Linux Hardening
Linux Hardening: Locking Down Linux To Increase Security
’s-Hertogenbosch, 1 March 2016, Meetup: Den Bosch Linux User Group
Michael Boelen

Goals
1. Learn what to protect
2. Know some strategies
3. Learn tooling
Focus: Linux

Agenda
Today
1. System Hardening
2. Security Auditing
3. Guides and Tools
Bonus: Lynis demo

Michael Boelen
● Open Source Security
○ rkhunter (malware scan)
○ Lynis (security audit)
● 150+ blog posts at Linux-Audit.com
● Founder of CISOfy

System Hardening

Q: What is Hardening?

Q: Why Hardening?

Q: What if we don’t?

Hardening Basics
Hardening
● New defenses
● Existing defenses
● Reduce weaknesses (attack surface)
Photo Credits: http://commons.wikimedia.org/wiki/User:Wilson44691

Myth
After hardening I’m done

Fact
● Security is an ongoing process
● It is never finished
● New attacks = more hardening
○ POODLE
○ Heartbleed

Hardening
What to harden?
● Operating System
● Software + Configuration
● Access controls
Hardening
Operating System
● Packages
● Services
● Configuration
Hardening
Software
● Minimal installation
● Configuration
● Permissions
Hardening
Access Controls
● Who can access what
● Password policies
● Accountability
Hardening
Encryption
● Good: Encryption solves a lot
● Bad: Knowledge required
● Ugly: Easy to forget, or do it incorrectly
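The areas listed above (software configuration, permissions, access controls) each come down to concrete settings that can be checked. The script below is an added example for this transcript, not code from the slides or from Lynis: it implements one check per area as a POSIX shell function that takes the file or directory to inspect as an argument, so it can be pointed at a live /etc or at copies. The paths under /etc, the directory scanned for world-writable files and the 90-day password-age limit are assumptions, and the fixture files it can generate are constructed.

```sh
#!/bin/sh
# Added example for this transcript (not from the slides or from Lynis):
# one concrete check per hardening area. Every check takes the file or
# directory to inspect as an argument, so it runs against a live /etc or
# against copies. Paths under /etc and the 90-day limit are assumptions.

# --- Software configuration: sshd_config --------------------------------
# Print the effective value of a directive in lower case, or "unset".
# sshd honours the FIRST occurrence of a directive, so a hardened line
# appended below a permissive one changes nothing; the awk mirrors that.
# Match blocks are ignored (assumption: no conditional overrides).
ssh_option() {
    awk -v key="$2" '
        tolower($1) == tolower(key) && val == "" { val = tolower($2) }
        END { print (val == "" ? "unset" : val) }' "$1"
}

# Return 0 when root login and password authentication are both disabled.
check_sshd() {
    rc=0
    root=$(ssh_option "$1" PermitRootLogin)
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "WARN sshd: PermitRootLogin is '$root', set it to 'no'"; rc=1 ;;
    esac
    pw=$(ssh_option "$1" PasswordAuthentication)
    if [ "$pw" != "no" ]; then
        echo "WARN sshd: PasswordAuthentication is '$pw', use keys only"
        rc=1
    fi
    return $rc
}

# --- Permissions: world-writable files ----------------------------------
# List regular files below $1 (same filesystem) that anyone may modify and
# return 1 if there are any: a privileged service or cron job that later
# runs such a file executes whatever an unprivileged user put there.
check_world_writable() {
    found=$(find "$1" -xdev -type f -perm -0002 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | sed 's/^/WARN world-writable: /'
    return 1
}

# --- Access controls: password ageing in login.defs ---------------------
# Return 0 when PASS_MAX_DAYS is set and no larger than $2. The usual
# default of 99999 effectively disables expiry.
check_password_aging() {
    days=$(awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }' "$1")
    case "$days" in
        ''|*[!0-9]*) echo "WARN login.defs: PASS_MAX_DAYS is not set"; return 1 ;;
    esac
    if [ "$days" -gt "$2" ]; then
        echo "WARN login.defs: PASS_MAX_DAYS is $days, limit is $2"
        return 1
    fi
    return 0
}

# Run every check; the return value is the number of failed checks.
# $1 = sshd_config  $2 = login.defs  $3 = directory to scan
run_checks() {
    failures=0
    check_sshd "$1"              || failures=$((failures + 1))
    check_password_aging "$2" 90 || failures=$((failures + 1))
    check_world_writable "$3"    || failures=$((failures + 1))
    echo "checks failed: $failures"
    return $failures
}

# Constructed fixtures that fail all three checks: a permissive sshd_config,
# the 99999-day default, and one world-writable script.
make_weak_fixtures() {
    printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$1/sshd_config"
    printf 'PASS_MAX_DAYS\t99999\n' > "$1/login.defs"
    chmod 644 "$1/sshd_config" "$1/login.defs"
    : > "$1/deploy.sh" && chmod 666 "$1/deploy.sh"
}

# sh harden-check.sh --demo    run against the constructed fixtures
# sh harden-check.sh --system  run against the live system (assumed paths)
case "${1:-}" in
    --demo)   d=$(mktemp -d); make_weak_fixtures "$d"; run_checks "$d/sshd_config" "$d/login.defs" "$d"; rm -rf "$d" ;;
    --system) run_checks /etc/ssh/sshd_config /etc/login.defs /usr/local/bin ;;
esac
```

The first-occurrence rule in `ssh_option` is the practical caveat: a hardening guide that says "add PermitRootLogin no" is only satisfied when the line comes before (or replaces) any earlier value, which is exactly the kind of mistake a later audit run catches.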
Technical Auditing
Auditing
Why audit?
● Checking defenses
● Assurance
● Quality Control
Common Strategy
1. Audit
2. Get a lot of findings
3. Start hardening
4. …….
5. Quit

Improved Strategy
1. Focus
2. Audit
3. Focus
4. Harden
5. Repeat!

Hardening Resources
Options
● Guides
● Tools (SCAP / Lynis)
● Other resources
Hardening Guides
● Center for Internet Security (CIS)
● NIST / NSA
● OWASP
● Vendors
Hardening Guides
Pros
● Free to use
● Detailed
● You are in control
Cons
● Time intensive
● Usually no tooling
● Limited distributions
● Delayed releases
● Missing follow-up

Tooling
Tools
Tools make life easier, right?
Not always...
Tools
Problem:
There aren’t many good tools
Tools
Cause 1: Usually outdated
Tools
Cause 2: Limited in their support
Tools
Cause 3: Hard to use
Tool 1: SCAP
SCAP
● Security
● Content
● Automation
● Protocol
SCAP
Combination of:
● Markup
● Rules
● Tooling
● Scripts

SCAP features
● Common Vulnerabilities and Exposures (CVE)
● Common Configuration Enumeration (CCE)
● Common Platform Enumeration (CPE)
● Common Vulnerability Scoring System (CVSS)
● Extensible Configuration Checklist Description Format (XCCDF)
● Open Vulnerability and Assessment Language (OVAL)
Starting with SCAP version 1.1
● Open Checklist Interactive Language (OCIL) Version 2.0
Starting with SCAP version 1.2
● Asset Identification
● Asset Reporting Format (ARF)
● Common Configuration Scoring System (CCSS)
● Trust Model for Security Automation Data (TMSAD)

Complexity?
List of Tables (Common Configuration Scoring System (CCSS)):
Table 1. Access Vector Scoring Evaluation
Table 2. Authentication Scoring Evaluation
Table 3. Access Complexity Scoring Evaluation
Table 4. Confidentiality Impact Scoring Evaluation
Table 5. Integrity Impact Scoring Evaluation
Table 6. Availability Impact Scoring Evaluation
Table 7. General Exploit Level Scoring Evaluation
Table 8. General Remediation Level Scoring Evaluation
Table 9. Local Vulnerability Prevalence Scoring Evaluation
Table 10. Perceived Target Value Scoring Evaluation
Table 11. Local Remediation Level Scoring Evaluation
Table 12. Collateral Damage Potential Scoring Evaluation

SCAP Overview
Pros
● Free to use
● Focused on automation
Cons
● Limited distributions
● Complexity
● Hard to customize

Tool 2: Lynis
![Page 47: Linux Hardening](https://reader030.fdocuments.us/reader030/viewer/2022020103/589b17b51a28abc1148b5c35/html5/thumbnails/47.jpg)
Lynis
47
![Page 48: Linux Hardening](https://reader030.fdocuments.us/reader030/viewer/2022020103/589b17b51a28abc1148b5c35/html5/thumbnails/48.jpg)
Lynis
Goals
● In-depth security scan
● Quick and easy to use
● Define next hardening steps

Lynis
Background
● Since 2007
● Goals
○ Flexible
○ Portable

Lynis
Open Source Software
● GPLv3
● Shell
● Community

Lynis
Simple
● No installation needed
● Run with just one parameter
● No configuration needed

Lynis
Flexibility
● No dependencies*
● Can be easily extended
● Custom tests
* Besides common tools like awk, grep, ps

Lynis
Portability
● Run on all Unix platforms
● Detect and use “on the go”
● Usable after OS version upgrade

How it works
1. Initialise
2. OS detection
3. Detect binaries
4. Run helpers/plugins/tests
5. Show report

Running
1. lynis
2. lynis audit system
3. lynis audit system --quick
4. lynis audit system --quick --quiet
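With `--quick --quiet` the useful output is not the screen but the machine-readable report Lynis writes (by default /var/log/lynis-report.dat: one key=value per line, including hardening_index=, warning[]= and suggestion[]= entries whose fields are separated by |). The functions below are an added example, not part of the slides or of Lynis itself: they summarise such a file and turn it into a pass/fail gate for a cron job or CI step, which is what "perform regular checks" looks like in practice. The report path is an assumption about the default, and the sample report is constructed: its test identifiers and texts illustrate the layout and are not verbatim Lynis output.

```sh
#!/bin/sh
# Added example: summarise a Lynis report-data file and gate on the result.
# Assumes the key=value layout of /var/log/lynis-report.dat. Not from the
# slides and not part of Lynis.

# Print the hardening index (0-100), or 0 when the report has none.
lynis_index() {
    sed -n 's/^hardening_index=//p' "$1" | head -n 1 | grep -E '^[0-9]+$' || echo 0
}

# Print warnings or suggestions ($2 = warning|suggestion), one per line as
# "TEST-ID: text [details]". Fields in the report are separated by '|'.
lynis_findings() {
    sed -n "s/^$2\[\]=//p" "$1" | awk -F'|' '{
        printf "%s: %s", $1, $2
        if ($3 != "" && $3 != "-") printf " [%s]", $3
        print ""
    }'
}

# Return 0 only when the report has no warnings and the index is at least $2.
# Suggestions are printed for follow-up but do not fail the gate: pick the
# next few to work on (the "focus" step), rather than everything at once.
lynis_gate() {
    index=$(lynis_index "$1")
    warnings=$(lynis_findings "$1" warning | grep -c . || true)
    rc=0
    if [ "$warnings" -gt 0 ]; then
        echo "FAIL: $warnings warning(s)"
        lynis_findings "$1" warning | sed 's/^/  /'
        rc=1
    fi
    if [ "$index" -lt "$2" ]; then
        echo "FAIL: hardening index $index is below $2"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: hardening index $index, no warnings"
    echo "suggestions to work on next:"
    lynis_findings "$1" suggestion | sed 's/^/  /'
    return $rc
}

# Constructed sample in the report layout (identifiers and texts are
# illustrative, not verbatim Lynis output).
make_sample_report() {
    cat > "$1" <<'EOF'
hardening_index=65
warning[]=AUTH-9283|Non-unique UIDs found in /etc/passwd|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
suggestion[]=AUTH-9286|Configure password ageing in /etc/login.defs|-|-|
EOF
}

# Usage after a real run (assumed default report path):
#   lynis audit system --quick --quiet && lynis_gate /var/log/lynis-report.dat 70
# Usage against the constructed sample:
#   sh lynis-gate.sh --demo
if [ "${1:-}" = "--demo" ]; then
    r=$(mktemp); make_sample_report "$r"; lynis_gate "$r" 70; rm -f "$r"
fi
```

Gating on warnings plus a minimum index, while only listing suggestions, keeps the "common strategy" failure mode (hundreds of findings, then giving up) out of the pipeline: the threshold can be raised a few points after each hardening round.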
Demo?
Conclusions
1. Know your crown jewels (properly)
2. Determine hardening level
3. Perform regular checks
You finished this presentation
Success!
Learn more?
Follow
● Blog Linux Audit (linux-audit.com)
● Twitter @mboelen
This presentation can be found on michaelboelen.com