[00:00:01] Linux operating system hardening. This is a lesson about how you can secure your Linux operating system. Well, there are many different ways that you could secure your operating system so it is not vulnerable to viruses or attacks or anything that could harm your system. So this is also one of the most important topics in Linux, and many times the recruiters or hiring manager will ask you this question about how do you secure your Linux system or how do you harden your operating system? There are many different ways. Even if you go online, you'll find a lot of different ways. But I think the most basic ones that anyone should really know are as follows.

[00:00:50] The first one is about account management. How do you secure the user account, what are the policies or standards that you have in place? Then we will cover removing unwanted packages: all the packages that you have installed in your system. If you don't need them, then why do you keep them? So remove them. Then we have to stop unused services. If a service is running that is not required in your system, stop it, toss it.
[00:01:16] Check on listening ports. Some of the time we have ports that are listening for incoming traffic, but we really don't need any of that incoming traffic. So what do we do? Stop it. Secure SSH configuration, we'll cover that later. Enable the firewall: iptables, which is the older version, and firewalld in the newer version. Of course, again, we will cover in detail how we could enable the firewall in our system to make our system more secure. SELinux. SELinux is a new feature that we will also cover as part of this lesson. Changing listening services' port numbers. So for example, if your port is running on, let's say, SSH 22, you could change it to a different port. So the hacker who knows that port 22 runs SSH, when they try, they will get refused. Then, last but not least, keep your system up to date. So you should have all the security patches installed. So let's cover them, all of them, one by one.

[00:02:28] Log into the Linux system. So I have here a Linux machine, I've logged in through the console. So the first thing that we talked about is user account management.
[00:02:44] How can we secure that? Well, the first thing that I should include in this is the naming convention. When you create a username, for example oracle or admin, I recommend everyone not to use those standard usernames, because it's very easy to predict those usernames. So instead of oracle you pick something like oracle123 or 123oracle. Instead of admin you pick tadmin, or sadmin. So how do we get all the usernames? You go to /etc, the passwd file, and you'll see the listing of all the users that we have in our system. You see here, in the first column before the colon, we have the username, like spiderman, spider, that's my name, and many others like nfs, chrony. So you could change the username to a different name so it's not easily guessed.

[00:03:43] Another way, I would say, is by default when a user is created, when you run the command useradd, when you create a user, it automatically assigns a user ID, which usually starts with three digits or four digits, which is 1000, and so on. So I would also recommend, as an industry standard, to use anything from 10,000 and above. So this way it's not hard to guess.
[00:04:12] Another way is about the password policies. Now, how often your password changes, how long your password should be. All that information can be looked at by running the command chage, which is "change age". If you do -l on the username, which is myself, you will see right here: last password change. This is the time when I changed my password. Password expires: never. Password inactive. So "password expires: never" is not a good sign. Since this is a lab environment, it's for training purposes, I don't really care, but in a corporate environment and production environment there should be a date to change the password. Same thing goes for inactive password, account expires, when does the password expire, number of days of warning before password expires, and so on. All that information can be changed. You could set your own standard depending on your company's requirement. You could run the chage command with help to find more information on how you could make those changes for each user. Also, if you go to the /etc/shadow file, you will see "Permission denied", I have to be root.
[00:05:37] So if you cat out the /etc/shadow file, you'll see each user has the username and password, and at the end of the password, in this column, it has these numbers. These are the same numbers as we have defined in "change age". You could change them either with this command, chage, or you could go directly to the /etc/shadow file and make the change. Let's see here. This 7 refers to this 7. This 99999 refers to this 99999. This 0 refers to this 0. So you can get more information about how you could change it, whether you could do it through /etc/shadow or chage. I would prefer that you use chage. Anyway, moving forward. Also, another file that you should look at is /etc/login.defs. This is the file where you could also define some of the parameters, and those parameters are, let's open the file again and you will see here maximum password, maximum days. These are the default settings. You could do it on a per-user basis, or if you want to apply it to the default setting, you could use it here. See PASS_MIN_LEN 5.
[00:07:01] If a user is putting in a password of length four, then it's not going to accept it, so it has to be five. But of course I would recommend going with at least twelve or 13, and change it right here. You could also disable all password. Another file that actually manages user accounts and the security is in the /etc/pam.d directory, and the file is system-auth. When you look at this file, it has a lot of other parameters that you could define. I want you to spend some time here, or even look it up online, and study every field of this file to understand exactly how this file works.

[00:07:48] The next one we have is about removing unwanted packages. Right? So how do we get the listing of all the packages? To get the listing of packages, I think you should know that. If you have forgotten, that's fine: rpm -qa, and then you hit enter. When you hit enter, you get a bunch of lists of all the packages. Now, how many packages do I have in my system? So that's like a quiz for you. So tell me, how many packages do I have? Well, the command is rpm -qa | wc -l, and this will count every line of output of rpm -qa.
[00:08:27] I have a total number of packages of 1350. So there are so many packages that I really don't need. So what do we need them for? Well, get rid of them. So, to get rid of a package, the command is rpm -e and the package name. So also remember, when you are deleting a package, it will ask you, that this package has a dependency on another package. So be very careful on that. If you remove the package, and that package has dependencies on another package, or another package has dependencies on this one, you will have some corruption and some programs that won't work properly. So just be careful.

[00:09:09] Then we have the next one, stop unused services. Okay, how do we get the listing of all the services that we are running? If you run systemctl -a, this will give you everything, active or inactive. So if there is a service that is active and you really don't need it, you could just simply stop it. If a system is serving webpages, why do you need the NFS service on it, right? So that's where we stop the services.
[00:09:37] Then the next one we have here is about checking on listening ports. Now, how do we check on the listening ports? Every service that you run has a port associated with it. If you run netstat -tunlp, why am I picking these specific options? It's just that I've been used to it. You could pick different options to check the ports. When I hit enter, you will see all the ports that are open and listening right now. See, here's the IP address right here, and this is my local IP. And again, this is my local IP. And you'll see everything after that has these ports: 111, 53, 22, 631, 25. Tell me, what is 53 for? That's a quiz. Well, if you don't remember, 53 is for DNS, and as I said, what port DNS runs on is also one of the important questions. So if your machine is not serving as a DNS, why do we have port 53 running? So stop it. The next one we have is about securing the SSH configuration.
[00:10:59] Now, if you know that when you log into a system remotely, what protocol you use, you use SSH, and on port 22. So this could be secured as well. So if you cd to /etc/ssh, there is a file called sshd_config, and when you hit enter or do more on it, you will see this file can be modified, and a lot of its parameters can be modified to make SSH more secure. And what are those things that can be modified? The two basic ones that I usually make changes to: number one is I change the port. So right now, if you see the port is running on 22, I will change it to 1022 or whichever port I would like to have, so my system is more secure. Another thing that I like to do whenever I build a system is I go in and I enable this. Right now you see here, this one has a hash sign. Anything that starts with a hash is a comment. So I will take out this hash sign and I'll say PermitRootLogin, and I will say no. Why? Because if I'm logging in, or if anybody's logging into the system as root, it will deny it. They should log in as themselves, and this way they could become root.
[00:12:22] The reason behind this is because every time a user logs in, let's say if I log in, my activity will be logged: the time when I log in and what time I became root. So all that tracking information will be recorded, and it will be a lot easier to understand who did what to the system. So these are a couple of things I will do with the SSH configuration.

[00:12:46] Then we have enable firewall. Now, firewall, as I said, there is an older version of firewall that runs in Red Hat 6 and older, it is called iptables. The newer version of firewall, with 7 and above, is firewalld. Both serve the same function. firewalld has a few enhanced functions. You could look it up again if you want to learn more about firewall. Now, I could tell you what a firewall does. Firewall, when you have it enabled in your system, what it does is, you could filter out. Meaning, if you want to only accept the traffic that's coming in on port 22, you can tell the firewall: hey firewall, only accept traffic coming in for port 22, or only accept traffic coming in for port 123 or 53.
[00:13:44] Anything that you wanted to make changes to in the firewall, anything you want the service to be running. So a firewall is like a watchdog, it's a defender or a gatekeeper for your system which allows someone or traffic to come in, or it allows the traffic to leave. The commands that you need to know for firewall: in GUI, in the newer version of Linux, if you are using a GUI, you could run firewall-config, hit Enter, and you will see it will bring up a GUI. This GUI will let you enable services, let you enable ports, add ports, remove protocols or add protocols. If you see, if you want to add a port. Let's say if you enable the firewall on your system, by default it will block everything. So once you enable the firewall, it's not going to talk to anybody outside, it's not going to have anybody talking to you. So how do you enable the communication? You add the port: you click on Add, you put the port number. Let's say I want everyone to talk to me, and I'm a DNS server, so talk to me with 53. I'm allowing it. That's good. Click OK, and good. Perfect.
[00:15:04] So that's how the firewall or iptables works in a newer system that has a GUI. What if I do not have a GUI? Okay, for that there's another command for text-based or command-line use, which is firewall-cmd, which is for command. And when you do help, you'll get a lot of information. How do you find, or how do you query, or how do you remove a port? In the older version we have the command iptables. So when you hit iptables, you could just do help, and you'll see all the information that you have right now. If you enable the IP services and then you run iptable -list, it will list all the services. Anyway, the configuration file for iptables, the older version, is /etc/sysconfig, and in sysconfig the file is iptables-config, and this is the file where you could go in and modify. If you don't want to modify it through the command line, you can modify it through the file and then restart the services. In the newer version, the file name is /etc/firewall. I'm sorry, /etc/firewalld is the directory, and the file is firewalld.conf. This is the one that you can modify.
[00:16:42] Then we'll move on to the next one about securing our system, which is enabling SELinux. Now, what is SELinux? Now, let me read you something really off the Internet, or the standard definition of SELinux. SELinux stands for Security Enhanced Linux. It is a security architecture integrated into the 2.6.x kernel using the Linux Security Modules, also known as LSM. It is a project of the United States National Security Agency, which is abbreviated as NSA, and the SELinux community. SELinux integration into Red Hat Enterprise Linux was a joint effort between the NSA and Red Hat. SELinux defines the access and transition rights of every user, every application, process and file on the system.

[00:17:45] So if you know, every operating system has an application, it has a process, it has a file, it has a user, right? So we have talked about the user permissions and how do we change them? We change them with chmod, right? Now, how do we change the permission of a process? How do we change the permission of an application, right? Well, that's not possible with the operating system.
[00:18:08] So what we did, we have this SELinux, which controls the permission access of processes and applications, and it goes deep, deep down in the detail and controls every access of the file, the configuration file. If you want to make SELinux enabled, the first thing you have to do is run sestatus to make sure if it's running or not. And if you do sestatus, you see in my system SELinux status is enabled.

[00:18:44] Now, a lot of companies that I have worked in in the past, and a lot of people that I've talked to, they usually keep SELinux disabled, which I understand, because many times their computers or their environment are running in a private network, so they really don't need it. Plus, SELinux is a very new technology and it is a bit complicated when implemented into your system. So you have to have a very detailed and better understanding of SELinux. So if you want to disable it, all you have to do is go to /etc/sysconfig and you do vi. I'm just doing more for now. And you will see right here, let me clear the screen so there won't be any confusion when you look at it. So you see right here, anything that has hash signs, of course, is a comment.
[00:19:43] So you see right here it says SELINUX=enforcing. It means it is enforced and it's enabled. And there are three modes of SELinux. One is enforcing, which means the SELinux security policy is enforced. Right? Then the second is permissive, which is telling that the SELinux system prints warnings but does not enforce policies. So if someone is making any changes, it will print: hey, something was going on, but it's not going to stop it. Then there's another one. The last one, of course, is disabled, which disables SELinux. So you could change it here, and once you have it, it is recommended that you reboot your system.

[00:20:25] So to check the parameters of a file, for example, let's say if I go to my home directory and these are the files and directories I have. So if I just do status, sorry, just stat, and I do, let's say I have this file called lalaland. You will see right here it tells me everything about the file: the name, the size, the blocks, the IO block, and right here it says Access, which is read, write, execute, right?
[00:20:57] We already covered that, and if not, then you already know that it could be defined by the chmod command. Now, if you notice right here, this is a new thing: Context. This specific file is defined by the object, it is user home. So that's how SELinux keeps track of which directory belongs to which user, or which file, and it also gives you Access, Modify, Birth, Change, and all that different information. We could change only the read, write, and execute, right? But all that additional stuff, if you want to have it, that could be done with SELinux.

[00:21:40] Anyway, there are other commands that I want you to look into which I will not cover here, because SELinux is a huge topic. Just for your knowledge, or to have you have somewhat of an exposure, you should know what SELinux is. So anyway, some of the commands of SELinux are chcon, which changes a file's SELinux security context, then we have checkpolicy, which is the SELinux policy compiler, and the other ones are newrole, setsebool, sebool, fixfiles, semanage, and so many other commands that I will not cover here.
[00:22:27] Also, I have attached some documentation which you could read. So this is about SELinux. Now, the second to last part that I wanted to cover is about changing listening service port numbers. Now, I also covered that a little bit in the SSH configuration, where you could change from port 22 to a different port. You could also make that same change to other services. For example, DNS by default runs on 53, right? You could make that change as well to make your system more secure.

[00:23:04] And the last one is about keeping your operating system up to date. Now, it doesn't mean you just go online and do yum update all and just update everything, all the packages that you have. You don't have to do, or you don't have to update, every package, but you do have to make sure, especially anything that is related to security, you have to update. And how do we keep up to date with the security? Well, one thing is you keep on running this yum update, right? But is it the right way to do it?
[00:23:38] Well, what I do, I could tell you, is I keep myself up to date with all the alerts that I get from Red Hat or CentOS or even Windows. Every time there is an issue or there's a new patch that comes out, I get notified, I have an email, so I would recommend you to do the same. Go ahead and sign up on redhat.com, on centos.org. As soon as you get any of those updates, go and apply. That's how you keep your system secure. Anyway, this is about how you could make your system secure, or OS hardening. If you cover everything here in detail, and if someone is asking you questions, trust me, you're going to ace it if you go over this. All right, good luck.
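As an added example (not the lecturer's own script), here is a small shell audit that checks the three settings the lesson inspects by hand: the /etc/shadow ageing fields that chage -l reports, PASS_MIN_LEN and PASS_MAX_DAYS in /etc/login.defs, and Port and PermitRootLogin in sshd_config. It runs against constructed sample file contents embedded in the script; the usernames, hashes and values are made up, and on a live system you would pass the contents of the real files instead.

```shell
#!/bin/sh
# Added audit helpers for the lesson's account, login.defs and sshd_config
# checks. Not the lecturer's script; the sample data below is constructed.

# Constructed /etc/shadow lines. Fields 3-8 are the values chage -l shows:
# last change : min days : max days : warn days : inactive days : expire date
SAMPLE_SHADOW='spider:$6$constructedhash:19000:0:99999:7:::
sadmin:$6$constructedhash:19100:1:90:14:30::'

# Constructed /etc/login.defs with the default values the lesson shows
SAMPLE_LOGIN_DEFS='# Password ageing defaults
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7'

# Constructed sshd_config as shipped: both lines still commented out
WEAK_SSHD='#Port 22
#PermitRootLogin yes'

# The same two lines after the changes made in the lesson
HARDENED_SSHD='Port 1022
PermitRootLogin no'

# shadow_issues SHADOW_TEXT USER: one line per weak ageing field, nothing if fine
shadow_issues() {
  printf '%s\n' "$1" | awk -F: -v user="$2" '
    $1 == user {
      if ($5 == "" || $5 + 0 >= 99999) print "max-days-never"  # "Password expires: never"
      if ($4 == "" || $4 + 0 == 0)      print "min-days-zero"  # password can be changed back at once
      if ($7 == "")                     print "inactive-never" # "Password inactive: never"
    }'
}

# login_defs_value DEFS_TEXT KEY: the value of KEY, ignoring comment lines
login_defs_value() {
  printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# login_defs_issues DEFS_TEXT: flags PASS_MIN_LEN under 12 (the lesson's
# recommendation) and a PASS_MAX_DAYS of 99999 (never expires)
login_defs_issues() {
  min=$(login_defs_value "$1" PASS_MIN_LEN)
  max=$(login_defs_value "$1" PASS_MAX_DAYS)
  [ -n "$min" ] && [ "$min" -ge 12 ] || echo "pass-min-len-short"
  [ -n "$max" ] && [ "$max" -lt 99999 ] || echo "pass-max-days-never"
}

# sshd_setting CONFIG_TEXT KEY: the first uncommented value of KEY, or DEFAULT
# when every occurrence is commented out (sshd then uses its built-in default)
sshd_setting() {
  printf '%s\n' "$1" | awk -v key="$2" '
    $1 == key { print $2; found = 1; exit }
    END { if (!found) print "DEFAULT" }'
}

# sshd_issues CONFIG_TEXT: the two checks the lesson makes by hand
sshd_issues() {
  [ "$(sshd_setting "$1" PermitRootLogin)" = "no" ] || echo "root-login-not-disabled"
  port=$(sshd_setting "$1" Port)
  [ "$port" != "DEFAULT" ] && [ "$port" != "22" ] || echo "ssh-on-port-22"
}

# Run the audit over the constructed samples
for u in spider sadmin; do
  printf '%s: %s\n' "$u" "$(shadow_issues "$SAMPLE_SHADOW" "$u" | tr '\n' ' ')"
done
printf 'login.defs: %s\n' "$(login_defs_issues "$SAMPLE_LOGIN_DEFS" | tr '\n' ' ')"
printf 'sshd (weak): %s\n' "$(sshd_issues "$WEAK_SSHD" | tr '\n' ' ')"
printf 'sshd (hardened): %s\n' "$(sshd_issues "$HARDENED_SSHD" | tr '\n' ' ')"
```

The spider line reproduces the 0 / 99999 / 7 values the lesson maps between /etc/shadow and chage, and the sadmin line shows what a tightened policy looks like in the same fields.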