One security expert a while back recommended grsecurity. From what I gather, it prevents permission exploitation in the first place and does so in a way that is pretty robust (can't remember the principle on how it does so)
Otherwise, I'd say forget about trying to secure Linux and just go with QubesOS unless you need 3D graphics acceleration
Edit: QubesOS allows you to run at least some conventional brands of Linux out of the box, but it allows memory efficient VM isolation between them, and some other really cool features, overall making securing stuff much simpler than installing a bunch of random tools from different parties
I nuked my Ubuntu Mate laptop and installed Qubes, just to get a feel for it. It's significantly more maintenance than a vanilla distro, because of all the separated environments, but if I ever wanted to return to Linux on the desktop as my main OS, I'd absolutely use it. It's the only BYOD/WFH solution I've found that feels even close to secure enough if you don't want to run physically separate PCs.
Security-wise, QubesOS is better than separate PCs since (at least in part) isolating the network card into a separate VM prevents it from having direct memory access to the whole system (I think devices do have DMA?)
It also provides a better way to communicate between VMs through simple RPC commands rather than hoping USB device drivers are not malicious
In terms of maintenance, I'm pretty sure you could have only one templateVM for everything, which means you only have to update dom0 and that templateVM. So in terms of maintenance that's really not that much more I guess?
I think I might try that myself actually
If you need persistence in the root filesystem, that could mean a standalone VM or a new VM. Last I tried I had trouble with their AppVM solution on that