Windows_Security

Posting this thread because I do this at most once a year for relatives. Posting saves me time over searching and re-finding information on the internet from different sources, so please mods make it a sticky :)

Installing additional user programs
Linux Lite comes with enough pre-installed software for most average PC users. After installation of Linux Lite click on menu and search for "Lite Software", a tool to easily install and remove popular software in Linux Lite. Choose install software and install Chromium from the list.

AppArmor
AppArmor is a Mandatory Access Control system (with specific rules per process) enforced in the kernel. I only enable the AppArmor profiles which come with Linux Lite. Open Menu, System, choose Xfce Terminal. To put AppArmor into enforce mode you first have to install AppArmor utils by entering this command in the Xfce Terminal (compare with command shell in Windows):
-"sudo apt install apparmor apparmor-utils" After entering (admin/root) password it should install.
Next put LibreOffice and Firefox AppArmor profiles in enforce mode:
-"sudo aa-enforce /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin"
-"sudo aa-enforce /etc/apparmor.d/usr.lib.libreoffice.program.oosplash"
-"sudo aa-enforce /etc/apparmor.d/usr.bin.firefox"

FireJail
Firejail is a SUID sandbox (Set Owner Permission ID), so the program launched with Firejail does not inherit the user's permissions. Go to the Firejail website on GitHub and download the current Firejail version. Choose the ..amd64.deb (AMD processors) or x86_64.intel or i386.deb (Intel 64 or 32 bits) download, depending on your system. Double click the .deb package and Linux Lite will elevate to root (admin), asking for your password. Go to menu and create two desktop icons for Chromium and Thunderbird (click on menu, choose internet, right click chromium & thunderbird mail and choose option "add to desktop").

Right click those desktop shortcuts and choose "properties" (similar to Windows), next click on tab starter and change commands
- "thunderbird %u" into "firejail --seccomp thunderbird %u"
- "chromium-browser %U" into "firejail --seccomp chromium-browser %U --password-store=basic"
I start the system without requiring a password, so I add "--password-store" to prevent a password pop-up every time Chromium is started.

Firejailing VLC
Create a desktop item for the VLC media player. Also change the launcher command into "firejail --seccomp vlc --started-from-file %U". Now download an MP4 movie. Right click on the MP4 file and choose "Open with other application". After the "open with" prompt appears click on "Use a custom command". A text entry box will appear; enter "firejail --seccomp vlc --started-from-file %U". Clicking on an MP4 movie with the Linux Lite file manager will start the movie in a firejail sandbox. You have to do this for every file type associated with VLC movie player.

I use Firefox as default backup browser (it always runs in the AppArmor sandbox, no matter how it is started) and have only installed NoScript in default settings. In Chromium I only install uBlock Origin, enabling "Adguard English filter and AdGuard Spywarefilter" (all others disabled). When you want to always launch Chromium incognito, just add --incognito to the above starter command (after -password etc).

Lite Tweaks
Startup of sandboxed programs takes a little longer. So launch Lite Tweaks and select option "Preload Apps" to pre-load often used applications and reduce cold start time. This only makes sense when the system is installed on old fashioned hard disk drives.

Firewall
Launch Xfce Terminal again and sudo apt-get install gufw. After reboot Firewall Configuration should appear in Menu>Settings, just enable blocking inbound traffic (incoming) in GUFW (GUFW is the Graphical interface of UFW = Unix FireWall).

Remove VirtualBox
I install Linux Lite for older relatives, they don't need it and VirtualBox only delays system start, so copy and paste these commands in Terminal to remove it and speed up boot time:
-"sudo apt purge 'virtualbox*'"
-"sudo systemctl stop vboxadd.service"
-"sudo systemctl stop vboxadd-service.service"
-"sudo systemctl disable vboxadd.service"
-"sudo systemctl disable vboxadd-service.service"

Make Linux Lite look like XP (and Windows7)
Search "Windows Manager" in all application menu option. Launch and choose Moheli as style. Do the same for "Appearance", choose Redmond as Style and Default Gnome theme for Icons.

Set a restore point
Search for "Time Shift" in all applications menu option. Choose Create.

Disclaimer
I am not an experienced Linux user, use at your own risk and please correct me when I made mistakes or you have tips. I am just a copy-paste monkey who won't be able to answer your questions or troubleshoot your problems.

Why use AppArmor for Firefox and LibreOffice?
I like to use what is already available in the OS. When Linux Lite (or better Ubuntu) has AppArmor by default in its distro, it is sort of 'officially' supported, so probably has the least problems or incompatibilities. Check status by entering "sudo aa-status" in Xfce Terminal. The advantage of AppArmor over FireJail is that the sandbox limitations are always applied when the AppArmor-ed program is started. That is why I have set Firefox as default browser (and added third party blocking with NoScript).

Why use FireJail for Thunderbird and Chromium (and VLC)?
There is a lot of information available and it comes with default profiles, tested and maintained by community experts. Installation is only one command and usage is simple by adding firejail to the desktop/starter command. By changing desktop/starter shortcuts, it is easy to revert to running without it when encountering problems. So that is a lot of extra security with little effort and little risk of crippling your system.

Why not use both AppArmor and Firejail?
Mwhaa, that requires knowledge of Linux OS and time to learn to use these sandboxes and I am only a 'copy & paste monkey'.
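Added example (not part of the original post): the post edits one desktop shortcut and one file-type association at a time, so a program started any other way runs without Firejail. This sketch wraps the Exec= lines of a .desktop launcher with "firejail --seccomp" and lists launchers that still start unsandboxed. It assumes the usual XDG behaviour that a same-named copy in ~/.local/share/applications overrides the one in /usr/share/applications; the function names and the sample launcher are constructed for illustration.

```shell
#!/bin/sh
# Added example: wrap and audit Exec= lines in .desktop launchers.

# Read a .desktop file on stdin and prefix every Exec= command with
# "firejail --seccomp", leaving lines that already go through firejail alone.
wrap_exec() {
    sed -E '/^Exec=firejail( |$)/!s/^Exec=(.*)$/Exec=firejail --seccomp \1/'
}

# Print the names of launchers in directory $1 that have at least one
# Exec= line which does not start with firejail.
unwrapped_launchers() {
    for f in "$1"/*.desktop; do
        [ -f "$f" ] || continue
        if grep -E '^Exec=' "$f" | grep -qvE '^Exec=firejail( |$)'; then
            printf '%s\n' "${f##*/}"
        fi
    done
}

# Copy launcher $2 from directory $1 into directory $3 with wrapped Exec=
# lines. With $3 = ~/.local/share/applications the copy takes precedence,
# so every file type associated with that launcher starts sandboxed.
override_launcher() {
    mkdir -p "$3"
    wrap_exec < "$1/$2" > "$3/$2"
}

# Demo on a constructed launcher in a temporary directory (nothing on the
# real system is touched).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sys"
    cat > "$tmp/sys/vlc.desktop" <<'EOF'
[Desktop Entry]
Name=VLC media player
Exec=/usr/bin/vlc --started-from-file %U
MimeType=video/mp4;video/x-matroska;
EOF
    echo "before: $(unwrapped_launchers "$tmp/sys")"
    override_launcher "$tmp/sys" vlc.desktop "$tmp/user"
    grep '^Exec=' "$tmp/user/vlc.desktop"
    rm -rf "$tmp"
}
demo
```

On a real system the call would be override_launcher /usr/share/applications vlc.desktop "$HOME/.local/share/applications"; deleting the copy reverts to the unsandboxed launcher.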