Explain Linux Security

Explain the security features of a Linux system.

A Linux system can be described as three layers: user, system and kernel. The kernel layer holds the core operating-system resources: the file system, memory management and the input/output (device driver) modules. The system layer holds the interfaces through which programs reach the kernel, such as the system-call interface and the system libraries that make up the application programming interface (API).
The user layer is where user resources such as application programs reside.
Linux is a multi-user, multi-tasking operating system. A single Linux installation can serve more than one user at the same time, locally and/or remotely. Every user has a profile whose settings are either chosen by the user (within what is permitted) or enforced from the system side by root. Each user can have many processes running concurrently, locally and/or remotely, which is what makes the system multi-tasking: in simple terms, a single user can run many programs at the same time. To make better use of resources such as memory, a process can itself contain many threads, which is called multi-threading.
System processes and services (in Linux terms, daemons) have traditionally run as root. Root is the king of the system: an account with unrestricted privileges that can control the whole OS, whereas unprivileged users have limited privileges. Most of the trouble starts when an ordinary user's privileges are escalated to root (privilege escalation); a normal user who gains control of, or access to, the kernel is the worst case.
For basic security features, Linux has password authentication, discretionary access control on the file system, and security auditing. Expanding on these standard features:
  • User and group separation
  • File system security
  • Audit trails
  • PAM authentication
  1. User and group separation: user accounts are used to verify the identity of the person using the system. By checking a user's identity against username and password credentials, the system can determine whether the user is permitted to log in and, if so, which resources the user may access. Groups are logical constructs that collect user accounts together for a particular purpose, so that a permission can be granted once to the group instead of to every member.
  2. File system security: a statement that is very true of UNIX/Linux systems is that everything is a file, and if something is not a file it is a process. Most files are just regular files: they contain ordinary data such as text, executable programs, or the input to or output from a program.
While it is practically safe to say that everything you encounter on a Linux system is a file, there are some special kinds of file, listed below:
  • Directories: files that are lists of other files.
  • Special files: the mechanism used for input and output. Most special files live in /dev, for example USB and CD-ROM devices.
  • Links: a mechanism to make a file or directory visible in several places of the file tree. A symbolic link works like a shortcut to a path; a hard link is an additional directory entry for the same inode.
  • (Domain) sockets: a special file type, similar to TCP/IP sockets, providing inter-process communication that is protected by the file system's access control.
  • Named pipes: act more or less like sockets and give processes a way to communicate with each other without using network socket semantics.
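The owner/group/other check that file system discretionary access control performs, as an added example that is not from the original post: a small Python model of the kernel's decision, run against a constructed inventory of files and identities (the paths, uids and gids are made up for the example, and nothing here touches the real file system).

```python
"""Added example, not from the original post: the discretionary access
control (DAC) decision Linux makes when a process opens a file, modelled
in Python so the owner -> group -> other order can be seen step by step.
The file inventory and identities below are constructed for this example."""
import stat
from dataclasses import dataclass

# Constructed inventory: path -> (owner uid, owner gid, permission bits).
SAMPLE_FILES = {
    "/etc/passwd": (0, 0, 0o644),              # world-readable, root-writable
    "/etc/shadow": (0, 42, 0o640),             # root rw, group 42 ('shadow') read-only
    "/home/alice/notes": (1000, 1000, 0o600),  # private to alice
    "/home/alice/quirk": (1000, 1000, 0o077),  # owner class empty, everyone else full
    "/usr/local/bin/report.sh": (0, 0, 0o755),
    "/srv/drop": (0, 0, 0o000),                # no permission bits at all
}


@dataclass(frozen=True)
class Identity:
    """A process's credentials: uid, primary gid and supplementary groups."""
    uid: int
    gid: int
    groups: frozenset = frozenset()

    def in_group(self, gid: int) -> bool:
        return gid == self.gid or gid in self.groups


def can_access(ident: Identity, path: str, want: str, files=SAMPLE_FILES) -> bool:
    """Return True if `ident` may perform every operation in `want`
    (a subset of "rwx") on `path`.

    Exactly one permission class is consulted: the owner class if the
    caller owns the file, otherwise the group class if the caller is in
    the file's group, otherwise the 'other' class. A more permissive
    class further down is never consulted, which is why an owner can be
    locked out of a file that everyone else can read."""
    owner, group, mode = files[path]
    if ident.uid == owner:
        bits = (mode >> 6) & 0o7
    elif ident.in_group(group):
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7

    # root (uid 0, holding CAP_DAC_OVERRIDE) bypasses read/write checks,
    # but may execute only if at least one execute bit is set anywhere.
    if ident.uid == 0:
        return "x" not in want or bool(mode & 0o111)

    need = 0
    if "r" in want:
        need |= 0o4
    if "w" in want:
        need |= 0o2
    if "x" in want:
        need |= 0o1
    return (bits & need) == need


def ls_style(path: str, files=SAMPLE_FILES) -> str:
    """Render the permission bits the way `ls -l` does, e.g. '-rw-r-----'."""
    _, _, mode = files[path]
    return stat.filemode(stat.S_IFREG | mode)


if __name__ == "__main__":
    alice = Identity(1000, 1000)
    bob_in_shadow = Identity(1001, 1001, frozenset({42}))
    root = Identity(0, 0)
    for who, label in ((alice, "alice"), (bob_in_shadow, "bob(+shadow)"), (root, "root")):
        for path in SAMPLE_FILES:
            verdict = "".join(op if can_access(who, path, op) else "-" for op in "rwx")
            print(f"{ls_style(path)} {path:26} {label:13} {verdict}")
```

Running the block prints a permission matrix for the three constructed identities; the /home/alice/quirk entry shows that the owner class alone decides for the owner, so alice cannot read her own file while bob can, and /srv/drop shows that even root cannot execute a file with no execute bit.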
  3. Audit trails: the audit subsystem was added in the 2.6 kernel; its user-space counterpart, the audit daemon (auditd), is responsible for writing the audit records to disk. At startup the rules in the audit rules file (/etc/audit.rules on older systems, /etc/audit/audit.rules on current ones) are loaded into the kernel, while the daemon's own settings, such as the location of the log file, live in /etc/audit/auditd.conf. Rules can also be added at runtime with auditctl, and the resulting records are searched with ausearch.
  4. Pluggable Authentication Modules (PAM): PAM was invented by Sun Microsystems. Linux-PAM provides a flexible mechanism for authenticating users. It consists of a set of libraries that handle the authentication tasks of applications on the system; the library provides a stable, general interface to which privilege-granting programs (such as login) defer to perform standard authentication tasks. Historically, authentication of Linux users relied on a password that was checked against the hash stored in /etc/passwd. With each improvement (e.g. /etc/shadow, one-time passwords) every program (e.g. login, ftp) had to be rewritten. PAM is a more flexible mechanism: programs supporting PAM link dynamically against the PAM library, which in turn loads the modules in charge of authentication, and the administrator controls the configuration and the order in which modules are stacked. Every application using PAM has a configuration file in /etc/pam.d; each line names a management group (auth, account, password or session), a control flag (such as required, requisite, sufficient or optional) and the module to call, and the lines of a group are evaluated in order.

Explain TCP Wrappers.

TCP Wrappers is used to restrict access to TCP services based on host name, IP address, network address and so on. tcpd is the access-control facility for Internet services: it can be set up to monitor incoming requests for telnet, finger, ftp, exec, rsh, rlogin, tftp, sshd and other services that have a one-to-one mapping onto executable files. A service must be built with TCP Wrappers support to be controlled this way; for sshd that means being compiled against libwrap. Note that OpenSSH dropped libwrap support in version 6.7, so on a current system sshd is usually not tcp_wrappers-aware and its access should be restricted in sshd_config or with the firewall instead.
The Linux services or commands that can be controlled through tcp_wrappers are those that use the libwrap library.
When the system receives a network request for a service that is tcp_wrappers-aware, it passes the request to tcp_wrappers, which checks its access rules. If there is no restriction on the particular host, IP address or user, tcp_wrappers allows the access and passes control back to the service.
Access control is configured through the /etc/hosts.allow and /etc/hosts.deny files, which are consulted in the following order:
  • /etc/hosts.allow is searched first; if tcp_wrappers finds a match, access is allowed and no further searching is done.
  • If no match is found in /etc/hosts.allow, /etc/hosts.deny is searched; if tcp_wrappers finds a match, access is denied.
  • Finally, if no match is found in either file, access is allowed. The default is therefore permissive: for a default-deny policy, put a catch-all entry such as ALL : ALL in /etc/hosts.deny and list the permitted clients in /etc/hosts.allow.
Wildcards: the following wildcards can be used in /etc/hosts.allow and /etc/hosts.deny:
ALL: matches everything, and can be used in both the daemon list and the client list.
LOCAL: matches any host whose name does not contain a period (.), such as localhost.
KNOWN: matches any host whose host name and address can both be resolved by our DNS.
UNKNOWN: matches any host whose host name or address cannot be resolved by our DNS.
PARANOID: matches any host whose host name does not match its IP address (the name obtained by reverse lookup of the address does not resolve back to that address).
An optional third field can be used in /etc/hosts.allow and /etc/hosts.deny to execute shell commands when a match is found, through the spawn and twist directives.
spawn: executes a shell command as a child process when a match is found. This can be used to record client or process information.
In the following example, every client attempting to access the vsftpd service is logged to /var/log/audit_vsftpd.log and the connection is allowed (%h expands to the client's host name, or to its address if the name cannot be resolved):
    cat /etc/hosts.allow
    vsftpd : ALL : spawn /bin/echo `/bin/date` from %h>>/var/log/audit_vsftpd.log
twist: replaces the requested service with the specified command. Useful for sending a message to the connecting client:
    cat /etc/hosts.deny
     telnetd : 192.168.10.0/255.255.255.0 : twist /bin/echo "What are you doing %a!!!"
In this case, when a client from the 192.168.10.0/24 LAN tries to connect to the telnet service, tcp_wrappers denies access and sends the message to the client (%a expands to the client's address). Because twist replaces the service process, it is normally placed in /etc/hosts.deny; the daemon name in the first field must match the name of the server's executable (often in.telnetd for telnet), otherwise the rule never matches.
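The decision procedure described above (hosts.allow first, then hosts.deny, then default allow), the wildcards, and the %-expansion used by spawn and twist, as an added example that is not part of the original post: a Python re-implementation run over two constructed rule files that reuse the vsftpd and telnetd entries. Name resolution is modelled by a small Client record instead of real DNS, and EXCEPT lists and the extended allow/deny option keywords are not implemented; the point is to see the order of evaluation. On a real host, tcpdmatch(8) from the tcp_wrappers package gives the authoritative answer (for example `tcpdmatch sshd 192.168.10.5`), and tcpdchk(8) reports syntax errors in the two files.

```python
"""Added example, not from the original post: a re-implementation of the
tcp_wrappers access decision (hosts.allow, then hosts.deny, then default
allow) with the ALL/LOCAL/KNOWN/UNKNOWN/PARANOID wildcards, network and
suffix/prefix patterns, and %a/%h/%d expansion for spawn/twist commands.
The two rule files are constructed strings; DNS is modelled by Client.
Not implemented: EXCEPT lists and the extended allow/deny keywords."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

HOSTS_ALLOW = """\
# constructed sample of /etc/hosts.allow
sshd : 10.0.0.0/255.0.0.0, .corp.example
vsftpd : ALL : spawn /bin/echo `/bin/date` from %h>>/var/log/audit_vsftpd.log
"""

HOSTS_DENY = """\
# constructed sample of /etc/hosts.deny
telnetd : 192.168.10.0/255.255.255.0 : twist /bin/echo "What are you doing %a!!!"
sshd : ALL
"""


class Client(NamedTuple):
    addr: str
    name: Optional[str] = None  # None: reverse lookup failed (UNKNOWN)
    forward_ok: bool = True     # False: name does not resolve back to addr (PARANOID)


Rule = Tuple[List[str], List[str], Optional[str]]


def parse_rules(text: str) -> List[Rule]:
    """daemon_list : client_list [: shell_command], one rule per line.
    Comments start with '#' (so a '#' inside a command is not supported here)."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients, *rest = line.split(":", 2)
        rules.append((
            [d.strip() for d in daemons.split(",")],
            [c.strip() for c in clients.split(",")],
            rest[0].strip() if rest else None,
        ))
    return rules


def match_client(pattern: str, c: Client) -> bool:
    """Match one client pattern the way tcp_wrappers documents it."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":       # host name without a dot, e.g. localhost
        return c.name is not None and "." not in c.name
    if pattern == "KNOWN":       # name and address both resolved, consistently
        return c.name is not None and c.forward_ok
    if pattern == "UNKNOWN":     # name could not be resolved
        return c.name is None
    if pattern == "PARANOID":    # name resolved but does not map back to the address
        return c.name is not None and not c.forward_ok
    if "/" in pattern:           # net/mask, e.g. 192.168.10.0/255.255.255.0 or /24
        try:
            return ipaddress.ip_address(c.addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if pattern.startswith("."):  # domain suffix, e.g. .corp.example
        return c.name is not None and c.name.endswith(pattern)
    if pattern.endswith("."):    # address prefix, e.g. 192.168.
        return c.addr.startswith(pattern)
    return pattern == c.addr or pattern == c.name


def expand(command: str, daemon: str, c: Client) -> str:
    """Expand the %-sequences used by spawn/twist: %a client address,
    %h client name (falls back to the address), %d daemon name."""
    return (command.replace("%a", c.addr)
                   .replace("%h", c.name or c.addr)
                   .replace("%d", daemon))


def decide(daemon: str, c: Client, allow_text: str = HOSTS_ALLOW,
           deny_text: str = HOSTS_DENY) -> Tuple[str, Optional[str]]:
    """Return ('allow' | 'deny', expanded shell command or None)."""
    for text, verdict in ((allow_text, "allow"), (deny_text, "deny")):
        for daemons, clients, command in parse_rules(text):
            if any(d in ("ALL", daemon) for d in daemons) and any(match_client(p, c) for p in clients):
                return verdict, (expand(command, daemon, c) if command else None)
    return "allow", None   # nothing matched in either file: access is granted


if __name__ == "__main__":
    for daemon, client in (("sshd", Client("10.1.2.3", "build1.corp.example")),
                           ("sshd", Client("203.0.113.7")),
                           ("vsftpd", Client("203.0.113.7")),
                           ("telnetd", Client("192.168.10.44", "pc44")),
                           ("telnetd", Client("10.9.9.9", "pc9"))):
        print(daemon, client.addr, *decide(daemon, client))
```

The last case in the block is the one worth remembering: telnetd from 10.9.9.9 matches nothing in either file and is therefore allowed, which is exactly the permissive default the ordering rules describe.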

Comments

  1. Hello There,

    Zoooooooom! That’s how speedy and easy this read was! Looking forward to more of such powerful content on Linux Security!

    I read V7 Unix introduced the first version of the modern Standard I/O library stdio as part of the system library. The next implementations increased the number of libraries significantly. Doesn't it add overhead of loading unused libraries?

    But nice Article Mate! Great Information! Keep up the good work!

    Best Regards,
    Preethi

