Date post: 27-Mar-2015
04/10/23Slide # 1
Hardening Linux Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg and Lee Leahu
Hardening Linux
By Gregg Rosenberg and Lee Leahu
Contact Information
RICIS, Inc.
8018 Mallow Drive
Tinley Park IL 60477-2697
866-742-4777 Voice
708-444-2690 Voice
866-997-4247 Fax
708-444-2697 Fax
Gregory D. Rosenberg
Lee Leahu
04/10/23Slide # 3
Hardening Linux Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenbergand Lee Leahu
What You Will Learn
• A review of basic security principles
• An overview of Common Criteria security certifications
• An introduction to hardening servers reasonably close to the CC EAL 4+ security assurance level.
Achieving a State of Security
• Identify the assets you want to protect
• Identify the risks to those assets
• Identify who accesses the assets and how
• Establish checks and balances
• Develop enforceable security policies
• Use a layered approach
• Plan for disasters
• Get management's sign-off
Why Security Policies Fail
• They impair user productivity
• No or insufficient user education
• No policies for handling the unexpected
• No support from management
• Security policies are not enforced
• Lax monitoring and auditing practices
• Users having too many privileges
The Real Threat
• Non-malicious damage resulting from:
  – Human error
  – Denial of service
  – Inappropriate disclosure
• Policy breakdown:
  – Key under the doormat
  – Checks and balances bypassed
  – Rogues on your network
The Basic Security Tenet
Deny all except that which is specifically permitted
Security Policy Lifecycle
1. Identify the assets you are protecting
2. Assess risk to those assets
3. Develop security policy
4. Implement and test the security policy
5. Educate your user population
6. Monitor and enforce security policy
7. Audit security policy, go back to step 1
Evaluation Criteria
• TCSEC (aka Orange Book)
• FIPS 140
• Common Criteria
• SSE-CMM
CC Evaluation Assurance Levels
• EAL 1: Functionally tested
• EAL 2: Structurally tested
• EAL 3: Methodically tested and checked
• EAL 4: Methodically designed, tested, reviewed
• EAL 5: Semi-formally designed and tested
• EAL 6: Semi-formally verified design and tested
• EAL 7: Formally verified design and tested
Planning for Disasters
• Securely install your operating system
• Accurate time source
• Know every file on your system
• Validate system integrity
• Centralize logging
• Monitor and audit your system regularly
• Documentation and procedures
• Emergency response team
• Backup, backup, backup (make sure you test your restore procedures periodically)
Linux Security Certifications
• SUSE Linux Enterprise Server achieves:
  – CC EAL 2 in August 2003 (SLES8)
  – CC EAL 3+ in December 2003 (SLES8)
  – CC EAL 4+ in December 2004 (SLES9)
  – CC EAL 5 in March 2005 (SLES9)
• Red Hat Linux is nearly a year behind SUSE LINUX, but catching up fast
• IBM, HP, and others are helping both
Overview of Security Functions
• Identification and authentication
• Audit
• Object reuse
• Discretionary Access Control
• Security management and system protection
• Secure communication
Identification and Authentication
• Pluggable Authentication Module (PAM)
• OpenSSH
• vsftpd
• su
• sudo
Linux Auditing Subsystem (LAUS)
• The audit subsystem was implemented by the SUSE Security Team members Olaf Kirch and Thomas Biege
• The audit subsystem is intended to be the central interface for collecting and viewing the record of security relevant events
• All authentication done through the PAM library is audited, including the identity and location of the user and the success or failure result.
Linux Auditing Subsystem (2)
• Use of su to change identity. All actions done as part of a su session are marked in the audit record with the original user's login user ID.
• Adding, changing, or deleting users or groups
• Changes and change attempts to the contents of security critical files
• Changes to the access permissions or ownership of any files or IPC objects
• Binding network ports and accepting connections
Discretionary Access Control
• Linux is a multi-user operating system. You can control which other users will be able to read or modify your files by setting the Unix permission bits and user/group IDs.
• You can achieve more precise control using POSIX-style access control lists (ACLs).
• The administrators (’root’) are able to override these permissions and access all files on the system.
• Use of encryption is RECOMMENDED for additional protection of sensitive data.
Object Reuse
• The kernel automatically ensures that new objects (disk files, memory, IPC) do not contain any traces of previous contents.
Installation Considerations
• Ensure the hardware clock is accurately set to the current date, time, and time zone.
• Install the latest system BIOS and firmware
• Ensure that all hardware interfaces or devices that are not required are disabled in the BIOS
• Password protect the BIOS and boot menus
• Consider using a remote management solution and losing the keyboard and mouse
• Carefully consider disk controllers / spindles
Installation Considerations (2)
• Carefully plan your partition layout before beginning your base operating system installation
• Verify your installation source is authentic
• Build and harden the system before plugging it into your network
• You can also build from a package distribution server if you and it are on a trusted internal network
• Do a less than minimum installation
• Do not install a GUI
Example MD5 Checksums
• SLES-9-i386-RC5-CD1.iso  cc419d86f3f5ff99395ca4de9d967600
• SLES-9-i386-RC5-CD2.iso  86e97184aae42ba6013ea7460372ffe5
• SLES-9-i386-RC5-CD3.iso  f880b3ba92fc43add18259c9437f648d
• SLES-9-i386-RC5-CD4.iso  bc7b88f34a8142bacbdd4d1fddd3fc50
• SLES-9-i386-RC5-CD5.iso  7844c76fc9f39a2af9ef6751ec18af60
• SLES-9-i386-RC5-CD6.iso  9e0fdd835e52f53906dff110515eb002
Partition Layout
• /boot 128 MB
• swap 1 GB => 1 to 1.5 times the amount of physical memory or more
• / Size as required (e.g. 12 GB)
• /tmp 512 MB, size as required
• /home 512 MB, size as required
• /var Size as required (e.g. 4 GB)
• /var/log Size as required (e.g. 20 GB)
Partition Layout (2)
• Although it violates the rules
• /usr Size as required (e.g. 4 GB)
• /opt Size as required (e.g. 2 GB)
• Set the file system type to ext3, although xfs is considered more secure by many.
• In the fstab options, enable Access Control Lists; optionally enable "No access times", "Mount read-only", and "Extended User Attributes" as required.
Trusted, Tolerated, and Unknown Software
• Trusted software has been evaluated and can be well trusted.
• Tolerated software has been evaluated, but should be carefully considered before use.
• Unknown software is any other software you intend to install on the system that has not been formally evaluated
Additional Required Packages
• laus - The Linux Audit System
• laus-64bit - ONLY for ppc64 (pSeries, iSeries) systems
• pam-laus - Audit-enabled version of the PAM libraries
• The above packages should be installed after you finish the base minimum install.
• Star - Data archival tool with ACL support
Recommended Packages
• texinfo - Info documentation viewer
• man-pages - Manual pages
• howtoenh - how-to documentation (HTML format)
• sles-admin_en - Administrator Manual
Optional Packages
• lprng - Print spooler
• cups - May be a better choice, but it is not on the trusted or tolerated list.
• xinetd - XInetd (only used for vsftpd)
• vsftpd - FTP daemon (needs xinetd)
• stunnel - Set up encrypted SSL tunnels
There are additional packages on the trusted or tolerated list that can be installed.
Hardware
• Any storage devices and backup devices supported by the operating system, but not USB storage devices
• All Ethernet and Token Ring network adapters supported by the operating system
• You can use a USB keyboard and mouse, as long as they are installed before booting the system
• Any printers supported by the operating system
• Operator console consisting of a keyboard, video monitor, and optionally mouse, as well as a serially attached terminal
• But not modems, ISDN cards, or other remote access terminals
Installation
• Disconnect network cables
• Verify authenticity of installation source
• Boot from Service Pack 2 CD # 1
• Launch installer
• You may use text mode or a serial console
• Accept EULA
• Select English language
Installation (2)
• On the "Installation Settings" screen:
• Select "New Installation" for mode
• Select appropriate keyboard
• Customize partitioning
• Select minimum software installation and add / remove additional packages discussed in the prior slides
• Keep default boot options (no other OS allowed)
Installation (3)
• Keep hardware clock on UTC and select your local time zone
• Choose “Accept” to start installation
• The installer will reboot
• Secure boot settings in BIOS to HDD only
• Configure network interface with static IP, host name, default gateway, no DHCP
• Do not enable LDAP, use local only
Secure Initial System Config
• Enable the SUSE Firewall 2 and only permit ssh. Later you can open other ports that are required.
• Set up /etc/hosts.allow to restrict access further.
• Lock down removable media (CD/DVD) devices; mount them with -t iso9660 -o ro,nodev,nosuid,noauto
• Disable usbfs
• Disable all unneeded services
• Remove or rename links to their startup and shutdown scripts in /etc/init.d
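The fstab rules from the "Partition Layout (2)" slide (ACLs enabled on data filesystems) and from this slide (ro,nodev,nosuid,noauto on removable media, usbfs disabled), as an added shell checker; it is not part of the original slides, and the sample fstab entries it contains are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): check an fstab file against the
# mount-option guidance. Data filesystems (ext3/xfs) must carry "acl",
# removable media (iso9660) must carry ro,nodev,nosuid,noauto, and usbfs
# must not be mounted at all. The sample fstab entries below are constructed.

# has_opt "ro,nodev,nosuid" nodev  -> returns 0 when the option is present
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_fstab FILE: print one finding per line ("mountpoint: problem")
check_fstab() {
    # drop comments and blank lines; fields are dev, mountpoint, type, options
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r _dev mnt fstype opts _dump _pass; do
        case "$fstype" in
            ext3|xfs)
                has_opt "$opts" acl || echo "$mnt: missing acl"
                ;;
            iso9660)
                for need in ro nodev nosuid noauto; do
                    has_opt "$opts" "$need" || echo "$mnt: missing $need"
                done
                ;;
            usbfs)
                echo "$mnt: usbfs must not be mounted (disable usbfs)"
                ;;
        esac
    done
}

# fstab_ok FILE: exit status 0 only when check_fstab reports nothing
fstab_ok() {
    [ -z "$(check_fstab "$1")" ]
}

# Constructed sample with several deviations (NOT a real system's fstab).
write_weak_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# <device>     <mountpoint>    <type>   <options>         <dump> <pass>
/dev/sda1      /boot           ext3     acl,user_xattr    1 2
/dev/sda2      swap            swap     defaults          0 0
/dev/sda3      /               ext3     acl,user_xattr    1 1
/dev/sda5      /tmp            ext3     acl,nodev,nosuid  1 2
/dev/sda6      /var/log        ext3     defaults          1 2
/dev/cdrom     /media/cdrom    iso9660  ro,noauto,user    0 0
usbfs          /proc/bus/usb   usbfs    noauto            0 0
EOF
    echo "$f"
}

# The same constructed layout with the deviations corrected.
write_hardened_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/dev/sda1      /boot           ext3     acl,user_xattr           1 2
/dev/sda2      swap            swap     defaults                 0 0
/dev/sda3      /               ext3     acl,user_xattr           1 1
/dev/sda5      /tmp            ext3     acl,nodev,nosuid         1 2
/dev/sda6      /var/log        ext3     acl,user_xattr           1 2
/dev/cdrom     /media/cdrom    iso9660  ro,nodev,nosuid,noauto   0 0
EOF
    echo "$f"
}

# Run with HARDEN_DEMO=1 to print the findings for the weak sample.
if [ "${HARDEN_DEMO:-0}" = 1 ]; then
    check_fstab "$(write_weak_fstab)"
fi
```

Point check_fstab at /etc/fstab to audit a live system; the weak sample yields four findings (missing acl on /var/log, missing nodev and nosuid on the CD-ROM entry, and the usbfs mount).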
Secure Initial System Config (2)
• If not using NIS, remove NIS from the automount line in /etc/nsswitch.conf.
• It is a good idea to set up an NTP client to draw time from a reliable and accurate local time source.
• You can use the "ntpq -c peer" command to verify that time synchronization is working correctly.
Secure Initial System Config (3)
• Install the optional CC EAL 4+ Security Update:
rpm -Uvh /root/rpm/certification-sles-ibm-eal4*.noarch.rpm
• Please check the file /usr/share/doc/packages/certification-sles-ibm-eal4/README-eal4.txt from the certification-sles-ibm-eal4.rpm for the latest errata information.
Disable Services
• Disable the following services using the runlevel editor:
  – nfs
  – nfsboot
  – powersaved
  – ACPI modules
  – slpd
  – xdm (although it is not installed)
  – fbset
Disable Services (2)
• The system runlevel as specified in the 'initdefault' entry in /etc/inittab MUST BE '3'
• The following services are REQUIRED for runlevel 3: atd, audit, coldplug, cron, hwscan, network, random, syslog, rpmconfigcheck
• The following services are OPTIONAL for runlevel 3: hotplug, kbd, lpd, postfix, sshd, xinetd
  – Disable usbfs
Restricted Execution Environment
• Setup a chroot directory structure
• Enable chroot support for those services that can be chroot’d
• Some services can be installed into your chroot’d environment
Remove SUID/SGID
• Remove SUID / SGID root settings from binaries:
find / \( ! -fstype ext3 -prune -false \) -o \
    -type f \( -perm -4000 -o -perm -2000 \) \
    -exec chmod u-s,g-s {} \; -print
• Make sure that /etc/sysconfig/security has the following two variables set:
  – CHECK_PERMISSIONS=set
  – PERMISSION_SECURITY="eal4"
• Then run "chkstat -set /etc/permissions.eal4" to set the needed SUID and SGID bits.
Set User ID (SUID)
Only the following may have SUID bits set
• /bin/ping
• /bin/su
• /usr/bin/at
• /usr/bin/chage
• /usr/bin/chfn
• /usr/bin/chsh
• /usr/bin/crontab
• /usr/bin/gpasswd
• /usr/bin/lpq
• /usr/bin/lpr
• /usr/bin/lprm
• /usr/bin/lpstat
• /usr/bin/passwd
Set Group ID (SGID)
The SGID bit MUST NOT be used to give group 'root' privileges to any binary.
• /usr/sbin/postdrop - group "maildrop"
• /usr/sbin/postqueue - group "maildrop"
• /usr/sbin/utempter - group "tty"
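An added example, not part of the original slides: a shell audit that lists every SUID/SGID file below a directory tree and flags anything not on the "Set User ID (SUID)" and "Set Group ID (SGID)" lists above, including an allowed SGID binary that carries the wrong group. The directory tree it scans in the demonstration is constructed; the path and group names come from the slides.

```shell
#!/bin/sh
# Added example (not from the slides): report SUID/SGID files under ROOT that
# are not on the allowlist above. ROOT may be "/" for a live system or a
# constructed tree as built below. Nothing on the SGID list carries group
# "root", which is exactly what the SGID slide forbids.

SUID_ALLOWED='/bin/ping /bin/su /usr/bin/at /usr/bin/chage /usr/bin/chfn
/usr/bin/chsh /usr/bin/crontab /usr/bin/gpasswd /usr/bin/lpq /usr/bin/lpr
/usr/bin/lprm /usr/bin/lpstat /usr/bin/passwd'

# path:required-group pairs
SGID_ALLOWED='/usr/sbin/postdrop:maildrop /usr/sbin/postqueue:maildrop
/usr/sbin/utempter:tty'

in_list() {  # in_list ITEM "WORD WORD ..." -> 0 when ITEM is one of the words
    for x in $2; do
        [ "$x" = "$1" ] && return 0
    done
    return 1
}

sgid_group() {  # print the group an allowed SGID path must have; empty otherwise
    for e in $SGID_ALLOWED; do
        if [ "${e%%:*}" = "$1" ]; then
            echo "${e#*:}"
        fi
    done
    return 0
}

# audit_setid ROOT: one finding per line (paths shown relative to ROOT)
audit_setid() {
    root=${1%/}
    find "$root/" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while read -r path; do
        rel=${path#"$root"}
        line=$(ls -ld "$path")             # e.g. "-rwsr-xr-x 1 root root ..."
        grp=$(echo "$line" | awk '{ print $4 }')
        case "$line" in                    # 4th char: owner execute = setuid
            ???[sS]*)
                in_list "$rel" "$SUID_ALLOWED" || echo "SUID not allowed: $rel"
                ;;
        esac
        case "$line" in                    # 7th char: group execute = setgid
            ??????[sS]*)
                want=$(sgid_group "$rel")
                if [ -z "$want" ]; then
                    echo "SGID not allowed: $rel"
                elif [ "$grp" != "$want" ]; then
                    echo "SGID group mismatch: $rel has group $grp, want $want"
                fi
                ;;
        esac
    done
}

setid_ok() { [ -z "$(audit_setid "$1")" ]; }

# Constructed tree standing in for "/": su and passwd are allowed, the two
# "stray" files are not, and postdrop has the wrong group here (the group
# of whoever runs this, not maildrop).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/usr/bin" "$t/usr/sbin" "$t/tmp"
    for f in bin/su usr/bin/passwd usr/sbin/postdrop tmp/stray usr/bin/stray_sgid; do
        : > "$t/$f"
    done
    chmod 4750 "$t/bin/su"                 # mode required by the su slide
    chmod 4755 "$t/usr/bin/passwd"
    chmod 2755 "$t/usr/sbin/postdrop"      # allowed only with group maildrop
    chmod 4755 "$t/tmp/stray"
    chmod 2755 "$t/usr/bin/stray_sgid"
    echo "$t"
}

# Run with HARDEN_DEMO=1 to print the findings for the constructed tree.
if [ "${HARDEN_DEMO:-0}" = 1 ]; then
    audit_setid "$(make_sample_tree)"
fi
```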
Disable root Login Over Network
• Login from the network with user ID 0 ('root') MUST NOT be permitted.
• Administrators MUST use an ordinary user ID to log in, and then use the /bin/su - command to switch identities.
• The restriction on direct root logins is enforced through two separate mechanisms:
• For network logins using ssh, the PermitRootLogin no entry in /etc/ssh/sshd_config MUST be set.
• Logins through /bin/login use the pam_securetty.so PAM module in the /etc/pam.d/login file, which verifies that the terminal character device used is listed in the file /etc/securetty.
Reminder Alias for su
• It is RECOMMENDED that you remind administrators of this by adding the following alias to the bash configuration file /etc/bash.bashrc.local; it disables the pathless 'su' command:
alias su="echo \"Always use '/bin/su -' (see Configuration Guide)\""
• This alias can be disabled for the root user in /root/.bashrc:
unalias su
Update permissions for su
• The 'su' binary MUST be restricted to members of the 'trusted' group. This will be enforced both with PAM configuration (configured later) and the binary's permissions:
  – chgrp trusted /bin/su
  – chmod 4750 /bin/su
• You MUST have at least one user account other than ’root’ configured to be a member of the ’trusted’ group, otherwise system administration will ONLY be possible from the system console.
Setting up ssh
• SSH protocol version 1 MUST be disabled.
• The ssh client MUST NOT be set up SUID root.
• The SSH server MUST be configured to reject attempts to log in as root.
• The permitted authentication mechanisms are per-user (nonempty) passwords and per-user RSA/DSA public key authentication. All other authentication methods MUST be disabled.
• The setting PAMAuthenticationViaKbdInt MUST be disabled, since this would otherwise circumvent the disabled root logins over the network.
/etc/ssh/sshd_config
# Cryptographic settings. Disallow obsolete insecure protocol version 1, and hardcode a strong cipher.
Protocol 2
Ciphers aes256-cbc
# Configure password-based login. This MUST use the PAM library
# exclusively, and turn off the builtin password authentication code.
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
# No other authentication methods allowed
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PubkeyAuthentication yes
RSAAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
# Other settings, MAY change "X11Forwarding" to "yes"
X11Forwarding no
Subsystem sftp /usr/lib/ssh/sftp-server
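An added example, not part of the original slides or of the SLES configuration guide: a shell checker that reads an sshd_config file and reports every keyword from the two ssh slides above that is missing or set to something other than the required value. The sample configurations it writes are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): verify an sshd_config against the
# required settings above. Like sshd itself, the checker treats the FIRST
# occurrence of a keyword as the effective value, so a hardened line appended
# below a permissive one does not count. Sample configs are constructed.

# sshd_get FILE KEYWORD: print the effective value (lowercased), or nothing
sshd_get() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/ { next }                     # comments, blanks
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Required keyword/value pairs from the sshd_config slide, plus the
# PAMAuthenticationViaKbdInt rule from the "Setting up ssh" slide. The slide
# sets every keyword explicitly, so an unset keyword is reported as well:
# sshd would otherwise fall back to its compiled-in default.
SSHD_REQUIRED='Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
RSAAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
KerberosAuthentication no
GSSAPIAuthentication no
PAMAuthenticationViaKbdInt no'

# check_sshd_config FILE: one finding per line; silent when compliant
check_sshd_config() {
    printf '%s\n' "$SSHD_REQUIRED" |
    while read -r key want; do
        got=$(sshd_get "$1" "$key")
        if [ -z "$got" ]; then
            echo "$key: not set (want $want)"
        elif [ "$got" != "$want" ]; then
            echo "$key: is $got (want $want)"
        fi
    done
}

sshd_ok() { [ -z "$(check_sshd_config "$1")" ]; }

# Constructed stock-style config. Note the second PermitRootLogin line,
# which sshd ignores because the first one wins.
write_weak_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Protocol 2,1
PermitRootLogin yes
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
#PubkeyAuthentication yes
X11Forwarding no
PermitRootLogin no
EOF
    echo "$f"
}

# The slide's configuration plus the keyboard-interactive setting.
write_hardened_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Protocol 2
Ciphers aes256-cbc
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PubkeyAuthentication yes
RSAAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
PAMAuthenticationViaKbdInt no
X11Forwarding no
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
    echo "$f"
}

# Run with HARDEN_DEMO=1 to print the findings for the weak sample.
if [ "${HARDEN_DEMO:-0}" = 1 ]; then
    check_sshd_config "$(write_weak_sshd_config)"
fi
```

Point check_sshd_config at /etc/ssh/sshd_config to audit a live host; the weak sample produces twelve findings and the hardened one none.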
Setting up the Audit Subsystem
• Setting up the audit configuration files
• For all platforms, it is RECOMMENDED to use the following settings in the /etc/sysconfig/audit file:
AUDIT_ALLOW_SUSPEND=1
AUDIT_ATTACH_ALL=0
AUDIT_MAX_MESSAGES=1024
AUDIT_PARANOIA=0
• The laus package by default installs these files with the RECOMMENDED contents:
/etc/audit/audit.conf
/etc/audit/filter.conf
/etc/audit/filesets.conf
• Make auditd start at boot: insserv audit
Ensure PAM is Audit Enabled
grep laus_open `ldd /bin/login | awk '/libpam.so/ { print $3 }'`
• Expected output: Binary file /lib/libpam.so.0 matches
• If the grep command produces no output, you MUST reinstall the pam-laus package from CD #2
• # 'cd' to the directory containing the RPM file,
• # then reinstall the package:
rpm --oldpackage --force --nodeps -Uhv pam-laus-0.77-4.3.i586.rpm
Configure PAM
• The 'other' fallback MUST be disabled by specifying the pam_deny.so module for each module-type in the 'other' configuration.
• Add the pam_wheel.so module to the 'auth' configuration for the 'su' service.
• You MUST add the pam_tally.so module to the auth and account module-type configurations of login, sshd, and vsftpd (not good for remotely managed machines).
• You MUST use the pam_passwdqc.so password quality checking module with the 'md5' and 'use_cracklib' options.
Configuring PAM (2)
• The 'remember=XX' option must be added to the /etc/security/pam_pwcheck.conf file to force users to create new passwords and not re-use old ones.
• In general, you MAY add PAM modules that add additional restrictions. You MUST NOT weaken the restrictions.
Setup Login Controls
• Disable login if we can't cd to the home directory
• Set a 3 second delay before being allowed another attempt after a login failure
• Disable logging and display of /var/log/faillog login failure info.
• Enable logging and display of /var/log/lastlog login time info.
• Disable display of unknown usernames when login failures are recorded.
Setup Login Controls (2)
• Set max number of login retries to <= 3 if password is bad
• Set max time to <= 60 seconds for login
• Require password before chfn/chsh can make any changes.
• Restrict fields to “rwh” that may be changed by regular users using chfn
Setup Login Controls (3)
• The default umask for logged-in users is set in the /etc/profile file, not here.
• Set UMASK to 077; this value is used by useradd and newusers when creating new home directories.
• Password aging controls (used by useradd):
  – PASS_MAX_DAYS 60
  – PASS_MIN_DAYS 1
  – PASS_WARN_AGE 7
  – PASS_MIN_LEN 8
Configure the Boot Loader
• Ensure the system boots exclusively from the disk partition containing Linux
• Make sure you use a BIOS password to protect access to this configuration.
• Use the password command in /boot/grub/menu.lst to prevent unauthorized use of the boot loader interface.
• Use md5 encoded passwords; run the command grub-md5-crypt to generate the encoded version of a password.
Configure the Boot Loader (2)
• Protect all menu entries other than the default SLES boot with the lock option
• Add a line containing just the keyword lock after the title entry in the /boot/grub/menu.lst file
• Remove group and world read permissions from the grub configuration file if it contains a password: chmod 600 /boot/grub/menu.lst
• All changes to the configuration take effect automatically on the next boot
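An added example, not from the original slides: a shell checker for the menu.lst rules on the two boot loader slides above (an md5-encoded password line, lock on every entry other than the default, and mode 600 once the file holds a password). The sample menu.lst it writes is constructed and its password hash is an obvious placeholder.

```shell
#!/bin/sh
# Added example (not from the slides): check a GRUB menu.lst for the rules
# above. Findings go to stdout, one per line; nothing is printed when the
# file complies. The sample file below is constructed.

# check_menu_lst FILE
check_menu_lst() {
    mode=$(ls -ld "$1" | cut -c1-10)      # e.g. "-rw-------"
    awk -v mode="$mode" '
        BEGIN { def = 0; n = 0; haspw = 0 }
        NF == 0 || $1 ~ /^#/ { next }
        $1 == "default"  { def = $2 + 0 }          # index of the default entry
        $1 == "password" {
            haspw = 1
            if ($2 != "--md5") print "password line is not --md5 encoded"
        }
        $1 == "title"    { n++; title[n-1] = $0 }  # entries are numbered from 0
        $1 == "lock" && n > 0 { locked[n-1] = 1 }  # lock belongs to the current title
        END {
            if (!haspw) print "no password line in menu.lst"
            else if (mode != "-rw-------")
                print "file mode is " mode ", want -rw------- (600)"
            for (i = 0; i < n; i++)
                if (i != def && !locked[i]) print "entry " i " not locked: " title[i]
        }
    ' "$1"
}

menu_lst_ok() { [ -z "$(check_menu_lst "$1")" ]; }

# write_sample_menu_lst weak|hardened: constructed two-entry menu.lst.
# The weak variant leaves the Failsafe entry unlocked and the file world-readable.
write_sample_menu_lst() {
    f=$(mktemp)
    {
        echo 'default 0'
        echo 'timeout 8'
        echo 'password --md5 $1$PLACEHOLDER$notarealhashxxxxxxxxxx'
        echo ''
        echo 'title Linux'
        echo '    kernel (hd0,0)/vmlinuz root=/dev/sda3'
        echo '    initrd (hd0,0)/initrd'
        echo ''
        echo 'title Failsafe'
        [ "$1" = hardened ] && echo '    lock'
        echo '    kernel (hd0,0)/vmlinuz root=/dev/sda3 ide=nodma apm=off'
        echo '    initrd (hd0,0)/initrd'
    } > "$f"
    if [ "$1" = hardened ]; then chmod 600 "$f"; else chmod 644 "$f"; fi
    echo "$f"
}

# Run with HARDEN_DEMO=1 to print the findings for the weak sample.
if [ "${HARDEN_DEMO:-0}" = 1 ]; then
    check_menu_lst "$(write_sample_menu_lst weak)"
fi
```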
Adding Additional Software
• Kernel modules other than those provided as part of the evaluated configuration MUST NOT be installed or loaded.
• You MUST NOT load the tux kernel module (the in-kernel web server is not supported).
• You MUST NOT add support for non-ELF binary formats or foreign binary format emulation that circumvents system call auditing.
• You MUST NOT activate knfsd or export NFS file systems.
Adding Additional Software (2)
• Device special nodes MUST NOT be added to the system.
• SUID root or SGID root programs MUST NOT be added to the system.
• Programs which use the SUID or SGID bits to run with identities other than 'root' MAY be added.
• The content, permissions, and ownership of all existing file-system objects (including directories and device-nodes) that are part of the evaluated configuration MUST NOT be modified.
Adding Additional Software (3)
• Programs automatically launched with 'root' privileges MUST NOT be added to the system.
• Processes that immediately and permanently switch to a non-privileged identity on launch are permitted.
• Automatic launch mechanisms are:
  – Entries in /etc/inittab
  – Executable files or links in /etc/init.d/ and its subdirectories
Document your system
• Rebooted server to implement new SMP kernel.
# uname -a
Linux avflyer-asp 2.6.5-7.201-smp #1 SMP Thu Aug 25 06:20:45 UTC 2005 i686 i686 i386 GNU/Linux
• List services now running on the system.
# chkconfig | grep -v "off" | more
• List directories with the sticky bit set.
# find / -type d -perm -1000 -ls
Document Your System (2)
• List files with the Set User ID (SUID) bit set.
find / -type f -perm -4000 -ls
• List files with the Set Group ID (SGID) bit set.
find / -type f -perm -2000 -ls
• List files that are world writeable.
find / -type f -perm -0002 -ls
• List all installed packages.
rpm -qa --qf '%-25{NAME}\t%-20{VERSION}\t%-8{RELEASE}\t%{Summary}\n' | sort > /root/rpmpackagelist
Security monitoring & management
• Set up tripwire to monitor system file integrity and to audit changes.
• Set up and implement log file rotation policies.
• Set up a central syslog server (syslog-ng).
• Use a log analyzer, such as logcheck.
• Set up a monitoring system like Nagios or Argus on your network.
Sec Monitoring & Management (2)
• Create /var/log/btmp to log bad login attempts.
# touch /var/log/btmp
# lastb
btmp begins Sun Sep 11 13:58:05 2005
Log and Status Files
• In addition to the syslog messages, various other log files and status files are generated in /var/log by other programs:
• File - Source
• YaST2 - Directory for YaST2 log files
• audit.d - Directory for LAuS logs
• boot.msg - Messages from system startup
• lastlog - Last successful log in (see lastlog(8))
• vsftpd.log - Transaction log of the VSFTP daemon
Log and Status Files (2)
• localmessages - Written by syslog.
• mail - Written by syslog, contains messages from the MTA (postfix).
• messages - Written by syslog, contains messages from su and ssh.
• news - syslog news entries.
• warn - Written by syslog.
• wtmp - Written by the PAM subsystem.
• btmp - Written by the PAM subsystem.
• xinetd.log - Written by xinetd, logging all connections.
Auditing Your System
• It is RECOMMENDED that you review the system's configuration at regular intervals to verify that it still agrees with the evaluated configuration.
• This primarily concerns those processes that may run with 'root' privileges.
• The permissions of the device files /dev/* MUST NOT be modified.
• In particular, review settings in the following files and directories to ensure that the contents and permissions have not been modified:
System Files to Review
• /etc/at.allow
• /etc/at.deny
• /etc/audit/*
• /etc/cron.d/*
• /etc/cron.daily/*
• /etc/cron.hourly/*
• /etc/cron.monthly/*
• /etc/cron.weekly/*
• /etc/crontab
• /etc/ftpusers
• /etc/group
• /etc/gshadow
• /etc/hosts
• /etc/init.d/*
• /etc/inittab
• /etc/ld.so.conf
• /etc/login.defs
• /etc/modules.conf
• /etc/pam.d/*
• /etc/passwd
• /etc/securetty
• /etc/security/opasswd
System Files to Review (2)
• /etc/security/pam_pwcheck.conf
• /etc/security/pam_unix2.conf
• /etc/shadow
• /etc/ssh/ssh_config
• /etc/ssh/sshd_config
• /etc/stunnel/*
• /etc/sysconfig/*
• /etc/vsftpd.conf
• /etc/xinetd.conf
• /usr/lib/cracklib_dict.*
• /var/log/audit.d/*
• /var/log/faillog
• /var/log/lastlog
• /var/spool/atjobs/*
• /var/spool/cron/*
• /var/spool/cron/allow
• /var/spool/cron/deny
Auditing Your System (2)
• Use the commands lastlog and lastb to detect unusual patterns of logins.
• Also verify the output of the following commands (run as 'root'):
# atq
# crontab -l
# find / \( -perm -4000 -o -perm -2000 \) -ls
# find / \( -type f -o -type d -o -type b \) -perm -0002 -ls
# find /bin /boot /etc /lib /sbin /usr \
    ! -type l \( ! -uid 0 -o -perm +022 \)
Auditing Your System (3)
• Use the aucat(8) and augrep(8) tools to retrieve information from the audit logs. The information available for retrieval depends on the active filter configuration.
# view the last 100 audit records
aucat | tail -100
# view all successful PAM authentications
augrep -e TEXT -U AUTH_success
# all actions recorded for a specified login UID (this includes
# actions done by this user with a different effective UID,
# for example, via SUID programs or as part of a "su" session)
augrep -l kw
# file removals
augrep -e SYSCALL -S unlink
Secure Communication
• SSH V2
• Stunnel with OpenSSL
• X11 Forwarding through an SSH tunnel
• Secure FTP
• Externally signed SSL certificate
System maintenance
• Download, verify, and carefully review each patch before you install it.
• If possible test patches in a non-production environment.
• Keep a manual logbook, as well as a README file in the /root home directory with any updates or changes you make to the system.
Considerations for Servers
• Customize firewall (iptables)
• Port restrictions
• Ensure the current directory is not in anyone's (root or a regular user) path
• Configure standard system cron jobs, like deletion of old files in /tmp or update of the man databases. The settings are read by the shell scripts /etc/cron.daily/*.
• Configure some system variables for the boot process:
IP_DYNIP=no            # The system only has a static address
IP_TCP_SYNCOOKIES=yes  # SYN flood protection
IP_FORWARD=no          # Set to yes if the system acts as a router.
ENABLE_SYSRQ=no        # System request key MUST be disabled.
Considerations for DNS Servers
• Enable bind chroot support.
• Apply port restrictions in the firewall.
• Customize logging as desired.
• Authoritative DNS servers should not be used as resolving or caching DNS servers.
• Disable recursive queries on authoritative servers.
• Enable numerous security settings in /etc/named.conf to suit your environment.
Considerations for Email Servers
• Chroot postfix (manual process)
• Ensure unauthorized parties can’t relay
• Establish port restrictions and access control with iptables.
• Configure smtp restrictions in postfix.
• Use ldap or access file to restrict inbound mail to valid users
• Anti-virus / Anti-Spam
Useful Resources
• Practical Unix & Internet Security, 3rd Edition, by Simson Garfinkel, Gene Spafford, Alan Schwartz. Publisher: O'Reilly; 3rd edition (February 21, 2003). ISBN: 0596003234
• Hardening Linux, by John H. Terpstra, Paul Love, Ronald P. Reck. Publisher: McGraw-Hill Osborne. ISBN: 0-07-225497-1
• There are way too many books to list even a fraction of the good ones I keep handy on my shelf here.
Useful Resources (2)
• If there are conflicting recommendations in this guide and in one of the sources listed here, the Configuration Guide has precedence concerning the evaluated configuration.
• SuSE Linux Enterprise Server Installation Guide:
  – /usr/share/doc/packages/sles-inst-x86+x86-64_en/
  – /usr/share/doc/packages/sles-inst-ipseries_en/
  – /usr/share/doc/packages/sles-inst-zseries_en/
• SuSE Linux Enterprise Server Administrator Guide:
  – /usr/share/doc/packages/sles-admin-x86+x86-64_en/
  – /usr/share/doc/packages/sles-admin-ipseries_en/
  – /usr/share/doc/packages/sles-admin-zseries_en/
Questions