CompTIA Linux+ (XK0-005) Domain 2: Security

A comprehensive guide to understanding and implementing robust security measures on Linux systems, covering key objectives for the XK0-005 exam.

Domain Overview

Domain 2 of the CompTIA Linux+ (XK0-005) certification focuses on securing Linux systems by implementing and maintaining measures that ensure confidentiality, integrity, and availability. Key topics include robust user and file security, advanced authentication mechanisms like PAM, configuring host-based firewalls, leveraging Mandatory Access Control systems such as SELinux or AppArmor, hardening SSH for secure remote access, and diligent system logging and auditing.

1. User, Group, and File Security

Fundamental Linux security relies on proper management of users, groups, and file permissions to control access to system resources.

Core Concepts:

  • Permissions: Control access using read (r), write (w), and execute (x) bits for owner, group, and others. Set with chmod (e.g., chmod 750 filename or chmod u=rwx,g=rx,o= filename).
  • Ownership: Assign file/directory ownership using chown (change owner) and chgrp (change group).
  • Special Permissions:
    • SUID (Set User ID): Allows a user to execute a file with the permissions of the file owner. (chmod u+s filename)
    • SGID (Set Group ID): Allows a user to execute a file with the permissions of the file's group. For directories, new files/dirs inherit the directory's group. (chmod g+s filename_or_dirname)
    • Sticky Bit: On directories, allows only the file owner, directory owner, or root to delete/rename files within that directory. (chmod +t dirname, e.g., /tmp)
  • Access Control Lists (ACLs): Provide more granular permission control beyond traditional user/group/other. Use getfacl to view and setfacl to modify ACLs (e.g., setfacl -m u:username:rwx filename).
  • Shadow Passwords: The /etc/shadow file stores hashed user passwords and password-aging information and is readable only by root. This is a critical improvement over storing password hashes in the world-readable /etc/passwd.
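The following script is an added example, not part of the original guide: it applies the modes above to a scratch tree created with mktemp (every path is constructed; no real system file is touched), reads the resulting octal modes back with stat, shows what umask does to a newly created file, and includes two find-based audit helpers that a defender would point at a real filesystem to list SUID/SGID files and world-writable directories that lack the sticky bit. It assumes GNU or busybox coreutils (stat -c, find -perm) and runs as an ordinary user.

```shell
#!/bin/sh
# Added example: permission bits on a constructed scratch tree.
# Assumes GNU/busybox coreutils (stat -c, find -perm); run as a normal user.
set -eu

# Build a scratch tree under mktemp and apply the modes from the guide.
demo_setup() {
  demo=$(mktemp -d)
  : > "$demo/script.sh"
  mkdir "$demo/shared" "$demo/drop"
  chmod 750 "$demo/script.sh"   # rwxr-x---: owner full, group read+exec, others nothing
  chmod u+s "$demo/script.sh"   # SUID: the file runs with its owner's identity
  chmod 2775 "$demo/shared"     # SGID on a directory: new files inherit its group
  chmod 1777 "$demo/drop"       # sticky bit: only a file's owner (or root) may remove it
  printf '%s\n' "$demo"
}

# Octal mode including the special-bit digit, e.g. 4750, 2775, 1777.
mode_of() {
  stat -c '%a' "$1"
}

# Effect of umask on a newly created file: 0666 & ~027 = 0640.
umask_demo() {
  ( umask 027; : > "$1/newfile" )
  mode_of "$1/newfile"
}

# Audit helper: regular files with SUID or SGID set anywhere under a tree.
find_special() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

# Audit helper: world-writable directories without the sticky bit, where any
# user could delete or rename other users' files.
find_ww_nosticky() {
  find "$1" -type d -perm -0002 ! -perm -1000
}

# Stand-alone run: sh perms_demo.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(demo_setup)
  for p in script.sh shared drop; do
    printf '%-10s %s\n' "$p" "$(mode_of "$d/$p")"
  done
  printf 'umask 027 -> %s\n' "$(umask_demo "$d")"
  echo "SUID/SGID files:"; find_special "$d"
  echo "world-writable dirs without sticky bit:"; find_ww_nosticky "$d"
  rm -rf "$d"
fi
```

Run with `sh perms_demo.sh --demo` to print the modes and the audit output. The two helpers can also be pointed at `/` (with sudo) on a real host; the list from find_special is the set of binaries worth re-checking after package updates, and any hit from find_ww_nosticky is a directory where one user can remove another user's files.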

2. Authentication and PAM

Pluggable Authentication Modules (PAM) offer a flexible framework for user authentication, authorization, account management, and session management.

Key Features of PAM:

  • Modularity: Allows stacking multiple authentication methods.
  • Centralized Configuration: Service-specific configurations are in /etc/pam.d/.
  • Flexibility: Supports diverse modules for custom security needs.

Common PAM Modules:

  • pam_unix.so: Standard Unix authentication (uses /etc/passwd, /etc/shadow).
  • pam_pwquality.so: Enforces password complexity rules.
  • pam_faillock.so: Manages account lockout after failed login attempts (replaces older pam_tally2.so).
  • pam_limits.so: Enforces resource limits from /etc/security/limits.conf.
  • pam_sss.so: Integrates with SSSD for centralized identity management.

Example: Enforcing Password Complexity

In /etc/pam.d/system-auth or common-password (varies by distro):

password requisite pam_pwquality.so retry=3 minlen=12 difok=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1

This example requires a minimum length of 12 characters, at least 3 characters that differ from the old password (difok), and at least one digit (dcredit), one uppercase letter (ucredit), one other, non-alphanumeric character (ocredit), and one lowercase letter (lcredit); a negative credit value is the minimum number of characters of that class.

Example: Account Lockout with pam_faillock

In /etc/pam.d/system-auth or common-auth (the preauth line goes before pam_unix.so, the authfail line after it):

auth        required      pam_faillock.so preauth silent audit deny=5 unlock_time=900
auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900

And in /etc/pam.d/system-account or common-account:

account     required      pam_faillock.so

This locks an account for 900 seconds (15 minutes) after 5 failed attempts.
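The script below is an added example (not from the guide and not part of PAM) with two checks for the settings in this section. The first implements the rule the pam_pwquality line above actually enforces: with negative credits each class value is a minimum count, so a candidate password is tested for length and for at least one digit, uppercase, lowercase and other character (difok, the dictionary check and the other heuristics of the real module are left out). The second reads an auth stack and verifies the ordering pam_faillock(8) requires: preauth before pam_unix.so, authfail after it, because the authfail line is only reached when pam_unix.so has failed. Both run against constructed sample stacks embedded in the script; the faillock lines are the ones from the guide, while the pam_unix.so and pam_deny.so lines are the usual surrounding entries and are my addition.

```shell
#!/bin/sh
# Added example: checks for the pam_pwquality and pam_faillock settings above,
# run against constructed sample stacks (not real /etc/pam.d files).
set -eu

# --- pam_pwquality semantics --------------------------------------------
# Mirrors minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1: a negative
# credit is a required minimum count of that character class.
count_class() {  # password, tr character class such as '[:digit:]'
  printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}
count_other() {  # characters that are neither letters nor digits
  printf '%s' "$1" | tr -d '[:alnum:]' | wc -c | tr -d ' '
}
pwquality_check() {  # candidate password; prints OK or the first failing rule
  pw=$1
  [ "${#pw}" -ge 12 ]                          || { echo "FAIL minlen=12";  return 1; }
  [ "$(count_class "$pw" '[:digit:]')" -ge 1 ] || { echo "FAIL dcredit=-1"; return 1; }
  [ "$(count_class "$pw" '[:upper:]')" -ge 1 ] || { echo "FAIL ucredit=-1"; return 1; }
  [ "$(count_class "$pw" '[:lower:]')" -ge 1 ] || { echo "FAIL lcredit=-1"; return 1; }
  [ "$(count_other "$pw")" -ge 1 ]             || { echo "FAIL ocredit=-1"; return 1; }
  echo "OK"
}

# --- pam_faillock ordering ----------------------------------------------
# Reads an auth stack on stdin. preauth must precede pam_unix.so and authfail
# must follow it; exit status 1 if a line is missing or out of order.
faillock_order_check() {
  awk '
    $1 == "auth" && /pam_faillock\.so/ && /preauth/  { pre  = NR }
    $1 == "auth" && /pam_unix\.so/     && !ux        { ux   = NR }
    $1 == "auth" && /pam_faillock\.so/ && /authfail/ { fail = NR }
    END {
      if (pre && ux && fail && pre < ux && ux < fail) {
        print "OK order preauth < pam_unix < authfail"; exit 0
      }
      printf "FAIL preauth=%d pam_unix=%d authfail=%d\n", pre, ux, fail; exit 1
    }'
}

# Constructed sample stacks. The faillock lines are the guide's; pam_unix.so
# and pam_deny.so are the usual neighbours (my addition).
SAMPLE_OK='auth        required      pam_faillock.so preauth silent audit deny=5 unlock_time=900
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth        required      pam_deny.so'

# Wrong: authfail placed before pam_unix.so, so it never sees a failed password check.
SAMPLE_BAD='auth        required      pam_faillock.so preauth silent audit deny=5 unlock_time=900
auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth        sufficient    pam_unix.so try_first_pass
auth        required      pam_deny.so'

# Stand-alone run: sh pam_checks.sh --demo
if [ "${1:-}" = "--demo" ]; then
  pwquality_check 'Tr0ub4dor&3xample'
  pwquality_check 'alllowercase1!' || true
  printf '%s\n' "$SAMPLE_OK"  | faillock_order_check || true
  printf '%s\n' "$SAMPLE_BAD" | faillock_order_check || true
fi
```

On a real host the ordering check can be fed the actual stack with `grep '^auth' /etc/pam.d/system-auth | faillock_order_check`; a wrong order is easy to miss because authentication still works, only the lockout silently does not.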

3. Firewalls & Mandatory Access Control (SELinux/AppArmor)

Protecting Linux systems involves network traffic filtering with host-based firewalls and enforcing fine-grained system-level access controls with Mandatory Access Control (MAC) systems.

Host-Based Firewalls:

UFW (Uncomplicated Firewall) - Debian/Ubuntu

  • Enable: sudo ufw enable
  • Allow SSH: sudo ufw allow ssh or sudo ufw allow 22/tcp
  • Deny HTTP: sudo ufw deny http
  • Status: sudo ufw status verbose

Firewalld - RHEL/CentOS/Fedora

  • Start & Enable: sudo systemctl start firewalld && sudo systemctl enable firewalld
  • Allow HTTPS (permanently): sudo firewall-cmd --permanent --add-service=https
  • Reload: sudo firewall-cmd --reload
  • List all: sudo firewall-cmd --list-all

Mandatory Access Control (MAC):

SELinux (Security-Enhanced Linux)

  • Check mode: getenforce
  • Temporarily set to permissive: sudo setenforce 0 (enforcing: sudo setenforce 1)
  • Persistently change mode in /etc/selinux/config (e.g., SELINUX=enforcing). Reboot required.
  • Manage file contexts: sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/custom(/.*)?" then sudo restorecon -Rv /var/www/custom
  • View audit logs for denials: sudo ausearch -m avc -ts recent or check /var/log/audit/audit.log

AppArmor

  • Check status: sudo aa-status
  • Set profile to complain mode: sudo aa-complain /path/to/profile
  • Enforce profile: sudo aa-enforce /path/to/profile
  • Profiles are typically in /etc/apparmor.d/.

File Integrity Checking (e.g., AIDE):

  • Initialize database: sudo aideinit (Debian wrapper) or sudo aide --init, then move the newly written database into place as the reference database
  • Check integrity: sudo aide --check
  • Update database after legitimate changes: sudo aide --update, then move the new database into place
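As an added example (not AIDE and not the guide's own code), the script below implements the baseline/check cycle that aide --init and aide --check perform: a snapshot records path, mode, owner and SHA-256 digest for every regular file under a directory, and a later check reports files that were added, removed or modified (content, mode or ownership). It is run here on a constructed scratch tree; file names containing whitespace are deliberately unsupported to keep the parsing simple. Assumes GNU/busybox coreutils (sha256sum, stat -c, comm).

```shell
#!/bin/sh
# Added example: a minimal file-integrity baseline/check cycle in the spirit of
# AIDE's --init / --check. Records "<path> <mode:user:group> <sha256>" per file.
# Paths with whitespace are not supported.
set -eu

# Snapshot of a tree, one line per regular file, sorted in the C locale so
# that comm(1) can compare two snapshots line by line.
integrity_snapshot() {  # dir
  ( cd "$1" && find . -type f | while IFS= read -r f; do
      printf '%s %s %s\n' "$f" "$(stat -c '%a:%U:%G' "$f")" \
                          "$(sha256sum "$f" | cut -d' ' -f1)"
    done | LC_ALL=C sort )
}

# Write the baseline database (the equivalent of aide --init).
integrity_init() {  # dir baseline_file
  integrity_snapshot "$1" > "$2"
}

# Compare the live tree with the baseline (the equivalent of aide --check).
# Prints "no changes" and returns 0, or one ADDED/REMOVED/MODIFIED line per
# difference and returns 1.
integrity_check() {  # dir baseline_file
  cur=$(mktemp)
  integrity_snapshot "$1" > "$cur"
  report=$( {
    # Baseline lines missing from the live snapshot: file removed or changed.
    LC_ALL=C comm -23 "$2" "$cur" | while IFS= read -r line; do
      p=${line%% *}
      if cut -d' ' -f1 "$cur" | grep -Fxq -- "$p"; then
        echo "MODIFIED $p"
      else
        echo "REMOVED $p"
      fi
    done
    # Live lines missing from the baseline whose path is new: file added.
    LC_ALL=C comm -13 "$2" "$cur" | while IFS= read -r line; do
      p=${line%% *}
      cut -d' ' -f1 "$2" | grep -Fxq -- "$p" || echo "ADDED $p"
    done
  } )
  rm -f "$cur"
  if [ -z "$report" ]; then
    echo "no changes"
    return 0
  fi
  printf '%s\n' "$report"
  return 1
}

# Stand-alone run: sh integrity_demo.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); db=$(mktemp)
  printf 'root:x:0:0\n' > "$d/passwd"; printf 'a\n' > "$d/a.txt"
  integrity_init "$d" "$db"
  integrity_check "$d" "$db"
  printf 'tampered\n' >> "$d/a.txt"
  integrity_check "$d" "$db" || true
  rm -rf "$d" "$db"
fi
```

What AIDE adds on top of this idea is exactly what makes it production-worthy: a configurable attribute set per path (inode, link count, ACLs, xattrs, SELinux context), a database kept signed or on read-only media so that whoever modifies a file cannot also rewrite the baseline, and scheduled checks whose reports are shipped off-host.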

4. Secure Communications & SSH Hardening

Securing remote access, primarily through SSH, is vital. This involves configuring SSH for optimal security and understanding tools for secure data transfer.

SSH Hardening (/etc/ssh/sshd_config):

  • Disable root login: PermitRootLogin no
  • Disable password authentication (use key-based only): PasswordAuthentication no
  • Use a non-standard port: Port 2222 (ensure firewall allows this)
  • Limit users/groups: AllowUsers user1 user2 or AllowGroups ssh_access_group
  • Set idle timeout: ClientAliveInterval 300 and ClientAliveCountMax 0 (note that since OpenSSH 8.2, ClientAliveCountMax 0 disables the disconnect entirely; on those versions use a small nonzero count such as ClientAliveCountMax 1)
  • Use strong Ciphers, MACs, and KexAlgorithms (often default to secure values in modern SSH).
  • Always restart sshd after changes: sudo systemctl restart sshd
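The script below is an added example, not part of the guide or of OpenSSH: it reads an sshd_config the way sshd reads the global section (the first occurrence of a keyword wins, keywords are case-insensitive, and a Match block ends the global section) and checks the settings listed above against two constructed sample files. One caveat is encoded: because ClientAliveCountMax 0 disables the idle disconnect on OpenSSH 8.2 and later, the lint reports that value for review instead of requiring it. On a real host, feed it /etc/ssh/sshd_config or, better, the output of sshd -T, which prints the fully resolved configuration including defaults.

```shell
#!/bin/sh
# Added example: lint an sshd_config against the hardening settings above.
# Sample files are constructed; nothing on the host is read.
set -eu

# First effective value of a keyword in the global section. sshd uses the
# first occurrence; a Match line ends the global section, so parsing stops
# there. Keywords are case-insensitive; "Key value" and "Key=value" both work.
sshd_setting() {  # file keyword
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    { line = $0; sub(/^[ \t]+/, "", line)
      split(line, f, /[ \t=]+/); k = tolower(f[1]) }
    k == "match" { exit }                         # global section ends here
    k == key { sub(/^[^ \t=]+[ \t=]+/, "", line); print line; exit }
  ' "$1"
}

# Compare against the values the guide recommends. An unset keyword means the
# daemon default applies, which for PasswordAuthentication is "yes".
sshd_lint() {  # file
  rc=0
  for pair in PermitRootLogin=no PasswordAuthentication=no ClientAliveInterval=300; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(sshd_setting "$1" "$key")
    if [ "$got" = "$want" ]; then
      echo "OK   $key $got"
    else
      echo "FAIL $key is '${got:-unset}', want '$want'"; rc=1
    fi
  done
  if [ -n "$(sshd_setting "$1" AllowUsers)$(sshd_setting "$1" AllowGroups)" ]; then
    echo "OK   AllowUsers/AllowGroups restricts who may log in"
  else
    echo "FAIL no AllowUsers or AllowGroups directive"; rc=1
  fi
  # Reported, not judged: 0 means "never disconnect" on OpenSSH >= 8.2.
  cm=$(sshd_setting "$1" ClientAliveCountMax)
  echo "INFO ClientAliveCountMax ${cm:-unset (default 3)}"
  return $rc
}

# Constructed samples written to temp files (not real host configuration).
sample_weak() {
  f=$(mktemp); cat > "$f" <<'EOF'
# weak: root login and passwords allowed, nobody restricted
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
  printf '%s\n' "$f"
}
sample_hardened() {
  f=$(mktemp); cat > "$f" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowGroups ssh_access_group
ClientAliveInterval 300
ClientAliveCountMax 0
Match User backup
    PasswordAuthentication yes
EOF
  printf '%s\n' "$f"
}

# Stand-alone run: sh sshd_lint.sh --demo
if [ "${1:-}" = "--demo" ]; then
  w=$(sample_weak); h=$(sample_hardened)
  echo "== weak"; sshd_lint "$w" || true
  echo "== hardened"; sshd_lint "$h" || true
  rm -f "$w" "$h"
fi
```

The hardened sample ends with a Match block that re-enables passwords for one user; the lint still reports PasswordAuthentication no because that is the global value, which is the same reason `sshd -T -C user=backup` is the right tool when a Match block is in play.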

Secure File Transfer:

  • scp: Secure copy (uses SSH). Example: scp localfile user@remotehost:/remote/path
  • sftp: Secure FTP (uses SSH). Interactive session: sftp user@remotehost
  • rsync: Versatile tool for syncing files, can use SSH. Example: rsync -avz -e ssh localdir/ user@remotehost:/remote/dir/

5. Log Management and Auditing

Effective log management and system auditing are crucial for monitoring security events, troubleshooting issues, and ensuring compliance.

Key Log Files & Directories:

  • /var/log/auth.log or /var/log/secure: Authentication logs (logins, sudo, SSH).
  • /var/log/syslog or /var/log/messages: General system messages.
  • /var/log/kern.log: Kernel messages.
  • /var/log/audit/audit.log: Logs from the auditd service.
  • Application-specific logs (e.g., /var/log/nginx/, /var/log/httpd/).

Using journalctl (systemd journal):

  • View all logs: journalctl
  • Follow logs live: journalctl -f
  • Filter by service: journalctl -u sshd.service
  • Show kernel messages: journalctl -k
  • Logs since a specific time: journalctl --since "yesterday"

Using auditd for Advanced Auditing:

  • Install: sudo apt install auditd or sudo yum install audit
  • Start/Enable: sudo systemctl start auditd && sudo systemctl enable auditd
  • Add rule (e.g., monitor /etc/shadow for write/attribute changes):
    sudo auditctl -w /etc/shadow -p wa -k shadow_access
    (Make rules persistent in /etc/audit/rules.d/)
  • Search audit logs: sudo ausearch -k shadow_access
  • Generate reports: sudo aureport -l (for login events)
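The three helpers below are an added example (not from the guide) of reading the logs named in this section and in the SELinux section above: failed SSH password attempts per source address from an auth.log-style file, events tagged with the shadow_access key set by the auditctl rule above, and SELinux AVC denials with their source and target types. All log lines are constructed samples embedded in the script (TEST-NET addresses, made-up PIDs and timestamps); on a real host the same functions read /var/log/auth.log or /var/log/secure and /var/log/audit/audit.log, although ausearch and aureport already understand the audit format and should be preferred where available.

```shell
#!/bin/sh
# Added example: triage helpers over constructed auth.log and audit.log lines.
# Addresses, PIDs and timestamps are made up; nothing is read from the host.
set -eu

# Constructed /var/log/auth.log excerpt: sshd failures, one success, one sudo.
SAMPLE_AUTH='Mar  3 10:12:01 host sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
Mar  3 10:12:03 host sshd[2213]: Failed password for root from 203.0.113.5 port 40214 ssh2
Mar  3 10:12:05 host sshd[2215]: Failed password for invalid user test from 203.0.113.5 port 40216 ssh2
Mar  3 10:13:40 host sshd[2230]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Mar  3 10:14:02 host sshd[2232]: Accepted publickey for alice from 198.51.100.7 port 51004 ssh2
Mar  3 10:15:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/shadow'

# Constructed /var/log/audit/audit.log excerpt: two records from the
# shadow_access watch (-w /etc/shadow -p wa -k shadow_access) and one AVC denial.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1709460900.101:311): arch=c000003e syscall=257 success=yes exit=3 ppid=2240 pid=2241 auid=1000 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="shadow_access"
type=SYSCALL msg=audit(1709460960.202:319): arch=c000003e syscall=90 success=no exit=-13 ppid=2250 pid=2251 auid=1001 uid=1001 gid=1001 euid=1001 comm="chmod" exe="/usr/bin/chmod" key="shadow_access"
type=AVC msg=audit(1709461000.303:325): avc:  denied  { read } for  pid=2300 comm="httpd" name="index.html" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Failed-password attempts per source, "<count> <ip>", busiest first. Only
# sources at or above the threshold (default 3) are listed.
ssh_failures_by_source() {  # [threshold], log on stdin
  awk -v t="${1:-3}" '
    /sshd\[[0-9]+\]: Failed password/ {
      for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
    }
    END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# SYSCALL records carrying an audit key, "<auid> <comm> <success>". auid is the
# login UID, so a write made as root via sudo is still attributed to the user.
audit_events_by_key() {  # key, log on stdin
  awk -v key="$1" '
    /^type=SYSCALL / && index($0, "key=\"" key "\"") {
      auid = ""; comm = ""; ok = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "auid") auid = kv[2]
        else if (kv[1] == "comm") comm = kv[2]
        else if (kv[1] == "success") ok = kv[2]
      }
      gsub(/"/, "", comm)
      print auid, comm, ok
    }'
}

# SELinux AVC denials, "<source type> <target type> <class> <permissions>":
# the label pair that a semanage fcontext / restorecon fix would address.
avc_denials() {  # log on stdin
  awk '
    /^type=AVC / && /denied/ {
      perms = $0
      sub(/.*denied[ \t]+[{][ \t]*/, "", perms); sub(/[ \t]*[}].*/, "", perms)
      s = ""; t = ""; c = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext") s = kv[2]
        else if (kv[1] == "tcontext") t = kv[2]
        else if (kv[1] == "tclass") c = kv[2]
      }
      split(s, sp, ":"); split(t, tp, ":")
      print sp[3], tp[3], c, perms
    }'
}

# Stand-alone run: sh log_triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
  echo "== SSH failures (>= 3)";  printf '%s\n' "$SAMPLE_AUTH"  | ssh_failures_by_source 3
  echo "== shadow_access events"; printf '%s\n' "$SAMPLE_AUDIT" | audit_events_by_key shadow_access
  echo "== AVC denials";          printf '%s\n' "$SAMPLE_AUDIT" | avc_denials
fi
```

Two details in the audit output are worth noticing: the record of root editing /etc/shadow is still attributed to auid=1000, the user who ran sudo, and the AVC line names the label pair (httpd_t reading user_home_t) that explains the bare "permission denied" the application saw.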

Log Rotation:

logrotate (configured via /etc/logrotate.conf and files in /etc/logrotate.d/) manages log file size, rotation, compression, and removal to prevent disks from filling up.

6. Important Commands Summary

A quick reference to essential commands for Linux security administration:

  • File Permissions & Ownership: chmod, chown, chgrp, getfacl, setfacl, umask.
  • User & Group Management: useradd, usermod, userdel, groupadd, passwd, chage, sudo, visudo.
  • Authentication (PAM): Configuration files in /etc/pam.d/. Tools like faillock.
  • Firewalls: ufw, firewall-cmd, iptables (legacy/advanced), nft (newer).
  • SELinux/AppArmor: getenforce, setenforce, semanage, restorecon (SELinux); aa-status, aa-complain, aa-enforce (AppArmor).
  • SSH: Client ssh, server config /etc/ssh/sshd_config, ssh-keygen, ssh-copy-id.
  • Logging & Auditing: journalctl, auditctl, ausearch, aureport, logrotate. Relevant log files in /var/log/.
  • Integrity Checking: aide, tripwire.

Domain 2 Summary & Next Steps

Securing Linux systems is a critical, multi-faceted discipline. Domain 2 covers essential practices from foundational file permissions and robust authentication with PAM, to network defense using firewalls, advanced system confinement with SELinux/AppArmor, secure remote access via SSH, and vigilant monitoring through logging and auditing. Mastering these concepts is vital for real-world Linux administration and success in the CompTIA Linux+ XK0-005 exam.