SlideShare a Scribd company logo

Hardening Linux, introducing Securix GNU/Linux

Martin Holovský
Martin Holovský

Hardening Linux and introducing Securix GNU/Linux. Hardened Linux operating systems, secured by default.

Internet
1 of 33
Download to read offline
Hardening Linux and introducing Securix GNU/Linux
secured linux by default | www.securix.org Hardening basics From lowest to highest level Tune every part of system and applications Follow standards and security policies Regularly check system health Install security patches when possible Log and audit every action
Physical security Locked rack BIOS setup password Console in different rack // How it helps? Avoid unauthorized access where somebody can: - shutdown server - reboot server into single-user mode and change password - boot live CD and access data - sniff data on ethernet cable - steal hard disks
secured linux by default | www.securix.org Encrypting partitions its essential to have encrypted all partitions except /boot and swap ( / , usr, home, var, opt, tmp) no impact on resources where is HW acceleration possible my recommendation is LUKS cryptsetup -c aes-xts-plain -y -s 512 -h whirlpool luksFormat /dev/xyz // How it helps? data stored are unreadable for attacker passwords can’t be changed during boot from live CD
secured linux by default | www.securix.org Securing Grub protect grub using password password --md5 $1$Ul0TR0$fK/7jE2gCbkBAnzBQWWYf/ generate hash using grub-md5-crypt protect single-user boot via password as well setup fallback option // How it helps? avoid unauthorized single-user mode boot fallback in case of problems with new kernel
secured linux by default | www.securix.org Kernel configuration enabled only options which are really needed - smaller/faster kernel - secure - big piece of code isn't really needed enabled PaX and Grsecurity - no LSM - robust multi-level security system Securix have minimalistic predefined kernel setup which should boot on many systems by default
secured linux by default | www.securix.org /etc/securetty limit root access to console and serial port only # file: /etc/securetty # limit root access console vc/1 tty1 tty2 # serial console access ttyS0 ttyS1 ...
Use phrases, not passwords
Use phrases, not passwords
secured linux by default | www.securix.org /etc/sysctl.conf build with focus on security and network stack tuning some examples: # Kernel EXEC shield kernel.exec-shield = 1 # Make the addresses of mmap base, stack, heap and VDSO page randomized kernel.randomize_va_space = 2 # Reboot system when kernel panic occur, oops will wait 30 seconds untill call panic() kernel.panic = 30 kernel.panic_on_oops = 30 # Disable magic-sysrq key kernel.sysrq = 0
secured linux by default | www.securix.org /etc/sysctl.conf # Prevent SYN attack net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_max_syn_backlog = 4096 net.ipv4.tcp_syn_retries = 5 net.ipv4.tcp_synack_retries = 2 # Enable IP spoofing protection, turn on source route verification net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 # Increase allowed local port range net.ipv4.ip_local_port_range = 1024 64000 # Enable tcp_window_scaling net.ipv4.tcp_window_scaling = 1 ...and much more
iptables configuration script for pushing/editing/saving firewall rules port scan detection access logging traffic divided into chains strict default policy secured linux by default | www.securix.org
/etc/security/limits.conf secured linux by default | www.securix.org # default limits * soft core 0 * hard core 0 * hard nproc 200 * hard nofile 2000 * hard fsize 1024000 * - maxlogins 3 # operator group limits @operators hard nproc 2000 @operators hard nofile 4000 @operators hard fsize 10240000 @operators - maxlogins 10 # service group limits @services hard nproc 40000 @services hard nofile 45000 @services hard fsize 1024000000 @services - maxlogins 100
secured linux by default | www.securix.org /etc/ssh/sshd_config Port 55522 Protocol 2 ServerKeyBits 2048 Ciphers aes256-cbc,aes256-ctr,blowfish-cbc Compression yes ClientAliveInterval 15 ClientAliveCountMax 3 TCPKeepAlive no PermitRootLogin no PermitEmptyPasswords no UsePrivilegeSeparation yes StrictModes yes AllowTcpForwarding no X11Forwarding no GatewayPorts no ...
secured linux by default | www.securix.org PaX - NOEXEC The goal of NOEXEC is to prevent the injection and execution of code into a task's address space and render this exploit technique unusable under PaX. - segmentation based non-executable page protection [IA-32 only] (SEGMEXEC) - paging based non-executable page protection (PAGEEXEC) - mmap() and mprotect() restrictions (MPROTECT)
secured linux by default | www.securix.org Pax - ASLR decrease success rate of attacks that require advanced knowledge of memory addresses via Address Space Layout Randomization (ASLR) - Main executable code/data/bss segment base address randomization (RANDEXEC) - ET_EXEC ELF - mmap() and brk() managed memory [libraries, heap, thread stacks, shared memory, etc] address randomization (RANDMMAP) ET_DYN ELF - User stack base address randomization (RANDUSTACK) - Kernel stack base address randomization (RANDKSTACK)
