Linux Security Baseline Implementation Efforts at the INL Jason Miller NLIT 2009.
Linux Security Baseline Implementation Efforts at the INL
Jason Miller
NLIT 2009

Linux Minimum Security Configurations
• Informational
  – Some Numbers
  – Project Specific Stuff
  – General Information
• Technical
  – In-depth how it works
  – Some Gotchas
  – If I could do it over…

INL’s IT By The Numbers
• 12,000 IT Devices owned by INL
• 9,000 Devices on the Network
• 5,500 Desktop & Laptop Computers
• Windows Shop (85% Windows, 9% Macs, 6% Linux)

Linux Install Base
SuSE 80%
Ubuntu 12%
RHE 7%
Gentoo 1%

Information Security Is Paramount
• 45% of all internet servers POSIX based – www.netcraft.com
• Hard drive Storage Capacities

Why Do We Have Linux Users?
• High Performance Computing
• GPL/GNU Available software (Open Source)
• More Control of their own PCs
• Want to be cool!

Who’s Responsible For What?
• Managed Devices
  – Patches, Vulnerability Scans, Upgrades…
• Self-Managed Devices
  – Require more in-depth support
  – Might be Rev-locked
• Collaboration… little of both
  – Linux users that have no time to manage their PCs

Linux Minimum Security Configuration Project Goals
• Primary Goals
  – Verify Compliance level
  – Apply necessary changes
  – Report to some kind of database
• While keeping in mind:
  – Modular (upgradable, easily expandable)
  – Platform Diversity
  – User Friendly

End User Responses
• As we expected they were wary…
  – Will I lose root privileges?
  – Will this slow my PC down?
  – If I do this, will you people promise to leave me alone forever…
• MSCs were demonstrated and our users responded
  – Provided multiple implementation suggestions
  – Received Kudos

Linux Minimum Security Configuration Project Build Time
• MSC Installer & Individual MSC scripts
  – 360 Hours, One individual
• Reporting Database
  – 15 Hours, One individual
• Additional hours:
  – MSC Installer add-ons to suit our customer’s needs
  – Chronological adjustments (crontab)
  – Diverse Platforms require modifications to code

Linux Minimum Security Configuration Installer
• Simple BASH scripting
• Easy to understand
• User can opt-out

Linux Minimum Security Configuration Installer – For the Technicians
• Quick Installer
• Allows for on the fly modifications

Reporting
• An IT perspective
  – PCs report daily
  – Compliance history

User Friendly
• It’s more than just a benchmark
  – Keeps the PC compliant
  – Several runtime methods to choose from
  – Non-intrusive, helpful information pop-ups
Enforce Mode
Verify Mode

Modular Code
• Installer invokes individual MSC script
• MSC scripts apply/verify settings
• Installer invokes next individual MSC script
• When all MSC scripts are complete, the installer sends off the report

Individual MSC scripts in-depth
• There are two types of MSC scripts
  – Configure Services
    • chkconfig
    • sysvconfig, runlevel, /etc/rc2.d… (Ubuntu)
  – Modify Configuration files
    • awk, sed, grep…

Gotchas!
• Platform differences
• Third party application dependencies
• Delivery methods had to meet MSC compliance
• Exceptions to the CIS benchmarks
  – esound
  – cups
  – …

Spin-Off Projects
– Let’s use LANDesk!
– We’re already using LANDesk for 85% of our install base
– Perform extremely detailed queries

Spin-off Projects
– Quest Authentication Services (aka Vintela or VAS)
– Brings Linux into Active Directory
– Centralized management tool
– Another way to distribute MSC scripts

If I Could Do It Over Again
• ‘Configuration file code’ could be more modular
  – What configuration file do you have in mind? – sshd.conf
  – What do you want me to find? – Protocol 1
  – OK, what do I change it to – Protocol 2 (all as a variable)
• Include a definitions file for all text based responses
  – A centralized file for all grammar used in the scripts
• Better package management… somehow
  – Negate the need for a user to satisfy dependencies
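
The "all as a variable" idea from this slide, combined with the verify and enforce modes mentioned earlier, as an added example that is not code from the presentation or from INL. The function names, the `file|key|value` rule format and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: one data-driven rule function instead of a script per setting.
# msc_config_rule, run_rules and the "file|key|value" rule format are hypothetical.

# msc_config_rule MODE FILE KEY WANT -> prints compliant|noncompliant|fixed|error
#   verify  : report only, FILE is never modified
#   enforce : rewrite FILE so that exactly one active "KEY WANT" line remains
# Assumes whitespace-separated "Key value" lines with "#" comments.
msc_config_rule() {
    mode=$1 file=$2 key=$3 want=$4
    [ -f "$file" ] || { echo error; return 2; }
    # Compliant only if the key is set and no active line disagrees, so the
    # result does not depend on whether the daemon honours first or last match.
    state=$(awk -v k="$key" -v w="$want" '
        tolower($1) == tolower(k) { n++; if ($2 != w) bad++ }
        END { if (n && !bad) print "compliant"; else print "noncompliant" }' "$file")
    [ "$state" = compliant ] && { echo compliant; return 0; }
    [ "$mode" = enforce ] || { echo noncompliant; return 1; }
    tmp=$(mktemp "$file.XXXXXX") || { echo error; return 2; }
    awk -v k="$key" -v w="$want" '
        tolower($1) == tolower(k) { if (!seen++) print k " " w; next }
        { print }
        END { if (!seen) print k " " w }' "$file" > "$tmp" &&
        cp -p "$file" "$file.msc-bak" &&   # backup before touching the original
        cat "$tmp" > "$file"               # overwrite in place: keeps owner and mode
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && echo fixed || { echo error; return 2; }
}

# run_rules MODE RULES_FILE -> one report line per rule; non-zero if any rule failed
run_rules() {
    rmode=$1 rules=$2 fail=0
    while IFS='|' read -r rfile rkey rwant; do
        [ -n "$rfile" ] || continue
        status=$(msc_config_rule "$rmode" "$rfile" "$rkey" "$rwant") || fail=1
        echo "$rfile|$rkey|$rwant|$status"
    done < "$rules"
    return "$fail"
}

# Constructed demo: a throwaway file stands in for the SSH daemon configuration.
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' 'Port 22' 'Protocol 1' > "$demo/sshd.conf"
printf '%s\n' "$demo/sshd.conf|Protocol|2" "$demo/sshd.conf|PermitRootLogin|no" > "$demo/rules"
run_rules verify  "$demo/rules" || true   # reports noncompliant, changes nothing
run_rules enforce "$demo/rules" || true   # reports fixed
run_rules verify  "$demo/rules"           # reports compliant
rm -rf "$demo"
```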

Questions
Jason Miller
Desktop Management
Idaho National Laboratory
Email: [email protected]