Hardening Linux

Hardening Linux
by John H. Terpstra, Paul Love, Ronald P. Reck, Tim Scanlon.
ISBN: 0-07-225497-1
Publisher: McGraw-Hill/Osborne

This is the first security-related Linux book I’ve picked up in about a year. Those that know me know that I buy a lot of books, but lately I’ve found a lot of the books dealing with Linux security have been re-hashing the same topics, and my interest in these books has diminished. This book caught my eye initially for one reason only: The really cool tattooed biker dude on the cover. Call me whimsical, but I liked the cover and as a result actually spent a little time to look at the contents. What I saw in the table of contents intrigued me, and I’d like to thank McGraw Hill for sending me a copy to review.

On first cracking open the book and reading the preamble, I was disappointed because before the book actually even started I found three typos drive me nuts, and the first thing that came to mind was “Great, it’ll be like reading 400 pages of Linux Format”. Thankfully, once I got into the meat of the book, it looked to have been much better edited.

The book, as it’s title indicates, takes a proactive approach to security on a Linux system. The way the book is written is nice as well. It takes you through the first steps and as you get further into it introduces logical “next steps” that you would take to harden your linux system. In fact, this approach is almost novel in that few other books take it, which makes this more of a guide book than anything else. You can literally sit down with this book and implement the techniques and advice demonstrated to build up the security of your system. Unlike other books that meander from advanced topic to advanced topic, with no real regard for how things should be done or the order in which they should be done, Hardening Linux takes an approach that basically says “Start here, and together we’ll get your system up to snuff”.

The first section of the book deals with things that need to be done immediately to establish a decent baseline of security. It discusses the evaluation of your currently running system so you can determine whether or not it had been compromised. After all, why take the steps of hardening a system if it’s already been hacked? It also addresses common-sense issues such as hardware and power issues that, while not so essential to system security, certainly have an impact on the overall health of a system.

The next section of the book deals with the actual hardening of the system. Congratulations are in order here because, unlike most books, the authors’ first recommendation is to disconnect the system from the network altogether. Such a logical first step! Yet, most people (authors of similar books included) don’t do or mention this very simple, yet very required, item to do first. From this point, the book (which deals primarily with Red Hat AS 3.0 and SLES8/SLES9, but is generic enough in most instances to deal with every Linux distribution) talks about running only essential services, even to the point of providing charts of what daemons are required to run what service.

Like all good books, there is a section dealing with firewalls and protected network access using tools like tcp_wrappers. Unfortunately, when it comes to creating a firewall it walks you through the YaST GUI configuration and doesn’t actually do much to discuss iptables at all. It provides a simple firewall script, but doesn’t do much to describe it. For someone who has never used iptables before, unless they’re using SLES8/SLES9, this chapter won’t provide much good information other than the basics of what networking is and why firewalls are a good idea.

From this point forward, the book deals with various hardening strategies like removing unneeded software, using file permissions effectively. It recommends recording information on suid/sgid files, which I found amusing simply because they recommend using simple find commands and printing out a list with timestamps and filesizes, and other relatively useless information. Yet, later they discuss tripwire (discuss, mind you, and nothing else). Granted, the output of find is better than nothing, but all of the information being recorded is trivial to forge and for someone who doesn’t know about Linux security, they may be lulled into believing this is an appropriate baseline to compare files. If nothing else, obtaining the md5sum of these files and keeping that around would make much more sense and although the md5sum of a file is not the be-all and end-all of verifying that it hasn’t been tampered with, it goes much further than just relying on a timestamp and filesize.

Hardening Linux contains a nice chapter on using and customizing PAM. It discusses the syntax and configuration of PAM, including how PAM modules work and how they can be chained together. It also discusses certain PAM modules, such as pam_cracklib, pam_wheel, and others. I believe this is the first time I’ve come across a book suggesting the use of the pam_wheel module which, although not my preferred method of granting access to /bin/su, is better than the traditional method of anyone being able to use it. I would have loved to see them discuss using sudo as a means to access /bin/su, but that’s just because that’s my preferred method of granting su access.

The next chapter discusses using chroot in depth, which is great. It discusses the uses of chroot, when to use it, what it’s drawbacks are, and so forth. After giving the reader the opportunity to think about some of the uses for chroot, it dives right into how to construct chroot environments, including how to determine what libraries to copy in and so forth. All in all, this chapter is great as it gives a lot of good information on how to construct chroot jails. It even goes so far as to discuss modifying RPM spec files to recompile packages specifically to be installed into a chroot. Amusingly enough, although the book focuses on RHAS3.0 and SLES8/SLES9, the example openssh.spec file they customize for chroot installation is based on the Mandrake spec file (amusing because for a few years I was maintaining that very same spec file!).

