Securing mount points on Linux

Securing mount points Mount points are defined in /etc/fstab. They link a particular disk pointer to the related device (disk, partition or virtual device). By default the mount options are not focused on security, which gives us a room to further improve hardening of the system. This hardening is especially important considering our most precious data is stored here. Via mount options we can apply additional security controls to protect our data. Mount points Let’s have a look at our […]

Read more

Alternatives to Bastille Linux: system hardening with Lynis

System hardening with Lynis Many people used Bastille Linux to harden their Linux systems. Unfortunately the website of Bastille seems very outdated, including the tool. This resulted in people searching for a great alternative to replace this tool. We found the alternative by actually combining different solutions, being more powerful. Security automation is hot, so forget Bastille and do it the right way. Automatic hardening makes sense Most system administrators can’t keep up with the new technologies and security threats. […]

Read more

PCI DSS (v3) for Linux: Auditing application processes (A.1.2.a)

PCI DSS (v3) Linux: Auditing application processes (A.1.2.a) A.1.2.a Verify the user ID of any application process is not a privileged user (root/admin). For Unix and Linux based systems, processes should run as a non-privileged user where possible. However to be able to start, a process is usually started with root permissions (uid 0). This is required to open the required sockets (e.g. bind to port 80). After the initial start, the process drops its privileges by switching to another […]

Read more

Security Automation for Linux: Are Humans Still Needed?

Security automation for Linux: Are humans still needed? The problem with humans is that they are smart yet slow at the same time. They can’t react to simultaneous events and aren’t always working. Besides that, they make mistakes, have to deal with budgets and internal company politics. Information security is impacted by these effects as well. As you might have guessed the solution is in automation. SCAP (Security Content Automation Protocol) is one of the answers. Especially the automation part is interesting, […]

Read more

How to create custom tests in Lynis

Custom tests in Lynis Although Lynis has many tests built-in, there are enough reasons to create your own custom tests. Instead of patching up existing files, there is a better way to run them and make use of existing functions. In this article we will have a look on how to create your own tests and what functions can be used. With the software being open source and licensed under GPL, you have the flexibility to see existing tests and […]

Read more

OpenSCAP on CentOS 7 – Installing from source

OpenSCAP on CentOS 7 Installing from source Security automation is hot and we love it. One way is using the OpenSCAP toolkit. Unfortunately it is not mature enough, so you might want to build and install it from source. We share our findings while creating our test environment. Install required components On our minimum installed CentOS 7 system, we need to install a few components. Most are related to compiling C++ and parsing XML files. Since we like to use […]

Read more

Yum plugins: Available plugins and built-in security support

Enhancing yum Determine available plugins and built-in security support To enhance the support in our auditing tool Lynis, we wanted to know if yum supports security related functions by using a plugin or having it as built-in functionality. Yum Yum, or Yellowdog Updater Modified, is a software management tool for Linux based systems. Usually it is used on systems running SuSE or Red Hat based (like RHEL, Fedora or CentOS). Plugins extend the functionality of yum, to improve its functionality. […]

Read more

PCI DSS (v3) Linux: Restrict log file viewing (A.1.2.d)

Restrict log file viewing A.1.2.d Verify that viewing of log entries is restricted to the owning entity. To limit exposure to information, PCI DSS requires access of logging to only the entity owning that log file. In other words, we have to search for those entries which can be seen by others. Search related log files By default, most log files on Linux based systems will be stored in /var/log. We can do a quick check for any files which […]

Read more
1181920212229