# Updates & Patching

- Performing periodic updates will remove most of the "low hanging fruit" that can be leveraged for privesc
- On Ubuntu, the package [unattended-upgrades](https://packages.ubuntu.com/jammy/admin/unattended-upgrades) is installed by default from 18.04 onwards and can be manually enabled
- On Red Hat based systems, the [yum-cron](https://man7.org/linux/man-pages/man8/yum-cron.8.html) package performs a similar role

# Config Mgmt

- Non-exhaustive list of simple hardening measures:
  - Audit writable files and directories and any binaries set with the SUID bit.
  - Ensure that any cron jobs and sudo privileges specify any binaries using the absolute path.
  - Do not store credentials in cleartext in world-readable files.
  - Clean up home directories and bash history.
  - Ensure that low-privileged users cannot modify any custom libraries called by programs.
  - Remove any unnecessary packages and services that potentially increase the attack surface.
  - Consider implementing [SELinux](https://www.redhat.com/en/topics/linux/what-is-selinux), which provides additional access controls on the system.
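As an added example (not part of these notes), the shell script below turns four of the Config Mgmt bullets into repeatable checks: it lists SUID binaries and world-writable paths under a tree, and flags cron jobs and sudoers rules whose commands are not given as absolute paths. Everything it inspects is constructed inline (a temporary directory tree, a sample crontab and a sample sudoers excerpt) so it runs offline; the function names and the sample data are this example's own, and on a real host you would point the functions at `/`, `/etc/crontab`, `/etc/cron.d/*` and `/etc/sudoers` instead.

```shell
#!/bin/sh
# Added hardening-audit example for the Config Mgmt checklist (not from the notes).
# Inputs are constructed below so the script runs offline; on a real host use
# find_suid /, find_world_writable /, and feed /etc/crontab and /etc/sudoers
# (or `visudo -c`-checked copies) to the two flag_* functions.

# Regular files under $1 with the SUID bit set, sorted one per line.
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# World-writable files and directories under $1, excluding sticky directories
# such as /tmp, which are world-writable by design.
find_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# System-crontab lines on stdin ("m h dom mon dow user command" or
# "@reboot user command"): print each job whose command is not an absolute path.
flag_relative_cron() {
    awk '
        /^[ \t]*(#|$)/             { next }   # comments and blank lines
        /^[A-Za-z_][A-Za-z0-9_]*=/ { next }   # SHELL=, PATH=, MAILTO= ...
        {
            cmd = ($1 ~ /^@/) ? $3 : $7
            if (cmd !~ /^\//) print NR ": " $0
        }'
}

# sudoers lines on stdin: print each rule with a command spec that is neither
# an absolute path nor the keyword ALL.
flag_relative_sudoers() {
    awk '
        /^[ \t]*(#|$)/                                  { next }
        /^(Defaults|User_Alias|Runas_Alias|Host_Alias)/ { next }
        {
            spec = $0
            sub(/^[^=]*=/, "", spec)                 # drop "user HOST="
            sub(/^[ \t]*\([^)]*\)/, "", spec)        # drop "(RUNAS)"
            while (match(spec, /^[ \t]*[A-Z_]+:/))   # drop NOPASSWD: and other tags
                spec = substr(spec, RSTART + RLENGTH)
            n = split(spec, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                split(c, w, " ")                     # w[1] = command, rest = arguments
                if (w[1] != "ALL" && w[1] !~ /^\//) { print NR ": " $0; break }
            }
        }'
}

# Constructed sample tree: one clean binary, one SUID binary, one 0666 file,
# one sticky tmp dir. Prints the tree's root so callers can clean it up.
build_sample_tree() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/usr/bin" "$sample_root/opt/app" "$sample_root/tmp"
    chmod 0755 "$sample_root/usr" "$sample_root/usr/bin" "$sample_root/opt" "$sample_root/opt/app"
    printf '#!/bin/sh\n'     > "$sample_root/usr/bin/helper"
    printf '#!/bin/sh\n'     > "$sample_root/opt/app/legacy_suid"
    printf 'setting=value\n' > "$sample_root/opt/app/config.ini"
    chmod 0755 "$sample_root/usr/bin/helper"        # clean
    chmod 4755 "$sample_root/opt/app/legacy_suid"   # finding: SUID
    chmod 0666 "$sample_root/opt/app/config.ini"    # finding: world-writable
    chmod 1777 "$sample_root/tmp"                   # sticky, not a finding
    echo "$sample_root"
}

sample_crontab() {   # constructed /etc/crontab excerpt
    cat <<'EOF'
# constructed /etc/crontab excerpt
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root /usr/bin/run-parts --report /etc/cron.hourly
0 2 * * * root backup.sh --full
@reboot root /opt/agent/start
EOF
}

sample_sudoers() {   # constructed /etc/sudoers excerpt
    cat <<'EOF'
# constructed /etc/sudoers excerpt
Defaults env_reset
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) /usr/bin/apt, /usr/bin/systemctl
deploy ALL=(root) NOPASSWD: vim /etc/app.conf
EOF
}

run_demo() {
    demo_root=$(build_sample_tree)
    echo "[SUID binaries]";            find_suid "$demo_root"
    echo "[world-writable paths]";     find_world_writable "$demo_root"
    echo "[cron: relative commands]";    sample_crontab | flag_relative_cron
    echo "[sudoers: relative commands]"; sample_sudoers | flag_relative_sudoers
    rm -rf "$demo_root"
}

run_demo
```

The sudoers parser deliberately treats `ALL` as acceptable and stops at the first relative command per rule; `flag_relative_cron` only understands the system crontab layout with a user field, so per-user crontabs (`crontab -l`) need the command taken from field 6 instead.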
# User Mgmt

- Limit the number of user accounts and admin accounts on each system
- Ensure that logon attempts (valid/invalid) are logged and monitored
- Enforce a strong password policy
  - For example, use the `/etc/security/opasswd` file with the PAM module
- Check that users are not placed into groups that give them excessive rights not needed for their day-to-day tasks, and limit `sudo` rights according to the principle of least privilege
- Templates exist for configuration management automation tools such as [Puppet](https://puppet.com/use-cases/configuration-management/), [SaltStack](https://github.com/saltstack/salt), [Zabbix](https://en.wikipedia.org/wiki/Zabbix) and [Nagios](https://en.wikipedia.org/wiki/Nagios) to automate such checks, and they can be used to push notifications via email or the like

# Auditing & Pentesting

- Perform periodic security and configuration checks of all systems
- There are several security baselines, such as the DISA [Security Technical Implementation Guides (STIGs)](https://public.cyber.mil/stigs/), that can be followed to set a standard for security across all operating system types and devices
- Many compliance frameworks exist, such as [ISO27001](https://www.iso.org/isoiec-27001-information-security.html), [PCI-DSS](https://www.pcisecuritystandards.org/pci_security/), and [HIPAA](https://www.hhs.gov/hipaa/for-professionals/security/index.html), which an organization can use to help establish security baselines
- However, keep in mind that an audit and configuration review is not a replacement for a pentest or other hands-on assessments
  - This is because an audit is often seen as a "box-checking" exercise in which an organization is "passed" on a controls audit for performing the bare minimum
- One useful tool for auditing Unix-based systems (Linux, macOS, BSD, etc.) is [Lynis](https://github.com/CISOfy/lynis)
  - `Lynis` audits the current configuration of a system and provides additional hardening tips, taking into consideration various standards

```bash
./lynis audit system
```

- The resulting `lynis` scan will be broken down into
  - warnings
  - suggestions
  - overall scan details
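The password-policy bullet above mentions `/etc/security/opasswd`, which PAM only populates when a password module is configured with `remember=N` (the `pam_pwhistory.so` module, or the older `remember=` option of `pam_unix.so`). As an added example, not part of these notes, the script below checks a PAM password stack for that setting and compares a stock-looking stack against a hardened one. Both stacks are constructed samples in the Debian/Ubuntu `/etc/pam.d/common-password` layout (on Red Hat based systems the equivalent stack is `/etc/pam.d/system-auth`, normally managed through `authselect`); the function names and the minimum of five remembered passwords are assumptions of this example.

```shell
#!/bin/sh
# Added PAM password-history check (not from the notes). remember=N on
# pam_pwhistory.so (or pam_unix.so) is what makes PAM store old hashes in
# /etc/security/opasswd and refuse their reuse; without it the file stays empty.

# Print the remember=N depth from the first active password line that sets it,
# or 0 when no password history is enforced. Reads the PAM stack from stdin.
pam_remember_depth() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 == "password" && /pam_(pwhistory|unix)\.so/ {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^remember=[0-9]+$/) {
                    split($i, kv, "="); print kv[2]; found = 1; exit
                }
        }
        END { if (!found) print 0 }'
}

# Exit 0 when the stack on stdin remembers at least $1 previous passwords.
check_password_history() {
    [ "$(pam_remember_depth)" -ge "$1" ]
}

# Constructed sample: a stock-looking Debian stack with no history module.
weak_stack() {
    cat <<'EOF'
password        [success=1 default=ignore]      pam_unix.so obscure yescrypt
password        requisite                       pam_deny.so
password        required                        pam_permit.so
EOF
}

# Constructed sample: complexity rules plus twelve remembered passwords.
hardened_stack() {
    cat <<'EOF'
password        requisite                       pam_pwquality.so retry=3 minlen=14 difok=3
password        required                        pam_pwhistory.so remember=12 use_authtok
password        [success=1 default=ignore]      pam_unix.so obscure use_authtok yescrypt
password        requisite                       pam_deny.so
password        required                        pam_permit.so
EOF
}

# $1 = label; stack on stdin. Five remembered passwords is the assumed policy minimum.
report() {
    depth=$(pam_remember_depth)
    if [ "$depth" -ge 5 ]; then
        echo "$1: OK, remember=$depth (history kept in /etc/security/opasswd)"
    else
        echo "$1: FAIL, remember=$depth, password reuse is not prevented"
    fi
}

weak_stack | report weak
hardened_stack | report hardened
```

To check a live system, replace the sample functions with `pam_remember_depth < /etc/pam.d/common-password` (or `system-auth`); the check reads only the first matching line, so a stack that sets `remember=` twice is reported by its first setting.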
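Besides the on-screen breakdown into warnings, suggestions and scan details, Lynis writes a machine-readable report to `/var/log/lynis-report.dat` as `key=value` lines, where each `warning[]` and `suggestion[]` entry carries pipe-separated fields (test ID, message, details, solution). As an added example that is neither from these notes nor from the Lynis project, the script below turns such a report into a triage summary and a pass/fail gate for automation; the report excerpt it parses is a constructed sample with made-up results, and the function names are this example's own.

```shell
#!/bin/sh
# Added Lynis report triage example (not from the notes or from Lynis).
# Reads lynis-report.dat style text on stdin; the sample at the bottom is constructed.

# Print "<kind> <TEST-ID> <message>" for every warning[] and suggestion[] entry.
lynis_findings() {
    awk -F'|' '
        /^(warning|suggestion)\[\]=/ {
            split($1, kv, "=")          # kv[1]: warning[] or suggestion[], kv[2]: TEST-ID
            kind = kv[1]; sub(/\[\]$/, "", kind)
            print kind, kv[2], $2
        }'
}

# Print the number of findings of kind $1 (warning or suggestion).
lynis_count() {
    lynis_findings | awk -v k="$1" '$1 == k { n++ } END { print n + 0 }'
}

# Print the hardening index Lynis computed for the run (0-100).
lynis_hardening_index() {
    awk -F= '$1 == "hardening_index" { print $2; exit }'
}

# Exit 0 only when the report has no warnings, so a config-management run or
# CI job can fail on warnings while merely logging suggestions.
lynis_gate() {
    [ "$(lynis_count warning)" -eq 0 ]
}

# Constructed lynis-report.dat excerpt (real field layout, made-up results).
sample_report() {
    cat <<'EOF'
# constructed lynis-report.dat excerpt
hardening_index=61
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
EOF
}

echo "hardening index: $(sample_report | lynis_hardening_index)"
echo "warnings: $(sample_report | lynis_count warning), suggestions: $(sample_report | lynis_count suggestion)"
sample_report | lynis_findings
if sample_report | lynis_gate; then
    echo "gate: pass"
else
    echo "gate: FAIL (warnings present)"
fi
```

Against a real run, substitute `lynis_gate < /var/log/lynis-report.dat` for the sample; the details field (the third pipe-separated value) is where Lynis records the specific setting behind a suggestion, as in the SSH entry above.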