[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Fsuk-manchester] Follow-up: MFS Meeting. Tue, 20 Nov. "NCSC End User De

From: Michael Dorrington
Subject: [Fsuk-manchester] Follow-up: MFS Meeting. Tue, 20 Nov. "NCSC End User Device security - Installer. AppArmor+auditd. GRUB."
Date: Thu, 13 Dec 2018 20:39:11 +0000
User-agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.0

On 16/11/2018 00:17, Michael Dorrington wrote:
> Please forward this notice to those that would welcome it.
> You can subscribe to the Manchester Free Software mailing list at:
> https://lists.nongnu.org/mailman/listinfo/fsuk-manchester
> * Event: Manchester Free Software's November Meeting
> * 45 minute slot: AppArmor + auditd
> * 15 minute slot 1: Debian Installer Preseeding for security
> * 15 minute slot 2: Boot process hardening including GRUB
> * 15 minute slot 3: Security monthly round-up

The National Cyber Security Centre (NCSC) End User Device (EUD) Security
Guidance for GNU/Linux is at:

In January's MFS meeting we will do the remaining parts of the NCSC EUD
security; the large part will be on VPN with smaller parts on user
setup, file systems and automatic updates.  Over the Christmas and New
Year period you can put into practice the items we covered in November's
meeting, particularly:

1. Setup AppArmor and enforce the profiles in the guidance.

Some distros will require enabling AppArmor, hints:
apparmor=1 security=apparmor

Advanced: Produce a profile for an application that is missing one.

2. Setup auditd to start from boot and put in rules useful for your

man audit.rules

3. Use 'Preseeding' (or the equivalent for your distro) to ensure
security setup is consistently done during Operating System installation.

Advanced: Use a tool to ensure that the security setup is kept as
desired throughout the life of the Operating System.

4. Set a GRUB password

You could configure GRUB so it only needs a password if not doing the
default boot or you could require a password for doing anything.  It is
probably best to start with allowing a default boot without password in
case you make a mistake and so lock yourself out.

Post to the MFS mailing list if you need more hints or help.

See you at MFS Christmas meeting on Tuesday,
MFS Chair.

FSF member #9429
"The Free Software Foundation (FSF) is a nonprofit with a worldwide
mission to promote computer user freedom and to defend the rights of all
free software users."

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]