Removed some hyperlinks and cleaned up a few codeblocks

This commit is contained in:
ganome 2024-11-13 11:58:46 -07:00
parent 57d07f1f13
commit ecced9e5bb
Signed by untrusted user who does not match committer: Ganome
GPG Key ID: 944DE53336D81B83
4 changed files with 53 additions and 120 deletions

View File

@ -17,18 +17,14 @@ Key features:
On most Linux distributions, eCryptfs can be installed using the package manager: On most Linux distributions, eCryptfs can be installed using the package manager:
```bash For Ubuntu/Debian:
# For Ubuntu/Debian: `sudo apt-get install ecryptfs-utils`
sudo apt-get install ecryptfs-utils
``` For Fedora:
```bash `sudo dnf install ecryptfs-utils`
# For Fedora:
sudo dnf install ecryptfs-utils For Arch Linux:
``` `sudo pacman -S ecryptfs-utils`
```bash
# For Arch Linux:
sudo pacman -S ecryptfs-utils
```
## 3. Setting up eCryptfs ## 3. Setting up eCryptfs
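Review bot: the three replacement lines ("For Ubuntu/Debian:", "For Fedora:", "For Arch Linux:") are now bare paragraphs rather than list items, which is inconsistent with the OpenSSL page in this same commit where the per-platform instructions are bullets; consider `- Ubuntu/Debian: \`sudo apt-get install ecryptfs-utils\`` and the same shape for Fedora and Arch so the three render as one list.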
@ -66,15 +62,11 @@ mount -t ecryptfs ~/encrypted ~/encrypted
### - Unmounting: ### - Unmounting:
```bash `umount ~/encrypted`
umount ~/encrypted
```
### - Checking mount status: ### - Checking mount status:
```bash `mount | grep ecryptfs`
mount | grep ecryptfs
```
## 5. Key Management ## 5. Key Management
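Review bot: the `### - Unmounting:` and `### - Checking mount status:` context headings keep a stray list dash and trailing colon inside the heading text that this cleanup does not remove; since the commit is already normalising this file, suggest `### Unmounting` and `### Checking mount status`. The inline forms `umount ~/encrypted` and `mount | grep ecryptfs` themselves are fine.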
@ -82,15 +74,11 @@ eCryptfs uses a passphrase to derive the encryption key. This passphrase is stor
### - Adding a key to the keyring: ### - Adding a key to the keyring:
```bash `ecryptfs-add-passphrase`
ecryptfs-add-passphrase
```
### - Removing a key from the keyring: ### - Removing a key from the keyring:
```bash `keyctl purge user ecryptfs`
keyctl purge user ecryptfs
```
## 6. Advanced Features ## 6. Advanced Features
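Review bot: `keyctl purge user ecryptfs` filters user-type keys by the description `ecryptfs`, but the hunk header says the key is derived from a passphrase and `ecryptfs-add-passphrase` prints the signature under which that key is inserted; the doc should state what description the key actually carries and tell readers to confirm with `keyctl list @u` that the purge removed it. It should also warn that `keyctl purge user` with no description removes every user-type key in the keyring, not only the eCryptfs one.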
@ -98,15 +86,11 @@ keyctl purge user ecryptfs
Create a file containing your mount options: Create a file containing your mount options:
```bash `echo "passphrase_passwd=your_passphrase" > ~/.ecryptfsrc`
echo "passphrase_passwd=your_passphrase" > ~/.ecryptfsrc
```
Then mount using: Then mount using:
```bash `mount -t ecryptfs -o conf=~/.ecryptfsrc ~/encrypted ~/encrypted`
mount -t ecryptfs -o conf=~/.ecryptfsrc ~/encrypted ~/encrypted
```
### - Using different encryption for different directories: ### - Using different encryption for different directories:
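Review bot: the `echo "passphrase_passwd=your_passphrase" > ~/.ecryptfsrc` line writes the mount passphrase in plaintext into a file created with the user's default umask and leaves the passphrase in shell history; the doc should follow it with `chmod 600 ~/.ecryptfsrc` and state the plaintext trade-off so readers can decide whether to use this convenience at all. In the mount line, `conf=$HOME/.ecryptfsrc` avoids relying on tilde expansion inside an option value.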
@ -125,15 +109,11 @@ You can mount multiple eCryptfs directories with different encryption settings b
If you can't mount the filesystem, check if the required kernel modules are loaded: If you can't mount the filesystem, check if the required kernel modules are loaded:
```bash `lsmod | grep ecryptfs`
lsmod | grep ecryptfs
```
If not present, load them: If not present, load them:
```bash `sudo modprobe ecryptfs`
sudo modprobe ecryptfs
```
## !!!If you forget your passphrase, there's no way to recover the data. Always keep secure backups!!! ## !!!If you forget your passphrase, there's no way to recover the data. Always keep secure backups!!!
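Review bot: the `## !!!If you forget your passphrase, there's no way to recover the data. Always keep secure backups!!!` context line is a warning formatted as a level-2 section heading, so it lands in any generated table of contents as a section; since this commit is cleaning up formatting in this file anyway, turn it into a bold note at the end of the troubleshooting section. The `lsmod | grep ecryptfs` / `sudo modprobe ecryptfs` pair reads correctly as inline code.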

View File

@ -16,36 +16,28 @@ OpenSSL is a robust, full-featured open-source toolkit that implements the Secur
OpenSSL is available for various operating systems. Here are basic installation instructions: OpenSSL is available for various operating systems. Here are basic installation instructions:
- Linux: Most distributions come with OpenSSL pre-installed. If not, use package managers: - Linux: Most distributions come with OpenSSL pre-installed. If not, use package managers:
```bash `sudo apt-get install openssl libssl-dev # For Debian/Ubuntu`
sudo apt-get install openssl libssl-dev # For Debian/Ubuntu
``` `sudo yum install openssl openssl-devel # For CentOS/RHEL`
```bash
sudo yum install openssl openssl-devel # For CentOS/RHEL
```
- macOS: Use Homebrew: - macOS: Use Homebrew:
``` `brew install openssl`
brew install openssl
```
- Windows: Download the installer from the official OpenSSL website. - Windows: Download the installer from the official OpenSSL website.
## 4. Basic OpenSSL Commands ## 4. Basic OpenSSL Commands
- Generate a private key: - Generate a private key:
```bash
openssl genrsa -out private.key 2048 `openssl genrsa -out private.key 2048`
```
- Create a Certificate Signing Request (CSR): - Create a Certificate Signing Request (CSR):
```bash
openssl req -new -key private.key -out certificate.csr `openssl req -new -key private.key -out certificate.csr`
```
- Generate a self-signed certificate: - Generate a self-signed certificate:
```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 `openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365`
```
## 5. Implementing SSL/TLS in Network Applications ## 5. Implementing SSL/TLS in Network Applications
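Review bot: the Linux install lines now carry `# For Debian/Ubuntu` and `# For CentOS/RHEL` inside the backticks, so the comment renders as part of the command, unlike the SELinux page in this commit where such comments are placed outside the code span; move them into the bullet text instead. The self-signed line uses `rsa:4096` while the `genrsa` line two bullets above uses 2048; pick one size or say why they differ, and note that `openssl req -newkey ... -keyout key.pem` prompts for a key passphrase unless told not to, which a reader following the page will hit.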

View File

@ -11,10 +11,7 @@ Fail2Ban is an intrusion prevention software framework that protects Linux syste
- Updates firewall rules to block banned IPs - Updates firewall rules to block banned IPs
### Installation: ### Installation:
```bash `sudo apt-get update && sudo apt-get install fail2ban`
sudo apt-get update
sudo apt-get install fail2ban
```
### Configuration: ### Configuration:
- Main configuration file: `/etc/fail2ban/jail.conf` - Main configuration file: `/etc/fail2ban/jail.conf`
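Review bot: `sudo apt-get update && sudo apt-get install fail2ban` is fine as a one-liner, but the `### Configuration:` context line points readers at `/etc/fail2ban/jail.conf` as the main configuration file; that file is replaced on package upgrade, so the doc should direct edits to `/etc/fail2ban/jail.local` (or a file under `jail.d/`) and describe `jail.conf` as the reference defaults.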
@ -56,10 +53,7 @@ AIDE is a file and directory integrity checker that detects unauthorized changes
- Reports any discrepancies, indicating potential security breaches - Reports any discrepancies, indicating potential security breaches
### Installation: ### Installation:
```bash `sudo apt-get update && sudo apt-get install aide`
sudo apt-get update
sudo apt-get install aide
```
### Configuration: ### Configuration:
- Main configuration file: /etc/aide/aide.conf - Main configuration file: /etc/aide/aide.conf
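Review bot: same one-liner collapse as the Fail2Ban hunk; the remaining inconsistency is the `- Main configuration file: /etc/aide/aide.conf` context line, whose path is not in backticks while the Fail2Ban equivalent is, so wrap it as `/etc/aide/aide.conf` for uniform rendering.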

View File

@ -18,17 +18,13 @@ SELinux operates in three modes:
- Disabled: SELinux is turned off - Disabled: SELinux is turned off
To check the current mode: To check the current mode:
``` `getenforce`
getenforce
```
To change modes temporarily: To change modes temporarily:
```bash
setenforce 0 # Set to permissive `setenforce 0` # Set to permissive
```
```bash `setenforce 1` # Set to enforcing
setenforce 1 # Set to enforcing
```
To change modes permanently, edit /etc/selinux/config and reboot. To change modes permanently, edit /etc/selinux/config and reboot.
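Review bot: moving `# Set to permissive` and `# Set to enforcing` outside the backticks leaves a literal `#` in rendered prose, which reads as a stray hash; either write them as sentences ("`setenforce 0` switches to permissive mode") or keep the comment inside the code span. Also, `setenforce` requires root but neither line has `sudo`, while the install pages in this commit use it consistently.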
@ -43,10 +39,11 @@ system_u:object_r:httpd_sys_content_t:s0
``` ```
To view contexts: To view contexts:
```
ls -Z # For files `ls -Z` # For files
ps auxZ # For processes
``` `ps auxZ` # For processes
## 4. SELinux Policies ## 4. SELinux Policies
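Review bot: same literal-`#` rendering issue as the previous hunk for `# For files` and `# For processes`. Since the hunk header shows the context `system_u:object_r:httpd_sys_content_t:s0`, one sentence tying the `ls -Z` and `ps auxZ` output back to that user:role:type:level layout would make the section self-explaining.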
@ -59,84 +56,56 @@ SELinux uses policies to define allowed actions. Two main policy types:
Booleans are on/off switches that allow runtime customization of SELinux policies. Booleans are on/off switches that allow runtime customization of SELinux policies.
To list all booleans: To list all booleans:
``` `getsebool -a`
getsebool -a
```
To change a boolean: To change a boolean:
```bash `setsebool httpd_can_network_connect on`
setsebool httpd_can_network_connect on
```
To make the change persistent: To make the change persistent:
```bash `setsebool -P httpd_can_network_connect on`
setsebool -P httpd_can_network_connect on
```
## 6. Troubleshooting SELinux ## 6. Troubleshooting SELinux
- Check for denials: - Check for denials:
``` `ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent`
ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent
```
- Use SELinux troubleshooter: - Use SELinux troubleshooter:
``` `sealert -a /var/log/audit/audit.log`
sealert -a /var/log/audit/audit.log
```
- Analyze SELinux logs: - Analyze SELinux logs:
``` `grep "SELinux" /var/log/messages`
grep "SELinux" /var/log/messages
```
## 7. File and Directory Labeling ## 7. File and Directory Labeling
To change the SELinux context of a file or directory: To change the SELinux context of a file or directory:
``` `chcon -t httpd_sys_content_t /path/to/file`
chcon -t httpd_sys_content_t /path/to/file
```
To restore the default context: To restore the default context:
``` `restorecon -v /path/to/file`
restorecon -v /path/to/file
```
## 8. Managing SELinux Modules ## 8. Managing SELinux Modules
List available modules: List available modules:
``` `semodule -l`
semodule -l
```
Enable a module: Enable a module:
``` `semodule -e modulename`
semodule -e modulename
```
Disable a module: Disable a module:
``` `semodule -d modulename`
semodule -d modulename
```
## 9. Creating Custom SELinux Policies ## 9. Creating Custom SELinux Policies
For complex environments, you may need to create custom policies: For complex environments, you may need to create custom policies:
- Install policy development tools: - Install policy development tools:
``` `yum install selinux-policy-devel`
yum install selinux-policy-devel
```
- Write a policy module (.te file) - Write a policy module (.te file)
- Compile and package the module: - Compile and package the module:
``` `make -f /usr/share/selinux/devel/Makefile`
make -f /usr/share/selinux/devel/Makefile
```
- Install the module: - Install the module:
``` `semodule -i mymodule.pp`
semodule -i mymodule.pp
```
## 10. SELinux and Containers ## 10. SELinux and Containers
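Review bot: in section 7, `chcon -t httpd_sys_content_t /path/to/file` is immediately followed by `restorecon -v /path/to/file`, but the text never says that `restorecon` resets the file to the policy default and therefore undoes the `chcon` change; readers need that to see the two commands as opposites rather than a pair to run in sequence. Smaller points in the same hunk: `yum install selinux-policy-devel` lacks the `sudo` used elsewhere on the page, and `semodule -l` lists installed modules, so "List available modules" should read "List installed modules".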
@ -145,9 +114,7 @@ SELinux provides strong isolation for containers:
- Prevents container processes from accessing host resources - Prevents container processes from accessing host resources
To run a container with a specific SELinux context: To run a container with a specific SELinux context:
``` `docker run --security-opt label=type:svirt_lxc_net_t my_image`
docker run --security-opt label=type:svirt_lxc_net_t my_image
```
## 11. Best Practices ## 11. Best Practices
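Review bot: `docker run --security-opt label=type:svirt_lxc_net_t my_image` uses the legacy type name; current container-selinux policies name the confined container domain `container_t` and keep `svirt_lxc_net_t` only as an alias, so the doc should mention `container_t` and tell readers that this is the type they will see for the process in `ps auxZ` (shown earlier on the page).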