Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


Linux Security Simplified: How To Make Linux More Secure (With Less Work)

Posted by bax at 2020-03-11

Linux is a versatile operating system. Its use cases vary greatly, from hosting hundreds of containers across a complex network, to running a single desktop, to the operating systems of TVs, Android phones and most Internet of Things (IoT) devices. However, its adaptability in a wide variety of settings means it can easily be used insecurely, and servers face the constant threat of online attack. To keep Linux secure, a security team would typically have to routinely perform many processes, including writing custom scripts to scrape logs off servers, manually creating SIEM integrations and parsing rules, and then further manipulating the data to visualize and report on everything they need to monitor. This is complex and time-consuming.

In this article we'll explore three efficient ways to simplify Linux security: restricting access, scanning for odd user activity, and streamlining routine Linux security tasks. We'll also show you how Uptycs can make Linux security easier and faster, using a better approach: host-level telemetry you can stream in real time and view historically.

1. Reducing Attack Surface Area

Whether it's running in the cloud or on physical premises, a Linux installation will likely run Secure Shell (SSH). The SSH protocol is both a vital component for managing remote access and a key entry point for unwanted intrusion. A good understanding of Linux security requires awareness of SSH and how to limit its attack surface. There are three ways to effectively control Linux server access.

Develop a secure approach to SSH authentication.

Your Linux security may be effectively managed in all other respects, but if passwords are too simple or reused across multiple accounts, your environment is vulnerable to attack. Even when passwords are chosen and used correctly, they can still be brute-forced by an attacker with enough time and processing power.
Your first priority in Linux security and hardening should be to migrate as many accounts as possible to SSH keys (public-key authentication), and to disable password authentication on the server once that migration is complete. Taking the additional step of two-factor authentication will further improve your security posture.

Minimize SSH exposure and act fast on vulnerabilities.

Another good strategy for securing a Linux server is to minimize your SSH exposure to the Internet. The more you expose, the more you'll have to patch rapidly and monitor. An SSH service exposed to the Internet also generates a huge amount of log data, much of it automated brute-force noise, to keep up with. It's therefore a good idea to restrict access to SSH at the network level. For example, you could put SSH behind a bastion (jump) host, VPN or authenticating proxy, so that users must authenticate before any traffic is forwarded to the servers themselves.

Manage secure SSH configuration with Augeas and osquery.

osquery's augeas table uses Augeas lenses to expose structured configuration files such as /etc/ssh/sshd_config as rows you can query with SQL, as though they were a database. This is extremely powerful for many different use cases, but when it comes to SSH it is especially useful for verifying that sshd is hardened properly. You could, for example, check which SSH protocol versions are allowed (on older OpenSSH releases that still honour the Protocol directive), or check that root login over SSH is disabled (PermitRootLogin no), forcing people to log in with their own accounts and elevate privileges only when necessary. You could use the same approach to track the sudoers file, to identify users and groups who are able to elevate privileges.

2. Scanning For Odd User Activity

To effectively monitor and investigate unusual user activity in your environment, you need Linux security software that allows you to easily correlate across different security datasets. It also greatly improves your security posture if you can view that telemetry both in real time and through historical snapshots.

Correlate different kinds of data.

What constitutes "odd" user activity will vary greatly from one environment to the next.
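The sshd_config and sudoers checks described in section 1 above ("Manage secure SSH configuration with Augeas and osquery"), worked through as an added example. This is not Uptycs or osquery code: it does in plain Python what a query against osquery's Augeas-backed table would return, so the logic can be checked offline. The sshd_config and sudoers contents, the keyword defaults and the hardening thresholds are all assumptions constructed for the example.

```python
"""Audit sshd_config and sudoers for the hardening points discussed above.

Added example (not Uptycs or osquery code).  It does in plain Python what an
osquery query against the Augeas-backed table would return, roughly:

    SELECT label, value FROM augeas
    WHERE path = '/etc/ssh/sshd_config'
      AND label IN ('PermitRootLogin', 'PasswordAuthentication', 'Protocol');

Both files below are constructed sample input, not taken from a real host.
"""
import re

SAMPLE_SSHD_CONFIG = """\
# constructed sample /etc/ssh/sshd_config
Port 22
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""

SAMPLE_SUDOERS = """\
# constructed sample /etc/sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
alice   ALL=(ALL) NOPASSWD: ALL
"""

# Values sshd uses when a keyword is absent.  These are the modern OpenSSH
# defaults and are an assumption for whatever version you run: check sshd_config(5).
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "protocol": "2",
}


def parse_sshd_config(text):
    """Return the effective global settings as {lowercased keyword: value}.

    Mirrors sshd's own rules: keywords are case-insensitive, the first
    occurrence wins, comments are ignored (so a commented-out
    '#PasswordAuthentication no' does NOT count as hardened), and anything
    after the first 'Match' block is conditional rather than global.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z]+)\s*[=\s]\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd(settings):
    """Return (keyword, problem) pairs for each hardening check that fails."""
    def effective(key):
        return settings.get(key, SSHD_DEFAULTS[key])

    findings = []
    if effective("permitrootlogin") != "no":
        findings.append(("PermitRootLogin", "root may log in over SSH; set 'PermitRootLogin no'"))
    if effective("passwordauthentication") != "no":
        findings.append(("PasswordAuthentication", "passwords accepted; migrate to keys and set 'no'"))
    if effective("pubkeyauthentication") != "yes":
        findings.append(("PubkeyAuthentication", "public-key authentication is disabled"))
    if "1" in effective("protocol").split(","):
        findings.append(("Protocol", "legacy SSH protocol 1 is allowed"))
    return findings


def sudo_principals(text):
    """Return {user_or_%group: [command specs]} from a sudoers file."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        # <principal> <hosts>=<(runas)> <commands>
        m = re.match(r"(\S+)\s+([^\s=]+)\s*=\s*(.+)", line)
        if m:
            rules.setdefault(m.group(1), []).append(m.group(3).strip())
    return rules


def unrestricted_nopasswd(rules):
    """Principals that can run ANY command as root with no password prompt."""
    return sorted(p for p, specs in rules.items()
                  if any(re.search(r"NOPASSWD:\s*ALL\s*$", s) for s in specs))


if __name__ == "__main__":
    for keyword, problem in audit_sshd(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print(f"sshd_config: {keyword}: {problem}")
    rules = sudo_principals(SAMPLE_SUDOERS)
    print("can elevate via sudo:", ", ".join(sorted(rules)))
    print("NOPASSWD ALL:", ", ".join(unrestricted_nopasswd(rules)))
```

On the sample input the audit reports three findings (PermitRootLogin, PasswordAuthentication and Protocol); note that the commented-out PasswordAuthentication line is correctly treated as absent, and the `Match User backup` override is not counted as a global setting. The sudoers pass lists four principals that can elevate and singles out `alice` as the one with an unrestricted `NOPASSWD: ALL` entry. Real sudoers files also pull in `/etc/sudoers.d/` via `@includedir`, which this example does not follow.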
It's important to build a detailed and nuanced list of activities warranting investigation in your Linux environment. It may be that you need an alert when a user connects directly to a container. You may require thresholds on how many machines a user should be logged into at once. Adding to the complexity, you may also need to carefully allowlist and build exception lists for any given rule (automation accounts, for example, legitimately log into many hosts at once). Sign up for this on-demand webinar to learn more about how osquery can help you monitor your system and detect breaches on Linux.

Track both historical and real-time Linux security data.

Tracking security incidents in real time is undeniably important; a quick response time can greatly reduce the impact of malicious activity. However, if you confine your approach purely to real-time events, you can lose sight of how security threats develop over time. For example, if a user executed unusual commands, historical data on SSH sessions might reveal earlier logins for that account from suspicious IP addresses.
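The rules discussed in this section, worked through as an added example (not Uptycs code): a per-user threshold on how many distinct hosts an account logs into within a time window, with an exception list for automation accounts; an allowlist of source networks; a keys-only rule that flags any accepted password login; and the historical lookup of everything one source IP did. The sshd log lines, hostnames, addresses, thresholds and the exempt account name are all constructed assumptions for the example.

```python
"""Flag unusual SSH login behaviour across a fleet from sshd log lines.

Added example, not Uptycs code.  Three rules, each with an exception list:
a per-user threshold on distinct hosts logged into within a time window
(automation accounts exempt), an allowlist of source networks, and 'keys only'
(any accepted password login is flagged).  It also answers the historical
question 'what did this IP do before?'.  Log lines and thresholds are
constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2020                         # syslog timestamps carry no year; assumed for the sample
HOST_THRESHOLD = 3                      # more than this many hosts inside WINDOW is odd
WINDOW = timedelta(minutes=10)
EXEMPT_USERS = frozenset({"ansible"})   # fan-out is normal for config management
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sshd lines from several hosts; the hostname is the syslog field.
SAMPLE_LOG = """\
Mar 11 10:00:01 web01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:a1b2
Mar 11 10:00:07 web02 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51240 ssh2: RSA SHA256:a1b2
Mar 11 10:00:15 db01 sshd[3301]: Accepted publickey for alice from 10.0.0.5 port 51251 ssh2: RSA SHA256:a1b2
Mar 11 10:00:20 db02 sshd[3302]: Accepted publickey for alice from 10.0.0.5 port 51260 ssh2: RSA SHA256:a1b2
Mar 11 10:00:30 web02 sshd[2212]: Failed password for invalid user admin from 203.0.113.44 port 5556 ssh2
Mar 11 10:01:00 web01 sshd[1202]: Accepted publickey for ansible from 10.0.0.9 port 40000 ssh2: RSA SHA256:c3d4
Mar 11 10:01:02 web02 sshd[2211]: Accepted publickey for ansible from 10.0.0.9 port 40001 ssh2: RSA SHA256:c3d4
Mar 11 10:01:04 db01 sshd[3303]: Accepted publickey for ansible from 10.0.0.9 port 40002 ssh2: RSA SHA256:c3d4
Mar 11 10:01:06 db02 sshd[3304]: Accepted publickey for ansible from 10.0.0.9 port 40003 ssh2: RSA SHA256:c3d4
Mar 11 10:05:00 web02 sshd[2213]: Accepted password for bob from 203.0.113.44 port 5555 ssh2
Mar 11 12:30:00 db01 sshd[3305]: Accepted publickey for carol from 10.0.0.7 port 6000 ssh2: RSA SHA256:e5f6
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(lines):
    """Turn sshd syslog lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append(e)
    return events


def host_fanout_alerts(events, threshold=HOST_THRESHOLD, window=WINDOW, exempt=EXEMPT_USERS):
    """(user, hosts) for users seen on more than `threshold` hosts within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "Accepted" and e["user"] not in exempt:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end, e in enumerate(evs):        # sliding window over this user's logins
            while e["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {x["host"] for x in evs[start:end + 1]}
            if len(hosts) > threshold:
                alerts.append((user, sorted(hosts)))
                break                        # one alert per user is enough
    return alerts


def source_alerts(events, allowed=ALLOWED_SOURCES):
    """(user, src, host) for successful logins from outside the allowlisted networks."""
    return [(e["user"], e["src"], e["host"]) for e in events
            if e["result"] == "Accepted"
            and not any(ipaddress.ip_address(e["src"]) in net for net in allowed)]


def password_login_alerts(events):
    """(user, host) for successful password logins, which a keys-only fleet should never see."""
    return [(e["user"], e["host"]) for e in events
            if e["result"] == "Accepted" and e["method"] == "password"]


def history_for_source(events, src):
    """Everything a source IP did, oldest first: the historical view for an investigation."""
    hits = sorted((e for e in events if e["src"] == src), key=lambda e: e["time"])
    return [(e["host"], e["user"], e["result"]) for e in hits]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    print("fan-out:", host_fanout_alerts(evs))
    print("outside allowlist:", source_alerts(evs))
    print("password logins:", password_login_alerts(evs))
    print("history 203.0.113.44:", history_for_source(evs, "203.0.113.44"))
```

On the sample data `alice` trips the fan-out rule (four hosts in twenty seconds) while `ansible`, which hits the same four hosts, is silenced by the exception list; `bob` is flagged twice, once for logging in from outside 10.0.0.0/8 and once for using a password. The historical lookup on 203.0.113.44 then shows that the same address had a failed attempt against a non-existent `admin` account minutes before bob's login succeeded, which is exactly the kind of context a real-time-only view loses.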

Uptycs Flight Recorder speeds up the process by storing large volumes of historical data in a proprietary, highly compressed format that alleviates storage cost considerations. Through Flight Recorder you can review the state of any number of servers at a specified time in the past, uncovering incidents that would otherwise have been extremely difficult to detect. You can learn more here about how one company improved its ability to investigate threats by using Uptycs Flight Recorder to gain visibility into the state of thousands of servers at any point in the past.

3. Streamlining Routine Linux Security Tasks

Securing your Linux environment will be easier if you can use officially supported packages, adhere to Security-Enhanced Linux (SELinux) best practices, and automate complex analytical processes.

Use official packages when possible.

The more official distribution packages you use, the less often you'll be bogged down with manual security patches. Moreover, since most distributions publish security fixes through a channel that is separate from feature updates, with official packages it's feasible to apply security updates automatically (weekly, for instance), reserving manual updates for feature changes when required. Uptycs can further streamline the task, comparing your installed software with an updated list of vulnerabilities. By alerting you when a patch is required, Uptycs can help you rapidly identify vulnerable packages in your environment.

Make Security-Enhanced Linux (SELinux) more manageable.

SELinux enforces mandatory access control on top of the ordinary Linux permissions, but its policies are extremely difficult to manage, monitor and troubleshoot. Security teams often gradually disable the more powerful policy features of SELinux, or drop the whole system into permissive mode, rather than troubleshoot denials, which can be a grueling and time-consuming process. Through Uptycs, you can use osquery's SELinux event tables to generate detailed logs of SELinux events.
This makes problem diagnosis easier and gives you a simpler way to refine your policies so that they only disallow actions which pose a genuine security threat.

Focus on outcomes instead of processes.

One of the most difficult challenges in Linux security management is reducing the grind of process work. The tasks of aggregating, storing, and sharing security data should be automated and streamlined where possible, because that time is better spent on the higher-level Linux security work of threat detection and investigation. You can learn more here about how a SaaS-based customer relationship management services provider used Uptycs to monitor security data from Linux server endpoints at scale. The company achieved FedRAMP compliance and was able to close a multi-million dollar contract within three months.

Uptycs can simplify your approach to Linux security.

Linux server security involves many moving parts. By developing efficient methods for restricting access, monitoring odd user activity and streamlining routine security tasks, you can make the process easier and less time-consuming. Interested in learning more about using osquery and the MITRE ATT&CK framework for monitoring and detecting breaches on Linux (and other operating systems)? Sign up for our on-demand webinar.
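The SELinux diagnosis described in section 3 above ("Make Security-Enhanced Linux (SELinux) more manageable"), worked through as an added example. This is not Uptycs or osquery code: it parses raw AVC records as the kernel's audit subsystem emits them (that osquery's selinux_events table carries the same records is an assumption here), groups the denials by source type, target type and object class, separates the ones that were actually blocked from the ones only logged in permissive mode, and prints the allow rule audit2allow would propose for each group. The four audit lines and the process names in them are constructed sample data.

```python
"""Turn raw SELinux AVC denial records into a diagnosis you can act on.

Added example, not Uptycs or osquery code.  It parses the AVC lines the
audit subsystem emits, groups them by (source type, target type, class),
records whether each group was enforced (permissive=0) or merely logged
(permissive=1), and prints the allow rule audit2allow would propose, so you
can decide which denials are policy gaps and which should stay blocked.
The records below are constructed sample data.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT = """\
type=AVC msg=audit(1583920000.123:4567): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=1024 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1583920001.456:4568): avc:  denied  { read open } for  pid=1234 comm="httpd" path="/home/alice/www/index.html" dev="sda1" ino=1024 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1583920002.789:4569): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1583920003.000:4570): avc:  denied  { write } for  pid=987 comm="nginx" name="access.log" dev="sda1" ino=2048 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1583920003.000:4570): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(lines):
    """Return one dict per AVC record; non-AVC audit lines (SYSCALL etc.) are ignored."""
    records = []
    for line in lines:
        m = AVC_RE.match(line)
        if not m:
            continue
        rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
               "verdict": m.group("verdict"), "perms": m.group("perms").split()}
        for key, value in KV_RE.findall(m.group("rest")):
            rec[key] = value.strip('"')
        records.append(rec)
    return records


def type_of(context):
    """'system_u:system_r:httpd_t:s0' -> 'httpd_t' (user:role:type[:level])."""
    return context.split(":")[2]


def summarize(records):
    """Group denials by (source type, target type, class) -> perms, count, enforced, comm."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "enforced": False, "comm": set()})
    for rec in records:
        if rec["verdict"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"].update(rec["perms"])
        g["count"] += 1
        g["comm"].add(rec.get("comm", "?"))
        # permissive=0 means the access was actually blocked, not just logged
        g["enforced"] = g["enforced"] or rec.get("permissive") == "0"
    return dict(groups)


def allow_rules(summary):
    """The allow rule audit2allow would emit for each group (sorted for stable output)."""
    rules = []
    for (stype, ttype, tclass), g in sorted(summary.items()):
        perms = sorted(g["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    summary = summarize(parse_avc(SAMPLE_AUDIT.splitlines()))
    for key, g in sorted(summary.items()):
        state = "BLOCKED" if g["enforced"] else "permissive (logged only)"
        print(f"{key}: {g['count']}x {sorted(g['perms'])} by {sorted(g['comm'])} [{state}]")
    print("\n".join(allow_rules(summary)))
```

The point of the grouping is that four raw events collapse into three decisions. The httpd_t to user_home_t denial is most likely a labelling problem or a case for the `httpd_enable_homedirs` boolean rather than a custom allow rule; the name_connect denial on postgresql_port_t is a genuine question of whether the web tier should talk to the database at all; and the var_log_t write is only being logged (permissive=1), so it is not yet the cause of any failure. Generating the rule text is the easy part; deciding which of them to load is the security work the page is talking about.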