Linux Security Baseline Implementation Efforts at the INL
Jason Miller
NLIT 2009
Linux Minimum Security Configurations
• Informational
  – Some Numbers
  – Project Specific Stuff
  – General Information
• Technical
  – In-depth how it works
  – Some Gotchas
  – If I could do it over…
INL’s IT By The Numbers
• 12,000 IT Devices owned by INL
• 9,000 Devices on the Network
• 5,500 Desktop & Laptop Computers
• Windows Shop (85% Windows, 9% Macs, 6% Linux)
Linux Install Base
SuSE 80%
Ubuntu 12%
RHE 7%
Gentoo 1%
• 45% of all internet servers POSIX based – www.netcraft.com
• Hard drive Storage Capacities
Information Security Is Paramount
Why Do We Have Linux Users?
• High Performance Computing
• GPL/GNU Available software (Open Source)
• More Control of their own PCs
• Want to be cool!
Who’s Responsible For What?
• Managed Devices
  – Patches, Vulnerability Scans, Upgrades…
• Self-Managed Devices
  – Require more in-depth support
  – Might be Rev-locked
• Collaboration… a little of both
  – Linux users that have no time to manage their PCs
Linux Minimum Security Configuration Project Goals
• Primary Goals
  – Verify Compliance level
  – Apply necessary changes
  – Report to some kind of database
• While keeping in mind:
  – Modular (upgradable, easily expandable)
  – Platform Diversity
  – User Friendly
End User Responses
• As we expected they were wary…
  – Will I lose root privileges?
  – Will this slow my PC down?
  – If I do this, will you people promise to leave me alone forever…
• MSCs were demonstrated and our users responded
  – Provided multiple implementation suggestions
  – Received Kudos
Linux Minimum Security Configuration Project Build Time
• MSC Installer & Individual MSC scripts
  – 360 Hours, One individual
• Reporting Database
  – 15 Hours, One individual
• Additional hours:
  – MSC Installer add-ons to suit our customer’s needs
  – Chronological adjustments (crontab)
  – Diverse Platforms require modifications to code
Linux Minimum Security Configuration Installer
• Simple BASH scripting
• Easy to understand
• User can opt-out
Linux Minimum Security Configuration Installer – For the Technicians
• Quick Installer
• Allows for on the fly modifications
Reporting
• An IT perspective
  – PCs report daily
  – Compliance history
User Friendly
• It’s more than just a benchmark
  – Keeps the PC compliant
  – Several runtime methods to choose from
  – Non-intrusive, helpful information pop-ups
Enforce Mode / Verify Mode
• Installer invokes individual MSC script
• MSC scripts apply/verify settings
• Installer invokes next individual MSC script
• When all MSC scripts are complete, the installer sends off the report
Modular Code
Individual MSC scripts in-depth
• There are two types of MSC scripts
  – Configure Services
    • chkconfig
    • sysvconfig, runlevel, /etc/rc2.d… (Ubuntu)
  – Modify Configuration files
    • awk, sed, grep…
Gotchas!
• Platform differences
• Third party application dependencies
• Delivery methods had to meet MSC compliance
• Exceptions to the CIS benchmarks
  – esound
  – cups
  – …
Spin-Off Projects
– Let’s use LANDesk!
– We’re already using LANDesk for 85% of our install base
– Perform extremely detailed queries
Spin-off Projects
– Quest Authentication Services (aka Vintela or VAS)
– Brings Linux into Active Directory
– Centralized management tool
– Another way to distribute MSC scripts
If I Could Do It Over Again
• ‘Configuration file code’ could be more modular
  – What configuration file do you have in mind? – sshd.conf
  – What do you want me to find? – Protocol 1
  – OK, what do I change it to? – Protocol 2 (all as variables)
• Include a definitions file for all text based responses
  – A centralized file for all grammar used in the scripts
• Better package management… somehow
  – Negate the need for a user to satisfy dependencies
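As an added example (not code from the slides or from INL’s installer), here is the two-mode installer flow from the Enforce Mode / Verify Mode slide combined with the “configuration file code as variables” idea from this slide, in plain /bin/sh: each configuration-file MSC is reduced to a (file, key, wanted value) triple, the installer runs the list in verify or enforce mode, and one report line is written per item. The sshd_config content, the MSC list, the function names and the report format are all constructed for the example; the service-type MSCs (chkconfig, sysvconfig) are not covered.

```shell
#!/bin/sh
# Added example, not code from the NLIT 2009 slides or from INL: a small
# modular MSC installer in plain /bin/sh. Each "configuration file" MSC is
# reduced to three variables (file, key, wanted value); the installer runs
# the list in verify or enforce mode and writes one report line per item.
# The sample sshd_config content and the report format are constructed.

# msc_config_setting FILE KEY WANTED MODE
#   Looks for a line in FILE whose first word is KEY (comments are ignored,
#   so a commented-out "#Protocol 2" is not an active setting) and compares
#   its value with WANTED. In verify mode it only reports; in enforce mode
#   it rewrites the line with sed (or appends it when absent).
#   Prints one report line; returns 0 when compliant, 1 otherwise.
msc_config_setting() {
    file="$1"; key="$2"; wanted="$3"; mode="$4"
    if [ ! -f "$file" ]; then
        echo "MISSING $file"
        return 1
    fi
    current=$(awk -v k="$key" '$1 == k { print $2; exit }' "$file")
    if [ "$current" = "$wanted" ]; then
        echo "COMPLIANT $file $key=$wanted"
        return 0
    fi
    if [ "$mode" != "enforce" ]; then
        echo "NONCOMPLIANT $file $key='${current:-<unset>}' want $wanted"
        return 1
    fi
    if [ -n "$current" ]; then
        # Keep a .bak copy so the technician can roll the change back.
        sed -i.bak "s/^$key[[:space:]].*/$key $wanted/" "$file"
    else
        printf '%s %s\n' "$key" "$wanted" >> "$file"
    fi
    echo "FIXED $file $key: '${current:-<unset>}' -> $wanted"
    return 0
}

# run_msc_installer MODE REPORT
#   Drives every entry of $MSC_LIST ("FILE KEY WANTED", one per line)
#   through msc_config_setting, appends the results to REPORT, and returns
#   the number of items still non-compliant (0 means fully compliant).
run_msc_installer() {
    mode="$1"; report="$2"; failures=0
    printf '# host=%s mode=%s\n' "$(uname -n)" "$mode" >> "$report"
    while read -r file key wanted; do
        [ -n "$file" ] || continue
        if line=$(msc_config_setting "$file" "$key" "$wanted" "$mode"); then
            :
        else
            failures=$((failures + 1))
        fi
        echo "$line" >> "$report"
    done <<EOF
$MSC_LIST
EOF
    return "$failures"
}

# Stand-alone demo on a constructed sshd_config in a scratch directory:
# verify (two items fail), enforce (fix them), verify again (all pass).
DEMO_DIR=$(mktemp -d)
printf '#Protocol 2\nProtocol 1\nPermitRootLogin yes\n' > "$DEMO_DIR/sshd_config"
MSC_LIST="$DEMO_DIR/sshd_config Protocol 2
$DEMO_DIR/sshd_config PermitRootLogin no
$DEMO_DIR/sshd_config X11Forwarding no"
run_msc_installer verify "$DEMO_DIR/report.txt" || echo "verify: $? item(s) non-compliant"
run_msc_installer enforce "$DEMO_DIR/report.txt" || echo "enforce: $? item(s) could not be fixed"
run_msc_installer verify "$DEMO_DIR/report.txt" || echo "still non-compliant after enforce"
cat "$DEMO_DIR/report.txt"
rm -rf "$DEMO_DIR"
```

Run as-is to see the three passes (verify, enforce, verify) and the accumulated report. The awk lookup only matches an active `Key value` line, so a commented-out `#Protocol 2` never counts as compliant, and an unset key is appended rather than silently passed. The whitespace-separated MSC list is the simplest form of the "all as variables" idea; file paths containing spaces would need a different list format, and keys containing sed metacharacters would need escaping before being used in the substitution.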
Questions
Jason Miller
Desktop Management
Idaho National Laboratory
Email: [email protected]