Safe Computing

Secure and Manage Your Computer (Linux/Unix)

If you are permitted to access or maintain sensitive institutional data using your personally owned computer or self-managed university-owned computer, please meet the minimum expectations below.

See Your Responsibilities for Protecting University Data When Using Your Own Devices for a complete list of your responsibilities when using your own devices to work with sensitive U-M data.

By meeting the minimum expectations below, you also protect your personal data.

Minimum Expectations for a Secure Computer

Settings
Require a password for access to your computer. Follow these guidelines for a strong password.
Set your screensaver to activate after 15 or fewer minutes of inactivity, and require your password to unlock it. This helps prevent unauthorized access to your computer.
Turn on your local firewall. It is normally turned on by default. Current versions of Linux use the iptables firewall. Standard firewall practice dictates that you deny everything and then allow only the services you require. Consult the documentation for your system to learn how to adjust the firewall rules so that only the services you require are enabled.
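The deny-everything-then-allow practice described above, written out as an added example (this script is not from the U-M page or any distribution's tooling). It generates a ruleset in iptables-restore format so that every permitted service is an explicit line, and it assumes SSH on TCP port 22 is the only inbound service this workstation needs. It writes to a file under /tmp and never touches the running firewall; applying the file is a separate, reviewed step.

```shell
#!/bin/sh
# Added example: build a default-deny iptables ruleset in iptables-restore
# format. The TCP ports to allow are passed as arguments (assumed: 22 for SSH
# is the only service this machine needs). Nothing here changes the live
# firewall; the generated file is applied separately with iptables-restore.

# gen_ruleset PORT... : print a ruleset that drops all inbound traffic except
# loopback, replies to connections we opened, and the listed TCP ports.
gen_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'        # default deny for inbound traffic
    echo ':FORWARD DROP [0:0]'      # a workstation does not route packets
    echo ':OUTPUT ACCEPT [0:0]'     # outbound allowed (tighten if required)
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # keep ping working so the machine can still be reached for troubleshooting
    echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# allowed_ports FILE : the TCP ports a generated ruleset opens, one per line
allowed_ports() {
    sed -n 's/^-A INPUT -p tcp --dport \([0-9]*\) .*/\1/p' "$1"
}

# count_open_ports FILE : how many TCP ports the ruleset opens
count_open_ports() {
    allowed_ports "$1" | wc -l | tr -d ' '
}

# default_policy FILE CHAIN : the policy the ruleset sets for CHAIN
default_policy() {
    sed -n "s/^:$2 \([A-Z]*\) .*/\1/p" "$1"
}

RULES=/tmp/workstation-rules.v4   # assumed output path, review before applying
gen_ruleset 22 > "$RULES"
echo "Default INPUT policy: $(default_policy "$RULES" INPUT)"
echo "Open TCP ports: $(allowed_ports "$RULES" | tr '\n' ' ')"
# To apply as root once the file has been reviewed:
#   iptables-restore < /tmp/workstation-rules.v4
```

Because the INPUT policy is DROP, anything not listed is refused by default; adding a service means adding one explicit line, which is easy to review later when auditing what the machine exposes.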
Disable root login / su - and implement sudo. Implementing sudo allows privileged access as required, logs all such activity, and links specific actions to specific individuals. It also avoids shared root accounts, which make it more difficult to securely deprovision an individual's access or to contain security incidents involving compromised credentials. Many Linux distributions already disable root login and force the use of sudo. If your distribution does not already support sudo, install the sudo package and configure it appropriately (ensure that "su -" cannot switch to root, and consider bash, vi, and other applications that can shell out to root).
Disable / remove guest and default accounts. Best practice is not to allow guest, default, or shared accounts access to the workstation. Verify that there are no suspicious accounts in the /etc/passwd file. Ubuntu has the guest account enabled by default; edit the /etc/lightdm/lightdm.conf file and add the following line at the end of the file:
allow-guest=false
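The two checks above (root login disabled in favor of sudo, and no guest or default accounts) as one added audit script; it is not from the U-M page. The functions take file paths as arguments, so the script runs here against constructed sample files under /tmp; pointing them at /etc/passwd, /etc/shadow and /etc/lightdm/lightdm.conf (as root) audits a real system. The account names in the samples, including the second UID-0 account, are constructed to illustrate findings.

```shell
#!/bin/sh
# Added example: audit accounts from passwd/shadow-format files and check that
# the LightDM guest session is off. All inputs are file arguments, so the
# checks run against constructed samples; use the real /etc files as root to
# audit an actual workstation.

# uid0_accounts PASSWD : every account other than root whose UID is 0.
# Any output is a finding: a second UID-0 account is an unnamed root login.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# interactive_accounts PASSWD : accounts whose login shell is usable (not
# nologin or false). Review the list for guest, test or vendor-default accounts.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# root_login_disabled SHADOW : succeeds when root's password hash is locked
# ("!" or "*"), which makes "su -" to root fail and forces sudo instead.
root_login_disabled() {
    awk -F: '$1 == "root" { found = 1; locked = ($2 ~ /^[!*]/) }
             END { if (found && locked) exit 0; exit 1 }' "$1"
}

# guest_session_disabled LIGHTDM_CONF : succeeds when allow-guest=false is set
guest_session_disabled() {
    grep -q '^[[:space:]]*allow-guest[[:space:]]*=[[:space:]]*false' "$1"
}

# audit_report DIR : human-readable summary over DIR/passwd, DIR/shadow, DIR/lightdm.conf
audit_report() {
    echo "UID-0 accounts besides root: $(uid0_accounts "$1/passwd" | tr '\n' ' ')"
    echo "Interactive accounts:        $(interactive_accounts "$1/passwd" | tr '\n' ' ')"
    if root_login_disabled "$1/shadow"; then
        echo "root password: locked (sudo required)"
    else
        echo "root password: set, su - to root is still possible"
    fi
    if guest_session_disabled "$1/lightdm.conf"; then
        echo "LightDM guest session: disabled"
    else
        echo "LightDM guest session: ENABLED"
    fi
}

# Constructed sample data (not a real system): one ordinary user, one guest
# account, and a second UID-0 account named "legacyadmin".
SAMPLE=/tmp/audit-sample
mkdir -p "$SAMPLE"
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
legacyadmin:x:0:0:old admin account:/root:/bin/sh
EOF
cat > "$SAMPLE/shadow" <<'EOF'
root:!:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
EOF
printf '[Seat:*]\nallow-guest=false\n' > "$SAMPLE/lightdm.conf"

audit_report "$SAMPLE"
```

On the sample the report flags legacyadmin as a second UID-0 account and lists guest among the interactive accounts, while root's locked hash and the allow-guest=false line both pass. Locking root's password (passwd -l root) is what the root_login_disabled check looks for; it is the usual way distributions that force sudo keep "su -" from reaching root.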
Install U-M VPN (Virtual Private Network) software if you expect to use untrusted networks (such as guest wireless in a hotel or coffee shop). Members of the U-M community can download and install the U-M VPN. UMHS faculty and staff should download and install the UMHS VPN.*
Use full disk encryption for laptops. Full disk encryption prevents unauthorized access to the sensitive data stored on the laptop should it be lost or stolen. Install a version of Linux/Unix that supports full disk encryption.

*U-M Health System (UMHS) faculty and staff should use the Cisco AnyConnect VPN client provided by Medical Center Information Technology (MCIT) to access Protected Health Information (PHI), Clinical Network and Applications, Schedulon, and Printing, as well as to access file servers and internal UMHS web content. For more information, installers, and instructions, see VPN - Cisco AnyConnect SSL Client in the UMHS KnowledgeBase.

Connections
Use a secure internet connection. Secure networks include wired connections and MWireless.
Turn on the U-M VPN if using untrusted wireless networks (such as guest wireless in a hotel or coffee shop). UMHS faculty and staff should use the UMHS VPN (see above).
Turn off optional network connections (WiFi, Bluetooth) when you are not using them. This prevents unauthorized access to your computer through those connections.

Management
Turn on automatic updating to keep your Linux/Unix operating system updated. Most Linux and Unix distributions provide a way to update the operating system automatically via the Internet. Consult the documentation for your system to learn how to do this. Automatic updating provides you with security updates and other improvements.
Keep your applications updated to take advantage of security updates and other improvements. Use automatic updating where available.
Configure audit logging (syslog) to help you reconstruct a timeline of events or system activity. This information is important for responding to security incidents or resolving system errors. Audit rules are specified in the file /etc/syslog.conf. Typically, the system stores sequential logs in files in the /var/log directory.
Configure NTP time synchronization. Many Internet services rely on the computer's clock being accurate, and accurate time/date stamps in logged activity aid forensic analysis and system troubleshooting. Install the ntp package. Configure ntp.conf to use the university's time server at ntp.itd.umich.edu, or set up a cron job that uses rdate to set the clock every four hours.
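The logging and time-synchronization items above, as one added example that is not from the U-M page: a script that generates the syslog.conf and ntp.conf fragments the items ask for and checks them before they are installed. It assumes a scratch directory under /tmp, the ntp.itd.umich.edu server named on this page, and the /var/log file names shown in the comments; copying the results into /etc is a separate step done as root after review.

```shell
#!/bin/sh
# Added example: generate and sanity-check the syslog and NTP configuration
# fragments for a workstation. Output goes under /tmp (assumed scratch path)
# so the script is safe to run as-is; install the reviewed files as root.

NTP_SERVER=ntp.itd.umich.edu   # the university time server named on this page

# gen_ntp_conf SERVER... : ntp.conf that polls the given servers and refuses
# queries and modifications from the network, so the workstation does not
# become a public NTP responder.
gen_ntp_conf() {
    echo 'driftfile /var/lib/ntp/ntp.drift'
    echo 'restrict default kod nomodify notrap nopeer noquery'
    echo 'restrict -6 default kod nomodify notrap nopeer noquery'
    echo 'restrict 127.0.0.1'
    echo 'restrict ::1'
    for s in "$@"; do echo "server $s iburst"; done
}

# gen_syslog_conf : syslog.conf rules that keep authentication events in their
# own file and everything else in /var/log/syslog, which is where a timeline
# is reconstructed from after an incident.
gen_syslog_conf() {
    printf 'auth,authpriv.*\t\t/var/log/auth.log\n'
    printf '*.*;auth,authpriv.none\t/var/log/syslog\n'
    printf 'kern.*\t\t\t/var/log/kern.log\n'
}

# ntp_servers FILE : the servers an ntp.conf polls, one per line
ntp_servers() { awk '$1 == "server" { print $2 }' "$1"; }

# ntp_restricts_queries FILE : succeeds when the default restriction has noquery
ntp_restricts_queries() { grep -q '^restrict default .*noquery' "$1"; }

# syslog_auth_target FILE : the file auth/authpriv messages are written to
syslog_auth_target() { awk '$1 ~ /^auth,authpriv\.\*/ { print $2 }' "$1"; }

OUT=/tmp/workstation-conf   # assumed scratch directory
mkdir -p "$OUT"
gen_ntp_conf "$NTP_SERVER" > "$OUT/ntp.conf"
gen_syslog_conf > "$OUT/syslog.conf"
echo "NTP servers: $(ntp_servers "$OUT/ntp.conf" | tr '\n' ' ')"
echo "Auth log:    $(syslog_auth_target "$OUT/syslog.conf")"
# The page's alternative to running ntpd is a root cron entry that resets the
# clock every four hours. rdate on most Linux systems speaks the RFC 868 time
# protocol (TCP port 37), so the server must offer that protocol:
#   0 */4 * * * root rdate -s ntp.itd.umich.edu
```

The noquery/nomodify restriction lines are the time-service counterpart of the firewall item: the machine polls the university server but does not answer NTP queries from anyone else. Keeping auth and authpriv in their own file means sudo use and login attempts can be reviewed without wading through the general syslog.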
Only install trusted applications. Only install applications from reputable software providers.
Be aware that certain types of sensitive data (such as Export Control, HIPAA, and FISMA data) cannot be accessed or maintained outside the U.S. See the Sensitive Data Guide for details.
Before you sell or give away your computer, erase the hard drive securely. See Remove Data from a Hard Drive.
Report security incidents. If you use your computer to maintain or access sensitive institutional data and it is lost or stolen, notify the ITS Service Center.

Instructions for security settings and tips for protecting your Linux/Unix computer are available from various vendors:


Additional Best Practices

Consider these additional options for enhanced security for your computer and the data maintained on or accessed from it.
