{"id":23694,"date":"2021-09-18T12:27:40","date_gmt":"2021-09-18T12:27:40","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=23694"},"modified":"2022-04-13T15:56:34","modified_gmt":"2022-04-13T15:56:34","slug":"complete-referance-of-hardening-in-linux-security","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/complete-referance-of-hardening-in-linux-security\/","title":{"rendered":"Complete Reference of Hardening in Linux Security"},"content":{"rendered":"\n<ul class=\"wp-block-list\"><li><strong>System Hardening Overview<\/strong><\/li><li><strong>Bastille<\/strong><\/li><li><strong>Securing X-Windows<\/strong><\/li><li><strong>Securing Linux Daemons<\/strong><\/li><li><strong>Security Patches<\/strong><\/li><li><strong>Security Benchmarks<\/strong><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">System Hardening Overview<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Linux, like other operating systems, is not secure &#8220;out of the box&#8221;<\/li><li>Security increases as newer versions and distros come out<\/li><li>Users\/administrators still need to take steps to &#8220;harden&#8221; systems<\/li><li>Items typically requiring securing\/hardening include:<\/li><li>X-Windows<\/li><li>System daemons<\/li><li>Networking services<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Bastille<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Scripts walk the SA through several modules and automate changing a large number of configurable system items<\/li><li>Has modules for checking and configuring Internet services, suid (set-user-ID) files, account and boot security, and TCP wrappers<\/li><li>The Bastille program is available from http:\/\/bastille-linux.sourceforge.net\/<\/li><li>Bastille currently supports most distros of Linux and Unix including:<\/li><li>Red Hat, SuSE, Debian, Gentoo, Mandrake, and HP-UX<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Securing X-Windows<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>X-Windows is the Graphical 
Interface for Linux<\/li><li>Comes with most distributions, but is not part of them<\/li><li>Used to access systems both locally and remotely<\/li><li>X is a protocol and set of utilities<\/li><li>Client-server design<\/li><li>Runs from the X server, and provides keyboard, mouse and video<\/li><li>Not configured securely by default<\/li><li>Signals can be intercepted between the X server and client (either remote or local)<\/li><li>Several ways of securing X<\/li><li>xhost &#8211; controls authentication to the X server on a host basis<\/li><li>X server maintains lists of allowed hosts<\/li><li>xhost allows hosts to be added\/deleted from the list<\/li><li>Vulnerabilities: Host spoofing, sessions are per host, not per user<\/li><li>xauth &#8211; controls authentication through .Xauthority<\/li><li>.Xauthority file contains authentication &#8216;cookie&#8217; that client must send to server<\/li><li>Best security mechanism is using X windows over ssh<\/li><li>Authentication can be controlled and audited through user credentials<\/li><li>Communications traffic between X client and X server is encrypted<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Securing Linux Daemons<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Daemons are the same as Windows services<\/li><li>Programs that run in the background to accomplish system tasks<\/li><li>Often run with a set of credentials and privilege levels<\/li><li>Best way to secure daemons is to not install unnecessary ones!<\/li><li>Don&#8217;t use the &#8220;Install Everything&#8221; option during installation<\/li><li>Install services according to machine role<\/li><li>Use the &#8216;ps&#8217; and &#8216;netstat&#8217; commands to determine what services are running and the network connections established by them<\/li><li>Many daemons are turned on\/off in \/etc\/inetd.conf &#8211; edit this file to selectively disable services that are not needed<\/li><li>Recompiling the kernel is another way to secure 
services<\/li><li>Generate a leaner kernel with only the daemons you need supported<\/li><li>Eliminates risk of daemons being reconfigured or restarted<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Security Patches<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Even after initial hardening, Linux can still be insecure<\/li><li>New vulnerabilities are discovered every day<\/li><li>Security patches are issued to counter threats and fix vulnerabilities<\/li><li>Most current distros have an automated patch utility<\/li><li>Connects to a trusted centralized site and downloads the latest patches<\/li><li>Usually provides patches for the OS and popular software apps included in the distro<\/li><li>Third-party apps frequently need patches from different vendors<\/li><li>Usually a manual download and installation process<\/li><li>Download patches only from trusted sites<\/li><li>Verify hashes provided with patches to ensure file integrity<\/li><li>Many utilities exist to download and install security patches<\/li><li>Up2date, YUM, and YaST are a few<\/li><li>Get familiar with your distro&#8217;s update utilities<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Security Benchmarks<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Several free and commercial tools exist to test\/measure security on Linux<\/li><li>Benchmarks are available for almost all distros<\/li><li>Usually an automated tool that checks security of daemons, processes, accounts, permissions, etc.<\/li><li>Nessus is a free vulnerability scanner provided with most distros<\/li><li>Uses a frequently updated database of vulnerabilities<\/li><li>Can be used for single or multiple machines<\/li><li>Uses client\/server architecture<\/li><\/ul>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>System Hardening Overview Bastille Securing X-Windows Securing Linux Daemons Security patches Security Benchmarks System Hardening Overview Linux, like other operating systems, is not secure &#8220;out of the box&#8221; Security increases as&#8230; 
<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[4957],"tags":[460,7055],"class_list":["post-23694","post","type-post","status-publish","format-standard","hentry","category-linux","tag-linux","tag-linux-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/23694","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=23694"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/23694\/revisions"}],"predecessor-version":[{"id":23695,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/23694\/revisions\/23695"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=23694"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=23694"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=23694"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}