03 Installing Linux

7/29/2019 03 Installing Linux

1/38

InstallingLinux


2/38

ObjectivesAftercompletingthisunit,youshouldbeableto:

InstallaLinuxdistributionusinginstallationCDs

oroveranetwork UnderstandaRedHatkickstart fileandhavea

basicgraspofitssyntax

Understandtheimportanceofdifferent

partitioningstrategies Beabletochooseapurposeforanewsystem

andinstallonlywhat'snecessary

Knowhowtoupdatesoftwareonyoursystem Performsomepost-installationhardening

Performsystembaselining


3/38

StartingOffSecure Whenconsideringmethodstosecureasystem,

installationiswhereitshouldallbegin.

Preparingandinstallingasystemsecurelyhelpstoensure:

Thatitwillnotbecompromisedbefore

youcanupdateit. Thatyouwon'thavetoworryaboutyour

installationchoicesfurtherdownthe

line. Thatyourdatawillbeassecureas

possiblefromthelowestlevelofthesystemtothehighest.


4/38

WhyConsiderSecurityDuring

Installation? Installationisusuallynotthetimewhenpeople

worryaboutsecurity.

Alittleplanningduringinstallationcanmakeiteasiertoenforcecertainpolicies,maintainsystemavailability,andprovideforsystemexpandabilitylater.

Therehavebeendocumentedcasesofasystembeingcompromisedimmediatelyafterinstallation.

Itgivesyouachancetodefineaspecificroleforthesystem.

Youcan'thaveasolidbuildingwithoutasolidfoundation;thesameconceptappliestoyourorganization'ssystems.


5/38

BenefitsandDrawbacks

ofInstallationSecurityBenefits

Reducesrisks

Preparessystemformaintainabilityandupgradability

Allowssystemtoscalemoreeasily

Withagoodinstallationbase,youcanmakea

kickstart configurationfilethatmakesinstallationeasieronothermachines

Drawbacks

Takesmoretime

Somepartitionscanfillupmuchmorequicklythanothers,causing

youtohavetoupgradestoragesooner

Requiresamoreintimateknowledgeof

theinstallationprocessforyourdistributionofchoice


6/38

InstallationConcepts


7/38

PlanningBeforeyouinstallasystem,besureyouhaveput

somethoughtintothefollowingthings:

Whatwillthissystembeusedfor? Howshouldyoupartitionitforitsrole?

Whatfilesystemswillyouuseonthose

partitions? Howwillyoubeinstalling?

Shouldarootpasswordbedecideduponaheadoftime,baseduponyourorganization'spassword

policies? Arethereanyknownout-of-boxvulnerabilities

withthedistributionandreleaseyouareinstalling?


8/38

SystemPurposeandPartitioning Asystem'sintendedpurposeorfunctioninyour

organizationdefineswhat softwareshouldbe

installedfromthedistribution. Onlyinstallwhatisneeded,nothingmore.

Thestructureusedforpartitioningrelatesdirectlytothesystem'srole.

Allotspacetoaparticularpartition(andmountpoint)dependingonwhatitisusedfor.

Howmuchswapspacewillthesystemneed?

Allofthisinformationwillbeusedwhendeployingthesystem.


9/38

InstallationMethods(1of2)Threechoicesformostdistributions:

CD-ROMorDVD-ROM

Simple

Effective

Well-supported

Worksonmachineswithnofloppydrive

Network(NFS,HTTP,FTP,andsoon)

Centralized

Nomediatocarryaroundorkeeptrackof

Canbefaster

NoswappingCDs


10/38

InstallationMethods(2of2) Harddrive

Providedmostlyforcompatibility

reasonsforsystemsthatcan'tinstallfromCD-ROM

UsesISOimagesthatarebotheasyto

movebetweenservers(onlyonefileperCD)aswellasusableforburningnewCDs


11/38

Kickstart AnautomatedinstallationmethodavailableinRed

HatLinux.

Kickstart configurationfileisonafloppyorCD. Afterinstallation(beginningwithrelease7.2orlater),

afilecalledanaconda-ks.cfg iscreatedintherootuser'shomedirectory.Thisisakickstart file

containingparametersofthecurrentinstallation.Theonlythingthatneedscleaninguparetheclearpartlinesandthepartlines.

MakeabootfloppyusingtheimagesontheRedHat

LinuxCDandcopyyourkickstart configurationfiletothefloppy,withthenameks.cfg.

Whenbootingoffofabootfloppywithaks.cfg file,typelinux ks=floppyatthebootprompt.


