Day's work
This commit is contained in:
Konstantin Ryabitsev
parent
424ee3544d
commit
8a884bc0e8
|
|
@ -16,33 +16,41 @@
|
|||
## Distro choice considerations
|
||||
- [CRITICAL] Has a robust MAC/RBAC implementation (SELinux/AppArmor/GrSecurity)
|
||||
- [CRITICAL] Publishes security bulletins
|
||||
- [CRITICAL] Provides timely security patches
|
||||
- [CRITICAL] Provides cryptographic verification of packages
|
||||
- [CRITICAL] Supports TrustedBoot
|
||||
- [CRITICAL] Has robust full disk encryption support (LUKS)
|
||||
|
||||
## Distro installation guidelines
|
||||
- [CRITICAL] Use full-disk encryption
|
||||
- [CRITICAL] Create a separate /home partition
|
||||
- Make sure swap is also encrypted
|
||||
- [CRITICAL] Use full-disk encryption on LVM level
|
||||
- [CRITICAL] Make sure swap is also encrypted
|
||||
- [CRITICAL] Set up a unique, robust root password
|
||||
- [CRITICAL] Use an unprivileged account, part of administrators group (sudo)
|
||||
- [CRITICAL] Set up a robust user-account password, different from root
|
||||
|
||||
## Untrusted hardware
|
||||
## Post-installation hardening
|
||||
- [CRITICAL] Globally disable firewire modules
|
||||
("blacklist firewire-core" in /etc/modprobe.d/bl-firewire.conf)
|
||||
- [MODERATE] Check your firewalls to ensure all incoming ports are filtered
|
||||
- [MODERATE] Check to ensure sshd service is disabled by default
|
||||
- [MODERATE] Set up an automatic OS update schedule, or update reminders
|
||||
(most distros will notify when updates are available)
|
||||
|
||||
- Firewire ports are disabled
|
||||
## Personal workstation backups
|
||||
|
||||
- blacklist firewire-core in /etc/modprobe.d/blacklist-firewire.conf
|
||||
## Best practices
|
||||
|
||||
-
|
||||
### SELinux
|
||||
|
||||
Team communication:
|
||||
- Establish PGP web of trust
|
||||
- Or use s/mime with a trusted CA
|
||||
- Use a password vault
|
||||
- [CRITICAL] Make sure SELinux is enforcing on your workstation
|
||||
- [CRITICAL] Never `setenforce 0`, use `semanage permissive -a somedomain_t`
|
||||
- [CRITICAL] Never blindly run `audit2allow`, always check
|
||||
- [MODERATE] Switch your account to SELinux user `staff_u` (use `usermod -Z`)
|
||||
|
||||
### Browsing
|
||||
- [MODERATE] Use two different browsers, one for work sites only, the other
|
||||
for everything else
|
||||
- [PARANOID] Run the "everything else" browser as a different user
|
||||
- [PARANOID+] Run the "everthing else" browser inside a local VM accessed
|
||||
via RDP.
|
||||
|
||||
Practices:
|
||||
- Apply updates daily
|
||||
|
||||
SELinux hints:
|
||||
- Run as SELinux user staff_u
|
||||
- Never setenforce 0
|
||||
- Use "semanage permissive -a somedomain_t"
|
||||
-
|
||||
|
|
|
|||
Loading…
Reference in a new issue