diff --git a/CHANGELOG.md b/CHANGELOG.md index fcc0dcf..62c353b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,17 @@ +# 2017-12-15 +## Linux workstation security +- Remove detailed SELinux instrusctions +- Remove GrSecurity recommendation, as it's not available without subscription +- Change NoScript to uMatrix recommendation +- Add some Firejail usage quickies + +## Protecting code integrity with PGP +- Add whole new doc on PGP and its use with Git. It is aimed at free software + developers and should be used alongside with the workstation security doc. + +## Trusted team communication +- A fairly major rewrite in the works... + # 2017-01-23 ## Linux workstation security checklist diff --git a/linux-workstation-security.md b/linux-workstation-security.md index a496e87..22d3361 100644 --- a/linux-workstation-security.md +++ b/linux-workstation-security.md @@ -1,6 +1,6 @@ # Linux workstation security checklist -Updated: 2017-11-15 +Updated: 2017-12-15 ### Target audience @@ -122,10 +122,12 @@ considered potentially vulnerable, especially if it has not received manufacturer firmware updates. There are [some laptop manufacturers][27] that have started providing systems -with the Intel ME chip disabled, and it may be possible to manually disable -the IME by using a tool such as [me_cleaner][25], though you should be mindful -that it is an involved process and that disabling the IME may void the -manufacturer support warranty (or even be against your employer policy). +with a lot of IME functionality disabled (it is not possible to disable the +chip completely, as it would likely render the system unbootable). It is also +possible to use a tool such as [me_cleaner][25] to significantly reduce the +chip functionality on your own. You should be mindful that it is an involved +process, and that disabling the IME may void the manufacturer support warranty +(or even be against your employer policy). ## Pre-boot environment 
@@ -561,12 +563,6 @@ this browser for accessing any other sites except select few. You should install the following Firefox add-ons: -- [ ] NoScript _(ESSENTIAL)_ - - NoScript prevents active content from loading, except from user - whitelisted domains. It is a great hassle to use with your default browser - (though offers really good security benefits), so we recommend only - enabling it on the browser you use to access work-related sites. - - [ ] Privacy Badger _(ESSENTIAL)_ - EFF's Privacy Badger will prevent most external trackers and ad platforms from being loaded, which will help avoid compromises on these tracking @@ -579,15 +575,13 @@ You should install the following Firefox add-ons: over a secure connection, even if a link you click is using http:// (great to avoid a number of attacks, such as [SSL-strip][7]). -- [ ] Certificate Patrol _(NICE)_ - - This tool will alert you if the site you're accessing has recently changed - their TLS certificates -- especially if it wasn't nearing expiration dates - or if it is now using a different certification authority. It helps - alert you if someone is trying to man-in-the-middle your connection, - but generates a lot of benign false-positives. - -You should leave Firefox as your default browser for opening links, as -NoScript will prevent most active content from loading or executing. +- [ ] uMatrix _(NICE)_ + - uMatrix prevents active content from third-party locations from being + loaded and executed. It is a hassle to use with your default browser + (though offers really good security benefits), so we recommend only + enabling it on the browser you use to access work-related sites. + Here's a [Video Overview](https://www.youtube.com/watch?v=TVozpo3zUBk) of + uMatrix. ##### Chrome/Chromium for everything else 
@@ -600,8 +594,9 @@ the usual paranoid caution about not using it for anything you don't want Google to know about). It is recommended that you install **Privacy Badger** and **HTTPS Everywhere** -extensions in Chrome as well and give it a distinct theme from Firefox to -indicate that this is your "untrusted sites" browser. +extensions in Chrome (and uMatrix, too, if you're comfortable with it), as +well and give it a distinct theme from Firefox to indicate that this is your +"untrusted sites" browser. #### 2: Use firejail _(ESSENTIAL)_ @@ -618,6 +613,16 @@ documentation provided by the project: - [Firefox Sandboxing Guide][20] +Most frequently, you'll just want to pass a `--private=directory` switch to +separate your browsing profiles. You can create convenient aliases and add +them to your `.bashrc`: + + alias ff-perso="firejail --private=$HOME/.firejail/personal firefox -no-remote" + alias ff-work="firejail --private=$HOME/.firejail/work firefox -no-remote" + +Any downloaded files will be located in `~/.firejail/[name]/Downloads`. To +upload files, you'll need to move them into that subdirectory first. + #### 3: Fully separate your work and play environments via virtualization _(PARANOID)_ See [QubesOS project][3], which strives to provide a "reasonably secure" 
@@ -717,31 +722,9 @@ to ensure that your private keys are well protected against theft. #### Considerations -The best way to prevent private key theft is to use a smartcard to store your -encryption private keys and never copy them onto the workstation. There are -several manufacturers that offer OpenPGP capable devices: - -- [Kernel Concepts][12], where you can purchase both the OpenPGP compatible - smartcards and the USB readers, should you need one. -- [Yubikey][13], which offers OpenPGP smartcard functionality in addition - to many other cool features (U2F, PIV, HOTP, etc). -- [NitroKey][21], which is based on open-source software and hardware - -It is also important to make sure that the master PGP key is not stored on the -main workstation, and only subkeys are used. The master key will only be -needed when signing someone else's keys or creating new subkeys -- operations -which do not happen very frequently. You may follow [the Debian's subkeys][14] -guide to learn how to move your master key to removable storage and how to -create subkeys. - -You should then configure your gnupg agent to act as ssh agent and use the -smartcard-based PGP Auth key to act as your ssh private key. We publish a -[detailed guide][15] on how to do that using either a smartcard reader or a -Yubikey NEO. - -If you are not willing to go that far, at least make sure you have a strong -passphrase on both your PGP private key and your SSH private key, which will -make it harder for attackers to steal and use them. +Please see the "Protecting Code Integrity with PGP" document available in the +same repository for introduction to PGP best practices and instructions on how +to set up and use offline master and smartcard subkeys. ### Hibernate or shut down, do not suspend diff --git a/protecting-code-integrity.md b/protecting-code-integrity.md index d69b7da..b899148 100644 --- a/protecting-code-integrity.md +++ b/protecting-code-integrity.md 
@@ -693,14 +693,14 @@ features on the internal chip. Here are a few recommendations: but with fewest extra security features - [Nitrokey Pro](https://shop.nitrokey.com/shop/product/nitrokey-pro-3): Similar to the Nitrokey Start, but is tamper-resistant and offers more - security features (see the U2F section of the guide) + security features (but not U2F, see the Fido U2F section of the guide) - [Yubikey 4](https://www.yubico.com/product/yubikey-4-series/): Proprietary hardware and software, but cheaper than Nitrokey Pro and comes available in the USB-C form that is more useful with newer laptops; also offers additional security features such as U2F Our recommendation is to pick a device that is capable of both smartcard -functionality and U2F, which means either a Nitrokey Pro, or a Yubikey 4. +functionality and U2F, which, at the time of writing, means a Yubikey 4. #### Configuring your smartcard device 
@@ -1236,7 +1236,107 @@ keyservers, should you need to grant them ssh-based access to anything: This can come in super handy if you need to allow developers access to git repositories over ssh. -## TODO: Tarball release signatures +## Protecting online accounts + +### Checklist + +- [ ] Get a U2F-capable device _(ESSENTIAL)_ +- [ ] Enable 2-factor authentication for your online accounts _(ESSENTIAL)_ + - [ ] GitHub/GitLab + - [ ] Google + - [ ] Social Media +- [ ] Use U2F as primary mechanism, with TOTP as fallback _(ESSENTIAL)_ + +### Considerations + +You may have noticed how a lot of your online developer identity is tied to +your email address. If someone can gain access to your mailbox, they would be +able to do a lot of damage to you personally, and to your reputation as a free +software developer. Protecting your email accounts is just as important as +protecting your PGP keys. + +#### Two-factor authentication with Fido U2F + +[Two-factor +authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) is +a mechanism to improve account security by requiring a physical token in +addition to a username and password. The goal is to make sure that even if +someone steals your password (via keylogging, shoulder surfing, or other +means), they still wouldn't be able to gain access to your account without +having in their possession a specific pre-configured physical device. + +The most widely known mechanisms for 2-factor authentication are: + +- SMS-based verification +- Time-based One-Time Passwords (TOTP) via a smartphone app +- Hardware tokens supporting Fido U2F + +SMS-based verification is easiest to configure, but has the following +important downsides: it is useless in areas without signal (e.g. building +basements), and can be defeated if the attacker is able to intercept or divert +SMS messages. 
+ +TOTP-based multi-factor authentication offers more protection than SMS, but +has important scaling hurdles (there's only so many tokens you can add to your +smartphone app before finding the correct one becomes wearisome). Plus, +there's no avoiding the fact that your secret key ends up stored on the +smartphone itself, which is a complex, globally connected device with a very +poor record of timely patching by the vendors. + +Most importantly, neither TOTP nor SMS methods protect you from phishing +attacks -- if the phisher is able to obtain both your account password and +2-factor token, they can replay them on the legitimate site and gain access to +your account. + +[Fido U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) is a standard +developed specifically to provide a mechanism for 2-factor authentication +*and* combat credential phishing. The U2F protocol will store site +authentication data on the USB token that will prevent you from accidentally +giving an attacker both your password and your one-time token if you try to +use it on anything other than the legitimate website. + +Both Chrome and Firefox support U2F 2-factor authentication, and hopefully +other browsers will soon follow. + +#### Get a token capable of Fido U2F + +There are [many options available](http://www.dongleauth.info/dongles/) for +hardware tokens with Fido U2F support, but if you're already ordering a +smartcard-capable physical token, then your best option is a Yubikey 4, which +supports both. + +#### Enable 2-factor authentication on your online accounts + +You definitely want to enable this option on the email provider you are using +(especially if it is Google, which has excellent support for U2F). Other sites +where this should definitely be considered: + +- GitHub: it probably occurred to you when you uploaded your public key that + if anyone else is able to gain access to your account, they can replace your + key with their own. 
If you publish code on GitHub, you should take care of + your account security by protecting it with U2F-backed authentication. +- GitLab: for the same reasons as above +- Google: if you have a google account, you will be surprised how many places + allow to log in with Google authentication instead of site-backed + credentials. +- Facebook: same as above, a lot of online sites offer the option to + authenticate using a Facebook account. You should protect your Facebook + account even if you do not use it. +- Other sites, as you deem necessary. See + [dongleauth.info](http://www.dongleauth.info) for inspiration. + +#### Configure TOTP failover, if possible + +Many sites will allow you to configure multiple 2-factor mechanisms, and the +recommended option is: + +- U2F token as the primary mechanism +- TOTP phone app as the secondary mechanism + +This way, even if you lose your U2F token, you should be able to gain access +to your account. Alternatively, you can enroll multiple U2F tokens (e.g. +you can get another cheap token that only does U2F and use it for backup +reasons). ## Further reading
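Review bot: typo in the added CHANGELOG line "- Remove detailed SELinux instrusctions" (first hunk, CHANGELOG.md): should read "instructions". In the same hunk, "should be used alongside with the workstation security doc" reads better as "should be used alongside the workstation security doc".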
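Review bot: wording inconsistency in the rewritten IME paragraph (hunk at @@ -122,10 +122,12 @@): the new text states "it is not possible to disable the chip completely", yet the closing sentence still warns that "disabling the IME may void the manufacturer support warranty". Suggest "reducing IME functionality with me_cleaner may void the manufacturer support warranty" so the warning matches the new claim.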
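Review bot: the uMatrix item added in the hunk at @@ -579,15 +575,13 @@ is rated _(NICE)_, while the NoScript item it replaces (removed in the preceding hunk) was _(ESSENTIAL)_, and the removed sentence "You should leave Firefox as your default browser for opening links, as NoScript will prevent most active content from loading or executing" was the only place that told the reader which browser to make the default. Either restate that default-browser guidance in terms of uMatrix or say explicitly that the rating was lowered. Minor: the inline `[Video Overview](https://...)` link breaks the file's reference-style `[text][n]` convention used everywhere else in this diff.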
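Review bot: grammar in the rewritten Chrome sentence (hunk at @@ -600,8 +594,9 @@): "extensions in Chrome (and uMatrix, too, if you're comfortable with it), as well and give it a distinct theme" leaves "as well and" dangling after the parenthetical. Suggest: "install **Privacy Badger** and **HTTPS Everywhere** in Chrome as well (and uMatrix, too, if you're comfortable with it), and give it a distinct theme from Firefox".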
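Review bot: missing setup step for the `--private=directory` aliases (hunk at @@ -618,6 +613,16 @@): firejail refuses to start when the directory given to `--private=` does not exist, so as written the aliases fail until the reader creates `~/.firejail/personal` and `~/.firejail/work`; add a `mkdir -p ~/.firejail/personal ~/.firejail/work` line before the alias block. Also, because `$HOME` sits inside double quotes, it is expanded when `.bashrc` is sourced rather than when the alias runs; harmless here, but worth a one-line comment since the text presents this as a copy-paste recipe.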
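Review bot: the replacement text in the hunk at @@ -717,31 +722,9 @@ ("Please see the "Protecting Code Integrity with PGP" document available in the same repository") should be a relative link to `protecting-code-integrity.md`, the file this same patch edits, so readers can follow it. The removed paragraphs were also the only users of link references [12], [13], [14], [15] and [21]; check whether those definitions at the bottom of the file are now orphaned and prune them. Minor: "for introduction to PGP best practices" reads better as "for an introduction to PGP best practices".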
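Review bot: punctuation in the Nitrokey Pro bullet (hunk at @@ -693,14 +693,14 @@): "(but not U2F, see the Fido U2F section of the guide)" should use a semicolon or be split, e.g. "(but not U2F; see the Fido U2F section below)". Since the recommendation sentence now names a single vendor ("means a Yubikey 4"), consider saying in the same sentence that this is because of U2F availability, given that the bullet list directly above still lists the Nitrokey Pro as a good smartcard choice.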
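Review bot: the phishing-resistance explanation in the new "Protecting online accounts" section (hunk at @@ -1236,7 +1236,107 @@) misstates the mechanism: "The U2F protocol will store site authentication data on the USB token that will prevent you from accidentally giving an attacker both your password and your one-time token" suggests the token remembers the site, whereas the protection comes from the browser passing the site's origin to the token and the token signing over it, so a response produced for a look-alike domain is rejected by the legitimate site. Suggest rewording along those lines. Related: the opening definition "requiring a physical token in addition to a username and password" conflicts with the list that follows it (SMS and TOTP need no physical token); "a second proof of identity, such as a code or a physical token" would cover all three. The sentence "Both Chrome and Firefox support U2F 2-factor authentication" should note that, at the time of this changelog, Firefox ships U2F disabled behind the `security.webauth.u2f` preference in about:config. Also, the hunk deletes the "## TODO: Tarball release signatures" heading without replacing it; confirm that dropping the TODO is intentional rather than keeping it below the new section. Minor grammar: "allow to log in with Google authentication" should be "allow you to log in", "a google account" should be "a Google account", and the checklist item "Use U2F as primary mechanism, with TOTP as fallback _(ESSENTIAL)_" sits oddly against the later heading "Configure TOTP failover, if possible".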