Beyond that excellent chapter the book dives into secure communications and discusses protocols such as SSH and how to use it, giving some great information. They also discuss VPN, which I must admit I’m a novice at, so this information was well received and, most importantly, easily understood.

That ends the hardening section of the book and it moves along into a new section aptly titled “Once Is Never Enough!”. I like this because a lot of people assume that once they harden a system their job is done and they don’t need to pay attention to it anymore, when in fact their job is really only just beginning. Here the book gets into topics that are more commonly covered in almost every other book in this “genre”; tools such as snort, tcpdump, and ethereal are discussed.

Unlike many other books, Hardening Linux then discusses replacing syslog with syslog-ng, and wrapping it with SSL using stunnel. This is another great chapter, although it requires some external help. The syslog-ng configuration is somewhat sparse simply dealing with communication between one client and the host, and how stunnel comes into play. Apparently getting syslog-ng up and running otherwise is an exercise left to the reader (the authors provide an extremely basic example that serves more as an illustration for remote logging than for local logging). This seems odd because the authors then make a point of printing out an initscript to start syslog-ng. The authors make it clear that using syslogd is not secure, and proceed to discuss syslog-ng, without at all discussing converting an existing syslogd configuration to the syslog-ng equivalent. The chapter provides some good information, but could certainly have provided much more.

Further in this same chapter they discuss the all-important monitoring of log files, discussing various tools such as the venerable swatch and others like logsurfer. They bring up the questions, before-hand, of what to do if the log files contain evidence of foul play; something most people only think of after-the-fact. This is prudent advice as it allows you to proceed with a recovery and reporting strategy that is clearly defined, rather than trying to figure out what to do in the event of a system compromise when you may be thinking of recovery without giving any thought to keeping evidence of the attack/compromise.

Next they discuss the methods of keeping current with security updates and patches, walking the reader through the use of YaST in SLES8/SLES9 and up2date in RHAS. Topics such as monitoring changed software to make sure there are no unforseen problems are also discussed.

Finally, more of the traditional topics in other books are brought to light in the “Self-Monitoring Tools” section. Perhaps because these topics are so widely covered in other books, this chapter was pretty small with just very basic discussion of tools such as Tripwire, John the Ripper, nmap, and Nessus. This actually didn’t bother me so much because you can get great information on these and other tools by grabbing almost any other Linux security book. Talking about the tools, without getting into too much depth, is adequate to give readers the basics of how to use them. More attention was given to Tripwire and Nessus due to the complexity of both pieces of software; all in all a good overview of how to install and use them.

The last section of the book deals more with security in the enterprise from the point of selling the need for security to managers. It discusses things like understanding what is involved in increasing security, determining the cost, ROI (Return on Investment), and other policies. This entire section deals more with corporate politics; important information to be sure for anyone needing to sell the need for security enhancements to management. Plenty of good information and ideas here for anyone having a hard time convincing management of the need for increased security.

Overall, I found the book quite good. It was a refreshing change of pace from the other Linux security books out there, and I both liked and appreciated the style and focus of the book. As I indicated before, this book reads more like a “HOWTO” or step-by-step guide than a book discussing various tools for different situations and uses, something I think the uninitiated may approve of. I would certainly recommend this book as a worthwhile read to anyone new to dealing with security and system administration.

In some cases the book provided sufficient information on a particular topic, and at other times it felt as though I was reading a Reader’s Digest condensed novel. Some topics just needed more flushing out, and because of this it felt like the book was sometimes contradictory; in some cases the authors were lending a hand to solve a problem and in others they just dangled a carrot in that only the basics were provided, but to get anything real out of it the reader is left to their own devices. Despite those moments of, when putting myself in novice shows, feeling like a hapless mule, the book provided solid information in a clear manner making it easily understood by the novice. It’s evident that the book focuses on two particular crowds: those new to security and those put in the unenviable position of trying to sell the need for security to the decision makers. On both counts, particularly the latter, the book is great.

For the novice, I would recommend this book and pretty much any other book on security that discusses the tools a bit more. Every administrator needs an arsenal, and a book that discusses, in more depth, the additional tools required to build up a good arsenal would make a great companion to this book. All in all, I’d have to say I was quite pleased with this book; I’ve already made space for it on the bookshelf in my office (by moving one of those “other” security books to the basement).