Explain Linux Security
Explain Security features Linux System ?.
Linux OS can be represented in the following with three layers. User, System and kernel.Kernel ,Consist of all the operating system resources such as file system ,memory, input/output modules and libraries.The System layer consist of system resources such as Application System interface (API).
And the User layer consist of all the user resources will reside such as application programs.
Linux is a multi-users and multi-tasking OS. Single Linux OS can provide services for more than one user at any time either locally and/or remotely. Every user has their own profile with custom settings that can be set by the user herself for the permitted settings or enforced by Root from the system side. For every user, there will be multi process running ‘concurrently’ for him,locally and/or remotely and it is said multi-tasking OS. In another simple word, single user can run many programs at any time. In order to optimize the resources such as memory, in every process there can be many threads and it is said multi-threading.
In Linux, systems’ processes or services (in Linux term it is a daemon) normally run by Root. Originally, Root can be considered as the king with unlimited privileges that can control the whole OS. However, non-root group’s users will have limited privileges. The many problems start when the users’ privileges have been escalated to Root. When normal users have controlled or could access the kernel, it is a very bad situation.
For the basic security features, Linux has password authentication, file system discretionary access control, and security auditing. By expanding the basic standard security features we have:
- User and group separation
- File system security
- Audit trails
- PAM authentication
- User and group separation : User accounts are used to verify the identity of the person using a computer system. By checking the identity of a user through username and password credentials, the system is able to determine if the user is permitted to log into the system and, if so, which resources the user is allowed to access. Groups are logical constructs that can be used to group user accounts together for a particular purpose.
- **File system Security **: A very true statement of a UNIX/Linux system, everything is a file; if something is not a file, it is a process. Most files are just files, called regular files; they contain normal data, for example text files, executable files or programs, input to or output from a program and so on.
While it is practically safe to say that everything you encounter on a Linux system is a file, there are some exceptions as listed below:
- Directories : files that are lists of other files. Special files : the mechanism used for input and output. Most special files are in /dev for example USB and CD-ROM.
- Links : a system to make a file or directory visible in multiple parts of the system's file tree. It is a shortcut.
- (Domain) sockets : a special file type, similar to TCP/IP sockets, providing inter-process networking protected by the file system's access control.
- Named pipes : act more or less like sockets and form a way for processes to communicate with each other, without using network socket semantics.
- Audit Trails Linux kernel 2.6 comes with audit daemon. It’s responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open /etc/audit.rules file and make changes such as setup audit file log location and other option.
- Plug-gable Authentication Modules authentication (PAM) PAM was invented by SUN Micro systems. Linux-PAM provides a flexible mechanism for authenticating users. It consists of a set of libraries that handle the authentication tasks of applications on the system. The library provides a stable general interface to which privilege-granting programs (such as login) defer to perform standard authentication tasks.Historically, authentication of Linux users relied on the input of a password which was checked with the one stored in /etc/passwd. At each improvement (e.g. /etc/shadow, one-time passwords) each program (e.g. login, ftp) had to be rewritten. PAM is a more flexible user authentication mechanism. Programs supporting PAM must dynamically link themselves to the modules in charge of authentication. The administrator is in charge of the configuration and the attachment order of modules. All applications using PAM must have a configuration file in /etc/pam.d.
Explain TCP Wrapper?.
TCP is used to restrict access to TCP services based on host name, IP address, network address, and so on. tcpd is use to access control facility for internet services. The tcpd program can be set up to monitor incoming requests for telnet, finger, ftp, exec, rsh, rlogin, tftp, sshd and other services that have a one-to-one mapping onto executable files. Your sshd server must be configuring (compiled with) to support tcpd.
The Linux services or commands that can be controlled through tcp_wrappers are those that use the libwrap library
When the system receives a network request for a service that is tcpwrapper-aware, it passes the request to tcpwrappers that checks its access rules. If there are no restrictions on the particular host, IP address or user tcpwrappers allows the access and passes control back to the service.
Access control on tcpwrappers can be configured through /etc/hosts.allow and /etc/hosts.deny files using the following order:
- First searches on /etc/hosts.allow, if tcpwrappers finds a match access is allowed and no more searches are done.
- If no match is found on /etc/hosts.allow it searches on /etc/hosts.deny. If tcpwrappers finds a match access is denied.
- Finally if no match is found on either file, access is allowed.
Wildcards The following are wildcards that can be used on /etc/hosts.allow/deny files:
ALL
: Matches everything and can be used for both the daemon list and the client list:LOCAL
: Matches any host that does not contain a period (.), such as localhost :KNOWN
: Matches any host where the hostname and host address can be resolved by our DNS :UNKNOWN
: Matches any host where the hostname or host address can not be resolved by our DNS :PARANOID
: Matches any host where the hostname does not match with his IP address. An optional field can be used on /etc/hosts.allow/deny in order to execute shell commands when a match is found through the 'spawn' and 'twist' directives.spawn
: Executes a shell command as a child process when a match is found. This feature can be used in order to get client or proccess information.
In the following example all clients attempting to access vsftpd services are logged to file /var/log/audit_vsftpd.log and the connection will be allowed.
cat /etc/hosts.allow
vsftpd : ALL : spawn /bin/echo `/bin/date` from %h>>/var/log/audit_vsftpd.log
twist
: Replaces the requested service with the specified command. Useful to send messages to connection clients cat /etc/hosts.deny
telnetd : 192.168.10.0/255.255.255.0 : twist /bin/echo "What are you doing %a!!!"
In this case when a client from 192.1568.10.0/24 LAN try to connect to telnet service, tcpwrappers deny the access and send the message to the client.
Hello There,
ReplyDeleteZoooooooom! That’s how speedy and easy this read was! Looking forward to more of such powerful content on Linux Security!
I read V7 Unix introduced the first version of the modern Standard I/O library studio as part of the system library. The next implementations increased the number of libraries significantly. Doesn't it adds overhead of loading unused libraries?
But nice Article Mate! Great Information! Keep up the good work!
Best Regards,
Preethi
ReplyDeleteThe blog is easy to study and really enjoying that. Its help me to improve my knowledge and skills also.im really satisfied in this blog.
DevOps certification in Chennai
DevOps Training in Chennai
DevOps course in Chennai
Data Science Training in Chennai
AWS training in chennai
AWS course in chennai
I like this post and I love to write articles click the link below to read the blog.
ReplyDeleteangularjs training in chennai
This blog post provides a comprehensive and clear explanation of the security features in a Linux system.
ReplyDeleteJoin Linux Course in Pune