Linux server security: Three steps to secure each system
Determining the level of Linux server security is only possible by measuring the security safeguards that are actually implemented. This process is called auditing and focuses on comparing common security measures with the ones implemented. While almost no system has all possible safeguards implemented, we can still determine how well (or badly) the system is protected.
Security is about finding the weakest link(s) and associating a risk with each weakness. Depending on the role of the system, the sensitivity of its data and the possible threats, we can then select which security safeguards are appropriate. By implementing these safeguards, a process called hardening, we strengthen our security defenses. After these steps, we compare the implemented measures with our baselines to determine the level of compliance.
Auditing
To audit a Linux system we use our open source tool Lynis and perform a system scan. It runs on almost all Unix and Linux based systems and only requires a shell and root permissions. It automatically discovers the operating system and the available binaries and tools needed to run the audit process. After that first step it starts with the first batch of tests. Tests are bundled by category, so it is easy to determine in which areas additional hardening might be needed.
After the scan all findings are reported and additional information is stored in the log files (/var/log/lynis.log). A hardening index is also displayed, to give the auditor a first impression of how well the system is hardened.
Hardening
After running Lynis it’s time to deal with the findings. Depending on the role of the machine and the risks, it’s the auditor who should decide which security controls need to be implemented. Since Lynis can’t judge this, it will simply report every possible finding.
Hardening systems can be time consuming, so each finding should be carefully analyzed. Production environments in particular might stop functioning if hardening isn’t done properly.
For professional auditors and security professionals, the Lynis Enterprise Suite will help you with selecting the right controls. The right hardening snippets are also provided, so they can be tested before being put in production. To help you with the implementation, a priority list is created to determine where to start. It provides risk ratings by measuring the effort and risk of each control. By combining this information and comparing it with other systems, the implementation plan is customized to your environment. This enables you to select the systems which need attention first, or to determine which controls to implement to have the biggest impact on the security defenses.
Compliance
Last but not least, compliance! Auditing and hardening systems are the very first steps to improve security. To maintain the effect of earlier security efforts, it’s important to keep measuring your security level and compare it with baselines. Every system should be checked on a regular basis and deviations from your standard should be detected as soon as possible. By determining the risk level of these deviations, it will be much easier to take appropriate action or implement different security measures.
Lynis supports basic compliance checking by providing key-value pairs in the scan profile. Examples are file permissions or kernel security parameters. The Lynis Enterprise Suite has more possibilities to check for compliance, including defining baselines and measuring the compliance rate.
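To illustrate the idea of checking kernel security parameters against a key-value baseline and reporting deviations, here is an added example; it is not Lynis code and does not use Lynis profile syntax. The baseline format, the function names and the sample values are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Baseline format (key=expected) and all sample data are constructed for
# this illustration; on a real host the snapshot would be `sysctl -a` output.

write_sample_baseline() {   # constructed baseline of expected values
cat > "$1" <<'EOF'
# parameter=expected value
kernel.randomize_va_space=2
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects=0
kernel.kptr_restrict=2
EOF
}

write_sample_snapshot() {   # constructed stand-in for `sysctl -a` output
cat > "$1" <<'EOF'
kernel.randomize_va_space = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 1
EOF
}

# check_baseline BASELINE SNAPSHOT
# Prints OK, DEVIATION or MISSING for each baseline entry, followed by a
# compliance rate. Returns 0 only when every entry matches the baseline.
check_baseline() {
    awk -F= '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        FILENAME == ARGV[1] {            # first file: observed "key = value"
            actual[trim($1)] = trim($2); next
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            k = trim($1); want = trim($2); total++
            if (!(k in actual))         printf "MISSING   %s (expected %s)\n", k, want
            else if (actual[k] == want) { printf "OK        %s=%s\n", k, want; ok++ }
            else printf "DEVIATION %s=%s (expected %s)\n", k, actual[k], want
        }
        END {
            printf "compliance_rate=%d%%\n", (total ? ok * 100 / total : 0)
            exit (ok + 0 == total + 0 ? 0 : 1)
        }
    ' "$2" "$1"
}
```

A parameter that is absent from the snapshot is reported as MISSING rather than silently passed, so a kernel that does not expose a setting still counts against the compliance rate.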