Published by Roberta Wilkinson. Modified over 9 years ago.
1
Linux Security Baseline Implementation Efforts at the INL
Jason Miller
NLIT 2009
2
Linux Minimum Security Configurations
Informational
– Some Numbers
– Project Specific Stuff
– General Information
Technical
– In-depth how it works
– Some Gotchas
– If I could do it over…
3
INL’s IT By The Numbers
12,000 IT Devices owned by INL
9,000 Devices on the Network
5,500 Desktop & Laptop Computers
Windows Shop (85% Windows, 9% Macs, 6% Linux)
4
Linux Install Base
SuSE 80%
Ubuntu 12%
RHE 7%
Gentoo 1%
5
45% of all internet servers POSIX based – www.netcraft.com
Hard drive Storage Capacities
Information Security Is Paramount
6
Why Do We Have Linux Users?
High Performance Computing
GPL/GNU
Available software (Open Source)
More Control of their own PCs
Want to be cool!
7
Who’s Responsible For What?
Managed Devices
– Patches, Vulnerability Scans, Upgrades…
Self-Managed Devices
– Require more in-depth support
– Might be Rev-locked
Collaboration… little of both
– Linux users that have no time to manage their PCs
8
Linux Minimum Security Configuration Project Goals
Primary Goals
– Verify Compliance level
– Apply necessary changes
– Report to some kind of database
While keeping in mind:
– Modular (upgradable, easily expandable)
– Platform Diversity
– User Friendly
9
End User Responses
As we expected they were wary…
– Will I lose root privileges?
– Will this slow my PC down?
– If I do this, will you people promise to leave me alone forever…
MSCs were demonstrated and our users responded
– Provided multiple implementation suggestions
– Received Kudos
10
Linux Minimum Security Configuration Project Build Time
MSC Installer & Individual MSC scripts
– 360 Hours, One individual
Reporting Database
– 15 Hours, One individual
Additional hours:
– MSC Installer add-ons to suit our customer’s needs
– Chronological adjustments (crontab)
– Diverse Platforms require modifications to code
12
Linux Minimum Security Configuration Installer
Simple BASH scripting
Easy to understand
User can opt-out
13
Linux Minimum Security Configuration Installer – For the Technicians
Quick Installer
Allows for on the fly modifications
14
Reporting
An IT perspective
– PCs report daily
– Compliance history
15
User Friendly
It’s more than just a benchmark
– Keeps the PC compliant
– Several runtime methods to choose from
– Non-intrusive, helpful information pop-ups
Enforce Mode
Verify Mode
16
Modular Code
Installer invokes individual MSC script
MSC scripts apply/verify settings
Installer invokes next individual MSC script
When all MSC scripts are complete, the installer sends off the report
Diagram labels: Installer(), Determine Platform, Create Recovery Code, Apply Setting, Generate Report, Report to Server
17
Individual MSC scripts in-depth
There are two types of MSC scripts
– Configure Services: chkconfig, sysvconfig, runlevel, /etc/rc2.d… (Ubuntu)
– Modify Configuration files: awk, sed, grep…
18
Gotcha's!
Platform differences
Third party application dependencies
Delivery methods had to meet MSC compliance
Exceptions to the CIS benchmarks
– esound
– cups
– …
19
Spin-Off Projects
– Let’s use LANDesk!
– We’re already using LANDesk for 85% of our install base
– Perform extremely detailed queries
20
Spin-off Projects
– Quest Authentication Services (aka Vintela or VAS)
– Brings Linux into Active Directory
– Centralized management tool
– Another way to distribute MSC scripts
21
If I Could Do It Over Again
‘Configuration file code’ could be more modular (all as a variable)
– What configuration file do you have in mind? – sshd.conf
– What do you want me to find? – Protocol 1
– OK, what do I change it to? – Protocol 2
Include a definitions file for all text based responses
– A centralized file for all grammar used in the scripts
Better package management… somehow
– Negate the need for a user to satisfy dependencies
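
An added example, not code from the INL scripts or the presentation: one way to write the more modular 'configuration file code' this slide asks for, with the Verify/Enforce modes and recovery copy mentioned on earlier slides. The names msc_setting and msc_demo, the return codes and the .msc-bak suffix are assumptions, and the sample file is constructed; on a real system the slide's sshd.conf is /etc/ssh/sshd_config.

```shell
#!/usr/bin/env bash
# Hypothetical helper (not from the INL scripts): file, keyword and desired
# value are all variables, so one function serves every "keyword value" check.
#
# msc_setting MODE FILE KEY WANT
#   MODE verify  -> report only, never modify the file
#   MODE enforce -> write a recovery copy, then fix the setting
#   return 0 = compliant (or fixed), 1 = non-compliant (verify), 2 = error
msc_setting() {
    local mode="$1" file="$2" key="$3" want="$4" current tmp rc
    [ -r "$file" ] || { echo "ERROR $file unreadable"; return 2; }

    # Value on the first active (uncommented) KEY line; empty if absent.
    current=$(awk -v k="$key" '$1 == k { print $2; exit }' "$file")

    if [ "$current" = "$want" ]; then
        echo "PASS $file: $key $want"
        return 0
    fi
    if [ "$mode" != "enforce" ]; then
        echo "FAIL $file: $key is '${current:-unset}', want '$want'"
        return 1
    fi

    # Recovery copy first, so the change can be rolled back.
    cp -p "$file" "$file.msc-bak" || return 2
    tmp=$(mktemp) || return 2
    # Rewrite every active KEY line; append one if the keyword was absent.
    awk -v k="$key" -v w="$want" '
        $1 == k { print k, w; seen = 1; next }
        { print }
        END { if (!seen) print k, w }' "$file" > "$tmp" &&
        cat "$tmp" > "$file"    # cat keeps the original owner and mode
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 2
    echo "FIXED $file: $key '${current:-unset}' -> '$want'"
}

# Constructed sample input: a config fragment with the legacy setting.
msc_demo() {
    local f rc
    f=$(mktemp) || return 2
    printf '%s\n' '# constructed sample' 'Port 22' 'Protocol 1' > "$f"
    msc_setting verify  "$f" Protocol 2 || echo "(verify left the file as is)"
    msc_setting enforce "$f" Protocol 2
    msc_setting verify  "$f" Protocol 2; rc=$?
    rm -f "$f" "$f.msc-bak"
    return "$rc"
}
msc_demo
```
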
22
Questions
Jason Miller
Desktop Management
Idaho National Laboratory
Email: jason.miller@inl.gov