Linuxsec3e PPT ch02

CHAPTER 2

Basic Components of Linux Security

Copyright © 2024 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.
Learning Objective(s) and Key Concepts

Learning Objective(s):
- Describe basic components of Linux and configure settings to secure a Linux platform.

Key Concepts:
- The Linux kernel and boot process
- Basic security options for users, groups, and files
- Basic security features for networks
- Appropriate resources for the latest security updates
- Diversity in distributions and services
Basic Terms

- Linux kernel
  - The core of the Linux operating system
  - Includes a monolithic core and modular components
- Linux distribution
  - A unified collection of applications, services, drivers, and libraries configured with a Linux kernel
  - Managed by either a company or a group of volunteers
Linux Security Relates to the Kernel (1 of 3)

- Kernel philosophy
  - Kernel is robust
  - Includes a core and supplemental modular components
  - Monolithic part of the kernel contains drivers and options essential to the kernel boot process
  - Modular part of the kernel adds everything else needed for smooth operation
- Basic kernels
  - Development work is managed by the Linux Kernel Organization
  - Source code for the kernel can be acquired at https://kernel.org
  - Building a custom kernel requires Linux source code
Linux Security Relates to the Kernel (2 of 3)

- Distribution-specific kernels
  - A distribution-specific kernel has been compiled and built with the intended hardware in mind
  - Name of the kernel file generally includes the version number as well as the hardware architecture
  - Example: Debian Linux has a kernel named vmlinuz-5.10.0-8-amd64
- Custom kernels
  - Linux kernel is highly customizable
  - Example of a standard customization menu on next slide
  - Different configuration interfaces exist, including a text-based one using the ncurses library

A Linux Kernel Configuration Menu
Linux Security Relates to the Kernel (3 of 3)

- Security options
  - AppArmor
  - SELinux
  - iptables-based firewalls
  - Configuration settings for kernel-based stack protections:

    CONFIG_HAVE_STACKPROTECTOR=y
    CONFIG_CC_HAS_STACKPROTECTOR_NONE=y
    CONFIG_STACKPROTECTOR=y
    CONFIG_STACKPROTECTOR_STRONG=y
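The four CONFIG_ lines above are entries in the kernel's .config file, where each option is either set (`CONFIG_X=y`, `=m`, or a quoted string) or recorded as `# CONFIG_X is not set`. A defender checking a built kernel wants to know which of the three stack-protector states it actually ended up in. The following is an added example, not code from the slide deck or from the kernel project; the .config fragment is constructed, and the `/boot/config-<release>` path it tries first is the location many distributions use to save the running kernel's configuration (it falls back to the sample when that file is not readable).

```python
import os
import re

# Constructed sample of a kernel .config fragment (not copied from a real build).
SAMPLE_CONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_HAVE_STACKPROTECTOR=y
CONFIG_CC_HAS_STACKPROTECTOR_NONE=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_LOCALVERSION="-demo"
# CONFIG_DEBUG_KERNEL is not set
"""

_SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_kconfig(text):
    """Parse .config text into {option: value}.
    'CONFIG_X=y' / '=m' / '="str"' keep their value (quotes stripped);
    '# CONFIG_X is not set' is recorded as 'n' so absent and disabled differ."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET_RE.match(line)
        if m:
            options[m.group(1)] = "n"
    return options


def stack_protector_level(options):
    """Classify the stack-protector build state from parsed options:
    'unavailable' (arch/toolchain lacks support), 'disabled', 'regular', or 'strong'."""
    if options.get("CONFIG_HAVE_STACKPROTECTOR") != "y":
        return "unavailable"
    if options.get("CONFIG_STACKPROTECTOR") != "y":
        return "disabled"
    if options.get("CONFIG_STACKPROTECTOR_STRONG") == "y":
        return "strong"
    return "regular"


def check_running_kernel():
    """Read the running kernel's saved config from /boot (assumed location);
    fall back to the constructed sample when it is not readable, e.g. in a container."""
    path = "/boot/config-" + os.uname().release
    try:
        with open(path) as fh:
            text, source = fh.read(), path
    except OSError:
        text, source = SAMPLE_CONFIG, "constructed sample"
    return source, stack_protector_level(parse_kconfig(text))


if __name__ == "__main__":
    src, level = check_running_kernel()
    print(f"{src}: stack protector = {level}")
```

`CONFIG_CC_HAS_STACKPROTECTOR_NONE` is a compiler-capability flag (the build system records that the compiler accepts `-fno-stack-protector`), so the classifier does not treat it as a protection setting; the three options that matter are the HAVE, STACKPROTECTOR and STACKPROTECTOR_STRONG ones.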
Securing a System During the Boot Process (1 of 2)

- Unified Extensible Firmware Interface (UEFI)
  - Can introduce capabilities for attackers to insert themselves into the boot process
  - Allows for secure boot
- Physical security
  - Limit access to live CDs
  - The threat of the live CD
    - Malicious users can boot a functional version with full root administrative access
    - Examples: Knoppix, Ubuntu, CentOS
Securing a System During the Boot Process (2 of 2)

- Boot process security
  - Grand Unified Boot (GRUB) loader
    - Unless password protected, the GRUB boot loader can be used to boot a system into single-user mode, with full administrative privileges
  - Other boot loaders: Microsoft NTLDR and bootmgr
  - Other third-party options, such as BootIt and Partition Magic
  - Use nonstandard port numbers for key services
- Virtual physical security
  - Anyone who gains access to a virtual machine can more easily change virtual physical components
  - Physical systems run a similar risk, but virtual machines are even more at risk
Linux Security Issues Beyond the Basic Operating System

- Service process security
  - Runlevel defines the services to be run
  - Patch management and update process
  - Disable if not used: Apache web server, Samba file server, Network File System service, sendmail email service, Very Secure FTP server
- Security issues with the graphical user interface (GUI)
  - Programs written for GUIs have a larger set of libraries that get added during the build; more code that can be broken
  - Reduce the number of installed packages to reduce the potential for vulnerabilities
Linux User Authentication Databases (1 of 3)

- Major user authentication databases
  - Shadow password suite (local)
    - /etc/passwd
    - /etc/group
    - /etc/shadow
    - /etc/gshadow
  - Network-based databases
    - Network Information Service (NIS)
    - Lightweight Directory Access Protocol (LDAP)
    - Winbind
Linux User Authentication Databases (2 of 3)

- /etc/nsswitch.conf file
  - Linux uses /etc/nsswitch.conf (also known as the name service switch file) to manage authentication databases
  - File lists databases associated with different configuration files in the /etc/ directory, in some specific order
  - Order determines where the local system looks first to verify a username and password
  - Command-line tool used on CentOS/Red Hat Enterprise Linux for managing authentication sources is authselect

<< Insert CH02_FIG02 >>
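The two slides above describe the local shadow password suite and the nsswitch.conf file that decides the order in which those local files and any network sources are consulted. The following added example (not from the slide deck) parses a constructed nsswitch.conf into that lookup order, then audits constructed /etc/passwd and /etc/shadow contents for the conditions an administrator checks first: extra UID 0 accounts, passwd entries with no shadow record, and empty shadow password fields. The file contents, user names and the `$6$PLACEHOLDER...` hash values are all made up for the example; `sss` stands for the sssd source, which is one of the real source names nsswitch.conf accepts.

```python
# Constructed sample files; none of these lines come from a real host.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed)
passwd:     files sss
shadow:     files
group:      files sss
hosts:      files dns
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0:second root:/root:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19700:0:99999:7:::
backup2:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19700:0:99999:7:::
guest::19700:0:99999:7:::
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]} in the order the C library consults them.
    Comments are stripped; action specs such as [NOTFOUND=return] stay in place."""
    order = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        order[db.strip()] = sources.split()
    return order


def first_source(nss, database):
    """Where the system looks first for a given database (None if not listed)."""
    sources = nss.get(database, [])
    return sources[0] if sources else None


def parse_colon_file(text):
    """Split a passwd/shadow-style file into field lists, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def audit_local_accounts(passwd_text, shadow_text):
    """Return (kind, username) findings for the local shadow suite:
    - 'uid0': an account other than root with UID 0
    - 'no_shadow_entry': a passwd entry with no shadow record
    - 'empty_password': an empty shadow password field (no password needed to log in)
    A hash field starting with '*' or '!' means the password is locked; not flagged."""
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text) if len(f) >= 2}
    findings = []
    for fields in parse_colon_file(passwd_text):
        if len(fields) < 7:
            continue  # malformed passwd line; nothing to judge
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            findings.append(("uid0", name))
        if name not in shadow:
            findings.append(("no_shadow_entry", name))
        elif shadow[name] == "":
            findings.append(("empty_password", name))
    return findings


if __name__ == "__main__":
    nss = parse_nsswitch(SAMPLE_NSSWITCH)
    for db in ("passwd", "shadow", "group"):
        print(f"{db}: consulted in order {nss[db]}")
    for kind, user in audit_local_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"finding: {kind} -> {user}")
```

Run against a real host the same functions take the text of /etc/nsswitch.conf, /etc/passwd and /etc/shadow (the last is readable only by root), and the `first_source` result for `passwd` and `shadow` tells you whether the local files or a network directory answers a login lookup first.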
Linux User Authentication Databases (3 of 3)

- Pluggable authentication modules (PAMs)
  - Configuration files that provide dynamic authentication for administrative and other services
  - Determine how a user is to be authenticated
  - Determine whether password policies are associated with the password databases
  - Rules associated with PAM files in the /etc/pam.d/ directory can further specify local access limits for different administrative tools and commands
Protecting Files with Ownership, Permissions, and Access Controls (1 of 2)

- Files
  - Directory is a special kind of file
  - Hardware devices are also represented by files
    - Character devices (sound cards)
    - Block devices (drives and partitions)
  - Soft links
- Permissions
  - Every file and directory on a Linux system is owned by a specific user and group
  - Access control lists (ACLs) provide more control
  - Target Linux filesystem(s) must be configured and mounted with the access control list option to use ACLs
Protecting Files with Ownership, Permissions, and Access Controls (2 of 2)

- Discretionary access controls (DACs)
  - Read, write, and execute permissions implemented at the discretion of the data owner
- Access control lists (ACLs)
  - Provide a second layer of discretionary access control
- Mandatory access controls (MACs)
  - Systems like SELinux and AppArmor
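The DAC model on the two slides above is encoded in each inode's mode bits: a file-type nibble (directory, character device, block device, symlink, and so on) followed by read/write/execute triplets for owner, group and others, plus the setuid, setgid and sticky bits. The following added example (not from the slide deck) decodes those bits the way `ls -l` displays them and walks a small constructed directory tree to flag the two DAC weaknesses an auditor looks for first: world-writable entries and setuid/setgid executables. The tree, its file names and their modes are constructed in a temporary directory purely for the demonstration.

```python
import os
import shutil
import stat
import tempfile


def mode_to_symbolic(mode):
    """Render st_mode the way `ls -l` shows it, e.g. '-rwsr-xr-x' or 'drwxrwxrwt'."""
    kinds = {stat.S_IFDIR: "d", stat.S_IFCHR: "c", stat.S_IFBLK: "b",
             stat.S_IFLNK: "l", stat.S_IFIFO: "p", stat.S_IFSOCK: "s"}
    out = kinds.get(stat.S_IFMT(mode), "-")
    # (read bit, write bit, exec bit, special bit, glyph with exec, glyph without exec)
    triplets = (
        (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s", "S"),
        (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s", "S"),
        (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t", "T"),
    )
    for r, w, x, special, with_x, without_x in triplets:
        out += "r" if mode & r else "-"
        out += "w" if mode & w else "-"
        if mode & special:
            out += with_x if mode & x else without_x
        else:
            out += "x" if mode & x else "-"
    return out


def audit_tree(root):
    """Walk a tree and report DAC weaknesses as (kind, relative path, mode) tuples:
    world-writable entries (a sticky world-writable directory such as /tmp is allowed)
    and executables carrying setuid or setgid."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own bits are ignored by the kernel; audit its target instead
            rel = os.path.relpath(path, root)
            world_writable = bool(mode & stat.S_IWOTH)
            sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
            if world_writable and not sticky_dir:
                findings.append(("world_writable", rel, mode_to_symbolic(mode)))
            exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
            if mode & (stat.S_ISUID | stat.S_ISGID) and mode & exec_bits:
                findings.append(("setuid_or_setgid", rel, mode_to_symbolic(mode)))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed sample tree in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="dac-demo-")

    def make_file(name, content, mode):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)

    os.mkdir(os.path.join(root, "shared"))
    os.chmod(os.path.join(root, "shared"), 0o1777)   # /tmp-style: sticky bit set, not flagged
    os.mkdir(os.path.join(root, "dropbox"))
    os.chmod(os.path.join(root, "dropbox"), 0o777)    # anyone may create or delete here: flagged
    make_file("notes.txt", "x\n", 0o666)              # anyone may rewrite the contents: flagged
    make_file("helper", "#!/bin/sh\n", 0o4755)        # setuid executable: flagged
    make_file("private.key", "x\n", 0o600)            # owner-only: fine
    return root


def run_demo():
    """Build the sample tree, audit it, clean up, and return the findings."""
    demo = build_demo_tree()
    try:
        return audit_tree(demo)
    finally:
        shutil.rmtree(demo)


if __name__ == "__main__":
    for kind, rel, sym in run_demo():
        print(f"{sym}  {rel}: {kind}")
```

`audit_tree` deliberately reads only the classic mode bits; a POSIX ACL on a file (the "second layer" on the slide) is not visible here and shows up as a `+` after the mode in `ls -l`, so a complete review also lists ACLs with `getfacl` on filesystems mounted with the acl option.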
Firewalls and Mandatory Access Controls in a Layered Defense

- ipfwadm
  - Based on BSD’s ipf and included with Linux 2.0
- ipchains
  - Included with Linux 2.2
- iptables
  - Replaced ipchains; included with Linux 2.4
- nftables
  - Included with Linux 3.13
- Ubuntu systems include Uncomplicated Firewall, an interface to iptables
- firewalld is managed through the command-line tool firewall-cmd
Firewall Support Options (1 of 2)

- iptables
  - Allows changes to be made in memory; rules have to be dumped from memory into a file and then read in from that file at boot time to make them persistent
  - Manages the in-memory settings that determine how to categorize and then filter packets flowing through a system
  - Can perform network address translation, where Internet Protocol (IP) addresses are manipulated as a packet passes through the filter
  - A common set of packet filter rules looks like the following:

    iptables -A INPUT -s 100.0.0.0/8 -d 192.168.1.10 -p tcp -m tcp --dport 80 -j ACCEPT
    iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp -j LOG
    iptables -A OUTPUT -j ACCEPT
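Each iptables chain is walked top to bottom and the first rule whose matches all hold decides the packet, except that LOG is non-terminating: it records the packet and evaluation continues. Modelling the four rules above with those semantics makes a property of this particular set visible: the second INPUT rule accepts every packet in state NEW, so any new inbound connection to any port is accepted and the source/port restriction in the first rule never excludes anything. The following added example (not from the slide deck) is a small first-match simulator for the slide's rules; it also shows a tightened variant whose catch-all rule admits only ESTABLISHED,RELATED traffic, so new connections fall through to the chain policy unless an earlier rule opened that service. The chain policies (DROP for INPUT, ACCEPT for OUTPUT), the sample packets and the simplification to five match fields (no interfaces, no NAT, no conntrack details) are assumptions made for the example.

```python
import ipaddress

# The four rules from the slide, expressed as the matches each one tests.
# None means the rule does not test that field.
SLIDE_RULES = {
    "INPUT": [
        {"src": "100.0.0.0/8", "dst": "192.168.1.10", "proto": "tcp", "dport": 80,
         "states": None, "target": "ACCEPT"},
        {"src": None, "dst": None, "proto": None, "dport": None,
         "states": {"NEW", "ESTABLISHED"}, "target": "ACCEPT"},
    ],
    "OUTPUT": [
        {"src": None, "dst": None, "proto": "tcp", "dport": None, "states": None, "target": "LOG"},
        {"src": None, "dst": None, "proto": None, "dport": None, "states": None, "target": "ACCEPT"},
    ],
}
# Assumed chain policies (what `iptables -P` would set); the slide does not state them.
POLICY = {"INPUT": "DROP", "OUTPUT": "ACCEPT"}

# Same chains, but the catch-all INPUT rule only admits traffic belonging to
# connections the host already has (replies), not brand-new inbound connections.
TIGHTENED_RULES = {
    "INPUT": [
        SLIDE_RULES["INPUT"][0],
        {"src": None, "dst": None, "proto": None, "dport": None,
         "states": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    ],
    "OUTPUT": SLIDE_RULES["OUTPUT"],
}


def matches(rule, pkt):
    """True if every match the rule specifies holds for the packet."""
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if rule["dst"] and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst"]):
        return False
    if rule["proto"] and pkt["proto"] != rule["proto"]:
        return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
        return False
    if rule["states"] and pkt["state"] not in rule["states"]:
        return False
    return True


def evaluate(chain, pkt, rules=SLIDE_RULES, policy=POLICY):
    """Walk the chain top to bottom. Returns (verdict, index of deciding rule or None, logged).
    ACCEPT/DROP/REJECT terminate; LOG is non-terminating, so the packet can be both
    logged and then accepted. If no rule decides, the chain policy applies."""
    logged = False
    for index, rule in enumerate(rules[chain]):
        if not matches(rule, pkt):
            continue
        if rule["target"] == "LOG":
            logged = True
            continue
        return rule["target"], index, logged
    return policy[chain], None, logged


# Constructed sample packets (203.0.113.0/24 is a documentation address range).
WEB_REQUEST = {"src": "100.1.2.3", "dst": "192.168.1.10", "proto": "tcp", "dport": 80, "state": "NEW"}
NEW_SSH_CONNECTION = {"src": "203.0.113.5", "dst": "192.168.1.10", "proto": "tcp", "dport": 22, "state": "NEW"}
INVALID_PACKET = {"src": "203.0.113.5", "dst": "192.168.1.10", "proto": "tcp", "dport": 80, "state": "INVALID"}
OUTBOUND_HTTPS = {"src": "192.168.1.10", "dst": "203.0.113.5", "proto": "tcp", "dport": 443, "state": "NEW"}

if __name__ == "__main__":
    for name, pkt in (("web", WEB_REQUEST), ("ssh", NEW_SSH_CONNECTION), ("invalid", INVALID_PACKET)):
        print(f"{name}: slide rules -> {evaluate('INPUT', pkt)}, "
              f"tightened -> {evaluate('INPUT', pkt, TIGHTENED_RULES)}")
    print(f"outbound: {evaluate('OUTPUT', OUTBOUND_HTTPS)}")
```

On a real host the in-memory rule set the slide refers to is written out with `iptables-save` and loaded again at boot with `iptables-restore`; the state names used by `-m state` come from the kernel's connection tracking, which is why a reply packet for an existing connection carries ESTABLISHED rather than NEW.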
Firewall Support Options (2 of 2)

- firewalld
  - Found in the latest release of Red Hat
  - Uses zones to categorize rules
  - Can associate different rules with different zones and use different interfaces with different zones to pick up different rules
  - Changes can be made to rules in memory or permanently to disk
  - Keeps track of services installed on the system rather than specifying rules by port numbers (like iptables)
  - Helps to protect the system by not opening up ports for services that are not installed appropriately

The firewalld Interface
Mandatory Access Control Support

- SELinux and AppArmor
  - Provide protections at the host level rather than at the network level
  - Check access to services and commands to make sure they’re run only by intended users, in properly labeled directories
  - Include a monitoring mode, where violations are logged
- AppArmor
  - Includes profiles for specific commands
  - Uses profiles to achieve application protection
- SELinux
  - Requires a fairly steep learning curve, but makes it possible to have a system that is less prone to infiltration

SELinux Administration Tool
Protecting Networks Using Encrypted Communication

- Unsecure
  - Cleartext
  - Telnet
  - Unencrypted protocols
- Secure methods of communication
  - ssh command
  - Secure Shell (SSH) server
  - Passphrases
    - Are more secure than passwords
Tracking the Latest Linux Security Updates

- Linux security updates for:
  - Regular users
  - Home hobbyists
  - Power users
  - Linux administrators
- Update administration
The Effect of Virtualization on Security (1 of 2)

- Categories of virtualization:
  - Applications
    - Linux application-level virtualization tool Wine Is Not an Emulator (WINE)
    - Containerization with packages like Linux Containers (LXC) or Docker
  - Platform-level virtual machines
    - Virtual machines installed as applications
    - Include VMware Player, VMware Workstation, VirtualBox (open-source edition), and Parallels Desktop
    - Called Type 2 hypervisors
    - A hypervisor is the software that manages and runs virtual machines. A host operating system sits between the machine (or bare metal) and the hypervisor, or virtualization software.
The Effect of Virtualization on Security (2 of 2)

- Categories of virtualization (cont.):
  - Paravirtualization
    - A software interface for virtual machines with limited resources, such as for older CPUs
  - Hardware-assisted virtualization
    - Processor has extensions to support various supervisory functions in hardware rather than having to support something like an emulator in software
    - AMD and Intel have supported virtualization extensions in their CPUs
  - Bare metal virtualization
    - Type 1 hypervisors
    - Virtualization software runs directly on the hardware without a host operating system
    - Examples: VMware ESX Server, Citrix XenServer, and Microsoft Virtual Server
Variations Between Distributions (1 of 2)

- Red Hat
  - Uses the Red Hat Package Manager (RPM) to build and install packages
  - Uses Yellowdog Updater, Modified (yum) or Dandified yum (dnf) to install RPM packages
- Ubuntu
  - Uses the Debian Package Manager to build and install packages
  - Includes a minimal installation option for its server
Variations Between Distributions (2 of 2)

- Red Hat and Canonical (Ubuntu)
  - Release distributions with long-term support
  - Offer subscriptions to a web-based support tool that allows authorized users to administer groups of Linux systems remotely
  - Use some of the same applications
    - Web servers: Apache or Nginx
    - Mail servers: Postfix or Exim
    - Graphical desktop: GNU Network Object Model Environment (GNOME)
More Diversity in Services (1 of 4)

FUNCTION                         SERVICE OPTIONS
Domain Name System (DNS)         Berkeley Internet Name Domain (BIND); Daniel J. Bernstein’s DNS (djbdns)
File transfer                    Professional FTP Daemon (ProFTPD); Troll FTP; vsftp; Trivial File Transfer Protocol (TFTP)
Graphical desktop environment    GNOME; K Desktop Environment (KDE); Xfce; Lightweight X11 Desktop Environment (LXDE); Cinnamon; Mate
More Diversity in Services (2 of 4)

FUNCTION                         SERVICE OPTIONS
Graphical user interface         X.org; XFree86; Freedesktop.org
Graphical login manager          GNOME Display Manager (GDM); KDE Display Manager (KDM); X Display Manager (XDM); LightDM
Mail user agents                 Cyrus; Dovecot
More Diversity in Services (3 of 4)

FUNCTION                         SERVICE OPTIONS
Printing                         CUPS; System V; Line Printer next generation (LPRng)
Remote connections               SSH; Remote Shell (RSH); Telnet; Kerberos Telnet
Mail transport agents            Postfix; sendmail; Exim; Qmail
More Diversity in Services (4 of 4)

FUNCTION                              SERVICE OPTIONS
Structured Query Language (SQL)       MySQL; MariaDB; PostgreSQL; proprietary options from Sybase, Oracle
databases
Web server                            Apache; Boa; Caudium; lighttpd; Nginx; Roxen; Sun Java; Zeus
Summary

- The Linux kernel and boot process
- Basic security options for users, groups, and files
- Basic security features for networks
- Appropriate resources for the latest security updates
- Diversity in distributions and services