Securing Alpine Linux: Difference between revisions

Latest revision as of 10:17, 10 October 2024

Securing Alpine Linux using Security Technical Implementation Guides (STIGs) involves several steps. STIGs are a series of security requirements and configurations that help to secure systems. While there might not be a specific STIG for Alpine Linux, you can follow general Linux hardening guidelines and apply the principles from other Linux STIGs. Here’s a step-by-step process:

Step 1: Update and Upgrade System

1. Update package lists:

doas apk update

2. Upgrade installed packages:

doas apk upgrade

Step 2: Install Necessary Security Tools

1. Install the audit package:

doas apk add audit

2. Install other necessary security packages:

doas apk add doas logrotate bash-completion openssh-server

Step 3: User and Access Management

1. Disable root login over SSH:

Edit /etc/ssh/sshd_config:

doas vi /etc/ssh/sshd_config

Set the following parameter:

      PermitRootLogin no

2. Ensure password complexity:

Edit /etc/security/pwquality.conf:

doas vi /etc/security/pwquality.conf

Add or update the following lines:

  minlen = 14
  dcredit = -1
  ucredit = -1
  ocredit = -1
  lcredit = -1

3. Lock unused system accounts:

  for user in `awk -F: '($3 < 1000) {print $1}' /etc/passwd`; do
      if [ $user != "root" ]; then
          doas passwd -l $user
          doas chage -E 0 $user
      fi
  done

Step 4: File System and Directory Permissions

1. Set appropriate permissions on important directories:

  doas chmod 700 /root
  doas chmod 600 /boot/grub/grub.cfg
  doas chmod 600 /etc/ssh/sshd_config

2. Configure mount options:

Edit /etc/fstab:

doas vi /etc/fstab

Add `nosuid`, `nodev`, and `noexec` options to non-root partitions:

  /dev/sda1 /home ext4 defaults,nosuid,nodev,noexec 0 2

Step 5: Network Security

1. Disable unnecessary services:

doas rc-update del <service_name> doas rc-service <service_name> stop

2. Configure firewall (iptables):

doas apk add iptables doas rc-service iptables start doas rc-update add iptables

Create a basic firewall ruleset:

doas vi /etc/iptables/rules.v4

Example rules:

  *filter
  :INPUT DROP [0:0]
  :FORWARD DROP [0:0]
  :OUTPUT ACCEPT [0:0]
  -A INPUT -i lo -j ACCEPT
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p tcp --dport 22 -j ACCEPT
  COMMIT

Step 6: Logging and Auditing

1. Configure system logging:

Edit /etc/rsyslog.conf to ensure all log files are being captured:

doas vi /etc/rsyslog.conf

Example configuration:

  *.info;mail.none;authpriv.none;cron.none /var/log/messages
  authpriv.* /var/log/secure
  mail.* -/var/log/maillog
  cron.* /var/log/cron

2. Set up audit rules:

Edit /etc/audit/rules.d/audit.rules:

doas vi /etc/audit/rules.d/audit.rules

Example rules:

  -w /etc/passwd -p wa -k passwd_changes
  -w /etc/shadow -p wa -k shadow_changes
  -w /etc/group -p wa -k group_changes

Step 7: Apply Kernel and Service Hardening

1. Disable unused filesystems:

Edit /etc/modprobe.d/disable-filesystems.conf:

doas vi /etc/modprobe.d/disable-filesystems.conf

Add the following lines:

  install cramfs /bin/true
  install freevxfs /bin/true
  install jffs2 /bin/true
  install hfs /bin/true
  install hfsplus /bin/true
  install squashfs /bin/true
  install udf /bin/true
  install vfat /bin/true

2. Configure kernel parameters:

Edit /etc/sysctl.conf:

doas vi /etc/sysctl.conf

Add or update the following parameters:

  net.ipv4.ip_forward = 0
  net.ipv4.conf.all.accept_source_route = 0
  net.ipv4.conf.all.accept_redirects = 0
  net.ipv4.conf.all.secure_redirects = 0
  net.ipv4.conf.all.log_martians = 1
  net.ipv4.conf.default.log_martians = 1
  net.ipv4.icmp_echo_ignore_broadcasts = 1
  net.ipv4.icmp_ignore_bogus_error_responses = 1
  net.ipv4.tcp_syncookies = 1
  net.ipv4.conf.all.send_redirects = 0
  net.ipv4.conf.default.send_redirects = 0

Step 8: Regular Maintenance

1. Set up regular updates:

Create a cron job for regular updates:

doas crontab -e

Add the following line to update daily at 2 AM:

  0 2 * * * apk update && apk upgrade

2. Review and monitor logs regularly:

Ensure logs are rotated and reviewed frequently:

doas logrotate /etc/logrotate.conf

Conclusion

This process provides a foundation for securing an Alpine Linux system. Regular reviews and updates, along with compliance with the latest security guidelines, are essential to maintaining a secure environment.

