Content tweaks

2024-05-06 21:42:34 +12:00 · 2015-08-11 10:28:53 -04:00 · 2015-08-11 10:28:53 -04:00 · f9adb8bf80
parent 155b098d93
commit f9adb8bf80
1 changed files with 104 additions and 94 deletions
--- a/linux-workstation-security.md
+++ b/linux-workstation-security.md
@ -3,22 +3,22 @@
 This is a set of recommendations used by the Linux Foundation for their systems
 administrators. All of LF employees are remote workers and we use this set of
 guidelines to ensure that a sysadmin's system passes core security requirements
-in order to reduce the risk of it becoming the attack vector against the rest
+in order to reduce the risk of it becoming an attack vector against the rest
 of our infrastructure.
 Even if your systems administrators are not remote workers, chances are that
 they perform a lot of their work either from a portable laptop in a work
-environment, or set up their home systems to access work infrastructure for
+environment, or set up their home systems to access the work infrastructure
-after-hours/emergency support. In either case, you can adapt this set of
+for after-hours/emergency support. In either case, you can adapt this set of
 recommendations to suit your environment.
 This, by no means, is an exhaustive "workstation hardening" document, but
 rather an attempt at a set of baseline recommendations to avoid most glaring
 security errors without introducing too much inconvenience. You may read this
 document and think it is way too paranoid, while someone else may think this
-barely scratches the surface. Security is just like driving on a highway --
+barely scratches the surface. Security is just like driving on the highway --
 anyone going slower than you is an idiot, while anyone driving faster than you
-is a crazy person. These guidelines are merely a basic set of highway safety
+is a crazy person. These guidelines are merely a basic set of core safety
 rules that is neither exhaustive, nor a replacement for experience, vigilance,
 and common sense.
@ -29,7 +29,7 @@ Each section is split into two areas:
 ## Severity levels
-The items in the checklist include the severity level, which we hope will help
+The items in each checklist include the severity level, which we hope will help
 guide your decision:
 - _(CRITICAL)_ items should definitely be high on the consideration list.
@ -43,7 +43,7 @@ guide your decision:
  workstation security, but will probably require a lot of adjustment to the
  way you interact with your operating system.
-Remember, these are only guidelines. If you feel the severity levels do not
+Remember, these are only guidelines. If you feel these severity levels do not
 reflect your project's commitment to security, you should adjust them as you
 see fit.
@ -69,9 +69,9 @@ plus there is a pretty high degree of certainty that state security agencies
 have ways to defeat it (probably by design), but having SecureBoot is better
 than having nothing at all.
-Alternatively, you may set up [Anti Evil Maid][1] which offers more wholesome
+Alternatively, you may set up [Anti Evil Maid][1] which offers a more
-protection against the type of attacks that SecureBoot is supposed to prevent,
+wholesome protection against the type of attacks that SecureBoot is supposed
-but it will require more effort to set up and maintain.
+to prevent, but it will require more effort to set up and maintain.
 #### Firewire, thunderbolt, and ExpressCard ports
@ -147,39 +147,41 @@ what you should consider when picking a distribution to use.
 #### SELinux, AppArmor, and GrSecurity/PaX
-Mandatory Access Controls (MAC) or Role-Based Access Controls are an extension
+Mandatory Access Controls (MAC) or Role-Based Access Controls (RBAC) are an
-of the basic user/group security mechanism used in legacy POSIX systems. Most
+extension of the basic user/group security mechanism used in legacy POSIX
-distributions these days either already come bundled with a MAC/RBAC
+systems. Most distributions these days either already come bundled with a
-implementation (Fedora, Ubuntu), or provide a mechanism to add it via an
+MAC/RBAC implementation (Fedora, Ubuntu), or provide a mechanism to add it via
-optional post-installation step (Gentoo, Arch, Debian). Obviously, it is highly
+an optional post-installation step (Gentoo, Arch, Debian). Obviously, it is
-advised that you pick a distribution that comes pre-configured with a MAC/RBAC
+highly advised that you pick a distribution that comes pre-configured with a
-system, but if you have strong feelings about a distribution that doesn't come
+MAC/RBAC system, but if you have strong feelings about a distribution that
-with one enabled by default, do plan to configure it post-installation.
+doesn't have one enabled by default, do plan to configure it
 post-installation.
 Distributions that do not provide any MAC/RBAC mechanisms should be strongly
-avoided, as traditional POSIX user- and group-based security mechanisms should
+avoided, as traditional POSIX user- and group-based security should be
-be considered insufficient in this day and age. If you would like to start out
+considered insufficient in this day and age. If you would like to start out
 with a MAC/RBAC workstation, AppArmor and PaX are generally considered easier
-to learn than SELinux. Furthermore, on a workstation, where there are few or no
+to learn than SELinux. Furthermore, on a workstation, where there are few or
-externally listening daemons, and where user-run applications pose the highest
+no externally listening daemons, and where user-run applications pose the
-risk, GrSecurity/PaX will _probably_ offer more security benefits than SELinux.