secured linux by default | www.securix.org Grsecurity “Unlike other expensive security "solutions" that pretend to achieve security through known-vulnerability patching, signature-based detection, or other reactive methods, grsecurity provides real proactive security. The only solution that hardens both your applications and operating system, grsecurity is essential for public-facing servers and shared-hosting environments. Grsecurity increased authentication for administrators, audit important system events, and confine your system with no manual configuration through advanced Role-Based Access Control.”
secured linux by default | www.securix.org Grsecurity - features high scalable Role-Based Access Control learning mode for RBAC policies restrict access to /dev/kmem, /proc/<pid>/maps, /proc, kernel processes, linking, FIFO, dmesg, IO, ptrace, ... trusted path execution hardened chroot environment fork bomb protection & randomized PIDs
Grsecurity - features 2 network protections - randomized IP IDs, larger entropy pools, random TCP sequence numbers, randomized TCP source ports, tcp/udp blackhole, altered ping payload, socket restrictions, ... auditing - exec & chroot exec, ptrace, chdir, un/mount, signal sent, fork failure, time change, append client IP address where possible, denied RWX mmap/mprotect (PaX) ...and much more secured linux by default | www.securix.org
Grsecurity benchmark Apache Benchmark: This test profile measures how many requests per second a given system can sustain when carrying out 700,000 requests with 100 requests being carried out concurrently. Source: http://grsecurity.net/~spender/benchmarks.txt Vanilla All grsecurity/PaX features enabled All but RBAC All but UDEREF All but KERNEXEC/UDEREF All but KERNEXEC/UDEREF/SANITIZE All but KERNEXEC/UDEREF/SANITIZE/STACKLEAK
Grsecurity benchmark Apache Benchmark: This test profile measures how many requests per second a given system can sustain when carrying out 700,000 requests with 100 requests being carried out concurrently. Source: http://grsecurity.net/~spender/benchmarks.txt 11000 8250 2750 0 5500 Score Vanilla All grsecurity/PaX features enabled All but RBAC All but UDEREF All but KERNEXEC/UDEREF All but KERNEXEC/UDEREF/SANITIZE All but KERNEXEC/UDEREF/SANITIZE/STACKLEAK
secured linux by default | www.securix.org Why not SELinux? build as Linux Security Module (LSM) doesn't contain features as Grsecurity (NX, ASLR, DoS and fingerprint mitigation, entropy pools, auditing, ...) complicated policy & no learning mode worse performance in benchmark tests developed and maintained by NSA (“Big Brother”)
secured linux by default | www.securix.org Securix GNU/Linux
secured linux by default | www.securix.org Securix GNU/Linux follow “best practices” and standards with high focus on security and performance all services and system configuration secured by default own monitoring system which can fix or inform administrator about problems by email or motd (rkhunter, checksec.sh, secxmon.sh, secxwatch.sh, XCCDF, OVAL, ...) update tool which can align system with current Securix configuration actively implement protection against new attack vectors (via update tool) where applicable
secured linux by default | www.securix.org Securix GNU/Linux
secured linux by default | www.securix.org Securix GNU/Linux anyone can contribute or suggest improvement! build good pre-defined RBAC policies binaries build with SSP and PIE protection proactive security against buffer/heap/stack overflow and exploits every new settings must be tested on production environment basically “it is still Hardened Gentoo” with great support on forums, IRCs and mailing lists ...stay tuned
secured linux by default | www.securix.org Securix Installer
secured linux by default | www.securix.org Securix Installer written in bash under GPLv3 license system environment check and setup advanced auto-partitioning with LVM and LUKS support (noatime, nodev, nosuid, noexec) auto-detection/setup of architecture, bonding, serial console, http proxy, profile, ... all you need is setup some essential variables like root passphrase, hostname, root mail, etc. following methods KISS (Keep It Simple Stupid) and DASQ (Don't Ask Stupid Questions)
secured linux by default | www.securix.org Q&A?
secured linux by default | www.securix.org Thank you! Martin Čmelík [ cm3l1k1 ] martin.cmelik [ at ] security-portal.cz www.security-portal.cz www.securix.org
secured linux by default | www.securix.org Links www.securix.org www.grsecurity.net http://pax.grsecurity.net/docs/ http://www.gentoo.org/proj/en/hardened/ http://en.wikibooks.org/wiki/Grsecurity http://www.pjvenda.net/linux/doc/pax-performance/ www.cs.virginia.edu/~jcg8f/SELinux%20grsecurity%20paper.pdf www.ece.cmu.edu/~dbrumley/courses/18739c-s11/docs/aslr.pdf http://www.cyberciti.biz/ ...
Top security stories of 2011 (by Kaspersky) secured linux by default | www.securix.org
Top security stories of 2011 (by Kaspersky) secured linux by default | www.securix.org Rise of “Hactivism” - Anonymous, LulzSec, ... HBGary Federal Hack RSA, Comodo and DigiNotar incident Duqu (Stuxnet) - undetectable for years Sony Playstation Network hack Rise of Android / Mobile malware CarrierIQ - spy and monitoring tool ...we need Securix

Recommended

Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxSecurity Session
 
Server hardening
Server hardeningServer hardening
Server hardeningTeja Babu
 
Linux Security Overview
Linux Security OverviewLinux Security Overview
Linux Security OverviewKernel TLV
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Securitypankaj009
 
Linux Network Security
Linux Network SecurityLinux Network Security
Linux Network SecurityAmr Ali
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 
Linux Security
Linux SecurityLinux Security
Linux Securitynayakslideshare
 
CentOS Linux Server Hardening
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server HardeningMyOwn Telco
 

Recommended

Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxSecurity Session
 
Server hardening
Server hardeningServer hardening
Server hardeningTeja Babu
 
Linux Security Overview
Linux Security OverviewLinux Security Overview
Linux Security OverviewKernel TLV
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Securitypankaj009
 
Linux Network Security
Linux Network SecurityLinux Network Security
Linux Network SecurityAmr Ali
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 
Linux Security
Linux SecurityLinux Security
Linux Securitynayakslideshare
 
CentOS Linux Server Hardening
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server HardeningMyOwn Telco
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhydn|u - The Open Security Community
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux SecurityRizky Ariestiyansyah
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux SecurityMichael Boman
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsAnne Nicolas
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsJames Morris
 
Snort-IPS-Tutorial
Snort-IPS-TutorialSnort-IPS-Tutorial
Snort-IPS-TutorialVladimir Koychev
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?Michael Boelen
 
MR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinuxMR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinuxFFRI, Inc.
 
