Linux Network and Security Controls

Basics

Network control / firewalls:
Inside the kernel, there is netfilter, which is a set of hooks for kernel modules to control networking.
Wikipedia's "Netfilter"

On top of netfilter, there are iptables and nftables (use one, not both).
Each consists of a set of kernel modules and a set of user-space tools.
For iptables, the kernel modules are ip_tables, ip6_tables, arp_tables, and ebtables, and the user-space tools are iptables, ip6tables, arptables, and ebtables.
For nftables, the kernel module is nftables, and the user-space tool is nft.
Wikipedia's "nftables"
Debian Wiki's "nftables"
nftables wiki

On top of iptables, there are ufw and gufw (use one, not both).

On top of nftables, there is firewalld.

There also is an iptables-nft compatibility layer that lets you use iptables on top of nftables. And an iptables-translate utility to translate many existing iptables rules to equivalent nftables rules.

User Control:

Control what files and directories a user or group can access.

Application Control and Security:

Control what files, directories, system calls, networks an application can access.

Derived from Ubuntu Security Podcast episode 83 7/2020:

LSM == Linux Security Module inside the kernel.

Stacking == using multiple security modules in same system.

As of 5.8 kernel, stacking is limited, but this is being changed.

Current (5.8) stacking rules:
Major modules (SELinux, AppArmor, Smack): can't stack with another major module, because they all try to attach their security data blobs to the same hooks inside the kernel.
Minor modules (TOMOYO, Yama, LoadPin): can stack.
Some modules might be allowed to stack but not make sense to stack on each other, they conflict or duplicate.

Wikipedia's "Linux Security Modules"

Network Control and Firewalls

This section is for tools that generally run unattended. For tools used by a person, see the Network Monitoring section.

Some terms:

IDS: Intrusion Detection System.
SIEM: Security Information and Event Management.

Ubuntu's "DoINeedAFirewall"
Adrian Grigorof's "Open Source Security Controls"

You can change your MAC address to any value, either for Wi-Fi or for wired Ethernet, via Mint's Network application or Ubuntu's Network Manager application.

/etc/hosts file:
MintGuide's "Hosts - change and manage the /etc/hosts file"

iptables:
"Netfilter is the framework in the Linux kernel, which implements the rule and filters provided by the user, through an interface available to user called iptables."

GUFW and UFW (simplified UIs to use instead of iptables)
Virdo, Boucheron and Juell's "How To Set Up a Firewall with UFW on Debian 10"
Jahid Onik's "How To Configure Firewall with UFW on Ubuntu"
Daniel Aleksandersen's "How to switch firewalls from FirewallD to UFW"
"more /etc/default/ufw"

Also:
Eric Geier's "Little Known GUI Firewall Options for Linux"
Mehedi Hasan's "Firewall Software For Protecting Your Linux System"
firewalld
LinuxTeck's "15 basic useful firewall-cmd commands in Linux"
Brian Boucheron's "How To Set Up a Firewall Using firewalld on CentOS 8"
There are 5 "tables": filter, nat, mangle, raw, security. We only care about the filter table, which has these built-in "chains" of rules: INPUT, FORWARD, OUTPUT. You can create new chains if you wish. Each rule ends with an action which can be: ACCEPT, DROP, LOG, or name of another chain. (There is more, but that's all we need to know.)

To see how much traffic is passing through each section of rules in filter table, do "sudo iptables -L -v" (can reset counters via "sudo iptables -Z"). On my system, with Windscribe VPN active, after doing a bunch of downloading, that gives:
```
Chain INPUT (policy ACCEPT 2005K packets, 2860M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 306 packets, 21425 bytes)
 pkts bytes target     prot opt in     out     source               destination
  486 75925 ACCEPT     all  --  any    any     anywhere             192.168.0.0/16
 1104 72461 ACCEPT     all  --  any    any     anywhere             10.0.0.0/8
    0     0 ACCEPT     all  --  any    any     anywhere             172.16.0.0/12
 495K  860M ACCEPT     all  --  any    any     anywhere             localhost
 1339  139K ACCEPT     all  --  any    any     anywhere             104.20.122.38
 1369  143K ACCEPT     all  --  any    any     anywhere             104.20.123.38
 417K   55M ACCEPT     all  --  any    tun+    anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             localhost
 423K   78M ACCEPT     all  --  any    any     anywhere             89.238.nnn.nnn
```
So my system is doing no routing ("FORWARDing"). And if no rule is matched, the packet gets DROPped if it is output, ACCEPTed if it is input.

To block SSH connections from any address, do "sudo iptables -A INPUT -p tcp --dport ssh -j DROP". Can do the same with http and https if you're not running a web server.

There is "ip6tables" which is separate but mostly has the same syntax as "iptables".

There is a "conntrack" module which lets you do things such as "ctstate" in rules.

To save changes so they survive across system restart, on Ubuntu-type systems, do "sudo apt-get install iptables-persistent", then turn off Windscribe VPN and firewall, then do "sudo su", and then "iptables-save >/etc/iptables/rules.v4" and "ip6tables-save >/etc/iptables/rules.v6".

You can write commands such as "-P INPUT DROP" into a file such as "iptables.txt" and then run "sudo su" then "iptables-restore <iptable.txt"

How-To Geek's "The Beginner’s Guide to iptables, the Linux Firewall"
Supriyo Biswas's "An In-Depth Guide to iptables, the Linux Firewall"
Ravi Saive's "Basic Guide on IPTables (Linux Firewall) Tips / Commands"
Mitchell Anicas's "Iptables Essentials: Common Firewall Rules and Commands"
IP sets

I ran a bash file with commands:
```
iptables -P INPUT DROP
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
```
Ran Windscribe VPN client which resulted ("iptables -L") in:
```
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.0.0/16
ACCEPT     all  --  anywhere             10.0.0.0/8
ACCEPT     all  --  anywhere             172.16.0.0/12
ACCEPT     all  --  anywhere             localhost
ACCEPT     all  --  anywhere             104.20.123.38
ACCEPT     all  --  anywhere             104.20.122.38
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             localhost
ACCEPT     all  --  anywhere             89.238.nnn.nnn
```
That anywhere-anywhere rule actually has "out=tun+" attached to it (can see that via "iptables -L -v"), so all that traffic goes through the VPN.

Put DROP on all IPv6 chains; my ISP doesn't support IPv6.

Ran a couple of net-testing apps on my phone (which is on my LAN), targeting my PC, and they show all ports blocked, no response to ping, no services offered.

If you want to log packets that don't match any rule, and end up getting DROPed by the chain policy, add a rule at the END of the chain via a command such as "iptables -A FORWARD -m limit --limit 1/minute -j LOG".

Default logfile for iptables is /var/log/kern.log; "dmesg -T" command shows same log, with some useful coloring added.

I would like to log/detect all applications that create output connections. But it seems this is very difficult to do in a human-readable way:
Super User's "With Linux iptables, is it possible to log the process/command name that initiates an outbound connection?"
Akkana's "Find out what processes are making network connections"

You can get instantaneous snapshots (not cumulative logs) by running "ss -tp" or "netstat -A inet -p".

To see IP address and other details about each network interface, run "ip -d address".

I want to log any incoming attempts on protocols/ports I don't use.

Found this: "You can add the --syn flag to make the rule match only packets with the SYN flag set, which is set only on new connection attempts."

Maybe do this:
"iptables -I INPUT -p tcp --dport ssh --syn -m limit --limit 1/minute -j LOG --log-prefix "Incoming SSH attempt ""
Do similar for FTP, Telnet, HTTP, HTTPS.

I didn't bother to make rules for TeamViewer (port 5938), Remote Desktop (port 3389), SMB (port 139), NFS (port 2049), VNC (port 5900), http-alt (port 8080), RTelnet (port 107), TFTP (port 69), Simple FTP (port 115), rsh (port 514), rsync (port 873), Telnet-TLS (port 992), PPTP (port 1723), SSDP (port 1900), CIFS (port 3020), UPnP (port 5000), Socks Proxy (port 1080), Microsoft-DS (port 445) attempts. You can go a little nuts with this stuff. I think I don't have listeners active for any of it, but it would be nice to log and drop the packets.

But it turns out you can make one rule for multiple ports, so I made:
"iptables -I INPUT -p tcp --match multiport --dports 5938,3389,139,2049,5900,8080,107,69,115,514,873,992,1723,1900,3020,5000 --syn -m limit --limit 1/minute -j LOG --log-prefix "Incoming suspicious port attempt ""
Limit of 15 port numbers per rule; had to split it into two.

If one of your rules logs incoming HTTP attempts, test it by putting address "localhost:80" into browser's address field, then looking in logs. Or test by running "curl localhost" on the CLI.

If one of your rules logs incoming HTTPS attempts, test it by putting address "https://localhost" into browser's address field, then looking in logs. Or test by running "curl localhost:443" on the CLI.

If your rules log incoming SSH and/or Telnet and/or FTP attempts, test them by running "ssh localhost" and/or "telnet localhost" and/or "ftp localhost" in CLI, then looking in logs. Or doing "curl localhost:22" and/or "curl localhost:23" and/or "curl localhost:21" in CLI, then looking in logs.

But I want to drop the packets after logging them. So I did this:
```
iptables -N I_LOG_DROP
iptables -A I_LOG_DROP -m limit --limit 4/minute -j LOG --log-prefix "IPTABLES-I-LOG-DROP: " --log-level 6
iptables -A I_LOG_DROP -j DROP

iptables -P INPUT DROP
iptables -A INPUT -p tcp --match multiport --dports 20,21,22,23,80,5938,3389,139,2049,5900,8080,107 --syn -j I_LOG_DROP
iptables -A INPUT -p tcp --match multiport --dports 69,115,514,873,992,1723,1900,3020,5000 --syn -j I_LOG_DROP
```
At some point, maybe it's easier to list the ports that should be open, instead of those that should be blocked. But maybe some high port numbers get opened dynamically.
"iptables -I INPUT -p tcp --match multiport ! --dports 80,443 --syn -m limit --limit 1/minute -j LOG --log-prefix "Incoming suspicious port attempt ""

Did this (in a shell script file):
```
iptables -F
iptables -Z

iptables -N I_LOG_DROP
iptables -A I_LOG_DROP -m limit --limit 4/minute -j LOG --log-prefix "IPTABLES-I-LOG-DROP: " --log-level 6
iptables -A I_LOG_DROP -j DROP

iptables -N O_LOG_DROP
iptables -A O_LOG_DROP -m limit --limit 4/minute -j LOG --log-prefix "IPTABLES-O-LOG-DROP: " --log-level 6
iptables -A O_LOG_DROP -j DROP

iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --syn -j I_LOG_DROP
# UDP 1194 for ProtonVPN, UDP 5353 is multicast DNS / Avahi
iptables -A INPUT -p udp --match multiport ! --dports 22,67,68,80,443,1194,5353 -j I_LOG_DROP

iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT
# port 23189 used by SFTP
iptables -A OUTPUT -p tcp --match multiport ! --dports ssh,http,https,23189 --syn -j O_LOG_DROP
# UDP 1194 for ProtonVPN, UDP 5037 when using Wireshark
iptables -A OUTPUT -p udp --match multiport ! --dports 22,53,67,68,80,123,443,1194,1900,5037,5353,30000:64000 -j O_LOG_DROP
```
The whole thing gets more complicated because your VPN probably does iptables stuff too. Windscribe VPN adds rules and changes chain policies. I had to have a big shell script to add rules before the VPN starts, then a small script to do a couple of tweaks after VPN has started.

And the number of ports keeps growing and growing. Apps such as Firefox and torrent-client open lots of high port numbers. Most/all of them may be on localhost, so maybe you have to start wiring addresses into your rules. The whole thing just gets too complicated.

If you see an iptables LOG line in /var/log/kern.log that doesn't show source and dest ports, but gives "PROTO=n", look up that protocol number in /etc/protocols.

Do "sudo netstat -tulpn" to see what ports have listeners. (Also "sudo ss -lptu")

Around this time, I mostly gave up with iptables. I think it was the wrong approach.
Instead, concentrate on reducing and understanding the number of listeners you have. It doesn't matter if an incoming packet gets through iptables, as long as no process is listening on that port.

Let the VPN do what it wants with iptables. Maybe do "sudo iptables -L -v" occasionally to see how much traffic is hitting each rule.

I think it would be different with a server, running only a few services. There you could allow only 10 or so open ports.

Maybe there are some "listeners" built into the protocol stack ? Turn off protocols you know you aren't using. Maybe do this to see unusual protocols:
```
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
...
# assuming your INPUT chain policy is ACCEPT, put these at the end of the chain
iptables -A INPUT -p tcp -j ACCEPT
iptables -A INPUT -p udp -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m limit --limit 1/minute -j LOG --log-prefix "Incoming IPv4 protocol "
```

Nftables:

This is a replacement for iptables. It is a more procedural language, I think. Should avoid a lot of duplication that you can get in iptables rules, and scale better. Also combines IPv4 and IPv6 in one structure. Not supported by VPNs yet, I think. Available through Mint's Software Manager, but still in development 11/2018, I think.

Debian / wiki / nftables
Nftables wiki
Alistair Ross's "Hello nftables, Goodbye iptables"

BPF (Berkeley Packet Filter; AKA cBPF) and eBPF:

Possible replacement for iptables and nftables.
eBPF allows attaching pieces of code in lots of places inside the kernel, such as on sockets.

Wikipedia's "Berkeley Packet Filter"

OSSEC:

OSSEC
File integrity monitoring, log monitoring, rootcheck, and process monitoring.

Snort:

Snort
Can be used as a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging, etc), or as a network intrusion prevention system. Can perform protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes.
Available through Mint's Software Manager.

I installed it (version 2.9.7.0) from Mint's Software Manager:
Got "interface 'eth0' is invalid". I have valid interfaces "enp19s0" (wired Ethernet), "wlp18s0" (Wi-Fi), and "tun0" (VPN). I switch among all three; usually VPN is on, but sometimes it's off, usually I'm on Ethernet, but sometimes on Wi-Fi. Am I going to have to reconfigure snort each time ?

Chose interface "enp19s0" even though VPN is on. I guess installer completed okay; no message.

At CLI, run "snort -V" to see that it's installed.

Snort logs to the /var/log/snort directory by default.
NIDS config file is /etc/snort/snort.conf

Run "sudo snort" to start in packet dump mode AKA sniffer mode.
Run "sudo snort -vde -c /etc/snort/snort.conf" to start in verbose NIDS mode.
Add "-i INTERFACENAME" to specify the network interface to use.
Ctrl+C to terminate it.

[These were already done in my version:]
Edit /etc/snort/snort.conf to:
Un-comment line starting with "output unified2"
Comment out line starting with "output log_tcpdump"
"snort -T -c /etc/snort/snort.conf" to syntax-check the config file.

Run "sudo snort -A fast -d -N -s -c /etc/snort/snort.conf" to start in NIDS alerting non-logging mode.
"cat /var/log/snort/alert" to see alerts.

I did a LAN-discovery from a phone app (Fing) and snort wrote entries about uPnP discovery scanning, into the alert file.

After about 8 hours, the alert file was over 105 KB, mostly alerts about malformed uPnP stuff.

I signed up for a Snort account, but there is no ruleset available for the old version I have (2.9.7.0).

A serious setup where logs/alerts couldn't be deleted by an attacker probably would send the info to some other machine, probably to a SQL database. And view the database with Splunk or something.

OccupyTheWeb's "Snort IDS for the Aspiring Hacker, Part 1 (Installing Snort)"
OccupyTheWeb's "Snort IDS for the Aspiring Hacker, Part 2 (Setting Up the Basic Configuration)"
OccupyTheWeb's "Snort IDS for the Aspiring Hacker, Part 3 (Sending Intrusion Alerts to MySQL)"
OccupyTheWeb's "How to Read & Write Snort Rules to Evade an NIDS (Network Intrusion Detection System)"
OccupyTheWeb's "How to Evade a Network Intrusion Detection System (NIDS) Using Snort"
Noah Dietrich's "Snort 2.9.9.x on Ubuntu"

Suricata:

Suricata
Capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.

psad:

CipherDyne's "psad: Intrusion Detection and Log Analysis with iptables"

Graylog:

Graylog

Zeek (formerly Bro):

Network Security Monitor.
Zeek

Honeypots:
- Dionaea:
  
  Honeypot.
  DinoTools / dionaea
- Thug:
  
  Honeypot.
  buffer / thug
- Canarytokens:
  
  Honeypot. Mixture of Windows-only and OS-independent items.
  Thinkst's "Canarytokens"
  KaliLinux.in's "Canarytokens -- Danger For Attackers"
- OpenCanary:
  
  Honeypot. Maybe same as Canarytokens ? By same company.
  OpenCanary
  thinkst / opencanary
- Cowrie:
  
  Honeypot for SSH and Telnet.
  cowrie / cowrie
- Modern Honey Network (MHN):
  
  Software to deploy and manage honeypots in a network.
  pwnlandia / mhn
- T-Pot:
  
  Software to deploy and manage honeypots in a network.
  Deutsche Telekom's "T-Pot: A Multi-Honeypot Platform"
- Endlessh:
  
  A "tar-pit" which ties up SSH attackers for a long time.
  Chris Wellons' "Endlessh: an SSH Tarpit" (gives HTTP example too)
- Responder:
  
  Listens for and poisons responses to Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS), Web Proxy Auto-Discovery (WPAD), more.
  SpiderLabs / Responder
- xtables-addons-dkms:
  
  Iptables add-ons to implement "tar-pit" rules.
  moblog's "Howto: Install TARPIT on Debian Stable"
  Ubuntu manuals' "Xtables-addons - additional extensions for iptables, ip6tables, etc."
Vinsloev's "Cybersecurity 101 - What is a Honeypot?"
paralax / awesome-honeypots

List of Open Source IDS Tools
Daniel Berman's "6 Open Source SIEM Tools"

Application Control and Security

Firejail:
An application that restricts the environments of other apps, running them with access only to certain directories, or to fake copies of system directories, or no network access.

Firetools/Firejail
Easy Linux tips project's "Run your web browser (and other apps) in a secure sandbox"
xenopeek's "Using firejail as security sandbox for your programs"

You could use Firetools or Firejail Configuration Wizard apps in the GUI. But building a security profile doesn't seem to be persistent, and the Firetools monitor shows a much-too-high number for memory usage. And the UI is really annoying.

To just run an app while denying network access:
```
firejail --net=none (appname)
```
In Mint, the base Firejail is installed by default. Through Software Manager, installed Firejail-profiles and Firetools. Poked around a bit, quickest way to see the restrictions is to run "mount" in CLI before and after running "firejail bash".

When trying to debug a Firejail profile, launch the app in CLI ("firejail APPNAME"), not via an icon. Apps often put out error messages on stderr. Also, do "sudo ps -ax | grep firejail" to make sure an app isn't hanging; reboot if there is one.

