# Notes on Network and Local Security

## Date: Fri Oct 26 2018

The documentation on various aspects of local and network security is extensive. This is just a brief overview of a few things to be aware of.

## Shutting down services

Be sure to monitor enabled services. To list all enabled services – that is, those services that are automatically started:

```bash
$ systemctl list-unit-files | grep enabled | less
# Or:
$ systemctl list-units
```

Imagine we want to be sure that bluetooth is disabled and not running:

```bash
$ systemctl status bluetooth.target
● bluetooth.target - Bluetooth
   Loaded: loaded (/lib/systemd/system/bluetooth.target; static; vendor preset: enabl
   Active: inactive (dead)
     Docs: man:systemd.special(7)
```

Good. It's not running. If it were running, then we could disable it like so:

```bash
$ sudo systemctl disable bluetooth.target
```
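As an added example (not part of the original notes), a small POSIX shell audit that reads `systemctl list-unit-files` output and reports every enabled unit that is not on an allowlist. Matching on the STATE column avoids the false hits a plain `grep enabled` gets from the "vendor preset" column; the allowlist and the sample output are constructed for offline use.

```bash
#!/bin/sh
# Audit: which units will systemd start automatically that we did not expect?
# Constructed allowlist for this example; adapt it to the host's role.
ALLOWED="sshd.service
rsyslog.service
crond.service
NetworkManager.service"

# Print the unit names whose STATE column (2nd field) is exactly "enabled".
# Reads `systemctl list-unit-files` output on stdin.
enabled_units() {
  awk '$2 == "enabled" { print $1 }'
}

# Print enabled units that are not in ALLOWED, one per line.
unexpected_enabled() {
  enabled_units | while read -r unit; do
    printf '%s\n' "$ALLOWED" | grep -qxF "$unit" || printf '%s\n' "$unit"
  done
}

# Constructed sample of `systemctl list-unit-files` output (not from a real host).
SAMPLE='UNIT FILE                  STATE    VENDOR PRESET
bluetooth.service          enabled  enabled
crond.service              enabled  enabled
cups.service               enabled  enabled
rsyslog.service            enabled  enabled
sshd.service               enabled  enabled
telnet.socket              disabled disabled

6 unit files listed.'

# Offline run against the sample; on a live host use:
#   systemctl list-unit-files | unexpected_enabled
printf '%s\n' "$SAMPLE" | unexpected_enabled
```

Each reported unit is a candidate for `systemctl disable --now <unit>` after confirming nothing on the host depends on it.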

## Remote logging

Logs are an important way to identify and understand how the machine is being used and what it is doing. Depending on the level of security you might need, you may want to send logs off site or off the server. ``rsyslogd`` is helpful here:

From the ``man`` page: ``rsyslogd`` – reliable and extended syslogd

As you may remember, the ``syslogd`` service logs messages from the kernel, applications, and other programs or services. ``rsyslogd`` extends ``syslogd`` in a number of ways, but one of the important extensions is remote logging – forwarding logs to a remote and perhaps more secure machine (that is, a machine that is not exposed to the internet).
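As an added example (not from the original notes), a shell helper that writes an ``rsyslog`` drop-in forwarding everything to a remote log host over TCP, plus a check that a given configuration forwards anywhere at all. The host name, port and output path are arguments; ``loghost.example.net`` in the usage comment is a placeholder.

```bash
#!/bin/sh
# Write an rsyslog drop-in that forwards all messages to a remote log host.
# Arguments: loghost [port] outfile (constructed example, not site config).
write_rsyslog_forward_conf() {
  loghost="$1"; port="${2:-514}"; out="$3"
  cat > "$out" <<EOF
# Forward every message to $loghost over TCP using the omfwd output module.
# The disk-assisted queue spools messages locally while the log host is
# unreachable and retries indefinitely, so an outage does not drop evidence.
*.* action(type="omfwd" target="$loghost" port="$port" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_$loghost"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
}

# Exit 0 if the rsyslog configuration on stdin forwards to a remote host,
# either with an omfwd action or the legacy "@host" (UDP) / "@@host" (TCP)
# selector form; commented-out lines do not count.
rsyslog_forwards_remotely() {
  grep -Eq '^[^#]*(type="omfwd"|@@?[A-Za-z0-9])'
}

# Usage on a real host (placeholder host name), then restart rsyslog:
#   write_rsyslog_forward_conf loghost.example.net 514 /etc/rsyslog.d/50-forward.conf
#   cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf | rsyslog_forwards_remotely \
#     && echo "remote forwarding configured"
```

Plain TCP on port 514 protects against loss but not against eavesdropping or tampering in transit; rsyslog's TLS stream driver covers that and is left out here.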

Visit */var/log/* and read the README file.

## SELinux

SELinux is a kernel security module (a Linux Security Module) that enforces mandatory access control policies.

From the ``man 8 selinux`` page: ``SELinux`` – NSA Security-Enhanced Linux

There are books on using SELinux. Briefly, we should know a few things – e.g., how SELinux interacts with various software and various users. When we install and configure, e.g., Apache2, we'll need to work with SELinux to allow Apache2 to do various things.

To start, check whether it is enabled:

```bash
$ cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
```

Alternatively:

```bash
$ getenforce
Enforcing
```

Additional info:

```bash
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
```

From the ``man 8 selinux`` page:

SELinux enabled values:

- enforcing: enables SELinux for auditing and forces access denials
- permissive: enables SELinux code for auditing only
- disabled: completely disables SELinux protection

SELinux type policy values:

- targeted: a policy where most user processes operate without restrictions, and only specific services are placed into distinct security domains that are confined by the policy
- mls (Multi-Level Security): a policy where all processes are partitioned into fine-grained security domains and confined by policy

See also:

- booleans(8)
- setsebool(8)
- sepolicy(8)
- system-config-selinux(8)
- togglesebool(8)
- fixfiles(8)
- restorecon(8)
- setfiles(8)
- semanage(8)
- seinfo(8)
- sesearch(8)

From the ``man 8 selinux`` page:

- All files, directories, devices […] have a security context/label associated with them.
- Every confined service on the system has a man page in the following format:

```
<servicename>_selinux(8)
```

For example, httpd has the ``httpd_selinux(8)`` man page. To see which SELinux man pages are available on our system:

```bash
$ man -k selinux
selinux (8)          - NSA Security-Enhanced Linux (SELinux)
audit2allow (1)      - generate SELinux policy allow/dontaudit rules from logs of …
… <truncated>
```

To view current policy settings:

```bash
# semanage boolean -l | less
# semanage boolean -l | grep "(on" | less
# semanage boolean -l | grep httpd
# getsebool httpd_enable_cgi
# setsebool httpd_enable_cgi off
# getsebool httpd_enable_cgi
# setsebool httpd_enable_cgi on
```

## SELinux Users

- ``semanage-user`` – SELinux Policy Management SELinux User mapping tool

From [RedHat Docs][1]:

- Linux users in the ``user_t``, ``guest_t``, and ``xguest_t`` domains can only run set user ID (setuid) applications if SELinux policy permits it (for example, ``passwd``). These users cannot run the su and sudo setuid applications, and therefore cannot use these applications to become root.
- Linux users in the ``sysadm_t``, ``staff_t``, ``user_t``, and ``xguest_t`` domains can log in using the X Window System and a terminal.
- By default, Linux users in the ``guest_t`` and ``xguest_t`` domains cannot execute applications in their home directories or the ``/tmp`` directory, preventing them from executing applications, which inherit users' permissions, in directories they have write access to. This helps prevent flawed or malicious applications from modifying users' files.
- By default, Linux users in the ``staff_t`` and ``user_t`` domains can execute applications in their home directories and ``/tmp``. See [Section 6.6, "Booleans for Users Executing Applications"][2] for information about allowing and preventing users from executing applications in their home directories and ``/tmp``.

- The only network access Linux users in the ``xguest_t`` domain have is Firefox connecting to web pages.

```bash
## see list of selinux users on system
# semanage user --list
## see mapping of logins to user roles
# semanage login -l
# exit
$ id -Z   # print security context
```

Let's check our user *captkirk*:

```bash
$ su captkirk
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ exit
```

Let's change *captkirk*'s SELinux user mapping from ``unconfined_u`` to ``user_u``:

```bash
# semanage login -a -s user_u captkirk
# semanage login -l
```
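As an added example (not from the original notes), a shell filter that reads ``semanage login -l`` output and lists the Linux logins still mapped to ``unconfined_u``, so the captkirk check above can be run for every account at once. ``__default__`` and root are skipped because they normally stay unconfined under the targeted policy; the sample output is constructed.

```bash
#!/bin/sh
# Report logins that SELinux maps to unconfined_u, i.e. accounts the targeted
# policy does not confine. Reads `semanage login -l` output on stdin.
# Columns: Login Name, SELinux User, MLS/MCS Range, Service (header + blank line).
unconfined_logins() {
  awk '$2 == "unconfined_u" && $1 != "__default__" && $1 != "root" { print $1 }'
}

# Constructed sample of `semanage login -l` output (not from a real host).
SAMPLE='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
captkirk             user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
spock                unconfined_u         s0-s0:c0.c1023       *'

# Offline run against the sample; on a live host (as root) use:
#   semanage login -l | unconfined_logins
printf '%s\n' "$SAMPLE" | unconfined_logins
```

Each login reported is a candidate for the same ``semanage login -a -s user_u <login>`` treatment given to captkirk (``-m`` instead of ``-a`` if the login already has an explicit mapping).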

[1]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-targeted_policy-confined_and_unconfined_users
[2]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications

linux/local-network-security.1548087814.txt.gz · Last modified: 2019/01/21 11:23 by seanburns