LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-29-2014, 01:56 AM   #1
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 17.1 KDE on workstation, CentOS 6.x on servers
Posts: 1,145

Rep: Reputation: 47
What's a good resource on how to better secure a system?


I've been using Linux for a long time but one thing I never dived that deeply into is proper security.

The biggest thing I know is to not use root, but that is probably my biggest downfall.. how do you NOT use root? Unless I'm only modifying files owned by a specific user chances are I need to su as root at some point. Examples of such things are editing configuration files, or moving entire file structures. Due to Linux's lack of file inheritance there's always going to be that one file somewhere that has a different permission because it was put there via a different process (perhaps SMB or NFS instead of locally or vise versa) and it took on whatever permissions that process was running as. Or perhaps it was just another user who also has access to that share who put the file there, but now my own user can't see it because the folder does not take proper owner/group/perm inheritance like it would in windows.

Another thing is pretty much all commands aside from basic requires root. If I want to look at raid information, or use smartctl, or dd, or even ifconfig or tcpdump.

I made a custom monitoring program where the config is stored only on the server and pushed to agents, this makes deployment and management extremely easy. Unfortunately most commands that are used to gather system info need to run as root, so the agent has to run as root. This is quite a security risk as if someone compromises the monitoring server they can then modify the config file to send any command they want to the agents such as rm -rf /.

In the desktop world I run as a regular user as the GUIs seem to be rather well designed now days to work fairly well as a non root user. But for servers, I always find myself having to su or sudo as root. I'm sure there are better ways I can do this.

Heck, all my cron jobs run as root as well. A simple example is a backup script, I need a user that has access to *ALL* files to run the backups, and also access to change permissions and ownership, because after the file backup is complete I need to set the permissions to something my regular user can see in case I need to access the backups.

Tons of stuff like that requires root, unless there are other ways.


I've also been told that doing apt-get update or yum update is not enough, as I need to update the kernel and other stuff too that's not covered by those commands, so what else needs to be done to keep that stuff updated?

Overall I'm open to other tips or good resources to read as well.

I'd also like to eventually host other people's websites, or at least separate my own into their own "accounts" so I'd like to learn more security on that aspect as well.

Other random thing I thought of is commands that require a password. Those will show up in ps aux and similar commands, how do you prevent that? (mysqldump for example)

Last edited by Red Squirrel; 08-29-2014 at 02:31 AM.
 
Old 08-29-2014, 05:02 AM   #2
jessetaylor84
Member
 
Registered: Jan 2014
Location: Olympia, WA
Distribution: Debian / Tails
Posts: 47

Rep: Reputation: 10
It's not that you're *never* supposed to run applications as the root user -- what people are generally saying is that you should not be running applications as root when you don't need to (e.g. things like your web browser, games, media player, etc.). Many system administration tasks require that you are root (or use sudo), and there is nothing "insecure" about this.

As far as apt-get update "not being enough" to update the kernel ... I'm not sure what this means. Aptitude does indeed perform updates for the kernel.

As far as online resources for Linux security, you might want to start with the Linux Security HOWTO ... for something more specific to Fedora, you could check the Fedora Basic Hardening Guide

Last edited by jessetaylor84; 08-29-2014 at 05:07 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
good resource for upgrading hardware? fitzov Debian 1 07-17-2007 03:20 PM
LXer: University of Michigan Selects SSH Tectia for Secure System Administration and Secure File Transfers LXer Syndicated Linux News 0 04-25-2006 01:54 AM
A Good Software Resource seesharp Linux - Software 2 11-24-2004 03:36 PM
Looking for a good DDNS resource RHnewb Linux - Networking 7 09-16-2003 08:43 AM
Would someone direct me to a good resource? 2016 Linux - General 2 01-31-2002 12:59 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:34 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration