2015-07-22 09:19:04 +12:00

# Workstation security checklist

## Hardware considerations

- [CRITICAL] Has a TPM chip
- [CRITICAL] Supports SecureBoot
- [MODERATE] Has no firewire ports
- [MODERATE] Has no PCMCIA ports

## Pre-boot environment

- [CRITICAL] UEFI boot mode is used (not legacy BIOS)
- [CRITICAL] Password is required to enter UEFI configuration mode
- [CRITICAL] Password is required to initiate boot
- [CRITICAL] SecureBoot is enabled

## Distro choice considerations

- [CRITICAL] Has a robust MAC/RBAC implementation (SELinux/AppArmor/GrSecurity)
- [CRITICAL] Publishes security bulletins
- [CRITICAL] Provides timely security patches
- [CRITICAL] Provides cryptographic verification of packages
- [CRITICAL] Supports TrustedBoot
- [CRITICAL] Has robust full disk encryption support (LUKS)

## Distro installation guidelines

- [CRITICAL] Use full-disk encryption at the LVM level
- [CRITICAL] Make sure swap is also encrypted
- [CRITICAL] Set up a unique, robust root password
- [CRITICAL] Use an unprivileged account, part of administrators group (sudo)
- [CRITICAL] Set up a robust user-account password, different from root

## Post-installation hardening

- [CRITICAL] Globally disable firewire modules
  ("blacklist firewire-core" in /etc/modprobe.d/bl-firewire.conf)
- [MODERATE] Check your firewalls to ensure all incoming ports are filtered
- [MODERATE] Check to ensure sshd service is disabled by default
- [MODERATE] Set up an automatic OS update schedule, or update reminders
  (most distros will notify when updates are available)

## Personal workstation backups

## Best practices

### SELinux

- [CRITICAL] Make sure SELinux is enforcing on your workstation
- [CRITICAL] Never `setenforce 0`, use `semanage permissive -a somedomain_t`
- [CRITICAL] Never blindly run `audit2allow`, always check
- [MODERATE] Switch your account to SELinux user `staff_u` (use `usermod -Z`)
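
The script below is an added example, not part of the original checklist. It checks three items from this page: the `firewire-core` blacklist, sshd not being enabled at boot, and SELinux enforcing. It assumes a systemd-based distro; the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit three checklist items. Every helper takes the path to
# inspect, so it works on the live system or on a constructed fixture tree.

# True if a modprobe.d *.conf file blacklists firewire-core. modprobe treats
# "-" and "_" alike. Caveat: "blacklist" only stops alias-based autoloading;
# an explicit "modprobe firewire-core" still loads the module.
firewire_blacklisted() {
    dir=${1:-/etc/modprobe.d}
    grep -Eqs '^[[:space:]]*blacklist[[:space:]]+firewire[-_]core([[:space:]]|$)' \
        "$dir"/*.conf
}

# True if a systemd enablement symlink exists for the SSH daemon or its
# socket (assumed unit names: sshd on Fedora/RHEL, ssh on Debian/Ubuntu).
sshd_enabled() {
    dir=${1:-/etc/systemd/system}
    for unit in sshd.service ssh.service sshd.socket ssh.socket; do
        for link in "$dir"/*.wants/"$unit"; do
            # -L also catches links whose target does not exist
            if [ -e "$link" ] || [ -L "$link" ]; then return 0; fi
        done
    done
    return 1
}

# True only if the kernel is enforcing right now (catches a forgotten
# "setenforce 0") and the boot-time config also says enforcing.
selinux_enforcing() {
    runtime=${1:-/sys/fs/selinux/enforce}
    config=${2:-/etc/selinux/config}
    [ "$(cat "$runtime" 2>/dev/null)" = "1" ] &&
        grep -Eqs '^[[:space:]]*SELINUX=enforcing[[:space:]]*$' "$config"
}

# Run all three checks under an optional root prefix (empty = live system);
# prints one line per failure and returns non-zero if anything failed.
audit_workstation() {
    root=${1:-}
    fails=0
    firewire_blacklisted "$root/etc/modprobe.d" ||
        { echo "FAIL: firewire-core is not blacklisted"; fails=$((fails + 1)); }
    if sshd_enabled "$root/etc/systemd/system"; then
        echo "FAIL: sshd is enabled at boot"; fails=$((fails + 1))
    fi
    selinux_enforcing "$root/sys/fs/selinux/enforce" "$root/etc/selinux/config" ||
        { echo "FAIL: SELinux is not enforcing"; fails=$((fails + 1)); }
    echo "$fails check(s) failed"
    [ "$fails" -eq 0 ]
}
```

Source the file and call `audit_workstation` with no argument to check the running system; the firewall item is not covered because it depends on which firewall front end the distro ships.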

### Browsing

- [MODERATE] Use two different browsers, one for work sites only, the other
  for everything else
- [PARANOID] Run the "everything else" browser as a different user
- [PARANOID+] Run the "everything else" browser inside a local VM accessed
  via RDP.