Revision of linux:local-network-security [2019/01/21 11:24] by seanburns; the current version of the page is empty.

# Notes on Network and Local Security

## Date: Fri Oct 26 2018

The documentation on various aspects of local and network security is
extensive. This is just a brief overview of a few things to be aware of.

## Shutting down services

Be sure to monitor enabled services. To list all enabled services -- that is,
those services that are automatically started at boot:

```bash
$ systemctl list-unit-files | grep enabled | less
# comment: Or, to list the units that are currently loaded (not only those enabled at boot):
$ systemctl list-units
```

Imagine we want to be sure that bluetooth is disabled and not running:

```bash
$ systemctl status bluetooth.target
● bluetooth.target - Bluetooth


Docs: man:
```

Good. It's not running. If it were running, then we could disable it like so
(``disable`` only removes the unit from the boot sequence; an instance that is
already running also needs ``systemctl stop``):

```bash
$ sudo systemctl disable bluetooth.target
```

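Checking the enabled list by eye works for one machine; for a fleet it is worth scripting the comparison against the set of units you expect. The script below is an added example, not part of the original notes: the allowlist and the unit-file listing are both constructed for the example so it runs offline, and the comment shows the real ``systemctl`` invocation that would replace the constructed listing on a live host.

```shell
#!/bin/sh
# Added example (not from the original notes): audit enabled systemd units
# against an allowlist. ALLOWED and SAMPLE_LISTING are constructed for this
# example.

# Units we expect to be enabled on this host (constructed allowlist).
ALLOWED="sshd.service
rsyslog.service
chronyd.service
multi-user.target"

# Sample output in the shape of `systemctl list-unit-files`, constructed so the
# check runs offline. On a real host feed the function with:
#   systemctl list-unit-files --state=enabled --no-legend | unexpected_enabled
SAMPLE_LISTING="UNIT FILE                STATE    VENDOR PRESET
sshd.service             enabled  enabled
rsyslog.service          enabled  enabled
bluetooth.service        enabled  enabled
chronyd.service          enabled  enabled
cups.service             disabled enabled
multi-user.target        enabled  enabled
bluetooth.target         enabled  enabled

7 unit files listed."

# unexpected_enabled: read a unit-file listing on stdin and print every unit
# whose STATE column is "enabled" but which is not in $ALLOWED.
unexpected_enabled() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "enabled" && !($1 in ok) { print $1 }
    '
}

# audit_units: exit status 1 when any unexpected unit is enabled, so the check
# can run from cron or a configuration-management hook.
audit_units() {
    found=$(unexpected_enabled)
    if [ -n "$found" ]; then
        printf 'Unexpected enabled units:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Run the check against the constructed listing; the two bluetooth units are
# reported because they are enabled but not on the allowlist.
if printf '%s\n' "$SAMPLE_LISTING" | audit_units; then
    echo "all enabled units are on the allowlist"
fi
```

The allowlist is deliberately small: anything enabled that you did not put there is either a new dependency you should know about or something to disable, and either way it deserves a look rather than silent acceptance.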
## Remote logging

Logs are an important way to identify and understand how the machine is being
used and what it is doing. Depending on the level of security you might need,
you may want to send logs off site or off the server. ``rsyslogd`` is helpful
here:

From the ``man`` page: ``rsyslogd`` -- reliable and extended syslogd

As you may remember, the ``syslogd`` service is used to log kernel,
application,
in a number of ways, but one of the important extensions is to allow remote
logging -- or forwarding logs to a remote and perhaps more secure machine (that
is, a machine that is not exposed to the internet).

Visit */var/log/* and read the README file.

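How the logs travel matters as much as where they go: rsyslog's legacy ``@host`` syntax and an ``omfwd`` action without a ``protocol`` setting both forward over plain UDP, which drops records under load and accepts anything with a forged source address, so the collector cannot trust what it receives. The script below is an added example, not from the original notes: it reads an rsyslog configuration on stdin, labels each forwarding rule with the transport it would use, and counts the UDP ones. The sample configuration is constructed for the example, and its addresses come from the 192.0.2.0/24 documentation range.

```shell
#!/bin/sh
# Added example (not part of the original notes): inspect an rsyslog
# configuration for log-forwarding rules and report which ones use UDP.
# SAMPLE_CONF is constructed for this example.

SAMPLE_CONF='# constructed /etc/rsyslog.d/90-forward.conf
*.*  @192.0.2.10:514
authpriv.*  @@192.0.2.10:514
action(type="omfwd" target="192.0.2.11" port="6514" protocol="tcp")
action(type="omfwd" target="192.0.2.12" port="514")
# *.* @@commented.example:514'

# forwarding_rules: read rsyslog config on stdin and print one line per
# forwarding rule as "<proto> <rule>". Understands the legacy @host (UDP)
# and @@host (TCP) forms and action(type="omfwd" ...), whose protocol
# defaults to udp when the attribute is omitted.
forwarding_rules() {
    awk '
        /^[ \t]*#/ { next }                               # skip comments
        /^[ \t]*[^ \t]+[ \t]+@@/ { print "tcp", $0; next } # legacy TCP form
        /^[ \t]*[^ \t]+[ \t]+@[^@]/ { print "udp", $0; next } # legacy UDP form
        /type="omfwd"/ {
            proto = "udp"                                 # omfwd default
            if (match($0, /protocol="[^"]*"/)) {
                proto = substr($0, RSTART + 10, RLENGTH - 11)
            }
            print proto, $0
        }
    '
}

# udp_forwarding_count: how many rules would ship logs over plain UDP.
# Prints 0 (rather than failing) when there are none.
udp_forwarding_count() {
    forwarding_rules | grep -c '^udp ' || true
}

printf '%s\n' "$SAMPLE_CONF" | forwarding_rules
printf '%s\n' "$SAMPLE_CONF" | udp_forwarding_count
```

On a real host run ``forwarding_rules < /etc/rsyslog.conf`` and over each file in ``/etc/rsyslog.d/``. Rules flagged ``udp`` should move to TCP, and between hosts on anything but an isolated management network, to TCP with TLS, so the collector gets every record and can tell which machine sent it.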
## SELinux

SELinux is a kernel security module used to define and enforce mandatory
access control policies.

From the ``man 8 selinux`` page: ``SELinux`` -- NSA Security-Enhanced Linux

There are books on using SELinux. Briefly, we should know a few things -- e.g.,
how SELinux interacts with various software and various users. When we
install and configure, e.g., Apache2, we'll need to work with SELinux to allow
Apache2 to do various things.

To start, check whether it is enabled by reading the SELinux configuration
file:

```bash
$ cat /
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#
#
#
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#
#
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
```

Alternatively:

```bash
$ getenforce
Enforcing
```

Additional info:

```bash
$ sestatus
SELinux status:
SELinuxfs mount:
SELinux root directory:
Loaded policy name:
Current mode:
Mode from config file: enforcing
Policy MLS status:
Policy deny_unknown status:
Memory protection checking:
Max kernel policy version:
```

From the ``man 8 selinux`` page:

SELinux enabled values:

- enforcing: enables SELinux for auditing and forces access denials
- permissive: enables SELinux code for auditing only
- disabled: completely disables SELinux protection

SELinux type policy values:

- targeted: a policy where most user processes operate without restrictions,
  and only specific services are placed into distinct security domains that are
  confined by the policy
- mls (Multi-Level Security): a policy where all processes are partitioned into
  fine-grained security domains and confined by policy

See also:

- booleans(8)
- setsebool(8)
- sepolicy(8)
- system-config-selinux(8)
- togglesebool(8)
- fixfiles(8)
- restorecon(8)
- setfiles(8)
- semanage(8)
- seinfo(8)
- sesearch(8)

From the ``man 8 selinux`` page:

- All files, directories,
  with them.
- Every confined service on the system has a man page in the following format:

```
<
```

For example, httpd has the ``httpd_selinux(8)`` man page. To see which SELinux
man pages are available on our system:

```bash
$ man -k selinux
selinux (8) - NSA Security-Enhanced Linux (SELinux)
audit2allow (1) - generate SELinux policy allow/
... <
```

To view and change current boolean settings (``setsebool`` without ``-P``
changes the value only until the next reboot):

```bash
# semanage boolean -l | less
# semanage boolean -l | grep "
# semanage boolean -l | grep httpd
# getsebool httpd_enable_cgi
# setsebool httpd_enable_cgi off
# getsebool httpd_enable_cgi
# setsebool httpd_enable_cgi on
```

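Before flipping a boolean to make Apache2 "work", it pays to find out what SELinux is actually denying: the AVC records in the audit log name the source domain, the target type, the object class and the permission, and ``permissive=1`` marks an access that was logged but not blocked. The script below is an added example, not from the original notes: it summarises AVC records read from stdin so you can see whether the right fix is a boolean, a file context (``restorecon``/``semanage fcontext``), or a policy module. The four log lines are constructed for the example; on a real host they would come from ``ausearch -m AVC``.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise SELinux AVC denials.
# SAMPLE_AVC is constructed for this example (four audit records: two file
# reads and one TCP connect denied to httpd, one write by rsyslogd that was
# only logged because that domain was permissive).

SAMPLE_AVC='type=AVC msg=audit(1540569601.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=4101 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1540569602.102:202): avc:  denied  { read } for  pid=2101 comm="httpd" name="style.css" dev="dm-0" ino=4102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1540569603.103:203): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1540569604.104:204): avc:  denied  { write } for  pid=3001 comm="rsyslogd" name="messages" dev="dm-0" ino=5001 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1'

# avc_summary: read AVC records on stdin and print one line per distinct
# (source type, target type, class, permission) as
#   "<count> <src> -> <tgt> <class> { <perm> } <enforced|permissive>"
# with the most frequent denial first.
avc_summary() {
    awk '
        /avc: +denied/ {
            perm = ""; src = ""; tgt = ""; cls = ""; mode = "enforced"
            # the permission set appears as "{ read }" or "{ name_connect }"
            if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                # contexts are user:role:type:level; the type is what policy keys on
                if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
                else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
                else if (kv[1] == "tclass") cls = kv[2]
                else if (kv[1] == "permissive" && kv[2] == "1") mode = "permissive"
            }
            key = src " -> " tgt " " cls " { " perm " } " mode
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

Reading the summary for the constructed sample: ``httpd_t`` reading ``user_home_t`` files is the classic "content served from a home directory" case, answered by relabelling the content or the ``httpd_enable_homedirs`` boolean rather than by turning enforcement off, and ``httpd_t`` connecting to ``postgresql_port_t`` is exactly what ``httpd_can_network_connect_db`` governs. ``audit2allow`` (seen in the ``man -k`` output above) will happily turn any of these lines into allow rules, which is why looking at the summary first matters: a denial you did not expect may be the policy doing its job.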
## SELinux Users

- ``semanage-user`` -- SELinux Policy Management SELinux User mapping tool

From [RedHat Docs][1]:

- Linux users in the ``user_t``, ``guest_t``,
  run set user ID (setuid) applications if SELinux policy permits it (for
  example, ``passwd``). These users cannot run the su and sudo setuid
  applications,
- Linux users in the ``sysadm_t``,
  domains can log in using the X Window System and a terminal.
- By default, Linux users in the ``guest_t`` and ``xguest_t`` domains cannot
  execute applications in their home directories or the ``/tmp`` directory,
  preventing them from executing applications,
  permissions,
  flawed or malicious applications from modifying users' files.
- By default, Linux users in the ``staff_t`` and ``user_t`` domains can execute
  applications in their home directories and ``/tmp``. See [Section 6.6,
  "
  allowing and preventing users from executing applications in their home
  directories and ``/
- The only network access Linux users in the ``xguest_t`` domain have is
  **Firefox** connecting to web pages.

```bash
## comment: see list of selinux users on system
# semanage user --list
## comment: see mapping of logins to user roles
# semanage login -l
# exit
$ id -Z # comment: print security context
```

Let's check our user *captkirk*:

```bash
$ su captkirk
$ id -Z
unconfined_u:
$ exit
```

Let's change *captkirk*'

```bash
# semanage login -a -s user_u captkirk
# semanage login -l
```

[1]:
[2]: