea:
  
  Honeypot.
  DinoTools / dionaea
  
  
  
• Thug:
  
  Honeypot.
  buffer / thug
  
  
  
• Canarytokens:
  
  Honeypot. Mixture of Windows-only and OS-independent items.
  Thinkst's "Canarytokens"
  KaliLinux.in's "Canarytokens -- Danger For Attackers"
  
  
  
• OpenCanary:
  
  Honeypot. Maybe same as Canarytokens ? By same company.
  OpenCanary
  thinkst / opencanary
  
  
  
• Cowrie:
  
  Honeypot for SSH and Telnet.
  cowrie / cowrie
  
  
  
• Modern Honey Network (MHN):
  
  Software to deploy and manage honeypots in a network.
  pwnlandia / mhn
  
  
  
• T-Pot:
  
  Software to deploy and manage honeypots in a network.
  Deutsche Telekom's "T-Pot: A Multi-Honeypot Platform"
  
  
  
• Endlessh:
  
  A "tar-pit" which ties up SSH attackers for a long time.
  skeeto / endlessh
  Chris Wellons' "Endlessh: an SSH Tarpit" (gives HTTP example too)
  
  
  
• Responder:
  
  Listens for and poisons responses to Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS), Web Proxy Auto-Discovery (WPAD), more.
  SpiderLabs / Responder
  
  
  
• xtables-addons-dkms:
  
  Iptables add-ons to implement "tar-pit" rules.
  Ubuntu manuals' "Xtables-addons - additional extensions for iptables, ip6tables, etc."
  
  
  
• SNARE and Tanner:
  
  A web-app that emulates vulnerabilities and waits for attackers to try things such as SQL injection, URL parameter mangling, etc.
  mushorg / snare
  mushorg / tanner
  Do you have to supply your own app, and then SNARE clones it ?
  
  
  

• No isolation: userid gives every app access to all of your files, X gives apps access to each other's event-queues. Native packaging: deb, rpm, etc.
  
  
• Sandbox created by someone other than app dev: AppArmor, Firejail.
  
  
• Container (and permissions) created by app dev: Snap, Flatpak, Docker. All containers run on top of same, shared OS.
  
  
• Micro-VM or unikernel for each app ? A severely stripped-down server image. If you're going to run a single process, no GUI, no SSH, single user, no command-line shell, then strip lots of stuff out of the Linux kernel-plus. Even run kernel and app in same address space.
  
  
• VM for each app. OS is a "full" server distro such as Ubuntu server or a minimal distro such as Alpine.
  
  
• Separate bare metal for each app. OS is a "full" server distro.
  
  

• Container / image created by app dev: Snap, Flatpak, Docker, appimage.
  
  
• Distro maintainer does native packaging: deb, rpm, etc.
  
  
• LTS distro / stable repo.
  
  
• VMs created using LTS software.
  
  

• Firejail:
  
  An application that restricts the environments of other apps, running them with access only to certain directories, or to fake copies of system directories, or no network access. Application-based permissions.
  
  From Firejail Security Sandbox:

  Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

  
  Firejail Security Sandbox
  Easy Linux tips project's "Run your web browser (and other apps) in a secure sandbox"
  Jesse Smith's "The Firejail security sandbox"
  netblue30 / firejail
  netblue30 / firetools
  /r/firejail
  "firejail --version" (shows more than just version number)
  
  Firejail works on native binaries and on appimages (with --appimage option), but not on Snaps or Flatpaks or Docker containers.
  
  Does Firejail work on browsers and terminals launched from other apps, such as VS Code ?
  
  "sudo apt install firejail firejail-profiles firetools".
  Profiles stored in /etc/firejail.
  
  Poked around a bit, quickest way to see the restrictions is to run "mount | column --table" in CLI before and after running "firejail bash". Also "firejail --audit APPNAME".
  
  To run an app while denying network access:

  
  firejail --net=none APPNAME
  

  This is equivalent to editing the ~/.config/firejail/APPNAME.local file to add "net none".
  
  To run an app using limited amount of memory:

  
  firejail --rlimit-as=NUMBYTES APPNAME
  

  
  Local system edits could be done to either ~/.config/firejail/APPNAME.local or /etc/firejail/APPNAME.local.
  
