Securing Linux Systems Before Deployment

Similar documents
RedHat Certified Engineer

Operating System Security. 0Handouts: Quizzes ProsoftTraining All Rights Reserved. Version 3.07

LINUX ADMINISTRATION TYBSC-IT SEM V

Linux Administration

Security Design in. Avaya Aura Presence Services. Release 5.2. Issue 1

TELE 301 Lecture 8: Post

SERVER HARDENING CHECKLIST

California State Polytechnic University, Pomona. Server and Network Security Standard and Guidelines

Introduction to UNIX/LINUX Security. Hu Weiwei

10 Defense Mechanisms

Network security session 9-2 Router Security. Network II

Advanced Security Measures for Clients and Servers

Strategic Infrastructure Security

Why secure the OS? Operating System Security. Privilege levels in 80X86 processors. The basis of protection: Seperation. Privilege levels - A problem

Pre-Assessment Answers-1

Forescout. Configuration Guide. Version 3.5

Veritas NetBackup Appliance Security Guide

HP-UX Security I. Ideal candidate for this course Experienced system and network administrators responsible for securing and monitoring HP-UX systems

Configuring the Cisco NAM 2220 Appliance

Securing CS-MARS C H A P T E R

Course Outline: Linux Professional Institute-LPI 202. Learning Method: Instructor-led Classroom Learning. Duration: 5.00 Day(s)/ 40 hrs.

VII. Corente Services SSL Client

HP ArcSight Port and Protocol Information

Overview of the Cisco NCS Command-Line Interface

MsActivator (VSOC 8.2) Administration Guide

Integrating Hitachi ID Suite with WebSSO Systems

Inspection of Router-Generated Traffic

Control Center Planning Guide

IBM Tivoli Directory Server

Information System Audit Engr. Abdul-Rahman Mahmood MS, PMP, MCP, QMR(ISO9001:2000)

Linux Security & Firewall

Sysgem Enterprise Manager

Network Working Group. Category: Informational July 1997

IT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

macos Security Checklist:

Chapter 4. Network Security. Part II

SUN SOLARIS. Course Catalog

IBM AIX Operating System Courses

Global Information Assurance Certification Paper

Linux for UNIX Administrators

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Extended ACL Configuration Mode Commands

UNIX/Linux Auditing. Baccam Consulting, LLC Training Events

User and System Administration

CSE 565 Computer Security Fall 2018

Locking down a Hitachi ID Suite server

Veritas NetBackup Appliance Security Guide

CounterACT Syslog Plugin

Control Center Planning Guide

Operating system security models

IBM Tivoli Identity Manager V5.1 Fundamentals

50+ Incident Response Preparedness Checklist Items.

UDP-based Amplification Attacks and its Mitigations

Network Configuration Example

Sair 3X Linux Security, Privacy and Ethics (Level 1)

Symantec Enterprise Security Manager Baseline Policy Manual for CIS Benchmark. AIX 5.3 and 6.1

Contents at a Glance COPYRIGHTED MATERIAL. Introduction...1 Part I: Becoming Familiar with Enterprise Linux...7

a. UTRGV owned, leased or managed computers that fall within the regular UTRGV Computer Security Standard

Selecting Software Packages for Secure Database Installations

Preface to the First Edition Preface to the Second Edition Acknowledgments UNIX Operating System Environment p. 1 UNIX: Past and Present p.

Standard Req # Requirement D20MX Security Mechanisms D20ME II and Predecessors Security Mechanisms

10 FOCUS AREAS FOR BREACH PREVENTION

Granular Protocol Inspection

SYLLABUS. Title: Unix Network Administration II

Numerics INDEX. 2.4-GHz WMIC, contrasted with 4.9-GHz WMIC g 3-6, x authentication 4-13

VERTIV. Avocent ACS8xxx Advanced Console System Release Notes VERSION 2.4.2, AUGUST 24, Release Notes Section Outline. 1 Update Instructions

2 SCANNING, PROBING, AND MAPPING VULNERABILITIES

Security Guidelines. OVOC Product Suite OVOC. Version 7.6

Subtitle: Join Sun Solaris Systems to Active Directory with Likewise

Security Guidelines. AudioCodes One Voice Operations Center Product Suite OVOC. Version 7.4

Unit 2: Manage Files Graphically with Nautilus Objective: Manage files graphically and access remote systems with Nautilus

Case Studies in Access Control

INSE 6130 Operating System Security

SA2 v6 Linux System Administration II Net Configuration, Software, Troubleshooting

Security for All Jaqui Lynch

Symantec Enterprise Security Manager Baseline Policy Manual for CIS Benchmark. For Red Hat Enterprise Linux 5

File Services. File Services at a Glance

1Z Oracle Linux 5 and 6 System Administration Exam Summary Syllabus Questions

Oracle Diameter Signalling Router (DSR) Security Guide

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

How to Use This Lab Manual

GSS Administration and Troubleshooting

HP-UX Security H3541S

Case Study: Access Control. Steven M. Bellovin October 4,

Secure Configuration Guide for Oracle9iR2

EMS, SEM and IP Phone Manager

IT Services IT LOGGING POLICY

jk0-022 Exam Questions Demo CompTIA Exam Questions jk0-022

FUJITSU Server PRIMEQUEST 2000 Series Linux Design Guide -Red Hat Enterprise Linux-

macos Security Checklist:

IPM Secure Hardening Guidelines

How to Secure SSH with Google Two-Factor Authentication

Symantec Enterprise Security Manager Baseline Policy Manual for Security Essentials. Solaris 10

Platform Settings for Classic Devices

Table of Contents. Page 1 of 6 (Last updated 27 April 2017)

ADempiere Community Document. Virtual Appliance 3.5.3a

CompTIA SY CompTIA Security+

Chapter 2. Switch Concepts and Configuration. Part II

ITEM Y N N/A 1. ACCOUNT ADMINISTRATION 2. SYSTEM ADMINISTRATION

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Transcription:

Securing Linux Systems Before Deployment Richard Williams Senior Support Services Specialist Symark

Why secure Linux systems? Your Linux enterprise installation is growing Assets on Linux systems are becoming increasingly more valuable as enterprise applications support Linux Current organizational security plans do not necessarily address Linux-specific concerns, although Linux may be on their IT roadmap Emerging financial audit requirements do not specifically address Linux Regulatory and legislative regulations do not specifically address Linux 2

The Increasing Importance of Linux Security What are the information assets you would least like to lose? 3

Information Security Requires Executive Direction Executive Staff should establish overall direction in protecting assets Establish Standards of Conduct for maintaining information security Information Management: should correspond to regulatory requirements Name and description of data Responsible department Required length of storage Information Asset Clarification: classification level and owner Should identify what is and is not allowed outside of the organization Should include merits as well as disciplinary actions 4

Introductory Security Planning Before Deployment Understand departmental needs e.g., R&D needs secure remote access, legal needs to securely dispose of digital information Identify one internal source for policy ownership Typically different departments have their own policies causing inconsistencies Should always be Information Security Department Centralized information security training Consistency is absolutely essential as the organization gets larger Any department (HR) can do the training as long as IS is the publisher of the policies Buy in from above Executive champion to give policies weight 5

Detailed Security Planning Efforts Diagram the who, what, when, where, and why for system access by users Include commands allowed per user (or group) Include access methods allowed per user (or group) 6

Detailed Security Planning Efforts 7

Layered Security Approach to Linux Physical Security Network Layer Security Operating System Layer Security OS Configurations & Patches User Accounts and Passwords Access Control Application Security Complement layers with detailed Audit Trails uid/processes rpm/patches User-specific audits for accountability Physical Security Network & Perimeter Applications Linux OS 8

Physical Security Server rooms have limited access On/off keys removed from servers Racks closed and locked Makes it more difficult to create a denial of service condition for a system simply by powering it off Even if an intruder gains access to the server room, they cannot gain single-user root access by power cycling a system with a local terminal plugged into a console port Systems with consoles attached should be logged off, and systems with multi-console switches should be checked for any open sessions 9

Network Security Disable all unnecessary network services Often inetd/xinetd.conf comes with many services enabled that are never used, or that have secure alternatives Examples: echo, chargen, daytime, discard, talk Can use netstat or lsof to identify other open default services Disable telnet, FTP, TFTP, r-commands, and imap/pop Install SSH (www.openssh.org) Configure so that both the ssh client and server are running only SSH protocol 2 SSH removes the need for any of the default inet services discussed above, like telnet, FTP, or r-commands 10

Network Security: Install TCP Wrappers ipchains and iptables Configure NTP 11

Network Security ipchains and iptables At first glance, ipchains and iptables appear to be quite similar. Both methods of packet filtering use chains of rules operating within the Linux kernel to decide not only which packets to let in or out, but also what to do with packets that match certain rules. However, iptables offers a much more extensible way of filtering packets, giving the administrator a greater amount of control without building a great deal of complexity into the system. 12

Network Security NTP Network Time Protocol NTP is a protocol designed to synchronize the clocks of computers over a network. NTP version 3 is an internet draft standard, formalized in RFC 1305. NTP version 4 is a significant revision of the NTP standard, and is the current development version, but has not been formalized in an RFC. Simple NTP (SNTP) version 4 is described in RFC 2030. 13

Linux OS Security Install latest OS patches from vendor Minimize or disable unnecessary boot services: Email server GUI login (xdm, cde) X Font server (xfs) Any other unnecessary boot services Samba services NFS daemon and client NIS server and client RPC tools netfs Print daemon Web server SNMP DNS SQL Webmin remote administration Squid web cache services Kudzu hardware detection 14

Linux OS Security Kernel Tuning Disable core dumps Only required for developers systems; protect system information that may be contained therein Restrict NFS client requests to only privileged ports Blocks potential attacks while maintaining normal NFS activities Network Parameter Modifications Re-route default IP traffic routes 15

Access Control: Securing User Accounts Disable infrequently used and orphaned accounts Verify no accounts with empty password fields Verify no UID 0 accounts exist other than root Verify no legacy "+" entries exist in passwd, shadow, and group files User home directories should be mode 750 or more restrictive No user dot-files should be group/world writable Remove user.netrc files Set default umask for users Remove unnecessary psuedo acocunts 16

Access Control: Securing Passwords & Login Employ shadow passwords Password encryption Password aging Set LILO/GRUB password Secure single user access Password security using PAM modules Define specific character set requirements Length, alphanumeric characters, punctuations, case Account lockout on 3 or more failed login attempts Use Dictionary (or other list) checking Password history and reuse Many other PAM modules available at: http://www.kernel.org/pub/linux/libs/pam/modules.html. 17

Access Control on Linux: Securing Login Access Control Banner warnings at login Restrict root login to local console Force remote users to login as themselves before su Remove.rhosts support in /etc/pam.conf Restricts remote logins via PAM 18

Access Control on Linux: Securing Directories and Files Secure configurations for root and generic accounts Disallow direct logins; require su Find unauthorized SUID/SGID system executables Set sticky bit for user file access Disable group and outside file access permissions Develop and implement ACLs Determine what level of access is appropriate 19

Securing Applications Patches Update open source applications like Apache and SendMail to close known security holes Generic accounts Eliminate if possible Ensure no hard coded accounts/passwords in programs Logging Create a separate, secured log server with limited access Always encrypt logs 20

System Logging Capture messages sent to syslog AUTHPRIV Captures su attempts, failed login attempts and root logins Capture detailed FTP daemon logs (when using FTP) Confirm permissions on system log files Protect these files from persons that should not view them 21

About Symark UNIX/Linux security experts Founded in 1985 Large installed customer base of Global 2000 enterprises Technical Alliances with HP, IBM, Sun, RedHat Affiliations with SANS, CSI, MISTI 22

Symark Provides Access Control Solutions Across UNIX/Linux Platforms Centralized UNIX/Linux user account management Detailed host login access control Password security policies Aging & history Define character sets Random and one-time passwords Reset & synchronization Manage inactive/orphan accounts Account lock out SSH integration Detailed logs No kernel modifications Delegate root privileges Delegate any account (e.g. Oracle) privilege Restrict access to 3rd party applications (e.g. CRM, ERP) Control access to files & directories Keystroke logging Central administration of uniform security policies 23

This is a standard quote slide type your quoted content inside the quotation marks. Jordan Doe CIO, ABC Company

Co-produced by:

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback