Securing Alpine Linux: Difference between revisions
Prabuanand (talk | contribs) m (Added category. fixed headings as per wiki guidelines) |
Prabuanand (talk | contribs) (applied wikitags) |
||
| Line 3: | Line 3: | ||
== Step 1: Update and Upgrade System == | == Step 1: Update and Upgrade System == | ||
1. Update package lists: | 1. Update package lists: {{cmd|doas apk update}} | ||
2. Upgrade installed packages: {{cmd|doas apk upgrade}} | |||
2. Upgrade installed packages: | |||
== Step 2: Install Necessary Security Tools == | == Step 2: Install Necessary Security Tools == | ||
1. Install the {{pkg|audit|arch=}} package: | 1. Install the {{pkg|audit|arch=}} package: {{cmd|doas apk add audit}} | ||
2. Install other necessary security packages: {{cmd|doas apk add doas logrotate bash-completion openssh-server}} | |||
2. Install other necessary security packages: | |||
== Step 3: User and Access Management == | == Step 3: User and Access Management == | ||
1. Disable root login over SSH: | 1. Disable root login over SSH: | ||
Edit {{path|/etc/ssh/sshd_config}} and Set the following parameter as follows {{Cat|/etc/ssh/sshd_config|... | |||
Edit {{path|/etc/ssh/sshd_config}} | PermitRootLogin no}} | ||
2. Ensure password complexity: | 2. Ensure password complexity: | ||
Edit {{path|/etc/security/pwquality.conf}} and add or update the following lines:{{Cat|/etc/security/pwquality.conf|<nowiki>... | |||
Edit {{path|/etc/security/pwquality.conf}}: | minlen = 14 | ||
dcredit = -1 | |||
ucredit = -1 | |||
ocredit = -1 | |||
lcredit = -1</nowiki>}} | |||
3. Lock unused system accounts: | 3. Lock unused system accounts: | ||
| Line 62: | Line 38: | ||
== Step 4: File System and Directory Permissions == | == Step 4: File System and Directory Permissions == | ||
1. Set appropriate permissions on important directories: | 1. Set appropriate permissions on important directories: {{Cmd|doas chmod 700 /root | ||
doas chmod 600 /boot/grub/grub.cfg | |||
doas chmod 600 /etc/ssh/sshd_config}} | |||
2. Configure mount options: | 2. Configure mount options: | ||
Edit {{path|/etc/fstab}} | Edit {{path|/etc/fstab}} and Add `nosuid`, `nodev`, and `noexec` options to non-root partitions as follows:{{Cat|/etc/fstab|... | ||
/dev/sda1 /home ext4 defaults,nosuid,nodev,noexec 0 2 | |||
...}} | |||
Add `nosuid`, `nodev`, and `noexec` options to non-root partitions: | |||
== Step 5: Network Security == | == Step 5: Network Security == | ||
1. Disable unnecessary services: | 1. Disable unnecessary services: {{cmd|doas rc-update del <service_name> | ||
doas rc-service <service_name> stop}} | |||
2. Configure {{Pkg|iptables}} firewall by installing and enabling it as follows:{{cmd|doas apk add iptables | |||
doas rc-service iptables start | |||
doas rc-update add iptables}} | |||
Create a basic firewall ruleset by adding Example rules to {{Path|/etc/iptables/rules.v4}} as follows:{{Cat|/etc/iptables/rules.v4|*filter | |||
:INPUT DROP [0:0] | |||
:FORWARD DROP [0:0] | |||
:OUTPUT ACCEPT [0:0] | |||
-A INPUT -i lo -j ACCEPT | |||
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |||
-A INPUT -p tcp --dport 22 -j ACCEPT | |||
COMMIT }} | |||
== Step 6: Logging and Auditing == | == Step 6: Logging and Auditing == | ||
1. Configure system logging | 1. Configure system logging by editing {{path|/etc/rsyslog.conf}} to ensure all log files are being captured. An example configuration is shown below:{{Cat|/etc/rsyslog.conf|*.info;mail.none;authpriv.none;cron.none /var/log/messages | ||
authpriv.* /var/log/secure | |||
mail.* -/var/log/maillog | |||
cron.* /var/log/cron}} | |||
2. Set up audit rules by editing the {{path|/etc/audit/rules.d/audit.rules}} files and adding example rules as follows:{{Cat|/etc/audit/rules.d/audit.rules|-w /etc/passwd -p wa -k passwd_changes | |||
-w /etc/shadow -p wa -k shadow_changes | |||
-w /etc/group -p wa -k group_changes}} | |||
2. Set up audit rules | |||
== Step 7: Apply Kernel and Service Hardening == | == Step 7: Apply Kernel and Service Hardening == | ||
1. Disable unused filesystems | 1. Disable unused filesystems by editing {{path|/etc/modprobe.d/disable-filesystems.conf}} and add the following lines: {{Cat|/etc/modprobe.d/disable-filesystems.conf|install cramfs /bin/true | ||
install freevxfs /bin/true | |||
install jffs2 /bin/true | |||
install hfs /bin/true | |||
install hfsplus /bin/true | |||
install squashfs /bin/true | |||
install udf /bin/true | |||
install vfat /bin/true}} | |||
