Consolidate yubikey pages #1193

Merged
merged 5 commits into from
Oct 4, 2023
6 changes: 2 additions & 4 deletions .config/mkdocs.yml
Expand Up @@ -75,13 +75,11 @@ nav:
- common-practices-tools/gold-star-program.md
- Security awareness and tools:
- common-practices-tools/security/README.md
- Setting up and using Yubikey:
- common-practices-tools/security/yubikey/README.md
- common-practices-tools/security/yubikey/linux.md
- common-practices-tools/security/yubikey/macosx.md
- common-practices-tools/security/yubikey.md
- common-practices-tools/security/drupal-rmf-support.md
- common-practices-tools/security/encryption.md
- common-practices-tools/security/gnupg.md
- common-practices-tools/security/securing-your-workspace.md
- Incidents:
- common-practices-tools/security/contingency-plan.md
- common-practices-tools/security/incident-response-checklist.md
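Review bot: The nav now points at `common-practices-tools/security/yubikey.md`, but no hunk in this diff creates that file or removes `yubikey/README.md`, `yubikey/linux.md` and `yubikey/macosx.md`; confirm the new page exists at that path before merging, since mkdocs warns on a nav entry whose file is missing and fails the build under `strict: true`. Note also that `securing-your-workspace.md` appears in the nav here while the rest of the diff shows it being created by renaming the Linux YubiKey page, so the two entries together should cover everything the three removed pages held.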
3 changes: 3 additions & 0 deletions .config/redirects.yml
Expand Up @@ -502,3 +502,6 @@
- from_url: /practice-areas/project-management/pm-role/
to_url: /practice-areas/project-management/
type: page
- from_url: /common-practices-tools/security/yubikey/linux/
to_url: /common-practices-tools/security/securing-your-workspace/
type: page
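Review bot: Only `/common-practices-tools/security/yubikey/linux/` gets a redirect, yet the mkdocs hunk also drops `yubikey/README.md` and `yubikey/macosx.md`, so the old `/yubikey/` and `/yubikey/macosx/` URLs will 404 for anyone with a bookmark or an external link; add `from_url` entries for both. Consider the target as well: the Linux page's YubiKey-specific material (PAM challenge-response, udev removal lock) is deleted from the renamed page later in this diff, so readers following the old Linux YubiKey link land on a page that no longer covers it; `/common-practices-tools/security/yubikey/` may be the better `to_url`.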
11 changes: 4 additions & 7 deletions common-practices-tools/security/README.md
Expand Up @@ -12,10 +12,7 @@ _This is currently - and probably always will be - a work in progress. Pull Requ

The operating system and software applications on your laptop - and all computers, phones, tablets, etc. in your house - should be kept up to date with new versions and security patches that ensure it presents a minimal attack surface to potential adversaries. (This is mentioned in the [Security Policy](../../company-policies/security.md) but is worth repeating.)

Additionally, your laptop should lock (require a password to resume) on screen close and after 15 minutes idle time.

- [GNU/Linux specific instructions](yubikey/linux.md)
- [Mac OS X specific instructions](yubikey/macosx.md)
Additionally, your laptop should lock (require a password to resume) on screen close and after 15 minutes idle time. See [Securing Your Workspace](./securing-your-workspace.md) for more details.

## Password management tools

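Review bot: The replacement sentence keeps the lock-on-close and 15-minute idle requirements and links them to Securing Your Workspace, which is fine, but the removed bullets were the only pointers to Mac OS X instructions, and the `### Mac` section of the new page is an empty heading in this diff; either carry the Mac content over or say in the linked page that Mac steps are still to be written.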
Expand Down Expand Up @@ -50,7 +47,7 @@ CivicActions requires that its employees and contractors that are given access t

### Multi-Factor Authenticators (MFA)

There are many hardware and software tools for creating secure "one time passwords" (OTP). Three that we frequently use internally are described below. _(Note that Google Authenticator is no longer recommended as it does not support encrypted cloud backup.)_
There are many hardware and software tools for creating secure "one time passwords" (OTP). Three that we frequently use internally are described below.

Do not rely on SMS text messages for general two-factor authentication as it is less secure than others listed here. At the time of this writing, however, setting up Multi-Factor Authentication on your Google account initially requires SMS verification. This is OK, and also serves as a "MFA Backup" mechanism (be sure to see the essential section below on [Multi-Factor Redundancy and MFA Backup Codes](#multi-factor-redundancy-and-mfa-backup-codes)).

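Review bot: Dropping the italic note removes the page's only statement of why Google Authenticator is not recommended (no encrypted cloud backup), without the PR explaining whether that guidance is obsolete; if it is, say so in the commit, otherwise keep the note. Also check that "Three that we frequently use internally are described below" is still accurate after the later hunk replaces the YubiKey bullet with a link to a separate page.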
Expand All @@ -69,7 +66,7 @@ Do not rely on SMS text messages for general two-factor authentication as it is

Once set up, your YubiKey greatly simplifies the process of Multi-Factor Authentication (MFA). While at home, keep the key plugged into an unused USB port and simply touch the button if asked to authenticate. This saves time while enabling the strongest security. While on the road, the nearly indestructible YubiKey attaches easily to your keychain _(and should only be inserted when authenticating)_.

- See "[Let's get your YubiKey to work](https://yubico.com/start)" (from Yubico) on how to use MFA with: [Gmail](https://www.yubico.com/why-yubico/for-individuals/gmail-for-individuals), [LastPass](https://www.yubico.com/works-with-yubikey/catalog/lastpass-premium-and-families/), [GitHub](https://www.yubico.com/works-with-yubikey/catalog/github/) and many other services.
See the [Yubikey page](./yubikey.md) for details on setting it up with various operating systems.

While YubiKey is the easiest to use on a daily basis, if you lose it you could get locked out of all your systems so be sure that you have set up [Multi-Factor Redundancy and MFA Backup Codes](#multi-factor-redundancy-and-mfa-backup-codes).

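Review bot: The removed bullet carried Yubico's per-service setup links (the "Let's get your YubiKey to work" start page plus Gmail, LastPass and GitHub); the new sentence links only the internal Yubikey page, so unless those links moved there, keep the bullet alongside the new sentence rather than replacing it. Minor: "Yubikey page" should be "YubiKey page" to match the capitalization used throughout this section.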
Expand Down Expand Up @@ -115,7 +112,7 @@ Social engineering is the most common attack vector used to compromise computer
- Watch out for an "Evil Twin" - a hotspot that looks good but could be an access point set up by an attacker (e.g., "StarbucksGuest" or "DeltaFreeWifi")
- Turn on your local firewall
- Use a VPN if possible
- CivicActions has an [internal company VPN](https://git.civicactions.net/devops/internal-it-wireguard-vpn/tree/master) that has a static exit IP that can be whitelisted to CivicActions' client services
- CivicActions has an [internal company VPN](https://git.civicactions.net/devops/internal-it-wireguard-vpn/tree/master) that has a static exit IP that can be allow-listed to CivicActions' client services
- If you always use HTTPS and SSH for connectivity, you are essentially creating a trusted VPN tunnel with every connection. There could still be metadata collection and local DNS spoofing, but [public Wi-Fi is now reasonably safe](https://www.eff.org/deeplinks/2020/01/why-public-wi-fi-lot-safer-you-think)
- As usual, never enter your name or password information:
- when on an insecure (non-HTTPS or SSL encrypted) connection, or
@@ -1,20 +1,30 @@
---
title: Yubikey and Linux
title: Securing Your Workspace
---

# YubiKey Support for GNU/Linux
Notes on securing your workspace (linux, Mac or Windows) for various platforms and applications.

This is the GNU/Linux specific documentation for [YubiKey](README.md).
## Introduction

_Please help make this page more useful by adding links you found useful (describe exactly how they are useful) and specific steps you used to install, configure, and test your YubiKey._
## High Level Security Guidelines

## Screen lock when idle or lid closed (X server)
- Screen lock
- Strong password
- Disk encryption
- Separate browser profile for work
- No smart devices that are always listening

_Note: this section does not require YubiKey_
### Mac

### Windows

### Linux

#### Screen lock when idle or lid closed (X server)

After a period of inactivity and (for laptops) when you close the lid, the screen must blank (or be replaced with a background image).

### Screen lock with xss-lock
##### Screen lock with xss-lock

This uses [xss-lock](http://manpages.ubuntu.com/manpages/xenial/man1/xss-lock.1.html) (the brains behind the venerable xscreensaver function) and [i3lock](http://i3wm.org/i3lock/) as the screen locker, but you can substitute this with another locker such as [xsecurelock](https://github.com/google/xsecurelock). xss-lock subscribes to the systemd-events `suspend`, `hibernate`, `lock-session`, and `unlock-session` with appropriate actions (run locker and wait for user to unlock or kill locker). xss-lock also reacts to DPMS events and runs or kills the locker in response. (See also: [Power Management with xss-lock](https://wiki.archlinux.org/index.php/Power_management#xss-lock))

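Review bot: `## Introduction`, `### Mac` and `### Windows` are empty headings, so the page now advertises three platforms and delivers only Linux; drop the empty sections or add at least a sentence pointing at where Mac and Windows users should look. The "High Level Security Guidelines" list is a reasonable summary but "Separate browser profile for work" and "No smart devices that are always listening" would each benefit from one line of rationale, since this page is now the redirect target for the old Linux YubiKey URL. Minor: "(linux, Mac or Windows)" should read "(Linux, Mac or Windows)".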
Expand All @@ -32,13 +42,13 @@ Or if running the i3 windor manager, put this in your ~/.i3/config file:
exec --no-startup-id xss-lock -- i3lock -n -c 000000
```

### Screen lock with xautolock
##### Screen lock with xautolock

This uses [xsecurelock](https://github.com/google/xsecurelock) (recommended screen lock) together with [xautolock](https://linux.die.net/man/1/xautolock) (simple away command runner tool) to lock the screen after 10 minutes when away from home network. It also suspends after 30 mins, adds a hot corner to block locking (useful if watching a video, for example) and adds a notification (using `dunst` and `notify-send`) before locking. Note that pretty much all of these pieces are optional (you could use `gnome-screensaver` or `xscreensaver` for away detection for instance), but using `xsecurelock` for locking is strongly recommended since other lock screens have had vulnerabilities.

Install packages as needed (`dunst` and `libnotify` optional -- you may already have a notification system):

#### Arch xautolock setup
###### Arch xautolock setup

```bash
pacaur -S xsecurelock-git xautolock dunst libnotify
Expand All @@ -52,7 +62,7 @@ dunst &
xautolock -time 10 -corners -000 -locker "/usr/bin/xsecurelock auth_pam_x11 saver_blank" -killtime 30 -killer "systemctl suspend" -notify 30 -notifier "notify-send -- 'Locking screen in 30 seconds'" &
```

### Away detection ideas
##### Away detection ideas

Exceptions to the "idle timeout lock" can be made if you are on your home network and feel that it is secure. Adapt the below script if you only want to lock your screen when you are away from home.

Expand All @@ -72,70 +82,3 @@ if ! arp 192.168.1.1 | grep 48:5d:36:4c:d5:51 &> /dev/null; then
fi
fi
```

## Locking your Machine with YubiKey

This will require the YubiKey (Two Factor Authentication) to be inserted to authenticate via PAM (login, sudo or screen unlock). Test this carefully in an alternate console session to ensure you **don't lock yourself out!** (If you do get locked out, you'll have to boot with a live CD and undo the changes in /etc/pam.d/. As this requires a reboot, your [encrypted disk](https://github.com/CivicActions/security-policy/blob/master/tools#disk-encryption-and-storage-management) will require its passphrase again, which is the key to security here.)

This is required of CivicActions "privileged users" such as System Administrators, and it is our intention that it be standard practice for all CivicActions employees and contractors.

### Installing the Yubico libpam module

In order to connect your YubiKey to the screen locking software on your computer, you need to

#### Arch yubico-pam setup

```bash
pacaur -S yubico-pam
```

#### Fedora

#### Ubuntu/Xubuntu

```bash
sudo apt-get install libpam-yubico
```

### Set up PAM TFA

PAM is the Pluggable Authentication Module used by GNU/Linux and Mac OS X to manage login authentication.

See [Yubico GitHub](https://github.com/Yubico/yubico-pam/blob/b0e243835e61418bfa760e57c3d313b2e9452e87/doc/Authentication_Using_Challenge-Response.adoc) page for complete documentation.

```bash
ykpamcfg -2 -v
```

Ubuntu autoconfiguration during installation of `libpam-yubico` may already have placed a line like the following in either `/etc/pam.d/common-auth` or `/etc/pam.d/system-auth`. If not using Ubuntu (or the line is not there), edit `/etc/pam.d/system-auth` (will need to `sudo`) and add the following line at the top of the file:

```bash
auth required pam_yubico.so mode=challenge-response
```

### YubiKey removal lock

For additional security, you may want to immediately lock the screen when the YubiKey is removed.

This locks the laptop immediately when any YubiKey is removed. If you are not using xautolock as your "away detector", replace xautolock with a command to trigger your screen lock with the "away detector" that you do use. This is inspired by <https://vtluug.org/wiki/Yubikey#Automatic_Screen_Locking_.28i3lock.2C_slock.2C_etc..29>

As your login user, create executable file `~/bin/ykgone`:

```bash
#!/bin/bash
USER=$(stat -c "%U" "$0")
if usb-devices | fgrep Vendor=1050; then
echo "YubiKey present"
else
echo "YubiKey not present, locking"
export DISPLAY=":0"
export XAUTHORITY=/home/$USER/.Xauthority
su $USER -c "xautolock -locknow" &
fi
```

Next, create (with sudo) a device notification file `/etc/udev/rules.d/90-yubikey.rules`:

```bash
ACTION=="remove", ATTRS{idVendor}=="1050", RUN+="/home/$USER/bin/ykgone"
```
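Review bot: This hunk deletes the whole "Locking your Machine with YubiKey" section (yubico-pam install, `ykpamcfg -2 -v`, the `auth required pam_yubico.so mode=challenge-response` PAM line, and the `ykgone` udev removal lock) and nothing in the diff re-adds it; that section also carried the lock-yourself-out warning and the statement that PAM-based YubiKey auth is required of privileged users, so confirm it landed in `yubikey.md` or restore it here. If it is being moved, two things are worth fixing on the way: the `#### Fedora` heading has no install command, and the udev rule `RUN+="/home/$USER/bin/ykgone"` relies on `$USER`, which udev does not expand (it performs its own `$…` substitutions and has no shell environment), so the script path should be literal or the script placed outside a home directory.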