Essential System Tools: Firejail – Excellent Security Sandboxing

Summary

What makes Firejail so special it qualifies for inclusion in our Essential System Tools feature? Above all, it puts users first.

It’s really easy to install and use, which leaves more time to spend actually using software. Most people won’t need any custom configuration. A wide range of software comes with sandbox profiles.

The software helps to reduce the risk of security breaches. It’s lightweight, and while it uses CPU cycles, the overhead is remarkably low. Firejail sandboxes do not each run their own copy of a full-blown operating system. Instead, they operate in a resource-isolated environment created by standard facilities of your system’s existing Linux kernel. As such, despite the high level of protection offered, the overhead of running a Firejail sandbox is extremely low. So your software, including games, runs at full steam, unlike in a full virtualisation environment.

Firejail is an excellent tool for the security-conscious. While it adds a layer of protection, you should use it with other security tools. We use it mainly for web browsing, and to lock down services.

There are no socket connections open, and no daemons running in the background. All security features are implemented directly in the Linux kernel.
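
One way to check that isolation from the outside, as an added example that is not from the original article or the Firejail project: the kernel facilities in question include Linux namespaces, and a sandboxed process shows different namespace identifiers under /proc/<pid>/ns than an ordinary shell does. The function names and the sample identifiers are constructed for illustration.

```python
import os
import sys

# Namespace types the kernel exposes as symlinks under /proc/<pid>/ns.
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

def read_namespaces(pid):
    """Map each namespace type to its identifier, e.g. 'mnt:[4026531840]'."""
    found = {}
    for ns in NS_TYPES:
        try:
            found[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            found[ns] = None  # process gone, permission denied, or type unsupported
    return found

def isolated_namespaces(baseline, target):
    """Namespace types where the target uses a different kernel object."""
    return sorted(ns for ns in NS_TYPES
                  if baseline.get(ns) and target.get(ns)
                  and baseline[ns] != target[ns])

def unknown_namespaces(baseline, target):
    """Types unreadable on either side; never count these as isolated."""
    return sorted(ns for ns in NS_TYPES
                  if not baseline.get(ns) or not target.get(ns))

# Constructed sample identifiers (not captured from a real system): a normal
# shell, and a process whose mount, PID and UTS namespaces are private.
HOST_SHELL = {ns: f"{ns}:[40265318{i:02d}]" for i, ns in enumerate(NS_TYPES)}
SANDBOXED = dict(HOST_SHELL, mnt="mnt:[4026532701]", pid="pid:[4026532702]",
                 uts="uts:[4026532703]")

def report(baseline, target):
    """One-line summary of isolated, shared and unreadable namespace types."""
    shared = [ns for ns in NS_TYPES if baseline.get(ns)
              and baseline.get(ns) == target.get(ns)]
    return (f"isolated={isolated_namespaces(baseline, target)} "
            f"shared={shared} unknown={unknown_namespaces(baseline, target)}")

if __name__ == "__main__":
    # With a PID argument, compare that process against this one;
    # otherwise run on the constructed sample.
    if len(sys.argv) > 1:
        print(report(read_namespaces(os.getpid()), read_namespaces(sys.argv[1])))
    else:
        print(report(HOST_SHELL, SANDBOXED))
```

A namespace type listed as shared (the network namespace in the sample) means the process still sees that host resource, so the report shows at a glance what a given sandbox does and does not wall off.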

Website: firejail.wordpress.com, Firetools
Support: GitHub Code Repository
Developer: netblue30 and contributors
License: GNU General Public License v2


All the essential tools in this series:

Essential System Tools
ps_mem: Accurate reporting of software's memory consumption
gtop: System monitoring dashboard
pet: Simple command-line snippet manager
Alacritty: Innovative, hardware-accelerated terminal emulator
inxi: Command-line system information tool that's a time-saver for everyone
BleachBit: System cleaning software. Quick and easy way to service your computer
catfish: Versatile file searching software
journalctl: Query and display messages from the journal
Nmap: Network security tool that builds a "map" of the network
ddrescue: Data recovery tool, retrieving data from failing drives as safely as possible
Neofetch: System information tool written in Bash
Timeshift: Similar to Windows' System Restore functionality, Time Machine Tool in Mac OS
GParted: Resize, copy, and move partitions without data
Clonezilla: Partition and disk cloning software
fdupes: Find or delete duplicate files
Krusader: Advanced, twin-panel (commander-style) file manager
nmon: Systems administrator, tuner, and benchmark tool
f3: Detect and fix counterfeit flash storage
QJournalctl: Graphical User Interface for systemd’s journalctl
QDirStat: Qt-based directory statistics
Firejail: Restrict the running environment of untrusted applications
VeraCrypt: Strong disk encryption software
Unison: Console and graphical file synchronization software
hyperfine: Command-line benchmarking tool
TLP: Must-have tool for anyone running Linux on a notebook
nnn: Portable terminal file manager that's amazingly frugal
Glances: Cross-platform system monitoring tool written in Python
CPU-X: System profiler with both a GUI and text-based
Ventoy: Create bootable USB drive for ISO/WIM/IMG/VHD(x)/EFI files
Fail2ban: Ban hosts that cause multiple authentication errors