Securing Linux
By Terrance Marcelle
The CIA Triad
• Confidentiality
• Integrity
• Availability
Partitions: default layout

Partitions: recommended layout
Partitions: what goes wrong when everything lives on one filesystem
• A user stores too many files in their home directory
• A user intentionally runs malicious code or a bad command to fill up as much space as possible
– cat /dev/zero > zerofile
• Excess logging fills the disk
• /tmp and /dev/shm are world-writable but not mounted with noexec, nodev and nosuid, so anyone can drop a binary there and run it
Separate partitions turn each of these into a full /home, /var or /tmp instead of a full root filesystem that stops the whole system, and let the world-writable ones be mounted with the restrictive options.
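The check that follows is an added example and not part of the slides: it parses an fstab, reports which of the wanted mount options an entry lacks, and prints the corrected line. The fstab text is a constructed sample modelled on a default CentOS/Ubuntu layout with made-up UUIDs. The same function checks any option set, for instance the usrquota,grpquota options the quota slide later adds to /home.

```shell
#!/bin/sh
# Added example, not from the slides: check which hardening mount options an
# fstab entry lacks, and print the corrected entry. The fstab below is a
# constructed sample modelled on a default CentOS/Ubuntu layout; the UUIDs
# are made up.
SAMPLE_FSTAB='UUID=0a1b2c3d-0000-0000-0000-000000000001 /        ext4  defaults  1 1
UUID=0a1b2c3d-0000-0000-0000-000000000002 /home    ext4  defaults  1 2
UUID=0a1b2c3d-0000-0000-0000-000000000003 /tmp     ext4  defaults  1 2
tmpfs                                     /dev/shm tmpfs defaults  0 0'

# missing_opts FSTAB_TEXT MOUNTPOINT OPT1[,OPT2...]
# Prints, comma-separated, the wanted options the entry for MOUNTPOINT does
# not carry (empty output when it has them all). Returns 1 if there is no
# entry for MOUNTPOINT at all.
missing_opts() {
    fstab=$1; mp=$2; wanted=$3
    # first non-comment line whose mount point field matches
    line=$(printf '%s\n' "$fstab" | awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print; exit }')
    [ -n "$line" ] || return 1
    have=$(printf '%s\n' "$line" | awk '{ print $4 }')
    missing=""
    for o in $(printf '%s' "$wanted" | tr ',' ' '); do
        case ",$have," in
            *",$o,"*) ;;                                   # already present
            *) missing="${missing:+$missing,}$o" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# harden_entry FSTAB_TEXT MOUNTPOINT OPTS
# Prints the fstab line for MOUNTPOINT with the missing options appended to
# its option field (fields re-joined with single spaces).
harden_entry() {
    add=$(missing_opts "$1" "$2" "$3") || return 1
    printf '%s\n' "$1" | awk -v mp="$2" -v add="$add" \
        '$1 !~ /^#/ && $2 == mp { if (add != "") $4 = $4 "," add; print; exit }'
}

# Demo: the world-writable filesystems should carry all three options.
for mp in /tmp /dev/shm; do
    m=$(missing_opts "$SAMPLE_FSTAB" "$mp" nodev,nosuid,noexec)
    echo "$mp is missing: ${m:-nothing}"
    harden_entry "$SAMPLE_FSTAB" "$mp" nodev,nosuid,noexec
done
```

On a live system, compare the result against what is actually mounted (`findmnt -no OPTIONS /tmp`): an fstab line is only applied at the next mount, so after editing it run `mount -o remount /tmp` and check again.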
Encryption at rest
Should you encrypt? It depends on the type of information; you may only want to encrypt portions of the drive, for example the partition that holds the sensitive data.
What happens if…
• the server or hard drive gets stolen
• the drive space is reallocated to another VM in a hypervisor setting (the old blocks are readable by the new tenant unless they were encrypted or wiped)
Encryption in transit
Why encrypt data in transit? So your information cannot be read or altered by anyone sitting on the network path between the two hosts.
Recommendations:
• https over http
• sftp or scp over ftp
• snmpv3 over snmpv2 and snmpv1
SSH and user logins: defaults
• CentOS: login with the root account via ssh is allowed
• Ubuntu: disallowed by default (the root account is locked and has no password)
SSH and user login: recommendations
Disable root account login via ssh in /etc/ssh/sshd_config. The stock file carries the keyword only as a comment (#PermitRootLogin ...), which documents the compiled-in default and sets nothing; uncomment it and set
PermitRootLogin no
then reload sshd for the change to take effect.
P.S. make sure you have console access or another user with sudo privileges created before you reload, or you lock yourself out.
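Whether the setting above is actually in force is easy to get wrong: sshd takes the first value it reads for a keyword, a commented line sets nothing, and a value inside a Match block applies only to the matched connections. The following added example (not from the slides) reports the effective global PermitRootLogin value of an sshd_config under those rules; the config files it reads are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added example, not from the slides: report the effective PermitRootLogin
# value of an sshd_config. sshd uses, for each keyword, the first value it
# reads; a commented "#PermitRootLogin yes" only documents the compiled-in
# default and sets nothing; settings inside a Match block apply only to the
# matched connections, not globally. The config files below are constructed
# samples written to a temporary directory.

# effective_setting FILE KEYWORD -> prints the global value, or "default"
effective_setting() {
    val=$(awk -v key="$2" '
        { sub(/^[ \t]+/, "") }                     # drop indentation
        /^#/ || /^$/ { next }                      # comments and blank lines
        {
            split($0, f, /[ \t=]+/)                # "Keyword value" or "Keyword=value"
            if (tolower(f[1]) == "match") exit     # rest of file is Match-scoped
            if (tolower(f[1]) == tolower(key)) { print f[2]; exit }  # first value wins
        }' "$1")
    printf '%s\n' "${val:-default}"
}

# root_login_status FILE -> disabled | key-only | forced-commands-only | enabled | default | unknown
root_login_status() {
    case $(effective_setting "$1" PermitRootLogin) in
        no)                                 echo disabled ;;
        prohibit-password|without-password) echo key-only ;;
        forced-commands-only)               echo forced-commands-only ;;
        yes)                                echo enabled ;;
        default)                            echo default ;;  # "yes" before OpenSSH 7.0, "prohibit-password" since
        *)                                  echo unknown ;;
    esac
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
# stock file: keyword present only as a comment
printf '%s\n' '#PermitRootLogin yes' 'PasswordAuthentication yes' > "$tmp/stock.conf"
# hardened: indented, and a later "yes" that must be ignored
printf '%s\n' '  PermitRootLogin no' 'PermitRootLogin yes' > "$tmp/hardened.conf"
# "Keyword=value" form
printf '%s\n' 'PermitRootLogin=no' > "$tmp/equals.conf"
# "no" only inside a Match block: the global value is still the default
printf '%s\n' 'Match User backup' '    PermitRootLogin no' > "$tmp/match.conf"

for f in stock hardened equals match; do
    printf '%-10s %s\n' "$f" "$(root_login_status "$tmp/$f.conf")"
done
```

On the host itself the authoritative answer is `sshd -T | grep -i permitrootlogin`, which prints the daemon's effective configuration; run `sshd -t` before reloading to catch syntax errors that would otherwise leave you without a working sshd.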
SSH and user login
Install a third-party program such as DenyHosts, fail2ban or (D)DoS Deflate to monitor invalid logins and block the originating IP addresses.
Login information is stored in:
• CentOS: /var/log/secure
• Ubuntu: /var/log/auth.log
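What those tools do at their core is count failed logins per source address in the log files above and act on a threshold. The added example below (not from the slides) does that counting by hand over a constructed sample of auth.log lines in Ubuntu format; the addresses come from the TEST-NET range and the hostnames are invented.

```shell
#!/bin/sh
# Added example, not from the slides: the counting that DenyHosts and
# fail2ban do, done by hand over auth.log / secure lines. The log lines are
# a constructed sample in Ubuntu auth.log format; the addresses are from the
# TEST-NET range and the hostnames are invented.
SAMPLE_LOG='Mar  3 10:12:01 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:12:03 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:12:05 web1 sshd[2240]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:12:06 web1 sshd[2244]: Accepted publickey for carl from 192.168.220.25 port 40110 ssh2
Mar  3 10:12:09 web1 sshd[2251]: Failed password for carl from 192.168.220.25 port 40112 ssh2
Mar  3 10:12:11 web1 sshd[2255]: Invalid user oracle from 203.0.113.7
Mar  3 10:12:12 web1 sshd[2255]: Failed password for invalid user oracle from 203.0.113.7 port 51040 ssh2
Mar  3 10:12:14 web1 CRON[2260]: pam_unix(cron:session): session opened for user root by (uid=0)'

# failed_by_ip LOG_TEXT -> "count ip" per source address, most failures first.
# Only "Failed password" lines are counted; the "Invalid user" line that
# precedes one of them describes the same attempt and would double count.
failed_by_ip() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            # the address is the word after "from"; works for IPv4 and IPv6
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) print count[ip], ip }' | sort -rn
}

# offenders LOG_TEXT THRESHOLD -> addresses with at least THRESHOLD failures
offenders() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

echo "failed SSH logins per source:"
failed_by_ip "$SAMPLE_LOG"
echo "sources at or above 3 failures (candidates for a DROP rule):"
offenders "$SAMPLE_LOG" 3
```

This is a one-shot count with no time window; fail2ban adds the window (findtime), the ban duration (bantime) and the automatic unban, which is why it is preferable to a cron job that feeds this output into iptables.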
Passwords
What happens by default
• passwd only warns that a password is weak; when run by root, it still lets you set it
• Passwords are never set to expire
• Old passwords can be reused
Passwords: recommended
Enforce password aging, minimum length, reuse limits and complexity.
• CentOS: /etc/login.defs, /etc/pam.d/system-auth-ac
• Ubuntu (install the libpam-cracklib package): /etc/login.defs, /etc/pam.d/common-password
Passwords
/etc/login.defs controls maximum age, minimum age and the expiry warning:
PASS_MAX_DAYS 150
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
These values are applied to accounts created afterwards; use chage to change existing accounts.
/etc/pam.d/common-password (Ubuntu) and /etc/pam.d/system-auth-ac (CentOS) control password complexity, re-use and length:
password required pam_cracklib.so minlen=8 difok=3 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1
minlen=8 is the minimum length, difok=3 requires at least three characters that were not in the old password, and a negative credit is a minimum count for that character class: at least one lowercase letter (lcredit=-1), one uppercase letter (ucredit=-1), two digits (dcredit=-2) and one non-alphanumeric character (ocredit=-1). Re-use is limited separately with the remember=N option of pam_unix.so on the same stack.
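To see which of those rules a candidate password trips before rolling the policy out, the added example below (not from the slides) applies the same minimums in plain shell. It approximates pam_cracklib: it checks the class minimums, minlen and difok as described above, not the dictionary and similarity checks the module also performs, and it counts bytes, so it is exact for ASCII passwords only. The candidate passwords are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: a pre-check that applies the minimums
# the pam_cracklib line above expresses (minlen=8 difok=3 lcredit=-1
# ucredit=-1 dcredit=-2 ocredit=-1) so you can see which rule a candidate
# password would trip. It approximates pam_cracklib: class minimums, minimum
# length and difok are checked; the dictionary and similarity checks the
# module also performs are not. Counts are bytes, so it is exact for ASCII
# passwords only.
export LC_ALL=C                                   # byte ranges for tr
MINLEN=8; MIN_LOWER=1; MIN_UPPER=1; MIN_DIGIT=2; MIN_OTHER=1; DIFOK=3

# count_chars STRING -> length in bytes
count_chars() { printf '%s' "$1" | wc -c | tr -d ' '; }

# count_class STRING TR_SET -> how many bytes of STRING fall in TR_SET (tr syntax)
count_class() { printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '; }

# new_chars NEW OLD -> characters of NEW that do not occur anywhere in OLD (difok).
# Passed through the environment rather than awk -v so backslashes survive.
new_chars() {
    NEW=$1 OLD=$2 awk 'BEGIN {
        n = ENVIRON["NEW"]; o = ENVIRON["OLD"]; d = 0
        for (i = 1; i <= length(n); i++) if (index(o, substr(n, i, 1)) == 0) d++
        print d
    }'
}

# check_password NEW [OLD] -> "ok", or the space-separated names of the failed rules
check_password() {
    pw=$1; old=${2-}; fail=""
    len=$(count_chars "$pw")
    lower=$(count_class "$pw" 'a-z')
    upper=$(count_class "$pw" 'A-Z')
    digit=$(count_class "$pw" '0-9')
    other=$((len - lower - upper - digit))          # ocredit counts everything else
    [ "$len"   -ge "$MINLEN"    ] || fail="${fail:+$fail }minlen"
    [ "$lower" -ge "$MIN_LOWER" ] || fail="${fail:+$fail }lcredit"
    [ "$upper" -ge "$MIN_UPPER" ] || fail="${fail:+$fail }ucredit"
    [ "$digit" -ge "$MIN_DIGIT" ] || fail="${fail:+$fail }dcredit"
    [ "$other" -ge "$MIN_OTHER" ] || fail="${fail:+$fail }ocredit"
    if [ -n "$old" ]; then
        [ "$(new_chars "$pw" "$old")" -ge "$DIFOK" ] || fail="${fail:+$fail }difok"
    fi
    printf '%s\n' "${fail:-ok}"
}

# Demo with constructed candidates
for pw in 'password' 'Passw0rd!' 'Passw0rd1!' 'Tr0ub4dor&3'; do
    printf '%-12s %s\n' "$pw" "$(check_password "$pw")"
done
printf 'Passw0rd1! after Passw0rd2#: %s\n' "$(check_password 'Passw0rd1!' 'Passw0rd2#')"
```

Note that the rules only ever reject; they do not make "Passw0rd1!" a good password, which is why the module also runs a dictionary check and why the authoritative test is still `passwd` as a non-root user on a host with the policy installed.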
Why do we need to secure Linux?
The most commonly used passwords, by year:
2011 2012 2013 2014 2015
password password 123456 123456 ??
123456 123456 password password ??
12345678 12345678 12345678 12345 ??
qwerty abc123 qwerty 12345678 ??
abc123 qwerty abc123 qwerty ??
monkey monkey 123456789 123456789 ??
1234567 letmein 111111 1234 ??
letmein dragon 1234567 baseball ??
trustno1 111111 iloveyou dragon ??
Updates and Upgrades
Keeping your systems up to date: security updates and bug fixes.
What programs are used?
• CentOS: yum / rpm
• Ubuntu: apt-get, aptitude / dpkg
Updates and Upgrades: recommended
• A consistent maintenance plan
• A centralized package / patch management system (Spacewalk, Red Hat Satellite, Landscape, Foreman, Katello (Candlepin, Pulp))
• Automatic updates?
User Quotas
What is it? Limit the amount of storage a user or group can use.
Why is it necessary? Because people…
How is it implemented?
• Add the quota mount options to the filesystem's line in /etc/fstab:
LABEL=/home /home ext2 defaults,usrquota,grpquota 1 2
• mount -o remount /home
• quotacheck -cvug /home (creates the quota files aquota.user and aquota.group; ls -l /home/ shows them)
• edquota username (opens the user's limits in an editor)
• quotaon -a
The editor shows, for example:
Disk quotas for user username (uid 500):
  Filesystem   blocks  soft  hard  inodes  soft  hard
  /dev/sda3   1419352     0     0    1686     0     0
A soft or hard limit of 0 means no limit; set the block limits to what the user is allowed.
Firewalls
Control incoming and outgoing network traffic based on a set of rules; one of the last lines of defense for your server.
Both CentOS and Ubuntu come with iptables, a tool that allows very fine-grained control of network traffic through a set of rules. iptables controls the rules for IPv4; ip6tables deals with IPv6, so a rule added with iptables does nothing for IPv6 traffic and both tables need rules.
Firewalls: example configuration
iptables -I INPUT 3 -p tcp -i eth0 -s 192.168.220.25 --dport 22 -m state --state NEW,ESTABLISHED -m comment --comment "SSH access limited to carl's computer" -j ACCEPT
-I INPUT 3 inserts the rule at position 3 of the INPUT chain, so it is evaluated before whatever follows; rule order matters, and a broad ACCEPT or REJECT above it would make it ineffective. The rule accepts TCP port 22 on eth0 only from 192.168.220.25; for it to actually limit SSH, the chain's default policy or a later rule must drop port 22 traffic from everywhere else.
Alternative management front-ends: ufw, apf; firewalld (CentOS 7).
Logging
Logs are located in /var/log:
• /var/log/messages – global system messages: system startup information, mail, cron, daemon, kern, auth, etc. (CentOS; Ubuntu writes the equivalent to /var/log/syslog)
• /var/log/boot.log – system booting information
• /var/log/dmesg – kernel ring buffer: messages about hardware devices detected by the kernel during boot. The content can also be viewed with the dmesg command.
• /var/log/auth.log – user logins and the authentication mechanisms that were used (Ubuntu)
• /var/log/secure – user logins and the authentication mechanisms that were used (CentOS)
Logging: the audit log (/var/log/audit/audit.log)
Linux audit allows you to comprehensively log and track access to files, directories and resources of your system, as well as trace system calls. It enables you to monitor your system for application misbehaviour or code malfunctions.
Rule to log every attempt to read, write, execute or change the attributes of /etc/ssh/sshd_config, tagged with the key sshd_config:
auditctl -w /etc/ssh/sshd_config -p rwxa -k sshd_config
Rules added with auditctl are lost at reboot; put them in /etc/audit/audit.rules (or /etc/audit/rules.d/ on newer audit versions) to make them persistent.
If the auditd daemon is running, the following command creates a new event in the audit log file:
# cat /etc/ssh/sshd_config
Logging: the audit log, continued
ausearch – queries the audit daemon logs for events based on different search criteria:
ausearch -f /etc/ssh/sshd_config (searches on file name)
ausearch -k sshd_config (searches on the key created to represent the file)
aureport – produces summary reports of the audit system logs.
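When the records have been shipped off the host, or you want to know what ausearch -k sshd_config is actually matching, the raw records can be read directly. The added example below (not from the slides) summarises the SYSCALL records carrying a given key into "who, as which uid, with which program, and did it succeed". The records are a constructed sample in the format auditd writes, with invented event ids, pids and inode numbers; auid is the login uid, which survives su and sudo, and 4294967295 means it was never set (a daemon started at boot).

```shell
#!/bin/sh
# Added example, not from the slides: answer "who touched sshd_config?" from
# raw audit records when ausearch is not at hand (for example on a log
# collector). The records are a constructed sample in the format auditd
# writes; the event ids, pids and inode numbers are invented. Fields of
# interest: auid (the login uid, which survives su/sudo), uid (the effective
# uid at the time), comm (the program) and success.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1425400321.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="sshd_config"
type=CWD msg=audit(1425400321.243:24287):  cwd="/home/carl"
type=PATH msg=audit(1425400321.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1425400399.812:24301): arch=c000003e syscall=2 success=yes exit=3 a0=1e4c2a0 a1=241 a2=1a4 a3=0 items=2 ppid=3601 pid=3604 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vim" exe="/usr/bin/vim" key="sshd_config"
type=SYSCALL msg=audit(1425400410.005:24310): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1a2b3c40 a1=0 a2=0 a3=0 items=1 ppid=1 pid=3620 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="sshd_config"
type=SYSCALL msg=audit(1425400422.118:24315): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1a2b3c40 a1=0 a2=0 a3=0 items=1 ppid=2686 pid=3631 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="hosts_file"'

# audit_key_summary LOG_TEXT KEY -> one line per SYSCALL record tagged KEY:
#   "<event id> auid=<n> uid=<n> comm=<name> success=<yes|no>"
audit_key_summary() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == "type=SYSCALL" && index($0, "key=\"" key "\"") {
            id = $2                                   # msg=audit(<time>:<id>):
            sub(/^msg=audit\([0-9.]+:/, "", id); sub(/\):$/, "", id)
            split("", v)                              # reset per record
            for (i = 3; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "auid" || kv[1] == "uid" || kv[1] == "comm" || kv[1] == "success")
                    v[kv[1]] = kv[2]
            }
            gsub(/"/, "", v["comm"])
            print id, "auid=" v["auid"], "uid=" v["uid"], "comm=" v["comm"], "success=" v["success"]
        }'
}

# denied_count LOG_TEXT KEY -> number of failed accesses (success=no, e.g. EACCES on the 0600 file)
denied_count() {
    audit_key_summary "$1" "$2" | awk '/success=no/ { n++ } END { print n + 0 }'
}

audit_key_summary "$SAMPLE_AUDIT" sshd_config
echo "denied attempts: $(denied_count "$SAMPLE_AUDIT" sshd_config)"
```

In the sample, event 24301 is the one to look at: uid=0 with auid=500 means user 500 edited the file through su or sudo, which is exactly what the uid field alone would hide. On the host, `ausearch -k sshd_config -i` gives the same records with uids resolved to names.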
Advanced Configurations
• Disable / blacklist kernel modules you do not need (modprobe, /etc/modprobe.d/)
• Tune kernel parameters (sysctl)
• Limit system-wide resource usage (ulimit, /etc/security/limits.conf)
• Cron jobs (limit who may use cron with cron.allow and cron.deny)
• Control keys (disable the Ctrl-Alt-Delete reboot)
• ICMP (disable the responses you do not need)
• SELinux and AppArmor
Advanced Configurations, continued
• Password-protect GRUB
• Password-protect single-user mode
Without these, anyone with console access can edit the boot entry or boot into single-user mode and get a root shell.
Complete Security Packages
Are there any tools to help?
• http://www.ossec.net/
• http://bastille-linux.sourceforge.net/index.html
• https://cisofy.com/lynis/
• http://www.open-scap.org/page/Main_Page
References
General hardening
• https://wiki.centos.org/HowTos/OS_Protection
• http://hardenubuntu.com/
Disk encryption
• https://www.linux.com/community/blogs/133-general-linux/831121-how-to-full-encrypt-your-linux-system-with-lvm-on-luks
• https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html
References, continued
Password hardening
• https://en.wikipedia.org/wiki/Linux_PAM
• http://xmodulo.com/set-password-policy-linux.html
• http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html
Logs (audit logs)
• https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Understanding_Audit_Log_Files.html
• http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html