Security review

[cameronyule]

Review my current setup against some security guides, and consider whether I should be making any changes.

Requirements:

• Research guides for security on macOS, Nix, and Unix-based systems.
• Consider tension between software supply chain risks (pin dependencies, update sparingly) with security (update when required), and ergonomics (update when desired).
• (Likely a sub-task) Consider data security in the context of exfiltration, and hygiene around what is stored where. What data is okay on a service like Dropbox as compared to S3? What data should be encrypted at rest and only decrypted when necessary.

[cameronyule]

Prompt for Gemini 2.5 Pro:

I’d like to review my computer security and I’m looking for high-quality guides, like this https://drduh.github.io/macOS-Security-and-Privacy-Guide/ Are there any you would recommend? I use macOS, Linux, and Nix. I do not use Windows.

Response:

Of course. The guide you've linked is a comprehensive resource for hardening macOS, and there are several other high-quality guides available that adopt a similar in-depth and practical approach for macOS, Linux, and Nix-based systems. Here are some recommendations:

macOS

For macOS, the guide you're already using is excellent. However, for a broader perspective and to stay updated, consider these resources:

• Apple's Platform Security Guide: This is Apple's own detailed documentation on the security features of its hardware and software. It's less of a step-by-step guide and more of a technical deep dive into the security architecture of macOS, iOS, and other Apple products. It's an essential read for understanding the "why" behind many security recommendations.
• Privacy Guides - macOS Overview: This guide provides a more user-friendly and privacy-focused overview of securing macOS. It covers many of the same topics as the drduh guide but in a more accessible format, with clear explanations for each recommendation. It's a great starting point if you want to understand the rationale behind different security settings.

Linux

Securing a Linux system, often referred to as "hardening," is a well-trodden path with many excellent resources.

• CIS Benchmarks: The Center for Internet Security (CIS) provides detailed, consensus-based hardening guides for a wide variety of operating systems, including many Linux distributions. These benchmarks are industry-standard and provide a strong foundation for securing your system. They are available for free, though you do need to register.
• Stigler's IT Security: This website offers a comprehensive collection of security checklists and guides for various systems, including detailed recommendations for hardening different Linux distributions. The guides are practical and cover a wide range of security controls.
• The Arch Linux Wiki's Security Page: Even if you don't use Arch Linux, its wiki is an incredible resource for in-depth Linux knowledge. The security section provides a wealth of information on hardening measures, from kernel parameters to application-level security.

Nix & NixOS

The declarative and reproducible nature of Nix and NixOS offers a unique approach to system security.

• NixOS Manual - Security: The official NixOS manual has a dedicated section on security that covers the built-in security features of NixOS, such as its read-only /nix/store and the ability to create isolated, per-user environments.
• NixOS Wiki - Security: This is a community-driven resource that complements the official documentation with practical examples and discussions on various security topics, including setting up a firewall, managing secrets, and using security modules.
• Anduril's NixOS Security Technical Implementation Guide (STIG): For a more rigorous and compliance-focused approach, this STIG provides a set of security guidelines for deploying NixOS in high-security environments. It's a valuable resource for understanding how to lock down a NixOS system to a very high standard. By consulting these guides, you can build a robust and multi-layered security posture across all your operating systems.

[cameronyule]

Do the EFF have anything you’d recommend? Also, I’m in the UK - what about UK government agencies such as GCHQ?

Excellent questions. Both the Electronic Frontier Foundation (EFF) and UK government agencies provide valuable, high-quality resources that align with your security review.

Electronic Frontier Foundation (EFF)

The EFF is a leading non-profit defending civil liberties in the digital world. Their recommendations focus heavily on privacy and resisting surveillance, which are key components of personal computer security.

Their flagship guide is Surveillance Self-Defense (SSD). This is a comprehensive resource that is very much in the spirit of the guide you originally linked. It's an excellent collection of explanations, tutorials, and expert advice for protecting yourself from online tracking and state-sponsored surveillance.

Key sections of the SSD guide you might find useful include:

• Tool Guides: Step-by-step tutorials for installing and using specific privacy and security tools, such as password managers, encryption software, and anonymous Browse tools like Tor.
• Security Scenarios: Advice tailored to specific situations, such as securing your data while crossing borders or attending a protest.
• How to: Encrypt Your Computer: A guide that covers full-disk encryption for macOS, Linux, and other operating systems.

UK Government Agencies (NCSC / GCHQ)

In the UK, the public-facing cybersecurity authority is the National Cyber Security Centre (NCSC), which is a part of GCHQ. The NCSC provides authoritative security advice for individuals, businesses, and government. Their guidance is pragmatic, well-researched, and highly respected.

For your purposes, the most relevant resource is the NCSC Device Security Guidance.

This collection includes specific, detailed guides for securing various platforms to a standard appropriate for government and enterprise use, but the principles are equally applicable to security-conscious individuals.

• macOS Security Guidance: This guide provides 12 security principles for configuring macOS devices. It details how to implement controls using Mobile Device Management (MDM), but the underlying settings are relevant for any user. For a more hands-on approach, the NCSC also publishes recommended configurations.
• NCSC Device Security GitHub: Here you can find configuration profiles and scripts to implement the NCSC's recommendations for various platforms, including macOS.
• Linux (Ubuntu) Guidance: While there isn't a constantly updated guide for every Linux distribution, the NCSC has published detailed guidance for Ubuntu LTS releases in the past. The principles outlined in their Ubuntu 18.04 security guide are still highly relevant for hardening most Debian-based and other Linux systems. Key recommendations often include setting up secure boot, enabling AppArmor/SELinux, configuring firewalls, and ensuring data-at-rest encryption.

By combining the privacy-focused, activist perspective of the EFF with the official, threat-intelligence-driven guidance from the NCSC, you will have a very well-rounded and robust foundation for your computer security review.