Content tweaks
This commit is contained in:
parent
155b098d93
commit
f9adb8bf80
|
@ -3,22 +3,22 @@
|
||||||
This is a set of recommendations used by the Linux Foundation for their systems
|
This is a set of recommendations used by the Linux Foundation for their systems
|
||||||
administrators. All of LF employees are remote workers and we use this set of
|
administrators. All of LF employees are remote workers and we use this set of
|
||||||
guidelines to ensure that a sysadmin's system passes core security requirements
|
guidelines to ensure that a sysadmin's system passes core security requirements
|
||||||
in order to reduce the risk of it becoming the attack vector against the rest
|
in order to reduce the risk of it becoming an attack vector against the rest
|
||||||
of our infrastructure.
|
of our infrastructure.
|
||||||
|
|
||||||
Even if your systems administrators are not remote workers, chances are that
|
Even if your systems administrators are not remote workers, chances are that
|
||||||
they perform a lot of their work either from a portable laptop in a work
|
they perform a lot of their work either from a portable laptop in a work
|
||||||
environment, or set up their home systems to access work infrastructure for
|
environment, or set up their home systems to access the work infrastructure
|
||||||
after-hours/emergency support. In either case, you can adapt this set of
|
for after-hours/emergency support. In either case, you can adapt this set of
|
||||||
recommendations to suit your environment.
|
recommendations to suit your environment.
|
||||||
|
|
||||||
This, by no means, is an exhaustive "workstation hardening" document, but
|
This, by no means, is an exhaustive "workstation hardening" document, but
|
||||||
rather an attempt at a set of baseline recommendations to avoid most glaring
|
rather an attempt at a set of baseline recommendations to avoid most glaring
|
||||||
security errors without introducing too much inconvenience. You may read this
|
security errors without introducing too much inconvenience. You may read this
|
||||||
document and think it is way too paranoid, while someone else may think this
|
document and think it is way too paranoid, while someone else may think this
|
||||||
barely scratches the surface. Security is just like driving on a highway --
|
barely scratches the surface. Security is just like driving on the highway --
|
||||||
anyone going slower than you is an idiot, while anyone driving faster than you
|
anyone going slower than you is an idiot, while anyone driving faster than you
|
||||||
is a crazy person. These guidelines are merely a basic set of highway safety
|
is a crazy person. These guidelines are merely a basic set of core safety
|
||||||
rules that is neither exhaustive, nor a replacement for experience, vigilance,
|
rules that is neither exhaustive, nor a replacement for experience, vigilance,
|
||||||
and common sense.
|
and common sense.
|
||||||
|
|
||||||
|
@ -29,7 +29,7 @@ Each section is split into two areas:
|
||||||
|
|
||||||
## Severity levels
|
## Severity levels
|
||||||
|
|
||||||
The items in the checklist include the severity level, which we hope will help
|
The items in each checklist include the severity level, which we hope will help
|
||||||
guide your decision:
|
guide your decision:
|
||||||
|
|
||||||
- _(CRITICAL)_ items should definitely be high on the consideration list.
|
- _(CRITICAL)_ items should definitely be high on the consideration list.
|
||||||
|
@ -43,7 +43,7 @@ guide your decision:
|
||||||
workstation security, but will probably require a lot of adjustment to the
|
workstation security, but will probably require a lot of adjustment to the
|
||||||
way you interact with your operating system.
|
way you interact with your operating system.
|
||||||
|
|
||||||
Remember, these are only guidelines. If you feel the severity levels do not
|
Remember, these are only guidelines. If you feel these severity levels do not
|
||||||
reflect your project's commitment to security, you should adjust them as you
|
reflect your project's commitment to security, you should adjust them as you
|
||||||
see fit.
|
see fit.
|
||||||
|
|
||||||
|
@ -69,9 +69,9 @@ plus there is a pretty high degree of certainty that state security agencies
|
||||||
have ways to defeat it (probably by design), but having SecureBoot is better
|
have ways to defeat it (probably by design), but having SecureBoot is better
|
||||||
than having nothing at all.
|
than having nothing at all.
|
||||||
|
|
||||||
Alternatively, you may set up [Anti Evil Maid][1] which offers more wholesome
|
Alternatively, you may set up [Anti Evil Maid][1] which offers a more
|
||||||
protection against the type of attacks that SecureBoot is supposed to prevent,
|
wholesome protection against the type of attacks that SecureBoot is supposed
|
||||||
but it will require more effort to set up and maintain.
