Securing Alpine Linux

2025-11-24T18:44:00Z

Dilettant: added shadow to the required packages as the lock script uses *chage* which is in the shadow package and not installed in alpine by default

Securing Alpine Linux using Security Technical Implementation Guides (STIGs) involves several steps. STIGs are a series of security requirements and configurations that help to secure systems. While there might not be a specific STIG for Alpine Linux, you can follow general Linux hardening guidelines and apply the principles from other Linux STIGs. Here’s a step-by-step process:

== Update and upgrade system ==

1. Update package lists: {{cmd|doas apk update}}

2. Upgrade installed packages: {{cmd|doas apk upgrade}}

== Install necessary security tools ==

1. Install the {{pkg|audit|arch=}} package: {{cmd|doas apk add audit}}

2. Install other necessary security packages: {{cmd|doas apk add doas shadow logrotate bash-completion openssh-server}}

== User and access management ==

1. Disable root login over SSH:
Edit {{path|/etc/ssh/sshd_config}} and Set the following parameter as follows {{Cat|/etc/ssh/sshd_config|...
PermitRootLogin no}}

2. Ensure password complexity:
Edit {{path|/etc/security/pwquality.conf}} and add or update the following lines:{{Cat|/etc/security/pwquality.conf|<nowiki>...
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1</nowiki>}}

3. Lock unused system accounts by running the following script:
for user in `awk -F: '($3 < 1000) {print $1}' /etc/passwd`; do
if [ $user !{{=}} "root" ]; then
doas passwd -l $user
doas chage -E 0 $user
fi
done

== File system and directory permissions ==

1. Set appropriate permissions on important directories: {{Cmd|doas chmod 700 /root
doas chmod 600 /boot/grub/grub.cfg
doas chmod 600 /etc/ssh/sshd_config}}

2. Configure mount options:

Edit {{path|/etc/fstab}} and Add `nosuid`, `nodev`, and `noexec` options to non-root partitions as follows:{{Cat|/etc/fstab|...
/dev/sda1 /home ext4 defaults,nosuid,nodev,noexec 0 2
...}}

== Network security ==

1. Disable unnecessary services: {{cmd|doas rc-update del <service_name>
doas rc-service <service_name> stop}}

2. Configure {{Pkg|iptables}} firewall by installing and enabling it as follows:{{cmd|doas apk add iptables
doas rc-service iptables start
doas rc-update add iptables}}

Create a basic firewall ruleset by adding Example rules to {{Path|/etc/iptables/rules.v4}} as follows:{{Cat|/etc/iptables/rules.v4|*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT }}

== Logging and auditing ==

1. Configure system logging by editing {{path|/etc/rsyslog.conf}} to ensure all log files are being captured. An example configuration is shown below:{{Cat|/etc/rsyslog.conf|*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron}}

2. Set up audit rules by editing the {{path|/etc/audit/rules.d/audit.rules}} files and adding example rules as follows:{{Cat|/etc/audit/rules.d/audit.rules|-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/group -p wa -k group_changes}}

== Apply kernel and service hardening ==

1. Disable unused filesystems by editing {{path|/etc/modprobe.d/disable-filesystems.conf}} and add the following lines: {{Cat|/etc/modprobe.d/disable-filesystems.conf|install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install vfat /bin/true}}

2. Configure kernel parameters by editing the {{path|/etc/sysctl.conf}} and adding or updating the following parameters:{{Cat|/etc/sysctl.conf|<nowiki>net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0</nowiki>}}

== Regular maintenance ==

1. Set up regular updates by creating a cron job by editing {{Path|crontab}} using the command {{ic|crontab -e}} such that updates are applied daily at 2 AM. The output of {{ic|crontab -l}} appears as follows:{{Cat|/var/spool/cron/crontabs/root|...
0 2 * * * apk update && apk upgrade }}
2. Review and monitor logs regularly and ensure that logs are rotated and reviewed frequently: {{cmd|doas logrotate /etc/logrotate.conf}}

== Conclusion ==

This process provides a foundation for securing an Alpine Linux system. Regular reviews and updates, along with compliance with the latest security guidelines, are essential to maintaining a secure environment.

[[Category:Security]]

Alpine Linux - User contributions [en]

Securing Alpine Linux