INFO1105 - Lecture 11 - Ubuntu and Red Hat Security

Week 11

Ubuntu and Red Hat Security


Quick Review
• What is the SystemD journal viewer called?
  journalctl
• What command kills processes by name?
  pkill
• What is the common printer server in Linux?
  CUPS
Principle of least privilege
The principle of least privilege is to give a user only the
resources and privileges that they need to accomplish their
tasks. Doing this minimizes the risk when a user account is
compromised.

The root account has absolute privilege and should only be used
when necessary.
Account types
Root: The main administrator user account. UID value of 0. Permissions to access all files and directories on the system.
Standard: Used to log into the system and perform standard tasks. Assigned a $HOME directory, with permissions to store files and create subdirectories. Cannot access files outside of their $HOME directory unless given permission by the file or directory owner. UIDs start at 1000.
Service: Used for applications that start in the background, such as servers. Restricted so that they cannot log into the system by setting the password value in the shadow file to an asterisk. The login shell defined in /etc/passwd is set to /sbin/nologin to prevent access to a shell. UID less than 1000.
Ubuntu root account
Ubuntu and derivatives disable the root account from logging in to minimize attack surface.

getent passwd root
root:x:0:0:root:/root:/bin/bash

sudo getent shadow root
[sudo] password for sysadmin:
root:*:18474:0:99999:7:::

repudiation environment: multiple admins share an account, so it is difficult to track bad behaviors.
nonrepudiation environment: each admin has their own account, so actions can be traced to users.
sudo
The sudo command allows users to run commands as the root/super user.

To use sudo, users must be listed in the correct group:
Ubuntu: sudo
Red Hat: wheel

Config file for sudo: /etc/sudoers
Use visudo to modify sudoers.

sudoedit allows users to edit a file with the default editor, using root privileges.
su
su ("super user" or "substitute user") allows the shell to be run as another user.

su [user_name]
If user_name is blank, the root user will be called.
In Class Task: sudo
Complete the Real World Scenario: Determining Your Privilege Elevation Status in Ch 17
ssh
ssh (secure shell) provides encrypted remote connections to a terminal interface on a Linux computer. This allows a secure way to administer servers remotely across open networks.

To check if ssh is installed:

sudo apt list openssh-server
sudo apt list openssh-client

To connect remotely via ssh:

ssh [ options ] username@hostname

Always confirm the fingerprint!

ECDSA key fingerprint is SHA256:4K3wFeVOFMUXgmeAGWWkUogxe6gP+QpQ+ROCuZr7aW0.
ssh configuration
ssh client config files:
• client user: ~/.ssh/config
• client global: /etc/ssh/ssh_config

ssh server config file: /etc/ssh/sshd_config

Key Directives:
PermitRootLogin: Permits the root user to log in through an SSH connection. (The default is prohibit-password.) Typically, this should be set to no.
Port: Sets the port number on which the OpenSSH daemon (sshd) listens for incoming connection requests. (The default is 22. CHANGE IT!)
ssh host key generation
ssh uses shared keys to exchange encrypted information. To do this, host keys must be generated.

sudo ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

Keys are stored in /etc/ssh.

Options for encryption include key length and method: dsa, rsa, ecdsa, ed25519
ssh authentication keys
ssh can use encryption keys to log in instead of typing a password.

ssh-keygen -t ecdsa -f ~/.ssh/id_ecdsa

To copy the key to a remote server:

ssh-copy-id [-i ~/.ssh/id_ecdsa] user@host

ssh [-i ~/.ssh/id_ecdsa] user@host

For the current user and the default key you do not need to use -i to specify a key.
In Class Task: ssh
Complete the Real World Scenario: Using OpenSSH to Log Into a System in Ch 17

Also, generate a user authentication key, use ssh-copy-id to transfer it to a remote server, and log in remotely using the key.
AppArmor
AppArmor is a mandatory access control system that blocks port and file access unless part of an allowed list.

Lists are called profiles and are stored in /etc/apparmor.d.

sudo apt install apparmor-utils apparmor-profiles

Variables called tunables can be stored for each profile. This simplifies customization without having to modify the base profile.

sudo aa-status to check AppArmor status.
sudo aa-unconfined to see applications running without profiles.
AppArmor modes
aa-status lists profiles running in the 3 AppArmor modes:

enforce mode: This is the default mode; profile violations are logged and blocked.

complain mode: Any violations of the profile are logged, but not blocked, except in the case when deny rules exist in the profile.

disable mode: Violations are ignored because the profile is unloaded and will not be loaded for any reason, until the mode is changed.

To set an application to a specific mode use:

sudo aa-[complain/enforce/disable] /usr/bin/_application_name_
Firewalls
Firewalls control and limit network traffic. In Linux, networking is handled at the kernel layer, and part of this kernel-based networking is called netfilter. netfilter allows firewalls to interface with the kernel and perform packet filtering.

Ubuntu uses Uncomplicated Firewall (ufw) as its default firewall service. ufw is disabled by default, but this service is not handled by systemctl.
ufw commands

Christine Bresnahan and Richard Blum, Mastering Linux System Administration, 2021
ufw status verbose
• Status: Service is running and will start on system boot (active), or the service is stopped and a system boot does not change this (disabled).
• Logging: The service's logging feature can be set to off; log all blocked packets (low), which is the default; log all blocked, invalid, no-policy-match, and new connection packets (medium) with rate limiting; log medium-log-level packets and all other packets (high) with rate limiting; and log everything with no rate limits (full).
• Default: Shows the default policy for incoming, outgoing, and routed packets, which can be set to allow the packet, drop (deny) the packet, or reject the packet and send a rejection message back.
• New profiles: Shows the default policy for automatically loading new profiles into the firewall, which can be set to ACCEPT, DROP, REJECT, or SKIP, where ACCEPT is considered a security risk.
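The four settings above are what a reviewer looks at first in `ufw status verbose` output. The script below is an added example (not from the lecture or the textbook): it parses that output and flags the weak values the slide names (logging off, default incoming allow, new profiles ACCEPT), then lists the rule table. Both status texts are constructed samples, not output captured from a real host.

```shell
#!/bin/sh
# Added example, not from the lecture: parse `ufw status verbose` output and
# flag the settings the slide describes as risky. The two status texts below
# are constructed samples, not captured from a real host.

SAMPLE_UFW_WEAK='Status: active
Logging: off
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: accept

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80                         DENY IN     192.168.0.0/24'

SAMPLE_UFW_HARDENED='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere'

# ufw_audit STATUS_TEXT: prints one WARN line per weak setting, then one
# RULE line per entry in the rule table (everything after the "--" header).
ufw_audit() {
  printf '%s\n' "$1" | awk '
    /^Status:/  && $2 != "active" { print "WARN firewall is not active" }
    /^Logging:/ && $2 == "off"    { print "WARN logging is off (blocked packets are not recorded)" }
    /^Default:/ && $2 == "allow"  { print "WARN default incoming policy is allow" }
    /^New profiles:/ && tolower($3) == "accept" { print "WARN new application profiles are auto-accepted" }
    /^--/ { in_table = 1; next }
    in_table && NF >= 4 { printf "RULE to=%s action=%s_%s from=%s\n", $1, $2, $3, $4 }
  '
}

# ufw_warning_count STATUS_TEXT: number of WARN lines (0 means nothing flagged)
ufw_warning_count() {
  ufw_audit "$1" | grep -c '^WARN' || true
}

ufw_audit "$SAMPLE_UFW_WEAK"
```

Run on a real host with `sudo ufw status verbose | ...` piped into the function; the three WARN lines for the weak sample correspond exactly to the three settings the bullet list calls out, and the hardened sample produces none.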
ufw configuration
Simple syntax:

sudo ufw allow 22/tcp

Full syntax:

sudo ufw deny from 192.168.0.0/24 to any port 80

sudo ufw show added to see the new rules


ufw arguments

Christine Bresnahan and Richard Blum, Mastering Linux System Administration, 2021
ufw settings

Christine Bresnahan and Richard Blum, Mastering Linux System Administration, 2021
In Class Task: ufw
Complete the Real World Scenario: Viewing and Configuring UFW in Ch 17
Red Hat security
Red Hat root access
Unlike Ubuntu, Red Hat based distros do not block root access to login.

getent passwd root
root:x:0:0:root:/root:/bin/bash

sudo getent shadow root
[sudo] password for sysadmin:
root:$6$P92P.wjWGerpM8Zz4PqYcSfIn6UqS1hLY.K7aNEdpEssjK8ES6C1::0:99999:7:::

Compare this to the Ubuntu system...


aulast
aulast command displays a list of who logged in, from where,
and when:

Christine Bresnahan and Richard Blum, Mastering Linux System Administration, 2021
ssh root lockdown
ssh logins can access all functionality and privileges of the logged-in user. If the root account has login enabled, an attacker can potentially gain access via ssh.

To prevent this, disable root login in /etc/ssh/sshd_config:

PermitRootLogin yes -> PermitRootLogin no
sudo systemctl restart sshd

The root user can no longer log in over ssh, but can still log in locally.
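The ssh configuration slide and the root lockdown slide both turn on what value sshd actually uses for PermitRootLogin and Port. The check below is an added example, not part of the lecture: it applies the sshd parsing rules (comments and blank lines ignored, keyword names case-insensitive, the first occurrence of a directive wins, unset directives fall back to the compiled-in default the slide quotes) to a constructed sshd_config and reports whether root login is still possible. Match blocks are not evaluated, which is an assumption stated in the code.

```shell
#!/bin/sh
# Added example, not part of the lecture: compute the value sshd will actually
# use for a directive, then check the root-login and port settings.
# SAMPLE_SSHD_CONFIG is a constructed sshd_config, not a real server's file.

SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
#PermitRootLogin prohibit-password
Port 2222
PermitRootLogin yes
# a later duplicate does NOT override the first one: sshd keeps the first value
PermitRootLogin no
PasswordAuthentication yes'

# effective_value CONFIG_TEXT KEYWORD DEFAULT
# sshd semantics assumed here: comments and blank lines are ignored, keywords
# are case-insensitive, the first occurrence of a keyword wins, and an unset
# keyword takes its compiled-in default. Match blocks are not evaluated, so
# parsing stops at the first "Match" line.
effective_value() {
  printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { found = 1; print $2; exit }
    END { if (!found) print def }
  '
}

# sshd_audit CONFIG_TEXT: one line per checked directive; WARN when the
# effective PermitRootLogin is anything other than "no".
sshd_audit() {
  prl=$(effective_value "$1" PermitRootLogin prohibit-password)
  port=$(effective_value "$1" Port 22)
  case "$prl" in
    no) echo "PermitRootLogin=$prl OK" ;;
    *)  echo "PermitRootLogin=$prl WARN (root can still log in over ssh)" ;;
  esac
  echo "Port=$port"
}

sshd_audit "$SAMPLE_SSHD_CONFIG"
```

The sample deliberately contains the edit from the slide applied in the wrong place: the `PermitRootLogin no` added at the bottom is ignored because a `PermitRootLogin yes` earlier in the file wins, so the audit still reports WARN. On a real host, `sudo sshd -T` prints the effective configuration (Match blocks included) and is the authoritative check after editing.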
automatic bash logout
Setting a timeout on logins helps prevent unauthorized access.

In bash this is controlled by the TMOUT setting in /etc/profile or in a custom file in /etc/profile.d:

TMOUT=_seconds_
readonly TMOUT
In Class Task: Timeout

Complete the Real World Scenario: Testing the Timeout Feature in Ch 18


Prevent root Access
Unlike Debian/Ubuntu based distros, Red Hat based systems allow root login by default. This can create security problems. There are 2 ways to disable root login:

Edit /etc/shadow and place an asterisk in the password hash field:

root:*:18515:0:99999:7:::

and/or modify /etc/passwd, setting the shell to /sbin/nologin:

root:x:0:0:root:/root:/sbin/nologin

This will display the text in /etc/nologin.txt when a user tries to log in.

**Make sure to have an admin account set up BEFOREHAND**
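The account-type rules from earlier in the lecture (UID 0 root, UID below 1000 service, asterisk in the shadow field, nologin shell) and the two lockdown methods on this slide can be checked mechanically. The script below is an added example, not from the lecture: given a passwd record and its shadow record it classifies the account and says whether it can still log in. Both record sets are constructed samples, not real system files.

```shell
#!/bin/sh
# Added example, not from the lecture: decide from passwd and shadow records
# whether an account can log in, using the rules on the slides (UID 0 root,
# UID < 1000 service, asterisk or '!' locks the password, nologin blocks the shell).
# Both record sets below are constructed samples, not real system files.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sysadmin:x:1000:1000:Sys Admin:/home/sysadmin:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'

SAMPLE_SHADOW='root:*:18474:0:99999:7:::
sysadmin:$6$saltsalt$constructedhashvalue:18474:0:99999:7:::
sshd:!!:18474::::::
backup:*:18474:0:99999:7:::'

# account_type UID -> root | service | standard
account_type() {
  if [ "$1" -eq 0 ]; then echo root
  elif [ "$1" -lt 1000 ]; then echo service
  else echo standard
  fi
}

# classify_account PASSWD_LINE SHADOW_LINE
# prints: name type password-state shell verdict
classify_account() {
  name=$(printf '%s\n' "$1" | cut -d: -f1)
  uid=$(printf '%s\n' "$1" | cut -d: -f3)
  shell=$(printf '%s\n' "$1" | cut -d: -f7)
  hash=$(printf '%s\n' "$2" | cut -d: -f2)

  case "$hash" in
    '')       pwstate=empty ;;   # no password at all: password auth needs no secret
    '*'|'!'*) pwstate=locked ;;  # asterisk or leading '!' disables password auth
    *)        pwstate=hashed ;;
  esac

  case "$shell" in
    */nologin|*/false) shellstate=no-shell ;;  # authentication may pass, but no shell is granted
    *)                 shellstate=shell ;;
  esac

  if [ "$pwstate" = locked ] || [ "$shellstate" = no-shell ]; then
    verdict=login-disabled
  else
    verdict=login-enabled
  fi
  echo "$name $(account_type "$uid") $pwstate $shell $verdict"
}

# audit_accounts: pair each passwd record with its shadow record and classify it
audit_accounts() {
  printf '%s\n' "$SAMPLE_PASSWD" | while IFS= read -r pw_line; do
    name=${pw_line%%:*}
    sh_line=$(printf '%s\n' "$SAMPLE_SHADOW" | grep "^$name:")
    classify_account "$pw_line" "$sh_line"
  done
}

audit_accounts
```

One caveat the verdict encodes: an asterisk in the shadow field only disables password authentication, so a root account locked this way can still be reached over ssh with an authorized key unless sshd's PermitRootLogin forbids it; the nologin shell closes that path too, which is why the slide presents the two methods as complementary.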


SELinux
Security Enhanced Linux is a project run by the US NSA to improve security for critical computer infrastructure. SELinux is a form of Mandatory Access Control (MAC) security. It allows setting policies for users, files, directories, memory, networking and processes. This greatly minimizes the damage done if any single file/process is compromised. Config file: /etc/selinux
SELinux (continued)
SELINUX: {enforcing/permissive/disabled}
enforcing blocks access and logs violations based on policies; permissive only logs violations.
SELINUXTYPE: {targeted/mls/strict}
targeted only acts on items with existing policies; mls uses multilevel security and implements the Bell-LaPadula model; strict acts on all daemons.

setenforce [ Enforcing | Permissive | 1 | 0 ]
getenforce
sestatus
SELinux Contexts
SELinux uses contexts to label each object in a system. The context tells SELinux which policies to apply to each object.

Format:

user:role:type:level

You can display contexts with the -Z option in ls and ps.

chcon -u newuser -r newrole -t newtype filename
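The user:role:type:level format is easy to split by hand for one file, but the level field can itself contain colons (an MLS range such as s0-s0:c0.c1023), so a naive split on ":" breaks. The script below is an added example, not from the lecture: it splits a context into its four fields correctly and scans a constructed `ls -Z` listing (context first, then file name) for files whose type does not match what a web content directory should carry, which is the mislabelling chcon is used to correct.

```shell
#!/bin/sh
# Added example, not from the lecture: split an SELinux context into its
# user:role:type:level fields and find files whose type does not match what a
# directory is expected to carry. SAMPLE_LS_Z is a constructed `ls -Z` listing
# (context first, then file name), not output from a real host.

SAMPLE_LS_Z='unconfined_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:user_home_t:s0 upload.php
system_u:object_r:httpd_sys_content_t:s0 logo.png'

# context_field CONTEXT user|role|type|level
# The level may itself contain colons (an MLS range such as s0-s0:c0.c1023),
# so everything after the third colon is treated as the level.
context_field() {
  printf '%s\n' "$1" | awk -F: -v want="$2" '{
    if (want == "user")      print $1
    else if (want == "role") print $2
    else if (want == "type") print $3
    else { lvl = $4; for (i = 5; i <= NF; i++) lvl = lvl ":" $i; print lvl }
  }'
}

# find_mislabeled LISTING EXPECTED_TYPE: prints "file actual_type" for each
# entry whose type differs from EXPECTED_TYPE
find_mislabeled() {
  printf '%s\n' "$1" | while read -r ctx fname; do
    [ -n "$ctx" ] || continue
    t=$(context_field "$ctx" type)
    [ "$t" = "$2" ] || echo "$fname $t"
  done
}

find_mislabeled "$SAMPLE_LS_Z" httpd_sys_content_t
```

In the sample, upload.php carries user_home_t (the label a file keeps when it is moved rather than copied out of a home directory), so a web server confined by the targeted policy would be denied access to it. The slide's chcon sets a label explicitly; `restorecon -v filename` resets it to the policy's default for that path.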


SELinux Policies
SELinux uses policies to control access to system resources. This is a form of type enforcement.

The directory /etc/selinux contains policy groups known as modules with predefined policies for a variety of objects.

getsebool can be used to check if a policy is enabled or disabled.

getsebool -a will display all policies and their on/off status.

setsebool _policy_name_ {on/off}


firewalld
Red Hat uses firewalld for its firewall. firewalld uses zones to define protection on interfaces.

Here A is in the relatively safe home zone and B is on the dangerous internet zone. But both devices need rules for ACLs.

Christine Bresnahan and Richard Blum, Mastering Linux System Administration, 2021
firewalld zones

Christine Bresnahan and Richard Blum, Mastering Linux System Administration, 2021
firewalld config
firewalld can be configured through text files, or through the firewall-cmd program:

sudo firewall-cmd --state
sudo firewall-cmd --get-zones
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --zone=public --list-all

Zone targets:
default: Rejects all packets not matching the zone rules, but sends an ICMP packet to the client indicating why.
ACCEPT: Accepts packets not matching the zone rules.
DROP: Drops packets not matching the zone rules.
%%REJECT%%: Rejects all packets not matching the zone rules.
firewall-cmd zones/rules
firewall-cmd can create a new zone:

sudo firewall-cmd --permanent --new-zone=mytest
sudo firewall-cmd --reload
sudo firewall-cmd --zone=mytest --add-interface=enp0s8

check for existing ACLs:

sudo firewall-cmd --zone=mytest --list-all

create a new rule:

sudo firewall-cmd --zone=mytest --add-service=https --permanent
sudo firewall-cmd --reload
firewall-cmd rules continued
firewall-cmd can create rules for udp/tcp ports:

sudo firewall-cmd --zone=mytest --add-port=631/tcp --permanent
sudo firewall-cmd --reload

rich rules provide more detailed settings:

sudo firewall-cmd --zone=mytest --permanent --add-rich-rule='rule family=ipv4 source address=192.168.1.70 port port=22 protocol=tcp reject'
sudo firewall-cmd --reload
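After the zone, service, port and rich rule commands above, `firewall-cmd --zone=mytest --list-all` is how you confirm what the zone actually does. The script below is an added example, not from the lecture: it reads that listing, pulls out the zone target (checked against the target table on the firewalld config slide), the services and ports, and breaks each rich rule into family, source, port and action. SAMPLE_ZONE is a constructed listing in that command's layout, not output captured from a real host.

```shell
#!/bin/sh
# Added example, not from the lecture: read the output of
# `firewall-cmd --zone=<zone> --list-all`, pull out the zone target, services,
# ports and rich rules, and flag an ACCEPT target. SAMPLE_ZONE is a constructed
# listing in that command's layout, not output captured from a real host.

SAMPLE_ZONE='mytest (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s8
  sources:
  services: https ssh
  ports: 631/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.1.70" port port="22" protocol="tcp" reject'

# zone_field LISTING KEY: value of a single-word key such as target or services
zone_field() {
  printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); print; exit }'
}

# zone_rich_rules LISTING: the rich rule lines, one per line, leading space removed
zone_rich_rules() {
  printf '%s\n' "$1" | grep '^[[:space:]]*rule ' | sed 's/^[[:space:]]*//'
}

# rich_rule_parts (stdin): reduce each rich rule to family/source/port/action.
# The action is taken as the last token, which holds for plain accept/reject/drop.
rich_rule_parts() {
  awk '{
    gsub(/"/, "")                      # firewalld prints values quoted
    fam = src = port = proto = "-"
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^family=/)   { split($i, a, "="); fam = a[2] }
      if ($i == "source" && $(i+1) ~ /^address=/) { split($(i+1), a, "="); src = a[2] }
      if ($i ~ /^port=/)     { split($i, a, "="); port = a[2] }
      if ($i ~ /^protocol=/) { split($i, a, "="); proto = a[2] }
    }
    printf "family=%s source=%s port=%s/%s action=%s\n", fam, src, port, proto, $NF
  }'
}

# zone_audit LISTING: summary lines; WARN if the zone accepts unmatched packets
zone_audit() {
  t=$(zone_field "$1" target)
  case "$t" in
    ACCEPT) echo "WARN target=ACCEPT (packets matching no rule are accepted)" ;;
    *)      echo "target=$t" ;;
  esac
  echo "services=$(zone_field "$1" services)"
  echo "ports=$(zone_field "$1" ports)"
  zone_rich_rules "$1" | rich_rule_parts
}

zone_audit "$SAMPLE_ZONE"
```

The sample zone matches the slide's mytest zone after the https service and port 631/tcp were added; the rich rule line is what the `--add-rich-rule` command above produces once reloaded. Only the runtime configuration is listed unless `--permanent` is passed to `--list-all`, so a rule added with `--permanent` and not yet reloaded will not appear.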
