When we're working on a health check for a client, security and hardening aspects are always areas where we pay close attention. Of course, patching your systems regularly is important, but that's not the only thing you need to do. In this blog, we'll share 4 best practices to help create a secure Linux environment.
1. Disabling Unnecessary Components
One of the first things we always check is whether there are services (daemons in technical terms) running that are not directly necessary for the function of the machine. For example, consider a mail server: it's installed by default on almost every Linux machine, even on a desktop. But if your machine isn't using this mail server, we recommend disabling this component.
And this often applies to more components. Because every component that's not running is one less security risk. A handy tool for this is the benchmarks provided by the CIS Center for Internet Security. Disabling unused components is part of what's known as hardening.
2. Optimising Password Policies
Another part of hardening is the password policy. You can enforce password expiration on Linux, meaning passwords are only valid for a limited period. While you're at it, you can also set requirements for strong passwords. Also, set a password for the bootloader, which is usually GRUB. We recommend configuring it so that changing the kernel command-line (the boot options) requires a password, but it's not necessary to start the machine.
This way, your machine remains reboot-proof and can, for example, automatically start after a power outage, while AppArmor or SELinux cannot be disabled via the kernel command-line. Assuming that AppArmor or SELinux is in use on the system, of course, otherwise, that's the next thing to look at.
3. LifeCycle Management
As we mentioned in the first paragraph, LifeCycle Management (LCM) of your systems is a requirement on a regular basis. In other words, regularly installing (security) updates for your Linux distribution. But when you have multiple Linux servers running, manually patching them becomes cumbersome.
In environments with RedHat Enterprise Linux, you can set up a RedHat Satellite server. This is a product that allows you to create your own copy of the RedHat repositories in your environment to then provide your machines with updates. The big advantage is that you establish a central management environment to control this process. Consider using RedHat Insights, which provides even better insight into your environment and potential vulnerabilities.
4. Installing Updates on Hardware
What often gets overlooked in LifeCycle Management is updates to the underlying hardware. This includes BIOS and firmware updates. Server hardware often has a built-in web console. Hewlett Packard calls this the ILO, DELL calls it a DRAC, and every hardware supplier has their own name for it, but the basic functionality is more or less the same. During the time of Heartbleed (a major vulnerability in the SSL security layer), suppliers released firmware updates for these web consoles to patch this vulnerability. So it's absolutely essential to regularly install these updates on your systems as well.
In short, there are numerous aspects to pay attention to in order to run a more secure Linux environment. As Linux specialists, we're here to help you with this. Have your Linux environment checked in a health check (free of charge), or inquire about the possibilities of outsourcing the management of your Linux environment.
