Presentation is loading. Please wait.

Presentation is loading. Please wait.

system hardening Act of modifying a system to make it more secure Protecting against internal and external threats Usually a balance between security.

Published bySibyl Kellie Wilkins Modified over 8 years ago

Similar presentations

Presentation on theme: "system hardening Act of modifying a system to make it more secure Protecting against internal and external threats Usually a balance between security."— Presentation transcript:

1

2 system hardening Act of modifying a system to make it more secure Protecting against internal and external threats Usually a balance between security and usability Where balance is achieved is different for every organization

3 hardening practices Removing unneeded privileges, applications, or services Updating installed packages on a regular basis Maintaining user lists with up-to-date information Providing an audit trail to detect changes in files and behaviors

4 nsa security guides The NSA publishes security guides for various operating systems and applications Linux guide is written for Red Hat Enterprise Linux 5 Guide can be adapted for other Linux distributions

5 nsa security guides Guides are just a reference Never follow them without understanding what you are doing Many of the security recommendations may not make sense in your environment

6 nsa security guides http://www.nsa.gov/ia/mitigation_guidance/security_config uration_guides/index.shtml http://www.nsa.gov/ia/mitigation_guidance/security_config uration_guides/index.shtml

7 vulnerability databases Vulnerability databases are an important resource for determining if your software needs to be patched Often contain mitigation information as well as available update paths

8 vulnerability databases http://www.cert.org http://www.us-cert.gov/cas/techalerts/index.html http://nvd.nist.gov Interesting article: http://www.cio.com/article/730250/US_NIST_39_s_Vulnerability_ Database_Hacked http://www.cio.com/article/730250/US_NIST_39_s_Vulnerability_ Database_Hacked

9 inetd inetd is the Internet “super-server” A super-server listens to network ports and starts the appropriate server when a connection is received Configuration is in /etc/inetd.conf

10 /etc/inetd.conf One service per line Lines can be commented out by preceding with a # 7 tab-delimited fields service-name socket-type Protocol wait|nowait User server-program server-args “The wait/nowait entry specifies whether the server that is invoked...will take over the socket...and thus whether inetd should wait for the server to exit before listening for new service requests.” (man inetd)

11 /etc/inetd.conf service-name socket-type protocol wait | nowait user server-program server-args ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l #ntalk dgram udp wat root /usr/libexec/ntalkd ntalkd telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd

12 xinetd Secure replacement for inetd Configuration is stored in /etc/xinetd.conf and /etc/xinetd.d/ Most services have their own file in the configuration directory Allows services to be added when a package is installed

13 xinetd Configuration files allow both enabled and disabled keyword Convention is to only use disabled keyword On Red Hat-like systems chkconfig can control xinetd services

14 /etc/xinetd.d/tftp service tftp { socket_type = dgram protocol = udp wait = yes user = root server = /usr/sbin/in.tftpd server_args = -s /tftpboot disable = yes }

15 disabling services Red HatDebian Standard Service chkconfigupdate-rc.d inetd -update-inetd xinetd chkconfigedit manually

16 sudo sudo is a command that allows a normal user to perform actions as root or another user More flexible than su which is all or nothing Authenticates user with their password su requires user to know root or other user’s password

17 sudo All root-level work should be done using sudo Allows tracking of what users were using root privileges for Configuration is in /etc/sudoers sudoers should be edited with visudo checked after editing with visudo –c

18 /etc/sudoers #%group hostlist=(runas) cmd %wheel ALL=(ALL) ALL #user hostlist=(runas) cmd rgharaib ALL=(ALL) /etc/init.d/maui [a-z]* rgharaib ALL=(ALL) /sw/torque/bin/pbsnodes -[co] [a-z0-9]* rgharaib ALL=(ALL) /opt/xcat/bin/rpower b[0-9]* [a-z]* rgharaib ALL=(ALL) /usr/bin/ssh ananke reboot rgharaib ALL=(ALL) /usr/bin/ssh aether reboot Xyz ALL=(ALL) ALL Userid Xyz can run on any server as any target user for any command Xyz ALL=(root) vi Userid Xyz can run on any server as root for the vi command

19 selinux Security-Enhanced Linux adds access-control mechanisms to the Linux kernel Most common mechanism is Mandatory Access Control (MAC) Developed primarily by the NSA

20 selinux All files are assigned a security context policies exist for every application detailing the security contexts they can access

21 selinux in red hat Red Hat includes decent SELinux support out of the box Can be enabled by editing /etc/selinux/config Usually type should be targeted and mode should be enforcing

22 selinux Having SELinux enabled may break some necessary functionality Booleans can be used to change SELinux behavior getsebool -a will show available booleans setsebool can modify them

23 auditd Audit daemon that tracks security operations on a system SELinux problems are logged to the audit daemon Can be configured to meet federal, DoD or other requirements Logs written to /var/log/audit/

24 selinux + auditd audit2allow will generate a SELinux ruleset from denied actions recorded by auditd Simple mechanism to update SELinux policies for your environment

25 monitoring changes Host-based intrusion detection systems Designed to detect changes to files on the system Normally used in extremely paranoid environments AIDE (Advanced Intrusion Detection Environment) is one example

26 aide Works by creating a database containing hashes of important files on the filesystem Periodically verifies that file hashes have not changed Must be turned off to update anything Database must be rebuilt after an update

27 logging Centralized log management is key Once logs are centralized, you need a way to condense them into something useful logwatch is one such tool

28 logwatch Tool to generate summary of system logs Can generate one email containing all systems or an email for each system Split into different components that check for certain patterns Easy to write new components

29 configuration management Tools and concepts that help maintain systems consistency Administrators use tools to write policies and apply them to multiple systems Policies are verified periodically and any changes on the local system can be backed out Some tools allow administrators to roll back changes that were pushed out via configuration management

30 configuration management Large organizations and organizations concerned about security can benefit from configuration management Example tools are cfengine and puppet Will have a complete module on configuration management

Download ppt "system hardening Act of modifying a system to make it more secure Protecting against internal and external threats Usually a balance between security."

Similar presentations

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.
Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
System Center Configuration Manager Push Software By, Teresa Behm.

System Center Configuration Manager Push Software By, Teresa Behm.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Netprog: daemons and inetd1 Daemons & inetd Refs: Chapter 13.

Netprog: daemons and inetd1 Daemons & inetd Refs: Chapter 13.
Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.

Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.
Lesson 18: Configuring Application Restriction Policies

Lesson 18: Configuring Application Restriction Policies
Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Installing and Configuring a Secure Web Server COEN 351 David Papay.

Installing and Configuring a Secure Web Server COEN 351 David Papay.
1 Network File System. 2 Network Services A Linux system starts some services at boot time and allow other services to be started up when necessary. These.

1 Network File System. 2 Network Services A Linux system starts some services at boot time and allow other services to be started up when necessary. These.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Strategies in Linux Platforms and.

© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Strategies in Linux Platforms and.
Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.

Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.
Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.

Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
This presentation will guide you though the initial stages of installation, through to producing your first report Click your mouse to advance the presentation.

This presentation will guide you though the initial stages of installation, through to producing your first report Click your mouse to advance the presentation.
Instructor: Michael Teske BI222.  Lab follow up  Current events  Linux/Unix best practices  Project Management.

Instructor: Michael Teske BI222.  Lab follow up  Current events  Linux/Unix best practices  Project Management.
Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.

Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.

Similar presentations

Ads by Google