1 21a-OSHardening

Previous: 20-PasswordUserGroup.html


1.1 Screencasts

1.2 Reading

21a-OSHardening/10b-LinuxSecurity.pdf (reading, not slides)

1.3 Introduction

What is OS hardening?

Hardening process that includes planning, installation, configuration, update, and maintenance of the operating system and the key applications in use.

OS architecture:
* Each of these layers of code needs appropriate hardening measures in place to provide appropriate security services.
* And each layer is vulnerable to attack from below, should the lower layers not also be secured appropriately.
* Is the same true from above?

1.3.1 Planning Things to consider during enterprise hardening

1.4 System hardening

Hardware is the most important layer (in some ultimate context, maybe not a practical one), but a compromise at any layer is sufficient to break any of the CIA triad.

1.4.1 Operating system hardening

* Install and patch the operating system.
* Harden and configure the operating system to adequately address the identified security needs of the system by:
* Removing unnecessary services, applications, and protocols.
* Configuring users, groups, and permissions.
* Configuring resource controls.
* Install and configure additional security controls, such as host-based firewalls or intrusion detection systems (IDS), if needed.
* Test the security of the basic operating system to ensure that the steps taken adequately address its security needs!

1.4.2 Installation Secure installation procedures Minimize base install

Minimizing attack surface

1.4.3 Users, Groups, Authentication

1.4.4 Configure resource controls

1.4.5 Extras

Install or configure extra security-related software

Ask: how does this compare to a black-list?

1.4.6 Test your install

1.5 Application security

1.5.1 Selection: Which software to install?

1.5.2 Configure applications

1.5.3 File and network encryption

Application level encryption

1.6 Maintenance, logging, backup

1.6.1 Logging

1.6.2 Backup and archive

1.7 Linux/Unix

Most servers will be Linux/Unix
* Extensive documentation base for hardening

1.7.1 Patching: System updates

1.7.2 Application and service configuration

1.7.3 Users, Groups, Permissions

Set permissions on:
* Unix and Linux systems implement discretionary access control (DAC) for all file system resources.
* These include not only files and directories but devices, processes, memory, and indeed most system resources, like devices, etc
* Use chmod, chown, getfacl, setfacl, and other user and group management commands to configure permissions and access
* Information on user accounts and group membership are traditionally stored in the /etc/passwd and /etc/group files
* Remove default or guest users, change default passwords, if any
* Minimize the number of programs that need to run as root

1.7.4 Remote access

Setup remote access controls

1.8 Re-writes of API-compatible major OS’s

Next: 21b-Virtualization.html