Limited Time Offer!

For Less Than the Cost of a Starbucks Coffee, Access All DevOpsSchool Videos on YouTube Unlimitedly.
Master DevOps, SRE, DevSecOps Skills!

Enroll Now

Complete Referance of Hardening in Linux Security

  • System Hardening Overview
  • Batille
  • Securing X-Windows
  • Securing Linux Daemons
  • Security patches
  • Security Benchmarks

System Hardening Overview

  • Linux, like other operatingsystems, is not secure “out of the box”
  • Security increases as newer versions and distros come out
  • Users/administrators still need to take steps to “harden” systems
  • Items typically requiring securing/hardening include:
  • X-Windows
  • System daemons
  • Networking services

Bastille

  • Scripts walk SA through several modules, automates changing a large number of configurable system items
  • Has modules for checking and configuring Internet services, suid(set-user-ID) files, account and boot security, and TCP wrappers
  • Bastille program is available from http://bastille-linux.sourceforge.net/
  • Bastille currently supports most distros of Linux and Unix including:
  • Red Hat, SuSe, Debian, Gentoo, Mandrake, and HP-UX

Securing X-Windows

  • X-windows is Graphical Interface for Linux
  • Comes with most distributions,but is ot part of them
  • Used to access systems both locally and remotely
  • X is a Protocol and set of utilities
  • Client-server design
  • Runs from the X server, and provides keyboard, mouse and video
  • Not configured securely by default
  • Signals can get intercepted btween x-server and client(either remote or local)
  • Several ways of securing X
  • xhost – controls authentication to x erver on a host basis
  • X server maintains lists of allowed hosts
  • xhost allows hosts to be added/deleted from list
  • Vulnerabilities: Host spoofing, sessions are per host, not per user
  • xauth – controls authentication through .Xauthority
  • .Xauthority file contains authentication ‘cookie’ that client must send to server
  • Best security mechanism is using X windows over ssh
  • Authentication can be controlled and audited through user credentials
  • communications traffic between x client and X erver is encrypted

Securing Linux Daemons

  • Daemons are same as Windows services
  • Programs that run in background to accomplish system tasks
  • Often run with a set of credentials and privilege levels
  • Securing Linux Daemons is to not install unnecessary ones!.
  • Best way to secure daemons is to not install unnessary ones!
  • Don’t use “Install Everything” option during installation
  • Install services according to machine role
  • Use ‘ps’ and ‘netstat’ commands to determine what services are running and network connections established by them
  • Many Daemons turned on/off in /etc/inetd.conf – edit this file to selectively disable services that are not needed
  • Recompiling kernel is another way to secure services
  • Generate learner kernel with only daemons you need supported
  • Eliminates risk of daemons being reconfigured or restarted

Security Patches

  • Even after initial hardening, Linux can still be insecure
  • New vulnerabilities discovered every day
  • Security patches issued to counter threats and fix vulnerabilities
  • Most current distros have automated patch utility
  • Connects to trusted centralized site and downloads latest patches
  • Usually provides patches for OS and popular software apps included in distro
  • Third party apps frequently need patches from different vendors
  • Usually manual download and installation process
  • Download patches only from trusted sites
  • Verify hashes provided with patches to ensure file integrity
  • Many utilities to download and install security patches
  • Up2date, YUM, and YaST are a few
  • Get familiar with your distro’s update utilities

Security Benchmarks

  • Several free and commercial tools exist to test/measure security on Linux
  • Benchmarks available for almost all distros
  • Usually automated tool that checks security of daemons, processes, accounts,permissions , etc.
  • Nessus is free valnerability scanner provided with most distros
  • Uses frequently updated database of vulnerabilities
  • Can be used for single or multiple machines
  • Uses client/server architecture

Rajesh Kumar
Follow me