|
to prevent, but it will require more effort to set up and maintain.
|
||||||
|
|
||||||
#### Firewire, thunderbolt, and ExpressCard ports
|
#### Firewire, thunderbolt, and ExpressCard ports
|
||||||
|
|
||||||
|
@ -147,39 +147,41 @@ what you should consider when picking a distribution to use.
|
||||||
|
|
||||||
#### SELinux, AppArmor, and GrSecurity/PaX
|
#### SELinux, AppArmor, and GrSecurity/PaX
|
||||||
|
|
||||||
Mandatory Access Controls (MAC) or Role-Based Access Controls are an extension
|
Mandatory Access Controls (MAC) or Role-Based Access Controls (RBAC) are an
|
||||||
of the basic user/group security mechanism used in legacy POSIX systems. Most
|
extension of the basic user/group security mechanism used in legacy POSIX
|
||||||
distributions these days either already come bundled with a MAC/RBAC
|
systems. Most distributions these days either already come bundled with a
|
||||||
implementation (Fedora, Ubuntu), or provide a mechanism to add it via an
|
MAC/RBAC implementation (Fedora, Ubuntu), or provide a mechanism to add it via
|
||||||
optional post-installation step (Gentoo, Arch, Debian). Obviously, it is highly
|
an optional post-installation step (Gentoo, Arch, Debian). Obviously, it is
|
||||||
advised that you pick a distribution that comes pre-configured with a MAC/RBAC
|
highly advised that you pick a distribution that comes pre-configured with a
|
||||||
system, but if you have strong feelings about a distribution that doesn't come
|
MAC/RBAC system, but if you have strong feelings about a distribution that
|
||||||
with one enabled by default, do plan to configure it post-installation.
|
doesn't have one enabled by default, do plan to configure it
|
||||||
|
post-installation.
|
||||||
|
|
||||||
Distributions that do not provide any MAC/RBAC mechanisms should be strongly
|
Distributions that do not provide any MAC/RBAC mechanisms should be strongly
|
||||||
avoided, as traditional POSIX user- and group-based security mechanisms should
|
avoided, as traditional POSIX user- and group-based security should be
|
||||||
be considered insufficient in this day and age. If you would like to start out
|
considered insufficient in this day and age. If you would like to start out
|
||||||
with a MAC/RBAC workstation, AppArmor and PaX are generally considered easier
|
with a MAC/RBAC workstation, AppArmor and PaX are generally considered easier
|
||||||
to learn than SELinux. Furthermore, on a workstation, where there are few or no
|
to learn than SELinux. Furthermore, on a workstation, where there are few or
|
||||||
externally listening daemons, and where user-run applications pose the highest
|
no externally listening daemons, and where user-run applications pose the
|
||||||
risk, GrSecurity/PaX will _probably_ offer more security benefits than SELinux.
|
highest risk, GrSecurity/PaX will _probably_ offer more security benefits than
|
||||||
|
SELinux.
|
||||||
|
|
||||||
#### Distro security bulletins
|
#### Distro security bulletins
|
||||||
|
|
||||||
Most widely used distributions have a mechanism to deliver security bulletins
|
Most of the widely used distributions have a mechanism to deliver security
|
||||||
to its users, but if you are fond of something esoteric, check whether the
|
bulletins to their users, but if you are fond of something esoteric, check
|
||||||
developers have a documented mechanism of alerting the users about security
|
whether the developers have a documented mechanism of alerting the users about
|
||||||
vulnerabilities and patches. Absence of such mechanism is a major warning sign
|
security vulnerabilities and patches. Absence of such mechanism is a major
|
||||||
that the distribution is not mature enough to be considered for a primary admin
|
warning sign that the distribution is not mature enough to be considered for a
|
||||||
workstation.
|
primary admin workstation.
|
||||||
|
|
||||||
#### Timely and trusted security updates
|
#### Timely and trusted security updates
|
||||||
|
|
||||||
Most widely used distributions deliver security updates, but is worth checking
|
Most of the widely used distributions deliver regular security updates, but is
|
||||||
to ensure that critical package updates are provided in a timely fashion. Avoid
|
worth checking to ensure that critical package updates are provided in a
|
||||||
using spin-offs and "community rebuilds" for this reason, as they routinely
|
timely fashion. Avoid using spin-offs and "community rebuilds" for this
|
||||||
delay security updates due to having to wait for the upstream distribution to
|
reason, as they routinely delay security updates due to having to wait for the
|
||||||
release it first.
|
upstream distribution to release it first.
|
||||||
|
|
||||||
You'll be hard-pressed to find a distribution that does not use cryptographic
|
You'll be hard-pressed to find a distribution that does not use cryptographic
|
||||||
signatures on packages, updates metadata, or both. That being said, fairly
|
signatures on packages, updates metadata, or both. That being said, fairly
|
||||||
|
@ -226,11 +228,11 @@ All distributions are different, but here are general guidelines:
|
||||||
Unless you are using self-encrypting hard drives, it is important to configure
|
Unless you are using self-encrypting hard drives, it is important to configure
|
||||||
your installer to fully encrypt all the disks that will be used for storing
|
your installer to fully encrypt all the disks that will be used for storing
|
||||||
your data and your system files. It is not sufficient to simply encrypt the
|
your data and your system files. It is not sufficient to simply encrypt the
|
||||||
user directory via auto-mounting cryptfs loop files (I'm looking at you,
|
user directory via auto-mounting cryptfs loop files (I'm looking at you, older
|
||||||
Ubuntu), as this offers no protection for system binaries or swap, which is
|
versions of Ubuntu), as this offers no protection for system binaries or swap,
|
||||||
likely to contain a slew of sensitive data. The recommended encryption strategy
|
which is likely to contain a slew of sensitive data. The recommended
|
||||||
is to encrypt the LVM device, so only one passphrase is required during the
|
encryption strategy is to encrypt the LVM device, so only one passphrase is
|
||||||
boot process.
|
required during the boot process.
|
||||||
|
|
||||||
The `/boot` partition will always remain unencrypted, as the bootloader needs
|
The `/boot` partition will always remain unencrypted, as the bootloader needs
|
||||||
to be able to actually boot the kernel before invoking LUKS/dm-crypt. The
|
to be able to actually boot the kernel before invoking LUKS/dm-crypt. The
|
||||||
|
@ -262,15 +264,15 @@ passphrases and keep them in a safe place away from your work desk.
|
||||||
|
|
||||||
#### Root, user passwords and the admin group
|
#### Root, user passwords and the admin group
|
||||||
|
|
||||||
I recommend that you use the same passphrase for your root password as you use
|
We recommend that you use the same passphrase for your root password as you
|
||||||
for your LUKS encryption (unless you share your laptop with other trusted
|
use for your LUKS encryption (unless you share your laptop with other trusted
|
||||||
people who should be able to unlock the drives, but shouldn't be able to become
|
people who should be able to unlock the drives, but shouldn't be able to
|
||||||
root). If you are the sole user of the laptop, then having your root password
|
become root). If you are the sole user of the laptop, then having your root
|
||||||
be different from your LUKS password has no meaningful security advantages.
|
password be different from your LUKS password has no meaningful security
|
||||||
Generally, you can use the same passphrase for your UEFI administration, disk
|
advantages. Generally, you can use the same passphrase for your UEFI
|
||||||
encryption, and root account -- knowing any of these will give an attacker full
|
administration, disk encryption, and root account -- knowing any of these will
|
||||||
control of your system anyway, so there is little security benefit to have them
|
give an attacker full control of your system anyway, so there is little
|
||||||
be different on a single-user workstation.
|
security benefit to have them be different on a single-user workstation.
|
||||||
|
|
||||||
You should have a different, but equally strong password for your regular user
|
You should have a different, but equally strong password for your regular user
|
||||||
account that you will be using for day-to-day tasks. This user should be member
|
account that you will be using for day-to-day tasks. This user should be member
|
||||||
|
@ -395,9 +397,9 @@ configuration changes, etc). If you are not willing to take these steps and
|
||||||
adjust how you do things on your own workstation, these tools will introduce
|
adjust how you do things on your own workstation, these tools will introduce
|
||||||
hassle without any tangible security benefit.
|
hassle without any tangible security benefit.
