We will be undergoing scheduled maintenance on May 20th, 2013 at 02:00 GMT.
Using Security Tools Tutorials
Host Security / Linux Host Lockdown Tools
Subtitles of the Movie (Using Security Tools / Host Security / Linux Host Lockdown Tools)
As secure as Linux host is, it's normally not as secure as you would like it to be when it's first installed so you may want to use various Linux host lockdown tools to lockdown your Linux distribution. Now, what these are is various tools used to lockdown the security configuration on a Linux box. Now, I would caution you that there are many different Linux distributions and as such, with Linux being an open source community, there are many different lockdown tools available. Some examples would be Bastille, which is a very popular Linux distribution tool that is used to lockdown various distributions of Linux and you can download that separately or it can be included in your Linux distribution. Some of the other distributions have various tools such as set check scripts and so forth that you can also download and use that are specific to distributions and some distributions even have tools included when you install them that will help you lockdown the various security configuration options on your Linux boxes; Red Hat, openSUSE, Gentoo, so forth. They all have their own unique tools that by and large are similar to most other tools out there so just that word of caution there that there are so many tools out there it's hard to nail down one particular tool that works across the board. So you're going to see various tools to do this with. Now, these tools configure various options automatically for security on your box and these could be things like file permissions, set get and set UID permissions and so forth, different things that you can use to secure your different security options and again, you'll see those on most Linux distributions. How you would use them, it really depends. Some of them are installed when you install the distribution, some of them you must download from a community repository or from a site and downloaded news. Bastille is one of them. You can download that from the Bastille site or a site that hosts Bastille and download it and install it of course. Let's just take a look at example tool that we'll see in openSUSE that's used to configure security on openSUSE in particular using YaST. Again, your tool may be different depending upon what distribution you're using. Let's go ahead and take a look at it. OK, we're in our YaST control center of our openSUSE 11 box and in YaST on open SUSE, you can control local security configuration through the local security applet that's in the security and users group. Again, this may differ based upon the distribution you're using; Red Hat, Gentoo, Mandriva and so forth all have similar utilities located in them; some GUI, some Command Line but they basically all do the same thing. Let's go ahead and take a look at the local security applet in YaST and so we can get an idea of how it configures security on an openSUSE distribution for example. It actually gives us different options we can use; a home work station, networked work station or network server so it is based on roles that your computer plays as to how it configures its settings and all these settings are basically the same; it's just by and large predetermined templates that it suggest, sort of like Windows templates do but based upon the role, we can configure different options. Let's go ahead and look at custom settings so we can look at all the wide variety of options you can set using this tool. So let's click Next and some of the options we can check are password settings, for example check new passwords and determine whether or not they're complicated or meet a particular password policy such as uppercase, lowercase and so forth or length and you can also configure the number of passwords to remember. For example, you don't want a user to use say the last ten passwords that they've used before. You want them to come up with a new password. You can also use different password encryption methods such as DES, MD5 or Blowfish. I would highly recommend you go with Blowfish. The minimum acceptable password length and we could use things like eight characters, which is a standard across the board. We could also minimum-age the passwords and make it so they can't change them before a certain amount of time has elapsed, say three days, and we can make it so they have to change their password every say 90 days and about seven days before they're going to get a warning saying that in seven days they're going to change their password. We can also change boot permissions on the, in the YaST tool, the interpretation of Control Alt Delete for example, whether it's going to reboot the system or it'll be ignored or whether it'll halt the system. We're going to leave that at the default and whether users can shut down the system from login manager. That's automatic, all users can do it, no one can do it or only root can do it. We'll stick with all users because right now all users should be able to shut down the system if we need to. A delay after incorrect login attempt; and so basically this is going to allow them to use incorrect logins only so many times and then their account may be locked or maybe disabled. Record successful login attempts in the security log and allow remote graphical login. We can turn that on or off as we please. Some other things we can do, this one we're adding users. We can automatically set the user ID and group ids. The reason you may want to do this is normally certain sets of user ids are reserved for privileged users so normal users may start at a certain user ID and by default openSUSE sits them as a thousand and a maximum of 60,000 and those are good defaults to leave them at. We can also change our file permissions so that by default they're easy permission; very relaxed or secure or very paranoid permissions and you may want to do this based upon the security level that you deem you need on your openSUSE box. We can also change other things such as path to add regular users into roots path so that when they sudo or su they can have access to root's path as well if we like. So those are some of the different options we can set using the local security settings in YaST and it's very similar to what you'll find on other Linux distributions. The tool may look a little bit different but you'll see those other options normally on there and also keep in mind that all these things can be done at the command prompt as well. You'll also see similar settings in various Windows tools as well so when configuring host or local security, there's different options but most of all you'll see those in various platforms; Windows, Linux and so forth. So that's just an example of one tool you can use to lockdown the host security of a Linux box.
Tutorial Information
| Course: | Using Security Tools |
| Author: | Bobby Rogers |
| SKU: | 34068 |
| ISBN: | 1-935320-88-2 |
| Release Date: | 2009-12-04 |
| Duration: | 9 hrs / 91 lessons |
| Captions: | No |
| Compatibility: |
Vista/XP/2000, OS X, Linux QuickTime 7, Flash 8 |
VTC Sign up & Benefits
- Unlimited Access
- 81,350 Video Tutorials (14,200 free)
- Video Available as Flash or QuickTime
- Over 715 Courses
- $30 for One Month Access
- Multi-User Discounts Available
