Securing Alpine Linux
Securing Alpine Linux using Security Technical Implementation Guides (STIGs) involves several steps. STIGs are a series of security requirements and configurations that help to secure systems. While there might not be a specific STIG for Alpine Linux, you can follow general Linux hardening guidelines and apply the principles from other Linux STIGs. Here’s a step-by-step process:
Step 1: Update and Upgrade System
1. **Update package lists:**
   ```sh
   sudo apk update
   ```
2. **Upgrade installed packages:**
   ```sh
   sudo apk upgrade
   ```
Step 2: Install Necessary Security Tools
1. **Install `audit` package:**
   ```sh
   sudo apk add audit
   ```
2. **Install other necessary security packages:**
   ```sh
   sudo apk add sudo logrotate bash-completion openssh-server
   ```
Step 3: User and Access Management
1. **Disable root login over SSH:**
   Edit `/etc/ssh/sshd_config`:
   ```sh
   sudo vi /etc/ssh/sshd_config
   ```
   Set the following parameter:
   ```sh
   PermitRootLogin no
   ```
2. **Ensure password complexity:**
   Edit `/etc/security/pwquality.conf`:
   ```sh
   sudo vi /etc/security/pwquality.conf
   ```
   Add or update the following lines:
   ```sh
   minlen = 14
   dcredit = -1
   ucredit = -1
   ocredit = -1
   lcredit = -1
   ```
3. **Lock unused system accounts:**
   ```sh
   # Lock every account with UID below 1000 except root
   for user in $(awk -F: '($3 < 1000) {print $1}' /etc/passwd); do
     if [ "$user" != "root" ]; then
       sudo passwd -l "$user"
       # chage is provided by the shadow package (apk add shadow)
       sudo chage -E 0 "$user"
     fi
   done
   ```
Step 4: File System and Directory Permissions
1. **Set appropriate permissions on important directories:**
   ```sh
   sudo chmod 700 /root
   sudo chmod 600 /boot/grub/grub.cfg
   sudo chmod 600 /etc/ssh/sshd_config
   ```
2. **Configure mount options:**
   Edit `/etc/fstab`:
   ```sh
   sudo vi /etc/fstab
   ```
   Add `nosuid`, `nodev`, and `noexec` options to non-root partitions:
   ```sh
   /dev/sda1 /home ext4 defaults,nosuid,nodev,noexec 0 2
   ```
Step 5: Network Security
1. **Disable unnecessary services:**
   ```sh
   sudo rc-update del <service_name>
   sudo rc-service <service_name> stop
   ```
2. **Configure firewall (iptables):**
   ```sh
   sudo apk add iptables
   sudo rc-service iptables start
   sudo rc-update add iptables
   ```
   Create a basic firewall ruleset:
   ```sh
   sudo vi /etc/iptables/rules.v4
   ```
   Example rules:
   ```sh
   *filter
   :INPUT DROP [0:0]
   :FORWARD DROP [0:0]
   :OUTPUT ACCEPT [0:0]
   -A INPUT -i lo -j ACCEPT
   -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
   -A INPUT -p tcp --dport 22 -j ACCEPT
   COMMIT
   ```
Step 6: Logging and Auditing
1. **Configure system logging:**
   Edit `/etc/rsyslog.conf` to ensure all log files are being captured:
   ```sh
   sudo vi /etc/rsyslog.conf
   ```
   Example configuration:
   ```sh
   *.info;mail.none;authpriv.none;cron.none /var/log/messages
   authpriv.* /var/log/secure
   mail.* -/var/log/maillog
   cron.* /var/log/cron
   ```
2. **Set up audit rules:**
   Edit `/etc/audit/rules.d/audit.rules`:
   ```sh
   sudo vi /etc/audit/rules.d/audit.rules
   ```
   Example rules:
   ```sh
   -w /etc/passwd -p wa -k passwd_changes
   -w /etc/shadow -p wa -k shadow_changes
   -w /etc/group -p wa -k group_changes
   ```
Step 7: Apply Kernel and Service Hardening
1. **Disable unused filesystems:**
   Edit `/etc/modprobe.d/disable-filesystems.conf`:
   ```sh
   sudo vi /etc/modprobe.d/disable-filesystems.conf
   ```
   Add the following lines:
   ```sh
   # Caveat: UEFI systems need vfat for the EFI system partition, and
   # Alpine's modloop image is squashfs; drop those lines where they are in use.
   install cramfs /bin/true
   install freevxfs /bin/true
   install jffs2 /bin/true
   install hfs /bin/true
   install hfsplus /bin/true
   install squashfs /bin/true
   install udf /bin/true
   install vfat /bin/true
   ```
2. **Configure kernel parameters:**
   Edit `/etc/sysctl.conf`:
   ```sh
   sudo vi /etc/sysctl.conf
   ```
   Add or update the following parameters:
   ```sh
   net.ipv4.ip_forward = 0
   net.ipv4.conf.all.accept_source_route = 0
   net.ipv4.conf.all.accept_redirects = 0
   net.ipv4.conf.all.secure_redirects = 0
   net.ipv4.conf.all.log_martians = 1
   net.ipv4.conf.default.log_martians = 1
   net.ipv4.icmp_echo_ignore_broadcasts = 1
   net.ipv4.icmp_ignore_bogus_error_responses = 1
   net.ipv4.tcp_syncookies = 1
   net.ipv4.conf.all.send_redirects = 0
   net.ipv4.conf.default.send_redirects = 0
   ```
Step 8: Regular Maintenance
1. **Set up regular updates:**
   Create a cron job for regular updates:
   ```sh
   sudo crontab -e
   ```
   Add the following line to update daily at 2 AM:
   ```sh
   0 2 * * * apk update && apk upgrade
   ```
2. **Review and monitor logs regularly:**
   Ensure logs are rotated and reviewed frequently:
   ```sh
   sudo logrotate /etc/logrotate.conf
   ```
Conclusion
This process provides a foundation for securing an Alpine Linux system. Regular reviews and updates, along with compliance with the latest security guidelines, are essential to maintaining a secure environment.