Firejail, Firetools (GUI) & AppArmor - Hardening Bionicdog

Antivirus, forensics, intrusion detection, cryptography, etc.
labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

Firejail, Firetools (GUI) & AppArmor - Hardening Bionicdog

#1 Post by labbe5 »

After compiling firejail (very few dependencies) or installing it with .deb binaries, you start browsing with this command line for highest security:

I use Firefox, but you can use a number of browsers with firejail.

$ firejail --private --dns=8.8.8.8 --dns=8.8.4.4 --caps.drop=all firefox -no-remote

For DNS, I use Google Public DNS, and the browser cannot access a number of processes.

This set up is for accessing bank accounts or other sensitive content.

When you are finished with your browsing, you look for the client number of firejail with:
firejail --list

And you shut down your contained firefox with:

firejail --shutdown=<client number>

Coupled with a VPN, such as VPNBook, you have very secure browsing.

After installing OpenVPN, you use this command line to have a Virtual Private Network:
sudo openvpn --config vpnbook-ca1-tcp443.ovpn --auth-nocache

Depending on your downloaded bundle, it can be US, or CA, or other countries. In this instance it is the Canadian bundle.

--auth-nocache means that the password is not cached in plain text.

More info at the firejail website.
Last edited by labbe5 on Sun 28 Oct 2018, 15:40, edited 2 times in total.
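Added example, not from labbe5's post: a small POSIX shell script that does the --list / --shutdown steps above by program name, reading the client number out of the list output instead of copying it by eye. It assumes list lines of the form PID:user:command (newer firejail releases add a name column); the sample list lines used for testing are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): look up the PID that "firejail --shutdown"
# wants instead of reading it off "firejail --list" by eye, then shut down every
# sandbox running a given program. Assumes list lines of the form
# "PID:user:command" (newer releases add a name column: "PID:user:name:command");
# only the leading PID and the command text are used, so both layouts work.

# sandbox_pids <program> <file-with-list-output>: print the PIDs of sandboxes whose
# command line contains <program>; return 1 when there is none.
sandbox_pids() {
    awk -F: -v prog="$1" '
        NF >= 3 && $1 ~ /^[0-9]+$/ {
            cmd = $0; sub(/^[^:]*:[^:]*:/, "", cmd)    # strip PID and user
            if (index(cmd, prog)) { print $1; found = 1 }
        }
        END { exit !found }' "$2"
}

# shutdown_sandboxes <program>: the post's --list / --shutdown steps in one go.
shutdown_sandboxes() {
    tmp=$(mktemp)
    firejail --list > "$tmp"
    if pids=$(sandbox_pids "$1" "$tmp"); then
        for pid in $pids; do
            echo "shutting down sandbox $pid ($1)"
            firejail --shutdown="$pid"
        done
    else
        echo "no sandbox running $1" >&2
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
}

# Usage: sh firejail_stop.sh firefox
if [ $# -eq 1 ]; then
    shutdown_sandboxes "$1"
fi
```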


Do My Command utility

#2 Post by labbe5 »

Using Do My Command utility that is part of Dog-based OS, you can have firejail firefox up and running in a click.

Just save your command line at the bottom of the file provided by the utility and click Play. Your command line will be kept for other sessions.

Using public DNS servers from DNS.Watch, for maximum privacy:

$ firejail --private --dns=84.200.69.80 --dns=84.200.70.40 --caps.drop=all firefox -no-remote

The best is to couple Firejail with Openvpn.


more on Firejail

#3 Post by labbe5 »

https://firejail.wordpress.com/2017/05/ ... ing-guide/

Here is another review/guide to help you understand and use firejail:
https://linuxconfig.org/protect-your-sy ... n-firejail

Up to now, we had to prefix a command with firejail, such as firejail firefox in a terminal, to have it sandboxed, but now there is full integration with the desktop environment.

Once you have installed firejail (now version 0.9.46), you need to complete the installation with:

firecfg --fix-sound
and
sudo firecfg

Here is why:
The first command solves some shared memory/PID namespace bugs in PulseAudio software prior to version 9. The second command integrates Firejail into your desktop. You would need to log out and log back in to apply the PulseAudio changes.

It is a major change, making Firejail as simple to use as it can be:
Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers. The integration applies to any program supported by default by Firejail. There are about 250 default applications in Firejail version 0.9.46, and the number goes up with every new release. We keep the list in /usr/lib/firejail/firecfg.config file.

Just for fun, start several programs by clicking your desktop manager menus, then open a terminal and run the following command:

firejail --top

This command tells you what programs are running in a Firejail sandbox. If your program was not sandboxed automatically, use the old method of prefixing your program with “firejail
Last edited by labbe5 on Tue 11 Jul 2017, 14:12, edited 1 time in total.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#4 Post by rufwoof »

Thanks for all this detail, labbe5.

All a dark science from my perspective. I already have firejail up and running with skype and firefox .desktop files changed to use that by default (firejail prefix to commands).

I tried installing openvpn out of the Debian repository (I run a Debian jwm/rox type frugal boot setup) and then ran the command you suggested, but that came back with an error report:


root@debian:/home/user# openvpn --config vpnbook-ca1-tcp443.ovpn --auth-nocache
Options error: In [CMD-LINE]:1: Error opening configuration file: vpnbook-ca1-tcp443.ovpn
So looks like there's a lot more to do/configure on the VPN front that I know next to nothing about and need to get my head down to do some studying.


Firetools

#5 Post by labbe5 »

http://www.linuxandubuntu.com/home/fire ... ty-sandbox

There are certain files required in order for Firejail to work properly (actually for Firetools to work properly).

For Dog-based OS:

Git and compiler:
sudo apt-get install git build-essential

Qt5:
sudo apt-get install build-essential qt5-default qt5-qmake qtbase5-dev-tools libqt5svg5 git

To install the GUI, enter these commands:

git clone https://github.com/netblue30/firetools
cd firetools
./configure --prefix=/usr && make && sudo make install

Firejail is now available in standard Ubuntu repositories, but for latest version, you still need to compile it (each new version contains new profiles, which are security rules followed by apps).


Hardening a newly installed Bionicdog

#6 Post by labbe5 »

A newly installed Bionicdog does not have AppArmor installed, nor Firejail, but they are both the easiest way to protect your system against sophisticated hacks.

How to install AppArmor

First check by yourself that apparmor is not installed with:
apt-cache policy apparmor

Having done that, you install apparmor and the following packages:
apt install apparmor apparmor-profiles-extra apparmor-profiles apparmor-utils

When it is done, you enforce the profiles:
aa-enforce /etc/apparmor.d/*

When it is done, you can check the apparmor status:
sudo aa-status

It looks like this:
apparmor module is loaded.
51 profiles are loaded.
51 profiles are in enforce mode.
/usr/bin/irssi
/usr/bin/pidgin
/usr/bin/pidgin//launchpad_integration
/usr/bin/pidgin//sanitized_helper
/usr/bin/totem
/usr/bin/totem-audio-preview
/usr/bin/totem-video-thumbnailer
/usr/lib/chromium-browser/chromium-browser
/usr/lib/chromium-browser/chromium-browser//browser_java
/usr/lib/chromium-browser/chromium-browser//browser_openjdk
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
/usr/lib/chromium-browser/chromium-browser//lsb_release
/usr/lib/chromium-browser/chromium-browser//sanitized_helper
/usr/lib/chromium-browser/chromium-browser//xdgsettings

Bionicdog can be even more hardened with Firejail. Download latest version on Sourceforge, because version from Ubuntu repositories will not work with latest Firefox.

Now use Slim to change from root to puppy the easiest way:
apt install slim
exit x
Once you are the puppy user, you can use firejail in your terminal.

For example, you want to start Firefox:
The simplest command is: firejail firefox. It is better than nothing. But we can do more, much more, to secure Firefox without compromising functionality.

Firefox in complete isolation:
firejail --seccomp --caps.drop=all --nonewprivs --private --private-dev --private-tmp --dns=1.1.1.1 --dns=1.0.0.1 --whitelist=/home/puppy/Downloads firefox -no-remote
You will not see any change, but you are safer using Firefox this way.

To autostart Firefox:
Here is the path: /home/puppy/.config/openbox
Click on autostart to open the file and add at the bottom:
firejail --seccomp --caps.drop=all --nonewprivs --private --private-dev --private-tmp --dns=1.1.1.1 --dns=1.0.0.1 --whitelist=/home/puppy/Downloads firefox -no-remote &

Adding & is all you need to do, then save.

Firefox, or other browsers, are better hardened to the maximum, the more so when you use your browser to do financial transactions.

When using internet-facing apps, a good habit is to use Firejail.
To block access to the internet while using an app, add --net=none

Try it yourself with Firefox. It will result in a lost connection. Some apps do not need to have internet access to function properly, but may attempt to connect to a server.

What more can be done? Use ufw, the Uncomplicated Firewall.
Install it with apt install ufw. Gufw is the GUI for ufw, but stick to the command line for Bionicdog.
After installation, as root, you do: ufw enable. Most users are ok with that.
Incoming traffic is denied by default.

After you have hardened Bionicdog, reboot.

You are no longer the low-hanging fruit. You have multiple layers of security that need to be overcome for you to be hacked and your system be compromised.

For added security and privacy, use a VPN. There is AirVPN managed by privacy activists, or ProtonVPN that are on top of any list, AirVPN having a GUI called Eddie available for Linux users, with which you can easily use Tor, SSL and change protocols.

In spite of all this, phishing, spear phishing, evil twins wifi access point can compromise all you have done.

Credentials (usernames, passwords): hackers are after them in all possible ways. Add 2FA when possible. The use of social media does not help keep you private and secure, but it is your choice to use them.

When possible use encryption, and some useful addons, such as NoScript, HTTPS Everywhere, uMatrix, uBlock origin.

Now your Bionicdog installation is hardened.
Congrats!
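Added example, not from labbe5's post: a POSIX shell script that audits saved "sudo aa-status" output like the listing shown above, so you can check the enforce step took effect instead of reading the list by eye. It flags profiles left in complain mode and running processes that have a profile but are unconfined (started before the profile was enforced, which is the case the final reboot clears). It assumes the aa-status layout shown in the post; the sample outputs used for testing are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit the output of "sudo aa-status" shown
# above instead of reading it by eye. It flags profiles left in complain mode and
# running processes that have a profile but are unconfined (started before the
# profile was enforced), which is the case the post's final "reboot" step fixes.
# Assumes the aa-status layout shown in the post: a "N ... mode." header line
# followed by one indented path per profile or process.

# aa_audit <file-with-aa-status-output>: prints findings, returns 0 when clean, 1 otherwise.
aa_audit() {
    awk '
        /^apparmor module is not loaded/ { notloaded = 1; next }
        # Section headers; remember which list the following indented lines belong to.
        /profiles are in enforce mode/   { sec = "enforce"; next }
        /profiles are in complain mode/  { sec = "complain"; next }
        /processes are in enforce mode/  { sec = "penforce"; next }
        /processes are in complain mode/ { sec = "pcomplain"; next }
        /processes are unconfined but have a profile defined/ { sec = "unconfined"; next }
        # Any other "N ..." or "apparmor module ..." line ends the current section.
        /^[0-9]+ / || /^apparmor module/ { sec = ""; next }
        sec == "complain"   { complain[++nc] = $1 }
        sec == "unconfined" { sub(/^[ \t]+/, ""); unconf[++nu] = $0 }
        END {
            bad = 0
            if (notloaded) { print "FAIL: apparmor module is not loaded"; bad = 1 }
            for (i = 1; i <= nc; i++) { print "WARN: complain mode: " complain[i]; bad = 1 }
            for (i = 1; i <= nu; i++) { print "WARN: unconfined process with profile: " unconf[i]; bad = 1 }
            if (!bad) print "OK: every loaded profile is enforced and no process with a profile is unconfined"
            exit bad
        }' "$1"
}

# Usage: sudo aa-status > /tmp/aa.txt && sh aa_audit.sh /tmp/aa.txt
if [ $# -eq 1 ]; then
    aa_audit "$1"
fi
```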
