03 installing linux
TRANSCRIPT
-
7/29/2019 03 Installing Linux
Installing Linux
-
Objectives
After completing this unit, you should be able to:
  Install a Linux distribution using installation CDs or over a network
  Understand a Red Hat kickstart file and have a basic grasp of its syntax
  Understand the importance of different partitioning strategies
  Be able to choose a purpose for a new system and install only what's necessary
  Know how to update software on your system
  Perform some post-installation hardening
  Perform system baselining
-
Starting Off Secure
When considering methods to secure a system, installation is where it should all begin.
Preparing and installing a system securely helps to ensure:
  That it will not be compromised before you can update it.
  That you won't have to worry about your installation choices further down the line.
  That your data will be as secure as possible from the lowest level of the system to the highest.
-
Why Consider Security During Installation?
Installation is usually not the time when people worry about security.
A little planning during installation can make it easier to enforce certain policies, maintain system availability, and provide for system expandability later.
There have been documented cases of a system being compromised immediately after installation.
It gives you a chance to define a specific role for the system.
You can't have a solid building without a solid foundation; the same concept applies to your organization's systems.
-
Benefits and Drawbacks of Installation Security
Benefits
  Reduces risks
  Prepares system for maintainability and upgradability
  Allows system to scale more easily
  With a good installation base, you can make a kickstart configuration file that makes installation easier on other machines
Drawbacks
  Takes more time
  Some partitions can fill up much more quickly than others, causing you to have to upgrade storage sooner
  Requires a more intimate knowledge of the installation process for your distribution of choice
-
Installation Concepts
-
Planning
Before you install a system, be sure you have put some thought into the following things:
  What will this system be used for?
  How should you partition it for its role?
  What file systems will you use on those partitions?
  How will you be installing?
  Should a root password be decided upon ahead of time, based upon your organization's password policies?
  Are there any known out-of-box vulnerabilities with the distribution and release you are installing?
-
System Purpose and Partitioning
A system's intended purpose or function in your organization defines what software should be installed from the distribution.
Only install what is needed, nothing more.
The structure used for partitioning relates directly to the system's role.
Allot space to a particular partition (and mount point) depending on what it is used for.
How much swap space will the system need?
All of this information will be used when deploying the system.
-
Installation Methods (1 of 2)
Three choices for most distributions:
  CD-ROM or DVD-ROM
    Simple
    Effective
    Well-supported
    Works on machines with no floppy drive
  Network (NFS, HTTP, FTP, and so on)
    Centralized
    No media to carry around or keep track of
    Can be faster
    No swapping CDs
-
Installation Methods (2 of 2)
  Hard drive
    Provided mostly for compatibility reasons for systems that can't install from CD-ROM
    Uses ISO images that are both easy to move between servers (only one file per CD) as well as usable for burning new CDs
-
Kickstart
An automated installation method available in Red Hat Linux.
Kickstart configuration file is on a floppy or CD.
After installation (beginning with release 7.2 or later), a file called anaconda-ks.cfg is created in the root user's home directory. This is a kickstart file containing parameters of the current installation. The only thing that needs cleaning up are the clearpart lines and the part lines.
Make a boot floppy using the images on the Red Hat Linux CD and copy your kickstart configuration file to the floppy, with the name ks.cfg.
When booting off of a boot floppy with a ks.cfg file, type linux ks=floppy at the boot prompt.
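
An added example, not part of the original course material: a shell check to run on a kickstart file before copying it to the boot floppy. It reports clearpart/part lines that are still commented out, a root password stored in clear text, and desktop package groups a server does not need. The function names ks_audit and demo_ks and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: review a kickstart file before copying it to the boot floppy.
ks_audit() {   # usage: ks_audit KICKSTART_FILE ; prints one line per finding
    awk '
    /^%/ { section = $1; next }                  # %packages, %post, ...
    section == "" && /^#[ \t]*(clearpart|part)[ \t]/ { commented++ }
    section == "" && /^(clearpart|part)[ \t]/        { active++ }
    section == "" && /^rootpw[ \t]/ && !/--iscrypted/ {
        print "rootpw: stored in clear text, use --iscrypted"
    }
    section == "%packages" && /^@[ \t]*(X Window System|GNOME Desktop Environment|KDE Desktop Environment)[ \t]*$/ {
        print "packages: group not needed on a server: " $0
    }
    END {
        if (!active && commented)
            print "partitioning: clearpart/part lines are commented out"
        else if (!active)
            print "partitioning: no clearpart/part lines found"
    }' "$1"
}

# Constructed sample in the style of anaconda-ks.cfg (not from a real system).
demo_ks() {
    ks=$(mktemp) || return 1
    cat > "$ks" <<'EOF'
install
lang en_US
rootpw examplepassword
authconfig --enableshadow --enablemd5
#clearpart --linux
#part / --fstype ext3 --size=2048
#part swap --size=512
%packages
@ X Window System
openssh-server
%post
EOF
    ks_audit "$ks"
    rm -f "$ks"
}

demo_ks
```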
-
Installation Process
During the installation, you will have to address the following topics:
  Creating the partition layout and choosing the file systems for those partitions
  Choosing and entering the root password
  Configuring authentication methods
  Selecting the packages you wish to install
-
Partitioning and File Systems
For each partition that you create, you need to select a file system for it.
Different distributions support different file systems. For example, Red Hat Linux 8.0 supports:
  ext2
  ext3
  Reiserfs
  JFS
For swap partitions, you will usually want at least twice the system's installed physical memory.
-
Passwords
During installation, you are asked to choose a root password. Make sure the password you enter meets your organization's password policies. While it can be changed later, if you enter a good password now you will not have to worry about taking care of it after installation.
Before package group selection, you were given the opportunity to select a boot loader (either GRUB or LILO) password. Whether or not you are using a boot loader password depends on your organization's policy on such things.
-
Configuring Authentication Methods
  MD5 passwords
  Shadow passwords
  NIS
  LDAP
  Kerberos 5
  SMB
-
Packages (1 of 2)
Most distributions come with many package groups (listed in your student notes).
You can either install or not install the whole group, or you can select individual packages from the groups.
In general, a multiuser server will not need the following package groups (exact names may vary):
  X Window System
  GNOME Desktop Environment
  KDE Desktop Environment
  Graphical Internet
-
Packages (2 of 2)
In general, a multiuser server will not need the following package groups (exact names may vary):
  Office/Productivity
  Sound and Video
  Graphics
  Games and Entertainment
  X Software Development
  GNOME Software Development
  KDE Software Development
-
Updating
Every operating system and every piece of software has bugs and security flaws.
One of the Open Source advantages is that anyone can fix these holes and can (or even must) provide the fix to the community.
Vendors that release distributions (Red Hat, SuSE, SCO, and so on) take these updated and patched pieces of software and repackage them to distribute to their customers through the appropriate channels.
Vendors also put rigorous testing into the packages they release.
Vendors stand behind their security fixes and package updates.
-
Where to Go for Updates
Here are some URLs for various vendor update sites:
  Red Hat
    http://www.redhat.com/apps/support/errata/
  SuSE
    http://support.suse.de/psdb/
  SCO (formerly Caldera)
    http://www.sco.com/support/updates/
    http://www.sco.com/support/security/index.html#OpenLinux
  TurboLinux
    http://www.turbolinux.com/support/
-
What to Look for (1 of 2)
In general, using an automated update tool such as Red Hat's Update Agent (with a Red Hat Network subscription) or SuSE's YaST Online Update (YOU) makes the job of staying current much easier on the package and software management side.
Checking FTP and Web sites manually means you must know what you currently have, what you need, and how to upgrade it.
-
What to Look for (2 of 2)
Some common RPM commands for managing packages are:
  rpm -i package - Install package
  rpm -e package - Uninstall package
  rpm -qa - Generate a list of all installed packages
  rpm -qi package - Get info on package
  rpm -K package - Check package's GPG signature
Naming scheme: name-version-release.architecture.rpm
  name - Package name
  version - Version of the software this package includes
  release - Package release; a version number for packages
  architecture - What system it's intended for
-
Vendor versus Author
One common occurrence in the Linux community is that a critical fix will often come out mere hours after a vulnerability was discovered.
When this occurs, you must:
  Evaluate whether or not the vulnerability would or could affect you.
  If the threat is high, download the new software or patch and build it by hand.
  If the threat is minor, you can simply wait for the vendor to provide their package.
One other option to those listed above is to look on mailing lists or Web sites for workarounds.
-
How to Upgrade
If you are using an automated upgrading tool such as Red Hat's Update Agent or SuSE's YOU, or a third-party solution, refer to that tool's documentation for instructions on its use.
If you are upgrading by hand, here is what you need to know:
  rpm -U - Upgrades the package if an earlier version is already installed, or installs the package if no earlier version is found.
  rpm -F - Upgrades the package if an earlier version is already installed, or does nothing if no earlier version is installed.
For all packages except kernel binary packages, you can safely install them using either of the two RPM commands above.
Kernel binary packages (kernel-kernelversion-release.arch.rpm) are a special case; they must be installed using the rpm -i syntax, not the rpm -U or rpm -F syntax.
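
An added example, not part of the original slides, tying the RPM naming scheme to the kernel special case above: it splits a package file name into its fields from the right (the name itself may contain hyphens) and prints, without running them, a signature check followed by the matching rpm command. The helper names rpm_fields and update_plan and the file names are constructed; only the exact name "kernel" is treated as a kernel binary package, and rpm -F is chosen for everything else so that nothing new is added to a minimal install.

```shell
#!/bin/sh
# Added example: split name-version-release.arch.rpm and pick the rpm mode.
# The name may contain hyphens, so fields are peeled off from the right.
rpm_fields() {   # prints "name version release arch", fails on other names
    f=${1##*/}
    case $f in *-*-*.*.rpm) ;; *) return 1 ;; esac
    f=${f%.rpm}
    arch=${f##*.};    f=${f%.*}
    release=${f##*-}; f=${f%-*}
    version=${f##*-}; name=${f%-*}
    printf '%s %s %s %s\n' "$name" "$version" "$release" "$arch"
}

# Print (do not run) the commands for a set of downloaded update packages.
update_plan() {
    for pkg in "$@"; do
        fields=$(rpm_fields "$pkg") || { echo "# skipped: $pkg"; continue; }
        case ${fields%% *} in
            kernel) mode=-i ;;  # kernel binary package: install beside the old one
            *)      mode=-F ;;  # freshen only what is already installed
        esac
        # Check the GPG signature first; install only if the check passes.
        echo "rpm -K $pkg && rpm $mode $pkg"
    done
}

# Constructed file names for illustration.
update_plan openssh-3.5p1-1.i386.rpm kernel-2.4.18-24.i686.rpm \
            telnet-server-0.17-24.i386.rpm README.txt
```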
-
Hardening
Hardening a system reduces the chance that someone can gain unauthorized privileges higher than what they should have.
While you can harden the system manually, we only cover that conceptually in this course.
We go into greater depth on the use of the automatic system hardening tool Bastille.
-
Identification and Authentication
Hardening of these two subsystems prevents:
  The ability to pose as another person
  The ability to gain access to another person's account
The main components involved are:
  PAM
  /etc/passwd and /etc/shadow
  /bin/login
-
Access Control and Authorization
Hardening these two subsystems prevents:
  The ability to access resources belonging to someone else
  Circumventing of security measures designed to prevent harm to the system
  The ability to access resources outside of your scope
The main components involved are:
  File system permissions
  PAM
  ACL tools and subsystems
  Various kernel extensions
-
Availability and System Integrity
Hardening for availability reduces the likelihood of, or even prevents, a successful denial of service attack.
The main components involved are:
  Partitioning
  Disk quotas
  Kernel tuning
  Hardware configuration
Hardening for system integrity prevents important system services from being compromised and modified.
The main components involved are:
  Permissions and privileges
  File systems
  Active vigilance in monitoring
-
Auditing and Intrusion Detection
Hardening for auditing protects your log files, log monitors, and other system monitoring systems.
The main components involved are:
  Log files in /var/log
  Log monitoring tools
  Effective policies for log management and archiving
Preparation and hardening for the possibility of an intrusion typically involves installing some intrusion detection and/or log monitoring software.
The main components involved depend entirely on log monitoring and intrusion detection software you use.
-
Kernel Hardening
Kernel hardening is the process of adding additional functionality to the kernel (typically through source patches) to make kernel-based security flaws or exploits more difficult to take advantage of.
The three kernel hardening packages covered in this course are:
  LIDS - Patch-based kernel hardening system
  rsbac - Access control framework for hardening systems
  selinux - A secure distribution created by the United States' National Security Agency
Common features:
  Mandatory Access Control
  File protection
  Process protection
  ACL controls
-
Host Intrusion Tools
This course covers the following intrusion detection systems:
  Samhain - File integrity and intrusion monitoring
    Provides file integrity monitoring, kernel module protection, centralized monitoring, and other features.
  AIDE - Advanced Intrusion Detection Environment
    Provides very advanced file integrity monitoring.
We also go over the following log monitors:
  Swatch
    A real-time log monitoring system, allowing you to choose specific log data you wish to see.
  logwatch
    A customizable log analysis system, which parses system logs and reports any information you specify.
Other tools:
  TARA; Tiger; COPS; CIS
-
Bastille
Very powerful automated system hardening tool.
Freely available.
Supports:
  Red Hat Linux
  Linux Mandrake
  Debian GNU/Linux
Walks you through the process of securing your system with either an X Window GUI or console text mode interface.
Handles most common system hardening tasks automatically, requiring you to simply answer questions.
-
System Baselining (1 of 2)
Baselining involves taking a snapshot of your system's settings in a configuration known to be valid and watching the deviation from these settings over time.
Watching how the settings change over time can alert you to potential problems.
Also useful for making sure other administrators aren't reconfiguring servers without going through the proper channels.
-
System Baselining (1 of 2)
There are several ways to manually capture data about a properly configured system, including:
  rpm -qa - Gathers information about installed packages
  rpm -Va - Verifies packages and their MD5 sums, file modification times, and other file properties
  The /proc file system contains lots of useful information about hardware, among other things.
Automated solutions, such as Tripwire, AIDE, FTimes, or FCheck, can make this task much easier.
-
Configuration Capturing
Making a snapshot of a machine's configuration so that it can be compared to future configurations to see the differences.
Depending on the tools used, may output to plain text files or a proprietary binary format.
Don't store the snapshots on the system you're capturing, as a crafty infiltrator can easily modify or delete these files.
Establish a policy regarding how snapshots will be taken, when they will be taken, where they will be stored, and how they will be stored.
Start with systems that you know are clean; freshly installed systems are best.
-
Monitoring
Once a policy for snapshot frequency has been determined, automated snapshots can be taken fairly easily.
Comparing the latest snapshot to the previous snapshot gives you an idea of what changed.
A chain of snapshots gives you a moving picture of the system's state.
Anything that is not expected, such as something that has never changed before suddenly changing, or vice versa, should be immediately investigated.
Depending on the tool or tools you use, there may be a lot of "false positives" that can be overlooked.
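
An added example, not part of the original slides, of the snapshot comparison described above, applied to saved rpm -qa output: it reports packages that were added, removed, or changed version between two baselines, and leaves a second kernel installed alongside the first as an addition rather than a change. The function names baseline_diff and demo_baseline and both sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare two saved `rpm -qa` snapshots (one package per line).
# Package names are recovered from name-version-release.arch by dropping the
# last two hyphen-separated fields, since the name itself may contain hyphens.
baseline_diff() {   # usage: baseline_diff OLD_SNAPSHOT NEW_SNAPSHOT
    awk '
    function pkgname(s,    n, a, i, r) {
        n = split(s, a, "-"); r = a[1]
        for (i = 2; i <= n - 2; i++) r = r "-" a[i]
        return r
    }
    NF == 0 { next }                             # ignore blank lines
    FILENAME == ARGV[1] { old[$0] = 1; next }    # first file is the baseline
    { new[$0] = 1 }
    END {
        for (p in old) if (!(p in new)) gone[pkgname(p)] = p
        for (p in new) if (!(p in old)) {
            k = pkgname(p)
            if (k in gone) { print "CHANGED " gone[k] " -> " p; delete gone[k] }
            else print "ADDED " p
        }
        for (k in gone) print "REMOVED " gone[k]
    }' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample snapshots; real ones come from `rpm -qa` and are
# stored off the monitored host.
demo_baseline() {
    d=$(mktemp -d) || return 1
    cat > "$d/old.txt" <<'EOF'
openssh-3.4p1-2.i386
kernel-2.4.18-14.i686
glibc-2.2.93-5.i686
telnet-server-0.17-23.i386
EOF
    cat > "$d/new.txt" <<'EOF'
openssh-3.5p1-1.i386
kernel-2.4.18-14.i686
kernel-2.4.18-24.i686
glibc-2.2.93-5.i686
gcc-3.2-7.i386
EOF
    baseline_diff "$d/old.txt" "$d/new.txt"
    rm -rf "$d"
}

demo_baseline
```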
-
Baselining Strategies
Beware of automated filters.
Know your systems.
Know your capturing methods.
Communicate all intentional changes to all administrators before touching anything. Depending on your organization's policy, you may need to wait for some or all of their approval first.
An organized directory structure and/or file naming convention for all of your captured data can make locating and identifying times when specific changes occurred much easier.
Every step of capturing data should be well-documented so that new administrators will be able to have data from their systems match the rest of the organization's data.
-
Checkpoint
1. Why is it important to have a good security plan in mind before starting with a system?
2. True or false: The purpose behind partitioning a server for its purpose is so that it will be more scalable in the future.
3. Name three package groups that are not typically necessary on a server.
4. Name two subsystems or aspects of a system which may require hardening.
5. True or false: Configuration capturing only needs to be done once, after you first install a machine.
-
Unit Summary
Security is something that must be considered from the start.
Several steps can be taken to ensure your systems are more secure immediately after installation, including proper partitioning, appropriate package group selection, and restrictive default settings.
A defined system purpose makes it easier to manage and secure a system.
Use of a system hardening tool such as Bastille is a required step following any installation.
Keep your systems updated.
Baselining and configuration capturing utilities can make it much easier to spot a hole or breach before serious damage occurs.