Firejail project home: netblue30 / firejail

Firefox with Firejail:
[You could run Firetools, right-click, Configuration Wizard, select Firefox, click "Build a custom security profile", Continue. But the changes are not persistent; they're used for only one launch ?
Instead:]
1. Do "mkdir -v ~/.config/firejail".
2. Do "cp -v /etc/firejail/firefox.profile ~/.config/firejail".
3. Do "xed ~/.config/firejail/firefox.profile". [Following works on FF 63.0; other versions may be different.]
  Key lines I did/didn't change:
  - ~/Downloads is already whitelisted.
  - Add whitelist lines for ${HOME}/Videos or any other directories you want to give access to.
    No way to specify read-only ?
  - "caps.drop all": I didn't change it.
  - "netfilter": I didn't change it.
  - "noroot": I didn't change it.
  - Set the "protocol" line to "protocol unix,inet,inet6,netlink".
  - Set the "seccomp" line to "seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot, @resources,@swap,acct,bpf,fanotify_init,io_cancel,io_destroy, io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount, name_to_handle_at,nfsservctl,open_by_handle_at,personality, pivot_root,process_vm_readv,remap_file_pages,setdomainname, sethostname,umount,umount2,userfaultfd,vhangup,vmsplice" (all on one line, no spaces in the list)
    ["seccomp.drop mount,umount2,swapon,swapoff" also worked].
  - "shell none": I didn't change it.
  - "private-etc" commented out: I didn't change it.
4. Right-click on the orange Firefox icon near the Start button, click Edit, and change Command from "firefox %u" to "firejail firefox %u".
  Some articles say add "-no-remote", but that prevents my password manager from sending keystrokes to Firefox.
5. Launch Firefox, and test to see if it works normally.
  - Try Ctrl+O to open a page from disk, and only the allowed directories should be shown.
  - In CLI do "firejail --tree" or "firejail --list" and you should see Firefox there.
  - Test password manager sending info to Firefox.
If you caused a bunch of FF crashes while debugging, look in "~/.mozilla/firefox/'Crash Reports'/pending" and delete them.

Using Firefox under Firejail, I'm seeing some cases where FF can't access the internet, some where it doesn't shut down properly. It's not saving my uMatrix settings changes, too. Stopped running it under Firejail routinely.

Mint 19 has Firejail 0.9.52-2 as of 14 Nov 2018. "sudo apt-get install firejail" says that is latest version. But the project page says there is a 0.9.56-LTS version. Download page says download DEB file and do "sudo dpkg -i firejail_X.Y_1_amd64.deb". Did that, and got some error "while trying to overwrite /etc/firejail/etr.profile". I don't see anything special about that file. Removed that file, tried again, same error. Firejail still works, still says version 0.9.52-2.

So brought over just new firefox.profile, firefox-common.profile, and created empty firefox.local. Seems to work better, but still some problems, end up with zombie Firefox processes, etc. Stopped using Firejail on FF for now.
KeePassXC with Firejail:
Mint comes with a Firejail profile for it, "/etc/firejail/keepassxc.profile". But it disables all the "click on URL to open in browser" and "auto-type" features of KeePassXC. You'd be reduced to copy-switch-paste to copy info from manager to browser.

AppArmor:
Very similar to Firejail, but implemented as a Linux kernel security module.

Do "sudo apparmor_status" to see info.
To install more: "sudo apt install apparmor-profiles apparmor-profiles-extra apparmor-utils apparmor-easyprof"

Wikipedia's "AppArmor"
AppArmor

Making profiles:
Ubuntu Tutorials' "How to create an AppArmor Profile"
Uzair Shamim's "The Comprehensive Guide To AppArmor: Part 1"
The Debian Administrator's Handbook's "14.4. Introduction to AppArmor"

In Mint, Apparmor (user-space parser utility) was installed by default.
I installed Apparmor-utils through Software Manager.
Profiles are stored in /etc/apparmor.d directory.
You could turn on the profile for Firefox by doing "sudo aa-enforce /etc/apparmor.d/usr.bin.firefox".
To turn it off, do "sudo aa-disable /etc/apparmor.d/usr.bin.firefox".
If you do a disable when enforce is not on, you'll see a "Profile doesn't exist" error.
To see the list of active profiles, do "cat /sys/kernel/security/apparmor/profiles".
To see AppArmor activity, do "grep apparmor /var/log/kern.log".

When trying to debug an AppArmor profile, launch the app in CLI, not via an icon. Apps often put out error messages on stderr. Also, do "sudo ps -ax | grep APPNAME" to make sure an app isn't hanging; reboot if it is.

Firefox with AppArmor:
Already had FireFox working in Firejail, so all of the following is with FF running in Firejail.

Started enforcing AppArmor for Firefox, launched Firefox in Firejail, it showed some "welcome to Mint - file access failed" page, and the kernel log shows a dozen or more AppArmor "denied" messages.

Quit Firefox, disabled AppArmor for Firefox, launched Firefox, and my Firefox user profile is gone ! Bookmarks, settings, add-ons, everything gone !

Fortunately, I was able to find it all under a directory in "~/.mozilla/firefox", and was able to restore it by editing "~/.mozilla/firefox/profiles.ini" to point at the old profile instead of the new one. Whew ! Do a backup of that stuff before trying again.

Looking at "denied" messages in /var/log/kern.log, it looks like access to "/run/firejail/mnt/" is denied, maybe also access to "home/.ecryptfs/USERNAME/...". Edited "/etc/apparmor.d/usr.bin.firefox". Above "# so browsing directories works", I added lines "/run/firejail/mnt/** r," and "/home/.ecryptfs/** rw,".

Still got "bookmarks and history system will not be functional because one of Firefox's files is in use by another application. Security software can cause this problem." error message.

Tried AppArmor on, Firejail off, and FF works ! So the problem is somewhere in the interaction of AppArmor and Firejail. Did "sudo xed /etc/apparmor.d/firejail-default /etc/apparmor.d/usr.bin.firefox ~/.config/firejail/firefox.profile". Couldn't fix the problem. Tried adding lines "network unix stream, network netlink stream," and "/run/firejail/mnt/** r, /home/.ecryptfs/** rw," to "/etc/apparmor.d/usr.bin.firefox", didn't help.

If you caused a bunch of FF crashes while debugging, look in "~/.mozilla/firefox/'Crash Reports'/pending" and delete them.

KeePassXC with AppArmor:
Mint has no AppArmor profile for KeePassXC.

Made a profile the stupid way, trial-and-error, not using the profiling tools. Started with no restrictions.
"sudo aa-enforce /etc/apparmor.d/usr.bin.keepassxc"
"sudo aa-disable /etc/apparmor.d/usr.bin.keepassxc"
"sudo apparmor_parser -r /etc/apparmor.d/usr.bin.keepassxc"
Got it to work, despite showing "qt5ct: D-Bus global menu: no" error (same error when AppArmor is disabled).
Tried to turn off networking, got "Could not connect to any X display" error. Adding "network unix stream" fixed that. Very unfortunate that I had to do that; my main goal for this profile was to turn off networking.
Took a lot of fiddling to get the directory-tree permissions okay; I'm sure they're still too generous.
Ended up with this.

TOMOYO:

A Linux kernel security module.
Wikipedia's "Tomoyo Linux"
TOMOYO Linux
eLinux's "TomoyoLinux"

Bubblewrap:

ArchWiki's "Bubblewrap"

SMACK:

A Linux kernel security module.
Wikipedia's "Smack"
The Smack Project - Home

SELinux:
A Linux kernel security module. More fine-grained than AppArmor and Firejail, which run at the application level, only at the interface between app and OS.

Steven Vaughan-Nichols' "How to set up SELinux right, the first time"
Alex Callejas' "A sysadmin's guide to SELinux"
Wikipedia's "Security-Enhanced Linux"
SELinux Project
SELinux Project on GitHub
Barrow's "Use SELinux Targeted Policy to Secure Your Hosts"

On CLI, run "sestatus" or "getenforce" to see if it installed and/or enabled.
"man runcon"
"man sandbox"

Yama:

A Linux kernel security module.
Yama

Lockdown:

A set of Linux kernel features to optionally close off interfaces that allow root to modify the kernel.
Matthew Garrett's "Linux kernel lockdown, integrity, and confidentiality"
Arch Wiki's "Kernel lockdown mode"

seccomp and seccomp-bpf (SECure COMPuting with filters):

A Linux kernel security module that filters syscalls from a process.
The Linux Kernel's "Seccomp BPF (SECure COMPuting with filters)"
Wikipedia's "seccomp"

OpenSnitch:

evilsocket / opensnitch

But LinuxUprising's "How To Install OpenSnitch Application-Level Firewall In Ubuntu" says it's beta and you have to build from source (compiling in Go). The source project says it edits iptables rules and interacts with netfilter.
7/2019: Developer says he's dropping it for a while, discouraged by no help.
nixCraft's "OpenSnitch: The Little Snitch application like firewall tool for Linux"
Step 3 in TokyoNeon's "Using Ubuntu as Your Primary OS, Part 4 (Auditing, Antivirus & Monitoring)"
Do Son's "opensnitch: GNU/Linux port of the Little Snitch application firewall"

gustavo-iniguez-goya / opensnitch (fork that IS active)

Douane:

Douane on GitLab

Tuxdiary's "Douane: easy firewall with app rules"
Dedoimedo's "Linux per-application firewalls - Doable? Douane"
Project-insanity's "Application firewall Douane for ArchLinux"

Access Control Lists (ACLs):

A way to set finer-grained permissions than the base UGO permissions.
Kuldeep Sharma's "Secure Files/Directories using ACLs (Access Control Lists) in Linux"
See "man acl" and "man setfacl".

