
01/03/11 Centre for Development of Advanced Computing Chennai BOSS Desktop Security.


1 BOSS Desktop Security

2 Security means hardening the Linux system (i.e., protecting the kernel from external intrusions).
RULE: Deny ALL, then ALLOW.

3 1) GRUB password
The GRUB menu does not allow access to the editor or command interface (boot-up screen) without first pressing 'p' followed by the GRUB password.
2) Partitioning
Separate user-writable data, non-system data, and rapidly changing run-time data onto their own partitions.
Set the nosuid,noexec,nodev mount options in /etc/fstab on ext3 partitions such as /tmp.

4 3) Password and login security
Set a good root password with a minimum length of 8 characters and a maximum of 40.
Enabled the passwdqc module for password/passphrase strength checking and enforcement.
Implemented old-password history, which remembers up to 7 passwords.
Implemented a fail delay of 10 seconds for password authentication in the login program.

5 4) Secure kernel
All the security functionality and the ext3 file system reside in kernel space, not in user space, to make the operating system more secure.
5) Restricting system reboots through the console
When the three-finger salute (a.k.a. Ctrl+Alt+Del) is given, the program checks whether any of the users listed in the file are logged in. If none of them is, shutdown will not reboot the system.

6 6) File system limits and control
Keep the quotas small enough that users do not eat up your disk space. Use quotas on all user-writable areas, on /home as well as on /tmp.
7) Restricting users' access
The users listed in the file /etc/nologin will not be able to access the system.

7 8) Encrypting file system
The encryption process obscures certain information, making it unreadable without a special password or passcode. This new partition is encrypted at all times, and reading the files in it is not possible unless the proper password is used.
9) SELinux
SELinux is a Mandatory Access Control (MAC) system, a kernel (LSM) enhancement that confines programs to a limited set of resources. SELinux allows more fine-grained access control than traditional Unix permissions offer.

8 10) Audit
Provides tools that help the administrative user extract specific types of audit events: events for specific users, events related to specific file system objects, or events within a specific time frame. The audit system is responsible for writing audit records to disk. The Linux audit files show who made changes, based on program, database files and system calls.

9 11) Multi-user environment
Linux is a true multi-user environment. This means that the system can support different users with different privileges. Each user has access to a predefined set of system services and to his/her own private data. The private data in turn can be shared with other users by granting them access privileges.

10 12) Admin group for the su program
The administrator has to change the group ownership of su to the admin group. Then only admin group members are able to run the su program; the rest of the users cannot.
13) Disable drivers
Floppy, CD-ROM and USB must be disabled.
14) Disable services
Disable services like telnet, rsh, imap and http through iptables.

11 15) Extended attributes
Extended attributes are arbitrary name/value pairs associated with files or directories. They can be used to store system objects such as capabilities of executables and access control lists, as well as user objects.
16) ACL
The file mode contains nine bits that determine the access permissions of a file, plus three special bits. This mechanism allows defining access permissions for three classes of users: the file owner, the file group, and others. The mechanism is very simple: with a couple of bits, many permission scenarios can be modeled.

12 17) Secure communications
a) SSH
Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two networked devices. The encryption used by SSH is intended to provide confidentiality and integrity of data over an insecure network such as the Internet.
b) SSL
SSL uses a cryptographic system with two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message.

13 18) Tripwire
A file integrity checker for Linux systems. If Tripwire detects that a monitored file has been changed, it notifies the system administrator via email. Because Tripwire can positively identify files that have been added, modified, or deleted, it can speed recovery from a break-in by keeping the number of files that must be restored to a minimum.
19) LTP
Test suites, offered to the open source community, that validate the reliability, robustness, and stability of Linux.

14 20) Iptables
A user-level application program to define the tables/rules for the Linux kernel firewall. Implemented as Netfilter modules. Applies a chain of rules to decide the ultimate fate of a packet. Administration is complex.
Firestarter: a front-end GUI for iptables, easy to configure and administer.

15 Limit physical access and booting capabilities
Enable a BIOS password.
Disable all other booting options such as CD-ROM and USB.
Set the GRUB password.
Set the /boot/grub/menu.lst configuration file to be read-protected.

16 Partitioning
Separate root partition (/root).
Separate system data (/etc, /bin, /sbin, /usr).
Separate user-writable data (/home), non-system data (/opt, /var, /media, /mnt, /tmp), and rapidly changing run-time data (such as audit logs) onto other partitions.
Set the nosuid,noexec,nodev mount options in /etc/fstab on ext2 partitions.
Encryption is enabled.
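The partitioning advice on slides 3 and 16 is easy to state and easy to get subtly wrong (a mount point that is not its own partition silently inherits the options of its parent). The following check is an added example, not part of the C-DAC deck; SAMPLE_FSTAB is a constructed fstab in which /tmp is hardened while /home and /var are not, and the script uses only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not part of the C-DAC deck: check that the user-writable
# mount points the slides call out carry nosuid,noexec,nodev in /etc/fstab.
# SAMPLE_FSTAB is a constructed fstab; /tmp is hardened, /home and /var are not.
SAMPLE_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1 / ext3 defaults,errors=remount-ro 0 1
/dev/sda5 /home ext3 defaults,nosuid,nodev 0 2
/dev/sda6 /tmp ext3 defaults,nosuid,noexec,nodev 0 2
/dev/sda7 /var ext3 defaults,nodev 0 2'

# has_opt OPTIONS OPT -> success if OPT appears in the comma-separated OPTIONS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mount FSTAB_TEXT MOUNTPOINT -> "MP: ok", "MP: missing ...", or
# "MP: not a separate partition"; returns 1 unless everything is in place
check_mount() {
    fstab="$1"; mp="$2"; missing=""
    # column 4 of the non-comment line whose mount point is exactly $mp
    opts=$(printf '%s\n' "$fstab" | awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4 }')
    if [ -z "$opts" ]; then
        echo "$mp: not a separate partition"
        return 1
    fi
    for o in nosuid noexec nodev; do
        has_opt "$opts" "$o" || missing="$missing $o"
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"
        return 1
    fi
    echo "$mp: ok"
}

# Walk the partitions the deck wants separated and hardened.
for mp in /tmp /home /var /opt; do
    check_mount "$SAMPLE_FSTAB" "$mp" || :
done
# Against the live system: check_mount "$(cat /etc/fstab)" /tmp
```

noexec on /var or /home can break package managers and user tooling that execute from those trees, so test the effect before enforcing it on every partition as slide 16 suggests.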

17 Password and login security
Passwords have a minimum length of 8 characters and a maximum length of 40.
The password/passphrase check can require up to 3 character classes (numeric, uppercase letters, lowercase letters, special characters).
The old-password history remembers up to 7 passwords.
The fail delay of password authentication in the login program is 10 seconds.

18 Setuid bit programs
/bin/ping /bin/su /usr/bin/at /usr/bin/chage /usr/bin/chsh /usr/bin/crontab /usr/bin/gpasswd /usr/bin/passwd /usr/bin/lpq /usr/bin/lpr /usr/bin/lprm /usr/bin/lpstat

19 Setgid bit programs
/usr/sbin/postdrop /usr/sbin/postqueue
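Slides 18 and 19 list the setuid/setgid programs on the system, and slide 12 describes restricting su to the admin group. The script below is an added example, not from the deck: it audits a tree for setuid/setgid files, reports which ones every user can execute, and applies the slide-12 fix (group ownership plus mode 4750). It builds a constructed temp tree instead of touching the real /bin, and it assumes GNU find (for -printf).

```shell
#!/bin/sh
# Added example, not part of the C-DAC deck: audit setuid/setgid binaries and
# flag any that every user can run, then apply the deck's su fix (group-owned,
# mode 4750). Works on a constructed temp tree, never on the real /bin.
WORK=$(mktemp -d)
# mk PATH MODE -> empty stand-in file under $WORK with the given mode bits
mk() { f="$WORK$1"; mkdir -p "$(dirname "$f")"; : > "$f"; chmod "$2" "$f"; }
mk /bin/su 4750             # setuid, only the owning group may execute
mk /bin/ping 4755           # setuid, world-executable
mk /usr/bin/passwd 4755     # setuid, world-executable (legitimately so)
mk /usr/sbin/postdrop 2755  # setgid, world-executable

# audit_privileged ROOT -> "MODE /PATH world-exec|restricted" per setuid/setgid
# file under ROOT; returns 1 if at least one is world-executable
audit_privileged() {
    root="$1"
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %P\n' |
        sort -k2 | while read -r mode path; do
            case "$mode" in
                *[13579]) echo "$mode /$path world-exec" ;;   # other-execute bit set
                *)        echo "$mode /$path restricted" ;;
            esac
        done
    # the pipeline ran in a subshell, so count the world-executable ones again
    n=$(find "$root" -type f \( -perm -4000 -o -perm -2000 \) -perm -001 | wc -l)
    [ "$n" -eq 0 ]
}

# restrict_to_group BINARY GROUP -> the slide-12 su change: chgrp + chmod 4750
restrict_to_group() { chgrp "$2" "$1" && chmod 4750 "$1"; }

audit_privileged "$WORK" || echo "some privileged binaries are world-executable"
# On a live host: audit_privileged / ; restrict_to_group /bin/su admin
```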

20 REQUIRED services
The following services are REQUIRED for runlevel 2:
atd, ssh, auditd, gdm, cron, irqbalance, networking, halt, sysklog, cupsys, postfix, anacron, urandom, hwclock
Disable USB.

21 Useradd program
By default, useradd creates the user's home directory under /home/$username:
#useradd test7
The home directory can be changed to anywhere, such as /var/www/$username:
#useradd -d /var/www/test8 test8

22 Locking the user after failed login attempts
Used to set the login failure limit for a user:
#faillog -u test5 -m 4
Display the faillog records:
#faillog -a

23 Audit
Set audit rules based on three types:
Programs: /bin/login, /usr/bin/passwd, /bin/su
Databases: /etc/passwd, /etc/shadow, /etc/login.defs
System calls: open, chmod, chown
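Slide 23 names what to watch but not the rule syntax. The generator below is an added example, not from the deck: it emits an auditctl rule set with one rule family per category (execution watches on the programs, write/attribute watches on the account databases, and exit-time syscall rules for both ABIs). The key names (boss_progs, boss_dbs, boss_syscalls) and the auid filter are my choices, not the deck's.

```shell
#!/bin/sh
# Added example, not part of the C-DAC deck: generate the auditd rule set the
# slide describes, one rule family per category (programs, account databases,
# system calls). The key names (boss_*) are my choice; load the output with
# "auditctl -R file" or install it as /etc/audit/audit.rules.
PROGRAMS="/bin/login /usr/bin/passwd /bin/su"
DATABASES="/etc/passwd /etc/shadow /etc/login.defs"
SYSCALLS="open,chmod,chown"

boss_audit_rules() {
    echo "-D"          # flush any rules already loaded
    echo "-b 8192"     # bigger kernel backlog so bursts of events are not dropped
    for p in $PROGRAMS; do          # every execution (x) of the program
        echo "-w $p -p x -k boss_progs"
    done
    for d in $DATABASES; do         # writes and attribute changes (wa) to the DBs
        echo "-w $d -p wa -k boss_dbs"
    done
    for arch in b64 b32; do         # both ABIs, otherwise 32-bit callers go unlogged
        # auid>=1000 keeps real user sessions; 4294967295 is the "unset" auid
        echo "-a always,exit -F arch=$arch -S $SYSCALLS -F auid>=1000 -F auid!=4294967295 -k boss_syscalls"
    done
}

# rule_count -> number of watch (-w) and syscall (-a) rules emitted
rule_count() { boss_audit_rules | grep -c '^-[wa] '; }

boss_audit_rules
# Review later with e.g.: ausearch -k boss_dbs   (who touched /etc/shadow)
```

Modern libc wrappers call openat/fchmodat/fchownat rather than open/chmod/chown, so extend the -S list accordingly on current systems; -S open does not exist at all on arm64 kernels.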

24 SSH (Secure Shell)
Direct root login is disabled.
SSH protocol version 1 is disabled.
SSH protocol version 2 is enabled.
The permitted authentication mechanisms are per-user (non-empty) passwords and per-user AES (aes128-cbc algorithm) public key authentication.
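A check for the sshd_config settings slide 24 describes, added here as an example that is not part of the deck. It mirrors a rule that trips up hardening work: sshd uses the first occurrence of a keyword, so a "PermitRootLogin no" appended below an earlier "PermitRootLogin yes" changes nothing. WEAK_CONFIG and GOOD_CONFIG are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the C-DAC deck: verify the sshd_config settings
# from the SSH slide. sshd honours the FIRST occurrence of a keyword, so a
# hardening line appended below an older permissive one changes nothing; the
# check mirrors that rule. Both configs below are constructed samples.
WEAK_CONFIG='Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
# appended later to "fix" root login, but sshd already took the yes above
PermitRootLogin no'

GOOD_CONFIG='Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no'

# effective CONFIG KEYWORD -> the value sshd would use (first non-comment match,
# keyword compared case-insensitively as sshd does); empty if not set
effective() {
    printf '%s\n' "$1" | awk -v key="$2" \
        '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# check_sshd CONFIG -> one "ok"/"FAIL" line per required setting; returns 1 on
# any failure. Unset keys count as failures: the deck sets them explicitly.
check_sshd() {
    cfg="$1"; rc=0
    for want in Protocol=2 PermitRootLogin=no PermitEmptyPasswords=no \
                PubkeyAuthentication=yes PasswordAuthentication=yes; do
        key=${want%=*}; exp=${want#*=}
        got=$(effective "$cfg" "$key")
        if [ "$got" = "$exp" ]; then
            echo "ok   $key=$got"
        else
            echo "FAIL $key=${got:-unset} (want $exp)"; rc=1
        fi
    done
    return $rc
}

check_sshd "$WEAK_CONFIG" || echo "-- weak config rejected"
check_sshd "$GOOD_CONFIG" && echo "-- good config accepted"
# Live system: check_sshd "$(cat /etc/ssh/sshd_config)", then sshd -t after edits
```

On a running host, sshd -T prints the effective values (Match blocks included) and is the authoritative check; this script only reads the file.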

25 DAC
Control which users can read or modify files by setting the Unix permission bits and user/group IDs, or by using POSIX-style access control lists (ACLs). The administrator ('root') is able to override these permissions and access all files on the system.

26 Security monitoring
Created /var/log/btmp to log bad login attempts:
# touch /var/log/btmp
# lastb

27 List of processes
List of processes currently running on the system:
ps aux

28 Network analysis
List of ports currently open on the system:
netstat -plntu
Live network traffic analysis:
tcpdump

29 List of services
List of services currently running on the system:
lsof -i

30 Thank You
Ashok Kumar J, Sanket Bajoria


