Securing Alpine Linux: Difference between revisions

From Alpine Linux
m (Add headers to make navigation more friendly; minor (page source) formatting changes)
(fixed heading style and removed step numbers)
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
Securing Alpine Linux using Security Technical Implementation Guides (STIGs) involves several steps. STIGs are a series of security requirements and configurations that help to secure systems. While there might not be a specific STIG for Alpine Linux, you can follow general Linux hardening guidelines and apply the principles from other Linux STIGs. Here’s a step-by-step process:
Securing Alpine Linux using Security Technical Implementation Guides (STIGs) involves several steps. STIGs are a series of security requirements and configurations that help to secure systems. While there might not be a specific STIG for Alpine Linux, you can follow general Linux hardening guidelines and apply the principles from other Linux STIGs. Here’s a step-by-step process:


= Step 1: Update and Upgrade System =
== Update and upgrade system ==


1. Update package lists:
1. Update package lists: {{cmd|doas apk update}}


  {{cmd|doas apk update}}
2. Upgrade installed packages: {{cmd|doas apk upgrade}}


== Install necessary security tools ==


2. Upgrade installed packages:
1. Install the {{pkg|audit|arch=}} package: {{cmd|doas apk add audit}}


  {{cmd|doas apk upgrade}}
2. Install other necessary security packages: {{cmd|doas apk add doas logrotate bash-completion openssh-server}}


= Step 2: Install Necessary Security Tools =
== User and access management ==
 
1. Install the {{pkg|audit|arch=}} package:
 
  {{cmd|doas apk add audit}}
 
 
2. Install other necessary security packages:
 
  {{cmd|doas apk add doas logrotate bash-completion openssh-server}}
 
= Step 3: User and Access Management =
 
1. Disable root login over SSH:
 
Edit {{path|/etc/ssh/sshd_config}}:
 
  {{cmd|doas vi /etc/ssh/sshd_config}}
 
Set the following parameter:
 
      PermitRootLogin no


1. Disable root login over SSH:
Edit {{path|/etc/ssh/sshd_config}} and Set the following parameter as follows {{Cat|/etc/ssh/sshd_config|...
PermitRootLogin no}}


2. Ensure password complexity:
2. Ensure password complexity:
Edit {{path|/etc/security/pwquality.conf}} and add or update the following lines:{{Cat|/etc/security/pwquality.conf|<nowiki>...
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1</nowiki>}}


Edit {{path|/etc/security/pwquality.conf}}:
3. Lock unused system accounts by running the following script:
 
  {{cmd|doas vi /etc/security/pwquality.conf}}
 
Add or update the following lines:
 
  minlen = 14
  dcredit = -1
  ucredit = -1
  ocredit = -1
  lcredit = -1
 
 
3. Lock unused system accounts:
 
   for user in `awk -F: '($3 < 1000) {print $1}' /etc/passwd`; do
   for user in `awk -F: '($3 < 1000) {print $1}' /etc/passwd`; do
       if [ $user !{{=}} "root" ]; then
       if [ $user !{{=}} "root" ]; then
Line 60: Line 35:
   done
   done


= Step 4: File System and Directory Permissions =
== File system and directory permissions ==
 
1. Set appropriate permissions on important directories:
 
  doas chmod 700 /root
  doas chmod 600 /boot/grub/grub.cfg
  doas chmod 600 /etc/ssh/sshd_config


1. Set appropriate permissions on important directories: {{Cmd|doas chmod 700 /root
doas chmod 600 /boot/grub/grub.cfg
doas chmod 600 /etc/ssh/sshd_config}}


2. Configure mount options:
2. Configure mount options:


Edit {{path|/etc/fstab}}:
Edit {{path|/etc/fstab}} and Add `nosuid`, `nodev`, and `noexec` options to non-root partitions as follows:{{Cat|/etc/fstab|...
/dev/sda1 /home ext4 defaults,nosuid,nodev,noexec 0 2
...}}


  {{cmd|doas vi /etc/fstab}}
== Network security ==


Add `nosuid`, `nodev`, and `noexec` options to non-root partitions:
1. Disable unnecessary services: {{cmd|doas rc-update del <service_name>
doas rc-service <service_name> stop}}


  /dev/sda1 /home ext4 defaults,nosuid,nodev,noexec 0 2
2. Configure {{Pkg|iptables}} firewall by installing and enabling it as follows:{{cmd|doas apk add iptables
doas rc-service iptables start
doas rc-update add iptables}}


= Step 5: Network Security =
Create a basic firewall ruleset by adding Example rules to {{Path|/etc/iptables/rules.v4}} as follows:{{Cat|/etc/iptables/rules.v4|*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT }}


