332.1 Host Hardening

Topic 332: Host Security

Weight: 5
Description: Candidates should be able to secure computers running Linux against common threats.
Key Knowledge Areas:
  • Configure BIOS and boot loader (GRUB 2) security
  • Disable unused software and services
  • Understand and drop unnecessary capabilities for specific systemd units and the entire system
  • Understand and configure Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and Exec-Shield
  • Black and white list USB devices attached to a computer using USBGuard
  • Create an SSH CA, create SSH certificates for host and user keys using the CA and configure OpenSSH to use SSH certificates
  • Work with chroot environments
  • Use systemd units to limit the system calls and capabilities available to a process
  • Use systemd units to start processes with limited or no access to specific files and devices
  • Use systemd units to start processes with dedicated temporary and /dev directories and without network access
  • Understand the implications of Linux Meltdown and Spectre mitigations and enable/disable the mitigations
  • Awareness of polkit
  • Awareness of the security advantages of virtualization and containerization
The following is a partial list of the used files, terms and utilities:
  • grub.cfg
  • systemctl
  • getcap
  • setcap
  • capsh
  • sysctl
  • /etc/sysctl.conf
  • /etc/usbguard/usbguard-daemon.conf
  • /etc/usbguard/rules.conf
  • usbguard
  • ssh-keygen
  • /etc/ssh/
  • ~/.ssh/
  • /etc/ssh/sshd_config
  • chroot

Kernel Security

Disabling unnecessary software:

• Every running program presents a possible security threat.
• Disabling unused services is a good security practice.
• Use systemctl and chkconfig to disable services.
• Commonly disabled services include atd, avahi-daemon and cups.

Limiting resource usage:

• The user may limit system resources such as threads, open files, and memory.
• The pam_limits.so module allows operators to control how much of any one resource a user may consume, through hard and soft limits.
• Most systems load pam_limits.so by default.
• The ulimit command may be used to adjust these limits at runtime.
• Limits may be set persistently in /etc/security/limits.conf.

Tuning kernel parameters:

• The sysctl command is capable of displaying and setting kernel parameters.
# sysctl -a | less
# sysctl -ar icmp
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_errors_use_inbound_ifaddr = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_msgs_burst = 50
net.ipv4.icmp_msgs_per_sec = 1000
net.ipv4.icmp_ratelimit = 1000
net.ipv4.icmp_ratemask = 6168
net.ipv6.icmp.ratelimit = 1000
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_icmpv6_timeout = 30
Sysctl review:
• View settings: sysctl -a, sysctl -ar <search_pattern>, or read the files under /proc/sys (procfs).
• Set a parameter at runtime: sysctl -w <param>=<value>
• Persist changes: /etc/sysctl.conf
• Parameters map to the procfs filesystem.
# ls -l /proc/sys
total 0
dr-xr-xr-x. 1 root root 0 Sep 6 07:57 abi
dr-xr-xr-x. 1 root root 0 Sep 6 04:41 crypto
dr-xr-xr-x. 1 root root 0 Sep 6 07:57 debug
dr-xr-xr-x. 1 root root 0 Sep 6 07:57 dev
dr-xr-xr-x. 1 root root 0 Apr 4 16:17 fs
dr-xr-xr-x. 1 root root 0 Apr 4 16:17 kernel
dr-xr-xr-x. 1 root root 0 Sep 6 05:46 net
dr-xr-xr-x. 1 root root 0 Sep 6 07:57 user
dr-xr-xr-x. 1 root root 0 Sep 6 07:57 vm
# ll /proc/sys/net/ipv4/icmp*
-rw-r--r--. 1 root root 0 Sep 6 08:05 /proc/sys/net/ipv4/icmp_echo_ignore_all
-rw-r--r--. 1 root root 0 Sep 6 07:57 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
-rw-r--r--. 1 root root 0 Sep 6 07:57 /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr
-rw-r--r--. 1 root root 0 Sep 6 07:57 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
-rw-r--r--. 1 root root 0 Sep 6 07:57 /proc/sys/net/ipv4/icmp_msgs_burst
-rw-r--r--. 1 root root 0 Sep 6 07:57 /proc/sys/net/ipv4/icmp_msgs_per_sec
-rw-r--r--. 1 root root 0 Sep 6 07:57 /proc/sys/net/ipv4/icmp_ratelimit
-rw-r--r--. 1 root root 0 Sep 6 07:57 /proc/sys/net/ipv4/icmp_ratemask
• Kernel parameters are set persistently in the file /etc/sysctl.conf. See the kernel documentation for additional information.
In modern Linux distributions the location of the configuration files may differ; on recent systems /etc/sysctl.conf itself only points to the drop-in directories:
# cat /etc/sysctl.conf
# sysctl settings are defined through files in /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same name in /etc/sysctl.d/ and put new settings there.
# To override only specific settings, add a file with a lexically later name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).

USBGuard

The USBGuard software framework provides system protection against intrusive USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. To enforce a user-defined policy, USBGuard uses the Linux kernel USB device authorization feature. The USBGuard framework provides the following components:
  • The daemon component with an inter-process communication (IPC) interface for dynamic interaction and policy enforcement.
  • The command-line interface to interact with a running USBGuard instance.
  • The rule language for writing USB device authorization policies.
  • The C++ API for interacting with the daemon component implemented in a shared library.
To create the initial rule set:
usbguard generate-policy > /etc/usbguard/rules.conf
To customize the USBGuard rule set:
edit /etc/usbguard/rules.conf
To start the USBGuard daemon:
systemctl enable usbguard.service --now
To list all USB devices recognized by USBGuard:
usbguard list-devices
To authorize a device to interact with the system:
usbguard allow-device <device-num>
To deauthorize and remove a device from the system:
usbguard reject-device <device-num>
To just deauthorize a device:
usbguard block-device <device-num>
USBGuard uses the block and reject terms with the following meaning:
  • block - do not talk to this device for now
  • reject - ignore this device as if it did not exist
To see all options, run usbguard --help.

Creating a White List and a Black List

The usbguard-daemon.conf file is loaded by the usbguard daemon after it parses its command-line options and is used to configure runtime parameters of the daemon. To override the default configuration file (/etc/usbguard/usbguard-daemon.conf), use the -c command-line option. See the usbguard-daemon(8) man page for further details.
To create a white list or a black list, edit the usbguard-daemon.conf file and use its options.
Important
The daemon provides the USBGuard public IPC interface. In Red Hat Enterprise Linux, the access to this interface is by default limited to the root user only. Consider setting either the IPCAccessControlFiles option (recommended) or the IPCAllowedUsers and IPCAllowedGroups options to limit access to the IPC interface. Do not leave the ACL unconfigured as this exposes the IPC interface to all local users and it allows them to manipulate the authorization state of USB devices and modify the USBGuard policy.

Managing ASLR:

• ASLR stands for Address Space Layout Randomization.
• It ensures that every time a program loads, it loads into a different place in memory.

The NX bit:

• The NX bit is a CPU feature.
• It prevents execution from protected memory areas.
• Exec-Shield is a software solution for the same problem designed to support CPUs without this feature.

ICMP security settings:

• Network security may be enhanced through kernel parameter tuning.
• Ignoring ICMP echo requests (so the host no longer answers ping) is a common security measure; it is achieved by setting the parameter net.ipv4.icmp_echo_ignore_all to 1.
# sysctl -w net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_all = 1
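The following shell script is an added example, not part of the original page: it parses a sysctl.conf-style file with the rules from sysctl.conf(5) (comments, whitespace around "=", slash-separated keys, last entry wins) and reports which of a few persisted hardening values from this section, plus kernel.randomize_va_space (the sysctl that controls ASLR), are missing or weakened. The wanted-value list and the sample file are this example's own constructions; point audit_sysctl_conf at a real /etc/sysctl.d/*.conf file to audit a host.

```shell
#!/bin/sh
# Added example (not from the original page): audit a sysctl.conf-style file
# against hardening values discussed in this section. Needs POSIX sh and awk.

# Effective value of KEY in FILE per sysctl.conf(5): '#'/';' start comments,
# whitespace around '=' is ignored, '/' may replace '.', a leading '-' (ignore
# errors) is dropped, the last assignment wins. Prints nothing if KEY is unset.
sysctl_conf_value() {
    awk -v key="$2" '
        { sub(/[#;].*/, "") }
        /=/ { split($0, kv, "="); k = kv[1]; v = kv[2]
              gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
              sub(/^-/, "", k); gsub(/\//, ".", k)
              if (k == key) last = v }
        END { if (last != "") print last }' "$1"
}

# Desired persisted values, key|value (this example's own list).
SYSCTL_WANTED='net.ipv4.icmp_echo_ignore_broadcasts|1
net.ipv4.icmp_ignore_bogus_error_responses|1
kernel.randomize_va_space|2'

# Print "key: want X, have Y" per mismatch; return the mismatch count.
audit_sysctl_conf() {
    findings=0
    for entry in $SYSCTL_WANTED; do
        key=${entry%%|*}; want=${entry#*|}
        have=$(sysctl_conf_value "$1" "$key")
        [ "$have" = "$want" ] && continue
        echo "$key: want $want, have ${have:-<unset>}"
        findings=$((findings + 1))
    done
    return "$findings"
}

# Constructed sample (not a real host's file) so the script runs stand-alone.
write_sample_sysctl_conf() {
    cat > "$1" <<'EOF'
# constructed sample sysctl.conf
net.ipv4.icmp_echo_ignore_broadcasts = 1      # no smurf amplification
net/ipv4/icmp_ignore_bogus_error_responses = 0
kernel.randomize_va_space = 0
kernel.randomize_va_space = 2 ; last entry wins: full ASLR
EOF
}

f=$(mktemp) && write_sample_sysctl_conf "$f"
audit_sysctl_conf "$f" || echo "$? parameter(s) need attention"
rm -f "$f"
```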

Chroot Environments

• A chroot environment is a ‘fake root’ that is set for a specific user and process.
• The chroot command is used by root to create the environment using a pre-configured area in the filesystem.
• An unprivileged process is unable to access files outside of a chroot environment.
• Be mindful of hard links in chroot environments: they can get out!

polkit

PolKit (formerly known as PolicyKit) is an application framework that acts as a negotiator between the unprivileged user session and the privileged system context. Whenever a process from the user session tries to carry out an action in the system context, PolKit is queried. Based on its configuration—specified in a so-called “policy”—the answer could be “yes”, “no”, or “needs authentication”. Unlike classical privilege authorization programs such as sudo, PolKit does not grant root permissions to an entire session, but only to the action in question.

Virtualization

• Virtualization is similar to a chroot environment but at a much more advanced level.
• Containerization is similar in nature when it comes to resource segmentation and process isolation.

Securing Grub

You may be interested in how to prevent ordinary users from doing whatever they like, if you share your computer with other people.
One thing which could be a security hole is that the user can do too many things with GRUB, because GRUB allows one to modify its configuration and run arbitrary commands at run-time. So it is necessary to disable all the interactive operations.
Thus, GRUB provides a password feature, so that only administrators can start the interactive operations (i.e. editing menu entries and entering the command-line interface).
Grub is capable of password protection for menu entries:
  • Grub 1 was only able to support passwords and not unique user accounts.
  • Grub 2 has more robust security.
Let's take a look at the GRUB configuration:
# pwd
/etc/grub.d
# ll
total 72
-rwxr-xr-x. 1 root root 8702 Jul 28 2020 00_header
-rwxr-xr-x. 1 root root 1043 Mar 21 2019 00_tuned
-rwxr-xr-x. 1 root root 232 Jul 28 2020 01_users
-rwxr-xr-x. 1 root root 10781 Jul 28 2020 10_linux
-rwxr-xr-x. 1 root root 10275 Jul 28 2020 20_linux_xen
-rwxr-xr-x. 1 root root 2559 Jul 28 2020 20_ppc_terminfo
-rwxr-xr-x. 1 root root 11169 Jul 28 2020 30_os-prober
-rwxr-xr-x. 1 root root 214 Jul 28 2020 40_custom
-rwxr-xr-x. 1 root root 216 Jul 28 2020 41_custom
-rw-r--r--. 1 root root 483 Jul 28 2020 README
For a full review of GRUB and GRUB 2, read my LPIC1 book: https://borosan.gitbook.io/lpic1-exam-guide/1022-install-a-boot-manager#grub
These steps are for demonstration only. Do not repeat them on your production systems. The steps and commands might differ depending on your OS; read the documentation.
Securing GRUB: configuring users in /etc/grub.d/01_users.
before:
# cat 01_users
#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root \${GRUB2_PASSWORD}
  fi
fi
EOF
after:
# cat 01_users
#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root \${GRUB2_PASSWORD}
  fi
fi
password user1 user1password
password user2 user2password
EOF
Configuring menu entries: copy the entry from /boot/grub2/grub.cfg:
menuentry 'CentOS Linux (3.10.0-1160.el7.x86_64) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-1160.el7.x86_64-advanced-21d3b367-651e-420f-b94d-43040b72360a' {
	load_video
	set gfxpayload=keep
	insmod gzio
	insmod part_msdos
	insmod xfs
	set root='hd0,msdos1'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1' 052308ef-1d3c-4cab-a5e5-a5d5c9fc0a2a
	else
	  search --no-floppy --fs-uuid --set=root 052308ef-1d3c-4cab-a5e5-a5d5c9fc0a2a
	fi
	linux16 /vmlinuz-3.10.0-1160.el7.x86_64 root=UUID=21d3b367-651e-420f-b94d-43040b72360a ro crashkernel=auto rhgb quiet LANG=en_US.UTF-8
	initrd16 /initramfs-3.10.0-1160.el7.x86_64.img
}
Paste it into /etc/grub.d/40_custom and change --unrestricted to --users user1,user2:
#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
menuentry 'CentOS Linux (3.10.0-1160.el7.x86_64) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --users user1,user2 $menuentry_id_option 'gnulinux-3.10.0-1160.el7.x86_64-advanced-21d3b367-651e-420f-b94d-43040b72360a' {
	load_video
	set gfxpayload=keep
	insmod gzio
	insmod part_msdos
	insmod xfs
	set root='hd0,msdos1'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1' 052308ef-1d3c-4cab-a5e5-a5d5c9fc0a2a
	else
	  search --no-floppy --fs-uuid --set=root 052308ef-1d3c-4cab-a5e5-a5d5c9fc0a2a
	fi
	linux16 /vmlinuz-3.10.0-1160.el7.x86_64 root=UUID=21d3b367-651e-420f-b94d-43040b72360a ro crashkernel=auto rhgb quiet LANG=en_US.UTF-8
	initrd16 /initramfs-3.10.0-1160.el7.x86_64.img
}
Build the GRUB configuration with grub2-mkconfig -o /boot/grub2/grub.cfg:
# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-1160.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-1160.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-251fad2d7b5049ecbb24a0bb534b6986
Found initrd image: /boot/initramfs-0-rescue-251fad2d7b5049ecbb24a0bb534b6986.img
done
and done.
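As an added example (not from the original page), the script below statically audits a generated grub.cfg for the three things the procedure above touches: whether superusers is set, whether any user is defined with the plain password command (which stores the secret in clear text, unlike password_pbkdf2 fed with a hash from grub2-mkpasswd-pbkdf2), and which menu entries remain --unrestricted. The sample configuration is constructed and shortened; run grub_cfg_audit against /boot/grub2/grub.cfg on a real host.

```shell
#!/bin/sh
# Added example (not from the original page): static audit of a generated
# grub.cfg for the settings this section changes. Needs POSIX sh and awk.
# Caveat: "set superusers" sits inside an if-block in 01_users output, so
# the check only proves the statement exists, not that user.cfg holds a hash.

# Print ok/warn lines; the exit status is the number of warnings.
grub_cfg_audit() {
    awk -F"'" '
        BEGIN { warns = 0 }
        /^[ \t]*set[ \t]+superusers=/ { super = 1 }
        /^[ \t]*password[ \t]/ {            # plain "password": clear-text secret
            line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t]+/)
            warns++; print "warn: clear-text password for user " f[2]
        }
        /^[ \t]*menuentry[ \t]/ {           # $2 is the single-quoted title
            if ($0 ~ /--unrestricted/) { warns++; print "warn: anyone can boot: " $2 }
            else if ($0 ~ /--users[ \t]/)  print "ok: restricted to listed users: " $2
            else                            print "ok: superusers only: " $2
        }
        END {
            if (!super) { warns++; print "warn: no superusers set; menu is unprotected" }
            exit warns
        }' "$1"
}

# Constructed, shortened sample grub.cfg (not a real host's file).
write_sample_grub_cfg() {
    cat > "$1" <<'EOF'
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root ${GRUB2_PASSWORD}
  fi
fi
password user1 user1password
menuentry 'CentOS Linux 7 (Core)' --class centos --unrestricted $menuentry_id_option 'gnulinux-a' {
	linux16 /vmlinuz-3.10.0-1160.el7.x86_64 ro quiet
}
menuentry 'CentOS Linux 7 (Core)' --class centos --users user1,user2 $menuentry_id_option 'gnulinux-b' {
	linux16 /vmlinuz-3.10.0-1160.el7.x86_64 ro quiet
}
EOF
}
f=$(mktemp) && write_sample_grub_cfg "$f"
grub_cfg_audit "$f" || echo "$? warning(s)"
rm -f "$f"
```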