|
||||||
|
|
||||||
I do recommend that you install `rkhunter` and run it nightly. It's fairly easy
|
We do recommend that you install `rkhunter` and run it nightly. It's fairly
|
||||||
to learn and use, and though it will not deter a sophisticated attacker, it may
|
easy to learn and use, and though it will not deter a sophisticated attacker,
|
||||||
help you catch your own mistakes.
|
it may help you catch your own mistakes.
|
||||||
|
|
||||||
## Personal workstation backups
|
## Personal workstation backups
|
||||||
|
|
||||||
|
@ -475,8 +477,8 @@ sometimes they are limited to allowing one to read local browser storage,
|
||||||
steal active sessions from other tabs, capture input entered into the browser,
|
steal active sessions from other tabs, capture input entered into the browser,
|
||||||
etc. Using two different browsers, one for work/high security sites, and
|
etc. Using two different browsers, one for work/high security sites, and
|
||||||
another for everything else will help prevent minor compromises from giving
|
another for everything else will help prevent minor compromises from giving
|
||||||
attackers access to the whole proverbial cookie jar. The main inconvenience
|
attackers access to the whole cookie jar. The main inconvenience will be the
|
||||||
will be the amount of memory consumed by two different browser processes.
|
amount of memory consumed by two different browser processes.
|
||||||
|
|
||||||
Here's what we recommend:
|
Here's what we recommend:
|
||||||
|
|
||||||
|
@ -490,16 +492,16 @@ this browser for accessing any other sites except select few.
|
||||||
You should install the following Firefox add-ons:
|
You should install the following Firefox add-ons:
|
||||||
|
|
||||||
- [ ] NoScript _(CRITICAL)_
|
- [ ] NoScript _(CRITICAL)_
|
||||||
- NoScript prevents active content from loading, unless specifically
|
- NoScript prevents active content from loading, except from user
|
||||||
whitelisted. It is a great hassle to use with your default browser
|
whitelisted domains. It is a great hassle to use with your default browser
|
||||||
(though offers really good security benefits), so we recommend only
|
(though offers really good security benefits), so we recommend only
|
||||||
enabling it on the browser you use to access work-related sites.
|
enabling it on the browser you use to access work-related sites.
|
||||||
|
|
||||||
- [ ] Ghostery _(CRITICAL)_
|
- [ ] Ghostery _(CRITICAL)_
|
||||||
- Ghostery will prevent most external trackers and ad platforms from being
|
- Ghostery will prevent most external trackers and ad platforms from being
|
||||||
loaded on the pages, which will help avoid compromises on these tracking
|
loaded, which will help avoid compromises on these tracking sites from
|
||||||
sites from affecting your browser (trackers and ad sites are very commonly
|
affecting your browser (trackers and ad sites are very commonly targeted
|
||||||
targeted by attackers, as they allow rapid infection of thousands of systems
|
by attackers, as they allow rapid infection of thousands of systems
|
||||||
worldwide).
|
worldwide).
|
||||||
|
|
||||||
- [ ] HTTPS Everywhere _(CRITICAL)_
|
- [ ] HTTPS Everywhere _(CRITICAL)_
|
||||||
|
@ -510,8 +512,9 @@ You should install the following Firefox add-ons:
|
||||||
- [ ] Certificate Patrol _(MODERATE)_
|
- [ ] Certificate Patrol _(MODERATE)_
|
||||||
- This tool will alert you if the site you're accessing has recently changed
|
- This tool will alert you if the site you're accessing has recently changed
|
||||||
their TLS certificates -- especially if it wasn't nearing expiration dates
|
their TLS certificates -- especially if it wasn't nearing expiration dates
|
||||||
or if it is now using a different certification authority. Note, that this
|
or if it is now using a different certification authority. It helps
|
||||||
will generate a lot of false-positives.
|
alert you if someone is trying to man-in-the-middle your connection,
|
||||||
|
but generates a lot of benign false-positives.
|
||||||
|
|
||||||
You should leave Firefox as your default browser for opening links, as
|
You should leave Firefox as your default browser for opening links, as
|
||||||
NoScript will prevent most active content from loading or executing.
|
NoScript will prevent most active content from loading or executing.
|
||||||
|
@ -534,12 +537,12 @@ indicate that this is your "untrusted sites" browser.
|
||||||
|
|
||||||
This is a similar recommendation to the above, except you will add an extra
|
This is a similar recommendation to the above, except you will add an extra
|
||||||
step of running Chrome inside a dedicated VM that you access via a fast
|
step of running Chrome inside a dedicated VM that you access via a fast
|
||||||
protocol that allows you to share clipboards and forwards sound events (e.g.
|
protocol, allowing you to share clipboards and forward sound events (e.g.
|
||||||
Spice or RDP). This will add an excellent layer of isolation between the
|
Spice or RDP). This will add an excellent layer of isolation between the
|
||||||
untrusted browser and the rest of your work environment, ensuring that
|
untrusted browser and the rest of your work environment, ensuring that
|
||||||
attackers who manage to fully compromise your browser will then have to then
|
attackers who manage to fully compromise your browser will then have to
|
||||||
break out of the VM isolation layer in order to get to the rest of your
|
additionally break out of the VM isolation layer in order to get to the rest
|
||||||
system.
|
of your system.
|
||||||
|
|
||||||
This is a surprisingly workable configuration, but requires a lot of RAM and
|
This is a surprisingly workable configuration, but requires a lot of RAM and
|
||||||
fast processors that can handle the increased load. It will also require an
|
fast processors that can handle the increased load. It will also require an
|
||||||
|
@ -572,8 +575,9 @@ especially for critical applications.
|
||||||
##### In-browser password manager
|
##### In-browser password manager
|
||||||
|
|
||||||
Every browser has a mechanism for saving passwords that is fairly secure and
|
Every browser has a mechanism for saving passwords that is fairly secure and
|
||||||
can sync with vendor-provided cloud storage by first encrypting the data with
|
can sync with vendor-maintained cloud storage while keeping the data encrypted
|
||||||
a passphrase. However, this mechanism has important disadvantages:
|
with a user-provided passphrase. However, this mechanism has important
|
||||||
|
disadvantages:
|
||||||
|
|
||||||
1. It does not work across browsers
|
1. It does not work across browsers
|
||||||
2. It does not offer any way of sharing credentials with team members
|
2. It does not offer any way of sharing credentials with team members
|
||||||
|
@ -585,29 +589,26 @@ search engines.
|
||||||
|
|
||||||
##### Standalone password manager
|
##### Standalone password manager
|
||||||
|
|
||||||
One of the major drawbacks of any password manager that is integrated with
|
One of the major drawbacks of any password manager that comes integrated with
|
||||||
the browser is the fact that it's part of the application that is most likely
|
the browser is the fact that it's part of the application that is most likely
|
||||||
to be attacked by intruders. If this makes you uncomfortable (and it should),
|
to be attacked by intruders. If this makes you uncomfortable (and it should),
|
||||||
you may choose to have two different password managers -- one for websites
|
you may choose to have two different password managers -- one for websites
|
||||||
that is integrated into your browser, and one as a standalone application. The
|
that is integrated into your browser, and one that runs as a standalone
|
||||||
latter can be used to store high-risk credentials such as root passwords,
|
application. The latter can be used to store high-risk credentials such as
|
||||||
database passwords, other shell account credentials, etc.
|
root passwords, database passwords, other shell account credentials, etc.
|
||||||
|
|
||||||
It may be particularly useful to have such tool for sharing superuser account
|
It may be particularly useful to have such tool for sharing superuser account
|
||||||
credentials with other members of your team. The best is, obviously, not to
|
credentials with other members of your team (server root passwords, ILO
|
||||||
have shared account credentials at all and manage superuser access via
|
passwords, database admin passwords, bootloader passwords, etc).
|
||||||
role-based tools such as sudo and group membership. However, not all
|
|
||||||
systems are easily managed that way, so having a way to securely pass account
|
|
||||||
credentials to other members of your team may be very handy.
