Linux Foundation's security checklist can help sysadmins harden workstations
Konstantin Ryabitsev, the Foundation's director of collaborative IT services, published the security checklist that the organization uses to harden the laptops of its remote sysadmins against attacks.
The recommendations aim to balance security decisions with usability and are accompanied by explanations of why they were considered. They also have different severity levels: critical, moderate, low and paranoid.
Critical recommendations are those whose implementation should be considered a must-do. They include things like enabling SecureBoot to prevent rootkits or "Evil Maid" attacks, and choosing a Linux distribution that supports native full disk encryption, has timely security updates, provides cryptographic verification of packages and supports Mandatory Access Control (MAC) or Role-Based Access Control (RBAC) mechanisms like SELinux, AppArmor or Grsecurity.
Other critical recommendations include making sure the swap partition is also encrypted, requiring a password to edit the bootloader, setting up a robust root password and using an unprivileged account with a separate password for regular operations. The critical checklist also advises disabling hardware modules with direct full memory access like Firewire or Thunderbolt, filtering all incoming ports and setting up an encrypted backup routine to external storage.
Protecting passwords and cryptographic keys like those used to authenticate over SSH is extremely important, because they are some of the most sought after pieces of information by hackers. The Linux Foundation's recommendations include using a password manager, choosing unique passwords for different websites and protecting private keys with strong passphrases.
Recommendations flagged as paranoid are those that have significant security benefits, but which might take some effort to implement or understand. They include running an intrusion detection system and using separate password managers for websites and other types of accounts.
There are many other tips flagged as moderate or low severity that should definitely be considered as well, such as automatic OS updates, disabling the SSH server on the workstation, storing authentication, signing and encryption keys on smartcard devices and putting PGP master keys on removable storage.
When it comes to Web browsing, one of the most common and risky operations that users engage in, the Linux Foundation recommends the use of two separate browsers: Mozilla Firefox with the NoScript, Privacy Badger, HTTPS Everywhere and Certificate Patrol add-ons for work-related sites, and Google Chrome with Privacy Badger and HTTPS Everywhere for everything else.
Following the security tips in the Foundation's document is by no means a guarantee that the system will not get compromised, but it would certainly make the job much harder for attackers.
"Security is just like driving on the highway -- anyone going slower than you is an idiot, while anyone driving faster than you is a crazy person," Ryabitsev said in the document's introduction. "These guidelines are merely a basic set of core safety rules that is neither exhaustive, nor a replacement for experience, vigilance, and common sense."