Published: Thu 20 March 2014
By Andy Booth
In Linux Desktop.
tags: security
You gotta love Government Official-speak. So the UK Gov has issued a bunch of guides (I guess aimed at employees handling sensitive
data) on how to secure their desktop machines. They've even issued one for Ubuntu, catchily titled:
End User Devices Security Guidance: Ubuntu 12.04
I'm pointing it out because it is actually quite interesting, well .. if you like geeking out about security like me.
The document compares Ubuntu against a bunch of security metrics and the distro (and thus, in effect, Linux) comes out quite
well. It falls down only in that a lot of open source software hasn't been put through the stringent vulnerability testing
required to gain high-level approved governmental certification; this is because it's crazy expensive and, as there's no
"Open Source the company", no-one's willing to pay for it.
The part of the document that really interests me is the
Policy Recommendations section, i.e. what a tech should do to the box once he's got his grubby mitts on it. I particularly like the bit about using AppArmor to restrict Python. I guess you may have to extend this to Ruby and Lua and whatever other interpreter you may install with random software packages .. and down the rabbit-hole (feverishly writing security framework policy files) you go.
Anyway the recommendations are:
Set the default shell to /bin/false in both /etc/default/useradd and /etc/adduser.conf. -- It says this will prevent shell access, but afaict this would only apply to new users.
Separate noexec,nosuid,nodev partitions for /tmp and /home. -- OK, much discussed in the Debian Security Manual; the only problem is that doing that to /tmp will break some (perhaps badly written) software. Always loved the idea; I do it on servers.
Find and change the perms on any directory that the user can write to, using find / -type d -writable (run it as that user, not as root: -writable tests the permissions of whoever invokes find, and root can write everywhere).
Use an AppArmor policy to deny execution of files that can be run by interpreters; the example is Python, which will always be installed. -- Coolah.
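Here is what those four recommendations look like as a script, written for this post as an illustration (it is not code from the guidance, and the AppArmor profile in it is my own sketch, not the one the guide ships). The function names, the fixture-file parameters and the choice of /bin/false or /usr/sbin/nologin as "not a login shell" are my assumptions; every check reads the file or tree it is handed, so it can be pointed at the live box or at a constructed fixture.

```shell
#!/bin/sh
# Compliance checks for the four recommendations above. Added example for this
# post, not code from the guidance. File-reading functions take the file as a
# parameter so they audit a fixture as easily as the real machine.

# 1. Default shell for NEW accounts: /etc/default/useradd sets SHELL=,
#    /etc/adduser.conf sets DSHELL=. Accepts /bin/false or nologin (assumption).
default_shell_is_nologin() {            # $1 = file, $2 = variable (SHELL or DSHELL)
    shell=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    [ "$shell" = "/bin/false" ] || [ "$shell" = "/usr/sbin/nologin" ]
}

# Existing accounts keep whatever /etc/passwd already records, so the two
# defaults above do nothing for them. List human accounts (UID 1000+) that
# still have a login shell; fix each one with: usermod -s /bin/false NAME
existing_login_shells() {               # $1 = passwd-format file
    awk -F: '$3 >= 1000 && $3 < 65534 && $7 != "/bin/false" && $7 != "/usr/sbin/nologin" { print $1 ":" $7 }' "$1"
}

# 2. /tmp and /home must be separate filesystems mounted noexec,nosuid,nodev.
#    Works on /etc/fstab (what is configured) or /proc/mounts (what is live);
#    both have mount point in column 2 and the option list in column 4.
mount_has_opts() {                      # $1 = fstab-format file, $2 = mount point
    opts=$(awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }' "$1" | tail -n 1)
    [ -n "$opts" ] || return 1          # not its own filesystem at all
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
}

# 3. The guide's "find / -type d -writable" reports what is writable by the
#    account running find, so it must be run as the user being locked down
#    (as root every directory is writable and the list is useless). This
#    variant lists directories writable by ANY account, skipping sticky ones
#    like /tmp that are world-writable by design; it answers the same
#    whoever runs it.
world_writable_dirs() {                 # $1 = tree to scan
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# 4. AppArmor cannot tell a script from a data file, so an interpreter profile
#    works by refusing to READ anything under user-writable trees: a script
#    dropped in ~ or /tmp is never loaded, whatever its permissions. This is
#    an illustrative profile written for this post (not the guide's), and the
#    deny on /home is exactly the rabbit-hole mentioned above: any Python
#    program that keeps state in ~ now needs a carve-out. Load it with:
#    apparmor_parser -r /etc/apparmor.d/usr.bin.python2.7
write_python_profile() {                # $1 = output path
    cat > "$1" <<'EOF'
#include <tunables/global>

/usr/bin/python2.7 {
  #include <abstractions/base>
  #include <abstractions/python>

  /usr/bin/python2.7            mr,
  /usr/{bin,lib,local,share}/** r,
  /etc/**                       r,

  # user-writable locations: nothing here may be read, so nothing here runs
  deny /home/**    rw,
  deny /tmp/**     rw,
  deny /var/tmp/** rw,
  deny /dev/shm/** rw,
}
EOF
}

# Run "sh audit.sh audit" on a real machine; the functions above are pure, so
# only this part touches the live system.
if [ "${1:-}" = audit ]; then
    default_shell_is_nologin /etc/default/useradd SHELL || echo "useradd: SHELL= is still a login shell"
    default_shell_is_nologin /etc/adduser.conf DSHELL   || echo "adduser.conf: DSHELL= is still a login shell"
    existing_login_shells /etc/passwd | sed 's/^/existing account with login shell: /'
    for mp in /tmp /home; do
        mount_has_opts /proc/mounts "$mp" || echo "$mp: not a separate noexec,nosuid,nodev filesystem"
    done
    world_writable_dirs / | sed 's/^/world-writable directory: /'
fi
```

The audit reads /proc/mounts rather than /etc/fstab on purpose: fstab says what you asked for, /proc/mounts says what you got, and it is the live options that decide whether something in /tmp executes.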
It's an interesting perspective .. no mention of Java, or of securing your web browser, or of dodgy PDFs running code through
Acrobat (or even Evince). The other question that springs to mind is who or what exactly this is attempting to prevent.
Viruses for Linux desktops are as rare as hens' teeth because the installed base is too small (don't tell me it's because
Windows security "sux" and Linux is much more difficult to write viruses for; this is no longer true), so are we talking
about trying to prevent much more comprehensive hack attacks? Maybe trying to prevent malware from other governments?