Linux security and system hardening checklist

These recommendations can make you a little more resistant to evil maid attacks, but they do not constitute a proper verified boot process as found on Android, ChromeOS, or Windows. openSUSE and its derivatives come with an encrypted /boot out of the box (as part of the root partition). This setup does work, using encryption to sidestep the unverified initramfs problem. One of the problems with Secure Boot, particularly on Linux, is that only the chainloader (shim), the bootloader (GRUB), and the kernel are verified in a typical setup. The initramfs is often left unverified and unencrypted, leaving the door open to an evil maid attack. If you are a Whonix or Tails user, you can disregard setting up DNSSEC, as Tor DNS resolution does not support it.

  • Once access to USB and Thunderbolt devices is disabled, a user cannot harm the system in these ways.
  • However, the LEGACY cryptographic policy makes your system much more vulnerable by also enabling other weak cryptographic algorithms.
  • However, hardware tokens and HSMs can have their own PKCS #11 modules that have no counterpart in the system.
  • However, some buggy drivers cause harmless oopses that would then crash the system, so this boot parameter can only be used on certain hardware.

You can also send encrypted files to the monitored systems, and specify automated actions triggered whenever a monitored system fails the integrity test. The RHSA OVAL definitions are designed to check for vulnerable versions of RPM packages installed on a system. It is possible to extend these definitions to include further checks, for example, to find out if the packages are being used in a vulnerable configuration.

2 BIOS / UEFI hardening

Ptrace is commonly used by debugging tools including gdb, strace, perf, reptyr and other debuggers. However, it also provides a means by which a malicious process can read data from and take control of other processes. BPF code may be either interpreted or compiled using a Just-In-Time (JIT) compiler.

  • OpenSUSE gives the choice of SELinux or AppArmor during the installation process.
  • First, you need to boot into your firmware interface and enter Secure Boot setup mode.
  • In some industries, such as electronic commerce, the availability and trustworthiness of data can mean the difference between success and failure.
  • Disable booting from the drives listed above only once you have your BIOS configured.

Using these metrics, industries can calculate aspects such as data integrity and high availability (HA) as part of their planning and process management costs. Enterprises have solicited the knowledge and skills of security experts to properly audit systems and tailor solutions to fit the operating requirements of their organization. The latest server motherboards include a built-in web server through which they can be accessed remotely.

Packages

This passphrase serves as a key to unlock the bulk encryption key, which is used to secure the partition’s data. Security begins even before you start the installation of Red Hat Enterprise Linux. Configuring your system securely from the beginning makes it easier to implement additional security settings later. The team plans to investigate these possibilities going forward, and also intends to look into fingerprint readers in Linux, Android, and Apple devices. All major TLS libraries now support the Extended Master Secret (EMS) extension and enable it by default.

  • The Clevis client should store the state produced by this provisioning operation in a convenient location.
  • In a crypto_policies System Role playbook, you can define the parameters for the crypto_policies configuration file according to your preferences and limitations.
  • Moreover, newer software is often not as rigorously tested as one might expect, because of its recent arrival to production environments or because it may not be as popular as other server software.
  • The pin also supports sealing data to a Platform Configuration Register (PCR) state.

Such changes reflect new security standards and new security research. The system-wide cryptographic policies component configures the core cryptographic subsystems, covering the TLS, IPsec, SSH, DNSSEC, and Kerberos protocols. It provides a small set of policies from which the administrator can select. During the installation process, you have the option to encrypt partitions.

Security policy

Sooner or later one of these packages might contain a vulnerability. This is simply a known weakness in the software, which can lead to instability or even a security breach. For that reason, the system should be ‘patched’ on a regular basis.

In the Linux kernel, root privileges are split up into various capabilities. This helps in applying the principle of least privilege: instead of giving a process total root privileges, you can grant it only a specific subset. For example, if a program simply needs to set the system time, it only needs CAP_SYS_TIME rather than full root. This limits the potential damage that can be done; however, you must still be cautious when granting capabilities, as many of them can be abused to gain full root privileges anyway.
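A quick way to see what the paragraph above means in practice is to decode the capability bitmask the kernel exposes in /proc/PID/status and flag the bits that are widely documented as root-equivalent. The following is an added example, not code from the original checklist. The bit numbers follow the kernel's capability header; the ROOT_EQUIVALENT set is an editorial assumption (capabilities commonly cited as sufficient to regain full root), not an official list, and the SAMPLE_STATUS text is a constructed /proc status excerpt for a time daemon that holds only CAP_SYS_TIME.

```python
"""Decode a process's capability sets and flag root-equivalent bits.

Added example (not from the original page). Assumptions: CAP_NAMES follows
include/uapi/linux/capability.h bit numbering; ROOT_EQUIVALENT is an
editorial choice, not an official kernel list.
"""
import re

# Capability names indexed by bit number: CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Editorial assumption: capabilities that, on their own, are commonly
# documented as enough to escalate back to full root (module loading,
# ptrace, raw I/O, bypassing DAC, changing uid, writing file caps, ...).
ROOT_EQUIVALENT = {
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
    "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_SETUID", "CAP_SETGID",
    "CAP_SETFCAP", "CAP_CHOWN", "CAP_FOWNER", "CAP_MKNOD",
}

_CAP_LINE = re.compile(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)


def decode_caps(mask):
    """Turn a capability bitmask into the list of set capability names."""
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_UNKNOWN_{bit}")
    return names


def parse_status(text):
    """Extract CapInh/CapPrm/CapEff/CapBnd/CapAmb from /proc/PID/status text."""
    return {m.group(1): int(m.group(2), 16) for m in _CAP_LINE.finditer(text)}


def audit(text):
    """Report the effective capabilities and which of them are root-equivalent."""
    caps = parse_status(text)
    effective = decode_caps(caps.get("CapEff", 0))
    risky = sorted(set(effective) & ROOT_EQUIVALENT)
    return {"effective": effective, "root_equivalent": risky}


def audit_pid(pid):
    """Audit a live process (Linux only); reads /proc/<pid>/status."""
    with open(f"/proc/{pid}/status", encoding="utf-8") as fh:
        return audit(fh.read())


# Constructed sample: a time daemon granted only CAP_SYS_TIME (bit 25 -> 0x2000000).
SAMPLE_STATUS = (
    "Name:\tntpd\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000002000000\n"
    "CapEff:\t0000000002000000\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE_STATUS))
```

Run `audit_pid(os.getpid())` on a real system to see your own shell's effective set; a service that shows anything from ROOT_EQUIVALENT in its effective set has not really been confined, whatever its unit file says.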

This setting makes your system ignore all ICMP requests, which avoids Smurf attacks, makes the device more difficult to enumerate on the network, and prevents clock fingerprinting through ICMP timestamps. It is highly recommended to enable the Linux firewall to block unauthorised access to your servers. Apply rules in iptables to filter incoming, outgoing and forwarded packets. You can specify source and destination addresses to allow or deny traffic on specific UDP/TCP ports.
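The ptrace and BPF JIT points earlier on the page and the ICMP setting just described are all sysctl knobs, so a single audit script covers both passages. The following is an added example, not the checklist's own code. The sysctl keys are real Linux ones; the EXPECTED values are an editorial hardening baseline (an assumption, not an official standard), and SAMPLE_FRAGMENT is a constructed sysctl.d-style file used as input.

```python
"""Audit a sysctl fragment against a small hardening baseline.

Added example (not from the original page). The EXPECTED values are an
editorial baseline, not an official standard:
  kernel.yama.ptrace_scope        2 = only CAP_SYS_PTRACE may attach, 3 = no ptrace
  net.core.bpf_jit_harden         2 = constant blinding for all BPF JIT users
  kernel.unprivileged_bpf_disabled 1 = BPF syscall is root-only
  net.ipv4.icmp_echo_ignore_all   1 = drop ICMP echo requests (the page's setting)
  net.ipv4.icmp_echo_ignore_broadcasts 1 = classic Smurf mitigation
"""

EXPECTED = {
    "kernel.yama.ptrace_scope": ("min", 2),
    "net.core.bpf_jit_harden": ("min", 2),
    "kernel.unprivileged_bpf_disabled": ("min", 1),
    "net.ipv4.icmp_echo_ignore_all": ("eq", 1),
    "net.ipv4.icmp_echo_ignore_broadcasts": ("eq", 1),
}


def parse_sysctl(text):
    """Parse sysctl.conf syntax: '#'/';' comment lines, 'key = value',
    '/' and '.' interchangeable in keys, optional leading '-' on a key."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip().lstrip("-").replace("/", ".")
        settings[key] = value.strip()
    return settings


def check(text):
    """Return {key: 'ok' | 'missing' | 'weak: ...' | 'unparseable: ...'}."""
    settings = parse_sysctl(text)
    findings = {}
    for key, (op, want) in EXPECTED.items():
        raw = settings.get(key)
        if raw is None:
            findings[key] = "missing"
            continue
        try:
            have = int(raw)
        except ValueError:
            findings[key] = f"unparseable: {raw!r}"
            continue
        ok = have == want if op == "eq" else have >= want
        findings[key] = "ok" if ok else f"weak: {have} (want {op} {want})"
    return findings


def weak_keys(text):
    """Sorted list of baseline keys that are not at the expected value."""
    return sorted(k for k, v in check(text).items() if v != "ok")


def read_live():
    """Read the same keys from a running Linux kernel via /proc/sys."""
    lines = []
    for key in EXPECTED:
        try:
            with open("/proc/sys/" + key.replace(".", "/"), encoding="utf-8") as fh:
                lines.append(f"{key} = {fh.read().strip()}")
        except OSError:
            pass  # key absent on this kernel; reported as 'missing'
    return "\n".join(lines)


# Constructed sample fragment (not from the page): one weak value, one key left unset.
SAMPLE_FRAGMENT = """
# hardening.conf (constructed example)
kernel.yama.ptrace_scope = 1
net.core.bpf_jit_harden = 2
; unprivileged BPF deliberately left at the kernel default here
net.ipv4.icmp_echo_ignore_all = 1
net/ipv4/icmp_echo_ignore_broadcasts = 1
"""

if __name__ == "__main__":
    for key, verdict in check(SAMPLE_FRAGMENT).items():
        print(f"{key:40} {verdict}")
```

On a live host, `check(read_live())` compares the running values rather than a file; note that a value can be correct in a file but still overridden by a later fragment in /etc/sysctl.d, which is exactly why checking /proc/sys is the more useful test.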
