Course Implementation Plan

  • Chapter 1: Security Threats to Linux
    • Lab 1. Installing a Core Linux Operating System on a Server
  • Chapter 2: Basic Components of Linux Security
    • Lab 2. Configuring Basic Security Controls on a CentOS Linux Server
  • Chapter 3: Basic Security: Facilities Through the Boot Process
  • Chapter 4: User Privileges and Permissions
    • Lab 3. Hardening Security with User Account Management and Security Controls
  • Chapter 5: Filesystems, Volumes, and Encryption
    • Lab 4. Applying Hardened Linux Filesystem Security Controls
  • Chapter 6: Every Service Is a Potential Risk
    • Lab 5. Hardening Security for Linux Services and Applications
  • Chapter 7: Networks, Firewalls, and More
  • Chapter 8: Networked Filesystems and Remote Access
    • Lab 6. Hardening Security by Controlling Access
  • Chapter 9: Networked Application Security
  • Chapter 10: Kernel Security Risk Mitigation
    • Lab 7. Hardening Security for the Linux Kernel
  • Chapter 11: Managing Security Alerts and Updates
    • Lab 8. Applying Best Practices for Secure Software Management
  • Chapter 12: Building and Maintaining a Security Baseline
    • Lab 9. Applying Best Practices for Security Logging and Monitoring
  • Chapter 13: Testing and Reporting
  • Chapter 14: Detecting and Responding to Security Breaches
    • Lab 10. Defining Linux OS and Application Backup and Recovery Procedures
  • Chapter 15: Best Practices and Emerging Technologies

Book

  • Michael Jang, 2010, Security Strategies In Linux Platforms And Applications, 1st ed., Jones and Bartlett Learning (ISBN: 9780763791896)
  • Laboratory Manual to Accompany (Instructor Edition) version 2.0

Prepare for Labs

  1. Install virtual machine software: Virtualbox (https://www.virtualbox.org/wiki/Downloads) or VMware (https://www.vmware.com/products/workstation-player.html)
  2. Download CentOS image: http://isoredirect.centos.org/centos/7/isos/x86_64/
  3. Create new virtual machine and install CentOS (you should have 3GB RAM and 20GB hard drive), choose GNOME and Development tools
  4. After successful installation, log in with the root account and run the following commands:
    • yum install https://repo.ius.io/ius-release-el7.rpm
    • yum install dkms
    • yum install kernel-devel
    • reboot
  5. Install Guest Additions CD image…
  6. Restart the CentOS virtual machine.

How to mount a new drive on startup

Run sudo fdisk /dev/sdb

  • Press o and press Enter (creates a new partition table; fdisk commands are case-sensitive)
  • Press n and press Enter (creates a new partition)
  • Press p and press Enter (makes it a primary partition)
  • Press Enter twice
  • Then press 1 and press Enter (creates it as the 1st partition)
  • Finally, press w and press Enter (writes the changes to disk)

You now have a partition; next it needs a filesystem.

  • Run sudo mkfs.ext4 /dev/sdb1
  • Now add it to /etc/fstab with your favourite text editor. Be careful with this file: a mistake in it can easily leave the system unable to boot.

Add a line for the drive in the following format. This assumes the partition is formatted as ext4, as with the mkfs command above.

#device mountpoint fstype options dump fsck

/dev/sdb1 /home/ngo/haianh ext4 defaults 0 1
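Because a bad fstab entry can stop the system from booting, here is an added example (not part of the course notes) of appending the entry from a script that checks the fields, refuses a duplicate device or mount point, and keeps a backup first. The device name, mount point and the nosuid,nodev,noexec default options (the "mount without execute permissions" setting Lab 4 asks for) are assumptions for illustration; the fstab path is an argument so the function can be tried on a scratch copy before the real /etc/fstab.

```shell
#!/bin/sh
# Added example, not from the course notes: safely append a mount entry to an
# fstab file. Usage: add_fstab_entry FSTAB DEVICE MOUNTPOINT FSTYPE [OPTIONS]
# Returns 0 on success, 1 if the input is rejected (file left untouched).

add_fstab_entry() {
    fstab=$1 dev=$2 mnt=$3 fstype=$4 opts=${5:-defaults,nosuid,nodev,noexec}

    # The mount point must be absolute, and no field may be empty or contain
    # whitespace (fstab fields are whitespace separated).
    case "$mnt" in /*) ;; *) echo "mount point must be absolute" >&2; return 1 ;; esac
    for f in "$dev" "$mnt" "$fstype" "$opts"; do
        case "$f" in ''|*[[:space:]]*) echo "bad field: '$f'" >&2; return 1 ;; esac
    done

    # Two entries for the same device or mount point are a common way to
    # break the boot, so refuse them (comment lines are ignored).
    if awk -v m="$mnt" -v d="$dev" \
        '$1 !~ /^#/ && ($2 == m || $1 == d) {found=1} END {exit !found}' "$fstab"; then
        echo "entry for $dev or $mnt already present in $fstab" >&2
        return 1
    fi

    # Keep a copy of the last known-good file so it can be restored.
    cp -p "$fstab" "$fstab.bak" || return 1

    # dump=0; fsck pass 2 for a non-root filesystem (the root filesystem is 1).
    printf '%s %s %s %s 0 2\n' "$dev" "$mnt" "$fstype" "$opts" >> "$fstab"
}

# Count the non-comment, six-field entries in an fstab file (for verification).
fstab_entries() {
    awk '$1 !~ /^#/ && NF == 6 {n++} END {print n+0}' "$1"
}
```

After appending, run mount -a as root and check the new mount with mount or df before rebooting.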

Install Apache Web Server

  • Run sudo yum install httpd
  • Start Apache sudo systemctl start httpd
  • Check status sudo systemctl status httpd
  • Managing the Apache Process
    • To stop the web server: sudo systemctl stop httpd
    • To start the web server when it is stopped: sudo systemctl start httpd
    • To stop and then start the service again: sudo systemctl restart httpd
    • If you are simply making configuration changes, Apache can often reload without dropping connections: sudo systemctl reload httpd
    • By default, Apache is configured to start automatically when the server boots. If this is not what you want, disable this behavior by running: sudo systemctl disable httpd
    • To re-enable the service to start up at boot: sudo systemctl enable httpd
  • Reference: (https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-centos-7)

Install MySQL Server

  • Visit (https://dev.mysql.com/downloads/repo/yum/)
  • Download file mysql80-community-release-el7-11.noarch.rpm
  • Run sudo rpm -ivh mysql80-community-release-el7-11.noarch.rpm
  • Run sudo yum install mysql-server
  • Starting MySQL: sudo systemctl start mysqld
  • Checking status: sudo systemctl status mysqld
  • A temporary password is generated for the MySQL root user: sudo grep 'temporary password' /var/log/mysqld.log
  • Configuring MySQL: sudo mysql_secure_installation
    • This will prompt you for the default root password. As soon as you enter it, you will be required to change it.
    • Enter a new 12-character password that contains at least one uppercase letter, one lowercase letter, one number and one special character. Re-enter it when prompted.
    • You’ll receive feedback on the strength of your new password, and then you’ll be immediately prompted to change it again. Since you just did, you can confidently answer No.
    • After we decline the prompt to change the password again, we’ll press Y and then ENTER to all the subsequent questions in order to remove anonymous users, disallow remote root login, remove the test database and access to it, and reload the privilege tables.
  • We can verify our installation and get information about it by connecting with the mysqladmin tool, a client that lets you run administrative commands. Use the following command to connect to MySQL as root (-u root), prompt for a password (-p), and return the version: mysqladmin -u root -p version

Install phpMyAdmin

  • sudo yum install yum-utils
  • sudo yum-config-manager --enable remi-php74
  • sudo yum install php-zip -y
  • sudo yum install phpMyAdmin -y

Lab

  • Lab 1. Installing a Core Linux Operating System on a Server
    • Create a virtual machine and mount an installation ISO file
    • Partition a Linux hard disk for security hardening, performance, and application support
    • Install Linux in the most secure manner
    • Create a non-privileged user account for system administration access as a secure alternative to logging in as a root user
  • Lab 2. Configuring Basic Security Controls on a CentOS Linux Server
    • Configure the bootloader with the timeout set to 0 and password credential to mitigate tampering with the GRUB loader and the boot sequence of the server
    • Enable SELinux on a CentOS Linux Server and set it to enforcing mode
    • Create a student user account and add it to a user group for managing permissions and applying access controls across the system
    • Configure user groups with limited sudo access (with password credentials) to log and properly monitor access across the system
    • Create iptables set to “on” for runlevels 2 and 5 to enable an internal, host-based IP stateful firewall
    • Set restrictions and permissions for user access to files and system log files
  • Lab 3. Hardening Security with User Account Management and Security Controls
    • Configure a password policy by editing the /etc/login.defs file and implementing stringent password security measures on a CentOS Linux Server
    • Enforce a password change every 60 days showing a warning 14 days prior to the password’s expiration across the system for all users
    • Configure a minimum password length of eight characters with stringent complexity requirements
    • Create users and groups with the proper permissions and restrictions to enforce role-based access controls
    • Create a temporary user account that expires in 90 days to enforce the proper principle of least privilege with contractors and temporary workers/consultants
  • Lab 4. Applying Hardened Linux Filesystem Security Controls
    • Mount a filesystem without execute permissions, so you can safely read the data contained in the disk without executing any unexpected programs
    • Mount a remote filesystem and configure the system to be mounted at boot time for an automatic network share on a Linux system
    • Set user quotas on disk to protect the availability and security on the Linux system and to prevent users from taking up all the disk drive space on the system
    • Edit and modify the /etc/fstab file to manage local and remote network file shares as well as the necessary disk mounting configurations required
    • Configure and use the repquota command to verify usage of disk space by users and manage quotas
  • Lab 5. Hardening Security for Linux Services and Applications
    • Harden Linux server services when enabling and installing them, and keep a security perspective during configuration
    • Perform basic security configurations to ensure that the system has been hardened before hosting a Web site
    • Configure and perform basic security for a MySQL database, understanding the ramifications of a default installation and recommending hardening steps for the database instance
    • Set up and perform basic security configuration for Sendmail to be able to leverage the built-in messaging capabilities of the Linux system
    • Enable and implement secure SSH for encrypted remote access over the network or across the Internet of a Linux server system
  • Lab 6. Hardening Security by Controlling Access
    • Review current internal host-based firewall parameters and configuration settings to verify allowed and denied IP communications
    • Configure an internal host-based firewall using iptables and create stringent allow/deny rules for services that may require access to the system over the network
    • Harden the system by enabling TCP Wrappers to deny and log unauthorized attempts against services and ports running on the system
    • Secure processes running on the system by using and configuring SELinux to help perform more in-depth layered security
    • Verify configurations of the settings applied by connecting to the Linux server using SSH and connect to other services running on a Linux server
  • Lab 7. Hardening Security for the Linux Kernel
    • Review and tune the kernel parameters on a CentOS Linux Server for security and monitoring purposes
    • Produce kernel versions and loaded options for a better understanding of how the system is configured and to identify potential security vulnerabilities in the CentOS Linux Server
    • Examine the /etc/sysctl.conf file and adjust tcp_syncookies settings to configure secure options for users on a CentOS Linux Server
    • Review and assess the Loaded Kernel Modules (LKMs) of the target Linux system and provide recommendations on the output and current running configuration
    • Use and interpret the lsmod command output and perform security hardening configurations on the CentOS Linux Server
  • Lab 8. Applying Best Practices for Secure Software Management
    • Query and verify all installed packages in the kernel to help evaluate what security measures are necessary
    • Verify a source tarball to determine whether the integrity and contents of the package are what you expect before executing or installing it
    • Use and leverage md5sum to verify the integrity of a downloaded software tarball
    • Use GPG to view the signature of a downloaded public key
    • Configure the rpm database to add repositories securely for the distribution of software to persons who do not need access to the system directly, only to download any updates or rpms
  • Lab 9. Applying Best Practices for Security Logging and Monitoring
    • Configure remote logging on the CentOS Linux Server and send syslogs and other events to a remote host for secure secondary logging
    • Search through different log files on the CentOS Linux Server to identify where certain types of logs are stored and how often they get recycled
    • Configure the Tripwire file integrity tool so that modifications to important system files are quickly identified and properly logged both locally and remotely
    • Configure and schedule rkhunter to run at said interval using the cron subsystem so that a rootkit can be properly and quickly identified if possible
    • Configure both automatic searches on log files as well as automatic running of important security applications to properly monitor a CentOS Linux Server for malicious activity
  • Lab 10. Defining Linux OS and Application Backup and Recovery Procedures
    • Ensure Linux OS, application, and data availability with documented backup and recovery procedures
    • Configure and perform backups within the Linux operating system as an automated and stable way of enhancing backup and recovery procedures and maximizing system availability
    • Encrypt backups in the Linux operating system as they are being performed and for securing data backups and storage
    • Restore encrypted backups for full recovery of the Linux OS as per defined recovery time objectives (RTO)
    • Backup and restore deleted files using /proc in Linux so that an entire system does not have to be restored in the instance of a deleted or corrupted file
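For the Lab 7 sysctl step, an added example (not part of the course or lab manual): a shell audit that reads a sysctl configuration file and reports which hardening keys are missing or set to an unexpected value. Only tcp_syncookies comes from the lab text; the other baseline keys are an assumption added here to show the general check, and the value parser handles the file format (key = value, comments, last duplicate wins).

```shell
#!/bin/sh
# Added example, not from the course notes: audit a sysctl.conf-style file
# against a small hardening baseline. The baseline is an assumption for
# illustration; net.ipv4.tcp_syncookies is the setting the lab names.
# Usage: sysctl_audit FILE -> prints one line per deviation, returns their count

SYSCTL_BASELINE='net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.ip_forward=0
kernel.randomize_va_space=2'

# Print the value configured for KEY in FILE, or nothing if it is not set.
# Strips # and ; comments, tolerates spaces around '=', and lets the last
# occurrence of a repeated key win (sysctl applies the file top to bottom).
sysctl_value() {
    sv_key=$1 sv_file=$2
    sed -e 's/[#;].*//' "$sv_file" | awk -F= -v k="$sv_key" '
        NF >= 2 {
            gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2)
            if ($1 == k) v = $2
        }
        END { print v }'
}

# Compare FILE with the baseline; return the number of deviations (0 = clean).
sysctl_audit() {
    sa_file=$1 bad=0
    for pair in $SYSCTL_BASELINE; do
        key=${pair%%=*} want=${pair#*=}
        have=$(sysctl_value "$key" "$sa_file")
        if [ -z "$have" ]; then
            echo "MISSING $key (expected $want)"; bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "WRONG   $key = $have (expected $want)"; bad=$((bad + 1))
        fi
    done
    return $bad
}
```

The file audit only shows what is configured; compare it with the live values from sysctl -a, since a key absent from the file keeps the kernel default.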

Review

  1. What is a difference between security vulnerabilities associated with open source software and proprietary software?
    a. Vulnerabilities in proprietary software are immediately known and fixed.
    b. Open source software vulnerabilities can take months to fix because most people working on the software are volunteers.
    c. There are more resources for testing proprietary software. Therefore, vulnerabilities are usually not an issue with proprietary software.
    d. Typically, open source software vulnerabilities are immediately made public.

  2. Which of the following laws ensures that all U.S.-based financial institutions protect the personal financial information of their clients?
    a. HIPAA
    b. SOX
    c. GLBA
    d. PCI DSS

  3. Which method is preferable for securing access in the Remote Access Domain?
    a. SSH
    b. Telnet
    c. FTP
    d. NFS

  4. What are the advantages of virtualization in a Linux infrastructure? (1) Cost savings by purchasing less hardware. (2) Cost savings by using less power. (3) Security advantages with more bastion hosts
    a. Only 1 and 2 are correct
    b. Only 2 and 3 are correct
    c. Only 1 and 3 are correct
    d. 1, 2, and 3 are correct

  5. Which of the following is one of the best descriptions for OSSTMM?
    a. A methodology to develop open source software
    b. A methodology used by open source security professionals to measure compliance
    c. A methodology to automate penetration tests on open source software
    d. A methodology to ensure that no open source systems can be compromised

  6. Who developed the first Linux kernel?
    a. Andrew S. Tanenbaum
    b. Bill Gates
    c. Linus Torvalds
    d. Richard Stallman

  7. The Linux open source license allows anyone to use, modify, and improve the ___ .
    a. source code
    b. distributions
    c. applications
    d. None of the above

  8. Red Hat and Ubuntu are examples of __.
    a. source code
    b. distributions
    c. applications
    d. None of the above

  9. What is a common use for Linux in the LAN-to-WAN Domain?
    a. Firewall
    b. Gateway
    c. Bastion host
    d. All of the above

  10. What is Canonical?
    a. A type of open source license
    b. The private company behind Ubuntu
    c. An auditing program
    d. A security framework

  11. What is included in a typical Linux distribution?
    a. Kernel only
    b. Kernel and tools only
    c. Kernel, tools, and libraries only
    d. Kernel, tools, libraries, and applications

  12. Which of the following is an open source license?
    a. GNU General Public License (GPL)
    b. Canonical
    c. OSSTMM
    d. UNIX

  13. Which of the following is not true of Linux?
    a. Open source licenses allow anyone to use, modify, and improve the source code.
    b. Compiled code, or binaries, may be the intellectual property of a company or organization.
    c. The source code for many Linux binaries is released under open source licenses.
    d. Under open source licenses, you may not compile the source code affiliated with Linux binaries into your own binaries.

  14. Under OSSTMM, security audits are divided into how many channels?
    a. 1
    b. 2
    c. 3
    d. 4

  15. What is an entry-level security certification offered by (ISC)2?
    a. CISSP
    b. SSCP
    c. OSPA
    d. OWSE

  16. Which of the following represents a type of mandatory access control?
    a. A user cannot open the /etc/shadow file to read because the file is owned by user and group root.
    b. The FTP service is allowed to interact with directories other than users’ home directories.
    c. A regular user account does not have permission to read /var/log file.
    d. A user can give read, write, and execute permissions to a file.

  17. The default mandatory access control system used for Red Hat distributions is __.
    a. AppArmor
    b. SELinux
    c. Logwatch
    d. GRUB

  18. Which file permission is not an example of discretionary access control?
    a. Read
    b. Write
    c. Execute
    d. Boolean

  19. Which of the following statements is true about using a mandatory access control system on Linux?
    a. Properly setting up a mandatory access control system requires discipline and configuration knowledge.
    b. A mandatory access control system adds overhead to the kernel that renders it unnecessary to use.
    c. A mandatory access control system on Linux is generally considered to be a security risk.
    d. A mandatory access control system cannot be used in conjunction with a firewall.

  20. A discretionary access control for a file is a control mechanism that can be set by ___.
    a. the root user
    b. a system administrator
    c. the GRUB
    d. the user owner of the file

  21. The read, write, and execute permissions of a file are an example of a ____.
    a. discretionary access control
    b. firewall control
    c. mandatory access control
    d. system kernel control

  22. Which of the following files is not a part of the shadow password suite?
    a. /etc/shadow
    b. /etc/group
    c. /etc/passwd
    d. /etc/sudoers

  23. The iptables command is used to configure _______.
    a. a mandatory access control
    b. user account information
    c. a firewall
    d. TCP Wrappers

  24. Which of the following can serve as an additional “firewall” layer in Linux?
    a. Samba
    b. A modular kernel
    c. GRUB
    d. LILO

  25. What defines the services to be run in Linux?
    a. GRUB
    b. Runlevel
    c. LILO
    d. TCP Wrappers

  26. What is the CUPS service associated with?
    a. File transfers
    b. E-mail
    c. Remote access
    d. Printing

  27. Gnome and KDE are ____.
    a. graphical desktop environments
    b. e-mail server packages
    c. Web browsers
    d. Web server packages

  28. Apache is a popular type of _____.
    a. graphical desktop environment
    b. e-mail server package
    c. Web browser
    d. Web server package

  29. Postfix and Exim are types of _____.
    a. graphical desktop environments
    b. FTP server packages
    c. SMTP server packages
    d. Web server packages

  30. The _____ part of the kernel contains drivers and options essential to the kernel boot process.
    a. monolithic
    b. modular
    c. live
    d. None of the above