Installation
The official install directions are very good. Below I document for myself what I did.
- Go to Linux Mint's homepage and choose "Download"
- I was on Windows at the time and used Balena Etcher to burn the live USB drive
- Had to go into my BIOS to allow booting from USB
- Booted from the USB
- Double-clicked the "Install Linux Mint" icon
- Chose English for the OS, then the English (US) keyboard
- Connected to my home WiFi
- Installed the multimedia CODECs
  - NOTE: To install the codecs, you have to choose to put in a "secure boot" password. You will need to put this password in the first time you boot. Make sure it's easy to type and remember!
- Chose the internal NVME drive
- Chose my time zone
- Added my local user account and password
- Chose to encrypt the home folder
- Continue until it reboots.
  - NOTE: Don't pull the thumb drive until the computer says to do so
  - NOTE: On reboot, it will ask to "Enroll MOK". This is that multimedia key. Here is where you type in that first password you typed in during the install, for the multimedia drivers/secure boot. You'll reboot again.
Post-Installation Configuration
Linux Mint has a really nice post-installation welcome screen that helps you get started with important stuff.
- I changed the Desktop colors to "Dark Theme", with green highlights
- In "Driver Manager", changed to the "Recommended" nvidia driver and rebooted
- Went into the "Update Manager" and changed to local mirrors, then updated everything
- NOTE: I went into the "Firewall Manager" and changed the "Status" toggle to "On". Why is this not on by default???
- Went into Firefox and added the "uBlock Origin" ad-blocker extension.
- In order to access the Raspberry Pi via VNC, I needed to install a VNC viewer. I opened the "Software Manager" and searched for "VNC". The one that I ended up installing was "Tigervnc-viewer", as it had the highest rating. I was then able to open the app and log into my Raspberry Pi.
Snapshots and Backing up
coming soon
Hardening the OS
Details coming soon.
My risk analysis suggests my primary threat vectors are:
- Malicious website (either the website itself or malvertising)
  - I've seen this one hit people who were careful. Risk management strategies include DNS protection (to minimize redirection attacks), browser sand-boxing (I need to read up on the AppArmor protections for Firefox) and extension protections (uBlock Origin filters).
- Supply Chain attack, either of a Steam game or via a poisoned update to a trusted repository
  - Need to look into stronger sand-boxing strategies for Steam games
- Malicious attachment to an email.
  - I'm pretty careful on opening email attachments, but I'd like something a bit more formal. At least it looks like Mint ships LibreOffice with active AppArmor profiles.
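
An AppArmor profile only blocks anything when it is loaded in enforce mode (complain mode just logs), so here is one way to check the Firefox and LibreOffice profiles mentioned above. This is an added example, not part of the original notes: the function names and the sample `aa-status` text are constructed for illustration, and the profile names on a real install may differ. `aa-status` itself normally needs root.

```sh
#!/bin/sh
# Added example: report which AppArmor mode the profiles matching a pattern
# are loaded in. Reads `aa-status` text on stdin so saved output can be checked.

aa_profile_modes() {
    # $1: extended regex matched against profile names
    awk -v pat="$1" '
        /^[0-9]+ profiles are in [a-z]+ mode\.$/ { mode = $5; next }  # section header
        /^[0-9]+ processes /                     { mode = ""; next }  # skip process lists
        mode != "" && /^[ \t]+/ {
            name = $0; sub(/^[ \t]+/, "", name)
            if (name ~ pat) { print mode "\t" name; found = 1 }
        }
        END { if (!found) print "none\t(no loaded profile matches " pat ")" }
    '
}

aa_check_enforced() {
    # Exit 0 only if at least one profile matches and every match is in enforce mode.
    out=$(aa_profile_modes "$1")
    printf '%s\n' "$out"
    printf '%s\n' "$out" | awk -F '\t' '$1 != "enforce" { bad = 1 } END { exit bad + 0 }'
}

sample_aa_status() {
    # Constructed sample output, not captured from a real machine.
    cat <<'EOF'
apparmor module is loaded.
6 profiles are loaded.
3 profiles are in enforce mode.
   /usr/bin/man
   libreoffice-oopslash
   libreoffice-xpdfimport
2 profiles are in complain mode.
   libreoffice-soffice
   libreoffice-senddoc
0 profiles are in kill mode.
1 profiles are in unconfined mode.
   firefox
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/bin/man (4242)
EOF
}

# Demo on the constructed sample. On a real system:
#   sudo aa-status | aa_check_enforced 'firefox|libreoffice'
sample_aa_status | aa_profile_modes 'firefox|libreoffice'
```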
Research
- Found this, seems promising: https://forums.linuxmint.com/viewtopic.php?t=454383
- Direct link to the PDF: https://nallino.net/stockage/security/Linux_Mint_Security.pdf