- System Hardening Overview
- Batille
- Securing X-Windows
- Securing Linux Daemons
- Security patches
- Security Benchmarks
System Hardening Overview
- Linux, like other operatingsystems, is not secure “out of the box”
- Security increases as newer versions and distros come out
- Users/administrators still need to take steps to “harden” systems
- Items typically requiring securing/hardening include:
- X-Windows
- System daemons
- Networking services
Bastille
- Scripts walk SA through several modules, automates changing a large number of configurable system items
- Has modules for checking and configuring Internet services, suid(set-user-ID) files, account and boot security, and TCP wrappers
- Bastille program is available from http://bastille-linux.sourceforge.net/
- Bastille currently supports most distros of Linux and Unix including:
- Red Hat, SuSe, Debian, Gentoo, Mandrake, and HP-UX
Securing X-Windows
- X-windows is Graphical Interface for Linux
- Comes with most distributions,but is ot part of them
- Used to access systems both locally and remotely
- X is a Protocol and set of utilities
- Client-server design
- Runs from the X server, and provides keyboard, mouse and video
- Not configured securely by default
- Signals can get intercepted btween x-server and client(either remote or local)
- Several ways of securing X
- xhost – controls authentication to x erver on a host basis
- X server maintains lists of allowed hosts
- xhost allows hosts to be added/deleted from list
- Vulnerabilities: Host spoofing, sessions are per host, not per user
- xauth – controls authentication through .Xauthority
- .Xauthority file contains authentication ‘cookie’ that client must send to server
- Best security mechanism is using X windows over ssh
- Authentication can be controlled and audited through user credentials
- communications traffic between x client and X erver is encrypted
Securing Linux Daemons
- Daemons are same as Windows services
- Programs that run in background to accomplish system tasks
- Often run with a set of credentials and privilege levels
- Securing Linux Daemons is to not install unnecessary ones!.
- Best way to secure daemons is to not install unnessary ones!
- Don’t use “Install Everything” option during installation
- Install services according to machine role
- Use ‘ps’ and ‘netstat’ commands to determine what services are running and network connections established by them
- Many Daemons turned on/off in /etc/inetd.conf – edit this file to selectively disable services that are not needed
- Recompiling kernel is another way to secure services
- Generate learner kernel with only daemons you need supported
- Eliminates risk of daemons being reconfigured or restarted
Security Patches
- Even after initial hardening, Linux can still be insecure
- New vulnerabilities discovered every day
- Security patches issued to counter threats and fix vulnerabilities
- Most current distros have automated patch utility
- Connects to trusted centralized site and downloads latest patches
- Usually provides patches for OS and popular software apps included in distro
- Third party apps frequently need patches from different vendors
- Usually manual download and installation process
- Download patches only from trusted sites
- Verify hashes provided with patches to ensure file integrity
- Many utilities to download and install security patches
- Up2date, YUM, and YaST are a few
- Get familiar with your distro’s update utilities
Security Benchmarks
- Several free and commercial tools exist to test/measure security on Linux
- Benchmarks available for almost all distros
- Usually automated tool that checks security of daemons, processes, accounts,permissions , etc.
- Nessus is free valnerability scanner provided with most distros
- Uses frequently updated database of vulnerabilities
- Can be used for single or multiple machines
- Uses client/server architecture
Mentor for DevOps - DevSecOps - SRE - Cloud - Container & Micorservices at Cotocus
Join my following certification courses...
- DevOps Certified Professionals (DCP)
- Site Reliability Engineering Certified Professionals (SRECP)
- Master in DevOps Engineering (MDE)
- DevSecOps Certified Professionals (DSOCP)
URL - https://www.devopsschool.com/certification/
My Linkedin - https://www.linkedin.com/in/rajeshkumarin
My Email - contact@DevOpsSchool.com
- DevOps Certified Professionals (DCP)
- Site Reliability Engineering Certified Professionals (SRECP)
- Master in DevOps Engineering (MDE)
- DevSecOps Certified Professionals (DSOCP)
URL - https://www.devopsschool.com/certification/
My Linkedin - https://www.linkedin.com/in/rajeshkumarin
My Email - contact@DevOpsSchool.com
Latest posts by Rajesh Kumar (see all)
- Packer Tutorials: Amazon Secrets Manager Data Source – amazon-secretsmanager - May 25, 2023
- Packer Tutorials: Amazon Data Sources – amazon-parameterstore - May 25, 2023
- What is DevSecTestOps? - May 25, 2023
