You're reading from Mastering Linux Administration - Second Edition

Product type: Book
Published in: Mar 2024
Publisher: Packt
ISBN-13: 9781837630691
Edition: 2nd Edition
Authors (2):
Alexandru Calcatinge

Alexandru Calcatinge is an open-minded architect with a background in computer science and mathematics. He is a senior university lecturer with a PhD in urban planning from Ion Mincu University of Architecture and Urban Planning and a postgraduate degree in DevOps from Caltech's Center for Technology and Management Education (CTME). He teaches students about architectural programming and development and open source technologies. He has authored five books on architecture and urban planning and numerous scientific articles on urban and rural development. Alex was certified as a Linux trainer in 2017. He loves the DevOps philosophy and the possibilities that cloud technologies bring for the future. He is also a certified programming analyst, computer network administrator, trainer, designer, and life coach.

Julian Balog

Julian Balog is a senior software engineer with more than 15 years of experience in the industry. Currently, his work primarily focuses on application delivery controllers, containerized workflows, networking, and security. With a never-ending passion for Linux and open-source technologies, Julian is always in pursuit of learning new things while solving problems and making things work through simple, efficient, and practical engineering. He lives with his wife, two children, and an Aussie-doodle in the greater Seattle area, Washington.


Securing Linux

Securing a Linux machine is usually a balancing act. The endgame is essentially protecting data from unwanted access. While there are many ways to achieve this goal, we should adopt the methods that yield maximum protection, along with the most efficient system administration. Gauging the attack and vulnerability surfaces, both internal and external, is always a good start. The rest of the work is building fences and putting on armor—not too high and not too heavy. The outer fence is a network firewall. Internally, at the system level, we build application security policies. This chapter introduces both, albeit the art of the balancing act is left to you.

In the first part of this chapter, we’ll look at access control mechanisms (ACMs) and the related security modules—Security-Enhanced Linux (SELinux) and AppArmor. In the second part, we will explore packet filtering frameworks and firewall solutions.

After completing this chapter, you will...

Technical requirements

This chapter covers a relatively vast array of topics, some of which will be covered with extensive command-line operations. We recommend that you use both a Fedora and an Ubuntu platform with Terminal or SSH access. Direct console access to the systems is highly preferable due to the possibly disruptive way of altering firewall rules.

Understanding Linux security

One significant consideration for securing a computer system or network is the means for system administrators to control how users and processes can access various resources, such as files, devices, and interfaces, across systems. The Linux kernel provides a handful of such mechanisms, collectively referred to as ACMs. Let’s describe them briefly:

  • Discretionary access control (DAC) is the typical ACM related to filesystem objects, including files, directories, and devices. Such access is at the discretion of the object’s owner when managing permissions. DAC controls access to objects based on the identity of users and groups (subjects). Depending on a subject’s access permissions, they could also pass permissions to other subjects —an administrator managing regular users, for example.
  • Access control lists (ACLs) provide control over which subjects (such as users and groups) have access to specific filesystem objects...
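The following Python model is an added example (not code from the book) of how the kernel actually decides a DAC request and how a POSIX ACL extends that decision. Exactly one class decides under DAC (owner, then group, then other), which is why an owner with mode 0007 is denied even though everyone else is allowed; with an extended ACL, named-user and group entries are capped by the mask. All users, groups, modes and ACL entries below are constructed for the demonstration.

```python
"""Added example (not from the book): the decision logic behind Linux
discretionary access control (DAC) and its POSIX ACL extension.  The users,
groups, modes and ACL entries below are constructed for the demonstration."""

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

R, W, X = 4, 2, 1  # rwx permission bits, as in chmod


@dataclass(frozen=True)
class Subject:
    uid: int
    gids: FrozenSet[int]  # primary plus supplementary groups


@dataclass
class Inode:
    """Permission state of one filesystem object, written as ACL entries.
    A file without an extended ACL (the usual case) has only the three
    classic entries and no mask; getfacl then shows just user/group/other."""
    owner_uid: int
    owner_gid: int
    user_obj: int                                               # ACL_USER_OBJ
    group_obj: int                                              # ACL_GROUP_OBJ
    other: int                                                  # ACL_OTHER
    named_users: Dict[int, int] = field(default_factory=dict)   # ACL_USER
    named_groups: Dict[int, int] = field(default_factory=dict)  # ACL_GROUP
    mask: Optional[int] = None                                  # ACL_MASK, None = minimal ACL

    @classmethod
    def from_mode(cls, owner_uid: int, owner_gid: int, mode: int) -> "Inode":
        """Build the minimal ACL that a plain chmod mode represents."""
        return cls(owner_uid, owner_gid, (mode >> 6) & 7, (mode >> 3) & 7, mode & 7)


def may_access(inode: Inode, subj: Subject, want: int) -> bool:
    """Return True if the subject holds every requested bit in `want`.

    Exactly one class decides: the owner entry if the uid matches (even when
    it is more restrictive than 'other'), else a matching named-user entry,
    else the group class, else 'other'.  Named-user and group entries are
    limited by the mask; the group class grants access if any one matching
    entry carries all requested bits and otherwise denies without falling
    through to 'other'."""
    mask = 7 if inode.mask is None else inode.mask
    if subj.uid == inode.owner_uid:
        return inode.user_obj & want == want
    if subj.uid in inode.named_users:
        return inode.named_users[subj.uid] & mask & want == want
    group_bits = []
    if inode.owner_gid in subj.gids:
        group_bits.append(inode.group_obj)
    group_bits += [bits for gid, bits in inode.named_groups.items() if gid in subj.gids]
    if group_bits:
        return any(bits & mask & want == want for bits in group_bits)
    return inode.other & want == want


def rwx(bits: int) -> str:
    """Render permission bits the way ls and getfacl do, e.g. 6 -> 'rw-'."""
    return "".join(ch if bits & b else "-" for ch, b in (("r", R), ("w", W), ("x", X)))


# Constructed subjects: alice owns the file, bob shares its group, carol does not.
ALICE = Subject(uid=1000, gids=frozenset({1000, 100}))
BOB = Subject(uid=1001, gids=frozenset({1001, 100}))
CAROL = Subject(uid=1002, gids=frozenset({1002, 200}))

# Case 1: plain DAC, mode 0640 owned by alice:staff (gid 100).
REPORT = Inode.from_mode(owner_uid=1000, owner_gid=100, mode=0o640)

# Case 2: owner and group classes are more restrictive than 'other' (mode 0007):
# alice and bob are denied while carol, who falls into 'other', reads and writes.
ODD = Inode.from_mode(owner_uid=1000, owner_gid=100, mode=0o007)

# Case 3: the report with an extended ACL, as if after
#   setfacl -m u:carol:rw -m m::r report.txt
# The mask r-- caps carol's effective rights at read-only.
SHARED = Inode.from_mode(owner_uid=1000, owner_gid=100, mode=0o640)
SHARED.named_users[CAROL.uid] = R | W
SHARED.mask = R

if __name__ == "__main__":
    for label, inode in (("report", REPORT), ("odd", ODD), ("shared", SHARED)):
        for name, subj in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
            eff = sum(b for b in (R, W, X) if may_access(inode, subj, b))
            print(f"{label:7} {name:6} effective={rwx(eff)}")
```

The `from_mode` constructor mirrors what `getfacl` shows for a file that has never had `setfacl` run on it; the `SHARED` case reproduces the common surprise that a named-user entry of `rw` still yields read-only access when the mask is `r`.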

Introducing SELinux

SELinux is a security framework in the Linux kernel for managing the access control policies of system resources. It supports a combination of the MAC, RBAC, and MLS models that were described in the previous section. SELinux is a set of kernel-space security modules and user-space command-line utilities, and it provides a mechanism for system administrators to have control over who can access what on the system. SELinux is designed to also protect a system against possible misconfigurations and potentially compromised processes.

SELinux was introduced by the National Security Agency (NSA) as a collection of Linux Security Modules (LSM) with kernel updates. SELinux was eventually released to the open source community in 2000 and became part of Linux starting with the 2.6 kernel series in 2003.

So, how does SELinux work? We’ll look at this in the next section. We will use Fedora 37 Server Edition for all our examples.
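To make the type-enforcement idea concrete before the hands-on section, here is an added Python model (not the book's code and not the Fedora reference policy): it parses security contexts into their four fields and evaluates simplified `allow` rules of the form found in policy sources. The domain names (`httpd_t`), object types, contexts and the policy text are constructed for the demonstration; the AVC-style message is a simplified rendering of what the kernel logs, not a verbatim format.

```python
"""Added example (not from the book): a minimal model of SELinux type
enforcement.  It parses security contexts into their four fields and
evaluates simplified `allow` rules of the kind found in a policy source.
The policy and contexts below are constructed for the demonstration and
are not taken from the Fedora reference policy."""

import re
from typing import Dict, NamedTuple, Set, Tuple


class Context(NamedTuple):
    """An SELinux label: user:role:type:level."""
    user: str
    role: str
    type: str
    level: str


def parse_context(label: str) -> Context:
    """Split on the first three colons only: an MLS/MCS level such as
    's0-s0:c0.c1023' contains a colon of its own."""
    parts = label.split(":", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"malformed SELinux context: {label!r}")
    return Context(*parts)


# allow <source_type> <target_type>:<class> { perm perm ... };   or a single perm
RULE_RE = re.compile(
    r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;$"
)


class TEPolicy:
    """Type-enforcement rules keyed by (source type, target type, class)."""

    def __init__(self, source: str) -> None:
        self.rules: Dict[Tuple[str, str, str], Set[str]] = {}
        for line in source.splitlines():
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
            m = RULE_RE.match(line)
            if not m:
                raise ValueError(f"unsupported rule: {line!r}")
            src, tgt, cls, many, one = m.groups()
            perms = set(many.split()) if many is not None else {one}
            self.rules.setdefault((src, tgt, cls), set()).update(perms)

    def decide(self, scontext: Context, tcontext: Context,
               tclass: str, perm: str) -> Tuple[bool, str]:
        """Default deny: a permission is granted only if some rule names the
        process's domain (its type), the object's type, the class and the
        permission.  Returns the decision plus a simplified AVC-style line."""
        allowed = perm in self.rules.get((scontext.type, tcontext.type, tclass), ())
        verdict = "granted" if allowed else "denied"
        msg = (f"avc: {verdict} {{ {perm} }} scontext={':'.join(scontext)} "
               f"tcontext={':'.join(tcontext)} tclass={tclass}")
        return allowed, msg


# Constructed policy: the web server's domain may read its own content and
# append to its log, and nothing else that is listed here.
POLICY = TEPolicy("""
# domain httpd_t reading static content
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_sys_content_t:dir { search getattr open read };
allow httpd_t httpd_log_t:file { append getattr open };
allow httpd_t httpd_log_t:file create;
""")

HTTPD = parse_context("system_u:system_r:httpd_t:s0")
INDEX_HTML = parse_context("unconfined_u:object_r:httpd_sys_content_t:s0")
SHADOW = parse_context("system_u:object_r:shadow_t:s0")
ACCESS_LOG = parse_context("system_u:object_r:httpd_log_t:s0")


def check(process: Context, obj: Context, tclass: str, perm: str) -> bool:
    """Decide and print the denial message the way an admin would read it."""
    allowed, msg = POLICY.decide(process, obj, tclass, perm)
    if not allowed:
        print(msg)
    return allowed


if __name__ == "__main__":
    print(check(HTTPD, INDEX_HTML, "file", "read"))    # True
    print(check(HTTPD, INDEX_HTML, "file", "write"))   # False: no rule grants write
    print(check(HTTPD, SHADOW, "file", "read"))        # False, whatever DAC says
    print(check(HTTPD, ACCESS_LOG, "file", "append"))  # True
```

The important property is the default-deny: the `shadow_t` read is refused not because a rule forbids it but because no rule permits it, and that holds even for a process whose DAC identity (root, for instance) would otherwise pass.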

Working with SELinux

SELinux...

Introducing AppArmor

AppArmor is a Linux security module based on the MAC model that confines applications to a limited set of resources. AppArmor uses an access control mechanism based on security profiles that have been loaded into the Linux kernel. Each profile contains a collection of rules for accessing various system resources. AppArmor can be configured to either enforce access control or just complain about access control violations.

AppArmor proactively protects applications and operating system resources from internal and external threats, including zero-day attacks, by preventing both known and unknown vulnerabilities from being exploited.

AppArmor has been built into the mainline Linux kernel since version 2.6.36 and is currently shipped with Ubuntu, Debian, openSUSE, and similar distributions.

In the following sections, we’ll use an Ubuntu Server 22.04 LTS environment to showcase a few practical examples with AppArmor. Most of the related command-line utilities...
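As an added Python example (not the book's code), the model below captures the two points that distinguish AppArmor in this chapter: rules are keyed to file paths rather than labels, and a profile runs in either enforce mode (unmatched access is refused) or complain mode (unmatched access is permitted but logged, which is what `aa-complain` sets up for profiling a new application). The profile body, program path, file paths and the audit line are constructed for the demonstration; the audit line follows the shape of AppArmor messages but is simplified.

```python
"""Added example (not from the book): a model of AppArmor's path-based
confinement.  A profile is a list of (glob, permissions) rules keyed to the
program's path; anything not matched is denied in enforce mode and merely
logged in complain mode.  The profile, paths and log format are constructed
for the demonstration (the log line follows the shape of AppArmor audit
messages but is simplified)."""

import re
from typing import List, Optional, Set, Tuple


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """AppArmor globbing: '*' matches within one path component, '**' spans
    components, '?' is one character other than '/'."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


class Rule:
    def __init__(self, pattern: str, perms: str) -> None:
        self.pattern, self.perms = pattern, set(perms)
        self.regex = glob_to_regex(pattern)


class Profile:
    """One application profile; mode is 'enforce' or 'complain'."""

    RULE_RE = re.compile(r"^(\S+)\s+([rwxmkl]+)\s*,$")

    def __init__(self, program: str, body: str, mode: str = "enforce") -> None:
        self.program, self.rules = program, []  # type: str, List[Rule]
        self.set_mode(mode)
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
            m = self.RULE_RE.match(line)
            if not m:
                raise ValueError(f"unsupported rule: {line!r}")
            self.rules.append(Rule(m.group(1), m.group(2)))

    def set_mode(self, mode: str) -> None:
        """What aa-enforce / aa-complain do for a loaded profile."""
        if mode not in ("enforce", "complain"):
            raise ValueError(mode)
        self.mode = mode

    def check(self, path: str, requested: str) -> Tuple[bool, Optional[str]]:
        """Return (access granted?, audit line or None).  Permissions from
        every matching rule accumulate; any bit still missing is a violation."""
        granted: Set[str] = set()
        for rule in self.rules:
            if rule.regex.match(path):
                granted |= rule.perms
        missing = "".join(sorted(set(requested) - granted))
        if not missing:
            return True, None
        status = "ALLOWED" if self.mode == "complain" else "DENIED"
        line = (f'apparmor="{status}" operation="open" profile="{self.program}" '
                f'name="{path}" requested_mask="{requested}" denied_mask="{missing}"')
        return self.mode == "complain", line


# Constructed profile for a hypothetical /usr/local/bin/demo-app.
DEMO = Profile("/usr/local/bin/demo-app", """
  /etc/demo-app/** r,          # config tree, read-only, any depth
  /var/cache/demo-app/* r,     # direct children only
  /var/log/demo-app.log w,
  /tmp/demo-app-*.tmp rw,
""")

if __name__ == "__main__":
    for path, perm in (("/etc/demo-app/conf.d/extra.yml", "r"),
                       ("/etc/demo-app/conf.d/extra.yml", "w"),
                       ("/etc/shadow", "r")):
        ok, audit = DEMO.check(path, perm)
        print(ok, audit or "")
    DEMO.set_mode("complain")      # the effect of: sudo aa-complain /usr/local/bin/demo-app
    print(DEMO.check("/etc/shadow", "r"))
```

Because the match is on the path string, a file reachable under a different path (for example through a bind mount or a hard link outside the globbed tree) is judged by that other path; this is the practical side of the label-versus-path difference the exercises ask about.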

Working with firewalls

Traditionally, a firewall is a network security device that’s placed between two networks. It monitors the network traffic and controls access to these networks. Generally speaking, a firewall protects a local network from unwanted intrusion or attacks from the outside. But a firewall can also block unsolicited locally originated traffic targeting the public internet. Technically, a firewall allows or blocks incoming and outgoing network traffic based on specific security rules.

For example, a firewall can block all but a select set of inbound networking protocols (such as SSH and HTTP/HTTPS). It may also block all but approved hosts within the local network from establishing specific outbound connections, such as allowing outbound Simple Mail Transfer Protocol (SMTP) connections that originated exclusively from the local email servers.

The following diagram shows a simple firewall deployment regulating traffic between a local network and the internet...
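The policy described above (inbound traffic dropped unless it is SSH or HTTP/HTTPS; outbound SMTP permitted only from the local mail servers) as an added Python example, not code from the book: a first-match packet filter with per-chain default policies, plus a rendering of the same rules in nftables syntax. Addresses, the mail-server hosts and the sample packets are constructed for the demonstration; the `nft` text is an illustration written by hand, not output of any tool.

```python
"""Added example (not from the book): a first-match packet filter that
implements the policy described in the text.  Inbound traffic is dropped
unless it is SSH or HTTP/HTTPS; outbound SMTP is allowed only from the
local mail servers.  Addresses, hosts and packets are constructed for the
demonstration; the nft rendering shows the same rules in nftables syntax
(an illustration, not generated by any tool)."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # 'tcp' or 'udp'
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # 'accept' or 'drop'
    proto: Optional[str] = None
    src: Optional[Net] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every specified field must match; unspecified fields are wildcards."""
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        return True

    def to_nft(self) -> str:
        parts = []
        if self.src is not None:
            parts.append(f"ip saddr {self.src}")
        if self.proto is not None and self.dport is not None:
            parts.append(f"{self.proto} dport {self.dport}")
        elif self.proto is not None:
            parts.append(f"meta l4proto {self.proto}")
        parts.append(self.action)
        return " ".join(parts)


@dataclass
class Chain:
    name: str
    hook: str
    policy: str       # default verdict when no rule matches
    rules: List[Rule]

    def verdict(self, pkt: Packet) -> str:
        """First matching rule decides; otherwise the chain's policy applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.policy

    def to_nft(self) -> str:
        body = "\n".join(f"        {r.to_nft()}" for r in self.rules)
        return (f"    chain {self.name} {{\n"
                f"        type filter hook {self.hook} priority 0; policy {self.policy};\n"
                f"{body}\n    }}")


def ruleset_to_nft(chains: List[Chain]) -> str:
    return "table inet filter {\n" + "\n".join(c.to_nft() for c in chains) + "\n}"


# Constructed topology: LAN 192.168.1.0/24 with two mail servers.
MAIL_SERVERS = [Net("192.168.1.25/32"), Net("192.168.1.26/32")]

INPUT = Chain("input", "input", "drop", [
    Rule("accept", proto="tcp", dport=22),    # SSH
    Rule("accept", proto="tcp", dport=80),    # HTTP
    Rule("accept", proto="tcp", dport=443),   # HTTPS
])
OUTPUT = Chain("output", "output", "accept",
               [Rule("accept", proto="tcp", src=net, dport=25) for net in MAIL_SERVERS]
               + [Rule("drop", proto="tcp", dport=25)])   # SMTP from anyone else

if __name__ == "__main__":
    print(INPUT.verdict(Packet("203.0.113.5", "192.168.1.10", "tcp", 22)))     # accept
    print(INPUT.verdict(Packet("203.0.113.5", "192.168.1.10", "tcp", 3306)))   # drop
    print(OUTPUT.verdict(Packet("192.168.1.25", "198.51.100.9", "tcp", 25)))   # accept
    print(OUTPUT.verdict(Packet("192.168.1.50", "198.51.100.9", "tcp", 25)))   # drop
    print(ruleset_to_nft([INPUT, OUTPUT]))
```

Rule order matters in the output chain: the mail-server `accept` entries must precede the blanket `drop` for port 25, exactly as they would in an iptables or nftables chain, because the first match wins.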

Summary

The relatively vast content of this chapter may appear overwhelming. A key takeaway should be the focus on the frameworks (modules). If we’re discussing firewalls, we should look at packet filtering frameworks such as iptables, Netfilter, and nftables. For access control, we have security modules such as SELinux and AppArmor. We covered some of the pros and cons of each. The pivoting choice, possibly deciding the Linux distro, is between AppArmor and SELinux. One is perhaps swifter than the other, with the related administration effort hanging in the balance. For example, choosing AppArmor would narrow down the major Linux distributions to Ubuntu, Debian, and openSUSE. The distro choice, in turn, would further dictate the available firewall management solutions, and so on.

Mastering the application security frameworks and firewall management tools will help you keep your systems safe with minimal effort. As with any typical Linux system administration task, there...

Exercises

Here’s a brief quiz about some of the essential concepts that were covered in this chapter:

  1. Enumerate at least a couple of ACMs that are used in Linux.

    Hint: DAC, ACL, MAC, RBAC, MLS, MCS

  2. Enumerate the fields of the SELinux security context.

    Hint: user, role, type, level

  3. What is a domain in SELinux?

    Hint: Type assigned to a process

  4. Can you think of a significant difference between SELinux and AppArmor in terms of enforcing security policies?

    Hint: SELinux uses policies based on file labels, while AppArmor uses security policies based on paths.

  5. How do we toggle an AppArmor application profile between the enforce and complain modes?

    Hint: Using aa-enforce and aa-complain

  6. How many chains can you think of in the Linux kernel networking stack?

    Hint: Figure 9.41 could help you.

  7. What is the default firewall management solution in RHEL/Fedora? How about Ubuntu?

    Hint: firewalld (Fedora) and ufw (Ubuntu)

Further reading

Please refer to the following Packt books for more information about the topics that were covered in this chapter:

  • Mastering Linux Security and Hardening – Second Edition by Donald A. Tevault, Packt Publishing
  • Practical Linux Security Cookbook – Second Edition by Tajinder Kalsi, Packt Publishing