book

Security Strategies in Linux Platforms and Applications

by Michael Jang

October 2010

Intermediate to advanced

512 pages

15h 1m

English

Jones & Bartlett Learning

Read now

Unlock full access

Purpose of This BookLearning FeaturesAudience
The Fundamentals of Linux Information SecuritySecurity As a Process in the Open Source WorldLaws and Regulatory Requirements in Information SecurityMeasuring Information SecurityConfidentialityPossession or ControlIntegrityAuthenticityAvailabilityUtilityThe Open Source Security Testing Methodology ManualMeasures of OSSTMM ComplianceOSSTMM ChannelsOSSTMM Test MethodologiesRegulatory PhaseDefinitions PhaseInformation PhaseInteractive Controls PhaseAlert and Log Review PhaseOSSTMM CertificationsLinux and the Seven Domains of a Typical IT InfrastructureLinux in the User DomainLinux in the Workstation DomainLinux in the LAN DomainLinux in the LAN-to-WAN DomainLinux in the System/Application DomainLinux in the Remote Access DomainLinux in the WAN DomainAttacks on Open Source SoftwareSecurity in an Open Source WorldCosts and Benefits of Linux Security MeasuresThe Costs of SecurityThe Benefits of SecurityThe Effects of VirtualizationCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 1 ASSESSMENT
Linux Security Starts with the KernelThe Basic Linux Kernel PhilosophyBasic Linux KernelsDistribution-Specific Linux KernelsCustom Linux KernelsLinux Kernel Security OptionsSecurity in the Boot ProcessPhysical SecurityThe Threat of the Live CDBoot Process SecurityMore Boot Process IssuesVirtual Physical SecurityLinux Security Issues Beyond the Basic Operating SystemService Process SecuritySecurity Issues with the GUIThe User Authentication DatabasesFile Ownership, Permissions, and Access ControlsFirewalls and Mandatory Access ControlsFirewall Support OptionsMandatory Access Control SupportNetworks and Encrypted CommunicationThe Latest Linux Security UpdatesLinux Security Updates for Regular UsersLinux Security Updates for Home HobbyistsLinux Security Updates for Power UsersSecurity Updates for Linux AdministratorsLinux Security Update AdministrationContinuity and Resiliency with VirtualizationVariations Between DistributionsA Basic Comparison: Red Hat and UbuntuMore Diversity in ServicesCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 2 ASSESSMENT
Security in the Server Room and the Physical ServerPhysical and Environmental Security FactorsSecurity and Form FactorsPhysical Access PortsSecurity Beyond the ServerOpen Source Trusted Platform Modules and Open Trusted ComputingThe Basics of Trusted ComputingMeasurementsRoots of TrustChain of TrustObjections to TPMTPM in an Open Source WorldTPM PackagesConfigure TPM on a Linux SystemSecurity on Virtual Hosts and GuestsSecurity on Virtual HostsSecurity with Virtual ApplicationsSecurity with Platform Virtual MachinesSecurity with ParavirtualizationSecurity with Hardware Virtual MachinesSecurity with Bare Metal VirtualizationSecurity on Virtual GuestsLocking Down Boot HardwareLocking Down Boot LoadersBack Up the Current Boot LoaderSecuring LILOSecurity and Traditional GRUBSecurity and GRUB 2.0Configure TrustedGRUBChallenges with a Standard Supported KernelQuestions with Standard KernelsStandard Virtual Machine KernelsLimits on Standard KernelsThe Costs and Benefits of ObscurityObscurity in the Boot MenusObscurity in the Linux Boot LoaderObscurity in Other Linux Boot Configuration FilesObscurity in ServicesBasic Security and the Five Process ControlsNonrepudiationConfidentialityPrivacyIntegrityAlarmBest Practices: Basic SecurityCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 3 ASSESSMENT
The Shadow Password Suite/etc/passwd/etc/group/etc/shadow/etc/gshadowDefaults for the Shadow Password SuiteShadow Password Suite CommandsA Variety of Choices with User PrivilegesSecuring Groups of UsersUser Private Group SchemeCreate a Special GroupA Hierarchy of Administrative PrivilegesAdministrative Privileges in ServicesThe su and sg CommandsOptions with sudo and /etc/sudoersBasic Options in /etc/sudoersMore Detailed Options with /etc/sudoersUse the sudo CommandRegular and Special PermissionsThe Set User ID BitThe Set Group ID BitThe Sticky BitTracking Access Through LogsAuthorization Log OptionsAuthorization Log FilesPluggable Authentication ModulesThe Structure of a PAM Configuration FilePAM Configuration for UsersAuthorizing Access with the PolicyKitHow the PolicyKit WorksPolicyKit ConceptsMore on the PolicyKit ConfigurationThe PolicyKit and Local AuthorityThe ck-history CommandThe ck-list-sessions CommandThe ck-launch-session CommandNetwork User Verification ToolsNIS If You MustLDAP Shares AuthenticationBest Practices: User Privileges and PermissionsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 4 ASSESSMENT

Filesystem OrganizationFilesystem BasicsThe Filesystem Hierarchy Standard (FHS)Good Volume Organization Can Help Secure a SystemThe /boot/ FilesystemThe /home/ FilesystemThe /opt/ FilesystemThe /srv/ FilesystemThe /tmp/ FilesystemThe /var/ FilesystemRead-Only FilesystemsJournals, Formats, and File SizesPartition TypesThe Right Format ChoiceAvailable Format ToolsUsing EncryptionEncryption ToolsEncrypted FilesEncryption With a PassphraseEncryption with a Public/Private Key PairEncrypted DirectoriesEncrypted Partitions and VolumesLocal File and Folder PermissionsBasic File Ownership ConceptsBasic File-Permission ConceptsChanging File PermissionsNetworked File and Folder PermissionsNFS IssuesBasic NFS Security IssuesNFS Permissions and AuthenticationSamba/CIFS Network PermissionsNetwork Permissions for the vsFTP DaemonFilesystems and QuotasThe Quota Configuration ProcessQuota ManagementQuota ReportsFilesystems and Access Control ListsConfigure a Filesystem for ACLsACL CommandsConfigure Files and Directories with ACLsBest Practices: Filesystems, Volumes, and EncryptionCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 5 ASSESSMENT
Basic Bastion HardeningA Minimal Ubuntu InstallationA Minimal Red Hat InstallationService ReviewsPackage ReviewsThe Dynamic Host Configuration Protocol Server IssueInstallation and Removal on Red Hat SystemsInstallation and Removal on Ubuntu SystemsBastions in a Virtualized EnvironmentSystems Customized for a Virtual MachineVirtual Machine NetworksThe Risks of Source Code and Development ToolsDevelopment ToolsBuild PackagesUninstalling Default ServicesUninstall When PossibleDeactivate if Still in WorkStop a ServiceChange the Service DefaultsThe update-rc.d CommandThe chkconfig CommandServices in QuestionManaging Super Servers and Deactivating Service ScriptsThe Original Super ServerThe Extended Internet Super ServerRegular Service ScriptsIsolate with chroot JailsAvoid X Servers and X Clients Where PossibleIf You Must Have a GUIThe Surprising Generic Text ToolTest with Text ToolsThe Risks of Productivity ToolsBrowsersOffice SuitesE-mailBest Practices: Service DeploymentCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 6 ASSESSMENT
Services on Every TCP/IP PortProtocols and Numbers in /etc/servicesProtection by the Protocol and NumberObscurity and the Open Port ProblemObscure PortsOpening Obscure Open PortsObscurity by Other MeansProtect with TCP WrappersWhat Services Are TCP Wrapped?Configure TCP Wrapper ProtectionPacket Filtering FirewallsBasic Firewall CommandsThe iptables Table OptionOptions and Directions for the iptables CommandPackets and Patterns for the iptables CommandActions for the iptables CommandSample iptables CommandsAdditional iptables RulesDenial of Service Rules.Change Default Rules.Restrict the ping and Related Messages.Block Information from Suspicious IP Addresses.Slow attacks on SSH Services.The iptables ServiceExamples of Firewall-Management ToolsA Firewall for the Demilitarized Zone (DMZ)A Firewall for the Internal NetworkAlternate Attack Vectors—Modems and MoreAttacks Through Nonstandard ConnectionsThe Telephone Modem and Related DevicesSerial PortsTracking Other Electromagnetic OutputAttacks on Nonstandard ServicesThe cron ServiceThe at ServiceWireless-Network IssuesThe OSSTMM Wireless Security ExpertDefault Wireless HardwareLinux and Wireless HardwareCracks in Wireless SecurityBluetooth ConnectionsSecurity-Enhanced Linux (SELinux)The Power of SELinuxBasic SELinux ConfigurationConfiguration from the Command LineThe SELinux Administration ToolThe SELinux TroubleshooterSELinux Boolean SettingsAdminCompatibilityCronCVSDatabasesFTPGamesHTTPD ServiceKerberosMemory ProtectionMountName ServiceNFSNISPolyinstatiationpppdPrintingrsyncSambaSASL Authentication ServerSELinux Service ProtectionSpamAssassinSquidSSHUniversal SSL TunnelUser PrivsWeb ApplicationsX ServerZebraSetting Up AppArmor ProfilesBasic AppArmor ConfigurationAppArmor Configuration Fileslogprof.confThe [settings] Stanza.The [qualifiers] Stanza.notify.confseverity.dbsubdomain.confAppArmor ProfilesAppArmor Access ModesSample AppArmor ProfilesAppArmor Configuration and Management CommandsAn AppArmor Configuration ToolBest Practices: Networks, Firewalls, and TCP/IP CommunicationsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 7 ASSESSMENT
One System, One Shared Network ServiceConfigure an NTP ServerInstall and Configure a Kerberos ServerBasic Kerberos ConfigurationAdditional Kerberos Configuration OptionsSecure NFS as if It Were LocalConfigure NFS Kerberos TicketsConfigure NFS Shares for KerberosKeeping vsFTP Very SecureConfiguration Options for vsFTPAdditional vsFTP Configuration FilesLinux as a More Secure Windows ServerSamba Global OptionsNetwork-Related OptionsLogging OptionsStandalone Server OptionsDomain Members OptionsDomain Controller OptionsBrowser Control OptionsName ResolutionPrinting OptionsSamba as a Primary Domain Controller (PDC)Make Sure SSH Stays SecureThe Secure Shell ServerThe Secure Shell ClientSSH LoginsSecure SSH CopyingCreate a Secure Shell PassphraseNetworks and EncryptionHost-to-Host IPSec on Red HatHost-to-Host IPSec on UbuntuNetwork-to-Network IPSec on Red HatNetwork-to-Network IPSec on UbuntuWhen You "Must" Use TelnetPersuade Users to Convert to SSHInstall More Secure Telnet Servers and ClientsRemember the ModemThe Basics of RADIUSRADIUS Configuration FilesMoving Away from Clear-Text AccessThe Simple rsync SolutionE-mail ClientsBest Practices: Networked Filesystems and Remote AccessCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 8 ASSESSMENT
Web Services: Apache and FriendsThe LAMP StackMySQL and ApacheApache and Scripting LanguagesApache ModulesSecurity-Related Apache DirectivesKeepAlive DirectivesMulti-Processing Modules (MPMs)An Apache User and GroupDo Not Allow Overrides with .htaccessDo Not Allow Access to User DirectoriesMinimize Available OptionsConfigure Protection on a Web SiteConfigure a Secure Web siteConfigure a Certificate AuthorityWorking with SquidBasic Squid ConfigurationSecurity-Related Squid DirectivesLimit Remote Access with SquidDNS: BIND and MoreThe Basics of DNS on the InternetDNS Network ConfigurationSecure BIND ConfigurationA BIND DatabaseDNS Targets to ProtectMail Transfer Agents: sendmail, Sendmail, Postfix, and MoreOpen Source sendmailCommercial SendmailThe Postfix AlternativeDovecot for POP and IMAPMore E-mail ServicesIf You AsteriskBasic Asterisk ConfigurationSecurity Risks with AsteriskDenial of Service on AsteriskAsterisk AuthenticationMore Asterisk Security OptionsLimit Those PrintersPrinter AdministratorsShared PrintersRemote AdministrationThe CUPS Administrative ToolProtect Your Time ServicesOptions for Obscurity: Different Ports, Alternative ServicesBest Practices: Networked Application SecurityCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 9 ASSESSMENT
Functional Kernels for Your DistributionKernels by ArchitectureKernels for Different FunctionsThe Stock KernelKernel Numbering SystemsProduction Releases and MoreDownload the Stock KernelStock Kernel Patches and UpgradesSecurity and Kernel Update IssuesStock Kernel Security IssuesDistribution-Specific Kernel Security IssuesInstalling an Updated KernelKernel Development SoftwareRed Hat Kernel Development SoftwareUbuntu Kernel Development SoftwareKernel Development ToolsBefore Customizing a KernelStart the Kernel Customization ProcessKernel Configuration OptionsGeneral SetupEnable Loadable Module SupportEnable the Block LayerProcessor Type and FeaturesPower Management and ACPI OptionsBus OptionsExecutable File Formats/EmulationsNetworking SupportDevice DriversFirmware DriversFilesystemsKernel HackingSecurity OptionsCryptographic APIVirtualizationLibrary RoutinesBuild Your Own Secure KernelDownload Kernel Source CodeDownload Ubuntu Kernel Source CodeDownload Red Hat Kernel Source CodeInstall Required Development ToolsNavigate to the Directory with the Source CodeOpen a Kernel Configuration ToolCompile the Kernel with the New Custom ConfigurationCompile a Kernel on Ubuntu SystemsCompile a Kernel on Red Hat SystemsCompile a Stock KernelInstall the New Kernel and MoreCheck the BootloaderTest the ResultKernels and the /proc/ FilesystemDon't Reply to BroadcastsProtect from Bad ICMP MessagesProtect from SYN FloodsActivate Reverse Path FilteringClose Access to Routing TablesAvoid Source RoutingDon't Pass Traffic Between NetworksLog Spoofed, Source-Routed, and Redirected PacketsBest Practices: Kernel Security Risk MitigationCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 10 ASSESSMENT
Keep Up to Speed with Distribution SecurityRed Hat AlertsRed Hat Enterprise LinuxCentOS LinuxFedora LinuxUbuntu AlertsKeep Up to Speed with Application SecurityUser ApplicationsThe OpenOffice.org SuiteWeb BrowsersAdobe ApplicationsService ApplicationsThe Apache Web ServerThe Samba File ServerFile Transfer Protocol ServersLinux Has Antivirus Systems TooThe Clam AntiVirus SystemAVG Antivirus OptionThe Kaspersky Antivirus AlternativeSpamAssassinDetecting Other MalwareGet Into the Details with Bug ReportsUbuntu's LaunchpadRed Hat's BugzillaApplication-Specific Bug ReportsGNOME Project BugsKDE Project BugsOther ApplicationsService-Specific Bug ReportsApacheSquidSambavsFTPSecurity in an Open Source WorldThe Institute for Security and Open MethodologiesThe National Security AgencyThe Free Software FoundationUser ProceduresAutomated Updates or Analyzed AlertsDo You Trust Your Distribution?Do You Trust Application Developers?Do You Trust Service Developers?Linux Patch ManagementStandard yum UpdatesUpdates on FedoraUpdates on Red Hat Enterprise LinuxStandard apt-* UpdatesOptions for Update ManagersHow to Configure Automated UpdatesAutomatic Ubuntu UpdatesAutomatic Red Hat UpdatesPushing or Pulling UpdatesLocal or Remote RepositoriesConfigure a Local RepositoryCommercial Update ManagersThe Red Hat NetworkRed Hat SatelliteRed Hat ProxyCanonical LandscapeNovell's ZENworksOpen Source Update ManagersVarious apt-* CommandsVarious yum CommandsRed Hat SpacewalkBest Practices: Security Operations ManagementCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 11 ASSESSMENT
Configure a Simple BaselineA Minimal Red Hat BaselineA Minimal Ubuntu BaselineRead-Only or a Live Bootable Operating SystemAppropriate Read-Only FilesystemsLive CDs and DVDsUpdate the BaselineA Gold BaselineSecurity UpdatesFunctional UpdatesBaseline BackupsMonitor Local LogsThe System and Kernel Log ServicesThe Ubuntu Log ConfigurationThe Red Hat Log ConfigurationLogs from Individual ServicesCUPS LogsApache LogsSamba LogsConsolidate and Secure Remote LogsDefault RSyslog ConfigurationThe Standard RSyslog Configuration FileRSyslog ModulesRSyslog Global DirectivesRSyslog Configuration RulesRSyslog Incorporates Syslog Configuration RulesIdentify a Baseline System StateCollect a List of PackagesCompare Files, Permissions, and OwnershipDefine the Baseline Network ConfigurationCollect Runtime InformationCheck for Changes with Integrity ScannersTripwireAdvanced Intrusion Detection Environment (AIDE)Best Practices: Build and Maintain a Secure BaselineCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 12 ASSESSMENT
Test Every Component of a Layered DefenseTest a FirewallTest Various ServicesTest TCP Wrappers ServicesTest ApacheTest SambaTesting Other ServicesAfter Service Tests Are CompleteTest PasswordsTest Mandatory Access Control SystemsCheck for Open Network PortsThe telnet CommandThe netstat CommandThe lsof CommandThe nmap CommandTarget SpecificationHost DiscoveryScan TechniquesPort Specification and Scan OrderService Version DetectionOperating System DetectionAuthentication (auth).Default.Discovery.Denial of Service and exploit.External.Fuzzer.Intrusive.Malware.Safe.Version.Vulnerability (vuln).Run Integrity Checks of Installed Files and ExecutablesVerify a PackageVerifying Ubuntu/Debian PackagesVerifying Red Hat PackagesPerform a Tripwire CheckTest with the Advanced Intrusion Detection Environment (AIDE)Ubuntu AIDERed Hat AIDEMake Sure Security Does Not Prevent Legitimate AccessReasonable Password PoliciesAllow Access from Legitimate SystemsMonitor That Virtualized HardwareVirtual Machine HardwareVirtual Machine OptionsMonitoring the Kernel-Based Virtual Machine (KVM)Standard Open Source Security Testing ToolsSnortSniffer ModePacket Logger ModeNetwork IDS ModeInline ModeNetcat and the nc CommandCommercial Security Test Tools for LinuxNessusSystem Administrator's Integrated Network Tool (SAINT)The Right Place to Install Security Testing ToolsHint: Not Where Crackers Can Use Them Against YouSome Tools Already Available on Live CDsBest Practices: Testing and ReportingCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 13 ASSESSMENT
Regular Performance AuditsThe Basic Tools: ps and topThe System Status PackageFor Additional AnalysisAnalyze Processes with lsofIdentify Associated Libraries with lddTrace System Calls with straceMake Sure Users Stay Within Secure LimitsAppropriate PoliciesEducationUser Installation of Problematic ServicesLog Access into the NetworkIdentify Users Who Have Logged InSystem Authentication LogsMonitor Account Behavior for Security IssuesDownloaded Packages and Source CodeExecutable FilesCreate an Incident Response PlanIncreased VigilanceKeep the System On (At Least for Now)Have Live Linux CDs Ready for Forensics PurposesMedia to Recover Dynamic Data from Compromised SystemsHelix Live ResponseThe Sleuth KitMaster Key LinuxBuild Your Own MediaForensic Live MediaWhen You Put Your Plan into ActionConfirm the BreachIdentify Compromised SystemsHave Gold Replacement Systems in PlaceBackup and Recovery ToolsDisk Images for Later InvestigationThe rsync CommandMount Encrypted FilesystemsThe Right Way to Save Compromised Data as EvidenceBasic Principles for EvidenceRemember the Dynamic DataPreserve the Hard DisksDisaster Recovery from a Security BreachDetermine What HappenedPreventionReplacementOpen Source Security Works Only If Everyone SharesIf the Security Issue Is KnownIf the Security Issue Has Not Been ReportedBest Practices: Security Breach Detection and ResponseCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 14 ASSESSMENT
Maintain a Gold BaselineMonitor Security ReportsWork Through UpdatesRecalibrate System IntegrityRedundancy Can Help Ensure AvailabilityA Gold Physical BaselineA Gold Virtual Baseline HostHardware Requirements for a Gold Virtual HostA Gold Baseline Virtual GuestService-Specific Gold Baseline SystemsTrust But Verify Corporate SupportRed Hat Support OptionsCanonical Support OptionsOpen Source Community SupportCheck Conformance with Security PoliciesUser SecurityAdministrator SecurityKeep the Linux Operating System Up to DateBaseline UpdatesFunctional BugsNew ReleasesKeep Distribution-Related Applications Up to DateServer ApplicationsInstall a New Distribution ReleaseInstall the New Release from Source CodeDesktop ApplicationsManage Third-Party Applications CarefullyLicensing IssuesNon-Open Source LicensesSoftware with Different Legal IssuesSupport IssuesWhen Possible, Share Problems and Solutions with the CommunityWhich Community?Share with DevelopersShare on Mailing ListsTest New Components Before Putting Them into ProductionTest UpdatesDocument ResultsBeta TestingFuture Trends in Linux SecurityA New Firewall CommandMore Mandatory Access ControlsApplication Armor (AppArmor)Security Enhanced Linux (SELinux)Penetration Testing ToolsSingle Sign-OnCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 15 ASSESSMENT

Content preview from Security Strategies in Linux Platforms and Applications

Chapter 6. Every Service Is a Potential Risk

IN AN IDEAL WORLD, every system would be self-contained, with everything a user needs, isolated from the network. But that's not realistic. You can minimize risks, however. To that end, every service is a potential risk.

If you're running a service such as an Apache Web server, you realize that service is subject to risks. You're probably watching for news on Apache, ready to pounce on updates that address security issues.

But what if a print server is already running on the same server? Is it okay if a different file server is installed, but just not running? While there are services with their own control scripts, you also need to remember those services controlled by the internet super server. What ...