+highest risk, GrSecurity/PaX will _probably_ offer more security benefits than
 SELinux.
 #### Distro security bulletins
-Most widely used distributions have a mechanism to deliver security bulletins
+Most of the widely used distributions have a mechanism to deliver security
-to its users, but if you are fond of something esoteric, check whether the
+bulletins to their users, but if you are fond of something esoteric, check
-developers have a documented mechanism of alerting the users about security
+whether the developers have a documented mechanism of alerting the users about
-vulnerabilities and patches. Absence of such mechanism is a major warning sign
+security vulnerabilities and patches. Absence of such mechanism is a major
-that the distribution is not mature enough to be considered for a primary admin
+warning sign that the distribution is not mature enough to be considered for a
-workstation.
+primary admin workstation.
 #### Timely and trusted security updates
-Most widely used distributions deliver security updates, but is worth checking
+Most of the widely used distributions deliver regular security updates, but is
-to ensure that critical package updates are provided in a timely fashion. Avoid
+worth checking to ensure that critical package updates are provided in a
-using spin-offs and "community rebuilds" for this reason, as they routinely
+timely fashion. Avoid using spin-offs and "community rebuilds" for this
-delay security updates due to having to wait for the upstream distribution to
+reason, as they routinely delay security updates due to having to wait for the
-release it first.
+upstream distribution to release it first.
 You'll be hard-pressed to find a distribution that does not use cryptographic
 signatures on packages, updates metadata, or both. That being said, fairly
@ -226,11 +228,11 @@ All distributions are different, but here are general guidelines:
 Unless you are using self-encrypting hard drives, it is important to configure
 your installer to fully encrypt all the disks that will be used for storing
 your data and your system files. It is not sufficient to simply encrypt the
-user directory via auto-mounting cryptfs loop files (I'm looking at you,
+user directory via auto-mounting cryptfs loop files (I'm looking at you, older
-Ubuntu), as this offers no protection for system binaries or swap, which is
+versions of Ubuntu), as this offers no protection for system binaries or swap,
-likely to contain a slew of sensitive data. The recommended encryption strategy
+which is likely to contain a slew of sensitive data. The recommended
-is to encrypt the LVM device, so only one passphrase is required during the
+encryption strategy is to encrypt the LVM device, so only one passphrase is
-boot process.
+required during the boot process.
 The `/boot` partition will always remain unencrypted, as the bootloader needs
 to be able to actually boot the kernel before invoking LUKS/dm-crypt. The
@ -262,15 +264,15 @@ passphrases and keep them in a safe place away from your work desk.
 #### Root, user passwords and the admin group
-I recommend that you use the same passphrase for your root password as you use
+We recommend that you use the same passphrase for your root password as you
-for your LUKS encryption (unless you share your laptop with other trusted
+use for your LUKS encryption (unless you share your laptop with other trusted
-people who should be able to unlock the drives, but shouldn't be able to become
+people who should be able to unlock the drives, but shouldn't be able to
-root). If you are the sole user of the laptop, then having your root password
+become root). If you are the sole user of the laptop, then having your root
-be different from your LUKS password has no meaningful security advantages.
+password be different from your LUKS password has no meaningful security
-Generally, you can use the same passphrase for your UEFI administration, disk
+advantages.  Generally, you can use the same passphrase for your UEFI
-encryption, and root account -- knowing any of these will give an attacker full
+administration, disk encryption, and root account -- knowing any of these will
-control of your system anyway, so there is little security benefit to have them
+give an attacker full control of your system anyway, so there is little
-be different on a single-user workstation.
+security benefit to have them be different on a single-user workstation.
 You should have a different, but equally strong password for your regular user
 account that you will be using for day-to-day tasks. This user should be member
@ -395,9 +397,9 @@ configuration changes, etc). If you are not willing to take these steps and
 adjust how you do things on your own workstation, these tools will introduce
 hassle without any tangible security benefit.
-I do recommend that you install `rkhunter` and run it nightly. It's fairly easy
+We do recommend that you install `rkhunter` and run it nightly. It's fairly
-to learn and use, and though it will not deter a sophisticated attacker, it may
+easy to learn and use, and though it will not deter a sophisticated attacker,
-help you catch your own mistakes.
+it may help you catch your own mistakes.
 ## Personal workstation backups
@ -475,8 +477,8 @@ sometimes they are limited to allowing one to read local browser storage,
 steal active sessions from other tabs, capture input entered into the browser,
 etc. Using two different browsers, one for work/high security sites, and
 another for everything else will help prevent minor compromises from giving
-attackers access to the whole proverbial cookie jar. The main inconvenience
+attackers access to the whole cookie jar. The main inconvenience will be the
-will be the amount of memory consumed by two different browser processes.
