Linuxsec ppt15 l05


Security Strategies in Linux Platforms and Applications

Lesson 5
Filesystems, Volumes, and Encryption

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company


www.jblearning.com
All rights reserved.
Learning Objective
• Examine the flexibility of various options with file permissions and filesystem settings, and how granular control isolates data access.

Key Concepts
• Linux Filesystem Hierarchy Standard (FHS)
• Filesystem mounting options
• Remote filesystems
• Filesystem encryption
• Filesystem quotas

DISCOVER: CONCEPTS

The Filesystem Hierarchy Standard
• What is it?
• What is its purpose?

Linux Partition Type Identifiers

Filesystem Encryption
• Encryption adds another layer of security for data that is considered confidential.
• Documents such as customer personal information, social security numbers, credit card information, and business plans can be encrypted.
• There are many regulations and laws for protecting consumers' personal data.

Filesystem Encryption Techniques
Kernel Space
• Disk encryption subsystem (dm-crypt)
  • Linux Unified Key Setup (LUKS)
• Loop-AES (loop device encryption with the Advanced Encryption Standard)
• TrueCrypt
• Enterprise cryptographic filesystem (eCryptfs)

Filesystem Encryption Techniques (Continued)
User Space
• LUKS
• Encrypted File System (EncFS)

Pros and Cons of Filesystem Encryption
Pros
• Simple to implement
• Transparent to the user
• Difficult to hack
Cons
• All data in the filesystem is encrypted, including data you don't want encrypted
• Resizing the filesystem later is difficult

DISCOVER: PROCESS

Securing a Filesystem Using FHS
• Format with an appropriate filesystem type.
• Confine to read-only if there is no need for users to write or edit data.
• Restrict executing files in the /tmp/ directory.
• Encrypt directories that contain sensitive data.
• Consider using quotas.
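The read-only and "no execution in /tmp/" points above are enforced with mount options (ro, noexec, plus nodev and nosuid), and the quickest way to verify them is to compare what is actually mounted with a written baseline. The following is an added example, not code from the slides: a POSIX sh audit that reads lines in /proc/mounts layout and reports every required option that is missing. The baseline in required_opts and the SAMPLE_MOUNTS lines are constructed for illustration; adjust the policy to your own partition layout.

```shell
#!/bin/sh
# Added example (not from the slides): audit mounted filesystems against a
# hardening baseline. Input lines use the /proc/mounts layout:
#   device mountpoint fstype options dump pass
# SAMPLE_MOUNTS is constructed; on a real host run: check_mounts < /proc/mounts

SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /tmp ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda4 /home ext4 rw,nosuid,nodev,noexec,usrquota 0 0
/dev/sda5 /usr ext4 ro,nosuid,nodev 0 0'

# required_opts MOUNTPOINT: the options this (assumed) policy demands.
# /tmp and /home must not run binaries or expose device nodes or setuid files;
# /usr is confined to read-only because nobody edits data there.
required_opts() {
    case "$1" in
        /tmp|/home) echo "nodev nosuid noexec" ;;
        /usr)       echo "ro nodev nosuid" ;;
        *)          echo "" ;;
    esac
}

# has_opt OPTIONS OPT: succeed if OPT is one of the comma-separated OPTIONS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mounts: read mount lines on stdin, print one line per missing option
check_mounts() {
    while read -r dev mnt fstype opts dump pass; do
        [ -n "$mnt" ] || continue
        for want in $(required_opts "$mnt"); do
            has_opt "$opts" "$want" || echo "$mnt ($dev): missing $want"
        done
    done
}

# count_violations: number of findings for the constructed sample (expect 1:
# /tmp is mounted without noexec)
count_violations() {
    printf '%s\n' "$SAMPLE_MOUNTS" | check_mounts | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_MOUNTS" | check_mounts
```

Run against the sample, the only finding is "/tmp (/dev/sda3): missing noexec"; the /home line shows what a compliant entry looks like. Because the check reads /proc/mounts rather than /etc/fstab, it reports the options that are in effect now, including any remount done by hand after boot.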

Configuring Remote Mounting
Data server with a Network File System (NFS) share: data.is418.local

/etc/exports file on data.is418.local:

/share *.is418.local(ro,all_squash)

Entry in each client server's /etc/fstab file (the web servers mount the share at boot):

data.is418.local:/share /data nfs defaults 0 0

Enabling Quotas
Step 1: Configure the filesystem to allow quotas by adding usrquota to its /etc/fstab entry:
  /home ext4 defaults,usrquota 1 2
Step 2: Remount the home filesystem using the command:
  mount -o remount /home
Step 3: Initialize the quota database using the command:
  quotacheck -cm /home
Step 4: Turn quotas on using the command:
  quotaon /home
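Step 1 is an edit to the fourth (options) field of one /etc/fstab line, and the edit has to be idempotent so that a configuration run repeated later does not produce "defaults,usrquota,usrquota". The following is an added example, not code from the slides: a POSIX sh/awk function that adds a mount option to the entry of a given mount point only when it is not already there. The SAMPLE_FSTAB contents and the UUID values are constructed; the remaining three steps are reproduced as comments because they need root and real quota tools.

```shell
#!/bin/sh
# Added example (not from the slides): add a mount option such as usrquota to
# the /etc/fstab entry of one mount point (step 1 above) without duplicating
# it if it is already present. SAMPLE_FSTAB is constructed; on a real host:
#   add_fstab_option /home usrquota < /etc/fstab > /etc/fstab.new

SAMPLE_FSTAB='# constructed /etc/fstab
UUID=1111-2222 /     ext4 defaults        1 1
UUID=3333-4444 /home ext4 defaults        1 2
UUID=5555-6666 /tmp  ext4 defaults,noexec 0 0'

# add_fstab_option MOUNTPOINT OPTION: rewrite the fstab read on stdin
add_fstab_option() {
    awk -v mnt="$1" -v opt="$2" '
        # comments, blank and malformed lines pass through untouched
        /^[[:space:]]*#/ || NF < 4 { print; next }
        $2 == mnt {
            n = split($4, o, ",")
            found = 0
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
            if (!found) $4 = $4 "," opt   # rebuilds the line with single spaces
        }
        { print }'
}

# fstab_options MOUNTPOINT: print the option field of one mount point
fstab_options() {
    awk -v mnt="$1" '!/^[[:space:]]*#/ && NF >= 4 && $2 == mnt { print $4 }'
}

# home_options_after: options of /home once usrquota has been added (expect
# "defaults,usrquota"); running the edit twice must give the same result
home_options_after() {
    printf '%s\n' "$SAMPLE_FSTAB" \
        | add_fstab_option /home usrquota \
        | add_fstab_option /home usrquota \
        | fstab_options /home
}

# Remaining steps from the slide, to run as root after the edit (not run here):
#   mount -o remount /home
#   quotacheck -cm /home
#   quotaon /home
```

Writing the result to a new file and swapping it in, rather than editing /etc/fstab in place, keeps a bad edit from leaving the system unbootable; a remount error at step 2 then points straight at the one line that changed.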

Editing a User Quota

Quota Grace Periods

DISCOVER: ROLES

Securing the Linux Filesystem
A Linux system administrator should:
• Use binaries placed in the /sbin/ directory.
• Group files or create separate partitions for directories such as /var/, /home/, and /tmp/.
• Isolate the root account's home directory from other users' home directories, which are typically located in /home/<user>.

DISCOVER: CONTEXTS

NFS
• Use the root_squash option to ensure requests to the filesystem are not given root privileges.
• Use the all_squash option for read-only shares.
• Use the showmount command to verify that the correct shares are exported or not exported to various clients.
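The /etc/exports line in "Configuring Remote Mounting" and the root_squash and all_squash advice above come together in one check: does every export squash remote root, and does every read-only export also squash all users? The following is an added example, not code from the slides: a POSIX sh audit of exports(5) entries that reports no_root_squash, rw exports to wildcard clients, and read-only exports without all_squash. SAMPLE_EXPORTS is constructed (the first entry is the slide's own); the defaults it assumes (ro and root_squash when an option is not given) are those documented in exports(5).

```shell
#!/bin/sh
# Added example (not from the slides): audit /etc/exports entries for the
# squash and access options discussed above. SAMPLE_EXPORTS is constructed;
# on a real NFS server run: audit_exports < /etc/exports
# Defaults assumed from exports(5): ro and root_squash apply when not given.

SAMPLE_EXPORTS='# constructed /etc/exports
/share   *.is418.local(ro,all_squash)
/srv/www 10.0.0.0/24(rw,sync,root_squash)
/srv/bad *(rw,no_root_squash)
/srv/pub 10.0.0.0/24(ro)'

# audit_client PATH CLIENTSPEC: print one finding per weak setting in a
# single "client(options)" entry
audit_client() {
    path=$1
    spec=$2
    client=${spec%%\(*}        # text before "("
    opts=${spec#*\(}           # text after "("
    opts=${opts%\)}            # strip the closing ")"
    [ "$opts" = "$spec" ] && opts=""   # no option list at all
    case ",$opts," in
        *,no_root_squash,*)
            echo "$path $client: no_root_squash lets a remote root act as root" ;;
    esac
    case ",$opts," in
        *,rw,*)
            case "$client" in
                *\**) echo "$path $client: rw exported to a wildcard client" ;;
            esac ;;
        *)  # read-only share: the slide recommends all_squash here
            case ",$opts," in
                *,all_squash,*) ;;
                *) echo "$path $client: read-only share without all_squash" ;;
            esac ;;
    esac
}

# audit_exports: read exports on stdin, skip comments, audit every client spec
audit_exports() {
    while read -r path specs; do
        case "$path" in ''|\#*) continue ;; esac
        for spec in $specs; do
            audit_client "$path" "$spec"
        done
    done
}

# count_findings: findings for the constructed sample (expect 3: two on
# /srv/bad, one on /srv/pub)
count_findings() {
    printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

The slide's own entry passes cleanly: ro plus all_squash means every request, root included, is mapped to the anonymous user. The audit covers the file as written; showmount -e, as the slide notes, confirms what the running server actually exports after exportfs has been run.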

Samba
• Is very flexible with its security settings
• Can restrict access based on network or host address
• Can restrict access and permissions to a share for a particular group or list of users
• Can be used for workstation and mixed environments with the Windows operating system
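The host-based and user-based restrictions listed above are per-share settings in smb.conf (hosts allow, valid users), so a share that has neither is open to every host the server can see and to every authenticated user. The following is an added example, not code from the slides: a POSIX sh/awk pass over smb.conf that flags shares lacking either restriction and shares that allow guests while being writable. SAMPLE_SMB_CONF is constructed; the check assumes Samba's documented default of read only = yes when the key is absent and does not resolve synonyms such as writable.

```shell
#!/bin/sh
# Added example (not from the slides): audit smb.conf share sections for the
# host- and user-based restrictions listed above. SAMPLE_SMB_CONF is
# constructed; on a real server run: audit_smb_conf < /etc/samba/smb.conf
# (or feed it the output of: testparm -s)

SAMPLE_SMB_CONF='# constructed smb.conf
[global]
   workgroup = IS418
   security = user

[finance]
   path = /srv/finance
   valid users = @finance
   hosts allow = 10.0.0.0/24
   read only = no

[public]
   path = /srv/public
   read only = yes
   guest ok = yes'

# audit_smb_conf: print one finding per share that has no host or user
# restriction, or that allows guests on a writable share
audit_smb_conf() {
    awk '
        function report(   k, ro) {
            if (sec != "" && sec != "global") {
                if (!("hosts allow" in kv)) print sec ": no hosts allow restriction"
                if (!("valid users" in kv)) print sec ": no valid users restriction"
                # Samba default when the key is absent: read only = yes
                ro = ("read only" in kv) ? kv["read only"] : "yes"
                if (kv["guest ok"] ~ /^(yes|true)$/ && ro !~ /^(yes|true)$/)
                    print sec ": guest access on a writable share"
            }
            for (k in kv) delete kv[k]
            sec = ""
        }
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }      # comments, blank lines
        /^[[:space:]]*\[/ {                                    # [section] header
            report()
            sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        /=/ {                                                  # key = value
            k = $0; sub(/[[:space:]]*=.*$/, "", k); sub(/^[[:space:]]+/, "", k)
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            kv[k] = v
        }
        END { report() }'
}

# count_smb_findings: findings for the constructed sample (expect 2, both on
# the public share; finance has both restrictions)
count_smb_findings() {
    printf '%s\n' "$SAMPLE_SMB_CONF" | audit_smb_conf | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_SMB_CONF" | audit_smb_conf
```

Feeding the script the output of testparm -s rather than the raw file is the more reliable choice on a real server, since testparm expands includes and normalises parameter names before this simple parser sees them.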

DISCOVER: RATIONALE

Linux FHS
• It helps users to locate data and files.
• Fedora, Ubuntu, and other Linux distributions abide by the FHS.
• It would be difficult to work efficiently across various Linux distributions if each distribution followed a completely different standard.
• It helps administrators to systematically create and mount various partitions with the desired options.

Filesystem Encryption
• Stolen or compromised customer data is typically not encrypted.
• If an organization's confidential data is compromised, it can have the following repercussions:
  • The organization's image is damaged
  • The organization would be fined
  • The organization would incur extra cost for fixing the problem later

Setting Quotas
• Once a directory or a partition becomes 100% full due to downloads, installs, archived data, and even personal music and movies, many processes stop working, which can make the operating system unavailable.
• Enabling quotas for each user or group, or singling out a single user, can prevent many problems.

Summary
• Importance of FHS
• Advantages and disadvantages of filesystem encryption
• Process to use for securing a filesystem, configuring remote mounting, and enabling quotas
• Use of NFS and Samba in Linux

Virtual Lab
• Applying Hardened Linux File System Security Controls
