The Linux Foundation’s Security Checklist

There’s nothing really new in this, but it’s interesting to see what the Linux Foundation considers to be worthy of membership in the list.  I’ve removed some redundancy and consolidated their points in a different (superior, if you ask me) organizational format for easier browsing:

Hardware

-[Nice] Disable or remove FireWire, Thunderbolt, or ExpressCard ports
-[Nice] Use a TPM chip

Pre-Boot Environment

-[Essential] Enable SecureBoot
-[Essential] Use UEFI instead of BIOS
-[Essential] Password-protect the UEFI or BIOS configuration screen
-[Nice] Require a UEFI password to boot the system

Operating System Security

Encryption:
-[Essential] Robust native full disk encryption support
-[Essential] Encrypt swap

Authentication and Authorization:
-[Essential] Configure a robust bootloader password
-[Essential] Configure a robust root password
-[Essential] Configure a robust non-privileged user account password
-[Essential] Use the non-privileged user account(s) for standard system activities
-[Essential] Robust MAC/RBAC implementation (SELinux/AppArmor/GrSecurity)

Software Management:
-[Essential] Security bulletin publishing by distribution maintainers
-[Essential] Timely security patches provided by distribution maintainers
-[Essential] Cryptographic verification of patches by distribution maintainers
-[Essential] Use automatic updates

Networking:
-[Essential] Accurately configure the system’s firewall to allow access only to essential services

General Security Practice:
-[Essential] Forward root mail to a maintained administrative mailbox
-[Nice] Set up logwatch
-[Nice] Install and use rkhunter
-[Nice] Install and use an Intrusion Detection System
-[Nice] Configure a screen-saver auto-lock
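
Several of the items above can be spot-checked from a shell on a running system. The script below is an added example, not part of the Linux Foundation's checklist or of the original post; it only reads kernel-exported files, and the `ROOT` prefix, the `--audit` argument and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only spot checks for four of the checklist items above.
# ROOT is a hypothetical prefix so the checks can also run against a fixture tree.
ROOT="${ROOT:-}"
SB_VAR="sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# [Essential] Use UEFI instead of BIOS: this directory exists only on EFI boots.
check_uefi() { [ -d "$ROOT/sys/firmware/efi" ]; }

# [Essential] Enable SecureBoot: efivarfs prepends 4 attribute bytes; byte 5 is the value.
check_secureboot() {
    [ -r "$ROOT/$SB_VAR" ] || return 1
    [ "$(od -An -tu1 -j4 -N1 "$ROOT/$SB_VAR" | tr -d ' \n')" = "1" ]
}

# [Essential] Encrypt swap: every active swap area must be a dm-crypt mapping
# (device-mapper UUID starts with CRYPT-). Anything else is reported for review.
check_swap_encrypted() {
    rc=0
    while read -r dev type rest; do
        [ "$dev" = "Filename" ] && continue    # header line of /proc/swaps
        uuid=$(cat "$ROOT/sys/block/${dev##*/}/dm/uuid" 2>/dev/null || true)
        case "$uuid" in
            CRYPT-*) ;;
            *) echo "swap not on dm-crypt: $dev ($type)" >&2; rc=1 ;;
        esac
    done < "$ROOT/proc/swaps"
    return "$rc"
}

# [Essential] MAC/RBAC: SELinux enforcing, or AppArmor in the active LSM list
# (AppArmor profile coverage is not checked here).
check_mac() {
    [ "$(cat "$ROOT/sys/fs/selinux/enforce" 2>/dev/null || true)" = "1" ] && return 0
    grep -qw apparmor "$ROOT/sys/kernel/security/lsm" 2>/dev/null
}

# Run every check, print PASS/FAIL per item, return the number of failures.
audit() {
    fails=0
    for c in check_uefi check_secureboot check_swap_encrypted check_mac; do
        if "$c"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# --audit is a hypothetical argument for this example.
if [ "${1:-}" = "--audit" ]; then audit; fi
```

A system with no active swap passes the swap check, since there is nothing to encrypt; zram and swap files are reported because they are not dm-crypt mappings and need a manual look.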

I love a good checklist, and this one seems rudimentary, but solid as a very basic introduction.  It’d be cool if they had gone for a more thorough product rather than hide behind the same disclaimer you see everywhere, but that’s ok.  If you’re looking for something more along those lines, I recommend checking out the Center for Internet Security’s OS benchmarks.  They are certainly not without fault (including a disappointing number of typos and poorly-written commands), but they give a nice idea of what modern system administrators and engineers consider to be a high degree of security.

I’m glad the Linux Foundation marked as essential the use of MAC/RBAC, such as SELinux.  I’ve even heard security professionals in important roles declare SELinux “more trouble than it’s worth” and I am definitely on the other side of that debate, as you might suspect from my System Defense Stack write-up.
