How to Develop a Linux Security Framework

By Emmett Dulaney

The first step in securing your Linux system is setting up a security policy — a set of guidelines that states what you enable users (as well as visitors over the Internet) to do on your Linux system. The level of security you establish depends on how you use the Linux system and on how much is at risk if someone gains unauthorized access to your system.

If you’re a system administrator for one or more Linux systems in an organization, you probably want to involve company management, as well as users, in setting up the security policy. Obviously, you can’t create a draconian policy that blocks all access. (That policy would prevent anyone from effectively working on the system.)

On the other hand, if users are creating or using data that’s valuable to the organization, you must set up a policy for your Linux system that protects the data from disclosure to outsiders. In other words, the security policy should strike a balance between users’ needs and your need to protect the system.

For a stand-alone Linux system or a home system that you occasionally connect to the Internet, the security policy can be just a list of the Internet services that you want to run on the system and the user accounts that you plan to set up on the system. For any larger organization, you probably have one or more Linux systems on a LAN connected to the Internet — preferably through a firewall. (To reiterate, a firewall is a device that controls the flow of Internet Protocol [IP] packets between the LAN and the Internet.) In such cases, thinking of computer security systematically (across the entire organization) is best.

Here’s what a Linux security framework should focus on:

  • Determining the business requirements for security
  • Performing risk assessments
  • Establishing a security policy
  • Implementing a cybersecurity solution that includes people, process, and technology to mitigate identified security risks
  • Continuously monitoring and managing security

Determining business requirements for security and how Linux fits

The business requirements for security identify the computer resources and information you have to protect (including any requirements imposed by applicable laws, such as the requirement to protect the privacy of some types of data). Typical security requirements may include items such as the following:

  • Enabling access to information by authorized users.
  • Implementing business rules that specify who has access to what information.
  • Employing a strong user-authentication system.
  • Denying execution to malicious or destructive actions on data.
  • Protecting data from end to end as it moves across networks.
  • Implementing all security and privacy requirements that applicable laws impose.

Performing risk analysis on Linux systems

Risk analysis is about identifying and assessing risks — potential events that can harm your Linux system. The analysis involves determining the following for each risk and then ranking the risks to establish the priority for handling them:

  • Threats: What you’re protecting against.
  • Vulnerabilities: Weaknesses that may be exploited by threats (the risks).
  • Probability: The likelihood that a threat will exploit the vulnerability.
  • Impact: The effect of exploiting a specific vulnerability.
  • Mitigation: What to do to reduce vulnerabilities.

Typical threats to a Linux system

Some typical threats to your Linux system include the following:

  • DoS attack: The computer and network are tied up so that legitimate users can’t make use of the systems. For businesses, a DoS attack can mean a loss of revenue. Because bringing a system to its knees with a single computer attack is a bit of a challenge these days, the more common tactic is to point many computers at a single site and let them do the dirty work. Although the purpose and result are the same as ever, this ganging-up is referred to as a distributed denial-of-service (DDoS) attack because more than one computer is attacking the host.
  • Unauthorized access: The computer and network are used by someone who isn’t an authorized user. The unauthorized user can steal information or maliciously corrupt or destroy data. Some businesses may be hurt by the negative publicity resulting from the mere fact that an unauthorized user gained access to the system, even if the data shows no sign of explicit damage.
  • Disclosure of information to the public: Disclosure in this case means the unauthorized release of information. The disclosure of a password file, for example, enables potential attackers to figure out username and password combinations for accessing a system. Exposure of other sensitive information, such as financial and medical data, may be a potential liability for a business.

Typical vulnerabilities on Linux systems

The threats to your system and network come from exploitation of vulnerabilities in your organization’s resources, both computer and people. Following are some common vulnerabilities:

  • People’s foibles (divulging passwords, losing security cards, and so on)
  • Internal network connections (routers, switches)
  • Interconnection points (gateways [routers and firewalls] between the Internet and the internal network)
  • Third-party network providers (Internet service providers [ISPs], long-distance carriers) with looser security
  • Operating-system security holes (potential holes in Internet servers, such as those associated with sendmail, named, and bind)
  • Application security holes (known weaknesses in specific applications)

The 1-2-3 of risk analysis (probability and effect) on Linux systems

To perform risk analysis, assign a numeric value to the probability and effect of each potential vulnerability. To develop a workable risk analysis, do the following for each vulnerability or risk:

  1. Assign subjective ratings of low, medium, and high to the probability.

    As the ratings suggest, low probability means a lesser chance that the vulnerability will be exploited; high probability means a greater chance.

  2. Assign similar ratings to the effect. What you consider to be the effect is up to you.

    If the exploitation of a vulnerability would affect your business greatly, assign it a high effect rating.

  3. Assign a numeric value to the three levels — low = 1, medium = 2, and high = 3 — for both probability and effect.
  4. Multiply the probability by the effect.

    You can think of this product as being the risk level.

  5. Decide to develop protections for vulnerabilities that exceed a specific threshold for the product of probability and effect.

    You might choose to handle all vulnerabilities that have a probability × effect value greater than 6, for example.

If you want to characterize the probability and effect with finer gradations, use a scale of, say, 1 through 5 instead of 1 through 3, and follow the same steps.
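The five steps above, carried through on a small risk register, as an added example that is not part of the original article. The vulnerability names, their ratings, the five-level labels, and the register itself are constructed sample data; the threshold of 6 is the one the text uses. The example also covers the finer 1-through-5 scale the last paragraph mentions.

```python
# Added example (not from the original article): scoring a risk register with the
# probability x effect method described in the five steps above. Vulnerabilities,
# ratings and the five-level labels are constructed sample data, not page figures.

from dataclasses import dataclass
from typing import Dict, List

# Step 3: numeric values for the three subjective levels given in the article.
THREE_LEVEL: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}

# A finer 1-through-5 scale, as the article suggests. The labels are an assumption.
FIVE_LEVEL: Dict[str, int] = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Vulnerability:
    """One entry of the risk register, with the subjective ratings from steps 1 and 2."""
    name: str
    probability: str  # rating label, e.g. "low", "medium", "high"
    effect: str       # rating label on the same scale


@dataclass(frozen=True)
class ScoredRisk:
    """The same entry after the labels have been mapped to numbers (step 3)."""
    name: str
    probability: int
    effect: int

    @property
    def risk_level(self) -> int:
        # Step 4: the product of probability and effect is the risk level.
        return self.probability * self.effect


def score_risk(vuln: Vulnerability, scale: Dict[str, int] = THREE_LEVEL) -> ScoredRisk:
    """Steps 1 to 4: map the rating labels to numbers on the chosen scale.

    A label that is not on the scale raises ValueError so that a typo in the
    register is caught instead of being silently scored as zero risk.
    """
    try:
        p = scale[vuln.probability.strip().lower()]
        e = scale[vuln.effect.strip().lower()]
    except KeyError as bad:
        raise ValueError(
            f"{vuln.name}: unknown rating {bad}; expected one of {sorted(scale)}"
        ) from None
    return ScoredRisk(vuln.name, p, e)


def prioritize(register: List[Vulnerability], threshold: int,
               scale: Dict[str, int] = THREE_LEVEL) -> List[ScoredRisk]:
    """Step 5: keep the vulnerabilities whose risk level exceeds the threshold.

    Returns them highest risk first; ties are broken by name so the order is stable.
    """
    scored = [score_risk(v, scale) for v in register]
    selected = [r for r in scored if r.risk_level > threshold]
    return sorted(selected, key=lambda r: (-r.risk_level, r.name))


# Constructed sample register, drawn from the vulnerability categories listed earlier.
SAMPLE_REGISTER: List[Vulnerability] = [
    Vulnerability("People divulging passwords", "high", "high"),              # 3 x 3 = 9
    Vulnerability("Unpatched sendmail on the mail server", "medium", "high"),  # 2 x 3 = 6
    Vulnerability("Known weakness in an internal web app", "high", "medium"),  # 3 x 2 = 6
    Vulnerability("Loose security at the third-party ISP", "low", "high"),     # 1 x 3 = 3
    Vulnerability("Lost security cards", "medium", "low"),                     # 2 x 1 = 2
]


def main() -> None:
    # With the article's example threshold of 6, only the 9-point entry is selected.
    for r in prioritize(SAMPLE_REGISTER, threshold=6):
        print(f"{r.risk_level:2d}  {r.name} (probability {r.probability}, effect {r.effect})")


if __name__ == "__main__":
    main()
```

Lowering the threshold to 4 brings in the two 6-point entries as well, which is the usual way to tune how much of the register gets a mitigation plan. The rejection of unknown labels matters in practice: a spreadsheet-sourced register with "Med" or "critical" in it should fail loudly rather than drop the row to the bottom of the ranking.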

Establishing a security policy for Linux systems

Using risk analysis and any business requirements that you may have to address (regardless of risk level) as a foundation, you can craft a security policy for the organization. Such a security policy typically addresses high-level objectives such as ensuring the confidentiality, integrity, and availability of data and systems.

The security policy typically addresses the following areas:

  • Authentication: Examples include what method is used to ensure that a user is the real user, who gets access to the system, the minimum length and complexity of passwords, how often users change passwords, and how long a user can be idle before that user is logged out automatically.
  • Authorization: Examples include what different classes of users can do on the system and who can have the root password.
  • Data protection: Examples include what data must be protected, who has access to the data, and whether encryption is necessary for some data.
  • Internet access: Examples include restrictions on LAN users from accessing the Internet, what Internet services (such as web and Internet Relay Chat) users can access, whether incoming emails and attachments are scanned for viruses, whether the network has a firewall, and whether virtual private networks (VPNs) are used to connect private networks across the Internet.
  • Internet services: Examples include what Internet services are allowed on each Linux system; the existence of any file servers, mail servers, or web servers; what services run on each type of server; and what services, if any, run on Linux systems used as desktop workstations.
  • Security audits: Examples include who tests whether the security is adequate, how often security is tested, and how problems found during security testing are handled.
  • Incident handling: Examples include the procedures for handling any computer security incidents, who must be informed, and what information must be gathered to help with the investigation of incidents.
  • Responsibilities: Examples include who is responsible for maintaining security, who monitors log files and audit trails for signs of unauthorized access, and who maintains the security policy.

Implementing security solutions (mitigation) on a Linux system

After you analyze the risks (vulnerabilities) and develop a security policy, you must select the mitigation approach: how to protect against specific vulnerabilities. You develop an overall security solution based on security policy, business requirements, and available technology. This solution makes use of people, process, and technology, and includes the following:

  • Services (authentication, access control, encryption)
  • Mechanisms (username and password, firewalls)
  • Objects (hardware, software)

Because it’s impossible to protect computer systems from all attacks, solutions identified through the risk management process must support three integral concepts of a holistic security program:

  • Protection: Provide countermeasures such as policies, procedures, and technical solutions to defend against attacks on the assets being protected.
  • Detection: Monitor for potential breakdowns in the protective measures that could result in security breaches.
  • Reaction (response): Respond to detected breaches to thwart attacks before damage occurs; often requires human involvement.

Because absolute protection from attacks is impossible to achieve, a security program that doesn’t incorporate detection and reaction is incomplete.

Managing security on Linux systems

In addition to implementing security solutions, you also need to implement security management measures to continually monitor, detect, and respond to any security incidents.

The combination of the risk analysis, security policy, security solutions, and security management provides the overall security framework. Such a framework helps establish a common level of understanding of security concerns and a common basis for the design and implementation of security solutions.