Diffstat (limited to 'doc/book-enea-nfv-access-user-hardening-guide/doc/intro_hardentools_tech.xml')
-rw-r--r-- | doc/book-enea-nfv-access-user-hardening-guide/doc/intro_hardentools_tech.xml | 209 |
1 files changed, 0 insertions, 209 deletions
diff --git a/doc/book-enea-nfv-access-user-hardening-guide/doc/intro_hardentools_tech.xml b/doc/book-enea-nfv-access-user-hardening-guide/doc/intro_hardentools_tech.xml deleted file mode 100644 index 294d67e..0000000 --- a/doc/book-enea-nfv-access-user-hardening-guide/doc/intro_hardentools_tech.xml +++ /dev/null | |||
@@ -1,209 +0,0 @@ | |||
1 | <?xml version="1.0" encoding="ISO-8859-1"?> | ||
2 | <chapter id="intro_hardentools_tech"> | ||
3 | <title>A Brief Introduction to Hardening Tools and Technologies</title> | ||
4 | |||
5 | <para>Linux by default, is not a secure operating system however, it has | ||
6 | many features and tools that can help secure it thoroughly. Detailed below | ||
7 | are several useful tools and features available for Linux which can help | ||
8 | harden the Linux system to really high degrees.</para> | ||
9 | |||
10 | <section id="namespaces"> | ||
11 | <title>Namespaces</title> | ||
12 | |||
13 | <para>Namespaces are a feature of the Linux kernel that isolate and | ||
14 | virtualize system resources for a collection of processes. Examples of | ||
15 | resources that can be virtualized are:</para> | ||
16 | |||
17 | <itemizedlist> | ||
18 | <listitem> | ||
19 | <para>Process IDs</para> | ||
20 | </listitem> | ||
21 | |||
22 | <listitem> | ||
23 | <para>Hostnames</para> | ||
24 | </listitem> | ||
25 | |||
26 | <listitem> | ||
27 | <para>User IDs</para> | ||
28 | </listitem> | ||
29 | |||
30 | <listitem> | ||
31 | <para>Network access</para> | ||
32 | </listitem> | ||
33 | |||
34 | <listitem> | ||
35 | <para>UTS</para> | ||
36 | </listitem> | ||
37 | |||
38 | <listitem> | ||
39 | <para>Control Group (cgroup)</para> | ||
40 | </listitem> | ||
41 | |||
42 | <listitem> | ||
43 | <para>Interprocess communication (IPC)</para> | ||
44 | </listitem> | ||
45 | |||
46 | <listitem> | ||
47 | <para>Filesystems (mnt)</para> | ||
48 | </listitem> | ||
49 | </itemizedlist> | ||
50 | |||
51 | <para>Namespaces are a fundamental aspect of containers on Linux. Tools | ||
52 | like Docker make isolating Linux processes into their own little system | ||
53 | environments easy. This makes it possible to run a whole range of | ||
54 | applications on a single real Linux machine and ensure that no processes | ||
55 | can interfere with each other, without having to resort to using virtual | ||
56 | machines. </para> | ||
57 | </section> | ||
58 | |||
59 | <section id="intrusion_prev_dev"> | ||
60 | <title>Linux Intrusion Prevention/Detection Systems</title> | ||
61 | |||
62 | <para>An Intrusion Prevention System (IPS) and an Intrusion Detection | ||
63 | System (IDS) provide an effective layer of security. The Linux Intrusion | ||
64 | Detection System (LIDS) is a patch to the Linux kernel and associated | ||
65 | administrative tools, and enhances the kernel's security by implementing | ||
66 | Mandatory Access Control (MAC).</para> | ||
67 | |||
68 | <para>When a LIDS system is booted, file restrictions are enforced | ||
69 | immediately. Once the system has come on, the <command>lidsadm | ||
70 | -I</command> command will seal off the kernel, preventing any additional | ||
71 | kernel modules from affecting it.</para> | ||
72 | </section> | ||
73 | |||
74 | <section id="kernel_hardening"> | ||
75 | <title>Kernel Hardening</title> | ||
76 | |||
77 | <para>Kernel hardening is primarily about the kernel protecting itself, | ||
78 | eliminating classes of exploits, and reducing its attack surface. Two | ||
79 | approaches to hardening the standard Linux kernel are: </para> | ||
80 | |||
81 | <itemizedlist> | ||
82 | <listitem> | ||
83 | <para>Address space (memory) protection</para> | ||
84 | </listitem> | ||
85 | |||
86 | <listitem> | ||
87 | <para>Advance Access Control System</para> | ||
88 | </listitem> | ||
89 | </itemizedlist> | ||
90 | |||
91 | <para>Buffer overflows (in languages such as C) are one of the leading | ||
92 | vulnerabilities exploited to gain control of a system. The problem arises | ||
93 | when a user can insert more data into a buffer than it was originally | ||
94 | allocated for. Restrictions however, on an application's address space | ||
95 | prevent many types of buffer overflows attacks.</para> | ||
96 | </section> | ||
97 | |||
98 | <section id="lsm"> | ||
99 | <title>Linux Security Modules (LSM)</title> | ||
100 | |||
101 | <para>LSM is a framework part of the Linux kernel. LSM API implements | ||
102 | hooks at all security-critical points within the kernel. The modules | ||
103 | currently accepted in the official kernel are:</para> | ||
104 | |||
105 | <itemizedlist> | ||
106 | <listitem> | ||
107 | <para>AppArmor</para> | ||
108 | </listitem> | ||
109 | |||
110 | <listitem> | ||
111 | <para>SELinux</para> | ||
112 | </listitem> | ||
113 | |||
114 | <listitem> | ||
115 | <para>Smack</para> | ||
116 | </listitem> | ||
117 | |||
118 | <listitem> | ||
119 | <para>TOMOYO Linux</para> | ||
120 | </listitem> | ||
121 | |||
122 | <listitem> | ||
123 | <para>Yama</para> | ||
124 | </listitem> | ||
125 | </itemizedlist> | ||
126 | |||
127 | <section id="selinux"> | ||
128 | <title>SELinux</title> | ||
129 | |||
130 | <para><emphasis role="bold">SELinux, Security Enhanced Linux</emphasis> | ||
131 | is a Kernel security mechanism for the supporting access control | ||
132 | security policy. SELinux has three configuration modes:</para> | ||
133 | |||
134 | <itemizedlist> | ||
135 | <listitem> | ||
136 | <para>Disabled: Turned-off</para> | ||
137 | </listitem> | ||
138 | |||
139 | <listitem> | ||
140 | <para>Permissive: Prints warnings</para> | ||
141 | </listitem> | ||
142 | |||
143 | <listitem> | ||
144 | <para>Enforcing: Policy is enforced</para> | ||
145 | </listitem> | ||
146 | </itemizedlist> | ||
147 | |||
148 | <para>Edit the selinux config file to change the | ||
149 | configuration:<programlisting># /etc/selinux/config | ||
150 | SELINUX=enforcing</programlisting></para> | ||
151 | </section> | ||
152 | </section> | ||
153 | |||
154 | <section id="acl"> | ||
155 | <title>POSIX Access Control Lists (ACL)</title> | ||
156 | |||
157 | <para>In addition to the file owner, the file group etc., additional users | ||
158 | and groups can be granted or denied access by using POSIX ACLs. For a | ||
159 | file, ACLs can be configured:</para> | ||
160 | |||
161 | <itemizedlist> | ||
162 | <listitem> | ||
163 | <para>Per user </para> | ||
164 | </listitem> | ||
165 | |||
166 | <listitem> | ||
167 | <para>Per group</para> | ||
168 | </listitem> | ||
169 | |||
170 | <listitem> | ||
171 | <para>Via the effective right mask</para> | ||
172 | </listitem> | ||
173 | |||
174 | <listitem> | ||
175 | <para>For users not in the user group, for the file</para> | ||
176 | </listitem> | ||
177 | </itemizedlist> | ||
178 | </section> | ||
179 | |||
180 | <section id="log_audit"> | ||
181 | <title>Logging and Auditing</title> | ||
182 | |||
183 | <para>Audit logs are useful for analyzing system behavior, and may help | ||
184 | detect attempts at compromising the system. Enea Linux distributions have | ||
185 | logging mechanisms that record all system activities. The syslog service | ||
186 | manages the logs in <command>/var/log/</command>. These logs are critical | ||
187 | for troubleshooting purposes.</para> | ||
188 | </section> | ||
189 | |||
190 | <section id="secure_net_coms"> | ||
191 | <title>Secure Network Communication</title> | ||
192 | |||
193 | <para>Encrypt and authenticate network communication using IPsec.</para> | ||
194 | </section> | ||
195 | |||
196 | <section id="hd_encrypting"> | ||
197 | <title>Hard Disk Encryption and Disk Protection</title> | ||
198 | |||
199 | <para>Encrypt the disks before they are installed. This is a crucial step | ||
200 | as it will prevent unauthorized access to data even when the hard disk is | ||
201 | connected to a different machine.</para> | ||
202 | |||
203 | <para>Disk protection is a key step in securing data. Make sure that you | ||
204 | backup data so that situations such as a damaged system and bugs in the OS | ||
205 | updates won't affect them. The backup must be transferred offsite | ||
206 | for major servers to keep data secure during unforeseen disasters. Backup | ||
207 | management must also be well-defined.</para> | ||
208 | </section> | ||
209 | </chapter> \ No newline at end of file | ||
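Review bot: the hunk deletes the whole chapter with id `intro_hardentools_tech` and the diffstat shows no other file touched, so the book's top-level document that pulled this chapter in (an XInclude or entity reference to `intro_hardentools_tech.xml`) and any `xref`/`link` pointing at the section ids defined here (`namespaces`, `intrusion_prev_dev`, `kernel_hardening`, `lsm`, `selinux`, `acl`, `log_audit`, `secure_net_coms`, `hd_encrypting`) must be removed in the same change, or the DocBook build will fail on unresolved references. If the material was moved rather than dropped, the commit should name the destination file so reviewers can confirm the SELinux `/etc/selinux/config` and `lidsadm -I` guidance still appears somewhere in the hardening guide.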