Published: Thu 20 March 2014
You gotta love Government Official-speak. So the UK Gov has issued a bunch of guides (I guess to employees with sensitive
data) on how to secure their desktop machines. They've even issued one for Ubuntu catchily titled :
End User Devices Security Guidance: Ubuntu 12.04
I'm pointing it out because it is actually quite interesting, well .. if you like geeking out about security like me.
The document compares Ubuntu against a bunch of security metrics and the distro (and thus in fact Linux) comes out quite
well. It falls down only in that alot of open source software hasn't been put through the stringent vulnerability testing
required to gain high-level approved governmental certification, this is because it's crazy expensive and as there's no
"Open Source the company" no-one's willing to pay for it.
The part of the document that really interests me are the
Anyway the recommendations are :
Policy Recommendations, ie. what a tech should do to the box once he's got his grubby mits on it. I particularly like the bit about using apparmor to restrict python, I guess you may have to extend this to ruby and lua and whatever else interpreter you may install with random software packages .. and down the rabbit-hole (feverishly writing security framework policy files) you go.
Set the default shell to
/bin/false in both
/etc/adduser.conf. -- It says this will
prevent shell access but afaict this would only apply to new users.
Separate noexec,nosuid,nodev partitions for /tmp and /home. -- OK, much discussed in the Debian Security Manual only
prob is that doing that to
/tmp will break some (perhaps badly written) software. Always loved the idea, I do it on
Find and change the perms on any directory that the user can write to using
find / -type d -writable.
Use apparmor policy to deny execution of files that can be run by interpreters, the example is python which will always
be installed. -- Coolah.
It's an interesting perspective .. no mention of Java or securing your web-browser or dodgy PDF's running code through
Acrobat (or even Evince). And the question that also springs to mind, is who or what exactly is this attempting to prevent?
Viruses for Linux desktops are rare as hens' teeth because the installed base is too small (don't tell me that it's because
Windows security "sux" and Linux is much more difficult to write viruses for, this is no longer true), so are we talking
about trying to prevent much more comprehensive hack attacks? Maybe trying to prevent malware from
Proudly powered by
Pelican, which takes great advantage of Python.
The theme is by
Smashing Magazine, thanks!