12/38

InstallationProcessDuringtheinstallation,youwillhaveto

addressthefollowingtopics:

Creatingthepartitionlayoutandchoosingthefilesystemsfor

thosepartitions Choosingandenteringtherootpassword

Configuringauthenticationmethods

Selectingthepackagesyouwishtoinstall


13/38

PartitioningandFileSystems Foreachpartitionthatyoucreate,youneedto

selectafilesystemforit.

Differentdistributionssupportdifferentfilesystems.Forexample,

RedHatLinux8.0supports:

ext2 ext3

Reiserfs

JFS Forswappartitions,youwillusuallywantatleast

twicethesystem'sinstalledphysicalmemory.


14/38

Passwords Duringinstallation,youareaskedtochoosea

rootpassword.Makesurethepasswordyou

entermeetsyourorganization'spasswordpolicies.Whileitcanbechangedlater,ifyouenteragoodpasswordnowyouwillnothavetoworryabouttakingcareofitafterinstallation.

Beforepackagegroupselection,youweregiventheopportunitytoselectabootloader(eitherGRUBorLILO)password.Whetherornotyou

areusingabootloaderpassworddependsonyourorganization'spolicyonsuchthings.


15/38

ConfiguringAuthentication

Methods MD5passwords

Shadowpasswords

NIS

LDAP

Kerberos5

SMB


16/38

Packages(1of2) Mostdistributionscomewithmanypackage

groups(listedinyourstudentnotes).

Youcaneitherinstallornotinstallthewholegroup,oryoucanselectindividualpackagesfromthegroups.

Ingeneral,amultiuserserverwillnotneedthefollowingpackagegroups(exactnamesmayvary):

XWindowSystem

GNOMEDesktopEnvironment

KDEDesktopEnvironment GraphicalInternet


17/38

Packages(2of2) Ingeneral,amultiuserserverwillnotneedthe

followingpackagegroups(exactnamesmay

vary): Office/Productivity

SoundandVideo

Graphics GamesandEntertainment

XSoftwareDevelopment

GNOMESoftwareDevelopment

KDESoftwareDevelopment


18/38

Updating Everyoperatingsystemandeverypieceof

softwarehasbugsandsecurityflaws.

OneoftheOpenSourceadvantagesisthatanyonecanfixtheseholesandcan(orevenmust)providethefixtothecommunity

Vendorsthatreleasedistributions(RedHat,

SuSE,SCO,andsoon)taketheseupdatedandpatchedpiecesofsoftwareandrepackagethemtodistributetotheircustomersthroughtheappropriatechannels.

Vendorsalsoputrigoroustestingintothepackagestheyrelease.

Vendorsstandbehindtheirsecurityfixesandpackageupdates.


19/38

WheretoGoforUpdates HerearesomeURLsforvariousvendorupdatesites:

RedHat

http://www.redhat.com/apps/support/errata/ SuSE

http://support.suse.de/psdb/

SCO(formerlyCaldera) http://www.sco.com/support/updates/

http://www.sco.com/support/security/index.html#OpenLinux

TurboLinux: http://www.turbolinux.com/support/


20/38

WhattoLookfor(1of2) Ingeneral,usinganautomatedupdatetoolsuch

asRedHat'sUpdateAgent(withaRedHat

Networksubscription)orSuSE's YaST OnlineUpdate(YOU)makesthejobofstayingcurrentmucheasieronthepackageandsoftwaremanagementside.

CheckingFTPandWebsitesmanuallymeansyoumustknowwhatyoucurrentlyhave,whatyouneed,andhowtoupgradeit.


21/38

WhattoLookfor(2of2) SomecommonRPMcommandsformanagingpackages

are:

rpm-ipackage- Installpackage

rpm-epackage- Uninstallpackage

rpm-qa - Generatealistofallinstalledpackages

rpm-qi package- Getinfoonpackage

rpm-Kpackage- Checkpackage'sGPGsignature Namingscheme:name-version-release.architecture.rpm

name- Packagename

version- Versionofthesoftwarethispackageincludes

release- Packagerelease;aversionnumberforpackages architecture- Whatsystemit'sintendedfor


22/38

VendorversusAuthor OnecommonoccurrenceintheLinuxcommunity

isthatacriticalfixwilloftencomeoutmerehoursafteravulnerabilitywasdiscovered.

Whenthisoccurs,youmust:

Evaluatewhetherornotthevulnerabilitywouldorcouldaffectyou.

