itpol/workstation-security.md

# Workstation security checklist

## Hardware considerations

- [CRITICAL] Has a TPM chip
- [CRITICAL] Supports SecureBoot
- [MODERATE] Has no firewire ports
- [MODERATE] Has no PCMCIA ports

## Pre-boot environment
- [CRITICAL] UEFI boot mode is used (not legacy BIOS)
- [CRITICAL] Password is required to enter UEFI configuration mode
- [CRITICAL] Password is required to initiate boot
- [CRITICAL] SecureBoot is enabled

## Distro choice considerations
- [CRITICAL] Has a robust MAC/RBAC implementation (SELinux/AppArmor/GrSecurity)
- [CRITICAL] Publishes security bulletins
- [CRITICAL] Provides timely security patches
- [CRITICAL] Provides cryptographic verification of packages
- [CRITICAL] Supports TrustedBoot
- [CRITICAL] Has robust full disk encryption support (LUKS)

## Distro installation guidelines
- [CRITICAL] Use full-disk encryption on LVM level
- [CRITICAL] Make sure swap is also encrypted
- [CRITICAL] Set up a unique, robust root password
- [CRITICAL] Use an unprivileged account, part of administrators group (sudo)
- [CRITICAL] Set up a robust user-account password, different from root

## Post-installation hardening
- [CRITICAL] Globally disable firewire modules
             ("blacklist firewire-core" in /etc/modprobe.d/bl-firewire.conf)
- [MODERATE] Check your firewalls to ensure all incoming ports are filtered
- [MODERATE] Check to ensure sshd service is disabled by default
- [MODERATE] Set up an automatic OS update schedule, or update reminders
             (most distros will notify when updates are available)

## Personal workstation backups

## Best practices

### SELinux

- [CRITICAL] Make sure SELinux is enforcing on your workstation
- [CRITICAL] Never `setenforce 0`, use `semanage permissive -a somedomain_t`
- [CRITICAL] Never blindly run `audit2allow`, always check
- [MODERATE] Switch your account to SELinux user `staff_u` (use `usermod -Z`)

### Browsing
- [MODERATE] Use two different browsers, one for work sites only, the other
             for everything else
- [PARANOID] Run the "everything else" browser as a different user
- [PARANOID+] Run the "everthing else" browser inside a local VM accessed
              via RDP.
Initial addition of workstation-security 2015-07-22 09:19:04 +12:00			`# Workstation security checklist`

			`## Hardware considerations`

			`- [CRITICAL] Has a TPM chip`
			`- [CRITICAL] Supports SecureBoot`
			`- [MODERATE] Has no firewire ports`
			`- [MODERATE] Has no PCMCIA ports`

			`## Pre-boot environment`
			`- [CRITICAL] UEFI boot mode is used (not legacy BIOS)`
			`- [CRITICAL] Password is required to enter UEFI configuration mode`
			`- [CRITICAL] Password is required to initiate boot`
			`- [CRITICAL] SecureBoot is enabled`

			`## Distro choice considerations`
			`- [CRITICAL] Has a robust MAC/RBAC implementation (SELinux/AppArmor/GrSecurity)`
			`- [CRITICAL] Publishes security bulletins`
Day's work 2015-07-30 09:12:08 +12:00			`- [CRITICAL] Provides timely security patches`
			`- [CRITICAL] Provides cryptographic verification of packages`
Initial addition of workstation-security 2015-07-22 09:19:04 +12:00			`- [CRITICAL] Supports TrustedBoot`
			`- [CRITICAL] Has robust full disk encryption support (LUKS)`

			`## Distro installation guidelines`
Day's work 2015-07-30 09:12:08 +12:00			`- [CRITICAL] Use full-disk encryption on LVM level`
			`- [CRITICAL] Make sure swap is also encrypted`
			`- [CRITICAL] Set up a unique, robust root password`
			`- [CRITICAL] Use an unprivileged account, part of administrators group (sudo)`
			`- [CRITICAL] Set up a robust user-account password, different from root`

			`## Post-installation hardening`
			`- [CRITICAL] Globally disable firewire modules`
			`("blacklist firewire-core" in /etc/modprobe.d/bl-firewire.conf)`
			`- [MODERATE] Check your firewalls to ensure all incoming ports are filtered`
			`- [MODERATE] Check to ensure sshd service is disabled by default`
			`- [MODERATE] Set up an automatic OS update schedule, or update reminders`
			`(most distros will notify when updates are available)`

			`## Personal workstation backups`

			`## Best practices`

			`### SELinux`

			`- [CRITICAL] Make sure SELinux is enforcing on your workstation`
			- [CRITICAL] Never `setenforce 0`, use `semanage permissive -a somedomain_t`
			- [CRITICAL] Never blindly run `audit2allow`, always check
			- [MODERATE] Switch your account to SELinux user `staff_u` (use `usermod -Z`)

			`### Browsing`
			`- [MODERATE] Use two different browsers, one for work sites only, the other`
			`for everything else`
			`- [PARANOID] Run the "everything else" browser as a different user`
			`- [PARANOID+] Run the "everthing else" browser inside a local VM accessed`
			`via RDP.`
Initial addition of workstation-security 2015-07-22 09:19:04 +12:00