Namespaces:
Wikipedia's "Linux namespaces"
Mahmud Ridwan's "Separation Anxiety: A Tutorial for Isolating Your System with Linux Namespaces"
Ed King's "Linux Namespaces"

Namespaces are a key feature used to implement isolation for container systems (Docker, flatpak, snap, LXC), applications and daemons (AppArmor, Firejail), and multi-process applications (some browsers).
```
man namespaces
man lsns

lsns		# list namespaces in use by current user
sudo lsns	# list namespaces in use by all users
```
A program uses the clone() system call instead of fork(), to make a copy of itself running in a separate space. That can mean separate process trees (clone can't see parent process or any pre-existing processes), different views of the network connections, separate mount spaces (/etc/fstab's, I think), pseudo-root privileges, separate IPC spaces, more. There can be sockets set up to communicate between namespaces.

In the CLI, you can use the "unshare" command to run a process in a separate namespace. The "ps" command has options to display namespace IDs for processes.

iptables:

You could assign an application to belong to a particular group, then make iptables rules about that group using "-m owner --gid-owner" qualifiers in iptables rules.
discussion

My evaluation:

The mainstream solutions (at least, in Mint) seem to be Firejail and AppArmor.

Firejail better because:
- Can have different icons that launch an app with/without Firejail.
- Can have private copies of /dev, /bin, /tmp, /etc.
- Easy to say nodvd, noshell, noroot.
- In Mint, there are far more Firejail profiles than AppArmor profiles.

AppArmor better because:
- No way to evade controls when you launch an app.
- Lots of fine-grained controls on D-Bus.
- Can set detailed rwxmk permissions on directory trees and files; Firejail just has whitelist/blacklist.
- Has some kind of controls on "signals".

Neither AppArmor nor Firejail supports restricting network access to just X system, or just localhost, or just LAN addresses.

Trying to use both AppArmor and Firejail on same app usually fails.

In Mint, by default, AppArmor is controlling several daemons, such as dhcp, cups, mysql-akonadi, Clam updater, ippusbxd (USB printer).

I think I would try to get my key applications running in Firejail. Leave AppArmor enforcing on the daemons.

My opinion: firewalls / app control / security is a bit of a mess:

Firejail, AppArmor, SELinux, Yama, iptables, ip6tables, nftables, bpf, ufw, gufw, firewalld, netfilter, VPN, IDS, IPS, etc. Why can't we have one integrated solution, with a body of rules that can do filesystem and network access and syscall access and service and app and login control, and take user ID, app ID, MAC address, IP address, IP port, etc as input to the rules ?

Examples:

I'd like to control Firefox now. I go to the Security GUI, select Firefox, and I see everything about it: what files/dirs it can access, what syscalls it can do, what devices, what IP ports, domain whitelists and blacklists, what users/groups can access it, everything. All in one place. I don't care if separate kernel modules do the networking and the filesystem control, and some module inside Firefox does the domain whitelist/blacklist.

Same for any other app or service or module. I go to the Security GUI and choose my password manager app. In one place, I can control everything about it: filesystem access, network access, syscalls, etc.

I don't want my system to do anything with IPv6. I go to the Security GUI and choose IPv6. In one place, I can control everything about it: turn it off for everything, turn off incoming, whatever. Later, maybe I decide only Firefox can do IPv6. I can check a box to allow that.

I don't want user "skype" (which owns Skype app and the cron job that updates it) to be able to contact any domains except Microsoft's Skype domain. I go to the Security GUI and choose user "skype" and set the appropriate things.

I think today Firejail and AppArmor already mix some of this. You can set filesystem, syscall and network permissions in a Firejail profile or an AppArmor profile, I think. But Firejail and AppArmor settings are hard to share across many apps, and iptables rules know nothing about applications/processes. Iptables has a module that allows rules based on connection state, but I don't think Firejail and AppArmor have anything like that.

System Hardware Monitoring and Control

TLP:

Tecmint's "TLP: Quickly Increase and Optimize Linux Laptop Battery Life"
TLP - Optimize Linux Laptop Battery Life

Installed it through Mint 19 Software Manager.
Rebooted to make it take effect.
Not in Ubuntu 20 stores.
On Ubuntu 20, do:
```
sudo apt install tlp tlp-rdw
sudo tlp start
```
It's a CLI-only tool.
Config file is /etc/default/tlp.
After changing that file, do "sudo tlp start".
```
# see if the services are running:
sudo systemctl status tlp.service
sudo systemctl status tlp-sleep.service

sudo tlp-stat -s			# check status
sudo tlp-stat | more		# see all settings and status
```
Since I'm running on AC power, I probably won't be able to see any difference.

Use Mint's "Disks" app, or install "GSmartControl" app through Software Manager, to test hard disk and see SMART info.
Thomas-Krenn's "SMART tests with smartctl"

Software Resource Monitoring

System's GUI apps:

On Mint, run System Monitor application.

service:

To see what services are running, run "service --status-all".

pstree -T:

Nice tree-view of running processes.

top:

It shows process/memory info, but not networking.

Run "top", then:
"?" to see list of commands in top,
"f" for field management,
"c" to see command-line of each process,
"V" to see tree-view of processes,
"q" to quit.

Useful command-line flags: "top -d 5.0"

Quick test for overall memory leaks:

Do "watch 'free -m'".

auditd:

Through Mint's Software Manager, installed auditd.

Ran "sudo auditctl -l" and it says there are no rules.
Ran "sudo auditctl -s" to see status of the auditing subsystem.
Also "sudo systemctl status auditd" to see status of the auditing subsystem.
Ran "sudo cat /etc/audit/audit.rules" to see contents of rules file.
Ran "sudo ausearch --interpret" to see what has been logged.
Run "sudo /etc/init.d/auditd restart" (start/stop/restart) to control auditd service.
Log file is "/var/log/audit/audit.log".
Stopped auditd via "sudo /etc/init.d/auditd stop", but after reboot it was running again.
Did "sudo systemctl disable auditd", which seemed to succeed, but auditd is still running.

"sudo auditctl -a exit,always -F arch=b64 -S connect -k MYCONNECT" to log all outgoing network connections (warning: log file size will increase by about 1-2 KB/sec in an "idle" system!).
"sudo auditctl -d exit,always -F arch=b64 -S connect -k MYCONNECT" to remove that rule so log file isn't flooded.

LinOxide's "Auditd - Tool for Security Auditing on Linux Server"
Aaron Kili's "Learn Linux System Auditing with Auditd Tool on CentOS/RHEL"
Paul Brown's "Customized File Monitoring with Auditd"

Network Monitoring

This section is for tools used by a person. For tools that generally run unattended, see the Network Control section.

Some terms:

IDS: Intrusion Detection System.
SIEM: Security Information and Event Management.

netstat:

To see what incoming ports are open and/or have listeners on them, do "sudo netstat -tulp".

lsof:

To see established connections, do "sudo lsof -i".

iptraf-ng:

Through Mint's Software Manager, installed iptraf-ng.
Ran "sudo iptraf-ng". If you want names instead of numbers, go into "Configure" and turn on "Reverse DNS lookups" and "TCP/UDP Service names". Exit out of Configuration and then go to "IP traffic monitor".
Shows both UDP and TCP.

iftop:

Through Mint's Software Manager, installed iftop.
Ran "sudo iftop -P". Type "h" to get into and out of help screen.
It does show cumulative totals; you may have to press "T".
But it just shows IP addresses and port numbers; no app or service names.

Nethogs:

Through Mint's Software Manager, installed Nethogs.
Ran "sudo nethogs".
But it seems to show only currently active processes, not a historical/cumulative log.
Aha ! "sudo nethogs -v 3" will show cumulative, so apps don't disappear from the list after they terminate.

Tried to install hogwatch, but got a lot of "error: invalid command 'bdist_wheel'" problems.

ntopng:

Through Mint's Software Manager, installed ntopng. Huge package.
But it won't start up, says address or port 3000 is busy. Turned off VPN, maybe iptables is stopping it, gave up.

conntrack-tools:

conntrack-tools: Netfilter's connection tracking userspace tools
conntrack (8) - Linux Man Pages
To install: "sudo apt install conntrack".

Justniffer:

Thought about installing Justniffer, but it looks old, decided against it. If I'm going to learn some big complicated tool, it's going to be Wireshark.

Wireshark:

Tried running Wireshark from GUI Start button, but none of the 4 "capture filters" it shows me seem appropriate.
Ran "sudo wireshark" from CLI, and it gave a warning but then showed me interfaces I expected, including my Ethernet adapter. Chose that, and it started live monitoring of packets.

If you see a lot of UDP traffic labeled as "QUIC", Wireshark probably is guessing wrong, and: "If you don't want the QUIC tag, simply go to the "Analyze" menu and select "Enabled Protocols" from the list. Find the entry for QUIC and uncheck the box."

Did "sudo usermod -a -G wireshark MYUSERNAME" so I can run Wireshark without sudo.

In Wireshark, do "Capture / Options" and turn off "promiscuous mode" to see traffic just for your computer, not all traffic on the LAN.

Chris Hoffman's "How to Use Wireshark to Capture, Filter and Inspect Packets"
David D Warden's "Everything You Need to Know About Wireshark"
OTW's "Network Forensics: Wireshark Basics, Part 2"
Ceos3c's "Wireshark Tutorial Series 1 - Introduction, lab setup and GUI overview"
FromDev's "30+ Best Free Wireshark Tutorials PDF & eBooks To Learn"
Brad Duncan's "Using Wireshark: Identifying Hosts and Users"
elitest's "Decrypting TLS Browser Traffic With Wireshark - The Easy Way!"

There's also a CLI version/part of Wireshark: tshark

PA Toolkit (Pentester Academy Wireshark Toolkit)

Nikto:

Nikto2
Web server testing.

arpwatch:

Tool for seeing ARP traffic, alerting if a new MAC-to-IP address mapping appears or an existing one changes.