2. Configure kernel parameters by editing the {{path|/etc/sysctl.conf}} and adding or updating the following parameters:{{Cat|/etc/sysctl.conf|<nowiki>net.ipv4.ip_forward = 0 | |||
net.ipv4.conf.all.accept_source_route = 0 | |||
net.ipv4.conf.all.accept_redirects = 0 | |||
net.ipv4.conf.all.secure_redirects = 0 | |||
net.ipv4.conf.all.log_martians = 1 | |||
net.ipv4.conf.default.log_martians = 1 | |||
net.ipv4.icmp_echo_ignore_broadcasts = 1 | |||
net.ipv4.icmp_ignore_bogus_error_responses = 1 | |||
net.ipv4.tcp_syncookies = 1 | |||
net.ipv4.conf.all.send_redirects = 0 | |||
net.ipv4.conf.default.send_redirects = 0</nowiki>}} | |||
== Step 8: Regular Maintenance == | == Step 8: Regular Maintenance == | ||
1. Set up regular updates | 1. Set up regular updates by creating a cron job by editing {{Path|crontab}} using the command {{ic|crontab -e}} such that updates are applied daily at 2 AM. The output of {{ic|crontab -l}} appears as follows:{{Cat|/var/spool/cron/crontabs/root|... | ||
0 2 * * * apk update && apk upgrade }} | |||
2. Review and monitor logs regularly and ensure that logs are rotated and reviewed frequently: {{cmd|doas logrotate /etc/logrotate.conf}} | |||
2. Review and monitor logs regularly | |||
== Conclusion == | == Conclusion == | ||
Revision as of 05:58, 11 May 2025
Securing Alpine Linux using Security Technical Implementation Guides (STIGs) involves several steps. STIGs are a series of security requirements and configurations that help to secure systems. While there might not be a specific STIG for Alpine Linux, you can follow general Linux hardening guidelines and apply the principles from other Linux STIGs. Here’s a step-by-step process:
Step 1: Update and Upgrade System
1. Update package lists:
doas apk update
2. Upgrade installed packages:
doas apk upgrade
Step 2: Install Necessary Security Tools
1. Install the audit package:
doas apk add audit
2. Install other necessary security packages:
doas apk add doas logrotate bash-completion openssh-server
Step 3: User and Access Management
1. Disable root login over SSH:
Edit /etc/ssh/sshd_config and Set the following parameter as follows
Contents of /etc/ssh/sshd_config
2. Ensure password complexity:
Edit /etc/security/pwquality.conf and add or update the following lines:
Contents of /etc/security/pwquality.conf
3. Lock unused system accounts:
for user in `awk -F: '($3 < 1000) {print $1}' /etc/passwd`; do
if [ $user != "root" ]; then
doas passwd -l $user
doas chage -E 0 $user
fi
done
Step 4: File System and Directory Permissions
1. Set appropriate permissions on important directories:
doas chmod 700 /root doas chmod 600 /boot/grub/grub.cfg doas chmod 600 /etc/ssh/sshd_config
2. Configure mount options:
Edit /etc/fstab and Add `nosuid`, `nodev`, and `noexec` options to non-root partitions as follows:
Contents of /etc/fstab
Step 5: Network Security
1. Disable unnecessary services:
doas rc-update del <service_name> doas rc-service <service_name> stop
2. Configure iptables firewall by installing and enabling it as follows:
doas apk add iptables doas rc-service iptables start doas rc-update add iptables
Create a basic firewall ruleset by adding Example rules to /etc/iptables/rules.v4 as follows:
Contents of /etc/iptables/rules.v4
Step 6: Logging and Auditing
1. Configure system logging by editing /etc/rsyslog.conf to ensure all log files are being captured. An example configuration is shown below:
Contents of /etc/rsyslog.conf
2. Set up audit rules by editing the /etc/audit/rules.d/audit.rules files and adding example rules as follows:
Contents of /etc/audit/rules.d/audit.rules
Step 7: Apply Kernel and Service Hardening
1. Disable unused filesystems by editing /etc/modprobe.d/disable-filesystems.conf and add the following lines:
Contents of /etc/modprobe.d/disable-filesystems.conf
2. Configure kernel parameters by editing the /etc/sysctl.conf and adding or updating the following parameters:
Contents of /etc/sysctl.conf
Step 8: Regular Maintenance
1. Set up regular updates by creating a cron job by editing crontab using the command crontab -e such that updates are applied daily at 2 AM. The output of crontab -l appears as follows:
Contents of /var/spool/cron/crontabs/root
2. Review and monitor logs regularly and ensure that logs are rotated and reviewed frequently:
doas logrotate /etc/logrotate.conf
Conclusion
This process provides a foundation for securing an Alpine Linux system. Regular reviews and updates, along with compliance with the latest security guidelines, are essential to maintaining a secure environment.