kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-03-26 03:03:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
computer-playbook/03_SECURITY_GUIDELINES.md

4.4 KiB
Raw Permalink Blame History

Security Guidelines

CyMaIS is designed with security in mind. However, while following our guidelines can greatly improve your systems security, no IT system can be 100% secure. Please report any vulnerabilities as soon as possible.

For End Users

For optimal personal security, we strongly recommend the following:

  • Use a Password Manager
    Use a reliable password manager such as KeePass 🔐. (Learn more about password managers on Wikipedia.) KeePass is available for both smartphones and PCs, and it can automatically generate strong, random passwords.

  • Enable Two-Factor Authentication (2FA)
    Always enable 2FA whenever possible. Many password managers (like KeePass) can generate TOTP tokens, adding an extra layer of security even if your password is compromised.
    Synchronize your password database across devices using the Nextcloud Client 📱💻.

  • Use Encrypted Systems
    We recommend running CyMaIS only on systems with full disk encryption. For example, Linux distributions such as Manjaro (based on ArchLinux) with desktop environments like GNOME provide excellent security. (Learn more about disk encryption on Wikipedia.)

  • Beware of Phishing and Social Engineering
    Always verify email senders, avoid clicking on unknown links, and never share your passwords or 2FA codes with anyone. (Learn more about Phishing and Social Engineering on Wikipedia.)

Following these guidelines will significantly enhance your personal security—but remember, no system is completely immune to risk.

For Administrators

Administrators have additional responsibilities to secure the entire system:

  • Deploy on an Encrypted Server
    It is recommended to install CyMaIS on an encrypted server to prevent hosting providers from accessing end-user data. For a practical guide on setting up an encrypted server, refer to the Hetzner Arch LUKS repository 🔐. (Learn more about disk encryption on Wikipedia.)

  • Centralized User Management & SSO
    For robust authentication and central user management, set up CyMaIS using Keycloak and LDAP. This configuration enables centralized Single Sign-On (SSO) (SSO), simplifying user management and boosting security.

  • Enforce 2FA and Use a Password Manager
    Administrators should also enforce 2FA and use a password manager with auto-generated passwords. We again recommend KeePass. The KeePass database can be stored securely in your Nextcloud instance and synchronized between devices.

  • Avoid Root Logins & Plaintext Passwords
    CyMaIS forbids logging in via the root user or using simple passwords. Instead, an SSH key must be generated and transferred during system initialization. When executing commands as root, always use sudo (or, if necessary, sudo su—but only if you understand the risks). (More information on SSH and sudo is available on Wikipedia.)

  • Manage Inventories Securely
    Your inventories for running CyMaIS should be managed in a separate repository and secured with tools such as Ansible Vault 🔒. Sensitive credentials must never be stored in plaintext; use a password file to secure these details.

  • Reporting Vulnerabilities
    If you discover a security vulnerability in CyMaIS, please report it immediately. We encourage proactive vulnerability reporting so that issues can be addressed as quickly as possible. Contact our security team at security@cymais.cloud DO NOT OPEN AN ISSUE.

By following these guidelines, both end users and administrators can achieve a high degree of security. Stay vigilant, keep your systems updated, and report any suspicious activity. Remember: while we strive for maximum security, no system is completely infallible.