Available through Mint's Software Manager.
Wikipedia's "arpwatch"

gupnp-tools:

See uPNP traffic.
"sudo apt install gupnp-tools"

Run "GUPNP Universal Control Point" application (on CLI: gupnp-universal-cp) to display traffic.
No man page, but see "gupnp-universal-cp --help".
Works with VPN on or off: I see uPNP traffic from our smart TV.

Another application: "GUPnP AV Control Point" application (on CLI: gupnp-av-cp) to get a remote control UI.
I can't get it to control our smart TV, but if I use the TV's remote control to change the volume, the app's volume slider moves to reflect the change.

Mehedi Hasan's "Linux Monitoring Tools For SysAdmin"
Hayden James' "Linux Networking commands and scripts"
Martin Bruchanov's "Linux Network Administration"

Monitor the traffic in/out of your LAN. Best ways probably are custom software in your router, and a Pi-hole doing DNS filtering. From Security in Five Podcast - Episode 746, investigation of traffic volume exceeding data cap found that iCloud was uploading/downloading the entire collection any time one thing was added, and after that was fixed almost 50% of all traffic was due to blockable scripts (ads, trackers).

Security Testing and Penetration Testing

Smartphone apps or web sites to do port scanning of your system:

See the "Port scanning and router testing" section of my "Computer Security and Privacy" page.

Nmap / Zenmap:

In Mint's Software Manager, installed Zenmap to do port scanning.

Turn off VPN; it prevents operations Zenmap/Nmap tries to do.

Run via "Zenmap as root" menu item.

To get started, type "127.0.0.0" into Target field, select "Quick Scan" in Profile field, and click Scan.

Use Target of "192.168.0.0/24" to scan your whole LAN, maybe with Profile set to "Quick Scan". Equivalent of "nmap -F 192.168.0.0/24" ? Also try "sudo nmap -O -F 192.168.0.0/24".

Try scanning your own machine with Profile set to "Intense scan plus UDP".

WebMap:

A visual dashboard that uses a capture file from nmap.

BabySploit:

M4cs / BabySploit

Sparta:

SPARTA
WonderHowTo's "Using Sparta for Reconnaissance"

Lynis:

Installed it through Mint's Software Manager. It's a security-auditing package. Ran "sudo lynis audit system". It complained about outdated version of Lynis. Followed instructions at Cisofy's "Software Repository (Community)" to update Lynis. Ran "sudo lynis audit system" again. Went to BOOT-5122 - Set boot loader password but decided not to do it.

Maybe try "lynis --check-all --quick" ?

Later got this on reddit:
"Tool author here. Lynis does not make changes to the system. It only makes suggestions on what you can do."

Ran the tool again, it ran fine, afterward do: "sudo grep Sugg /var/log/lynis.log"

Balaji N's "Lynis - Open Source Security Auditing & Pentesting Tool - A Detailed Explanation"
Alan Formy-Duval's "How to read Lynis reports to improve Linux security"

Vuls:

Vuls
Scans system for vulnerabilities listed in various vulnerability databases.
Savik's "How To Use Vuls as a Vulnerability Scanner on Ubuntu 18.04"

Pompem:

rfunix / Pompem
Scans system for vulnerabilities listed in various vulnerability databases.

cvescan:

Ubuntu-only, snap-only, from Canonical.
I think it's based on OpenSCAP.
Scans system for CVEs listed in official list from Canonical.
No man page, just CLI help.
No version option in CLI. "snap list" gives version.
CLI-only, no GUI.
Default "cvescan" shows high/critical-priority CVEs for which fixes are available but not yet applied to your system.
"cvescan --priority medium --unresolved | more" shows medium/high/critical-priority CVEs for which fixes are not available.
https://github.com/canonical/sec-cvescan

ubuntu-security-status:

Ubuntu-only, from Canonical.
Gives support/update status (e.g. "will receive updates with LTS until 4/2025") of installed packages.

linux-exploit-suggester:

mzet- / linux-exploit-suggester

checksec.sh:

slimm609 / checksec.sh
Dejan Lukan's "Gentoo Hardening: Part 3: Using Checksec"

security-assessor:

Scripts that scan a Linux system looking for security and robustness problems.
stevegrubb / security-assessor

Attack Surface Analyzer:

microsoft / AttackSurfaceAnalyzer
Does a diff of security configuration before and after installing new software.

Aircrack-ng:

Wi-Fi penetration and analysis.
Aircrack-ng
Maybe run it via the wifite or wifite2 front-end application.

systemd-analyze security:

Requires version 240 or later; "systemd-analyze --version"
"systemd-analyze security"
"systemd-analyze security UNITNAME"

"Should be used with caution. Not every security setting makes sense for every unit. You should therefore know what you are doing. The tool is therefore less suitable for end users but more for administrators."
"For example, sshd carries a status of '9.6 UNSAFE'. Most of this is because it requires running as UID 1 (root), loading kernel modules and lots of net based capabilities. To get sshd.service to a safe status would completely break the service and render it not even capable of performing its basic functions."

Daniel Aleksandersen's "systemd service sandboxing and security hardening 101"
Daniel Aleksandersen's "Limit the impact of a security intrusion with systemd security directives"
Arch Wiki's "Security guidelines - Systemd services"
Adrian Grigorof's "Open Source Security Controls"

Tightening Security

Really, it seems that 95% of the vulnerabilities are eliminated if you just don't run a web server on your machine. Also don't run SSH or FTP or other login-type services, and keep software updated, and you're above 99%.

From older version of Easy Linux tips project's "Security in Linux Mint: an explanation and some tips":
"Don't install Windows emulators such as Wine, PlayOnLinux and CrossOver, or the Mono infrastructure, in your Linux, because they make your Linux partially vulnerable to Windows malware. Mono is present by default in Linux Mint; run 'sudo apt-get remove mono-runtime-common' to get rid of Mono."
[First run 'sudo apt-get --simulate remove mono-runtime-common' to see what else you'd lose.]

Ask Ubuntu's "What are PPAs and how do I use them?"
But: "One thing to keep in mind about using PPAs (Personal Package Archives) is that when you add a PPA to your Software Sources, you're giving Administrative access (root) to everyone that can upload to that PPA. Packages in PPAs have access to your entire system as they get installed (just like a regular package from the main Ubuntu Archive), so always decide if you trust a PPA before you add it to your system."

It's a good idea to get CLI mail working, and check it regularly, since various services and packages will send failure or security notices to root's email. See "Getting Linux local CLI mail working" section.

Learn a little about how network traffic is controlled in your system:

The key pieces and how you can see things:
- Physical network devices (Ethernet adapter, Wi-Fi adapter).
- Logical or software network devices (loopback, localhost, VPN).
- inxi -i (network devices)
- ip -d address (network devices)
- netstat -r or route -n or ip route show (IP routing)
- sudo iptables -L -v (packet filtering and routing)
- sudo netstat -tulp (listeners)
- cat /etc/resolv.conf (DNS servers)
- arp and arp -n (LAN devices talked to)
- cat /var/lib/dhcp/dhclient.leases (current DHCP leases)
- Apps: services (service --status-all), listeners (sudo netstat -tulp), and foreground apps
Inside Linux, while running a VPN and through a router, there are four kinds of IPv4 address:
- LAN address (192.n.n.n).
- VPN client's WAN address (10.n.n.n in my case).
- Router's WAN address (77.n.n.n in my case).
- VPN server's WAN address (89.n.n.n in my case).
I haven't found a way yet that an app on my computer can get the Router's WAN address, either with VPN on or VPN off. But with VPN off, an app could talk to a server outside and ask it "what IP address am I coming from ?".

Other types of address:
- MAC address (address of physical adapter xx.xx.xx.xx.xx.xx, see with "inxi -i").
- IPv6 address (xxxx.xxxx.xxxx.xxxx.xxxx.xxxx).

Turn off services and network listeners:
On Mint, run System Settings application and click through many of the icons, turn off anything you don't need.

See what incoming ports are open and/or have listeners on them, and close down as many as possible. Do "sudo netstat -tulpn" or "sudo netstat -tulp". (Also "sudo ss -lptu".) For all ports, do "sudo netstat -tuap".

I see various TCP and UDP permutations of:
- systemd-resolve: DNS caching. Listens on a localhost address.
  systemd-resolved manual page
  I think you shouldn't disable this.
- cupsd and cups-browsed: print server. Port 631.
  Some pieces of the cups package do other things such as PDF-conversion.
  Service can be configured via http://localhost:631/admin
  Ubuntu's "CUPS - Print Server"
  Ran Mint's Software Manager and removed "Cups-daemon".
  
  But then printing even to a local USB printer stopped working. And I see traffic to port 631 being dropped. Re-installed the daemon. Ran Printer app and said start the service. Still not working. In Mint's Software Manager, installed Printer-driver-postcript-hp, then Hp-ppd, then Cups-browsed. In Printer app, clicked "Enable" for the printer. Eventually got the USB printer going again.
- redis-server: a database server. Uses port 6379 and only on loopback 127.0.0.1 ?
  Run "sudo systemctl status redis-server" to see status of it.
  Can be removed through Mint's Software Manager.
  I removed it and apparently nothing broke.
  NixCraft's "How to install Redis server on Ubuntu Linux 16.04"
  OSTechNix's "How To Install And Configure Redis Server In Ubuntu"
- dhclient: DHCP Client. Uses port 68. I think you shouldn't disable this unless your machine has a static IP address.
- avahi-daemon: Apple mDNS/DNS Zeroconf (AKA Rendezvous or Bonjour) service. For easy access to (Apple ?) networked printers and file servers on your LAN. Wikipedia. Uses UDP ports 32768 and 5353, maybe also 52482 and 51623 ? Ran Mint's Software Manager and removed "Avahi-autoipd", "Avahi-daemon" and "Avahi-utils".
- openvpn: I'm using a VPN, can't remove it.
- Tor: listening on localhost port 9050 even when I'm not using Tor Browser.
  
  Apparently it's there in case you want to run a Tor socks proxy, or host an onion service, or run an onion node.
  
  Did "sudo systemctl disable tor" and "sudo systemctl stop tor". Tor Browser still works afterward. While Tor Browser is running, you will see a Tor listener on port 9150.
  
  Later re-enabled the listener service. I want to do some things with outbound onion links from apps other than Tor Browser. Edit /etc/tor/torrc to un-comment the lines:
```
SocksPolicy accept 192.168.0.0/16
SocksPolicy reject *
```
- SSH:
  
  "ps -ax | grep ssh"
  ssh-agent is not a listener, it's a server that supplies keys to other apps.
What services are started at boot time: "sudo systemctl list-units".
Also see timer-based services: "sudo systemctl list-timers".

To disable a service: "sudo systemctl disable --now SERVICENAME" or sometimes "/lib/systemd/systemd-sysv-install disable SERVICENAME".

Delightly Linux's "Speed Up Linux Boot by Disabling Services"
TecMint's "How to Stop and Disable Unwanted Services from Linux System"

Use iptables to log and understand and block network traffic:

See iptables section for details.

To see how much traffic is passing through each section of rules in filter table, do "sudo iptables -L -v" (can reset counters via "sudo iptables -Z").

There is "ip6tables" which is separate but mostly has the same syntax as "iptables". "sudo ip6tables -L -v"

Default logfile for iptables is /var/log/kern.log; "dmesg -T" command shows same log, with some useful coloring added.

I would like to log/detect all applications that create output connections. You can get instantaneous snapshots (not cumulative logs) by running "ss -tp" or "netstat -A inet -p".

To see IP address and other details about each network interface, run "ip -d address".

Setting iptables rules gets more complicated because your VPN probably does iptables stuff too. Windscribe VPN adds rules and changes chain policies. I had to have a big shell script to add rules before the VPN starts, then a small script to do a couple of tweaks after VPN has started.

Do "sudo netstat -tulpn" to see what ports have listeners. (Also "sudo ss -lptu")

I mostly gave up with iptables. I think it was the wrong approach.
Instead, concentrate on reducing and understanding the number of listeners you have. It doesn't matter if an incoming packet gets through iptables, as long as no process is listening on that port.

I think it would be different with a server, running only a few services. There you could allow only 10 or so open ports.

IPv6:

My ISP (or their router) blocks IPv6, so I can't test it. I do get a little incoming ICMPv6 traffic from somewhere, and my system outputs a little ICMPv6 traffic. Windscribe VPN does not support IPv6, and wants to block outgoing IPv6 via iptables.

superuser's "Did you know that IPv6 may include your MAC address?"

Cron:
Check what jobs are being run by cron.

On Mint, cron jobs live under a variety of /etc/cron* dirs, and also in files /etc/crontab and /etc/anacrontab, and in dir /var/spool/cron/crontabs.
```
# See cron log entries
grep CRON /var/log/syslog /var/log/syslog.1
# command "debian-sa1" is /usr/lib/sysstat/debian-sa1, see "man sysstat"

# See status and some logging
systemctl status cron.service

# See which cron file is producing a job you see in the log:
sudo bash
grep SOMETHING /etc/crontab /etc/cron.*/* /etc/anacrontab /var/spool/cron/crontabs/*

# Edit jobs for current user:
crontab -e

# Edit jobs for root user:
sudo crontab -e
```
To change the editor used by "crontab -e", set e.g. "export VISUAL=/usr/bin/xed" in your .profile.

Paraphrased from discussion on reddit:
Rules:
- Don't put user commands in the default (root) cron file.
- Use the user cron file for user commands.
- Don't put GUI commands in any cron file.
- Always include complete paths for every command and data file.
- Don't put commands and arguments in the cron file, instead call a shell script.
- Cron's shell environment is very different than yours. See the cron man page.
nixCraft's "I put a cronjob in /etc/cron.{hourly,daily,weekly,monthly} and it does not run and how can I troubleshoot it?"
Ubuntu wiki's "CronHowto"
Raj's "Linux Basics: 20 Useful Crontab Examples in Linux"

systemd:
Wikipedia's "systemd"
Sahil Suri's "Introducing systemd"
ArchWiki's "systemd"
Carla Schroder's "Understanding and Using Systemd"
David Both's "Learning to love systemd"
alegrey91 / systemd-service-hardening
systemd.io

Jason Wertz's "Basics of the Linux Boot Process" (video) (2013 and pre-systemd, but interesting)
Professor Messer's "Init, Systemd, and Upstart" (video) (2013, not much systemd, but interesting)
```
man systemd
man udev

systemctl list-units
systemctl status UNITNAME
systemctl cat UNITNAME
```
Casey Houser's "How to Use Systemd Timers as a Cron Replacement"
blog'o'less's "Using systemd timers instead of cron"
blog'o'less's "More about using systemd timers: reboot"
luqmaan's "Using systemd as a better cron"

ArchWiki's "systemd/Timers: As a cron replacement"
From discussion on stackexchange, why systemd better than cron:
Checking what your cron job really does can be kind of a mess, but all systemd timer events are carefully logged in systemd journal.

Systemd timers are systemd services with all their capabilities for controlling their resource management, IO, CPU, scheduling, etc.

There can be dependencies on other services.

Services can be started and triggered by different events like user, boot, hardware state changes or for example 5 mins after some hardware plugged in.

Easily enable/disable the whole thing with "systemctl enable/disable" and kill all the job's children with "systemctl start/stop".

Timer events can be scheduled based on finish times of executions some delays can be set between executions.

Communication with other programs is also notable; sometimes it's needed for some other programs to know timers and the state of their tasks.

Good things about systemd:
- Does things that init scripts can't do: react to events, do operations in parallel (but init scripts can do this with startpar ?), let user start/stop daemons, set limits to the resource usage of a service, have one service depend on result of another (but init scripts can do this with insserv ?).
- Pushes control away from the init-project and towards the distro maintainers. It's easier to enable/disable/add/delete services than to rewrite the init scripts.
- User is less likely to bork the system by making a mistake while adding a new service than while editing init scripts ? More modular.
NotMine's "Archlinux is moving to systemd"
/u/thlst's "Why did ArchLinux embrace Systemd?"

IMO: systemd does one thing, and does it well: represent/control units of work. It satisfies many uses: managing services at boot/login/logout/shutdown times, letting the user manage services manually, managing services in reaction to events, I think daemons spawning/controlling other services. I'd like to see init go away completely, and also have cron be a systemd service (that launchs other services).
Bad things about systemd:
- Added a second system log (the journal) to the system.
- Has its own DNS resolver.
  
  From someone on reddit:
  > Why does systemd have DNS in it ?
  
  Because in certain situations they need to have it very early in the boot process, before other stuff is up and running. In most cases it isn't needed and thus isn't used, but when it is needed it is very useful.
  
  That is the big thing a lot of people don't seem to get: systemd provides a lot of optional components that serve niche use-cases but are turned off by default. In most cases those aren't needed and aren't used, but they are there when someone really needs them.
  
  > Something being turned off by default doesn't make it any easier to understand the code,
  > or understand which DNS specification takes precedence over which other one.
- Runs all services in one process ? Or dispatches all from one process ? Not sure.
- Now is trying to control the definition of the home directory ? article
- Also has time-sync ?
- An overly-heavy solution for situations where a very simple init system would suffice (such as a container that contains multiple processes).
Dave McKay's "Why Linux's systemd Is Still Divisive After All These Years"
V.R.'s "systemd, 10 years later: a historical and technical retrospective"

See "systemd Service" section of my Develop an Application page

ArpON:

A network daemon to protect against ARP MITM attacks.

Available through Mint's Software Manager.
ArpON

In LibreOffice, turn off macroes:

See item "Libre Office: improving Macro Security" in Easy Linux tips project's "Security in Linux Mint: an explanation and some tips"

Application controls and sandboxing:

See Application Control and Security section.

Monitor what's happening in your system:

Look at some key log and status files every day or every week:
```
# Whatever command shows status of your VPN connection, e.g.:
sudo ipsec statusall	# if you're using IPsec, maybe with IKEv2, strongSwan
windscribe status	# for Windscribe using OpenVPN
systemctl status openvpn
curl --get ifconfig.me && echo

# Check logs for errors:
sudo journalctl -p 3 -xb
sudo systemctl --failed

# Maybe do these, or not:

sudo iptables -L -v
sudo netstat -tulp
sudo apparmor_status
firejail --list

sudo journalctl -u cron
cat /var/log/kern.log
dmesg -T	# shows same log, with coloring added
sudo journalctl --pager-end

egrep -i 'error|warn' /var/log/*g | more

# Read root's CLI mailbox; some failure and security messages are sent to it
sudo bash
mail

last		# history of logins
lastlog		# last time each user logged in
sudo more /var/log/auth.log		# authentication-related activity
```
You can put a message into the journal, but not the kernel log, by doing "logger -p user.info this is the message". See "man logger" for more options. Maybe do this each time you make a significant change to the system ?

You can delete old entries in journalctl, freeing space, by doing "sudo journalctl --vacuum-time='2d'"

To view log files, install "glogg" application.

Radu Gheorghe's "Linux Logging Tutorial: What Are Linux Logs, How to View, Search and Centralize Them"

There's a "D-Bus" for inter-application messaging.
Wikipedia's "D-Bus"
Koen Vervloesem's "Control Your Linux Desktop with D-Bus"
Do "sudo dbus-monitor --system --profile" to look at activity on it ? But I don't see much happening. Do "qdbus" to see what apps/services are registered on it (but it's all system stuff, no browsers or password managers registered on it). Install "Bustle" (Flathub's "Bustle"). qdbusviewer ? d-feet "apt install d-feet" ?

