Subtitles of the Movie

Our final best practices session that we'll cover concerns best security practices. Now, we've taken best security practices from all security areas; user security, file security and even system security. The first thing you need to do with security is plan it. And the first thing you need to plan is what you're going to use your computer for and then you secure it for that use. If you're going to use it for a home workstation, then your security requirements are probably going to be a little bit different than those that you might have for a small business or even a large corporate enterprise. Once you decide what your function is for your computer, then plan what security mechanisms you're going to need. For example, in a home environment, you're not likely to have to use an NIS server or Kerberos authentication between multiple systems, but you may need those in a large corporate environment or even a small business environment. Now security starts out with a secure installation and although we've already covered a couple of things we can do during installation, let's reiterate them here. First, during installation, put certain file systems on their own partition or even consider putting them on their hard disk if you have the resources. Some partitions can fill up very fast, such as slash home and slash var because of the files that they can get on them from users and from logs. But also malicious files frequently can be put in those directories and somehow or other they can be transmitted to other directories as well. That does happen. Users don't mean to, but they copy files from their home directories to system directories and malware can spread that way. So you might want to keep those separate; both for security reasons and for performance reasons because they tend to fill up. System file systems that you should think about separating are the slash etc and slash bin. Those are where all the primary system files are usually. Root's home directory is a directory also that should be separated. You don't want to give everyone access to this directory because frequently, if other people have access to it , then malicious files can be put in there and then when root logs in, those files are able to run through the context of root's security login. During installation, definitely remember to create a strong password for the root account during the get go. A lot of people create a real, insignificant, weak password just to get through the installation and they have good intentions on changing the password to something stronger later, and then of course, they forget to. So create a strong password during installation. During installation you also might want to add additional users immediately and use their accounts instead of just using the root account. People have a tendency to install the root account and then use that to keep logging in and unfortunately, they use that account to check their mail and write documents and surf the net. The problem with that is any process that's running while you're logged in as root automatically inherits the privileges and rights of the root account so you probably want to only use the root account for everyday tasks only when you need it. Don't use it for routine tasks such as checking email and surfing the net. Also, don't use automatic login. Everyone needs their own specific login and they should have to create a password and use a password to get in. This will help secure your system and trace actions back to users. Carefully plan and place users in the correct files, such as the SUDUers file, with appropriate restrictions in order to perform administrative tasks. Not everyone needs to have access to the root account, but for those who do need administrative-level privileges, have them use the SU or the SUDU commands only because that way you can track what they do and they don't have unlimited access. Definitely set restricted permissions on system files and directories. We covered permissions earlier so you know that you need to set those permissions at something like 640 or 600; that way they're not world writable, readable or executable and even the group can do very limited things. Only root or another privileged user account should be the owner of system files and directories. Individual users should not because root needs to be the one that has control over those files. Set the default umask very carefully. Basically this determines what the default file permissions are for newly-created files. Now, 037 is a good starting point. It's a little restrictive, but it will help you start out with good security if new files are created. I know we've covered it before, but patch your system frequently. Make sure you update security fixes as they come because new threats come out every day and you need those patches to adequately protect your box from those attacks and I know I might get some argument from some folks out there, but please use antivirus software on your Linux box. Yes, Linux boxes can get malware. It's a popular misconception. Linux boxes are by and large very secure right out of the box, but of course, any system in it's default configuration is unsecure and any system can get malware. Remember that malware is also, could be scripts for example that may do seemingly innocuous things, but may do things that you don't want them to do, such as delete file systems. A lot of malware is written and can be compiled and put on Linux boxes. So definitely get some kind of anti-malware, antivirus software. If you're using remote administration to your boxes, only use secure administration methods, such as open SSH, secure copy and secure FTP. Try to avoid Telnet and the R commands, such as rshell or rcopy, rlogin and so forth. Those are unsecure because they transmit user names and password in clear text, so they can easily be intercepted. You don't want that. Enforce strong password policies, such as minimum length, complexity and password aging. That way you're not giving the attacker an easy way in with the easy passwords such as password or your first name or something like that. If you're concerned about applications security, definitely use AppArmor. We demonstrated how easy it is to use and configure, but it can do a lot for you despite being easy. Configure your firewall to protect your host. Only allow those services in or out that you need. Don't allow unknown services in or out. And finally, the best advice I can give you, the best security practice that you could follow is learn all that you can about openSUSE security. Learn what makes openSUSE tick. Learn about its security mechanisms. Learn how they work, learn what their shortcomings are and how to mitigate those shortcomings.