Securing Alpine Linux: Difference between revisions

From Alpine Linux
No edit summary
(Securing Alpine Linux)
Line 8: Line 8:




2. **Upgrade installed packages:**
2. Upgrade installed packages:
  ```sh
 
   sudo apk upgrade
   sudo apk upgrade
  ```


### Step 2: Install Necessary Security Tools


1. **Install `audit` package:**
Step 2: Install Necessary Security Tools
  ```sh
 
1. Install `audit` package:
 
   sudo apk add audit
   sudo apk add audit
  ```


2. **Install other necessary security packages:**
 
  ```sh
2. Install other necessary security packages:
 
   sudo apk add sudo logrotate bash-completion openssh-server
   sudo apk add sudo logrotate bash-completion openssh-server
  ```


### Step 3: User and Access Management


1. **Disable root login over SSH:**
Step 3: User and Access Management
 
1. Disable root login over SSH:
 
   Edit `/etc/ssh/sshd_config`:
   Edit `/etc/ssh/sshd_config`:
  ```sh
 
   sudo vi /etc/ssh/sshd_config
   sudo vi /etc/ssh/sshd_config
  ```
 
   Set the following parameter:
   Set the following parameter:
  ```sh
 
   PermitRootLogin no
   PermitRootLogin no
  ```


2. **Ensure password complexity:**
 
2. Ensure password complexity:
 
   Edit `/etc/security/pwquality.conf`:
   Edit `/etc/security/pwquality.conf`:
  ```sh
 
   sudo vi /etc/security/pwquality.conf
   sudo vi /etc/security/pwquality.conf
  ```
 
   Add or update the following lines:
   Add or update the following lines:
  ```sh
 
   minlen = 14
   minlen = 14
   dcredit = -1
   dcredit = -1
Line 49: Line 51:
   ocredit = -1
   ocredit = -1
   lcredit = -1
   lcredit = -1
  ```


3. **Lock unused system accounts:**
 
  ```sh
3. Lock unused system accounts:
 
   for user in `awk -F: '($3 < 1000) {print $1}' /etc/passwd`; do
   for user in `awk -F: '($3 < 1000) {print $1}' /etc/passwd`; do
       if [ $user != "root" ]; then
       if [ $user != "root" ]; then
Line 59: Line 61:
       fi
       fi
   done
   done
  ```


### Step 4: File System and Directory Permissions


1. **Set appropriate permissions on important directories:**
Step 4: File System and Directory Permissions
  ```sh
 
1. Set appropriate permissions on important directories:
 
   sudo chmod 700 /root
   sudo chmod 700 /root
   sudo chmod 600 /boot/grub/grub.cfg
   sudo chmod 600 /boot/grub/grub.cfg
   sudo chmod 600 /etc/ssh/sshd_config
   sudo chmod 600 /etc/ssh/sshd_config
  ```


2. **Configure mount options:**
 
2. Configure mount options:
   Edit `/etc/fstab`:
   Edit `/etc/fstab`:
  ```sh
 
   sudo vi /etc/fstab
   sudo vi /etc/fstab
  ```
 
   Add `nosuid`, `nodev`, and `noexec` options to non-root partitions:
   Add `nosuid`, `nodev`, and `noexec` options to non-root partitions:
  ```sh
 
   /dev/sda1 /home ext4 defaults,nosuid,nodev,noexec 0 2
   /dev/sda1 /home ext4 defaults,nosuid,nodev,noexec 0 2
  ```


### Step 5: Network Security


1. **Disable unnecessary services:**
Step 5: Network Security
  ```sh
 
1. Disable unnecessary services:
 
   sudo rc-update del <service_name>
   sudo rc-update del <service_name>
   sudo rc-service <service_name> stop
   sudo rc-service <service_name> stop
  ```


2. **Configure firewall (iptables):**
 
  ```sh
2. Configure firewall (iptables):
 
   sudo apk add iptables
   sudo apk add iptables
   sudo rc-service iptables start
   sudo rc-service iptables start
   sudo rc-update add iptables
   sudo rc-update add iptables
  ```
 


   Create a basic firewall ruleset:
   Create a basic firewall ruleset:
  ```sh
 
   sudo vi /etc/iptables/rules.v4
   sudo vi /etc/iptables/rules.v4
  ```
 
   Example rules:
   Example rules:
  ```sh
 
   *filter
   *filter
   :INPUT DROP [0:0]
   :INPUT DROP [0:0]
Line 109: Line 111:
   -A INPUT -p tcp --dport 22 -j ACCEPT
   -A INPUT -p tcp --dport 22 -j ACCEPT
   COMMIT
   COMMIT
  ```


