Monday, June 24, 2024

BASIC Linux Security Audit P02 - Kernel Modules / Memory Access

DEFAULT KERNEL OPTIONS

With these commands we can check the boot loader options. Normally the boot loader offers two kernel load types, a classic one and a secure one, together with some of the options that come with them:

    
    $ grep linuz /boot/grub2/grub.cfg | head -1
    $ cat /etc/default/grub

    Options:
        - rhgb  = graphical boot screen
        - quiet = hide most of the boot messages
        - LVM partitioning
        - language and encoding


 



============================================================   

PROTECT THE MEMORY FROM SYSTEM PERIPHERAL ACCESS

  • Memory Isolation: IOMMU ensures that peripheral devices cannot access arbitrary areas of system memory, which is crucial for maintaining data integrity and security.

  • Protection Against DMA Attacks: Direct Memory Access (DMA) attacks exploit the ability of devices to read/write directly to memory. Without IOMMU, a malicious device could potentially read sensitive data or inject malicious code. IOMMU restricts this capability.

  • Virtualization Security: In virtualized environments, IOMMU is critical for assigning devices to virtual machines securely, preventing them from accessing memory outside their allocated spaces.

    $ nano /etc/default/grub

        -----------------------------------
        GRUB_TIMEOUT=5
        GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
        GRUB_DEFAULT=saved
        GRUB_DISABLE_SUBMENU=true
        GRUB_TERMINAL_OUTPUT="console"
        GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos_file-s/root rd.lvm.lv=centos_file-s/swap rhgb quiet"
        GRUB_DISABLE_RECOVERY="true"
        -----------------------------------

        # add "iommu=force" (Input-Output Memory Management Unit) to the kernel command line:
        GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos_file-s/root rd.lvm.lv=centos_file-s/swap rhgb quiet iommu=force"

        # then regenerate the config so the change applies at the next boot:
        $ grub2-mkconfig -o /boot/grub2/grub.cfg
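As an added example (not part of the original article), here is a small POSIX shell audit that parses a kernel command line into the options discussed in the two sections above, checks for iommu=force and prints the corrected GRUB_CMDLINE_LINUX line; the sample value is the article's own line, while the /sys/kernel/iommu_groups check and the function names are my own additions.

```shell
#!/bin/sh
# Constructed sample: GRUB_CMDLINE_LINUX from the article's /etc/default/grub, before iommu=force.
SAMPLE_CMDLINE="crashkernel=auto rd.lvm.lv=centos_file-s/root rd.lvm.lv=centos_file-s/swap rhgb quiet"

# Print kernel command-line options one per line. Uses the string in $1 if
# given (for offline use), otherwise /proc/cmdline, which shows the options of
# the *running* kernel; GRUB_CMDLINE_LINUX only affects the next boot.
cmdline_options() {
    if [ -n "$1" ]; then src="$1"; else src=$(cat /proc/cmdline); fi
    printf '%s\n' "$src" | tr ' ' '\n' | grep -v '^$'
}

# Return 0 if the exact token in $1 (e.g. "iommu=force") is present in the
# command line in $2 (or in /proc/cmdline when $2 is empty).
has_option() {
    cmdline_options "$2" | grep -qxF -- "$1"
}

# True when the running kernel really has IOMMU groups: an absent or empty
# /sys/kernel/iommu_groups means no IOMMU is active, whatever the cmdline says.
iommu_active() {
    [ -d /sys/kernel/iommu_groups ] && [ -n "$(ls -A /sys/kernel/iommu_groups 2>/dev/null)" ]
}

# Audit one command line: report the options the article explains and end
# with PASS/FAIL for iommu=force (return 0 on PASS, 1 on FAIL).
audit_cmdline() {
    for opt in rhgb quiet; do
        has_option "$opt" "$1" && echo "info: $opt set (graphical boot / fewer messages)"
    done
    cmdline_options "$1" | grep '^rd\.lvm\.lv=' | sed 's/^/info: LVM volume activated at boot: /'
    if has_option iommu=force "$1"; then
        echo "PASS: iommu=force present"; return 0
    fi
    echo "FAIL: iommu=force missing"; return 1
}

# Emit the corrected GRUB_CMDLINE_LINUX line for /etc/default/grub, appending
# iommu=force only if it is not already there (so re-running never duplicates it).
add_iommu_force() {
    if has_option iommu=force "$1"; then
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$1"
    else
        printf 'GRUB_CMDLINE_LINUX="%s iommu=force"\n' "$1"
    fi
}

audit_cmdline "$SAMPLE_CMDLINE" || add_iommu_force "$SAMPLE_CMDLINE"
iommu_active && echo "info: IOMMU groups present on this host" || echo "info: no IOMMU groups on this host"
```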

 
================================================

SUPPLEMENTARY BLOCKAGE OF MODULE LOADING

Prevention of Malicious Modules: By disabling the loading of new kernel modules, you prevent attackers from injecting malicious modules into the kernel. These modules could be used to execute arbitrary code, escalate privileges, or conceal malicious activities (rootkits).

System Integrity: Ensuring that only the necessary and verified modules are loaded at boot time helps maintain the integrity of the operating system. Disabling module loading reduces the attack surface.

Compliance and Control: For systems that require strict compliance with security policies (e.g., PCI-DSS, HIPAA), having the ability to disable module loading helps enforce these policies and control the system environment more tightly.

    
    $ sysctl kernel.modules_disabled
        # shows the current state of module loading
        # kernel.modules_disabled = 0    -> zero means modules can still be loaded

    $ sysctl -w kernel.modules_disabled=1
        # disables module loading for the running system only;
        # after a reboot it is back to zero (loading allowed) unless made persistent

    $ echo "kernel.modules_disabled = 1" >> /etc/sysctl.conf
        # or edit the file by hand:
    $ nano /etc/sysctl.conf
        # add:
        kernel.modules_disabled = 1

NOTE: This may prevent certain updates of the kernel itself, kernel modules, hardware drivers and so on. For updates and upgrades it can be disabled temporarily. As it affects only "new" modules, disabling it will not unload already installed and updated components. So yes: set it to zero, do your updates and upgrades, reboot, set it back to 1, reboot. Off you go.
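Added example, not from the article: a shell audit for kernel.modules_disabled that reads the live value from /proc/sys/kernel/modules_disabled and the value persisted in the sysctl configuration files, using a small parser for the key = value format; the file paths are the standard sysctl ones and the function names are my own.

```shell
#!/bin/sh
# Live value of the toggle, as exposed by procfs (what "sysctl kernel.modules_disabled" reads).
SYSCTL_LIVE=/proc/sys/kernel/modules_disabled

# Last effective value of KEY ($2) in a sysctl.conf-style file ($1): comment
# lines (# or ;) and lines without "=" are skipped, whitespace around "=" is
# tolerated, and a later line overrides an earlier one, as sysctl applies them.
# Prints nothing when the key is absent or the file is unreadable.
sysctl_conf_value() {
    [ -r "$1" ] || return 0
    awk -v key="$2" '
        /^[ \t]*[#;]/ || !/=/ { next }
        { k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k)
          if (k == key) {
              val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val); found = 1
          } }
        END { if (found) print val }' "$1"
}

# Value that will be applied at the next boot. Files are read in the order
# procps "sysctl --system" uses, with /etc/sysctl.conf last; pass your own
# file list in $@ to audit copies offline. Prints "unset" if no file sets it.
persisted_modules_disabled() {
    [ $# -gt 0 ] || set -- /etc/sysctl.d/*.conf /etc/sysctl.conf
    val=""
    for f in "$@"; do
        v=$(sysctl_conf_value "$f" kernel.modules_disabled)
        [ -n "$v" ] && val="$v"
    done
    printf '%s\n' "${val:-unset}"
}

# Audit verdict: PASS only when module loading is blocked now AND after reboot.
# The kernel treats this toggle as one-way: once the live value is 1 it cannot
# be set back to 0; only a reboot with the configuration changed resets it.
audit_modules_disabled() {
    live=$(cat "$SYSCTL_LIVE" 2>/dev/null || echo unknown)
    persisted=$(persisted_modules_disabled "$@")
    echo "live: kernel.modules_disabled = $live"
    echo "persisted (next boot): kernel.modules_disabled = $persisted"
    if [ "$live" = 1 ] && [ "$persisted" = 1 ]; then
        echo "PASS: module loading blocked now and after reboot"; return 0
    fi
    echo "FAIL: module loading still possible (live=$live, persisted=$persisted)"; return 1
}

audit_modules_disabled || :
```

Because the toggle is one-way at runtime, the audit reports the persisted value separately: to allow module loading again for an update, change the configuration file first and then reboot.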


BASIC Linux Security Audit P01 - Grub Access

There are some very basic security ideas that can easily be implemented on Linux servers through the command line for initial security. They are so basic that newcomers mostly overlook them: the 7 accessible virtual consoles just before we log in, or even earlier, the GRUB boot loader and the BIOS itself. You cannot lock these down completely, because a server is often remote; after a boot you would not be able to access it unless someone physically bypasses the BIOS and GRUB password. Anyway, let's get started.

============================================

SECURITY GOALS:

    - minimalism
    - least privileges possible
    - profound defense

1) Minimalism

    - Reduce attack surface
    - Reduce number of components (like unwanted installed software or services - remove them)
        ( this will also reduce unwanted updates and upgrades, reduce network congestion and compatibility issues)
    - Easy and effective supervision
    

2) Least Privileges

    - To make sure that there are no extra privileges and access for unwanted personnel
    - To avoid toxic mishaps, unwanted actions and deleting, and to avoid others taking control
    

3) Profound Defense (defense in depth)

    - Slow down the attackers
    - Intrusion Detection
        # Network separation
        # Mandatory manual authentication for all privileged actions
        # Tracking procedure - centralized and secured (to see who did what, when, why, how...)
        # Confinement of exposed processes
        # Updated components (firmware and drivers from time to time; software, services and security features for sure)

==========================================

For this article I used CentOS, but you can also use Fedora Server or, better, Rocky Linux Server, as CentOS is over and out.

SECURITY of BOOTLOADER = Grub, KERNEL and DYNAMIC KERNEL MODULES

GRUB  - Grand Unified Bootloader
    (When our OS starts we choose the normal or the secure boot mode, but with 'c' or 'tab' we can also get into the GRUB terminal and could do harmful things from there if we wanted. We must protect this boot menu.)

           
    /boot/grub2/grub.cfg - the principal bootloader file
    /etc/grub.d/         - grub.cfg is regenerated dynamically from the scripts in this directory
        # files in this directory should be accessible only for root !!!


    01_users   # contains the auth info that protects shell access
    Use these commands to add a new superuser for shell use:

    $ grub2-mkpasswd-pbkdf2    # password hash generator
                               # copy the generated hash to the clipboard

    $ nano /etc/grub.d/01_users
        # add these lines to the file
        set superusers="admin"
        password_pbkdf2 admin grub.pbkdf2.sha512.10000.5D.....


    The 01_users file should look something like this:
        --------------------------------------
        #!/bin/sh -e
        cat << EOF
        if [ -f \${prefix}/user.cfg ]; then
          source \${prefix}/user.cfg
          if [ -n "\${GRUB2_PASSWORD}" ]; then
            set superusers="root admin"
            export superusers
            password_pbkdf2 root \${GRUB2_PASSWORD}
            password_pbkdf2 admin grub.pbkdf2...
          fi
        fi
        EOF
        --------------------------------------

    $ grub2-mkconfig -o /boot/grub2/grub.cfg
        # regenerates grub.cfg so the changes apply at the next boot
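Added example (not the article's own code): a shell audit that checks the generated grub.cfg for the superusers and password_pbkdf2 lines, validates the grub.pbkdf2.sha512 hash form that grub2-mkpasswd-pbkdf2 emits, and lists files under /etc/grub.d that group or others can read; the function names are my own.

```shell
#!/bin/sh
# Validate one hash in the form grub2-mkpasswd-pbkdf2 prints:
# grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>
valid_pbkdf2_hash() {
    printf '%s\n' "$1" | grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$'
}

# Audit a generated grub.cfg: "set superusers" must be present and every
# superuser needs a password_pbkdf2 line. A hash given as a variable (the
# ${GRUB2_PASSWORD} line that 01_users sources from user.cfg) is reported,
# not validated here; a literal hash must have the PBKDF2 form above.
# Prints the findings and ends with PASS (returns 0) or FAIL (returns 1).
audit_grub_cfg() {
    cfg="$1"
    users=$(sed -n 's/^[[:space:]]*set superusers="\([^"]*\)".*/\1/p' "$cfg" 2>/dev/null | tail -n 1)
    if [ -z "$users" ]; then
        echo "FAIL: no 'set superusers' line in $cfg (menu and console unprotected)"; return 1
    fi
    for u in $users; do
        hash=$(awk -v u="$u" '$1 == "password_pbkdf2" && $2 == u { print $3 }' "$cfg" | tail -n 1)
        if [ -z "$hash" ]; then
            echo "FAIL: superuser '$u' has no password_pbkdf2 entry"; return 1
        fi
        case "$hash" in
            '${'*) echo "info: '$u' password comes from $hash (check user.cfg)"; continue ;;
        esac
        if ! valid_pbkdf2_hash "$hash"; then
            echo "FAIL: password entry for '$u' is not a grub.pbkdf2.sha512 hash"; return 1
        fi
    done
    echo "PASS: superusers ($users) protected by PBKDF2 password hashes"
}

# Files under a grub.d directory that group or others can read; the article
# wants these root-only, so anything listed here needs its mode tightened.
readable_by_non_root() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) 2>/dev/null | sort
}

audit_grub_cfg /boot/grub2/grub.cfg || :
readable_by_non_root /etc/grub.d
```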


_dnhyper