+amount of memory consumed by two different browser processes.
 Here's what we recommend:
@ -490,16 +492,16 @@ this browser for accessing any other sites except select few.
 You should install the following Firefox add-ons:
 - [ ] NoScript _(CRITICAL)_
-  - NoScript prevents active content from loading, unless specifically
+  - NoScript prevents active content from loading, except from user
-    whitelisted. It is a great hassle to use with your default browser
+    whitelisted domains. It is a great hassle to use with your default browser
    (though offers really good security benefits), so we recommend only
    enabling it on the browser you use to access work-related sites.
 - [ ] Ghostery _(CRITICAL)_
  - Ghostery will prevent most external trackers and ad platforms from being
-    loaded on the pages, which will help avoid compromises on these tracking
+    loaded, which will help avoid compromises on these tracking sites from
-    sites from affecting your browser (trackers and ad sites are very commonly
+    affecting your browser (trackers and ad sites are very commonly targeted
-    targeted by attackers, as they allow rapid infection of thousands of systems
+    by attackers, as they allow rapid infection of thousands of systems
    worldwide).
 - [ ] HTTPS Everywhere _(CRITICAL)_
@ -510,8 +512,9 @@ You should install the following Firefox add-ons:
 - [ ] Certificate Patrol _(MODERATE)_
  - This tool will alert you if the site you're accessing has recently changed
    their TLS certificates -- especially if it wasn't nearing expiration dates
-    or if it is now using a different certification authority. Note, that this
+    or if it is now using a different certification authority. It helps
-    will generate a lot of false-positives.
+    alert you if someone is trying to man-in-the-middle your connection,
    but generates a lot of benign false-positives.
 You should leave Firefox as your default browser for opening links, as
 NoScript will prevent most active content from loading or executing.
@ -534,12 +537,12 @@ indicate that this is your "untrusted sites" browser.
 This is a similar recommendation to the above, except you will add an extra
 step of running Chrome inside a dedicated VM that you access via a fast
-protocol that allows you to share clipboards and forwards sound events (e.g.
+protocol, allowing you to share clipboards and forward sound events (e.g.
 Spice or RDP). This will add an excellent layer of isolation between the
 untrusted browser and the rest of your work environment, ensuring that
-attackers who manage to fully compromise your browser will then have to then
+attackers who manage to fully compromise your browser will then have to
-break out of the VM isolation layer in order to get to the rest of your
+additionally break out of the VM isolation layer in order to get to the rest
-system.
+of your system.
 This is a surprisingly workable configuration, but requires a lot of RAM and
 fast processors that can handle the increased load. It will also require an
@ -572,8 +575,9 @@ especially for critical applications.
 ##### In-browser password manager
 Every browser has a mechanism for saving passwords that is fairly secure and
-can sync with vendor-provided cloud storage by first encrypting the data with
+can sync with vendor-maintained cloud storage while keeping the data encrypted
-a passphrase. However, this mechanism has important disadvantages:
+with a user-provided passphrase. However, this mechanism has important
 disadvantages:
 1. It does not work across browsers
 2. It does not offer any way of sharing credentials with team members
@ -585,29 +589,26 @@ search engines.
 ##### Standalone password manager
-One of the major drawbacks of any password manager that is integrated with
+One of the major drawbacks of any password manager that comes integrated with
 the browser is the fact that it's part of the application that is most likely
 to be attacked by intruders. If this makes you uncomfortable (and it should),
 you may choose to have two different password managers -- one for websites
-that is integrated into your browser, and one as a standalone application. The
+that is integrated into your browser, and one that runs as a standalone
-latter can be used to store high-risk credentials such as root passwords,
+application. The latter can be used to store high-risk credentials such as
-database passwords, other shell account credentials, etc.
+root passwords, database passwords, other shell account credentials, etc.
 It may be particularly useful to have such tool for sharing superuser account
-credentials with other members of your team. The best is, obviously, not to
+credentials with other members of your team (server root passwords, ILO
-have shared account credentials at all and manage superuser access via
+passwords, database admin passwords, bootloader passwords, etc).
 role-based tools such as sudo and group membership. However, not all
 systems are easily managed that way, so having a way to securely pass account
 credentials to other members of your team may be very handy.
