Konstantin Ryabitsev, the foundation’s director of collaborative IT services, developed the list for the use of LF remote sysadmins, to harden their laptops against attacks. However, the foundation has not asked for universal adoption.
The document covers a variety of situations, and it includes explanations about why certain measures are necessary and how best to implement them.
“Checklists and best practices documents are how Linux Foundation IT works internally. We are just taking an extra step of making generalized versions of these documents available to others under free documentation licenses, in hopes that they are useful to other teams. We have been doing this for months as part of our regular work,” Ryabitsev told LinuxInsider.
The security checklist strikes a balance between security decisions and usability issues, according to Ryabitsev. It categorizes security according to four severity levels: critical, moderate, low and paranoid.
Critical recommendations consist of implementations that should be mandated: for instance, enabling SecureBoot to prevent rootkits or evil maid attacks, and choosing a Linux distribution that supports native full disk encryption.
Other factors deemed critical are using Linux products with timely security updates and cryptographic verification of packages. Also on the critical list are support for mandatory access control or role-based access control mechanisms like SELinux, AppArmor or Grsecurity.
More key critical guidelines include encrypting the swap partition, requiring a password to edit the bootloader, setting up a robust root password, and using an unprivileged account with a separate password for regular operations.
Further, using a password manager, choosing unique passwords for different websites, and protecting private keys with strong passphrases are considered critical.
From Moderate to Paranoid
The moderate and low severity guidelines offer substantial security value. Among them are running automatic operating system updates, disabling the SSH server on the workstation, storing authentication, having signing and encryption keys on smartcard devices, and putting PGP master keys on removable storage.
There are moderate and low severity guidelines for Web-surfing software, the Linux Foundation’s Ryabitsev noted.
For example, using two separate browsers is far from frivolous, he said, recommending Mozilla Firefox and Google Chrome.
The security angle focuses on which add-ons or extensions are paired with the browsers. For example, Firefox should have NoScript, Privacy Badger, HTTPS Everywhere and Certificate Patrol add-ons for work-related sites. Google Chrome should have Privacy Badger and HTTPS Everywhere installed.
The Linux Foundation’s recommendations labeled “paranoid” are for IT workers interested in implementing the ultimate security steps.
Guidelines for the paranoid IT worker include measures that have the potential for significant extra security benefits but that might take considerable effort to implement or understand. Two such items are running an intrusion-detection system, and using separate password managers for websites and other types of accounts.
The security checklist from the Linux Foundation is a shining example of a measured security guideline, according to Patrick Morgan, senior software engineer at CabForward.com.
“The vast majority of the list details best practice and pragmatically addresses the security pitfalls of modern desktop computing. Few if any of the concepts and software technologies mentioned should be new to the intended audience,” he told LinuxInsider.
IT works in an age of economically motivated computer attacks and politically driven pervasive monitoring and compromised networks. That makes system administrators primary targets, Morgan said.
A number of security problems have afflicted Linux systems recently, Ryabitsev noted.
“Systems administrators should approach this document just like they do all other open source resources,” he said.
“They can evaluate it, adapt it, hack on it until it fits their purpose, and hopefully contribute back via patches or feedback so others can, in turn, benefit from their work. That is one of the wonderful things about open source. If you create something, you share it and see where it goes,” Ryabitsev added.
“People are engaging with the document and sharing their feedback,” he pointed out. “We do believe that with many eyes all bugs are shallow, and the more people engage and learn from one another around security best practices, the better.”
Sysadmins’ computers offer a gold mine of opportunities for hackers. Gaining access to emails, text files and notes, contact lists, encryption keys, and ephemeral browser sessions allows them to abuse end users, clients and employers, Morgan noted.
“That makes your machine more valuable than any other single target. It should be protected as such,” he said.
IT workers are more responsible than the average computer user. So if IT pros are not following these guidelines at a minimum, they are doing everyone they support — and the Internet in general — a disservice.
“Sloth and ignorance are not valid excuses,” said Morgan.
Sysadmins definitely should put the checklist recommendations into full play, urged Tom O’Connor, lead product engineer for Linux solutions at Raytheon|Websense.
“The checklist admits to not being exhaustive and open to adaptation and tailoring,” he told LinuxInsider.
For an admin just starting a security project focusing on mobile Linux workstations, this checklist would be a great baseline. For an existing enterprise with mobile Linux assets and existing security practices and policies in place, it would be a good measuring stick for finding and addressing any gaps in coverage, O’Connor noted.
“Should this checklist be the only tool used for securing mobile Linux users? No. The Linux Foundation does not claim this checklist to be exhaustive. I found the checklist to be a perfectly reasonable set of steps to take in securing Linux mobile workstation environments,” he said.
In today’s hostile environment, IT workers can not be too paranoid about security issues, suggested Rob Kraus, director of security research and strategy at Solutionary.
“Linux or not, deep understanding of security is not the core competency of most system administrators I have encountered over the years. This is part of the reason we have focused on people who fill the security roles within organizations of all sizes,” he told LinuxInsider.
The primary rule of security is for IT to be paranoid, he said. “If you are not, then what are you doing in security, and how effective are you really being at protecting your organization today? In short, always leverage the tools that can make you successful. Checklists are nothing new and probably not used as much as they could be.”