Enhancing System Resilience - Elemental aspects of hardening Ubuntu
Cybersecurity is a critical aspect of system design, management and administration, especially when it comes to protecting Linux-based systems like Ubuntu. The process of system hardening helps to create a more secure environment by minimizing vulnerabilities and improving the security posture of the system in question. In this post, we'll explore avenues of Ubuntu system hardening, mention relevant benchmarks, guidelines, possible automation tools, understand the categorisation of STIG items, and delve into file system encryption, some sub-topics complemented by small bits of examples.
The Ubuntu Hardening Conundrum
Ubuntu, known for its user-friendly interface and robust performance, is a preferred choice for servers and desktops alike. However, its versatility also attracts various security vulnerabilities that can be exploited if left unchecked. Unlike its proprietary counterparts, Ubuntu's open-source nature means that while it benefits from community-driven security enhancements, it also requires administrators to actively engage in the hardening process to maintain a secure environment. Regular updates, disabling unnecessary services, and configuring security features are all part of this process.
Proactive Configuration and the CIS Benchmark
The CIS Benchmark provides a set of practices to secure Ubuntu systems. This benchmark is a curated collection of best practices designed to safeguard Ubuntu systems against a myriad of vulnerabilities. It encompasses recommendations for everything from password policies to more technical configurations such as kernel module loading and network settings. Following the CIS recommendations can significantly improve a system's defense against general attacks. For Ubuntu system administrators, adhering to the CIS Benchmark is a formidable step toward ensuring a solid security posture. The CIS Benchmark is methodical and detailed, making it a cornerstone in the hardening process.
Automation with SCAP Tools
SCAP tools like OpenSCAP automate the process of checking and enforcing system compliance with security policies like the CIS Benchmark. They can scan, remediate, and report on system security, which is essential for managing multiple systems effectively.
Grasping the STIGs: CAT I, II, and III
The Security Technical Implementation Guides (STIGs), provided by the Defense Information Systems Agency (DISA), are security guidelines for hardening systems. They are more specific and often stricter than CIS Benchmarks. STIG items are divided into CAT I, CAT II, and CAT III categories, based on the impact of the vulnerabilities they address. CAT I items are considered critical, with the exploitation of these vulnerabilities potentially leading to severe damage. CAT II items are of moderate importance, with a lower impact than CAT I. CAT III items, while less severe, still require attention to mitigate the risk of incremental degradation of security posture over time. Understanding these categories is crucial for prioritizing hardening efforts.
The Bedrock of Security: File System Encryption
Encrypting the file system is a key defense measure for data protection. Ubuntu supports methods like eCryptfs and LUKS for encryption. For example, LUKS can encrypt entire disk partitions to protect data.
Default LUKS Configuration Example # Setup a LUKS encrypted volume sudo cryptsetup luksFormat /dev/sdX # Open the encrypted volume sudo cryptsetup luksOpen /dev/sdX encrypted_volume # Create a filesystem on the encrypted volume sudo mkfs.ext4 /dev/mapper/encrypted_volume # Mount the encrypted file system sudo mount /dev/mapper/encrypted_volume /mnt +-----------------------------+ | File Data (Encrypted) | +-----------------------------+ | File System (e.g., ext4) | +-----------------------------+ | LUKS Encryption Layer | +-----------------------------+ | Physical Disk | +-----------------------------+
Encryption keys should be stored securely, separate from the data they protect. Possible storage locations include external physical media, a secure key management service, or even a hardware security module (HSM), depending on the security requirements.
Bash Scripting for Hardening
To facilitate hardening tasks, bash scripting is an invaluable skill for system administrators. Scripts can automate repetitive tasks, enforce configurations, and ensure consistency across multiple systems.
Basic User Account Hardening
# Ensure password expiration of 90 days
sudo chage --maxdays 90 username
# Lock out accounts after three failed login attempts
sudo sed -i '/^auth\s*required\s*pam_tally2.so/!s/^auth\s*required\s*pam_unix.so/auth required pam_tally2.so onerr=fail audit silent deny=3 unlock_time=600\n&/' /etc/pam.d/common-auth
Restricting Unnecessary Services
# Disable an unnecessary service
sudo systemctl disable service_name
# Stop the service immediately
sudo systemctl stop service_name
File Permission Audits and Corrections
# Find files with permissions more permissive than 755 and correct them
find / -type f -perm /022 -exec chmod o-w {} \;
# Ensure no world-writable directories exist
find / -type d -perm -0002 -exec chmod o-w {} \;
Ensuring Firewall Configuration
# Enable UFW (Uncomplicated Firewall) and deny incoming connections by default
sudo ufw default deny incoming
# Allow outgoing connections by default
sudo ufw default allow outgoing
# Enable the firewall
sudo ufw enable
Implementing Auditd Rules
# Monitor changes to the /etc/passwd file
echo "-w /etc/passwd -p wa -k user_monitor" | sudo tee -a /etc/audit/audit.rules
# Restart auditd to apply the changes
sudo systemctl restart auditdBasic scripts can automate hardening tasks, such as managing account policies, disabling services, setting file permissions, configuring firewalls, and monitoring system files. In conclusion, the art of hardening Ubuntu systems is a meticulous blend of proactive configuration management, diligent application of benchmarks and guidelines.