Ifthethreatishigh,downloadthenewsoftwareorpatchandbuild

itbyhand.

Ifthethreatisminor,youcansimplywait

forthevendortoprovide theirpackage.

OneotheroptiontothoselistedaboveistolookonmailinglistsorWebsitesforworkarounds.


23/38

HowtoUpgrade IfyouareusinganautomatedupgradingtoolsuchasRedHat's

UpdateAgentorSuSE's YOU,orathird-partysolution,refertothattool'sdocumentationforinstructionsonitsuse.

Ifyouareupgradingbyhand,hereiswhatyouneedtoknow:

rpm-U- Upgradesthepackageifanearlierversionis

alreadyinstalled,orinstallsthepackageifnoearlierversionisfound.

rpm-F- Upgradesthepackageifanearlierversionisalreadyinstalled,ordoesnothingifnoearlierversionisinstalled.

Forallpackagesexceptkernelbinarypackages,youcan

safelyinstallthemusingeitherofthetwoRPMcommandsabove.

Kernelbinarypackages(kernel-kernelversion-release.arch.rpm)areaspecialcase;theymustbeinstalledusingtherpm-isyntax,nottherpm-Uorrpm-Fsyntax.


24/38

Hardening Hardeningasystemreducesthechancethat

someonecangainunauthorizedprivileges

higherthanwhattheyshouldhave. Whileyoucanhardenthesystemmanually,we

onlycoverthatconceptuallyinthiscourse.

WegointogreaterdepthontheuseoftheautomaticsystemhardeningtoolBastille.


25/38

IdentificationandAuthentication Hardeningofthesetwosubsystems

prevents:

Theabilitytoposeasanotherperson

Theabilitytogainaccesstoanotherperson'saccount

Themaincomponentsinvolvedare:

PAM

/etc/passwd and/etc/shadow

/bin/login


26/38

AccessControland

Authorization Hardeningthesetwosubsystemsprevents:

Theabilitytoaccessresourcesbelongingtosomeoneelse

Circumventingofsecuritymeasuresdesignedtopreventharmtothesystem

Theabilitytoaccessresourcesoutsideofyourscope


Filesystempermissions

PAM

ACLtoolsandsubsystems

Variouskernelextensions


27/38

AvailabilityandSystemIntegrity Hardeningforavailabilityreducesthelikelihoodof,or

evenprevents,asuccessfuldenialofserviceattack.


Partitioning

Diskquotas

Kerneltuning

Hardwareconfiguration Hardeningforsystemintegritypreventsimportant

systemservicesfrombeingcompromisedandmodified.

Themaincomponentsinvolvedare: Permissionsandprivileges

Filesystems

Activevigilanceinmonitoring


28/38

AuditingandIntrusionDetection Hardeningforauditingprotectsyourlogfiles,log

monitors,andothersystemmonitoringsystems.


Logfilesin/var/log

Logmonitoringtools

Effectivepoliciesforlogmanagementandarchiving

Preparationandhardeningforthepossibilityofanintrusiontypicallyinvolvesinstallingsomeintrusiondetectionand/orlogmonitoringsoftware.

Themaincomponentsinvolveddependentirelyonlogmonitoringandintrusiondetectionsoftwareyouuse.


29/38

KernelHardening Kernelhardeningistheprocessofaddingadditional

functionalitytothekernel(typicallythroughsourcepatches)tomakekernel-basedsecurityflawsorexploitsmoredifficulttotakeadvantageof.

Thethreekernelhardeningpackagescoveredinthiscourseare:

LIDS- Patch-basedkernelhardeningsystem

rsbac - Accesscontrolframeworkforhardeningsystems

selinux - AsecuredistributioncreatedbytheUnitedStates'

NationalSecurityAgency

Commonfeatures:

MandatoryAccessControl

Fileprotection

Processprotection

ACLcontrols


30/38

HostIntrusionToolsThiscoursecoversthefollowingintrusiondetectionsystems: Samhain - Fileintegrityandintrusionmonitoring

Providesfileintegritymonitoring,kernelmoduleprotection,

centralizedmonitoring,andotherfeatures. AIDE- AdvancedIntrusionDetectionEnvironment

Providesveryadvancedfileintegritymonitoring.

Wealsogooverthefollowinglogmonitors:

Swatch Areal-timelogmonitoringsystem,allowingyoutochoose

specificlogdatayouwishtosee.

logwatch

Acustomizableloganalysissystem,whichparsessystemlogsandreportsanyinformationyouspecify.