  Easy way to make any of your big apps run under Firejail: create symlinks for them that link to firejail:

  
  sudo ln -s /usr/bin/firejail /usr/local/bin/firefox
  which -a firefox        # check PATH
  # then if run "firefox", from either CLI or icon, will run "firejail firefox"
  

  
  
  Easy way to make ALL apps known to Firejail run under Firejail:

  
  sudo firecfg
  which -a firefox        # check PATH
  # Then if run "firefox", from either CLI or icon, will run "firejail firefox"
  
  # If you install another application, do same again:
  sudo firecfg
  
  firecfg --list          # list all links
  sudo firecfg --clean    # remove all links
  
  # On Kubuntu 20.10, Firejail version 0.9.62.4:
  
  # I found that I had to remove Dolphin's
  # link to fix problems with running sudo in shell scripts:
  sudo rm /usr/local/bin/dolphin
  
  # How to put /opt/thunderbird/thunderbird-bin inside Firejail ?
  
  # Firefox wouldn't launch.  Tried various directives in
  # firefox-common.local to fix it, no luck.  Removed it from Firejail.
  
  # Liferea wasn't able to send links to Firefox properly;
  # snap of KeePassXC was able to.
  
  # VS Code launched, then it didn't.
  
  # Gave up on Firejail on Kubuntu 20.10.
  

  
  

  
  # On Fedora 34 KDE using X, Firejail 0.9.64.4:
  # Tried to run KeePassXC 2.6.4 under Firejail.
  # Clicking on links, and Ctrl+Shift+U to open link, didn't work.
  # In debug mode, get message:
  # "Unable to detect a web browser to launch 'http...'"
  # Bug reports:
  #	https://github.com/netblue30/firejail/issues/3329
  #	https://github.com/keepassxreboot/keepassxc/issues/6637
  
  # you can apply a profile for one app to another app:
  firejail --profile=keepassxc ls ~/.mozilla
  

  With help from someone, got some basic sanity of Firejail-KeePassXC working. Still fails if browser has to be launched, but if browser is running already, clicking on a link works. Had to make file /etc/firejail/keepassxc.local:

  
  # keepassxc.local
  
  # If you click on an URL in KeePassXC, and default browser is Firefox, FF stub
  # gets launched inside the KP firejail, so need this to counteract what is
  # done in disable-programs.inc:
  noblacklist ${HOME}/.cache/mozilla
  noblacklist ${HOME}/.mozilla
  # That works if FF is running before you click on an URL in KeePassXC.
  # If FF is not running before you click on an URL, a full copy of FF tries
  # to launch inside the KP firejail, and crashes.
  
  ignore private-bin
  include allow-bin-sh.inc
  ignore net none
  protocol unix,inet,inet6,netlink
  private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
  

  Similar does NOT work for Brave or ungoogled-chromium browsers. Only FF works.
  
  General problem with launching stuff / opening links from inside Firejail, it seems: https://github.com/glitsj16/firejail-handler-http
  
  You could use Firetools or Firejail Configuration Wizard apps in the GUI. But building a security profile doesn't seem to be persistent, and the Firetools monitor shows a much-too-high number for memory usage. And the UI is really annoying.
  
  When trying to debug a Firejail profile, launch the app in CLI ("firejail APPNAME"), not via an icon. Apps often put out error messages on stderr. Also, do "sudo ps -ax | grep firejail" to make sure an app isn't hanging; reboot if there is one.
  
  Is there a way to see what attempted operations have been prevented by an app's profile ? Messages in system journal or something ?
  
  Firejail project home: netblue30 / firejail
  
  Interesting debate: Firejail worsen security? #3046
  
  
  
  
  
•   AppArmor:
  
  Very similar to Firejail, but implemented as a Linux kernel security module. Application-based permissions. Generally applied to services/daemons, and runs in the background without the user having to know anything about it.
  
  Do "sudo apparmor_status" to see info.
  To install more: "sudo apt install apparmor-profiles apparmor-profiles-extra apparmor-utils apparmor-easyprof apparmor-notify"
  Maybe add your user to group "adm" to get notifications ? "adduser USERNAME adm"
  "man -k apparmor"
  
  Wikipedia's "AppArmor"
  AppArmor
  openSUSE's "Confining privileges with AppArmor"
  
  Making profiles:
  Ubuntu Tutorials' "How to create an AppArmor Profile"
  Uzair Shamim's "The Comprehensive Guide To AppArmor: Part 1"
  The Debian Administrator's Handbook's "14.4. Introduction to AppArmor"
  
  Chris Siebenmann's "On Ubuntu, AppArmor is quite persistent and likes to reappear on you"
  
