Security for Linux desktops: 8 best practices

Here are a few guiding principles which can form the basis of security for Linux desktops in your organization.

Using a Linux desktop at your workstation? As with any other operating system, security will be one of the issues you have to deal with. Here are a few steps to be followed for the effective security of Linux desktops.

Grant the least privilege: As part of providing security for Linux desktops, grant the least privilege necessary for user accounts and software to perform tasks. Any user who does not require administrator access should not be granted such rights. Using appropriate security-enhanced Linux (SELinux) settings and policies, you can confine software to perform only specifically allowed actions on the systems. In addition, delete unused user accounts.

Minimize the number of installed software packages: This is the simplest way to reduce exposure to vulnerabilities. Carefully select and manage installed software so that only software for which there is an operational need remains. Ideally, this leaves a smaller target profile exposed to attack, and thus helps enhance the security of Linux desktops.

Encrypt transmitted data whenever it is possible: Any data transmitted over the network (whether wired or wireless) can be passively monitored. So apply solutions to encrypt data wherever possible.

Encrypting authentication data such as passwords is particularly important for security. This helps in managing risk and in providing security to Linux desktops. The Linux Unified Key Setup on-disk format (LUKS) allows you to encrypt partitions on your Linux computer. This is particularly important when it comes to mobile computers and removable media. LUKS allows multiple user keys to decrypt a master key, which is used for the bulk encryption of the partition. Distributions such as Fedora 13 utilize LUKS to perform file system encryption.
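The key-slot idea described above, sketched as an added example that is not part of the original article and is not LUKS code. It is a simplified model: the `Volume` class and its method names are hypothetical, and a plain XOR with a PBKDF2-derived key stands in for the cipher and anti-forensic split that LUKS actually applies to each slot.

```python
import hashlib, hmac, os

ITERATIONS = 2000  # kept low so the demo runs quickly; real headers use far more

def _pbkdf2(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=32)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Volume:
    """Simplified model of a LUKS header: one master key, several key slots."""

    def __init__(self, passphrase: str):
        master_key = os.urandom(32)           # the key that encrypts the partition
        self.digest_salt = os.urandom(16)
        self.mk_digest = _pbkdf2(master_key, self.digest_salt)  # to recognise it
        self.slots = []                       # list of (salt, wrapped master key)
        self._add_slot(master_key, passphrase)

    def _add_slot(self, master_key: bytes, passphrase: str) -> None:
        salt = os.urandom(16)
        # Assumption: XOR stands in for the real per-slot encryption.
        self.slots.append((salt, _xor(master_key, _pbkdf2(passphrase.encode(), salt))))

    def _find(self, passphrase: str):
        for i, (salt, wrapped) in enumerate(self.slots):
            candidate = _xor(wrapped, _pbkdf2(passphrase.encode(), salt))
            if hmac.compare_digest(_pbkdf2(candidate, self.digest_salt), self.mk_digest):
                return i, candidate
        return None

    def unlock(self, passphrase: str):
        hit = self._find(passphrase)
        return hit[1] if hit else None

    def add_passphrase(self, existing: str, new: str) -> bool:
        master_key = self.unlock(existing)    # an existing key must authorise this
        if master_key is None:
            return False
        self._add_slot(master_key, new)
        return True

    def remove_passphrase(self, passphrase: str) -> bool:
        hit = self._find(passphrase)
        if hit is None or len(self.slots) == 1:
            return False                      # unknown key, or it is the last slot
        del self.slots[hit[0]]
        return True
```

Because every slot wraps the same master key, a user key can be added or revoked without re-encrypting the partition data.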

Configure security tools to improve robustness of the system: A desktop installation comes with several tools which can be effectively configured to improve a system’s resistance to and detection of unknown attacks. As far as security for Linux desktops is concerned, one can use firewall techniques (iptables) for host-based firewalling, SELinux for protection against vulnerable services and mandatory access control, a logging-plus-auditing infrastructure for detection of problems, and the GNU Privacy Guard for encrypting files.

Plan and configure security updates: All software contains bugs. Often, these bugs can result in a vulnerability which can expose your Linux desktop to malicious users. Unpatched systems are a common cause of computer intrusions. You should have a plan to install security patches in a timely manner to close those vulnerabilities so that they cannot be exploited. Configuring the automatic installation of security updates is an effective way to do this, but it does carry the slight risk of conflicts with your configuration or other software in the system. Additional controls will need to be used to protect the system during the time between the patch release and its installation on the system. These controls will depend on the exact vulnerability, but could include additional firewall rules, use of external firewalls, or changes in software settings.

Avoid sourcing packages from unknown destinations: Software maintenance is extremely important to maintaining a secure Linux desktop. It is vital to apply patches as soon as they become available in order to prevent attackers from using known holes to infiltrate your system. You should also take care not to source and install packages from unknown or untrusted package repositories. Every GNU/Linux distribution signs its official packages, which ensures that the packages being installed come from a trusted repository. This is a good step toward security for Linux desktops.
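One way to check that enabled repositories still rely on signed packages, as an added example that is not part of the original article. It assumes a Fedora-style system whose repository definitions are `.repo` files using the `enabled`, `gpgcheck`, `baseurl`, `metalink` and `mirrorlist` options; the sample content, repository names and hosts are constructed.

```python
import configparser

# Constructed sample of /etc/yum.repos.d/*.repo content (hosts are placeholders).
SAMPLE_REPOS = """\
[distro-official]
name=Official distribution packages
baseurl=https://mirror.example.invalid/releases/$releasever/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[thirdparty-tools]
name=Third-party tools
baseurl=http://repo.example.invalid/fedora/$releasever/
gpgcheck=0

[old-testing]
name=Disabled test repo
baseurl=http://repo.example.invalid/testing/
enabled=0
gpgcheck=0
"""

TRUE_VALUES = {"1", "yes", "true", "on"}
SOURCE_KEYS = ("baseurl", "metalink", "mirrorlist")

def audit_repos(text: str) -> dict:
    """Map each enabled repository id to its list of findings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    report = {}
    for repo in parser.sections():
        section = parser[repo]
        # A repository with no "enabled" line is treated as enabled.
        if section.get("enabled", "1").strip().lower() not in TRUE_VALUES:
            continue
        findings = []
        # Assumption: an unset gpgcheck is reported too, because the effective
        # value then depends on the global package manager configuration.
        if section.get("gpgcheck", "").strip().lower() not in TRUE_VALUES:
            findings.append("package signatures not verified (gpgcheck)")
        for key in SOURCE_KEYS:
            if section.get(key, "").strip().lower().startswith("http://"):
                findings.append(f"unencrypted source URL ({key})")
        if findings:
            report[repo] = findings
    return report
```

On a real system, feed each file under /etc/yum.repos.d/ to `audit_repos()` and review any repository it reports before installing from it.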

Run each network service on a separate system: As part of providing security for Linux desktops, run each network service on a separate system (if possible) to minimize the risk of one compromised service being used to compromise another service.

Review system and application logs routinely: By default, security-relevant system logs are written to /var/log/secure and /var/log/audit/audit.log. Sending logs to a dedicated log server helps to prevent attackers from easily modifying local logs to avoid detection, and this provides security to Linux desktops. Additionally, never log in as the root user unless absolutely necessary. It is recommended that administrators use sudo to execute commands as root when required. Users capable of running sudo are specified in /etc/sudoers. Use the visudo utility to edit /etc/sudoers.
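A routine review pass over /var/log/secure can be scripted; the following is an added example, not part of the original article. It assumes the usual OpenSSH and sudo message formats, and the log lines, host name, users and addresses are constructed. It reports sources with repeated failed passwords, direct root logins, and sudo attempts by users not listed in /etc/sudoers.

```python
import re
from collections import Counter

# Constructed sample lines in the style of /var/log/secure (documentation IPs).
SAMPLE_LOG = """\
Mar  4 09:12:01 desk01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  4 09:12:04 desk01 sshd[2211]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  4 09:12:09 desk01 sshd[2214]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  4 09:15:30 desk01 sshd[2230]: Failed password for alice from 192.0.2.55 port 40112 ssh2
Mar  4 09:15:41 desk01 sshd[2230]: Accepted password for alice from 192.0.2.55 port 40112 ssh2
Mar  4 09:18:02 desk01 sshd[2301]: Accepted password for root from 198.51.100.20 port 40022 ssh2
Mar  4 09:19:45 desk01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/visudo
Mar  4 09:20:11 desk01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
DENIED = re.compile(r"sudo(?:\[\d+\])?:\s+(\S+) : user NOT in sudoers ;.*COMMAND=(.*)$")

def review(log_text: str, threshold: int = 3) -> dict:
    """Summarise the events an administrator should look at first."""
    failures = Counter()
    root_logins, sudo_denied = [], []
    for line in log_text.splitlines():
        failed = FAILED.search(line)
        accepted = ACCEPTED.search(line)
        denied = DENIED.search(line)
        if failed:
            failures[failed.group(1)] += 1          # count per source address
        elif accepted and accepted.group(1) == "root":
            root_logins.append(accepted.group(2))   # direct root login
        elif denied:
            sudo_denied.append((denied.group(1), denied.group(2)))
    return {
        "repeated_failures": {ip: n for ip, n in failures.items() if n >= threshold},
        "root_logins": root_logins,
        "sudo_denied": sudo_denied,
    }
```

Running the same script on the dedicated log server rather than on the desktop keeps the review independent of logs an intruder could have modified locally.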

About the author: Sankarshan Mukhopadhyay has been associated with free and open source software projects for some time now. He contributes to, and participates in, The Fedora Project. The One Laptop Per Child mission is among his other interests.

(As told to Anuradha Ramamirtham.)
