Securing Alpine Linux

From Alpine Linux
Revision as of 06:02, 11 May 2025 by Prabuanand (talk | contribs) (fixed heading style and removed step numbers)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Securing Alpine Linux using Security Technical Implementation Guides (STIGs) involves several steps. STIGs are a series of security requirements and configurations that help to secure systems. While there might not be a specific STIG for Alpine Linux, you can follow general Linux hardening guidelines and apply the principles from other Linux STIGs. Here’s a step-by-step process:

Update and upgrade system

1. Update package lists:

doas apk update

2. Upgrade installed packages:

doas apk upgrade

Install necessary security tools

1. Install the audit package:

doas apk add audit

2. Install other necessary security packages:

doas apk add doas logrotate bash-completion openssh-server

User and access management

1. Disable root login over SSH:

Edit /etc/ssh/sshd_config and Set the following parameter as follows

Contents of /etc/ssh/sshd_config

... PermitRootLogin no

2. Ensure password complexity:

Edit /etc/security/pwquality.conf and add or update the following lines:

Contents of /etc/security/pwquality.conf

... minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1

3. Lock unused system accounts by running the following script: 

  for user in `awk -F: '($3 < 1000) {print $1}' /etc/passwd`; do
      if [ $user != "root" ]; then
          doas passwd -l $user
          doas chage -E 0 $user
      fi
  done

File system and directory permissions

1. Set appropriate permissions on important directories:

doas chmod 700 /root doas chmod 600 /boot/grub/grub.cfg doas chmod 600 /etc/ssh/sshd_config

2. Configure mount options:

Edit /etc/fstab and Add `nosuid`, `nodev`, and `noexec` options to non-root partitions as follows:

Contents of /etc/fstab

... /dev/sda1 /home ext4 defaults,nosuid,nodev,noexec 0 2 ...

Network security

1. Disable unnecessary services:

doas rc-update del <service_name> doas rc-service <service_name> stop

2. Configure iptables firewall by installing and enabling it as follows:

doas apk add iptables doas rc-service iptables start doas rc-update add iptables

Create a basic firewall ruleset by adding Example rules to /etc/iptables/rules.v4 as follows:

Contents of /etc/iptables/rules.v4

*filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp --dport 22 -j ACCEPT COMMIT

Logging and auditing

1. Configure system logging by editing /etc/rsyslog.conf to ensure all log files are being captured. An example configuration is shown below:

Contents of /etc/rsyslog.conf

*.info;mail.none;authpriv.none;cron.none /var/log/messages authpriv.* /var/log/secure mail.* -/var/log/maillog cron.* /var/log/cron

2. Set up audit rules by editing the /etc/audit/rules.d/audit.rules files and adding example rules as follows:

Contents of /etc/audit/rules.d/audit.rules

-w /etc/passwd -p wa -k passwd_changes -w /etc/shadow -p wa -k shadow_changes -w /etc/group -p wa -k group_changes

Apply kernel and service hardening

1. Disable unused filesystems by editing /etc/modprobe.d/disable-filesystems.conf and add the following lines:

Contents of /etc/modprobe.d/disable-filesystems.conf

install cramfs /bin/true install freevxfs /bin/true install jffs2 /bin/true install hfs /bin/true install hfsplus /bin/true install squashfs /bin/true install udf /bin/true install vfat /bin/true

2. Configure kernel parameters by editing the /etc/sysctl.conf and adding or updating the following parameters:

Contents of /etc/sysctl.conf

net.ipv4.ip_forward = 0 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.tcp_syncookies = 1 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0

Regular maintenance

1. Set up regular updates by creating a cron job by editing crontab using the command crontab -e such that updates are applied daily at 2 AM. The output of crontab -l appears as follows:

Contents of /var/spool/cron/crontabs/root

... 0 2 * * * apk update && apk upgrade

2. Review and monitor logs regularly and ensure that logs are rotated and reviewed frequently:

doas logrotate /etc/logrotate.conf

Conclusion

This process provides a foundation for securing an Alpine Linux system. Regular reviews and updates, along with compliance with the latest security guidelines, are essential to maintaining a secure environment.

Retrieved from "https://wiki.alpinelinux.org/w/index.php?title=Securing_Alpine_Linux&oldid=29849"