
Linux Operating System Security: Joen A. Sinamag

Linux is a free open source operating system created in 1991 by Linus Torvalds. It is commonly used as a server but also on desktops, smartphones, and other devices. Hardening Linux involves providing protection across multiple layers through techniques like access control and encryption to make the system more secure. Key aspects of hardening include managing users and groups, setting file permissions, configuring the operating system, and using security tools like SELinux which gives administrators more control over access than traditional Linux security models. Regular patching and updating the operating system is also important for security.

Uploaded by

Joen Sinamag

Linux Operating System Security

Joen A. Sinamag
What is Linux?
• Linux is a free, open source operating system (OS) based on UNIX that was created in 1991 by Linus Torvalds. Users can modify and create variations of the source code, known as distributions, for computers and other devices. The most common use is as a server, but Linux is also used in desktop computers, smartphones, e-book readers, gaming consoles, etc.
• It is also used by hackers.
• Linux Types:
  • Ubuntu
  • Red Hat
  • SUSE
  • Debian
  • CentOS
  • Oracle
Hardening
• Hardening refers to providing various means of protection in a computer system. Protection is provided in various layers and is often referred to as defense in depth. Protecting in layers means to protect at the host level, the application level, the operating system level, the user level, the physical level and all the sublevels in between. Each level requires a unique method of security.
• A hardened computer system is a more secure computer system. Hardening is also known as system hardening.
• Guides: CIS Benchmark
• Tools: SCAP, Lynis


What if we don't harden?
Users and Groups
• Users and groups are used to control access to files and resources. Different permissions are applied depending on the user and group.
• Users:
  • Every user of the system is assigned a unique user ID, known as the UID.
  • User names and UIDs are stored in /etc/passwd. Users cannot read, write or execute each other's files without permission.
• Groups:
  • Users are assigned to groups with unique group ID numbers, known as the GID.
  • Each user is given their own group. GIDs are stored in /etc/group.
File Security
File Permissions:

• Every file and directory in your UNIX/Linux system has the following 3 permissions defined for all the 3 owners discussed above.
• Read (r): This permission gives you the authority to open and read a file. Read permission on a directory gives you the ability to list its contents.
• Write (w): The write permission gives you the authority to modify the contents of a file. The write permission on a directory gives you the authority to add, remove and rename files stored in the directory. Consider a scenario where you have write permission on a file but do not have write permission on the directory where the file is stored. You will be able to modify the file contents, but you will not be able to rename, move or remove the file from the directory.
• Execute (x): In Windows, an executable program usually has the extension ".exe", and you can easily run it. In Unix/Linux, you cannot run a program unless the execute permission is set. If the execute permission is not set, you might still be able to see/modify the program code (provided read and write permissions are set), but not run it.

Special Permissions:

• There are four cases:
  1. SUID (Set-user Identification) on an executable.
  2. SGID (set group ID) on an executable.
  3. SGID (set group ID) on a directory.
  4. Sticky bit on a directory.
LINK: https://thegeeksalive.com/linux-special-permissions/
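
The four special-permission cases listed above can be inventoried with find. This is an added example, not part of the original slides; the function names and the demo tree are constructed for illustration, and the last check (a world-writable directory without the sticky bit) goes one step beyond the four cases.

```shell
#!/usr/bin/env bash
# Added example: report special permission bits under a directory tree.
# Prints one "<KIND> <path>" line per finding.
audit_special_bits() {
    local root=$1
    # Case 1, SUID on an executable: runs with the file owner's UID.
    find "$root" -xdev -type f -perm -4000 | sed 's/^/SUID-FILE /'
    # Case 2, SGID on an executable: runs with the file's group.
    find "$root" -xdev -type f -perm -2000 | sed 's/^/SGID-FILE /'
    # Case 3, SGID on a directory: new entries inherit the directory's group.
    find "$root" -xdev -type d -perm -2000 | sed 's/^/SGID-DIR /'
    # Case 4, sticky directory: only an entry's owner, the directory's
    # owner or root may delete or rename the entry.
    find "$root" -xdev -type d -perm -1000 | sed 's/^/STICKY-DIR /'
    # Extra: world-writable directory lacking the sticky bit, where any
    # user can delete or replace another user's files.
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 | sed 's/^/NO-STICKY /'
}

# Build a constructed tree (hypothetical names) that exercises every case.
make_demo_tree() {
    local d=$1
    touch "$d/suid-tool" "$d/sgid-tool" "$d/plain"
    mkdir "$d/shared" "$d/scratch" "$d/dropbox"
    chmod 4755 "$d/suid-tool"
    chmod 2755 "$d/sgid-tool"
    chmod 0644 "$d/plain"
    chmod 2775 "$d/shared"
    chmod 1777 "$d/scratch"
    chmod 0777 "$d/dropbox"
}

demo=$(mktemp -d)
make_demo_tree "$demo"
audit_special_bits "$demo" | sed "s|$demo/||"
rm -rf "$demo"
```

On a real host, point `audit_special_bits` at a mount point and compare the output against a reviewed baseline.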
INODES:
• An inode is a data structure on a traditional Unix-style file system such as UFS or ext3. An inode stores basic information about a regular file, directory, or other file system object.
• https://www.cyberciti.biz/tips/understanding-unixlinux-filesystem-inodes.html
Linux Server Hardening
• Boot Security
• Patching Linux Kernel
• Remove Unused Software
• Strong Password Policy
Securing Root Login
Process Security
Operating System
• Patching and Software Updates: patches are released periodically for included software, either to fix security flaws or to add functionality.
• File System Configuration:
  • Create Separate Partition for /tmp: grep "[[:space:]]/tmp[[:space:]]" /etc/fstab
  • Create Separate Partition for /var: grep "[[:space:]]/var[[:space:]]" /etc/fstab
• Secure Boot Settings:
  • Set permissions on boot loader config: chmod og-rwx /boot/grub/grub.cfg
  • Set Boot Loader Password: grub-mkpasswd-pbkdf2
• OS Services:
  • Ensure rsh server is not enabled
  • Ensure telnet server is not enabled
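
The file-system and boot-loader checks above, combined into one script. This is an added example, not part of the original slides: the function names are hypothetical, the sample fstab is constructed, and `stat -c` assumes GNU coreutils. Unlike the plain grep, it ignores commented-out fstab lines.

```shell
#!/usr/bin/env bash
# Added example (not from the slides). Paths are arguments so the checks can
# be run against copies of the files; the sample fstab below is constructed.

# True if MOUNTPOINT ($2) has its own active entry in FSTAB ($1).
# A commented-out line does not count.
has_separate_partition() {
    awk -v m="$2" '$1 !~ /^#/ && $2 == m { found = 1 } END { exit !found }' "$1"
}

# True if group and other have no permissions on the boot loader config,
# i.e. the state that "chmod og-rwx" leaves behind.
boot_cfg_locked() {
    case "$(stat -c '%a' "$1")" in
        *00|0) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print PASS/FAIL per check; the return status is the number of failures.
audit_os_baseline() {
    local fstab=$1 grubcfg=$2 fails=0 mnt
    for mnt in /tmp /var; do
        if has_separate_partition "$fstab" "$mnt"; then
            echo "PASS separate partition for $mnt"
        else
            echo "FAIL no active fstab entry for $mnt"
            fails=$((fails + 1))
        fi
    done
    if boot_cfg_locked "$grubcfg"; then
        echo "PASS $grubcfg not accessible to group/other"
    else
        echo "FAIL $grubcfg accessible to group/other"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed demo input: /tmp is separate, the /var entry is commented out.
demo=$(mktemp -d)
printf '%s\n' \
    '/dev/sda1  /      ext4  defaults  0 1' \
    '/dev/sda2  /tmp   ext4  defaults  0 2' \
    '#/dev/sda3 /var   ext4  defaults  0 2' > "$demo/fstab"
touch "$demo/grub.cfg" && chmod 644 "$demo/grub.cfg"
audit_os_baseline "$demo/fstab" "$demo/grub.cfg" || echo "failures: $?"
rm -rf "$demo"
```

On a live system the call would be `audit_os_baseline /etc/fstab /boot/grub/grub.cfg`, run as root so the boot loader config can be read.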
SELinux
• Security-Enhanced Linux (SELinux) is a security architecture for Linux systems that allows administrators to have more control over who can access the system. It was originally developed by the United States National Security Agency (NSA) as a series of patches to the Linux kernel using Linux Security Modules (LSM). SELinux has MAC and DAC.

| DAC | MAC |
|---|---|
| User has complete control over all programs it owns and executes. | Administrators manage the access controls, unlike the users in DAC. |
| Administrators have no way to control users. | Administrators define the access policy. |
Reference
• Linux kernel versions 2.6
• SUSE Linux Enterprise Server 10
• SUSE Linux Enterprise Server 11
• Red Hat Enterprise Linux 4
• Red Hat Enterprise Linux 5
• Red Hat Enterprise Linux 6
Thank You!!!!!!
