Hardening Linux - UniForum Chicago
Download
Report
Transcript Hardening Linux - UniForum Chicago
Hardening Linux
By Gregg Rosenberg
and Lee Leahu
7/17/2015
Slide # 1
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Contact Information
RICIS, Inc.
8018 Mallow Drive
Tinley Park IL 60477-2697
866-742-4777 Voice
708-444-2690 Voice
866-997-4247 Fax
708-444-2697 Fax
7/17/2015
Slide # 2
Gregory D. Rosenberg
[email protected]
Lee Leahu
[email protected]
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
What You Will Learn
• A review of basic security principals
• An overview of Common Criteria security
certifications
• An introduction to hardening servers
reasonably close to the CC EAL 4+
security assurance level.
7/17/2015
Slide # 3
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Achieving a State of Security
•
•
•
•
•
•
•
•
Identify the assets you want to protect
Identify the risks to those assets
Identify who & how assets are accessed
Establish checks and balances
Develop an enforceable security policies
Use a layered approach
Plan for disasters
Get managements sign-off
7/17/2015
Slide # 4
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Why Security Policies Fail
•
•
•
•
•
•
•
They impair user productivity
No or Insufficient user education
No policies for handling the unexpected
No support from management
Security policies are not enforced
Laxed monitoring & auditing practices
Users having too many privileges
7/17/2015
Slide # 5
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
The Real Threat
• Non malicious damage resulting from:
– Human error
– Denial of service
– Inappropriate disclosure
• Policy Breakdown
– Key under the doormat
– Checks and balances bypassed
– Rogues on your network
7/17/2015
Slide # 6
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
The Basic Security Tenet
Deny all
except that which is
specifically permitted
7/17/2015
Slide # 7
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Security Policy Lifecycle
1.
2.
3.
4.
5.
6.
7.
Identify the assets you are protecting
Assess risk to those assets
Develop security policy
Implement and test the security policy
Educate your user population
Monitor and enforce security policy
Audit security policy, go back to step 1
7/17/2015
Slide # 8
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Evaluation Criteria
•
•
•
•
TCSEC (aka Orange Book)
FIPS 140
Common Criteria
SSE-CMM
7/17/2015
Slide # 9
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
CC Evaluation Assurance Levels
•
•
•
•
•
•
•
EAL 1: Functionally tested
EAL 2: Structurally tested
EAL 3: Methodically tested and checked
EAL 4: Methodically designed, tested, reviewed
EAL 5: Semi-formally designed and tested
EAL 6: Semi-formally verified design and tested
EAL 7: Formally verified design and tested
7/17/2015
Slide # 10
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Planning for Disasters
•
•
•
•
•
•
•
•
•
Securely install your operating system
Accurate time source
Know every file on your system
Validate system integrity
Centralize logging
Monitor and audit your system regularly
Documentation and procedures
Emergency response team
Backup, backup, backup (Make sure you test
your restore procedures periodically)
7/17/2015
Slide # 11
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Linux Security Certifications
•
SUSE Linux Enterprise Server archieves
–
–
–
–
•
•
CC EAL 2 in August 2003 (SLES8)
CC EAL 3+ in December 2003 (SLES8)
CC EAL 4+ in December 2004 (SLES9)
CC EAL 5 in March 2005 (SLES9)
Red Hat Linux is nearly a year behind
SUSE LINUX, but catching up fast
IBM, HP, and others are helping both
7/17/2015
Slide # 12
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Overview of Security Functions
•
•
•
•
•
Identification and authentication
Audit
Object reuse
Discretionary Access Control
Security management and system
protection
• Secure communication
7/17/2015
Slide # 13
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Identification and Authentication
•
•
•
•
•
Pluggable Authentication Module (PAM)
OpenSSH
vsftpd
su
sudo
7/17/2015
Slide # 14
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Linux Auditing Subsystem (LAUS)
• The audit subsystem was implemented by
the SUSE Security Team members Olaf Kirch
and Thomas Biege
• The audit subsystem is intended to be the
central interface for collecting and viewing the
record of security relevant events
• All authentication done through the PAM
library, including the identity and location of the
user and the success or failure result.
7/17/2015
Slide # 15
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Linux Auditing Subsystem (2)
• Use of su to change identity. All actions done as
part of a su session are marked in the audit
record with the original user’s login user ID.
• Adding, changing, or deleting users or
groups
• Changes and change attempts to the
contents of security critical files
• Changes to the access permissions or
ownership of any files or IPC objects
• Binding network ports and accepting
connections
7/17/2015
Slide # 16
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Discretionary Access Control
• Linux is a multi-user operating system. You can
control which other users will be able to read or
modify your files by setting the Unix permission
bits and user/group IDs
• You can achieve more precise control using
POSIX-style access control lists (ACLs).
• The administrators (’root’) are able to override
these permissions and access all files on the
system.
• Use of encryption is RECOMMENDED for
additional protection of sensitive data.
7/17/2015
Slide # 17
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Objects Reuse
• the kernel automatically ensures that new
objects (disk files, memory, IPC) do not
contain any traces of previous contents
7/17/2015
Slide # 18
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Installation Considerations
• Ensure the hardware clock is accurately set to
the current date, time, and time zone.
• Install the latest system BIOS and firmware
• Ensure that all hardware interfaces or devices
that are not required are disabled in BIOS
• Password protect BIOS and boot menus
• Consider using a remote management solution
and losing the keyboard, and mouse
• Carefully consider disk controllers / spindles
7/17/2015
Slide # 19
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Installation Considerations (2)
• Carefully plan your partition layout before
beginning your base operating system
installation
• Verify your installation source is authentic
• Build and harden the system before plugging it
into your network
• You can also build from a package distribution
server if you and it are on a trusted internal
network
• Do a less than minimum installation
• Do not install a GUI
7/17/2015
Slide # 20
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Example MD5 Checksums
• SLES-9-i386-RC5-CD1.iso
cc419d86f3f5ff99395ca4de9d967600
• SLES-9-i386-RC5-CD2.iso
86e97184aae42ba6013ea7460372ffe5
• SLES-9-i386-RC5-CD3.iso
f880b3ba92fc43add18259c9437f648d
• SLES-9-i386-RC5-CD4.iso
bc7b88f34a8142bacbdd4d1fddd3fc50
• SLES-9-i386-RC5-CD5.iso
7844c76fc9f39a2af9ef6751ec18af60
• SLES-9-i386-RC5-CD6.iso
9e0fdd835e52f53906dff110515eb002
7/17/2015
Slide # 21
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Partition Layout
• /boot 128MBs
• SWAP 1GBs => 1 to 1.5 times the
amount of physical memory or more
• /
Size as required (i.e. 12GBs)
• /tmp
512MBs, size as required
• /home 512MBs, size as required
• /var
Size as required (i.e. 4GBs)
• /var/log Size as required (i.e. 20GBs)
7/17/2015
Slide # 22
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Partition Layout (2)
•
•
•
•
Although it violates the rules
/usr
Size as required (i.e. 4GBs)
/opt
Size as required (i.e. 2GBs)
Set file system type to ext3, although xfs is
considered more secure by many.
• In Fstab options enable Access Control
Lists, Optionally enable “No access
times”, “Mount read-only”, and
“Extended User Attributes” as required.
7/17/2015
Slide # 23
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Trusted, Tolerated, and Unknown
Software
• Trusted software has been evaluated and
can be well trusted.
• Tolerated software has been evaluated,
but should be carefully considered before
use.
• Unknown software is any other software
you intend to install on the system that has
not been formally evaluated
7/17/2015
Slide # 24
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Additional Required Packages
• laus - The Linux Audit System
• laus-64bit - ONLY for ppc64 (pSeries,
iSeries) systems
• pam-laus - Audit-enabled version of the
PAM libraries
• The above packages should be installed
after you finish the base minimum install.
• Star - Data archival tool with ACL support
7/17/2015
Slide # 25
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Recommended Packages
• texinfo - Info documentation viewer
• man-pages - Manual pages
• howtoenh - how-to documentation (HTML
format)
• sles-admin_en - Administrator Manual
7/17/2015
Slide # 26
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Optional Packages
• lprng - Print spooler
• cups – May be a better choice, but it is not on
the trusted or tollerated list.
• xinetd - XInetd (only used for vsftpd)
• vsftpd - FTP daemon (needs xinetd)
• stunnel - set up encrypted SSL tunnels
There are additional packages on the trusted or
tolerated list that can be installed
7/17/2015
Slide # 27
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Hardware
• Any storage devices and backup devices supported
by the operating system, but not USB storage devices
• All Ethernet and Token Ring network adapters
supported by the operating system
• You can use a USB keyboard and mouse, as
long as they installed before booting the system.
• Any printers supported by the operating system
• Operator console consisting of a keyboard, video
monitor, and optionally mouse, as well as a serially
attached terminal
• but not modems, ISDN cards, or other remote access
terminals
7/17/2015
Slide # 28
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Installation
•
•
•
•
•
•
•
Disconnect network cables
Verify authenticity of installation source
Boot from Service Pack 2 CD # 1
Launch installer
You may use text mode or a serial console
Accept EULA
Select English language
7/17/2015
Slide # 29
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Installation (2)
•
•
•
•
•
On the “Installation Settings” screen:
Select “New Installation” for mode
Select appropriate keyboard
Customize partitioning
Select minimum software installation and add /
remove additional packages discussed in the
prior slides
• Keep default boot options (no other OS allowed)
7/17/2015
Slide # 30
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Installation (3)
• Keep hardware clock on UTC and select
your local time zone
• Choose “Accept” to start installation
• The installer will reboot
• Secure boot settings in BIOS to HDD only
• Configure network interface with static IP,
host name, default gateway, no DHCP
• Do not enable LDAP, use local only
7/17/2015
Slide # 31
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Secure Initial System Config
• Enable the SUSE Firewall 2 and only permit
ssh. Later you can open other ports that are
required.
• Setup /etc/hosts.allow to restrict access further.
• Lockdown removable media (CD/DVD) devices,
-t ISO9660 -o ro,nodev,nosuid,noauto
• Disable usbfs
• Disable all unneeded services
• Remove or rename links to their startup and
shutdown scripts in /etc/init.d
7/17/2015
Slide # 32
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Secure Initial System Config (2)
• If not using NIS, removed NIS on the
automount line in /etc/nsswitch.conf.
• It is a good idea to setup an ntp client to
draw time from a reliable and accurate
local time source.
• You can use the “ntpq –c peer” command
to verify that time synchronization is
working correctly.
7/17/2015
Slide # 33
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Secure Initial System Config (3)
• Install the optional CC EAL 4+ Security
Update.
rpm -Uvh /root/rpm/certification-slesibm-eal4*.noarch.rpm
• Please check the file
/usr/share/doc/packages/certificationsles-ibm-eal4/README-eal4.txt from
the certification-sles-ibm-eal4.rpm
for the latest errata information.
7/17/2015
Slide # 34
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Disable Services
• Disable the following services using the
run level editor:
– Nfs
– Nfsboot
– Powersaved
– ACPI modules
– Slpd
– xdm - although it is not installed
– fbset
7/17/2015
Slide # 35
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Disable Services (2)
• The system runlevel as
specified in the
’initdefault’ entry in
/etc/inittab MUST BE ’3’
• The following services
are REQUIRED for
runlevel 3:
atd
audit
coldplug
cron
hwscan
network
random
syslog
rpmconfigcheck
7/17/2015
Slide # 36
•
The following services
are OPTIONAL for
runlevel 3:
hotplug
lpd
sshd
kbd
postfix
xinetd
– Disable usbfs
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Restricted Execution Environment
• Setup a chroot directory structure
• Enable chroot support for those services
that can be chroot’d
• Some services can be installed into your
chroot’d environment
7/17/2015
Slide # 37
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Remove SUID/SGID
• Remove SUID / SGID root settings from binaries
find / \( ! -fstype ext3 -prune -false \) -o \
-type f \( -perm -4000 -o -perm -2000 \) \
-exec chmod u-s,g-s {} \; -print
• Make sure that /etc/sysconfig/security has the
following two variables set:
– CHECK_PERMISSIONS=set
– PERMISSION_SECURITY="eal4"
• Then run “chkstat -set /etc/permissions.eal4”
to set the needed SUID and SGID bits.
7/17/2015
Slide # 38
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Set User ID (SUID)
Only the following may
have SUID bits set
•
•
•
•
•
/bin/ping
/bin/su
/usr/bin/at
/usr/bin/chage
/usr/bin/chfn
7/17/2015
Slide # 39
•
•
•
•
•
•
•
•
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/gpasswd
/usr/bin/lpq
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/lpstat
/usr/bin/passwd
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Set Group ID (SGID)
The SGID bit MUST NOT be used to give
group ”root” privileges to any binary.
• /usr/sbin/postdrop - group "maildrop"
• /usr/sbin/postqueue - group "maildrop"
• /usr/sbin/utempter - group "tty"
7/17/2015
Slide # 40
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Disable root Login Over Network
• Login from the network with user ID 0 (’root’) MUST NOT
be permitted over the network.
• Administrators MUST use an ordinary user ID to log in,
and then use the /bin/su - command to switch identities.
• The restriction for direct root logins is enforced through
two separate mechanisms.
• For network logins using ssh, the PermitRootLogin no
entry in /etc/ssh/sshd config MUST be set.
• logins use the pam securetty.so PAM module in the
/etc/pam.d/login file that verifies that the terminal
character device used is listed in the file /etc/securetty.
7/17/2015
Slide # 41
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Reminder Alias for su
• It is RECOMMENDED that you remind
administrators of this by adding the
following alias to the bash configuration
file /etc/bash.bashrc.local that disables the
pathless ’su’ command:
alias su="echo \"Always use ’/bin/su -’ (see
Configuration Guide)\""
• This alias can be disabled for the root user
in /root/.bashrc:
unalias su
7/17/2015
Slide # 42
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Update permissions for su
• The ’su’ binary MUST be restricted to members
of the ’trusted’ group. This will be enforced both
with PAM configuration (configured later) and the
binary’s permissions.
– chgrp trusted /bin/su
– chmod 4750 /bin/su
• You MUST have at least one user account other
than ’root’ configured to be a member of the
’trusted’ group, otherwise system administration
will ONLY be possible from the system console.
7/17/2015
Slide # 43
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Setting up ssh
• SSH protocol version 1 MUST be disabled.
• The ssh client MUST NOT be set up SUID root
• The SSH Server MUST be configured to reject attempts
to log in as root.
• The permitted authentication mechanisms are per-user
(nonempty) passwords and per-user RSA/DSA public
key authentication. All other authentication methods
MUST be disabled.
• The setting PAMAuthenticationViaKbdInt MUST be
disabled, since this would otherwise circumvent the
disabled root logins over the network.
7/17/2015
Slide # 44
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
/etc/ssh/sshd.conf
# Cryptographic settings. Disallow obsolete insecure protocol version 1, and hardcode a strong cipher.
Protocol 2
Ciphers aes256-cbc
# Configure password-based login. This MUST use the PAM library
# exclusively, and turn off the builtin password authentication code.
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
# No other authentication methods allowed
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PubkeyAuthentication yes
RSAAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
# Other settings, MAY change "X11Forwarding" to "yes"
X11Forwarding no
Subsystem sftp /usr/lib/ssh/sftp-server
7/17/2015
Slide # 45
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Setting up the Audit Subsystem
• Setting up the audit configuration files
• For all platforms, it is RECOMMENDED to use the following settings
in the /etc/sysconfig/audit file:
AUDIT_ALLOW_SUSPEND=1
AUDIT_ATTACH_ALL=0
AUDIT_MAX_MESSAGES=1024
AUDIT_PARANOIA=0
• The laus package by default installs these files with the
RECOMMENDED contents:
/etc/audit/audit.conf
/etc/audit/filter.conf
/etc/audit/filesets.conf
• Make auditd start at boot, insserv audit
7/17/2015
Slide # 46
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Ensure PAM is Audit Enabled
grep laus_open ‘ldd /bin/login | awk
’/libpam.so/ { print $3 }’‘
• Binary file /lib/libpam.so.0 matches
• If the grep command produces no output, you
MUST reinstall the pam-laus package from CD
#2
• # ’cd’ to the directory containing the RPM file,
• # then reinstall the package:
rpm --oldpackage --force --nodeps -Uhv pam-laus0.77-4.3.i586.rpm
7/17/2015
Slide # 47
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Configure PAM
• The ’other’ fallback MUST be disabled by
specifying the pam deny.so module for each
module-type in the ’other’ configuration.
• Add the pam wheel.so module to the ’auth’
configuration for the ’su’ service
• You MUST add the pam tally.so module to the
auth and account module type configurations of
login, sshd, and vsftpd (not good for remotely
managed machines.)
• You MUST use the pam passwdqc.so password
quality checking module w/ use the ’md5’ and
’use cracklib’ options
7/17/2015
Slide # 48
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Configuring PAM (2)
• The ’remember=XX’ option must be added
to the /etc/security/pam pwcheck.conf file
to force users to create new passwords
and not re-use
• In general, you MAY add PAM modules
that add additional restrictions. You MUST
NOT weaken the restrictions
7/17/2015
Slide # 49
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Setup Login Controls
• Disable login if we can’t cd to the home directory
• Set a 3 second delay before being allowed
another attempt after a login failure
• Disable logging and display of /var/log/faillog
login failure info.
• Enable logging and display of /var/log/lastlog
login time info.
• Disable display of unknown usernames when
login failures are recorded.
7/17/2015
Slide # 50
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Setup Login Controls (2)
• Set max number of login retries to <= 3 if
password is bad
• Set max time to <= 60 seconds for login
• Require password before chfn/chsh can
make any changes.
• Restrict fields to “rwh” that may be
changed by regular users using chfn
7/17/2015
Slide # 51
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Setup Login Controls (3)
• The default umask for logged-in users is set in
the /etc/profile file, not here.
• Umask to 077 which is used by useradd and
newusers for creating new home directories.
• Password aging controls (used by useradd):
–
–
–
–
PASS_MAX_DAYS 60
PASS_MIN_DAYS 1
PASS_WARN_AGE 7
PASS_MIN_LEN 8
7/17/2015
Slide # 52
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Configure the Boot Loader
• Ensure the system boots exclusively from the
disk partition containing Linux
• Make sure you use BIOS password to protect
access to this configuration.
• Use the password command in
/boot/grub/menu.lst to prevent unauthorized use
of the boot loader interface.
• Use md5 encoded passwords, run the command
grub-md5-crypt to generate the encoded version
of a password.
7/17/2015
Slide # 53
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Configure the Boot Loader
• Protect all menu entries other than the default
SLES boot with the lock option
• Add a line containing just the keyword lock after
the title entry in the /boot/grub/menu.lst file
• Remove group and world read permissions from
the grub configuration file if it contains a
password
chmod 600 /boot/grub/menu.lst
• All changes to the configuration take effect
automatically on the next boot
7/17/2015
Slide # 54
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Adding Additional Software
• Kernel modules other than those provided as
part of the evaluated configuration MUST NOT
be installed or loaded.
• You MUST NOT load the tux kernel module (the
in-kernel web server is not supported).
• You MUST NOT add support for non-ELF binary
formats or foreign binary format emulation that
circumvents system call auditing.
• You MUST NOT activate knfsd or export NFS file
systems.
7/17/2015
Slide # 55
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Adding Additional Software (2)
• Device special nodes MUST NOT be added to
the system
• SUID root or SGID root programs MUST NOT be
added to the system.
• Programs which use the SUID or SGID bits to
run with identities other than ’root’ MAY be
added.
• The content, permissions, and ownership of all
existing file-system objects (including directories
and device-nodes) that are part of the evaluated
configuration MUST NOT be modified.
7/17/2015
Slide # 56
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Adding additional Software (4)
• Programs automatically launched with ’root’
privileges MUST NOT be added to the system.
• Processes that immediately and permanently
switch to a non privileged identity on launch are
permitted,
• Automatic launch mechanisms are:
• – Entries in /etc/inittab
• – Executable files or links in /etc/init.d/ and its
subdirectories
7/17/2015
Slide # 57
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Document your system
• Rebooted server to implement new SMP kernel.
# uname –a
Linux avflyer-asp 2.6.5-7.201-smp #1 SMP Thu Aug
25 06:20:45 UTC 2005 i686 i686 i386 GNU/Linux
• List services now running on the system.
# chkconfig | grep -v "off" | more
• List directories with the sticky bit set
# find / -type d -perm -1000 -ls
7/17/2015
Slide # 58
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Document Your System (2)
• List files with Set User ID (SUID) bit set.
find / -type f -perm -4000 -ls
• List files with Set Group ID (SGID) bit set.
find / -type f -perm -2000 –ls
• List files that are world writeable.
find / -type f -perm -0002 -ls
• List all installed packages.
rpm -qa --qf '%-25{NAME}\t%-20{VERSION}\t%8{RELEASE}\t%{Summary}\n' | sort >
/root/rpmpackagelist
7/17/2015
Slide # 59
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Security monitoring & management
• Setup tripwire to monitor system file
integrity and to audit changes.
• Setup and implement log file rotation
policies.
• Setup a central syslog server (syslog-ng)
• Use a log analyzer, such as logcheck.
• Setup a monitoring system like Nagios or
Argus on your network.
7/17/2015
Slide # 60
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Sec Monitoring & Management (2)
• Created /var/log/btmp to log bad login
attempts.
# touch /var/log/btmp
# lastb
btmp begins Sun Sep 11 13:58:05 2005
7/17/2015
Slide # 61
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Log and Status Files
• In addition to the syslog messages, various
other log files and status files are generated in
/var/log by other programs:
• File - Source
• YaST2 Directory for YaST2 log files
• audit.d Directory for LAuS logs
• boot.msg Messages from system startup
• lastlog Last successful log in (see lastlog(8))
• vsftpd.log Transaction log of the VSFTP
daemon
7/17/2015
Slide # 62
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Log and Status Files (2)
• localmessages - Written by syslog.
• mail - Written by syslog, contains messages
from the MTA (postfix).
• messages - Written by syslog, contains
messages from su and ssh.
• News - syslog news entries.
• warn - Written by syslog.
• wtmp - Written by the PAM susbystem.
• btmp – Written by the PAM subsystem.
• xinetd.log Written by xinetd, logging all
connection.
7/17/2015
Slide # 63
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Auditing Your System
• It is RECOMMENDED that you review the
system’s configuration at regular intervals to
verify if it still agrees with the evaluated
configuration.
• This primarily concerns those processes that
may run with ’root’ privileges.
• The permissions of the device files /dev/* MUST
NOT be modified.
• In particular, review settings in the following files
and directories to ensure that the contents and
permissions have not been modified:
7/17/2015
Slide # 64
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
System Files to Review
•
•
•
•
•
•
•
•
•
•
•
/etc/at.allow
/etc/at.deny
/etc/audit/*
/etc/cron.d/*
/etc/cron.daily/*
/etc/cron.hourly/*
/etc/cron.monthly/*
/etc/cron.weekly/*
/etc/crontab
/etc/ftpusers
/etc/group
7/17/2015
Slide # 65
•
•
•
•
•
•
•
•
•
•
•
/etc/gshadow
/etc/hosts
/etc/init.d/*
/etc/inittab
/etc/ld.so.conf
/etc/login.defs
/etc/modules.conf
/etc/pam.d/*
/etc/passwd
/etc/securetty
/etc/security/opasswd
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
System Files to Review (2)
• /etc/security/pam_pwch
eck.conf
• /etc/security/pam_unix2
.conf
• /etc/shadow
• /etc/ssh/ssh_config
• /etc/ssh/sshd_config
• /etc/stunnel/*
• /etc/sysconfig/*
• /etc/vsftpd.conf
7/17/2015
Slide # 66
•
•
•
•
•
•
•
•
•
/etc/xinetd.conf
/usr/lib/cracklib_dict.*
/var/log/audit.d/*
/var/log/faillog
/var/log/lastlog
/var/spool/atjobs/*
/var/spool/cron/*
/var/spool/cron/allow
/var/spool/cron/deny
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Auditing Your System (2)
• Use the command lastlog and lastlogb to detect
unusual patterns of logins.
• Also verify the output of the following commands
(run as ’root’):
# atq
# crontab -l
# find / \( -perm -4000 -o -perm -2000 \) -ls
# find / \( -type f -o -type d -o -type b \) -perm -0002 -ls
# find /bin /boot /etc /lib /sbin /usr \
! -type l \( ! -uid 0 -o -perm +022 \)
7/17/2015
Slide # 67
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Auditing Your System (3)
• Use the aucat(8) and augrep(8) tools to retrieve
information from the audit logs. The information
available for retrieval depends on the active filter
configuration.
– # view the last 100 audit records
aucat | tail -100
– # view all successful PAM authentications
augrep -e TEXT -U AUTH_success
– # all actions recorded for a specified login UID (this includes
– # actions done by this user with a different effective UID,
– # for example, via SUID programs or as part of a "su" session)
augrep -l kw
– # file removals
augrep -e SYSCALL -S unlink
7/17/2015
Slide # 68
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Secure Communication
•
•
•
•
•
SSH V2
Stunnel with OpenSSL
X11 Forwarding through an SSH tunnel
Secure FTP
Externally signed SSL certificate
7/17/2015
Slide # 69
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
System maintenance
• Download, verify, and carefully review
each patch before you install it.
• If possible test patches in a nonproduction environment.
• Keep a manual logbook, as well as a
README file in the /root home directory
with any updates or changes you make to
the system.
7/17/2015
Slide # 70
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Considerations for Servers
• Customize firewall (iptables)
• Port restrictions
• Ensure current directory is not in any ones (root or a
regular user) path
• Configures standard system cron jobs, like deletion of
old files in /tmp or update of the man databases. The
settings are read by the shell scripts /etc/cron.daily/*.
• Configures some system variables for the boot process.
IP_DYNIP=no # The system only has a static address
IP_TCP_SYNCOOKIES=yes # Syn Flood protection
IP_FORWARD=no # Set to yes if the system acts as a router.
ENABLE_SYSRQ=no # System request key MUST be disabled.
7/17/2015
Slide # 71
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Considerations for DNS Servers
•
•
•
•
Enable bind chroot support.
Apply port restrictions in firewall.
Customize logging as desired.
Authoritative DNS servers should not be used as
resolving or caching DNS servers.
• Disable recursive queries on authoritative
servers.
• Enable numerous security settings in
/etc/named.conf to suit your environment.
7/17/2015
Slide # 72
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Considerations for Email Servers
• Chroot postfix (manual process)
• Ensure unauthorized parties can’t relay
• Establish port restrictions and access
control with iptables.
• Configure smtp restrictions in postfix.
• Use ldap or access file to restrict inbound
mail to valid users
• Anti-virus / Anti-Spam
7/17/2015
Slide # 73
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Useful Resources
• Practical Unix & Internet Security, 3rd Edition
by Simson Garfinkel, Gene Spafford, Alan
Schwartz Publisher: O'Reilly; 3 edition
(February 21, 2003) ISBN: 0596003234
• Hardening Linux by John H. Terpstra, Paul
Love, Ronald P. Reck Publisher McGraw Hill
Osborne ISBN: 0-07-225497-1
• There are way too many books to list even a
fraction of the good ones I keep handy on my
shelf here.
7/17/2015
Slide # 74
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Useful resources (2)
• If there are conflicting recommendations in this guide
and in one of the sources listed here, the Configuration
Guide has precedence concerning the evaluated
configuration.
• SuSE Linux Enterprise Server Installation Guide,
– /usr/share/doc/packages/sles-inst-x86+x86-64 en/
– /usr/share/doc/packages/sles-inst-ipseries en/
– /usr/share/doc/packages/sles-inst-zseries en/
• SuSE Linux Enterprise Server Administrator Guide,
– /usr/share/doc/packages/sles-admin-x86+x86-64 en/
– /usr/share/doc/packages/sles-admin-ipseries en/
– /usr/share/doc/packages/sles-admin-zseries en/
7/17/2015
Slide # 75
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu
Questions
Questions
7/17/2015
Slide # 76
Hardening Linux
Copyright © 2005 RICIS, Inc.™ and Uniforum
By Gregg Rosenberg
and Lee Leahu