Linux Foundation's security checklist can help sysadmins harden workstations

The group has published a new list of recommendations that range from moderate to paranoid

If you're a Linux user, especially a systems administrator, the Linux Foundation has some security tips to share with you, and they're quite good.

Konstantin Ryabitsev, the Foundation's director of collaborative IT services, published the security checklist that the organization uses to harden the laptops of its remote sysadmins against attacks.

The recommendations aim to balance security decisions with usability and are accompanied by explanations of why they were considered. They also have different severity levels: critical, moderate, low and paranoid.

Critical recommendations are those whose implementation should be considered a must-do. They include things like enabling SecureBoot to prevent rootkits or "Evil Maid" attacks, and choosing a Linux distribution that supports native full disk encryption, has timely security updates, provides cryptographic verification of packages and supports Mandatory Access Control (MAC) or Role-Based Access Control (RBAC) mechanisms like SELinux, AppArmor or Grsecurity.

Other critical recommendations include making sure the swap partition is also encrypted, requiring a password to edit the bootloader, setting up a robust root password and using an unprivileged account with a separate password for regular operations. The critical checklist also advises disabling hardware modules with direct full memory access like Firewire or Thunderbolt, filtering all incoming ports and setting up an encrypted backup routine to external storage.

Protecting passwords and cryptographic keys like those used to authenticate over SSH is extremely important, because they are some of the most sought after pieces of information by hackers. The Linux Foundation's recommendations include using a password manager, choosing unique passwords for different websites and protecting private keys with strong passphrases.

Recommendations flagged as paranoid are those that have significant security benefits, but which might take some effort to implement or understand. They include running an intrusion detection system and using separate password managers for websites and other types of accounts.

There are many other tips flagged as moderate or low severity that should definitely be considered as well, such as automatic OS updates, disabling the SSH server on the workstation, storing authentication, signing and encryption keys on smartcard devices and putting PGP master keys on removable storage.

When it comes to Web browsing, one of the most common and risky operations that users engage in, the Linux Foundation recommends the use of two separate browsers: Mozilla Firefox with the NoScript, Privacy Badger, HTTPS Everywhere and Certificate Patrol add-ons for work-related sites, and Google Chrome with Privacy Badger and HTTPS Everywhere for everything else.

Following the security tips in the Foundation's document is by no means a guarantee that the system will not get compromised, but it would certainly make the job much harder for attackers.

"Security is just like driving on the highway -- anyone going slower than you is an idiot, while anyone driving faster than you is a crazy person," Ryabitsev said in the document's introduction. "These guidelines are merely a basic set of core safety rules that is neither exhaustive, nor a replacement for experience, vigilance, and common sense."

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?