  In Mint, Apparmor (user-space parser utility) was installed by default.
  I installed Apparmor-utils through Software Manager.
  Profiles are stored in /etc/apparmor.d directory.
  You could turn on the profile for Firefox by doing "sudo aa-enforce /etc/apparmor.d/usr.bin.firefox".
  To turn it off, do "sudo aa-disable /etc/apparmor.d/usr.bin.firefox".
  If you do a disable when enforce is not on, you'll see a "Profile doesn't exist" error.
  To see the list of active profiles, do "cat /sys/kernel/security/apparmor/profiles".
  To see AppArmor activity, do "grep apparmor /var/log/kern.log".
  
  
  When trying to debug an AppArmor profile, launch the app in CLI, not via an icon. Apps often put out error messages on stderr. Also, do "sudo ps -ax | grep APPNAME" to make sure an app isn't hanging; reboot if it is.
  
  Firefox with AppArmor:

  
  Already had FireFox working in Firejail, so all of the following is with FF running in Firejail.
  
  Started enforcing AppArmor for Firefox, launched Firefox in Firejail, it showed some "welcome to Mint - file access failed" page, and the kernel log shows a dozen or more AppArmor "denied" messages.
  
  Quit Firefox, disabled AppArmor for Firefox, launched Firefox, and my Firefox user profile is gone ! Bookmarks, settings, add-ons, everything gone !
  
  Fortunately, I was able to find it all under a directory in "~/.mozilla/firefox", and was able to restore it by editing "~/.mozilla/firefox/profiles.ini" to point at the old profile instead of the new one. Whew ! Do a backup of that stuff before trying again.
  
  Looking at "denied" messages in /var/log/kern.log, it looks like access to "/run/firejail/mnt/" is denied, maybe also access to "home/.ecryptfs/USERNAME/...". Edited "/etc/apparmor.d/usr.bin.firefox". Above "# so browsing directories works", I added lines "/run/firejail/mnt/** r," and "/home/.ecryptfs/** rw,".
  
  Still got "bookmarks and history system will not be functional because one of Firefox's files is in use by another application. Security software can cause this problem." error message.
  
  Tried AppArmor on, Firejail off, and FF works ! So the problem is somewhere in the interaction of AppArmor and Firejail. Did "sudo xed /etc/apparmor.d/firejail-default /etc/apparmor.d/usr.bin.firefox ~/.config/firejail/firefox.profile". Couldn't fix the problem. Tried adding lines "network unix stream, network netlink stream," and "/run/firejail/mnt/** r, /home/.ecryptfs/** rw," to "/etc/apparmor.d/usr.bin.firefox", didn't help.
  
  If you caused a bunch of FF crashes while debugging, look in "~/.mozilla/firefox/'Crash Reports'/pending" and delete them.
  
  Dedoimedo's "Firefox & AppArmor hardening - Custom rules"
  

  
  KeePassXC with AppArmor:

  
  Mint 19 has no AppArmor profile for KeePassXC.
  
  Made a profile the stupid way, trial-and-error, not using the profiling tools. Started with no restrictions.
  "sudo aa-enforce /etc/apparmor.d/usr.bin.keepassxc"
  "sudo aa-disable /etc/apparmor.d/usr.bin.keepassxc"
  "sudo apparmor_parser -r /etc/apparmor.d/usr.bin.keepassxc"
  Got it to work, despite showing "qt5ct: D-Bus global menu: no" error (same error when AppArmor is disabled).
  Tried to turn off networking, got "Could not connect to any X display" error. Adding "network unix stream" fixed that. Very unfortunate that I had to do that; my main goal for this profile was to turn off networking.
  Took a lot of fiddling to get the directory-tree permissions okay; I'm sure they're still too generous.
  Ended up with this.

  
  
  
  
  
  
• Pledge:
  
  An application that restricts the environments of other apps, similar to Firejail. For apps launched from CLI.
  Jesse Smith's "Pledge on Linux"
  Justine's "Porting OpenBSD pledge() to Linux"
  
  
  
  
  
•   OpenSnitch:
  
  Runs on top of iptables; nftables coming later. Also uses eBPF.
  Handles TCP, UDP, and UDPLITE traffic.
  Only handles outbound connections (inbound may be under development).
  Unclear how it interacts with VPNs and firewalls that write iptables rules; dev says there should be no problems.
  Couldn't get it to run on a system that was not using systemd.
  