 A few tools can help you:
 - [KeePassX][8], which improves team sharing in version 2
 - [Pass][9], which uses text files and PGP and integrates with git
 - [Django-Pstore][10], which uses GPG to share credentials between admins
- [Hiera-Eyaml][11], if you are already using Puppet for your infrastructure,
+- [Hiera-Eyaml][11], which, if you are already using Puppet for your
-  this may be a handy way to track your server/service credentials as part of
+  infrastructure, may be a handy way to track your server/service credentials
-  your encrypted Hiera data store
+  as part of your encrypted Hiera data store
 ### Securing SSH and PGP private keys
@ -615,7 +616,7 @@ Personal encryption keys, including SSH and PGP private keys, are going to be
 the most prized items on your workstation -- something the attackers will be
 most interested in obtaining, as that would allow them to further attack your
 infrastructure or impersonate you to other admins. You should take extra steps
-to ensure that they are well protected against theft.
+to ensure that your private keys are well protected against theft.
 #### Checklist
@ -633,17 +634,18 @@ several manufacturers that offer OpenPGP capable devices:
 - [Kernel Concepts][12], where you can purchase both the OpenPGP compatible
  smartcards and the USB readers, should you need one.
 - [Yubikey NEO][13], which offers OpenPGP smartcard functionality in addition
-  to other features.
+  to many other cool features (U2F, PIV, HOTP, etc).
 It is also important to make sure that the master PGP key is not stored on the
 main workstation, and only subkeys are used. The master key will only be
 needed when signing someone else's keys or creating new subkeys -- operations
 which do not happen very frequently. You may follow [the Debian's subkeys][14]
-guide to learn how to move your master key to removable storage.
+guide to learn how to move your master key to removable storage and how to
 create subkeys.
 You should then configure your gnupg agent to act as ssh agent and use the
 smartcard-based PGP Auth key to act as your ssh private key. We publish a
-[detailed guide][15] on how to do that using either a smartcard reader or
+[detailed guide][15] on how to do that using either a smartcard reader or a
 Yubikey NEO.
 If you are not willing to go that far, at least make sure you have a strong
@ -667,8 +669,8 @@ maximize your workstation security.
 SELinux is a Mandatory Access Controls (MAC) extension to core POSIX
 permissions functionality. It is mature, robust, and has come a long way since
-its initial roll-out, but most people to this day repeat the outdated mantra
+its initial roll-out. Regardless, many sysadmins to this day repeat the
-of "just turn it off."
+outdated mantra of "just turn it off."
 That being said, SELinux will have limited security benefits on the
 workstation, as most applications you will be running as a user are going to
@ -676,6 +678,8 @@ be running unconfined. It does provide enough net benefit to warrant leaving
 it on, as it will likely help prevent an attacker from escalating privileges
 to gain root-level access via a vulnerable daemon service.
 Our recommendation is to leave it on and enforcing.
 ##### Never `setenforce 0`
 It's tempting to use `setenforce 0` to flip SELinux into permissive mode
@ -684,14 +688,15 @@ off SELinux for the entire system, while what you really want is to
 troubleshoot a particular application or daemon.
 Instead of `setenforce 0` you should be using `semanage permissive -a
-somedomain_t` to put only that domain into permissive mode. First, find out
+[somedomain_t]` to put only that domain into permissive mode. First, find out
 which domain is causing troubles by running `ausearch`:
    ausearch -ts recent -m avc
-and then look for `scontext=` line, like so:
+and then look for `scontext=` (source SELinux context) line, like so:
    scontext=staff_u:staff_r:gpg_pinentry_t:s0-s0:c0.c1023
                             ^^^^^^^^^^^^^^
 This tells you that the domain being denied is `gpg_pinentry_t`, so if you
 want to troubleshoot the application, you should add it to permissive domains:
@ -699,19 +704,24 @@ want to troubleshoot the application, you should add it to permissive domains:
    semange permissive -a gpg_pinentry_t
 This will allow you to use the application and collect the rest of the AVCs,
-which you can then use in conjunction with `audit2allow`.
+which you can then use in conjunction with `audit2allow` to write a local
 policy. Once that is done and you see no new AVC denials, you can remove that
 domain from permissive by running:
    semanage permissive -d gpg_pinentry_t
 ##### Use your workstation as SELinux role staff_r
-SELinux comes with a concept of roles, which will prohibit or grant certain
+SELinux comes with a native implementation of roles that prohibit or grant
-privileges based on the role associated with the user account. As an
+certain privileges based on the role associated with the user account. As an
 administrator, you should be using the `staff_r` role, which will restrict
-access to many configuration and hardware directories, unless you first
+access to many configuration and other security-sensitive files, unless you
-perform `sudo`.
+first perform `sudo`.
-By default, accounts are created as `unconfined_r`, which will run most
+By default, accounts are created as `unconfined_r` and most applications you
-applications you execute without any SELinux constraints. To switch your
+execute will run unconfined, without any (or with only very few) SELinux
-account to the `staff_r` role, run the following command:
+constraints. To switch your account to the `staff_r` role, run the following
 command:
    usermod -Z staff_u [username]