Linux Foundation project director Konstantin Ryabitsev has publicly-released the penguinistas' internal hardening requirements to help sysadmins and other paranoid tech bods and system administrators secure their workstations.
The baseline hardening recommendations are designed that balance security and convenience for its many remote admins, rather than a full-blown security document.
The document is designed to be adapted to individual admins' requirements, and contains explanations justifying security paranoia.
Severity levels range from low to critical, and escalate to "paranoid" for those willing to operate in blacked-out faraday cages under more inconvenient but secure conditions.
"We use this set of guidelines to ensure that a sys admin's system passes core security requirements in order to reduce the risk of it becoming an attack vector against the rest of our infrastructure," Ryabitsev explains.
"You may read this document and think it is way too paranoid, while someone else may think this barely scratches the surface.
"Security is just like driving on the highway - anyone going slower than you is an idiot, while anyone driving faster than you is a crazy person."
Ryabitsev is a web and Linux security geek who manages Linux Foundation-hosted collaborative projects. He says the guidelines should be adjusted if they are out of step with organisational risk appetites.
The first section covers buying hardware and lists SecureBoot as a critical feature, and a lack of firewire and Thunderbolt ports as as a bonus. Here password-protected UEFI boot mode is a must.
An admin's operating system distro of choice has to meet a dozen critical requirements around fast patching, verification, and native disk encryption. The latter must include Linux Unified Key Setup full disk encryption, including swap, an unprivileged admin group account, and lots of robust passwords.
The hardened Linux geek will need to globally disable firewire and Thunderbolt modules where they exist, filter incoming ports with firewalls, disable shd, and schedule automatic updates.
To be a fully-paranoid neckbeard, admins must install rkhunter and an intrusion detection system, and, crucially, maintain it (including running checks from a trusted environment).
Firefox is your browser of choice for accessing trusted sites. It must sport NoScript, Privacy Badger, and HTTPS Everywhere, and should have Certificate Patrol which squeals when out of date TLS certs are found.
The more secure Chromium is the sludge plow of the internet using seccomp, sandboxing, and kernel user namespaces to clear a secure path through insecure web trash. Admins should outfit their Chromium plow with Privacy Badger and HTTPS Everywhere (this correspondent recommends ScriptSafe to fully ruin the shininess and ad revenues of websites).
Chrome should also be dumped in a VM where possible, a configuration that is "surprisingly workable" if RAM-intensive, so says Ryabitsev.
The doc suggests VMs to compartmentalise applications, and points to the the Qubes-OS project as a suitable environment.
Password managers are a good idea; separate password managers for untrusted and trusted browsers are even better for the paranoid trophy seekers.
The guide does not touch on hardware data destruction, but robotics engineer 'zoz' has offered some tips for the slightly nervous to fully paranoid. The easy way is to remove disk platters with a couple of Torx screwdrivers, rubbing with a rare earth magnet, crushing in a manner offering the admin the most gratification, burning with fire, and dispersal among city limits.
Truely paranoid admins seeking GCHQ Five Eyes-assured obliteration will need to dabble in thermal, serious kinetic, and electric means of hard drive destruction. Zoz in his DEF CON talk showcases oxygen, copper, and thermate injection, and custom-made explosives. ®