Securing a Linux Laptop for Cyber Essentials
This document provides steps to help secure a Linux laptop to meet the Cyber Essentials requirement.
Installing your Linux OS
You should install your Linux OS with the following features:
- Secure Boot enabled
- All file-systems encrypted
- Auto-login disabled
You must also:
- Create a user account for yourself with a secure password
- Install all the latest OS updates once your install has completed
Setting up your user account
To secure your user account, you must:
- Set a secure, unique password — see Password Recommendations for details
- Enable automatic screen locking for your Linux desktop environment
- Require that unlocking the device requires either a password, PIN or biometric authentication
- Use
sudoto elevate privileges
Installing ClamAV as Anti-malware Protection
To use ClamAV as your anti-malware protection, you need to install the following components:
clamav— ClamAV softwarefreshclam— Freshclam, the ClamAV auto updater
These can be installed as follows:
On Ubuntu:
sudo apt install clamav clamav-freshclam
On Fedora:
sudo dnf install clamav clamav-freshclam
On Fedora Silverblue:
rpm-ostree install clamav clamav-freshclam
Once installed, start and enable the updater services with:
sudo systemctl enable --now clamav-freshclam
And schedule regular filesystem scans by adding the following cron task using crontab -e:
30 12 * * * mkdir -p ${HOME}/.infected && /usr/bin/clamscan -r --move=${HOME}/.infected /home/
Installing Firewalld as a Firewall
A widely available and used firewall on Linux is firewalld. On a lot of systems it is installed and configured as standard. To check it is installed and running:
systemctl status firewalld
If it reports enabled and active then you have the appropriate level of protection.
If it's missing, you can install it with:
On Ubuntu:
sudo apt install firewalld
Then enable and start it with:
sudo systemctl enable --now firewalld
Training last reviewed: 07/05/2025
Training last reviewed by: Matt Dean