Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Mastering Linux Security and Hardening
  • Toc
  • feedback
Mastering Linux Security and Hardening

Mastering Linux Security and Hardening

By : Donald A. Tevault
4.6 (34)
close
Mastering Linux Security and Hardening

Mastering Linux Security and Hardening

4.6 (34)
By: Donald A. Tevault

Overview of this book

The third edition of Mastering Linux Security and Hardening is an updated, comprehensive introduction to implementing the latest Linux security measures, using the latest versions of Ubuntu and AlmaLinux. In this new edition, you will learn how to set up a practice lab, create user accounts with appropriate privilege levels, protect sensitive data with permissions settings and encryption, and configure a firewall with the newest firewall technologies. You’ll also explore how to use sudo to set up administrative accounts with only the privileges required to do a specific job, and you’ll get a peek at the new sudo features that have been added over the past couple of years. You’ll also see updated information on how to set up a local certificate authority for both Ubuntu and AlmaLinux, as well as how to automate system auditing. Other important skills that you’ll learn include how to automatically harden systems with OpenSCAP, audit systems with auditd, harden the Linux kernel configuration, protect your systems from malware, and perform vulnerability scans of your systems. As a bonus, you’ll see how to use Security Onion to set up an Intrusion Detection System. By the end of this new edition, you will confidently be able to set up a Linux server that will be secure and harder for malicious actors to compromise.
Table of Contents (22 chapters)
close
close
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
1
Section 1: Setting up a Secure Linux System
Section 1: Setting up a Secure Linux System
Free Chapter
2
Running Linux in a Virtual Environment
Running Linux in a Virtual Environment
Looking at the threat landscape
Why do security breaches happen?
Keeping up with security news
Differences between physical, virtual, and cloud setups
Introducing VirtualBox and Cygwin
Keeping the Linux systems updated
Summary
Questions
Further reading
Answers
3
Securing Administrative User Accounts
chevron up
Securing Administrative User Accounts
The dangers of logging in as the root user
The advantages of using sudo
Setting up sudo privileges for full administrative users
Setting up sudo for users with only certain delegated privileges
Advanced tips and tricks for using sudo
New sudo features
Special sudo considerations for SUSE and OpenSUSE
Summary
Questions
Further reading
Answers
4
Securing Normal User Accounts
Securing Normal User Accounts
Locking down users’ home directories the Red Hat way
Locking down users’ home directories the Debian/Ubuntu way
Enforcing strong password criteria
Setting and enforcing password and account expiration
Configuring default expiry data for useradd for Red Hat-type systems only
Setting expiry data on a per-account basis with useradd and usermod
Setting expiry data on a per-account basis with chage
Preventing brute-force password attacks
Locking user accounts
Locking the root user account
Setting up security banners
Detecting compromised passwords
Understanding centralized user management
Samba on Linux
Summary
Questions
Further reading
Answers
5
Securing Your Server with a Firewall – Part 1
Securing Your Server with a Firewall – Part 1
Technical requirements
An overview of the Linux firewall
An overview of iptables
nftables – a more universal type of firewall system
Summary
Questions
Further reading
Answers
6
Securing Your Server with a Firewall — Part 2
Securing Your Server with a Firewall — Part 2
Technical requirements
The Uncomplicated Firewall for Ubuntu systems
firewalld for Red Hat systems
Summary
Questions
Further reading
Answers
7
Encryption Technologies
Encryption Technologies
GNU Privacy Guard (GPG)
Encrypting partitions with Linux Unified Key Setup (LUKS)
Encrypting directories with eCryptfs
Encrypting the swap partition with eCryptfs
Using VeraCrypt for cross-platform sharing of encrypted containers
OpenSSL and the Public Key Infrastructure
Introducing quantum-resistant encryption algorithms
Summary
Questions
Further reading
Answers
8
SSH Hardening
SSH Hardening
Ensuring that SSH protocol 1 is disabled
Creating and managing keys for passwordless logins
Configuring access control with whitelists and TCP Wrappers
Configuring automatic logouts and security banners
Configuring other miscellaneous security settings
Setting different configurations for different users and groups
Creating different configurations for different hosts
Setting up a chroot environment for SFTP users
Sharing a directory with SSHFS
Remotely connecting from Windows desktops
Summary
Questions
Further reading
Answers
9
Section 2: Mastering File and Directory Access Control (DAC)
Section 2: Mastering File and Directory Access Control (DAC)
10
Mastering Discretionary Access Control
Mastering Discretionary Access Control
Using chown to change ownership of files and directories
Summary
Questions
Further reading
Answers
11
Access Control Lists and Shared Directory Management
Access Control Lists and Shared Directory Management
Creating an ACL for either a user or a group
Creating an inherited ACL for a directory
Removing a specific permission by using an ACL mask
Using the tar --acls option to prevent the loss of ACLs during a backup
Creating a user group and adding members to it
Creating a shared directory
Setting the SGID bit and the sticky bit on the shared directory
Using ACLs to access files in the shared directory
Summary
Questions
Further reading
Answers
12
Section 3: Advanced System Hardening Techniques
Section 3: Advanced System Hardening Techniques
13
Implementing Mandatory Access Control with SELinux and AppArmor
Implementing Mandatory Access Control with SELinux and AppArmor
How SELinux can benefit a systems administrator
Setting security contexts for files and directories
Troubleshooting with setroubleshoot
Working with SELinux policies
How AppArmor can benefit a systems administrator
Exploiting a system with an evil Docker container
Summary
Questions
Further reading
Answers
14
Kernel Hardening and Process Isolation
Kernel Hardening and Process Isolation
Understanding the /proc filesystem
Setting kernel parameters with sysctl
Configuring the sysctl.conf file
Understanding process isolation
Summary
Questions
Further reading
Answers
15
Scanning, Auditing, and Hardening
Scanning, Auditing, and Hardening
Installing and updating ClamAV and maldet
Scanning with ClamAV and maldet
Scanning for rootkits with Rootkit Hunter
Performing a quick malware analysis with strings and VirusTotal
Understanding the auditd daemon
Using ausearch and aureport
Auditing files and directories with inotifywait
Applying OpenSCAP policies with oscap
Summary
Questions
Further reading
Answers
16
Logging and Log Security
Logging and Log Security
Understanding the Linux system log files
Understanding rsyslog
Understanding journald
Making things easier with Logwatch
Setting up a remote log server
Maintaining Logs in Large Enterprises
Summary
Questions
Further reading
Answers
17
Vulnerability Scanning and Intrusion Detection
Vulnerability Scanning and Intrusion Detection
Introduction to Snort and Security Onion
Using Security Onion
IPFire and its built-in Intrusion Prevention System (IPS)
Scanning and hardening with Lynis
Finding vulnerabilities with the Greenbone Security Assistant
Web server scanning with Nikto
Summary
Questions
Further reading
Answers
18
Prevent Unwanted Programs from Running
Prevent Unwanted Programs from Running
Mount Partitions with the no options
Understanding fapolicyd
Summary
Further reading
Questions
Answers
19
Security Tips and Tricks for the Busy Bee
Security Tips and Tricks for the Busy Bee
Technical requirements
Auditing system services
Password-protecting the GRUB2 bootloader
Securely configuring BIOS/UEFI
Using a security checklist for system setup
Summary
Questions
Further reading
Answers
20
Other Books You May Enjoy
Other Books You May Enjoy
21
Index
Index

New sudo features

I mentioned before that one of the beautiful things about sudo is that it allows you to see what users are doing with their sudo privileges. Beginning with sudo version 1.9.0, the sudo logging experience has been greatly enhanced. You can now save sudo log messages in JSON format, which allows sudo to log much more information than it normally would, in a format that’s easier to parse. Beginning with sudo version 1.9.4, you can also have sudo send its log messages to a central log server, making it more difficult for bad actors to delete mention of their dirty deeds from the system log files.

Unfortunately, space constraints don’t allow me to do a full write-up about these new features here. That’s okay, though. Over at https://opensource.com/, Mr. Peter Czanik has written a great article that explains them very well. So, I’ll just refer you to him:

5 new sudo features sysadmins need to know in 2022https://opensource...

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech
Start a 7-day FREE trial
End of Section 7
Next Section
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete