Key Knowledge Areas:

  • Configure BIOS and boot loader (GRUB 2) security
  • Disable unused software and services
  • Understand and drop unnecessary capabilities for specific systemd units and the entire system
  • Understand and configure Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and Exec-Shield
  • Black and white list USB devices attached to a computer using USBGuard
  • Create an SSH CA, create SSH certificates for host and user keys using the CA and configure OpenSSH to use SSH certificates
  • Work with chroot environments
  • Use systemd units to limit the system calls and capabilities available to a process
  • Use systemd units to start processes with limited or no access to specific files and devices
  • Use systemd units to start processes with dedicated temporary and /dev directories and without network access
  • Understand the implications of Linux Meltdown and Spectre mitigations and enable/disable the mitigations
  • Awareness of polkit
  • Awareness of the security advantages of virtualization and containerization

The following is a partial list of the used files, terms and utilities:

  • grub.cfg
  • systemctl
  • getcap
  • setcap
  • capsh
  • sysctl
  • /etc/sysctl.conf
  • /etc/usbguard/usbguard-daemon.conf
  • /etc/usbguard/rules.conf
  • usbguard
  • ssh-keygen
  • /etc/ssh/
  • ~/.ssh/
  • /etc/ssh/sshd_config
  • chroot

Terms

ASLR

Address space layout randomization

Increases the difficulty of process exploits by randomizing the positions of key data areas of a process. Without a side-channel attack or other information leak, a bad actor would have to guess where to find the memory addresses to target.

DEP

Executable space protection (Data Execution Prevention)

Protects against memory abuse by marking certain areas non-executable.

Exec-Shield

Exec Shield, executable space protection

Project that encompasses various security features, such as executable space protection (DEP), position-independent executables (PIE) and address space layout randomization (ASLR). Its first patch to the Linux kernel, NX-bit emulation on x86 CPUs, is also commonly referred to by the project's name.

Files

grub.cfg

GRand Unified Bootloader configuration

/etc/sysctl.conf

Kernel parameters configuration

/etc/usbguard/usbguard-daemon.conf

USBGuard daemon runtime parameters configuration

/etc/usbguard/rules.conf

USBGuard policy rule set

/etc/ssh/

System configuration path and key store for OpenSSH

~/.ssh/

User configuration path and key store for OpenSSH

/etc/ssh/sshd_config

OpenSSH daemon configuration

Utilities

systemctl

Controls the systemd system and service manager

getcap, setcap

Display or set a file’s Linux capabilities

capsh

Linux capability shell wrapper. Provides capability testing, debugging, and environment creation.

sysctl

Manage kernel parameters

usbguard

The USBGuard software framework helps to protect your computer against rogue USB devices (a.k.a. BadUSB) by implementing basic whitelisting and blacklisting capabilities based on device attributes.

ssh-keygen

Generate, manage, and convert authentication keys for ssh.

certificates

The ssh-keygen utility supports user and host certificates.

Note: OpenSSH certificates are not X.509 certificates.

In the following examples -s names the CA key used to sign. When the private half lives in a PKCS#11 token (-D) or in an ssh-agent (-U), the public half of the CA key is what is passed to -s.

user certificate:

$ ssh-keygen -s /path/to/ca_key -I id -n user \
      /path/to/user_key.pub

Where -n is a comma-separated list of principals (usernames).

host certificate:

$ ssh-keygen -s /path/to/ca_key -I id -h -n foo.example.org \
      /path/to/host_key.pub

Where -n is a comma-separated list of hostnames, which may contain wildcard characters.

sign using a CA key stored in a PKCS#11 token:

$ ssh-keygen -s ca_key.pub -D libpkcs11.so ...

Where -D is the token library.

sign using a CA key to be hosted in an ssh-agent:

$ ssh-keygen -Us ca_key.pub ...

Where -U indicates ssh-agent use.
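An added end-to-end example (not from these notes) that ties the commands above together: it creates a throwaway CA in a scratch directory, signs one host key and one user key, and prints the sshd_config and known_hosts lines that make the certificates trusted. The file names, the principal alice, the host www.example.org and the validity periods are assumed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original notes. Names below (ca_key,
# host_key, user_key, alice, www.example.org) are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate the CA key pair. In production the private half belongs offline,
# in a PKCS#11 token (-D) or an agent (-U), never on an ordinary host.
make_ca() {
  ssh-keygen -q -t ed25519 -N '' -C 'demo-ssh-ca' -f "$WORK/ca_key"
}

# Host certificate: -h marks it as a host cert, -n lists the hostnames the
# certificate is valid for, -V bounds its lifetime (start:end, relative).
sign_host() {
  ssh-keygen -q -t ed25519 -N '' -f "$WORK/host_key"
  ssh-keygen -q -s "$WORK/ca_key" -I 'www host key' -h \
    -n 'www.example.org,www' -V '-5m:+52w' "$WORK/host_key.pub"
}

# User certificate: -n lists the principals (login names) the holder may use.
# Short lifetimes limit the damage from a lost laptop key.
sign_user() {
  ssh-keygen -q -t ed25519 -N '' -f "$WORK/user_key"
  ssh-keygen -q -s "$WORK/ca_key" -I 'alice laptop' -n 'alice' \
    -V '-5m:+1d' "$WORK/user_key.pub"
}

# Return "user" or "host" as reported on the "Type:" line of ssh-keygen -L.
cert_type() {
  ssh-keygen -L -f "$1" | awk '/Type:/ { print $(NF-1) }'
}

# Server side: trust the CA for user logins and present the host certificate.
sshd_config_lines() {
  printf '%s\n' 'TrustedUserCAKeys /etc/ssh/ca_key.pub' \
    'HostKey /etc/ssh/ssh_host_ed25519_key' \
    'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub'
}

# Client side: one known_hosts line trusts every host cert this CA issues
# for the listed domain pattern, instead of one key per host.
known_hosts_line() {
  printf '@cert-authority *.example.org %s\n' "$(cat "$WORK/ca_key.pub")"
}

make_ca; sign_host; sign_user
echo "host cert: $(cert_type "$WORK/host_key-cert.pub")"
echo "user cert: $(cert_type "$WORK/user_key-cert.pub")"
sshd_config_lines; known_hosts_line
```

Inspect either certificate with `ssh-keygen -L -f "$WORK/user_key-cert.pub"` to confirm the principals, key ID and validity window that were signed in.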

chroot

Change the root directory of the calling process and all of its children.

Notes

polkit

Polkit

Organizes communication between unprivileged processes and privileged ones. Through pkexec it can act similarly to sudo, although it is less forthcoming in terms of security, flexibility, and configuration simplicity.