1. Disable unnecessary services:
== Logging and auditing ==


  {{cmd|doas rc-update del <service_name>
1. Configure system logging by editing {{path|/etc/rsyslog.conf}} to ensure all log files are being captured. An example configuration is shown below:{{Cat|/etc/rsyslog.conf|*.info;mail.none;authpriv.none;cron.none /var/log/messages
  doas rc-service <service_name> stop}}
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron}}


2. Set up audit rules by editing the {{path|/etc/audit/rules.d/audit.rules}} files and adding example rules as follows:{{Cat|/etc/audit/rules.d/audit.rules|-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/group -p wa -k group_changes}}


2. Configure firewall (iptables):
== Apply kernel and service hardening ==


  {{cmd|doas apk add iptables
1. Disable unused filesystems by editing {{path|/etc/modprobe.d/disable-filesystems.conf}} and add the following lines: {{Cat|/etc/modprobe.d/disable-filesystems.conf|install cramfs /bin/true
  doas rc-service iptables start
install freevxfs /bin/true
  doas rc-update add iptables}}
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install vfat /bin/true}}


2. Configure kernel parameters by editing the {{path|/etc/sysctl.conf}} and adding or updating the following parameters:{{Cat|/etc/sysctl.conf|<nowiki>net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0</nowiki>}}


Create a basic firewall ruleset:
== Regular maintenance ==


  {{cmd|doas vi /etc/iptables/rules.v4}}
1. Set up regular updates by creating a cron job by editing {{Path|crontab}} using the command {{ic|crontab -e}} such that  updates are applied daily at 2 AM. The output of {{ic|crontab -l}} appears as follows:{{Cat|/var/spool/cron/crontabs/root|...
0 2 * * * apk update && apk upgrade }}
2. Review and monitor logs regularly and ensure that logs are rotated and reviewed frequently: {{cmd|doas logrotate /etc/logrotate.conf}}


Example rules:
== Conclusion ==


  *filter
This process provides a foundation for securing an Alpine Linux system. Regular reviews and updates, along with compliance with the latest security guidelines, are essential to maintaining a secure environment.
  :INPUT DROP [0:0]
  :FORWARD DROP [0:0]
  :OUTPUT ACCEPT [0:0]
  -A INPUT -i lo -j ACCEPT
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p tcp --dport 22 -j ACCEPT
  COMMIT
 
= Step 6: Logging and Auditing =
 
1. Configure system logging:
 
Edit {{path|/etc/rsyslog.conf}} to ensure all log files are being captured:
 
  {{cmd|doas vi /etc/rsyslog.conf}}


Example configuration:
[[Category:Security]]
 
  *.info;mail.none;authpriv.none;cron.none /var/log/messages
  authpriv.* /var/log/secure
  mail.* -/var/log/maillog
  cron.* /var/log/cron
 
 
2. Set up audit rules:
 
Edit {{path|/etc/audit/rules.d/audit.rules}}:
 
  {{cmd|doas vi /etc/audit/rules.d/audit.rules}}
 
Example rules:
 
  -w /etc/passwd -p wa -k passwd_changes
  -w /etc/shadow -p wa -k shadow_changes
  -w /etc/group -p wa -k group_changes
 
= Step 7: Apply Kernel and Service Hardening =
 
1. Disable unused filesystems:
 
Edit {{path|/etc/modprobe.d/disable-filesystems.conf}}:
 
  {{cmd|doas vi /etc/modprobe.d/disable-filesystems.conf}}
 
Add the following lines:
 
  install cramfs /bin/true
  install freevxfs /bin/true
  install jffs2 /bin/true
  install hfs /bin/true
  install hfsplus /bin/true
  install squashfs /bin/true
  install udf /bin/true
  install vfat /bin/true
 
 
2. Configure kernel parameters:
 
Edit {{path|/etc/sysctl.conf}}:
 
  {{cmd|doas vi /etc/sysctl.conf}}
 
Add or update the following parameters:
 
  net.ipv4.ip_forward = 0
  net.ipv4.conf.all.accept_source_route = 0
  net.ipv4.conf.all.accept_redirects = 0
  net.ipv4.conf.all.secure_redirects = 0
  net.ipv4.conf.all.log_martians = 1
  net.ipv4.conf.default.log_martians = 1
  net.ipv4.icmp_echo_ignore_broadcasts = 1
  net.ipv4.icmp_ignore_bogus_error_responses = 1
  net.ipv4.tcp_syncookies = 1
  net.ipv4.conf.all.send_redirects = 0
  net.ipv4.conf.default.send_redirects = 0
 
= Step 8: Regular Maintenance =
 
1. Set up regular updates:
 
Create a cron job for regular updates:
 
  {{cmd|doas crontab -e}}
 
Add the following line to update daily at 2 AM:
 
  0 2 * * * apk update && apk upgrade
 
2. Review and monitor logs regularly:
 
Ensure logs are rotated and reviewed frequently:
 
  {{cmd|doas logrotate /etc/logrotate.conf}}
 
= Conclusion =
 
This process provides a foundation for securing an Alpine Linux system. Regular reviews and updates, along with compliance with the latest security guidelines, are essential to maintaining a secure environment.

