# Best practices for secure installation?

## sirlark

Hi all,

This is both an installation question and a security question, so if any moderator feels this is in the wrong forum, feel free to move it.

I'm interested in installing a new laptop with which I intend to travel a lot. I'll be doing office work on it, although it is a personal laptop, and I want a number of things out of it.

1. If it's stolen, I want my data to be inaccessible. An encrypted partition or home directory will take care of this situation assuming the machine is off when it's stolen. Even if the machine is suspended and in my laptop bag, and it's stolen from me, I think I have this case taken care of, because the waking machine would be locked immediately by xscreensaver, and I never leave text consoles logged in. Correct me if I'm wrong here though. The worst case scenario (and least likely by far) is that the machine is stolen whilst on, awake, and logged in, possibly from a work desk, or in a grab from a coffee shop table. Are there any solutions for this?

2. If, for some reason, someone else at the office needs to use my machine, I want my personal data kept safe, and similarly I want my work data safe from prying eyes at home.

The most obvious solution here is to have two separate accounts each with encrypted home directories, although I would be likely to be logged in as both personal and work user simultaneously. I don't know whether an encrypted home directory that is decrypted and mounted is visible to all users according to the standard unix permissions scheme?

3. Of course the above measures are useless if the machine isn't secured with a decent set of firewall rules, and preferably with a hardened profile, maybe running IPSec. I've never tried a hardened profile or IPSec before, but I know enough about iptables to create a pretty solid firewall. POSIX ACLs and extended attributes come to mind, although I'm not sure how useful they are, and whether they will be convenient enough to use on a daily basis.

So I was wondering if there's a howto out there covering any or all of the above, and what the 'best practices' might be for such situations.

----------

## Hu

*sirlark wrote:*

> 1. If it's stolen, I want my data to be inaccessible. An encrypted partition or home directory will take care of this situation assuming the machine is off when it's stolen. Even if the machine is suspended and in my laptop bag, and it's stolen from me, I think I have this case taken care of, because the waking machine would be locked immediately by xscreensaver, and I never leave text consoles logged in. Correct me if I'm wrong here though. The worst case scenario (and least likely by far) is that the machine is stolen whilst on, awake, and logged in, possibly from a work desk, or in a grab from a coffee shop table. Are there any solutions for this?

 There are no perfect answers here.  You can help by pushing the xscreensaver timeout down as far as you can without making the system unusable to you, so as to minimize the time an attacker can stare at the screen and consider options before it locks on him.  Similarly, you can configure your hibernate tools to ensure that the screensaver is explicitly locked before entering suspend, so that the machine is safe on resume.  Bind a keyboard key to lock the screensaver, and get in the habit of locking the system any time you get up to walk away.

If you plan to hibernate the machine, you should hibernate to an encrypted swap device.  Otherwise, personal data might be recoverable by booting a LiveCD and scanning the swap device.

*sirlark wrote:*

> 2. I don't know whether an encrypted home directory that is decrypted and mounted is visible to all users according to the standard unix permissions scheme?

 That depends a bit on what encryption method you plan to use.  The simplest and most popular is to  use a LUKS-encrypted (or TrueCrypt-encrypted) block device, with a standard filesystem on the upper level device.  In that scenario, the encryption is transparent to user code, so normal Unix permissions apply.  There might be different rules if you use something like eCryptFS.  I use encrypted block devices, so I cannot comment on other schemes.

*sirlark wrote:*

> 3. Of course the above measures are useless if the machine isn't secured with a decent set of firewall rules, and preferably with a hardened profile, maybe running IPSec. I've never tried a hardened profile or IPSec before, but I know enough about iptables to create a pretty solid firewall. POSIX ACLs and extended attributes come to mind, although I'm not sure how useful they are, and whether they will be convenient enough to use on a daily basis.

 Each of the described items guards against a different type of attack:

Firewall: useful to prevent connections to potentially vulnerable services running locally.  In some cases, it can be useful to trap locally executing malicious processes so they cannot report home.  I doubt the latter is worth your trouble to configure.

Hardened profile: this makes it more difficult for an attacker to leverage buffer overflows into code execution, but the vulnerable program will still crash.  It will not protect against attacks where the local application does something stupid, like allow anyone to access the administrative commands without requiring proper authorization or allow an attacker to supply a string of his choosing to a shell command.  Additionally, there may be overflows in some scripting environments that are not trapped by the hardened techniques.

If you need to guard against the stupid application case, you want a Mandatory Access Control system, such as SELinux, AppArmor, GRsecurity, or RSBAC.  Some of these are supported, at least in part, by the Gentoo Hardened project.

IPsec: useful if you need to connect securely to a remote system and you do not trust the intervening network to preserve the privacy and integrity of your data.  If you only ever use the network from a secure location (e.g. work or home, but not coffee shops or hotels), you may not need this.  Additionally, if you only use the network for traffic you do not mind making public, such as reading news sites, you may not need this.  If you do anything that requires authentication, you should require a VPN or a secure location.  See Firesheep for an example of how many people are extremely bad at maintaining security of credentials.

As a second point with regard to IPsec, you should also investigate other forms of VPN, such as the ssh ad-hoc VPN and various SSL VPNs.  IPsec is not necessarily the easiest VPN to configure.  Your choice of VPN may be influenced by what your office IT group offers.
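Hu's point about hibernating only to an encrypted swap device is easy to state and easy to get wrong silently (a distro may add a plaintext swap partition, or a swap file, without telling you). The following is an added example, not code from the thread or from any Gentoo tool: a small POSIX shell check that reads `/proc/swaps` and `dmsetup table` and reports whether each active swap device is backed by a dm-crypt mapping. The sample `/proc/swaps` and `dmsetup table` text is constructed for the example (device names, sizes and the zeroed key field are made up), and the `--live` mode assumes `dmsetup` is available and the script is run as root.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every active swap device is a
# dm-crypt mapping, so a hibernation image never lands on a plaintext partition.
#
# Inputs:  the text of /proc/swaps ("Filename Type Size Used Priority" header, then
#          one line per swap) and the text of `dmsetup table` with no arguments,
#          whose lines look like "<name>: <start> <len> <target> <args...>".
# Output:  one line per swap, "<device> encrypted ..." or "<device> PLAINTEXT ...".

# Constructed sample data: one LUKS/dm-crypt swap and one plain partition.
SAMPLE_SWAPS='Filename Type Size Used Priority
/dev/mapper/cryptswap partition 8388604 0 -2
/dev/sda3 partition 4194300 0 -3'

# dmsetup masks the key field unless --showkeys is given; the zeros are a placeholder.
SAMPLE_TABLES='cryptswap: 0 16777208 crypt aes-xts-plain64 0000000000000000 0 8:3 0
root: 0 488280064 linear 8:2 0'

# A "good" configuration for comparison: only the encrypted device is swapped on.
GOOD_SWAPS='Filename Type Size Used Priority
/dev/mapper/cryptswap partition 8388604 0 -2'

# classify_swaps SWAPS_TEXT DMTABLE_TEXT  -> prints one verdict line per swap entry
classify_swaps() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 { print $1, $2 }' |
    while read -r dev type; do
        # Swap files live on a filesystem; whether that filesystem is encrypted
        # cannot be decided from /proc/swaps alone, so flag them for manual review.
        if [ "$type" != "partition" ]; then
            printf '%s PLAINTEXT (swap file; verify the underlying filesystem by hand)\n' "$dev"
            continue
        fi
        case "$dev" in
            /dev/mapper/*) name=${dev#/dev/mapper/} ;;
            # /dev/dm-N paths can be resolved via /sys/block/dm-N/dm/name on a live
            # system; here they are simply reported as unresolved.
            *) printf '%s PLAINTEXT (not a /dev/mapper node)\n' "$dev"; continue ;;
        esac
        # Field 4 of the matching dmsetup line is the target type ("crypt" for dm-crypt).
        target=$(printf '%s\n' "$2" | awk -v n="$name:" '$1 == n { print $4; exit }')
        if [ "$target" = "crypt" ]; then
            printf '%s encrypted (dm-crypt target)\n' "$dev"
        else
            printf '%s PLAINTEXT (dm target: %s)\n' "$dev" "${target:-none}"
        fi
    done
}

# check_swaps SWAPS_TEXT DMTABLE_TEXT  -> exit 0 only if no swap is PLAINTEXT
check_swaps() {
    bad=$(classify_swaps "$1" "$2" | grep -c PLAINTEXT || true)
    [ "$bad" -eq 0 ]
}

# With --live, inspect the running system (needs root for dmsetup); otherwise
# demonstrate on the constructed sample.
if [ "${1:-}" = "--live" ]; then
    swaps=$(cat /proc/swaps); tables=$(dmsetup table 2>/dev/null)
else
    swaps=$SAMPLE_SWAPS; tables=$SAMPLE_TABLES
fi
classify_swaps "$swaps" "$tables"
if check_swaps "$swaps" "$tables"; then
    echo "OK: all swap devices are dm-crypt backed; hibernation image will be encrypted"
else
    echo "WARNING: at least one swap device is plaintext; do not hibernate to it"
fi
```

Run it as `sh check_swap.sh --live` before enabling hibernation; on the constructed sample it reports `/dev/sda3` as plaintext and warns. It only proves that the block device under the swap is a dm-crypt target, which is Hu's requirement; it says nothing about how the key for that mapping is unlocked at resume time.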

----------

## Etal

*sirlark wrote:*

> The worst case scenario (and least likely by far) is that the machine is stolen whilst on, awake, and logged in, possibly from a work desk, or in a grab from a coffee shop table. Are there any solutions for this?


I haven't used it myself, but if you have bluetooth on your machine and you carry around a cell phone, you can make the computer lock/unlock whenever you move away from it using this (gentoo bug)

----------

## iss

IIRC Kbluetooth also has option to lock/unlock based on BT device present.

I tried it a bit and with one phone it worked perfectly, but with the other one it was rather erratic.

----------

