Book Image

Mastering Linux Security and Hardening - Third Edition

By : Donald A. Tevault

3.7 (7)

Book Image

Mastering Linux Security and Hardening - Third Edition

3.7 (7)

By: Donald A. Tevault

Overview of this book

The third edition of Mastering Linux Security and Hardening is an updated, comprehensive introduction to implementing the latest Linux security measures, using the latest versions of Ubuntu and AlmaLinux. In this new edition, you will learn how to set up a practice lab, create user accounts with appropriate privilege levels, protect sensitive data with permissions settings and encryption, and configure a firewall with the newest firewall technologies. You’ll also explore how to use sudo to set up administrative accounts with only the privileges required to do a specific job, and you’ll get a peek at the new sudo features that have been added over the past couple of years. You’ll also see updated information on how to set up a local certificate authority for both Ubuntu and AlmaLinux, as well as how to automate system auditing. Other important skills that you’ll learn include how to automatically harden systems with OpenSCAP, audit systems with auditd, harden the Linux kernel configuration, protect your systems from malware, and perform vulnerability scans of your systems. As a bonus, you’ll see how to use Security Onion to set up an Intrusion Detection System. By the end of this new edition, you will confidently be able to set up a Linux server that will be secure and harder for malicious actors to compromise.

Preface

Who this book is for

What this book covers

To get the most out of this book

Section 1: Setting up a Secure Linux System

Section 1: Setting up a Secure Linux System

Free Chapter

Running Linux in a Virtual Environment

Running Linux in a Virtual Environment

Looking at the threat landscape

Why do security breaches happen?

Keeping up with security news

Differences between physical, virtual, and cloud setups

Introducing VirtualBox and Cygwin

Keeping the Linux systems updated

Further reading

Securing Administrative User Accounts

Securing Administrative User Accounts

The dangers of logging in as the root user

The advantages of using sudo

Setting up sudo privileges for full administrative users

Setting up sudo for users with only certain delegated privileges

Advanced tips and tricks for using sudo

New sudo features

Special sudo considerations for SUSE and OpenSUSE

Further reading

Securing Normal User Accounts

Securing Normal User Accounts

Locking down users’ home directories the Red Hat way

Locking down users’ home directories the Debian/Ubuntu way

Enforcing strong password criteria

Setting and enforcing password and account expiration

Configuring default expiry data for useradd for Red Hat-type systems only

Setting expiry data on a per-account basis with useradd and usermod

Setting expiry data on a per-account basis with chage

Preventing brute-force password attacks

Locking user accounts

Locking the root user account

Setting up security banners

Detecting compromised passwords

Understanding centralized user management

Further reading

Securing Your Server with a Firewall – Part 1

Securing Your Server with a Firewall – Part 1

Technical requirements

An overview of the Linux firewall

An overview of iptables

nftables – a more universal type of firewall system

Further reading

Securing Your Server with a Firewall — Part 2

Securing Your Server with a Firewall — Part 2

Technical requirements

The Uncomplicated Firewall for Ubuntu systems

firewalld for Red Hat systems

Further reading

Encryption Technologies

Encryption Technologies

GNU Privacy Guard (GPG)

Encrypting partitions with Linux Unified Key Setup (LUKS)

Encrypting directories with eCryptfs

Encrypting the swap partition with eCryptfs

Using VeraCrypt for cross-platform sharing of encrypted containers

OpenSSL and the Public Key Infrastructure

Introducing quantum-resistant encryption algorithms

Further reading

SSH Hardening

Ensuring that SSH protocol 1 is disabled

Creating and managing keys for passwordless logins

Configuring access control with whitelists and TCP Wrappers

Configuring automatic logouts and security banners

Configuring other miscellaneous security settings

Setting different configurations for different users and groups

Creating different configurations for different hosts

Setting up a chroot environment for SFTP users

Sharing a directory with SSHFS

Remotely connecting from Windows desktops

Further reading

Section 2: Mastering File and Directory Access Control (DAC)

Section 2: Mastering File and Directory Access Control (DAC)

