Objectives
After completing this unit, you should be able to:
  Install a Linux distribution using installation CDs or over a network
  Understand a Red Hat kickstart file and have a basic grasp of its syntax
  Understand the importance of different partitioning strategies
  Choose a purpose for a new system and install only what is necessary
  Know how to update the software on your system
  Perform some post-installation hardening
  Perform system baselining
Considering security before and during installation gives you assurance:
  That the system will not be compromised before you have a chance to update it.
  That you will not have to revisit your installation choices further down the line.
  That your data will be as secure as possible from the lowest level of the system to the highest.
Installation Concepts
Planning
Before you install a system, be sure you have put some thought into the following:
  What will this system be used for?
  How should it be partitioned for its role?
  What file systems will you use on those partitions?
  How will you be installing?
  Should a root password be decided upon ahead of time, based on your organization's password policies?
  Are there any known out-of-the-box vulnerabilities in the distribution and release you are installing?
Installation Methods (1 of 2)
Three choices for most distributions:
CD-ROM or DVD-ROM
  Simple
  Effective
  Well-supported
  Works on machines with no floppy drive
Network (NFS, HTTP, FTP, and so on)
  Centralized
  No media to carry around or keep track of
  Can be faster
  No swapping CDs
Installation Methods (2 of 2)
Hard drive
Provided mostly for compatibility with systems that cannot install from CD-ROM. Uses ISO images, which are easy to move between servers (one file per CD) and can also be burned to new CDs.
Kickstart
An automated installation method available in Red Hat Linux. The kickstart configuration file is read from a floppy or CD. After an installation (beginning with release 7.2), a file called anaconda-ks.cfg is created in the root user's home directory; it is a kickstart file containing the parameters of the installation just performed. Before reusing it, the only lines that normally need attention are the clearpart and part lines, which define how the disks are wiped and partitioned. Note that the file also carries the root password hash (rootpw --iscrypted), so treat it, and any floppy you copy it to, as sensitive. To use it, make a boot floppy from the images on the Red Hat Linux CD and copy your kickstart configuration file to the floppy as ks.cfg. When booting from a boot floppy with a ks.cfg file, type linux ks=floppy at the boot prompt.
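The following script is an added example for this unit, not part of the course materials or of Red Hat's kickstart tooling. It checks a kickstart file (for instance a reused anaconda-ks.cfg) for the three things most often wrong before it is handed to a fresh install: a clear-text root password, missing clearpart/part lines, and an X Window System group in the package list. The directive names (rootpw --iscrypted, clearpart, part, %packages) are standard kickstart syntax; the two sample files written by the helper functions are constructed for this example, and the password hash in the good sample is a placeholder.

```shell
#!/bin/sh
# Added example, not from the course or Red Hat: lint a kickstart file
# before reusing it. Sample files below are constructed for this example.

# ks_lint FILE: print one finding per line; return 1 if anything was found.
ks_lint() {
    f=$1
    bad=0
    # 1. The root password must be stored as a hash, never in clear text.
    if grep -q '^rootpw' "$f" && ! grep -q '^rootpw[[:space:]]\{1,\}--iscrypted' "$f"; then
        echo "$f: rootpw is in clear text; use rootpw --iscrypted <hash>"
        bad=1
    fi
    # 2. clearpart and part lines define how disks are wiped and laid out;
    #    if none are active the install stalls or produces the wrong layout.
    if ! grep -q '^clearpart' "$f"; then
        echo "$f: no active clearpart line (check for commented-out ones)"
        bad=1
    fi
    if ! grep -q '^part[[:space:]]' "$f"; then
        echo "$f: no active part lines; partition layout is undefined"
        bad=1
    fi
    # 3. A multiuser server should not pull in the X Window System group.
    #    Only look inside the %packages section.
    if sed -n '/^%packages/,/^%/p' "$f" | grep -q '^@[[:space:]]*X Window System'; then
        echo "$f: %packages installs the X Window System group"
        bad=1
    fi
    return $bad
}

# sample_bad_ks FILE: a kickstart with every mistake above (constructed).
sample_bad_ks() {
    cat > "$1" <<'EOF'
lang en_US
keyboard us
rootpw secret123
#clearpart --all
#part / --fstype ext3 --size 4096
%packages
@ X Window System
@ GNOME Desktop Environment
EOF
}

# sample_good_ks FILE: hashed root password, explicit layout with separate
# /var and /home, minimal package set (constructed; the hash is a placeholder).
sample_good_ks() {
    cat > "$1" <<'EOF'
lang en_US
keyboard us
rootpw --iscrypted $1$xxxxxxxx$yyyyyyyyyyyyyyyyyyyyyy
auth --useshadow --enablemd5
bootloader --location=mbr
clearpart --all --initlabel
part /boot --fstype ext3 --size 100
part / --fstype ext3 --size 2048
part /var --fstype ext3 --size 2048
part /home --fstype ext3 --size 1024
part swap --size 512
%packages
@ Base
-sendmail
EOF
}

# Usage: ks_lint /root/anaconda-ks.cfg && echo "kickstart looks sane"
```

Run ks_lint against the file you intend to put on the floppy as ks.cfg; a non-zero exit means at least one finding was printed. The separate /var and /home partitions in the good sample are one concrete form of the partitioning strategy the Planning slide asks you to think about.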
Installation Process
During the installation, you will have to address the following topics:
  Creating the partition layout and choosing the file systems for those partitions
  Choosing and entering the root password
  Configuring authentication methods
  Selecting the packages you wish to install
Passwords
During installation, you are asked to choose a root password. Make sure the password you enter meets your organization's password policies. While it can be changed later, entering a good password now means there is nothing to clean up after installation. Before package group selection, you are also given the opportunity to set a boot loader (GRUB or LILO) password. Whether or not you use one depends on your organization's policy; it stops someone at the console from passing arbitrary parameters to the kernel (for example, booting straight into single-user mode), but it does not protect against someone who can boot the machine from their own media.
Packages (1 of 2)
Most distributions come with many package groups (listed in your student notes). You can either install or not install the whole group, or you can select individual packages from the groups. In general, a multiuser server will not need the following package groups (exact names may vary):
  X Window System
  GNOME Desktop Environment
  KDE Desktop Environment
  Graphical Internet
Packages (2 of 2)
In general, a multiuser server will not need the following package groups (exact names may vary):
  Office/Productivity
  Sound and Video
  Graphics
  Games and Entertainment
  X Software Development
  GNOME Software Development
  KDE Software Development
Updating
Every operating system and every piece of software has bugs and security flaws. One of the advantages of Open Source is that anyone can fix these holes and can (or, under some licenses, must) provide the fix to the community. Vendors that release distributions (Red Hat, SuSE, SCO, and so on) take these updated and patched pieces of software and repackage them to distribute to their customers through the appropriate channels. Vendors also put rigorous testing into the packages they release, and they stand behind their security fixes and package updates. This is why updates should come from the vendor's own channel and be checked against the vendor's signing key before installation, rather than taken from arbitrary mirrors.
rpm -i package - Install package
rpm -e package - Uninstall package
rpm -qa - List all installed packages
rpm -qi package - Get information about package
rpm -K package - Check the package's GPG signature
Package files are named name-version-release.architecture.rpm:
  name - Package name
  version - Version of the software this package includes
  release - Package release; a version number for the packaging itself
  architecture - The system type it is intended for
How to Upgrade
If you are using an automated upgrading tool such as Red Hat's Update Agent or SuSE's YOU, or a third-party solution, refer to that tool's documentation for instructions on its use. If you are upgrading by hand, here is what you need to know:
rpm -U - Upgrades the package if an earlier version is already installed, or installs the package if no earlier version is found.
rpm -F - Upgrades the package if an earlier version is already installed, or does nothing if no earlier version is installed.
For all packages except kernel binary packages, you can safely install updates using either of the two commands above. Kernel binary packages (kernel-version-release.arch.rpm) are a special case: install them with rpm -i, not rpm -U or rpm -F, so that the previous kernel remains installed and bootable if the new one fails.
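The script below is an added example for this unit, not part of the course or of rpm itself. It turns the rules above into a small by-hand update procedure: every package is checked with rpm -K and refused unless the vendor's GPG signature verifies, bootable kernel packages get rpm -i, and everything else gets rpm -F. Two assumptions are worth stating: the list of kernel flavours treated as bootable (kernel, kernel-smp, kernel-bigmem, kernel-enterprise, kernel-BOOT) is what a Red Hat Linux system of this era ships and should be extended for other distributions, and the rpm -K output lines are constructed samples modelled on rpm 4.x; wording differs between rpm versions, so check yours.

```shell
#!/bin/sh
# Added example, not from the course or rpm: verify and apply downloaded
# updates by hand. Sample "rpm -K" lines are constructed (rpm 4.x style).

# pkg_name FILE: strip "-version-release.arch.rpm" from a package file name.
pkg_name() {
    basename "$1" | sed 's/-[^-]*-[^-]*\.[^.]*\.rpm$//'
}

# is_boot_kernel NAME: bootable kernel packages must be installed with -i so
# the previous kernel stays available as a fallback. The flavour list is an
# assumption for a Red Hat Linux 7.x/8.x era system; extend it as needed.
is_boot_kernel() {
    case "$1" in
        kernel|kernel-smp|kernel-bigmem|kernel-enterprise|kernel-BOOT) return 0 ;;
        *) return 1 ;;
    esac
}

# rpm_flag FILE: print the rpm option to use for this package file.
rpm_flag() {
    if is_boot_kernel "$(pkg_name "$1")"; then
        printf '%s\n' -i
    else
        printf '%s\n' -F
    fi
}

# sig_ok LINE: interpret one line of "rpm -K" output. rpm -K exits 0 for an
# unsigned package whose digests match, so the exit status alone is not a
# signature check: require a GPG/PGP verdict and an "OK" that is not "NOT OK".
sig_ok() {
    l=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$l" in
        *"not ok"*)       return 1 ;;   # bad signature or missing key
        *gpg*ok|*pgp*ok)  return 0 ;;   # signed by a key in the rpm keyring
        *)                return 1 ;;   # digests only: package is unsigned
    esac
}

# apply_updates DIR: verify and apply every .rpm in DIR (run as root).
# The vendor's public key must already have been imported with rpm --import.
apply_updates() {
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        if ! sig_ok "$(rpm -K "$f" 2>&1)"; then
            echo "REFUSING $f: signature check failed or package unsigned" >&2
            continue
        fi
        rpm "$(rpm_flag "$f")" -v "$f"
    done
}

# Usage: apply_updates /var/tmp/updates
```

Because rpm -K on an unsigned package reports only digest results and still exits 0, the check looks for a GPG or PGP verdict in the output rather than trusting the exit status; a package that is signed with a key you have not imported shows up as NOT OK with MISSING KEYS and is refused too, which is the correct default.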
Hardening
Hardening a system reduces the chance that someone can gain unauthorized privileges higher than what they should have. While you can harden the system manually, we only cover that conceptually in this course. We go into greater depth on the use of the automatic system hardening tool Bastille.
Hardening against identity abuse addresses:
  The ability to pose as another person
  The ability to gain access to another person's account
The main components involved are:
  PAM
  /etc/passwd and /etc/shadow
  /bin/login
Hardening for access control addresses:
  The ability to access resources belonging to someone else
  Circumvention of security measures designed to prevent harm to the system
  The ability to access resources outside of your scope
The main components involved are:
  File system permissions
  PAM
  ACL tools and subsystems
  Various kernel extensions
Hardening for system integrity prevents important system services from being compromised and modified. The main components involved are:
  Log files in /var/log
  Log monitoring tools
  Effective policies for log management and archiving
Preparation and hardening for the possibility of an intrusion typically involves installing some intrusion detection and/or log monitoring software. The main components involved depend entirely on the log monitoring and intrusion detection software you use.
Kernel Hardening
Kernel hardening is the process of adding functionality to the kernel (typically through source patches) to make kernel-level security flaws harder to exploit. The three kernel hardening packages covered in this course are:
LIDS - Patch-based kernel hardening system (Linux Intrusion Detection System)
rsbac - Access control framework (Rule Set Based Access Control) for hardening systems
selinux - Security-Enhanced Linux, a mandatory access control extension to the kernel created by the United States' National Security Agency
Common features:
  Mandatory Access Control
  File protection
  Process protection
  ACL controls
Intrusion detection and log monitoring tools covered include:
  A host-based intrusion detection system providing file integrity monitoring, kernel module protection, centralized monitoring, and other features.
  A real-time log monitoring system, allowing you to choose the specific log data you wish to see.
  A customizable log analysis system, which parses system logs and reports any information you specify.
  logwatch
Other tools: TARA, Tiger, COPS, CIS
Bastille
Very powerful automated system hardening tool. Freely available.
Walks you through the process of securing your system with either an X Window GUI or a console text-mode interface. Handles most common system hardening tasks automatically, requiring you only to answer questions. Read each question rather than accepting defaults blindly: your answers define the policy that is applied to the host, and a setting that is right for a workstation (for example, disabling a service) may break a server's purpose.
System Baselining (1 of 2)
Baselining involves taking a snapshot of your system's settings in a configuration known to be valid and then watching how far the system deviates from that snapshot over time. Watching how the settings change can alert you to potential problems. It is also useful for making sure other administrators are not reconfiguring servers without going through the proper channels.
System Baselining (2 of 2)
There are several ways to manually capture data about a properly configured system, including:
rpm -qa - Lists the installed packages, with versions
rpm -Va - Verifies every installed package's files against the RPM database: MD5 sums, sizes, modes, ownership, modification times, and other file properties
The /proc file system contains a lot of useful information about hardware, loaded modules, and the running kernel, among other things.
Note that rpm -Va compares files against the RPM database on the same host; an intruder with root can alter that database as easily as the files, which is one reason to keep captured baselines off the host.
Automated solutions, such as Tripwire, AIDE, FTimes, or FCheck, can make this task much easier.
Configuration Capturing
Configuration capturing means making a snapshot of a machine's configuration so that it can be compared to future configurations to see the differences. Depending on the tools used, the output may be plain text files or a proprietary binary format. Do not store the snapshots on the system you are capturing, as a crafty infiltrator can easily modify or delete them. Establish a policy regarding how snapshots will be taken, when they will be taken, where they will be stored, and how they will be stored. Start with systems that you know are clean; freshly installed systems are best.
Monitoring
Once a policy for snapshot frequency has been determined, automated snapshots can be taken fairly easily. Comparing the latest snapshot to the previous one shows you what changed, and a chain of snapshots gives you a moving picture of the system's state. Anything unexpected, such as something that has never changed before suddenly changing, or vice versa, should be investigated immediately. Depending on the tool or tools you use, there may be many "false positives" (for example, log files and spool directories that change constantly); learn which these are so they can be filtered out deliberately rather than ignored along with everything else.
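The script below is an added example for this unit, not part of the course and not the Tripwire or AIDE way of doing it. It shows the manual baseline the slides describe: capture rpm -qa and rpm -Va output, copy it off the host, and compare two snapshots to list added and removed packages and to explain which attribute of each changed file rpm flagged. The rpm -Va line layout used by the parser (an eight-character column S M 5 D L U G T, an optional "c" for configuration files, then the path, or the word "missing" for a deleted file) is rpm's own format; the two sample snapshots written by sample_snapshots are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the course or any baselining product: capture and
# compare simple rpm-based snapshots. Sample snapshot files are constructed.
LC_ALL=C; export LC_ALL    # comm needs byte-order sorting on both inputs

# take_snapshot DIR: capture the package list and verification output. Run as
# root, then copy DIR off the host; a local copy can be altered by an intruder.
take_snapshot() {
    d=$1; mkdir -p "$d"
    rpm -qa | sort > "$d/packages"
    rpm -Va > "$d/verify" 2>/dev/null || true   # rpm -Va exits nonzero when anything differs
    cat /proc/version /proc/modules > "$d/proc" 2>/dev/null || true
}

# package_changes OLD NEW: print "+pkg" for added and "-pkg" for removed
# packages (both files are sorted "rpm -qa" output).
package_changes() {
    comm -13 "$1" "$2" | sed 's/^/+/'
    comm -23 "$1" "$2" | sed 's/^/-/'
}

# explain_verify FILE: turn each "rpm -Va" line into "path: reasons". Flag
# column: S size, M mode, 5 MD5, D device, L symlink, U owner, G group, T mtime.
explain_verify() {
    awk '
    $1 == "missing" { print $NF ": file missing"; next }
    {
        flags = $1; path = $NF; reasons = ""
        split("size mode md5 device link owner group mtime", name, " ")
        for (i = 1; i <= 8; i++)
            if (substr(flags, i, 1) != ".") reasons = reasons " " name[i]
        conf = ($2 == "c") ? " (config file)" : ""
        print path ":" reasons conf
    }' "$1"
}

# suspicious FILE: from "rpm -Va" output, list non-config files whose content
# (MD5) changed. Edited config files are expected; a changed binary is not.
suspicious() {
    awk '$1 != "missing" && substr($1, 3, 1) == "5" && $2 != "c" { print $NF }' "$1"
}

# sample_snapshots DIR: constructed old/new snapshots for demonstration.
sample_snapshots() {
    mkdir -p "$1/old" "$1/new"
    cat > "$1/old/packages" <<'EOF'
bash-2.05b-29
openssl-0.9.7a-5
sendmail-8.12.8-4
EOF
    cat > "$1/new/packages" <<'EOF'
bash-2.05b-29
netcat-1.10-10
openssl-0.9.7a-20
EOF
    cat > "$1/new/verify" <<'EOF'
S.5....T c /etc/hosts
..5....T   /bin/ls
missing     /usr/bin/locate
.M......   /usr/bin/passwd
EOF
}

# Usage on a real host (baselines live under /srv/baselines on another machine):
#   take_snapshot /tmp/snap && scp -r /tmp/snap baseline-host:/srv/baselines/$(hostname)/$(date +%F)
#   package_changes old/packages new/packages; explain_verify new/verify; suspicious new/verify
```

With the sample data, package_changes reports the openssl update, a new netcat package and the removal of sendmail; explain_verify shows that /etc/hosts was edited (expected for a config file) while suspicious singles out /bin/ls, whose MD5 changed without any package having been updated, which is exactly the "something that never changed suddenly changing" case the slide tells you to investigate.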
Baselining Strategies
Beware of automated filters. Know your systems. Know your capturing methods. Communicate all intentional changes to all administrators before touching anything; depending on your organization's policy, you may need to wait for some or all of their approval first. An organized directory structure and/or file naming convention for all of your captured data makes it much easier to locate and identify when specific changes occurred. Every step of capturing data should be well documented so that new administrators can produce data from their systems that matches the rest of the organization's data.
Checkpoint
1. Why is it important to have a good security plan in mind before starting with a system?
2. True or false: The purpose behind partitioning a server for its purpose is so that it will be more scalable in the future.
3. Name three package groups that are not typically necessary on a server.
4. Name two subsystems or aspects of a system which may require hardening.
5. True or false: Configuration capturing only needs to be done once, after you first install a machine.
Unit Summary
Security is something that must be considered from the start. Several steps can be taken to ensure your systems are more secure immediately after installation, including proper partitioning, appropriate package group selection, and restrictive default settings. A defined system purpose makes it easier to manage and secure a system. Use of a system hardening tool such as Bastille is a required step following any installation. Keep your systems updated. Baselining and configuration capturing utilities can make it much easier to spot a hole or breach before serious damage occurs.