End User Devices Security Guidance

You gotta love Government Official-speak. So the UK Gov has issued a bunch of guides (I guess to employees with sensitive data) on how to secure their desktop machines. They've even issued one for Ubuntu, catchily titled:

End User Devices Security Guidance: Ubuntu 12.04

I'm pointing it out because it is actually quite interesting, well... if you like geeking out about security like me. The document compares Ubuntu against a bunch of security metrics and the distro (and thus in fact Linux) comes out quite well. It falls down only in that a lot of open source software hasn't been put through the stringent vulnerability testing required to gain high-level approved governmental certification; this is because such testing is crazy expensive and, as there's no "Open Source the company", no one is willing to pay for it.

The part of the document that really interests me is the Policy Recommendations, i.e. what a tech should do to the box once he's got his grubby mitts on it. I particularly like the bit about using AppArmor to restrict Python; I guess you may have to extend this to Ruby and Lua and whatever other interpreter you may install with random software packages... and down the rabbit-hole (feverishly writing security framework policy files) you go.

Anyway, the recommendations are:

  • Set the default shell to /bin/false in both /etc/default/useradd and /etc/adduser.conf. -- It says this will prevent shell access, but afaict this would only apply to newly created users, not existing ones.
  • Separate noexec,nosuid,nodev partitions for /tmp and /home. -- OK, much discussed in the Debian Security Manual; the only problem is that doing that to /tmp will break some (perhaps badly written) software that expects to run things from there. Always loved the idea, I do it on servers.
  • Find and change the perms on any directory that the user can write to, using find / -type d -writable.
  • Use an AppArmor policy to deny execution of files that can be run by interpreters; the example is Python, which will always be installed. -- Coolah.
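As an added example (my own, not from the guidance document), here's a small POSIX sh audit of the first two recommendations. It runs against constructed snippets of /etc/fstab, /etc/default/useradd and /etc/adduser.conf embedded below rather than the live files, and reports which hardening mount options a mount point is missing and what default shell each config hands to new users.

```shell
#!/bin/sh
# Constructed sample config contents (not read from the running system).
SAMPLE_FSTAB='UUID=1111 /     ext4 defaults                     0 1
UUID=2222 /home ext4 defaults,nosuid,nodev        0 2
UUID=3333 /tmp  ext4 defaults,noexec,nosuid,nodev 0 2'

SAMPLE_USERADD='# Default values for useradd
SHELL=/bin/bash
HOME=/home'

SAMPLE_ADDUSER='# adduser defaults
DSHELL=/bin/false
DHOME=/home'

# missing_mount_opts MOUNTPOINT FSTAB_TEXT
# Prints the hardening options (noexec nosuid nodev) absent from the
# mount point's fstab line, an empty string if all are set, or
# "no-entry" if the mount point has no dedicated partition at all.
missing_mount_opts() {
    mp=$1; fstab=$2
    opts=$(printf '%s\n' "$fstab" | awk -v mp="$mp" '$2 == mp { print $4; exit }')
    if [ -z "$opts" ]; then
        printf 'no-entry'
        return 0
    fi
    missing=""
    for want in noexec nosuid nodev; do
        # Wrap in commas so "nodev" doesn't falsely match inside another option.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s' "${missing# }"
}

# config_value KEY CONFIG_TEXT: prints the value of KEY=... (SHELL in
# /etc/default/useradd, DSHELL in /etc/adduser.conf).
config_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p"
}

# Stand-alone report over the samples.
for mp in / /home /tmp; do
    printf '%s missing: [%s]\n' "$mp" "$(missing_mount_opts "$mp" "$SAMPLE_FSTAB")"
done
printf 'useradd SHELL=%s adduser DSHELL=%s\n' \
    "$(config_value SHELL "$SAMPLE_USERADD")" "$(config_value DSHELL "$SAMPLE_ADDUSER")"
```

On a real box, swap the sample strings for $(cat /etc/fstab) and friends; note that fstab only tells you what is configured, so cross-check against mount output for what is actually in effect.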

It's an interesting perspective... no mention of Java, or securing your web browser, or dodgy PDFs running code through Acrobat (or even Evince). And the question that also springs to mind is: who or what exactly is this attempting to prevent? Viruses for Linux desktops are as rare as hens' teeth because the installed base is too small (don't tell me it's because Windows security "sux" and Linux is much more difficult to write viruses for; this is no longer true), so are we talking about trying to prevent much more comprehensive hack attacks? Maybe trying to prevent malware from other Governments??
