Linux Foundation's security checklist can help sysadmins harden workstations

The group has published a new list of recommendations that range from moderate to paranoid

If you're a Linux user, especially a systems administrator, the Linux Foundation has some security tips to share with you, and they're quite good.

Konstantin Ryabitsev, the Foundation's director of collaborative IT services, published the security checklist that the organization uses to harden the laptops of its remote sysadmins against attacks.

The recommendations aim to balance security decisions with usability and are accompanied by explanations of why they were considered. They also have different severity levels: critical, moderate, low and paranoid.

Critical recommendations are those whose implementation should be considered a must-do. They include things like enabling SecureBoot to prevent rootkits or "Evil Maid" attacks, and choosing a Linux distribution that supports native full disk encryption, has timely security updates, provides cryptographic verification of packages and supports Mandatory Access Control (MAC) or Role-Based Access Control (RBAC) mechanisms like SELinux, AppArmor or Grsecurity.

Other critical recommendations include making sure the swap partition is also encrypted, requiring a password to edit the bootloader, setting up a robust root password and using an unprivileged account with a separate password for regular operations. The critical checklist also advises disabling hardware modules with direct full memory access like Firewire or Thunderbolt, filtering all incoming ports and setting up an encrypted backup routine to external storage.

Protecting passwords and cryptographic keys like those used to authenticate over SSH is extremely important, because they are some of the most sought after pieces of information by hackers. The Linux Foundation's recommendations include using a password manager, choosing unique passwords for different websites and protecting private keys with strong passphrases.

Recommendations flagged as paranoid are those that have significant security benefits, but which might take some effort to implement or understand. They include running an intrusion detection system and using separate password managers for websites and other types of accounts.

There are many other tips flagged as moderate or low severity that should definitely be considered as well, such as automatic OS updates, disabling the SSH server on the workstation, storing authentication, signing and encryption keys on smartcard devices and putting PGP master keys on removable storage.

When it comes to Web browsing, one of the most common and risky operations that users engage in, the Linux Foundation recommends the use of two separate browsers: Mozilla Firefox with the NoScript, Privacy Badger, HTTPS Everywhere and Certificate Patrol add-ons for work-related sites, and Google Chrome with Privacy Badger and HTTPS Everywhere for everything else.

Following the security tips in the Foundation's document is by no means a guarantee that the system will not get compromised, but it would certainly make the job much harder for attackers.

"Security is just like driving on the highway -- anyone going slower than you is an idiot, while anyone driving faster than you is a crazy person," Ryabitsev said in the document's introduction. "These guidelines are merely a basic set of core safety rules that is neither exhaustive, nor a replacement for experience, vigilance, and common sense."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?