
Just had an interesting question from a colleague who has a notebook and works remotely from random places:

> I've got full-disk encryption (FDE), what else can I do for ?

My answers in random order:

1) Make sure you have Secure Boot enabled in BIOS, and BIOS password set.

That's pretty much all you can do to prevent backdooring & keysniffing of your bootloader today when someone covertly gets physical access to your laptop.

If this is a viable threat, go for QubesOS, but be aware of its limitations (e.g. inability to access GPU by the operating system, so no games or 3D graphics)


2) Always run the latest available Linux distro - so in case of Ubuntu go for 19.10 - and always have all updates installed.


3) When there's a choice between a .deb and a Snap/Flatpak version (there is for Firefox, Brave and many other popular programs), always go for the Snap/Flatpak version as it runs in a much more effective sandbox.

This doesn't come completely free either, because with Snaps your profile files move into the sandbox, but it's quite a simple operation.


@kravietz Set a grub password!

Use OpenSCAP Workbench with the proper profile for Ubuntu, Fedora or CentOS to check compliance.

Full set of instructions (one might want to select just a few, but still):

access.redhat.com/documentatio

I guess that should already help a lot :)

@sheogorath But will Grub password protect from evil maid attacks such as this one? github.com/nyxxxie/de-LUKS

Because the main problem is that in Ubuntu the bootloader is loaded from an unencrypted partition, which can be modified off-line...
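One defender-side answer to the offline-modification concern above is to keep a checksum baseline of the unencrypted boot partition and compare against it after the laptop has been out of sight. This is an added example, not code from the thread; the paths in the comments are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): snapshot the unencrypted /boot partition and
# later check whether anything under it changed while the machine was out of your hands.
# Paths in the usage comments are illustrative; keep the baseline on the encrypted root,
# never on /boot itself.

boot_checksums() {
    # Print "sha256  ./relative/path" for every regular file under $1, in a stable order.
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

boot_baseline_record() {
    # Usage: boot_baseline_record /boot /root/boot-baseline.sha256
    boot_checksums "$1" > "$2"
}

boot_baseline_verify() {
    # Usage: boot_baseline_verify /boot /root/boot-baseline.sha256
    # Exit status 0 when every file matches the baseline, 1 when any file was
    # added, removed or altered (the differing entries are printed as a diff).
    current=$(mktemp)
    boot_checksums "$1" > "$current"
    if diff -u "$2" "$current"; then
        rm -f "$current"
        return 0
    fi
    rm -f "$current"
    return 1
}
```

This runs from the already-booted system, so a tampered bootloader could in principle interfere with it; treat it as a complement to Secure Boot and a firmware password, not a replacement.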

@kravietz The main goal of using a grub password is preventing someone from booting, pressing e, setting /bin/bash as init and using vi to write nasty little scripts around your boot partition. It raises the bar to "I have to open the device", which again can be made visible using nail polish:

mullvad.net/en/blog/2016/12/14

At least when you are paranoid enough.

Also of course you should use secureboot as you mentioned.

@sheogorath BTW nail polish cannot prevent someone booting your computer from a USB stick with Kali - much easier than physically opening the laptop. I think this can also only be prevented in BIOS.

@kravietz That of course. Standard BIOS setup should include:

- BIOS update

- BIOS password for accessing settings and changing boot options,

- Changing boot order and disable not needed boot devices

- Reset TPM and change to 2.0 mode

- Enable Secureboot and reset Secureboot keys

- Disable unneeded devices

- Explore further features in BIOS/firmware (like enabling tamper detection, disabling Intel device management, …)

@kravietz
This is really something to be worried about, I have my partitions encrypted by LUKS :(
@sheogorath

Mastodon 🔐 privacytools.io