@@ Line 1: / Line 1: @@
 Securing Alpine Linux using Security Technical Implementation Guides (STIGs) involves several steps. STIGs are a series of security requirements and configurations that help to secure systems. While there might not be a specific STIG for Alpine Linux, you can follow general Linux hardening guidelines and apply the principles from other Linux STIGs. Here’s a step-by-step process:
-Step 1: Update and Upgrade System
+== Step 1: Update and Upgrade System ==
 . Update package lists:
-    sudo apk update
+    {{cmd|doas apk update}}
 . Upgrade installed packages:
-    sudo apk upgrade
+    {{cmd|doas apk upgrade}}
+== Step 2: Install Necessary Security Tools ==
-Step 2: Install Necessary Security Tools
+. Install the {{pkg|audit|arch=}} package:
-. Install `audit` package:
+    {{cmd|doas apk add audit}}
-    sudo apk add audit
 . Install other necessary security packages:
-    sudo apk add sudo logrotate bash-completion openssh-server
+    {{cmd|doas apk add doas logrotate bash-completion openssh-server}}
+== Step 3: User and Access Management ==
-Step 3: User and Access Management
 . Disable root login over SSH:
-Edit `/etc/ssh/sshd_config`:
+Edit {{path|/etc/ssh/sshd_config}}:
-       sudo vi /etc/ssh/sshd_config
+   {{cmd|doas vi /etc/ssh/sshd_config}}
 Set the following parameter:
@@ Line 40: / Line 38: @@
 . Ensure password complexity:
-Edit `/etc/security/pwquality.conf`:
+Edit {{path|/etc/security/pwquality.conf}}:
-    sudo vi /etc/security/pwquality.conf
+    {{cmd|doas vi /etc/security/pwquality.conf}}
 Add or update the following lines:
@@ Line 56: / Line 54: @@
     for user in `awk -F: '($3 < 1000) {print $1}' /etc/passwd`; do
-        if [ $user != "root" ]; then
+        if [ $user !{{=}} "root" ]; then
-            sudo passwd -l $user
+            doas passwd -l $user
-            sudo chage -E 0 $user
+            doas chage -E 0 $user
         fi
     done
+== Step 4: File System and Directory Permissions ==
-Step 4: File System and Directory Permissions
 . Set appropriate permissions on important directories:
-    sudo chmod 700 /root
+    doas chmod 700 /root
-    sudo chmod 600 /boot/grub/grub.cfg
+    doas chmod 600 /boot/grub/grub.cfg
-    sudo chmod 600 /etc/ssh/sshd_config
+    doas chmod 600 /etc/ssh/sshd_config
 . Configure mount options:
-Edit `/etc/fstab`:
+Edit {{path|/etc/fstab}}:
-    sudo vi /etc/fstab
+    {{cmd|doas vi /etc/fstab}}
 Add `nosuid`, `nodev`, and `noexec` options to non-root partitions:
@@ Line 82: / Line 79: @@
     /dev/sda1 /home ext4 defaults,nosuid,nodev,noexec 0 2
+== Step 5: Network Security ==
-Step 5: Network Security
 . Disable unnecessary services:
-    sudo rc-update del <service_name>
+    {{cmd|doas rc-update del <service_name>
-    sudo rc-service <service_name> stop
+    doas rc-service <service_name> stop}}
 . Configure firewall (iptables):
-    sudo apk add iptables
+    {{cmd|doas apk add iptables
-    sudo rc-service iptables start
+    doas rc-service iptables start
-    sudo rc-update add iptables
+    doas rc-update add iptables}}
 Create a basic firewall ruleset:
-    sudo vi /etc/iptables/rules.v4
+    {{cmd|doas vi /etc/iptables/rules.v4}}
 Example rules:
@@ Line 113: / Line 109: @@
     COMMIT
+== Step 6: Logging and Auditing ==
-Step 6: Logging and Auditing
 . Configure system logging:
-Edit `/etc/rsyslog.conf` to ensure all log files are being captured:
+Edit {{path|/etc/rsyslog.conf}} to ensure all log files are being captured:
-    sudo vi /etc/rsyslog.conf
+    {{cmd|doas vi /etc/rsyslog.conf}}
 Example configuration:
@@ Line 132: / Line 127: @@
 . Set up audit rules:
-Edit `/etc/audit/rules.d/audit.rules`:
+Edit {{path|/etc/audit/rules.d/audit.rules}}:
-    sudo vi /etc/audit/rules.d/audit.rules
+    {{cmd|doas vi /etc/audit/rules.d/audit.rules}}
 Example rules:
@@ Line 142: / Line 137: @@
     -w /etc/group -p wa -k group_changes
+== Step 7: Apply Kernel and Service Hardening ==
-Step 7: Apply Kernel and Service Hardening
 . Disable unused filesystems:
-Edit `/etc/modprobe.d/disable-filesystems.conf`:
+Edit {{path|/etc/modprobe.d/disable-filesystems.conf}}:
-    sudo vi /etc/modprobe.d/disable-filesystems.conf
+    {{cmd|doas vi /etc/modprobe.d/disable-filesystems.conf}}
 Add the following lines:
@@ Line 165: / Line 159: @@
 . Configure kernel parameters:
-Edit `/etc/sysctl.conf`:
+Edit {{path|/etc/sysctl.conf}}:
-    sudo vi /etc/sysctl.conf
+    {{cmd|doas vi /etc/sysctl.conf}}
 Add or update the following parameters:
@@ Line 183: / Line 177: @@
     net.ipv4.conf.default.send_redirects = 0
+== Step 8: Regular Maintenance ==
-Step 8: Regular Maintenance
 . Set up regular updates:
@@ Line 190: / Line 183: @@
 Create a cron job for regular updates:
-    sudo crontab -e
+    {{cmd|doas crontab -e}}
 Add the following line to update daily at 2 AM:
 2 * * * apk update && apk upgrade
 . Review and monitor logs regularly:
@@ Line 201: / Line 193: @@
 Ensure logs are rotated and reviewed frequently:
-    sudo logrotate /etc/logrotate.conf
+    {{cmd|doas logrotate /etc/logrotate.conf}}
+== Conclusion ==
-Conclusion
+This process provides a foundation for securing an Alpine Linux system. Regular reviews and updates, along with compliance with the latest security guidelines, are essential to maintaining a secure environment.
-This process provides a foundation for securing an Alpine Linux system. Regular reviews and updates, along with compliance with the latest security guidelines, are essential to maintaining a secure environment.
+[[Category:Security]]