Update a handful of recommendations for early 2017
Largely the same stuff, but modify a few recommendations and add a couple of other ones. See CHANGELOG.md for complete details.

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
This commit is contained in:
parent
424aa0316d
commit
cdfc1d246e
11
CHANGELOG.md
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
# 2017-01-23
|
||||||
|
## Linux workstation security checklist
|
||||||
|
|
||||||
|
- add warning that attackers routinely brute-force simple passphrases
|
||||||
|
- recommend switching to Wayland
|
||||||
|
- Replace browser-in-VM recommendation with firejail-separated profiles
|
||||||
|
instead
|
||||||
|
- List NitroKey in addition to Yubikey
|
||||||
|
- Add recommendation to use Fido U2F for services supporting it
|
||||||
|
- Add SubgraphOS alongside QubesOS (though SubgraphOS is still in alpha)
|
||||||
|
- Not adding Flatpak/Snappy yet, as the list of supported apps is pretty pithy
|
|
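Review bot: the third bullet is split so that the single word "instead" sits on its own line after "- Replace browser-in-VM recommendation with firejail-separated profiles"; Markdown treats it as a lazy continuation, but it reads badly in the source, so either keep the item on one line or wrap at a natural break. The bullets also mix lowercase openings ("add warning", "recommend switching") with capitalized ones ("Replace", "List", "Add"); pick one form. In the last bullet, "pithy" means terse rather than small, so "the list of supported apps is still short" says what is meant.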
@ -1,5 +1,7 @@
|
||||||
# Linux workstation security checklist
|
# Linux workstation security checklist
|
||||||
|
|
||||||
|
Updated: 2017-01-23
|
||||||
|
|
||||||
### Target audience
|
### Target audience
|
||||||
|
|
||||||
This document is aimed at teams of systems administrators who use Linux
|
This document is aimed at teams of systems administrators who use Linux
|
||||||
|
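Review bot: "Updated: 2017-01-23" on its own tells a reader that something changed but not what; since this commit introduces CHANGELOG.md, consider making the date a link to it (for example "Updated: 2017-01-23 (see [CHANGELOG.md](CHANGELOG.md))") so the checklist points at the list of revised recommendations.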
@ -28,10 +30,10 @@ is a crazy person. These guidelines are merely a basic set of core safety
|
||||||
rules that is neither exhaustive, nor a replacement for experience, vigilance,
|
rules that is neither exhaustive, nor a replacement for experience, vigilance,
|
||||||
and common sense.
|
and common sense.
|
||||||
|
|
||||||
We're sharing this document as a way to
|
We're sharing this document as a way to [bring the benefits of open-source
|
||||||
[bring the benefits of open-source collaboration to IT policy documentation][18]. If
|
collaboration to IT policy documentation][18]. If you find it useful, we hope
|
||||||
you find it useful, we hope you'll contribute to its development by making a fork for
|
you'll contribute to its development by making a fork for your own
|
||||||
your own organization and sharing your improvements.
|
organization and sharing your improvements.
|
||||||
|
|
||||||
### Structure
|
### Structure
|
||||||
|
|
||||||
|
@ -270,7 +272,9 @@ Examples of good passphrases (yes, you can use spaces):
|
||||||
- perdon, tengo flatulence
|
- perdon, tengo flatulence
|
||||||
|
|
||||||
Weak passphrases are combinations of words you're likely to see in published
|
Weak passphrases are combinations of words you're likely to see in published
|
||||||
works or anywhere else in real life, such as:
|
works or anywhere else in real life, and you should avoid using them, as
|
||||||
|
attackers are starting to include such simple passphrases into their
|
||||||
|
brute-force strategies. Examples of passphrases to avoid:
|
||||||
|
|
||||||
- Mary had a little lamb
|
- Mary had a little lamb
|
||||||
- you're a wizard, Harry
|
- you're a wizard, Harry
|
||||||
|
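Review bot: "include such simple passphrases into their brute-force strategies" should read "in their brute-force strategies". The threat the paragraph describes is also better named: phrases "you're likely to see in published works" are defeated by wordlist or dictionary attacks built from song lyrics, quotes and book titles, not by exhaustive brute force. Saying so explains why "Mary had a little lamb" fails while an original phrase of the same length does not.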
@ -452,7 +456,8 @@ Above all, avoid copying your home directory onto any unencrypted storage, even
|
||||||
as a quick way to move your files around between systems, as you will most
|
as a quick way to move your files around between systems, as you will most
|
||||||
certainly forget to erase it once you're done, exposing potentially private or
|
certainly forget to erase it once you're done, exposing potentially private or
|
||||||
otherwise security sensitive data to snooping hands -- especially if you keep
|
otherwise security sensitive data to snooping hands -- especially if you keep
|
||||||
that storage media in the same bag with your laptop.
|
that storage media in the same bag with your laptop or in your office desk
|
||||||
|
drawer.
|
||||||
|
|
||||||
#### Selective zero-knowledge backups off-site
|
#### Selective zero-knowledge backups off-site
|
||||||
|
|
||||||
|
@ -474,7 +479,27 @@ adopt. It is most certainly non-exhaustive, but rather attempts to offer
|
||||||
practical advice that strikes a workable balance between security and overall
|
practical advice that strikes a workable balance between security and overall
|
||||||
usability.
|
usability.
|
||||||
|
|
||||||
### Browsing
|
### Graphical environment
|
||||||
|
|
||||||
|
The venerable X protocol was conceived and implemented for a wholly different
|
||||||
|
era of personal computing and lacks important security features that should be
|
||||||
|
considered essential on a networked workstation. To give a few examples:
|
||||||
|
|
||||||
|
- Any X application has access to full screen contents
|
||||||
|
- Any X application can register to receive all keystrokes, regardless into
|
||||||
|
which window they are typed
|
||||||
|
|
||||||
|
A sufficiently severe browser vulnerability means attackers get automatic
|
||||||
|
access to what is effectively a builtin keylogger and screen recorder and
|
||||||
|
can watch and capture everything you type into your root terminal sessions.
|
||||||
|
|
||||||
|
You should strongly consider switching to a more modern platform like Wayland,
|
||||||
|
even if this means using many of your existing applications through an X11
|
||||||
|
protocol wrapper. With Fedora starting to default to Wayland for all
|
||||||
|
applications, we can hope that most software will soon stop requiring the
|
||||||
|
legacy X11 layer.
|
||||||
|
|
||||||
|
### Browsers
|
||||||
|
|
||||||
There is no question that the web browser will be the piece of software with
|
There is no question that the web browser will be the piece of software with
|
||||||
the largest and the most exposed attack surface on your system. It is a tool
|
the largest and the most exposed attack surface on your system. It is a tool
|
||||||
|
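Review bot: "regardless into which window they are typed" should be "regardless of which window they are typed into", and "builtin" should be "built-in". The Fedora sentence also overstates the situation: Fedora defaults the desktop session to Wayland, while X11 applications keep running through XWayland, so "default to Wayland for all applications" is not quite what happens. Worth adding that applications run "through an X11 protocol wrapper" share that XWayland server and can still observe each other's input; the isolation described here protects native Wayland clients, not the legacy apps sitting next to them, and a reader should not conclude that a Wayland session makes every existing application safe.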
@ -553,44 +578,64 @@ It is recommended that you install **Privacy Badger** and **HTTPS Everywhere**
|
||||||
extensions in Chrome as well and give it a distinct theme from Firefox to
|
extensions in Chrome as well and give it a distinct theme from Firefox to
|
||||||
indicate that this is your "untrusted sites" browser.
|
indicate that this is your "untrusted sites" browser.
|
||||||
|
|
||||||
#### 2: Use two different browsers, one inside a dedicated VM _(NICE)_
|
#### 2: Use firejail _(ESSENTIAL)_
|
||||||
|
|
||||||
This is a similar recommendation to the above, except you will add an extra
|
[Firejail][19] is a project that uses Linux namespaces and seccomp-bpf to
|
||||||
step of running the "everything else" browser inside a dedicated VM that you
|
create a sandbox around Linux applications. It is an excellent way to help
|
||||||
access via a fast protocol, allowing you to share clipboards and forward sound
|
build additional protection between the browser and the rest of your system.
|
||||||
events (e.g. Spice or RDP). This will add an excellent layer of isolation
|
You can use Firejail to create separate isolated instances of Firefox to
|
||||||
between the untrusted browser and the rest of your work environment, ensuring
|
use for different purposes -- for work, for personal but trusted sites (such
|
||||||
that attackers who manage to fully compromise your browser will then have to
|
as banking), and one more for casual browsing (social media, etc).
|
||||||
additionally break out of the VM isolation layer in order to get to the rest
|
|
||||||
of your system.
|
|
||||||
|
|
||||||
This is a surprisingly workable configuration, but requires a lot of RAM and
|
Firejail is most effective on Wayland, unless you use X11-isolation mechanisms
|
||||||
fast processors that can handle the increased load. It will also require an
|
(the `--x11` flag). To start using Firejail with Firefox, please refer to the
|
||||||
important amount of dedication on the part of the admin who will need to
|
documentation provided by the project:
|
||||||
adjust their work practices accordingly.
|
|
||||||
|
- [Firefox Sandboxing Guide][20]
|
||||||
|
|
||||||
#### 3: Fully separate your work and play environments via virtualization _(PARANOID)_
|
#### 3: Fully separate your work and play environments via virtualization _(PARANOID)_
|
||||||
|
|
||||||
See [Qubes-OS project][3], which strives to provide a high-security
|
See [QubesOS project][3], which strives to provide a "reasonably secure"
|
||||||
workstation environment via compartmentalizing your applications into separate
|
workstation environment via compartmentalizing your applications into separate
|
||||||
fully isolated VMs.
|
fully isolated VMs. You may also investigate [SubgraphOS][24] that achieves
|
||||||
|
similar goals using container technology (currently in Alpha).
|
||||||
|
|
||||||
|
### Use Fido U2F for website 2-factor authentication
|
||||||
|
|
||||||
|
[Fido U2F][22] is a standard developed specifically to provide a mechanism for
|
||||||
|
2-factor authentication *and* combat credential phishing. Regular OTP
|
||||||
|
(one-time password) mechanisms are ineffective in the case where the attacker
|
||||||
|
is able to trick you into submitting your password and token into a malicious
|
||||||
|
site masquerading as a legitimate service. The U2F protocol will store site
|
||||||
|
authentication data on the USB token that will prevent you from accidentally
|
||||||
|
giving an attacker both your password and your one-time token if you try to
|
||||||
|
use it on anything other than the legitimate website.
|
||||||
|
|
||||||
|
See this site for a curated list of services providing Fido U2F support:
|
||||||
|
|
||||||
|
- [dongleauth.info][23]
|
||||||
|
|
||||||
|
Note, that not all browsers currently support U2F-capable hardware tokens, and
|
||||||
|
if you use sandboxes or virtualization-based isolation around your browser,
|
||||||
|
you may have to work extra hard to enable USB pass-through from the
|
||||||
|
application to your USB token.
|
||||||
|
|
||||||
### Password managers
|
### Password managers
|
||||||
|
|
||||||
#### Checklist
|
#### Checklist
|
||||||
|
|
||||||
- [ ] Use a password manager _(ESSENTIAL)_
|
- [ ] Use a password manager _(ESSENTIAL)_
|
||||||
- [ ] Use unique passwords on unrelated sites _(ESSENTIAL)_
|
- [ ] Use unique, randomly generated passwords on unrelated sites _(ESSENTIAL)_
|
||||||
- [ ] Use a password manager that supports team sharing _(NICE)_
|
- [ ] Use a password manager that supports team sharing _(NICE)_
|
||||||
- [ ] Use a separate password manager for non-website accounts _(NICE)_
|
- [ ] Use a separate password manager for non-website accounts _(NICE)_
|
||||||
|
|
||||||
#### Considerations
|
#### Considerations
|
||||||
|
|
||||||
Using good, unique passwords should be a critical requirement for every member
|
Using strong, unique, randomly generated passwords should be a critical
|
||||||
of your team. Credential theft is happening all the time -- either via
|
requirement for every member of your team. Credential theft is happening all
|
||||||
compromised computers, stolen database dumps, remote site exploits, or any
|
the time -- either via compromised computers, stolen database dumps, remote
|
||||||
number of other means. No credentials should ever be reused across sites,
|
site exploits, or any number of other means. No credentials should be reused
|
||||||
especially for critical applications.
|
across different sites, ever.
|
||||||
|
|
||||||
##### In-browser password manager
|
##### In-browser password manager
|
||||||
|
|
||||||
|
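Review bot: the U2F paragraph gives the wrong mechanism. "The U2F protocol will store site authentication data on the USB token" is not how most tokens work: many keep no per-site state at all (the site stores a key handle), and the phishing resistance comes from the browser including the site origin in the data the token signs, so a response obtained by a look-alike site does not verify at the real one. Suggest rewording along the lines of "the browser binds the token's signature to the site you are actually on, so a phishing site cannot replay it against the legitimate service". Smaller points in the same hunk: "Fido U2F" is written "FIDO U2F" by the standard; "Note, that not all browsers" should drop the comma; and the bare mention of "the `--x11` flag" would help readers more with a clause saying what it does (Firejail's `--x11` runs the sandboxed application under a nested X server such as Xpra or Xephyr so it cannot read the main display), since that is the whole reason Firejail is "most effective on Wayland".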
@ -653,8 +698,9 @@ several manufacturers that offer OpenPGP capable devices:
|
||||||
|
|
||||||
- [Kernel Concepts][12], where you can purchase both the OpenPGP compatible
|
- [Kernel Concepts][12], where you can purchase both the OpenPGP compatible
|
||||||
smartcards and the USB readers, should you need one.
|
smartcards and the USB readers, should you need one.
|
||||||
- [Yubikey NEO][13], which offers OpenPGP smartcard functionality in addition
|
- [Yubikey][13], which offers OpenPGP smartcard functionality in addition
|
||||||
to many other cool features (U2F, PIV, HOTP, etc).
|
to many other cool features (U2F, PIV, HOTP, etc).
|
||||||
|
- [NitroKey][21], which is based on open-source software and hardware
|
||||||
|
|
||||||
It is also important to make sure that the master PGP key is not stored on the
|
It is also important to make sure that the master PGP key is not stored on the
|
||||||
main workstation, and only subkeys are used. The master key will only be
|
main workstation, and only subkeys are used. The master key will only be
|
||||||
|
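Review bot: the new NitroKey bullet never says that the device offers OpenPGP smartcard functionality, which is the point of this list ("several manufacturers that offer OpenPGP capable devices"); suggest "- [NitroKey][21], which offers OpenPGP smartcard functionality and is built on open-source software and hardware". Since "Yubikey NEO" is generalised to "Yubikey" and link [13] now points at the whole product family, add that not every Yubico device carries the OpenPGP applet (the plain U2F Security Key, for instance, does not), so readers should check the model before buying.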
@ -812,9 +858,15 @@ This work is licensed under a
|
||||||
[10]: https://pypi.python.org/pypi/django-pstore
|
[10]: https://pypi.python.org/pypi/django-pstore
|
||||||
[11]: https://github.com/TomPoulton/hiera-eyaml
|
[11]: https://github.com/TomPoulton/hiera-eyaml
|
||||||
[12]: http://shop.kernelconcepts.de/
|
[12]: http://shop.kernelconcepts.de/
|
||||||
[13]: https://www.yubico.com/products/yubikey-hardware/yubikey-neo/
|
[13]: https://www.yubico.com/products/yubikey-hardware/
|
||||||
[14]: https://wiki.debian.org/Subkeys
|
[14]: https://wiki.debian.org/Subkeys
|
||||||
[15]: https://github.com/lfit/ssh-gpg-smartcard-config
|
[15]: https://github.com/lfit/ssh-gpg-smartcard-config
|
||||||
[16]: http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
|
[16]: http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
|
||||||
[17]: https://en.wikipedia.org/wiki/Cold_boot_attack
|
[17]: https://en.wikipedia.org/wiki/Cold_boot_attack
|
||||||
[18]: http://www.linux.com/news/featured-blogs/167-amanda-mcpherson/850607-linux-foundation-sysadmins-open-source-their-it-policies
|
[18]: http://www.linux.com/news/featured-blogs/167-amanda-mcpherson/850607-linux-foundation-sysadmins-open-source-their-it-policies
|
||||||
|
[19]: https://firejail.wordpress.com/
|
||||||
|
[20]: https://firejail.wordpress.com/documentation-2/firefox-guide/
|
||||||
|
[21]: https://www.nitrokey.com/
|
||||||
|
[22]: https://en.wikipedia.org/wiki/Universal_2nd_Factor
|
||||||
|
[23]: http://www.dongleauth.info/
|
||||||
|
[24]: https://subgraph.com/sgos/
|
||||||
|
|