Latest revision as of 06:02, 11 May 2025

Securing Alpine Linux using Security Technical Implementation Guides (STIGs) involves several steps. STIGs are a series of security requirements and configurations that help to secure systems. While there might not be a specific STIG for Alpine Linux, you can follow general Linux hardening guidelines and apply the principles from other Linux STIGs. Here’s a step-by-step process:

Update and upgrade system

1. Update package lists:

doas apk update

2. Upgrade installed packages:

doas apk upgrade

Install necessary security tools

1. Install the audit package:

doas apk add audit

2. Install other necessary security packages:

doas apk add doas logrotate bash-completion openssh-server

User and access management

1. Disable root login over SSH:

Edit /etc/ssh/sshd_config and Set the following parameter as follows

Contents of /etc/ssh/sshd_config

... PermitRootLogin no

2. Ensure password complexity:

Edit /etc/security/pwquality.conf and add or update the following lines:

Contents of /etc/security/pwquality.conf

... minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1

3. Lock unused system accounts by running the following script: 

  for user in `awk -F: '($3 < 1000) {print $1}' /etc/passwd`; do
      if [ $user != "root" ]; then
          doas passwd -l $user
          doas chage -E 0 $user
      fi
  done

File system and directory permissions

1. Set appropriate permissions on important directories:

doas chmod 700 /root doas chmod 600 /boot/grub/grub.cfg doas chmod 600 /etc/ssh/sshd_config

2. Configure mount options:

Edit /etc/fstab and Add `nosuid`, `nodev`, and `noexec` options to non-root partitions as follows:

Contents of /etc/fstab

... /dev/sda1 /home ext4 defaults,nosuid,nodev,noexec 0 2 ...

Network security

1. Disable unnecessary services:

doas rc-update del <service_name> doas rc-service <service_name> stop

2. Configure iptables firewall by installing and enabling it as follows:

doas apk add iptables doas rc-service iptables start doas rc-update add iptables

Create a basic firewall ruleset by adding Example rules to /etc/iptables/rules.v4 as follows:

Contents of /etc/iptables/rules.v4

*filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp --dport 22 -j ACCEPT COMMIT

Logging and auditing

1. Configure system logging by editing /etc/rsyslog.conf to ensure all log files are being captured. An example configuration is shown below:

Contents of /etc/rsyslog.conf

*.info;mail.none;authpriv.none;cron.none /var/log/messages authpriv.* /var/log/secure mail.* -/var/log/maillog cron.* /var/log/cron

2. Set up audit rules by editing the /etc/audit/rules.d/audit.rules files and adding example rules as follows:

Contents of /etc/audit/rules.d/audit.rules

-w /etc/passwd -p wa -k passwd_changes -w /etc/shadow -p wa -k shadow_changes -w /etc/group -p wa -k group_changes

Apply kernel and service hardening

1. Disable unused filesystems by editing /etc/modprobe.d/disable-filesystems.conf and add the following lines:

Contents of /etc/modprobe.d/disable-filesystems.conf

install cramfs /bin/true install freevxfs /bin/true install jffs2 /bin/true install hfs /bin/true install hfsplus /bin/true install squashfs /bin/true install udf /bin/true install vfat /bin/true

2. Configure kernel parameters by editing the /etc/sysctl.conf and adding or updating the following parameters:

Contents of /etc/sysctl.conf

net.ipv4.ip_forward = 0 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.tcp_syncookies = 1 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0

Regular maintenance

1. Set up regular updates by creating a cron job by editing crontab using the command crontab -e such that updates are applied daily at 2 AM. The output of crontab -l appears as follows:

Contents of /var/spool/cron/crontabs/root

... 0 2 * * * apk update && apk upgrade

2. Review and monitor logs regularly and ensure that logs are rotated and reviewed frequently:

doas logrotate /etc/logrotate.conf

Conclusion

This process provides a foundation for securing an Alpine Linux system. Regular reviews and updates, along with compliance with the latest security guidelines, are essential to maintaining a secure environment.

Retrieved from "https://wiki.alpinelinux.org/w/index.php?title=Securing_Alpine_Linux&oldid=29849"