Linux Security Baseline Implementation Efforts at the INL Jason Miller NLIT 2009


Linux Security Baseline Implementation Efforts at the INL

Jason Miller

NLIT 2009


Linux Minimum Security Configurations

• Informational
  – Some Numbers
  – Project Specific Stuff
  – General Information
• Technical
  – In-depth how it works
  – Some Gotchas
  – If I could do it over…


INL’s IT By The Numbers

• 12,000 IT Devices owned by INL
• 9,000 Devices on the Network
• 5,500 Desktop & Laptop Computers
• Windows Shop (85% Windows, 9% Macs, 6% Linux)


Linux Install Base

SuSE 80%

Ubuntu 12%

RHE 7%

Gentoo 1%


• 45% of all internet servers POSIX based – www.netcraft.com

• Hard drive Storage Capacities

Information Security Is Paramount


Why Do We Have Linux Users?

• High Performance Computing
• GPL/GNU Available software (Open Source)
• More Control of their own PCs
• Want to be cool!


Who’s Responsible For What?

• Managed Devices
  – Patches, Vulnerability Scans, Upgrades…
• Self-Managed Devices
  – Require more in-depth support
  – Might be Rev-locked
• Collaboration… little of both
  – Linux users that have no time to manage their PCs


Linux Minimum Security Configuration Project Goals

• Primary Goals
  – Verify Compliance level
  – Apply necessary changes
  – Report to some kind of database
• While keeping in mind:
  – Modular (upgradable, easily expandable)
  – Platform Diversity
  – User Friendly


End User Responses

• As we expected, they were wary…
  – Will I lose root privileges?
  – Will this slow my PC down?
  – If I do this, will you people promise to leave me alone forever…
• MSCs were demonstrated and our users responded
  – Provided multiple implementation suggestions
  – Received Kudos


Linux Minimum Security Configuration Project Build Time

• MSC Installer & Individual MSC scripts
  – 360 Hours, One individual
• Reporting Database
  – 15 Hours, One individual
• Additional hours:
  – MSC Installer add-ons to suit our customer’s needs
  – Chronological adjustments (crontab)
  – Diverse Platforms require modifications to code



Linux Minimum Security Configuration Installer

• Simple BASH scripting
• Easy to understand
• User can opt-out


Linux Minimum Security Configuration Installer – For the Technicians

• Quick Installer
• Allows for on the fly modifications


Reporting

• An IT perspective
  – PCs report daily
  – Compliance history


User Friendly

• It’s more than just a benchmark
  – Keeps the PC compliant
  – Several runtime methods to choose from
  – Non-intrusive, helpful information pop-ups

Enforce Mode

Verify Mode


Modular Code

• Installer invokes individual MSC script
• MSC scripts apply/verify settings
• Installer invokes next individual MSC script
• When all MSC scripts are complete, the installer sends off the report


Individual MSC scripts in-depth

• There are two types of MSC scripts
  – Configure Services
    • chkconfig
    • sysvconfig, runlevel, /etc/rc2.d… (Ubuntu)
  – Modify Configuration files
    • awk, sed, grep…


Gotchas!

• Platform differences
• Third party application dependencies
• Delivery methods had to meet MSC compliance
• Exceptions to the CIS benchmarks
  – esound
  – cups
  – …


Spin-Off Projects

– Let’s use LANDesk!
– We’re already using LANDesk for 85% of our install base
– Perform extremely detailed queries


Spin-off Projects

– Quest Authentication Services (aka Vintela or VAS)
– Brings Linux into Active Directory
– Centralized management tool
– Another way to distribute MSC scripts


If I Could Do It Over Again

• ‘Configuration file code’ could be more modular
  – What configuration file do you have in mind? – sshd.conf
  – What do you want me to find? – Protocol 1
  – OK, what do I change it to – Protocol 2 (all as a variable)
• Include a definitions file for all text based responses
  – A centralized file for all grammar used in the scripts
• Better package management… somehow
  – Negate the need for a user to satisfy dependencies
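
The "file, what to find, what to change it to, all as a variable" design from this slide, combined with the Verify and Enforce modes mentioned earlier, as an added example that is not the INL scripts. The function names, the rule-table format, the second rule and the sample file are assumptions made for illustration; on most systems the real file is /etc/ssh/sshd_config rather than the slide's sshd.conf.

```shell
#!/usr/bin/env bash
# Added illustration: function names, rule table and sample file are hypothetical.

# msc_check FILE KEY WANT MODE -> prints compliant | noncompliant | fixed
#   verify  : report only, never touches FILE (returns 1 when noncompliant)
#   enforce : sets KEY to WANT, appending the directive if it is absent
msc_check() {
    local file="$1" key="$2" want="$3" mode="$4" current tmp
    # First active (uncommented) occurrence; sshd uses the first value it reads.
    current=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file")
    if [ "$current" = "$want" ]; then echo compliant; return 0; fi
    if [ "$mode" != enforce ]; then echo noncompliant; return 1; fi
    tmp=$(mktemp) || return 2
    # Rewrite the first active KEY line, drop later duplicates, append if missing.
    awk -v k="$key" -v w="$want" '
        tolower($1) == tolower(k) { if (!seen) print k, w; seen = 1; next }
        { print }
        END { if (!seen) print k, w }' "$file" > "$tmp"
    cat "$tmp" > "$file"    # overwrite in place so owner and mode are preserved
    rm -f "$tmp"
    echo fixed
}

# One line per setting: file|keyword|required value, so a new setting is data.
# Protocol 2 is the slide's example; PermitRootLogin no is an assumed second rule.
msc_rules() {
    printf '%s|Protocol|2\n%s|PermitRootLogin|no\n' "$1" "$1"
}

# msc_run FILE MODE: run every rule, one report line each; returns 1 if any failed.
msc_run() {
    local mode="$2" rc=0 file key want
    while IFS='|' read -r file key want; do
        printf '%s %s: ' "$key" "$want"
        msc_check "$file" "$key" "$want" "$mode" || rc=1
    done <<EOF
$(msc_rules "$1")
EOF
    return $rc
}

# Constructed sample config (not from the talk): verify, enforce, verify again.
msc_demo() {
    local f; f=$(mktemp) || return 2
    printf '# sample\nPort 22\nProtocol 1\n#PermitRootLogin yes\n' > "$f"
    msc_run "$f" verify || true
    msc_run "$f" enforce && msc_run "$f" verify
    rm -f "$f"
}
msc_demo
```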


Questions

Jason Miller
Desktop Management
Idaho National Laboratory
Email: [email protected]
