Monday, 18 May 2015

LINUX OPERATING SYSTEM HARDENING AND ITS PRINCIPLES


WHAT IS LINUX OS HARDENING

Hardening is the process of securely configuring the weak (vulnerable) points of a system. Unused ports, services, or unneeded software left running create weak points that others may use to enter your system. In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability. A system has a larger vulnerability surface the more that it does; in principle a single-function system is more secure than a multipurpose one. Reducing the available attack vectors typically includes removing unnecessary software, removing unnecessary usernames or logins, and disabling or removing unnecessary services.

LINUX OS HARDENING METHODS

There are various methods of hardening Unix and Linux systems. This may involve, among other measures, applying a patch to the kernel such as Exec Shield or PaX; closing open network ports; and setting up intrusion-detection systems, firewalls and intrusion-prevention systems. There are also hardening scripts and tools like Bastille Linux, JASS for Solaris systems and Apache/PHP Hardener that can, for example, deactivate unneeded features in configuration files or perform various other protective measures.
For example, Linux systems have a file called /etc/hosts.allow that is used to allow or disallow users as per policy, so you may need to change the permissions of this file with chmod 700 /etc/hosts.allow or chmod 000 /etc/hosts.allow.

You can also use a tool like the PSysHard Hardening Framew0rk.

LINUX OS HARDENING AND ITS PRINCIPLES

1. Install only necessary software; delete or disable everything else.

2. Keep all system and application software painstakingly up-to-date, at least with security patches, but preferably with all package-by-package updates.

3. Delete or disable unnecessary user accounts.

4. Don't needlessly grant shell access: /bin/false should be the default shell for nobody, guest, and any other account used by services rather than by an individual local user.

5. Allow each service (networked application) to be publicly accessible only by design, never by default.

6. Run each publicly accessible service in a chrooted filesystem (i.e., a subset of /).

7. Don't leave any executable file needlessly set to run with superuser privileges, i.e., with its SUID bit set (unless owned by a sufficiently nonprivileged user).

8. If your system has multiple administrators, delegate root's authority.

9. Configure logging and check logs regularly.

10. Configure every host as its own firewall; i.e., bastion hosts should have their own packet filters and access controls in addition to (but not instead of) the firewall's.

11. Check your work now and then with a security scanner, especially after patches and upgrades.

12. Understand and use the security features supported by your operating system and applications, especially when they add redundancy to your security fabric.

13. After hardening a bastion host, document its configuration so it may be used as a baseline for similar systems and so you can rebuild it quickly after a system compromise or failure.
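As an added example that is not part of the original post, the following POSIX shell script audits two of the principles above (service accounts that still have a login shell, and executables with the SUID bit set) against a constructed passwd file and a temporary directory. The UID thresholds used to recognise service accounts are an assumption, not something the post specifies.

```shell
#!/bin/sh
# Added example, not from the original post: audits two hardening principles
# (service accounts with a login shell; SUID executables) on constructed input.
# Assumption: accounts with UID < 1000 (other than root) or UID >= 65534 are
# service accounts; /bin/false and any *nologin count as non-login shells.

# "Don't needlessly grant shell access": print "user:shell" for every service
# account whose shell is still a real login shell. $1 is a passwd-format file.
service_accounts_with_shell() {
    awk -F: '$3 != 0 && ($3 < 1000 || $3 >= 65534) && $7 !~ /\/(false|nologin)$/ {
        print $1 ":" $7
    }' "$1"
}

# "Don't leave executables SUID": list regular files with the SUID bit under $1.
# -xdev keeps the scan on one filesystem; on a real host you would run it on /.
suid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Constructed sample passwd file (not taken from any real system).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
guest:x:999:999:guest:/home/guest:/bin/bash
alice:x:1000:1000:alice:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF

# Constructed directory holding one SUID executable and one ordinary one.
SAMPLE_DIR=$(mktemp -d)
printf '#!/bin/sh\necho hi\n' > "$SAMPLE_DIR/setuid_tool"
printf '#!/bin/sh\necho hi\n' > "$SAMPLE_DIR/plain_tool"
chmod 4755 "$SAMPLE_DIR/setuid_tool"
chmod 755 "$SAMPLE_DIR/plain_tool"
trap 'rm -rf "$SAMPLE_PASSWD" "$SAMPLE_DIR"' EXIT

echo "Service accounts with a login shell:"
service_accounts_with_shell "$SAMPLE_PASSWD"
echo "SUID files under $SAMPLE_DIR:"
suid_files "$SAMPLE_DIR"
```

On a real host, point the first function at /etc/passwd and the second at / to get the lists that the two principles ask you to review.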
