Security Strategies in Linux Platforms and Applications, 3rd Edition
- Length: 500 pages
- Edition: 3
- Language: English
- Publisher: Jones & Bartlett Learning
- Publication Date: 2022-11-09
- ISBN-10: 1284255859
- ISBN-13: 9781284255850
- Sales Rank: #2908022
The third edition of Security Strategies in Linux Platforms and Applications covers every major aspect of security on a Linux system. Using real-world examples and exercises, this resource incorporates hands-on activities to walk readers through the fundamentals of security strategies for the Linux system. Written by an industry expert, the book is divided into three natural parts to illustrate key concepts in the field. It opens with a discussion of the risks, threats, and vulnerabilities associated with Linux as an operating system, using current examples and cases. Part 2 discusses how to take advantage of the layers of security available to Linux: user and group options, filesystems, and security options for important services. The book closes with a look at the use of both open source and proprietary tools when building a layered security strategy for Linux operating system environments. Part of the Jones & Bartlett Learning Information Systems Security & Assurance Series.
Table of contents:
- Front matter: Cover; Title Page; Copyright Page; Contents; Dedication Page; Purpose of This Book; Acknowledgments; About the Authors
- CHAPTER 1 Security Threats to Linux: The Origins of Linux Security in an Open-Source World Linux Distributions The C-I-A Triad Linux as a Security Device Linux in the Enterprise Recent Security Issues Chapter Summary Key Concepts And Terms Chapter 1 Assessment
- CHAPTER 2 Basic Components of Linux Security: Linux Security Relates to the Kernel The Basic Linux Kernel Philosophy Basic Linux Kernels Distribution-Specific Linux Kernels Custom Linux Kernels Linux Kernel Security Options Securing a System During the Boot Process Unified Extensible Firmware Interface (UEFI) Physical Security The Threat of the Live CD Boot Process Security More Boot Process Issues Virtual Physical Security Linux Security Issues Beyond the Basic Operating System Service Process Security Security Issues with the GUI Linux User Authentication Databases Protecting Files with Ownership, Permissions, and Access Controls Firewalls and Mandatory Access Controls in a Layered Defense Firewall Support Options Mandatory Access Control Support Protecting Networks Using Encrypted Communication Tracking the Latest Linux Security Updates Linux Security Updates for Regular Users Linux Security Updates for Home Hobbyists Linux Security Updates for Power Users Security Updates for Linux Administrators Linux Security Update Administration The Effect of Virtualization on Security Variations Between Distributions A Basic Comparison: Red Hat and Ubuntu More Diversity in Services Chapter Summary Key Concepts And Terms Chapter 2 Assessment
- CHAPTER 3 Starting Off: Getting Up and Running: Picking a Distribution Picking a Delivery Platform Physical System Virtual Machines Cloud Services Infrastructure as a Service Platform as a Service Choosing a Boot Loader Linux Loader Grand Unified Boot Loader Services Runlevels Wrappers inetd and xinetd Chapter Summary Key Concepts And Terms Chapter 3 Assessment
- CHAPTER 4 User Privileges and Permissions: The Shadow Password Suite /etc/passwd /etc/group /etc/shadow /etc/gshadow Defaults for the Shadow Password Suite Shadow Password Suite Commands Available User Privileges Securing Groups of Users User Private Group Scheme Create a Special Group Configuring the Hierarchy of Administrative Privileges Administrative Privileges in Services The su and sg Commands Options with sudo and /etc/sudoers Basic Options in /etc/sudoers More Detailed Options with /etc/sudoers Use the sudo Command Regular and Special Permissions The Set User ID Bit The Set Group ID Bit The Sticky Bit Tracking Access Through Logs Authorization Log Options Authorization Log Files Pluggable Authentication Modules The Structure of a PAM Configuration File PAM Configuration for Users Authorizing Access with the Polkit How the Polkit Works Polkit Concepts Network User Verification Tools NIS If You Must LDAP Shares Authentication Best Practices: User Privileges and Permissions Chapter Summary Key Concepts And Terms Chapter 4 Assessment