BSides Algiers - Linux Kernel and Recent Security Protections - Djallal Harouni
BSides Algiers - Linux Kernel and Recent Security Protections - Djallal HarouniBSides Algiers - Linux Kernel and Recent Security Protections - Djallal Harouni
BSides Algiers - Linux Kernel and Recent Security Protections - Djallal HarouniShellmates
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerMuhammad Moinur Rahman
 
Introducing bastion hosts for oracle cloud infrastructure v1.0
Introducing bastion hosts for oracle cloud infrastructure v1.0Introducing bastion hosts for oracle cloud infrastructure v1.0
Introducing bastion hosts for oracle cloud infrastructure v1.0maaz khan
 
FreeBSD is not Linux
FreeBSD is not LinuxFreeBSD is not Linux
FreeBSD is not LinuxMuhammad Moinur Rahman
 
SELinux Basic Usage
SELinux Basic UsageSELinux Basic Usage
SELinux Basic UsageDmytro Minochkin
 
Linux Security Crash Course
Linux Security Crash CourseLinux Security Crash Course
Linux Security Crash CourseUTD Computer Security Group
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesInformation Technology
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container PlatformAll Things Open
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 

More Related Content

What's hot

Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux SecurityMichael Boman
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsAnne Nicolas
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsJames Morris
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?Michael Boelen
 
MR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinuxMR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinuxFFRI, Inc.
 
BSides Algiers - Linux Kernel and Recent Security Protections - Djallal Harouni
BSides Algiers - Linux Kernel and Recent Security Protections - Djallal HarouniBSides Algiers - Linux Kernel and Recent Security Protections - Djallal Harouni
BSides Algiers - Linux Kernel and Recent Security Protections - Djallal HarouniShellmates
 
Introducing bastion hosts for oracle cloud infrastructure v1.0
Introducing bastion hosts for oracle cloud infrastructure v1.0Introducing bastion hosts for oracle cloud infrastructure v1.0
Introducing bastion hosts for oracle cloud infrastructure v1.0maaz khan
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesInformation Technology
 

What's hot (20)

Unix Security
Unix SecurityUnix Security
Unix Security
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhyd
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux Security
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux Security
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory Forensics
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
 
Snort-IPS-Tutorial
Snort-IPS-TutorialSnort-IPS-Tutorial
Snort-IPS-Tutorial
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?
 
MR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinuxMR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinux
 
BSides Algiers - Linux Kernel and Recent Security Protections - Djallal Harouni
BSides Algiers - Linux Kernel and Recent Security Protections - Djallal HarouniBSides Algiers - Linux Kernel and Recent Security Protections - Djallal Harouni
BSides Algiers - Linux Kernel and Recent Security Protections - Djallal Harouni
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
Introducing bastion hosts for oracle cloud infrastructure v1.0
Introducing bastion hosts for oracle cloud infrastructure v1.0Introducing bastion hosts for oracle cloud infrastructure v1.0
Introducing bastion hosts for oracle cloud infrastructure v1.0
 
FreeBSD is not Linux
FreeBSD is not LinuxFreeBSD is not Linux
FreeBSD is not Linux
 
SELinux Basic Usage
SELinux Basic UsageSELinux Basic Usage
SELinux Basic Usage
 
Linux Security Crash Course
Linux Security Crash CourseLinux Security Crash Course
Linux Security Crash Course
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System Vulnerabilities
 

Similar to Hardening Linux, introducing Securix GNU/Linux

Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container PlatformAll Things Open
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System zShawn Wells
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guideCraig Cannon
 
Linux container & docker
Linux container & dockerLinux container & docker
Linux container & dockerejlp12
 
Ubuntu 16.04 LTS Security Features
Ubuntu 16.04 LTS Security FeaturesUbuntu 16.04 LTS Security Features
Ubuntu 16.04 LTS Security FeaturesDustin Kirkland
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case
 
Lightweight Virtualization in Linux
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in LinuxSadegh Dorri N.
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to KubernetesRohman Muhamad
 
Install websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bitsInstall websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bitsManuel Vega
 
Securing Hadoop with OSSEC
Securing Hadoop with OSSECSecuring Hadoop with OSSEC
Securing Hadoop with OSSECVic Hargrave
 
Sierraware ARM hypervisor
Sierraware ARM hypervisor Sierraware ARM hypervisor
Sierraware ARM hypervisor Sierraware
 
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn ContainerDay Security 2023
 
Recommended Software and Modifications for Server Security
Recommended Software and Modifications for Server SecurityRecommended Software and Modifications for Server Security
Recommended Software and Modifications for Server SecurityHTS Hosting
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
 

Similar to Hardening Linux, introducing Securix GNU/Linux (20)

Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container Platform
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guide
 
Linux container & docker
Linux container & dockerLinux container & docker
Linux container & docker
 
System Integrity
System IntegritySystem Integrity
System Integrity
 
Ubuntu 16.04 LTS Security Features
Ubuntu 16.04 LTS Security FeaturesUbuntu 16.04 LTS Security Features
Ubuntu 16.04 LTS Security Features
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory Forensics
 
Cl116
Cl116Cl116
Cl116
 
Lightweight Virtualization in Linux
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in Linux
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
 
KVM_security
KVM_securityKVM_security
KVM_security
 
Install websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bitsInstall websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bits
 
Securing Hadoop with OSSEC
Securing Hadoop with OSSECSecuring Hadoop with OSSEC
Securing Hadoop with OSSEC
 
Kali kinux1
Kali kinux1Kali kinux1
Kali kinux1
 
Sierraware ARM hypervisor
Sierraware ARM hypervisor Sierraware ARM hypervisor
Sierraware ARM hypervisor
 
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
 
Recommended Software and Modifications for Server Security
Recommended Software and Modifications for Server SecurityRecommended Software and Modifications for Server Security
Recommended Software and Modifications for Server Security
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
 

Recently uploaded

VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 

Recently uploaded (20)

VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of india
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 

