CompTIA Linux+ (XK0-005) Domain 2: Security

Domain Overview

This domain ensures Linux system confidentiality, integrity, and availability. Topics include file permissions, PAM, firewall setup, SELinux/AppArmor, SSH hardening, and log auditing.

1. User, Group, and File Security

Linux systems rely heavily on user and group management for securing access to resources:

• Permissions: Control access to files and directories using read (r), write (w), and execute (x) bits. Understand how to set basic permissions with chmod.
• Ownership: Assign ownership with chown and chgrp.
• Special Permissions: Use SUID, SGID, and Sticky bits for special access control.
• Access Control Lists (ACLs): Provide more granular permission control using getfacl and setfacl.
• Shadow Passwords: Understand the importance of /etc/shadow for secure password storage, replacing plain-text storage in /etc/passwd.

Authentication and PAM

Pluggable Authentication Modules (PAM) provide a flexible and modular framework for managing authentication on Linux systems. PAM allows administrators to define how users are authenticated, authorized, and managed during login and other system activities.

Key Features of PAM:

• **Modularity:** PAM uses a modular approach, allowing administrators to stack multiple authentication methods (e.g., password, biometrics, or tokens) for enhanced security.
• **Centralized Configuration:** PAM configurations are stored in the /etc/pam.d/ directory, making it easy to manage authentication policies for various services.
• **Flexibility:** PAM supports a wide range of modules, enabling custom authentication mechanisms tailored to specific security requirements.

Common PAM Modules:

• pam_unix.so: Provides standard Unix authentication using the /etc/passwd and /etc/shadow files.
• pam_tally2.so: Tracks failed login attempts and can lock accounts after a specified number of failures. This is useful for mitigating brute-force attacks.
• pam_pwquality.so: Enforces password complexity requirements, such as minimum length, character classes, and dictionary checks, to ensure strong passwords.
• pam_faillock.so: Replaces pam_tally2.so in modern systems for account lockout policies. It integrates with systemd for better logging and management.
• pam_limits.so: Enforces resource limits (e.g., maximum number of processes or open files) for users, as defined in /etc/security/limits.conf.

Configuring PAM:

PAM configurations are stored in the /etc/pam.d/ directory, with each file corresponding to a specific service (e.g., sshd, login, sudo). Each configuration file contains a stack of rules, where each rule specifies a module and its behavior.

Example: Enforcing Password Complexity

To enforce password complexity using pam_pwquality.so, edit the /etc/pam.d/common-password file and add the following line:

      password requisite pam_pwquality.so retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
        

This configuration enforces the following rules:

• Passwords must be at least 12 characters long (minlen=12).
• At least one digit is required (dcredit=-1).
• At least one uppercase letter is required (ucredit=-1).
• At least one special character is required (ocredit=-1).
• At least one lowercase letter is required (lcredit=-1).

Example: Locking Accounts After Failed Logins

To lock user accounts after three failed login attempts using pam_faillock.so, edit the /etc/pam.d/common-auth file and add the following lines:

      auth required pam_faillock.so preauth silent deny=3 unlock_time=600
      auth [default=die] pam_faillock.so authfail deny=3 unlock_time=600
      account required pam_faillock.so
        

This configuration does the following:

• Locks the account after three failed login attempts (deny=3).
• Unlocks the account automatically after 10 minutes (unlock_time=600).
• Applies the lockout policy to all authentication attempts.

Best Practices for PAM Configuration:

• Always test PAM configurations in a non-production environment to avoid locking out all users, including administrators.
• Use the pam_faillock.so module for modern systems instead of pam_tally2.so, as it provides better integration with systemd.
• Regularly review and update PAM configurations to align with organizational security policies and compliance requirements.
• Combine PAM with other security mechanisms, such as SELinux or AppArmor, for a layered security approach.

Additional Resources:

• Official PAM Documentation
• PAM Man Page
• Red Hat PAM Security Hardening Guide

3. Firewalls & SELinux

Securing Linux systems requires a combination of network-level protection and system-level access controls. Host-based firewalls like UFW and Firewalld provide network traffic filtering, while SELinux and AppArmor enforce Mandatory Access Control (MAC) policies to restrict system access.