- CHAPTER 5 Filesystems, Volumes, and Encryption: Filesystem Organization Filesystem Basics The Filesystem Hierarchy Standard Good Volume Organization Can Help Protect a System Read-Only Mount Points How Options for Journals, Formats, and File Sizes Affect Security Partition Types The Right Format Choice Available Format Tools Using Encryption Encryption Tools Encrypted Files Encrypted Directories Encrypted Partitions and Volumes Local File and Folder Permissions Basic File Ownership Concepts Basic File-Permission Concepts Changing File Permissions Networked File and Folder Permissions NFS Issues Samba/CIFS Network Permissions Network Permissions for the vsftp Daemon Configuring and Implementing Quotas on a Filesystem The Quota Configuration Process Quota Management Quota Reports How to Configure and Implement Access Control Lists on a Filesystem Configure a Filesystem for ACLs ACL Commands Configure Files and Directories with ACLs Best Practices: Filesystems, Volumes, and Encryption Chapter Summary Key Concepts And Terms Chapter 5 Assessment
- CHAPTER 6 Securing Services: Starting a Hardened System Service Management SysV Init Upstart Systemd Hardening Services Using Mandatory Access Controls Security Enhanced Linux AppArmor Servers Versus Desktops Protecting Against Development Tools Chapter Summary Key Concepts And Terms Chapter 6 Assessment
- CHAPTER 7 Networks, Firewalls, and More: Services on Every TCP/IP Port Protocols and Numbers in /etc/services Protection by the Protocol and Number Obscurity and the Open Port Problem Obscure Ports Opening Obscure Open Ports Obscurity by Other Means Protect with TCP Wrapper What Services Are TCP Wrapped? Configure TCP Wrapper Protection Packet-Filtering Firewalls Basic Firewall Commands Firewalld A Firewall for the DMZ A Firewall for the Internal Network Alternate Attack Vectors Attacks Through Nonstandard Connections Attacks on Scheduling Services Wireless-Network Issues Linux and Wireless Hardware Encrypting Wireless Networks Bluetooth Connections Security Enhanced Linux The Power of SELinux Basic SELinux Configuration Configuration from the Command Line The SELinux Administration Tool The SELinux Troubleshooter SELinux Boolean Settings Setting Up AppArmor Profiles Basic AppArmor Configuration AppArmor Configuration Files AppArmor Profiles AppArmor Access Modes Sample AppArmor Profiles AppArmor Configuration and Management Commands Best Practices: Networks, Firewalls, and TCP/IP Communications Chapter Summary Key Concepts And Terms Chapter 7 Assessment
- CHAPTER 8 Networked Filesystems and Remote Access: Basic Principles for Systems with Shared Networking Services Configure an NTP Server Install and Configure a Kerberos Server Basic Kerberos Configuration Additional Kerberos Configuration Options Hardening NFS as If It Were Local Configure NFS Kerberos Tickets Configure NFS Shares for Kerberos Keeping vsftp Very Secure Configuration Options for vsftp Additional vsftp Configuration Files Linux as an Alternative Windows Server Samba Global Options Samba as a Primary Domain Controller Making Sure SSH Services Remain Protected The SSH Server The SSH Client Create a Secure Shell Passphrase Basic Principles of Encryption on Networks Host-to-Host IPSec Network-to-Network IPSec Helping Users Who Must Use Telnet Securing Modem Connections The Basics of RADIUS RADIUS Configuration Files Moving Away from Cleartext Access The Simple rsync Solution Email Clients Best Practices: Networked Filesystems and Remote Access Chapter Summary Key Concepts And Terms Chapter 8 Assessment
