Presentation is loading. Please wait.

Presentation is loading. Please wait.

ITIS 3110 System Hardening.

Published byMaximilian Daniels Modified over 6 years ago

Similar presentations

Presentation on theme: "ITIS 3110 System Hardening."— Presentation transcript:

1 ITIS 3110 System Hardening

2 system hardening Act of modifying a system to make it more secure
Protecting against internal and external threats Usually a balance between security and usability More usability  less secure Higher security  harder to use Balance required is different for every organization

3 hardening practices Removing unneeded:
Privileges Applications Services Updating installed packages on a regular basis Maintaining user lists with up-to-date information Providing an audit trail Detect changes in files and behaviors

4 nsa security guides The NSA publishes security guides for various operating systems and applications Linux guide is written for Red Hat Enterprise Linux 5 Guide can be adapted for other Linux distributions

5 nsa security guides Guides are just a reference
Never follow them without understanding what you are doing Many of the security recommendations may not make sense in your environment Adapt and modify as needed

6 nsa security guides uration_guides/index.shtml

7 vulnerability databases
Vulnerability databases are an important resource for determining if your software needs to be patched Often contain mitigation information as well as available update paths

8 vulnerability databases
Interesting article:

9 Typical Resources to Monitor

10 inetd inetd is the Internet “super-server”
A super-server listens to network ports and starts the appropriate server when a connection is received Configuration is in /etc/inetd.conf Note: xinetd is the new improved version

11 /etc/inetd.conf One service per line 7 tab-delimited fields
Lines can be commented out by preceding with a # 7 tab-delimited fields service-name socket-type Protocol wait|nowait User server-program server-args “The wait/nowait entry specifies whether the server that is invoked...will take over the socket...and thus whether inetd should wait for the server to exit before listening for new service requests.” (man inetd)

12 /etc/inetd.conf service-name socket-type protocol wait | nowait user
server-program server-args ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l #ntalk dgram udp wat root /usr/libexec/ntalkd ntalkd telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd

13 xinetd Secure replacement for inetd
Configuration is stored in /etc/xinetd.conf and /etc/xinetd.d/ Most services have their own file in the configuration directory Allows services to be added when a package is installed

14 xinetd Configuration files allow both enabled and disabled keyword
Convention is to only use disabled keyword On Red Hat-like systems chkconfig can control xinetd services

15 /etc/xinetd.d/tftp } service tftp { socket_type = dgram protocol = udp
wait = yes user = root server = /usr/sbin/in.tftpd server_args = -s /tftpboot disable = yes }

16 disabling services Red Hat Debian Standard Service inetd xinetd
chkconfig update-rc.d inetd - update-inetd xinetd edit manually

17 Elevated Privileges

18 su switch user “Anyone can use” su [options] [commands] [-] [username]
If no user specified root is assumed “Anyone can use” Still must know the password  all administers for the system must share the password  Don’t know who changed something while root

19 sudo sudo allows a user id to perform actions as root or another user
sudo -V | -h | -l | -L | -v | -k | -K | -s | [ -H ] [-P ] [-S ] [ -b ] | [ -p prompt ] [ -c class|- ] [ -a auth_type ] [-r role ] [-t type ] [ -u username|#uid ] command sudo -V | -h | -l | -L | -v | -k | -K | -s | [ -H ] [-P ] [-S ] [ -b ] | [ -p prompt ] [ -c class|- ] [ -a auth_type ] [-r role ] [-t type ] [ -u username|#uid ] command sudo -V | -h | -l | -L | -v | -k | -K | -s | [ -H ] [-P ] [-S ] [ -b ] | [ -p prompt ] [ -c class|- ] [ -a auth_type ] [-r role ] [-t type ] [ -u username|#uid ] command sudo sudo allows a user id to perform actions as root or another user More flexible than su which is all or nothing Authenticates user with their password su requires user to know root or other user’s password Can filter which actions they may perform Simplified syntax: sudo command Executes command as root (if set up)

20 sudo All root-level work should be done using sudo
Allows tracking of what users were using root privileges Configuration is in /etc/sudoers sudoers should be edited with visudo checked after editing with visudo –c

21 sudoers syntax user hosts = (runas) commands Can have aliases for each
One or more users (or %group) hosts List of hosts (or ALL), eg. Remote machines allowed to run on runas List of users (or ALL) that can run as for the command Groups can follow a : Root is default commands List of commands (or ALL) that can be run as root Can have aliases for each

22 /etc/sudoers #%group hostlist=(runas) cmd %wheel ALL=(ALL) ALL
#user hostlist=(runas) cmd rgharaib ALL=(ALL) /etc/init.d/maui [a-z]* rgharaib ALL=(ALL) /sw/torque/bin/pbsnodes -[co] [a-z0-9]* rgharaib ALL=(ALL) /opt/xcat/bin/rpower b[0-9]* [a-z]* rgharaib ALL=(ALL) /usr/bin/ssh ananke reboot rgharaib ALL=(ALL) /usr/bin/ssh aether reboot Xyz ALL=(ALL) ALL Userid Xyz can run on any server as any target user for any command Xyz ALL=(root) vi Userid Xyz can run on any server as root for the vi command

23 Sudo Benefits Disable root
No more generic root editing/configuring Who did it? Give individual sudo access to specific users Can be as general as all access Can be specific to a particular command and options If errors or sabotage Know who did it from the log records

24 Sudo examples operator ALL= /sbin/poweroff SuperMary ALL=(ALL) ALL
UID operator can shut down the system SuperMary ALL=(ALL) ALL UID SuperMary can do anything as “root” %supergroup ALL=(ALL) ALL Anyone in the group supergroup has “root” authority msnider ALL= NOPASSWD: /sbin/halt UID msnider can halt the system, no password required trusty dev02 = /usr/bin/* UID trusty can run any command in the /usr/bin directory on system dev02

25 selinux

26 selinux Security-Enhanced Linux adds access-control mechanisms to the Linux kernel Most common mechanism is Mandatory Access Control (MAC) Developed primarily by the NSA

27 selinux All files are assigned a security context
policies exist for every application detailing the security contexts they can access

28 selinux in red hat Red Hat includes decent SELinux support out of the box Can be enabled by editing /etc/selinux/config Usually type should be targeted and mode should be enforcing

29 selinux Having SELinux enabled may break some necessary functionality
Booleans can be used to change SELinux behavior getsebool -a will show available booleans setsebool can modify them

30 auditd Audit daemon that tracks security operations on a system
SELinux problems are logged to the audit daemon Can be configured to meet federal, DoD or other requirements Logs written to /var/log/audit/

31 selinux + auditd audit2allow
will generate a SELinux ruleset from denied actions recorded by auditd Simple mechanism to update SELinux policies for your environment

32 Other

33 monitoring changes Host-based intrusion detection systems
Software is on the computer itself Designed to detect changes to files on the system Normally used in extremely paranoid environments AIDE (Advanced Intrusion Detection Environment) is one example

34 aide Creates a database containing hashes of important files on the filesystem Periodically verifies that file hashes have not changed Must be turned off to update anything Database must be rebuilt after an update

35 logging Centralized log management is key
Once logs are centralized, you need a way to condense them into something useful logwatch is one such tool Note: enable sudo to monitor who makes system changes

36 logwatch Tool to generate summary of system logs
Can generate one containing all systems or an for each system Split into different components that check for certain patterns Easy to write new components

37 configuration management
Tools and concepts that help maintain systems consistency Administrators use tools to write policies and apply them to multiple systems Policies are verified periodically and any changes on the local system can be backed out Some tools allow administrators to roll back changes that were pushed out via configuration management

38 configuration management
Large organizations and organizations concerned about security can benefit from configuration management Example tools are cfengine and puppet Will have a complete module on configuration management

Download ppt "ITIS 3110 System Hardening."

Similar presentations

Linux Users and Groups Management

Linux Users and Groups Management
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.
Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.

Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
Lesson 18: Configuring Application Restriction Policies

Lesson 18: Configuring Application Restriction Policies
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Installing and Configuring a Secure Web Server COEN 351 David Papay.

Installing and Configuring a Secure Web Server COEN 351 David Papay.
1 Network File System. 2 Network Services A Linux system starts some services at boot time and allow other services to be started up when necessary. These.

1 Network File System. 2 Network Services A Linux system starts some services at boot time and allow other services to be started up when necessary. These.
11 MAINTAINING THE OPERATING SYSTEM Chapter 5. Chapter 5: MAINTAINING THE OPERATING SYSTEM2 CHAPTER OVERVIEW  Understand the difference between service.

11 MAINTAINING THE OPERATING SYSTEM Chapter 5. Chapter 5: MAINTAINING THE OPERATING SYSTEM2 CHAPTER OVERVIEW  Understand the difference between service.
Linux Operations and Administration

Linux Operations and Administration
Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.

Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.
Hands-On Microsoft Windows Server 2008

Hands-On Microsoft Windows Server 2008
Remote Desktop Services Remote Desktop Connection Remote Desktop Protocol Remote Assistance Remote Server Administration T0ols.

Remote Desktop Services Remote Desktop Connection Remote Desktop Protocol Remote Assistance Remote Server Administration T0ols.
system hardening Act of modifying a system to make it more secure Protecting against internal and external threats Usually a balance between security.

system hardening Act of modifying a system to make it more secure Protecting against internal and external threats Usually a balance between security.

Similar presentations

Ads by Google