commit 424ee3544d6a010f75f0f94517683ce94ad5a56a Author: Konstantin Ryabitsev Date: Tue Jul 21 17:19:04 2015 -0400 Initial addition of workstation-security diff --git a/workstation-security.md b/workstation-security.md new file mode 100644 index 0000000..f6ffbd9 --- /dev/null +++ b/workstation-security.md @@ -0,0 +1,48 @@ +# Workstation security checklist + +## Hardware considerations + +- [CRITICAL] Has a TPM chip +- [CRITICAL] Supports SecureBoot +- [MODERATE] Has no firewire ports +- [MODERATE] Has no PCMCIA ports + +## Pre-boot environment +- [CRITICAL] UEFI boot mode is used (not legacy BIOS) +- [CRITICAL] Password is required to enter UEFI configuration mode +- [CRITICAL] Password is required to initiate boot +- [CRITICAL] SecureBoot is enabled + +## Distro choice considerations +- [CRITICAL] Has a robust MAC/RBAC implementation (SELinux/AppArmor/GrSecurity) +- [CRITICAL] Publishes security bulletins +- [CRITICAL] Supports TrustedBoot +- [CRITICAL] Has robust full disk encryption support (LUKS) + +## Distro installation guidelines +- [CRITICAL] Use full-disk encryption +- [CRITICAL] Create a separate /home partition + - Make sure swap is also encrypted + +## Untrusted hardware + +- Firewire ports are disabled + + - blacklist firewire-core in /etc/modprobe.d/blacklist-firewire.conf + +- + +Team communication: +- Establish PGP web of trust + - Or use s/mime with a trusted CA +- Use a password vault + + +Practices: +- Apply updates daily + +SELinux hints: +- Run as SELinux user staff_u +- Never setenforce 0 + - Use "semanage permissive -a somedomain_t" + -
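Review bot: in the "Untrusted hardware" section, `blacklist firewire-core` only stops alias-based autoloading. The module can still be loaded by an explicit `modprobe` or pulled in as a dependency of another firewire module, so "Firewire ports are disabled" is not guaranteed by this entry alone. Consider adding `install firewire-core /bin/true` to the same file, or state that the blacklist is best-effort. Further points in the same hunk: "Make sure swap is also encrypted" is nested under "Create a separate /home partition" but reads as belonging to "Use full-disk encryption". The items from "Untrusted hardware" down carry no [CRITICAL]/[MODERATE] tag, and "Team communication:", "Practices:" and "SELinux hints:" are plain labels rather than `##` headings like the sections above them. The two empty `-` bullets, at the end of "Untrusted hardware" and at the end of "SELinux hints", look like leftover placeholders and should be filled in or dropped.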