Title Page
Copyright and Credits
Mastering Linux Security and Hardening
Packt Upsell
Why subscribe?
PacktPub.com
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Running Linux in a Virtual Environment
The threat landscape
So, how does this happen?
Keeping up with security news
Introduction to VirtualBox and Cygwin
Installing a virtual machine in VirtualBox
The EPEL repository on the CentOS virtual machine
Configuring a network for VirtualBox virtual machines
Creating a virtual machine snapshot with VirtualBox
Using Cygwin to connect to your virtual machines
Installing Cygwin on your Windows host
Summary
Securing User Accounts
The dangers of logging in as the root user
The advantages of using sudo
Setting up sudo privileges for full administrative users
Method 1 – adding users to a predefined admin group
Method 2 – creating an entry in the sudo policy file
Setting up sudo for users with only certain delegated privileges
Hands-on lab for assigning limited sudo privileges
Advanced tips and tricks for using sudo
The sudo timer
Hands-on lab for disabling the sudo timer
Preventing users from having root shell access
Preventing users from using shell escapes
Preventing users from using other dangerous programs
Limiting the user's actions with commands
Letting users run as other users
Locking down users' home directories the Red Hat or CentOS way
Locking down users' home directories the Debian/Ubuntu way
useradd on Debian/Ubuntu
adduser on Debian/Ubuntu
Hands-on lab for configuring adduser
Enforcing strong password criteria
Installing and configuring pwquality
Hands-on lab for setting password complexity criteria
Setting and enforcing password and account expiration
Configuring default expiry data for useradd – for Red Hat or CentOS only
Setting expiry data on a per-account basis, with useradd and usermod
Setting expiry data on a per-account basis, with chage
Hands-on lab for setting account and password expiry data
Preventing brute-force password attacks
Configuring the pam_tally2 PAM module
Hands-on lab for configuring pam_tally2
Locking user accounts
Using usermod to lock a user account
Using passwd to lock user accounts
Locking the root user account
Setting up security banners
Using the motd file
Using the issue file
Using the issue.net file
Summary
Securing Your Server with a Firewall
An overview of iptables
Basic usage of iptables
Hands-on lab for basic iptables usage
Uncomplicated Firewall for Ubuntu systems
Basic usage of ufw
Hands-on lab for basic ufw usage
firewalld for Red Hat systems
Verifying the status of firewalld
firewalld zones
firewalld services
Adding ports to a firewalld zone
firewalld rich language rules
Hands-on lab for firewalld commands
nftables – a more universal type of firewall system
nftables tables and chains
Getting started with nftables
Using nft commands
Hands-on lab for nftables on Ubuntu
Summary
Encrypting and SSH Hardening
GNU Privacy Guard
Creating your GPG keys
Symmetrically encrypting your own files
Hands-on lab – combining gpg and tar for encrypted backups
Using private and public keys for asymmetric encryption and signing
Signing a file without encryption
Encrypting partitions with Linux Unified Key Setup – LUKS
Disk encryption during operating system installation
Adding an encrypted partition with LUKS
Configuring the LUKS partition to mount automatically
Encrypting directories with eCryptfs
Home directory and disk encryption during Ubuntu installation
Encrypting a home directory for a new user account
Creating a private directory within an existing home directory
Encrypting other directories with eCryptfs
Encrypting the swap partition with eCryptfs
Using VeraCrypt for cross-platform sharing of encrypted containers
Getting and installing VeraCrypt
Creating and mounting a VeraCrypt volume in console mode
Using VeraCrypt in GUI mode
Ensuring that SSH protocol 1 is disabled
Creating and managing keys for password-less logins
Creating a user's SSH key set
Transferring the public key to the remote server
Disabling root user login
Disabling username/password logins
Setting up a chroot environment for SFTP users
Creating a group and configuring the sshd_config file
Hands-on lab – setting up a chroot directory for sftpusers group
Summary
Mastering Discretionary Access Control
Using chown to change ownership of files and directories
