How to Develop a Linux Security Framework

If you’re a system administrator for one or more Linux systems in an organization, you probably want to involve company management, as well as users, in setting up the security policy. Obviously, you can’t create a draconian policy that blocks all access. (That policy would prevent anyone from effectively working on the system.)

On the other hand, if users are creating or using data that’s valuable to the organization, you must set up a policy for your Linux system that protects the data from disclosure to outsiders. In other words, the security policy should strike a balance between users’ needs and your need to protect the system.

For a stand-alone Linux system or a home system that you occasionally connect to the Internet, the security policy can be just a list of the Internet services that you want to run on the system and the user accounts that you plan to set up on the system. For any larger organization, you probably have one or more Linux systems on a LAN connected to the Internet — preferably through a firewall. (To reiterate, a firewall is a device that controls the flow of Internet Protocol [IP] packets between the LAN and the Internet.) In such cases, thinking of computer security systematically (across the entire organization) is best.

Here's what a Linux security framework should focus on

• Determining the business requirements for security
• Performing risk assessments
• Establishing a security policy
• Implementing a cybersecurity solution that includes people, process, and technology to mitigate identified security risks
• Continuously monitoring and managing security

Determining business requirements for security and how Linux fits

• Enabling access to information by authorized users.
• Implementing business rules that specify who has access to what information.
• Employing a strong user-authentication system.
• Denying execution to malicious or destructive actions on data.
• Protecting data from end to end as it moves across networks.
• Implementing all security and privacy requirements that applicable laws impose.

Performing risk analysis on Linux systems

• Threats: What you’re protecting against.
• Vulnerabilities: Weaknesses that may be exploited by threats (the risks).
• Probability: The likelihood that a threat will exploit the vulnerability.
• Impact: The effect of exploiting a specific vulnerability.
• Mitigation: What to do to reduce vulnerabilities.
• Typical threats to a Linux system

• DoS attack: The computer and network are tied up so that legitimate users can’t make use of the systems. For businesses, a DoS attack can mean a loss of revenue. Because bringing a system to its knees with a single computer attack is a bit of a challenge these days, the more common tactic is to point many computers at a single site and let them do the dirty work. Although the purpose and result are the same as ever, this ganging-up is referred to as a distributed (DDoS) attack because more than one computer is attacking the host.
• Unauthorized access: The computer and network are used by someone who isn’t an authorized user. The unauthorized user can steal information or maliciously corrupt or destroy data. Some businesses may be hurt by the negative publicity resulting from the mere fact that an unauthorized user gained access to the system, even if the data shows no sign of explicit damage.
• Disclosure of information to the public: Disclosure in this case means the unauthorized release of information. The disclosure of a password file, for example, enables potential attackers to figure out username and password combinations for accessing a system. Exposure of other sensitive information, such as financial and medical data, may be a potential liability for a business.

Typical vulnerabilities on Linux systems

• People’s foibles (divulging passwords, losing security cards, and so on)
• Internal network connections (routers, switches)
• Interconnection points (gateways [routers and firewalls] between the Internet and the internal network)
• Third-party network providers (Internet service providers [ISPs], long-distance carriers) with looser security
• Operating-system security holes (potential holes in Internet servers, such as those associated with sendmail, named, and bind)
• Application security holes (known weaknesses in specific applications)

The 1-2-3 of risk analysis (probability and effect) on Linux systems

1. Assign subjective ratings of low, medium, and high to the probability.

   As the ratings suggest, low probability means a lesser chance that the vulnerability will be exploited; high probability means a greater chance.

2. Assign similar ratings to the effect.What you consider to be the effect is up to you.

   If the exploitation of a vulnerability would affect your business greatly, assign it a high effect rating.

3. Assign a numeric value to the three levels — low = 1, medium = 2, and high = 3 — for both probability and effect.
4. Multiply the probability by the effect.

   You can think of this product as being the risk level.

5. Decide to develop protections for vulnerabilities that exceed a specific threshold for the product of probability and effect.

   You might choose to handle all vulnerabilities that have a probability × effect value greater than 6, for example.

Establishing a security policy for Linux systems

The security policy typically addresses the following areas:

• Authentication: Examples include what method is used to ensure that a user is the real user, who gets access to the system, the minimum length and complexity of passwords, how often users change passwords, and how long a user can be idle before that user is logged out automatically.
• Authorization: Examples include what different classes of users can do on the system and who can have the root password.
• Data protection: Examples include what data must be protected, who has access to the data, and whether encryption is necessary for some data.
• Internet access: Examples include restrictions on LAN users from accessing the Internet, what Internet services (such as web and Internet Relay Chat) users can access, whether incoming emails and attachments are scanned for viruses, whether the network has a firewall, and whether virtual private networks (VPNs) are used to connect private networks across the Internet.
• Internet services: Examples include what Internet services are allowed on each Linux system; the existence of any file servers, mail servers, or web servers; what services run on each type of server; and what services, if any, run on Linux systems used as desktop workstations.
• Security audits: Examples include who tests whether the security is adequate, how often security is tested, and how problems found during security testing are handled.
• Incident handling: Examples include the procedures for handling any computer security incidents, who must be informed, and what information must be gathered to help with the investigation of incidents.
• Responsibilities: Examples include who is responsible for maintaining security, who monitors log files and audit trails for signs of unauthorized access, and who maintains the security policy.

Implementing security solutions (mitigation) on a Linux system

• Services (authentication, access control, encryption)
• Mechanisms (username and password, firewalls)
• Objects (hardware, software)

• Protection: Provide countermeasures such as policies, procedures, and technical solutions to defend against attacks on the assets being protected.
• Detection: Monitor for potential breakdowns in the protective measures that could result in security breaches.
• Reaction (response): Respond to detected breaches to thwart attacks before damage occurs; often requires human involvement.

Managing security on Linux systems

The combination of the risk analysis, security policy, security solutions, and security management provides the overall security framework. Such a framework helps establish a common level of understanding of security concerns and a common basis for the design and implementation of security solutions.