- CHAPTER 9 Networked Application Security: Options for Secure Websites with Apache The LAMP Stack Apache Modules Security-Related Apache Directives Configure Protection on a Website Adding Encryption to Your Website Configure a Certificate Authority mod_security Apache as a Reverse Proxy Working with Squid Basic Squid Configuration Security-Related Squid Directives Limit Remote Access with Squid Protecting DNS Services with BIND The Basics of DNS on the Internet DNS Network Configuration Secure BIND Configuration A BIND Database DNS Targets to Protect Domain Name System Security Extensions Mail Transfer Agents Open Source sendmail The Postfix Alternative Dovecot for POP and IMAP More Email Services Using Asterisk Basic Asterisk Configuration Security Considerations with Asterisk Limiting Printers Printer Administrators Shared Printers Remote Administration The CUPS Administrative Tool Protecting Time Services Best Practices: Networked Application Security Chapter Summary Key Concepts And Terms Chapter 9 Assessment
- CHAPTER 10 Kernel Security Risk Mitigation: Distribution-Specific Functional Kernels Kernels by Architecture Kernels for Different Functions The Stock Kernel Kernel Numbering Systems Production Releases and More Download the Stock Kernel Stock Kernel Patches and Upgrades Managing Security and Kernel Updates Stock Kernel Security Issues Distribution-Specific Kernel Security Issues Installing an Updated Kernel Development Software for Custom Kernels Red Hat Kernel Development Software Ubuntu Kernel Development Software Kernel-Development Tools Before Customizing a Kernel Start the Kernel Customization Process Kernel-Configuration Options Building Your Own Hardened Kernel Download Kernel Source Code Download Ubuntu Kernel Source Code Download Red Hat Kernel Source Code Install Required Development Tools Navigate to the Directory with the Source Code Compile a Kernel on Ubuntu Systems Compile a Kernel on Red Hat Systems Compile a Stock Kernel Install the New Kernel and More Check the Boot Loader Test the Result Increasing Security Using Kernels and the /proc/ Filesystem Don’t Reply to Broadcasts Protect from Bad ICMP Messages Protect from SYN Floods Activate Reverse Path Filtering Close Access to Routing Tables Avoid Source Routing Don’t Pass Traffic Between Networks Log Spoofed, Source-Routed, and Redirected Packets Best Practices: Kernel Hardening Chapter Summary Key Concepts And Terms Chapter 10 Assessment
- CHAPTER 11 Managing Security Alerts and Updates: Keeping Up with Distribution Security Red Hat Alerts Red Hat Enterprise Linux Rocky Linux Fedora Core Linux Ubuntu Alerts Keeping Up with Application Security GNOME Desktop Environment Web Browsers Adobe Applications Service Applications Antivirus Options for Linux Systems The Clam AntiVirus System SpamAssassin Detecting Other Malware Endpoint Security for Linux Systems Using Bug Reports Ubuntu’s Launchpad Red Hat’s Bugzilla Application-Specific Bug Reports Security in an Open-Source World The Institute for Security and Open Methodologies The National Security Agency The Free Software Foundation User Procedures Deciding Between Automated Updates or Analyzed Alerts Do You Trust Your Distribution? Do You Trust Application Developers? Do You Trust Service Developers? Linux Patch Management Standard dnf Updates Updates on Fedora Updates on Red Hat Enterprise Linux Standard apt-* Updates Options for Update Managers Configuring Automated Updates Automatic Red Hat Updates Pushing or Pulling Updates Local or Remote Repositories Configuring a Local Repository Commercial Update Managers The Red Hat Network Canonical Landscape Micro Focus’ ZENworks Open-Source Update Managers Various apt-* Commands Various dnf Commands Red Hat Spacewalk Best Practices: Security Operations Management Chapter Summary Key Concepts And Terms Chapter 11 Assessment
- CHAPTER 12 Building and Maintaining a Security Baseline: Configuring a Simple Baseline A Minimal Red Hat Baseline A Minimal Ubuntu Baseline Read-Only or Live Bootable Operating Systems Appropriate Read-Only Filesystems Live CDs and DVDs Keeping the Baseline Up to Date A Gold Baseline Baseline Backups Monitoring Local Logs The System and Kernel Log Services Logging with journald Logs from Individual Services Consolidating and Securing Remote Logs Default rsyslog Configuration The Standard rsyslog Configuration File Identifying a Baseline System State Collect a List of Packages Compare Files, Permissions, and Ownership Define the Baseline Network Configuration Collect Runtime Information Checking for Changes with Integrity Scanners Tripwire Advanced Intrusion Detection Environment Best Practices: Building and Maintaining a Secure Baseline Chapter Summary Key Concepts And Terms Chapter 12 Assessment