  Can block on the basis of applications, as well as domains and ports.
  Can block traffic from apps run by systemd services.
  Can it block traffic from init-scripts, cron jobs ?
  Can it block Bluetooth traffic ?
  Doesn't show traffic coming out of VPN client.
  Only blocks domain, not full URL (e.g. not "mydomain.com/admin").
  Seems to be no difference between using X and using Wayland.
  
  "sudo systemctl status opensnitch --full --lines 1000"
  
  May have to install "python-notify2" to get UI to work. Try running opensnitch-ui from CLI, look at error messages.
  
  There is a way to save rules to CSV file, but no way to import that file back in later (version 1.5.0). Instead, save/restore /etc/opensnitchd/.
  
  To restrict an application to ports 1000 and above, use regex "^([1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9])$".
  
  nixCraft's "OpenSnitch: The Little Snitch application like firewall tool for Linux"
  Sk's "Taking Linux Security To The Next Level With OpenSnitch Firewall"
  Step 3 in TokyoNeon's "Using Ubuntu as Your Primary OS, Part 4 (Auditing, Antivirus & Monitoring)"
  Do Son's "opensnitch: GNU/Linux port of the Little Snitch application firewall"
  Linux Uprising's "OpenSnitch Application Firewall 1.4.0"
  Linux Uprising's "OpenSnitch 1.3.0"
  Jesse Smith's "OpenSnitch - an application firewall for Linux"
  evilsocket / opensnitch
  
  My strategy on rules:

  
  

  • Allow all apps to 53 (DNS).
    
    
  • Deny all apps to 1900 (PnP). But media server wants to use this port, and there's no way to say "deny to all apps except app A".
    
    
  • Deny all apps to location services: geoip.kde.org, location.services.mozilla.com, location.services.mozilla.com.home, (can't be done:) googleapis.com/geolocation.
    
    
  • Allow torrenting apps and media server apps to access any port over 999 (they use random high ports).
    
    
  • If there are some apps (e.g. password manager) that never will try to access the network, you'll never get a pop-up asking you to create a rule about them. So go ahead and add a deny-everything rule anyway.
    
    
  • Some DE parts/apps use "curl" to do accesses, so you'll see curls that you didn't do manually. No good way to distinguish them from curl's you do manually on CLI.
    
    
  • Some apps (feed reader) use "wget" to do accesses, so you'll see wgets that you didn't do manually. No good way to distinguish them from wget's you do manually on CLI.
    
    
  • Some apps (browsers, more) use WebKit sub-processes. No way to control those by originating application.
    
    
  • Some KDE apps use kioslave sub-processes. No way to control those by originating application.
    
    
  • Some KDE apps (Akregator) sometimes cause a "kernel connection" sub-process ? No way to control those by originating application.
    
    
  • When you move from one distro to another, some apps will be installed in different places, maybe even with different filenames. So you end up duplicating their rules. Can't put a regex in an application name in a rule.
    
    
  • Apparently, appimages are tricky, their location is in /tmp and changes each time they run ? You have to make a rule for a path something like /tmp/\.mount_[a-zA-Z0-9]+/your/path/app.appimage
    
    
  • Where possible, go into apps and stop them from generating traffic you want to deny. In Firefox, set browser.topsites.contile.enabled = false, dom.push.connection.enabled = false, dom.push.enabled = false. Then you can get rid of the corresponding deny rules. Also maybe turn off Network Manager connectivity-checking. Then you can remove the corresponding deny-rules.
    
    
  • After the rules seem to be working, look in the Events tab and maybe adjust the rules.
    
    

  
  
  
  
  
  
• Douane:
  
  Douane
  Douane on GitLab
  
  Tuxdiary's "Douane: easy firewall with app rules"
  Dedoimedo's "Linux per-application firewalls - Doable? Douane"
  Project-insanity's "Application firewall Douane for ArchLinux"
  
  
  
• eBPFSnitch:
  
  harporoeder / ebpfsnitch
  Filtering inbound connections not supported as of 1/2022, according to README.
  For any distro except Arch, must be compiled from source, as of 1/2022.
  
  
  
• picosnitch:
  
  Does monitoring/logging/notification, but not blocking.
  picosnitch
  
  
  
• Portmaster:
  
  Portmaster
  Raphael's "Portmaster 1.0"
  Martin Brinkmann's "First look at Portmaster"
  /r/safing
  Has ad, malware, and tracker blocking.
  Has a for-pay super-VPN: SPN, €10/month.
  Uses iptables.
  Couldn't get it to run on a system that was not using systemd.
  
