Securing Alpine Linux
Latest revision as of 06:02, 11 May 2025
Securing Alpine Linux using Security Technical Implementation Guides (STIGs) involves several steps. STIGs are a series of security requirements and configurations that help to secure systems. DISA publishes no STIG for Alpine Linux, so this page applies the principles of the general-purpose Linux STIGs (such as those for RHEL and Ubuntu) to Alpine's BusyBox and OpenRC based userland; where Alpine differs from those distributions (file paths, default services, the absence of PAM) the difference is noted at the step concerned. The commands below use doas; on a system where doas is not set up yet, run them as root instead. Here is a step-by-step process:
Update and upgrade system
1. Update package lists:
doas apk update
2. Upgrade installed packages:
doas apk upgrade
Install necessary security tools
1. Install the audit package:
doas apk add audit
2. Install the other packages used on this page. shadow provides chage, which BusyBox does not ship; bash-completion is a convenience rather than a security tool. If doas itself is not installed yet, run this one command as root (su -):
doas apk add doas shadow logrotate bash-completion openssh-server
User and access management
1. Disable root login over SSH:
Edit /etc/ssh/sshd_config and set the following parameter. sshd uses the first uncommented occurrence of a keyword, so make sure no earlier PermitRootLogin line (or one in a file pulled in by an Include directive) overrides it:
Contents of /etc/ssh/sshd_config
...
PermitRootLogin no
Check the syntax, confirm the effective value, and restart the daemon, keeping your current session open until a fresh login succeeds:
doas sshd -t
doas sshd -T | grep -i permitrootlogin
doas rc-service sshd restart
2. Ensure password complexity:
Edit /etc/security/pwquality.conf and add or update the following lines:
Contents of /etc/security/pwquality.conf
...
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
This file is read only by pam_pwquality. Alpine's default BusyBox passwd does not use PAM, so these settings have no effect unless linux-pam and libpwquality are installed and pam_pwquality is enabled in the password stack; verify by attempting to set a short password for a test user.
3. Lock unused system accounts by running the following script. UIDs below 1000 are system accounts on Alpine; root is skipped so you cannot lock yourself out. passwd -l blocks password logins and chage -E 0 (from the shadow package) expires the account so that other authentication methods are refused as well:
for user in $(awk -F: '($3 < 1000) {print $1}' /etc/passwd); do
    if [ "$user" != "root" ]; then
        doas passwd -l "$user"
        doas chage -E 0 "$user"
    fi
done
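Verifying that these two steps actually took effect is worth scripting, because sshd applies the first PermitRootLogin it sees rather than the last, and a locked account is only locked if its shadow entry says so. The following is an added example written for this page, not code from the Alpine wiki or the Alpine project; the function names sshd_effective, unlocked_system_accounts and check_all are this example's own, and it assumes only POSIX sh and awk (the BusyBox versions on Alpine suffice). File paths are parameters so it can be run against copies or fixtures as well as the live /etc files.

```sh
#!/bin/sh
# Added example, not part of the wiki page: verify the "User and access
# management" steps instead of assuming the edits took effect. Needs only
# POSIX sh and awk (BusyBox on Alpine is enough). File paths are parameters
# so the checks can be run against copies or test fixtures.

# sshd_effective KEYWORD FILE: print the value sshd will use for KEYWORD.
# sshd takes the FIRST uncommented occurrence of a keyword, so a
# "PermitRootLogin yes" higher in the file silently wins over a "no" added at
# the end. Lines after a Match block are conditional and are ignored here;
# files pulled in by an Include line are not followed. Prints "default" when
# the keyword is unset; for PermitRootLogin the compiled-in default is
# prohibit-password, which still lets root in with a key, so "default" fails.
sshd_effective() {
    awk -v key="$1" '
        /^[[:space:]]*#/ { next }                 # comment
        NF == 0 { next }                          # blank line
        tolower($1) == "match" { inmatch = 1 }    # everything below is conditional
        inmatch { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "default" }
    ' "$2"
}

# unlocked_system_accounts PASSWD SHADOW: print every UID < 1000 account other
# than root whose shadow password field is neither locked ("!" prefix, which
# is what passwd -l writes) nor disabled ("*"). An empty field counts as
# unlocked, since it may permit a passwordless login.
unlocked_system_accounts() {
    awk -F: '
        FNR == NR { if ($3 < 1000 && $1 != "root") sys[$1] = 1; next }
        ($1 in sys) && $2 !~ /^[!*]/ { print $1 }
    ' "$1" "$2"
}

# check_all SSHD_CONFIG PASSWD SHADOW: print one FAIL line per finding and
# return 1 if there was any, 0 if the host passes both checks.
check_all() {
    rc=0
    v=$(sshd_effective PermitRootLogin "$1")
    if [ "$v" != "no" ]; then
        printf 'FAIL PermitRootLogin is %s (want no)\n' "$v"; rc=1
    fi
    for u in $(unlocked_system_accounts "$2" "$3"); do
        printf 'FAIL system account %s is not locked\n' "$u"; rc=1
    done
    return $rc
}

# On the host, after sourcing this file as root:
#   check_all /etc/ssh/sshd_config /etc/passwd /etc/shadow
```

The awk parser is deliberately conservative: it stops at the first Match block and does not follow Include lines, so treat its answer as a quick pre-check and doas sshd -T as the authority on a live system.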
File system and directory permissions
1. Set appropriate permissions on important files and directories. Depending on how the system was installed, the bootloader is syslinux (configuration in /boot/extlinux.conf) or GRUB (/boot/grub/grub.cfg); apply the chmod to whichever file is present:
doas chmod 700 /root
doas chmod 600 /boot/grub/grub.cfg
doas chmod 600 /etc/ssh/sshd_config
2. Configure mount options:
Edit /etc/fstab and add nosuid, nodev and noexec to non-root partitions, for example:
Contents of /etc/fstab
...
/dev/sda1 /home ext4 defaults,nosuid,nodev,noexec 0 2
...
Apply the change without a reboot and confirm it took:
doas mount -o remount,nosuid,nodev,noexec /home
mount | grep ' /home '
nodev and nosuid are safe on practically every non-root filesystem. noexec on /home stops users from running anything they download or build there, which is the intent on a server but will break a developer workstation; decide per host rather than applying it blindly.
Network security
1. Disable unnecessary services. rc-status lists the services in each runlevel and netstat -tlnp shows which of them still hold listening sockets. Remove a service from its runlevel and stop it with:
doas rc-update del <service_name>
doas rc-service <service_name> stop
2. Configure the iptables firewall. Install the package, write the ruleset, load it, then enable the service so the rules are restored at boot. Alpine's iptables service reads its rules from /etc/iptables/rules-save (the IPTABLES_SAVE setting in /etc/conf.d/iptables), not from /etc/iptables/rules.v4, which is the Debian iptables-persistent path:
doas apk add iptables
Create a basic ruleset in /etc/iptables/rules-save, for example:
Contents of /etc/iptables/rules-save
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
Load it and enable the service. iptables-restore replaces the running rules atomically, so do this from a console, or at least with port 22 in the ruleset:
doas iptables-restore < /etc/iptables/rules-save
doas rc-update add iptables
doas rc-service iptables start
IPv6 is filtered separately by the ip6tables service and /etc/iptables/rules6-save; without an equivalent IPv6 ruleset the host is unfiltered over IPv6.
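The ruleset above is the minimum; on a host that exposes SSH it is usual to also drop packets that conntrack considers INVALID and to throttle new SSH connections per source so that a password-guessing client is cut off by the firewall rather than by sshd. The following is an added example written for this page, not code from the Alpine wiki or project. The function names gen_rules_save and install_rules_save are this example's own; it assumes POSIX sh, iptables with the conntrack and recent matches (both in Alpine's iptables package) and the Alpine default path /etc/iptables/rules-save.

```sh
#!/bin/sh
# Added example, not part of the wiki page: generate the ruleset for Alpine's
# iptables service from a list of allowed TCP ports, adding two things the
# page's minimal ruleset lacks: a drop for INVALID conntrack states and a
# throttle on new SSH connections (4 per source per 60 s) via the "recent"
# match. Assumes POSIX sh and iptables with the conntrack and recent modules.

# gen_rules_save [TCP_PORT ...]: print an iptables-restore ruleset on stdout.
# Port 22 is always allowed (throttled); other ports are plain ACCEPTs.
# Returns 1 without printing anything if a port is not an integer in 1..65535.
gen_rules_save() {
    for p in "$@"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# SSH: a source opening its 4th new connection within 60 s is dropped
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --set -j ACCEPT
EOF
    for p in "$@"; do
        [ "$p" -eq 22 ] && continue
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    echo COMMIT
}

# install_rules_save [TCP_PORT ...]: write /etc/iptables/rules-save, check
# that it parses (iptables-restore --test loads nothing), activate it and
# enable the OpenRC service. Run as root, from a console if possible.
install_rules_save() {
    f=/etc/iptables/rules-save
    gen_rules_save "$@" > "$f.new" || { rm -f "$f.new"; echo "bad port list" >&2; return 1; }
    iptables-restore --test < "$f.new" || { rm -f "$f.new"; return 1; }
    mv "$f.new" "$f"
    iptables-restore < "$f"
    rc-update add iptables
}

# Example: doas sh -c '. ./fw.sh; install_rules_save 22 443'
```

The generated file is what rc-service iptables start loads at boot, so after a manual change to the live rules run doas rc-service iptables save to write them back, or the next reboot will revert them. The same generator can be pointed at rules6-save for the ip6tables service once the icmp line is replaced with its ICMPv6 equivalent.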
Logging and auditing
1. Configure system logging. Alpine's default logger is the BusyBox syslogd (the syslog service), which writes everything to /var/log/messages and does not read rsyslog.conf. To get per-facility log files, install rsyslog, configure it, then swap the services:
doas apk add rsyslog
Edit /etc/rsyslog.conf so that every facility is captured; an example configuration is shown below:
Contents of /etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
doas rc-service syslog stop
doas rc-update del syslog boot
doas rc-update add rsyslog
doas rc-service rsyslog start
2. Set up audit rules by editing /etc/audit/rules.d/audit.rules and adding rules such as the following, then load them and enable auditd so they are applied at boot:
Contents of /etc/audit/rules.d/audit.rules
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/group -p wa -k group_changes
doas auditctl -R /etc/audit/rules.d/audit.rules
doas rc-update add auditd
doas rc-service auditd start
doas auditctl -l lists the rules the kernel currently holds, and doas ausearch -k shadow_changes shows every event a rule's key recorded.
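Once the rules are in place the question becomes who triggered them. Each matching syscall lands in /var/log/audit/audit.log as a SYSCALL record carrying the rule's key, the process's uid and, more usefully, the auid (login uid), which is set at login and survives doas and su. The following is an added example written for this page, not code from the Alpine wiki or project: a small awk-based triage that reduces the raw log to one line per keyed event. The function names audit_summary and sample_audit_log are this example's own, the four log lines in sample_audit_log are constructed for illustration, and only POSIX sh and awk are assumed.

```sh
#!/bin/sh
# Added example, not part of the wiki page: summarise what the audit rules
# recorded, as you would when triaging a host. Works on a copy of
# /var/log/audit/audit.log so it runs anywhere; needs POSIX sh and awk only.

# audit_summary LOGFILE: one line "key auid uid exe" per SYSCALL record that
# carries a rule key (records with key=(null) and PATH/CWD records are
# skipped). auid is the login uid and survives doas/su, so
# "shadow_changes 1000 0 /usr/bin/vi" means UID 1000 became root and edited
# the file; auid=4294967295 (-1 unsigned) means no login session, i.e. the
# change came from cron, boot or a daemon.
audit_summary() {
    awk '
        function field(name,   v) {
            # " name=value" or " name="value""; the value ends at a space or quote
            if (!match($0, " " name "=\"?[^ \"]*")) return "?"
            v = substr($0, RSTART, RLENGTH)
            sub(/^ [^=]*="?/, "", v)
            return v
        }
        $1 == "type=SYSCALL" && / key="[^"]+"/ {
            print field("key"), field("auid"), field("uid"), field("exe")
        }
    ' "$1"
}

# sample_audit_log: constructed records in auditd's raw format (not captured
# from a real host), for trying the parser without an auditd.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1715400000.101:301): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe1c2b0b40 a2=241 a3=1b6 items=2 ppid=1300 pid=1337 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="vi" exe="/usr/bin/vi" key="shadow_changes"
type=PATH msg=audit(1715400000.101:301): item=1 name="/etc/shadow" inode=131 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00
type=SYSCALL msg=audit(1715400000.202:302): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=1 pid=2048 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="apk" exe="/sbin/apk" key="passwd_changes"
type=SYSCALL msg=audit(1715400000.303:303): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1300 pid=1400 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/bin/cat" key=(null)
EOF
}

# Usage: audit_summary /var/log/audit/audit.log | sort | uniq -c
# Demo:  sample_audit_log > /tmp/a.log && audit_summary /tmp/a.log
```

Piping the output through sort | uniq -c gives a per-key, per-user count, which is usually enough to separate routine package upgrades (auid unset, exe /sbin/apk) from an interactive edit of /etc/shadow by a human.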
Apply kernel and service hardening
1. Disable unused filesystems by editing /etc/modprobe.d/disable-filesystems.conf and adding the following lines. Remove the entry for any filesystem this host actually uses: squashfs is required by Alpine's diskless and data modes (the modloop kernel-module image is a squashfs), and vfat is required to mount the EFI system partition on UEFI installs. An install line only blocks future loads; a module that is already loaded (see lsmod) stays until reboot.
Contents of /etc/modprobe.d/disable-filesystems.conf
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install vfat /bin/true
2. Configure kernel parameters by editing /etc/sysctl.conf (or a file under /etc/sysctl.d/) and adding or updating the following parameters. Apply them immediately with doas sysctl -p /etc/sysctl.conf; the sysctl service in the boot runlevel reapplies them at startup. Two caveats: these keys cover IPv4 only, so set the net.ipv6.conf.all and net.ipv6.conf.default counterparts of accept_redirects and accept_source_route to 0 as well, and keep net.ipv4.ip_forward at 1 on hosts that route or run containers, since 0 breaks them:
Contents of /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
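Both files in this section describe intent; whether the running kernel matches is a separate question (a later sysctl.d file, a container runtime, or a module loaded before the blacklist was written can all undo them). The following is an added example written for this page, not code from the Alpine wiki or project: a drift check that reads each key in a sysctl file back from /proc/sys and tests whether a module name is covered by an install line. The function names sysctl_drift, module_disabled and modules_not_disabled are this example's own; it assumes POSIX sh, sed, grep and tr, and takes the proc root and modprobe directory as parameters so it can run against fixtures as well as the live system.

```sh
#!/bin/sh
# Added example, not part of the wiki page: detect drift between the kernel
# hardening files above and what the running kernel actually has. Assumes
# POSIX sh, sed, grep and tr (BusyBox is enough). The proc root and the
# modprobe.d directory are parameters so the checks can run against
# fixtures; /proc and /etc/modprobe.d are the defaults.

# sysctl_drift CONF [PROCROOT]: for every "key = value" in CONF, compare with
# PROCROOT/sys/<key with dots turned into slashes>. Prints "key wanted actual"
# for each mismatch ("MISSING" when the kernel has no such key, e.g. an IPv6
# key on a host with IPv6 disabled) and returns 1 if anything drifted, 0 when
# the live kernel matches the file. Keys that embed "/" (interface names with
# dots) are not handled.
sysctl_drift() {
    conf=$1; root=${2:-/proc}
    drift=$(
        sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' \
            -e 's/[[:space:]]*=[[:space:]]*/ /' "$conf" |
        while read -r key want; do
            path="$root/sys/$(printf '%s' "$key" | tr . /)"
            if [ ! -r "$path" ]; then
                printf '%s %s MISSING\n' "$key" "$want"
            else
                have=$(tr -s '\t' ' ' < "$path")   # multi-value keys are tab separated
                [ "$have" = "$want" ] || printf '%s %s %s\n' "$key" "$want" "$have"
            fi
        done
    )
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# module_disabled NAME [MODPROBE_D]: 0 if some *.conf in the directory has an
# "install NAME /bin/true" (or /bin/false) line, which is what the
# disable-filesystems.conf above relies on. This only blocks future loads; a
# module already in /proc/modules stays until reboot.
module_disabled() {
    grep -qsE "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(true|false)([[:space:]]|\$)" \
        "${2:-/etc/modprobe.d}"/*.conf
}

# modules_not_disabled MODPROBE_D NAME...: print the names that lack an
# install line, one per line.
modules_not_disabled() {
    dir=$1; shift
    for m in "$@"; do module_disabled "$m" "$dir" || echo "$m"; done
}

# Usage on the host:
#   sysctl_drift /etc/sysctl.conf || echo "sysctl drift found"
#   modules_not_disabled /etc/modprobe.d cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat
```

Running sysctl_drift from cron and alerting on a non-zero exit turns the sysctl file into a baseline rather than a one-off edit, which is closer to what the STIG checks themselves do.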
Regular maintenance
1. Set up regular updates with a root cron job. Make sure the BusyBox crond is enabled (doas rc-update add crond and doas rc-service crond start), then edit the root crontab using the command crontab -e
so that updates are applied daily at 2 AM. The output of crontab -l
then appears as follows:
Contents of /var/spool/cron/crontabs/root
...
0 2 * * * apk update && apk upgrade
Unattended upgrades are a trade-off: they close vulnerability windows without a person in the loop, but a kernel or openssh upgrade only takes effect after a reboot or service restart, and a broken upgrade shows up as an outage. At minimum log the job's output (append >> /var/log/apk-upgrade.log 2>&1 to the command line) and read it; on systems where changes must be reviewed, run apk upgrade --simulate from cron and apply by hand.
2. Review and monitor logs regularly and ensure that they are rotated. The logrotate package installs a daily job under /etc/periodic/daily/ that crond runs, so the manual invocation is only needed to test a new configuration; add -d for a dry run that reports what would happen without changing anything:
doas logrotate -d /etc/logrotate.conf
doas logrotate /etc/logrotate.conf
Conclusion
This process provides a foundation for securing an Alpine Linux system. Regular reviews and updates, along with compliance with the latest security guidelines, are essential to maintaining a secure environment.