Securing Alpine Linux
Revision as of 14:40, 3 July 2024
Securing Alpine Linux using Security Technical Implementation Guides (STIGs) involves several steps. STIGs are sets of security requirements and configurations that help to secure systems. There is no STIG published specifically for Alpine Linux, so the steps below apply the principles of the general Linux STIGs (for example the RHEL and Ubuntu ones) to Alpine's own tooling: apk for packages, OpenRC for services and BusyBox for most base utilities. Here is a step-by-step process:
Step 1: Update and Upgrade System
Alpine does not ship `sudo` by default. Run these commands as root (or through `doas`, if it is installed) until `sudo` is added in Step 2; the remaining steps are written with `sudo` for consistency.
1. Update package lists:
sudo apk update
2. Upgrade installed packages:
sudo apk upgrade
Step 2: Install Necessary Security Tools
1. Install the `audit` package (the userspace side of the kernel audit subsystem; the running kernel must have audit support for it to do anything):
sudo apk add audit
2. Install other necessary packages:
sudo apk add sudo logrotate bash-completion openssh-server
`bash-completion` is a convenience rather than a security tool and can be left out. Install `openssh-server` only where remote administration over SSH is actually needed; its OpenRC service is named `sshd`.
Step 3: User and Access Management
1. Disable root login over SSH:
Edit `/etc/ssh/sshd_config`:
sudo vi /etc/ssh/sshd_config
Set the following parameter. sshd uses the first occurrence of a keyword, so make sure no earlier `PermitRootLogin` line, or a file pulled in by an `Include` directive above it, overrides this one:
PermitRootLogin no
Restart the `sshd` service afterwards for the change to take effect, and only after a non-root account with working (ideally key-based) access exists, or you will lock yourself out.
2. Ensure password complexity:
Alpine's default login stack (BusyBox `passwd` and `login`, or the `shadow` suite) does not use PAM, so `/etc/security/pwquality.conf` has no effect unless PAM with `pam_pwquality` is installed and configured. Where PAM is in use, edit `/etc/security/pwquality.conf`:
sudo vi /etc/security/pwquality.conf
Add or update the following lines:
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
Where PAM is not in use, enforce password rules at the point where accounts are created, and prefer key-based SSH authentication (`PasswordAuthentication no`) so that password strength matters less for remote access.
3. Lock unused system accounts:
`chage` is not part of BusyBox; it comes from the `shadow` package, which must be installed first. The loop locks the password of every non-root account with a UID below 1000 and sets its expiry date in the past. Review the account list before running it: it also covers per-service accounts such as `sshd` and `nobody`, which should already carry a locked (`!`) or absent (`*`) hash.
for user in $(awk -F: '($3 < 1000) {print $1}' /etc/passwd); do
  if [ "$user" != "root" ]; then
    sudo passwd -l "$user"
    sudo chage -E 0 "$user"
  fi
done
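To see which accounts the loop above would actually change, and to confirm afterwards that it did, the following script (an added example written for this page, not part of the original text or of Alpine) reports low-UID accounts whose password hash is still usable and checks a shadow entry for the `!` lock prefix that `passwd -l` writes. It works on copies of `/etc/passwd` and `/etc/shadow`; the two sample files it creates are constructed for illustration, so point the functions at the real files (as root) on a host.

```shell
#!/bin/sh
# Added example: offline check for the account-locking step.
# Works on copies of passwd/shadow; the samples below are constructed.
set -u

# Print NAME:UID:STATE for every account with UID < 1000 other than root
# whose shadow hash is still usable. STATE is "empty" (no password at all,
# the worst case) or "hash" (a live hash). Locked hashes start with "!"
# (what `passwd -l` writes); "*" and "!!" mean no password was ever set.
# Usage: unlocked_system_accounts PASSWD_FILE SHADOW_FILE
unlocked_system_accounts() {
    awk -F: '
        NR == FNR { uid[$1] = $3; next }           # first file: passwd
        ($1 in uid) && uid[$1] + 0 < 1000 && $1 != "root" {
            if ($2 == "")                     print $1 ":" uid[$1] ":empty"
            else if ($2 != "*" && $2 !~ /^!/) print $1 ":" uid[$1] ":hash"
        }' "$1" "$2"
}

# Exit 0 if NAME's entry in SHADOW_FILE is locked ("!" prefix or "*"),
# 1 if it is usable or the account is missing.
# Usage: is_locked NAME SHADOW_FILE
is_locked() {
    awk -F: -v name="$1" '
        $1 == name { found = 1; if ($2 ~ /^!/ || $2 == "*") exit 0; exit 1 }
        END { if (!found) exit 1 }' "$2"
}

# Offline stand-in for `passwd -l NAME` on a copy of shadow: prefix the hash
# with "!" (no-op if already locked). Usage: lock_in_copy NAME SHADOW_FILE
lock_in_copy() {
    awk -F: -v OFS=: -v name="$1" '
        $1 == name && $2 !~ /^!/ { $2 = "!" $2 } { print }' "$2" > "$2.tmp" &&
    mv "$2.tmp" "$2"
}

# --- constructed sample data (not taken from a real host) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
PASSWD_SAMPLE=$SAMPLE_DIR/passwd
SHADOW_SAMPLE=$SAMPLE_DIR/shadow
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/ash
games:x:35:35:games:/usr/games:/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/ash
EOF
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$saltsalt$fakerootexamplehash:19000:0:99999:7:::
bin:!::0:::::
daemon:!::0:::::
sshd:!::0:::::
backup:$6$saltsalt$fakebackuphash:19000:0:99999:7:::
games::0:::::
alice:$6$saltsalt$fakeuserhash:19000:0:99999:7:::
EOF

# Demonstration: backup still has a live hash and games has no password at
# all; both are what the Step 3 loop would lock. alice (UID 1000) is a user.
echo "accounts to lock:"
unlocked_system_accounts "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"
```

Run `unlocked_system_accounts /etc/passwd /etc/shadow` before the loop to see what it will touch, then `is_locked NAME /etc/shadow` afterwards to verify each account; an "empty" entry deserves attention first, since it means the account has no password at all.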
Step 4: File System and Directory Permissions
1. Set appropriate permissions on important directories:
sudo chmod 700 /root
sudo chmod 600 /boot/grub/grub.cfg
sudo chmod 600 /etc/ssh/sshd_config
`/boot/grub/grub.cfg` only exists where GRUB is the bootloader (Alpine's installer uses it on UEFI systems); BIOS installs use syslinux/extlinux, whose configuration is `/boot/extlinux.conf`, so apply the same permission to whichever file is present. `sshd` reads its configuration as root, so mode 600 on `sshd_config` does not affect it.
2. Configure mount options:
Edit `/etc/fstab`:
sudo vi /etc/fstab
Add `nosuid`, `nodev`, and `noexec` options to non-root partitions:
/dev/sda1 /home ext4 defaults,nosuid,nodev,noexec 0 2
`noexec` on `/home` stops users from running binaries or scripts they own, which is the intent on a server but breaks developer workstations and some tooling; drop it where that matters and keep `nosuid` and `nodev`. The same options belong on any other writable data partition (`/tmp`, `/var/tmp`, `/var/log`), and a changed fstab entry only takes effect after a remount or reboot.
Step 5: Network Security
1. Disable unnecessary services:
sudo rc-update del <service_name>
sudo rc-service <service_name> stop
List what is enabled per runlevel with `rc-update show` and what is running with `rc-status` before removing anything. Alpine uses OpenRC, so services are the `/etc/init.d` scripts; there are no systemd units to disable.
2. Configure firewall (iptables):
sudo apk add iptables
Alpine's `iptables` OpenRC service restores its ruleset from `/etc/iptables/rules-save` (the path is set by `IPTABLES_SAVE` in `/etc/conf.d/iptables`), not from the Debian-style `/etc/iptables/rules.v4`, and it will not start until that file exists. Create the ruleset first, in iptables-restore format:
sudo vi /etc/iptables/rules-save
Example rules (default-deny inbound; allow loopback, replies to established connections, and SSH):
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
Then load it and enable it at boot:
sudo rc-service iptables start
sudo rc-update add iptables
Rules added interactively with `iptables` are lost at reboot unless written back with `rc-service iptables save`. Keep the SSH rule in place when applying over a remote session or you will lock yourself out. `-m state` still works, but `-m conntrack --ctstate` is the current form. This ruleset is IPv4 only: install the `ip6tables` package if your release ships it separately, enable the `ip6tables` service with an equivalent ruleset (its file is set by `IP6TABLES_SAVE` in `/etc/conf.d/ip6tables`), or IPv6 traffic is left unfiltered.
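The ruleset above covers IPv4 only and is easy to get subtly wrong by hand. The script below is an added example, not from the original page or from the Alpine project: it generates matching iptables and ip6tables rulesets from a list of allowed TCP ports, validating the ports and adding the ICMPv6 rule without which IPv6 neighbour discovery breaks, and shows how such a ruleset is applied on Alpine (an `iptables-restore --test` dry run, then the OpenRC service). The paths `/etc/iptables/rules-save` and `/etc/iptables/rules6-save` are assumed to be Alpine's defaults and should be checked against `IPTABLES_SAVE` and `IP6TABLES_SAVE` in `/etc/conf.d/`; `apply_rules` needs root and is only shown, not run, here.

```shell
#!/bin/sh
# Added example: generate and apply a default-deny inbound ruleset on Alpine.
set -u

# Print an iptables-restore format filter table that drops inbound traffic
# except loopback, established flows, ICMP (echo requests on IPv4; all of
# ICMPv6, which neighbour discovery needs) and the given TCP ports.
# Usage: gen_filter_rules inet|inet6 PORT...
gen_filter_rules() {
    family=$1; shift
    case $family in
        inet|inet6) ;;
        *) echo "unknown family: $family" >&2; return 1 ;;
    esac
    for p in "$@"; do                       # validate before printing anything
        case $p in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    if [ "$family" = inet6 ]; then
        echo '-A INPUT -p ipv6-icmp -j ACCEPT'
    else
        echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    fi
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Number of TCP ports a generated ruleset opens; reads the ruleset on stdin.
count_open_ports() {
    grep -c -- '--dport' || true            # grep -c prints 0 but exits 1 on no match
}

# Write both rulesets where Alpine's iptables/ip6tables services read them
# (assumed paths, see /etc/conf.d/iptables and /etc/conf.d/ip6tables),
# dry-run them, then load and enable. Needs root; not executed in this file.
# Usage: apply_rules PORT...
apply_rules() {
    mkdir -p /etc/iptables
    gen_filter_rules inet  "$@" > /etc/iptables/rules-save.new  || return 1
    gen_filter_rules inet6 "$@" > /etc/iptables/rules6-save.new || return 1
    iptables-restore  --test < /etc/iptables/rules-save.new  || return 1
    ip6tables-restore --test < /etc/iptables/rules6-save.new || return 1
    mv /etc/iptables/rules-save.new  /etc/iptables/rules-save
    mv /etc/iptables/rules6-save.new /etc/iptables/rules6-save
    rc-service iptables  restart && rc-update add iptables
    rc-service ip6tables restart && rc-update add ip6tables
}

# Demonstration: the IPv4 ruleset for SSH and HTTPS.
gen_filter_rules inet 22 443
```

Because every port is validated before a single line is printed, a typo cannot produce a half-written file, and the `--test` pass rejects a syntactically broken ruleset before it replaces the one currently protecting the host.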
Step 6: Logging and Auditing
1. Configure system logging:
Alpine's default logger is BusyBox `syslogd` (OpenRC service `syslog`, options in `/etc/conf.d/syslog`), which writes everything to `/var/log/messages` and does not read `/etc/rsyslog.conf`. To keep it, configure it there; its `-R host` option forwards to a remote collector, which is worth doing so that logs survive a compromise of the host. To use rsyslog instead, install the `rsyslog` package, disable the `syslog` service and enable `rsyslog`, then edit `/etc/rsyslog.conf` to ensure all log files are being captured:
sudo vi /etc/rsyslog.conf
Example configuration:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
2. Set up audit rules:
Edit `/etc/audit/rules.d/audit.rules`:
sudo vi /etc/audit/rules.d/audit.rules
Example rules (watch each file for writes and attribute changes, tagged with a key so events can be found with `ausearch -k`):
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/group -p wa -k group_changes
Files under `rules.d` are merged into `/etc/audit/audit.rules` by `augenrules`; if the `auditd` init script on your release does not run it, run `augenrules --load` yourself or put the rules directly in `/etc/audit/audit.rules`. Enable the `auditd` service at boot and confirm the rules are active with `auditctl -l`. An error from `auditctl -s` usually means the running kernel lacks audit support, in which case no rule takes effect.
Step 7: Apply Kernel and Service Hardening
1. Disable unused filesystems:
Edit `/etc/modprobe.d/disable-filesystems.conf`:
sudo vi /etc/modprobe.d/disable-filesystems.conf
Add the following lines:
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install vfat /bin/true
An `install` line only blocks automatic loading of a module: a filesystem compiled into the kernel (listed in `/proc/filesystems`) is unaffected, and root can still load the module explicitly. Two entries need care on Alpine. `vfat` is required to mount the EFI system partition on UEFI installs, and `squashfs` is the format of the `modloop` image that diskless (run-from-RAM) installs mount at boot, so remove those lines where they apply.
2. Configure kernel parameters:
Edit `/etc/sysctl.conf`:
sudo vi /etc/sysctl.conf
Add or update the following parameters. Alpine's `sysctl` OpenRC service applies `/etc/sysctl.conf` and `/etc/sysctl.d/*.conf` at boot, `sysctl -p` applies them immediately, and a later line for the same key overrides an earlier one:
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Set both the `conf.all.*` and `conf.default.*` form of each key: `default` seeds interfaces created after boot, and for several of these keys the effective per-interface value is combined with `all` rather than replaced by it. Add the IPv6 counterparts (`net.ipv6.conf.all.accept_redirects`, `net.ipv6.conf.all.accept_source_route` and their `default` forms) unless IPv6 is disabled, and leave `ip_forward` at 1 on a host that routes or runs containers with bridged networking.
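Several of these settings are silently undone by a later sysctl line, an earlier sshd directive or a missing mount option, so it is worth checking the files rather than trusting the edit. The script below is an added example written for this page (not from the original text or from Alpine): it parses `sshd_config`, `fstab` and `sysctl.conf` the way their consumers do (first keyword wins for sshd, last assignment wins for sysctl) and prints PASS/FAIL for the settings from Steps 3, 4 and 7. The sample files it creates are constructed; on a host, run `run_checks /etc/ssh/sshd_config /etc/fstab /etc/sysctl.conf`. It inspects files, not the live system, so `sshd -T` and `sysctl -a` remain the final word on what is in effect.

```shell
#!/bin/sh
# Added example: offline compliance check for Steps 3, 4 and 7.
set -u

# Effective value of KEY in an sshd_config: the first non-comment occurrence
# wins, keywords compared case-insensitively (as sshd does).
# Usage: sshd_effective FILE KEY
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Last assigned value of KEY in a sysctl.conf-style file (a later line for
# the same key overrides an earlier one). Usage: sysctl_effective FILE KEY
sysctl_effective() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        { k = $1; v = $2
          gsub(/[ \t]/, "", k)
          gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) val = v }
        END { if (val != "") print val }' "$1"
}

# Exit 0 if MOUNTPOINT's fstab line carries every option in OPTS (comma-
# separated), 1 if one is missing or the mount point is not listed.
# Usage: fstab_has_opts FSTAB MOUNTPOINT OPTS
fstab_has_opts() {
    awk -v mp="$2" -v want="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $2 == mp {
            found = 1
            n = split($4, o, ",");   for (i = 1; i <= n; i++) have[o[i]] = 1
            m = split(want, w, ","); for (i = 1; i <= m; i++) if (!(w[i] in have)) missing = 1
            exit
        }
        END { if (found && !missing) exit 0; exit 1 }' "$1"
}

eq() { [ "$1" = "$2" ]; }

# Run one check: print PASS/FAIL with a description and count failures.
check() {   # DESCRIPTION COMMAND [ARGS...]
    desc=$1; shift
    if "$@"; then echo "PASS $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
}

# Check the settings from Steps 3, 4 and 7; the return value is the number
# of failed checks. Usage: run_checks SSHD_CONFIG FSTAB SYSCTL_CONF
run_checks() {
    fails=0
    check "sshd: PermitRootLogin no"         eq "$(sshd_effective "$1" PermitRootLogin)" no
    check "fstab: /home nosuid,nodev,noexec" fstab_has_opts "$2" /home nosuid,nodev,noexec
    check "sysctl: ip_forward = 0"           eq "$(sysctl_effective "$3" net.ipv4.ip_forward)" 0
    check "sysctl: tcp_syncookies = 1"       eq "$(sysctl_effective "$3" net.ipv4.tcp_syncookies)" 1
    check "sysctl: all.accept_redirects = 0" eq "$(sysctl_effective "$3" net.ipv4.conf.all.accept_redirects)" 0
    check "sysctl: all.send_redirects = 0"   eq "$(sysctl_effective "$3" net.ipv4.conf.all.send_redirects)" 0
    return "$fails"
}

# --- constructed samples: a compliant set and one with typical mistakes ---
S=$(mktemp -d); trap 'rm -rf "$S"' EXIT
cat > "$S/sshd_good" <<'EOF'
# constructed sample, not a real host's file
Port 22
PermitRootLogin no
PasswordAuthentication no
EOF
cat > "$S/sshd_bad" <<'EOF'
PermitRootLogin yes
permitrootlogin no
EOF
cat > "$S/fstab_good" <<'EOF'
/dev/sda1 /home ext4 defaults,nosuid,nodev,noexec 0 2
EOF
cat > "$S/fstab_bad" <<'EOF'
/dev/sda1 /home ext4 defaults,nosuid 0 2
EOF
cat > "$S/sysctl_good" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
cat > "$S/sysctl_bad" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# a later line silently overrides the earlier one
net.ipv4.ip_forward = 1
EOF

echo "== compliant sample =="
run_checks "$S/sshd_good" "$S/fstab_good" "$S/sysctl_good" || echo "$? check(s) failed"
echo "== sample with mistakes =="
run_checks "$S/sshd_bad" "$S/fstab_bad" "$S/sysctl_bad" || echo "$? check(s) failed"
```

The second sample fails four checks: the sshd file because the first `PermitRootLogin` line says `yes` and sshd ignores the second, the fstab line because `nodev` and `noexec` are absent, `ip_forward` because the last assignment sets it back to 1, and `tcp_syncookies` because it is never set. The return value makes the script usable as a gate in a build or configuration-management pipeline.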
Step 8: Regular Maintenance
1. Set up regular updates:
Create a cron job for regular updates (Alpine's cron is BusyBox `crond`; enable the `crond` service if it is not already running):
sudo crontab -e
Add the following line to update daily at 2 AM:
0 2 * * * apk update && apk upgrade
`apk` never prompts, so this runs unattended, but it also means a kernel, `openssh` or `musl` upgrade is applied without restarting the affected service or rebooting, and nothing records failures. Use the full path `/sbin/apk` in case cron's PATH omits `/sbin`, redirect the output to a log file or pipe it to `logger`, and either reboot on a schedule or review the output for packages that need one.
2. Review and monitor logs regularly:
Ensure logs are rotated and reviewed frequently. The `logrotate` package installs `/etc/periodic/daily/logrotate`, which `crond` runs once a day through root's default crontab, so a manual run is only needed to test a configuration:
sudo logrotate /etc/logrotate.conf
BusyBox `syslogd` rotates `/var/log/messages` itself (the `-s` size and `-b` backup-count options in `/etc/conf.d/syslog`) and is not managed by logrotate.
Conclusion
This process provides a foundation for securing an Alpine Linux system. Regular reviews and updates, along with compliance with the latest security guidelines, are essential to maintaining a secure environment.