Day 7: Securing Linux Systems

Protecting Against Priv Esc Techniques

chroot Jail

chroot - Change the apparent root directory for a process so it cannot see or reach files outside the jail

Encryption

LUKS:

cryptsetup - Front end to LUKS and dm-crypt.

shred - Used to overwrite a drive with random data

Network Security Best Practices

Enable SSL/TLS on all web servers

Configure SSH to disable root access

Deny unknown hosts

Change default ports

Enable auditd service


Identity and Access Management

SSH:

ssh-keygen (local machine)
ssh-copy-id (copy public key to remote machine)

ssh-add - Add private keys to ssh agent


PAM

Pluggable Authentication Modules

/etc/pam.d - Per-service PAM configuration files

/etc/securetty - TTYs from which root is allowed to log in


PKI

  1. Both keys must be from the same pair
  2. No one has anyone else's private key
  3. Confidentiality: encrypt with the receiver's public key
  4. Digital signatures are created with the sender's private key

SELinux Policies

/etc/selinux

getenforce - Check current SELinux mode (Enforcing/Permissive/Disabled)
getsebool - Check on/off status of SELinux booleans
sestatus - Check SELinux status
sealert - Check SELinux violations (AVC denials)

UFW

Firewall management tool used to configure iptables

Become a router: sysctl -w net.ipv4.ip_forward=1 (enables IP forwarding; plain sysctl net.ipv4.ip_forward only shows the current value)


System Logs

Tracked by syslogd
Supports remote and local logging

syslog = Everything but authentication messages
messages = Non-critical system events
auth.log = Authentication messages in Debian
secure = Authentication messages in RHEL
kern.log = Kernel messages

rsyslogd = configured in /etc/rsyslog.conf

journalctl

View and query log files created by systemd

Configured in: /etc/systemd/journald.conf

last = Display user logins and logouts

rsync = transfers file differences, not all files


LAB

shred
shred -v --iterations=1 /dev/sda/yada/yada = Overwrite the device to erase existing data

Securing a drive with LUKS
cryptsetup -v --verify-passphrase luksFormat /dev/sda/yada/yada

Opening drive with cryptsetup
cryptsetup luksOpen /dev/sda/yada/yada databack   (mapped at /dev/mapper/databack)

Add encrypted volume to /etc/crypttab and /etc/fstab (the crypttab name must match the mapper name referenced in /etc/fstab)
bash -c "echo databack /dev/sda/yada/yada none >> /etc/crypttab"
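The crypttab/fstab step above appends unconditionally, so running it twice leaves duplicate entries. The following is an added example (not from the original notes) that registers a LUKS mapping in both files only when it is not already present; the mapper name "databack", the mount point /mnt/databack, the ext4 type and the CRYPTTAB/FSTAB overrides are assumptions of this example.

```shell
#!/bin/sh
# Idempotently register a LUKS volume in crypttab and fstab.
# CRYPTTAB and FSTAB may be overridden (e.g. to test against temp files);
# by default the real /etc files are used, which requires root.

add_luks_volume() {
    name=$1        # mapper name, as given to cryptsetup luksOpen -> /dev/mapper/<name>
    device=$2      # underlying LUKS device; UUID=... is more stable than /dev/sdX
    mountpoint=$3  # where /dev/mapper/<name> is mounted
    crypttab=${CRYPTTAB:-/etc/crypttab}
    fstab=${FSTAB:-/etc/fstab}

    # crypttab fields: <name> <device> <keyfile|none> <options>
    if ! grep -q "^$name[[:space:]]" "$crypttab" 2>/dev/null; then
        printf '%s %s none luks\n' "$name" "$device" >> "$crypttab"
    fi

    # fstab fields: <device> <mountpoint> <type> <options> <dump> <pass>
    # The device is the mapper path, so it must use the same name as crypttab.
    if ! grep -q "^/dev/mapper/$name[[:space:]]" "$fstab" 2>/dev/null; then
        printf '/dev/mapper/%s %s ext4 defaults 0 2\n' "$name" "$mountpoint" >> "$fstab"
    fi
}

# Example call (constructed placeholder UUID; replace with cryptsetup luksUUID output):
# add_luks_volume databack UUID=00000000-0000-0000-0000-000000000000 /mnt/databack
```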

sestatus = Current status of SELinux

Apache
/etc/httpd/conf/httpd.conf = Edit the web root (DocumentRoot)

semanage fcontext = Define SELinux file context rules (run restorecon on the path afterwards to apply them)

Firewalls
firewall-cmd --get-zones = List all available zones
firewall-cmd --zone=dmz --list-all = Show everything configured in the dmz zone
firewall-cmd --get-active-zones = Get active zones
firewall-cmd --zone=dmz --add-service=https --permanent
firewall-cmd --zone=dmz --add-port=8843/tcp --permanent   (port must include the protocol)
firewall-cmd --reload = Load the --permanent changes into the running config

rsyslog
vim /etc/rsyslog.conf = Configurations for remote logging/rules for logging
sudo systemctl restart rsyslog = Apply changes

journalctl
journalctl -p notice = Show messages at priority notice and more severe
journalctl --since "2 hours ago" --until "30 minutes ago" = Filter by time window
journalctl -u httpd.service = Filter on the httpd (Apache) unit's logs

last
last = Login/logout events
lastb = Login failures
lastlog = Last time a user logged in

rsync
rsync -av /files/to/sync /where/to/sync/them