Initial addition of workstation-security
This commit is contained in:
commit
424ee3544d
1 changed files with 48 additions and 0 deletions
48
workstation-security.md
Normal file
48
workstation-security.md
Normal file
|
@ -0,0 +1,48 @@
|
||||||
|
# Workstation security checklist
|
||||||
|
|
||||||
|
## Hardware considerations
|
||||||
|
|
||||||
|
- [CRITICAL] Has a TPM chip
|
||||||
|
- [CRITICAL] Supports SecureBoot
|
||||||
|
- [MODERATE] Has no firewire ports
|
||||||
|
- [MODERATE] Has no PCMCIA ports
|
||||||
|
|
||||||
|
## Pre-boot environment
|
||||||
|
- [CRITICAL] UEFI boot mode is used (not legacy BIOS)
|
||||||
|
- [CRITICAL] Password is required to enter UEFI configuration mode
|
||||||
|
- [CRITICAL] Password is required to initiate boot
|
||||||
|
- [CRITICAL] SecureBoot is enabled
|
||||||
|
|
||||||
|
## Distro choice considerations
|
||||||
|
- [CRITICAL] Has a robust MAC/RBAC implementation (SELinux/AppArmor/GrSecurity)
|
||||||
|
- [CRITICAL] Publishes security bulletins
|
||||||
|
- [CRITICAL] Supports TrustedBoot
|
||||||
|
- [CRITICAL] Has robust full disk encryption support (LUKS)
|
||||||
|
|
||||||
|
## Distro installation guidelines
|
||||||
|
- [CRITICAL] Use full-disk encryption
|
||||||
|
- [CRITICAL] Create a separate /home partition
|
||||||
|
- Make sure swap is also encrypted
|
||||||
|
|
||||||
|
## Untrusted hardware
|
||||||
|
|
||||||
|
- Firewire ports are disabled
|
||||||
|
|
||||||
|
- blacklist firewire-core in /etc/modprobe.d/blacklist-firewire.conf
|
||||||
|
|
||||||
|
-
|
||||||
|
|
||||||
|
Team communication:
|
||||||
|
- Establish PGP web of trust
|
||||||
|
- Or use s/mime with a trusted CA
|
||||||
|
- Use a password vault
|
||||||
|
|
||||||
|
|
||||||
|
Practices:
|
||||||
|
- Apply updates daily
|
||||||
|
|
||||||
|
SELinux hints:
|
||||||
|
- Run as SELinux user staff_u
|
||||||
|
- Never setenforce 0
|
||||||
|
- Use "semanage permissive -a somedomain_t"
|
||||||
|
-
|
Loading…
Reference in a new issue