Put some commands in a shell script that you can run a couple of times each day, to show status of VPN, iptables, listeners, tails of log files.

A mega-command that will "tail" a whole bunch of log files at the same time and keep updating as they get updated:
"sudo find /var/log/ -type f $ -name "*.log" $ -exec tail -f "$file" {} +"

Run "System Monitor" (on Mint) every now and then, sort by memory used, sort by name, look for anything unusual.

To see all packages installed on your system, do "dpkg -l".

On Ubuntu, to see known security vulnerabilities, do "cvescan" (without args, it shows high/critical CVEs for which fixes are available but not yet applied to your system).

Don't expect perfect security just because you're running Linux.

You're still relying on a lot of applications and other software to be well-behaved.

From someone on reddit 6/2020, about Linux Mint:
Firewall is off by default.

Ufwd does not switch rule zones when on connections like firewalld can so people do not use it or use it well (they dump everything into one rule zone or forget to switch) due to the inconvenience and hassle ironic given UFW is supposed to make it easy (firewalld can do this but UFW is Canonical so it's in the distro).

Avahi zeroconf enabled by default and not behind a home firewall rule zone (has been exploited for UDP reflection amplifications and fingerprinting even if you do not use zeroconf services on it, it by itself is exploitable).

Lagging behind in updates for main attack surface apps like Firefox.

Have not checked if Warpinator is enabled and advertising by default, last I checked in the source it was not but it uses zeroconf to do so.

See "Secure because Linux" section of my "Linux Problems" page.

Easy Linux tips project's "Security in Linux Mint: an explanation and some tips"
The Empire's "An Ubuntu Hardening Guide"
lfit's "Linux workstation security checklist"
blakkheim's "Linux Security Hardening and Other Tweaks"
Maybe likely to break things:
SK's "How To Password Protect GRUB Bootloader In Linux"
[But that doesn't protect against booting from USB drive.]

See Anti-Virus and Malware Scanners section of my "Using Linux" page.

See Application Control and Security section.

Tightening Privacy

Location services:
To test these, best if you have separate locations set for:
- Real IP address.
- VPN server.
- Location Guard add-on in each browser.
- Fake location set in GeoClue.
Location services:
- GeoClue service in D-Bus.
  
  In Mint's Software Manager you can remove Geoclue-2.0, but then things such as Redshift will complain (fix for Redshift: here, or maybe use "-l" option on command line).
  
  Installed Geoclue-examples, but found no obvious new apps, in /usr/lib/geoclue-2.0/demos I see "where-am-i". Also found /usr/bin/geoclue-test-gui app, but it just returns all zeroes even though the GeoClue service should be running and accessing a Mozilla location server. (It shows "Error getting position from Geoclue Master: Geoclue master client has no usable Position providers" on stderr.)
  Redshift also shows zeroes for location.
  
  Configuration file is /etc/geoclue/geoclue.conf.
  Tried replacing the Mozilla service URL in there with "file" URL to a local JSON file, but it failed, couldn't be fetched.
  Put a "https://api.jsonbin.io/" URL in there, got "Failed to query location: Not Found" in journalctl.
  Verified that the original Mozilla URL returns valid JSON, so the problem must be in the code.
  
  Installed Gnome Maps application, but when it starts it says "no internet connection", same with VPN on or off.
  
  For package dependencies, do "apt-cache rdepends geoclue" and "apt-cache rdepends geoclue-2.0".
  
  At system boot, in journalctl I see (via "sudo journalctl | grep [Gg]eo[Cc]") "geoclue: Failed to connect to avahi service" (which is local DNS, sort of), but you can turn that off by changing "Fetch location from NMEA sources on local network?" in /etc/geoclue/geoclue.conf to false or undefined.
  
  "geoclue-example.provider" is from "/usr/lib/geoclue/geoclue-example" file ?
  
  Project home
  "apt show geoclue-2.0" says I have version 2.4.7-1ubuntu1; project says newest is 2.5.1.
- Mozilla Location Service.
  
  Used by GeoClue.
  You can opt-out of having your Wi-Fi listed in MLS, but you have to modify your Wi-Fi network name or visibility to do so.
- Apple, Google, Microsoft have similar services.
  "http://maps.google.com/?ie=UTF8&ll=48.861426,2.338929&spn=0.011237,0.027874&z=16" (Paris)
  "http://maps.google.com/?ie=UTF8&ll=36.7160858,-4.4233916&spn=0.011237,0.027874&z=16" (Malaga)
- The browser is a key point for controlling location data.
  Set the preferences in each browser you use.
  Also there are browser add-ons to control or fake your location, such as Location Guard
- Network Time server.
  Not a good idea to turn this off.
Testing your location settings:
- Settings / Date & Time is getting location from Network Time server, I think.
  For me it is showing VPN server location.
- Test browser via BrowserLeaks' "Geolocation API".
  For me, in Firefox, it shows location set in Location Guard add-on.
  For me, in Chromium, it showed VPN server location, until I installed Location Guard.

System knowledge of online accounts:

GNOME Online Accounts (GOA). org.gnome.OnlineAccounts
GNOME Help's "Allow or disallow online accounts"

To trace what files an app or command is using:

strace -e trace=open,openat -f YOURCOMMANDANDARGSGOHERE

Accounts

Run "sudo more /etc/shadow". Any account with password field (2nd field) set to a single character such as "*" or "!" or "x" is blocked from login: no possible password can be typed to log into that account.

My understanding of accounts:

Login can occur on the system desktop GUI (display and keyboard and mouse), through system virtual console (TTY1; Ctrl+Alt+F1 to open, Ctrl+Alt+F7 to close), through Telnet/SSH from a network, through remote-desktop software such as VNC or TeamViewer.

The account you specified at installation time is a user that belongs to the "sudoers" group and thus can use the "sudo" command to do super-user things. You can login as that user.

There is a "root" account, but it is locked so you can't log in as root. No password can be typed which will match the value in root's password hash field.

BUT: from Easy Linux tips project's "Security in Linux Mint: an explanation and some tips":
"In Linux Mint 18.3, the root password is unfortunately no longer set by default. This means that a malicious person with physical access to your computer, can simply boot it into Recovery mode. In the recovery menu he can then select to launch a root shell, without having to enter any password. After which your system is fully his. So, set a password for root (preferably identical to your own password)."

There may be a "guest" account, and you can log in as that user. [Disabled by default on Mint 19.] There is no password on that account. Can it login through SSH ?

Definitely disable guest login, and you have to reboot after doing so. In Mint, run "System Settings", go to "Administration" section, click on "Login Window", click "Users" tab, probably everything should be turned off.

Abhishek Prakash's "How To Disable Guest Account In Ubuntu"
Ubuntu's "CustomizeGuestSession"

If you create more users, you can choose to add each new user to the "sudoers" group or not.

If you are logged in as a user who belongs to the "sudoers" group, you can do any administrative operation, and the password to use when "sudo" asks is the password for that user.

I guess it is okay to routinely log in and do all your daily computing as the user you specified during installation, which belongs to the "sudoers" group. Any malware you run accidentally would have to know your password in order to do "sudo" and then do administrative stuff, and I think sudo accepts password only from keyboard. So it's not quite like routinely running as Administrator under Windows.

On a single-user system, the security distinction between root and normal user is not so important. All of the interesting personal files probably are owned by the normal user. So if an attacker can get in as that normal user, they get all the good stuff, no need to escalate to root.

Escalating to root might let the attacker do a few more things, such as access network hardware at a low level to attack other machines on the LAN.

Escalating to root on a multi-user system is much more serious/important than on a single-user system.

From someone on reddit:
"Normally, all keyrings should get signed into automatically upon user login to the system. If suddenly you have to log in to a keyring when you never did before, what's gone wrong is that you changed the password with passwd instead of using the account manager built into the GUI. The GUI will automatically change your keyring password too. The command line won't."

Ubuntu's "RootSudo"

Some command-line ways to list all users: "getent passwd", "compgen -u", "cat /etc/passwd".

List users with no password set: "sudo awk -F: '($2 == "") {print}' /etc/shadow"

List users with UID set to 0 (superuser): "sudo awk -F: '($3 == "0") {print}' /etc/passwd"

List info about a user: "id user1"

Set limits on users or groups: /etc/security/limits.conf

Login security can be defeated if attacker has physical access:

Alarming article about (a hole in) account security:
Abhishek Prakash's "How to Reset Ubuntu Password in 2 Minutes" (boot into Recovery mode)
Maybe there is some way to password-protect GRUB, or maybe this doesn't work if /home is encrypted ?
SK's "How To Password Protect GRUB Bootloader In Linux"

Another way to change passwords if you have physical access: boot the machine from a Live system on USB or CD, do "sudo -i", do chroot to the main system disk, do "passwd $username".

Ask Ubuntu's "How do I reset a lost administrative password?" (boot into Recovery mode)
SK's "How To Reset Root User Password In Linux"

Not sure, but I think these methods work even if user's home is encrypted. Access to the disk encryption passphrase is controlled by the user permissions, so once you login as the user (with any or empty password), software can decrypt the user's home.

PAM (Pluggable Authentication Modules):

Files in /etc/pam.d directory.
"apt list | grep libpam | more"
Mokhtar Ebrahim's "Configure and Use Linux-PAM"

To enable TOTP on desktop logins:

If you're going to enable this, I would save a copy of "/etc/pam.d/lightdm", then create another user account, login to that account, and enable TOTP on that account, to make sure everything works.

