- encrypted everything the way d-i does it (boot unencrypted – rest dm-crypt+LUKS). Check
- strong passphrase for encryption. Check
- separate laptop ssh key. Check
- sshd only public daemon running. keylogin only. Check
- other stuff that ‘listens’ either killed or firewalled away. Check
- weak password on user account. hmmm
- screensaver/autolock after 3 minutes. Check
- sudo-to-root passwordless. hmmm
Am I on the right track? Should I turn up my paranoia on the ‘hmmm’s, or is it in general acceptable?
Oh – and of course – a layer of security by obscurity is always nice. So let us throw dvorak keymap in also.
My policy is to never allow commands to be arbitrarily run as root by an unprivileged user. Even if you required a password for sudo, it’s still the weak link in your chain – guessing the weak password gains the attacker root. With local access and enough time, the attacker could easily switch to a vc, work out that the layout is Dvorak and proceed to work on the password.
Me, I would up the password to be stronger and require a password for sudo.
You also don’t mention if you encrypt swap. If you use hibernate, you should always use an encrypted swap partition.
Cheers
– Niall
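Niall's point about encrypted swap has a check that can be scripted. The snippet below is an added example, not code from the thread: it reads an fstab and a crypttab (constructed sample files here, written to a temp dir) and classifies every swap entry as plain, dm-crypt with a persistent key, or dm-crypt keyed from /dev/urandom. The last case matters for hibernate specifically: a random-key swap is encrypted, but the hibernation image written to it cannot be resumed after a reboot, so a laptop that hibernates needs a swap mapping with a passphrase or key file.

```shell
#!/bin/sh
# Added example (not from the original thread): classify swap entries by
# whether they sit on a dm-crypt mapping, and whether that mapping can
# survive a hibernate/resume cycle. On a real system pass
# /etc/fstab and /etc/crypttab; the files below are constructed samples.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
FSTAB="$TMPD/fstab"
CRYPTTAB="$TMPD/crypttab"

cat >"$FSTAB" <<'EOF'
# <file system>          <mount point> <type> <options>         <dump> <pass>
/dev/mapper/sda5_crypt   /             ext4   errors=remount-ro 0      1
/dev/sda1                /boot         ext3   defaults          0      2
/dev/mapper/cryptswap    none          swap   sw                0      0
/dev/mapper/tmpswap      none          swap   sw                0      0
/dev/sda7                none          swap   sw                0      0
EOF

cat >"$CRYPTTAB" <<'EOF'
# <target name> <source device> <key file>    <options>
sda5_crypt      /dev/sda5       none          luks
cryptswap       /dev/sda6       none          luks
tmpswap         /dev/sda8       /dev/urandom  swap,cipher=aes-cbc-essiv:sha256
EOF

# classify_swap FSTAB CRYPTTAB
# Prints "<device> <status>" per swap entry, where status is one of:
#   encrypted   dm-crypt mapping with a persistent key (resume works)
#   random-key  dm-crypt mapping keyed from /dev/urandom (no resume possible)
#   PLAIN       raw block device; a hibernation image lands there in clear
classify_swap() {
    awk '
        # first input (crypttab): remember the key source of each mapping
        FNR == NR { if ($0 !~ /^[ \t]*(#|$)/) key[$1] = $3; next }
        # second input (fstab): look only at swap entries
        $0 !~ /^[ \t]*(#|$)/ && $3 == "swap" {
            dev = $1; status = "PLAIN"
            if (dev ~ /^\/dev\/mapper\//) {
                name = substr(dev, length("/dev/mapper/") + 1)
                if (name in key)
                    status = (key[name] == "/dev/urandom") ? "random-key" : "encrypted"
            }
            print dev, status
        }
    ' "$2" "$1"
}

# swap_ok FSTAB CRYPTTAB: succeeds only when every swap entry is encrypted
# with a persistent key, i.e. is safe to hibernate onto.
swap_ok() {
    [ "$(classify_swap "$1" "$2" | awk '$2 != "encrypted"' | wc -l)" -eq 0 ]
}

classify_swap "$FSTAB" "$CRYPTTAB"
```

The sample deliberately contains one of each case, so the report shows a LUKS swap that is fine, a random-key swap that would silently lose the hibernation image, and a plain partition that would write it unencrypted.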
You should definitely improve your weak password.
Given a strong password, I don’t think sudo without a password seems like a problem. If someone breaks into your account, they have all the interesting access they need, and having root doesn’t make much difference. If they can break into your account, they can get all the interesting files off your system, and they can intercept any actions you take as that user.
Having an unencrypted /boot seems like a serious weak point. Someone can trivially substitute their own kernel, or bootloader for that matter, and either way they can then wait for you to boot it and decrypt the rest of your data. For that extra level of paranoia, you might consider booting off of a trusted USB key, business card CD, or something else you can keep on your person. That works as long as you trust your BIOS. You can enhance that trust with a BIOS password; if you ever find it reset, panic. Still not perfect, but significantly improved.
However, that only matters if you suspect someone might break into your system in an attempt to monitor you after the break-in. If you only encrypt and password things in an attempt to deter casual attempts or someone who steals the entire laptop for good, you probably have enough security.
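The unencrypted /boot concern above has a cheap detective control even if you do not move to booting from a USB key: record hashes of everything in /boot and verify them after each boot, with the manifest kept on the encrypted root (or on the key you carry). The following is an added example, not code from the thread; it builds a constructed "boot" directory in a temp dir so it runs anywhere, and the record/verify functions take the directory as a parameter so the same code can be pointed at a real /boot.

```shell
#!/bin/sh
# Added example (not from the original thread): hash manifest for an
# unencrypted /boot, to detect a replaced kernel, initrd or bootloader stage.
# The directory below is a constructed stand-in for /boot.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
BOOT="$TMPD/boot"
MANIFEST="$TMPD/boot.sha256"   # on a real system: keep this on the encrypted root
mkdir -p "$BOOT/grub"
printf 'fake kernel image\n' > "$BOOT/vmlinuz-2.6"
printf 'fake initramfs\n'    > "$BOOT/initrd.img-2.6"
printf 'fake stage2\n'       > "$BOOT/grub/stage2"

# record_manifest DIR OUT: sha256 of every regular file under DIR, with paths
# relative to DIR so the manifest does not depend on where DIR is mounted.
record_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# verify_manifest DIR MANIFEST: prints CHANGED/ADDED/REMOVED <path> for every
# difference between the stored manifest and the current state of DIR, and
# returns non-zero when anything differs.
verify_manifest() {
    cur=$(mktemp)
    record_manifest "$1" "$cur"
    awk '
        FNR == NR { old[$2] = $1; next }   # stored manifest: hash by path
        { new[$2] = $1 }                   # freshly computed manifest
        END {
            rc = 0
            for (p in old) {
                if (!(p in new))           { print "REMOVED", p; rc = 1 }
                else if (old[p] != new[p]) { print "CHANGED", p; rc = 1 }
            }
            for (p in new) if (!(p in old)) { print "ADDED", p; rc = 1 }
            exit rc
        }
    ' "$2" "$cur"
    rc=$?
    rm -f "$cur"
    return $rc
}

record_manifest "$BOOT" "$MANIFEST"
verify_manifest "$BOOT" "$MANIFEST" && echo "boot contents match manifest"
```

Run `record_manifest` right after a kernel or bootloader upgrade you made yourself, and `verify_manifest` from the encrypted system after every boot; a CHANGED or ADDED line you did not cause is the signal to stop trusting that machine. The check cannot see a modified BIOS or firmware, which is why the comment above pairs it with a BIOS password.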
Apart from that potential 3 minute window where your laptop is unlocked :)
What about SELinux? If you have a firewall, the best start to attack you would be a website which attacks your browser? (jpg running code on your box, etc.)
SELinux could be used to forbid the browser to access your invaluable data in ~/private/, ~/.ssh, ~/.gnupg.
Or am I wrong?