
01/03/11 Centre for Development of Advanced Computing Chennai BOSS Desktop Security.

Date post: 12-Jan-2016
Upload: francis-lamb
Transcript
Page 1: 01/03/11 Centre for Development of Advanced Computing Chennai BOSS Desktop Security.

01/03/11 Centre for Development of Advanced Computing

Chennai

BOSS Desktop Security

Page 2:

Security

Means hardening the Linux system, i.e. protecting the kernel and the services it runs from external intrusion.

RULE: Deny ALL, then ALLOW only what is needed.

Page 3:

1) GRUB password

The GRUB menu does not allow access to the editor or the command interface (boot-up screen) without first pressing 'p' and entering the GRUB password.

2) Partitioning

Separate user-writable data, non-system data, and rapidly changing run-time data onto their own partitions.

Set the nosuid, noexec and nodev mount options in /etc/fstab on partitions such as /tmp.

Page 4:

3) Password and login security

Set a good root password, with a minimum length of 8 characters and a maximum of 40.

Enabled the pam_passwdqc module for password/passphrase strength checking and enforcement.

Implemented old-password history, which remembers the last 7 passwords so they cannot be reused.

Implemented a 10-second failure delay for password authentication in the login program, which slows down online guessing.

Page 5:

4) Secure kernel

All the security functionality described here (SELinux, audit, netfilter) and the ext3 file system reside in kernel space, not in user space, so unprivileged user-space code cannot bypass them.

5) Restricting system reboots through the console

When the three-finger salute (Ctrl+Alt+Del) is given, shutdown (run with -a from /etc/inittab) checks whether any of the users listed in /etc/shutdown.allow is logged in on a console. If none of them is, shutdown will not reboot the system.

Page 6:

6) File system limits and control

Keep quotas small enough that users cannot eat up your disk space. Use quotas on all user-writable areas, on /home as well as on /tmp.

7) Restricting user access

If the file /etc/nologin exists, only root can log in; every other user is shown its contents and refused. The file does not list users: its presence alone blocks non-root logins.

Page 7:

8) Encrypting file system

Encryption obscures the data on a partition so that it is unreadable without the passphrase.

The encrypted partition stays encrypted at rest; its files cannot be read unless the proper passphrase is supplied when it is mounted.

9) SELinux

SELinux is a Mandatory Access Control (MAC) system, implemented as a kernel Linux Security Module (LSM), that confines programs to a limited set of resources.

SELinux allows finer-grained access control than traditional Unix permissions offer.

Page 8:

10) Audit

The audit framework provides tools that help the administrator extract specific types of audit events: events for specific users, events related to specific file system objects, or events within a specific time frame.

The audit daemon (auditd) is responsible for writing the audit records to disk. Rules can be keyed on programs, on database files such as /etc/passwd, and on system calls, so the administrator can see who made which changes.

Page 9:

11) Multi-user environment

Linux is a true multi-user environment: the system supports different users with different privileges. Each user has access to a predefined set of system services and to his or her own private data, which can in turn be shared with other users by granting them access privileges.

Page 10:

12) Admin group for the su program

The administrator changes the group ownership of /bin/su to the admin group and removes the execute bit for others. Only members of the admin group can then run su; the rest of the users cannot.

13) Disable drivers

The floppy, CD-ROM and USB drivers must be disabled.

14) Disable services

Disable services such as telnet, rsh, imap and http, and block their ports with iptables.

Page 11:

15) Extended attributes

Extended attributes are arbitrary name/value pairs associated with files or directories. They can store system objects such as the capabilities of executables and access control lists, as well as user-defined objects.

16) ACL

The file mode contains nine bits that determine the access permissions of a file, plus three special bits. This mechanism defines access permissions for three classes of users: the file owner, the file group, and others. It is very simple, and with a couple of bits many permission scenarios can be modelled. POSIX ACLs extend it with entries for additional named users and groups, stored in extended attributes, for the cases the nine bits cannot express.

Page 12:

17) Secure communications

a) SSH

Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two networked devices. The encryption used by SSH is intended to provide confidentiality and integrity of data over an insecure network such as the Internet.

b) SSL

SSL uses a cryptographic system with two keys: a public key known to everyone and a private or secret key known only to the recipient of the message. The key pair authenticates the server and protects the session-key exchange; the data itself is then encrypted with a symmetric cipher.

Page 13:

18) Tripwire

A file integrity checker for Linux systems. If Tripwire detects that a monitored file has changed, it notifies the system administrator by email. Because Tripwire can positively identify files that have been added, modified or deleted, it speeds recovery from a break-in by keeping the number of files that must be restored to a minimum. Keep the Tripwire database on read-only or offline media: an intruder who can rewrite the database can hide changes.

19) LTP

The Linux Test Project: test suites, released to the open source community, that validate the reliability, robustness and stability of Linux.

Page 14:

20) Iptables

A user-level program for defining the tables and rules of the Linux kernel firewall. It is implemented as netfilter modules, and a chain of rules is applied to decide the ultimate fate of each packet. Administration is complex; Firestarter is a front-end GUI for iptables that is easy to configure and administer.
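A concrete "deny ALL, then ALLOW" ruleset, added here as an example for the iptables slide and for item 14's advice to block telnet, rsh, imap and http. It is not C-DAC's configuration. It assumes iptables with the state match; the SSH port, the IPT variable and the log prefix are the example's own. Run without arguments it only prints the rules; --apply loads them and needs root.

```shell
#!/bin/sh
# "Deny ALL, then ALLOW" with iptables. Added example, not the BOSS ruleset.
# Assumptions: iptables with the state match (-m state); SSH is the only
# service this desktop should accept from the network.
# IPT is the command used to load rules; the dry run sets it to echo.
IPT=${IPT:-iptables}

# apply_firewall [SSH_PORT] -> loads the policy through $IPT
apply_firewall() {
    ssh_port=${1:-22}

    # start from an empty filter table
    $IPT -F
    $IPT -X

    # deny all: default policies drop inbound and forwarded traffic
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT          # a desktop needs to talk out; tighten if required

    # then allow: loopback, replies to connections we opened, and SSH
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$ssh_port" -m state --state NEW -j ACCEPT

    # the services the slides say to disable: telnet(23), rsh(514), imap(143), http(80).
    # They would fall to the DROP policy anyway; logging makes probes visible in syslog.
    for port in 23 514 143 80; do
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j LOG --log-prefix "BLOCKED-SVC "
        $IPT -A INPUT -p tcp --dport "$port" -j REJECT --reject-with tcp-reset
    done
    # everything else falls through to the INPUT DROP policy
}

# dry_run [SSH_PORT] -> prints the rule set instead of loading it
dry_run() {
    IPT=echo
    apply_firewall "$@"
}

case ${1:-} in
    --apply) apply_firewall "${2:-22}" ;;   # real load, needs root
    *)       dry_run "${2:-22}" ;;           # default: just show the rules
esac
```

Firewalling only hides the ports. The daemons themselves should also be taken out of runlevel 2 (on a Debian-based system such as BOSS, update-rc.d <service> remove), which is what the REQUIRED services slide enumerates.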

Page 15:

Limit physical access and booting capabilities

Enable the BIOS password.

Disable all other boot options such as CD-ROM and USB.

Set the GRUB password, as a hashed entry (password --md5) rather than plaintext.

Make the /boot/grub/menu.lst configuration file read-protected (readable by root only), since it holds the password entry.

Page 16:

Partitioning

Separate root partition (/). Separate system data (/usr); /etc, /bin and /sbin must stay on the root file system, since they are needed before the other partitions are mounted.

Separate user-writable data (/home), non-system data (/opt, /var, /media, /mnt, /tmp), and rapidly changing run-time data (such as the audit log) onto other partitions.

Set the nosuid, noexec and nodev mount options in /etc/fstab on those partitions.

Encryption is enabled.

Page 17:

Password and login security

Passwords have a minimum length of 8 characters and a maximum of 40.

Password/passphrase strength checking counts the character classes present (numeric, uppercase letters, lowercase letters, special characters), up to 3 classes.

The old-password history remembers the last 7 passwords.

The failure delay for password authentication in the login program is 10 seconds.
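The length and class rules above, expressed as a standalone check so they can be tried against candidate passwords. This is an added example, not C-DAC's code and not pam_passwdqc itself; reading the slide as "at least 3 of the 4 classes" is the example's assumption. The candidates at the bottom are constructed.

```shell
#!/bin/sh
# Password-policy check that mirrors the BOSS login rules: length 8..40 and
# at least 3 of the 4 character classes (digits, upper, lower, other).
# Added example, not C-DAC's code and not pam_passwdqc itself; the "3 of 4
# classes" reading of the slide is an assumption. The candidate is taken
# from $1 so nothing is echoed to a prompt or written to a log.

# count_classes PASSWORD -> number of distinct character classes present (0-4)
count_classes() {
    n=0
    case $1 in *[[:digit:]]*)  n=$((n + 1)) ;; esac
    case $1 in *[[:upper:]]*)  n=$((n + 1)) ;; esac
    case $1 in *[[:lower:]]*)  n=$((n + 1)) ;; esac
    case $1 in *[![:alnum:]]*) n=$((n + 1)) ;; esac   # punctuation, space, etc.
    echo "$n"
}

# check_password PASSWORD -> prints "ok" (status 0) or the reason (status 1)
check_password() {
    len=${#1}
    if [ "$len" -lt 8 ]; then
        echo "too short: $len chars, minimum 8"
        return 1
    fi
    if [ "$len" -gt 40 ]; then
        echo "too long: $len chars, maximum 40"
        return 1
    fi
    classes=$(count_classes "$1")
    if [ "$classes" -lt 3 ]; then
        echo "only $classes of 4 character classes, need 3"
        return 1
    fi
    echo "ok"
}

# Constructed candidates: one that passes, one all-lowercase, one too short.
for candidate in 'Abc12345' 'abcdefgh' 'Ab1!'; do
    printf '%-10s %s\n' "$candidate" "$(check_password "$candidate")"
done
```

On the installed system the same policy lives in PAM and login.defs: pam_passwdqc in /etc/pam.d/common-password enforces the length and class rules, pam_unix with remember=7 keeps the history of old hashes, and FAIL_DELAY 10 in /etc/login.defs gives the 10-second delay.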

Page 18:

Setuid bit programs

/bin/ping
/bin/su
/usr/bin/at
/usr/bin/chage
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/lpq
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/lpstat

Page 19:

Setgid bit programs

/usr/sbin/postdrop
/usr/sbin/postqueue
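The two lists above are only useful if something compares them with what is actually on disk. The following inventory script is an added example (not C-DAC's tooling) that finds set-uid and set-gid files and reports any that are not on the slides' baseline. The demo tree, including the extra set-uid binary it plants, is constructed so the script runs unprivileged; find_setid / does the real inventory.

```shell
#!/bin/sh
# Inventory set-uid/set-gid files and diff them against the baseline on the
# two slides above. Added example, not C-DAC's script. The demo builds a
# throw-away tree under mktemp so it runs unprivileged; "find_setid /" does
# the real thing. The extra binary in the demo tree is constructed.

# Baseline straight from the slides: the setuid list plus the setgid list.
BASELINE="/bin/ping
/bin/su
/usr/bin/at
/usr/bin/chage
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/lpq
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/lpstat
/usr/sbin/postdrop
/usr/sbin/postqueue"

# find_setid ROOT -> sorted paths (relative to ROOT, leading /) of files
# carrying the setuid (4000) or setgid (2000) bit
find_setid() {
    root=${1%/}                       # "/" becomes "", so the sed below is a no-op
    find "${root:-/}" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        sed "s|^$root||" | sort
}

# unexpected_setid ROOT -> set-id files not in BASELINE; status 1 if any
unexpected_setid() {
    b=$(mktemp); f=$(mktemp)
    printf '%s\n' "$BASELINE" | sort > "$b"
    find_setid "$1" > "$f"
    extra=$(comm -23 "$f" "$b")       # lines only in the found list
    rm -f "$b" "$f"
    if [ -z "$extra" ]; then
        return 0
    fi
    printf '%s\n' "$extra"
    return 1
}

# demo_tree -> path of a constructed tree: four baseline programs plus one
# set-uid binary that is not on the slides
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/usr/bin" "$d/usr/sbin" "$d/usr/local/bin"
    for p in bin/ping bin/su usr/bin/passwd usr/sbin/postqueue usr/local/bin/helper; do
        : > "$d/$p"
    done
    chmod 4755 "$d/bin/ping" "$d/bin/su" "$d/usr/bin/passwd" "$d/usr/local/bin/helper"
    chmod 2755 "$d/usr/sbin/postqueue"
    echo "$d"
}

DEMO=$(demo_tree)
unexpected_setid "$DEMO" || echo "set-id binaries above are not on the baseline"
```

Item 12's su restriction is the same idea applied to one entry: chgrp admin /bin/su and chmod 4750 /bin/su leave it set-uid root but executable only by the admin group. Re-run the inventory after any such change and keep its output as the new baseline, since a set-uid binary that appears later is one of the clearest signs of a break-in.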

Page 20:

REQUIRED services

The following services are REQUIRED for runlevel 2:

atd, ssh, auditd, gdm, cron, irqbalance, networking, halt, sysklog, cupsys, postfix, anacron, urandom, hwclock

Disable USB.

Page 21:

Useradd program

The useradd program by default creates the user under the directory /home/$username.

#useradd test7

The home directory can be placed anywhere, for example /var/www/$username (add -m if the directory should be created as well):

#useradd -d /var/www/test8 test8

Page 22:

Locking the user after failed login attempts

faillog sets the login failure limit for a user; once the limit is reached the account is locked (login records failures only if FAILLOG_ENAB is set to yes in /etc/login.defs):

#faillog -u test5 -m 4

Display the faillog records for all users:

#faillog -a

Page 23:

Audit

Audit rules are set on three kinds of object:

Programs: /bin/login, /usr/bin/passwd, /bin/su

Databases: /etc/passwd, /etc/shadow, /etc/login.defs

System calls: open, chmod, chown
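The three rule categories above as auditctl rules, plus a small summary over audit log records. Added example, not C-DAC's configuration: the key names, the auid threshold and the sample log lines are constructed for this illustration. The summary groups by the rule key and the login uid (auid), which survives su and is what the slide's "who made changes" question needs.

```shell
#!/bin/sh
# Audit rules for the three categories on the slide (programs, databases,
# system calls) and a summary over audit log lines. Added example, not
# C-DAC's configuration: the key names, the auid threshold and the sample
# log lines are this example's own.

# gen_audit_rules -> auditctl rules, suitable for /etc/audit/audit.rules
gen_audit_rules() {
    # programs: record every execution (-p x)
    for prog in /bin/login /usr/bin/passwd /bin/su; do
        printf '%s\n' "-w $prog -p x -k auth_programs"
    done
    # databases: record writes and attribute changes (-p wa)
    for db in /etc/passwd /etc/shadow /etc/login.defs; do
        printf '%s\n' "-w $db -p wa -k auth_databases"
    done
    # system calls by real users (auid >= 1000, excluding the unset value), both ABIs
    for arch in b32 b64; do
        printf '%s\n' "-a always,exit -F arch=$arch -S open,chmod,chown -F auid>=1000 -F auid!=4294967295 -k user_syscalls"
    done
}

# summarize_audit FILE -> "key auid=N count" per rule key and login uid
summarize_audit() {
    awk '
    $1 == "type=SYSCALL" {
        auid = "?"; key = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^auid=/) auid = substr($i, 6)
            if ($i ~ /^key=/)  { key = substr($i, 5); gsub(/"/, "", key) }
        }
        n[key " auid=" auid]++
    }
    END { for (k in n) print k, n[k] }
    ' "$1" | sort
}

# failed_events FILE -> number of SYSCALL records with success=no
failed_events() {
    grep -c '^type=SYSCALL .*success=no' "$1" || true
}

# Constructed sample: user 1000 runs su, then edits /etc/shadow as root
# (auid still 1000); user 1001 twice fails a chmod. Trimmed to the fields used.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1299000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1501 auid=1000 uid=1000 gid=1000 euid=0 comm="su" exe="/bin/su" key="auth_programs"
type=SYSCALL msg=audit(1299000000.105:202): arch=c000003e syscall=2 success=yes exit=3 ppid=1501 pid=1502 auid=1000 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="auth_databases"
type=PATH msg=audit(1299000000.105:202): item=0 name="/etc/shadow" inode=4321 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1299000000.110:203): arch=c000003e syscall=90 success=no exit=-1 ppid=1600 pid=1601 auid=1001 uid=1001 gid=1001 euid=1001 comm="chmod" exe="/bin/chmod" key="user_syscalls"
type=SYSCALL msg=audit(1299000000.111:204): arch=c000003e syscall=90 success=no exit=-1 ppid=1600 pid=1602 auid=1001 uid=1001 gid=1001 euid=1001 comm="chmod" exe="/bin/chmod" key="user_syscalls"
EOF

gen_audit_rules
summarize_audit "$SAMPLE_LOG"
echo "failed syscalls: $(failed_events "$SAMPLE_LOG")"
```

Load the rules with auditctl -R and query by key with ausearch -k auth_databases; aureport gives the per-user and per-file views the slide on page 8 describes. The b64 rule names open, which exists on x86-64 but not on every architecture, so check auditctl's output when loading on other hardware.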

Page 24:

SSH (Secure Shell)

Direct root login is disabled.

SSH protocol version 1 is disabled.

SSH protocol version 2 is enabled.

The permitted authentication mechanisms are per-user (non-empty) passwords and per-user public-key authentication. AES (the aes128-cbc algorithm) is the symmetric cipher that protects the session, not an authentication mechanism.
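A checker for the policy on this slide, added as an example and not C-DAC's script. It reads an sshd_config the way sshd does (first occurrence of a keyword wins) and reports each directive that does not match. Both sample configs are constructed, and the defaults it assumes for unset keywords are the example's own; Protocol in particular is assumed to be the permissive "2,1" when unset so that an omitted line is reported.

```shell
#!/bin/sh
# Check an sshd_config against the policy on the slide: no direct root login,
# protocol 2 only, no empty passwords, public-key and password authentication
# on, and aes128-cbc in the cipher list. Added example, not C-DAC's script;
# both sample configs are constructed. sshd uses the first occurrence of a
# keyword, so the checker does the same.

# sshd_value FILE KEYWORD -> effective value, or empty if not set
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# check_sshd FILE -> one finding per line; status 1 if any finding
check_sshd() {
    f=$1; rc=0
    # keyword:wanted:assumed-default (defaults are the example's assumption;
    # Protocol deliberately assumes the permissive "2,1" when unset)
    for spec in "PermitRootLogin:no:yes" "Protocol:2:2,1" \
                "PermitEmptyPasswords:no:no" "PubkeyAuthentication:yes:yes" \
                "PasswordAuthentication:yes:yes"; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; dflt=${rest#*:}
        v=$(sshd_value "$f" "$key")
        [ -n "$v" ] || v=$dflt
        if [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "$key is '$v', want '$want'"
            rc=1
        fi
    done
    # cipher list must be explicit and include the slide's aes128-cbc
    c=$(sshd_value "$f" Ciphers)
    case ",$c," in
        *,aes128-cbc,*) ;;
        *) echo "Ciphers is '$c', want an explicit list including aes128-cbc"; rc=1 ;;
    esac
    return $rc
}

WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
# constructed: a stock-looking config before hardening
Port 22
Protocol 2,1
PermitRootLogin yes
#PermitEmptyPasswords no
PermitEmptyPasswords yes
PubkeyAuthentication yes
PasswordAuthentication yes
EOF
cat > "$HARD" <<'EOF'
# constructed: the slide's policy expressed as sshd_config directives
Port 22
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
PubkeyAuthentication yes
PasswordAuthentication yes
Ciphers aes128-cbc,aes256-cbc
EOF

echo "== weak =="
check_sshd "$WEAK" || true
echo "== hardened =="
check_sshd "$HARD" && echo "policy satisfied"
```

Validate an edited file with sshd -t before restarting the daemon, and keep an existing session open until the new one is confirmed working. aes128-cbc is checked only because the slide names it; on a current OpenSSH the CBC ciphers are no longer offered by default and aes128-ctr or the AES-GCM ciphers are the ones to list.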

Page 25:

DAC

Controls which users can read or modify files by setting the Unix permission bits and user/group IDs, and by using POSIX-style access control lists (ACLs).

The administrator ('root') is able to override these permissions and access all files on the system; this is the limitation the SELinux MAC policy addresses, since it can confine root as well.

Page 26:

Security monitoring

Created /var/log/btmp to log bad login attempts; login records them only when the file exists. Keep it readable by root only (mode 600), because users sometimes type a password into the username prompt and it then lands in this file.

# touch /var/log/btmp
# lastb

Page 27:

List of processes

List the processes currently running on the system:

ps aux

Page 28:

Network analysis

List the ports currently open (listening) on the system, with the owning process:

netstat -plntu

Live network traffic analysis:

tcpdump

Page 29:

List of services

List the processes that currently hold network sockets (listening services and open connections):

lsof -i

Page 30:

Thank You

Ashok Kumar J
Sanket Bajoria

