Security Strategies in Linux Platforms and Applications: Lesson 3
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company. www.jblearning.com. All rights reserved.
Security Strategies in Linux Platforms and Applications
Lesson 3: Basic Security: Facilities Through the Boot Process
Learning Objective
Lock down the Linux boot process.
Key Concepts
Physical server security
Challenges of the standard kernel and possible security issues
Secure boot loaders
Obscurity as a security enhancement
DISCOVER: CONCEPTS
Physical Security-Server Room
Locks/Biometric controls
Pre-boot eXecution Environment (PXE)
Physical ports
Challenges of Standard Kernel
Different kernels for different architectures
What kernels can be installed on your system?
What kernel is best for your needs?
When do you consider a different kernel?
You may need to customize a kernel or install a new kernel for more security.
Boot Loader Security
Black-hat hackers use poorly configured boot systems and boot loaders to gain administrative access to systems.
DISCOVER: PROCESS
Locking Down Boot Loaders
Back up boot loader before making changes
If something goes wrong:
• Use rescue mode on local distribution or a live CD to boot system
• Access local drives
• Restore the boot loader from backup
• Use the appropriate command (grub-install or lilo)
Securing LILO
Run apt-get install lilo command
Accept LILO configuration
Create /etc/lilo.conf configuration file; customize
Run lilo -v command
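One way to check the result of the "customize" step, as an added example that is not part of the lesson's slides: a shell function that audits an /etc/lilo.conf-style file for an active password= directive and for file permissions that keep the cleartext password private. The function names, the sample configs and the placeholder password are assumptions made for illustration.

```shell
# Added example (not from the lesson): audit a LILO config for boot-prompt protection.
# Prints one line per finding; exit status = number of FAIL findings (0 = pass).
audit_lilo_conf() {
    conf=$1; fails=0
    # Drop comments and blank lines so commented-out directives do not count.
    active=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")
    # LILO keeps password= in cleartext, so group/other must have no access.
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $conf is accessible to group/other (use chmod 600)"
        fails=$((fails + 1))
    fi
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*password[[:space:]]*='; then
        # restricted: the password is asked only when boot parameters are typed.
        if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*restricted([[:space:]]|$)'; then
            echo "INFO: restricted set; password asked only for typed parameters"
        else
            echo "INFO: restricted not set; password asked on every boot"
        fi
    else
        echo "FAIL: no active password= directive; boot prompt is unprotected"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample configs: device names and the password are placeholders.
write_samples() {
    dir=$1
    cat > "$dir/weak.conf" <<'EOF'
boot=/dev/sda
prompt
timeout=50
# password=commented-out
image=/vmlinuz
    label=linux
EOF
    chmod 644 "$dir/weak.conf"
    cat > "$dir/hard.conf" <<'EOF'
boot=/dev/sda
prompt
timeout=50
password=EXAMPLE-ONLY
restricted
image=/vmlinuz
    label=linux
EOF
    chmod 600 "$dir/hard.conf"
}
# Usage: d=$(mktemp -d); write_samples "$d"; audit_lilo_conf "$d/weak.conf"
```

On a real system the audit would be pointed at /etc/lilo.conf before running lilo -v, since the map installer only applies what the file contains.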
Linux Loader Configuration File
Securing GRUB
Run apt-get install lilo command
Accept LILO configuration
Create /etc/lilo.conf configuration file; customize
Run lilo -v command
Traditional GRUB Configuration File
A Protected GRUB Configuration File
DISCOVER: ROLES
Five Process Controls
Nonrepudiation
Confidentiality
Privacy
Integrity
Alarm
DISCOVER: CONTEXTS
TPM and Trusted Computing
Trusted Platform Module (TPM)
• Not open source
• Password protection
• Software license protection
• Digital rights management (DRM)
• Disk encryption
• Chain of trust
TPM in an open source environment
• trousers, package with the TCG software stack, tpm-tools
DISCOVER: RATIONALE
Why Use Obscurity?
Boot menus
Boot loader
Boot config files
Services
The /etc/fstab file Can Use More Obscurity
Summary
Physical server security
Challenges of the standard kernel and possible security issues
Secure boot loaders
Obscurity as a security enhancement