Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Linux Hardening

819 views

Published on

So you think the systems at your employer can actually use a little bit more security? Or what about your own system to gain more privacy? In this talk, we discuss the reasons for Linux server and system hardening. First we learn why we should protect our crown jewels, and what can wrong if we ignore information security. Next is getting a better understanding of the possible resources we can use. And since system hardening can be time-consuming, we discuss some tools to help in the system hardening quest.

Published in: Internet
  • Be the first to comment

Linux Hardening

  1. 1. Linux Hardening Locking Down Linux To Increase Security ‘s-Hertogenbosch, 1 March 2016 Meetup: Den Bosch Linux User Group Michael Boelen michael.boelen@cisofy.com
  2. 2. Goals 1. Learn what to protect 2. Know some strategies 3. Learn tooling Focus: Linux 2
  3. 3. Agenda Today 1. System Hardening 2. Security Auditing 3. Guides and Tools Bonus: Lynis demo 3
  4. 4. Michael Boelen ● Open Source Security ○ rkhunter (malware scan) ○ Lynis (security audit) ● 150+ blog posts at Linux-Audit.com ● Founder of CISOfy 4
  5. 5. System Hardening
  6. 6. Q: What is Hardening?
  7. 7. 7
  8. 8. Q: Why Hardening?
  9. 9. Q: What if we don’t?
  10. 10. 11
  11. 11. 12
  12. 12. 13
  13. 13. 14
  14. 14. 15
  15. 15. 16
  16. 16. Hardening Basics
  17. 17. Hardening ● New defenses ● Existing defenses ● Reduce weaknesses (attack surface) 18 Photo Credits: http://commons.wikimedia.org/wiki/User:Wilson44691
  18. 18. Myth After hardening I’m done 19
  19. 19. Fact ● Security is an ongoing process ● It is never finished ● New attacks = more hardening ○ POODLE ○ Hearthbleed 20
  20. 20. Hardening What to harden? ● Operating System ● Software + Configuration ● Access controls 21
  21. 21. Hardening Operating System ● Packages ● Services ● Configuration 22
  22. 22. Hardening Software ● Minimal installation ● Configuration ● Permissions 23
  23. 23. Hardening Access Controls ● Who can access what ● Password policies ● Accountability 24
  24. 24. Hardening Encryption ● Good: Encryption solves a lot ● Bad: Knowledge required ● Ugly: Easy to forget, or do it incorrectly 25
  25. 25. Technical Auditing
  26. 26. Auditing Why audit? ● Checking defenses ● Assurance ● Quality Control 27
  27. 27. Common Strategy 1. Audit 2. Get a lot of findings 3. Start hardening 4. ……. 5. Quit 28
  28. 28. Improved Strategy 1. Focus 2. Audit 3. Focus 4. Harden 5. Repeat! 29
  29. 29. Hardening Resources
  30. 30. Options ● Guides ● Tools (SCAP / Lynis) ● Other resources 31
  31. 31. Hardening Guides ● Center for Internet Security (CIS) ● NIST / NSA ● OWASP ● Vendors 32
  32. 32. Hardening Guides Pros Free to use Detailed You are in control 33 Cons Time intensive Usually no tooling Limited distributions Delayed releases Missing follow-up
  33. 33. Tooling
  34. 34. Tools Tools make life easier, right? Not always... 35
  35. 35. Tools Problem: There aren’t many good tools 36
  36. 36. Tools Cause 1: Usually outdated 37
  37. 37. Tools Cause 2: Limited in their support 38
  38. 38. Tools Cause 3: Hard to use 39
  39. 39. Tool 1: SCAP
  40. 40. SCAP ● Security ● Content ● Automation ● Protocol 41
  41. 41. SCAP Combination of: ● Markup ● Rules ● Tooling ● Scripts 42
  42. 42. SCAP features ● Common Vulnerabilities and Exposures (CVE) ● Common Configuration Enumeration (CCE) ● Common Platform Enumeration (CPE) ● Common Vulnerability Scoring System (CVSS) ● Extensible Configuration Checklist Description Format (XCCDF) ● Open Vulnerability and Assessment Language (OVAL) Starting with SCAP version 1.1 ● Open Checklist Interactive Language (OCIL) Version 2.0 Starting with SCAP version 1.2 ● Asset Identification ● Asset Reporting Format (ARF) ● Common Configuration Scoring System (CCSS) ● Trust Model for Security Automation Data (TMSAD) 43
  43. 43. Complexity? List of Tables (Common Configuration Scoring System (CCSS)) Table 1. Access Vector Scoring Evaluation ..................................................................................8 Table 2. Authentication Scoring Evaluation ..................................................................................9 Table 3. Access Complexity Scoring Evaluation.........................................................................10 Table 4. Confidentiality Impact Scoring Evaluation.....................................................................11 Table 5. Integrity Impact Scoring Evaluation ..............................................................................12 Table 6. Availability Impact Scoring Evaluation ..........................................................................12 Table 7. General Exploit Level Scoring Evaluation.....................................................................13 Table 8. General Remediation Level Scoring Evaluation ...........................................................14 Table 9. Local Vulnerability Prevalence Scoring Evaluation.......................................................15 Table 10. Perceived Target Value Scoring Evaluation ...............................................................15 Table 11. Local Remediation Level Scoring Evaluation..............................................................16 Table 12. Collateral Damage Potential Scoring Evaluation ........................................................17 44
  44. 44. SCAP Overview Pros Free to use Focused on automation 45 Cons Limited distributions Complexity Hard to customize
  45. 45. Tool 2: Lynis
  46. 46. Lynis 47
  47. 47. Lynis Goals ● In-depth security scan ● Quick and easy to use ● Define next hardening steps 48
  48. 48. Lynis Background ● Since 2007 ● Goals ○ Flexible ○ Portable 49
  49. 49. Lynis Open Source Software ● GPLv3 ● Shell ● Community 50
  50. 50. Lynis Simple ● No installation needed ● Run with just one parameter ● No configuration needed 51
  51. 51. Lynis Flexibility ● No dependencies* ● Can be easily extended ● Custom tests * Besides common tools like awk, grep, ps 52
  52. 52. Lynis Portability ● Run on all Unix platforms ● Detect and use “on the go” ● Usable after OS version upgrade 53
  53. 53. How it works 1. Initialise 2. OS detection 3. Detect binaries 4. Run helpers/plugins/tests 5. Show report 54
  54. 54. Running 1. lynis 2. lynis audit system 3. lynis audit system --quick 4. lynis audit system --quick --quiet 55
  55. 55. Demo?
  56. 56. Conclusions 1. Know your crown jewels (properly) 2. Determine hardening level 3. Perform regular checks 57
  57. 57. You finished this presentation Success!
  58. 58. Learn more? Follow ● Blog Linux Audit (linux-audit.com) ● Twitter @mboelen This presentation can be found on michaelboelen.com 59

×