The safe 3. profile configuration.?

[Jakob77]

j2mcgreg

Yes, I get your point. It is the same with the internet. You might not know if your profile has been compromised.
I might just think the security proportions are getting a bit twisted if I can connect to videos for a whole day but close friends are not alowed to do a single click with my mouse.

I do want to read about the risks but if they are spooky and maybe not existing they are not very helpful.
I get the impression that you think creating more user profiles on a MX computer is a security risk in itself. Is that the case.?


At the moment I work on configuring a computer for news, movies and games for kids and entertainment.
It is not hard to bang but I still do the same with different profiles so I have some prototype backups.
Extra profiles are very easy to make and I guess only time can show to what degree they will be helpful.



How can we encrypt one whole profile, nothing more and nothing less.?

[j2mcgreg]

@Jakob77 wrote:

I do want to read about the risks but if they are spooky and maybe not existing they are not very helpful.
I get the impression that you think creating more user profiles on a MX computer is a security risk in itself. Is that the case.?

No, it's not. We've all given you our lists of best practices and you have made it clear that you will pick and choose which ones to follow. Fine, it's your machine. I truly believe that you need to be bitten a couple of times before you understand. With that, I'm out.

[Jakob77]

When someone asks me how to keep a computer secure, my short answer is usually the following:

1) Never save passwords in a browser – Use an offline password manager. (KeePass or KeePassXC)

2) Use STRONG passwords ( I have HUGE list on that one!), but basically 12 Characters or more, at least 2 numbers, 2 special characters, upper and lower case, do not “make the password” about anything of ‘yours’, and if you use ‘words’ they should NEVER be found in a dictionary. (ie they should be partial, made up, or misspelled words.)

3) Never use passwords for multiple places – ever! ( you would be amazed at how much I see this done!)

4) Use an encrypted vault for anything important.

5) Do not click links in email – period!

6) Do not use search engines to lookup ANY place you go to on a regular occasion and log in. Find where you need to go, and then make a book mark – or BETTER YET, save the URL in your password manager!

7) Always lock your computer when you step away from it. ( Auto locking is good, but a 10 min auto lock is 9 min too long!)

Do not install anything that you cannot trust where it came from – and I mean *know and trust* .

9) Do not let anyone onto your computer. Even family that would never *think* about harming you can cause a serious issue by just checking their email.

10) Discipline your self in everything – websites you go to, sign-ups, opening email, backing up regularly, *thinking before you do something*.


And honestly, ( no ego here! ) … if I can have a client think “What would Charles say about doing this?” … then I have succeeded in at least one thing - helping them be more secure!

My contribution can be rule no 1 not to let people with iOS into your house or office where you use the password list or keyboards.

You made me think. Since you use long passwords it is likely you expect a robot to do the cracking.
So is that for websites only and much less strict for a local MX user profile.?
I don't even know if it is possible to find other MX computers login prompt via the network.?

[CharlesV]

All passwords. And as for computer login via network, I believe it would really depend upon your firewall and how secure the machine really is.

[Jakob77]

In the manual 4.5.1 there is a link to a place where we can see more about how the MX Firewall works:

http://gufw.org/

Forbidden

You don't have permission to access / on this server.

Very efficient.!


There are also an other link in the program:
https://help.ubuntu.com/community/Gufw
https://help.ubuntu.com/community/UFW

I am not smart enough to make rules and I don't understand the report.

So I better go for preconfigured settings.

Maybe moving it from from "Home" to "Public" will give a better protection.?

The Firewall works for all profiles.

So does samba.

Manual page 35:

• If you are not going to host shared network folders on your PC, then you can disable samba. This will not affect your PC's ability to access shares hosted elsewhere on your network.

I still have problems with closing down a profile completely when I log out.
If user 1 mounts a USB disk, log off and log in as user 2, he can't mount the drive because it is already mounted and in use by user 1.

Do we perhaps have a Terminal command (unmount?) that can do the job so I can add it to my log out procedure.?

[CharlesV]

The umount command is what your after.

Code: Select all

umount {your_usb_disk__id}

for the gufw link.. the last couple of years have been harsh on websites with many going down, being moved or struggling to maintain links. I am sure one of the document peeps here will see that and adjust accordingly.

[Jakob77]

The umount command is what your after.

Code: Select all

umount {your_usb_disk__id}

Thank you. Can we make it unmount all usb drives no matter what id they have.?

[CharlesV]

The umount command is what your after.

Code: Select all

umount {your_usb_disk__id}

Thank you. Can we make it unmount all usb drives no matter what id they have.?

All most all of the scripts I have seen to do that require a little scripting, I would suggest doing some research on it - I *know* that I have seen that out there.

In fact... once you find a method you like, *THAT* might be an EXCELLENT tutorial for your NEXT scripting lesson !!

[Jakob77]

Yes, and thank you. Actually I already have a log out script for turning off the network and doing some writing to a log file.
I found it was necessary to make a script in order to make sure the session commands always were fully executed before log out.

So when I am at it I think it could be a good idea to put the profile further into a sleep as deep as possible before I log out.
But since we don't have easy to find obvious commands for it, I might just leave it or see what Xfce forum has to say about it.
Maybe I have overlooked something but to me it seems like Xfce still has some foggy borders that deserves more clarification.

[andy]

...
So when I am at it I think it could be a good idea to put the profile further into a sleep as deep as possible before I log out.
But since we don't have easy to find obvious commands for it, I might just leave it or see what Xfce forum has to say about it.
Maybe I have overlooked something but to me it seems like Xfce still has some foggy borders that deserves more clarification.

Hi all, I have much enjoyed this discussion, and a huge thank for everyone who participaded.
When I will have more spare time I plan to revisit this thread, and take notes from all valueable info here.

Until,
I just want to say: isn't the best way how to put a profile into sleep: to store it encrypted and to unmount it after logout?
I cannot imaginge safer way to protect it at rest.

BUT: we have to keep in mind: this protection works only against attacks when profile is not in use. Immediately we have our system compromised, and login into the profile with it, the profile is easy target.
This seems useful, however a bit old:
https://bbs.archlinux.org/viewtopic.php?id=98227
Also interesting discussion. It 12 years old, dm-crypt vs ecryptfs mentioned, and no LUKS. To put things into perspective:
https://stackoverflow.com/questions/716 ... sibilities
Basically, LUKS is a higher layer that uses functionality from dm-crypt and dm-integrity as lower layers. Clever. (I am using LUKS everytime, but did not heard a lot about dm-crypt, so this is the reason.)
So in 2023 maybe there is a better tutorial to accomplish encrypted profile auto log-in/out.

Some distro's offer setting up encrypted home profile, I think MX Linux offers just entire /home on an encrypted partition (what is not the same).
This is only one layer of protection. Works only for some specific threat model - stolen computer. It is weak or useless in case of using compromised system to open it. So, it all depends, what is your threat model.
From what threats do you want to protect yourself?

This is the main question, and you set up your countermeasures accordingly.

Regards,
Andy