Menu
Linux Foundation's security checklist can help sysadmins harden workstations

Linux Foundation's security checklist can help sysadmins harden workstations

The group has published a new list of recommendations that range from moderate to paranoid

If you're a Linux user, especially a systems administrator, the Linux Foundation has some security tips to share with you, and they're quite good.

Konstantin Ryabitsev, the Foundation's director of collaborative IT services, published the security checklist that the organization uses to harden the laptops of its remote sysadmins against attacks.

The recommendations aim to balance security decisions with usability and are accompanied by explanations of why they were considered. They also have different severity levels: critical, moderate, low and paranoid.

Critical recommendations are those whose implementation should be considered a must-do. They include things like enabling SecureBoot to prevent rootkits or "Evil Maid" attacks, and choosing a Linux distribution that supports native full disk encryption, has timely security updates, provides cryptographic verification of packages and supports Mandatory Access Control (MAC) or Role-Based Access Control (RBAC) mechanisms like SELinux, AppArmor or Grsecurity.

Other critical recommendations include making sure the swap partition is also encrypted, requiring a password to edit the bootloader, setting up a robust root password and using an unprivileged account with a separate password for regular operations. The critical checklist also advises disabling hardware modules with direct full memory access like Firewire or Thunderbolt, filtering all incoming ports and setting up an encrypted backup routine to external storage.

Protecting passwords and cryptographic keys like those used to authenticate over SSH is extremely important, because they are some of the most sought after pieces of information by hackers. The Linux Foundation's recommendations include using a password manager, choosing unique passwords for different websites and protecting private keys with strong passphrases.

Recommendations flagged as paranoid are those that have significant security benefits, but which might take some effort to implement or understand. They include running an intrusion detection system and using separate password managers for websites and other types of accounts.

There are many other tips flagged as moderate or low severity that should definitely be considered as well, such as automatic OS updates, disabling the SSH server on the workstation, storing authentication, signing and encryption keys on smartcard devices and putting PGP master keys on removable storage.

When it comes to Web browsing, one of the most common and risky operations that users engage in, the Linux Foundation recommends the use of two separate browsers: Mozilla Firefox with the NoScript, Privacy Badger, HTTPS Everywhere and Certificate Patrol add-ons for work-related sites, and Google Chrome with Privacy Badger and HTTPS Everywhere for everything else.

Following the security tips in the Foundation's document is by no means a guarantee that the system will not get compromised, but it would certainly make the job much harder for attackers.

"Security is just like driving on the highway -- anyone going slower than you is an idiot, while anyone driving faster than you is a crazy person," Ryabitsev said in the document's introduction. "These guidelines are merely a basic set of core safety rules that is neither exhaustive, nor a replacement for experience, vigilance, and common sense."

Subscribe here for up-to-date channel news

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

​Ingram Micro’s Hooked on Lenovo incentive programme recently rewarded 28 of New Zealand's top performing resellers with a full-on fishing trip at Great Barrier Island for the third year​ in a row.

Tight lines as Hooked on Lenovo catches up at Great Barrier Island
Inside the AWS Summit in Sydney

Inside the AWS Summit in Sydney

As the dust settles on the 2017 AWS Summit in Sydney, ARN looks back an action packed two-day event, covering global keynote presentations, 80 breakout sessions on the latest technology solutions, and channel focused tracks involving local cloud stories and insights.

Inside the AWS Summit in Sydney
Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Ingram Micro hosted its third annual Cure Kids Charity Golf Tournament at the North Shore Golf Club in Auckland. In total, 131 resellers, vendors and Ingram Micro suppliers enjoyed a round of golf consisting of challenges on each of the 18 sponsored holes, with Team Philips taking out the top honours.

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day
Show Comments