Othertools:

TARA;Tiger;COPS;CIS


31/38

Bastille Verypowerfulautomatedsystemhardeningtool.

Freelyavailable.

Supports: RedHatLinux

LinuxMandrake

Debian GNU/Linux

WalksyouthroughtheprocessofsecuringyoursystemwitheitheranXWindowGUIorconsoletextmodeinterface.

Handlesmostcommonsystemhardeningtasks

automatically,requiringyoutosimplyanswerquestions.


32/38

SystemBaselining (1of2) Baselining involvestakingasnapshotofyour

system'ssettingsinaconfigurationknowntobe

validandwatchingthedeviationfromthesesettingsovertime.

Watchinghowthesettingschangeovertimecanalertyoutopotentialproblems.

Alsousefulformakingsureotheradministratorsaren'treconfiguringserverswithoutgoingthroughtheproperchannels.


33/38

SystemBaselining (1of2) Thereareseveralwaystomanuallycapturedata

aboutaproperlyconfiguredsystem,including:

rpm-qa - Gathersinformationaboutinstalledpackages

rpm-Va - VerifiespackagesandtheirMD5sums,filemodificationtimes,andotherfileproperties

The/procfilesystemcontainslotsofusefulinformationabout

hardware,amongotherthings.

Automatedsolutions,suchasTripwire,AIDE,

FTimes,orFCheck,canmakethistaskmucheasier.


34/38

ConfigurationCapturing

Makingasnapshotofamachine'sconfigurationsothatitcanbecomparedtofutureconfigurationstoseethedifferences.

Dependingonthetoolsused,mayoutputtoplaintextfilesoraproprietary binaryformat.

Don'tstorethesnapshotsonthesystemyou'recapturing,asacraftyinfiltratorcaneasilymodify

ordeletethesefiles. Establishapolicyregardinghowsnapshotswillbe

taken,whentheywillbetaken,wheretheywillbestored,andhowtheywillbestored.

Startwithsystemsthatyouknowareclean;freshlyinstalledsystemsarebest.


35/38

Monitoring

Onceapolicyforsnapshotfrequencyhasbeendetermined,automatedsnapshotscanbetakenfairlyeasily.

Comparingthelatestsnapshottotheprevioussnapshotgivesyouanideaofwhatchanged.

Achainofsnapshotsgivesyouamovingpictureofthesystem'sstate.

Anythingthatisnotexpected,suchassomethingthathasneverchangedbeforesuddenlychanging,orviceversa,shouldbeimmediatelyinvestigated.

Dependingonthetoolortoolsyouuse,theremaybealotof"falsepositives"thatcanbeoverlooked.


36/38

Baselining Strategies

Bewareofautomatedfilters.

Knowyoursystems.

Knowyourcapturingmethods. Communicateallintentionalchangestoall

administratorsbeforetouchinganything.Dependingonyourorganization'spolicy,youmayneedtowaitforsomeoralloftheirapprovalfirst.

Anorganizeddirectorystructureand/orfilenamingconventionforallofyourcaptureddatacanmakelocatingandidentifyingtimeswhenspecificchangesoccurredmucheasier.

Everystepofcapturingdatashouldbewell-documentedsothatnewadministratorswillbeabletohavedatafromtheirsystemsmatchtherestoftheorganization'sdata.


37/38

Checkpoint

1.Whyisitimportanttohaveagoodsecurityplaninmindbeforestartingwithasystem?

2.Trueorfalse:Thepurposebehindpartitioningaserverforitspurposeissothatitwillbemorescalableinthefuture.

3.Namethreepackagegroupsthatarenottypically

necessaryonaserver.4.Nametwosubsystemsoraspectsofasystem

whichmayrequirehardening.

5.Trueorfalse:Configurationcapturingonlyneedstobedoneonce,afteryoufirstinstallamachine.


38/38

UnitSummary

Securityissomethingthatmustbeconsideredfromthestart.

Severalstepscanbetakentoensureyoursystems

aremoresecureimmediatelyafterinstallation,includingproperpartitioning,appropriatepackagegroupselection,andrestrictivedefaultsettings.

Adefinedsystempurposemakesiteasierto

manageandsecureasystem. UseofasystemhardeningtoolsuchasBastilleisa

requiredstepfollowinganyinstallation.

Keepyoursystemsupdated.

Baselining andconfigurationcapturingutilitiescanmakeitmucheasiertospotaholeorbreachbeforeseriousdamageoccurs.

03 Installing Linux

Documents

Transcript of 03 Installing Linux