Day's work
parent
424ee3544d
commit
8a884bc0e8
|
@ -16,33 +16,41 @@
|
||||||
## Distro choice considerations
|
## Distro choice considerations
|
||||||
- [CRITICAL] Has a robust MAC/RBAC implementation (SELinux/AppArmor/GrSecurity)
|
- [CRITICAL] Has a robust MAC/RBAC implementation (SELinux/AppArmor/GrSecurity)
|
||||||
- [CRITICAL] Publishes security bulletins
|
- [CRITICAL] Publishes security bulletins
|
||||||
|
- [CRITICAL] Provides timely security patches
|
||||||
|
- [CRITICAL] Provides cryptographic verification of packages
|
||||||
- [CRITICAL] Supports TrustedBoot
|
- [CRITICAL] Supports TrustedBoot
|
||||||
- [CRITICAL] Has robust full disk encryption support (LUKS)
|
- [CRITICAL] Has robust full disk encryption support (LUKS)
|
||||||
|
|
||||||
## Distro installation guidelines
|
## Distro installation guidelines
|
||||||
- [CRITICAL] Use full-disk encryption
|
- [CRITICAL] Use full-disk encryption on LVM level
|
||||||
- [CRITICAL] Create a separate /home partition
|
- [CRITICAL] Make sure swap is also encrypted
|
||||||
- Make sure swap is also encrypted
|
- [CRITICAL] Set up a unique, robust root password
|
||||||
|
- [CRITICAL] Use an unprivileged account, part of administrators group (sudo)
|
||||||
|
- [CRITICAL] Set up a robust user-account password, different from root
|
||||||
|
|
||||||
## Untrusted hardware
|
## Post-installation hardening
|
||||||
|
- [CRITICAL] Globally disable firewire modules
|
||||||
|
("blacklist firewire-core" in /etc/modprobe.d/bl-firewire.conf)
|
||||||
|
- [MODERATE] Check your firewalls to ensure all incoming ports are filtered
|
||||||
|
- [MODERATE] Check to ensure sshd service is disabled by default
|
||||||
|
- [MODERATE] Set up an automatic OS update schedule, or update reminders
|
||||||
|
(most distros will notify when updates are available)
|
||||||
|
|
||||||
- Firewire ports are disabled
|
## Personal workstation backups
|
||||||
|
|
||||||
- blacklist firewire-core in /etc/modprobe.d/blacklist-firewire.conf
|
## Best practices
|
||||||
|
|
||||||
-
|
### SELinux
|
||||||
|
|
||||||
Team communication:
|
- [CRITICAL] Make sure SELinux is enforcing on your workstation
|
||||||
- Establish PGP web of trust
|
- [CRITICAL] Never `setenforce 0`, use `semanage permissive -a somedomain_t`
|
||||||
- Or use s/mime with a trusted CA
|
- [CRITICAL] Never blindly run `audit2allow`, always check
|
||||||
- Use a password vault
|
- [MODERATE] Switch your account to SELinux user `staff_u` (use `usermod -Z`)
|
||||||
|
|
||||||
|
### Browsing
|
||||||
|
- [MODERATE] Use two different browsers, one for work sites only, the other
|
||||||
|
for everything else
|
||||||
|
- [PARANOID] Run the "everything else" browser as a different user
|
||||||
|
- [PARANOID+] Run the "everthing else" browser inside a local VM accessed
|
||||||
|
via RDP.
|
||||||
|
|
||||||
Practices:
|
|
||||||
- Apply updates daily
|
|
||||||
|
|
||||||
SELinux hints:
|
|
||||||
- Run as SELinux user staff_u
|
|
||||||
- Never setenforce 0
|
|
||||||
- Use "semanage permissive -a somedomain_t"
|
|
||||||
-
|
|
||||||
|
|
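Review bot: The firewire item under "Post-installation hardening" relies on `blacklist firewire-core`, which only stops modprobe from resolving that module's own aliases; the module can still be loaded by name, or pulled in as a dependency when firewire-ohci is autoloaded for the controller. Suggest an `install firewire-core /bin/true` line in the same modprobe.d file (and one for firewire-ohci), so that a load attempt becomes a no-op. Smaller points in the same hunk: "everthing else" in the [PARANOID+] browsing item should read "everything else"; "Never blindly run `audit2allow`, always check" does not say what to check (presumably the generated rules, before they are loaded); and the "Create a separate /home partition" and "Use a password vault" items on the old side have no counterpart on the new side, so either restore them or note in the commit message that dropping them is intended.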