- CHAPTER 13 Testing and Reporting: Testing Every Component of a Layered Defense Testing a Firewall Testing Various Services Testing Passwords Testing Mandatory Access Control Systems Checking for Open Network Ports The telnet Command The netstat Command The lsof Command The nmap Command Running Integrity Checks of Installed Files and Executables Verifying a Package Performing a Tripwire Check Testing with the Advanced Intrusion Detection Environment Ensuring That Security Does Not Prevent Legitimate Access Reasonable Password Policies Allowing Access from Legitimate Systems Monitoring Virtualized Hardware Virtual Machine Hardware Virtual Machine Options Using Virtual Machines on Linux Standard Open-Source Security-Testing Tools Snort Netcat and the nc Command Vulnerability Scanners for Linux Nessus OpenVAS Nexpose Where to Install Security-Testing Tools Hint: Not Where Attackers Can Use Them Against You Some Tools Are Already Available on Live CDs Other Distributions Best Practices: Testing and Reporting Chapter Summary Key Concepts And Terms Chapter 13 Assessment
- CHAPTER 14 Detecting and Responding to Security Breaches: Performing Regular Performance Audits The Basic Tools: ps and top The System Status Package For Additional Analysis Making Sure Users Stay Within Secure Limits Appropriate Policies Education User Installation of Problematic Services Logging Access into the Network Identifying Users Who Have Logged In System Authentication Logs Monitoring Account Behavior for Security Issues Downloaded Packages and Source Code Executable Files Creating an Incident Response Plan Increased Vigilance Should You Leave the System On? Acquiring the Memory Contents Having Live Linux CDs Ready for Forensics Purposes Helix Live Response SANS Investigative Forensics Toolkit Digital Evidence and Forensics Toolkit Build Your Own Media Forensic Live Media When You Put Your Plan into Action Confirming the Breach Identifying Compromised Systems Having Replacement Systems in Place Secure Backup and Recovery Tools Disk Images for Later Investigation The rsync Command Mount Encrypted Filesystems The Right Way to Save Compromised Data as Evidence Basic Principles for Evidence Remembering the Volatile Data Preserving the Hard Disks Disaster Recovery from a Security Breach Determining What Happened Prevention Replacement How and When to Share with the Open-Source Community If the Security Issue Is Known… If the Security Issue Has Not Been Reported… Best Practices: Security Breach Detection and Response Chapter Summary Key Concepts And Terms Chapter 14 Assessment
- CHAPTER 15 Best Practices and Emerging Technologies: Maintaining a Gold Baseline Monitoring Security Reports Working Through Updates Recalibrating System Integrity Ensuring Availability with Redundancy A Gold Physical Baseline A Gold Virtual Baseline Host Identifying Your Support Options Red Hat Support Options Canonical Support Options Open-Source Community Support Checking Compliance with Security Policies User Security Administrator Security Keeping the Linux Operating System Up to Date Baseline Updates Functional Bugs New Releases Keeping Distribution-Related Applications Up to Date Server Applications Desktop Applications Managing Third-Party Applications Licensing Issues Support Issues Sharing Problems and Solutions with the Community Which Community? Sharing with Developers Sharing on Mailing Lists Testing New Components Before Putting Them into Production Testing Updates Documenting Results Beta Testing Keeping Up with Security on Your Systems A New Firewall Command More Mandatory Access Controls Penetration-Testing Tools Single Sign-On Incident Response Chapter Summary Key Concepts And Terms Chapter 15 Assessment
- Back matter: APPENDIX A Answer Key; APPENDIX B Standard Acronyms; Glossary of Key Terms; References; Index