Tip: If anyone wants to speed up the lecture videos a little,
inspect the page, go to the browser console, and paste this in:
document.querySelector('video').playbackRate = 1.2
1.2 Reading
https://doc.opensuse.org/documentation/leap/security/html/book.security/index.html
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/
https://debian-handbook.info/browse/stable/security.html 21a-OSHardening/10b-LinuxSecurity.pdf
(reading, not slides)
https://en.wikipedia.org/wiki/Unix_security
http://etutorials.org/Linux+systems/linux+security/
1.3 Introduction
What is OS hardening?
Hardening process that includes planning, installation,
configuration, update, and maintenance of the operating system and the
key applications in use.
OS architecture:
* Each of these layers of code needs appropriate hardening measures in
place to provide appropriate security services.
* And each layer is vulnerable to attack from below,
should the lower layers not also be secured appropriately.
* Is the same true from above?
1.3.1 Planning
1.3.1.1 Things to consider during
enterprise hardening
The purpose of the system, the type of information
stored, the applications and services provided, and their security
requirements.
The categories of users of the system, the
privileges they have, and the types of information they can access.
How the users are authenticated.
How access to the information stored on the system
is managed.
What access the system has to information stored on other
hosts, such as file or database servers, and how this is
managed.
Who will administer the system, and how they will
manage the system (via local or remote access).
Any additional security measures required on the system, including
the use of host firewalls, anti-virus, or other malware
protection mechanisms, and logging.
1.4 System hardening
Hardware is the most important layer (in some
ultimate context, maybe not a practical one), but a compromise at any
layer is sufficient to break any of the CIA triad.
Lower levels can control or weaken higher layers, but the inverse is
not always true.
Applications and software are easier to verify, design, and program,
and are more likely to be open-source.
Hardware is much less accessible, and manufacturing details are kept
secret.
Most hardware is not open-source, e.g.,
Intel chips, firmware blobs, closed BIOS.
For an alternative, see IBM’s power8, openmoko, and new RISC chips,
etc.
1.4.1 Operating system
hardening
Overview:
* Install and patch the operating
system.
* Harden and configure the operating system to adequately address the
identified security needs of the system by:
* Removing unnecessary services, applications, and
protocols.
* Configuring users, groups, and permissions.
* Configuring resource controls.
* Install and configure additional security controls, such as host-based
firewalls or intrusion detection systems (IDS), if
needed.
* Test the security of the basic operating system to
ensure that the steps taken adequately address its security needs!
1.4.2 Installation
1.4.2.1 Secure installation
procedures
System security begins with the installation of the
operating system.
Check hash of install media to insure validity
Encrypt full hard disk during installation
Install only the minimum needed software
Install in an isolated environment (OS is
vulnerable until patched)
Setup BIOS boot and configuration password
Avoid installing non-open binary drivers,
especially with kernel access
Patch operating system to most current, and enable
updates
1.4.2.2 Minimize base install
Minimizing attack surface
Ideally, install only the minimum installed
software needed
However, if a standard install is required, then remove
extras
Further, disable any unneeded protocols and
services!
1.4.3 Users, Groups,
Authentication
Determine the needed permissions for each user of the system
Map user permissions to groups of users
Minimize the time that administrators will work under the state of
elevated privilege
Remove any default or guest accounts, change any default
passwords!!!
1.4.4 Configure resource
controls
Once the users and their associated groups are defined,
appropriate permissions can be set on data and
resources to match the specified policy.
Some users access limited software
Some users access limited directories or files
1.4.5 Extras
Install or configure extra security-related software
Host based firewall (e.g., iptables/netfilter)
White-list applications, allowing only a specific
list
Ask: how does this compare to a black-list?
1.4.6 Test your install
Check assumptions about system behavior
Test non-whitelisted applications
nmap and wireshark to probe network behavior,
etc.
1.5 Application security
Once the base operating system is installed and appropriately
secured, the required services and applications must next be installed
and configured.
1.5.1 Selection: Which software to
install?
Selection may be from additional packages provided with the
operating system distribution, or from a separate third-party
package.
As with the base operating system, utilizing an isolated,
secure build network is preferred.
OS repositories employ secure signature and hashing
on install files to insure integrity; use it
For third party applications, always check signature reported by
developer
Do not install un-trusted applications, with the
minimum requirement excluding anything closed source or
for which you do not have access to the source code, and the ideal being
highly scrutinized projects
1.5.2 Configure applications
Check default configurations
For example permissions granted to the web serving software on your
server may allow the software merely serving a static site to write
files
1.5.3 File and network
encryption
Application level encryption
In addition to the whole disk, you can encrypt particular folders,
or an entire home directory.
Setup key exchange and signing, for example for your
website’s certificate, by getting a CA to sign your
keys
Setup and choose secure options for your SSH
configuration, create and exchange keys with clients
1.6 Maintenance, logging,
backup
Monitoring and analyzing logging information
Performing regular backups (availability is
security too!)
Recovering from security compromises
Regularly testing system security
Using appropriate software maintenance processes to patch and update
all critical software, and to monitor and revise configuration as
needed
1.6.1 Logging
Logging is a reactive approach that can only inform you about bad
things that have already happened.
But, effective logging helps ensure that in the event of a system
breach or failure, system administrators can more quickly and accurately
identify what happened and thus most effectively focus their remediation
and recovery efforts.
1.6.2 Backup and archive
Backup should be a first-class security consideration!!
Are backups on-site or off?
Are backups encrypted?
Does the backup procedure transfer data across the
network, how?
1.7 Linux/Unix
Most servers will be Linux/Unix
* Extensive documentation base for hardening
1.7.1 Patching: System updates
Modern Unix and Linux distributions typically include tools for
automatically downloading and installing software updates, including
security updates, which can minimize the time a system is vulnerable to
known vulnerabilities for which patches exist.
Packages are cryptographically signed by packager and signatures are
checked before installation
Red Hat / Fedora uses dnf, Open SuSE uses
zypper, debian uses apt and
apt-get, etc
1.7.2 Application and service
configuration
Configuration of applications and services on Unix and Linux systems
is most commonly implemented using separate text files for each
application and service.
System-wide configuration details are generally located either in
the /etc directory or in the installation tree for a specific
application.
Where appropriate, individual user configurations that can override
the system defaults are located in hidden “dot” files in each user’s
home directory.
The name, format, and usage of these files are very much dependent
on the particular system version and applications in use.
1.7.3 Users, Groups,
Permissions
Set permissions on:
* Unix and Linux systems implement discretionary access control (DAC)
for all file system resources.
* These include not only files and directories but devices, processes,
memory, and indeed most system resources, like devices, etc
* Use chmod, chown, getfacl, setfacl, and other user
and group management commands to configure permissions and access
* Information on user accounts and group membership are traditionally
stored in the /etc/passwd and
/etc/group files
* Remove default or guest users, change default
passwords, if any
* Minimize the number of programs that need to run as
root
1.7.4 Remote access
Setup remote access controls
Minimize the ability to access your system remotely, if at
all!
Close unnecessary incoming ports
Use iptables/netfilter for Linux, or pf for BSD-based systems
