A couple of security tips from the Linux creators themselves

Sep 1, 2015 12:47 GMT

The Linux Foundation has recently published, on GitHub, the internal Security Checklist used by its staffers to protect their workstations and laptops from the most basic forms of cyber-threats.

The checklist, which you can read in full below, is a simple set of guidelines with instructions and recommendations labeled from critical to moderate, and from low to paranoid.

The Foundation recommends that all users follow the instructions tagged with the critical severity level, which only address issues that might put workstations at severe risk.

All items labelled as moderate, low, and paranoid improve on the basic critical level, but they also seriously interfere with the way users interact with or use their Linux operating system.

SecureBoot is a must for all workstations

The first thing on the Foundation's security team's agenda was SecureBoot, a technology that checks if the boot loader is signed with a specific cryptographic key during each PC startup.

This technology is considered a must-have for every Linux Foundation contributor, being labelled as critical, while Firewire, Thunderbolt, and ExpressCard ports are labelled as moderate.

Other pre-boot items that Foundation contributors and normal Linux users should also activate are the UEFI boot mode, instead of the older BIOS, and a password for entering the UEFI configuration panel.

Even though these last two tips are on the "Linux Security Checklist," they should also be implemented by Windows and Mac users, since they prevent malicious actors (malware and/or humans) from tampering with the computer's firmware.

Advice on securing your Linux distro after installation

Although there are thousands of Linux distributions on the market, an essential set of guidelines and operations applies to all of them, no matter which one a user chooses to install.

Some of the tips brought for consideration by the Linux Foundation include the usage of full disk encryption (LUKS), making sure there's a password on the bootloader, and checking that swap is also encrypted.

Since most problems with Linux security come from insecure accounts, the Foundation's experts recommend using an unprivileged account for day-to-day operations, while also protecting both the root and the unprivileged account with robust, complex passwords. These two passwords should be different from one another.

Additionally, sysadmins are urged to globally disable the Firewire and Thunderbolt modules, filter incoming ports using a firewall, and forward the root mail to an account they check daily.
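
As an added illustration (not part of the article or of the Linux Foundation's checklist), the script below audits a workstation for several of the items mentioned so far: UEFI boot mode, SecureBoot, the disabled Firewire and Thunderbolt modules, and root mail forwarding. It assumes modules are disabled through modprobe.d "blacklist" lines and that root mail is forwarded through /etc/aliases; the ROOT prefix and the --run switch are this example's own names.

```shell
#!/bin/sh
# Added example, not the Linux Foundation's tooling. ROOT is a hypothetical
# prefix so the checks can run against a constructed tree; empty = live system.
ROOT="${ROOT:-}"

# UEFI boot mode: the kernel exposes /sys/firmware/efi only after a UEFI boot.
check_uefi() { [ -d "$ROOT/sys/firmware/efi" ]; }

# Secure Boot: the EFI variable is 4 attribute bytes followed by 1 (on) or 0.
check_secureboot() {
    f="$ROOT/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    [ -r "$f" ] && [ "$(od -An -tu1 -j4 -N1 "$f" | tr -d '[:space:]')" = "1" ]
}

# Module disabled (assumed mechanism): an uncommented "blacklist <name>" line.
# modprobe treats "-" and "_" as the same character, so match either.
check_blacklisted() {
    pat=$(printf '%s' "$1" | sed 's/[-_]/[-_]/g')
    grep -Eqs "^[[:space:]]*blacklist[[:space:]]+$pat([[:space:]]|\$)" \
        "$ROOT"/etc/modprobe.d/*.conf
}

# Root mail forwarded (assumed mechanism): /etc/aliases maps root to a target.
check_root_mail() {
    grep -Eqs '^root:[[:space:]]*[^[:space:]#]' "$ROOT/etc/aliases"
}

# report <label> <command...>: print PASS or FAIL and count failures.
report() {
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fails=$((fails + 1)); fi
}

# Run every check; the return value is the number of failed items.
audit() {
    fails=0
    report "UEFI boot mode" check_uefi
    report "Secure Boot enabled" check_secureboot
    report "firewire-core module blacklisted" check_blacklisted firewire-core
    report "thunderbolt module blacklisted" check_blacklisted thunderbolt
    report "root mail forwarded" check_root_mail
    return "$fails"
}

# "--run" is this example's own switch, not a standard flag.
if [ "${1:-}" = "--run" ]; then audit; fi
```

A blacklist line only stops automatic loading of a module, so a PASS here does not prove the module cannot be loaded by hand.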

A timely backup routine should also be put in place, one that first encrypts the data and then sends it to an external storage system.

Since Web browsing is a daily routine for all Foundation members and regular users alike, the Security Checklist recommends Firefox for dealing with work-related tasks and Chrome for everything else.

If you use Firefox, the following add-ons are a must: NoScript, Privacy Badger, and HTTPS Everywhere.

For Chrome/Chromium, all users must use Privacy Badger and HTTPS Everywhere.

Other Web-related recommendations include the usage of password managers, different passwords for unrelated sites and strong passphrases for protecting private keys.

Linux Security Checklist