Hardening Enea NFV Access
Broken Algorithms

Make sure that algorithms that are broken with regard to security are not used.

Draft note: ask Sona/Casc if the algorithms listed below are the broken ones to check for, or if they are the ones that are broken to begin with and, if seen, should be eliminated from use.

DES
3DES
CAST
BLOWFISH
MD5
SHA-1
MODP512
MODP768
MODP1024
System Installation

Enea NFV Access images should be verified with a SHA512 checksum and/or a GPG signature. See https://www.openssl.org/source/ for more details on how to proceed.
Security Updates

Applying security patches is an important part of security hardening and maintenance. Enea backports all known critical vulnerabilities within a reasonable time frame, if not immediately, and makes them available to users for updates/upgrades. Prepare the system for regular updates in the following manner:

Configure the target to get software updates from the Enea source repository.
Test updating or removing a package using the apt-get command:

root@inteld1521:~# apt-get update
root@inteld1521:~# apt-get upgrade
OpenEmbedded meta-security layer

The OpenEmbedded meta-security layer provides many hardening tools. These tools are open source packages suited for embedded devices. Below is a list of several packages included in the meta-security layer:

Bastille
Redhat-security
Buck-security
Libseccomp
Pax-utils
Nmap
ISIC
Tripwire
checksecurity
TOMOYO, which contains a number of very useful libraries for system analysis.

Draft note: ask Sona if this is the intended meaning of what she wrote here originally: "TOMOYO and a number of libraries which is very useful system analysis tool".

For more information about tools supported in the meta-security layer please refer to Introduction to the Tools in meta-security layer.

Draft note: change the bold text to point to the section/chapter in question through an xref.
Kernel Hardening

For a secure set of build CONFIGs and runtime settings see the Kernel Self Protection Project. Essentially, there are three ways to pass options to the kernel:

When building the kernel (via menuconfig).
When starting the kernel (usually, when invoked from a boot loader).
At runtime (through the files in /proc and /sys). See sysctl for details.

Parameters have either the format parameter or parameter=value. Kernel parameters can be configured via /etc/sysctl.conf at run time or via menuconfig at build time.

How to enable/disable kernel parameters via menuconfig:

bitbake virtual/kernel -c menuconfig

Enable the configuration you want, save the .config file in the build directory, and run bitbake. For more info see http://www.tldp.org/HOWTO/SCSI-2.4-HOWTO/kconfig.html.

Permanently add a kernel boot parameter from the boot loader:

sudo gedit /etc/default/grub

Enter your password when prompted by sudo. If the file /etc/default/grub appears to be empty or does not exist, see the instructions for earlier releases above.

Using /etc/sysctl.conf:

We can view the value of a particular Linux kernel parameter using sysctl, followed by the name of the parameter:

root@inteld1521:~# sysctl dev.cdrom.autoclose
dev.cdrom.autoclose = 1

Or read the associated file:

root@inteld1521:~# cat /proc/sys/dev/cdrom/autoclose
1
root@inteld1521:~# cat /proc/sys/dev/cdrom/

It is good to store the output of the kernel settings for comparison or reference by redirecting the output of the sysctl command to a file, for example:

sysctl -A > /root/sysctl.settings.store

The following kernel configurations, set in /etc/sysctl.conf, can be used to secure the Linux system against attacks.
# Turn on execshield (kernel.exec-shield only exists on older Red Hat kernels)
kernel.exec-shield=1
# 1 randomizes stack, mmap and vdso; the mainline default of 2 also randomizes brk
kernel.randomize_va_space=1
# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter=1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
# Ignore broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1
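The stored sysctl -A snapshot is only useful if it is compared against the intended settings. The following added example (not part of the Enea documentation) compares a sysctl.conf-style file of wanted values against a saved snapshot and reports every key that is missing or differs; the function names, and both sample files, are constructed for this illustration.

```shell
#!/bin/sh
# Added example: detect drift between wanted sysctl settings and a stored
# "sysctl -A" snapshot. Both input files below are constructed samples.

# Drop comments and blank lines, and normalise "key = value" / "key=value"
# into "key=value" so the two file formats can be compared line by line.
normalize_sysctl() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1"
}

# sysctl_drift WANTED SNAPSHOT
# Prints "key: wanted=X actual=Y" for each key whose value differs, with
# actual=<missing> when the snapshot does not contain the key at all.
sysctl_drift() {
    normalize_sysctl "$1" | while IFS='=' read -r key want; do
        actual=$(normalize_sysctl "$2" | awk -F= -v k="$key" '$1 == k { print $2 }')
        if [ -z "$actual" ]; then
            echo "$key: wanted=$want actual=<missing>"
        elif [ "$actual" != "$want" ]; then
            echo "$key: wanted=$want actual=$actual"
        fi
    done
}

# Constructed sample: the hardening file and a snapshot of a host that still
# accepts source-routed packets and never had log_martians configured.
WANTED=$(mktemp)
SNAPSHOT=$(mktemp)
cat >"$WANTED" <<'EOF'
# desired hardening settings (constructed sample)
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.log_martians = 1
EOF
cat >"$SNAPSHOT" <<'EOF'
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF

sysctl_drift "$WANTED" "$SNAPSHOT"
```

On a real host, replace the snapshot with /root/sysctl.settings.store and the wanted file with /etc/sysctl.conf.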
Security Options

SECURITY (on/off)
Enable different security models. Depends on SYSFS.
This option allows you to choose different security modules to configure into your kernel. If this option is not selected, the default Linux security model will be used.

SECURITY_NETWORK (on/off)
Socket and Networking Security Hooks. Depends on SECURITY.
This enables the socket and networking security hooks. If enabled, a security module can use these hooks to implement socket and networking access controls. If you are unsure how to answer this question, answer N.

SECURITY_CAPABILITIES (on/off/module), kernel version(s): 2.6.15.6
Default Linux Capabilities. Depends on SECURITY.
This enables the "default" Linux capabilities functionality.

SECURITY_ROOTPLUG (on/off/module), kernel version(s): 2.6.15.6
Root Plug Support. Depends on USB && SECURITY.
This is a sample LSM module that should only be used as such. It prevents any programs running with egid == 0 if a specific USB device is not present in the system.

SECURITY_SECLVL (on/off/module), kernel version(s): 2.6.15.6
BSD Secure Levels. Depends on SECURITY; selects CRYPTO and CRYPTO_SHA1.
Implements BSD Secure Levels as an LSM. See the file Documentation/seclvl.txt for instructions on how to use this module.
Stack Protector (-fstack-protector GCC feature)

CONFIG_CC_STACKPROTECTOR
CONFIG_CC_STACKPROTECTOR_REGULAR
CONFIG_CC_STACKPROTECTOR_STRONG

This option turns on the -fstack-protector GCC feature. This feature inserts a canary value on the stack just before the return address, and validates the value just before returning. Stack-based buffer overflows (that need to overwrite this return address) will now also overwrite the canary, which gets detected, and the attack is then neutralized via a kernel panic. This feature requires gcc version 4.2 or above.

prompt: Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)
type: bool
depends on: (none)
defined in arch/arm/Kconfig
found in Linux kernels: 2.6.36–2.6.39, 3.0–3.13

Currently these configurations are not set in the Intel kernel in Enea NFV Access (tmp/deploy/images/inteld1521/config-inteld1521.config):

CONFIG_CC_STACKPROTECTOR is not set
CONFIG_CC_STACKPROTECTOR_REGULAR is not set
CONFIG_CC_STACKPROTECTOR_STRONG is not set
CONFIG_SLAB_FREELIST_RANDOM

An optional config to randomize the SLAB freelist (heap freelist). SLAB is a memory management mechanism intended for the efficient memory allocation of kernel objects. SLAB has the desirable property of eliminating fragmentation caused by allocations and deallocations. This security feature reduces the predictability of the kernel slab allocator against heap overflows.
CONFIG_PAGE_POISONING

This feature fills pages with poison patterns after free_pages() and verifies the patterns before alloc_pages(). This results in a large slowdown, but helps to find certain types of memory corruption. This option cannot be enabled in combination with hibernation, as that would result in incorrect warnings of memory corruption after a resume, since free pages are not saved to the suspend image. "Poison pages after freeing" is found in mm/Kconfig.debug. The configuration item CONFIG_PAGE_POISONING:

prompt: Poison pages after freeing
type: bool
depends on: (none)
defined in mm/Kconfig.debug
found in Linux kernels: 4.6–4.12, 4.13-rc+HEAD
CONFIG_HARDENED_USERCOPY

CONFIG_HARDENED_USERCOPY
CONFIG_HARDENED_USERCOPY_PAGESPAN

This configuration checks that objects being copied to/from user space meet certain criteria, for example that the copy stays within the bounds of the heap object or stack frame it is taken from.
CONFIG_CC_STACKPROTECTOR_STRONG

CONFIG_CC_STACKPROTECTOR_STRONG=y enables a more powerful stack canary checking method supported by GCC versions 4.9 and later. On an x86 "defconfig" build, this feature adds canary checks to about 20% of all kernel functions, which increases the kernel code size by about 2%. More info about this feature can be found at https://lwn.net/Articles/584278/.
CONFIG_RANDOMIZE_BASE

CONFIG_RANDOMIZE_BASE randomizes the address at which the kernel image is placed at boot. With physical memory randomization, it extends kernel image physical address randomization to addresses larger than 4GB, among other improvements.
CONFIG_RANDOMIZE_MEMORY

CONFIG_RANDOMIZE_MEMORY randomizes the virtual addresses of kernel memory sections: the physical memory mapping, vmalloc, and vmemmap. As with other memory randomization routines, by randomizing the virtual address space of kernel memory sections, the goal is to mitigate predictable memory locations.
OS Hardening

The sections below detail various ways in which a developer can effectively secure their operating system(s).
Remove root account

Create a default user with su access and then use sudo to delegate administrative access.
Rsyslog, Syslog, Syslog-ng Service

Rsyslog is the default logging program on several Linux distributions. Apart from implementing the syslog protocol, rsyslog adds features such as content-based filtering and TCP transport, and provides many configuration options. Further reading is available at https://linux-audit.com/central-audit-logging-configuration-collecting-linux-audit-events/.
Removing unnecessary Packages

Enea provides a minimum set of packages in release images. All extra packages should be available in the Enea source repository so users can get them when needed.

Draft note: ask Sona/Casc for details on what should be definitively written in this section.
Disk Isolation and Protection

Critical systems should be separated into different partitions. An example to start from would be:

/
/boot
/usr
/home
/tmp
/var

Create a separate volume with the nodev, nosuid, and noexec options set for /tmp. Since /tmp is intended to be globally writable, creating a separate partition for it can prevent resource exhaustion. Setting nodev prevents users from creating or using block or special character devices. Setting noexec prevents users from running binary executables from /tmp. Setting nosuid prevents set-user-ID bits from being honoured on files in /tmp.
Disable unwanted SUID and SGID Binaries

There are 3 special permissions available for executable files and directories:

SUID permission
SGID permission
Sticky bit
SUID/SGID

To better understand, check the permissions of the /usr/bin/passwd command:

# ls -lrt /usr/bin/passwd
-r-sr-sr-x 1 root sys 31396 Jan 20 2014 /usr/bin/passwd

There are two "s" characters in the permission field: the first stands for SUID and the second for SGID. When a command or script with the SUID bit set is run, its effective UID becomes that of the owner of the file, rather than that of the user who is running it. Files with SUID/SGID bits enabled can be misused if the SUID/SGID executable has a security problem or bug. All local or remote users can access/use the file, which may prove dangerous. It's a good idea to find all such files, and this can be done using the find command (the -perm /MODE form matches if any of the given bits is set; the older -perm +MODE spelling is no longer accepted by current GNU find):

# See all set-user-ID files:
find / -perm /4000
# See all set-group-ID files:
find / -perm /2000
# Or combine both in a single command:
find / \( -perm -4000 -o -perm -2000 \) -print
find / -type f -perm /6000 -ls

You need to investigate each reported file. See the reported file's man page for further details.
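Running the find commands above on every audit produces a long list dominated by binaries that are supposed to be set-uid (passwd, su, and so on). The following added example (not from the Enea documentation) keeps an allow-list of expected SUID/SGID paths and reports only the files that are not on it; the function names, the demo directory tree and the allow-list are constructed for this illustration.

```shell
#!/bin/sh
# Added example: baseline comparison of SUID/SGID files. The demo tree and
# allow-list are constructed with mktemp; point DIR at / on a real system.

# suid_sgid_files DIR -> sorted paths of regular files with SUID or SGID set
suid_sgid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# unexpected_suid DIR ALLOWLIST -> paths under DIR that are not listed
# (whole-line, fixed-string match) in the ALLOWLIST file
unexpected_suid() {
    suid_sgid_files "$1" | grep -v -x -F -f "$2"
    [ $? -le 1 ]   # grep exit status 1 only means "nothing unexpected"
}

# Constructed demo tree: two expected set-id binaries, one plain binary and
# one unexpected set-uid helper that an audit should flag.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/bin" "$DEMO/opt"
: > "$DEMO/bin/passwd"; chmod 4755 "$DEMO/bin/passwd"   # expected SUID
: > "$DEMO/bin/wall";   chmod 2755 "$DEMO/bin/wall"     # expected SGID
: > "$DEMO/bin/ls";     chmod 0755 "$DEMO/bin/ls"       # no set-id bits
: > "$DEMO/opt/helper"; chmod 4755 "$DEMO/opt/helper"   # unexpected SUID

# Constructed allow-list of the set-id files that are known and accepted.
ALLOW=$(mktemp)
printf '%s\n' "$DEMO/bin/passwd" "$DEMO/bin/wall" > "$ALLOW"

echo "All SUID/SGID files:"
suid_sgid_files "$DEMO"
echo "Not on the allow-list:"
unexpected_suid "$DEMO" "$ALLOW"
```

Regenerate the allow-list from a freshly installed image so that later audits show only what changed.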
Sticky Bit

The Sticky Bit is primarily used on shared directories. It's useful for shared directories such as /var/tmp and /tmp because users can create files, and read and execute files owned by other users, but are not allowed to remove files owned by other users. For example, if user Bob creates a file named /tmp/bob, user Tom cannot delete this file even when the /tmp directory has permission 777. If the Sticky Bit is not set, then Tom can delete /tmp/bob, since the file inherits the parent directory permissions. The root user and file owners can remove their own files. Example:

# ls -ld /var/tmp
drwxrwxrwt 2 sys sys 512 Jan 26 11:02 /var/tmp

A capital T is shown when the execute permissions are off and a lowercase t when they are on.
Secure boot directory

The boot directory contains important files related to the Linux kernel; make sure that this directory is locked down with read-only permissions. You can set the owner and group of /etc/grub.conf to the root user like so:

# chown root:root /etc/fstab
# chown root:root /etc/grub.conf

Example (all files are owned by root only):

# ls -ld /boot/*
lrwxrwxrwx 1 root root      32 Aug  7 13:07 /boot/bzImage -> bzImage-4.9.30-intel-pk-standard
-rw-r--r-- 1 root root 7860816 Jun  8 10:55 /boot/bzImage-4.9.20-yocto-standard
-rw-r--r-- 1 root root 4624464 Aug  7 12:48 /boot/bzImage-4.9.30-intel-pk-standard
Network Security & Remote Access

The networking stack includes IPsec, which provides confidentiality, authenticity, and integrity protection of IP networking. It can be used to implement VPNs, and also point-to-point security.
Encrypt Data Communication

All data transmitted over a network is open to monitoring. Encrypt transmitted data whenever possible, protected with passwords or by using keys/certificates. Below are several methods and tools that facilitate encryption:

Use scp, ssh, rsync, or sftp for file transfers. You can also mount a remote server file system or your own home directory using the sshfs and fuse tools.
GnuPG allows you to encrypt and sign your data and communication, and features a versatile key management system as well as access modules for all kinds of public key directories.
OpenVPN is a cost-effective, lightweight SSL VPN. Another option to try out is tinc, which uses tunneling and encryption to create a secure private network between hosts, on the Internet or on a private insecure LAN.
Lighttpd SSL (Secure Sockets Layer) HTTPS configuration and installation.
Apache SSL (Secure Sockets Layer) HTTPS (mod_ssl) configuration and installation.
Configure Nginx with a free Let's Encrypt SSL certificate on Debian or Ubuntu Linux.
SSH service

SSH is secure by default but its service needs to be hardened as well. Open /etc/ssh/sshd_config and change the default configuration:

Change the default port number 22 to something else, e.g. 99:

root@inteld1521:~# xxxxx

Disable ssh login for root (at present root can log in directly):

ssh root@172.24.12.73
root@inteld1521:~#

Make sure the following configuration is set for the SSH server:

Protocol 2
LogLevel INFO
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 5
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveInterval 900
ClientAliveCountMax 0
UsePAM yes

These settings are the defaults on most platforms; setting them to other values impacts the security of the SSH server. The SSH connection to a server can also be controlled by using the files /etc/hosts.allow and /etc/hosts.deny (TCP wrappers; note that OpenSSH removed tcp_wrappers support in version 6.7, so this only applies to older builds). Set the permissions on the sshd_config file so that only the root user can change its contents, like so:

# chown root:root /etc/ssh/sshd_config
# chmod 600 /etc/ssh/sshd_config
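A subtle failure mode when editing sshd_config is that sshd uses the first occurrence of a keyword, so a hardened line appended at the end of the file is silently ignored if an earlier line already sets the same keyword. The following added example (not from the Enea documentation) audits a config file against the values listed above while reproducing that first-match rule; the function names and the sample config are constructed for this illustration, and PermitRootLogin is assumed as the directive behind "disable ssh login for root".

```shell
#!/bin/sh
# Added example: audit an sshd_config the way sshd reads it. The config file
# below is a constructed sample; on a real host pass /etc/ssh/sshd_config.

# effective_value FILE KEYWORD -> the value sshd would use for KEYWORD:
# keyword match is case-insensitive, comments and blank lines are skipped,
# the first occurrence wins, and nothing after a Match block is global.
effective_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }   # comments, blanks, bare keywords
        tolower($1) == "match" { exit }       # stop at the first Match block
        tolower($1) == k { print $2; exit }   # first occurrence wins
    ' "$1"
}

# audit_sshd FILE -> prints "Keyword: expected X, effective Y" per finding
audit_sshd() {
    f="$1"
    printf '%s\n' \
        'PermitRootLogin no' 'Protocol 2' 'LogLevel INFO' 'IgnoreRhosts yes' \
        'HostbasedAuthentication no' 'PermitEmptyPasswords no' \
        'X11Forwarding no' 'MaxAuthTries 5' \
        'Ciphers aes128-ctr,aes192-ctr,aes256-ctr' \
        'ClientAliveInterval 900' 'ClientAliveCountMax 0' 'UsePAM yes' |
    while read -r key want; do
        got=$(effective_value "$f" "$key")
        [ "$got" = "$want" ] || echo "$key: expected $want, effective ${got:-<unset>}"
    done
}

# Constructed sample: every hardening value is present, but the hardened
# "PermitRootLogin no" was appended after an earlier "PermitRootLogin yes".
CFG=$(mktemp)
cat >"$CFG" <<'EOF'
# constructed sshd_config for the demonstration
Protocol 2
LogLevel INFO
PermitRootLogin yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 5
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveInterval 900
ClientAliveCountMax 0
UsePAM yes
PermitRootLogin no
EOF

audit_sshd "$CFG"
```

The audit reports PermitRootLogin as still "yes", which is exactly what sshd would apply; sshd -T prints the same effective values on a host where it is installed.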
Check for open ports

Identifying open connections to the internet is a critical mission. In Kali Linux, the following command can be used to spot any hidden open ports:

root@172:~# netstat -ral -tuwx -en
Kernel IP routing table
Destination     Gateway         Genmask         Flags   Metric Ref    Use Iface
0.0.0.0         172.24.15.254   0.0.0.0         UG      0      0        0 eth1
172.24.12.0     0.0.0.0         255.255.252.0   U       0      0        0 eth1

The routing table shown above comes from the -r flag; the listing of listening sockets follows it in the output. On systems that ship without netstat, ss -tulpen lists the listening TCP/UDP sockets together with the owning process.
Legacy services and Unencrypted Authentication

Disable legacy services that rely on unencrypted authentication, such as: telnet-server, rsh, rlogin, rcp, ypserv, ypbind, tftp, tftp-server, talk and talk-server. Use OpenSSH, SFTP or FTPS (FTP over SSL, which adds SSL or TLS encryption to FTP) instead.
Disable unnecessary Services

Disabling unused services will reduce the attack surface. Examples of such services include: FTP, DNS, LDAP, SMB, DHCP, NFS, SNMP, etc.
Firewall

Firewalls are an important tool and act as a barrier between a trusted and an untrusted network. Iptables is a firewall (user space application) which allows users to configure the Netfilter framework provided by the Linux kernel. Netfilter hooks packets which pass into, through and out of the system. Kernel-level modules may hook into this framework to examine packets and make security decisions about them.

Iptables contains five tables:

Raw is used only for configuring packets to be exempt from connection tracking.
Filter is the default table, where all the actions typically associated with a firewall take place.
NAT is used for network address translation (e.g. port forwarding).
Mangle is used for specialized packet alterations.
Security is used for Mandatory Access Control networking rules (e.g. SELinux).

Filter and NAT are the most common use cases. The other tables are aimed at complex configurations involving multiple routers and routing decisions, and are beyond the scope of these introductory remarks.

Here are some important features to consider for securing a host network (these kernel parameters are set in /etc/sysctl.conf):

Disable:
IP forwarding
send packet redirects
source routed packet acceptance
ICMP redirect acceptance

Enable:
Ignore Broadcast Requests
Bad Error Message Protection
TCP/SYN cookies

iptables is a systemd service. However, the service won't start unless it finds a /etc/iptables/iptables.rules file. To start the service for the first time, edit:

# vi /etc/iptables/iptables.rules

or

# cp /etc/iptables/empty.rules /etc/iptables/iptables.rules

Draft note: there is no empty.rules in the image.

root@inteld1521:~# ls /usr/sbin/iptables
iptables iptables-restore iptables-save

Then start the iptables.service unit. As with other services, if you want iptables to be loaded automatically on boot, you must enable it. Iptables rules for IPv6 are, by default, stored in /etc/iptables/ip6tables.rules, which is read by ip6tables.service. You can start it the same way as shown above.
After adding rules via the command line, save the configuration file manually:

# iptables-save > /etc/iptables/iptables.rules