Hardening Linux, introducing Securix GNU/Linux

  • 1. Hardening Linux and introducing Securix GNU/Linux
  • 2. secured linux by default | www.securix.org Hardening basics From lowest to highest level Tune every part of system and applications Follow standards and security policies Regularly check system health Install security patches when possible Log and audit every action
  • 3. Physical security Locked rack BIOS setup password Console in different rack // How it helps? Avoid unauthorized access where somebody can: - shutdown server - reboot server into single-user mode and change password - boot live CD and access data - sniff data on ethernet cable - steal hard disks
  • 4. secured linux by default | www.securix.org Encrypting partitions its essential to have encrypted all partitions except /boot and swap ( / , usr, home, var, opt, tmp) no impact on resources where is HW acceleration possible my recommendation is LUKS cryptsetup -c aes-xts-plain -y -s 512 -h whirlpool luksFormat /dev/xyz // How it helps? data stored are unreadable for attacker passwords can’t be changed during boot from live CD
  • 5. secured linux by default | www.securix.org Securing Grub protect grub using password password --md5 $1$Ul0TR0$fK/7jE2gCbkBAnzBQWWYf/ generate hash using grub-md5-crypt protect single-user boot via password as well setup fallback option // How it helps? avoid unauthorized single-user mode boot fallback in case of problems with new kernel
  • 6. secured linux by default | www.securix.org Kernel configuration enabled only options which are really needed - smaller/faster kernel - secure - big piece of code isn't really needed enabled PaX and Grsecurity - no LSM - robust multi-level security system Securix have minimalistic predefined kernel setup which should boot on many systems by default
  • 7. secured linux by default | www.securix.org /etc/securetty limit root access to console and serial port only # file: /etc/securetty # limit root access console vc/1 tty1 tty2 # serial console access ttyS0 ttyS1 ...
  • 8. Use phrases, not passwords
  • 9. Use phrases, not passwords
  • 10. secured linux by default | www.securix.org /etc/sysctl.conf build with focus on security and network stack tuning some examples: # Kernel EXEC shield kernel.exec-shield = 1 # Make the addresses of mmap base, stack, heap and VDSO page randomized kernel.randomize_va_space = 2 # Reboot system when kernel panic occur, oops will wait 30 seconds untill call panic() kernel.panic = 30 kernel.panic_on_oops = 30 # Disable magic-sysrq key kernel.sysrq = 0
  • 11. secured linux by default | www.securix.org /etc/sysctl.conf # Prevent SYN attack net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_max_syn_backlog = 4096 net.ipv4.tcp_syn_retries = 5 net.ipv4.tcp_synack_retries = 2 # Enable IP spoofing protection, turn on source route verification net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 # Increase allowed local port range net.ipv4.ip_local_port_range = 1024 64000 # Enable tcp_window_scaling net.ipv4.tcp_window_scaling = 1 ...and much more
  • 12. iptables configuration script for pushing/editing/saving firewall rules port scan detection access logging traffic divided into chains strict default policy secured linux by default | www.securix.org
  • 13. /etc/security/limits.conf secured linux by default | www.securix.org # default limits * soft core 0 * hard core 0 * hard nproc 200 * hard nofile 2000 * hard fsize 1024000 * - maxlogins 3 # operator group limits @operators hard nproc 2000 @operators hard nofile 4000 @operators hard fsize 10240000 @operators - maxlogins 10 # service group limits @services hard nproc 40000 @services hard nofile 45000 @services hard fsize 1024000000 @services - maxlogins 100
  • 14. secured linux by default | www.securix.org /etc/ssh/sshd_config Port 55522 Protocol 2 ServerKeyBits 2048 Ciphers aes256-cbc,aes256-ctr,blowfish-cbc Compression yes ClientAliveInterval 15 ClientAliveCountMax 3 TCPKeepAlive no PermitRootLogin no PermitEmptyPasswords no UsePrivilegeSeparation yes StrictModes yes AllowTcpForwarding no X11Forwarding no GatewayPorts no ...
  • 15. secured linux by default | www.securix.org PaX - NOEXEC The goal of NOEXEC is to prevent the injection and execution of code into a task's address space and render this exploit technique unusable under PaX. - segmentation based non-executable page protection [IA-32 only] (SEGMEXEC) - paging based non-executable page protection (PAGEEXEC) - mmap() and mprotect() restrictions (MPROTECT)
  • 16. secured linux by default | www.securix.org Pax - ASLR decrease success rate of attacks that require advanced knowledge of memory addresses via Address Space Layout Randomization (ASLR) - Main executable code/data/bss segment base address randomization (RANDEXEC) - ET_EXEC ELF - mmap() and brk() managed memory [libraries, heap, thread stacks, shared memory, etc] address randomization (RANDMMAP) ET_DYN ELF - User stack base address randomization (RANDUSTACK) - Kernel stack base address randomization (RANDKSTACK)
