Linux Security
2016 GenCyber JMU Bootcamp for High School Teachers

OS Security In General
[Diagram: Applications, Services, OS, OS Kernel, CPU, I/O; Linux]

Some common OS security topics
- Manage user accounts
- OS update
- Enable firewall
- Disable guest account
- Monitor logs
- Check file permissions
- Manage services

Ubuntu Security
Manage User Accounts

OS Updates

Ubuntu Firewall
- Install Gufw

Disable guest account
- Save the change
- Need to restart

Set password policies

Set password history

Set account policy

Monitor logs

Check file permissions
For a file:
- Can its owner read/write/execute it?
- Can other users in the same group read/write/execute it?
- Can other users in the system read/write/execute it?
- View file permission: ls -l myfile
- Change file permission: chmod

Set audit policy

Manage services

The Linux File System
- Every user has a home directory (default location for his/her files)
- Find out what the current user's home directory is: echo $HOME
- Associated with every shell is a location in the file system called the working directory
- Find out what the current working directory is: pwd

Listing Files and Directories
- To see what files and directories are in the current working directory, use the ls command: ls
- Most commands take options that affect their behaviour:
    ls -l     show a long listing
    ls -a     show all files and directories
    ls -la    show a long listing of all files and directories

Creating, Removing, and Changing Directories
- To create a new directory (in the current working directory), use the mkdir command: mkdir foo
- To change the current working directory, use the cd command:
    cd .      go to the current directory
    cd ..     go to the parent directory
    cd foo    go to the foo directory
    cd        go to the user's home directory
- To remove an empty directory, use the rmdir command: rmdir foo

Absolute and Relative Paths
- Relative: specify a file or directory relative to the current directory
    cd foo
    cd ../..
- Absolute: specify a file or directory starting from the top (root) of the file system
    cd /
    cd /home/elvis/foo

The Linux File System
A hierarchy of files and directories:
/ bin/ dev/ etc/ home/ alice/ memos/ bob/ report.doc root/ fred/ tmp/

Important Linux Directories
    /bin      common commands (e.g. ls and ps)
    /boot     files used at boot time
    /dev      files representing access points to system I/O devices (e.g. terminals, printers, disks, CDs)
    /etc      system configuration files
    /home     user home directories
    /proc     information about system resources
    /root     home directory for root user
    /sbin     administrative commands

Viewing and Editing Files
- Many ways to display the contents of text files:
    cat command (no scrolling)
    more and less commands (scrolling)
- Many editors available:
    pico/nano (simple)
    vi
    emacs

Permissions
- Define access rights of various users to each file
- View file permissions with the ls -l command:
    drwxr-xr-x 2 elvis elvis 4096 Jan 12 18:32 Desktop
    -rw-rw-r-- 1 elvis elvis 102 Jan 13 14:37 numbers
- Note: 10 permission bits
    Bit 1 (leftmost): file type
    Bits 2-4: owner's permissions (read, write, and execute)
    Bits 5-7: group's permissions (read, write, and execute)
    Bits 8-10: world's permissions (read, write, and execute)

Permissions (cont)
- Read (file): view contents
- Read (directory): see what files and subdirectories it contains
- Write (file): change contents of, rename, or delete the file
- Write (directory): add files or subdirectories
- Execute (file): run the file as a program
- Execute (directory): cd into the directory

Modifying Permissions
- Use the chmod command: chmod 777 file
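
The ten permission characters printed by ls -l map directly onto the three octal digits given to chmod. The script below is an added example, not part of the original slides: it converts a mode string to its octal form and flags files that every user on the system can modify. The function names are made up for illustration and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: decode the 10-character mode string printed by `ls -l`.
# Function names are illustrative; the sample listing is constructed.

# Convert one rwx triplet (e.g. "r-x") to its octal digit: r=4, w=2, x=1.
# A lowercase s or t in the last slot (setuid/setgid/sticky) also implies x.
triplet_to_digit() {
    d=0
    case $1 in r??) d=$((d + 4)) ;; esac
    case $1 in ?w?) d=$((d + 2)) ;; esac
    case $1 in ??[xst]) d=$((d + 1)) ;; esac
    printf '%s' "$d"
}

# Convert a full mode string such as "-rw-rw-r--" to the chmod form "664".
mode_to_octal() {
    [ "${#1}" -ge 10 ] || return 1
    printf '%s%s%s\n' \
        "$(triplet_to_digit "$(printf '%s' "$1" | cut -c2-4)")" \
        "$(triplet_to_digit "$(printf '%s' "$1" | cut -c5-7)")" \
        "$(triplet_to_digit "$(printf '%s' "$1" | cut -c8-10)")"
}

# Succeed when "other users in the system" (bits 8-10) may write: character 9.
world_writable() {
    [ "$(printf '%s' "$1" | cut -c9)" = "w" ]
}

# Read `ls -l` lines on stdin; print octal mode, owner, name and a flag.
audit_listing() {
    while read -r mode _links owner _group _size _mon _day _time name; do
        if world_writable "$mode"; then flag="WORLD-WRITABLE"; else flag="ok"; fi
        printf '%s %s %s %s\n' "$(mode_to_octal "$mode")" "$owner" "$name" "$flag"
    done
}

# Constructed sample: the two lines from the slide plus a file after chmod 777.
SAMPLE='drwxr-xr-x 2 elvis elvis 4096 Jan 12 18:32 Desktop
-rw-rw-r-- 1 elvis elvis 102 Jan 13 14:37 numbers
-rwxrwxrwx 1 elvis elvis 57 Jan 13 14:40 file'

printf '%s\n' "$SAMPLE" | audit_listing
```

Only the file set with chmod 777 is flagged; a mode such as 644 or 640 keeps the owner able to edit while removing write access for everyone else.
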
Removing: rm file1

User database
- Stored in /etc/passwd
- Each line contains the account information for a single user:
    Username
    UID
    GID
    Home directory
    Default shell
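
The fields listed above are enough to run a quick account audit. The script below is an added example, not part of the original slides: it reads passwd-format lines and reports extra UID 0 accounts, accounts whose password field is empty, and accounts that have a login shell. The function name audit_passwd and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit passwd-format lines
# (username:password:UID:GID:comment:home:shell).
# audit_passwd is an illustrative name; SAMPLE_PASSWD is constructed data.

audit_passwd() {
    awk -F: '
        /^[ \t]*$/ { next }                               # skip blank lines
        NF != 7 { printf "MALFORMED line %d\n", NR; next }
        # Any UID 0 account besides root is a second superuser.
        $3 == 0 && $1 != "root" { printf "UID0 %s\n", $1 }
        # An empty second field means the account has no password at all;
        # an "x" there means the hash is kept in /etc/shadow.
        $2 == "" { printf "EMPTY-PASSWORD-FIELD %s\n", $1 }
        # Accounts that can get an interactive shell.
        $7 !~ /\/(nologin|false)$/ { printf "LOGIN-SHELL %s %s\n", $1, $7 }
    '
}

# Constructed sample entries (not taken from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
elvis:x:1000:1000:Elvis:/home/elvis:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/bash
toor:x:0:0:backup admin:/root:/bin/sh'

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

On a live system the same function can be run as audit_passwd < /etc/passwd, which is readable by all users.
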
Shadowed and Salted Passwords
- Linux protects the password hashes:
    Password hashes usually stored in a protected file: /etc/shadow
    A salt value is used
- Password hashes can still be cracked

Securing a Linux Server
Best Practices:
- Patches
- Accounts
- Audit
- Services
- Firewall
- Malware defense
- Mandatory Access Controls
- Security guides and tools

Linux Patching
- As with Windows, patches for the Linux OS and its applications and libraries are released often
- Tools:
    Red Hat: up2date
    Debian (including Ubuntu): apt-get/aptitude
    RHEL, Fedora, CentOS: yum

Ubuntu Patching
- Tools:
    Update Manager (GUI)
    apt-get/aptitude
    Third party tools (e.g. http://www.manageengine.com/products/security-manager)

Apt-get
- Can be used to: Install/Remove/Update packages
- Example: sudo apt-get install emacs

Accounts
- Delete/disable unnecessary accounts
    Users settings GUI
    useradd/userdel commands
- Never have any account with no/default password
- Change all passwords to good ones
- Account policies:
    /etc/pam.d/common-password: password policies
    chage command: used to view/set password expiration options of individual users

Logging
- Most log files are text files located in /var/log:
    auth.log: account log in and log out
    lastlog: binary file used by lastlog program to display most recent log in of all users
    wtmp: binary file used by last program to display listing of last users logged in
- Certain applications also store their logs in subdirectories in /var/log: Apache, mysql, etc.

Reviewing Logs
- Manually inspect log files
- System Log Viewer GUI
- Automated tools:
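
To show what automated review of auth.log can look like, here is an added example that is not part of the original slides. It counts failed SSH password attempts per source address and notes whether a successful login followed from the same address. The function name failed_logins, the default threshold of 3, and the log lines (which follow the usual sshd message layout and use documentation-only addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise failed SSH password logins in auth.log-style input.
# failed_logins is an illustrative name; SAMPLE_LOG is constructed data.

# Usage: failed_logins [min_failures] < /var/log/auth.log
failed_logins() {
    awk -v min="${1:-3}" '
        # sshd password lines end "... from <ip> port <n> ssh2"; reading the
        # address from the end of the line ignores anything odd in the username.
        /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" {
            fail[$(NF-3)]++
        }
        # A success from an address that already reached the threshold.
        /sshd\[[0-9]+\]: Accepted password for / && $(NF-4) == "from" {
            ip = $(NF-3)
            if ((ip in fail) && fail[ip] >= min + 0) hit[ip] = 1
        }
        END {
            for (ip in fail)
                if (fail[ip] >= min + 0)
                    printf "%s failures=%d login_after=%s\n", ip, fail[ip], ((ip in hit) ? "yes" : "no")
        }
    ' | sort
}

# Constructed sample log lines (not from a real host).
SAMPLE_LOG='Jan 13 14:37:01 ubuntu sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 13 14:37:03 ubuntu sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 13 14:37:06 ubuntu sshd[2104]: Failed password for elvis from 203.0.113.5 port 51240 ssh2
Jan 13 14:37:09 ubuntu sshd[2106]: Accepted password for elvis from 203.0.113.5 port 51244 ssh2
Jan 13 14:38:40 ubuntu sshd[2115]: Failed password for root from 198.51.100.7 port 33900 ssh2
Jan 13 14:38:43 ubuntu sshd[2115]: Failed password for root from 198.51.100.7 port 33900 ssh2
Jan 13 14:38:47 ubuntu sshd[2115]: Failed password for root from 198.51.100.7 port 33900 ssh2
Jan 13 14:40:12 ubuntu sshd[2130]: Failed password for elvis from 192.0.2.10 port 40022 ssh2
Jan 13 14:40:20 ubuntu sshd[2130]: Accepted password for elvis from 192.0.2.10 port 40022 ssh2'

printf '%s\n' "$SAMPLE_LOG" | failed_logins 3
```

An address reported with login_after=yes deserves the first look, because repeated failures ended in a successful login; a single mistyped password followed by a login stays below the threshold and is not reported.
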

The services GUI
- Starting/stopping of all services is controlled by scripts in /etc/rcX.d (where X is a run level 0-6)
- Use invoke-rc.d program to start/stop services immediately: sudo invoke-rc.d apache2 stop
- Use update-rc.d program to enable/disable a service at boot time

Services (cont)
- Secure all necessary services
- Don't install untrusted software
    Consider the source
    Consider the signature

Host-based Firewall
- Uncomplicated Firewall (ufw): firewall configuration utility
    $ sudo ufw allow ssh/tcp
    $ sudo ufw logging on
    $ sudo ufw enable
    $ sudo ufw status
- Rules and configuration stored in /etc/ufw

Firewall (cont)
- Block all unnecessary/unauthorized traffic
- Allow traffic to necessary services
- Other network security options:
    TCP Wrappers: network access control list
    PortSentry: protect against port scans, http://sourceforge.net/projects/sentrytools/
    Port scan attack detector (psad): http://www.cipherdyne.org/psad/

Chkrootkit (http://www.chkrootkit.org/)

Mandatory Access Controls
- Users (through file permissions) can define discretionary access controls (DAC) on files
- Mandatory Access Controls (MAC) are rules enforced by the system regardless of the user's DAC
- Several On-going Projects:
    Security-Enhanced Linux
    GRSecurity
    Linux Intrusion Detection System
    Rule-Set Based Access Control

SELinux
- Project originally developed by National Security Agency to implement Mandatory Access Controls within the Linux Kernel
- Incorporated into 2.6 Linux kernel
- System checks DAC then MAC policy before granting access to a resource
- Ubuntu supports SELinux (but it is not installed by default)

Bastille Linux (cont)
- An interactive Linux-hardening tool
- See https://help.ubuntu.com/community/BastilleLinux
- Helps check/configure:
    File permissions
    Account security
    System auditing
    Services
    Mail server
    Web server
    FTP server
    Firewall

Linux Security Guides
- Many are available
- Ubuntu Community: https://help.ubuntu.com/community/Security

Summary
Best Practices:
- Patches
- Accounts
- Audit
- Services
- Firewall
- Malware defense
- Mandatory Access Control
- Security guides and tools (i.e. Bastille)