© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Strategies in Linux Platforms and Applications Lesson 3 Basic Security: Facilities Through the Boot Process

Security Strategies in Linux Platforms and Applications

Lesson 3
Basic Security: Facilities Through the Boot Process

Learning Objective

Lock down the Linux boot process.

Key Concepts

• Physical server security
• Challenges of the standard kernel and possible security issues
• Secure boot loaders
• Obscurity as a security enhancement

DISCOVER: CONCEPTS

Physical Security-Server Room

Locks/Biometric controls

Pre-boot eXecution Environment (PXE)

Physical ports

Challenges of Standard Kernel

• Different kernels for different architectures
• What kernels can be installed on your system?
• What kernel is best for your needs?
• When do you consider a different kernel?
• You may need to customize a kernel or install a new kernel for more security.

Boot Loader Security

Black-hat hackers use poorly configured boot systems and boot loaders to gain administrative access to systems.

DISCOVER: PROCESS

Locking Down Boot Loaders

Back up boot loader before making changes

If something goes wrong:
• Use rescue mode on local distribution or a live CD to boot system
• Access local drives
• Restore the boot loader from backup
• Use the appropriate command (grub-install or lilo)

Securing LILO

Run apt-get install lilo command

Accept LILO configuration

Create /etc/lilo.conf configuration file; customize

Run lilo -v command

Linux Loader Configuration File

Securing GRUB

Run apt-get install lilo command

Accept LILO configuration

Create /etc/lilo.conf configuration file; customize

Run lilo -v command

Traditional GRUB Configuration File

A Protected GRUB Configuration File
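
An audit of the two boot loader configuration files these slides cover, as an added example that is not part of the original deck: it checks each file for an active password directive and for owner-only permissions. The `password`/`restricted` (LILO) and `password --md5` (traditional GRUB) directives are the loaders' own; the status strings and the GRUB file path given on the command line are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): audit LILO and traditional GRUB
# configuration files for boot-time password protection.

# Print only active directives: drop comments and blank lines.
active_lines() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# True when group and other have no access (e.g. mode 600). These files
# hold a password or its hash, so only the owner (root) should read them.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# LILO keeps the password in clear text. Without "restricted" it is asked at
# every boot; with it, only when parameters are added at the boot prompt.
audit_lilo() {
    if ! active_lines "$1" | grep -Eq '^[[:space:]]*password[[:space:]]*='; then
        echo "no-password"
    elif ! owner_only "$1"; then
        echo "loose-permissions"
    elif active_lines "$1" | grep -Eq '^[[:space:]]*restricted([[:space:]]|$)'; then
        echo "ok-restricted"
    else
        echo "ok-every-boot"
    fi
}

# Traditional GRUB: the global password line sits before the first "title".
audit_grub_legacy() {
    pw=$(active_lines "$1" | awk '$1 == "title" {exit} $1 == "password" {print; exit}')
    if [ -z "$pw" ]; then
        echo "no-password"
    elif ! printf '%s\n' "$pw" | grep -q -- '--md5'; then
        echo "plaintext-password"
    elif ! owner_only "$1"; then
        echo "loose-permissions"
    else
        echo "ok"
    fi
}

# Usage: sh audit.sh lilo /etc/lilo.conf   or   sh audit.sh grub <path to menu file>
case "${1:-}" in
    lilo) audit_lilo "$2" ;;
    grub) audit_grub_legacy "$2" ;;
esac
```

Any result other than one starting with `ok` means the boot prompt can be edited without a password or the stored secret is readable by non-root users.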

DISCOVER: ROLES

Five Process Controls

• Nonrepudiation
• Confidentiality
• Privacy
• Integrity
• Alarm

DISCOVER: CONTEXTS

TPM and Trusted Computing

Trusted Platform Module (TPM)
• Not open source
• Password protection
• Software license protection
• Digital rights management (DRM)
• Disk encryption
• Chain of trust

TPM in an open source environment
• trousers, package with the TCG software stack, tpm-tools

DISCOVER: RATIONALE

Why Use Obscurity?

Boot menus

Boot loader

Boot config files

Services

The /etc/fstab file Can Use More Obscurity

Summary

• Physical server security
• Challenges of the standard kernel and possible security issues
• Secure boot loaders
• Obscurity as a security enhancement