  • 17. secured linux by default | www.securix.org Grsecurity “Unlike other expensive security "solutions" that pretend to achieve security through known-vulnerability patching, signature-based detection, or other reactive methods, grsecurity provides real proactive security. The only solution that hardens both your applications and operating system, grsecurity is essential for public-facing servers and shared-hosting environments. Grsecurity increased authentication for administrators, audit important system events, and confine your system with no manual configuration through advanced Role-Based Access Control.”
  • 18. secured linux by default | www.securix.org Grsecurity - features high scalable Role-Based Access Control learning mode for RBAC policies restrict access to /dev/kmem, /proc/<pid>/maps, /proc, kernel processes, linking, FIFO, dmesg, IO, ptrace, ... trusted path execution hardened chroot environment fork bomb protection & randomized PIDs
  • 19. Grsecurity - features 2 network protections - randomized IP IDs, larger entropy pools, random TCP sequence numbers, randomized TCP source ports, tcp/udp blackhole, altered ping payload, socket restrictions, ... auditing - exec & chroot exec, ptrace, chdir, un/mount, signal sent, fork failure, time change, append client IP address where possible, denied RWX mmap/mprotect (PaX) ...and much more secured linux by default | www.securix.org
  • 20. Grsecurity benchmark Apache Benchmark: This test profile measures how many requests per second a given system can sustain when carrying out 700,000 requests with 100 requests being carried out concurrently. Source: http://grsecurity.net/~spender/benchmarks.txt Vanilla All grsecurity/PaX features enabled All but RBAC All but UDEREF All but KERNEXEC/UDEREF All but KERNEXEC/UDEREF/SANITIZE All but KERNEXEC/UDEREF/SANITIZE/STACKLEAK
  • 21. Grsecurity benchmark Apache Benchmark: This test profile measures how many requests per second a given system can sustain when carrying out 700,000 requests with 100 requests being carried out concurrently. Source: http://grsecurity.net/~spender/benchmarks.txt 11000 8250 2750 0 5500 Score Vanilla All grsecurity/PaX features enabled All but RBAC All but UDEREF All but KERNEXEC/UDEREF All but KERNEXEC/UDEREF/SANITIZE All but KERNEXEC/UDEREF/SANITIZE/STACKLEAK
  • 22. secured linux by default | www.securix.org Why not SELinux? build as Linux Security Module (LSM) doesn't contain features as Grsecurity (NX, ASLR, DoS and fingerprint mitigation, entropy pools, auditing, ...) complicated policy & no learning mode worse performance in benchmark tests developed and maintained by NSA (“Big Brother”)
  • 23. secured linux by default | www.securix.org Securix GNU/Linux
  • 24. secured linux by default | www.securix.org Securix GNU/Linux follow “best practices” and standards with high focus on security and performance all services and system configuration secured by default own monitoring system which can fix or inform administrator about problems by email or motd (rkhunter, checksec.sh, secxmon.sh, secxwatch.sh, XCCDF, OVAL, ...) update tool which can align system with current Securix configuration actively implement protection against new attack vectors (via update tool) where applicable
  • 25. secured linux by default | www.securix.org Securix GNU/Linux
  • 26. secured linux by default | www.securix.org Securix GNU/Linux anyone can contribute or suggest improvement! build good pre-defined RBAC policies binaries build with SSP and PIE protection proactive security against buffer/heap/stack overflow and exploits every new settings must be tested on production environment basically “it is still Hardened Gentoo” with great support on forums, IRCs and mailing lists ...stay tuned
  • 27. secured linux by default | www.securix.org Securix Installer
  • 28. secured linux by default | www.securix.org Securix Installer written in bash under GPLv3 license system environment check and setup advanced auto-partitioning with LVM and LUKS support (noatime, nodev, nosuid, noexec) auto-detection/setup of architecture, bonding, serial console, http proxy, profile, ... all you need is setup some essential variables like root passphrase, hostname, root mail, etc. following methods KISS (Keep It Simple Stupid) and DASQ (Don't Ask Stupid Questions)
  • 29. secured linux by default | www.securix.org Q&A?
  • 30. secured linux by default | www.securix.org Thank you! Martin Čmelík [ cm3l1k1 ] martin.cmelik [ at ] security-portal.cz www.security-portal.cz www.securix.org
  • 31. secured linux by default | www.securix.org Links www.securix.org www.grsecurity.net http://pax.grsecurity.net/docs/ http://www.gentoo.org/proj/en/hardened/ http://en.wikibooks.org/wiki/Grsecurity http://www.pjvenda.net/linux/doc/pax-performance/ www.cs.virginia.edu/~jcg8f/SELinux%20grsecurity%20paper.pdf www.ece.cmu.edu/~dbrumley/courses/18739c-s11/docs/aslr.pdf http://www.cyberciti.biz/ ...
  • 32. Top security stories of 2011 (by Kaspersky) secured linux by default | www.securix.org
  • 33. Top security stories of 2011 (by Kaspersky) secured linux by default | www.securix.org Rise of “Hactivism” - Anonymous, LulzSec, ... HBGary Federal Hack RSA, Comodo and DigiNotar incident Duqu (Stuxnet) - undetectable for years Sony Playstation Network hack Rise of Android / Mobile malware CarrierIQ - spy and monitoring tool ...we need Securix