Chris Hoffman's "How to Log In To Your Linux Desktop With Google Authenticator"
Daniel Pellarini's "How To Configure Multi-Factor Authentication on Ubuntu 18.04"
nixCraft's "Secure Your Linux Desktop and SSH Login Using Two Factor Google Authenticator"

"sudo apt-get install libpam-google-authenticator".
"man google-authenticator".

Types of keys and certificates:

RSA / SSH public-private key-pair.

Usually generated by a client, which authenticates to a server some other way and then sends the public key to that server, for future use in authentication.
File id_rsa.pub is the public key and file id_rsa is the private key.
Can these files hold multiple key-pairs, or only one pair ?
~/.ssh directory.

Identity certificate.

X.509, usually generated and signed by a trusted authority.
Wikipedia's "X.509"
Personal cert file types .pem .p12 .pfx.
Authority cert file types .cer .cert .crt. Also .der ?

PGP public-private key-pair.

~/.gnupg directory.

From "man ssh":
"The idea is that each user creates a public/private key pair for authentication purposes. The server knows the public key, and only the user knows the private key. ssh implements public key authentication protocol automatically ..." and "A variation on public key authentication is available in the form of certificate authentication: instead of a set of public/private keys, signed certificates are used. This has the advantage that a single trusted certification authority can be used in place of many public/private keys."
Also relevant "man ssh-keygen".

Steve Cope's "SSL and SSL Certificates Explained For Beginners"

Keyring / GnomeKeyring / ksecretservice:

setevoy's "What is: Linux keyring, gnome-keyring, Secret Service, and D-Bus" (also here)
GNOME Keyring
Keyrings(7) man page
Arch Wiki's "GNOME/Keyring"
Nurdletech's "Gnome Keyring"

There is a Linux kernel keyring (see "man 7 keyrings"), and a GNOME Keyring (GNOME Keyring).

Is integrated with ssh, sftp, scp, PAM, Chrome, chromium. Can be integrated with Git, GnuPG, Firefox.
swick / mozilla-gnome-keyring (extension for Firefox and Thunderbird)
From Gnome Keyring - Security FAQ:
"Gnome Keyring is integrated with PAM, so that the 'login' keyring can be unlocked when the user logs in.".
LZone's "Using Linux keyring secrets from your scripts"

On CLI, do "cat /proc/keys" to see some of the keys in the Linux kernel keyring.
On CLI, do "man keyctl".

GNOME keyring stored under ~/.local/share/keyrings

Mint's "Passwords and Keys" application (AKA "Seahorse"):

Accesses GNOME Keyring.
AKA Seahorse

Under Passwords - Logins, it seems to have a bunch of placeholder entries for web sites, and a couple of things for apps (Chrome, Skype). There's nothing (for me) under Certificates (I do have certs installed in FF, Chrome, Thunderbird, but they don't show up here), and under Secure Shell (OpenSSH = ~/.ssh). But there are several keys under PGP Keys (maybe stored under ~/.gnupg directory ?). Hover mouse over each item to see tooltips.

SSH logins:

Ubuntu's "SSH / OpenSSH / Installing Configuring Testing"
Chris Hoffman's "How to Secure SSH with Google Authenticator’s Two-Factor Authentication"
Linuxaria's "Add security to your ssh daemon with PAM module"
nixCraft's "Top 20 OpenSSH Server Best Security Practices"

From Ravi Saive's ""How to Setup Two-Factor Authentication (Google Authenticator) for SSH Logins:
"Important: The two-factor authentication works with password based SSH login. If you are using any private/public key SSH session, it will ignore two-factor authentication and log you in directly."

SK's "How To Configure SSH Key-based Authentication In Linux"
Alistair Ross's "How To Set Up SSH Keys"
Carla Schroder's "5 SSH Hardening Tips"

Testing your SSH from outside:
InfoByIp's "SSH server connectivity test"
Rebex SSH Check
But really you need to try to connect from an outside machine and see what happens.

Jesus Vigo's "How to join a Linux computer to an Active Directory domain"

Trusted certificate stores:

Security certificates can be stored in a number of places ?

In some browsers. /usr/share/ca-certificates/mozilla/
In other mini-browser-containing apps such as Thunderbird email client ? ~/.thunderbird/PROFILENAME/cert9.db and key4.db ?
Electron apps contain the Chromium browser engine; what certificate store is used, or none ?
Node.js comes with a built-in store of CA's ?
Java has its own store ? Also each Java app could have its own ? /etc/ssl/certs/java/cacerts, jre/lib/security/cacerts ? "man keytool" article
LDAP or OpenLDAP ?

System store used by openssl (/etc/ssl):

# find the base directory:
openssl version -d
# list the certs:
ls -R `openssl version -d | sed -E 's/OPENSSLDIR: "([^"]*)"/\1/'`/cert*
# or maybe
sudo ls -lAR /etc/ssl
# or
sudo find /etc/ssl -name '*.pem' -print | xargs -I{} openssl x509 -subject -noout -in {}
sudo find /etc/ssl -name '*.crt' -print | xargs -I{} openssl x509 -subject -noout -in {}
sudo find /etc/pki -name '*.pem' -print | xargs -I{} openssl x509 -subject -noout -in {}
# but my personal certs (installed in browsers etc) don't show up in there
man update-ca-certificates
ls -l /etc/ssh
ls -lAR ~/.pki
ls -lAR /etc/pki
# while user is logged in:
sudo ls -lAR /run/user/USERIDNUMBER/keyring

From someone on Stack Exchange:

Most distros put their certificates soft-link in system-wide location at /etc/ssl/certs.

Key files go into /etc/ssl/private
System-provided actual files are located at /usr/share/ca-certificates
Custom certificates go into /usr/local/share/ca-certificates

Whenever you put a certificate in one of the above mentioned paths, run update-ca-certificates to update /etc/ssl/certs lists.

From someone on reddit 11/2019:

Applications that utilize the system cert store: Chrome on macOS/windows. Safari on macOS. Edge on windows. Linux support depends on the distribution. RHEL is probably better than others.

Firefox uses it's own key store ...

Java applications will vary in support. It really depends on the implementer.

[Certs can be stored in a hardware device:] A Yubikey with certs provisioned acts as a pkcs#11 device which is an industry standard interface to cryptographic devices. It has good support for all applications that utilize the system cert store. There are plugins to utilize pkcs11 devices for Firefox.

Amit N. Bhagat's "Digital Certificates Explained"
Federal Public Key Infrastructure Guides' "Trust Stores"

Places passwords are stored:

GNOME networking passwords are stored in plaintext in files in /etc/NetworkManager/system-connections

MEGA password discussion
MEGAchat: Technical Security Primer

libsecret-based clients via the Freedesktop.org secret storage DBus API ?
KeePassXC 2.5.x can be used as a vault service by libsecret: https://keepassxc.org/blog/2019-10-26-2.5.0-released/ KeePassXC as "secret service"

KeePassXC password manager can supply SSH keys to an SSH agent: KeePassXC and SSH.

Run "ssh-add -l" or "ssh-add -L" to see all keys available through ssh-agent.
Run "ssh-add -s filename.pkcs11" to add a digital certificate to ssh-agent.

"nmap --script ssl-cert localhost" gives me one cert used by port 25 SMTP, called "mint" or "DNS:Mint".

"nmap --script ssl-enum-ciphers localhost" gives me TLS ciphers used by port 25 SMTP, port 631 CUPS.

Security Test / Audit

Lynis
David Mytton's "80+ Linux Monitoring Tools for SysAdmins"
tcpdump:
Daniel Miessler's "A tcpdump Tutorial and Primer with Examples"
"sudo tcpdump -i lo -A | grep Host:"
iptraf
iptop
ntop
netstat: "sudo netstat -atupl"
lsof: "sudo lsof -i" to see established connections.
ss: "sudo ss -lptu".
NixCraft's "ss command: Display Linux TCP / UDP Network/Socket Information"
NixCraft's "Linux: 25 Iptables Netfilter Firewall Examples For New SysAdmins" (see "27. Testing Your Firewall")
nethogs: install from Mint's Software Manager, and then "sudo nethogs"
ngrep
auditd

unix-privesc-check:

Download from pentestmonkey / unix-privesc-check
Run via:
```
sudo ./upc.sh --help | more
sudo ./upc.sh --color --type all
```
Results tend to be very repetitive. For example, okay, the 100,000 files under my home directory all have write permission for everyone in my group. Would be nice if it didn't report that 100,000 times. So:
```
cd unix-privesc-check-master/lib/checks/enabled/all
rm group_writable
rm privileged_writable
```
and run it again. It ran for almost 2 hours, didn't give any output colored red, so I guess it didn't find anything serious.

Tiger UN*X security checking system:

Savannnah's "Tiger UNIX security tool - Summary"
nongnu.org's "Tiger - The Unix security audit and intrusion detection tool"

Installed in Mint by default. Checks lots of stuff. I ran it from Start menu, but see "man tiger" about running it from CLI. Ran for 1 hour on my laptop, and then just exited at the end, the CLI window disappeared. Left a 5.7 MB report file in /var/log/tiger directory. Definitely read the report; all kinds of information and warnings in there. But I think most of it is just the way Mint is configured.

"sudo tiger -h"

After I got local CLI mail working, started getting daily reports from tiger in mail. It's running every HOUR, via cron ! Edit /etc/crontab.d/tiger to change that.

CERT's "Intruder Detection Checklist"

See the "Port scanning and router testing" section of my "Computer Security and Privacy" page.

SEI's "Steps for Recovering from a UNIX or NT System Compromise" (PDF)

Miscellaneous

Throttling network bandwidth, for testing purposes:
"sudo tc qdisc add dev enp19s0 root tbf rate 32kbit latency 50ms burst 770"
"sudo tc qdisc delete dev enp19s0 root"

Search my site