01/03/11 Centre for Development of Advanced Computing Chennai BOSS Desktop Security.

Presentation transcript:

01/03/11 Centre for Development of Advanced Computing Chennai BOSS Desktop Security

Security means hardening the Linux system (i.e., protecting the kernel from external intrusions).
RULE: Deny ALL and then ALLOW

1) GRUB password
The GRUB menu does not allow access to the editor or command interface (boot-up screen) without first pressing 'p' followed by the GRUB password.
2) Partitioning
Separate user-writable data, non-system data, and rapidly changing run-time data onto their own partitions.
Set the nosuid,noexec,nodev mount options in /etc/fstab on ext3 partitions such as /tmp.

3) Password and login security
Set a good root password with a minimum length of 8 characters and a maximum of 40.
The passwdqc module is enabled for password/passphrase strength checking and enforcement.
Old-password history is implemented and remembers up to 7 passwords.
The fail delay for password authentication in the login program is 10 seconds.

4) Secure kernel
All the security functionality and the ext3 file system reside in kernel space, not in user space, to make the operating system more secure.
5) Restricting system reboots through the console
When the three-finger salute (a.k.a. Ctrl+Alt+Del) is given, the program checks whether any of the users listed in the file are logged in. If none of them is, shutdown will not reboot the system.

6) File system limits and control
Keep the quotas small enough so that users do not eat up your disk space. Use quotas on all user-writable areas, on /home as well as on /tmp.
7) Restricting users' access
The users listed in the file /etc/nologin will not be able to access the system.

8) Encrypting file system
The encryption process obscures certain information, making it unreadable without a special password or passcode. This new partition is encrypted at all times, and reading the files in it is not possible unless the proper password is used.
9) SELinux
SELinux is a Mandatory Access Control (MAC) system, a kernel (LSM) enhancement that confines programs to a limited set of resources. SELinux allows more fine-grained access controls than traditional Unix permissions offer.

10) Audit
It provides tools that help the administrative user extract specific types of audit events: audit events for specific users, audit events related to specific file system objects, or audit events within a specific time frame. It is responsible for writing audit records to disk. The Linux audit files are used to see who made changes, based on program, database files and system calls.

11) Multi-user environment
Linux is a true multi-user environment. This means that the system can support different users with different privileges. Each user has access to a predefined set of system services and his/her own private data. The private data in turn can be shared with other users by granting access privileges to them.

12) Admin group for the su program
The administrator has to change the group ownership of su to the admin group. Then only admin group members are able to run the su program; the rest of the users cannot run it.
13) Disable drivers
Floppy, CD-ROM and USB must be disabled.
14) Disable services
Disable services like telnet, rsh, imap and http through iptables.

15) Extended attributes
Extended attributes are arbitrary name/value pairs associated with files or directories. They can be used to store system objects such as the capabilities of executables and access control lists, as well as user objects.
16) ACL
The file mode contains nine bits that determine the access permissions of a file, plus three special bits. This mechanism allows access permissions to be defined for three classes of users: the file owner, the file group, and others. The mechanism is very simple: with a couple of bits, many permission scenarios can be modeled.

17) Secure communications
a) SSH
Secure Shell (SSH) is a network protocol that allows data to be exchanged using a secure channel between two networked devices.[1] The encryption used by SSH is intended to provide confidentiality and integrity of data over an insecure network, such as the Internet.
b) SSL
SSL uses a cryptographic system with two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message.

18) Tripwire
A file integrity checker for Linux systems. If Tripwire detects that a monitored file has been changed, it notifies the system administrator via . Because Tripwire can positively identify files that have been added, modified, or deleted, it can speed recovery from a break-in by keeping the number of files which must be restored to a minimum.
19) LTP
Test suites for the open source community that validate the reliability, robustness, and stability of Linux.

20) Iptables
A user-level application program to define the tables/rules for the Linux kernel firewall.
Implemented as Netfilter modules.
Applies a chain of rules to decide the ultimate fate of a packet.
Complex administration.
Firestarter: a front-end GUI for iptables, easy to configure and administer.

Limit physical access and booting capabilities
Enable the BIOS password.
Disable all other booting options like CD-ROM and USB.
Set the GRUB password.
The /boot/grub/menu.lst configuration file is read-protected.

Partitioning
Separate root partition (/root)
Separate system data (/etc, /bin, /sbin, /usr)
Separate user-writable data (/home), non-system data (/opt, /var, /media, /mnt, /tmp), and rapidly changing run-time data onto other partitions (like the audit log)
Set nosuid,noexec,nodev mount options in /etc/fstab on ext2 partitions
Encryption is enabled

Password and login security
Passwords have a minimum length of 8 characters and a maximum of 40.
The password/passphrase checker can check up to 3 character classes (numeric, uppercase letters, lowercase letters, special characters).
The old-password history remembers up to 7 passwords.
The fail delay for password authentication in the login program is 10 seconds.

Setuid-bit programs
/bin/ping
/bin/su
/usr/bin/at
/usr/bin/chage
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/lpq
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/lpstat

Setgid-bit programs
/usr/sbin/postdrop
/usr/sbin/postqueue

REQUIRED services
The following services are REQUIRED for runlevel 2:
atd
ssh
auditd
gdm
cron
irqbalance
networking
halt
sysklog
cupsys
postfix
anacron
urandom
hwclock
Disable USB

Useradd program
By default the useradd program creates the user's home directory under /home/$username.
#useradd test7
The home directory can be changed to any location, e.g. /var/www/$username:
#useradd -d /var/www/test8 test8

Locking the user after failed login attempts
Used to set the login failure limit for a user:
#faillog -u test5 -m 4
Display the faillog records:
#faillog -a

Audit
Set audit rules based on three types:
Programs: /bin/login, /usr/bin/passwd, /bin/su
Databases: /etc/passwd, /etc/shadow, /etc/login.defs
System calls: open, chmod, chown
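The audit slides (10 and the one above) name the watched programs, databases and system calls but show neither the rules nor how to read the records they produce. This is an added example, not from the C-DAC slides: the three rule categories in auditctl syntax with assumed key names, and a small reader that answers "who touched this file?" from raw audit.log records; the sample records are constructed.

```shell
# Added example (not from the C-DAC slides): audit rules in auditctl syntax
# for the three categories on the slide, plus a reader that answers "who
# touched this file?" from raw audit records. Keys and records are constructed.
AUDIT_RULES='-w /bin/login -p x -k login-prog
-w /usr/bin/passwd -p x -k passwd-prog
-w /bin/su -p x -k su-prog
-w /etc/passwd -p wa -k passwd-db
-w /etc/shadow -p wa -k shadow-db
-w /etc/login.defs -p wa -k logindefs-db
-a always,exit -F arch=b64 -S open,chmod,chown -F auid>=1000 -k syscalls'

# Join each SYSCALL record with the PATH record of the same event id
# (the number after the colon in msg=audit(time:id)) and print who did
# what to which file. Optional argument: report only events with that key.
audit_who_touched() {
    awk -v want="${1:-}" '
    # value of "name=..." in a record, quotes stripped; "" if absent
    function field(line, name,    v) {
        if (!match(line, "(^| )" name "=[^ ]*")) return ""
        v = substr(line, RSTART, RLENGTH)
        sub("^ ?" name "=", "", v); gsub(/"/, "", v)
        return v
    }
    function evid(line,    p) { split(field(line, "msg"), p, /[:)]/); return p[2] }
    $1 == "type=SYSCALL" {
        k = field($0, "key")
        if (want != "" && k != want) next
        id = evid($0)
        who[id] = "auid=" field($0, "auid") " comm=" field($0, "comm") " exe=" field($0, "exe")
        keyof[id] = k
    }
    $1 == "type=PATH" {
        id = evid($0)
        if (id in who) print "event=" id " " who[id] " path=" field($0, "name") " key=" keyof[id]
    }'
}

# Constructed sample records in raw audit.log layout: auid 1000 ran passwd
# (which rewrote /etc/shadow); auid 1001 edited /etc/login.defs with vi.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1299139200.101:201): arch=c000003e syscall=2 success=yes exit=3 ppid=1200 pid=1234 auid=1000 uid=0 euid=0 tty=pts0 ses=3 comm="passwd" exe="/usr/bin/passwd" key="shadow-db"
type=PATH msg=audit(1299139200.101:201): item=0 name="/etc/shadow" inode=131346 dev=08:01 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1299139260.555:202): arch=c000003e syscall=2 success=yes exit=4 ppid=1300 pid=1350 auid=1001 uid=0 euid=0 tty=pts1 ses=4 comm="vi" exe="/usr/bin/vi" key="logindefs-db"
type=PATH msg=audit(1299139260.555:202): item=0 name="/etc/login.defs" inode=131400 dev=08:01 mode=0100644 ouid=0 ogid=0'

printf '%s\n' "$SAMPLE_AUDIT" | audit_who_touched            # all events
printf '%s\n' "$SAMPLE_AUDIT" | audit_who_touched shadow-db  # one key
```

The auid (login uid) survives su, which is why the reader reports it rather than uid; on a live system feed the function with the raw records, e.g. `ausearch -k shadow-db --raw | audit_who_touched`.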

SSH (Secure Shell)
Direct root login is disabled.
SSH protocol version 1 is disabled.
SSH protocol version 2 is enabled.
The permitted authentication mechanisms are per-user (non-empty) passwords and per-user AES (aes128-cbc algorithm) public key authentication.
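The settings on the SSH slide correspond to sshd_config directives and can be verified rather than assumed. This is an added example, not from the C-DAC slides: a checker for those directives, run over a constructed pre-hardening config and its hardened counterpart.

```shell
# Added example (not from the C-DAC slides): check an sshd_config against
# the settings the SSH slide lists. Reads the config on stdin and prints
# one line per directive that is missing or differs. Directive names are
# matched case-insensitively and the first occurrence wins, as sshd does;
# Match blocks are not handled.
sshd_check() {
    awk '
    BEGIN {
        n = split("Protocol=2 PermitRootLogin=no PubkeyAuthentication=yes PasswordAuthentication=yes PermitEmptyPasswords=no Ciphers=aes128-cbc", w, " ")
        for (i = 1; i <= n; i++) {
            split(w[i], kv, "=")
            order[i] = kv[1]; want[tolower(kv[1])] = kv[2]
        }
    }
    /^[[:space:]]*#/ || NF == 0 { next }
    {
        d = tolower($1)
        if (!(d in val)) val[d] = $2
    }
    END {
        for (i = 1; i <= n; i++) {
            d = tolower(order[i])
            if (!(d in val)) print order[i] ": not set, sshd default applies"
            else if (val[d] != want[d]) print order[i] ": is " val[d] ", want " want[d]
        }
    }'
}

# Constructed configs: a typical pre-hardening file and the hardened
# equivalent of what the slide describes (the Protocol directive only
# exists on OpenSSH releases old enough to still offer protocol 1).
WEAK_SSHD='# before hardening
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes'

HARDENED_SSHD='Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
Ciphers aes128-cbc'

printf '%s\n' "$WEAK_SSHD" | sshd_check        # lists five findings
printf '%s\n' "$HARDENED_SSHD" | sshd_check    # prints nothing
```

On a live system run `sshd_check < /etc/ssh/sshd_config`; a directive reported as "not set" takes the compiled-in default, which for PermitRootLogin on old releases was yes.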

DAC
Control which users can read or modify files by setting the Unix permission bits and user/group IDs, and by using POSIX-style access control lists (ACLs). The administrator ('root') is able to override these permissions and access all files on the system.

Security monitoring
Created /var/log/btmp to log bad login attempts:
# touch /var/log/btmp
# lastb

List of processes
List the processes currently running on the system:
ps aux

Network analysis
List the ports currently open on the system:
netstat -plntu
Live network traffic analysis:
tcpdump

List of services
List the services currently running on the system:
lsof -i

Thank You
Ashok Kumar J
Sanket Bajoria