Add U2F section and tweak wks-security doc
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
This commit is contained in:
parent
34233e9d81
commit
3148a35dda
14
CHANGELOG.md
|
@ -1,3 +1,17 @@
|
||||||
|
# 2017-12-15
|
||||||
|
## Linux workstation security
|
||||||
|
- Remove detailed SELinux instrusctions
|
||||||
|
- Remove GrSecurity recommendation, as it's not available without subscription
|
||||||
|
- Change NoScript to uMatrix recommendation
|
||||||
|
- Add some Firejail usage quickies
|
||||||
|
|
||||||
|
## Protecting code integrity with PGP
|
||||||
|
- Add whole new doc on PGP and its use with Git. It is aimed at free software
|
||||||
|
developers and should be used alongside with the workstation security doc.
|
||||||
|
|
||||||
|
## Trusted team communication
|
||||||
|
- A fairly major rewrite in the works...
|
||||||
|
|
||||||
# 2017-01-23
|
# 2017-01-23
|
||||||
## Linux workstation security checklist
|
## Linux workstation security checklist
|
||||||
|
|
||||||
|
|
|
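Review bot: typo in the added changelog line `- Remove detailed SELinux instrusctions`: `instrusctions` should be `instructions`, and `should be used alongside with the workstation security doc` reads better as `should be used alongside the workstation security doc`. The "Protecting code integrity with PGP" entry also does not record the new "Protecting online accounts" / Fido U2F section that this same commit adds to that doc (the commit title is "Add U2F section"), nor the removal of the Certificate Patrol recommendation from the workstation doc; both are user-visible changes worth a bullet.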
@ -1,6 +1,6 @@
|
||||||
# Linux workstation security checklist
|
# Linux workstation security checklist
|
||||||
|
|
||||||
Updated: 2017-11-15
|
Updated: 2017-12-15
|
||||||
|
|
||||||
### Target audience
|
### Target audience
|
||||||
|
|
||||||
|
@ -122,10 +122,12 @@ considered potentially vulnerable, especially if it has not received
|
||||||
manufacturer firmware updates.
|
manufacturer firmware updates.
|
||||||
|
|
||||||
There are [some laptop manufacturers][27] that have started providing systems
|
There are [some laptop manufacturers][27] that have started providing systems
|
||||||
with the Intel ME chip disabled, and it may be possible to manually disable
|
with a lot of IME functionality disabled (it is not possible to disable the
|
||||||
the IME by using a tool such as [me_cleaner][25], though you should be mindful
|
chip completely, as it would likely render the system unbootable). It is also
|
||||||
that it is an involved process and that disabling the IME may void the
|
possible to use a tool such as [me_cleaner][25] to significantly reduce the
|
||||||
manufacturer support warranty (or even be against your employer policy).
|
chip functionality on your own. You should be mindful that it is an involved
|
||||||
|
process, and that disabling the IME may void the manufacturer support warranty
|
||||||
|
(or even be against your employer policy).
|
||||||
|
|
||||||
## Pre-boot environment
|
## Pre-boot environment
|
||||||
|
|
||||||
|
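Review bot: the rewritten paragraph is internally inconsistent: it now says the chip cannot be disabled completely (doing so "would likely render the system unbootable"), yet the closing sentence still reads `disabling the IME may void the manufacturer support warranty`. Suggest `modifying the IME firmware with me_cleaner may void the manufacturer support warranty (or even be against your employer policy)`. `with a lot of IME functionality disabled` is also vague; since the next sentence says me_cleaner can `significantly reduce the chip functionality`, `with most IME functionality disabled` would match and be clearer.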
@ -561,12 +563,6 @@ this browser for accessing any other sites except select few.
|
||||||
|
|
||||||
You should install the following Firefox add-ons:
|
You should install the following Firefox add-ons:
|
||||||
|
|
||||||
- [ ] NoScript _(ESSENTIAL)_
|
|
||||||
- NoScript prevents active content from loading, except from user
|
|
||||||
whitelisted domains. It is a great hassle to use with your default browser
|
|
||||||
(though offers really good security benefits), so we recommend only
|
|
||||||
enabling it on the browser you use to access work-related sites.
|
|
||||||
|
|
||||||
- [ ] Privacy Badger _(ESSENTIAL)_
|
- [ ] Privacy Badger _(ESSENTIAL)_
|
||||||
- EFF's Privacy Badger will prevent most external trackers and ad platforms
|
- EFF's Privacy Badger will prevent most external trackers and ad platforms
|
||||||
from being loaded, which will help avoid compromises on these tracking
|
from being loaded, which will help avoid compromises on these tracking
|
||||||
|
@ -579,15 +575,13 @@ You should install the following Firefox add-ons:
|
||||||
over a secure connection, even if a link you click is using http:// (great
|
over a secure connection, even if a link you click is using http:// (great
|
||||||
to avoid a number of attacks, such as [SSL-strip][7]).
|
to avoid a number of attacks, such as [SSL-strip][7]).
|
||||||
|
|
||||||
- [ ] Certificate Patrol _(NICE)_
|
- [ ] uMatrix _(NICE)_
|
||||||
- This tool will alert you if the site you're accessing has recently changed
|
- uMatrix prevents active content from third-party locations from being
|
||||||
their TLS certificates -- especially if it wasn't nearing expiration dates
|
loaded and executed. It is a hassle to use with your default browser
|
||||||
or if it is now using a different certification authority. It helps
|
(though offers really good security benefits), so we recommend only
|
||||||
alert you if someone is trying to man-in-the-middle your connection,
|
enabling it on the browser you use to access work-related sites.
|
||||||
but generates a lot of benign false-positives.
|
Here's a [Video Overview](https://www.youtube.com/watch?v=TVozpo3zUBk) of
|
||||||
|
uMatrix.
|
||||||
You should leave Firefox as your default browser for opening links, as
|
|
||||||
NoScript will prevent most active content from loading or executing.
|
|
||||||
|
|
||||||
##### Chrome/Chromium for everything else
|
##### Chrome/Chromium for everything else
|
||||||
|
|
||||||
|
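Review bot: the removed old-side lines `You should leave Firefox as your default browser for opening links, as NoScript will prevent most active content from loading or executing.` have no replacement, so after this change the document no longer says which browser should be the default handler for links; either restore that sentence with uMatrix in place of NoScript, or state that the advice was dropped on purpose. Two smaller points: NoScript was rated _(ESSENTIAL)_ while its replacement uMatrix is rated _(NICE)_ even though the accompanying text gives it the same "enable it on the browser you use to access work-related sites" role, so the rating looks like a leftover from the Certificate Patrol entry that occupied this slot; and the Certificate Patrol removal is silent in the CHANGELOG hunk, which only records `Change NoScript to uMatrix recommendation`.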
@ -600,8 +594,9 @@ the usual paranoid caution about not using it for anything you don't want
|
||||||
Google to know about).
|
Google to know about).
|
||||||
|
|
||||||
It is recommended that you install **Privacy Badger** and **HTTPS Everywhere**
|
It is recommended that you install **Privacy Badger** and **HTTPS Everywhere**
|
||||||
extensions in Chrome as well and give it a distinct theme from Firefox to
|
extensions in Chrome (and uMatrix, too, if you're comfortable with it), as
|
||||||
indicate that this is your "untrusted sites" browser.
|
well and give it a distinct theme from Firefox to indicate that this is your
|
||||||
|
"untrusted sites" browser.
|
||||||
|
|
||||||
#### 2: Use firejail _(ESSENTIAL)_
|
#### 2: Use firejail _(ESSENTIAL)_
|
||||||
|
|
||||||
|
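Review bot: `extensions in Chrome (and uMatrix, too, if you're comfortable with it), as well and give it a distinct theme` doubles up `too` and `as well`; suggest `extensions in Chrome as well (and uMatrix, if you're comfortable with it), and give it a distinct theme from Firefox to indicate that this is your "untrusted sites" browser.`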
@ -618,6 +613,16 @@ documentation provided by the project:
|
||||||
|
|
||||||
- [Firefox Sandboxing Guide][20]
|
- [Firefox Sandboxing Guide][20]
|
||||||
|
|
||||||
|
Most frequently, you'll just want to pass a `--private=directory` switch to
|
||||||
|
separate your browsing profiles. You can create convenient aliases and add
|
||||||
|
them to your `.bashrc`:
|
||||||
|
|
||||||
|
alias ff-perso="firejail --private=$HOME/.firejail/personal firefox -no-remote"
|
||||||
|
alias ff-work="firejail --private=$HOME/.firejail/work firefox -no-remote"
|
||||||
|
|
||||||
|
Any downloaded files will be located in `~/.firejail/[name]/Downloads`. To
|
||||||
|
upload files, you'll need to move them into that subdirectory first.
|
||||||
|
|
||||||
#### 3: Fully separate your work and play environments via virtualization _(PARANOID)_
|
#### 3: Fully separate your work and play environments via virtualization _(PARANOID)_
|
||||||
|
|
||||||
See [QubesOS project][3], which strives to provide a "reasonably secure"
|
See [QubesOS project][3], which strives to provide a "reasonably secure"
|
||||||
|
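Review bot: `firejail --private=DIR` expects DIR to already exist (firejail exits with an error if it cannot find the directory rather than creating it), so on a fresh setup the `ff-perso`/`ff-work` aliases fail; the instructions should add `mkdir -p ~/.firejail/personal ~/.firejail/work` before the aliases. The two `alias` lines are also not in a code block, so markdown will run them together as a paragraph; indent them four spaces or fence them like the other commands in the doc. Minor: `~/.firejail/[name]/Downloads` should say that `[name]` stands for `personal` or `work` as used in the aliases.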
@ -717,31 +722,9 @@ to ensure that your private keys are well protected against theft.
|
||||||
|
|
||||||
#### Considerations
|
#### Considerations
|
||||||
|
|
||||||
The best way to prevent private key theft is to use a smartcard to store your
|
Please see the "Protecting Code Integrity with PGP" document available in the
|
||||||
encryption private keys and never copy them onto the workstation. There are
|
same repository for introduction to PGP best practices and instructions on how
|
||||||
several manufacturers that offer OpenPGP capable devices:
|
to set up and use offline master and smartcard subkeys.
|
||||||
|
|
||||||
- [Kernel Concepts][12], where you can purchase both the OpenPGP compatible
|
|
||||||
smartcards and the USB readers, should you need one.
|
|
||||||
- [Yubikey][13], which offers OpenPGP smartcard functionality in addition
|
|
||||||
to many other cool features (U2F, PIV, HOTP, etc).
|
|
||||||
- [NitroKey][21], which is based on open-source software and hardware
|
|
||||||
|
|
||||||
It is also important to make sure that the master PGP key is not stored on the
|
|
||||||
main workstation, and only subkeys are used. The master key will only be
|
|
||||||
needed when signing someone else's keys or creating new subkeys -- operations
|
|
||||||
which do not happen very frequently. You may follow [the Debian's subkeys][14]
|
|
||||||
guide to learn how to move your master key to removable storage and how to
|
|
||||||
create subkeys.
|
|
||||||
|
|
||||||
You should then configure your gnupg agent to act as ssh agent and use the
|
|
||||||
smartcard-based PGP Auth key to act as your ssh private key. We publish a
|
|
||||||
[detailed guide][15] on how to do that using either a smartcard reader or a
|
|
||||||
Yubikey NEO.
|
|
||||||
|
|
||||||
If you are not willing to go that far, at least make sure you have a strong
|
|
||||||
passphrase on both your PGP private key and your SSH private key, which will
|
|
||||||
make it harder for attackers to steal and use them.
|
|
||||||
|
|
||||||
### Hibernate or shut down, do not suspend
|
### Hibernate or shut down, do not suspend
|
||||||
|
|
||||||
|
|
|
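Review bot: the replacement text refers to `the "Protecting Code Integrity with PGP" document available in the same repository` without linking it; use a relative markdown link to the file so readers can click through. The removed lines were the only visible users of the reference-style links [12], [13], [14], [15] and [21], so their definitions at the bottom of the file should be pruned in the same commit or they become dangling. Consider also keeping the last removed paragraph (strong passphrase on both the PGP and SSH private keys), since it was the fallback advice for readers who do not adopt the smartcard setup and the new pointer does not cover it.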
@ -693,14 +693,14 @@ features on the internal chip. Here are a few recommendations:
|
||||||
but with fewest extra security features
|
but with fewest extra security features
|
||||||
- [Nitrokey Pro](https://shop.nitrokey.com/shop/product/nitrokey-pro-3):
|
- [Nitrokey Pro](https://shop.nitrokey.com/shop/product/nitrokey-pro-3):
|
||||||
Similar to the Nitrokey Start, but is tamper-resistant and offers more
|
Similar to the Nitrokey Start, but is tamper-resistant and offers more
|
||||||
security features (see the U2F section of the guide)
|
security features (but not U2F, see the Fido U2F section of the guide)
|
||||||
- [Yubikey 4](https://www.yubico.com/product/yubikey-4-series/): Proprietary
|
- [Yubikey 4](https://www.yubico.com/product/yubikey-4-series/): Proprietary
|
||||||
hardware and software, but cheaper than Nitrokey Pro and comes available
|
hardware and software, but cheaper than Nitrokey Pro and comes available
|
||||||
in the USB-C form that is more useful with newer laptops; also offers
|
in the USB-C form that is more useful with newer laptops; also offers
|
||||||
additional security features such as U2F
|
additional security features such as U2F
|
||||||
|
|
||||||
Our recommendation is to pick a device that is capable of both smartcard
|
Our recommendation is to pick a device that is capable of both smartcard
|
||||||
functionality and U2F, which means either a Nitrokey Pro, or a Yubikey 4.
|
functionality and U2F, which, at the time of writing, means a Yubikey 4.
|
||||||
|
|
||||||
#### Configuring your smartcard device
|
#### Configuring your smartcard device
|
||||||
|
|
||||||
|
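Review bot: `see the Fido U2F section of the guide` does not match any heading this commit adds (`#### Two-factor authentication with Fido U2F`, `#### Get a token capable of Fido U2F`); make it an in-document link to the intended heading so the reference does not drift. With the parenthetical now saying the Nitrokey Pro lacks U2F, `offers more security features (but not U2F, ...)` reads oddly next to the Yubikey 4 bullet that lists U2F as an additional feature; `offers more smartcard security features (but not U2F, see ...)` would say what is meant.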
@ -1236,7 +1236,107 @@ keyservers, should you need to grant them ssh-based access to anything:
|
||||||
This can come in super handy if you need to allow developers access to git
|
This can come in super handy if you need to allow developers access to git
|
||||||
repositories over ssh.
|
repositories over ssh.
|
||||||
|
|
||||||
## TODO: Tarball release signatures
|
## Protecting online accounts
|
||||||
|
|
||||||
|
### Checklist
|
||||||
|
|
||||||
|
- [ ] Get a U2F-capable device _(ESSENTIAL)_
|
||||||
|
- [ ] Enable 2-factor authentication for your online accounts _(ESSENTIAL)_
|
||||||
|
- [ ] GitHub/GitLab
|
||||||
|
- [ ] Google
|
||||||
|
- [ ] Social Media
|
||||||
|
- [ ] Use U2F as primary mechanism, with TOTP as fallback _(ESSENTIAL)_
|
||||||
|
|
||||||
|
### Considerations
|
||||||
|
|
||||||
|
You may have noticed how a lot of your online developer identity is tied to
|
||||||
|
your email address. If someone can gain access to your mailbox, they would be
|
||||||
|
able to do a lot of damage to you personally, and to your reputation as a free
|
||||||
|
software developer. Protecting your email accounts is just as important as
|
||||||
|
protecting your PGP keys.
|
||||||
|
|
||||||
|
#### Two-factor authentication with Fido U2F
|
||||||
|
|
||||||
|
[Two-factor
|
||||||
|
authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) is
|
||||||
|
a mechanism to improve account security by requiring a physical token in
|
||||||
|
addition to a username and password. The goal is to make sure that even if
|
||||||
|
someone steals your password (via keylogging, shoulder surfing, or other
|
||||||
|
means), they still wouldn't be able to gain access to your account without
|
||||||
|
having in their possession a specific pre-configured physical device.
|
||||||
|
|
||||||
|
The most widely known mechanisms for 2-factor authentication are:
|
||||||
|
|
||||||
|
- SMS-based verification
|
||||||
|
- Time-based One-Time Passwords (TOTP) via a smartphone app
|
||||||
|
- Hardware tokens supporting Fido U2F
|
||||||
|
|
||||||
|
SMS-based verification is easiest to configure, but has the following
|
||||||
|
important downsides: it is useless in areas without signal (e.g. building
|
||||||
|
basements), and can be defeated if the attacker is able to intercept or divert
|
||||||
|
SMS messages.
|
||||||
|
|
||||||
|
TOTP-based multi-factor authentication offers more protection than SMS, but
|
||||||
|
has important scaling hurdles (there's only so many tokens you can add to your
|
||||||
|
smartphone app before finding the correct one becomes wearisome). Plus,
|
||||||
|
there's no avoiding the fact that your secret key ends up stored on the
|
||||||
|
smartphone itself, which is a complex, globally connected device with a very
|
||||||
|
poor record of timely patching by the vendors.
|
||||||
|
|
||||||
|
Most importantly, neither TOTP nor SMS methods protect you from phishing
|
||||||
|
attacks -- if the phisher is able to obtain both your account password and
|
||||||
|
2-factor token, they can replay them on the legitimate site and gain access to
|
||||||
|
your account.
|
||||||
|
|
||||||
|
[Fido U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) is a standard
|
||||||
|
developed specifically to provide a mechanism for 2-factor authentication
|
||||||
|
*and* combat credential phishing. The U2F protocol will store site
|
||||||
|
authentication data on the USB token that will prevent you from accidentally
|
||||||
|
giving an attacker both your password and your one-time token if you try to
|
||||||
|
use it on anything other than the legitimate website.
|
||||||
|
|
||||||
|
Both Chrome and Firefox support U2F 2-factor authentication, and hopefully
|
||||||
|
other browsers will soon follow.
|
||||||
|
|
||||||
|
#### Get a token capable of Fido U2F
|
||||||
|
|
||||||
|
There are [many options available](http://www.dongleauth.info/dongles/) for
|
||||||
|
hardware tokens with Fido U2F support, but if you're already ordering a
|
||||||
|
smartcard-capable physical token, then your best option is a Yubikey 4, which
|
||||||
|
supports both.
|
||||||
|
|
||||||
|
#### Enable 2-factor authentication on your online accounts
|
||||||
|
|
||||||
|
You definitely want to enable this option on the email provider you are using
|
||||||
|
(especially if it is Google, which has excellent support for U2F). Other sites
|
||||||
|
where this should definitely be considered:
|
||||||
|
|
||||||
|
- GitHub: it probably occurred to you when you uploaded your public key that
|
||||||
|
if anyone else is able to gain access to your account, they can replace your
|
||||||
|
key with their own. If you publish code on GitHub, you should take care of
|
||||||
|
your account security by protecting it with U2F-backed authentication.
|
||||||
|
- GitLab: for the same reasons as above
|
||||||
|
- Google: if you have a google account, you will be surprised how many places
|
||||||
|
allow to log in with Google authentication instead of site-backed
|
||||||
|
credentials.
|
||||||
|
- Facebook: same as above, a lot of online sites offer the option to
|
||||||
|
authenticate using a Facebook account. You should protect your Facebook
|
||||||
|
account even if you do not use it.
|
||||||
|
- Other sites, as you deem necessary. See
|
||||||
|
[dongleauth.info](http://www.dongleauth.info) for inspiration.
|
||||||
|
|
||||||
|
#### Configure TOTP failover, if possible
|
||||||
|
|
||||||
|
Many sites will allow you to configure multiple 2-factor mechanisms, and the
|
||||||
|
recommended option is:
|
||||||
|
|
||||||
|
- U2F token as the primary mechanism
|
||||||
|
- TOTP phone app as the secondary mechanism
|
||||||
|
|
||||||
|
This way, even if you lose your U2F token, you should be able to gain access
|
||||||
|
to your account. Alternatively, you can enroll multiple U2F tokens (e.g.
|
||||||
|
you can get another cheap token that only does U2F and use it for backup
|
||||||
|
reasons).
|
||||||
|
|
||||||
## Further reading
|
## Further reading
|
||||||
|
|
||||||
|
|
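Review bot: the checklist rates `Use U2F as primary mechanism, with TOTP as fallback` as _(ESSENTIAL)_, but the matching subsection is titled `Configure TOTP failover, if possible` and then offers a second enrolled U2F token as an alternative, so the two disagree on what is required; suggest stating the requirement as "have a second enrolled factor so a lost token does not lock you out" and listing TOTP, a backup U2F token and the site's one-time recovery codes as ways to satisfy it. Smaller items in the same hunk: the checklist says `Social Media` where the body discusses `Facebook`; `allow to log in with Google authentication` should be `allow you to log in`; `Both Chrome and Firefox support U2F` should state any browser version requirement, given the section already dates itself with `at the time of writing`; and `## TODO: Tarball release signatures` is removed rather than moved, so that TODO is lost unless it is tracked elsewhere.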