|
|
||||||
|
|
||||||
A few tools can help you:
|
A few tools can help you:
|
||||||
|
|
||||||
- [KeePassX][8], which improves team sharing in version 2
|
- [KeePassX][8], which improves team sharing in version 2
|
||||||
- [Pass][9], which uses text files and PGP and integrates with git
|
- [Pass][9], which uses text files and PGP and integrates with git
|
||||||
- [Django-Pstore][10], which uses GPG to share credentials between admins
|
- [Django-Pstore][10], which uses GPG to share credentials between admins
|
||||||
- [Hiera-Eyaml][11], if you are already using Puppet for your infrastructure,
|
- [Hiera-Eyaml][11], which, if you are already using Puppet for your
|
||||||
this may be a handy way to track your server/service credentials as part of
|
infrastructure, may be a handy way to track your server/service credentials
|
||||||
your encrypted Hiera data store
|
as part of your encrypted Hiera data store
|
||||||
|
|
||||||
### Securing SSH and PGP private keys
|
### Securing SSH and PGP private keys
|
||||||
|
|
||||||
|
@ -615,7 +616,7 @@ Personal encryption keys, including SSH and PGP private keys, are going to be
|
||||||
the most prized items on your workstation -- something the attackers will be
|
the most prized items on your workstation -- something the attackers will be
|
||||||
most interested in obtaining, as that would allow them to further attack your
|
most interested in obtaining, as that would allow them to further attack your
|
||||||
infrastructure or impersonate you to other admins. You should take extra steps
|
infrastructure or impersonate you to other admins. You should take extra steps
|
||||||
to ensure that they are well protected against theft.
|
to ensure that your private keys are well protected against theft.
|
||||||
|
|
||||||
#### Checklist
|
#### Checklist
|
||||||
|
|
||||||
|
@ -633,17 +634,18 @@ several manufacturers that offer OpenPGP capable devices:
|
||||||
- [Kernel Concepts][12], where you can purchase both the OpenPGP compatible
|
- [Kernel Concepts][12], where you can purchase both the OpenPGP compatible
|
||||||
smartcards and the USB readers, should you need one.
|
smartcards and the USB readers, should you need one.
|
||||||
- [Yubikey NEO][13], which offers OpenPGP smartcard functionality in addition
|
- [Yubikey NEO][13], which offers OpenPGP smartcard functionality in addition
|
||||||
to other features.
|
to many other cool features (U2F, PIV, HOTP, etc).
|
||||||
|
|
||||||
It is also important to make sure that the master PGP key is not stored on the
|
It is also important to make sure that the master PGP key is not stored on the
|
||||||
main workstation, and only subkeys are used. The master key will only be
|
main workstation, and only subkeys are used. The master key will only be
|
||||||
needed when signing someone else's keys or creating new subkeys -- operations
|
needed when signing someone else's keys or creating new subkeys -- operations
|
||||||
which do not happen very frequently. You may follow [the Debian's subkeys][14]
|
which do not happen very frequently. You may follow [the Debian's subkeys][14]
|
||||||
guide to learn how to move your master key to removable storage.
|
guide to learn how to move your master key to removable storage and how to
|
||||||
|
create subkeys.
|
||||||
|
|
||||||
You should then configure your gnupg agent to act as ssh agent and use the
|
You should then configure your gnupg agent to act as ssh agent and use the
|
||||||
smartcard-based PGP Auth key to act as your ssh private key. We publish a
|
smartcard-based PGP Auth key to act as your ssh private key. We publish a
|
||||||
[detailed guide][15] on how to do that using either a smartcard reader or
|
[detailed guide][15] on how to do that using either a smartcard reader or a
|
||||||
Yubikey NEO.
|
Yubikey NEO.
|
||||||
|
|
||||||
If you are not willing to go that far, at least make sure you have a strong
|
If you are not willing to go that far, at least make sure you have a strong
|
||||||
|
@ -667,8 +669,8 @@ maximize your workstation security.
|
||||||
|
|
||||||
SELinux is a Mandatory Access Controls (MAC) extension to core POSIX
|
SELinux is a Mandatory Access Controls (MAC) extension to core POSIX
|
||||||
permissions functionality. It is mature, robust, and has come a long way since
|
permissions functionality. It is mature, robust, and has come a long way since
|
||||||
its initial roll-out, but most people to this day repeat the outdated mantra
|
its initial roll-out. Regardless, many sysadmins to this day repeat the
|
||||||
of "just turn it off."
|
outdated mantra of "just turn it off."
