Nobody is perfect – especially no operating system! Therefore, system hardening for Linux is also recommended. However, the implementation can be complex in corporate environments. This is what you should consider.
Why is it necessary to harden Linux?
Linux is often described as “secure” per se. A fallacy! Until now, there have been fewer attacks because the operating system is used less frequently than Windows, for example.
But now the wind has changed: Since Linux is “working under the hood” in more and more systems and thus also in a growing number of companies, the interest of cybercriminals in the OS is growing. As a study by Trend Micro shows, the number of Linux attacks is increasing significantly.
Hardening systems through appropriate system configuration is extremely important – and that includes Linux! If the open operating system is used in the business environment, you should definitely harden it. Especially if sensitive data is being processed!
The large community has recognized this, and various projects are taking up the topic. For example:
What is the challenge of hardening Linux?
There are some important differences with Linux compared to Windows that you need to consider. These are the most important aspects from our perspective:
“Write programs that do one thing and do it well”
Applications on Linux have (at least in the UNIX philosophy) fairly clear areas of responsibility. They are supposed to go little or not at all beyond that.
However, discussion often arises in the community about how something is “best” solved. This leads to fragmentation and forks. While this is important in principle as it provides for the intended “separation of powers”, it can make Linux complex to manage.
“Everything is a file”
Windows uses abstract centralized approaches such as group policies or the associated registry entries to set preferences. On the Linux side, the equivalent would be to make such settings via configuration files.
Because of the different approaches described above and the far greater degrees of freedom compared with Windows, a single service often comes in several implementations, names and configuration formats. This makes automation challenging.
What are the consequences?
If there is no massive standardization and automation when introducing Linux infrastructures in a company, the world of Linux derivatives, services and various configurations of actually identical services can only be “recaptured” with great effort.
Questions like these then arise:
- Which distribution is used?
- Who installs the updates and when?
- Which firewall implementation is used?
- How is the NTP service to be configured?
- How to configure logging settings?
- Which (centrally managed) user accounts get “sudo” privileges?
- Is the use of the “root” account forbidden?
Reading tip: These Arch Linux articles summarize other important basic ideas and questions.
Are there any hardening recommendations for Linux?
“Linux vendors” are individuals, small groups, associations or larger companies (depending on the distribution). Even if you only look at the core of Linux (the “kernel”), there is no central “spokesperson”. General recommendations are therefore hard to find.
However, there are already good handouts, for example this one:
- For Arch Linux there is a security overview available
- On debian.org you can find the handbook “Securing Debian”
- For SUSE Linux Enterprise there is the “Hardening Guide”
Recommendations from organizations like DISA, CIS, BSI & Co. that we usually recommend for Windows system hardening can of course also be found on the net. Here are a few examples:
How good is your Linux hardening?
If you want to subject Ubuntu, Debian or Fedora to system hardening, you first need to determine the status quo. That is, how well have you hardened or securely configured your Linux so far?
Since the last major version jump, the Audit Test Automation Package (short: AuditTAP) offers a “Security Base Data” report for the most common Linux variants.
This is not (yet) a comprehensive audit report in terms of Linux hardening, but a first important step towards it. Important basic parameters are checked here. They give a first impression of a basic configuration.
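As an added illustration (not code from the original post, and not part of AuditTAP), the following POSIX shell script answers a few of the inventory questions listed earlier (distribution, SSH root login, unrestricted sudo, NTP sources) by reading configuration files, which is the kind of read-only “status quo” check a baseline report starts from. Every file path is a parameter, and the script runs against constructed sample files it writes itself, so it can be tried without touching a real host; the hostnames, user names and paths inside the samples are invented for the example.

```shell
#!/bin/sh
# Added example: read-only baseline checks for a few Linux hardening questions.
# All functions take a file path so they can be pointed at real files
# (/etc/os-release, /etc/ssh/sshd_config, /etc/sudoers, /etc/chrony/chrony.conf)
# or at the constructed samples below.

# Distribution ID from an os-release file (ID=ubuntu, ID="debian", ...).
os_id() {
    awk -F= '$1 == "ID" { gsub(/"/, "", $2); print $2 }' "$1"
}

# Effective PermitRootLogin of an sshd_config. OpenSSH honours the FIRST
# occurrence of a keyword; if it is unset, the OpenSSH default is prohibit-password.
sshd_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "prohibit-password" }' "$1"
}

# Succeeds only if root cannot authenticate over SSH with a password.
root_password_login_blocked() {
    case "$(sshd_permit_root_login "$1")" in
        no|prohibit-password|without-password) return 0 ;;
        *) return 1 ;;
    esac
}

# Users and groups whose command spec is an unrestricted "ALL" in a sudoers file.
# Comments, Defaults lines and include directives are skipped; aliases and
# /etc/sudoers.d fragments are not followed (pass them separately).
sudo_all_principals() {
    awk '/^[[:space:]]*(#|@|$)/ { next }
         /^[[:space:]]*Defaults/ { next }
         $NF == "ALL" && /ALL[[:space:]]*=/ { print $1 }' "$1"
}

# Time sources configured in a chrony.conf ("server" and "pool" directives).
ntp_sources() {
    awk '$1 == "server" || $1 == "pool" { print $2 }' "$1"
}

# Human-readable summary for one directory of config files.
baseline_report() {
    printf 'distribution:      %s\n' "$(os_id "$1/os-release")"
    printf 'PermitRootLogin:   %s\n' "$(sshd_permit_root_login "$1/sshd_config")"
    printf 'unrestricted sudo: %s\n' "$(sudo_all_principals "$1/sudoers" | tr '\n' ' ')"
    printf 'ntp sources:       %s\n' "$(ntp_sources "$1/chrony.conf" | tr '\n' ' ')"
}

# Constructed sample files (not taken from any real system).
SAMPLE_DIR=$(mktemp -d)
printf 'NAME="Ubuntu"\nID=ubuntu\nID_LIKE=debian\nVERSION_ID="22.04"\n' > "$SAMPLE_DIR/os-release"
printf '# constructed sample\nPort 22\nPermitRootLogin no\n' > "$SAMPLE_DIR/sshd_config"
printf 'Port 22\nPermitRootLogin yes\n' > "$SAMPLE_DIR/sshd_config.permissive"
printf 'Port 22\n' > "$SAMPLE_DIR/sshd_config.unset"
cat > "$SAMPLE_DIR/sudoers" <<'EOF'
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
@includedir /etc/sudoers.d
EOF
printf 'pool 2.debian.pool.ntp.org iburst\nserver ntp.example.internal iburst prefer\ndriftfile /var/lib/chrony/chrony.drift\n' > "$SAMPLE_DIR/chrony.conf"

baseline_report "$SAMPLE_DIR"
```

Run against a real host by replacing `$SAMPLE_DIR/...` with the system paths; the functions only read files, so they can be run as an unprivileged user wherever the files are readable (sudoers normally requires root). The sudoers parser deliberately reports `deploy` as not unrestricted, since its command spec is a single binary rather than `ALL`.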
System hardening: More than just applying a script!
System hardening is not a one-time task. For security configuration management, the regular control and monitoring of the settings matters just as much as their initial implementation.
This is what we want to support. Our mission is therefore: Not only Windows systems have to be hardened professionally, but also Linux!
We approach this mission step by step. Therefore we will regularly update this post and enrich it with new information to clearly describe the hardening of Ubuntu, Debian and Co. for enterprises. Stay tuned!
Do you have any questions about system hardening or AuditTAP? Contact us without any obligation!
Image: Freepik