Host-Based Firewalls

Firewalls are essential for controlling inbound and outbound network traffic. They allow administrators to define rules that permit or deny traffic based on IP addresses, ports, and protocols.

1. UFW (Uncomplicated Firewall)

UFW is a user-friendly firewall management tool for Debian-based systems. It simplifies the process of configuring iptables rules.

• Enable UFW:

  sudo ufw enable

• Allow traffic on a specific port (e.g., SSH on port 22):

  sudo ufw allow 22

• Deny traffic on a specific port (e.g., HTTP on port 80):

  sudo ufw deny 80

• Check the status of UFW and active rules:

  sudo ufw status

2. Firewalld

Firewalld is a dynamic firewall management tool for Red Hat-based systems. It supports zones, which allow different rules for different network interfaces.

• Start and enable Firewalld:

        sudo systemctl start firewalld
        sudo systemctl enable firewalld
              

• Allow traffic on a specific service (e.g., HTTPS):

  sudo firewall-cmd --add-service=https --permanent

• Reload Firewalld to apply changes:

  sudo firewall-cmd --reload

• List all active zones and their rules:

  sudo firewall-cmd --list-all

Mandatory Access Control (MAC)

MAC systems like SELinux and AppArmor enforce strict access controls by confining processes and users to only the resources explicitly allowed by security policies.

1. SELinux (Security-Enhanced Linux)

SELinux is a powerful MAC system that enforces security policies at the kernel level. It is commonly used in Red Hat-based distributions.

• Check the current SELinux mode:

  getenforce

• Temporarily change the SELinux mode to permissive:

  sudo setenforce 0

• Permanently change the SELinux mode by editing /etc/selinux/config:

        SELINUX=permissive
              

• Manage SELinux policies with semanage:

        sudo semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
        sudo restorecon -Rv /web
              

2. AppArmor

AppArmor is an alternative to SELinux that uses profiles to restrict the capabilities of individual applications. It is commonly used in Ubuntu-based systems.

• Check the status of AppArmor:

  sudo aa-status

• Set a profile to complain mode (logs violations without enforcing them):

  sudo aa-complain /etc/apparmor.d/usr.sbin.nginx

• Enforce a profile to restrict application behavior:

  sudo aa-enforce /etc/apparmor.d/usr.sbin.nginx

Best Practices for Firewalls & MAC Systems

• Always test firewall and SELinux/AppArmor configurations in a non-production environment to avoid service disruptions.
• Use a layered security approach by combining firewalls with MAC systems for comprehensive protection.
• Regularly review and update firewall rules and security policies to address new threats.
• Monitor logs for denied access attempts and adjust policies as needed.

Additional Resources

• SELinux Project
• Ubuntu AppArmor Documentation
• Firewalld Official Documentation
• UFW Documentation

4. System Security Features

Hardening Linux systems is essential to reduce attack surfaces and protect against unauthorized access. This involves implementing advanced security mechanisms such as SELinux, AppArmor, and file integrity monitoring tools.

Key System Security Features:

• SELinux (Security-Enhanced Linux): SELinux provides Mandatory Access Control (MAC) to enforce strict security policies. It confines processes and users to only the resources they are explicitly allowed to access.
  • Use getenforce to check the current SELinux mode (e.g., Enforcing, Permissive, or Disabled).
  • Use setenforce to toggle between Enforcing and Permissive modes.
  • Manage SELinux policies with semanage to define rules for file contexts, ports, and booleans.

  Example: To allow an HTTP server to bind to a non-standard port (e.g., 8080), use:

        semanage port -a -t http_port_t -p tcp 8080
              

  Learn more about SELinux at the official SELinux project.

• AppArmor: AppArmor is an alternative to SELinux that uses profiles to restrict the capabilities of individual applications. It is simpler to configure and is commonly used in Ubuntu-based systems.
  • Use aa-status to check the status of AppArmor and view loaded profiles.
  • Use aa-complain to set a profile to complain mode, where violations are logged but not enforced.
  • Use aa-enforce to enforce a profile and restrict application behavior.

  Example: To enforce a profile for the Nginx web server, run:

        aa-enforce /etc/apparmor.d/usr.sbin.nginx
              

  Learn more about AppArmor at the Ubuntu AppArmor documentation.

