Notes from Linux Security Tunables by Kees Cook

I recently attended Drupalcon Portland, where I sat in on Kees Cook's session on Linux System Security Tunables. He gave some great general security advice before the session proper began. You can watch the video and read the slides on the Drupalcon site. Here are my notes from the session.

Authentication hygiene (e.g. ssh keys)

  • know where your credentials live
  • keep them off devices that have remote access
  • store them encrypted and tied to a specific device - if you lose control of that device, revoke those keys
  • don't use password authentication, or even passphrase-only authentication
  • keep the comment field on each ssh key (by default user@host) so you can more easily revoke individual keys when you need to
  • ssh shows you the host key fingerprint when you first connect - verify that it's right! On the server, print the fingerprint with: ssh-keygen -lv -f /etc/ssh/ssh_host_rsa_key.pub

Discretionary Access Control (user-defined)

  • Personal accounts
    • no direct access to services
  • Web services
    • no access to personal information, and cannot reconfigure themselves
    • cannot change what they execute
  • Service maintainers
    • no access to personal accounts, limited system access
    • can modify a given service (e.g. the database service)
  • System admin
    • extremely powerful
  • Separating roles this way is great for logging because you can see transitions between levels
  • Clear lines between data and execution
  • Control access via sudo or via separate keys, e.g. a sudoers alias:
    User_Alias SOME_SERVICE = kees, gchaix, pholcomb
    or put each person's public key into /home/some_service/.ssh/authorized_keys

Mandatory Access Control

  • AppArmor
  • SELinux
  • SMACK
  • Tomoyo

Multifactor Authentication (TFA or more)

  • Downside to recommending sudo: one password now unlocks two accounts (your own and root)
  • MFA can help

Kernel tunables

  • Tunables live as a tree of files under /proc/sys
  • Use sysctl to read or set them; since they are plain files you can also read and write them directly
  • kernel.randomize_va_space=2
  • net.ipv4.tcp_syncookies=1
  • kernel.yama.ptrace_scope=1
  • vm.mmap_min_addr=65536
  • kernel.kptr_restrict=1
  • kernel.dmesg_restrict=1
  • fs.protected_symlinks=1
  • fs.protected_hardlinks=1
  • kernel.modules_disabled=1
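An added example of my own (not from Kees's slides or the Drupalcon materials) that turns the list above into the kind of automated check the "start today" advice asks for: it reads each tunable from /proc/sys, compares it with the recommended value, and exercises the same comparison on a constructed sample of drifted sysctl output. All keys are written fully qualified (kernel.randomize_va_space, kernel.kptr_restrict); the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from Kees Cook's slides): audit the tunables listed above.
# All keys are written fully qualified so sysctl and /proc/sys agree on them.
EXPECTED='kernel.randomize_va_space=2
net.ipv4.tcp_syncookies=1
kernel.yama.ptrace_scope=1
vm.mmap_min_addr=65536
kernel.kptr_restrict=1
kernel.dmesg_restrict=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.modules_disabled=1'

# Print the running value of KEY from /proc/sys (dots become slashes),
# or "missing" when this kernel does not expose the tunable.
read_live_value() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# Emit "key=value" lines for every expected key, read from the live system.
live_snapshot() {
    for key in $(printf '%s\n' "$EXPECTED" | cut -d= -f1); do
        printf '%s=%s\n' "$key" "$(read_live_value "$key")"
    done
}

# audit_tunables ACTUAL: ACTUAL is "key=value" or "key = value" text (the live
# snapshot, or saved `sysctl -a` output). Prints one line per drifted or missing
# tunable, nothing when everything matches; always exits 0 so a cron or
# monitoring wrapper decides what to do with the report.
audit_tunables() {
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are regex metachars
        got=$(printf '%s\n' "$1" | sed -n "s/^$esc *= *//p" | head -n 1)
        [ -n "$got" ] || got=missing
        [ "$got" = "$want" ] || printf '%s want=%s got=%s\n' "$key" "$want" "$got"
    done
}

# Constructed drifted sample: ptrace_scope lowered to 0, modules_disabled absent.
SAMPLE=$(printf '%s\n' "$EXPECTED" | sed 's/ptrace_scope=1/ptrace_scope = 0/; /modules_disabled/d')

audit_tunables "$SAMPLE"            # reports ptrace_scope and modules_disabled
audit_tunables "$(live_snapshot)"   # reports drift on this machine
```

Feed it saved `sysctl -a` output from another host to audit that machine without shell access to it.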

Start today

  • Make a plan
  • Prioritize the changes
  • Make changes
  • Automate verification (cacti, nagios, cron, etc.)