Using chmod to set permissions values on files and directories
Setting permissions with the symbolic method
Setting permissions with the numerical method
Using SUID and SGID on regular files
The security implications of the SUID and SGID permissions
Finding spurious SUID or SGID files
Hands-on lab – searching for SUID and SGID files
Preventing SUID and SGID usage on a partition
Using extended file attributes to protect sensitive files
Setting the a attribute
Setting the i attribute
Hands-on lab – setting security-related extended file attributes
Summary
Access Control Lists and Shared Directory Management
Creating an access control list for either a user or a group
Creating an inherited access control list for a directory
Removing a specific permission by using an ACL mask
Using the tar --acls option to prevent the loss of ACLs during a backup
Creating a user group and adding members to it
Adding members as we create their user accounts
Using usermod to add an existing user to a group
Adding users to a group by editing the /etc/group file
Creating a shared directory
Setting the SGID bit and the sticky bit on the shared directory
Using ACLs to access files in the shared directory
Setting the permissions and creating the ACL
Charlie tries to access Vicky's file with an ACL set for Cleopatra
Hands-on lab – creating a shared group directory
Summary
Implementing Mandatory Access Control with SELinux and AppArmor
How SELinux can benefit a systems administrator
Setting security contexts for files and directories
Installing the SELinux tools
Creating web content files with SELinux enabled
Fixing an incorrect SELinux context
Using chcon
Using restorecon
Using semanage
Hands-on lab – SELinux type enforcement
Troubleshooting with setroubleshoot
Viewing setroubleshoot messages
Using the graphical setroubleshoot utility
Troubleshooting in permissive mode
Working with SELinux policies
Viewing the Booleans
Configuring the Booleans
Protecting your web server
Protecting network ports
Creating custom policy modules
Hands-on lab – SELinux Booleans and ports
How AppArmor can benefit a systems administrator
Looking at AppArmor profiles
Working with AppArmor command-line utilities
Troubleshooting AppArmor problems
Summary
Scanning, Auditing, and Hardening
Installing and updating ClamAV and maldet
Installing ClamAV and maldet
Configuring maldet
Updating ClamAV and maldet
Scanning with ClamAV and maldet
SELinux considerations
Scanning for rootkits with Rootkit Hunter
Installing and updating Rootkit Hunter
Scanning for rootkits
Controlling the auditd daemon
Creating audit rules
Auditing a file for changes
Auditing a directory
Auditing system calls
Using ausearch and aureport
Searching for file change alerts
Searching for directory access rule violations
Searching for system call rule violations
Generating authentication reports
Using predefined rules sets
Applying OpenSCAP policies with oscap
Installing OpenSCAP
Viewing the profile files
Scanning the system
Remediating the system
Using SCAP Workbench
More about OpenSCAP profiles
Applying an OpenSCAP profile during system installation
Summary
Vulnerability Scanning and Intrusion Detection
Looking at Snort and Security Onion
Obtaining and installing Snort
Graphical interfaces for Snort
Getting Snort in prebuilt appliances
Using Security Onion
Scanning and hardening with Lynis
Installing Lynis on Red Hat/CentOS
Installing Lynis on Ubuntu
Scanning with Lynis
Finding vulnerabilities with OpenVAS
Web server scanning with Nikto
Nikto in Kali Linux
Installing and updating Nikto on Linux
Scanning a web server with Nikto
Summary
Security Tips and Tricks for the Busy Bee
Auditing system services
Auditing system services with systemctl
Auditing network services with netstat
Auditing network services with Nmap
Port states
Scan types
Password-protecting the GRUB 2 bootloader
Resetting the password for Red Hat/CentOS
Resetting the password for Ubuntu
Preventing kernel parameter edits on Red Hat/CentOS
Preventing kernel parameter edits on Ubuntu
Password-protecting boot options
Disabling the submenu for Ubuntu
Password-protecting boot option steps for both Ubuntu and Red Hat
Securely configuring BIOS/UEFI
Using a security checklist for system setup
Summary
Other Books You May Enjoy
Leave a review – let other readers know what you think