• File Integrity Checking: File integrity monitoring tools like AIDE (Advanced Intrusion Detection Environment) help detect unauthorized changes to critical files and directories.
  • Install AIDE using your package manager (e.g., sudo apt install aide or sudo yum install aide).
  • Initialize the AIDE database with:

        sudo aide --init
                

  • Compare the current system state to the database with:

        sudo aide --check
                

  Learn more about AIDE at the official AIDE project.

Best Practices for System Security:

• Regularly update your system to patch vulnerabilities using tools like apt, yum, or dnf.
• Use a layered security approach by combining SELinux or AppArmor with firewalls (e.g., iptables or firewalld).
• Monitor system logs for suspicious activity using tools like journalctl or logwatch.
• Implement strong password policies and enforce multi-factor authentication (MFA) where possible.
• Restrict access to critical files and directories using proper permissions and Access Control Lists (ACLs).

Additional Resources:

• SELinux Project
• Ubuntu AppArmor Documentation
• AIDE Official Website
• Red Hat Security Hardening Guide

5. Log Management and Auditing

Effective log management and auditing are critical for detecting suspicious activities, ensuring compliance with security policies, and maintaining system integrity. Linux provides robust tools and mechanisms for monitoring, analyzing, and auditing system logs.

Key Log Files to Monitor:

• /var/log/auth.log: Contains authentication-related events, such as login attempts, SSH access, and sudo usage. This is crucial for identifying unauthorized access attempts.
• /var/log/syslog: Stores general system messages and logs from various services. It is useful for troubleshooting system-wide issues.
• /var/log/kern.log: Logs kernel-related messages, including hardware errors and driver issues.
• /var/log/audit/audit.log: Contains logs generated by the auditd service, which tracks access to sensitive files and monitors policy violations.

Using auditd for Advanced Auditing:

The auditd (Audit Daemon) service is a powerful tool for tracking system events and monitoring access to critical files. It is commonly used to meet compliance requirements and detect unauthorized activities.

• Install auditd:

  sudo apt install auditd

• Start and enable the auditd service:

        sudo systemctl start auditd
        sudo systemctl enable auditd
              

• Add a rule to monitor access to a sensitive file (e.g., /etc/passwd):

        sudo auditctl -w /etc/passwd -p wa -k passwd_changes
              

  This rule tracks write (w) and attribute change (a) operations on /etc/passwd and tags the events with the key passwd_changes.

• View audit logs using ausearch:

  sudo ausearch -k passwd_changes

• Generate audit reports using aureport:

  sudo aureport -f

Using journalctl for Log Analysis:

The journalctl command is used to query and view logs managed by systemd. It provides powerful filtering options for analyzing logs.

• View all logs:

  journalctl

• Filter logs by a specific service (e.g., SSH):

  journalctl -u sshd

• View logs from the current boot session:

  journalctl -b

• Follow logs in real-time:

  journalctl -f

Best Practices for Log Management:

• Regularly review critical log files, such as /var/log/auth.log and /var/log/audit/audit.log, to detect unauthorized access attempts.
• Use log rotation tools like logrotate to manage log file sizes and ensure older logs are archived.
• Centralize log management using tools like ELK Stack (Elasticsearch, Logstash, and Kibana) or Graylog.
• Implement access controls to restrict who can view or modify log files.
• Configure alerts for critical events, such as repeated failed login attempts or unauthorized file access.

Additional Resources:

• Auditd Man Page
• Journalctl Man Page
• Elastic Stack Documentation
• Graylog Official Website

6. Important Commands Summary

Mastering these commands is essential for efficiently managing Linux security settings:

• chmod, chown, chgrp - Manage file and directory permissions and ownerships to restrict or allow access at a granular level.
• getfacl, setfacl - Define and retrieve Access Control Lists (ACLs) for fine-tuned permission management.
• passwd, chage - Update user passwords and configure expiration and aging policies.
• sudo, visudo - Delegate administrative privileges securely to non-root users.
• iptables, firewalld - Set up firewall rules for inbound and outbound network traffic control.
• auditd, ausearch, auditctl - Enable auditing of system events and monitor suspicious activities.
• SSH Configuration: Strengthen secure communications by configuring /etc/ssh/sshd_config.