Security Strategies in Linux Platforms and Applications, 2nd Edition

Book description

The Second Edition of Security Strategies in Linux Platforms and Applications covers every major aspect of security on a Linux system. Written by an industry expert, this book is divided into three natural parts to illustrate key concepts in the field. It opens with a discussion of the risks, threats, and vulnerabilities associated with Linux as an operating system, using current examples and cases. Part 2 discusses how to take advantage of the layers of security available to Linux: user and group options, filesystems, and security options for important services, as well as the security modules associated with AppArmor and SELinux. The book closes with a look at the use of both open source and proprietary tools when building a layered security strategy for Linux operating system environments. Using real-world examples and exercises, this useful resource incorporates hands-on activities to walk readers through the fundamentals of security strategies related to the Linux system.

Table of contents

  1. Cover
  2. Title Page
  3. Copyright
  4. Contents
  5. Dedication
  6. Preface
  7. Acknowledgments
  8. Part One Is Linux Really Secure?
    1. Chapter 1 Security Threats to Linux
      1. The Origins of Linux
      2. Security in an Open Source World
      3. Linux Distributions
      4. The C-I-A Triad
      5. Linux as a Security Device
      6. Linux in the Enterprise
      7. Recent Security Issues
      8. Chapter Summary
      9. Key Concepts and Terms
      10. Chapter 1 Assessment
    2. Chapter 2 Basic Components of Linux Security
      1. Linux Security Relates to the Kernel
        1. The Basic Linux Kernel Philosophy
        2. Basic Linux Kernels
        3. Distribution-Specific Linux Kernels
        4. Custom Linux Kernels
        5. Linux Kernel Security Options
      2. Securing a System During the Boot Process
        1. Physical Security
        2. The Threat of the Live CD
        3. Boot Process Security
        4. More Boot Process Issues
        5. Virtual Physical Security
      3. Linux Security Issues Beyond the Basic Operating System
        1. Service Process Security
        2. Security Issues with the GUI
      4. Linux User Authentication Databases
      5. Protecting Files with Ownership, Permissions, and Access Controls
      6. Firewalls and Mandatory Access Controls in a Layered Defense
        1. Firewall Support Options
        2. Mandatory Access Control Support
      7. Protecting Networks Using Encrypted Communication
      8. Tracking the Latest Linux Security Updates
        1. Linux Security Updates for Regular Users
        2. Linux Security Updates for Home Hobbyists
        3. Linux Security Updates for Power Users
        4. Security Updates for Linux Administrators
        5. Linux Security Update Administration
      9. The Effect of Virtualization on Security
      10. Variations Between Distributions
        1. A Basic Comparison: Red Hat and Ubuntu
        2. More Diversity in Services
      11. Chapter Summary
      12. Key Concepts and Terms
      13. Chapter 2 Assessment
  9. Part Two Layered Security and Linux
    1. Chapter 3 Starting Off: Getting Up and Running
      1. Picking a Distribution
      2. Picking a Delivery Platform
        1. Physical System
        2. Virtual Machines
        3. Cloud Services
      3. Choosing a Boot Loader
        1. Linux Loader
        2. Grand Unified Boot Loader
      4. Services
        1. Runlevels
        2. Wrappers
      5. inetd and xinetd
      6. R-services
      7. Chapter Summary
      8. Key Concepts and Terms
      9. Chapter 3 Assessment
    2. Chapter 4 User Privileges and Permissions
      1. The Shadow Password Suite
        1. /etc/passwd
        2. /etc/group
        3. /etc/shadow
        4. /etc/gshadow
        5. Defaults for the Shadow Password Suite
        6. Shadow Password Suite Commands
      2. Available User Privileges
      3. Securing Groups of Users
        1. User Private Group Scheme
        2. Create a Special Group
      4. Configuring the Hierarchy of Administrative Privileges
        1. Administrative Privileges in Services
        2. The su and sg Commands
        3. Options with sudo and /etc/sudoers
      5. Regular and Special Permissions
        1. The Set User ID Bit
        2. The Set Group ID Bit
        3. The Sticky Bit
      6. Tracking Access Through Logs
        1. Authorization Log Options
        2. Authorization Log Files
      7. Pluggable Authentication Modules
        1. The Structure of a PAM Configuration File
        2. PAM Configuration for Users
      8. Authorizing Access with the Polkit
        1. How the Polkit Works
        2. Polkit Concepts
        3. The Polkit and Local Authority
      9. Network User Verification Tools
        1. NIS If You Must
        2. LDAP Shares Authentication
      10. Best Practices: User Privileges and Permissions
      11. Chapter Summary
      12. Key Concepts and Terms
      13. Chapter 4 Assessment
    3. Chapter 5 Filesystems, Volumes, and Encryption
      1. Filesystem Organization
        1. Filesystem Basics
        2. The Filesystem Hierarchy Standard
        3. Good Volume Organization Can Help Secure a System
        4. Read-Only Mount Points
      2. How Options for Journals, Formats, and File Sizes Affect Security
        1. Partition Types
        2. The Right Format Choice
        3. Available Format Tools
      3. Using Encryption
        1. Encryption Tools
        2. Encrypted Files
        3. Encrypted Directories
        4. Encrypted Partitions and Volumes
      4. Local File and Folder Permissions
        1. Basic File Ownership Concepts
        2. Basic File-Permission Concepts
        3. Changing File Permissions
      5. Networked File and Folder Permissions
        1. NFS Issues
        2. Samba/CIFS Network Permissions
        3. Network Permissions for the vsftp Daemon
      6. Configuring and Implementing Quotas on a Filesystem
        1. The Quota Configuration Process
        2. Quota Management
        3. Quota Reports
      7. How to Configure and Implement Access Control Lists on a Filesystem
        1. Configure a Filesystem for ACLs
        2. ACL Commands
        3. Configure Files and Directories with ACLs
      8. Best Practices: Filesystems, Volumes, and Encryption
      9. Chapter Summary
      10. Key Concepts and Terms
      11. Chapter 5 Assessment
    4. Chapter 6 Securing Services
      1. Starting a Hardened System
      2. Service Management
        1. SysV Init
        2. Upstart
        3. Systemd
      3. Hardening Services
      4. Using Mandatory Access Controls
        1. Security Enhanced Linux
        2. AppArmor
      5. Servers Versus Desktops
      6. Protecting Against Development Tools
      7. Chapter Summary
      8. Key Concepts and Terms
      9. Chapter 6 Assessment
    5. Chapter 7 Networks, Firewalls, and More
      1. Services on Every TCP/IP Port
        1. Protocols and Numbers in /etc/services
        2. Protection by the Protocol and Number
      2. Obscurity and the Open Port Problem
        1. Obscure Ports
        2. Opening Obscure Open Ports
        3. Obscurity by Other Means
      3. Protect with TCP Wrapper
        1. What Services Are TCP Wrapped?
        2. Configure TCP Wrapper Protection
      4. Packet-Filtering Firewalls
        1. Basic Firewall Commands
        2. Firewalld
        3. A Firewall for the Demilitarized Zone
        4. A Firewall for the Internal Network
      5. Alternate Attack Vectors
        1. Attacks Through Nonstandard Connections
        2. Attacks on Scheduling Services
      6. Wireless-Network Issues
        1. Linux and Wireless Hardware
        2. Encrypting Wireless Networks
        3. Bluetooth Connections
      7. Security Enhanced Linux
        1. The Power of SELinux
        2. Basic SELinux Configuration
        3. Configuration from the Command Line
        4. The SELinux Administration Tool
        5. The SELinux Troubleshooter
        6. SELinux Boolean Settings
      8. Setting Up AppArmor Profiles
        1. Basic AppArmor Configuration
        2. AppArmor Configuration Files
        3. AppArmor Profiles
        4. AppArmor Access Modes
        5. Sample AppArmor Profiles
        6. AppArmor Configuration and Management Commands
        7. An AppArmor Configuration Tool
      9. Best Practices: Networks, Firewalls, and TCP/IP Communications
      10. Chapter Summary
      11. Key Concepts and Terms
      12. Chapter 7 Assessment
    6. Chapter 8 Networked Filesystems and Remote Access
      1. Basic Principles for Systems with Shared Networking Services
        1. Configure an NTP Server
        2. Install and Configure a Kerberos Server
        3. Basic Kerberos Configuration
        4. Additional Kerberos Configuration Options
      2. Securing NFS as If It Were Local
        1. Configure NFS Kerberos Tickets
        2. Configure NFS Shares for Kerberos
      3. Keeping vsftp Very Secure
        1. Configuration Options for vsftp
        2. Additional vsftp Configuration Files
      4. Linux as a More Secure Windows Server
        1. Samba Global Options
        2. Samba as a Primary Domain Controller
      5. Making Sure SSH Stays Secure
        1. The Secure Shell Server
        2. The Secure Shell Client
        3. Create a Secure Shell Passphrase
      6. Basic Principles of Encryption on Networks
        1. Host-to-Host IPSec on Red Hat
        2. Host-to-Host IPSec on Ubuntu
        3. Network-to-Network IPSec on Red Hat
        4. Network-to-Network IPSec on Ubuntu
      7. Helping Users Who Must Use Telnet
        1. Persuade Users to Convert to SSH
        2. Install More Secure Telnet Servers and Clients
      8. Securing Modem Connections
        1. The Basics of RADIUS
        2. RADIUS Configuration Files
      9. Moving Away from Cleartext Access
        1. The Simple rsync Solution
        2. E-mail Clients
      10. Best Practices: Networked Filesystems and Remote Access
      11. Chapter Summary
      12. Key Concepts and Terms
      13. Chapter 8 Assessment
    7. Chapter 9 Networked Application Security
      1. Options for Secure Web Sites with Apache
        1. The LAMP Stack
        2. Apache Modules
        3. Security-Related Apache Directives
        4. Configure Protection on a Web Site
        5. Configure a Secure Web site
        6. Configure a Certificate Authority
        7. mod_security
      2. Working with Squid
        1. Basic Squid Configuration
        2. Security-Related Squid Directives
        3. Limit Remote Access with Squid
      3. Protecting DNS Services with BIND
        1. The Basics of DNS on the Internet
        2. DNS Network Configuration
        3. Secure BIND Configuration
        4. A BIND Database
        5. DNS Targets to Protect
        6. Domain Name System Security Extensions
      4. Mail Transfer Agents
        1. Open Source sendmail
        2. The Postfix Alternative
        3. Dovecot for POP and IMAP
        4. More E-mail Services
      5. Using Asterisk
        1. Basic Asterisk Configuration
        2. Security Risks with Asterisk
      6. Limiting Printers
        1. Printer Administrators
        2. Shared Printers
        3. Remote Administration
        4. The CUPS Administrative Tool
      7. Protecting Time Services
      8. Obscuring Local and Network Services
      9. Best Practices: Networked Application Security
      10. Chapter Summary
      11. Key Concepts and Terms
      12. Chapter 9 Assessment
    8. Chapter 10 Kernel Security Risk Mitigation
      1. Distribution-Specific Functional Kernels
        1. Kernels by Architecture
        2. Kernels for Different Functions
      2. The Stock Kernel
        1. Kernel Numbering Systems
        2. Production Releases and More
        3. Download the Stock Kernel
        4. Stock Kernel Patches and Upgrades
      3. Managing Security and Kernel Updates
        1. Stock Kernel Security Issues
        2. Distribution-Specific Kernel Security Issues
        3. Installing an Updated Kernel
      4. Development Software for Custom Kernels
        1. Red Hat Kernel Development Software
        2. Ubuntu Kernel Development Software
      5. Kernel-Development Tools
        1. Before Customizing a Kernel
        2. Start the Kernel Customization Process
        3. Kernel Configuration Options
      6. Building Your Own Secure Kernel
        1. Download Kernel Source Code
        2. Download Ubuntu Kernel Source Code
        3. Download Red Hat Kernel Source Code
        4. Install Required Development Tools
        5. Navigate to the Directory with the Source Code
        6. Compile a Kernel on Ubuntu Systems
        7. Compile a Kernel on Red Hat Systems
        8. Compile a Stock Kernel
        9. Install the New Kernel and More
        10. Check the Boot Loader
        11. Test the Result
      7. Increasing Security Using Kernels and the /proc/ Filesystem
        1. Don’t Reply to Broadcasts
        2. Protect from Bad ICMP Messages
        3. Protect from SYN Floods
        4. Activate Reverse Path Filtering
        5. Close Access to Routing Tables
        6. Avoid Source Routing
