Learn how to work from anywhere and keep your data, identity, and sanity. DOWNLOAD NOW
If your systems administrators are remote workers, you may wish to establish a set of guidelines to help ensure that their workstations pass core security requirements. This will help reduce the risk that they become attack vectors against the rest of your IT infrastructure.
In this new blog series, we’ll lay out a set of baseline recommendations for Linux workstation security to help systems administrators avoid the most glaring security errors without introducing too much inconvenience. These are the same guidelines our own 100 percent remote team uses every day to access and manage the IT infrastructure for dozens of The Linux Foundation projects including Linux, Hyperledger, Kubernetes, and others.
Even if your systems administrators are not remote workers, chances are that they perform a lot of their work either from a portable laptop in a work environment, or set up their home systems to access the work infrastructure for after-hours/emergency support. In either case, you can adapt these recommendations to suit your environment.
You may read through this series and think it is way too paranoid, while someone else may think this barely scratches the surface. Security is just like driving on the highway — anyone going slower than you is an idiot, while anyone driving faster than you is a crazy person. These guidelines are merely a basic set of core safety rules that is neither exhaustive, nor a replacement for experience, vigilance, and common sense.
We’ll start with how to choose the right hardware, then discuss pre- and post- operating system installation guidelines, how to choose the best Linux distro, and a range of other best practices for working securely from anywhere on your Linux workstation. You can also download the entire set of recommendations as a handy guide and checklist.
Choosing the right hardware
We do not mandate that our admins use a specific vendor or a specific model, so this article will address core considerations when choosing a work system. Here are three things to consider:
￼- System supports SecureBoot (ESSENTIAL)
– System has no firewire, thunderbolt or ExpressCard ports (NICE-to-HAVE)
– System has a TPM chip (NICE-to-HAVE)
Despite its controversial nature, SecureBoot offers prevention against many attacks targeting workstations (Rootkits, “Evil Maid,” etc.), without introducing too much extra hassle. It will not stop a truly dedicated attacker, plus there is a pretty high degree of certainty that state security agencies have ways to defeat it (probably by design), but having SecureBoot is better than having nothing at all.
Alternatively, you may set up Anti Evil Maid which offers a more wholesome protection against the type of attacks that SecureBoot is supposed to prevent, but it will require more effort to set up and maintain.
Firewire, Thunderbolt, and ExpressCard ports
Firewire is a standard that, by design, allows any connecting device full direct memory access to your system (see Wikipedia). Thunderbolt and ExpressCard are guilty of the same, though some later implementations of Thunderbolt attempt to limit the scope of memory access. It is best if the system you are getting has none of these ports, but it is not critical, as they usually can be turned off via UEFI or disabled in the kernel itself.
Trusted Platform Module (TPM) is a crypto chip bundled with the motherboard separately from the core processor, which can be used for additional platform security (such as to store full-disk encryption keys), but is not normally used for day-to-day workstation operation. At best, this is a nice-to-have, unless you have a specific need to use TPM for your workstation security.
Now that we’ve discussed some basic hardware requirements for a secure Linux workstation, it’s time to consider your pre-boot environment. In the next post we’ll lay out a set of recommendations for your workstation before you even start with OS installation.
Whether you work from home, log in for after-hours emergency support, or simply prefer to work from a laptop in your office, you can use “A SysAdmin’s Essential Guide to Linux Workstation Security” to do it securely. Download the free ebook and checklist now!
Read the next article: