Securing Alpine Linux: Difference between revisions
Prabuanand (talk | contribs) (applied wikitags)
Prabuanand (talk | contribs) (fixed heading style and removed step numbers)
Latest revision as of 06:02, 11 May 2025
Securing Alpine Linux using Security Technical Implementation Guides (STIGs) involves several steps. STIGs are a series of security requirements and configurations that help to secure systems. While there might not be a specific STIG for Alpine Linux, you can follow general Linux hardening guidelines and apply the principles from other Linux STIGs. Here’s a step-by-step process:
Update and upgrade system
1. Update package lists:
doas apk update
2. Upgrade installed packages:
doas apk upgrade
Install necessary security tools
1. Install the audit package:
doas apk add audit
2. Install other necessary security packages:
doas apk add doas logrotate bash-completion openssh-server
User and access management
1. Disable root login over SSH:
Edit /etc/ssh/sshd_config and set the following parameter:
Contents of /etc/ssh/sshd_config
2. Ensure password complexity:
Edit /etc/security/pwquality.conf and add or update the following lines:
Contents of /etc/security/pwquality.conf
3. Lock unused system accounts by running the following script:
for user in `awk -F: '($3 < 1000) {print $1}' /etc/passwd`; do
    if [ "$user" != "root" ]; then
        doas passwd -l "$user"
        doas chage -E 0 "$user"
    fi
done
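As an added example (not part of the wiki page), the following dry-run companion to the loop above lists which UID < 1000 accounts would be locked, skipping root and accounts that already have no login shell, so the list can be reviewed before passwd -l and chage are run. The passwd file it reads is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the wiki page: preview of the accounts the
# locking loop in step 3 would touch. Skips root and accounts whose
# shell is already /sbin/nologin or /bin/false, since locking those
# gains nothing and expiring them can break service start-up scripts.

# Print "user:uid:shell" for each account that would be locked.
# $1 = path to a passwd(5)-format file (defaults to /etc/passwd)
lock_candidates() {
    awk -F: '$3 < 1000 && $1 != "root" &&
             $7 != "/sbin/nologin" && $7 != "/bin/false" {
                 print $1 ":" $3 ":" $7
             }' "${1:-/etc/passwd}"
}

# Constructed sample passwd data for demonstration only.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
operator:x:11:0:operator:/root:/bin/sh
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/sh
EOF
}

# Run with --demo to see the sample result; without arguments the
# functions are only defined, so the file can be sourced from a script.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_passwd > "$tmp"
    lock_candidates "$tmp"   # operator:11:/bin/sh
    rm -f "$tmp"
fi
```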
File system and directory permissions
1. Set appropriate permissions on important directories:
doas chmod 700 /root
doas chmod 600 /boot/grub/grub.cfg
doas chmod 600 /etc/ssh/sshd_config
2. Configure mount options:
Edit /etc/fstab and add the `nosuid`, `nodev`, and `noexec` options to non-root partitions as follows:
Contents of /etc/fstab
Network security
1. Disable unnecessary services:
doas rc-update del <service_name>
doas rc-service <service_name> stop
2. Configure iptables firewall by installing and enabling it as follows:
doas apk add iptables
doas rc-service iptables start
doas rc-update add iptables
Create a basic firewall ruleset by adding example rules to /etc/iptables/rules.v4 as follows:
Contents of /etc/iptables/rules.v4
Logging and auditing
1. Configure system logging by editing /etc/rsyslog.conf to ensure all log files are being captured. An example configuration is shown below:
Contents of /etc/rsyslog.conf
2. Set up audit rules by editing the /etc/audit/rules.d/audit.rules file and adding example rules as follows:
Contents of /etc/audit/rules.d/audit.rules
Apply kernel and service hardening
1. Disable unused filesystems by editing /etc/modprobe.d/disable-filesystems.conf and adding the following lines:
Contents of /etc/modprobe.d/disable-filesystems.conf
2. Configure kernel parameters by editing /etc/sysctl.conf and adding or updating the following parameters:
Contents of /etc/sysctl.conf
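As an added example (not from the wiki page), the functions below verify the settings asked for in the sshd step of "User and access management", the "File system and directory permissions" step, and the sysctl step above, in the spirit of a STIG compliance check. It assumes the sshd step sets PermitRootLogin to no, which the page does not spell out; the report path and file names are assumptions too.

```shell
#!/bin/sh
# Added example, not from the wiki page: pass/fail checks for settings
# from the sections above. Each function returns 0 on pass, 1 on fail,
# so it can be run from cron or CI. Assumption: the sshd hardening step
# sets "PermitRootLogin no" (the page does not show the value).

# First effective value of a keyword in an sshd_config-style file
# (sshd honours the first occurrence). $1 = file, $2 = keyword
sshd_value() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Pass if root login over SSH is disabled in sshd_config file $1.
check_root_login_disabled() {
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ]
}

# Pass if path $1 has octal mode $2, e.g. check_mode /root 700
check_mode() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "$2" ]
}

# Pass if the last "key = value" line for key $2 in sysctl-style file $1
# sets value $3 (later lines override earlier ones when sysctl loads them).
check_sysctl_conf() {
    [ "$(awk -F'[ \t=]+' -v k="$2" '$1 == k { v = $2 } END { print v }' "$1")" = "$3" ]
}

# Print one PASS/FAIL line per check and return the number of failures.
# $1 = sshd_config path, $2 = sysctl.conf path
hardening_report() {
    fails=0
    for spec in \
        "check_root_login_disabled $1" \
        "check_mode /root 700" \
        "check_mode $1 600" \
        "check_sysctl_conf $2 net.ipv4.conf.default.send_redirects 0"; do
        if $spec; then echo "PASS $spec"; else echo "FAIL $spec"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Run with --report to check the live system.
if [ "${1:-}" = "--report" ]; then
    hardening_report /etc/ssh/sshd_config /etc/sysctl.conf
fi
```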
Regular maintenance
1. Set up regular updates by creating a cron job: edit the crontab using the command crontab -e so that updates are applied daily at 2 AM. The output of crontab -l then appears as follows:
Contents of /var/spool/cron/crontabs/root
2. Review logs regularly and ensure that they are rotated:
doas logrotate /etc/logrotate.conf
Conclusion
This process provides a foundation for securing an Alpine Linux system. Regular reviews and updates, along with compliance with the latest security guidelines, are essential to maintaining a secure environment.