If you’re a sysadmin who works from home, logs in for after-hours emergency support or simply prefers to work from a laptop in your office, you need to do it securely. Preparation and vigilance are essential in keeping your workstation and network safe from hackers.
Anyone who uses a Linux workstation to access and manage their company’s or project's IT infrastructure runs the risk that his or her computer will become an incursion vector against the rest of that infrastructure.
The Linux Foundation’s sysadmin team works almost 100 percent remotely, so we’ve developed a set of guidelines that our team follows to help ensure that their workstations pass core security requirements in order to reduce the risk of attack.
We released our recommendations on GitHub a while back and have since updated them into a handy, downloadable checklist that we hope will be useful to other IT teams. We go into some detail about the reasoning behind our recommendations and try to provide a rough guideline for what we consider essential steps, what is more of a nice to have, and what is recommended but may be seen as “too paranoid” by most other sysadmins.
Here, we give an overview of the areas for consideration when preparing your Linux workstation for remote work.
1. Choosing the right hardware
We do not mandate that our admins use a specific vendor or a specific model, but there are three core considerations when choosing a work system. The most essential is that the system supports SecureBoot.
2. Pre-boot environment
Before you even start with operating system installation, there are some essential UEFI and SecureBoot considerations, such as whether UEFI boot mode is used, password requirements, and the like.
3. Distro choice
Chances are you'll stick with a fairly widely used distribution such as Fedora, Ubuntu, Arch, Debian, or one of their close spin-offs. In any case, you’ll want a distro with a robust MAC/RBAC implementation that publishes security bulletins, provides timely security patches and other considerations.
4. Distro installation
All distributions are different, but there are some good general guidelines for installation including full disk encryption, encrypted swap and password configuration.
5. Post-installation hardening
Post-installation security hardening will depend greatly on your distribution of choice, so it is futile to provide detailed instructions in a general document such as our guide. However, there are some steps you should take including disabling firewire and thunderbolt modules, checking your firewalls to ensure all incoming ports are filtered, and more.
6. Personal workstation backups
Workstation backups tend to be overlooked or done in a haphazard, often unsafe manner.
7. Other best practices
There are several other best practices that we think you should adopt. Most strike a workable balance between security and overall usability. There are many considerations around the use of your graphical environment, browsers, two-factor authentication, password managers, SSH and PGP private keys, and SELinux.
By Konstantin Ryabitsev, director of IT infrastructure security at The Linux Foundation
Photo courtesy of Shutterstock.