Mastering Discretionary Access Control

Mastering Discretionary Access Control

Using chown to change ownership of files and directories

Further reading

Access Control Lists and Shared Directory Management

Access Control Lists and Shared Directory Management

Creating an ACL for either a user or a group

Creating an inherited ACL for a directory

Removing a specific permission by using an ACL mask

Using the tar --acls option to prevent the loss of ACLs during a backup

Creating a user group and adding members to it

Creating a shared directory

Setting the SGID bit and the sticky bit on the shared directory

Using ACLs to access files in the shared directory

Further reading

Section 3: Advanced System Hardening Techniques

Section 3: Advanced System Hardening Techniques

Implementing Mandatory Access Control with SELinux and AppArmor

Implementing Mandatory Access Control with SELinux and AppArmor

How SELinux can benefit a systems administrator

Setting security contexts for files and directories

Troubleshooting with setroubleshoot

Working with SELinux policies

How AppArmor can benefit a systems administrator

Exploiting a system with an evil Docker container

Further reading

Kernel Hardening and Process Isolation

Kernel Hardening and Process Isolation

Understanding the /proc filesystem

Setting kernel parameters with sysctl

Configuring the sysctl.conf file

Understanding process isolation

Further reading

Scanning, Auditing, and Hardening

Scanning, Auditing, and Hardening

Installing and updating ClamAV and maldet

Scanning with ClamAV and maldet

Scanning for rootkits with Rootkit Hunter

Performing a quick malware analysis with strings and VirusTotal

Understanding the auditd daemon

Using ausearch and aureport

Auditing files and directories with inotifywait

Applying OpenSCAP policies with oscap

Further reading

Logging and Log Security

Logging and Log Security

Understanding the Linux system log files

Understanding rsyslog

Understanding journald

Making things easier with Logwatch

Setting up a remote log server

Maintaining Logs in Large Enterprises

Further reading

Vulnerability Scanning and Intrusion Detection

Vulnerability Scanning and Intrusion Detection

Introduction to Snort and Security Onion

Using Security Onion

IPFire and its built-in Intrusion Prevention System (IPS)

Scanning and hardening with Lynis

Finding vulnerabilities with the Greenbone Security Assistant

Web server scanning with Nikto

Further reading

Prevent Unwanted Programs from Running

Prevent Unwanted Programs from Running

Mount Partitions with the no options

Understanding fapolicyd

Further reading

Security Tips and Tricks for the Busy Bee

Security Tips and Tricks for the Busy Bee

Technical requirements

Auditing system services

Password-protecting the GRUB2 bootloader

Securely configuring BIOS/UEFI

Using a security checklist for system setup

Further reading

Other Books You May Enjoy

Other Books You May Enjoy

Index

Customer Reviews

3.7 (7)

5 star

42.9%

4 star

28.6%

3 star

0

2 star

14.3%

1 star

14.3%

To get the most out of this book

A working knowledge of basic Linux commands and how to navigate through the Linux filesystem.
A basic knowledge about tools such as less and grep.
Familiarity with command-line editing tools, such as vim or nano.
A basic knowledge of how to control systemd services with systemctl commands.

For hardware, you don’t need anything fancy. All you need is a machine that’s capable of running 64-bit virtual machines. So, you can use any host machine that runs with almost any modern CPU from either Intel or AMD. (There are a couple of exceptions, though. First, some Intel Core i3 and Core i5 CPUs lack the required hardware acceleration to run virtual machines. Also, AlmaLinux 9, which we’ll be using, won’t run on the first generation of x86_64 CPUs. So, if you have an x86_64 machine that was made prior to 2010, AlmaLinux 9 won’t run on it.) For memory, I’d recommend using a host machine with at least 8 GB.

You can run any of the three major desktop operating systems on your machine, because the virtualization software that we’ll be using comes in flavors for Windows, macOS, and Linux.

Download the example code files

The code bundle for the book is hosted on GitHub at https://github.com/PacktPublishing/Mastering-Linux-Security-and-Hardening-3E. We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://packt.link/wcaG3

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. For example: “open Firefox and navigate to https://localhost:9392"

A block of code is set as follows:

HTTP TRACK method is active, suggesting the host is vulnerable to XST
Cookie wordpress_test_cookie created without the httponly flag

Any command-line input or output is written as follows:

sudo apt update
sudo apt install podman

Bold: Indicates a new term, an important word, or words that you see on the screen. For instance, words in menus or dialog boxes appear in the text like this. For example: “Set one to Bridged mode and leave the other in NAT mode.”

Warnings or important notes appear like this.

Tips and tricks appear like this.