
Installing Linux

Objectives
After completing this unit, you should be able to:
Install a Linux distribution using installation CDs or over a network
Understand a Red Hat kickstart file and have a basic grasp of its syntax
Understand the importance of different partitioning strategies
Be able to choose a purpose for a new system and install only what's necessary
Know how to update software on your system
Perform some post-installation hardening
Perform system baselining

Starting Off Secure


When considering methods to secure a system, installation is where it should all begin. Preparing and installing a system securely helps to ensure:

That it will not be compromised before you can update it.
That you won't have to worry about your installation choices further down the line.
That your data will be as secure as possible from the lowest level of the system to the highest.

Why Consider Security During Installation?


Installation is usually not the time when people worry about security. A little planning during installation, however, can make it easier to enforce certain policies, maintain system availability, and provide for system expandability later. There have been documented cases of a system being compromised immediately after installation. Installation also gives you a chance to define a specific role for the system. You can't have a solid building without a solid foundation; the same concept applies to your organization's systems.

Benefits and Drawbacks of Installation Security


Benefits
Reduces risks
Prepares the system for maintainability and upgradability
Allows the system to scale more easily
With a good installation base, you can make a kickstart configuration file that makes installation easier on other machines

Drawbacks
Takes more time
Some partitions can fill up much more quickly than others, causing you to have to upgrade storage sooner
Requires a more intimate knowledge of the installation process for your distribution of choice

Installation Concepts

Planning
Before you install a system, be sure you have put some thought into the following things:
What will this system be used for?
How should you partition it for its role?
What file systems will you use on those partitions?
How will you be installing?
Should a root password be decided upon ahead of time, based upon your organization's password policies?
Are there any known out-of-box vulnerabilities with the distribution and release you are installing?

System Purpose and Partitioning


A system's intended purpose or function in your organization defines what software should be installed from the distribution. Only install what is needed, nothing more.
The structure used for partitioning relates directly to the system's role. Allot space to a particular partition (and mount point) depending on what it is used for.
How much swap space will the system need?
All of this information will be used when deploying the system.

Installation Methods (1 of 2)
Three choices for most distributions:
CD-ROM or DVD-ROM
  Simple
  Effective
  Well-supported
  Works on machines with no floppy drive
Network (NFS, HTTP, FTP, and so on)
  Centralized
  No media to carry around or keep track of
  Can be faster
  No swapping CDs

Installation Methods (2 of 2)
Hard drive
  Provided mostly for compatibility reasons for systems that can't install from CD-ROM
  Uses ISO images that are both easy to move between servers (only one file per CD) as well as usable for burning new CDs

Kickstart
An automated installation method available in Red Hat Linux. The kickstart configuration file is on a floppy or CD. After installation (beginning with release 7.2), a file called anaconda-ks.cfg is created in the root user's home directory. This is a kickstart file containing the parameters of the current installation. The only things that need cleaning up are the clearpart lines and the part lines. Make a boot floppy using the images on the Red Hat Linux CD and copy your kickstart configuration file to the floppy with the name ks.cfg. When booting off of a boot floppy with a ks.cfg file, type linux ks=floppy at the boot prompt.
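The cleanup step just described, as an added shell example that is not part of the course or of Red Hat's tools: it takes the anaconda-ks.cfg an installation left behind, strips its clearpart and part lines (including commented-out ones), and inserts a partition layout chosen for the new machine's role, keeping the rest of the file (language, authentication, root password, %packages) untouched. The role names, mount points and sizes are constructed examples, as is the idea of separating /var and /var/log so a filling spool or log directory cannot exhaust the root file system.

```shell
#!/bin/sh
# Added example, not part of the course: rebuild a kickstart file from the
# anaconda-ks.cfg that the installer leaves in /root, replacing its clearpart
# and part lines with a partition layout chosen for the new system's role.
# Role names, mount points and sizes below are constructed examples.

# partition_layout ROLE: print the clearpart/part directives for ROLE.
# Separate /var and /var/log keep logs or spools from filling the root
# file system; sizes are in megabytes.
partition_layout() {
    case "$1" in
        webserver)
            cat <<'EOF'
clearpart --all --initlabel
part /boot --fstype ext3 --size 100
part swap --size 1024
part / --fstype ext3 --size 2048
part /var --fstype ext3 --size 4096
part /var/log --fstype ext3 --size 1024
part /home --fstype ext3 --size 512
EOF
            ;;
        fileserver)
            cat <<'EOF'
clearpart --all --initlabel
part /boot --fstype ext3 --size 100
part swap --size 1024
part / --fstype ext3 --size 2048
part /var --fstype ext3 --size 1024
part /home --fstype ext3 --size 1 --grow
EOF
            ;;
        *)
            echo "partition_layout: unknown role '$1'" >&2
            return 1
            ;;
    esac
}

# make_ks SRC ROLE: copy SRC to stdout, dropping every clearpart/part line
# (commented-out ones included) and inserting the layout for ROLE before the
# first %section, so the partition commands stay in the command section.
make_ks() {
    layout=$(partition_layout "$2") || return 1
    awk -v layout="$layout" '
        /^[[:space:]]*#?[[:space:]]*(clearpart|part|partition)[[:space:]]/ { next }
        /^%/ && !done { print layout; done = 1 }
        { print }
        END { if (!done) print layout }
    ' "$1"
}

# Usage: make_ks /root/anaconda-ks.cfg webserver > /mnt/floppy/ks.cfg
```

The generated ks.cfg is copied to the boot floppy under that name and selected with linux ks=floppy at the boot prompt, exactly as the slide describes; review the layout against the role before the first unattended install, since clearpart --all wipes every disk it sees.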

Installation Process
During the installation, you will have to address the following topics:
Creating the partition layout and choosing the file systems for those partitions
Choosing and entering the root password
Configuring authentication methods
Selecting the packages you wish to install

Partitioning and File Systems


For each partition that you create, you need to select a file system for it. Different distributions support different file systems. For example, Red Hat Linux 8.0 supports:
ext2
ext3
ReiserFS
JFS
For swap partitions, you will usually want at least twice the system's installed physical memory.

Passwords
During installation, you are asked to choose a root password. Make sure the password you enter meets your organization's password policies. While it can be changed later, if you enter a good password now you will not have to worry about taking care of it after installation. Before package group selection, you were given the opportunity to select a boot loader (either GRUB or LILO) password. Whether or not you are using a boot loader password depends on your organization's policy on such things.

Configuring Authentication Methods


MD5 passwords
Shadow passwords
NIS
LDAP
Kerberos 5
SMB

Packages (1 of 2)
Most distributions come with many package groups (listed in your student notes). You can either install or not install the whole group, or you can select individual packages from the groups. In general, a multiuser server will not need the following package groups (exact names may vary):

X Window System
GNOME Desktop Environment
KDE Desktop Environment
Graphical Internet

Packages (2 of 2)
In general, a multiuser server will not need the following package groups (exact names may vary):

Office/Productivity
Sound and Video
Graphics
Games and Entertainment
X Software Development
GNOME Software Development
KDE Software Development

Updating
Every operating system and every piece of software has bugs and security flaws. One of the advantages of Open Source is that anyone can fix these holes and can (or even must) provide the fix to the community. Vendors that release distributions (Red Hat, SuSE, SCO, and so on) take these updated and patched pieces of software and repackage them to distribute to their customers through the appropriate channels. Vendors also put rigorous testing into the packages they release. Vendors stand behind their security fixes and package updates.

Where to Go for Updates


Here are some URLs for various vendor update sites:
Red Hat: http://www.redhat.com/apps/support/errata/
SuSE: http://support.suse.de/psdb/
SCO (formerly Caldera): http://www.sco.com/support/updates/ and http://www.sco.com/support/security/index.html#OpenLinux
TurboLinux: http://www.turbolinux.com/support/

What to Look for (1 of 2)


In general, using an automated update tool such as Red Hat's Update Agent (with a Red Hat Network subscription) or SuSE's YaST Online Update (YOU) makes the job of staying current much easier on the package and software management side. Checking FTP and Web sites manually means you must know what you currently have, what you need, and how to upgrade it.

What to Look for (2 of 2)


Some common RPM commands for managing packages are:

rpm -i package - Install package
rpm -e package - Uninstall package
rpm -qa - Generate a list of all installed packages
rpm -qi package - Get info on package
rpm -K package - Check package's GPG signature

Naming scheme: name-version-release.architecture.rpm
name - Package name
version - Version of the software this package includes
release - Package release; a version number for packages
architecture - What system it's intended for


Vendor versus Author


One common occurrence in the Linux community is that a critical fix will often come out mere hours after a vulnerability was discovered. When this occurs, you must:
Evaluate whether or not the vulnerability would or could affect you.
If the threat is high, download the new software or patch and build it by hand.
If the threat is minor, you can simply wait for the vendor to provide their package.
One other option to those listed above is to look on mailing lists or Web sites for workarounds.

How to Upgrade
If you are using an automated upgrading tool such as Red Hat's Update Agent or SuSE's YOU, or a third-party solution, refer to that tool's documentation for instructions on its use. If you are upgrading by hand, here is what you need to know:

rpm -U - Upgrades the package if an earlier version is already installed, or installs the package if no earlier version is found.
rpm -F - Upgrades the package if an earlier version is already installed, or does nothing if no earlier version is installed.
For all packages except kernel binary packages, you can safely install them using either of the two RPM commands above. Kernel binary packages (kernel-version-release.arch.rpm) are a special case; they must be installed using the rpm -i syntax, not the rpm -U or rpm -F syntax.
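The naming scheme from "What to Look for" and the kernel rule above, worked through in an added shell example that is not part of the course: one function takes a file name apart into name, version, release and architecture (working from the right, because the package name itself may contain dashes), and a second emits the rpm command the rules call for, with the -K signature check in front. The package names and version numbers in the comments and tests are constructed samples, and treating kernel-source, kernel-doc, kernel-utils and kernel-headers as non-binary kernel packages is an assumption about the distribution's package naming.

```shell
#!/bin/sh
# Added example, not part of the course: take apart an RPM file name according
# to the name-version-release.architecture.rpm scheme, and emit the rpm
# command the "How to Upgrade" rules call for. Package names used in the
# comments and tests are constructed samples.

# rpm_fields FILE: print "name version release architecture" for FILE, or
# fail if the name does not follow the scheme. Works from right to left
# because the package name itself may contain dashes (kernel-smp, openssh-server).
rpm_fields() {
    f=$(basename "$1" .rpm)
    arch=${f##*.}            # text after the last dot
    nvr=${f%.*}              # name-version-release
    case "$nvr" in
        *-*-*) ;;
        *) echo "rpm_fields: '$1' is not name-version-release.arch.rpm" >&2; return 1 ;;
    esac
    release=${nvr##*-}       # after the last dash
    nv=${nvr%-*}             # name-version
    version=${nv##*-}
    name=${nv%-*}
    printf '%s %s %s %s\n' "$name" "$version" "$release" "$arch"
}

# rpm_upgrade_cmd FILE [freshen]: print the command line to run for FILE.
# Kernel binary packages are installed alongside the running kernel with -i,
# so the old kernel stays bootable. kernel-source, kernel-doc, kernel-utils and
# kernel-headers (assumed non-binary kernel packages) and everything else use
# -U, or -F when only packages that are already installed should be touched.
# The package signature is checked with -K first, as the RPM command list recommends.
rpm_upgrade_cmd() {
    fields=$(rpm_fields "$1") || return 1
    name=${fields%% *}
    verb=-U
    if [ "$2" = freshen ]; then
        verb=-F
    fi
    case "$name" in
        kernel-source|kernel-doc|kernel-utils|kernel-headers) ;;
        kernel|kernel-*) verb=-i ;;
    esac
    printf 'rpm -K %s && rpm %s %s\n' "$1" "$verb" "$1"
}

# Usage: for f in /var/tmp/updates/*.rpm; do rpm_upgrade_cmd "$f"; done
```

Running the printed commands (rather than building them into the function) keeps the decision auditable: an administrator can review which packages would be freshened, which upgraded and which installed side by side before anything touches the system.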

Hardening
Hardening a system reduces the chance that someone can gain unauthorized privileges higher than what they should have. While you can harden the system manually, we only cover that conceptually in this course. We go into greater depth on the use of the automatic system hardening tool Bastille.

Identification and Authentication


Hardening of these two subsystems prevents:

The ability to pose as another person
The ability to gain access to another person's account

The main components involved are:

PAM
/etc/passwd and /etc/shadow
/bin/login


Access Control and Authorization


Hardening these two subsystems prevents:

The ability to access resources belonging to someone else
Circumventing of security measures designed to prevent harm to the system
The ability to access resources outside of your scope

The main components involved are:

File system permissions
PAM
ACL tools and subsystems
Various kernel extensions


Availability and System Integrity


Hardening for availability reduces the likelihood of, or even prevents, a successful denial of service attack. The main components involved are:

Partitioning
Disk quotas
Kernel tuning
Hardware configuration

Hardening for system integrity prevents important system services from being compromised and modified. The main components involved are:

Permissions and privileges
File systems
Active vigilance in monitoring

Auditing and Intrusion Detection


Hardening for auditing protects your log files, log monitors, and other system monitoring systems. The main components involved are:

Log files in /var/log
Log monitoring tools
Effective policies for log management and archiving

Preparation and hardening for the possibility of an intrusion typically involves installing some intrusion detection and/or log monitoring software. The main components involved depend entirely on log monitoring and intrusion detection software you use.

Kernel Hardening
Kernel hardening is the process of adding additional functionality to the kernel (typically through source patches) to make kernel-based security flaws or exploits more difficult to take advantage of. The three kernel hardening packages covered in this course are:

LIDS - Patch-based kernel hardening system
rsbac - Access control framework for hardening systems
selinux - A secure distribution created by the United States' National Security Agency

Common features:

Mandatory Access Control
File protection
Process protection
ACL controls

Host Intrusion Tools


This course covers the following intrusion detection systems:

Samhain - File integrity and intrusion monitoring
Provides file integrity monitoring, kernel module protection, centralized monitoring, and other features.

AIDE - Advanced Intrusion Detection Environment
Provides very advanced file integrity monitoring.

We also go over the following log monitors:

Swatch
A real-time log monitoring system, allowing you to choose specific log data you wish to see.

logwatch
A customizable log analysis system, which parses system logs and reports any information you specify.

Other tools:
TARA; Tiger; COPS; CIS

Bastille
Very powerful automated system hardening tool. Freely available.

Supports:
Red Hat Linux
Linux Mandrake
Debian GNU/Linux

Walks you through the process of securing your system with either an X Window GUI or console text mode interface. Handles most common system hardening tasks automatically, requiring you to simply answer questions.

System Baselining (1 of 2)
Baselining involves taking a snapshot of your system's settings in a configuration known to be valid and watching the deviation from these settings over time. Watching how the settings change over time can alert you to potential problems. It is also useful for making sure other administrators aren't reconfiguring servers without going through the proper channels.

System Baselining (2 of 2)
There are several ways to manually capture data about a properly configured system, including:

rpm -qa - Gathers information about installed packages
rpm -Va - Verifies packages and their MD5 sums, file modification times, and other file properties
The /proc file system contains lots of useful information about hardware, among other things.

Automated solutions, such as Tripwire, AIDE, FTimes, or FCheck, can make this task much easier.

Configuration Capturing
Making a snapshot of a machine's configuration so that it can be compared to future configurations to see the differences.
Depending on the tools used, output may be plain text files or a proprietary binary format.
Don't store the snapshots on the system you're capturing, as a crafty infiltrator can easily modify or delete these files.
Establish a policy regarding how snapshots will be taken, when they will be taken, where they will be stored, and how they will be stored.
Start with systems that you know are clean; freshly installed systems are best.

Monitoring
Once a policy for snapshot frequency has been determined, automated snapshots can be taken fairly easily. Comparing the latest snapshot to the previous snapshot gives you an idea of what changed. A chain of snapshots gives you a moving picture of the system's state. Anything that is not expected, such as something that has never changed before suddenly changing, or vice versa, should be immediately investigated. Depending on the tool or tools you use, there may be a lot of "false positives" that can be overlooked.
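The capture-and-compare cycle from the three baselining slides above (manual capture with rpm -qa, configuration capturing, monitoring), as an added shell example that is not from the course and is not one of the tools it names (Tripwire, AIDE, FTimes, FCheck). A snapshot is a sorted plain-text file of "key value" lines, either package name and version or relative file path and SHA-256 digest, so it can be kept off the host and diffed with ordinary tools; compare_snapshots reports what was added, removed or changed between two of them. The snapshot paths in the usage comment and the files built in the test are constructed examples.

```shell
#!/bin/sh
# Added example, not part of the course: a small configuration-capture and
# comparison routine of the kind the baselining slides describe. A snapshot is
# a sorted "key value" text file: package name -> version, or relative file
# path -> SHA-256 digest. Two snapshots are compared to list what was added,
# removed or changed. Snapshot files are assumed to live off the audited host.

# digest FILE: SHA-256 in "hash  path" form; shasum is the fallback on
# systems without coreutils sha256sum.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# capture_packages OUT: "name version-release.arch" per installed package.
# Relies on rpm; not exercised by the test.
capture_packages() {
    rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}.%{ARCH}\n' | LC_ALL=C sort > "$1"
}

# capture_tree DIR OUT: "relative-path digest" for every regular file under
# DIR (a configuration tree such as /etc). Paths are relative so snapshots
# from identically built hosts can be compared with each other.
capture_tree() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r p; do
        digest "$p" | awk '{ print $2, $1 }'
    done) > "$2"
}

# compare_snapshots OLD NEW: print "added KEY", "removed KEY" or "changed KEY"
# for every key whose value differs, sorted. OLD and NEW must be two distinct
# files. Keys containing spaces are not supported, which is acceptable for
# package names and nearly all of /etc.
compare_snapshots() {
    awk '
        FILENAME == ARGV[1] { old[$1] = $2; next }
        { new[$1] = $2 }
        END {
            for (k in new) if (!(k in old)) print "added " k
            for (k in old) if (!(k in new)) print "removed " k
            for (k in new) if ((k in old) && old[k] != new[k]) print "changed " k
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# Usage (snapshot directory on removable or remote storage, never on the host):
#   capture_packages /mnt/baselines/host1/pkg.$(date +%Y%m%d)
#   capture_tree /etc /mnt/baselines/host1/etc.$(date +%Y%m%d)
#   compare_snapshots /mnt/baselines/host1/etc.20030101 /mnt/baselines/host1/etc.20030201
```

Comparing each new snapshot against the previous one gives the "what changed" list the Monitoring slide asks for; keeping the whole chain of dated files gives the moving picture, and any change that nobody announced beforehand is the signal to investigate.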

Baselining Strategies
Beware of automated filters.
Know your systems.
Know your capturing methods.
Communicate all intentional changes to all administrators before touching anything. Depending on your organization's policy, you may need to wait for some or all of their approval first.
An organized directory structure and/or file naming convention for all of your captured data can make locating and identifying times when specific changes occurred much easier.
Every step of capturing data should be well documented so that new administrators will be able to have data from their systems match the rest of the organization's data.

Checkpoint
1. Why is it important to have a good security plan in mind before starting with a system?
2. True or false: The purpose behind partitioning a server for its purpose is so that it will be more scalable in the future.
3. Name three package groups that are not typically necessary on a server.
4. Name two subsystems or aspects of a system which may require hardening.
5. True or false: Configuration capturing only needs to be done once, after you first install a machine.

Unit Summary
Security is something that must be considered from the start. Several steps can be taken to ensure your systems are more secure immediately after installation, including proper partitioning, appropriate package group selection, and restrictive default settings. A defined system purpose makes it easier to manage and secure a system. Use of a system hardening tool such as Bastille is a required step following any installation. Keep your systems updated. Baselining and configuration capturing utilities can make it much easier to spot a hole or breach before serious damage occurs.
