Advanced Security Linux Mint Cinnamon Wayland setup

Last updated
Jun 1, 2026
How it's used?
For work or educational use
Operating system
Linux
Other operating system
Linux Mint 22.3 Zena Cinnamon Wayland
On-device encryption
Other full-disk drive encryption software
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Access Control
N/A - Linux / Mac / Other operating system
Smart App Control
N/A - Linux / Mac / Other operating system
Network firewall
Enabled
About WiFi router
TP-Link triband with IPv6 disabled and all security features enabled (TP-link home care, SPI-firewall, IP-MAC binding). E-mail log message level is set to critical.
Real-time security
Sticking to trusted package sources and using Linux sandboxing (AppArmor, Firejail, Flatpak) to contain utilities, accessories and applications.
Firewall security
Built-in Firewall for Mac/Linux
About custom security
  • Using only official package sources from verified publishers and uninstalled all unused accessories and applications.
  • Mildly hardened Linux by disabling P2P, remote access, old TLS versions and enabling ASLR system wide.
  • Created additional Firejail profiles with firecfg and reduced Flatpak permissions with flatseal.
  • Added OpenSnitch outbound application firewall to complement inbound GuFW.
  • Installed logcheck with e-mail warning for security alerts & events.
  • Using Wayland (experimental) on Cinnamon desktop.
  • Enhanced browser security with flags.
Periodic malware scanners
When I receive files from others I scan them with Virus Total. My half-yearly data backups to external USB are scanned with Microsoft Defender :cool:
Malware sample testing
I do not participate in malware testing
Environment for malware testing
None
Browser(s) and extensions
Brave with two profiles, one for surfing and one for work. Privacy wise I have Brave shields disabled in my work profile and enabled in my surfing profile (only Ads, Kees1958 and custom rules). Security wise my surfing profile has most site permissions on block and Bitdefender Traffic Light, while my work profile has website permissions on default with NVT Browser Lockdown limiting website access to a few trusted domains and file downloads to usual office documents.
Secure DNS
  1. NextDNS in the Router with OISD and telemetry blocklists enabled (for IOT devices), allowing only common TopLevelDomains to connect.
  2. We use Quad9 as default DNS (at OS-level) for our laptops and smartphones (to bypass router TLD firewall restrictions).
  3. Cloudflare Zero Trust Free plan (with malware protection) is used as DNS over HTTPS in the browser.
Desktop VPN
Proton VPN free for Linux on-demand (out of home). At home I have little use for VPN because our IP and IP location are changed regularly :-).
Password manager
Built-in (OS and Browser)
Maintenance tools
None
File and Photo backup
  • FreeFileSync quick on-demand backups to a partition on my internal SSD to which sandboxed utilities, desktop accessories and applications have no access.
  • The half-yearly full backup saves to an external USB-SSD which is checked (afterwards) by Microsoft Defender on my wife's laptop (which has triple USB protection).
Subscriptions
    • None
System recovery
TimeShift (to another partition on 1 TB SSD)
Risk factors
    • Browsing to popular websites
    • Working from home
    • Making audio/video calls
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
AMD Ryzen 7 (5700U) laptop with 1 TB SSD and 16GB RAM
Notable changes
Too many :)

After jumping back and forth, I finally decided for:
  • Changed from ControlD free to Cloudflare free ZT
  • Replaced 7-zip (unsandboxed) with PeaZip in Flatpak
  • Moved from LibreOffice in Flatpak to LibreOffice in Firejail
  • Moved from Thunderbird to Evolution (both in Flatpak sandbox)
  • Moved from Xfce desktop with X11 to Cinnamon desktop with Wayland
What I'm looking for?

Looking for maximum feedback.

I had already set the power plan to performance. Thanks for the tip.

I wanted to match the Speedometer 3.1 score of my wife's Windows laptop (same HP, only with a 2GB SSD instead of my 1GB SSD) and that's achieved, so the urge is gone :-)
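As an added example (not from the original post or from the Flatpak project) of the "reduced Flatpak permissions" point in the setup above: it parses a constructed metadata [Context] section in the format `flatpak info --show-metadata` prints, flags broad grants such as `filesystems=home`, `devices=all` and the X11 socket (relevant to the X11 to Wayland move), and emits the `flatpak override` commands that would revoke them. The app id and metadata are made up; the override flags are the real flatpak CLI's.

```python
import configparser

# Constructed sample: the metadata of an imaginary Flatpak app, in the
# key-file format flatpak uses. Not a real app's file.
SAMPLE_METADATA = """\
[Application]
name=org.example.Browser
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=home;xdg-download;xdg-pictures:ro;
"""

# Broad grants worth reviewing, keyed by ([Context] key, value), mapped to
# the documented `flatpak override` flag that removes the grant.
BROAD = {
    ("filesystems", "home"): "--nofilesystem=home",
    ("filesystems", "host"): "--nofilesystem=host",
    ("devices", "all"): "--nodevice=all",
    ("sockets", "x11"): "--nosocket=x11",  # X11 lets any client read input of others
    ("sockets", "session-bus"): "--nosocket=session-bus",
    ("sockets", "system-bus"): "--nosocket=system-bus",
}


def parse_context(metadata_text):
    """Return {key: [values]} for [Context]; values are semicolon-separated lists."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(metadata_text)
    ctx = {}
    if cp.has_section("Context"):
        for key, raw in cp.items("Context"):
            ctx[key] = [v for v in raw.split(";") if v]
    return ctx


def audit(metadata_text):
    """Return (app_id, findings); each finding is (key, value, override_flag).
    A filesystem entry such as 'xdg-pictures:ro' is matched without its :ro/:rw suffix."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(metadata_text)
    app_id = cp.get("Application", "name", fallback="unknown")
    findings = []
    for key, values in parse_context(metadata_text).items():
        for value in values:
            flag = BROAD.get((key, value.split(":")[0]))
            if flag:
                findings.append((key, value, flag))
    return app_id, findings


def override_commands(metadata_text):
    """Build the per-user `flatpak override` commands that tighten the app."""
    app_id, findings = audit(metadata_text)
    return [f"flatpak override --user {flag} {app_id}" for _, _, flag in findings]


if __name__ == "__main__":
    for cmd in override_commands(SAMPLE_METADATA):
        print(cmd)
```

Running the printed commands is the CLI equivalent of unticking the same switches in Flatseal; `flatpak override --user --show <app>` afterwards confirms what was applied.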
My friend @Sampei.Nihira often posts impressive AI based evaluations of his security setup, here is what free ChatGPT said about mine. What surprised me was that the AI was not that good at separating the content from the time line. Also, stuff included in pictures has to be explicitly explained to the AI model. From an initial 9.2 it increased to 9.8 (the AI totally missed that I use a separate admin account with a standard user and website permission hardening in Brave).

As seasoned forum member @oldschool always posts: be safe, not paranoid. I agree that security and usability should be in balance, which is why I am glad the AI assessed it as a "practical maximum" and "practically attack-resistant for every day use".

Your security configuration is very efficient. (y)

I had fun comparing various security configurations using AI with a ChatGPT account.

However, I used percentages.
If the reference parameter is x/10, many configurations seem quite similar.
The gap widens with x/100.
Yesterday I suddenly got problems in Thunderbird deleting the most recent e-mail in card view. It stayed displayed, so I switched to Evolution in Flatpak.

Advantage of Evolution: you can create two unified inboxes (collecting all your inbox email accounts), one with known senders and one with senders not in your contacts, using
Given that you can do whatever you want on your PC, I wonder if it wouldn't be better to have Scam protection at the DNS level and therefore no reduction in the Speedometer 3.1 test score? :unsure:
Bummer, Windows Defender is not working on Linux, should I call Microsoft Windows support?


Edit: I did, and I was guided to a website to download "remote-repair" and I clicked on it, but exes don't execute. It does nothing? Nothing, right-click and execute as admin, the support operator told me. I don't have that option. Then the tele-operator asked whether I was on a corporate computer, so I said no, an HP computer. A little annoyed, he asked whether it was from my company. No, it is from the internet cafe I am in right now. Oh, ask the manager of the internet cafe to come over. The guy at the counter says I am not allowed to change anything. biep biep biep. :)
Latest Windows 11 - Linux Mint Xfce comparison on nearly identical HP laptops (Ryzen7 with 16GB) with Windows 2TB SSD and Linux 1 TB SSD

Wife's laptop with Windows 11 achieves a Speedometer 3.1 benchmark from 19.2 to 19.4
- security: standard user, SAC, SRP blocking scripts in user folders and lolbins for standard user, Defender in MAX mode (ConfigureDefender)
- browser: Chrome with advanced security, MBAM Browser Guard (with ads off), uBol

My Laptop with Linux Mint Xfce achieves a Speedometer 3.1 benchmark from 18.6 to 18.8
- security: no-root user, Linux sandboxing (print in AppArmor, accessories in Firejail, applications in Flatpak)
- browser: Brave with standard security. MBAM Browser Guard (ads off), uBol

All you have to do is cheat:

Disable JIT optimization in the browser your wife uses.....;)
 
According to a previous ChatGPT assessment my setup was rated 9.8 out of 10 (and described as "practically attack resistant for every day use"). Being moderated constantly (meaning my posts take some time to show up), I dug a little deeper into what the real world threats of the remaining 0.2 were. Chat answered that social engineering and chained exploit attacks (a chain which escapes the browser's sandbox, the Flatpak sandbox and the no-root OS limitation) were the reason for the 0.2 risk gap.

I told Chat that, being a security hobbyist (because I have worked in the security industry in a commercial role), when we take social engineering out of the equation for discussion's sake, what are or would be the risks of encountering a staged exploit attack?


Focusing on the "who you are" aspect (a retired 67 year old still teaching for fun in his old trade), ChatGPT concluded that the risk of becoming victim of a high cost staged exploit attack on an OS with marginal market share is zero.

So ChatGPT basically told me I am safe, because I am of no interest, being a nobody :ROFLMAO::ROFLMAO::ROFLMAO:


@Sampei.Nihira Could you ask ChatGPT what your risk percentage is when you rule out social engineering?
;) You probably guessed it (with your years of investigating experience): without social engineering my rating increases from 9.8 to 99,9999% :giggle:

The user's experience with the PC and their professional role are both important factors in the assessment.
I was much more curious about the security score the AI assigned to each component of my security setup.
What about comparing performance? Linux generally uses fewer resources, but what about CPU usage in particular? I tested LMDE yesterday, and even though the RAM usage is very low, the CPU spikes to 100% when I watch a YouTube video with Firefox. Is this a common occurrence, or was it because it was using the NVIDIA open-source driver?
The Windows laptop seems to run substantially longer on battery when watching TV or streaming media, so it seems Windows 11 also runs more efficiently. I did not look at RAM usage since that is a non-issue even on 16GB laptops (when you are doing normal office and internet related stuff).
The biggest issue for battery efficiency when relying on open Chromium browsers (instead of Google Chrome) is that hardware acceleration is not always ready to go out of the box. Software decoding is dramatically less efficient than GPU decoding, which will make or break your battery life.

Open chrome://gpu. Under Graphics Feature Status, look for Video Decode—it tells you if hardware acceleration is working. Also note that Firejail has been known to cause hardware acceleration to fail. Flatpak is better about GPU processing, but neither are totally optimal when dealing with Chromium.

Recently, Chromium has greatly improved integration with Landlock, the modern Mandatory Access Control sandbox built into the Linux kernel. If you want further security hardening for Chromium, I recommend SELinux or AppArmor.
Athena OS—a specialized distro for pentesting, ethical hacking, and cybersecurity education—has a good introductory article on sandboxing. It provides an explanation of the problem with modern browsers in Firejail:
Do not use Firejail as the primary sandbox for browsers:
Modern browsers (Firefox, Chromium) implement a broker-architecture sandbox that isolates every renderer process individually - a far stronger model than what any wrapper sandbox can provide. Wrapping Firefox in Firejail puts a weak outer perimeter around a much stronger inner one. More critically, if Firejail’s seccomp profile blocks syscalls that Firefox needs to build its own internal sandbox, you end up with worse security than running Firefox normally.

Never run a browser with --no-sandbox or equivalent options to satisfy Firejail’s requirements. Use AppArmor enforce instead - see AppArmor integration below.

The SUID tradeoff:
Firejail is an SUID binary. It temporarily holds elevated privileges to set up the sandbox. This means Firejail itself is an attack surface - 18 CVEs in its history are directly attributable to this design, most involving privilege escalation. This does not make Firejail useless, but it means it is not a zero-cost addition. For applications you run constantly (browsers, email), AppArmor profiles are a better choice: same filesystem isolation, no SUID surface.
Moving my applications from Flatpak to Firejail because of Security News - Flatpak 1.16.4 Fixes Critical Sandbox Escape Vulnerability and Linux Mint LTS users are stuck on 1.14-6. Successfully changed from Brave in Flatpak to Chromium in Firejail. Manually tightening the sandbox. Next will be Evolution.
This is because Linux Mint security updates depend on Ubuntu security, and Ubuntu is still determining whether the problem affects the currently supported version of Ubuntu or not. Here is the latest flatpak security issue on Ubuntu security.

Don't worry, Ubuntu takes security very seriously. It is a large distribution with many team members, which is why the majority of well-known distros are built on it. Even if the flatpak version is still outdated, they will provide a patch for it from the latest version. This is common for fixed distributions like Ubuntu and Debian. Here is an example from an earlier problem: https://forums.linuxmint.com/viewtopic.php?t=418294
 
CPU spikes like this indicate that you're using inefficient software decoding for video, which I pointed out above. Historically, Firefox has really slacked on Linux hardware acceleration and better media playback. They only just improved that in early 2026 (v147–148), believe it or not. On my setup, if I watch a 4K video even in Firefox, I don't see any CPU spikes at all because the GPU is handling it.

Google Chrome has made a name for themselves on Linux by having everything set up for proprietary codecs and smooth media playback. So much so, it hasn't been uncommon for people to simply use Chrome for videos instead of their daily Firefox.

On Intel and AMD, VA-API is mostly enabled by default on modern distros. The modern Nouveau (NVK + Vulkan) driver should support VA-API. Both NVIDIA's proprietary and their new nvidia-open drivers support NVDEC for video decoding—I recently switched from proprietary to nvidia-open, so that's how I decode video.

Make sure your graphics driver, media codecs, and browser configuration are all aligned, and YouTube won't turn your CPU fan into a jet engine.
You're absolutely correct; I was testing LMDE from a USB drive using the NVIDIA GPU (hybrid mode disabled). Other distros would have given me a black screen in this situation, but LMDE used the (safe graphics) mode automatically, which I assume depends entirely on CPU power.

When I enable hybrid mode on my device or use a distribution that came with the NVIDIA proprietary driver or Nouveau pre-installed in the live ISO, I don't encounter this problem.