Hardening Linux
By Gregg Rosenberg and Lee Leahu
Copyright © 2005 RICIS, Inc. and Uniforum
Presentation transcript (slide footer dated 3/7/2014), 76 slides

Slide 1: Hardening Linux
By Gregg Rosenberg and Lee Leahu

Slide 2: Contact Information
RICIS, Inc., Mallow Drive, Tinley Park, IL (street number, voice and fax numbers and e-mail addresses were not captured in the transcript)
Gregory D. Rosenberg
Lee Leahu

Slide 3: What You Will Learn
A review of basic security principles
An overview of Common Criteria security certifications
An introduction to hardening servers reasonably close to the CC EAL 4+ security assurance level

Slide 4: Achieving a State of Security
Identify the assets you want to protect
Identify the risks to those assets
Identify who accesses the assets and how
Establish checks and balances
Develop enforceable security policies
Use a layered approach
Plan for disasters
Get management's sign-off

Slide 5: Why Security Policies Fail
They impair user productivity
No or insufficient user education
No policies for handling the unexpected
No support from management
Security policies are not enforced
Lax monitoring and auditing practices
Users having too many privileges

Slide 6: The Real Threat
Non-malicious damage resulting from:
–Human error
–Denial of service
–Inappropriate disclosure
Policy breakdown:
–Key under the doormat
–Checks and balances bypassed
–Rogues on your network

Slide 7: The Basic Security Tenet
Deny all except that which is specifically permitted

Slide 8: Security Policy Lifecycle
1. Identify the assets you are protecting
2. Assess risk to those assets
3. Develop security policy
4. Implement and test the security policy
5. Educate your user population
6. Monitor and enforce security policy
7. Audit security policy, go back to step 1

Slide 9: Evaluation Criteria
TCSEC (aka Orange Book)
FIPS 140
Common Criteria
SSE-CMM

Slide 10: CC Evaluation Assurance Levels
EAL 1: Functionally tested
EAL 2: Structurally tested
EAL 3: Methodically tested and checked
EAL 4: Methodically designed, tested, reviewed
EAL 5: Semi-formally designed and tested
EAL 6: Semi-formally verified design and tested
EAL 7: Formally verified design and tested

Slide 11: Planning for Disasters
Securely install your operating system
Accurate time source
Know every file on your system
Validate system integrity
Centralize logging
Monitor and audit your system regularly
Documentation and procedures
Emergency response team
Backup, backup, backup (make sure you test your restore procedures periodically)

Slide 12: Linux Security Certifications
SUSE Linux Enterprise Server achieves:
–CC EAL 2 in August 2003 (SLES8)
–CC EAL 3+ in December 2003 (SLES8)
–CC EAL 4+ in December 2004 (SLES9)
–CC EAL 5 in March 2005 (SLES9)
Red Hat Linux is nearly a year behind SUSE LINUX, but catching up fast
IBM, HP, and others are helping both

Slide 13: Overview of Security Functions
Identification and authentication
Audit
Object reuse
Discretionary Access Control
Security management and system protection
Secure communication

Slide 14: Identification and Authentication
Pluggable Authentication Module (PAM)
OpenSSH
vsftpd
su
sudo

Slide 15: Linux Auditing Subsystem (LAUS)
The audit subsystem was implemented by the SUSE Security Team members Olaf Kirch and Thomas Biege
The audit subsystem is intended to be the central interface for collecting and viewing the record of security-relevant events
Events recorded include all authentication done through the PAM library, including the identity and location of the user and the success or failure result

Slide 16: Linux Auditing Subsystem (2)
Use of su to change identity. All actions done as part of a su session are marked in the audit record with the original user's login user ID
Adding, changing, or deleting users or groups
Changes and change attempts to the contents of security-critical files
Changes to the access permissions or ownership of any files or IPC objects
Binding network ports and accepting connections

Slide 17: Discretionary Access Control
Linux is a multi-user operating system. You can control which other users will be able to read or modify your files by setting the Unix permission bits and user/group IDs
You can achieve more precise control using POSIX-style access control lists (ACLs)
The administrators (root) are able to override these permissions and access all files on the system
Use of encryption is RECOMMENDED for additional protection of sensitive data

Slide 18: Object Reuse
The kernel automatically ensures that new objects (disk files, memory, IPC) do not contain any traces of previous contents

Slide 19: Installation Considerations
Ensure the hardware clock is accurately set to the current date, time, and time zone
Install the latest system BIOS and firmware
Ensure that all hardware interfaces or devices that are not required are disabled in BIOS
Password protect BIOS and boot menus
Consider using a remote management solution and losing the keyboard and mouse
Carefully consider disk controllers / spindles

Slide 20: Installation Considerations (2)
Carefully plan your partition layout before beginning your base operating system installation
Verify your installation source is authentic
Build and harden the system before plugging it into your network
You can also build from a package distribution server if you and it are on a trusted internal network
Do a less than minimum installation
Do not install a GUI

Slide 21: Example MD5 Checksums
SLES-9-i386-RC5-CD1.iso  cc419d86f3f5ff99395ca4de9d
SLES-9-i386-RC5-CD2.iso  86e97184aae42ba6013ea ffe5
SLES-9-i386-RC5-CD3.iso  f880b3ba92fc43add18259c9437f648d
SLES-9-i386-RC5-CD4.iso  bc7b88f34a8142bacbdd4d1fddd3fc50
SLES-9-i386-RC5-CD5.iso  7844c76fc9f39a2af9ef6751ec18af60
SLES-9-i386-RC5-CD6.iso  9e0fdd835e52f53906dff110515eb002
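Slides 20 and 21 say to verify the installation source against published checksums before building from it. The script below is an added example, not part of the presentation: it reads a checksum list in the "hash  filename" layout that md5sum produces, recomputes each image's digest and reports OK, MISMATCH or MISSING, so that a wrong or absent image is caught before installation rather than ignored. It assumes GNU coreutils; the image files and the checksum list it builds are constructed sample data, not the SLES media from the slide. MD5 is used only because that is what the slide lists; for a list published today you would swap in sha256sum, and nothing else in the script changes.

```shell
#!/bin/sh
# Added example (not from the slides): verify downloaded installation media
# against a published checksum list before using it.  Assumes GNU coreutils
# (md5sum, cut, mktemp).  The images and list built by build_sample_media
# are constructed sample data, not real SLES media.

# verify_media LIST DIR: for each "<md5>  <filename>" line in LIST, compute the
# MD5 of DIR/<filename> and print one OK / MISMATCH / MISSING line per image.
# Always returns 0; use count_media_failures for a pass/fail verdict.
verify_media() {
    list=$1
    dir=$2
    while read -r want name; do
        [ -n "$name" ] || continue                      # skip blank lines
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"
        elif [ "$(md5sum < "$dir/$name" | cut -d' ' -f1)" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"
        fi
    done < "$list"
    return 0
}

# count_media_failures LIST DIR: number of images that are missing or mismatched.
count_media_failures() {
    verify_media "$1" "$2" | grep -vc '^OK ' || true   # grep -c exits 1 on zero matches
}

# build_sample_media: create a directory holding two constructed image files and
# a checksum list with one correct entry, one deliberately wrong hash and one
# entry for a file that was never downloaded; prints the directory path.
build_sample_media() {
    d=$(mktemp -d)
    printf 'sample image one\n' > "$d/SAMPLE-CD1.iso"
    printf 'sample image two\n' > "$d/SAMPLE-CD2.iso"
    {
        printf '%s  SAMPLE-CD1.iso\n' "$(md5sum < "$d/SAMPLE-CD1.iso" | cut -d' ' -f1)"
        printf '%s  SAMPLE-CD2.iso\n' 00000000000000000000000000000000   # wrong on purpose
        printf '%s  SAMPLE-CD3.iso\n' ffffffffffffffffffffffffffffffff   # never downloaded
    } > "$d/MD5SUMS"
    echo "$d"
}

# Stand-alone run: verify the sample media and clean up.
media=$(build_sample_media)
verify_media "$media/MD5SUMS" "$media"
rm -rf "$media"
```

On a real build host the list would be the vendor's published checksum file and DIR the download directory; any line other than OK means the image must not be used.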

Slide 22: Partition Layout
/boot      128 MB
swap       1 GB => 1 to 1.5 times the amount of physical memory or more
/          size as required (e.g. 12 GB)
/tmp       512 MB, size as required
/home      512 MB, size as required
/var       size as required (e.g. 4 GB)
/var/log   size as required (e.g. 20 GB)

Slide 23: Partition Layout (2)
Although it violates the rules:
/usr       size as required (e.g. 4 GB)
/opt       size as required (e.g. 2 GB)
Set the file system type to ext3, although xfs is considered more secure by many.
In the fstab options, enable Access Control Lists; optionally enable no access times, mount read-only, and extended user attributes as required.

Slide 24: Trusted, Tolerated, and Unknown Software
Trusted software has been evaluated and can be well trusted
Tolerated software has been evaluated, but should be carefully considered before use
Unknown software is any other software you intend to install on the system that has not been formally evaluated

Slide 25: Additional Required Packages
laus - The Linux Audit System
laus-64bit - ONLY for ppc64 (pSeries, iSeries) systems
pam-laus - Audit-enabled version of the PAM libraries
The above packages should be installed after you finish the base minimum install.
star - Data archival tool with ACL support

Slide 26: Recommended Packages
texinfo - Info documentation viewer
man-pages - Manual pages
howtoenh - how-to documentation (HTML format)
sles-admin_en - Administrator Manual

Slide 27: Optional Packages
lprng - Print spooler
cups - May be a better choice, but it is not on the trusted or tolerated list
xinetd - XInetd (only used for vsftpd)
vsftpd - FTP daemon (needs xinetd)
stunnel - set up encrypted SSL tunnels
There are additional packages on the trusted or tolerated list that can be installed

Slide 28: Hardware
Any storage devices and backup devices supported by the operating system, but not USB storage devices
All Ethernet and Token Ring network adapters supported by the operating system
You can use a USB keyboard and mouse, as long as they are installed before booting the system
Any printers supported by the operating system
Operator console consisting of a keyboard, video monitor, and optionally mouse, as well as a serially attached terminal, but not modems, ISDN cards, or other remote access terminals

Slide 29: Installation
Disconnect network cables
Verify authenticity of installation source
Boot from Service Pack 2 CD #1
Launch installer (you may use text mode or a serial console)
Accept EULA
Select English language

Slide 30: Installation (2)
On the Installation Settings screen:
Select New Installation for mode
Select appropriate keyboard
Customize partitioning
Select minimum software installation and add / remove additional packages discussed in the prior slides
Keep default boot options (no other OS allowed)

Slide 31: Installation (3)
Keep hardware clock on UTC and select your local time zone
Choose Accept to start installation
The installer will reboot
Secure boot settings in BIOS to HDD only
Configure network interface with static IP, host name, default gateway, no DHCP
Do not enable LDAP, use local only

Slide 32: Secure Initial System Config
Enable the SUSE Firewall 2 and only permit ssh. Later you can open other ports that are required.
Set up /etc/hosts.allow to restrict access further.
Lock down removable media (CD/DVD) devices: -t ISO9660 -o ro,nodev,nosuid,noauto
Disable usbfs
Disable all unneeded services
Remove or rename links to their startup and shutdown scripts in /etc/init.d

Slide 33: Secure Initial System Config (2)
If not using NIS, remove NIS from the automount line in /etc/nsswitch.conf.
It is a good idea to set up an ntp client to draw time from a reliable and accurate local time source.
You can use the ntpq -c peer command to verify that time synchronization is working correctly.

Slide 34: Secure Initial System Config (3)
Install the optional CC EAL 4+ Security Update:
rpm -Uvh /root/rpm/certification-sles-ibm-eal4*.noarch.rpm
Please check the file /usr/share/doc/packages/certification-sles-ibm-eal4/README-eal4.txt from the certification-sles-ibm-eal4.rpm for the latest errata information.

Slide 35: Disable Services
Disable the following services using the run level editor:
–nfs
–nfsboot
–powersaved
–ACPI modules
–slpd
–xdm (although it is not installed)
–fbset

Slide 36: Disable Services (2)
The system runlevel as specified in the initdefault entry in /etc/inittab MUST BE 3
The following services are REQUIRED for runlevel 3: atd, audit, coldplug, cron, hwscan, network, random, syslog, rpmconfigcheck
The following services are OPTIONAL for runlevel 3: hotplug, kbd, lpd, postfix, sshd, xinetd
–Disable usbfs

Slide 37: Restricted Execution Environment
Set up a chroot directory structure
Enable chroot support for those services that can be chrooted
Some services can be installed into your chrooted environment

Slide 38: Remove SUID/SGID
Remove SUID / SGID root settings from binaries:
find / \( ! -fstype ext3 -prune -false \) -o -type f \( -perm -04000 -o -perm -02000 \) -exec chmod u-s,g-s {} \; -print
Make sure that /etc/sysconfig/security has the following two variables set:
–CHECK_PERMISSIONS=set
–PERMISSION_SECURITY="eal4"
Then run chkstat -set /etc/permissions.eal4 to set the needed SUID and SGID bits.

Slide 39: Set User ID (SUID)
Only the following may have SUID bits set:
/bin/ping
/bin/su
/usr/bin/at
/usr/bin/chage
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/gpasswd
/usr/bin/lpq
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/lpstat
/usr/bin/passwd

Slide 40: Set Group ID (SGID)
The SGID bit MUST NOT be used to give group root privileges to any binary.
/usr/sbin/postdrop - group "maildrop"
/usr/sbin/postqueue - group "maildrop"
/usr/sbin/utempter - group "tty"
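Slides 38 to 40 strip the set-id bits, restore only the permitted ones, and then list exactly which files may carry SUID root or SGID. The script below is an added example, not code from the presentation: it runs the same kind of find that slides 38, 59 and 67 use, compares every set-id file found with the two allowlists copied from slides 39 and 40, and prints only the files that should not be there, which is the check an auditor wants to run after chkstat and again at every review. It assumes GNU find; the tree it audits is a constructed sample in a temporary directory (on a real host the root would be / and the command would run as root), and the file names rogue and helper are made up to stand for unexpected set-id binaries.

```shell
#!/bin/sh
# Added example (not from the slides): find set-id files and report any that
# are not on the SUID/SGID allowlists of slides 39-40.  Assumes GNU find.
# build_sample_tree creates a constructed sample tree, not a real filesystem.

# Files permitted to be SUID root (slide 39).
SUID_ALLOW="/bin/ping /bin/su /usr/bin/at /usr/bin/chage /usr/bin/chfn
/usr/bin/chsh /usr/bin/crontab /usr/bin/gpasswd /usr/bin/lpq /usr/bin/lpr
/usr/bin/lprm /usr/bin/lpstat /usr/bin/passwd"
# Files permitted to be SGID, none of them group root (slide 40).
SGID_ALLOW="/usr/sbin/postdrop /usr/sbin/postqueue /usr/sbin/utempter"

# in_list WORD LIST: succeed if WORD is one of the whitespace-separated items.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# audit_setid ROOT: print "UNEXPECTED-SUID <path>" or "UNEXPECTED-SGID <path>"
# for every set-id regular file under ROOT (path shown relative to ROOT) that
# is not allowlisted.  -xdev stays on one filesystem, like the -fstype prune
# on slide 38.  Always returns 0 so it is safe under set -e.
audit_setid() {
    root=$1
    find "$root" -xdev -type f -perm -4000 -print | while read -r path; do
        in_list "${path#"$root"}" "$SUID_ALLOW" || echo "UNEXPECTED-SUID ${path#"$root"}"
    done
    find "$root" -xdev -type f -perm -2000 -print | while read -r path; do
        in_list "${path#"$root"}" "$SGID_ALLOW" || echo "UNEXPECTED-SGID ${path#"$root"}"
    done
    return 0
}

# count_setid_violations ROOT: number of unexpected set-id files under ROOT.
count_setid_violations() {
    audit_setid "$1" | wc -l | tr -d ' '
}

# build_sample_tree: constructed tree with two permitted and two unexpected
# set-id files plus one ordinary binary; prints its path.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/usr/bin" "$d/usr/sbin"
    for f in bin/su usr/bin/rogue usr/sbin/postdrop usr/bin/helper bin/ls; do
        : > "$d/$f"
    done
    chmod 4755 "$d/bin/su" "$d/usr/bin/rogue"             # SUID: su allowed, rogue not
    chmod 2755 "$d/usr/sbin/postdrop" "$d/usr/bin/helper" # SGID: postdrop allowed, helper not
    chmod 755 "$d/bin/ls"                                 # plain binary, never reported
    echo "$d"
}

# Stand-alone run: audit the sample tree, then remove it.
sample=$(build_sample_tree)
audit_setid "$sample"
rm -rf "$sample"
```

Run against a real system, an empty report means the set-id population still matches the evaluated configuration; any UNEXPECTED line is either a package that was added outside the trusted list or a permission change that the review on slide 64 is meant to catch.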

Slide 41: Disable root Login Over Network
Login from the network with user ID 0 (root) MUST NOT be permitted. Administrators MUST use an ordinary user ID to log in, and then use the /bin/su - command to switch identities.
The restriction on direct root logins is enforced through two separate mechanisms:
For network logins using ssh, the PermitRootLogin no entry in /etc/ssh/sshd_config MUST be set.
Local logins use the pam_securetty.so PAM module in the /etc/pam.d/login file, which verifies that the terminal character device used is listed in the file /etc/securetty.

Slide 42: Reminder Alias for su
It is RECOMMENDED that you remind administrators of this by adding the following alias to the bash configuration file /etc/bash.bashrc.local, which disables the pathless su command:
alias su="echo \"Always use /bin/su - (see Configuration Guide)\""
This alias can be disabled for the root user in /root/.bashrc:
unalias su

Slide 43: Update permissions for su
The su binary MUST be restricted to members of the trusted group. This will be enforced both with PAM configuration (configured later) and the binary's permissions:
–chgrp trusted /bin/su
–chmod 4750 /bin/su
You MUST have at least one user account other than root configured to be a member of the trusted group, otherwise system administration will ONLY be possible from the system console.

Slide 44: Setting up ssh
SSH protocol version 1 MUST be disabled.
The ssh client MUST NOT be set up SUID root.
The SSH server MUST be configured to reject attempts to log in as root.
The permitted authentication mechanisms are per-user (non-empty) passwords and per-user RSA/DSA public key authentication. All other authentication methods MUST be disabled.
The setting PAMAuthenticationViaKbdInt MUST be disabled, since it would otherwise circumvent the disabled root logins over the network.

Slide 45: /etc/ssh/sshd_config
# Cryptographic settings. Disallow obsolete insecure protocol version 1, and hardcode a strong cipher.
Protocol 2
Ciphers aes256-cbc
# Configure password-based login. This MUST use the PAM library
# exclusively, and turn off the builtin password authentication code.
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
# No other authentication methods allowed
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PubkeyAuthentication yes
RSAAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
# Other settings, MAY change "X11Forwarding" to "yes"
X11Forwarding no
Subsystem sftp /usr/lib/ssh/sftp-server
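Slides 44 and 45 state the sshd settings the evaluated configuration requires and the file that carries them. The checker below is an added example, not part of the presentation: it reads an sshd_config the way sshd does (comment lines ignored, keywords case-insensitive, the first occurrence of a keyword wins) and reports every required setting that is missing or carries the wrong value, which is how you confirm a host still matches slide 45 after an update or a hand edit. It assumes awk and mktemp; the two configuration files it writes are constructed samples, one following slide 45 with the PAMAuthenticationViaKbdInt line slide 44 calls for, the other resembling a stock install, and neither is a copy of any real host's file.

```shell
#!/bin/sh
# Added example (not from the slides): check an sshd_config against the
# settings slides 44-45 require.  Assumes awk and mktemp.  The two config
# files written below are constructed samples.

# Required keyword=value pairs, keywords lowercased (sshd keywords are
# case-insensitive).  Taken from slide 45 plus the kbd-int rule on slide 44.
SSHD_REQUIRED="protocol=2 permitrootlogin=no passwordauthentication=no
permitemptypasswords=no usepam=yes pubkeyauthentication=yes
hostbasedauthentication=no x11forwarding=no pamauthenticationviakbdint=no"

# sshd_option FILE KEY: print the effective value of KEY (lowercase).  sshd
# uses the first occurrence of a keyword and ignores comments, so this does too.
sshd_option() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }      # comments and blank lines
        tolower($1) == key { print $2; exit }    # first value wins
    ' "$1"
}

# check_sshd_config FILE: print one FAIL line per required setting that is
# unset or wrong, then a summary line.  Always returns 0.
check_sshd_config() {
    fails=0
    for pair in $SSHD_REQUIRED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_option "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want '$want', got '${got:-unset}'"
            fails=$((fails + 1))
        fi
    done
    echo "$fails failing setting(s) in $1"
    return 0
}

# count_sshd_failures FILE: just the number of failing settings.
count_sshd_failures() {
    check_sshd_config "$1" | grep -c '^FAIL ' || true   # grep -c exits 1 on zero matches
}

# write_hardened_config: constructed file following slide 45; prints its path.
write_hardened_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Cryptographic settings
Protocol 2
Ciphers aes256-cbc
# Password login goes through PAM only
UsePAM yes
ChallengeResponseAuthentication yes
PAMAuthenticationViaKbdInt no
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
IgnoreRhosts yes
HostbasedAuthentication no
PubkeyAuthentication yes
X11Forwarding no
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
    echo "$f"
}

# write_weak_config: constructed file resembling a stock install; prints its path.
write_weak_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Protocol 2,1
PermitRootLogin yes
UsePAM yes
PubkeyAuthentication yes
X11Forwarding yes
EOF
    echo "$f"
}

# Stand-alone run: check both samples, then remove them.
for cfg in "$(write_hardened_config)" "$(write_weak_config)"; do
    check_sshd_config "$cfg"
    rm -f "$cfg"
done
```

A setting that is simply absent counts as a failure on purpose: sshd would fall back to its compiled-in default, and the evaluated configuration wants each of these values stated explicitly in the file rather than inherited from whatever version of OpenSSH happens to be installed.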

Slide 46: Setting up the Audit Subsystem
Setting up the audit configuration files
For all platforms, it is RECOMMENDED to use the following settings in the /etc/sysconfig/audit file:
AUDIT_ALLOW_SUSPEND=1
AUDIT_ATTACH_ALL=0
AUDIT_MAX_MESSAGES=1024
AUDIT_PARANOIA=0
The laus package by default installs these files with the RECOMMENDED contents:
/etc/audit/audit.conf
/etc/audit/filter.conf
/etc/audit/filesets.conf
Make auditd start at boot: insserv audit

Slide 47: Ensure PAM is Audit Enabled
grep laus_open $(ldd /bin/login | awk '/libpam.so/ { print $3 }')
Binary file /lib/libpam.so.0 matches
If the grep command produces no output, you MUST reinstall the pam-laus package from CD #2:
# cd to the directory containing the RPM file,
# then reinstall the package:
rpm --oldpackage --force --nodeps -Uhv pam-laus i586.rpm

Slide 48: Configure PAM
The "other" fallback MUST be disabled by specifying the pam_deny.so module for each module type in the other configuration.
Add the pam_wheel.so module to the auth configuration for the su service.
You MUST add the pam_tally.so module to the auth and account module-type configurations of login, sshd, and vsftpd (not good for remotely managed machines).
You MUST use the pam_passwdqc.so password quality checking module with the md5 and use_cracklib options.

Slide 49: Configuring PAM (2)
The remember=XX option must be added to the /etc/security/pam_pwcheck.conf file to force users to create new passwords and not re-use old ones.
In general, you MAY add PAM modules that add additional restrictions. You MUST NOT weaken the restrictions.

Slide 50: Setup Login Controls
Disable login if we can't cd to the home directory
Set a 3 second delay before another attempt is allowed after a login failure
Disable logging and display of /var/log/faillog login failure info
Enable logging and display of /var/log/lastlog login time info
Disable display of unknown usernames when login failures are recorded

Slide 51: Setup Login Controls (2)
Set max number of login retries to <= 3 if password is bad
Set max time to <= 60 seconds for login
Require password before chfn/chsh can make any changes
Restrict the fields that regular users may change with chfn to rwh

Slide 52: Setup Login Controls (3)
The default umask for logged-in users is set in the /etc/profile file, not here.
Set UMASK to 077, which is used by useradd and newusers for creating new home directories.
Password aging controls (used by useradd):
–PASS_MAX_DAYS 60
–PASS_MIN_DAYS 1
–PASS_WARN_AGE 7
–PASS_MIN_LEN 8

Slide 53: Configure the Boot Loader
Ensure the system boots exclusively from the disk partition containing Linux
Make sure you use a BIOS password to protect access to this configuration
Use the password command in /boot/grub/menu.lst to prevent unauthorized use of the boot loader interface
Use md5-encoded passwords; run the command grub-md5-crypt to generate the encoded version of a password

Slide 54: Configure the Boot Loader (2)
Protect all menu entries other than the default SLES boot with the lock option
Add a line containing just the keyword lock after the title entry in the /boot/grub/menu.lst file
Remove group and world read permissions from the grub configuration file if it contains a password: chmod 600 /boot/grub/menu.lst
All changes to the configuration take effect automatically on the next boot

Slide 55: Adding Additional Software
Kernel modules other than those provided as part of the evaluated configuration MUST NOT be installed or loaded.
You MUST NOT load the tux kernel module (the in-kernel web server is not supported).
You MUST NOT add support for non-ELF binary formats or foreign binary format emulation that circumvents system call auditing.
You MUST NOT activate knfsd or export NFS file systems.

Slide 56: Adding Additional Software (2)
Device special nodes MUST NOT be added to the system.
SUID root or SGID root programs MUST NOT be added to the system. Programs which use the SUID or SGID bits to run with identities other than root MAY be added.
The content, permissions, and ownership of all existing file-system objects (including directories and device nodes) that are part of the evaluated configuration MUST NOT be modified.

Slide 57: Adding Additional Software (4)
Programs automatically launched with root privileges MUST NOT be added to the system. Processes that immediately and permanently switch to a non-privileged identity on launch are permitted.
Automatic launch mechanisms are:
–Entries in /etc/inittab
–Executable files or links in /etc/init.d/ and its subdirectories

Slide 58: Document your system
Rebooted server to implement new SMP kernel.
# uname -a
Linux avflyer-asp smp #1 SMP Thu Aug 25 06:20:45 UTC 2005 i686 i686 i386 GNU/Linux
List services now running on the system.
# chkconfig | grep -v "off" | more
List directories with the sticky bit set.
# find / -type d -perm -1000 -ls

Slide 59: Document Your System (2)
List files with the Set User ID (SUID) bit set:
find / -type f -perm -4000 -ls
List files with the Set Group ID (SGID) bit set:
find / -type f -perm -2000 -ls
List files that are world writable:
find / -type f -perm -002 -ls
List all installed packages:
rpm -qa --qf '%-25{NAME}\t%-20{VERSION}\t%-8{RELEASE}\t%{Summary}\n' | sort > /root/rpmpackagelist

Slide 60: Security Monitoring & Management
Set up tripwire to monitor system file integrity and to audit changes
Set up and implement log file rotation policies
Set up a central syslog server (syslog-ng)
Use a log analyzer, such as logcheck
Set up a monitoring system like Nagios or Argus on your network

Slide 61: Sec Monitoring & Management (2)
Created /var/log/btmp to log bad login attempts:
# touch /var/log/btmp
# lastb
btmp begins Sun Sep 11 13:58:

Slide 62: Log and Status Files
In addition to the syslog messages, various other log files and status files are generated in /var/log by other programs:
File - Source
YaST2 - Directory for YaST2 log files
audit.d - Directory for LAuS logs
boot.msg - Messages from system startup
lastlog - Last successful log in (see lastlog(8))
vsftpd.log - Transaction log of the VSFTP daemon

Slide 63: Log and Status Files (2)
localmessages - Written by syslog
mail - Written by syslog, contains messages from the MTA (postfix)
messages - Written by syslog, contains messages from su and ssh
news - syslog news entries
warn - Written by syslog
wtmp - Written by the PAM subsystem
btmp - Written by the PAM subsystem
xinetd.log - Written by xinetd, logging all connections

Slide 64: Auditing Your System
It is RECOMMENDED that you review the system's configuration at regular intervals to verify that it still agrees with the evaluated configuration. This primarily concerns those processes that may run with root privileges.
The permissions of the device files /dev/* MUST NOT be modified.
In particular, review settings in the following files and directories to ensure that the contents and permissions have not been modified:

Slide 65: System Files to Review
/etc/at.allow
/etc/at.deny
/etc/audit/*
/etc/cron.d/*
/etc/cron.daily/*
/etc/cron.hourly/*
/etc/cron.monthly/*
/etc/cron.weekly/*
/etc/crontab
/etc/ftpusers
/etc/group
/etc/gshadow
/etc/hosts
/etc/init.d/*
/etc/inittab
/etc/ld.so.conf
/etc/login.defs
/etc/modules.conf
/etc/pam.d/*
/etc/passwd
/etc/securetty
/etc/security/opasswd

Slide 66: System Files to Review (2)
/etc/security/pam_pwcheck.conf
/etc/security/pam_unix2.conf
/etc/shadow
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/stunnel/*
/etc/sysconfig/*
/etc/vsftpd.conf
/etc/xinetd.conf
/usr/lib/cracklib_dict.*
/var/log/audit.d/*
/var/log/faillog
/var/log/lastlog
/var/spool/atjobs/*
/var/spool/cron/*
/var/spool/cron/allow
/var/spool/cron/deny
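Slides 64 to 66 ask for a regular review confirming that the contents and permissions of the listed files have not changed, and slide 60 recommends tripwire for the same purpose. The script below is an added example, not code from the presentation or from tripwire: it records a baseline of mode, owner, group and SHA-256 digest for every file under a directory, and later compares a fresh snapshot against that baseline, reporting ADDED, REMOVED and CHANGED paths, which is the minimal form of the integrity check the slides describe. It assumes GNU find, coreutils (sha256sum, comm, cut) and awk, and that paths contain no spaces; the tree it snapshots is a constructed sample, so the file names under it stand for the real /etc entries from slides 65 and 66 rather than being them. The drift it simulates (an edited config, a loosened mode, an added file, a removed file) is also constructed.

```shell
#!/bin/sh
# Added example (not from the slides): baseline the files the review on
# slides 64-66 covers, then detect drift.  Assumes GNU find/coreutils/awk
# and paths without spaces.  build_sample_etc makes a constructed tree.

# snapshot ROOT OUT: write "mode uid gid sha256 path" for every regular file
# under ROOT (path relative to ROOT), sorted, into OUT.
snapshot() {
    root=$1
    find "$root" -type f -printf '%m %U %G %p\n' | sort | while read -r mode uid gid path; do
        echo "$mode $uid $gid $(sha256sum < "$path" | cut -d' ' -f1) ${path#"$root"}"
    done > "$2"
}

# compare_snapshots BASELINE CURRENT: print one ADDED / REMOVED / CHANGED line
# per path whose presence or whose mode/owner/digest differs.  Always returns 0.
compare_snapshots() {
    cut -d' ' -f5- "$1" | sort > "$1.paths"
    cut -d' ' -f5- "$2" | sort > "$2.paths"
    comm -13 "$1.paths" "$2.paths" | sed 's/^/ADDED   /'      # only in CURRENT
    comm -23 "$1.paths" "$2.paths" | sed 's/^/REMOVED /'      # only in BASELINE
    comm -12 "$1.paths" "$2.paths" | while read -r p; do      # in both: compare attributes
        before=$(awk -v p="$p" '$5 == p { print $1, $2, $3, $4 }' "$1")
        after=$(awk -v p="$p" '$5 == p { print $1, $2, $3, $4 }' "$2")
        [ "$before" = "$after" ] || echo "CHANGED $p"
    done
    rm -f "$1.paths" "$2.paths"
    return 0
}

# count_drift BASELINE CURRENT: number of differing paths.
count_drift() {
    compare_snapshots "$1" "$2" | wc -l | tr -d ' '
}

# build_sample_etc: constructed stand-in for a few of the reviewed files;
# prints the tree's path.
build_sample_etc() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/pam.d"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/etc/passwd"
    printf 'PermitRootLogin no\n' > "$d/etc/sshd_config"
    printf 'auth required pam_deny.so\n' > "$d/etc/pam.d/other"
    echo "$d"
}

# simulate_drift ROOT: the kinds of change the review is meant to catch
# (constructed): edited content, loosened mode, an added and a removed file.
simulate_drift() {
    printf 'PermitRootLogin yes\n' > "$1/etc/sshd_config"   # content changed
    chmod 666 "$1/etc/passwd"                                 # mode changed
    printf 'ALL: ALL\n' > "$1/etc/hosts.allow"                # file added
    rm -f "$1/etc/pam.d/other"                                # file removed
}

# Stand-alone run: baseline, drift, re-snapshot, report, clean up.
tree=$(build_sample_etc)
snapshot "$tree" "$tree.baseline"
simulate_drift "$tree"
snapshot "$tree" "$tree.current"
compare_snapshots "$tree.baseline" "$tree.current"
rm -rf "$tree" "$tree.baseline" "$tree.current"
```

The baseline file is only as trustworthy as where it is kept: store it off the host (or on read-only media) and take it immediately after the hardened build, before the machine is connected to the network, otherwise a change made before the first snapshot is silently accepted as normal.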

Slide 67: Auditing Your System (2)
Use the commands lastlog and lastb to detect unusual patterns of logins.
Also verify the output of the following commands (run as root):
# atq
# crontab -l
# find / \( -perm -4000 -o -perm -2000 \) -ls
# find / \( -type f -o -type d -o -type b \) -perm -002 -ls
# find /bin /boot /etc /lib /sbin /usr ! -type l \( ! -uid 0 -o -perm +022 \)

Slide 68: Auditing Your System (3)
Use the aucat(8) and augrep(8) tools to retrieve information from the audit logs. The information available for retrieval depends on the active filter configuration.
# view the last 100 audit records
aucat | tail -100
# view all successful PAM authentications
augrep -e TEXT -U AUTH_success
# all actions recorded for a specified login UID (this includes
# actions done by this user with a different effective UID,
# for example, via SUID programs or as part of a "su" session)
augrep -l kw
# file removals
augrep -e SYSCALL -S unlink

Slide 69: Secure Communication
SSH V2
Stunnel with OpenSSL
X11 forwarding through an SSH tunnel
Secure FTP
Externally signed SSL certificate

Slide 70: System maintenance
Download, verify, and carefully review each patch before you install it. If possible, test patches in a non-production environment.
Keep a manual logbook, as well as a README file in the /root home directory, with any updates or changes you make to the system.

Slide 71: Considerations for Servers
Customize firewall (iptables)
Port restrictions
Ensure the current directory is not in anyone's (root or a regular user) path
Configure standard system cron jobs, like deletion of old files in /tmp or update of the man databases. The settings are read by the shell scripts /etc/cron.daily/*.
Configure some system variables for the boot process:
IP_DYNIP=no # The system only has a static address
IP_TCP_SYNCOOKIES=yes # Syn flood protection
IP_FORWARD=no # Set to yes if the system acts as a router
ENABLE_SYSRQ=no # System request key MUST be disabled

Slide 72: Considerations for DNS Servers
Enable bind chroot support
Apply port restrictions in firewall
Customize logging as desired
Authoritative DNS servers should not be used as resolving or caching DNS servers
Disable recursive queries on authoritative servers
Enable numerous security settings in /etc/named.conf to suit your environment

Slide 73: Considerations for Servers
Chroot postfix (manual process)
Ensure unauthorized parties can't relay
Establish port restrictions and access control with iptables
Configure smtp restrictions in postfix
Use ldap or an access file to restrict inbound mail to valid users
Anti-virus / anti-spam

Slide 74: Useful Resources
Practical Unix & Internet Security, 3rd Edition, by Simson Garfinkel, Gene Spafford, Alan Schwartz. Publisher: O'Reilly; 3rd edition (February 21, 2003). ISBN:
Hardening Linux, by John H. Terpstra, Paul Love, Ronald P. Reck. Publisher: McGraw-Hill Osborne. ISBN:
There are way too many books to list even a fraction of the good ones I keep handy on my shelf here.

Slide 75: Useful Resources (2)
If there are conflicting recommendations in this guide and in one of the sources listed here, the Configuration Guide has precedence concerning the evaluated configuration.
SuSE Linux Enterprise Server Installation Guide:
–/usr/share/doc/packages/sles-inst-x86+x86-64_en/
–/usr/share/doc/packages/sles-inst-ipseries_en/
–/usr/share/doc/packages/sles-inst-zseries_en/
SuSE Linux Enterprise Server Administrator Guide:
–/usr/share/doc/packages/sles-admin-x86+x86-64_en/
–/usr/share/doc/packages/sles-admin-ipseries_en/
–/usr/share/doc/packages/sles-admin-zseries_en/

Slide 76: Questions

