SANS – SEC401 Security Essentials Day – 6

Security 401.6 – Linux Security

On the last day of the bootcamp we get the privilege to go through Linux Security. Day 6 also happens to be a shorter day as some students choose to leave early that day to catch their flight back home.

Placing Linux on the last day was a deliberate choice: the course designers consider this material relatively lighter than the rest.

Linux is not difficult – Just different

Unix has been around forever and has a longer history than Windows. Back when it was invented, the security landscape was a lot less hostile. Unlike Windows, which has the lion's share of the market, far fewer people use Unix variants as their primary desktop. Nowadays Unix/Linux variants are becoming more popular; Mac OS X and Ubuntu are examples of systems that are based around the System V architecture. More and more malware is beginning to appear targeting these OSes.

Heartbleed, Shellshock, and Poodle

Especially in 2014, Shellshock (an OpenSSH flaw), Heartbleed and Poodle (which targets SSL) were some of the high-profile security vulnerabilities beginning to be uncovered as Unix/Linux systems become more popular.

One of the key Linux defences is to secure the file system. Linux uses a very simple listing of mode bits to set file permissions.

SUID, SGID, Sticky

The only part which troubles most people is the SUID, SGID and sticky permission flags. The SUID flag means “Set User ID”: it causes a program to run as the owner of the executable, regardless of the user that executed it. This flag is used on the “passwd” command, as it requires root privilege to change the /etc/shadow file. SGID is the same but for groups. As you can see, this can become a major security hole if there are programs hidden in the OS with root ownership and with the sticky flag set: a perpetrator can maliciously run code as root!

The sticky flag was originally designed back in the day to keep a program resident in memory. It now has a different use: when applied to a directory, only the owner of a file may delete that file. The SGID bit also means something else when applied to a directory: a file created in that directory inherits the directory's group owner.
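To make the three special bits concrete, here is an added shell example (my own, not from the SANS course or the blog post). It sets SGID and sticky on a scratch directory, reads the bits back from the `ls -ld` mode string, and finishes with the `find` audit a sysadmin would run to list SUID/SGID files on a host. The function names and the scratch directory are assumptions of this example; the `-perm -4000` / `-perm -2000` tests are standard GNU/POSIX `find` syntax.

```bash
#!/bin/sh
# Added example: special permission bits (SUID, SGID, sticky) on Linux.
# Not part of the original post; function names are this example's own.
set -eu

# Report which special bits are set on a path by reading the ls mode string.
# Columns 4, 7 and 10 of "-rwsr-sr-t" hold the SUID, SGID and sticky markers.
# Upper-case S/T means the bit is set without the matching execute bit.
special_bits() {
    mode=$(ls -ld "$1" | cut -c1-10)
    out=""
    case $(printf '%s' "$mode" | cut -c4)  in s|S) out="suid" ;; esac
    case $(printf '%s' "$mode" | cut -c7)  in s|S) out="${out:+$out }sgid" ;; esac
    case $(printf '%s' "$mode" | cut -c10) in t|T) out="${out:+$out }sticky" ;; esac
    printf '%s\n' "$out"
}

# Build a shared directory the way /tmp is built: world-writable, sticky
# (only a file's owner may delete it) and SGID (new files inherit the group).
# Mode 3777 = SGID (2000) + sticky (1000) + rwxrwxrwx (777).
make_shared_dir() {
    mkdir -p "$1"
    chmod 3777 "$1"
    special_bits "$1"            # expected: "sgid sticky"
}

# Audit: list regular files under a root that carry SUID or SGID.
# -xdev stays on one filesystem so network mounts are not walked.
find_special() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Stand-alone demonstration on a constructed scratch directory.
demo() {
    d=$(mktemp -d)
    printf 'shared dir bits: %s\n' "$(make_shared_dir "$d")"
    : > "$d/suid_demo"
    chmod 4755 "$d/suid_demo"    # SUID + rwxr-xr-x, owned by the caller
    printf 'file bits: %s\n' "$(special_bits "$d/suid_demo")"
    printf 'audit found: %s\n' "$(find_special "$d")"
    rm -rf "$d"
}
```

Run `demo` to see the three functions together; in practice `find_special /` is the part worth scheduling, with its output diffed against a known-good baseline so that a newly appeared root-owned SUID binary stands out.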

Next the class covers the Linux system boot process and how services are organized to run based on the different runlevels and sequence.

MBR > Linux kernel loader > init > system startup scripts (sysinit)

NFS, Unix printing and web servers are some of the key services which require some attention, as they have historically contained a lot of security flaws.

Unpatched systems are the major reason why systems get compromised

Patching is another key area that any sysadmin must not overlook. Nowadays it's a lot easier to patch, as major distributions have since incorporated patch management systems that automate the resolution of dependencies, making patching or installing software from repositories a lot like Windows.

Lastly, the class touches briefly on Linux's venerable firewall, iptables; SELinux, a form of Mandatory Access Control (MAC); AppArmor; and some of the common sniffers like Snort, tcpdump and Wireshark, which were covered in the earlier days of the course.

NO LAB – But get started on studying for the exam!

The amount of material covered in this course is no joke. It is an inch deep but a mile wide. Since you get only 4 months before your exam voucher expires, it's advisable that you start indexing early while your mind is still fresh!

About the Author

Alfred Tong
Author and owner of this blog. A Networking enthusiast, full time networking and systems Engineer. Generally curious about all things IT. Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA - FWV