Linux Security and Hardening | CSL4 A3.1


Duration: 3h 21m

In this section, you’ll take a deep dive into Linux security. You’ll build your knowledge and skills through a comprehensive overview of the key areas that you need to know to secure Linux systems.

You’ll begin with Linux security in general before moving on to physical security and the countermeasures you can employ to protect your hardware. From there, you’ll explore authentication systems and the various account types on a Linux system, and how to secure each one. You'll also learn how to enforce strong passwords and manage account and password expirations.

In the networking section, you'll learn how to secure network services that run on Linux systems. You'll also learn how the local firewall works in Linux and how to configure it. You’ll learn about file system security and how permissions work in detail, including special modes, file attributes, and ACLs. You'll also discover what rootkits are, how to detect them, and how to remove them.

You’ll also find several security resources you can use to continue your security education and stay on top of the latest security issues for Linux distributions.

There are several knowledge checks as you go through these resources. These will help you identify any areas that you might need or want to review. At the end you’ll find a final exam, where you can test yourself on what you’ve learnt.

Learning Objectives

  • Get a general view of Linux security including roles, network services, encryption, accounts, and multifactor authentication
  • Learn specific strategies for mitigating physical security risks and protecting your Linux systems against the most common physical attacks
  • Learn about data encryption and how to implement it on new Linux systems, as well as those that are already in service
  • Understand the different types of accounts you'll find on a Linux system and the special precautions you need to take with each account type
  • Learn how to enforce good password security practices on your Linux systems
  • Learn about multi-factor authentication and how it can be implemented in Linux
  • Learn techniques and strategies to secure network services
  • Learn how to secure your files and directories on Linux through permissions, data sharing, special modes, file attributes and ACLs, and how to detect and remove rootkits

An ACL, or access control list, provides additional granularity on top of the traditional Unix and Linux file permissions. For example, if you want to give one individual user access to a file, but you don't want to add that user to the file's group because they don't need access to the additional files and directories that membership would give them, you can use an ACL. If you were to solve this access issue using traditional permissions, you would have to create a new group. In that group you would put the user who needs access to that single file as well as the existing members of the original group. Now, any time the membership of the original group changes, the new group has to be changed as well.

In order to use ACLs, the file system has to have been mounted with ACL support. For ext-type file systems you can either set the default mount options with the tune2fs command, or add the acl option in the /etc/fstab file. ACL support is enabled by default on many file systems, such as xfs and btrfs.

There are two types of ACLs. The first type is called an access ACL. These ACLs grant permissions on specific files and directories. The other type is called a default ACL. Default ACLs are used only on directories. The rules of the default ACL on a directory are used if a file within that directory doesn't have an access ACL of its own. If you apply a default ACL to a directory, the ACLs of any existing files will not be modified. If you want to change the ACLs on the existing files in the directory, you have to do it manually; it will not be done automatically when you create the default ACL. Only files and directories created after the default ACL was added will be affected. Default ACLs on directories are entirely optional.

ACL entries can be defined per user, per group, for others (users who are not in the file's group), and via an effective rights mask. The setfacl command is used to create, modify and delete ACLs on files and directories. If for some reason the command is not available on your system, you'll need to install the ACL tools. Typically the package is named acl.

In order to create or modify an ACL, run setfacl -m followed by the ACL, sometimes called a rule, and then the file or directory to apply that ACL to. ACLs, or rules, follow a specific format. If you want to control the access for a given user, start the rule with u followed by a colon, followed by a username or UID, another colon, and the desired permissions. To allow the jason user permission to read, write and execute start.sh, you would run setfacl -m u:jason:rwx start.sh. If you want to allow sam read and execute permission, run setfacl -m u:sam:xr start.sh. Notice that I didn't supply the normal set of three permissions with a dash representing a permission not given, and I didn't even put the permissions in the traditionally correct order. Just be sure to supply the permissions that you want to grant.

If you want to add permissions for a group, use the format g:, then the group name or GID, a colon, and then the permissions. To grant all members of the sales group read and write permissions on the sales.txt file, run setfacl -m g:sales:rw sales.txt.

To set the effective rights mask, use m: followed by the permissions. The effective rights mask is used to restrict the permissions of all users and groups that are defined in the ACL. For example, you can prevent all of them from writing to a file by setting an effective mask of r-x. To do this on a file named sales.txt, run setfacl -m m:rx sales.txt. Sometimes the effective mask is automatically calculated and set when you run a command, or when a file is created, due to the umask.

To add permissions for others, use o: followed by the permissions. These permissions apply to users who are not members of the file's group. To allow others read permission on the sales.txt file, for example, run setfacl -m o:r sales.txt.

Multiple rules can be applied by separating them with a comma. Note that there are no spaces before or after the comma. To allow the user bob read permission and the sales group read and write permissions on the sales.txt file, you would run setfacl -m u:bob:r,g:sales:rw sales.txt.

So far, we've been talking about how to set access ACLs. Let's shift to setting default ACLs. If we want every file that gets created in the sales directory to be readable and writable by the members of the sales group, we create a default ACL for the sales group. Default ACLs are like access ACLs except that they are preceded by d:. So to get our desired default rule, we run setfacl -m d:g:sales:rw sales. Now, when we create a new file or directory inside the sales directory, it will contain an access ACL that grants members of the sales group read and write access. Newly created subdirectories will also contain this default ACL, so the ACLs are carried down through the file system tree. Remember, existing files will not have this default rule applied. If you want to modify their ACLs, do so manually with the setfacl command. The easiest way to modify the ACLs of the existing files in a directory is to do so recursively. Continuing with our previous example, we can make sure members of the sales group have read and write permissions on all the files and directories within the sales directory tree by running setfacl -R -m g:sales:rw sales.

To remove a rule, run setfacl -x followed by the rule you want to delete. When you specify the rule, you leave out the permissions section. For example, to delete a rule that granted some permissions to the jason user on sales.txt, you would run setfacl -x u:jason sales.txt. Notice that I didn't use something like u:jason:rw, just u:jason. When deleting ACLs, remember to leave off the permissions field. Another example would be setfacl -x g:sales sales.txt; that command would remove the rule pertaining to the sales group.

If you want to remove all the ACL entries for a file, run setfacl -b followed by the path to the file or directory. Once you run this command, the traditional Linux permissions will be honored exactly as they are set on the file. Now you know how to create, modify and delete ACLs with the setfacl command.

To view ACLs, use the getfacl command. Here's some example output of getfacl run against a file that doesn't have any ACL rules applied to it. The first three lines of output are the header. This simply tells us who owns the file, the group the file is in and the file's name. The next section of the output shows the rules for this file. These rules are simply a reflection of the traditional Linux permissions applied to this file. There are no rules for individual users or groups in this particular example.

This example shows a rule being added to the sales.txt file, and then that rule is displayed with the getfacl command. You'll notice that the rule now appears in the getfacl output. Even though a mask wasn't specified, it was calculated and automatically added for us. If you wanted to tighten the effective rights mask, you could do so after adding all the other rules.

Let's look at some getfacl output for a directory that has default ACLs. The default rules are clearly marked at the bottom of this output. In this example, any new files or directories created within this directory will give members of the sales group read and write access.

How will you be able to tell whether a file has ACLs? The easiest way to spot a file with ACLs is to look at its ls -l output. If ACLs are in use, you'll see a plus sign at the end of the permission string. In this example, the sales.txt file has ACLs and the other files do not. If you want to see the exact permissions for that file, you would of course run getfacl against it.
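The effective rights mask described above is the part of ACLs that most often surprises people: getfacl reports a named-user or group entry with the permissions that were granted, but the mask silently caps what is actually effective. The script below is an added example, not part of the course; it parses constructed getfacl output (the sales.txt scenario, with a mask of r-- set after granting rw- to bob and to the sales group) and annotates each entry with the effective permissions the same way getfacl does, so you can see which entries the mask restricts and which (the owner and others) it never touches.

```shell
#!/bin/sh
# Added example (not from the course): show how an effective rights mask
# restricts ACL entries. The mask applies to named users (user:NAME:),
# the owning group (group::) and named groups (group:NAME:). It does NOT
# apply to the file owner (user::) or to others (other::).

# apply_mask PERMS MASK -> the effective permission string, e.g. rw- & r-- = r--
apply_mask() {
    _perms=$1 _mask=$2 _out="" _i=1
    while [ "$_i" -le 3 ]; do
        _p=$(printf '%s' "$_perms" | cut -c"$_i")
        _m=$(printf '%s' "$_mask" | cut -c"$_i")
        if [ "$_p" != "-" ] && [ "$_p" = "$_m" ]; then _out="$_out$_p"; else _out="$_out-"; fi
        _i=$((_i + 1))
    done
    printf '%s' "$_out"
}

# annotate_acl: read getfacl-style text on stdin; append "#effective:" to every
# entry whose granted permissions are reduced by the mask::  entry.
annotate_acl() {
    awk -F: '
        { lines[++n] = $0; if ($1 == "mask") mask = $3 }
        END {
            for (i = 1; i <= n; i++) {
                line = lines[i]; split(line, f, ":")
                named_user = (f[1] == "user" && f[2] != "")
                if (mask != "" && (named_user || f[1] == "group")) {
                    eff = ""
                    for (j = 1; j <= 3; j++) {
                        p = substr(f[3], j, 1); m = substr(mask, j, 1)
                        eff = eff ((p != "-" && p == m) ? p : "-")
                    }
                    if (eff != f[3]) line = line "\t#effective:" eff
                }
                print line
            }
        }'
}

# Constructed sample: what getfacl prints after
#   setfacl -m u:bob:rw,g:sales:rw sales.txt ; setfacl -m m:r sales.txt
SAMPLE_ACL='# file: sales.txt
# owner: root
# group: sales
user::rw-
user:bob:rw-
group::rw-
group:sales:rw-
mask::r--
other::r--'

printf '%s\n' "$SAMPLE_ACL" | annotate_acl
```

Run it and note that user::rw- is printed unchanged while bob, the owning group and the sales group are all reduced to r--; that is exactly why the course recommends tightening the mask only after all the other rules have been added.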