  
  
• ip rule/route:
  
  Prevent traffic to/from an IP address or subnet.
  More efficient than an iptables rule ?
  
  See "Linux Network Interfaces" section.
  
  
  
• Trickle:
  
  ArchWiki's "Trickle"
  Reduce bandwidth available to a single process.
  
  
  
• Docker to isolate a single process ?
  
  "docker run --rm -it -v $PWD/untrustedprogram:/untrustedprogram:ro ubuntu:latest" ?
  
  
  
• ulimit
  
  To run an app using limited amount of memory:

  
  ulimit -Sv NUMKBYTES
  APPNAME
  

  
  
  
• cpulimit:
  
  Gregory Bartholomew article
  Limit CPU available to a single process.
  
  
  
• corectl:
  
  corectrl
  Automatically configure your system when a program is launched.
  
  
  

My evaluation

The mainstream solutions (at least, in Mint) seem to be Firejail and AppArmor.

• Firejail better because:
  • Can have different icons that launch an app with/without Firejail.
  • Can have private copies of /dev, /bin, /tmp, /etc.
  • Easy to say nodvd, noshell, noroot.
  • In Mint, there are far more Firejail profiles than AppArmor profiles.
  
  
  
• AppArmor better because:
  • No way to evade controls when you launch an app.
  • Lots of fine-grained controls on D-Bus.
  • Can set detailed rwxmk permissions on directory trees and files; Firejail just has whitelist/blacklist.
  • Has some kind of controls on "signals".
  
  
  
• Neither AppArmor nor Firejail supports restricting network access to just X system, or just localhost, or just LAN addresses.
  
  
• Trying to use both AppArmor and Firejail on same app usually fails.
  
  
• In Mint, by default, AppArmor is controlling several daemons, such as dhcp, cups, mysql-akonadi, Clam updater, ippusbxd (USB printer).
  
  
• I think I would try to get my key applications running in Firejail. Leave AppArmor enforcing on the daemons.
  
  

• netstat:
  
  To see what incoming ports are open and/or have listeners on them, do "sudo netstat -tulp".
  
  To see what connections have been established and by what app, do "sudo netstat -tp".
  
  Mehedi Hasan's "Linux Netstat Command Tutorial for SysAdmins"
  
  
  
• ss:
  
  To see what connections have been established, do "ss -tun state connected".
  
  
• lsof:
  
  To see established connections, do "sudo lsof -i" or "lsof -i TCP".
  
  
• iptraf-ng:
  
  Ran "sudo iptraf-ng". If you want names instead of numbers, go into "Configure" and turn on "Reverse DNS lookups" and "TCP/UDP Service names". Exit out of Configuration and then go to "IP traffic monitor".
  Shows both UDP and TCP.
  
  
• iftop:
  
  Ran "sudo iftop -P". Type "h" to get into and out of help screen.
  It does show cumulative totals; you may have to press "T".
  But it just shows IP addresses and port numbers; no app or service names.
  
  
• Nethogs:
  
  Ran "sudo nethogs".
  But it seems to show only currently active processes, not a historical/cumulative log.
  Aha ! "sudo nethogs -v 3" will show cumulative, so apps don't disappear from the list after they terminate.
  
  Tried to install hogwatch, but got a lot of "error: invalid command 'bdist_wheel'" problems.
  
  
• ntopng:
  
  But it won't start up, says address or port 3000 is busy. Turned off VPN, maybe iptables is stopping it, gave up.
  
  
• rpcinfo:
  
  Not sure if this is obsolete.
  Only applies if "portmapper" is being run ?
  Portmap is required by NFS ?
  "sudo rpcinfo -p localhost"
  
  
• conntrack-tools:
  
  conntrack-tools: Netfilter's connection tracking userspace tools
  conntrack (8) - Linux Man Pages
  To install: "sudo apt install conntrack".
  
  
• dnspeep:
  
  Julia Evans' "A tool to spy on your DNS queries: dnspeep"
  
  
  
• Justniffer:
  
  Thought about installing Justniffer, but it looks old, decided against it. If I'm going to learn some big complicated tool, it's going to be Wireshark.
  
  
• Wireshark:
  
  Tried running Wireshark from GUI Start button, but none of the 4 "capture filters" it shows me seem appropriate.
  Ran "sudo wireshark" from CLI, and it gave a warning but then showed me interfaces I expected, including my Ethernet adapter. Chose that, and it started live monitoring of packets.
  
  If you see a lot of UDP traffic labeled as "QUIC", Wireshark probably is guessing wrong, and: "If you don't want the QUIC tag, simply go to the "Analyze" menu and select "Enabled Protocols" from the list. Find the entry for QUIC and uncheck the box."
  
  Did "sudo usermod -a -G wireshark MYUSERNAME" so I can run Wireshark without sudo.
  
  In Wireshark, do "Capture / Options" and turn off "promiscuous mode" to see traffic just for your computer, not all traffic on the LAN.
  
  Chris Hoffman's "How to Use Wireshark to Capture, Filter and Inspect Packets"
  OTW's "Network Forensics: Wireshark Basics, Part 2"
  Ceos3c's "Wireshark Tutorial Series 1 - Introduction, lab setup and GUI overview"
  FromDev's "30+ Best Free Wireshark Tutorials PDF & eBooks To Learn"
  Brad Duncan's "Using Wireshark: Identifying Hosts and Users"
  elitest's "Decrypting TLS Browser Traffic With Wireshark - The Easy Way!"
  
  There's also a CLI version/part of Wireshark: tshark
  
  PA Toolkit (Pentester Academy Wireshark Toolkit)
  
  
  
• Nikto:
  
  Nikto2
  Web server testing.
  
  
• arpwatch:
  
  Tool for seeing ARP traffic, alerting if a new MAC-to-IP address mapping appears or an existing one changes.
  
  Wikipedia's "arpwatch"
  
  
  
• gupnp-tools:
  
  See uPNP traffic.
  "sudo apt install gupnp-tools"
  
  Run "GUPNP Universal Control Point" application (on CLI: gupnp-universal-cp) to display traffic.
  No man page, but see "gupnp-universal-cp --help".
  Works with VPN on or off: I see uPNP traffic from our smart TV.
  
  Another application: "GUPnP AV Control Point" application (on CLI: gupnp-av-cp) to get a remote control UI.
  I can't get it to control our smart TV, but if I use the TV's remote control to change the volume, the app's volume slider moves to reflect the change.
  
  
  

• There are "local" accounts (defined in /etc/passwd), but in a corporate environment there could be "network" accounts that are defined in a server somewhere (e.g. LDAP).
  
  
• Generally there is a "local" home directory for each account (named "/home/USERNAME"), but in a corporate environment the home directory could be on some server, and just mounted onto the local mountpoint.
  
  
• Login can occur on the system desktop GUI (display and keyboard and mouse), through system virtual console (TTY1; Ctrl+Alt+F1 to open, Ctrl+Alt+F7 to close), through Telnet/SSH from a network, through remote-desktop software such as VNC or TeamViewer.
  
  
• The account you specified at installation time is a user that belongs to the "sudoers" group and thus can use the "sudo" command to do super-user things. You can login as that user.
  
  
• There is a "root" account, but it is locked so you can't log in as root. No password can be typed which will match the value in root's password hash field.
  
  BUT: from Easy Linux tips project's "Security in Linux Mint: an explanation and some tips":
  "In Linux Mint 18.3, the root password is unfortunately no longer set by default. This means that a malicious person with physical access to your computer, can simply boot it into Recovery mode. In the recovery menu he can then select to launch a root shell, without having to enter any password. After which your system is fully his. So, set a password for root (preferably identical to your own password)."
  
  
• There may be a "guest" account, and you can log in as that user. [Disabled by default on Mint 19.] There is no password on that account. Can it login through SSH ?
  
  Definitely disable guest login, and you have to reboot after doing so. In Mint, run "System Settings", go to "Administration" section, click on "Login Window", click "Users" tab, probably everything should be turned off.
  
  Abhishek Prakash's "How To Disable Guest Account In Ubuntu"
  Ubuntu's "CustomizeGuestSession"
  
  
• If you create more users, you can choose to add each new user to the "sudoers" group or not.
  
  
• If you are logged in as a user who belongs to the "sudoers" group, you can do any administrative operation, and the password to use when "sudo" asks is the password for that user.
  
  
  
• I guess it is okay to routinely log in and do all your daily computing as the user you specified during installation, which belongs to the "sudoers" group. Any malware you run accidentally would have to know your password in order to do "sudo" and then do administrative stuff, and I think sudo accepts password only from keyboard. So it's not quite like routinely running as Administrator under Windows.
  
  
• On a single-user system, the security distinction between root and normal user is not so important. All of the interesting personal files probably are owned by the normal user. So if an attacker can get in as that normal user, they get all the good stuff, no need to escalate to root.
  
  Escalating to root might let the attacker do a few more things, such as access network hardware at a low level to attack other machines on the LAN.
  
  Escalating to root on a multi-user system is much more serious/important than on a single-user system.
  
  
• From someone on reddit:
  "Normally, all keyrings should get signed into automatically upon user login to the system. If suddenly you have to log in to a keyring when you never did before, what's gone wrong is that you changed the password with passwd instead of using the account manager built into the GUI. The GUI will automatically change your keyring password too. The command line won't."
  
  

sudo systemctl status polkit --full --lines 1000
systemctl status | grep policyk
sudo ps -ax | grep -E 'polkit|policykit' | grep -v grep

man polkit

ls /etc/polkit-1/rules.d
sudo ls /usr/share/polkit-1/rules.d
ls /usr/share/polkit-1/actions

# For USERNAME, sudo never ask for password:
USERNAME ALL=(ALL) NOPASSWD: ALL

# For USERNAME, for CMDPATH1 and CMDPATH2, sudo never ask for password:
USERNAME ALL=(ALL) NOPASSWD: CMDPATH2 CMDPATH2

• Linux kernel keyring:
  
  "man 7 keyrings"
  "man session-keyring"
  "man user-keyring"
  "man process-keyring"
  "man thread-keyring"
  "keyctl show"
  "keyctl list @us"
  "keyctl print @us"
  "cat /proc/keys" to see some of the keys in the Linux kernel keyring.
  Keyrings(7) man page
  
  
  
• GNOME Keyring:
  
  GNOME Keyring
  Creates ~/.pki directory tree (also could be created by Chrome/chromium) ?
  "secret-tool"
  swick / mozilla-gnome-keyring (extension for Firefox and Thunderbird)
  From GNOME Keyring - Security FAQ:
  "GNOME Keyring is integrated with PAM, so that the 'login' keyring can be unlocked when the user logs in.".
  LZone's "Using Linux keyring secrets from your scripts"
  GNOME Keyring
  Arch Wiki's "GNOME/Keyring"
  Nurdletech's "GNOME Keyring"
  
  GNOME keyring is stored under ~/.local/share/keyrings
  
  If you keep getting prompted for password to unlock keyring, and you don't want that, delete the (default ?) keyring inside ~/.local/share/keyrings and then next time you're asked for password, set an empty password.
  
  
• KDE Wallet:
  
  "man -k kwallet"
  "KWallet isn't a password manager in the traditional sense like Bitwarden or Lastpass. It simply manages the user keyring, which serves as a storage area for apps to store their secrets in an encrypted way."
  
  
  
• systemd-creds:
  
  "systemd-creds list"
  
  
  
• App-internal keyrings:
  
  
  • Thunderbird internal keyring:
    
    Thunderbird OpenPGP Key Manager ?
    
    
    
  • MySQL internal keyring:
    
    The MySQL Keyring
    
    
    
• System GnuPG Keyring:
  
  "gpg2 --list-keys"
  "gpg2 --list-secret-keys"
  "man gpg"
  "man gpa"
  Jack Wallen's "How to encrypt a file on Linux" (GPG and Seahorse)
  
  
  
• ssh-agent:
  
  "man ssh-agent"
  Not persistent across reboots; starts up empty each time.
  
  Is integrated with ssh, sftp, scp, PAM, Chrome, chromium ? Can be integrated with Git, GnuPG, Firefox ?
  
  KeePassXC password manager can supply SSH keys to an SSH agent: KeePassXC and SSH.
  
  Run "ssh-add -l" or "ssh-add -L" to see all keys available through ssh-agent.
  Run "ssh-add -s filename.pkcs11" to add a digital certificate to ssh-agent.
  
  
  
• SSSD (System Security Services Daemon):
  
  Cached credentials fetched from back-end systems (providers) such as LDAP, Active Directory, or Kerberos.
  
  Red Hat Training's "Configuring SSSD"
  
  
  
• Network Manager:
  
  Stores credentials for connecting to Wi-Fi and VPNs.
  Maybe uses system keyring ?
  nmcli can act as a NetworkManager secret agent or polkit agent, or both.