110.1 Perform security administration

Tech Tutorial: 110.1 Perform Security Administration #

Introduction #

In this tutorial, we will delve into the critical aspect of security administration on Linux systems. Ensuring the security of a Linux host is paramount, especially in environments sensitive to data breaches or intrusions. This guide will help you understand how to review and secure your Linux systems in alignment with local security policies.

Exam Objective #

The goal is to equip candidates with the knowledge required to review system configurations and ensure host security effectively. This includes understanding various utilities and commands that assist in monitoring and securing a system.

Key Knowledge Areas #

  • Auditing system files
  • Managing user/group permissions and ownership
  • Understanding of security-related system logs
  • Basics of firewall management

Utilities #

  • auditd
  • chown, chmod
  • journalctl
  • firewalld, iptables

Step-by-Step Guide #

1. Auditing System Files with auditd #

auditd is a daemon that serves the purpose of creating an audit trail, which is a record of who did what and when on the system. It’s a key component in system security and complying with local security policies.

Installation

sudo apt-get install auditd    # Ubuntu/Debian
sudo yum install audit        # CentOS/RHEL

Configuring Audit Rules

You can configure audit rules by editing the /etc/audit/audit.rules file. Here’s an example to audit all attempts to alter the system time:

echo '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change' | sudo tee -a /etc/audit/audit.rules
sudo systemctl restart auditd

Checking Audit Logs

Audit logs can be reviewed using the ausearch or aureport utilities:

sudo ausearch -k time-change
sudo aureport -m

2. Managing Permissions with chown and chmod #

Proper file permissions and ownership are crucial for securing access to system files and directories.

Changing Ownership with chown:

sudo chown username:groupname filename

Setting Permissions with chmod:

sudo chmod 644 filename

Here, 644 sets read and write permissions for the owner, and read-only for the group and others.

3. System Logs with journalctl #

journalctl is part of the systemd suite and is used to query and display messages from the systemd journal.

Viewing Logs:

journalctl

Filtering Logs by Time:

journalctl --since "2021-01-01" --until "2021-01-02"

4. Basic Firewall Management with firewalld and iptables #

Firewalls are critical in defending a system from unwanted access.

Using firewalld:

sudo systemctl start firewalld
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --reload

Using iptables:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -j DROP

Conclusion #

Security administration is a continuous process of monitoring, auditing, and adjusting based on evolving threats and compliance requirements. This tutorial covers the basics and provides a foundation for securing your Linux systems. Regularly review your security policies and ensure your system configurations adhere to these standards. Always test changes in a safe environment before applying them to production systems.