Diffstat (limited to 'doc/book-enea-nfv-access-user-hardening-guide/doc/guidelines_hardening_linux.xml')
-rw-r--r-- | doc/book-enea-nfv-access-user-hardening-guide/doc/guidelines_hardening_linux.xml | 212 |
1 files changed, 0 insertions, 212 deletions
diff --git a/doc/book-enea-nfv-access-user-hardening-guide/doc/guidelines_hardening_linux.xml b/doc/book-enea-nfv-access-user-hardening-guide/doc/guidelines_hardening_linux.xml deleted file mode 100644 index 46245da..0000000 --- a/doc/book-enea-nfv-access-user-hardening-guide/doc/guidelines_hardening_linux.xml +++ /dev/null | |||
@@ -1,212 +0,0 @@ | |||
1 | <?xml version="1.0" encoding="ISO-8859-1"?> | ||
2 | <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" | ||
3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> | ||
4 | <chapter id="linux_hardening"> | ||
5 | <title>Guidelines on How to Harden a Linux System</title> | ||
6 | |||
7 | <para>In order to effectively create apt security layers to harden your | ||
8 | system correctly, you must first analyze your needs and answer several | ||
9 | ideas/questions which are detailed below.</para> | ||
10 | |||
11 | <orderedlist> | ||
12 | <listitem> | ||
13 | <para><emphasis role="bold">Analyzing and defining Roles for your | ||
14 | system</emphasis></para> | ||
15 | |||
16 | <itemizedlist> | ||
17 | <listitem> | ||
18 | <para>What purpose does the system have?</para> | ||
19 | </listitem> | ||
20 | |||
21 | <listitem> | ||
22 | <para>What security risks apply to the system?</para> | ||
23 | </listitem> | ||
24 | |||
25 | <listitem> | ||
26 | <para>Is it host/server? Does it need to do remote access? Public | ||
27 | use?</para> | ||
28 | </listitem> | ||
29 | |||
30 | <listitem> | ||
31 | <para>How hardened the system need to be? (This depends on what role | ||
32 | it has).</para> | ||
33 | </listitem> | ||
34 | </itemizedlist> | ||
35 | </listitem> | ||
36 | |||
37 | <listitem> | ||
38 | <para><emphasis role="bold">Review Policies and | ||
39 | Compliances</emphasis></para> | ||
40 | |||
41 | <para>What policies and compliances must your system adhere to? Examples | ||
42 | of possible standards and polices, among many others, are:</para> | ||
43 | |||
44 | <itemizedlist> | ||
45 | <listitem> | ||
46 | <para>PCI DSS (confidentiality of credit card consumer data)</para> | ||
47 | </listitem> | ||
48 | |||
49 | <listitem> | ||
50 | <para>HIPAA (protects patient data in health care system)</para> | ||
51 | </listitem> | ||
52 | |||
53 | <listitem> | ||
54 | <para>FISMA (Federal Information Security Management Act)</para> | ||
55 | </listitem> | ||
56 | |||
57 | <listitem> | ||
58 | <para>ISO 27001 family (Information Security Management | ||
59 | Systems)</para> | ||
60 | </listitem> | ||
61 | </itemizedlist> | ||
62 | </listitem> | ||
63 | |||
64 | <listitem> | ||
65 | <para><emphasis role="bold">Keep the Software | ||
66 | up-to-date</emphasis></para> | ||
67 | |||
68 | <para>Apply software updates and security fixes regularly. Upgrade as | ||
69 | soon a new version is available. It is easier to hack a system which is | ||
70 | running publicly known vulnerable software but this can be avoided. | ||
71 | Linux provides all necessary tools to keep the system updated. All | ||
72 | security updates should be reviewed and applied as soon as | ||
73 | possible.</para> | ||
74 | </listitem> | ||
75 | |||
76 | <listitem> | ||
77 | <para><emphasis role="bold">Mandatory Access Control | ||
78 | (MAC)</emphasis></para> | ||
79 | |||
80 | <para>SELinux, TOMOYO, SMACK (Simplified Mandatory Access Control | ||
81 | Kernel).</para> | ||
82 | </listitem> | ||
83 | |||
84 | <listitem> | ||
85 | <para><emphasis role="bold">Memory Protection and ASLR | ||
86 | </emphasis></para> | ||
87 | |||
88 | <para>There are two major mechanisms in place to protect memory access | ||
89 | which turned on by default on most x86-64 Linux systems. The first is | ||
90 | the so-called NX bit, which is a setting that gives finer-grained | ||
91 | permissions to mapped memory regions. The second is address space layout | ||
92 | randomization (ASLR) which randomizes where certain parts of a program | ||
93 | are loaded into memory. For further reading on this, see <ulink | ||
94 | url="https://eklitzke.org/memory-protection-and-aslr">here</ulink>.</para> | ||
95 | </listitem> | ||
96 | |||
97 | <listitem> | ||
98 | <para><emphasis role="bold">Block unauthorized access to a network and | ||
99 | Restrict Access</emphasis></para> | ||
100 | |||
101 | <itemizedlist> | ||
102 | <listitem> | ||
103 | <para>Enable the firewall (see what rules are already configured | ||
104 | iptables -L)</para> | ||
105 | </listitem> | ||
106 | |||
107 | <listitem> | ||
108 | <para>Use Intrusion Detection/Intrusion Prevention</para> | ||
109 | </listitem> | ||
110 | |||
111 | <listitem> | ||
112 | <para>Disable unused accounts, create user groups and domain | ||
113 | policy</para> | ||
114 | </listitem> | ||
115 | |||
116 | <listitem> | ||
117 | <para>Remove unused/unsecure/obsolete software</para> | ||
118 | </listitem> | ||
119 | |||
120 | <listitem> | ||
121 | <para>Disable unused services</para> | ||
122 | </listitem> | ||
123 | |||
124 | <listitem> | ||
125 | <para>Restrict remote access and administration</para> | ||
126 | </listitem> | ||
127 | </itemizedlist> | ||
128 | </listitem> | ||
129 | |||
130 | <listitem> | ||
131 | <para><emphasis role="bold">Use tools to detect | ||
132 | vulnerabilities</emphasis></para> | ||
133 | |||
134 | <itemizedlist> | ||
135 | <listitem> | ||
136 | <para>Vulnerability scanner, such as Nessus, SAINT, OpenVAS.</para> | ||
137 | </listitem> | ||
138 | |||
139 | <listitem> | ||
140 | <para>Network analyzer, such as Nmap, Wireshark.</para> | ||
141 | </listitem> | ||
142 | |||
143 | <listitem> | ||
144 | <para>Baseline Analyzer, such as Bastille which can view OS | ||
145 | configuration and try to optimize.</para> | ||
146 | </listitem> | ||
147 | </itemizedlist> | ||
148 | </listitem> | ||
149 | |||
150 | <listitem> | ||
151 | <para><emphasis role="bold">Create a Secure logging | ||
152 | System</emphasis></para> | ||
153 | |||
154 | <para>Create a secure Linux logging system that can be expanded to other | ||
155 | types of systems for secure logging. By using logs, data can be | ||
156 | collected in order to discern why a server crashed. If the server is | ||
157 | unrecoverable, remote logs allow you the ability to see what happened | ||
158 | prior to the crash, even without the system running. If the crash was | ||
159 | related to an intrusion, any information that describes how the system | ||
160 | was compromised can help determine new approaches so further intrusions | ||
161 | can be prevented.</para> | ||
162 | </listitem> | ||
163 | |||
164 | <listitem> | ||
165 | <para><emphasis role="bold">Backup & recovery</emphasis></para> | ||
166 | |||
167 | <para>If a system is compromised, the first concern is how to recover. | ||
168 | To ensure that there is something to recove, backup the data and | ||
169 | configurations continually.</para> | ||
170 | </listitem> | ||
171 | |||
172 | <listitem> | ||
173 | <para><emphasis role="bold">Physical Security</emphasis></para> | ||
174 | |||
175 | <para>No matter how many security features may be implemented, there is | ||
176 | always a way that an attacker with physical access to the system | ||
177 | (hardware and software) may by-pass them. To make this as difficult as | ||
178 | possible, there are several actions that can be taken to provide a | ||
179 | degree of security against an attacker with physical access to the | ||
180 | machine:</para> | ||
181 | |||
182 | <itemizedlist> | ||
183 | <listitem> | ||
184 | <para>Make sure unauthorized persons don’t have easy access to | ||
185 | the hardware and software.</para> | ||
186 | </listitem> | ||
187 | |||
188 | <listitem> | ||
189 | <para>Prevent an attacker from booting from another disk/USB.</para> | ||
190 | </listitem> | ||
191 | |||
192 | <listitem> | ||
193 | <para>Set permissions and login restrictions as well as a firmware | ||
194 | password. It is also important to set a secondary bootloader | ||
195 | password (LILO or GRUB) to prevent malicious users from | ||
196 | booting.</para> | ||
197 | </listitem> | ||
198 | |||
199 | <listitem> | ||
200 | <para>Encrypt disks before they are installed.</para> | ||
201 | </listitem> | ||
202 | </itemizedlist> | ||
203 | </listitem> | ||
204 | |||
205 | <listitem> | ||
206 | <para><emphasis role="bold">Review Process</emphasis></para> | ||
207 | |||
208 | <para>Review your security process and security policies often, and | ||
209 | continually seek to improve them.</para> | ||
210 | </listitem> | ||
211 | </orderedlist> | ||
212 | </chapter> \ No newline at end of file | ||
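Review bot: this hunk removes the entire guidelines_hardening_linux.xml chapter (id="linux_hardening", 212 lines) with nothing replacing it in the diff, so please confirm that nothing in the book still references it: a DocBook chapter is normally pulled in from the book's top-level file by an include and may be the target of cross-references to its id, and neither is touched here, which would break the build. If the content was moved to another chapter or book, the commit message should say so and point to the new location; if it was dropped on purpose, note that the guidance on MAC, NX/ASLR, firewalling, remote logging, backups and physical security is no longer anywhere in the hardening guide, so readers of the remaining chapters are not left without it.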