From ecced9e5bb872dfa3d069eea8d93851d959c7069 Mon Sep 17 00:00:00 2001 From: ganome Date: Wed, 13 Nov 2024 11:58:46 -0700 Subject: [PATCH] Removed some hyperlinks and cleaned up a few codeblocks --- .../Filesystem Security (eCryptFS).md | 52 ++++-------- .../Network Security (OpenSSL).md | 28 +++---- .../Security Tools (Fail2Ban, AIDE).md | 10 +-- .../Understanding SELinux.md | 83 ++++++------------- 4 files changed, 53 insertions(+), 120 deletions(-) diff --git a/09 - Linux Security Concepts/Filesystem Security (eCryptFS).md b/09 - Linux Security Concepts/Filesystem Security (eCryptFS).md index 0e18217..f22c5cb 100644 --- a/09 - Linux Security Concepts/Filesystem Security (eCryptFS).md +++ b/09 - Linux Security Concepts/Filesystem Security (eCryptFS).md @@ -17,18 +17,14 @@ Key features: On most Linux distributions, eCryptfs can be installed using the package manager: -```bash -# For Ubuntu/Debian: -sudo apt-get install ecryptfs-utils -``` -```bash -# For Fedora: -sudo dnf install ecryptfs-utils -``` -```bash -# For Arch Linux: -sudo pacman -S ecryptfs-utils -``` +For Ubuntu/Debian: +`sudo apt-get install ecryptfs-utils` + +For Fedora: +`sudo dnf install ecryptfs-utils` + +For Arch Linux: +`sudo pacman -S ecryptfs-utils` ## 3. Setting up eCryptfs @@ -66,15 +62,11 @@ mount -t ecryptfs ~/encrypted ~/encrypted ### - Unmounting: -```bash -umount ~/encrypted -``` +`umount ~/encrypted` ### - Checking mount status: -```bash -mount | grep ecryptfs -``` +`mount | grep ecryptfs` ## 5. Key Management @@ -82,15 +74,11 @@ eCryptfs uses a passphrase to derive the encryption key. This passphrase is stor ### - Adding a key to the keyring: -```bash -ecryptfs-add-passphrase -``` +`ecryptfs-add-passphrase` ### - Removing a key from the keyring: -```bash -keyctl purge user ecryptfs -``` +`keyctl purge user ecryptfs` ## 6. Advanced Features 
@@ -98,15 +86,11 @@ keyctl purge user ecryptfs Create a file containing your mount options: -```bash -echo "passphrase_passwd=your_passphrase" > ~/.ecryptfsrc -``` +`echo "passphrase_passwd=your_passphrase" > ~/.ecryptfsrc` Then mount using: -```bash -mount -t ecryptfs -o conf=~/.ecryptfsrc ~/encrypted ~/encrypted -``` +`mount -t ecryptfs -o conf=~/.ecryptfsrc ~/encrypted ~/encrypted` ### - Using different encryption for different directories: @@ -125,15 +109,11 @@ You can mount multiple eCryptfs directories with different encryption settings b If you can't mount the filesystem, check if the required kernel modules are loaded: -```bash -lsmod | grep ecryptfs -``` +`lsmod | grep ecryptfs` If not present, load them: -```bash -sudo modprobe ecryptfs -``` +`sudo modprobe ecryptfs` ## !!!If you forget your passphrase, there's no way to recover the data. Always keep secure backups!!! diff --git a/09 - Linux Security Concepts/Network Security (OpenSSL).md b/09 - Linux Security Concepts/Network Security (OpenSSL).md index 24ae722..c81645a 100644 --- a/09 - Linux Security Concepts/Network Security (OpenSSL).md +++ b/09 - Linux Security Concepts/Network Security (OpenSSL).md 
@@ -16,36 +16,28 @@ OpenSSL is a robust, full-featured open-source toolkit that implements the Secur OpenSSL is available for various operating systems. Here are basic installation instructions: - Linux: Most distributions come with OpenSSL pre-installed. If not, use package managers: - ```bash - sudo apt-get install openssl libssl-dev # For Debian/Ubuntu - ``` - ```bash - sudo yum install openssl openssl-devel # For CentOS/RHEL - ``` + `sudo apt-get install openssl libssl-dev # For Debian/Ubuntu` + + `sudo yum install openssl openssl-devel # For CentOS/RHEL` - macOS: Use Homebrew: - ``` - brew install openssl - ``` + `brew install openssl` - Windows: Download the installer from the official OpenSSL website. ## 4. Basic OpenSSL Commands - Generate a private key: - ```bash - openssl genrsa -out private.key 2048 - ``` + + `openssl genrsa -out private.key 2048` - Create a Certificate Signing Request (CSR): - ```bash - openssl req -new -key private.key -out certificate.csr - ``` + + `openssl req -new -key private.key -out certificate.csr` - Generate a self-signed certificate: - ```bash - openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 - ``` + + `openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365` ## 5. Implementing SSL/TLS in Network Applications diff --git a/09 - Linux Security Concepts/Security Tools (Fail2Ban, AIDE).md b/09 - Linux Security Concepts/Security Tools (Fail2Ban, AIDE).md index 7846810..0f97008 100644 --- a/09 - Linux Security Concepts/Security Tools (Fail2Ban, AIDE).md +++ b/09 - Linux Security Concepts/Security Tools (Fail2Ban, AIDE).md @@ -11,10 +11,7 @@ Fail2Ban is an intrusion prevention software framework that protects Linux syste - Updates firewall rules to block banned IPs ### Installation: -```bash -sudo apt-get update -sudo apt-get install fail2ban -``` +`sudo apt-get update && sudo apt-get install fail2ban` ### Configuration: - Main configuration file: `/etc/fail2ban/jail.conf` 
@@ -56,10 +53,7 @@ AIDE is a file and directory integrity checker that detects unauthorized changes - Reports any discrepancies, indicating potential security breaches ### Installation: -```bash -sudo apt-get update -sudo apt-get install aide -``` +`sudo apt-get update && sudo apt-get install aide` ### Configuration: - Main configuration file: /etc/aide/aide.conf diff --git a/09 - Linux Security Concepts/Understanding SELinux.md b/09 - Linux Security Concepts/Understanding SELinux.md index 9130bcb..bd26874 100644 --- a/09 - Linux Security Concepts/Understanding SELinux.md +++ b/09 - Linux Security Concepts/Understanding SELinux.md @@ -18,17 +18,13 @@ SELinux operates in three modes: - Disabled: SELinux is turned off To check the current mode: -``` -getenforce -``` +`getenforce` To change modes temporarily: -```bash -setenforce 0 # Set to permissive -``` -```bash -setenforce 1 # Set to enforcing -``` + +`setenforce 0` # Set to permissive + +`setenforce 1` # Set to enforcing To change modes permanently, edit /etc/selinux/config and reboot. @@ -43,10 +39,11 @@ system_u:object_r:httpd_sys_content_t:s0 ``` To view contexts: -``` -ls -Z # For files -ps auxZ # For processes -``` + +`ls -Z` # For files + +`ps auxZ` # For processes + ## 4. SELinux Policies 
@@ -59,84 +56,56 @@ SELinux uses policies to define allowed actions. Two main policy types: Booleans are on/off switches that allow runtime customization of SELinux policies. To list all booleans: -``` -getsebool -a -``` +`getsebool -a` To change a boolean: -```bash -setsebool httpd_can_network_connect on -``` +`setsebool httpd_can_network_connect on` To make the change persistent: -```bash -setsebool -P httpd_can_network_connect on -``` +`setsebool -P httpd_can_network_connect on` ## 6. Troubleshooting SELinux - Check for denials: -``` -ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent -``` +`ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent` - Use SELinux troubleshooter: -``` -sealert -a /var/log/audit/audit.log -``` +`sealert -a /var/log/audit/audit.log` - Analyze SELinux logs: -``` -grep "SELinux" /var/log/messages -``` +`grep "SELinux" /var/log/messages` ## 7. File and Directory Labeling To change the SELinux context of a file or directory: -``` -chcon -t httpd_sys_content_t /path/to/file -``` +`chcon -t httpd_sys_content_t /path/to/file` To restore the default context: -``` -restorecon -v /path/to/file -``` +`restorecon -v /path/to/file` ## 8. Managing SELinux Modules List available modules: -``` -semodule -l -``` +`semodule -l` Enable a module: -``` -semodule -e modulename -``` +`semodule -e modulename` Disable a module: -``` -semodule -d modulename -``` +`semodule -d modulename` ## 9. Creating Custom SELinux Policies For complex environments, you may need to create custom policies: - Install policy development tools: -``` -yum install selinux-policy-devel -``` +`yum install selinux-policy-devel` - Write a policy module (.te file) - Compile and package the module: -``` -make -f /usr/share/selinux/devel/Makefile -``` +`make -f /usr/share/selinux/devel/Makefile` - Install the module: -``` -semodule -i mymodule.pp -``` +`semodule -i mymodule.pp` ## 10. SELinux and Containers 
@@ -145,9 +114,7 @@ SELinux provides strong isolation for containers: - Prevents container processes from accessing host resources To run a container with a specific SELinux context: -``` -docker run --security-opt label=type:svirt_lxc_net_t my_image -``` +`docker run --security-opt label=type:svirt_lxc_net_t my_image` ## 11. Best Practices
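
Review bot: The subject line says "Removed some hyperlinks", but none of the hunks in the four files listed in the diffstat removes or changes a link; every changed line converts a fenced block to an inline code span or adjusts the text around one. Either drop the hyperlink wording from the subject or include the link removals in this commit, so the log matches what was changed.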
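
Review bot: In the eCryptFS installation hunk (@@ -17,18 +17,14), each label now sits on the line directly above its command with no blank line between them, so Markdown joins `For Ubuntu/Debian:` and `sudo apt-get install ecryptfs-utils` into one paragraph and the command no longer stands out as something to copy. The three separate ```bash fences were noisy, but a single fenced block holding the three commands with their `# For ...` comments would keep the cleanup and the highlighting. The same applies to the later hunks in this file that turn one-line fences such as `umount ~/encrypted` into inline spans.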
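
Review bot: In the eCryptFS "Advanced Features" hunk (@@ -98,15 +86,11), the rewritten line `echo "passphrase_passwd=your_passphrase" > ~/.ecryptfsrc` still has the reader type the passphrase on the command line, where it will normally be saved to shell history, and it creates the file with default permissions. Since this line is being touched anyway, add a sentence telling the reader to create the file in an editor and to restrict it with `chmod 600 ~/.ecryptfsrc` before mounting with `conf=`.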
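
Review bot: In the SELinux hunks at @@ -18,17 +18,13 and @@ -43,10 +39,11, the shell comments were moved outside the code spans (`setenforce 0` followed by a bare "# Set to permissive", `ls -Z` followed by "# For files"), so they now render as ordinary text with a stray hash, while the OpenSSL hunk in this same patch keeps its comments inside the span (`sudo apt-get install openssl libssl-dev # For Debian/Ubuntu`). Pick one convention for the whole patch; writing the explanation as prose, for example "`setenforce 0` sets permissive mode", reads more cleanly than a dangling `#`. The second hunk also adds an extra blank line before "## 4. SELinux Policies" that can be dropped.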