CompTIA Linux+ XK0-005 – Unit 12 – Security part 1

  1. Topic A: System Security

All right, so we’re going to start off by talking about system security and the importance of it. And of course, security is always important. And we’re really going to deal with our logins and authentication systems and tell you about some options. Now, remember that all of these are tools. I’m not saying you have to implement everything we talk about. You might not want to, you might not care to. But the more tools you know about, the better choices you can make to figure out how to secure your system and help it meet your business needs.

  1. NIS

Now in the world of security the first thing we’re going to talk about is a thing called NIS, the Network Information System. Now some people call it “N-I-S”, some call it “nis”. I don’t care what you call it. Again it goes back to that very first thing I said, that this is kind of a wacky world of Linux where everybody has their own pronunciations for these acronyms. So be that as it may, what it stands for is having a centralized repository of user accounts as opposed to having every single Linux box maintain its own set of user accounts. It’s the very reason we argue against a peer-to-peer network in Windows and have a client-server model.

This is your client-server model. It says, look, I want to access resources all across the network but I don’t want to remember each and every username and password for each and every server, because in a non-centralized, peer-to-peer network I could have a different username and password for a file server and a print server and everything else. I want to log in once. That’s the big idea about networks. We call it a single sign-on network. So what we do then is that we log into the directory server that is running NIS, and once logged in we can then use those credentials to be able to get to all of the other clients of the NIS server.

That’s our goal. It’s better than, like I said, having a separate set of logins for each and every one. Now we could still do that. You can still have client-to-client, peer-to-peer types of networks if you want. But every time you change a password you’ve either got to go and change it on all the machines, or you’ve got to hope the users can remember all those passwords rather than writing them down and doing all that other kind of stuff that drives us crazy in the security world. So we’re going to look at this centralized system, and again its name is the Network Information System, and talk about the server and client aspects of it.

  1. NIS Roles

So now that I’ve just said that, there are two basic roles, client and server. Client is easy. You’re going to provide the username and password to the server. Now, in a good network design, you don’t have just one server. If you had just one server and it goes down, everybody’s offline. So you can have multiple servers, but we usually have one writable database and everybody else having copies. And so under the server role, we designate master and slave. Now, again, the idea behind that is a lot like the older Windows NT types of domains, where we had the primary domain controller and the backup domain controller. The backup, or the slave in this case, can still authenticate you. But if you need to make a change to the users, add new users, modify them, delete them, we did that at the master so that it could duplicate its copies, or the changes, to the slaves.

  1. PAM

Now, one of the other issues we had in trying to develop programs or applications in a Linux world was that the way in which the authentication worked could be different for all of the different distributions of Linux. In other words, if I wanted to write a program for Linux users and it required that they log in and authenticate, well, it might be different for one version of Linux over another version. And so in order for my program to really work I had to write these authentication modules for everybody. Well, now, that made the application development very expensive and very counterproductive. I mean, that was one of the arguments that is made about using Windows, that I can write an application that runs on everybody’s machine because I write it for Windows and Windows takes care of all that back-end stuff.

So the answer we had in Linux for that particular problem was called PAM. No, it’s not some person that we all relied on; instead it stood for the Pluggable Authentication Modules. Basically what happens is that the pluggable authentication module would have the same front end on every box for every developer. So I would write my authentication to work with PAM, and in the background PAM’s job was to deal with all the different types of actual back-end authentication needs. It provided a common framework for the programmers so that it reduced the overall cost of making a program and, of course, reduced the amount of time. From there, the administrators can just select whatever is the appropriate PAM module for their system, knowing that that application was written for PAM.

  1. LDAP

Another type of protocol we used for being able to help navigate through these central storehouses of user accounts was called LDAP. So let’s back up just a second. When I talked about NIS as being client-server, the server side was nothing more than a database of usernames and passwords. Now, these databases have to be able to be searched so that you can locate the existing credentials and basically match them up: is this username and password correct? One of these common types of databases is in what we call the X.500 standard. And we navigate through it by this program, this searching tool called LDAP, the Lightweight Directory Access Protocol. It is an open standard, so we call it an industry standard. The database or store will store these objects: users, resources, file systems, applications.

And they’re stored in a hierarchical method, generally by a domain, inside the domain through an organizational unit or child OUs. And so we know that we can search through these things by knowing the path of the object we’re looking for. And that’s what LDAP does. It enables network interoperability because I can be on a system that provides you the information that you need. Domain, organizational unit, container, distinguished name, and all of that together can be searched through LDAP on whoever is running the LDAP directory, whether it’s Active Directory in Windows or something similar like eDirectory from Novell or whatever the case is. It can search for those objects based on that full name, that path, and then verify your information. So it helps allow us to have this interoperability when it comes to a client-server model.
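To make the “search by path” idea concrete, here is an added shell example (not part of the course material) that takes an LDAP distinguished name, lays out the domain / organizational unit / object hierarchy it encodes, and checks that an entry actually sits inside the search base you expect before you act on a lookup result. The names (`dc=example,dc=com`, `ou=People`, `uid=alice`) are constructed; the `ldapsearch` line in the comment uses real OpenLDAP options (`-x` simple bind, `-H` server URI, `-b` search base).

```shell
#!/bin/sh
# Added example: working with LDAP distinguished names (DNs).
# A DN is written leaf-first: uid=alice,ou=People,dc=example,dc=com
# reads "user alice, in OU People, in domain example.com".

# Print the DN as a top-down path, e.g. "dc=com / dc=example / ou=People / uid=alice".
dn_to_path() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' | awk '
        { parts[NR] = $0 }
        END { for (i = NR; i >= 1; i--) printf "%s%s", parts[i], (i > 1 ? " / " : "\n") }'
}

# The relative DN of the entry itself (its leaf component), e.g. "uid=alice".
dn_leaf() {
    printf '%s\n' "$1" | cut -d, -f1
}

# "yes" if the DN lives inside the given base (is the base, or ends with ",<base>"),
# otherwise "no". Useful before trusting an entry returned by a directory search:
# an object outside your base should not be treated as one of your users.
dn_under_base() {
    dn=$1
    base=$2
    case "$dn" in
        "$base")    echo yes ;;
        *",$base")  echo yes ;;
        *)          echo no ;;
    esac
}

# Stand-alone demonstration on constructed names.
USER_DN='uid=alice,ou=People,dc=example,dc=com'
BASE_DN='dc=example,dc=com'
echo "path:       $(dn_to_path "$USER_DN")"
echo "leaf:       $(dn_leaf "$USER_DN")"
echo "under base: $(dn_under_base "$USER_DN" "$BASE_DN")"
# Against a live directory the same path is what you hand to the search tool, e.g.
#   ldapsearch -x -H ldap://ldap.example.com -b "$BASE_DN" "(uid=alice)" dn
# which returns the matching entry's DN (server name constructed for illustration).
```

The `dn_under_base` check is the defensive piece: a referral or a mis-scoped query can hand back entries from a sibling tree (`dc=example,dc=org` in the test below), and comparing the full suffix, comma included, avoids accepting them.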

  1. RADIUS

Now, another feature we have to be able to provide any type of authentication is through this thing called the RADIUS server. Now, I think RADIUS is something that needs to be updated when it comes to what the acronym stands for. It stands for the Remote Authentication Dial-In User Service. Did you hear me say dial-in? It’s been ten years since I have dialed in to anywhere. No more bird chirping for me to make the connection. But here’s the idea of RADIUS: we would create a way of connecting and talking to a RADIUS server to provide our credentials of who we are. And RADIUS’s job was to then reach out to the actual data warehouse, the data store, and verify those credentials. So in a way, we didn’t directly interact with the authentication itself. We interacted with an intermediary, a person in the middle, who would do the work of authenticating and replying to us whether it was good or bad.

  1. RADIUS B

Now, in the old days, we did use it for dial-ins. Now, there were many dial-in services. I don’t want to name them. Many of them are in business still. But as an example, it used to be that a lot of people would load this little application that would allow them to dial in to get an Internet connection. Technically, they were entering remotely into this network, and they could chat with other users, they could browse the web and all that kind of stuff. But what they did is they would have phone bank after phone bank in every city. And so when you would dial into the phone bank, that phone bank would hit a RADIUS server that would then make its remote connection to the actual authentication services back at headquarters and then get the answer back, yes or no, that you were who you said you were.

Another benefit of RADIUS is it had an awesome accounting package, so it could keep track down to the minute of how long you were authenticated, because they did charge you by the minute. Anyway, it worked really well. Today we don’t use it so much for that dial-in stuff. But we do use it for different devices, like our routers or our switches, which weren’t designed to connect to Active Directory but were designed to connect to RADIUS, to be able to make sure the person trying to make a configuration change or even log into the device is who they say they are. Our access points are doing it too. If you’re wanting to make a wireless connection, you can often get a little pop-up page that says tell me who you are, I’m going to verify it with RADIUS, and then we’ll let you go.

Many of them are even going through a wireless local area network controller as well. But now I’m really digressing. What I’m trying to say is that RADIUS is very popular. It’s in use more than you can imagine. It can help you with VPN authentication, with 802.1X authentication, and I could just go on, probably for another 20 minutes, about RADIUS’s uses. What is important to us is that we can use it as well, so that we can connect to RADIUS. RADIUS can then connect to whatever is in the back end, or maybe its own database itself. And it still gives us that client-server type of connection for being able to authenticate.

  1. RADIUS Benefits

So now that I’ve talked a lot about RADIUS, I come and say, what are the benefits? Well, the benefits are improved security. We have a secure communication to RADIUS. RADIUS securely communicates to the database back end and gives us that information about whether you were authenticated or not. It allows me to have a scalable architecture. I don’t need to have multiple databases of user accounts. I don’t need multiple domain controllers. I don’t need them because all I need is a lot of RADIUS servers for you to connect with in different locations around the world, and those will make the connection in and take care of the authentication. It also allows me, as I said, interoperability. Because not only did I mention Linux and Windows, but I started talking about routers and switches and port-based authentication and access points. And guess what? We’re really talking about a lot of interoperability.

  1. SELinux – Security Enhanced

Well, there is another way of looking at security with Linux. Basically, we had the National Security Association, the NSA, go out there and create their own version of a secured Linux called Security-Enhanced Linux, SELinux. Basically, it took your kernel features and made it a Mandatory Access Control instead of a Discretionary Access Control. What does that mean? In Discretionary Access Control the user who made a file could determine the permissions, or who could access the file. We had that whole discussion about choosing user and primary group and other types of access.

In this case, what happens is that there are some new modules, Linux Security Modules (LSMs), that were added, that supplied labels, users, roles and sensitivity types to all of the files. So let’s talk about MACs, these mandatory access controls. And don’t you love that I just used an acronym that a little bit ago, in another chapter, I told you stood for Media Access Control with Ethernet. And if you really paid attention, you heard me use MAC as a forensic term for date modified, accessed and created. You’ve got to love this world where they use the same acronym for lots of things. Now, MAC is Mandatory Access Control, and it’s basically saying that we assign security levels.

We have Top Secret files, Secret files, and all the way down to public domain or whatever we have it set up for. So we create sensitivity levels. And as a user you have to be a part of the role of Top Secret to be able to see a Top Secret file. But not only that, not only do you have to have Top Secret clearance, but you also have to have it for different categories or sensitivity types. So just because you have Top Secret security doesn’t mean you can see naval deployments. Maybe you can see what’s being shipped, or maybe you can see nuclear secrets, but you can’t see every single type of Top Secret document unless you also have that clearance. That’s what Mandatory Access Control does. And that’s what’s enabled by the Linux Security Modules.

Now, there are some different types of modes. If you choose to get this and download this version of Linux, one running mode is Enabled. That means that SELinux is turned on and all of its policies are enforced. If you have it in a running mode of Disabled, that means that it is completely turned off in the kernel and you won’t see it at all. The third running mode is Permissive, which means that SELinux is turned on but its policies are not all enforced. It’s kind of in between. Now, remember, it deals with things called file labels. So that instead of having permissions like we’re used to, read, write and execute, we deal with these labels that are on each file to determine its sensitivity and category. So we know whether or not you should have access.

  1. Changing Modes

Now, if you want to change the modes in SELinux you can do that by simply changing the actual configuration file or using a command called setenforce. It’s another command that you have. So you can enable the permissive mode by putting a one in either the SELinux enforce file or using the setenforce command. You can put it into disabled mode the same way, go to the SELinux configuration file, or you can even edit, and you’ll love this, the GRUB boot configuration file. That’s right. That way, when you reboot the thing, it’s disabled and it does not come back on. You’d have to literally go edit it and reboot it again. Or you can rebuild the file labels using the fixfiles relabel command. Or if you need to, you can use the touch command.

Remember, touch was a way of creating an empty file, to be able to create this new .autorelabel hidden file and reboot the thing. Now, I’ve hit that very quickly because I just don’t imagine a lot of you actually trying SELinux. But some of you might say, well, that sounds pretty cool, I’m going to go download it. Well, you can. It’s been put in the public domain. You don’t have to pay for it. And I always encourage people to experiment and have some fun with this thing. So anyway, you can change the modes on SELinux, but I don’t think it’s going to be a model you’re going to go to for most of our businesses, because they like and prefer and run best on the discretionary access control model, not a mandatory access control.

  1. Demo – Examining SELinux

All right, we are going to just examine if SELinux has been installed and is an option that we have to run on this particular operating system. So we’re going to start off with this uname command. Remember, if I just do uname it tells me that it’s Linux, but I want to also know the release. So there’s the release information, and what we’re going to do is we’re going to look at the kernel configuration file, the information that’s based on this config, and at the same time we’re going to use the grep command to look for this term SELinux. So we’re going to do that and we’re going to take a look at the boot and the config option that we have for our kernel. I’m going to hit enter and so here’s what we see.

We see that we do have a y for yes, we can configure security with SELinux, and we also see here that SELinux has been disabled. So one of the things that you would do if you wanted to actually change this is obviously turn off this disable, make that a no. We already know that we can have that set up. And then you’d have to relabel all of the files in your system, depending on the version of the operating system you have. Because when we get into the mandatory access control, you actually have to have sensitivity labels and categories on each file. So we can label things like Top Secret and Travel, and Top Secret and something else. All right? So that’s a very easy way of determining if you have that capability. If you didn’t, that would be something you would only optionally install if you actually intend to use it.
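The two preceding sections, changing modes and the demo, both come down to reading a few text sources and working out what state SELinux will actually be in. Here is an added shell example (not part of the course, not a tool from any SELinux project) that does that resolution offline: it checks the kernel build config for SELinux support, reads the requested mode out of `/etc/selinux/config`, translates the `0`/`1` value used by `setenforce` and the `enforce` file, and applies the kernel command-line overrides (`selinux=0` and `enforcing=0` are real boot parameters). The config and kernel-config text are constructed samples; the `CONFIG_SECURITY_SELINUX*` symbol names are the kernel's real ones, and the line `CONFIG_SECURITY_SELINUX_DISABLE=y` is my assumption about what the demo saw as “disabled” (that option permits disabling SELinux at runtime; it does not itself turn SELinux off).

```shell
#!/bin/sh
# Added example: resolve the effective SELinux state from its text sources.
# All inputs are passed as strings so the script runs without SELinux present.

# Constructed sample of /boot/config-$(uname -r) (the demo's `grep SELINUX` target).
SAMPLE_KCONFIG='# CONFIG_SECURITY_SMACK is not set
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DISABLE=y'

# Constructed sample of /etc/selinux/config.
SAMPLE_SELINUX_CONF='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=enforcing
SELINUXTYPE=targeted'

# "yes" if SELinux is compiled into this kernel, else "no".
kernel_has_selinux() {
    printf '%s\n' "$1" | grep -qx 'CONFIG_SECURITY_SELINUX=y' && echo yes || echo no
}

# Mode requested in /etc/selinux/config (enforcing|permissive|disabled),
# ignoring comment lines; empty output if the setting is absent.
config_mode() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' | tail -n 1
}

# The value read from /sys/fs/selinux/enforce (older systems: /selinux/enforce),
# or written with `setenforce`: 1 means enforcing, 0 means permissive.
enforce_value_name() {
    case "$1" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Effective mode at boot. Kernel parameters win over the config file:
#   selinux=0   -> disabled entirely (what editing the GRUB config achieves)
#   enforcing=0 -> permissive, even if the config file says enforcing
effective_boot_mode() {
    kconfig=$1
    selconf=$2
    cmdline=$3
    [ "$(kernel_has_selinux "$kconfig")" = yes ] || { echo disabled; return; }
    case " $cmdline " in
        *" selinux=0 "*) echo disabled; return ;;
    esac
    mode=$(config_mode "$selconf")
    [ -n "$mode" ] || mode=unset
    case " $cmdline " in
        *" enforcing=0 "*) [ "$mode" = disabled ] || mode=permissive ;;
    esac
    echo "$mode"
}

# Stand-alone run on the constructed samples.
echo "kernel supports SELinux: $(kernel_has_selinux "$SAMPLE_KCONFIG")"
echo "config requests:         $(config_mode "$SAMPLE_SELINUX_CONF")"
echo "setenforce 0 means:      $(enforce_value_name 0)"
echo "boot with enforcing=0:   $(effective_boot_mode "$SAMPLE_KCONFIG" "$SAMPLE_SELINUX_CONF" "root=/dev/sda1 enforcing=0 quiet")"
# On a live system feed it the real files instead, for example:
#   effective_boot_mode "$(cat /boot/config-"$(uname -r)")" "$(cat /etc/selinux/config)" "$(cat /proc/cmdline)"
```

The point worth checking on a real box is the precedence: a host whose `/etc/selinux/config` says `enforcing` can still be running permissive if someone added `enforcing=0` to the boot line, so an audit should read `/proc/cmdline` (or simply run `getenforce`) rather than trusting the config file alone.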

  1. User Tools

Now some of the other tools that we use under the idea of security are to keep track of users and what they’re doing. last is a tool that lets us display a list of the last logged-on users. That’s nice to know, not just who currently is on, but who was recently on. lastb is similar to the last command, but it also shows you a list of the bad logon attempts. I think that’s equally important, because when you see a user trying to log in 20 or 30 times, that’s a sign of either a very forgetful user or a hacker trying to get in. lock is a nice little way of having a GNOME screen saver command that locks things down, so that if the screen saver comes on, you’ve got to log in.

w displays the list of who’s logged in to your computer and what processes they’re running; who will display just a list of who’s logged on. All of these are nice to be able to run. In fact, remember I talked about scripting in awk as a scripting language: you can have scripts that run these tools for you, even filter the displays, and then you can schedule that awk script to run with your cron. What I’m trying to do is call back to other chapters or other units that we’ve talked about, to see if you can see how you can put it all together. Hopefully when I do those little callbacks you’re thinking, oh yeah, I get it. That’s some of that flexibility that I have in Linux.
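That “20 or 30 attempts” observation is exactly the kind of thing the awk-plus-cron idea above can automate. Here is an added shell example (not from the course) that takes `lastb`-style output, counts the bad logon attempts per user and per remote source, and lists the accounts that cross a threshold. The six log lines are constructed in the format `lastb` prints (user, terminal, source host, timestamps); on a live system you would pipe the real `lastb` output, which needs root to read `/var/log/btmp`, into the same functions, and the threshold of 3 is just an illustrative default.

```shell
#!/bin/sh
# Added example: summarize failed logon attempts from lastb-style output.

# Constructed sample in the layout `lastb` prints; the final line is its trailer.
SAMPLE_LASTB='alice    ssh:notty    203.0.113.5     Mon Mar  4 09:12 - 09:12  (00:00)
alice    ssh:notty    203.0.113.5     Mon Mar  4 09:12 - 09:12  (00:00)
bob      tty1                         Mon Mar  4 08:30 - 08:30  (00:00)
alice    ssh:notty    203.0.113.5     Mon Mar  4 09:13 - 09:13  (00:00)
root     ssh:notty    198.51.100.7    Mon Mar  4 09:14 - 09:14  (00:00)
alice    ssh:notty    203.0.113.5     Mon Mar  4 09:13 - 09:13  (00:00)

btmp begins Mon Mar  4 00:00:01 2024'

# "user count" for every user with a bad logon, most failures first.
failed_logons_per_user() {
    printf '%s\n' "$1" | awk '
        NF == 0 || $1 == "btmp" { next }   # skip the blank line and the trailer
        { n[$1]++ }
        END { for (u in n) print u, n[u] }' | sort -k2,2nr -k1,1
}

# "source count" for remote (ssh) attempts; local console lines carry no host,
# so only ssh:notty records are counted here.
failed_logons_per_source() {
    printf '%s\n' "$1" | awk '
        $2 == "ssh:notty" { n[$3]++ }
        END { for (h in n) print h, n[h] }' | sort -k2,2nr -k1,1
}

# Users whose failure count meets or exceeds the threshold (default 3),
# one per line: the "forgetful user or someone guessing" list.
noisy_users() {
    threshold=${2:-3}
    failed_logons_per_user "$1" | awk -v t="$threshold" '$2 >= t { print $1 }'
}

# Stand-alone run on the constructed sample.
echo "failures per user:";   failed_logons_per_user "$SAMPLE_LASTB"
echo "failures per source:"; failed_logons_per_source "$SAMPLE_LASTB"
echo "over threshold:";      noisy_users "$SAMPLE_LASTB" 3
# Scheduled from cron as root it would read the live log instead:
#   noisy_users "$(lastb)" 20
```

Counting per source as well as per user matters for triage: many users failing from one address looks different from one user failing from many addresses, and the per-user view alone cannot tell those apart.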
