
ITIS 3110 System Hardening


howard




Presentation Transcript


  1. ITIS 3110 System Hardening

  2. system hardening • Act of modifying a system to make it more secure • Protecting against internal and external threats • Usually a balance between security and usability • Where balance is achieved is different for every organization

  3. hardening practices • Removing unneeded privileges, applications, or services • Updating installed packages on a regular basis • Maintaining user lists with up-to-date information • Providing an audit trail to detect changes in files and behaviors

  4. nsa security guides • The NSA publishes security guides for various operating systems and applications • Linux guide is written for Red Hat Enterprise Linux 5 • Guide can be adapted for other Linux distributions

  5. nsa security guides • Guides are just a reference • Never follow them without understanding what you are doing • Many of the security recommendations may not make sense in your environment

  6. nsa security guides • http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/index.shtml

  7. vulnerability databases • Vulnerability databases are an important resource for determining if your software needs to be patched • Often contain mitigation information as well as available update paths

  8. vulnerability databases • http://www.cert.org • http://www.us-cert.gov/cas/techalerts/index.html • http://nvd.nist.gov • http://www.cio.com/article/730250/US_NIST_39_s_Vulnerability_Database_Hacked

  9. inetd • inetd is the Internet “super-server” • A super-server listens to network ports and starts the appropriate server when a connection is received • Configuration is in /etc/inetd.conf

  10. /etc/inetd.conf • One service per line • Lines can be commented out by preceding them with a # • 7 tab-delimited fields: service-name, socket-type, protocol, wait|nowait, user, server-program, server-args • “The wait/nowait entry specifies whether the server that is invoked...will take over the socket...and thus whether inetd should wait for the server to exit before listening for new service requests.” (man inetd)

  11. /etc/inetd.conf
      ftp     stream  tcp   nowait  root  /usr/libexec/ftpd     ftpd -l
      #ntalk  dgram   udp   wait    root  /usr/libexec/ntalkd   ntalkd
      telnet  stream  tcp6  nowait  root  /usr/libexec/telnetd  telnetd

  12. xinetd • Secure replacement for inetd • Configuration is stored in /etc/xinetd.conf and /etc/xinetd.d/ • Most services have their own file in the configuration directory • Allows services to be added when a package is installed

  13. xinetd • Configuration files allow both the enabled and disabled keywords • Convention is to use only the disabled keyword • On Red Hat-like systems chkconfig can control xinetd services

  14. /etc/xinetd.d/tftp
      service tftp
      {
          socket_type = dgram
          protocol    = udp
          wait        = yes
          user        = root
          server      = /usr/sbin/in.tftpd
          server_args = -s /tftpboot
          disable     = yes
      }
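A small checker for the two formats shown on slides 10 through 14, added here as an example and not part of the deck: it parses inetd.conf lines and xinetd.d service blocks and reports which services would actually be offered, and as which user. The sample file contents are constructed copies of the slide listings, and the field names in INETD_FIELDS are this example's own labels for the seven man-page fields.

```python
import re

# Constructed sample in the format of /etc/inetd.conf (slide 11), not from a real host
INETD_CONF = (
    "ftp\tstream\ttcp\tnowait\troot\t/usr/libexec/ftpd\tftpd -l\n"
    "#ntalk\tdgram\tudp\twait\troot\t/usr/libexec/ntalkd\tntalkd\n"
    "telnet\tstream\ttcp6\tnowait\troot\t/usr/libexec/telnetd\ttelnetd\n"
)
# Constructed sample in the format of /etc/xinetd.d/tftp (slide 14)
XINETD_TFTP = """\
service tftp
{
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = root
    server      = /usr/sbin/in.tftpd
    server_args = -s /tftpboot
    disable     = yes
}
"""
INETD_FIELDS = ("service", "socket_type", "protocol", "wait", "user", "server", "args")

def parse_inetd(text):
    """One dict per active inetd entry; lines commented out with '#' are skipped."""
    services = []
    for line in text.splitlines():
        parts = line.split(None, 6)  # at most 7 fields; server-args keeps its spaces
        if not parts or parts[0].startswith("#") or len(parts) < 6:
            continue  # blank, disabled, or malformed (missing required fields)
        parts += [""] * (7 - len(parts))  # server-args may be absent
        services.append(dict(zip(INETD_FIELDS, parts)))
    return services
def parse_xinetd(text):
    """{service_name: {attribute: value}} for every 'service name { ... }' block."""
    result = {}
    for block in re.finditer(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S):
        attrs = {}
        for line in block.group(2).splitlines():
            if "=" in line:
                key, value = line.split("=", 1)
                attrs[key.strip()] = value.strip()
        result[block.group(1)] = attrs
    return result
def enabled_services(inetd_text, xinetd_text):
    """Services that would actually be offered, mapped to the user they run as."""
    active = {s["service"]: s["user"] for s in parse_inetd(inetd_text)}
    for name, attrs in parse_xinetd(xinetd_text).items():
        if attrs.get("disable", "no").lower() != "yes":  # no 'disable' means enabled
            active[name] = attrs.get("user", "root")
    return active
```

With the slide data, the result lists ftp and telnet (both as root) and omits tftp because its block says disable = yes; an entry that is missing the disable attribute counts as enabled, which is why the convention on slide 13 matters.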

  15. disabling services

  16. sudo • sudo is a command that allows a normal user to perform actions as root or another user • More flexible than su, which is all or nothing • Authenticates the user with their own password • su requires the user to know root’s or the other user’s password

  17. sudo • All root-level work should be done using sudo • Allows tracking of what users were using root privileges for • Configuration is in /etc/sudoers • sudoers should be edited with visudo or checked after editing with visudo -c

  18. /etc/sudoers
      #%group   hostlist=(runas) cmd
      %wheel    ALL=(ALL) ALL
      #user     hostlist=(runas) cmd
      rgharaib  ALL=(ALL) /etc/init.d/maui [a-z]*
      rgharaib  ALL=(ALL) /sw/torque/bin/pbsnodes -[co] [a-z0-9]*
      rgharaib  ALL=(ALL) /opt/xcat/bin/rpower b[0-9]* [a-z]*
      rgharaib  ALL=(ALL) /usr/bin/ssh ananke reboot
      rgharaib  ALL=(ALL) /usr/bin/ssh aether reboot

      Xyz ALL=(ALL) ALL   Userid Xyz can run on any server as any target user for any command
      Xyz ALL=(root) vi   Userid Xyz can run on any server as root for the vi command

  19. selinux • Security-Enhanced Linux adds access-control mechanisms to the Linux kernel • Most common mechanism is Mandatory Access Control (MAC) • Developed primarily by the NSA

  20. selinux • All files are assigned a security context • Policies exist for every application detailing the security contexts they can access

  21. selinux in red hat • Red Hat includes decent SELinux support out of the box • Can be enabled by editing /etc/selinux/config • Usually type should be targeted and mode should be enforcing

  22. selinux • Having SELinux enabled may break some necessary functionality • Booleans can be used to change SELinux behavior • getsebool -a will show available booleans • setsebool can modify them

  23. auditd • Audit daemon that tracks security operations on a system • SELinux problems are logged to the audit daemon • Can be configured to meet federal, DoD or other requirements • Logs written to /var/log/audit/

  24. selinux + auditd • audit2allow will generate a SELinux ruleset from denied actions recorded by auditd • Simple mechanism to update SELinux policies for your environment

  25. monitoring changes • Host-based intrusion detection systems • Designed to detect changes to files on the system • Normally used in extremely paranoid environments • AIDE (Advanced Intrusion Detection Environment) is one example

  26. aide • Works by creating a database containing hashes of important files on the filesystem • Periodically verifies that file hashes have not changed • Must be turned off to update anything • Database must be rebuilt after an update
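The baseline-and-verify cycle of slide 26 in miniature, added here as an example and not part of the deck or of AIDE itself: a database of SHA-256 digests is built, a file is edited and another added, and the verify step reports exactly that drift. The directory tree, file contents and names are constructed in a temporary directory for the demonstration.

```python
import hashlib
import json
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_database(root):
    """Map every regular file under root (by relative path) to its digest and size."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = {
                "sha256": file_digest(full), "size": os.path.getsize(full)}
    return db

def verify(root, db):
    """Compare the filesystem against a stored database and report what drifted."""
    current = build_database(root)
    return {
        "changed": sorted(p for p in db if p in current and current[p] != db[p]),
        "added": sorted(set(current) - set(db)),
        "removed": sorted(set(db) - set(current)),
    }

def demo():
    """Constructed scenario: take a baseline, then edit one file and add another."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "sudoers"), "w") as f:
        f.write("%wheel ALL=(ALL) ALL\n")
    with open(os.path.join(root, "etc", "inetd.conf"), "w") as f:
        f.write("#telnet stream tcp nowait root /usr/libexec/telnetd telnetd\n")
    # AIDE keeps its database outside the monitored tree; a JSON round-trip stands in
    stored = json.loads(json.dumps(build_database(root)))
    with open(os.path.join(root, "etc", "sudoers"), "a") as f:
        f.write("xyz ALL=(ALL) ALL\n")  # a change the administrator did not authorize
    with open(os.path.join(root, "etc", "rc.local"), "w") as f:
        f.write("exit 0\n")             # a file that was not in the baseline
    return verify(root, stored)
```

demo() returns etc/sudoers as changed and etc/rc.local as added; after a legitimate update the same build_database call is what rebuilds the baseline, which is the step slide 26 says must follow every change.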

  27. logging • Centralized log management is key • Once logs are centralized, you need a way to condense them into something useful • logwatch is one such tool

  28. logwatch • Tool to generate a summary of system logs • Can generate one email containing all systems or an email for each system • Split into different components that check for certain patterns • Easy to write new components
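A component-based summariser in the spirit of slides 27 and 28, added here as an example and not logwatch's own code: each component is a pattern plus a rule for the summary key, and the report can be combined across hosts or split per host as the slide describes. The syslog lines are constructed (RFC 5737 documentation addresses, made-up hostnames and PIDs), and the component names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed syslog lines from two hosts (not real log data)
SAMPLE_LOGS = """\
Mar  3 09:12:01 web01 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 4410 ssh2
Mar  3 09:12:04 web01 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 4412 ssh2
Mar  3 09:13:30 web01 sshd[2130]: Accepted publickey for rgharaib from 192.0.2.15 port 50122 ssh2
Mar  3 09:14:02 db01 sudo:  rgharaib : TTY=pts/0 ; PWD=/home/rgharaib ; USER=root ; COMMAND=/usr/bin/visudo -c
Mar  3 09:20:11 db01 setroubleshoot: SELinux is preventing /usr/sbin/in.tftpd from read access on the directory /tftpboot
Mar  3 09:21:45 db01 sshd[3300]: Failed password for root from 203.0.113.9 port 39011 ssh2
"""
# Each component is a pattern plus a function that turns a match into a summary key
COMPONENTS = {
    "sshd_failed": (re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)"),
                    lambda m: f"{m.group(1)} from {m.group(2)}"),
    "sshd_accepted": (re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)"),
                      lambda m: f"{m.group(2)} from {m.group(3)} ({m.group(1)})"),
    "sudo": (re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.*)$"),
             lambda m: f"{m.group(1)} ran {m.group(2)}"),
    "selinux_denial": (re.compile(r"SELinux is preventing (\S+) from"),
                       lambda m: m.group(1)),
}
SYSLOG_HOST = re.compile(r"^\w{3}\s+\d+ [\d:]+ (\S+) ")

def summarize(log_text, per_host=False):
    """Count matches per component; one combined report, or one report per host."""
    report = defaultdict(lambda: defaultdict(Counter))
    for line in log_text.splitlines():
        host_match = SYSLOG_HOST.match(line)
        if not host_match:
            continue  # not a syslog-formatted line
        host = host_match.group(1) if per_host else "all"
        for name, (pattern, key_for) in COMPONENTS.items():
            m = pattern.search(line)
            if m:
                report[host][name][key_for(m)] += 1
                break  # a line belongs to the first component that claims it
    return report if per_host else report["all"]

def render(report):
    """Plain-text body in the style of a summary email, one section per component."""
    lines = []
    for name, counts in sorted(report.items()):
        lines.append(f"--- {name} ({sum(counts.values())} events) ---")
        lines.extend(f"  {count:4d}  {key}" for key, count in counts.most_common())
    return "\n".join(lines)
```

Adding a component is one dictionary entry, which is the property slide 28 calls out; summarize(SAMPLE_LOGS, per_host=True) gives the per-system variant.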

  29. configuration management • Tools and concepts that help maintain system consistency • Administrators use tools to write policies and apply them to multiple systems • Policies are verified periodically and any changes on the local system can be backed out • Some tools allow administrators to roll back changes that were pushed out via configuration management

  30. configuration management • Large organizations and organizations concerned about security can benefit from configuration management • Example tools are cfengine and puppet • Will have a complete module on configuration management
