Systems administrators who use a Linux workstation to access and manage IT infrastructure — whether from home or at work — are at risk of becoming attack vectors against the rest of the infrastructure.
In this blog series, we’re laying out a set of baseline recommendations for Linux workstation security to help systems administrators avoid most glaring security errors without introducing too much inconvenience. Last week, we covered security considerations for choosing your hardware.
Now, before you even start with your operating system installation, there are a few things you should consider to ensure your pre-boot environment is up to snuff. You will want to make sure:
UEFI boot mode is used (not legacy BIOS) (ESSENTIAL)
A password is required to enter UEFI configuration (ESSENTIAL)
SecureBoot is enabled (ESSENTIAL)
A UEFI-level password is required to boot the system (NICE-to-HAVE)
UEFI and SecureBoot
UEFI, with all its warts, offers a lot of goodies that legacy BIOS doesn’t, such as SecureBoot. Most modern systems come with UEFI mode on by default.
Make sure a strong password is required to enter UEFI configuration mode. Pay attention, as many manufacturers quietly limit the length of the password you are allowed to use, so you may need to choose a short high-entropy password rather than a long passphrase (see the full ebook for more on passphrases).
Depending on the Linux distribution you decide to use, you may or may not have to jump through additional hoops in order to import your distribution’s SecureBoot key that would allow you to boot the distro. Many distributions have partnered with Microsoft to sign their released kernels with a key that is already recognized by most system manufacturers, therefore saving you the trouble of having to deal with key importing.
As an extra measure, before someone is allowed to even get to the boot partition and try some badness there, let’s make them enter a password. This password should be different from your UEFI management password, in order to prevent shoulder-surfing. If you shut down and start a lot, you may choose to not bother with this, as you will already have to enter a LUKS passphrase and this will save you a few extra keystrokes.
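Once the system is installed you can confirm from inside Linux that the first and third items on the checklist actually hold: the kernel exposes EFI variables only when it was booted through UEFI, and the `SecureBoot` variable (under the standard EFI global variable GUID) reports whether SecureBoot was enforced for this boot. The script below is an added example, not code from the original post or the ebook; it reads the variable file directly (four attribute bytes followed by one data byte) so it needs no extra packages. On systems with `mokutil` installed, `mokutil --sb-state` reports the same information. The `EFIVARS_DIR` override is an assumption of this example, there so the parsing can be exercised against a constructed file.

```shell
#!/bin/sh
# Added example: verify UEFI boot mode and SecureBoot state from a running
# Linux system, using the sysfs efivars interface.

# EFIVARS_DIR override is an assumption of this example (handy for testing);
# on a real UEFI-booted system the kernel mounts efivarfs here.
EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"

# SecureBoot variable name plus the EFI global variable GUID.
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Returns 0 when the directory holding EFI variables exists, i.e. the kernel
# was started through UEFI rather than legacy BIOS/CSM.
booted_uefi() {
    [ -d "$1" ]
}

# Decode one efivars file. Layout: 4 bytes of attributes, then the variable
# data. For SecureBoot the data is a single byte: 1 = enabled, 0 = disabled.
# Prints "enabled", "disabled" or "unknown"; returns non-zero for "unknown".
secureboot_state_from_file() {
    f="$1"
    [ -r "$f" ] || { echo unknown; return 1; }
    # Skip the 4 attribute bytes and read 1 byte as an unsigned integer.
    byte=$(od -An -t u1 -j 4 -N 1 "$f" 2>/dev/null | tr -d ' ')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown; return 1 ;;
    esac
}

# Full check against the live system; exit status 0 only when both
# ESSENTIAL pre-boot items from the checklist are satisfied.
main() {
    if ! booted_uefi "$EFIVARS_DIR"; then
        echo "FAIL: $EFIVARS_DIR missing; system booted in legacy BIOS/CSM mode"
        return 1
    fi
    echo "OK: booted in UEFI mode"
    state=$(secureboot_state_from_file "$EFIVARS_DIR/$SB_VAR")
    case "$state" in
        enabled)  echo "OK: SecureBoot is enabled"; return 0 ;;
        disabled) echo "FAIL: SecureBoot is disabled in firmware"; return 1 ;;
        *)        echo "WARN: could not read $SB_VAR; firmware may not expose it"; return 1 ;;
    esac
}

main "$@"
```

A `disabled` result with UEFI mode present usually means SecureBoot was switched off in firmware setup, which is exactly the state the UEFI configuration password is meant to protect against being changed silently.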
Once you’ve mastered the hardware and pre-boot considerations, you’re ready to choose a distro. Chances are you’ll stick with a fairly widely-used distribution such as Fedora, Ubuntu, Arch, Debian, or one of their close spin-offs. In any case, we’ll tell you what to consider when picking a distribution to use in our next article in this series.
Whether you work from home, log in for after-hours emergency support, or simply prefer to work from a laptop in your office, you can use A SysAdmin’s Essential Guide to Linux Workstation Security to do it securely. Download the free ebook and checklist now!