        7. Don’t Pass Traffic Between Networks
        8. Log Spoofed, Source-Routed, and Redirected Packets
      8. Best Practices: Kernel Security Risk Mitigation
      9. Chapter Summary
      10. Key Concepts and Terms
      11. Chapter 10 Assessment
  10. Part Three Building a Layered Linux Security Strategy
    1. Chapter 11 Managing Security Alerts and Updates
      1. Keeping Up with Distribution Security
        1. Red Hat Alerts
        2. Red Hat Enterprise Linux
        3. CentOS Linux
        4. Fedora Core Linux
        5. Ubuntu Alerts
      2. Keeping Up with Application Security
        1. The OpenOffice.org Suite
        2. Web Browsers
        3. Adobe Applications
        4. Service Applications
      3. Antivirus Options for Linux Systems
        1. The Clam AntiVirus System
        2. AVG Antivirus
        3. The Kaspersky Antivirus Alternative
        4. SpamAssassin
        5. Detecting Other Malware
      4. Using Bug Reports
        1. Ubuntu’s Launchpad
        2. Red Hat’s Bugzilla
        3. Application-Specific Bug Reports
      5. Security in an Open Source World
        1. The Institute for Security and Open Methodologies
        2. The National Security Agency
        3. The Free Software Foundation
        4. User Procedures
      6. Deciding Between Automated Updates or Analyzed Alerts
        1. Do You Trust Your Distribution?
        2. Do You Trust Application Developers?
        3. Do You Trust Service Developers?
      7. Linux Patch Management
        1. Standard yum Updates
        2. Updates on Fedora
        3. Updates on Red Hat Enterprise Linux
        4. Standard apt-* Updates
      8. Options for Update Managers
        1. Configuring Automated Updates
        2. Automatic Red Hat Updates
        3. Pushing or Pulling Updates
        4. Local or Remote Repositories
        5. Configuring a Local Repository
      9. Commercial Update Managers
        1. The Red Hat Network
        2. Canonical Landscape
        3. Novell’s ZENworks
      10. Open Source Update Managers
        1. Various apt-* Commands
        2. Various yum commands
        3. Red Hat Spacewalk
      11. Best Practices: Security Operations Management
      12. Chapter Summary
      13. Key Concepts and Terms
      14. Chapter 11 Assessment
    2. Chapter 12 Building and Maintaining a Security Baseline
      1. Configuring a Simple Baseline
        1. A Minimal Red Hat Baseline
        2. A Minimal Ubuntu Baseline
      2. Read-Only or Live Bootable Operating Systems
        1. Appropriate Read-Only Filesystems
        2. Live CDs and DVDs
      3. Keeping the Baseline Up to Date
        1. A Gold Baseline
        2. Baseline Backups
      4. Monitoring Local Logs
        1. The System and Kernel Log Services
        2. Logs from Individual Services
      5. Consolidating and Securing Remote Logs
        1. Default rsyslog Configuration
        2. The Standard rsyslog Configuration File
      6. Identifying a Baseline System State
        1. Collect a List of Packages
        2. Compare Files, Permissions, and Ownership
        3. Define the Baseline Network Configuration
        4. Collect Runtime Information
      7. Checking for Changes with Integrity Scanners
        1. Tripwire
        2. Advanced Intrusion Detection Environment
      8. Best Practices: Building and Maintaining a Secure Baseline
      9. Chapter Summary
      10. Key Concepts and Terms
      11. Chapter 12 Assessment
    3. Chapter 13 Testing and Reporting
      1. Testing Every Component of a Layered Defense
        1. Testing a Firewall
        2. Testing Various Services
        3. Testing Passwords
        4. Testing Mandatory Access Control Systems
      2. Checking for Open Network Ports
        1. The telnet Command
        2. The netstat Command
        3. The lsof Command
        4. The nmap Command
      3. Running Integrity Checks of Installed Files and Executables
        1. Verifying a Package
        2. Performing a Tripwire Check
        3. Testing with the Advanced Intrusion Detection Environment
      4. Ensuring that Security Does Not Prevent Legitimate Access
        1. Reasonable Password Policies
        2. Allowing Access from Legitimate Systems
      5. Monitoring Virtualized Hardware
        1. Virtual Machine Hardware
        2. Virtual Machine Options
        3. Monitoring the Kernel-Based Virtual Machine (KVM)
      6. Standard Open Source Security-Testing Tools
        1. Snort
        2. Netcat and the nc Command
      7. Vulnerability Scanners for Linux
        1. Nessus
        2. OpenVAS
        3. Nexpose
      8. Where to Install Security-Testing Tools
        1. Hint: Not Where Attackers Can Use Them Against You
        2. Some Tools Are Already Available on Live CDs
      9. Best Practices: Testing and Reporting
      10. Chapter Summary
      11. Key Concepts and Terms
      12. Chapter 13 Assessment
    4. Chapter 14 Detecting and Responding to Security Breaches
      1. Performing Regular Performance Audits
        1. The Basic Tools: ps and top
        2. The System Status Package
        3. For Additional Analysis
      2. Making Sure Users Stay Within Secure Limits
        1. Appropriate Policies
        2. Education
        3. User Installation of Problematic Services
      3. Logging Access into the Network
        1. Identifying Users Who Have Logged In
        2. System Authentication Logs
      4. Monitoring Account Behavior for Security Issues
        1. Downloaded Packages and Source Code
        2. Executable Files
      5. Creating an Incident Response Plan
        1. Increased Vigilance
        2. Should You Leave the System On?
        3. Acquiring the Memory Contents
      6. Having Live Linux CDs Ready for Forensics Purposes
        1. Helix Live Response
        2. SANS Investigative Forensics Toolkit
        3. Digital Evidence and Forensics Toolkit
        4. Build Your Own Media
        5. Forensic Live Media
      7. When You Put Your Plan into Action
        1. Confirming the Breach
        2. Identifying Compromised Systems
        3. Having Replacement Systems in Place
      8. Secure Backup and Recovery Tools
        1. Disk Images for Later Investigation
        2. The rsync Command
        3. Mount Encrypted Filesystems
      9. The Right Way to Save Compromised Data as Evidence
        1. Basic Principles for Evidence
        2. Remembering the Volatile Data
        3. Preserving the Hard Disks
      10. Disaster Recovery from a Security Breach
        1. Determining What Happened
        2. Prevention
        3. Replacement
      11. How and When to Share with the Open Source Community
        1. If the Security Issue Is Known…
        2. If the Security Issue Has Not Been Reported…
      12. Best Practices: Security Breach Detection and Response
      13. Chapter Summary
      14. Key Concepts and Terms
      15. Chapter 14 Assessment
    5. Chapter 15 Best Practices and Emerging Technologies
      1. Maintaining a Gold Baseline
        1. Monitoring Security Reports
        2. Working Through Updates
        3. Recalibrating System Integrity
      2. Ensuring Availability with Redundancy
        1. A Gold Physical Baseline
        2. A Gold Virtual Baseline Host
      3. Identifying Your Support Options
        1. Red Hat Support Options
        2. Canonical Support Options
        3. Open Source Community Support
      4. Checking Compliance with Security Policies
        1. User Security
        2. Administrator Security
      5. Keeping the Linux Operating System Up to Date
        1. Baseline Updates
        2. Functional Bugs
        3. New Releases
      6. Keeping Distribution-Related Applications Up to Date
        1. Server Applications
        2. Desktop Applications
      7. Managing Third-Party Applications
        1. Licensing Issues
        2. Support Issues
      8. Sharing Problems and Solutions with the Community
        1. Which Community?
        2. Sharing with Developers
        3. Sharing on Mailing Lists
      9. Testing New Components Before Putting Them into Production
        1. Testing Updates
        2. Documenting Results
        3. Beta Testing
      10. Keeping Up with Security on Your Systems
        1. A New Firewall Command
        2. More Mandatory Access Controls
        3. Penetration-Testing Tools
        4. Single Sign-On
        5. Incident Response
      11. Chapter Summary
      12. Key Concepts and Terms
      13. Chapter 15 Assessment
  11. Appendix A Answer Key
  12. Appendix B Standard Acronyms
  13. Glossary of Key Terms
  14. References
  15. Index

Product information

  • Title: Security Strategies in Linux Platforms and Applications, 2nd Edition
  • Author(s): Michael Jang, Ric Messier
  • Release date: October 2015
  • Publisher(s): Jones & Bartlett Learning
  • ISBN: 9781284090666