### Step 6: Logging and Auditing


1. **Configure system logging:**
Step 6: Logging and Auditing
 
1. Configure system logging:
 
   Edit `/etc/rsyslog.conf` to ensure all log files are being captured:
   Edit `/etc/rsyslog.conf` to ensure all log files are being captured:
  ```sh
 
   sudo vi /etc/rsyslog.conf
   sudo vi /etc/rsyslog.conf
  ```
 
   Example configuration:
   Example configuration:
  ```sh
 
   *.info;mail.none;authpriv.none;cron.none /var/log/messages
   *.info;mail.none;authpriv.none;cron.none /var/log/messages
   authpriv.* /var/log/secure
   authpriv.* /var/log/secure
   mail.* -/var/log/maillog
   mail.* -/var/log/maillog
   cron.* /var/log/cron
   cron.* /var/log/cron
  ```


2. **Set up audit rules:**
 
2. Set up audit rules:
 
   Edit `/etc/audit/rules.d/audit.rules`:
   Edit `/etc/audit/rules.d/audit.rules`:
  ```sh
 
   sudo vi /etc/audit/rules.d/audit.rules
   sudo vi /etc/audit/rules.d/audit.rules
  ```
 
   Example rules:
   Example rules:
  ```sh
 
   -w /etc/passwd -p wa -k passwd_changes
   -w /etc/passwd -p wa -k passwd_changes
   -w /etc/shadow -p wa -k shadow_changes
   -w /etc/shadow -p wa -k shadow_changes
   -w /etc/group -p wa -k group_changes
   -w /etc/group -p wa -k group_changes
  ```


### Step 7: Apply Kernel and Service Hardening


1. **Disable unused filesystems:**
Step 7: Apply Kernel and Service Hardening
 
1. Disable unused filesystems:
 
   Edit `/etc/modprobe.d/disable-filesystems.conf`:
   Edit `/etc/modprobe.d/disable-filesystems.conf`:
  ```sh
 
   sudo vi /etc/modprobe.d/disable-filesystems.conf
   sudo vi /etc/modprobe.d/disable-filesystems.conf
  ```
 
   Add the following lines:
   Add the following lines:
  ```sh
 
   install cramfs /bin/true
   install cramfs /bin/true
   install freevxfs /bin/true
   install freevxfs /bin/true
Line 155: Line 160:
   install udf /bin/true
   install udf /bin/true
   install vfat /bin/true
   install vfat /bin/true
  ```


2. **Configure kernel parameters:**
 
2. Configure kernel parameters:
 
   Edit `/etc/sysctl.conf`:
   Edit `/etc/sysctl.conf`:
  ```sh
 
   sudo vi /etc/sysctl.conf
   sudo vi /etc/sysctl.conf
  ```
 
   Add or update the following parameters:
   Add or update the following parameters:
  ```sh
 
   net.ipv4.ip_forward = 0
   net.ipv4.ip_forward = 0
   net.ipv4.conf.all.accept_source_route = 0
   net.ipv4.conf.all.accept_source_route = 0
Line 175: Line 181:
   net.ipv4.conf.all.send_redirects = 0
   net.ipv4.conf.all.send_redirects = 0
   net.ipv4.conf.default.send_redirects = 0
   net.ipv4.conf.default.send_redirects = 0
  ```


### Step 8: Regular Maintenance


1. **Set up regular updates:**
Step 8: Regular Maintenance
 
1. Set up regular updates:
 
   Create a cron job for regular updates:
   Create a cron job for regular updates:
  ```sh
 
   sudo crontab -e
   sudo crontab -e
  ```
 
   Add the following line to update daily at 2 AM:
   Add the following line to update daily at 2 AM:
  ```sh
 
   0 2 * * * apk update && apk upgrade
   0 2 * * * apk update && apk upgrade
  ```


2. **Review and monitor logs regularly:**
 
2. Review and monitor logs regularly:
 
   Ensure logs are rotated and reviewed frequently:
   Ensure logs are rotated and reviewed frequently:
  ```sh
 
   sudo logrotate /etc/logrotate.conf
   sudo logrotate /etc/logrotate.conf
  ```


### Conclusion
 
Conclusion


This process provides a foundation for securing an Alpine Linux system. Regular reviews and updates, along with compliance with the latest security guidelines, are essential to maintaining a secure environment.
This process provides a foundation for securing an Alpine Linux system. Regular reviews and updates, along with compliance with the latest security guidelines, are essential to maintaining a secure environment.

