Best Practices guide for securing the Linux Workstation
4 - 7 min read
Aug 02, 2002
Securing the Home Front
Best Practices guide for securing the Linux workstation
Table of Contents
Preface
The following white paper is provided as a best practices guide to
the Linux community for securing the Linux workstation. All efforts
have been exerted to be OS-agnostic and distribution specific
techniques have been noted. Rather then delve into specific
configurations, a broad overview of numerous available security
resources are presented. All too often, casual Linux users are left
with the daunting task of maintaining their system security and lack a
concise roadmap to direct them to the proper resources. Newsgroups,
mailing lists, and IRC can also be useful in solving really difficult
issues. Though not required, prior Linux experience is recommended. The
Introduction
"We will play both offense -- massing our resources to meet the most immediate threats - and defense - working to fill our most glaring gaps."
Tom Ridge
Director of the Office of Homeland Security
There is no silver bullet in security; rather, due diligence and knowledge are the best foundations for solid management of risk. Each user requires a varying degree of security specific to their situation and Linux is equally flexible in its implementation thereof. The focus of this document is distinctively on workstations: those located in a corporate environment, those situated at the house, and the myriad of situations that fall somewhere in-between.
This document is organized by methodology and a list of resources is provided at the end to supplement software packages and technologies referenced throughout the paper.
Finally, it is imperative to dispel a popular myth within the Linux community that certain distributions are more secure than others. While true that different flavors of Linux cater to separate audiences, the security of any given distribution is solely marked by the competence of its administrator. Be wary of claims such as, "secure by default" and realize that security is always evolutionary. If carefully maintained, any distribution can be secured as well as another.
Physical Access
The workstation is just as susceptible to physical attacks as the expensive server locked away in the closet. By its very nature, it is more accessible and more prone to being tampered with, and therefore must be adequately defended.
An obvious preventative technique is to not keep passwords written on sticky notes or loose pieces of paper, regardless of convenience. Setting a strong password and changing it monthly is another strategy. However, if the workstation is not logged out of and is left unattended, then a strong password is all for naught. Always configure the screensaver to initiate after a certain period of time (10 minutes of inactivity, for example) and require the system to prompt for a password.
An unattended keyboard can allow someone to forcibly kill X Windows by executing Ctrl+Alt+Backspace. Requiring a strong password and not having the machine automatically login any user will prevent this type of attack. The XF86Config file can be edited to disable the Ctrl+Alt+Backspace keystroke, which is not a bad idea, but if the workstation is set to automatically login a user, this defense is breached.
A more dangerous vulnerability exists in that a workstation
can be rebooted by executing Ctrl+Alt+Delete. Tweaking the /etc/inittab
file and changing the default id:3:initdefault line to ~~:S:wait:/sbin/sulogin prevents the attacker from booting into single user mode and changing the root password.
Additionally, commenting out this line: #ca::ctrlaltdel;/sbin/shutdown -t3 -r now
by adding a pound sign in front of the statement disables
Ctrl+Alt+Delete and prevents the system from being rebooted by anyone
lacking administrative privileges.
Lastly, be sure to set a password when installing a boot loader such as GRUB or LILO. To further deter an attacker, utilize a BIOS password for additional security.
Software Defense
Hardening the distribution is made simpler when less work is involved in executing and maintaining security. A key point worth mentioning again: security maintenance is a continuing process and not something done once and soon forgotten. Furthermore, attention must be paid to programs installed after the initial installation. Nothing is worse than having the false sense of security provided by a newly secured system shattered by an exploit based on a subsequently installed and insecure piece of software that is improperly configured.
In almost all scenarios, a smaller OS installation is preferred. Less software installed yields less to be concerned with and physically updated. Every software package, whether binary or source, is vulnerable. Having excess software to protect is a waste of bandwidth, time, and resources. Only select the packages required and do not settle for bloated installations.
The Center for Internet Security published a Linux Security Benchmark which consists of a PDF document and a Red Hat-based toolset to help secure a Linux installation. It's an invaluable resource and provides all the technical detail necessary to secure a Linux workstation or server with instructions simple enough for a newbie to follow.
Next, always keep software updated. If nothing else, this protects the workstation from previously discovered vulnerabilities. Almost every distribution has an automated method such as Red Hat's up2date and Debian's apt-get.
Utilizing md5sum is highly advisable. Most distributed Linux software comes with rarely used .sig or .asc files that contain a "signature" for the binary or software package. Simply download the package, including the accompanying signature file, and open a terminal window. Type md5sum package_name and it will produce a long string of characters. Compare the produced string to that within the signature file to verify the authenticity of the package.
Take advantage of Intrusion Detection Systems such as Snort or Tripwire. Their effectiveness depends on being instituted immediately after a fresh install with clean binaries. They take a "snapshot" of the system and alert the administrator if any tampering is present or if replacement binaries are introduced to the system. The maintainer is still responsible for acting upon these warnings and appropriately diagnosing the system.
PGP stands for Pretty Good Privacy and GnuPG is offered for many variants of Unix including Linux. Encrypting and digitally signing email not only allows for accountability, but it is also a relatively secure way of exchanging important information such as password changes or business correspondence.
Network security is beyond the scope of this document, but a workstation should always reside behind a firewall or other security device. Doing so will prevent a great deal of attacks from ever reaching their intended target. Properly configuring iptables and/or ipchains as a built-in firewall is very important to system security.
Distribution hardening scripts do exist, notably Bastille Linux for Red Hat Linux. While highly effective, these scripts take some control out of the hands of the administrator and should not coax one into believing that a system is entirely secured. Additionally, hardening scripts tend to be version specific and may not conform to the specific needs of the user.
Resources
Center for Internet Security - Linux Security Benchmark
md5sum Usage
Service Ports List
Tripwire
IP Firewall HOWTO (ipchains & iptables)
Bastille Linux
Linux Security HOWTO (very comprehensive)
