Compliance

Do NOT use Linux hardening checklists for your servers

The solution to avoid using Linux hardening checklists for your servers is simple. With proper automation and regular checks, checklists could be avoided.

Summary of Do NOT use Linux hardening checklists for your servers

Quality is an interesting word. It describes, well, the quality of something. Quality is just another word for how well can you repeat something. The goal is to get each time exactly the same result. Whenever it’s a physical product, or rolling out a new Linux system, you want great quality. One method to increase quality is using checklists. However we strongly advice against using Linux hardening checklists.. But checklists are good, right?

Read the full article…

Find the alternatives: CIS-CAT auditing tool

Sometimes time or money is limited. We hunt to find great alternatives to commercial solutions. This time alternatives for the CIS auditing tool CIS-CAT.

Summary of Find the alternatives: CIS-CAT auditing tool

The Center for Internet Security, CIS for short, is the organization behind several in-depth hardening guides. The quality of these hardening guides is outstanding, with a high level of detail. This high level of detail has one downside: it costs a lot of time to read, try and test the recommendations. Sometimes we simply don’t have the time to do an extensive audit by hand. Let alone the time to actually repeat the auditing and hardening steps on a regular basis.

Read the full article…

GDPR Compliance: Technical Requirements for Linux Systems

An insight in the technical aspects and requirements for Linux systems when it comes to compliance with the GDPR, the General Data Protection Regulation.

Summary of GDPR Compliance: Technical Requirements for Linux Systems

What is GDPR? GDPR or General Data Protection Regulation is a regulation to protect personal data from citizens of the European Union (EU). When speaking about stored data, it includes the handling of data at any given time, from the initial creation of the data, until the final deletion of it. One of the important parts is the right to ‘know’. That means that individuals can ask what data is stored about them.

Read the full article…

Linux server security: Three steps to secure each system

Article about Linux server security and guidance for securing your Linux systems. Focus on auditing, hardening and compliance, to improve security defenses.

Summary of Linux server security: Three steps to secure each system

Determining the level of Linux server security can only by measuring the actual implemented security safeguards. This process is called auditing and focuses on comparing common security measures with the ones implemented. While there is almost no system with all possible safeguards implemented, we still can determine how well (or badly) the system is protected. Security is about finding the weakest link(s) and associate risk with each weakness. Depending on the role of the system, sensitivity of data and possible threats, we can then select what security safeguards are appropriate.

Read the full article…

PCI DSS (v3) for Linux: Auditing application processes (A.1.2.a)

PCI DSS v3 compliance (A.1.2.a) requires you to verify if no application processes are running as root. We audit these application processes and check the status of each.

Summary of PCI DSS (v3) for Linux: Auditing application processes (A.1.2.a)

A.1.2.a Verify the user ID of any application process is not a privileged user (root/admin). For Unix and Linux based systems, processes should run as a non-privileged user where possible. However to be able to start, a process is usually started with root permissions (uid 0). This is required to open the required sockets (e.g. bind to port 80). After the initial start, the process drops its privileges by switching to another user.

Read the full article…

PCI DSS (v3) Linux: Creation and deletion of system-level objects (10.2.7)

The PCI DSS standard defines "Creation and deletion of system-level objects" in control 10.2.7. For Linux systems this might be handled with the Linux audit framework.

Summary of PCI DSS (v3) Linux: Creation and deletion of system-level objects (10.2.7)

Some areas are within the PCI standard are definitely not directly clear when reading the description. Section 10.2.7 is one of them. It talks about the creation and deletion of system-level objects and specifically the ability to log them. System-level objects? The guidance in 10.2.7 speaks about malware and mentions database related items. That does not make auditing very obvious, as malware usually targets binaries. Therefore we have to look first what a system-level object is.

Read the full article…

PCI DSS (v3) Linux: Invalid logical access attempts (10.2.4)

PCI DSS compliance control 10.2.4 mandates to monitor invalid logical access attempts. For Linux we can use the Linux audit framework to monitor for this event.

Summary of PCI DSS (v3) Linux: Invalid logical access attempts (10.2.4)

PCI describes in control 10.2.4 to monitor for “invalid logical access attempts”. Another way of saying to monitor attempts which are not allowed, like accessing a file you are not supposed to. Another indication might be brute force attempts to log in, which result in several failed logins. To monitor for invalid access attempts, we can use the Linux audit framework. This framework has been created and maintained by Red Hat over the years.