Revision as of 14:40, 3 July 2024

Securing Alpine Linux using Security Technical Implementation Guides (STIGs) involves several steps. STIGs are a series of security requirements and configurations that help to secure systems. While there might not be a specific STIG for Alpine Linux, you can follow general Linux hardening guidelines and apply the principles from other Linux STIGs. Here’s a step-by-step process:

Step 1: Update and Upgrade System

1. Update package lists:

  sudo apk update


2. Upgrade installed packages:

  sudo apk upgrade


Step 2: Install Necessary Security Tools

1. Install `audit` package:

  sudo apk add audit


2. Install other necessary security packages:

  sudo apk add sudo logrotate bash-completion openssh-server


Step 3: User and Access Management

1. Disable root login over SSH:

  Edit `/etc/ssh/sshd_config`:
  sudo vi /etc/ssh/sshd_config
  Set the following parameter:
  PermitRootLogin no


2. Ensure password complexity:

  Edit `/etc/security/pwquality.conf`:
  sudo vi /etc/security/pwquality.conf
  Add or update the following lines:
  minlen = 14
  dcredit = -1
  ucredit = -1
  ocredit = -1
  lcredit = -1


3. Lock unused system accounts:

  for user in `awk -F: '($3 < 1000) {print $1}' /etc/passwd`; do
      if [ $user != "root" ]; then
          sudo passwd -l $user
          sudo chage -E 0 $user
      fi
  done


Step 4: File System and Directory Permissions

1. Set appropriate permissions on important directories:

  sudo chmod 700 /root
  sudo chmod 600 /boot/grub/grub.cfg
  sudo chmod 600 /etc/ssh/sshd_config


2. Configure mount options:

  Edit `/etc/fstab`:
  sudo vi /etc/fstab
  Add `nosuid`, `nodev`, and `noexec` options to non-root partitions:
  /dev/sda1 /home ext4 defaults,nosuid,nodev,noexec 0 2


Step 5: Network Security

1. Disable unnecessary services:

  sudo rc-update del <service_name>
  sudo rc-service <service_name> stop


2. Configure firewall (iptables):

  sudo apk add iptables
  sudo rc-service iptables start
  sudo rc-update add iptables


  Create a basic firewall ruleset:
  sudo vi /etc/iptables/rules.v4
  Example rules:
  *filter
  :INPUT DROP [0:0]
  :FORWARD DROP [0:0]
  :OUTPUT ACCEPT [0:0]
  -A INPUT -i lo -j ACCEPT
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p tcp --dport 22 -j ACCEPT
  COMMIT


Step 6: Logging and Auditing

1. Configure system logging:

  Edit `/etc/rsyslog.conf` to ensure all log files are being captured:
  sudo vi /etc/rsyslog.conf
  Example configuration:
  *.info;mail.none;authpriv.none;cron.none /var/log/messages
  authpriv.* /var/log/secure
  mail.* -/var/log/maillog
  cron.* /var/log/cron


2. Set up audit rules:

  Edit `/etc/audit/rules.d/audit.rules`:
  sudo vi /etc/audit/rules.d/audit.rules
  Example rules:
  -w /etc/passwd -p wa -k passwd_changes
  -w /etc/shadow -p wa -k shadow_changes
  -w /etc/group -p wa -k group_changes


Step 7: Apply Kernel and Service Hardening

1. Disable unused filesystems:

  Edit `/etc/modprobe.d/disable-filesystems.conf`:
  sudo vi /etc/modprobe.d/disable-filesystems.conf
  Add the following lines:
  install cramfs /bin/true
  install freevxfs /bin/true
  install jffs2 /bin/true
  install hfs /bin/true
  install hfsplus /bin/true
  install squashfs /bin/true
  install udf /bin/true
  install vfat /bin/true


2. Configure kernel parameters:

  Edit `/etc/sysctl.conf`:
  sudo vi /etc/sysctl.conf
  Add or update the following parameters:
  net.ipv4.ip_forward = 0
  net.ipv4.conf.all.accept_source_route = 0
  net.ipv4.conf.all.accept_redirects = 0
  net.ipv4.conf.all.secure_redirects = 0
  net.ipv4.conf.all.log_martians = 1
  net.ipv4.conf.default.log_martians = 1
  net.ipv4.icmp_echo_ignore_broadcasts = 1
  net.ipv4.icmp_ignore_bogus_error_responses = 1
  net.ipv4.tcp_syncookies = 1
  net.ipv4.conf.all.send_redirects = 0
  net.ipv4.conf.default.send_redirects = 0


Step 8: Regular Maintenance

1. Set up regular updates:

  Create a cron job for regular updates:
  sudo crontab -e
  Add the following line to update daily at 2 AM:
  0 2 * * * apk update && apk upgrade


2. Review and monitor logs regularly:

  Ensure logs are rotated and reviewed frequently:
  sudo logrotate /etc/logrotate.conf


Conclusion

This process provides a foundation for securing an Alpine Linux system. Regular reviews and updates, along with compliance with the latest security guidelines, are essential to maintaining a secure environment.