Linux Hardening: Locking Down Linux To Increase Security (Michael Boelen) - PowerPoint PPT Presentation


SLIDE 1

Linux Hardening

Locking Down Linux To Increase Security

‘s-Hertogenbosch, 1 March 2016 Meetup: Den Bosch Linux User Group

Michael Boelen

michael.boelen@cisofy.com

SLIDE 2

Goals

  • 1. Learn what to protect
  • 2. Know some strategies
  • 3. Learn tooling

Focus: Linux


SLIDE 3

Agenda

Today

  • 1. System Hardening
  • 2. Security Auditing
  • 3. Guides and Tools

Bonus: Lynis demo


SLIDE 4

Michael Boelen

  • Open Source Security
    ○ rkhunter (malware scan)
    ○ Lynis (security audit)

  • 150+ blog posts at Linux-Audit.com
  • Founder of CISOfy


SLIDE 5

System Hardening

SLIDE 6

Q: What is Hardening?

SLIDE 8

Q: Why Hardening?

SLIDE 10

Q: What if we don’t?

SLIDE 17

Hardening Basics

SLIDE 18

Hardening

  • New defenses
  • Existing defenses
  • Reduce weaknesses (attack surface)


Photo Credits: http://commons.wikimedia.org/wiki/User:Wilson44691

SLIDE 19

Myth

After hardening I’m done


SLIDE 20

Fact

  • Security is an ongoing process
  • It is never finished
  • New attacks = more hardening
    ○ POODLE
    ○ Heartbleed


SLIDE 21

Hardening

What to harden?

  • Operating System
  • Software + Configuration
  • Access controls


SLIDE 22

Hardening

Operating System

  • Packages
  • Services
  • Configuration


SLIDE 23

Hardening

Software

  • Minimal installation
  • Configuration
  • Permissions


SLIDE 24

Hardening

Access Controls

  • Who can access what
  • Password policies
  • Accountability


SLIDE 25

Hardening

Encryption

  • Good: Encryption solves a lot
  • Bad: Knowledge required
  • Ugly: Easy to forget, or do it incorrectly


SLIDE 26

Technical Auditing

SLIDE 27

Auditing

Why audit?

  • Checking defenses
  • Assurance
  • Quality Control


SLIDE 28

Common Strategy

  • 1. Audit
  • 2. Get a lot of findings
  • 3. Start hardening
  • 4. …….
  • 5. Quit


SLIDE 29

Improved Strategy

  • 1. Focus
  • 2. Audit
  • 3. Focus
  • 4. Harden
  • 5. Repeat!


SLIDE 30

Hardening Resources

SLIDE 31

Options

  • Guides
  • Tools (SCAP / Lynis)
  • Other resources


SLIDE 32

Hardening Guides

  • Center for Internet Security (CIS)
  • NIST / NSA
  • OWASP
  • Vendors


SLIDE 33

Hardening Guides

Pros

  • Free to use
  • Detailed
  • You are in control

Cons

  • Time intensive
  • Usually no tooling
  • Limited distributions
  • Delayed releases
  • Missing follow-up

SLIDE 34

Tooling

SLIDE 35

Tools

Tools make life easier, right? Not always...


SLIDE 36

Tools

Problem: There aren’t many good tools


SLIDE 37

Tools

Cause 1: Usually outdated


SLIDE 38

Tools

Cause 2: Limited in their support


SLIDE 39

Tools

Cause 3: Hard to use


SLIDE 40

Tool 1: SCAP

SLIDE 41

SCAP

  • Security
  • Content
  • Automation
  • Protocol


SLIDE 42

SCAP

Combination of:

  • Markup
  • Rules
  • Tooling
  • Scripts


SLIDE 43

SCAP features

  • Common Vulnerabilities and Exposures (CVE)
  • Common Configuration Enumeration (CCE)
  • Common Platform Enumeration (CPE)
  • Common Vulnerability Scoring System (CVSS)
  • Extensible Configuration Checklist Description Format (XCCDF)
  • Open Vulnerability and Assessment Language (OVAL)

Starting with SCAP version 1.1

  • Open Checklist Interactive Language (OCIL) Version 2.0

Starting with SCAP version 1.2

  • Asset Identification
  • Asset Reporting Format (ARF)
  • Common Configuration Scoring System (CCSS)
  • Trust Model for Security Automation Data (TMSAD)


SLIDE 44

Complexity?

List of Tables (Common Configuration Scoring System (CCSS))

  • Table 1. Access Vector Scoring Evaluation
  • Table 2. Authentication Scoring Evaluation
  • Table 3. Access Complexity Scoring Evaluation
  • Table 4. Confidentiality Impact Scoring Evaluation
  • Table 5. Integrity Impact Scoring Evaluation
  • Table 6. Availability Impact Scoring Evaluation
  • Table 7. General Exploit Level Scoring Evaluation
  • Table 8. General Remediation Level Scoring Evaluation
  • Table 9. Local Vulnerability Prevalence Scoring Evaluation
  • Table 10. Perceived Target Value Scoring Evaluation
  • Table 11. Local Remediation Level Scoring Evaluation
  • Table 12. Collateral Damage Potential Scoring Evaluation


SLIDE 45

SCAP Overview

Pros

  • Free to use
  • Focused on automation

Cons

  • Limited distributions
  • Complexity
  • Hard to customize

SLIDE 46

Tool 2: Lynis

SLIDE 48

Lynis

Goals

  • In-depth security scan
  • Quick and easy to use
  • Define next hardening steps


SLIDE 49

Lynis

Background

  • Since 2007
  • Goals
    ○ Flexible
    ○ Portable


SLIDE 50

Lynis

Open Source Software

  • GPLv3
  • Shell
  • Community


SLIDE 51

Lynis

Simple

  • No installation needed
  • Run with just one parameter
  • No configuration needed


SLIDE 52

Lynis

Flexibility

  • No dependencies*
  • Can be easily extended
  • Custom tests

* Besides common tools like awk, grep, ps


SLIDE 53

Lynis

Portability

  • Run on all Unix platforms
  • Detect and use “on the go”
  • Usable after OS version upgrade


SLIDE 54

How it works

  • 1. Initialise
  • 2. OS detection
  • 3. Detect binaries
  • 4. Run helpers/plugins/tests
  • 5. Show report
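The five phases above, as an added example that is not Lynis's own code: a constructed POSIX shell mini-audit that initialises a scratch directory, detects the OS, detects which tools are available, runs two read-only tests (a world-writable file and `PermitRootLogin yes` in a constructed sshd_config), and prints a findings report. The test IDs FILE-0001 and SSH-0001 and the sample files are made up for this illustration.

```sh
#!/bin/sh
# Constructed mini-audit mirroring the five Lynis phases (example code, not Lynis itself).
# It only reports findings; deciding what to harden stays with the administrator.
WORKDIR=$(mktemp -d) && trap 'rm -rf "$WORKDIR"' EXIT   # Phase 1: initialise
WARNINGS=0

# Phase 2: OS detection - prefer /etc/os-release, fall back to the kernel name
detect_os() {
    if [ -r /etc/os-release ]; then
        ( . /etc/os-release && printf '%s\n' "${PRETTY_NAME:-$NAME}" )
    else
        uname -s
    fi
}

# Phase 3: detect binaries - prints one line per tool that is actually available
detect_binaries() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 && printf '%s\n' "$tool"
    done
    return 0
}

# Phase 4: tests - each prints a Lynis-style result line and returns 1 on a finding
test_world_writable() {        # FILE-0001 (made-up ID): "other" must not have write access
    if [ "$(ls -ld "$1" | cut -c9)" = "w" ]; then
        printf '  [FILE-0001] %s ... WARNING (suggestion: chmod o-w)\n' "$1"; return 1
    fi
    printf '  [FILE-0001] %s ... OK\n' "$1"
}
test_sshd_root_login() {       # SSH-0001 (made-up ID): PermitRootLogin must not be "yes"
    if grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$1"; then
        printf '  [SSH-0001] %s ... WARNING (suggestion: PermitRootLogin no)\n' "$1"; return 1
    fi
    printf '  [SSH-0001] %s ... OK\n' "$1"
}
run_test() { "$@" || WARNINGS=$((WARNINGS + 1)); }   # count findings instead of aborting

# Phase 5: report
show_report() { printf '\nHardening findings: %d\n' "$WARNINGS"; }

# Constructed sample input (not from a real host): weak sshd_config and a world-writable file
printf 'Port 22\nPermitRootLogin yes\n' > "$WORKDIR/sshd_config"
: > "$WORKDIR/script.sh" && chmod 666 "$WORKDIR/script.sh"
printf 'Operating system: %s\n' "$(detect_os)"
printf 'Binaries found: %s\n' "$(detect_binaries awk grep ps ls | tr '\n' ' ')"
run_test test_world_writable "$WORKDIR/script.sh"
run_test test_sshd_root_login "$WORKDIR/sshd_config"
show_report
```

Both constructed inputs trip their test, so the report ends with two findings; on a real host the same functions run unchanged against the live files.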


SLIDE 55

Running

  • 1. lynis
  • 2. lynis audit system
  • 3. lynis audit system --quick
  • 4. lynis audit system --quick --quiet


SLIDE 56

Demo?

SLIDE 57

Conclusions

  • 1. Know your crown jewels (properly)
  • 2. Determine hardening level
  • 3. Perform regular checks


SLIDE 58

You finished this presentation. Success!

SLIDE 59

Learn more?

Follow

  • Blog: Linux Audit (linux-audit.com)
  • Twitter: @mboelen

This presentation can be found on michaelboelen.com
