# Notes on Network and Local Security
## Date: Fri Oct 26 2018
The documentation on various aspects of local and network security is extensive. This is just a brief overview of a few things to be aware of.
## Shutting down services
Be sure to monitor enabled services. To list all enabled services – that is, those services that are started automatically at boot:
```bash
$ systemctl list-unit-files --state=enabled | less
$ # Or, with a text filter (note that "grep enabled" also matches "enabled-runtime"):
$ systemctl list-unit-files | grep enabled | less
$ # list-units answers a different question: what is loaded/running right now, not what starts at boot
$ systemctl list-units
```
Imagine we want to be sure that bluetooth is disabled and not running:
```bash
$ systemctl status bluetooth.target
● bluetooth.target - Bluetooth
   Loaded: loaded (/lib/systemd/system/bluetooth.target; static; vendor preset: enabl
   Active: inactive (dead)
     Docs: man:systemd.special(7)
```
Good. It's not running. If it were running, ``disable`` alone would not stop it: ``disable`` only removes the symlinks that start a unit at boot, ``stop`` ends the running instance, and ``mask`` links the unit to /dev/null so that nothing (including another unit's dependency) can start it again. Note also the ``static`` in the Loaded line above: a static unit has no [Install] section, so ``disable`` has nothing to remove and prints a warning; for Bluetooth the unit to stop, disable and mask is ``bluetooth.service``, which pulls this target in. To disable a unit:
```bash
$ sudo systemctl disable bluetooth.target
```
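Here is an added example, not from the original notes, that turns the check above into a repeatable audit: it reads ``systemctl list-unit-files`` output, keeps only units whose state is exactly ``enabled``, and reports any that are not on an allowlist. The unit-file listing embedded in it is constructed for the example, the allowlist is an assumption, and ``shutdown_unit`` is a helper name chosen here, not a systemctl verb.

```shell
#!/usr/bin/env bash
# Added example: compare enabled unit files against an allowlist.
# SAMPLE_UNIT_FILES is constructed for this example, not captured from a real host.

SAMPLE_UNIT_FILES='UNIT FILE                              STATE
bluetooth.service                      enabled
cups.service                           enabled
sshd.service                           enabled
rsyslog.service                        enabled
avahi-daemon.service                   enabled
bluetooth.target                       static
getty@.service                         enabled-runtime
firewalld.service                      masked

8 unit files listed.'

# Print enabled unit files, one per line. Reads stdin, so it works on live
# "systemctl list-unit-files" output as well as on the constructed sample.
# The state column is matched exactly: "enabled-runtime" is not "enabled".
enabled_units() {
    awk '$2 == "enabled" { print $1 }'
}

# Print the units on stdin that are NOT in the allowlist ($1, space-separated).
unexpected_units() {
    allow=" $1 "
    while read -r unit; do
        case "$allow" in
            *" $unit "*) ;;           # expected, skip
            *) echo "$unit" ;;
        esac
    done
}

# Stop a unit now, keep it from starting at boot, and mask it so nothing can
# start it later. "disable" alone leaves a running service running; "stop"
# alone lets it come back at the next boot. (Helper name is an assumption.)
shutdown_unit() {
    sudo systemctl stop "$1"
    sudo systemctl disable "$1"
    sudo systemctl mask "$1"
}

# Live system:
#   systemctl list-unit-files | enabled_units | unexpected_units "sshd.service rsyslog.service"
# Offline, on the constructed sample:
printf '%s\n' "$SAMPLE_UNIT_FILES" | enabled_units | unexpected_units "sshd.service rsyslog.service"
```

Review the reported units one by one before calling ``shutdown_unit`` on them; masking a unit that another enabled service depends on will make that service fail to start.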
## Remote logging
Logs are an important way to identify and understand how the machine is being used and what it is doing. An attacker who gains root on a host can edit or delete its local logs, so depending on the level of security you need, you may want to send logs off site or at least off the server. ``rsyslogd`` is helpful here:
From the ``man`` page: ``rsyslogd`` – reliable and extended syslogd
As you may remember, the ``syslogd`` service collects log messages from the kernel, applications, and other services. ``rsyslogd`` extends ``syslogd`` in a number of ways; one of the important extensions is remote logging, that is, forwarding logs to a remote and perhaps more secure machine (one that is not exposed to the internet).
Visit */var/log/* and read the README file.
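As an added example (not part of the original notes), the following script writes an rsyslog forwarding drop-in for a client and checks an existing config for plain-UDP forwarding, which is unauthenticated, trivially spoofable and loses messages under load. The host name ``loghost``, the drop-in file name ``90-forward.conf`` and the sample legacy config are assumptions constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: generate an rsyslog client forwarding rule and detect UDP forwarding.
# "loghost", the file names and the sample config are assumptions, not values from the page.

# Emit a forwarding rule in RainerScript syntax. protocol="tcp" is the equivalent of the
# legacy "@@host" form; a single "@" would be UDP. The action queue spools to disk so
# messages survive a loghost outage instead of being dropped, and the action retries forever.
forward_rule() {
    host="$1"; port="${2:-514}"
cat <<EOF
# forward everything to $host over TCP; spool locally while it is unreachable
*.* action(type="omfwd" target="$host" port="$port" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_$host"
           queue.maxDiskSpace="100m" queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
EOF
}

# Exit 0 and print the offending lines if a config forwards over UDP:
# legacy "@host" (single @, not "@@") or RainerScript protocol="udp".
has_udp_forwarding() {
    grep -E '^[^#]*[[:space:]]@[^@]|protocol="udp"' "$1"
}

# Write the drop-in. Default directory is a temp dir so the example runs without
# root; on a real client pass /etc/rsyslog.d and then run
#   sudo rsyslogd -N1 && sudo systemctl restart rsyslog
write_forward_conf() {
    dir="${2:-$(mktemp -d)}"
    forward_rule "$1" "$3" > "$dir/90-forward.conf"
    echo "$dir/90-forward.conf"
}

# Constructed legacy config with insecure UDP forwarding, for the check:
legacy=$(mktemp)
printf '%s\n' 'kern.* /var/log/kern.log' '*.* @192.0.2.10:514' > "$legacy"
has_udp_forwarding "$legacy"          # prints the UDP line
conf=$(write_forward_conf loghost)
has_udp_forwarding "$conf" || echo "ok: $conf forwards over TCP only"
```

On the receiving machine rsyslog needs the TCP listener loaded (``module(load="imtcp")`` and ``input(type="imtcp" port="514")``), and its firewall should accept port 514 only from the clients you expect; otherwise anyone on the network can inject log lines. TCP gives reliable delivery but no confidentiality or authentication; rsyslog's TLS stream driver (gtls) adds both if the log host is reached over an untrusted network.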
## SELinux
SELinux is a Linux Security Module (LSM) built into the kernel that enforces mandatory access control policies on top of the ordinary permission bits: a process runs in a domain, every file and socket carries a label, and the loaded policy decides which domains may touch which labels.
From ``man 8 selinux`` page: ``SELinux`` – NSA Security-Enhanced Linux
There are books on using SELinux. Briefly, we should know a few things: how to tell what mode it is in, how it treats the various services and users on the system, and how to read its denials. When we install and configure, e.g., Apache2, we'll need to work with SELinux (its booleans and file labels) to allow Apache2 to do various things.
To start, check whether it is enabled and in which mode:
```bash
$ cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
```
```bash
$ getenforce
Enforcing
```
```bash
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
```
From the ``man 8 selinux`` page:
SELinux enabled values:

- enforcing: enables SELinux for auditing and forces access denials
- permissive: enables SELinux code for auditing only
- disabled: completely disables SELinux protection

SELinux type policy values:

- targeted: a policy where most user processes operate without restrictions, and only specific services are placed into distinct security domains that are confined by the policy
- mls (Multi-Level Security): a policy where all processes are partitioned into fine-grained security domains and confined by policy
Related man pages:

- booleans(8)
- setsebool(8)
- sepolicy(8)
- system-config-selinux(8)
- togglesebool(8)
- fixfiles(8)
- restorecon(8)
- setfiles(8)
- semanage(8)
- seinfo(8)
- sesearch(8)
From the ``man 8 selinux`` page:
- All files, directories, devices […] have a security context/label associated
- Every confined service on the system has a man page in the following format:
``` <servicename>_selinux(8) ```
For example, httpd has the ``httpd_selinux(8)`` man page. To see which SELinux man pages are installed on our system (and thus which services the policy documents):
```bash
$ man -k selinux
selinux (8)          - NSA Security-Enhanced Linux (SELinux)
audit2allow (1)      - generate SELinux policy allow/dontaudit rules from logs of …
… <truncated>
```
To view the current boolean settings and toggle one (note that ``setsebool`` without ``-P`` changes only the running kernel; the value reverts at the next boot, so use ``setsebool -P`` for a permanent change):
```bash
# semanage boolean -l | less
# semanage boolean -l | grep "(on" | less
# semanage boolean -l | grep httpd
# getsebool httpd_enable_cgi
# setsebool httpd_enable_cgi off
# getsebool httpd_enable_cgi
# setsebool httpd_enable_cgi on
```
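Added example (not from the original notes): the functions below compare the output of ``getsebool -a`` against a baseline of expected boolean values and print the ``setsebool -P`` commands that would correct any drift. The baseline and the sample ``getsebool -a`` output are constructed for the example; pick the booleans that matter on your own host.

```shell
#!/usr/bin/env bash
# Added example: detect SELinux boolean drift against a baseline.
# BASELINE and SAMPLE_GETSEBOOL are constructed for this example.

BASELINE='httpd_enable_cgi off
httpd_can_network_connect off
httpd_can_sendmail off
httpd_use_nfs off'

SAMPLE_GETSEBOOL='httpd_can_network_connect --> on
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_use_nfs --> off'

# Normalise "name --> value" lines (the getsebool -a format) to "name value".
parse_getsebool() {
    awk '$2 == "-->" { print $1, $3 }'
}

# Baseline file in $1, current "name value" lines on stdin. Prints one
# "name want have" line per mismatch, sorted. A baseline boolean that is absent
# from the current output is reported as "missing" rather than silently ignored
# (it usually means the policy module that defines it is not installed).
boolean_drift() {
    awk 'NR == FNR { want[$1] = $2; next }
         { have[$1] = $2 }
         END {
             for (b in want) {
                 if (!(b in have))            print b, want[b], "missing";
                 else if (have[b] != want[b]) print b, want[b], have[b];
             }
         }' "$1" - | sort
}

# Turn drift lines into the commands that fix them. -P stores the value in the
# policy store so it survives a reboot; without -P it is lost at the next boot.
drift_to_commands() {
    awk '$3 != "missing" { print "setsebool -P " $1 " " $2 }'
}

baseline_file=$(mktemp)
printf '%s\n' "$BASELINE" > "$baseline_file"

# Offline, against the constructed sample:
printf '%s\n' "$SAMPLE_GETSEBOOL" | parse_getsebool | boolean_drift "$baseline_file"
# Live (the generated commands need root):
#   getsebool -a | parse_getsebool | boolean_drift "$baseline_file" | drift_to_commands
```

Run the live pipeline from cron or a configuration-management check rather than once; a boolean flipped with ``setsebool`` but without ``-P`` is exactly the kind of change that disappears at reboot and goes unnoticed until an application breaks, or quietly stays on after someone "temporarily" enabled it.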
## SELinux Users
- ``semanage-user`` – SELinux Policy Management SELinux User mapping tool. It manages the SELinux users themselves (``user_u``, ``staff_u``, and so on); the ``semanage login`` subcommand used below maps Linux logins onto those SELinux users.
From [RedHat Docs]:
- Linux users in the ``user_t``, ``guest_t``, and ``xguest_t`` domains can only run set user ID (setuid) applications if SELinux policy permits it (for example, ``passwd``). These users cannot run the su and sudo setuid applications, and therefore cannot use these applications to become root.
- Linux users in the ``sysadm_t``, ``staff_t``, ``user_t``, and ``xguest_t`` domains can log in using the X Window System and a terminal.
- By default, Linux users in the ``guest_t`` and ``xguest_t`` domains cannot execute applications in their home directories or the ``/tmp`` directory, preventing them from executing applications, which inherit users' permissions, in directories they have write access to. This helps prevent flawed or malicious applications from modifying users' files.
- By default, Linux users in the ``staff_t`` and ``user_t`` domains can execute applications in their home directories and ``/tmp``. See [Section 6.6, "Booleans for Users Executing Applications"] for information about allowing and preventing users from executing applications in their home directories and ``/tmp``.
- The only network access Linux users in the ``xguest_t`` domain have is
To map the Linux login ``captkirk`` to the confined SELinux user ``user_u`` and then list all login mappings (the new mapping applies to sessions opened after the change, not to ones already running):
```bash
# semanage login -a -s user_u captkirk
# semanage login -l
```
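Added example (not from the original notes): a quick check of which Linux logins SELinux leaves unconfined, working on the format of ``semanage login -l``. The listing embedded below is constructed; ``captkirk`` is the page's example user and the other logins are assumptions. The ``__default__`` entry matters most, because it is the mapping every Linux user without an explicit entry receives.

```shell
#!/usr/bin/env bash
# Added example: report unconfined logins from "semanage login -l" output.
# SAMPLE_LOGINS is constructed; captkirk comes from the page, the rest are assumptions.

SAMPLE_LOGINS='                Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
captkirk             user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
webdev               staff_u              s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *'

# Print "login seuser" pairs from "semanage login -l" output on stdin,
# skipping the header line and blank lines.
login_mappings() {
    awk 'NF >= 2 && $1 != "Login" { print $1, $2 }'
}

# Logins (other than root) mapped to unconfined_u. If "__default__" shows up
# here, every ordinary account without its own entry runs unconfined.
unconfined_logins() {
    login_mappings | awk '$2 == "unconfined_u" && $1 != "root" { print $1 }'
}

# Given "login seuser" pairs on stdin and a login in $1, print the semanage
# command that confines that login to user_u: -m to modify an existing mapping,
# -a to add one. (Modifying __default__ changes what new accounts get.)
confine_cmd() {
    awk -v l="$1" '$1 == l { found = 1 }
        END { if (found) print "semanage login -m -s user_u " l;
              else       print "semanage login -a -s user_u " l }'
}

# Offline, on the constructed sample:
printf '%s\n' "$SAMPLE_LOGINS" | unconfined_logins
printf '%s\n' "$SAMPLE_LOGINS" | login_mappings | confine_cmd __default__
# Live:
#   semanage login -l | unconfined_logins
#   semanage login -l | login_mappings | confine_cmd __default__
```

Changing ``__default__`` to ``user_u`` is the usual first step towards confined users, but do it after giving the administrators their own ``staff_u`` or ``sysadm_u`` mappings; otherwise their next login lands in ``user_t``, where (as the Red Hat text above says) ``su`` and ``sudo`` no longer work.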
[RedHat Docs]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-targeted_policy-confined_and_unconfined_users
[Section 6.6, "Booleans for Users Executing Applications"]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications