The first step in securing your Linux system is to set up a security policy. The security policy is your guide to what you enable users (as well as visitors over the Internet) to do on the Linux system. The level of security you establish depends on how you use the Linux system and how much is at risk if someone gains unauthorized access to your system.
If you are a system administrator for Linux systems at an organization, you probably want to involve the management, as well as the users, in setting up the security policy. Obviously, you cannot create an imposing policy that prevents everyone from working on the system. On the other hand, if the users are creating or using data valuable to the organization, you have to set up a policy that protects the data from disclosure to outsiders. In other words, the security policy should strike a balance between the users’ needs and the need to protect the system.
For a standalone Linux system or a home system you occasionally connect to the Internet, the security policy can be just a listing of the Internet services you want to run on the system and the user accounts you plan to set up on the system.
The security framework outlined in Figure 22-1 starts with the development of a security policy based on business requirements and risk analysis. The business requirements identify the security needs of the business—the computer resources and information you have to protect (including any requirements imposed by applicable laws, such as the requirement to protect the privacy of some types of data). Typical security requirements might include items such as the following:
Enable access to information by authorized users.
Implement business rules that specify who has access to what information.
Employ a strong user-authentication system.
Deny malicious or destructive actions on data.
Protect data from end to end as it moves across networks.
Implement all security and privacy requirements that applicable laws impose.
Risk analysis involves determining the following and performing some analysis to establish the priority of handling the risks:
Threats—What you are protecting against
Vulnerabilities—The weaknesses that might be exploited (these are the risks)
Probability—The likelihood that a vulnerability will be exploited
Impact—The effect of exploiting a specific vulnerability
Mitigation—What to do to reduce the vulnerabilities
Before I describe risk analysis, here are some typical threats to computer security:
Denial of service—The computer and network are tied up so that legitimate users cannot make use of the systems. For businesses, denial of service can mean loss of revenue.
Unauthorized access—Use of the computer and network by someone who is not an authorized user. The unauthorized user can steal information or maliciously corrupt or destroy data. Some businesses may be hurt by the negative publicity from the mere act of an unauthorized user gaining access to the system, even if there is no explicit damage to any data.
Disclosure of information to the public—The unauthorized release of information to the public. For example, the disclosure of a password file enables potential attackers to figure out user name and password combinations for accessing a system. Exposure of other sensitive information, such as financial and medical data, might be a potential liability for a business.
These threats come from exploitation of vulnerabilities in your organization’s computer and human resources. Some common vulnerabilities are the following:
People (divulging passwords, losing security cards, and so on)
Internal network connections (routers, switches)
Interconnection points (gateways—routers and firewalls—between the Internet and the internal network)
Third-party network providers (ISPs, long-distance carriers)
Operating-system security holes (potential holes in Internet servers, such as sendmail, named, bind, and so on)
Application security holes (known security holes in specific applications)
Based on the risk analysis and any business requirements you may need to address regardless of risk level, you can craft a security policy for the organization. The security policy typically addresses the following areas:
Authentication—What method will be used to ensure that a user is the real user? Who gets access to the system? What is the minimum length and complexity of passwords? How often do users change passwords? How long can a user be idle before that user is logged out automatically?
Authorization—What can different classes of users do on the system? Who can have the root password?
Data protection—What data must be protected? Who has access to the data? Is encryption necessary for some data?
Internet access—What are the restrictions on users (from the LAN) accessing the Internet? What Internet services (such as Web, Internet Relay Chat, and so on) can users access? Are incoming emails and attachments scanned for viruses? Is there a network firewall? Are virtual private networks (VPNs) used to connect private networks across the Internet?
Internet services—What Internet services are allowed on each Linux system? Are there any file servers? Mail servers? Web servers? What services run on each type of server? What services, if any, run on Linux systems used as desktop workstations?
Security audits—Who tests whether the security is adequate? How often is the security tested? How are problems found during security testing handled?
Incident handling—What are the procedures for handling any computer security incidents? Who must be informed? What information must be gathered to help with the investigation of incidents?
Responsibilities—Who is responsible for maintaining security? Who applies patches and upgrades system software to fix security holes? Who monitors log files and audit trails for signs of unauthorized access? Who maintains the database of security policy?
After you analyze the risks—vulnerabilities—and develop a security policy, you have to select the mitigation approach: how to protect against specific vulnerabilities. This is where you develop an overall security solution based on security policy, business requirements, and available technology—a solution that consists of the following:
Services (authentication, access control, encryption)
Mechanisms (user name/password, firewalls)
Objects (hardware, software)
In addition to implementing security solutions, you have to set up security management that continually monitors, detects, and responds to any security incidents.
The combination of the risk analysis, security policy, security solutions, and security management provides the overall security framework. Such a framework helps establish a common level of understanding of security and a common basis for the design and implementation of security solutions.
The remainder of this chapter shows you some of the ways in which you can enhance and maintain the security of your Red Hat Linux system and any network.