Linux Security for Developers
Insights for building a (more) secure world
Michael Boelen, michael.boelen@cisofy.com, 14 January 2016
We Love Construction
And Magic!
Turning data into:
- Useful output
- Stable software
- Nice services
Image source: renoairport.com
Why Invest in Security Now?
● Spying
● Internet of Things
● Law
○ 2016 Dutch Data Protection Act
○ 2017-2018 European data protection law
Agenda
● What can go wrong?
● What can we do?
● Strategies and Tools
Michael Boelen
● Open Source Security
○ Rootkit Hunter (malware scan)
○ Lynis (security scan)
● 150+ blog posts at Linux-Audit.com
● Founder of CISOfy
What can go wrong?
Passwords
Case: Phone House
http://sijmen.ruwhof.net/weblog/608-personal-data-of-dutch-telecom-providers-extremely-poorly-protected-how-i-could-access-12-million-records
Creative Users
What can we do?
Solution
“Developers should become auditors of their creative work, and that of others.”
Michael Boelen, 14 January 2016
What can we do?
Improve in steps
● Level 1: Basics
● Level 2: Take ownership
● Level 3: Perform auditing
Level 1: The Basics
Input Validation
Validate!
● Trust nothing
● Double check
- Client = for active user
- Server = for all users
Input Validation
Why Validate?
Prevent data injection (SQL, RDF, OWL, SPARQL, SeRQL, RDQL, XML, JSON, etc.)
Where?
Input forms, data imports
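The server-side check for a data import, as an added example that is not part of the original slides: each row is validated against an allowlist and then stored through a parameterized query. The table layout, the field rules and the CSV rows are constructed for the illustration.

```python
import csv
import io
import re
import sqlite3

# Allowlist rules (assumed for this example): describe what is valid, reject the rest.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,190}\.[A-Za-z]{2,24}")
AGE_RE = re.compile(r"[0-9]{1,3}")
COLUMNS = ("name", "email", "age")


def validate_row(row):
    """Return the names of the fields that fail validation (empty list = valid)."""
    # DictReader marks short rows with None values and long rows with a None key.
    if None in row or any(v is None for v in row.values()) or tuple(row) != COLUMNS:
        return ["columns"]
    errors = []
    if not NAME_RE.fullmatch(row["name"]):
        errors.append("name")
    if not EMAIL_RE.fullmatch(row["email"]):
        errors.append("email")
    if not (AGE_RE.fullmatch(row["age"]) and 0 < int(row["age"]) <= 150):
        errors.append("age")
    return errors


def import_customers(csv_text, conn):
    """Validate every row on the server, insert the valid ones, report the rest."""
    inserted, rejected = 0, []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        errors = validate_row(row)
        if errors:
            rejected.append((reader.line_num, errors))
            continue
        # Placeholders keep data out of the SQL text: O'Neil is stored, not parsed.
        conn.execute(
            "INSERT INTO customers (name, email, age) VALUES (?, ?, ?)",
            (row["name"], row["email"], int(row["age"])),
        )
        inserted += 1
    conn.commit()
    return inserted, rejected


def new_database():
    """In-memory database with the example table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT, age INTEGER)")
    return conn


# Constructed sample import; line 3 carries a textbook SQL injection string.
SAMPLE_CSV = """name,email,age
Alice Smith,alice@example.org,34
Robert'); DROP TABLE customers;--,bob@example.org,29
Carol O'Neil,carol@example.org,41
Dave,not-an-email,30
Eve,eve@example.org,-5
"""

if __name__ == "__main__":
    db = new_database()
    count, problems = import_customers(SAMPLE_CSV, db)
    print("inserted:", count)
    for line, fields in problems:
        print("rejected line %d: %s" % (line, ", ".join(fields)))
```

The apostrophe in a legitimate name passes validation, which is why the query still has to bind values instead of building SQL from strings.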
Data Protection
Encryption:
● Good: Encryption solves a lot
● Bad: Knowledge required
● Ugly: Easy to implement incorrectly
Secure Programming
Using a universally unique identifier (UUID)?
UUID1 = Host (MAC) + sequence + time
UUID4 = Random
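What the two versions reveal to anyone who sees the identifier, as an added example that is not part of the original slides. The node address and clock sequence used in the demo are constructed values.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Version 1 timestamps count 100 ns steps since the start of the Gregorian calendar.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

# Constructed generator identity so the demo behaves the same on every machine.
SAMPLE_NODE = 0x001122334455
SAMPLE_SEQUENCE = 0x1234


def inspect_uuid(value):
    """Report which generator details an identifier carries in the clear."""
    u = uuid.UUID(str(value))
    info = {"version": u.version, "reveals": []}
    if u.version == 1:
        node = u.node.to_bytes(6, "big")
        info["created"] = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
        info["node"] = ":".join("%02x" % b for b in node)
        # A set multicast bit means the generator used a random node, not a NIC address.
        info["node_is_hardware"] = not (node[0] & 0x01)
        info["sequence"] = u.clock_seq
        info["reveals"] = ["creation time", "sequence"]
        if info["node_is_hardware"]:
            info["reveals"].append("host MAC address")
    elif u.version == 4:
        # 128 bits minus 4 version bits and 2 variant bits
        info["random_bits"] = 122
    return info


def linkable(a, b):
    """True when two identifiers can be tied to the same generating host."""
    ia, ib = inspect_uuid(a), inspect_uuid(b)
    return ia["version"] == ib["version"] == 1 and ia["node"] == ib["node"]


if __name__ == "__main__":
    first = uuid.uuid1(node=SAMPLE_NODE, clock_seq=SAMPLE_SEQUENCE)
    second = uuid.uuid1(node=SAMPLE_NODE, clock_seq=SAMPLE_SEQUENCE)
    for candidate in (first, second, uuid.uuid4()):
        details = inspect_uuid(candidate)
        print(candidate, "version", details["version"],
              "reveals:", ", ".join(details["reveals"]) or "nothing")
    print("first and second linkable:", linkable(first, second))
```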
Two-factor Authentication
Use
● GitHub
Implement
● Your apps?
Level 2: Take Ownership
Ownership
What?
● The code
● Development systems
● Deployment
● Production
Hardening
Photo Credits: http://commons.wikimedia.org/wiki/User:Wilson44691
● Add new defenses
● Improve existing defenses
● Reduce weaknesses
Hardening
What to harden?
● Operating System
● Software + Configuration
● Access controls
OS Hardening
Operating System:
● Services
● Users
● Permissions
Software Hardening
Software:
● Minimal installation
● Configuration
● Tuning
Access Hardening
Users and Access Controls:
● Who can access what
● Password policies
● Accountability
Data Hardening
Focus on data streams
● Network (data in transit)
● Storage (data at rest)
● Access
Network Hardening
Traffic flows
● Is all incoming traffic needed?
● What about outgoing?
● IPv6?
HTTP Hardening
Header
X-Frame-Options SAMEORIGIN
Allow only iframe targets from our own domain
X-Frame-Options DENY
Do not allow rendering in iframe
HTTP Hardening
Header
X-XSS-Protection 1; mode=block
Block reflective XSS, avoid returning previous input (e.g. form)
HTTP Hardening
Header
X-Content-Type-Options nosniff
Don't peek into server responses, consider text/html by default
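One way to enforce and verify the three headers from the HTTP Hardening slides, as an added example that is not part of the original slides: a WSGI middleware sets them on every response and an audit function checks what an application actually returns. The class, the function names and the sample application are constructed for the illustration.

```python
from wsgiref.util import setup_testing_defaults

# Values from the slides; for X-Frame-Options both documented choices pass the audit.
ACCEPTED = {
    "x-frame-options": {"sameorigin", "deny"},
    "x-xss-protection": {"1;mode=block"},
    "x-content-type-options": {"nosniff"},
}


def _normalise(value):
    """Compare header values without regard to case or spacing."""
    return "".join(value.split()).lower()


def audit_headers(headers):
    """Map each hardening header to 'ok', 'missing' or 'unexpected: <value>'."""
    seen = {}
    for name, value in headers:
        seen.setdefault(name.lower(), []).append(value)
    report = {}
    for name, accepted in ACCEPTED.items():
        values = seen.get(name, [])
        if not values:
            report[name] = "missing"
        elif len(values) == 1 and _normalise(values[0]) in accepted:
            report[name] = "ok"
        else:
            report[name] = "unexpected: " + ", ".join(values)
    return report


class HardeningHeaders:
    """WSGI middleware that enforces the three headers on every response."""

    def __init__(self, app, frame_policy="SAMEORIGIN"):
        if frame_policy not in ("SAMEORIGIN", "DENY"):
            raise ValueError("frame_policy must be SAMEORIGIN or DENY")
        self.app = app
        self.enforced = [
            ("X-Frame-Options", frame_policy),
            ("X-XSS-Protection", "1; mode=block"),
            ("X-Content-Type-Options", "nosniff"),
        ]

    def __call__(self, environ, start_response):
        def hardened_start(status, headers, exc_info=None):
            # Drop whatever the application set for these names, then add ours.
            kept = [(n, v) for n, v in headers if n.lower() not in ACCEPTED]
            return start_response(status, kept + self.enforced, exc_info)

        return self.app(environ, hardened_start)


def response_headers(app):
    """Call a WSGI app once with a synthetic GET request and return its headers."""
    captured = {}
    environ = {}
    setup_testing_defaults(environ)

    def start_response(status, headers, exc_info=None):
        captured["headers"] = list(headers)

    body = app(environ, start_response)
    list(body)  # consume the response body
    if hasattr(body, "close"):
        body.close()
    return captured["headers"]


def legacy_app(environ, start_response):
    # Constructed application: no hardening, plus one permissive header value.
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("X-Frame-Options", "ALLOWALL")])
    return [b"<h1>hello</h1>"]


if __name__ == "__main__":
    for label, app in (("before", legacy_app),
                       ("after", HardeningHeaders(legacy_app, "DENY"))):
        for header, result in audit_headers(response_headers(app)).items():
            print("%-7s %-24s %s" % (label, header, result))
```

Current browsers have removed the XSS filter that X-XSS-Protection controlled, so an audit today would treat that header as legacy next to a Content-Security-Policy.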
Hardening
Myth: After hardening I’m done
Hardening
● Security should be an ongoing process
● Which means it is never finished
● New attacks = more hardening
○ POODLE
○ Heartbleed
Level 3: Perform Auditing
Myth
Auditing =
● A lot of work!
● Booooooring!
● And.. prone to errors...
Fact
Well, it can be.
Common Strategy
1. Audit
2. Get a lot of findings
3. Start hardening
4. …….
5. Quit
Strategy (New)
1. Focus
2. Audit
3. Focus
4. Harden
5. Repeat!
1. Focus
● Determine what to scan
● Limit scope of systems / applications
2. Audit
● Start small
● Collect data
3. Focus
Determine hardening focus
● Impact
● Number
● Area (e.g. crypto)
4. Harden
● Create implementation plan
● Perform lock down
● Document
○ What, Why, How
○ Exceptions
5. Repeat
● Keep measuring your actions
● Again:
○ Ongoing process
○ Never finishes
○ New attacks
Questions?
Tools
Options:
1. Guides
2. Utilities
Benchmarks / Guides
● Center for Internet Security (CIS)
● NIST / NSA
● OWASP
● Vendors
Benchmarks / Guides
Pros
Free to use
Detailed
You are in control
Cons
Time intensive
Usually no tooling
Limited distributions
Delayed releases
OWASP
Open Web Application Security Project
OWASP
Security Knowledge Framework
Tools
Tools
Tools make life easier, right?
Not always...
Tools
Problem 1: There aren’t many
Tools
Problem 2: Usually outdated
Tools
Problem 3: Limited support
Tools
Problem 4: Hard to use
Introducing Lynis
Lynis
Free
Open source
Shell
Simple
Flexible
Portable
Lynis
Background
● Since 2007
● GPLv3
● Requirements
○ Flexible
○ Portable
Lynis
Goals
● Perform a quick security scan
● Collect data
● Define next hardening steps
Lynis
Simple
● No installation needed
● Run with just one parameter
● No configuration needed
Lynis
Flexibility
● No dependencies*
● Option to extend easily
● Custom tests
* Besides common tools like awk, grep, ps
How it works
1. Initialise
2. OS detection
3. Detect binaries
4. Run helpers/plugins/tests
5. Show report
Bonus: Integration
● Deployment cycle
● Create your own tests:
include/tests_custom
Running
1. lynis
2. lynis audit system
3. lynis audit system --quick
4. lynis audit system --quick --quiet
Auditing Code
Code Validation
Quick wins
● Python: Pylint
● Ruby: ruby-lint
● Shell: shlint
Code Validation
Professional services
● Pentesting
● Code reviews
Auditing Repositories
Sensitive Data
● Secret keys
● Passwords
● Unique IDs
● Customers
http://blog.arvidandersson.se/2013/06/10/credentials-in-git-repos
http://blog.nortal.com/mining-passwords-github-repositories/
Sensitive Data
Search your GitHub repos:
extension:conf password
extension:pem private
filename:.bashrc
filename:.ssh
language:ruby secret
language:python password
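The same six searches applied to a local checkout before it is pushed, as an added example that is not part of the original slides. The mapping from each GitHub qualifier to a path test is an approximation assumed here, and the sample files are constructed.

```python
import os
import tempfile
from pathlib import Path

# One rule per search on the slide: (query, path test, keyword or None).
# The path tests approximate GitHub's qualifiers for a local checkout (assumption).
RULES = [
    ("extension:conf password", lambda p: p.suffix == ".conf", "password"),
    ("extension:pem private", lambda p: p.suffix == ".pem", "private"),
    ("filename:.bashrc", lambda p: p.name == ".bashrc", None),
    ("filename:.ssh", lambda p: ".ssh" in p.parts, None),
    ("language:ruby secret", lambda p: p.suffix == ".rb", "secret"),
    ("language:python password", lambda p: p.suffix == ".py", "password"),
]


def scan_tree(root):
    """Return sorted (query, relative path, line) hits; line 0 = matched by name only."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # working tree only
        for filename in filenames:
            path = Path(dirpath, filename)
            rel = path.relative_to(root)
            lines = None
            for query, path_matches, keyword in RULES:
                if not path_matches(rel):
                    continue
                if keyword is None:
                    hits.append((query, rel.as_posix(), 0))
                    continue
                if lines is None:
                    text = path.read_text(encoding="utf-8", errors="replace")
                    lines = text.splitlines()
                # Record the location only, so the report never repeats the secret.
                hits.extend((query, rel.as_posix(), number)
                            for number, line in enumerate(lines, 1)
                            if keyword in line.lower())
    return sorted(hits)


# Constructed sample checkout: every file name and value below is made up.
SAMPLE_FILES = {
    "app/settings.conf": "db_host = localhost\ndb_password = constructed-example\n",
    "deploy/server.pem": "-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n",
    ".ssh/config": "Host example\n",
    "lib/client.rb": 'API_SECRET = "constructed-example"\n',
    "tools/login.py": 'import os\npassword = os.environ["APP_PASSWORD"]\n',
    "README.md": "Nothing sensitive here.\n",
}


def scan_sample():
    """Write the sample files to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE_FILES.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for query, path, line in scan_sample():
        where = path if line == 0 else "%s:%d" % (path, line)
        print("%-26s %s" % (query, where))
```

The hit in tools/login.py reads the password from the environment, so keyword matches need triage. The scan covers the working tree only, not earlier commits in the history.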
Hardening
Harden:
● Your systems
● Your code
● Your sensitive data
Latest Developments
Developments
● Data protection laws
● OWASP
● New Rails security HTTP headers
● Internet of Things
● DevOps → SecDevOps / DevOpsSec
Conclusions
Lesson 1: Continuous Auditing
Many small efforts = Big impact!
Lesson 2: Implement Lynis
#include lynis.sh
Lesson 3: Leverage Security
Security
● Less: Crisis and Leaks
● More: Development Time
You Finished This Presentation
Success!
Follow Me
● Twitter: @mboelen
● Personal website: michaelboelen.com
● Blog: linux-audit.com
Want More?