Update a handful of recommendations for early 2017

Largely the same stuff, but modify a few recommendations and add a couple of other ones. See CHANGELOG.md for complete details.

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
parent 424aa0316d
commit cdfc1d246e
2 changed files with 93 additions and 30 deletions

CHANGELOG.md (new file)

@ -0,0 +1,11 @@
# 2017-01-23
## Linux workstation security checklist

- add warning that attackers routinely brute-force simple passphrases
- recommend switching to Wayland
- Replace browser-in-VM recommendation with firejail-separated profiles
instead
- List NitroKey in addition to Yubikey
- Add recommendation to use Fido U2F for services supporting it
- Add SubgraphOS alongside QubesOS (though SubgraphOS is still in alpha)
- Not adding Flatpak/Snappy yet, as the list of supported apps is pretty pithy
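Review bot: the first CHANGELOG bullet says attackers "routinely brute-force simple passphrases", but the corresponding body hunk below only claims they "are starting to include such simple passphrases" in their strategies; the two should say the same thing, and since the point of the warning is that published phrases are already in wordlists, "routinely" is the wording to keep in both places. Two smaller things: "pretty pithy" in the Flatpak/Snappy line means "concise and forceful", so "pretty thin" or "pretty short" is the intended word; and the first two bullets start lowercase while the rest are capitalised.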
@ -1,5 +1,7 @@
# Linux workstation security checklist

Updated: 2017-01-23

### Target audience

This document is aimed at teams of systems administrators who use Linux
@ -28,10 +30,10 @@ is a crazy person. These guidelines are merely a basic set of core safety
rules that is neither exhaustive, nor a replacement for experience, vigilance,
and common sense.

We're sharing this document as a way to
[bring the benefits of open-source collaboration to IT policy documentation][18]. If
you find it useful, we hope you'll contribute to its development by making a fork for
your own organization and sharing your improvements.
We're sharing this document as a way to [bring the benefits of open-source
collaboration to IT policy documentation][18]. If you find it useful, we hope
you'll contribute to its development by making a fork for your own
organization and sharing your improvements.

### Structure

@ -270,7 +272,9 @@ Examples of good passphrases (yes, you can use spaces):
- perdon, tengo flatulence

Weak passphrases are combinations of words you're likely to see in published
works or anywhere else in real life, such as:
works or anywhere else in real life, and you should avoid using them, as
attackers are starting to include such simple passphrases into their
brute-force strategies. Examples of passphrases to avoid:

- Mary had a little lamb
- you're a wizard, Harry
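Review bot: the new sentence in this hunk undercuts its own warning: the "good passphrase" examples immediately above it (such as "perdon, tengo flatulence") are now themselves text published in a widely mirrored document, which is exactly the category the paragraph says attackers harvest, so a sentence telling readers not to reuse any example from this page verbatim belongs here. Also "include such simple passphrases into their brute-force strategies" should read "in their", and "are starting to" is weaker than the "routinely" used in the CHANGELOG for the same change.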
@ -452,7 +456,8 @@ Above all, avoid copying your home directory onto any unencrypted storage, even
as a quick way to move your files around between systems, as you will most
certainly forget to erase it once you're done, exposing potentially private or
otherwise security sensitive data to snooping hands -- especially if you keep
that storage media in the same bag with your laptop.
that storage media in the same bag with your laptop or in your office desk
drawer.

#### Selective zero-knowledge backups off-site

@ -474,7 +479,27 @@ adopt. It is most certainly non-exhaustive, but rather attempts to offer
practical advice that strikes a workable balance between security and overall
usability.

### Browsing
### Graphical environment

The venerable X protocol was conceived and implemented for a wholly different
era of personal computing and lacks important security features that should be
considered essential on a networked workstation. To give a few examples:

- Any X application has access to full screen contents
- Any X application can register to receive all keystrokes, regardless into
which window they are typed

A sufficiently severe browser vulnerability means attackers get automatic
access to what is effectively a builtin keylogger and screen recorder and
can watch and capture everything you type into your root terminal sessions.

You should strongly consider switching to a more modern platform like Wayland,
even if this means using many of your existing applications through an X11
protocol wrapper. With Fedora starting to default to Wayland for all
applications, we can hope that most software will soon stop requiring the
legacy X11 layer.

### Browsers

There is no question that the web browser will be the piece of software with
the largest and the most exposed attack surface on your system. It is a tool
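Review bot: the browser example in this hunk does not hold yet for the very case it describes: the paragraph recommends Wayland "even if this means using many of your existing applications through an X11 protocol wrapper", but Firefox has no Wayland backend at the time of this change, so it runs under Xwayland, and all Xwayland clients share one X server and can still snoop each other's keystrokes and screen contents exactly as before; the isolation gained is only between Wayland-native clients (which is where the root terminal must be for the example to work). Worth saying explicitly, otherwise readers will assume the browser is covered. Two accuracy points: "lacks important security features" should acknowledge that X does have an untrusted-client mechanism (the SECURITY extension, what `ssh -X` uses as opposed to `ssh -Y`), it is just so incompatible with real applications that nobody runs with it, which is the actual argument for Wayland; and "Fedora starting to default to Wayland for all applications" overstates it, Fedora 25 made Wayland the default GNOME session, and X11 applications keep running via Xwayland. Grammar: "regardless into which window they are typed" should be "regardless of which window they are typed into".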
@ -553,44 +578,64 @@ It is recommended that you install **Privacy Badger** and **HTTPS Everywhere**
extensions in Chrome as well and give it a distinct theme from Firefox to
indicate that this is your "untrusted sites" browser.

#### 2: Use two different browsers, one inside a dedicated VM _(NICE)_
#### 2: Use firejail _(ESSENTIAL)_

This is a similar recommendation to the above, except you will add an extra
step of running the "everything else" browser inside a dedicated VM that you
access via a fast protocol, allowing you to share clipboards and forward sound
events (e.g. Spice or RDP). This will add an excellent layer of isolation
between the untrusted browser and the rest of your work environment, ensuring
that attackers who manage to fully compromise your browser will then have to
additionally break out of the VM isolation layer in order to get to the rest
of your system.
[Firejail][19] is a project that uses Linux namespaces and seccomp-bpf to
create a sandbox around Linux applications. It is an excellent way to help
build additional protection between the browser and the rest of your system.
You can use Firejail to create separate isolated instances of Firefox to
use for different purposes -- for work, for personal but trusted sites (such
as banking), and one more for casual browsing (social media, etc).

This is a surprisingly workable configuration, but requires a lot of RAM and
fast processors that can handle the increased load. It will also require an
important amount of dedication on the part of the admin who will need to
adjust their work practices accordingly.
Firejail is most effective on Wayland, unless you use X11-isolation mechanisms
(the `--x11` flag). To start using Firejail with Firefox, please refer to the
documentation provided by the project:

- [Firefox Sandboxing Guide][20]

#### 3: Fully separate your work and play environments via virtualization _(PARANOID)_

See [Qubes-OS project][3], which strives to provide a high-security
See [QubesOS project][3], which strives to provide a "reasonably secure"
workstation environment via compartmentalizing your applications into separate
fully isolated VMs.
fully isolated VMs. You may also investigate [SubgraphOS][24] that achieves
similar goals using container technology (currently in Alpha).

### Use Fido U2F for website 2-factor authentication

[Fido U2F][22] is a standard developed specifically to provide a mechanism for
2-factor authentication *and* combat credential phishing. Regular OTP
(one-time password) mechanisms are ineffective in the case where the attacker
is able to trick you into submitting your password and token into a malicious
site masquerading as a legitimate service. The U2F protocol will store site
authentication data on the USB token that will prevent you from accidentally
giving an attacker both your password and your one-time token if you try to
use it on anything other than the legitimate website.

See this site for a curated list of services providing Fido U2F support:

- [dongleauth.info][23]

Note, that not all browsers currently support U2F-capable hardware tokens, and
if you use sandboxes or virtualization-based isolation around your browser,
you may have to work extra hard to enable USB pass-through from the
application to your USB token.

### Password managers

#### Checklist

- [ ] Use a password manager _(ESSENTIAL)_
- [ ] Use unique passwords on unrelated sites _(ESSENTIAL)_
- [ ] Use unique, randomly generated passwords on unrelated sites _(ESSENTIAL)_
- [ ] Use a password manager that supports team sharing _(NICE)_
- [ ] Use a separate password manager for non-website accounts _(NICE)_

#### Considerations

Using good, unique passwords should be a critical requirement for every member
of your team. Credential theft is happening all the time -- either via
compromised computers, stolen database dumps, remote site exploits, or any
number of other means. No credentials should ever be reused across sites,
especially for critical applications.
Using strong, unique, randomly generated passwords should be a critical
requirement for every member of your team. Credential theft is happening all
the time -- either via compromised computers, stolen database dumps, remote
site exploits, or any number of other means. No credentials should be reused
across different sites, ever.

##### In-browser password manager

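Review bot: the U2F paragraph gets the mechanism wrong: "The U2F protocol will store site authentication data on the USB token" is not where the phishing resistance comes from, most tokens keep no per-site state at all (the site stores the key handle and public key it received at registration). The protection is that the browser puts the origin it is actually connected to into the data the token signs and refuses to hand a key handle registered for one origin to a different one, so a lookalike site cannot obtain a signature the real site would accept; suggest rewording the sentence to say the token's response is bound to the real site's origin by the browser. Two points on the firejail section that now carries an ESSENTIAL rating: firejail is installed setuid root, so it is privileged attack surface of its own and needs the same update discipline as the browser, a one-line caveat next to the rating would be honest; and "separate isolated instances of Firefox" only exist if each one runs with its own profile directory and `--no-remote` (or firejail's private home), otherwise the second launch just opens a window in the already running instance and the three "isolated" browsers are one process. The linked guide covers this, but a sentence here would save readers from a false sense of separation. Minor: the standard is written "FIDO U2F".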
@ -653,8 +698,9 @@ several manufacturers that offer OpenPGP capable devices:

- [Kernel Concepts][12], where you can purchase both the OpenPGP compatible
smartcards and the USB readers, should you need one.
- [Yubikey NEO][13], which offers OpenPGP smartcard functionality in addition
- [Yubikey][13], which offers OpenPGP smartcard functionality in addition
to many other cool features (U2F, PIV, HOTP, etc).
- [NitroKey][21], which is based on open-source software and hardware

It is also important to make sure that the master PGP key is not stored on the
main workstation, and only subkeys are used. The master key will only be
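Review bot: widening "Yubikey NEO" to just "Yubikey" makes the bullet inaccurate, since not every YubiKey carries the OpenPGP applet (the NEO and the YubiKey 4 do, the U2F-only Security Key does not); say "YubiKey NEO or YubiKey 4" or "YubiKey models with the OpenPGP applet" so a reader does not buy the wrong one. The NitroKey bullet has the same gap in the other direction: it says nothing about OpenPGP at all, while only the Pro and Storage models provide the smartcard functionality this list is about; name them, and end the bullet with a period like its siblings.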
@ -812,9 +858,15 @@ This work is licensed under a
[10]: https://pypi.python.org/pypi/django-pstore
[11]: https://github.com/TomPoulton/hiera-eyaml
[12]: http://shop.kernelconcepts.de/
[13]: https://www.yubico.com/products/yubikey-hardware/yubikey-neo/
[13]: https://www.yubico.com/products/yubikey-hardware/
[14]: https://wiki.debian.org/Subkeys
[15]: https://github.com/lfit/ssh-gpg-smartcard-config
[16]: http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
[17]: https://en.wikipedia.org/wiki/Cold_boot_attack
[18]: http://www.linux.com/news/featured-blogs/167-amanda-mcpherson/850607-linux-foundation-sysadmins-open-source-their-it-policies
[19]: https://firejail.wordpress.com/
[20]: https://firejail.wordpress.com/documentation-2/firefox-guide/
[21]: https://www.nitrokey.com/
[22]: https://en.wikipedia.org/wiki/Universal_2nd_Factor
[23]: http://www.dongleauth.info/
[24]: https://subgraph.com/sgos/
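Review bot: the new [13] points at the generic YubiKey hardware page, so the reference no longer tells the reader which model has the OpenPGP applet; if the bullet above is narrowed back to specific models, link the page for those models. The new [22] cites Wikipedia for a standard whose specifications are published by the FIDO Alliance, which is the better primary reference, and the new [23] is a plain http link (as are the existing [12], [16] and [18]) in a document that recommends HTTPS Everywhere; use https wherever the target site serves it.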