Read the full article…

PCI DSS (v3) Linux: Logging of administrative actions with root privileges (10.2.2)

PCI DSS requires logging of administrative actions, including commands executed by the root user or using sudo. Learn how to set up accounting and auditing.

Summary of PCI DSS (v3) Linux: Logging of administrative actions with root privileges (10.2.2)

Companies who need to comply with the PCI DSS standard need to log all actions which are executed by the root user or those accounts with similar administrative privileges. 10.2.2 Verify all actions taken by any individual with root or administrative privileges are logged. The Linux kernel allows the monitoring of executed commands. This monitoring and logging can be done with the Linux audit framework. Using this framework, we can monitor the right system calls and create an audit trail.

Read the full article…

PCI DSS (v3) Linux: No write access to shared system binaries (A.1.2.c)

PCI compliance (A.1.2.c) demands that no write access is allowed to shared system binaries. For this to test we can use several tools to determine if write access is allowed.

Summary of PCI DSS (v3) Linux: No write access to shared system binaries (A.1.2.c)

A.1.2.c Verify that an entity’s users do not have write access to shared system binaries Shared system binaries should be protected, as they form the basis of your system. PCI compliance (A.1.2.c) demands that users do not have write access to shared systems binaries. The only exception is of course the root user, so software upgrades are still possible. Paths for system binaries Depending on the distribution used there are several directories which have shared system binaries.

Read the full article…

PCI DSS (v3) Linux: Restrict log file viewing (A.1.2.d)

Linux users who want to compliant with PCI DSS have to restrict log file viewing to only the owner. We have a look at how to discover log files which can be viewed by others.

Summary of PCI DSS (v3) Linux: Restrict log file viewing (A.1.2.d)

A.1.2.d Verify that viewing of log entries is restricted to the owning entity. To limit exposure to information, PCI DSS requires access of logging to only the entity owning that log file. In other words, we have to search for those entries which can be seen by others. Search related log files By default, most log files on Linux based systems will be stored in /var/log. We can do a quick check for any files which are world readable, by using find.

Read the full article…

Security Integration: Configuration Management and Auditing

Configuration Management and Auditing. Increased strength when combining tools for automation and security of IT environments Tools like Ansible, Chef, and Puppet are used a lot for rapid...

Summary of Security Integration: Configuration Management and Auditing

Increased strength when combining tools for automation and security of IT environments Tools like Ansible, Chef, and Puppet are used a lot for rapid deployment and keeping systems properly configured. These tools in itself are great for ensuring consistency over your systems. So what is Configuration Management? Configuration management is the art of keeping systems properly configured. Usually companies start small, which equals manual configuration. Each time a new system is deployed, it is configured manually.

Read the full article…

SOx compliance and Enron: The Smartest Guys in the Room

On of the biggest companies in the US, Enron fell into the trap of fraud. Great lessons might be learned from the documentary, and see why SOx compliance isn't that bad.

Summary of SOx compliance and Enron: The Smartest Guys in the Room

If you are involved with Linux security, you might already have come across SOx compliance. Usually from a sysadmins point of view, work doesn’t get easier due to these compliance requirements. Still there are some lessons we can learn, followed by a great documentary to watch about Enron. The Sabanes-Oxley Act, SOx for short, now applies to all companies who like to have their stock exchanged at the New York stock exchange (NYSE).

Read the full article…

Using ClamAV for Linux PCI DSS requirement 5: Malware

PCI DSS requirement 5 focuses on anti-virus and malware, or malicious software. Linux systems can also be compliant by using the popular ClamAV software.

Summary of Using ClamAV for Linux PCI DSS requirement 5: Malware

An important part in the PCI DSS compliance, is checking for malicious software, or malware. By using anti-virus software like ClamAV, malware threats can be detected, and in most cases prevented. In this article we focus mainly on Linux environments, but of course most of these tips will apply to other platforms like Mac OS. 5.1. Verify presence of software 5.1 For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists.

Read the full article…

Using Open Source Auditing Tools as alternative to CIS Benchmarks

Hardening guides, and the CIS benchmarks in particular, are a great resource to check your system for possible weaknesses and conduct system hardening. But who has the time to read it cover to...

Summary of Using Open Source Auditing Tools as alternative to CIS Benchmarks

An alternative to CIS Benchmarks and hardening guides Hardening guides, and the CIS benchmarks in particular, are a great resource to check your system for possible weaknesses and conduct system hardening. But who has the time to read it cover to cover, and apply every single step? In this article, we have a look at the alternative: open source auditing tools. Time.. Hardening is a time-consuming task. As security specialists, we know that.

Read the full article…