|
||||||
|
|
||||||
That being said, SELinux will have limited security benefits on the
|
That being said, SELinux will have limited security benefits on the
|
||||||
workstation, as most applications you will be running as a user are going to
|
workstation, as most applications you will be running as a user are going to
|
||||||
|
@ -676,6 +678,8 @@ be running unconfined. It does provide enough net benefit to warrant leaving
|
||||||
it on, as it will likely help prevent an attacker from escalating privileges
|
it on, as it will likely help prevent an attacker from escalating privileges
|
||||||
to gain root-level access via a vulnerable daemon service.
|
to gain root-level access via a vulnerable daemon service.
|
||||||
|
|
||||||
|
Our recommendation is to leave it on and enforcing.
|
||||||
|
|
||||||
##### Never `setenforce 0`
|
##### Never `setenforce 0`
|
||||||
|
|
||||||
It's tempting to use `setenforce 0` to flip SELinux into permissive mode
|
It's tempting to use `setenforce 0` to flip SELinux into permissive mode
|
||||||
|
@ -684,14 +688,15 @@ off SELinux for the entire system, while what you really want is to
|
||||||
troubleshoot a particular application or daemon.
|
troubleshoot a particular application or daemon.
|
||||||
|
|
||||||
Instead of `setenforce 0` you should be using `semanage permissive -a
|
Instead of `setenforce 0` you should be using `semanage permissive -a
|
||||||
somedomain_t` to put only that domain into permissive mode. First, find out
|
[somedomain_t]` to put only that domain into permissive mode. First, find out
|
||||||
which domain is causing troubles by running `ausearch`:
|
which domain is causing troubles by running `ausearch`:
|
||||||
|
|
||||||
ausearch -ts recent -m avc
|
ausearch -ts recent -m avc
|
||||||
|
|
||||||
and then look for `scontext=` line, like so:
|
and then look for `scontext=` (source SELinux context) line, like so:
|
||||||
|
|
||||||
scontext=staff_u:staff_r:gpg_pinentry_t:s0-s0:c0.c1023
|
scontext=staff_u:staff_r:gpg_pinentry_t:s0-s0:c0.c1023
|
||||||
|
^^^^^^^^^^^^^^
|
||||||
|
|
||||||
This tells you that the domain being denied is `gpg_pinentry_t`, so if you
|
This tells you that the domain being denied is `gpg_pinentry_t`, so if you
|
||||||
want to troubleshoot the application, you should add it to permissive domains:
|
want to troubleshoot the application, you should add it to permissive domains:
|
||||||
|
@ -699,19 +704,24 @@ want to troubleshoot the application, you should add it to permissive domains:
|
||||||
semange permissive -a gpg_pinentry_t
|
semange permissive -a gpg_pinentry_t
|
||||||
|
|
||||||
This will allow you to use the application and collect the rest of the AVCs,
|
This will allow you to use the application and collect the rest of the AVCs,
|
||||||
which you can then use in conjunction with `audit2allow`.
|
which you can then use in conjunction with `audit2allow` to write a local
|
||||||
|
policy. Once that is done and you see no new AVC denials, you can remove that
|
||||||
|
domain from permissive by running:
|
||||||
|
|
||||||
|
semanage permissive -d gpg_pinentry_t
|
||||||
|
|
||||||
##### Use your workstation as SELinux role staff_r
|
##### Use your workstation as SELinux role staff_r
|
||||||
|
|
||||||
SELinux comes with a concept of roles, which will prohibit or grant certain
|
SELinux comes with a native implementation of roles that prohibit or grant
|
||||||
privileges based on the role associated with the user account. As an
|
certain privileges based on the role associated with the user account. As an
|
||||||
administrator, you should be using the `staff_r` role, which will restrict
|
administrator, you should be using the `staff_r` role, which will restrict
|
||||||
access to many configuration and hardware directories, unless you first
|
access to many configuration and other security-sensitive files, unless you
|
||||||
perform `sudo`.
|
first perform `sudo`.
|
||||||
|
|
||||||
By default, accounts are created as `unconfined_r`, which will run most
|
By default, accounts are created as `unconfined_r` and most applications you
|
||||||
applications you execute without any SELinux constraints. To switch your
|
execute will run unconfined, without any (or with only very few) SELinux
|
||||||
account to the `staff_r` role, run the following command:
|
constraints. To switch your account to the `staff_r` role, run the following
|
||||||
|
command:
|
||||||
|
|
||||||
usermod -Z staff_u [username]
|
usermod -Z staff_u [username]
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue