
How Many Linux Security Layers Are Enough?

A talk about Linux security and the options available to secure your systems. It covers several areas: what is possible, how to select the right security measures, and tips for implementing them.

Subjects covered in the presentation include file integrity (IMA/EVM), containers such as Docker, and virtualization.

The referenced tool Lynis can be downloaded freely from https://cisofy.com/downloads/

Published in: Technology

  1. NLUUG, November 2014. Linux Security: How Many Security Layers are Enough?
     Michael Boelen. Twitter: @mboelen, Google+: +MichaelBoelen, Web: https://cisofy.com, Blog: http://linux-audit.com
  2. whoami: Michael Boelen
     - Founder of CISOfy
     - Open Source developer: Rootkit Hunter and Lynis
     - Passion for Unix security / auditing
     - Blogging about it: Linux-Audit.com
  3. Our Goal of Today: Linux Security: Options, Selection, Implementation, Insights (photo credits: imagebase.net)
  4. Mission: It's all about data..
  5. Mission: Now let's protect it..
  6. Mission: How? Why?
  7. Options
  8. Options: The Kernel
     - Linux Security Modules
     - Namespaces / cgroups / containers
     - Monitoring and File Integrity
     - Interfacing with kernel
  9. Options: Linux Security Modules
     - Hooks
     - LSM = Restrict
     - SELinux / AppArmor / Smack
  10. Options: LSM: Yama
      - Disables or limits ptracing
      - From unlimited to none
      - kernel.yama.ptrace_scope values: 0 → 3
  11. Options: Seccomp
      - Secure computing mode
      - Filters syscalls with BPF
      - Isolation, not virtualization
      - Used in Chrome, OpenSSH, vsftpd, LXD and Mbox
  12. Options: Namespaces
      - Separates parts of the OS
      - PID namespaces
      - User namespaces
      - Network namespaces
  13. Options: Namespaces (cont.)
      - IPC namespaces
      - UTS namespaces (hostname/NIS)
      - Mount namespaces
  14. Options: Control Groups (cgroups)
      - Restrict resources
      - Prioritize
      - Accounting
      - Control
  15. Options: Containers
      - Namespaces and cgroups
      - Is it mature enough?
      - Updates needed!
      (image copyright Docker, Inc)
  16. Options: Monitoring and File Integrity
      - Audit subsystem
      - Tools
      - IMA/EVM
  17. Options: Audit subsystem
      - Developed by Red Hat
      - Files / system calls
      - Monitors the system / file integrity
  18. Options: Audit (example)

      ```
      # Time related calls
      # Note: stime is a 32-bit-only syscall; on x86_64 this rule only loads with
      # -F arch=b32 (or with -S stime removed), so split it per architecture there.
      -a always,exit -S adjtimex -S settimeofday -S stime -k time-change
      -a always,exit -S clock_settime -k time-change
      # Hostname and domain
      -a always,exit -S sethostname -S setdomainname -k system-locale
      # Password files (watch for writes and attribute changes)
      -w /etc/group -p wa -k identity
      -w /etc/passwd -p wa -k identity
      -w /etc/shadow -p wa -k identity
      -w /etc/sudoers -p wa -k identity
      ```
  19. Options: Tools
      - AIDE
      - Samhain
      - Tripwire
  20. Options: IMA
      - Integrity Measurement Architecture
      - Protects file content
      - Hashing / signing
      - Mode: learn or block
  21. Options: IMA
      - Collect → before usage
      - Store → measurements list
      - Attest → for storage with TPM
  25. Options: EVM
      - Extended Verification Module
      - Similar to IMA
      - Protects metadata
  26. Options: IMA/EVM - Setup
      - Run in fix mode
      - Mount fs with iversion and xattr support
      - Set up keys
      - 'Hit' files to hash/sign
      - Reboot
  27. Options: IMA/EVM - Usage
      - Run in appraise mode
      - Mount fs with iversion and xattr support
      - Load keys for IMA/EVM
      - Enable module
      - (check your logs)
  28. Options: Interfacing with kernel
      - Use sysctl
      - Check /proc
      - Look for security: /sys/kernel/security (securityfs needed)
  29. Selection
  30. Selection Method - Basic Hardening
      - Quick and easy
      - Minimal install
      - Limit users/services/network
      - Can be automated
      - Apply to: all machines
  31. Selection Method - Kernel Hardening
      - Quick and easy
      - Sysctl
      - Automate!
      - Apply to: all machines
  32. Selection Method - File Integrity
      - Relatively easy to configure
      - Needs monitoring and follow-up
      - Needs tuning
      - Apply to: web servers, data-sensitive systems
  33. Selection Method - Malware Scanning
      - Easy to configure
      - Needs updates and monitoring
      - Apply to: all systems
  34. Selection Method - Software Hardening
      - Very specific
      - Knowledge required
      - Needs updates (e.g. Poodle)
      - Apply to: all systems
  35. Implementation
  36. Implementation: Resources
      - Guides
      - Tools
      - Automation
  37. Implementation: Guides
      - CIS
      - NSA
      - OS vendor
  38. Implementation: Tools
      - Simplify work
      - Usually better updated
      - Less reading.. :)
  40. Implementation: Lynis
      - Open source, GPLv3
      - Scans within a few minutes
      - Focus on hardening and automation
      - In-depth auditing of Unix/Linux/Mac
  41. Insights
  42. Insights: Start Small
      - New systems
      - Monitor logs
  43. Insights: Manual versus Tools
      - Manual: short term +
      - Automatic: short term -, long term +
  44. Insights: Automation
      - Apply hardening on first boot
      - Use configuration management
      - Discover exceptions quickly
  45. Insights: Remote syslogging
      - Limited effort, much benefit
      - Prevention vs. Detection
      - Monitor your efforts
  46. Insights: Monitoring
      - Audit subsystem = stable
      - Great integration (e.g. systemd, IMA, EVM)
      - Intrusion detection
  47. Insights: File Integrity (IMA/EVM)
      - Audit subsystem supported
      - Not stable yet..
      - Keep an eye on updates
  48. Insights: Assumptions..
      - Do not assume
      - Monitor and audit
      - Security scans
  49. Freebies
      - Check out Linux-Audit.com
      - Audit your systems → Lynis
      - Connect with me: E-mail michael@cisofy.com, Twitter @mboelen, Google+ +MichaelBoelen, Web https://cisofy.com, Blog http://linux-audit.com
  50. Feedback / Questions?
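Slides 10, 28 and 31 put kernel hardening down to sysctl values (kernel.yama.ptrace_scope from 0 to 3) and say to automate it. The following is an added example, not code from the talk or from Lynis: it checks a small baseline against the running kernel and renders the weak keys as a sysctl.d fragment for configuration management. Only ptrace_scope comes from the slides; the other keys in the baseline are an assumption.

```python
"""Kernel-hardening sysctl baseline check, after the Yama ptrace_scope and
"Kernel Hardening: sysctl, automate!" slides. Added example, not from the talk."""
from pathlib import Path

# Minimum acceptable values. kernel.yama.ptrace_scope (0 = any same-uid process
# may ptrace, 1 = descendants only, 2 = CAP_SYS_PTRACE only, 3 = no ptrace at all,
# sticky until reboot) is the key the slides name; the other keys are common
# hardening sysctls assumed here as a baseline, not ones the talk prescribes.
BASELINE = {
    "kernel.yama.ptrace_scope": 1,
    "kernel.kptr_restrict": 1,    # hide kernel pointers from unprivileged users
    "kernel.dmesg_restrict": 1,   # dmesg only with CAP_SYSLOG
    "fs.protected_symlinks": 1,   # symlink/hardlink restrictions in sticky
    "fs.protected_hardlinks": 1,  # world-writable directories
}

def read_sysctl(key, root=Path("/proc/sys")):
    """Read one sysctl via procfs; None if absent (e.g. Yama not built in).
    'root' can be pointed at a fake tree for testing."""
    try:
        return int(root.joinpath(*key.split(".")).read_text().split()[0])
    except (OSError, ValueError, IndexError):
        return None

def check(observed, baseline=BASELINE):
    """Compare {key: value} with the baseline. Returns a list of
    (key, observed, minimum, status) with status 'ok', 'weak' or 'missing'."""
    findings = []
    for key, minimum in baseline.items():
        value = observed.get(key)
        status = "missing" if value is None else ("ok" if value >= minimum else "weak")
        findings.append((key, value, minimum, status))
    return findings

def sysctl_conf(findings):
    """Render the weak keys as a sysctl.d fragment for configuration management.
    Missing keys are not emitted: sysctl cannot set a key the kernel lacks."""
    return "\n".join(f"{k} = {minimum}" for k, _, minimum, status in findings if status == "weak")

if __name__ == "__main__":
    findings = check({key: read_sysctl(key) for key in BASELINE})
    for key, value, minimum, status in findings:
        print(f"{status:8s} {key} = {value} (minimum {minimum})")
    print("\n# suggested /etc/sysctl.d/99-hardening.conf\n" + sysctl_conf(findings))
```

Run it on a new system at first boot and again after updates; a key reported as missing usually means the feature (such as Yama) is not compiled into that kernel, which is itself worth knowing before relying on it.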

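The audit rules on slide 18 tag events with the keys time-change, system-locale and identity, and slides 45 and 46 say to ship the logs off-box and monitor them. What the rules produce is a set of records per event that must be stitched together by the audit(timestamp:serial) stamp before they say anything useful. The following is an added example, not from the talk: it correlates records into events and reports the rule hits, including the login uid (auid) so a change made via sudo is still attributed to the person. The log lines are constructed samples in audit.log format, with made-up inodes, pids and times.

```python
"""Correlate auditd records into events and report hits on the rule keys from the
audit example slide (time-change, system-locale, identity). Added example, not
from the talk; the sample log lines below are constructed, not real captures."""
import re
from collections import defaultdict

MSG_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed records in /var/log/audit/audit.log format: an edit of /etc/shadow
# caught by '-w /etc/shadow -p wa -k identity', and a clock change caught by
# '-a always,exit -S clock_settime -k time-change' (syscall 227 on x86_64).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1415000000.123:4711): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 comm="vipw" exe="/usr/sbin/vipw" key="identity"
type=CWD msg=audit(1415000000.123:4711): cwd="/root"
type=PATH msg=audit(1415000000.123:4711): item=0 name="/etc/" inode=2 nametype=PARENT
type=PATH msg=audit(1415000000.123:4711): item=1 name="/etc/shadow" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1415000000.500:4712): arch=c000003e syscall=227 success=yes exit=0 items=0 ppid=900 pid=1300 auid=1000 uid=0 gid=0 euid=0 comm="date" exe="/usr/bin/date" key="time-change"
type=PROCTITLE msg=audit(1415000000.500:4712): proctitle="date -s 2014-11-20"
"""

def parse_records(text):
    """Group records by serial number. Every record of one event shares the
    msg=audit(timestamp:serial) stamp, which ties PATH records to their SYSCALL."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if m:  # anything else (syslog noise, truncated lines) is skipped
            fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(4))}
            events[int(m.group(3))].append((m.group(1), fields))
    return [{"serial": s, "records": events[s]} for s in sorted(events)]

def summarise(events):
    """One dict per event whose SYSCALL record carries a rule key. auid is the login
    uid (survives su/sudo), uid the effective one; parent-directory PATHs are dropped."""
    hits = []
    for ev in events:
        sc = next((f for t, f in ev["records"] if t == "SYSCALL"), None)
        if not sc or sc.get("key") in (None, "(null)"):
            continue
        paths = [f["name"] for t, f in ev["records"] if t == "PATH" and f.get("nametype") != "PARENT"]
        hits.append({"serial": ev["serial"], "key": sc["key"], "syscall": int(sc["syscall"]),
                     "auid": sc.get("auid"), "uid": sc.get("uid"), "comm": sc.get("comm"),
                     "exe": sc.get("exe"), "success": sc.get("success") == "yes", "paths": paths})
    return hits

if __name__ == "__main__":
    for h in summarise(parse_records(SAMPLE_LOG)):
        print(f"[{h['key']}] serial={h['serial']} auid={h['auid']} uid={h['uid']} {h['exe']} {h['paths']}")
```

Pointing parse_records at the real audit.log (or at the copy received by the remote syslog server) gives the same per-event view that ausearch -k provides, which is the starting point for the follow-up the file-integrity slide asks for.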