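# Install additional AppArmor (AA) profiles.
apt-get install --no-install-recommends apparmor-profiles

# Switch selected profiles from complain to enforce mode, so that policy
# violations are blocked rather than only logged.
# aa-enforce is shipped in apparmor-utils; install that package first if the
# command is not found.
for p in /bin/ping /usr/sbin/avahi-daemon /usr/sbin/dnsmasq; do
  # Quoted so the path always reaches aa-enforce as a single argument.
  aa-enforce "$p"
done

# Enforce medium passwords (pulls in the pam_cracklib strength checks).
apt-get install --no-install-recommends libpam-cracklib

# Install the file integrity checker AIDE.
# NOTE(review): installing the package does not by itself create a baseline.
# The AIDE database still has to be initialised on a known-clean system
# (aideinit on Debian/Ubuntu, if that helper is installed - confirm) and is
# best kept somewhere an intruder cannot rewrite it.
apt-get install --no-install-recommends aide

# Just in case I connect to an old server with an insecure key: these packages
# carry blacklists of known-weak OpenSSL/OpenVPN keys.
apt-get install --no-install-recommends openssl-blacklist openvpn-blacklist

# Log analysis is always good.
apt-get install logwatch
apt-get install --no-install-recommends logcheck logcheck-database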
Firefox setup
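# Enhance privacy by disabling Flash/Macromedia cookie storage.
# The rules go into the profile's "local" include so they survive package
# upgrades of the main profile. The grep guard keeps a second run from
# appending duplicates, and the quoted 'EOF' writes the rule text literally
# (no shell expansion inside the here-document).
firefox_local=/etc/apparmor.d/local/usr.bin.firefox
if ! grep -qsF -- '@{HOME}/.macromedia/** rw,' "$firefox_local"; then
  cat << 'EOF' >> "$firefox_local"
# Prevent Flash/Macromedia cookie storage
deny @{HOME}/.adobe/** rw,
deny @{HOME}/.macromedia/** rw,
EOF
fi

# Enable Firefox AA profile: drop the "disable" symlink, then load the profile.
# -f keeps a re-run from failing when the symlink is already gone.
rm -f -- /etc/apparmor.d/disable/usr.bin.firefox
# -a adds the profile to the kernel, -T skips any cached copy, -W writes a
# fresh cache. -a fails if the profile is already loaded; use -r to reload.
# Confinement attaches at exec time, so restart Firefox for it to apply.
apparmor_parser -a -T -W /etc/apparmor.d/usr.bin.firefox

# Install Adblock Plus and add the anti-malware subscription
#   http://adblockplus.org/en/subscriptions
#   http://www.malwaredomains.com/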
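# Minimal comfort
apt-get install -V --no-install-recommends vim-nox terminator thunderbird enigmail xul-ext-lightning pidgin

# Create an empty directory that Thunderbird requires but can't create itself.
# -p makes this a no-op when the directory already exists.
mkdir -p /usr/lib/mozilla/extensions/

# Enable thunderbird AA profile
# (-a fails if the profile is already loaded; -r reloads it instead.)
apparmor_parser -a -T -W /etc/apparmor.d/usr.lib.thunderbird.thunderbird-bin

# Enable pidgin AA profile
apparmor_parser -a -T -W /etc/apparmor.d/usr.bin.pidgin

# Install the KVM virtualization layer and its management frontend
apt-get install --no-install-recommends qemu-kvm libvirt-bin virt-manager

# Members of libvirtd get full control of the system libvirt daemon, which is
# effectively root-equivalent on the host; add only accounts you trust.
# ${SUDO_USER:?} aborts when the variable is unset or empty. Unquoted and
# empty, the command would collapse to "adduser libvirtd" and create a new
# account named libvirtd instead of changing a group membership.
adduser "${SUDO_USER:?SUDO_USER is not set; run this through sudo}" libvirtd
# or sudo adduser $USER libvirtd

# Disable local virtual network as it relies on NAT (bad)
virsh net-autostart default --disable
virsh net-destroy default

# Networking
apt-get install --no-install-recommends vlan bridge-utils

# Multimedia
apt-get install --no-install-recommends vlc vlc-plugin-pulse gstreamer0.10-ffmpeg gstreamer0.10-fluendo-mp3

# Misc
apt-get install --no-install-recommends cifs-utils sshfs powertop pwgen debootstrap schroot nmap tftp-hpa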
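# Packaging and development tools (devscripts was listed twice; once is enough).
apt-get install --no-install-recommends devscripts fakeroot debhelper dput patchutils bzr git pylint

# Now that we have all the required VCS, ensure that important files are tracked
apt-get install --no-install-recommends etckeeper

# Stop here if /etc cannot be entered rather than running the rest elsewhere.
cd /etc || exit 1

# Drop the repository created at install time so it can be re-created with git.
etckeeper uninit

# use git instead of bzr
sed -i -e 's/^VCS="\(.*\)"/VCS="git"/' /etc/etckeeper/etckeeper.conf

etckeeper init
# The repository under /etc records the history of sensitive files (password
# hashes, private keys, ...). Keep it readable by root only, and think twice
# before pushing it to a remote.
etckeeper commit "Initial /etc commit using git as the VCS for etckeeper"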
This is covered in OpenVPN on Ubuntu
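# Keep upstart jobs just in case: job files are moved aside, not deleted, so a
# service can be restored by moving its .conf back into /etc/init.
mkdir -p /etc/init.disabled

# The mv calls below use relative names, so stop if the directory is missing
# instead of moving files out of whatever the current directory happens to be.
cd /etc/init || exit 1

# Only one tty is used
for s in 2 3 4 5 6; do
  stop "tty$s"
  mv -- "tty$s.conf" /etc/init.disabled/
done

# I don't like noisy packages :)
stop avahi-daemon
mv -- avahi-daemon.conf /etc/init.disabled/

# I don't have a printer (it might not be the case for everyone)
stop cups
mv -- cups.conf /etc/init.disabled/

# I don't use weird binary formats
# NOTE(review): "update-rc.d -f ... remove" deletes the rc links, and a later
# package upgrade may re-create them. Re-check after upgrades, or consider
# "update-rc.d <name> disable" where that subcommand is available.
for s in binfmt-support; do
  service "$s" stop
  update-rc.d -f "$s" remove
done

# Who uses atd these days?
stop atd
mv -- /etc/init/atd.conf /etc/init.disabled/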
# Purging software that is never used also removes its daemons and
# configuration, leaving fewer services running on the machine.

# I don't use social media, cloud services or Mono applications (except Banshee)
apt-get purge \
  gwibber-service \
  ubuntuone-client \
  python-ubuntuone-client \
  tomboy

# I don't have bluetooth support
apt-get purge \
  bluez

# I use Thunderbird exclusively and don't like having a useless daemon
# running all the time
apt-get purge \
  evolution-data-server

# Free some space
apt-get purge \
  linux-headers-generic \
  example-content