linux:local-network-security

Differences

This shows you the differences between two versions of the page.

linux:local-network-security [2019/01/21 11:24]
seanburns
— (current)
Line 1: Line 1:
-<markdown> 
-# Notes on Network and Local Security 
-## Date: Fri Oct 26 2018 
  
-The documentation on various aspects of local and network security is 
-extensive. This is just a brief overview of a few things to be aware of. 
- 
-## Shutting down services 
- 
-Be sure to monitor enabled services. To list all enabled services -- that is, 
-those services that are automatically started: 
- 
-```bash 
-$ systemctl list-unit-files | grep enabled | less  
-$ # comment: Or: 
-$ systemctl list-units 
-``` 
- 
-Imagine we want to be sure that bluetooth is disabled and not running: 
- 
-```bash 
-$ systemctl status bluetooth.target 
-● bluetooth.target - Bluetooth 
-   Loaded: loaded (/lib/systemd/system/bluetooth.target; static; vendor preset: enabl 
-   Active: inactive (dead) 
-     Docs: man:systemd.special(7) 
-``` 
- 
-Good. It's not running. If it were running, then we could disable it like so: 
- 
-```bash 
-$ sudo systemctl disable bluetooth.target 
-``` 
- 
-## Remote logging 
- 
-Logs are an important way to identify and understand how the machine is being 
-used and what it is doing. Depending on the level of security you might need, 
-you may want to send logs off site or off the server. ``rsyslogd`` is helpful 
-here: 
- 
-From the ``man`` page: ``rsyslogd`` -- reliable and extended syslogd 
- 
-As you may remember, the ``syslogd`` service is used to log kernel, 
-application, and other programs or services. ``rsyslogd`` extends ``syslogd`` 
-in a number of ways, but one of the important extensions is to allow remote 
-logging -- or forwarding logs to a remote and perhaps more secure machine (that 
-is, a machine that is not exposed to the internet).  
- 
-Visit */var/log/* and read the README file. 
- 
-## SELinux 
- 
-SELinux is a kernel module used to set policies for access controls. 
- 
-From ``man 8 selinux`` page: ``SELinux`` -- NSA Security-Enhances Linux 
- 
-There are books on using SELinux. Briefly, we should know a few things -- e.g., 
-how to know how SELinux works with various software and various users. When we 
-install and configure, e.g., Apache2, we'll need to work with SELinux to allow 
-Apache2 to do various things. 
- 
-To start and to check whether it is enabled: 
- 
-```bash 
-$ cat /etc/selinux/config 
-# This file controls the state of SELinux on the system. 
-# SELINUX= can take one of these three values: 
-#     enforcing - SELinux security policy is enforced. 
-#     permissive - SELinux prints warnings instead of enforcing. 
-#     disabled - No SELinux policy is loaded. 
-SELINUX=enforcing 
-# SELINUXTYPE= can take one of these three values: 
-#     targeted - Targeted processes are protected, 
-#     minimum - Modification of targeted policy. Only selected processes are protected.  
-#     mls - Multi Level Security protection. 
-SELINUXTYPE=targeted 
-``` 
- 
-Alternatively: 
- 
-```bash 
-$ getenforce 
-Enforcing 
-``` 
- 
-Additional info: 
- 
-```bash 
-$ sestatus 
-SELinux status:                 enabled 
-SELinuxfs mount:                /sys/fs/selinux 
-SELinux root directory:         /etc/selinux 
-Loaded policy name:             targeted 
-Current mode:                   enforcing 
-Mode from config file:          enforcing 
-Policy MLS status:              enabled 
-Policy deny_unknown status:     allowed 
-Memory protection checking:     actual (secure) 
-Max kernel policy version:      31 
-``` 
- 
-From the ``man 8 selinux`` page: 
- 
-SELinux enabled values: 
- 
-- enforcing: enables SELinux for auditing and forces access denials 
-- permissive: enables SELinux code for auditing only 
-- disabled: completely disables SELinux protection 
- 
-SELinux type policy values: 
- 
-- targeted: a policy where most user processes operate without restrictions, 
-  and only specific services are placed into distinct security domains that are 
-  confined by the policy  
-- mls (Multi-Level Security): a policy where all processes are partitioned into 
-  fine-grained security domains and confined by policy 
- 
-See also: 
- 
-- booleans(8) 
-- setsebool(8) 
-- sepolicy(8) 
-- system-config-selinux(8) 
-- togglesebool(8) 
-- fixfiles(8) 
-- restorecon(8) 
-- setfiles(8) 
-- semanage(8) 
-- seinfo(8) 
-- sesearch(8) 
- 
-From the ``man 8 selinux`` page: 
- 
-- All files, directories, devices [...] have a security context/label associated 
-  with them. 
-- Every confined service on the system has a man page in the following format: 
- 
-``` 
-<servicename>_selinux(8) 
-``` 
- 
-For example, httpd has the ``httpd_selinux(8)`` man page. To see what's active 
-on our systems, then we: 
- 
-```bash 
-$ man -k selinux 
-selinux (8)          - NSA Security-Enhanced Linux (SELinux) 
-audit2allow (1)      - generate SELinux policy allow/dontaudit rules from logs of ... 
-... <truncated> 
-``` 
- 
-To view current policy settings: 
- 
-```bash 
-# semanage boolean -l | less 
-# semanage boolean -l | grep "(on" less 
-# semanage boolean -l | grep httpd 
-# getsebool httpd_enable_cgi 
-# setsebool httd_enable_cgi off 
-# getsebool httpd_enable_cgi 
-# setsebool httd_enable_cgi on 
-``` 
- 
-## SELinux Users 
- 
-- ``semanage-user`` -- SELinux Policy Management SELinux User mapping tool 
- 
-From [RedHat Docs][1]: 
- 
-- Linux users in the ``user_t``, ``guest_t``, and ``xguest_t`` domains can only 
-  run set user ID (setuid) applications if SELinux policy permits it (for 
-  example, ``passwd``). These users cannot run the su and sudo setuid 
-  applications, and therefore cannot use these applications to become root.  
-- Linux users in the ``sysadm_t``, ``staff_t``, ``user_t``, and ``xguest_t`` 
-  domains can log in using the X Window System and a terminal.  
-- By default, Linux users in the ``guest_t`` and ``xguest_t`` domains cannot 
-  execute applications in their home directories or the ``/tmp`` directory, 
-  preventing them from executing applications, which inherit users' 
-  permissions, in directories they have write access to. This helps prevent 
-  flawed or malicious applications from modifying users' files.  
-- By default, Linux users in the ``staff_t`` and ``user_t`` domains can execute 
-  applications in their home directories and ``/tmp``. See [Section 6.6, 
-  "Booleans for Users Executing Applications"][2] for information about 
-  allowing and preventing users from executing applications in their home 
-  directories and ``/tmp``.  
-- The only network access Linux users in the ``xguest_t`` domain have is 
-  **Firefox** connecting to web pages. 
- 
-```bash 
-## comment: see list of selinux users on system 
-# semanage user --list 
-## comment: see mapping of logins to user roles 
-# semanage login -l 
-# exit 
-$ id -Z         # comment: print security context 
-``` 
- 
-Let's check our user *captkirk*: 
- 
-```bash 
-$ su captkirk 
-$ id -Z 
-unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
-$ exit 
-``` 
- 
-Let's change *captkirk*'s SELinux role to **user_u** from **unconfined_u**: 
- 
-```bash 
-# semanage login -a -s user_u captkirk 
-# semanage login -l 
-``` 
- 
-[1]:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-targeted_policy-confined_and_unconfined_users 
-[2]:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications  
-</markdown> 
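Review bot: this hunk deletes the whole page with no replacement, and if the notes are ever restored several commands in the removed text are wrong as written. The `setsebool httd_enable_cgi off` and `setsebool httd_enable_cgi on` lines misspell the boolean (`httd` for `httpd`; compare the adjacent `getsebool httpd_enable_cgi`), so they would fail against a non-existent boolean. `semanage boolean -l | grep "(on" less` is missing the pipe before `less`, so `less` is passed to grep as a filename. The bluetooth example runs `sudo systemctl disable bluetooth.target`, but the `systemctl status` output just above it shows that unit as `static`, which `systemctl disable` cannot act on; the unit to stop or mask to keep the stack from starting is the service unit (`bluetooth.service`). Minor: `NSA Security-Enhances Linux` should read `Security-Enhanced`, matching the later `man -k selinux` output, and the `semanage login -a -s user_u captkirk` step should note that the new mapping only takes effect at the user's next login, so the `id -Z` check has to be repeated after logging in again.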
linux/local-network-security.1548087842.txt.gz · Last modified: 2019/01/21 11:24 by seanburns