Linux Security Flashcards
How do you check if AppArmor is up and running?
sudo aa-status
How would you set up a port/protocol rule on ufw?
sudo ufw allow PORT/PROTOCOL comment "STRING"
You don't need the comment, but it helps if the port is unusual, etc.
How would you add more than one port to the ufw rule
e.g. "... allow 21,22/tcp ..." for an itemised list
or
"... allow 30000:40000/udp ..." for a range
Prioritise a ufw rule to the top of the table
sudo ufw prepend RULE …
How to insert a ufw rule into a specific point on the table
First:
sudo ufw status numbered
Then:
sudo ufw insert LINE NO RULE
Create a ufw rule for ssh with a more restricted scope of inbound sources, i.e. local machines only
sudo ufw allow proto tcp from 192.168.0.0/24 to any port 22
Remove a ufw rule
sudo ufw status numbered
sudo ufw delete LINE NO
What’s the syntax for adding an entry to the bottom of the sudoers file?
username ALL=(ALL) ALL
Format: USER HOSTS=(RUNAS USER) COMMANDS
Where is the sudoers file?
/etc/sudoers
Edit with Visudo
Where is the SELinux configuration?
/etc/selinux/config
Default policy setting of SELinux?
Targeted: Only enforces network daemon policy rules
Non default SEL settings
minimum - only specified process
mls - US military & gov
strict - all daemons, not recommended
How to change SEL state
sudo setenforce permissive/enforcing
To disable you have to change the config file!
What utility do you use to view and set SEL context for user accounts?
semanage
What does chcon do and what is the syntax?
Change default SEL context:
chcon -u USER -r ROLE -t TYPE /FILE
Where does SEL log its security events?
/var/log/audit/audit.log.
Can use audit2allow to generate policy to allow a denied event
AppArmor is usually installed by default in Ubuntu but what packages might you need to get?
apparmor-utils
apparmor-profiles
Where are AppArmor profiles stored?
/etc/apparmor.d
What is noteworthy about AA profile names?
They usually reference the application path, but with the / swapped for .
e.g. usr.bin.mysqld
How do you view a list of active network ports without an AA profile defined?
sudo aa-unconfined
How do you turn off (but not disable) an AA profile?
aa-complain Profile_PATH
How do you turn an AA profile off and on?
sudo aa-disable PATH
sudo aa-enforce PATH
What tools are required to set up joining AD?
sssd-ad, sssd-tools, realmd, adcli
How do you test if you can join the AD realm (domain)?
sudo realm -v discover DOMAIN
Once everything is setup, how do you join an AD domain (realm)?
sudo realm join -U USER@DOMAIN domain.name
What tools are required to connect a current system to OpenLDAP?
libnss-ldapd, libpam-ldapd, ldap-utils
Where do you modify an individual user's ssh config?
~/.ssh/config
Where do you modify every user’s ssh config?
/etc/ssh/ssh_config
Where do you modify an ssh server (incoming) config?
/etc/ssh/sshd_config
What is the full command to generate an SSH ID key pair?
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
How would you send your pubkey to the remote SSH server?
ssh-copy-id USER@HOST
For a dry run then use -n
How to check if a program is compatible with PAM?
ldd /bin/PATH | grep libpam.so
Where would a PAM compatible program have its config file?
/etc/pam.d
Three common PAM modules for enforcing strong passwords?
pam_unix.so
pam_pwhistory.so
pam_pwquality.so (pam_cracklib.so)
Two PAM modules to protect against brute force
pam_tally.so (Deb)
pam_faillock.so (Rhel)
PAM module to incorporate into an LDAP env?
pam_ldap.so
How do you check firewalld is running?
firewall-cmd --state
Or
systemctl status firewalld
Commands to modify firewalld zones
firewall-cmd --get-zones
--get-default-zone
--set-default-zone=ZONE
--get-active-zones
--permanent --new-zone=NEWZONE
Change an interface to a different firewalld zone - 2 steps to do this.
Modify the adapter config in /etc/sysconfig/network-scripts
Then systemctl restart firewalld
How to add/remove a service (common protocol) rule to firewalld?
firewall-cmd --zone=ZONE --add-service=SERVICE (or --remove-service=SERVICE)
(SERVICE from --get-services)
How do you save firewalld rules beyond current session
Add --permanent
Or reload the firewall
How to add a nonstandard service/port rule to firewalld?
--zone=ZONE --permanent --add-port=PORT/PROTO (tcp/udp)
Keep going old chap
You got this
Give an example of a standard ACCEPT for iptables (http for this example)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Give an example of an iptables rule to block ssh from a specific source
iptables -A INPUT -s 6.6.6.6 -p tcp --dport 22 -j REJECT (or -j DROP)
How to make an iptables adjustment persist
iptables-save, or on some distros there's no hyphen in the command
What are the three different chains in iptables?
INPUT
FORWARD
OUTPUT
How might you match on connection state in iptables?
(...) -m state --state RELATED,ESTABLISHED (...)
What file to edit password requirements?
/etc/login.defs
The /etc/login.defs file can modify settings for password length and age, but how might you go about enforcing a complexity requirement?
Add the pam_pwquality.so module into the PAM rules and edit appropriately.
How would you edit settings for the PAM pam_pwquality.so module?
RHEL - /etc/pam.d/system-auth and password-auth
DEB - /etc/pam.d/common-password and common-auth
Then add appropriate directives to the end of the line: "password requisite pam_pwquality.so"
What’s an easy trick to restrict service accounts (especially root) from making system changes
Edit their /etc/passwd entry to run /usr/bin/nologin as their default shell. That way they can operate but not run scripts etc.
How might you stop someone from walking up to the console and using root login?
Create a file /etc/securetty on the system. If there is nothing in it, no consoles are permitted root login.
How do you block root access over ssh?
Modify the /etc/ssh/sshd_config file and edit the appropriate commented line.
How to disable/change ctrl alt del?
systemctl mask ctrl-alt-del.target
On sysV you need to modify the appropriate line in /etc/inittab
How would you secure 'at' and 'cron'?
They have at.allow and cron.deny files in /etc
How would you pass on messages to users?
/etc/login.warn
/etc/motd
How to block USB storage devices?
Modify /etc/modprobe.d/blacklist.conf with the lines:
blacklist uas
blacklist usb_storage
Save then reboot!
How to improve and customise security logging?
Use the auditd package:
Edit /etc/audit/audit.rules and use auditctl command
Top 4 services you should consider disabling?
FTP
Telnet
Finger
Mail services
What are two really easy network security layers you might want to consider implementing?
TCP wrappers .allow and .deny
Also
hosts.allow and .deny
How is the SELinux security context format laid out?
User:Type:Role:Level
An easy method of checking and enabling/disabling SE Linux policies?
getsebool -a
setsebool (-P) POLICY on/off
How do you read the SEL /var/log/audit/audit.log ?
use audit2allow
What are the 4 PAM service types?
Account
Auth
Password
Session
What are the 6 PAM control-flags
Include
Optional
Requisite
Required
Substack
Sufficient
pam_tally2.so and pam_faillock.so shared options are?
deny=n
silent
unlock_time=n
Unlock with pam_tally2
sudo pam_tally2 -r -u USER
Where are UFW profiles stored?
/etc/default/ufw/applications.d
Why is /bin/nologin used?
It prevents a (sys account) user from logging in from any terminal
See the firewalld zone you’re in and rules attached to them
firewall-cmd --list-all
Also use --zone=NAME for a different zone to the one you're on
Where to make actual AppArmor profile changes?
/etc/apparmor.d/local