LPI LVL3 Security: Area 2 – Local Security

Deals with local security issues – user and authentication systems such as shadow passwords, PAM, filesystem and partition security, configuring local daemons and services, X-Windows, LIDS, logging, mail security, physical and bootloader security, incident response, etc.

1. Local security systems

    1. The Linux boot sequence
        i.   Boot loader security
             1. Boot password
             2. Designating an “emergency kernel”
        ii.  Booting to single-user mode: init / inittab
        iii. Understanding runlevels
             1. Identifying the current runlevel
             2. Changing runlevels
             3. Changing runlevel configurations

    2. The Linux kernel
        i.   Custom kernel modifications
        ii.  Disabling unnecessary protocols and services
        iii. Recompiling the kernel
        iv.  Kernel-specific security enhancements
             1. SELinux from the NSA
             2. Kernel patches
             3. CSA Auditing

    3. User / authentication configuration
        i.   /etc/passwd
        ii.  /etc/shadow – differences
        iii. Account information tied to user config (password expiry, primary group membership, etc.)
        iv.  Setuid

    4. SUDO

    5. PAM

    6. Group membership and configuration
        i.   /etc/group
        ii.  chgrp
        iii. gpasswd
        iv.  groupadd / groupdel / groupmod
        v.   setgid

    7. Package management
        i.   Install packages to fix security vulnerabilities
        ii.  Patch source code with diff files and recompile to fix security vulnerabilities
        iii. Download an updated ‘tarball’ and recompile to fix security vulnerabilities
        iv.  Configure automated package update utilities (up2date, YaST, etc.)

    8. Filesystem security
        i.   Overview of filesystems
             1. Journaling vs. non-journaling
             2. Level of logging
             3. Fragmentation issues (availability)
             4. ext2, iso9660, fat, etc.
             5. Creating a volume with fdisk
             6. Formatting a volume with mkfs
        ii.  chmod
        iii. chown
        iv.  File attributes (chattr)
             1. Especially chattr +i (immutable)
        v.   Setuid and setgid binaries
        vi.  Using mount
        vii. fstab / mtab

    9. Partition security
        i.   Different options for mounting filesystems
             1. R/O vs. R/W
             2. No symlinks
             3. NFS
             4. Samba (smbmount)
             5. NFS (nfsmount)
             6. Re-exporting a mount
        ii.  File locking systems
        iii. Creating secure /home and /tmp directories
        iv.  Creating encrypted volumes
             1. Not /boot or equivalent
             2. runefs – whatever is built in
        v.   Disk quotas

    10. Configuring running services
        i.   Identify listening ports with netstat
        ii.  Identify listening ports with lsof

    11. Process security
        i.   Starting a process with a specific ‘nice’ level
        ii.  Starting a process with another visible name
        iii. Using sudo

    12. Setting up time synchronization

    13. Configuring tripwire

    14. X-Windows
        i.   Configure XDM security
        ii.  Configure security with ‘xhost’
        iii. Configure locking screen savers
        iv.  Tunnel remote X-Windows sessions through SSH
        v.   Understand the .Xauthority file
        vi.  Use '-nolisten tcp' to stop remote X sessions

    15. LIDS and other stack protection systems
        i.   SELinux from the NSA
        ii.  Kernel patches

    16. Anti-virus

    17. Logging
        i.   Configuring syslog
             1. Changing log settings
             2. Logging to a remote host
             3. Accepting syslog connections from a remote host
        ii.  .bash_history / shell history
        iii. wtmp
        iv.  utmp

    18. Incident response
        i.   Establish a system to identify an incident
             1. Automated systems (IDS)
             2. Manual systems (manual reconciliation / log analysis)
             3. Establish thresholds for what defines an “incident”
        ii.  Establish a system to respond to an incident
             1. An incident response team
             2. A recommended set of IR steps
             3. A means to limit further exposure
             4. A means to capture as much relevant information as possible
             5. A means to communicate information up and down the chain
             6. A plan to deal with management, employees, the media, etc.
             7. A means to analyze the effectiveness of the plan after an incident and revise it as appropriate
             8. Take into account applicable IR laws (California HB 1386)
        iii. Using find to identify interesting files
             1. -ctime, -mtime, -atime
             2. File ownership
             3. Analyze slack space / unallocated inodes
        iv.  Identifying running processes
        v.   Identifying current network connections
        vi.  Using MD5 hashes to find Trojans/backdoors
        vii. Using software to find Trojans/backdoors
             1. Rootkit detection tools
             2. Anti-virus
        viii. Using TCT
        ix.  Using FIRE
        x.   Other forensic tools