Linux Hardening
Locking Down Linux To Increase Security
Michael Boelen, michael.boelen@cisofy.com
's-Hertogenbosch, 1 March 2016
Meetup: Den Bosch Linux User Group

Goals
1. Learn what to protect
2. Know some strategies
3. Learn tooling
Focus: Linux

Agenda
Today
1. System Hardening
2. Security Auditing
3. Guides and Tools
Bonus: Lynis demo

Michael Boelen
  Open Source Security
  rkhunter (malware scan)
  Lynis (security audit)
  150 blog posts at Linux-Audit.com
  Founder of CISOfy
System Hardening
Q: What is Hardening?
Q: Why Hardening?
Q: What if we don’t?
Hardening Basics
Hardening
  New defenses
  Existing defenses
  Reduce weaknesses (attack surface)

Myth
After hardening I'm done
Fact
  Security is an ongoing process
  It is never finished
  New attacks -> more hardening (POODLE, Heartbleed)
Hardening
What to harden?
  Operating System
  Software
  Configuration
  Access controls

Hardening: Operating System
  Packages
  Services
  Configuration

Hardening: Software
  Minimal installation
  Configuration
  Permissions

Hardening: Access Controls
  Who can access what
  Password policies
  Accountability

Hardening: Encryption
  Good: encryption solves a lot
  Bad: knowledge required
  Ugly: easy to forget, or to do it incorrectly
Technical Auditing
Auditing
Why audit?
  Checking defenses
  Assurance
  Quality control

Common Strategy
1. Audit
2. Get a lot of findings
3. Start hardening
4. ...
5. Quit

Improved Strategy
1. Focus
2. Audit
3. Focus
4. Harden
5. Repeat!
Hardening Resources
Options
  Guides
  Tools (SCAP / Lynis)
  Other resources

Hardening Guides
  Center for Internet Security (CIS)
  NIST / NSA
  OWASP
  Vendors

Hardening Guides
Pros:
  Free to use
  Detailed
  You are in control
Cons:
  Time intensive
  Usually no tooling
  Limited distributions
  Delayed releases
  Missing follow-up
Tooling
Tools
Tools make life easier, right? Not always.

Tools
Problem: there aren't many good tools

Tools
Cause 1: usually outdated

Tools
Cause 2: limited in their support

Tools
Cause 3: hard to use
Tool 1: SCAP
SCAP: Security Content Automation Protocol

SCAP
Combination of:
  Markup
  Rules
  Tooling
  Scripts

SCAP features
  Common Vulnerabilities and Exposures (CVE)
  Common Configuration Enumeration (CCE)
  Common Platform Enumeration (CPE)
  Common Vulnerability Scoring System (CVSS)
  Extensible Configuration Checklist Description Format (XCCDF)
  Open Vulnerability and Assessment Language (OVAL)
Starting with SCAP version 1.1:
  Open Checklist Interactive Language (OCIL) version 2.0
Starting with SCAP version 1.2:
  Asset Identification
  Asset Reporting Format (ARF)
  Common Configuration Scoring System (CCSS)
  Trust Model for Security Automation Data (TMSAD)

Complexity?
List of tables in the Common Configuration Scoring System (CCSS) specification:
  Table 1. Access Vector Scoring Evaluation
  Table 2. Authentication Scoring Evaluation
  Table 3. Access Complexity Scoring Evaluation
  Table 4. Confidentiality Impact Scoring Evaluation
  Table 5. Integrity Impact Scoring Evaluation
  Table 6. Availability Impact Scoring Evaluation
  Table 7. General Exploit Level Scoring Evaluation
  Table 8. General Remediation Level Scoring Evaluation
  Table 9. Local Vulnerability Prevalence Scoring Evaluation
  Table 10. Perceived Target Value Scoring Evaluation
  Table 11. Local Remediation Level Scoring Evaluation
  Table 12. Collateral Damage Potential Scoring Evaluation

SCAP Overview
Pros:
  Free to use
  Focused on automation
Cons:
  Limited distributions
  Complexity
  Hard to customize
Tool 2: Lynis
Lynis

Lynis: Goals
  In-depth security scan
  Quick and easy to use
  Define next hardening steps

Lynis: Background
  Since 2007
  Goals: flexible, portable

Lynis: Open Source Software
  GPLv3
  Shell
  Community

Lynis: Simple
  No installation needed
  Run with just one parameter
  No configuration needed

Lynis: Flexibility
  No dependencies*
  Can be easily extended
  Custom tests
  * Besides common tools like awk, grep, ps

Lynis: Portability
  Runs on all Unix platforms
  Detects and uses tools "on the go"
  Usable after OS version upgrade

How it works
1. Initialise
2. OS detection
3. Detect binaries
4. Run helpers/plugins/tests
5. Show report

Running
1. lynis
2. lynis audit system
3. lynis audit system --quick
4. lynis audit system --quick --quiet
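The five phases of the "How it works" slide, and the kind of checks the Access Controls slide asks for (who can access what, accountability), are easy to see in a small script. The one below is an added example written for this page; it is not Lynis code and it does not reproduce any Lynis test. It constructs its own sample sshd_config, passwd file and directory, so it runs offline. The test ids (SSH-0002, FILE-0001, AUTH-0001 and so on) are invented for the example.

```shell
#!/bin/sh
# Added example, not Lynis code: a tiny audit skeleton following the five
# phases from the slide (initialise, OS detection, detect binaries, run
# tests, show report). All test ids below are invented for this example.

# 1. Initialise: result counters and a report buffer
WARNINGS=0
SUGGESTIONS=0
REPORT=""

add_finding() {
    # $1 = level (WARNING or SUGGESTION), $2 = test id, $3 = message
    case "$1" in
        WARNING)    WARNINGS=$((WARNINGS + 1)) ;;
        SUGGESTION) SUGGESTIONS=$((SUGGESTIONS + 1)) ;;
    esac
    REPORT="${REPORT}${1} [${2}] ${3}
"
}

# 2. OS detection: uname exists on every Unix; "unknown" keeps the run going
detect_os() {
    uname -s 2>/dev/null || echo unknown
}

# 3. Detect binaries: a test only runs when the tool it needs is present,
#    which is what keeps a script usable across distributions and upgrades
detect_binary() {
    command -v "$1" >/dev/null 2>&1
}

# 4a. Test: weak settings in an sshd_config-style file. The path is passed
#     in so a constructed file can be audited, not only /etc/ssh/sshd_config.
test_ssh_config() {
    config="$1"
    if [ ! -r "$config" ]; then
        add_finding SUGGESTION SSH-0001 "$config not readable, test skipped"
        return 0
    fi
    if grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$config"; then
        add_finding WARNING SSH-0002 "PermitRootLogin yes: set it to no"
    fi
    if grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' "$config"; then
        add_finding SUGGESTION SSH-0003 "PasswordAuthentication yes: prefer key-based logins"
    fi
}

# 4b. Test: regular files under a directory that anyone may modify
#     (world-writable bit 0002). Count is printed so callers can use it.
count_world_writable() {
    detect_binary find || { echo 0; return 0; }
    find "$1" -type f -perm -0002 2>/dev/null | wc -l | tr -d ' '
}

test_world_writable() {
    n=$(count_world_writable "$1")
    if [ "$n" -gt 0 ]; then
        add_finding WARNING FILE-0001 "$n world-writable file(s) under $1"
    fi
}

# 4c. Test: accounts in a passwd-style file (Access Controls slide):
#     extra UID 0 accounts and empty password fields
test_accounts() {
    passwd="$1"
    for user in $(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$passwd"); do
        add_finding WARNING AUTH-0001 "account $user has UID 0 besides root"
    done
    for user in $(awk -F: '$2 == "" { print $1 }' "$passwd"); do
        add_finding WARNING AUTH-0002 "account $user has an empty password field"
    done
}

# 5. Show report
show_report() {
    printf 'OS: %s\n%s' "$(detect_os)" "$REPORT"
    printf 'Warnings: %d  Suggestions: %d\n' "$WARNINGS" "$SUGGESTIONS"
}

# Stand-alone run against constructed sample input (not a real system)
SAMPLE=$(mktemp -d)
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$SAMPLE/sshd_config"
printf 'root:x:0:0:root:/root:/bin/sh\nadmin2:x:0:0::/home/admin2:/bin/sh\nguest::1001:1001::/home/guest:/bin/sh\n' > "$SAMPLE/passwd"
: > "$SAMPLE/notes.txt" && chmod 666 "$SAMPLE/notes.txt"
test_ssh_config "$SAMPLE/sshd_config"
test_world_writable "$SAMPLE"
test_accounts "$SAMPLE/passwd"
show_report
rm -rf "$SAMPLE"
```

Each test is a function that records findings instead of exiting, so one failing check never hides the others, and the final report separates warnings (fix these) from suggestions (the next hardening step), which mirrors the focus-audit-harden-repeat loop from the strategy slide.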
Demo?
Conclusions
1. Know your crown jewels (properly)
2. Determine hardening level
3. Perform regular checks

Success!
You finished this presentation

Learn more?
  Blog: Linux Audit (linux-audit.com)
  Twitter: @mboelen
This presentation can be found on michaelboelen.com