The documentation on various aspects of local and network security is extensive. This is just a brief overview of a few things to be aware of.
Be sure to monitor enabled services. To list all enabled services -- that is, those services that are automatically started:
$ systemctl list-unit-files | grep -w enabled | less
$ # comment: -w matches the whole word "enabled" only; a plain "grep enabled" also matches "disabled"
$ # comment: Or, to list the units currently loaded and whether they are active:
$ systemctl list-units
Imagine we want to be sure that bluetooth is disabled and not running:
$ systemctl status bluetooth.target
● bluetooth.target - Bluetooth
   Loaded: loaded (/lib/systemd/system/bluetooth.target; static; vendor preset: enabl
   Active: inactive (dead)
     Docs: man:systemd.special(7)
Good. It's not running. If it were running, then we could disable it like so:
$ sudo systemctl disable bluetooth.target
Logs are an important way to identify and understand how the machine is being
used and what it is doing. Depending on the level of security you might need,
you may want to send logs off site or off the server.
rsyslogd is helpful here. From its man page:
rsyslogd -- reliable and extended syslogd
As you may remember, the syslogd service logs messages from the kernel,
applications, and other programs or services. rsyslogd extends syslogd in a
number of ways, but one of the important extensions is remote logging -- that
is, forwarding logs to a remote and perhaps more secure machine (one that is
not exposed to the internet).
Visit /var/log/ and read the README file.
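Here is an added example (not from the original notes) of what the remote-logging setup just described looks like in rsyslog configuration: a script that writes one drop-in for the client that forwards and one for the log host that receives. The host name `logserver.example.internal`, the port and the output directory are assumptions for illustration; on a real system the files would go under /etc/rsyslog.d/.

```shell
#!/bin/sh
# Added example, not from the original notes: generate the two rsyslog drop-in
# files for forwarding logs to a separate log host. Host name, port and output
# directory are assumptions for illustration.

# Client side. $1 = output directory, $2 = log host, $3 = TCP port (default 514).
write_forward_conf() {
    dir=$1; host=$2; port=${3:-514}
    mkdir -p "$dir"
    cat > "$dir/90-forward.conf" <<EOF
# Forward every facility and priority to the log host over TCP (omfwd).
# The disk-assisted queue keeps messages on the client while the log host is
# unreachable, and resumeRetryCount=-1 retries forever instead of discarding.
*.* action(type="omfwd"
           target="$host" port="$port" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_queue"
           queue.maxDiskSpace="256m" queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
EOF
}

# Log host side. $1 = output directory, $2 = TCP port to listen on (default 514).
write_receiver_conf() {
    dir=$1; port=${2:-514}
    mkdir -p "$dir"
    cat > "$dir/10-remote.conf" <<EOF
module(load="imtcp")
input(type="imtcp" port="$port")
# One file per sending host, so each client's history stays separate.
template(name="PerHost" type="string"
         string="/var/log/remote/%HOSTNAME%/syslog.log")
if \$fromhost-ip != "127.0.0.1" then action(type="omfile" dynaFile="PerHost")
EOF
}

# Number of forwarding actions across the snippets in directory $1.
count_forward_actions() {
    cat "$1"/*.conf 2>/dev/null | grep -c 'type="omfwd"'
}

# Demo when run with a directory argument, e.g. ./forward.sh /tmp/rsyslog-demo
if [ $# -gt 0 ]; then
    write_forward_conf "$1" logserver.example.internal 514
    write_receiver_conf "$1" 514
    echo "forwarding actions written: $(count_forward_actions "$1")"
fi
```

The queue settings matter for the security goal: without them, an outage of the log host (or a deliberately unplugged cable) silently drops the very records you wanted preserved. The snippet sends plain TCP; if the network path between client and log host is not trusted, rsyslog's TLS netstream drivers should be configured on both sides as well.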
SELinux is a kernel security module that enforces mandatory access control policies.
From the man 8 selinux page:
SELinux -- NSA Security-Enhanced Linux
There are books on using SELinux. Briefly, we should know a few things -- e.g., how SELinux interacts with various software and various users. When we install and configure, e.g., Apache2, we'll need to work with SELinux to allow Apache2 to do various things.
To start, check whether it is enabled:
$ cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
$ getenforce
Enforcing
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
man 8 selinux page:
SELinux enabled values:
SELinux type policy values:
man 8 selinux page:
For example, httpd has the httpd_selinux(8) man page. To see which
SELinux-related man pages are available on our system:
$ man -k selinux
selinux (8)          - NSA Security-Enhanced Linux (SELinux)
audit2allow (1)      - generate SELinux policy allow/dontaudit rules from logs of ...
... <truncated>
To view current policy settings (and toggle a boolean):
# semanage boolean -l | less
# semanage boolean -l | grep "(on" | less    # comment: only the booleans currently on
# semanage boolean -l | grep httpd
# getsebool httpd_enable_cgi
# setsebool httpd_enable_cgi off
# getsebool httpd_enable_cgi
# setsebool httpd_enable_cgi on
# comment: setsebool without -P only changes the running policy; add -P to persist across reboots
semanage-user -- SELinux Policy Management SELinux User mapping tool
From Red Hat docs:
xguest_t domains can only run set user ID (setuid) applications if SELinux policy permits it (for example,
passwd). These users cannot run the su and sudo setuid applications, and therefore cannot use these applications to become root.
xguest_t domains can log in using the X Window System and a terminal.
xguest_t domains cannot execute applications in their home directories or the
/tmp directory, preventing them from executing applications, which inherit users' permissions, in directories they have write access to. This helps prevent flawed or malicious applications from modifying users' files.
user_t domains can execute applications in their home directories and
/tmp. See Section 6.6, "Booleans for Users Executing Applications" for information about allowing and preventing users from executing applications in their home directories and
xguest_t domains have is Firefox connecting to web pages.
## comment: see the list of SELinux users on the system
# semanage user --list
## comment: see the mapping of Linux logins to SELinux users
# semanage login -l
# exit
$ id -Z    # comment: print the current security context
Let's check our user captkirk:
$ su captkirk
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ exit
Let's change captkirk's SELinux user mapping from unconfined_u to user_u:
# semanage login -a -s user_u captkirk
# semanage login -l
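As an added example (not from the original notes), the script below takes apart a security context like the one `id -Z` printed for captkirk (user:role:type:level) and scans a `semanage login -l` style listing for logins that are still mapped to unconfined_u. The listing is constructed sample data, with captkirk already remapped to user_u as above and `spock` as a made-up second login.

```shell
#!/bin/sh
# Added example, not part of the original notes: parse SELinux security
# contexts and a constructed `semanage login -l` listing to find logins that
# remain unconfined. SAMPLE_LOGINS is constructed sample data.

# Field of a context "user:role:type:level". $1 = context, $2 = field name.
ctx_field() {
    case $2 in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;   # level may itself contain ':'
    esac
}

# "yes" if the context runs in the unconfined_t domain, else "no".
ctx_is_unconfined() {
    [ "$(ctx_field "$1" type)" = "unconfined_t" ] && echo yes || echo no
}

SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
captkirk             user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
spock                staff_u              s0-s0:c0.c1023       *'

# Logins mapped to unconfined_u, one per line (header and blank line skipped).
unconfined_logins() {
    printf '%s\n' "$SAMPLE_LOGINS" | awk 'NR > 2 && $2 == "unconfined_u" { print $1 }'
}

# SELinux user for Linux login $1; an unlisted login gets the __default__ mapping.
login_selinux_user() {
    u=$(printf '%s\n' "$SAMPLE_LOGINS" | awk -v l="$1" 'NR > 2 && $1 == l { print $2 }')
    if [ -z "$u" ]; then
        u=$(printf '%s\n' "$SAMPLE_LOGINS" | awk 'NR > 2 && $1 == "__default__" { print $2 }')
    fi
    printf '%s\n' "$u"
}

# "confined" or "unconfined" for Linux login $1.
login_confinement() {
    case $(login_selinux_user "$1") in
        unconfined_u) echo unconfined ;;
        *)            echo confined ;;
    esac
}

# Demo when run directly.
CTX='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
echo "type of captkirk's old context: $(ctx_field "$CTX" type)"
echo "still unconfined: $(unconfined_logins | tr '\n' ' ')"
echo "captkirk is now: $(login_confinement captkirk)"
```

The `__default__` row is the one to watch: any login without an explicit mapping inherits it, so as long as it says unconfined_u, a new account is unconfined until someone runs `semanage login -a` for it. A changed mapping applies at the user's next login, not to sessions already open.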