ITIS 3110 System Hardening

Upload: sibyl-kellie-wilkins

Post on 28-Dec-2015


system hardening
- Act of modifying a system to make it more secure
- Protecting against internal and external threats
- Usually a balance between security and usability
- Where the balance is struck differs for every organization

hardening practices
- Removing unneeded privileges, applications, or services
- Updating installed packages on a regular basis
- Maintaining user lists with up-to-date information
- Providing an audit trail to detect changes in files and behaviors

nsa security guides
- The NSA publishes security guides for various operating systems and applications
- The Linux guide is written for Red Hat Enterprise Linux 5
- The guide can be adapted for other Linux distributions

nsa security guides
- Guides are just a reference
- Never follow them without understanding what you are doing
- Many of the security recommendations may not make sense in your environment

nsa security guides
http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/index.shtml

vulnerability databases
- Vulnerability databases are an important resource for determining whether your software needs to be patched
- Often contain mitigation information as well as available update paths

vulnerability databases
http://www.cert.org
http://www.us-cert.gov/cas/techalerts/index.html
http://nvd.nist.gov
Interesting article: http://www.cio.com/article/730250/US_NIST_39_s_Vulnerability_Database_Hacked

inetd
- inetd is the Internet super-server
- A super-server listens on network ports and starts the appropriate server when a connection is received
- Configuration is in /etc/inetd.conf

/etc/inetd.conf
- One service per line
- Lines can be commented out by preceding them with a #
- Changes take effect only after inetd re-reads the file (send it SIGHUP)
- 7 tab-delimited fields: service-name, socket-type, protocol, wait|nowait, user, server-program, server-args
- "The wait/nowait entry specifies whether the server that is invoked ... will take over the socket ... and thus whether inetd should wait for the server to exit before listening for new service requests." (man inetd)

/etc/inetd.conf
service-name  socket-type  protocol  wait|nowait  user  server-program        server-args

ftp           stream       tcp       nowait       root  /usr/libexec/ftpd     ftpd -l
#ntalk        dgram        udp       wait         root  /usr/libexec/ntalkd   ntalkd
telnet        stream       tcp6      nowait       root  /usr/libexec/telnetd  telnetd

(ftp and telnet carry credentials in the clear; on a hardened host those two lines would be commented out or removed, as ntalk is here.)

xinetd
- More secure replacement for inetd (adds per-service access control and logging)
- Configuration is stored in /etc/xinetd.conf and /etc/xinetd.d/
- Most services have their own file in the configuration directory
- Allows services to be added when a package is installed

xinetd
- The defaults section of xinetd.conf accepts both enabled and disabled keywords; each service file accepts a disable attribute
- Convention is to use only disable, written explicitly in every service file (a service with no disable line is on)
- On Red Hat-like systems chkconfig can control xinetd services
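The two file formats described above (one service per line in inetd.conf, one stanza per file under xinetd.d) are easy to audit for "what is actually listening". The following is an added example, not code from the course slides or from inetd/xinetd: two shell functions that list the enabled services in an inetd.conf-style file and in an xinetd.d-style directory. The sample configuration is constructed in a temporary directory (the tftp and rsync stanzas and the inetd lines are illustrative), so the script runs offline.

```shell
#!/bin/sh
# Added example: list enabled services from inetd-style and xinetd-style
# configuration. Paths are arguments, so copies of real files can be checked.

# inetd_enabled FILE -> "service protocol program" for every active line.
# inetd.conf comments start with '#'; fields are whitespace separated.
inetd_enabled() {
    awk '!/^[[:space:]]*(#|$)/ && NF >= 6 { print $1, $3, $6 }' "$1"
}

# xinetd_enabled DIR -> names of services whose file lacks "disable = yes".
# xinetd treats a missing disable attribute as "disable = no", which is why
# the convention is to always write disable explicitly.
xinetd_enabled() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=$(awk '$1 == "service" { print $2; exit }' "$f")
        [ -n "$name" ] || continue
        if awk -F= '$1 ~ /^[[:space:]]*disable[[:space:]]*$/ {
                        gsub(/[[:space:]]/, "", $2); if ($2 == "yes") off = 1 }
                    END { exit !off }' "$f"; then
            continue            # explicitly disabled
        fi
        echo "$name"
    done
}

# --- constructed sample configuration (not real system files) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/inetd.conf" <<'EOF'
# service socket proto  wait   user program              args
ftp       stream tcp    nowait root /usr/libexec/ftpd    ftpd -l
#ntalk    dgram  udp    wait   root /usr/libexec/ntalkd  ntalkd
telnet    stream tcp6   nowait root /usr/libexec/telnetd telnetd
EOF
mkdir "$demo_dir/xinetd.d"
cat > "$demo_dir/xinetd.d/tftp" <<'EOF'
service tftp
{
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = root
    server      = /usr/sbin/in.tftpd
    server_args = -s /tftpboot
    disable     = yes
}
EOF
cat > "$demo_dir/xinetd.d/rsync" <<'EOF'
service rsync
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/bin/rsync
    server_args = --daemon
}
EOF

echo "inetd services enabled:";  inetd_enabled "$demo_dir/inetd.conf"
echo "xinetd services enabled:"; xinetd_enabled "$demo_dir/xinetd.d"
```

The rsync stanza is reported precisely because it has no disable line, which is the case the "always write disable" convention exists to prevent. On a live Red Hat system compare the output with chkconfig --list, which shows the same information from xinetd's point of view.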

/etc/xinetd.d/tftp
service tftp
{
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = root
    server      = /usr/sbin/in.tftpd
    server_args = -s /tftpboot
    disable     = yes
}

disabling services
                  Red Hat     Debian
Standard service  chkconfig   update-rc.d
inetd             -           update-inetd
xinetd            chkconfig   edit manually

sudo
- sudo is a command that allows a normal user to perform actions as root or another user
- More flexible than su, which is all or nothing
- Authenticates the user with their own password
- su requires the user to know the root or other user's password

sudo
- All root-level work should be done using sudo
- Allows tracking of what users were using root privileges for
- Configuration is in /etc/sudoers
- sudoers should be edited with visudo, which locks the file and refuses to save a syntactically broken one
- Check the file after editing with visudo -c

/etc/sudoers
#%group hostlist=(runas) cmd
%wheel ALL=(ALL) ALL

#user hostlist=(runas) cmd
rgharaib ALL=(ALL) /etc/init.d/maui [a-z]*
rgharaib ALL=(ALL) /sw/torque/bin/pbsnodes -[co] [a-z0-9]*
rgharaib ALL=(ALL) /opt/xcat/bin/rpower b[0-9]* [a-z]*
rgharaib ALL=(ALL) /usr/bin/ssh ananke reboot
rgharaib ALL=(ALL) /usr/bin/ssh aether reboot
Xyz ALL=(ALL) ALL
Userid Xyz can run any command on any host as any target user
(Wildcards in the argument part, as in the [a-z]* entries above, are matched against the whole argument string and so match across word boundaries; keep them as tight as possible.)

Xyz ALL=(root) vi
Userid Xyz can run the vi command on any host as root
(Two cautions: sudoers requires a fully qualified command name, so this would be written /usr/bin/vi; and an editor running as root can open a shell or write any file, which makes the rule equivalent to full root. sudoedit is the safer way to grant editing of a specific file.)
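Reading the sudoers entries above with a hardening eye, several deserve a second look. The following is an added example, not code from the slides or from sudo itself: a shell function that scans a sudoers-style file for the patterns a reviewer flags (a command of ALL, a command that is not an absolute path, editors or shells that can escape to a root shell, and wildcards in arguments, which sudoers matches across word boundaries). The sample file is constructed: it repeats the slide's entries and adds a corrected vi line and a tight NOPASSWD rule; user, host and path names are illustrative. It is a review aid, not a replacement for visudo -c.

```shell
#!/bin/sh
# Added example: flag risky sudoers rules. Only plain user specs of the form
#   user host=(runas) [TAG:] cmd, cmd ...
# are parsed; Defaults lines, aliases and comments are skipped.

sudoers_lint() {
    grep -Ev '^[[:space:]]*(#|Defaults|[A-Za-z_]+_Alias|$)' "$1" |
    while IFS= read -r rule; do
        case "$rule" in *=*) ;; *) continue ;; esac
        cmds=${rule#*=}                       # drop "user host="
        # drop a leading "(runas)" and any NOPASSWD:/PASSWD:/NOEXEC:/SETENV: tag
        cmds=$(printf '%s' "$cmds" |
               sed -E 's/^[[:space:]]*\([^)]*\)[[:space:]]*//; s/(NOPASSWD|PASSWD|NOEXEC|SETENV):[[:space:]]*//g')
        printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
            cmd=$(printf '%s' "$cmd" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
            [ -n "$cmd" ] || continue
            prog=${cmd%% *}                   # program is the first word
            args=${cmd#"$prog"}               # everything after it
            if [ "$cmd" = "ALL" ]; then
                echo "$rule | ALL: any command as the runas user"
            elif [ "${prog#/}" = "$prog" ]; then
                echo "$rule | '$prog' is not an absolute path; sudoers requires a fully qualified command"
            else
                case "${prog##*/}" in
                    sh|bash|dash|vi|vim|view|less|more)
                        echo "$rule | ${prog##*/} can spawn a shell or write any file; effectively full access" ;;
                esac
                case "$args" in
                    *\**|*\?*|*\[*)
                        echo "$rule | wildcard in arguments matches across word boundaries; verify what it admits" ;;
                esac
            fi
        done
    done
}

# --- constructed sudoers sample: the slide's entries plus two extra lines ---
demo_sudoers=$(mktemp)
trap 'rm -f "$demo_sudoers"' EXIT
cat > "$demo_sudoers" <<'EOF'
Defaults    env_reset
#%group hostlist=(runas) cmd
%wheel ALL=(ALL) ALL
#user hostlist=(runas) cmd
rgharaib ALL=(ALL) /etc/init.d/maui [a-z]*
rgharaib ALL=(ALL) /sw/torque/bin/pbsnodes -[co] [a-z0-9]*
rgharaib ALL=(ALL) /opt/xcat/bin/rpower b[0-9]* [a-z]*
rgharaib ALL=(ALL) /usr/bin/ssh ananke reboot
rgharaib ALL=(ALL) /usr/bin/ssh aether reboot
Xyz ALL=(ALL) ALL
Xyz ALL=(root) vi
Xyz ALL=(root) /usr/bin/vi
deploy ALL=(root) NOPASSWD: /usr/sbin/service httpd reload
EOF
sudoers_lint "$demo_sudoers"
```

The two ssh reboot rules and the deploy rule pass: fixed program, fixed arguments, no wildcard. Fixing the path on the vi rule (/usr/bin/vi) makes it syntactically valid but still flagged, because the problem is what the editor can do as root, not how the rule is spelled.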

selinux
- Security-Enhanced Linux adds access-control mechanisms to the Linux kernel
- Its principal mechanism is Mandatory Access Control (MAC), enforced by the kernel on top of the usual discretionary file permissions
- Developed primarily by the NSA

selinux
- Every process and every file is assigned a security context
- Policy rules describe, for each confined application, which security contexts it may access

selinux in red hat
- Red Hat includes decent SELinux support out of the box
- Can be enabled by editing /etc/selinux/config
- Usually the type should be targeted and the mode should be enforcing (SELINUXTYPE=targeted, SELINUX=enforcing)
- permissive mode logs what would have been denied without blocking it, which is useful while testing; going from disabled to enabled requires a reboot with a full filesystem relabel

selinux
- Having SELinux enabled may break some necessary functionality
- Booleans can be used to change SELinux behavior without writing policy
- getsebool -a will show the available booleans
- setsebool can modify them (setsebool -P makes the change survive a reboot)

auditd
- Audit daemon that tracks security operations on a system
- SELinux denials (AVC records) are logged through the audit daemon
- Can be configured to meet federal, DoD or other requirements
- Logs are written to /var/log/audit/

selinux + auditd
- audit2allow will generate a SELinux ruleset from denied actions recorded by auditd
- Simple mechanism to update SELinux policies for your environment
- Read the denials and the generated rules before loading them: a denial may be the policy doing its job, and audit2allow will allow it anyway
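Before handing a denial to audit2allow it pays to read what auditd recorded. The following is an added example, not code from the slides or from the SELinux tools: a shell function that pulls out of AVC records in audit.log format the fields a practitioner looks at (the process, its source type, the target type and class, and the denied permissions). The three records are constructed (timestamps, PIDs and inode numbers are made up) but use the field names auditd actually writes.

```shell
#!/bin/sh
# Added example: condense SELinux AVC denials from audit.log-format input into
# "process source_type -> target_type class { permissions }" lines.

avc_summary() {
    # Only AVC denial records are considered; SYSCALL and other record types
    # that share the same audit event id are ignored.
    awk '/^type=AVC / && /avc: +denied/ {
        comm = scon = tcon = tclass = ""
        match($0, /\{[^}]*\}/)                 # "{ perm perm }"
        perms = substr($0, RSTART, RLENGTH)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     comm   = kv[2]
            if (kv[1] == "scontext") scon   = kv[2]
            if (kv[1] == "tcontext") tcon   = kv[2]
            if (kv[1] == "tclass")   tclass = kv[2]
        }
        # a context is user:role:type:level; the type is what policy rules key on
        split(scon, s, ":"); split(tcon, t, ":")
        gsub(/"/, "", comm)
        print comm, s[3], "->", t[3], tclass, perms
    }' "$@"
}

# --- constructed audit.log excerpt (not from a real system) ---
demo_log=$(mktemp)
trap 'rm -f "$demo_log"' EXIT
cat > "$demo_log" <<'EOF'
type=AVC msg=audit(1451269821.123:4567): avc:  denied  { write } for  pid=1234 comm="httpd" name="upload.tmp" dev="dm-0" ino=131074 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1451269821.123:4567): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1451269830.500:4570): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
EOF
avc_summary "$demo_log"
```

The two lines this prints lead to two different decisions. For the second (httpd_t connecting to a mysqld_port_t socket) an existing boolean, httpd_can_network_connect_db, is the right fix. For the first, audit2allow -a -M mymodule would produce a rule allowing httpd_t to write user_home_t files, which is every home directory on the box; the right fix is to label the upload directory with a type the web server may write (httpd_sys_rw_content_t) and leave the policy alone.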

monitoring changes
- Host-based intrusion detection systems
- Designed to detect changes to files on the system
- Normally used in extremely paranoid environments
- AIDE (Advanced Intrusion Detection Environment) is one example

aide
- Works by creating a database containing hashes of important files on the filesystem
- Periodically verifies that file hashes have not changed
- Any legitimate change (patching, configuration edits) is reported as a violation until the database is updated, so updates have to be coordinated with it
- Database must be rebuilt after an update
- The database itself has to be protected (read-only media or an off-host copy); an intruder with root can otherwise rebuild it to hide their changes
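The mechanism described above is small enough to show end to end. The following is an added example, not AIDE's own code: a miniature integrity checker that builds a hash database of a directory tree, reports added, removed and changed files on later checks, and shows why the database must be rebuilt after a legitimate change. The directory tree and its file contents are constructed in a temporary directory; sha256sum is assumed (shasum -a 256 is used where it is missing).

```shell
#!/bin/sh
# Added example: a miniature AIDE. A database of file hashes is built once,
# and later checks diff the live filesystem against it. Real AIDE does the
# same with more attributes (permissions, owner, mtime, inode) and a database
# that is kept where an intruder cannot rewrite it.

hashfile() {
    # sha256sum on Linux, shasum on BSD/macOS
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# integrity_init DIR DB: record "hash<TAB>path" for every regular file (like aide --init)
integrity_init() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(hashfile "$f")" "$f"
    done > "$2"
}

# integrity_check DIR DB: print ADDED/REMOVED/CHANGED lines, return 1 if any (like aide --check)
integrity_check() {
    ic_now=$(mktemp)
    integrity_init "$1" "$ic_now"
    ic_report=$(awk -F'\t' '
        NR == FNR     { old[$2] = $1; next }       # first file: the database
        !($2 in old)  { print "ADDED", $2; next }
        old[$2] != $1 { print "CHANGED", $2 }
                      { delete old[$2] }
        END           { for (p in old) print "REMOVED", p }' "$2" "$ic_now")
    rm -f "$ic_now"
    [ -z "$ic_report" ] && return 0
    printf '%s\n' "$ic_report"
    return 1
}

# --- constructed demo tree (stand-in for /etc on a real host) ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/root/etc"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$demo/root/etc/passwd"
printf 'PermitRootLogin no\n'               > "$demo/root/etc/sshd_config"

integrity_init  "$demo/root" "$demo/aide.db"
integrity_check "$demo/root" "$demo/aide.db" && echo "baseline clean"

# an intruder relaxes sshd and drops a file: both show up on the next check
printf 'PermitRootLogin yes\n'   > "$demo/root/etc/sshd_config"
printf 'evil:x:0:0::/:/bin/sh\n' > "$demo/root/etc/backdoor"
integrity_check "$demo/root" "$demo/aide.db" || echo "violations found"

# after a legitimate change the database must be rebuilt (like aide --update),
# otherwise every later check keeps reporting the same file
rm "$demo/root/etc/backdoor"
printf 'PermitRootLogin no\nMaxAuthTries 3\n' > "$demo/root/etc/sshd_config"
integrity_init  "$demo/root" "$demo/aide.db"
integrity_check "$demo/root" "$demo/aide.db" && echo "clean after rebuild"
```

The last two steps are the operational point of the slide: the rebuild is what turns "patch day" from a page of violations into a clean check, and it is also exactly what an intruder with root would run, which is why the database belongs somewhere root on the monitored host cannot write.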

logging
- Centralized log management is key; a copy that leaves the host is also one an intruder on that host cannot edit
- Once logs are centralized, you need a way to condense them into something useful
- logwatch is one such tool

logwatch
- Tool to generate a summary of system logs
- Can generate one email containing all systems or an email for each system
- Split into different components that check for certain patterns
- Easy to write new components
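A logwatch component is a pattern filter plus a summary. The following is an added example, not logwatch's own code: two shell functions that condense sshd lines from a syslog-format auth log into failed-login counts per source address and per user name, and pick out sources at or above a brute-force threshold. The log lines are constructed (the host name, PIDs and the documentation addresses 203.0.113.7 and 198.51.100.20 are made up).

```shell
#!/bin/sh
# Added example: a logwatch-style summary of sshd authentication failures.
# sshd logs a rejected password as, for instance,
#   Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
#   Failed password for root from 203.0.113.7 port 51236 ssh2

# ssh_failed_summary LOG...: totals per source address and per user name
ssh_failed_summary() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        user = $0
        sub(/.*Failed password for (invalid user )?/, "", user)
        sub(/ from .*/, "", user)
        by_ip[ip]++; by_user[user]++; total++
    }
    END {
        print "Failed SSH logins:", total + 0
        for (ip in by_ip)   print " from", ip ":", by_ip[ip]
        for (u  in by_user) print " user", u ":", by_user[u]
    }' "$@"
}

# ssh_brute_force_sources LOG THRESHOLD: "count address" for sources at or above THRESHOLD
ssh_brute_force_sources() {
    awk -v thr="$2" '/sshd\[[0-9]+\]: Failed password for / {
        for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
    }
    END { for (ip in c) if (c[ip] >= thr) print c[ip], ip }' "$1" | sort -rn
}

# --- constructed auth log (not from a real system) ---
demo_log=$(mktemp)
trap 'rm -f "$demo_log"' EXIT
cat > "$demo_log" <<'EOF'
Dec 28 10:15:01 web01 sshd[2041]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Dec 28 10:15:03 web01 sshd[2043]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Dec 28 10:15:05 web01 sshd[2045]: Failed password for root from 203.0.113.7 port 51240 ssh2
Dec 28 10:16:11 web01 sshd[2050]: Accepted publickey for deploy from 198.51.100.20 port 40010 ssh2
Dec 28 10:17:40 web01 sshd[2052]: Failed password for deploy from 198.51.100.20 port 40012 ssh2
Dec 28 10:17:42 web01 sshd[2052]: Accepted password for deploy from 198.51.100.20 port 40012 ssh2
EOF
ssh_failed_summary "$demo_log"
echo "sources with 3 or more failures:"
ssh_brute_force_sources "$demo_log" 3
```

The single failure from 198.51.100.20 followed by a success is the ordinary typo; the three from 203.0.113.7 against admin and root are the pattern worth an alert, and the threshold function is what the component would hand to the mailer.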

configuration management
- Tools and concepts that help keep systems consistent
- Administrators use tools to write policies and apply them to multiple systems
- Policies are verified periodically, and any drift on the local system can be backed out
- Some tools allow administrators to roll back changes that were pushed out via configuration management

configuration management
- Large organizations and organizations concerned about security can benefit from configuration management
- Example tools are cfengine and puppet
- There will be a complete module on configuration management