Welcome to ShieldedBytes, where cybersecurity meets clarity. This blog offers practical insights, best practices, and in-depth discussions to help you navigate the ever-evolving digital landscape securely.

Explore topics like data protection, network defense, secure coding, and more—all tailored for professionals seeking reliable, actionable advice.

Start exploring, stay informed, and take control of your digital security.

When systemd-resolved Takes Over: Taming DNS Surprises with resolv.conf and Stub Resolvers

Introduction to systemd-resolved

I’ve seen this go wrong when people upgrade to a modern Linux distribution and suddenly find that their DNS settings aren’t working as expected: they edit /etc/resolv.conf and the change is ignored, or it is gone after the next boot. The reason is that systemd-resolved has taken over DNS resolution, and /etc/resolv.conf is now usually a symlink it manages rather than a file you edit. In this article, we’ll explore how to work with systemd-resolved and manage DNS settings effectively.

Understanding systemd-resolved

systemd-resolved is part of the systemd suite, and it’s designed to provide a robust and flexible way to manage DNS resolution on Linux systems. The real trick is that it acts as a stub resolver: it listens on 127.0.0.53 and does not walk the DNS tree itself (it is not a recursive resolver); instead it forwards each query to the upstream servers configured per network interface (from DHCP, NetworkManager or resolved.conf) and caches the answers. Because it sits in the middle it can add DNSSEC validation, DNS-over-TLS and split-DNS routing, and the nameserver line libc sees in /etc/resolv.conf is no longer the server actually answering; resolvectl status shows the real upstreams.
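Here is a small script, added as an example and not part of the original post, that tells you which of the three common wirings of /etc/resolv.conf you have (the stub symlink, the uplink symlink that bypasses resolved, or a foreign file written by another tool) and lists the nameservers libc will actually use. It takes the file path as an argument so you can run it against copies; the paths under /run/systemd/resolve are the ones systemd ships, the mode labels and the hint text are my own.

```bash
#!/bin/sh
# Added example: classify how a resolv.conf is wired to systemd-resolved.
# The path is a parameter so the functions can be exercised on copies;
# the default is the live /etc/resolv.conf.

resolv_mode() {                     # resolv_mode [path] -> stub|uplink|stub-copy|foreign|missing
  f=${1:-/etc/resolv.conf}
  if [ -L "$f" ]; then
    target=$(readlink "$f")         # raw link target, absolute or relative
    case $target in
      *run/systemd/resolve/stub-resolv.conf) echo stub;   return 0 ;;  # 127.0.0.53, cache + DNSSEC in play
      *run/systemd/resolve/resolv.conf)      echo uplink; return 0 ;;  # resolved's upstreams, resolved bypassed
    esac
  fi
  if [ -e "$f" ]; then
    if grep -qs '^nameserver[[:space:]]\{1,\}127\.0\.0\.53' "$f"; then
      echo stub-copy                # a regular file that still points at the stub
    else
      echo foreign                  # NetworkManager, dhclient or a hand edit owns this file
    fi
    return 0
  fi
  echo missing                      # no file, or a dangling symlink
}

# Nameservers a libc-based program will query for this file, space separated.
resolv_nameservers() {
  f=${1:-/etc/resolv.conf}
  grep -s '^nameserver' "$f" | awk '{print $2}' | tr '\n' ' ' | sed 's/ $//'
}

# Where to look next, depending on the mode.
resolv_hint() {
  case $(resolv_mode "$1") in
    stub|stub-copy) echo "upstreams are per-link: run 'resolvectl status'" ;;
    uplink)         echo "libc talks to the upstreams directly; resolved cache and DNSSEC are not used" ;;
    foreign)        echo "another tool owns this file; check NetworkManager or dhclient configuration" ;;
    *)              echo "no usable resolv.conf; name resolution will fail" ;;
  esac
}
```

Run it with no argument on a live box; if it prints stub but the server you expect is not in resolvectl status, the upstream was set on a different link than the one you are looking at.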


Troubleshooting Permission Issues with Default Umask and ACLs in Shared Directories

Introduction to Umask and ACLs

When working with shared directories in Linux, I’ve seen permission issues arise from the interaction of the default umask and Access Control Lists (ACLs). The real trick is understanding how these two settings interact. The umask is a bitmask, written in octal (shown as 0022 or 022), of the permission bits that are removed from whatever mode a program requests when it creates a file or directory; ACLs provide a finer-grained access control mechanism on top of the classic owner/group/other bits, and when a directory carries a default ACL the umask is not applied to files created inside it at all.

Understanding Umask

Programs normally request mode 777 for new directories and 666 for new files, and the kernel clears the umask bits from that request (a bitwise AND with the complement of the umask, not an arithmetic subtraction). For example, a umask of 022 removes write permission for group and other, giving 755 for directories and 644 for files. Subtracting digit by digit happens to give the same answer for 022, but it breaks as soon as a digit of the umask is larger than the corresponding digit of the mode: a umask of 027 on a new file gives 640, not 637. To view the current umask, you can use the umask command:
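The following functions, added here as an example rather than taken from the post, compute an effective mode the way the kernel does and put the digit-subtraction shorthand beside it so the difference is visible. apply_default_acl shows the other interaction: when the parent directory has a default ACL, the umask plays no part and the new file’s bits are the requested mode ANDed with the default entries (owner, mask and other), as acl(5) describes.

```bash
#!/bin/sh
# Added example: umask and default-ACL arithmetic, POSIX sh only.
# Modes and masks are octal strings such as "666" or "0027".

# What the kernel does: requested mode & ~umask, limited to the 9 permission bits.
apply_umask() {            # apply_umask <requested-mode> <umask> -> effective mode
  printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# The tutorial shorthand: digit subtraction. Right for 022, wrong for 027 or 077 on files.
subtract_umask() {         # subtract_umask <requested-mode> <umask>
  printf '%03o\n' $(( 0$1 - 0$2 ))
}

# With a default ACL on the parent directory the umask is ignored; the new object's
# owner, group-class (mask) and other bits are the requested mode ANDed with the
# corresponding default ACL entries, given here as one octal triple (e.g. 770 for
# u::rwx, m::rwx, o::---).
apply_default_acl() {      # apply_default_acl <requested-mode> <default-acl-bits>
  printf '%03o\n' $(( 0$1 & 0$2 & 0777 ))
}

# Octal mode -> ls-style string, e.g. 640 -> rw-r-----
to_symbolic() {
  m=$(( 0$1 )); s=""; i=8
  while [ $i -ge 0 ]; do
    if [ $(( m & (1 << i) )) -ne 0 ]; then
      case $(( i % 3 )) in 2) s="${s}r" ;; 1) s="${s}w" ;; 0) s="${s}x" ;; esac
    else
      s="${s}-"
    fi
    i=$(( i - 1 ))
  done
  printf '%s\n' "$s"
}
```

Try apply_umask 666 027 against subtract_umask 666 027: the first prints 640 (rw-r-----), the second prints 637, a mode no kernel would ever produce. For the shared-directory case, setfacl -d -m g:team:rwx dir plus a default mask is what lets team members write regardless of each user’s umask.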


Taming systemd's Journal Size with Log Rotation and Persistent Journal Storage

Introduction to systemd’s Journal

I’ve worked with Linux systems for years, and one thing that’s always been important is managing system logs. Systemd’s journal is a great tool for this, providing a centralized logging solution that’s both robust and efficient. By default (Storage=auto) journald writes to /run/log/journal, a tmpfs that is discarded at reboot, and only keeps logs across reboots if the directory /var/log/journal exists. However, I’ve seen this go wrong when the journal’s size grows rapidly, especially on systems with high log volumes: left at its defaults a persistent journal may claim up to 10% of the filesystem (capped at 4G), which is a lot on a small root, while a volatile one silently discards the history you need after an incident. The fix is to make storage persistent and let journald’s built-in rotation (SystemMaxUse, SystemKeepFree, MaxRetentionSec) cap its size.
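A drop-in generator plus the root-only steps that enable persistence, as an added example (the sizes, retention period and file name are my choices, not the post’s):

```bash
#!/bin/sh
# Added example: cap journald's disk use and make it persistent via a drop-in
# under /etc/systemd/journald.conf.d/. Values are illustrative defaults.

journald_dropin() {        # journald_dropin [max-use] [keep-free] [retention] -> drop-in text
  cat <<EOF
[Journal]
Storage=persistent
SystemMaxUse=${1:-500M}
SystemKeepFree=${2:-1G}
SystemMaxFileSize=50M
MaxRetentionSec=${3:-1month}
Compress=yes
EOF
}

# Writes the drop-in and prints its path. The directory is a parameter so the
# function can be tested against a scratch directory.
write_journald_dropin() {  # write_journald_dropin [conf-dir] [max-use] [keep-free] [retention]
  dir=${1:-/etc/systemd/journald.conf.d}
  mkdir -p "$dir"
  journald_dropin "$2" "$3" "$4" > "$dir/10-size.conf"
  echo "$dir/10-size.conf"
}

# Root-only: create the persistent directory with the ownership journald expects,
# pick up the new limits, and trim what is already on disk.
apply_journal_limits() {
  write_journald_dropin
  mkdir -p /var/log/journal
  systemd-tmpfiles --create --prefix /var/log/journal
  systemctl restart systemd-journald
  journalctl --vacuum-size=500M
  journalctl --disk-usage
}
```

SystemMaxFileSize controls how often journald rotates to a new file; a smaller file means vacuuming can free space in finer steps. Keep SystemKeepFree: it makes the cap relative to what the filesystem can spare, which matters more than the absolute number on a shared root.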


Hardening the Weakest Link: Why You Should Run Your Linux Workstation with a Non-Root User by Default

Introduction to Non-Root Users

I’ve seen many Linux workstations compromised due to reckless use of the root account. Running a Linux workstation with a non-root user by default is a simple yet effective way to harden your system against potential security threats. By not using the root account for daily activities, you significantly reduce the attack surface of your system. In practice, code that runs as your unprivileged user (a malicious browser extension, a trojaned package) cannot modify system binaries, load kernel modules or install system-wide persistence without first finding a separate privilege-escalation bug, so one compromise is much less likely to become a full one.


Hardening SSH with Linux Kernel's Built-in Features and a Few Surprising sysctl Tweaks

Introduction to SSH Hardening

Securing your SSH connection is crucial; I’ve seen this go wrong when a friend of mine had his server compromised due to a weak SSH setup. With password-guessing bots scanning every reachable port 22 around the clock, hardening your SSH setup using the Linux kernel’s built-in features and sysctl tweaks is essential. This article will guide you through the process of securing your SSH connection with practical examples and commands.


Hardening Your Linux Desktop with Mandatory Access Control and a Little Bit of Common Sense

Introduction to Mandatory Access Control

Mandatory Access Control (MAC) is a security framework in which the kernel enforces a policy that users and the programs they run cannot override, unlike the classic discretionary model where whoever owns a file decides who may access it. On Linux the two widely deployed MAC implementations are SELinux (Security-Enhanced Linux) and AppArmor. I’ve found AppArmor’s path-based profiles much easier to write, and it is the default on Debian, Ubuntu and openSUSE, so we’ll focus on hardening your Linux desktop using AppArmor.


Hardening Your Linux Desktop with Mandatory Access Control and Namespace Isolation

Introduction to Linux Hardening

I’ve seen many Linux systems compromised due to lack of proper hardening. To prevent this, you can use a combination of Mandatory Access Control (MAC) and namespace isolation. These two security features can help prevent unauthorized access to sensitive data and system resources. In this article, we’ll explore how to implement MAC and namespace isolation on a Linux desktop.

Mandatory Access Control

Mandatory Access Control is a security feature that enforces a set of rules defining what actions a user or process can perform on a system. One popular MAC system for Linux is SELinux (Security-Enhanced Linux), which was merged into the mainline kernel with 2.6.0 in 2003. SELinux does not stop a bug such as a buffer overflow from being triggered, but it confines what the exploited process can reach afterwards, which blocks the usual follow-on steps such as reading other users’ data or escalating privileges. If your distribution ships SELinux (Fedora, RHEL and their derivatives), don’t bother with other MAC systems unless you have a specific reason to; it is well-maintained and widely supported.
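Two checks you can run before changing anything, added as an example and not from the post: which MAC system the kernel reports as active, and whether a command launched with unshare really got its own network namespace (the namespace half of the article). Nothing here needs root where unprivileged user namespaces are allowed; ns_isolation reports unsupported where they are not.

```bash
#!/bin/sh
# Added example: inspect MAC status and verify namespace isolation.
# Reads only kernel-exposed files; changes no policy.

# Which MAC LSM is active, judged from what the kernel exposes in /sys.
mac_status() {             # -> selinux:enforcing | selinux:permissive | apparmor:enabled | none
  if [ -r /sys/fs/selinux/enforce ]; then
    case $(cat /sys/fs/selinux/enforce) in
      1) echo "selinux:enforcing" ;;
      *) echo "selinux:permissive" ;;
    esac
  elif [ -r /sys/module/apparmor/parameters/enabled ] \
       && [ "$(cat /sys/module/apparmor/parameters/enabled)" = Y ]; then
    echo "apparmor:enabled"
  else
    echo "none"
  fi
}

# Identity of the calling process's network namespace, e.g. "net:[4026531840]".
net_ns_id() { readlink /proc/self/ns/net; }

# Run COMMAND in fresh user, network, mount and PID namespaces. --map-root-user
# makes us uid 0 inside the sandbox only; --mount-proc gives it a /proc that
# shows just its own processes.
sandbox_run() {
  unshare --user --map-root-user --net --mount-proc --pid --fork "$@"
}

# Prove the sandbox is real: the network namespace id inside must differ from ours.
ns_isolation() {           # -> isolated | shared | unsupported
  outer=$(net_ns_id)
  inner=$(sandbox_run readlink /proc/self/ns/net 2>/dev/null) || { echo unsupported; return 0; }
  if [ -n "$inner" ] && [ "$inner" != "$outer" ]; then
    echo isolated
  else
    echo shared
  fi
}
```

A quick way to see the effect by eye: sandbox_run ip link shows only a down loopback, and sandbox_run ps -e shows a one-process system. If ns_isolation prints unsupported, check sysctl kernel.unprivileged_userns_clone (Debian) or user.max_user_namespaces (Fedora/RHEL); the same command then needs sudo.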


Hardening Your Linux Laptops for Coffee Shop Combat: Firewall Rules and Network Profiles for the Paranoid Traveler

Introduction to Linux Laptop Hardening

As a Linux user, you’re probably already thinking about how to harden your system. For laptops this is even more important: they move between networks, some of which you cannot trust, and on a public Wi-Fi network every other client on the segment can reach any port you leave open while a rogue access point can sit between you and the internet. In this article, we’ll focus on firewall rules and network profiles to help you navigate these scenarios securely.
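As an added example, not from the post, here is a generator for a two-profile nftables ruleset: public drops everything unsolicited, home additionally admits rate-limited SSH and mDNS from one trusted LAN prefix. The profile names, the LAN prefix and the rate limits are my assumptions; apply_profile syntax-checks with nft -c before loading anything.

```bash
#!/bin/sh
# Added example: laptop nftables ruleset with a "public" and a "home" profile.
# laptop_ruleset prints the ruleset; apply_profile loads it (root + nft needed).

laptop_ruleset() {         # laptop_ruleset <public|home> [trusted-lan-cidr]
  profile=${1:-public}; lan=${2:-192.168.1.0/24}
  case $profile in
    public|home) ;;
    *) echo "unknown profile: $profile" >&2; return 2 ;;
  esac
  cat <<EOF
flush ruleset
table inet laptop {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 10/second accept
    ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
EOF
  if [ "$profile" = home ]; then
    # Only the trusted LAN may open SSH, and only slowly; mDNS for printers/AirPlay.
    cat <<EOF
    ip saddr $lan tcp dport 22 ct state new limit rate 6/minute accept
    ip saddr $lan udp dport 5353 accept
EOF
  fi
  cat <<EOF
    limit rate 5/minute log prefix "laptop-drop: "
  }
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output  { type filter hook output  priority 0; policy accept; }
}
EOF
}

apply_profile() {          # apply_profile <public|home> [trusted-lan-cidr]; root only
  laptop_ruleset "$1" "$2" | nft -c -f -   # parse and check first
  laptop_ruleset "$1" "$2" | nft -f -
}
```

Wire apply_profile to a NetworkManager dispatcher script keyed on the connection UUID so the switch happens when you associate, not when you remember. The log line is rate-limited on purpose: on a busy coffee-shop segment an unthrottled drop log is its own denial of service against the journal.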


Using seccomp to Lock Down Container Privileges in Linux

Introduction to seccomp

I’ve seen seccomp, short for “secure computing,” become an essential tool in my Linux toolkit. It’s a Linux kernel feature that filters system calls: a BPF program attached to a process decides, call by call, whether to allow it, fail it with an error or kill the process, and the filter is inherited by every child and kept across execve. This is especially useful when running containers, where the kernel is shared with the host: runtimes such as Docker already apply a default profile that blocks calls like mount, reboot and kexec_load, and a tighter allowlist built for your workload removes most of the remaining kernel attack surface. In this article, I’ll explore how to use seccomp to lock down container privileges in Linux.
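Added example, not part of the post: derive the allowlist from an strace of the workload, render it as a Docker-style seccomp profile whose default action returns EPERM, and start the container under it. The workload name and the file names are invented.

```bash
#!/bin/sh
# Added example: build a per-workload seccomp allowlist for a container.
#
# Step 1 (done once, on a box with strace; not part of the functions below):
#   strace -f -qq -o trace.txt sh -c './my-service --selftest'

# Unique syscall names from an strace log. Handles the "-f" pid prefix and skips
# "+++ exited", "--- SIGCHLD" and "<... resumed>" lines, which are not calls.
trace_syscalls() {         # trace_syscalls <strace-output> -> one name per line
  sed 's/^[0-9][0-9]* *//' "$1" \
    | sed -n 's/^\([a-z_][a-z0-9_]*\)(.*/\1/p' \
    | sort -u
}

# Render a Docker-compatible profile: everything not named fails with EPERM.
seccomp_profile() {        # seccomp_profile <allow.txt> -> JSON on stdout
  names=$(sed 's/.*/"&"/' "$1" | paste -s -d ',' -)
  cat <<EOF
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    { "names": [${names}], "action": "SCMP_ACT_ALLOW" }
  ]
}
EOF
}

# Start the workload under the profile, with capabilities dropped and
# no-new-privileges set so setuid binaries cannot regain them.
run_confined() {           # run_confined <profile.json> <image> [cmd...]; needs docker
  p=$1; shift
  docker run --rm --cap-drop=ALL --security-opt no-new-privileges \
    --security-opt seccomp="$p" "$@"
}

# Typical use:
#   trace_syscalls trace.txt > allow.txt
#   seccomp_profile allow.txt > my-service.json
#   run_confined my-service.json my-service:latest
```

Trace inside the image if its libc differs from the host’s (a musl-based Alpine image makes different calls than glibc), and expect one or two rounds of adding calls that only show up under load or on error paths: a denied call fails with EPERM, which is visible in strace or in the audit log, so the profile is easy to grow and hard to over-widen by accident.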


Using Mandatory Access Control to Lock Down Your Linux Desktop with AppArmor

Introduction to AppArmor

I’ve been using AppArmor for years to add an extra layer of security to my Linux systems. It’s a Mandatory Access Control (MAC) system that confines individual programs by path: a profile lists which files the program may read, write or execute, which network families and protocols it may use, which capabilities it may exercise, and whether it may mount, ptrace or signal other processes. Anything not listed is denied once the profile is in enforce mode, so a compromised application can’t reach your SSH keys or browser data just because your user account can.
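Here is what a first profile looks like, as an added example rather than the post’s own: a generator for a minimal profile of an invented program, /usr/local/bin/notes-sync, loaded in complain mode so the audit log shows what it would have denied before you flip it to enforce.

```bash
#!/bin/sh
# Added example: generate and load a minimal AppArmor profile.
# /usr/local/bin/notes-sync and its data directory are placeholders.

aa_profile() {             # aa_profile <binary-path> <data-dir> -> profile text
  bin=$1; data=$2
  cat <<EOF
#include <tunables/global>

profile $(basename "$bin") $bin flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # the program itself and its own data, nothing else in the home directory
  $bin mr,
  $data/ r,
  $data/** rwk,

  # outbound TCP only; no raw sockets, no packet capture
  network inet stream,
  network inet6 stream,
  deny network raw,

  # the usual surprise: a sync tool has no business near keys or browser state
  deny @{HOME}/.ssh/** rw,
  deny @{HOME}/.mozilla/** rw,
}
EOF
}

install_profile() {        # install_profile <binary-path> <data-dir>; root only
  name=$(basename "$1")
  aa_profile "$1" "$2" > "/etc/apparmor.d/usr.local.bin.$name"
  apparmor_parser -r "/etc/apparmor.d/usr.local.bin.$name"   # load or reload
  aa-status                                                  # it should be listed under complain
  # Run the program through its normal work, then:
  #   journalctl -k | grep 'apparmor="ALLOWED"'    <- what enforce mode would have blocked
  #   aa-enforce "/etc/apparmor.d/usr.local.bin.$name"
}
```

The deny rules are there even though the profile is allowlist-based: an explicit deny wins over any later allow pulled in by an abstraction, and it documents intent for the next person reading the file.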

Installing and Enabling AppArmor

To get started with AppArmor, you’ll need to install the apparmor package. On Debian-based systems, I usually start with:
