Rocky Linux workstation and security

Hi,

I am a grateful home user of Rocky Linux workstation edition.

Before RL I was using Fedora workstation.

I decided to move away from Fedora because the upgrade from version 33 to 34 bricked the OS. I wanted something more stable, and RL fits the bill perfectly. I really enjoy using RL as a workstation and am thankful that RL has been created.

I had assumed (rightly or wrongly) when using Fedora workstation that it was pretty well pre-configured from a security point of view.

I noticed that RL workstation has less software pre-configured than Fedora.

And this has made me wonder if there are security related things that I should be installing or setting up with RL.

However, I am not a Linux sys admin (just a retired engineer) and so my knowledge as to how to secure RL workstation is limited.

In the past I have posted topics on this forum asking about e.g. what servers are running by default on RL, if any. I have tried to learn about e.g. making sure services such as ssh and http are not running. I believe running these kinds of servers on a workstation, if they are not needed, can be a security risk. I was concerned about someone being able to connect to my RL workstation and see my data stored on local disk, etc.

I have installed firewall-config and set the default zone to Drop.

The problem with me asking just about servers is that I don’t know what else to ask about. As Rumsfeld would have said, “I don’t know what I don’t know”, and so I am afraid I am not asking the right questions about security because I don’t know what to ask about. I am concerned there are things I should be doing but I am not aware of them.

And so I would like to post this topic - how do I ensure that RL workstation is secure or make RL workstation secure?

I realize this may be a big topic, but it is a very important one to me.

I think it means identifying what is already pre-installed or configured in RL workstation that makes it secure, and what can be done to make it more secure.

Any help is appreciated.

I would also be happy to offer to help with documentation - I think I could be helpful in writing docs for workstation setup. I have made posts or tried to help with posts related to RL setup in general (non security), and I think it would be good to have some of those in the docs as well.

Thanks ahead of time…

Have you looked at RHEL 8 documentation:

2 Likes

Thanks @jlehtone,
I have been looking for something like that and will go through it.

If you don’t already have a copy, UNIX AND LINUX HANDBOOK is a good bedtime read and has a section on security which includes port scanning (to see what’s open), e.g.

[root@localhost ~]# nmap -sT localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2022-01-31 21:10 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00047s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 995 closed ports
PORT     STATE SERVICE
80/tcp   open  http
111/tcp  open  rpcbind
631/tcp  open  ipp
3306/tcp open  mysql
9090/tcp open  zeus-admin

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
[root@localhost ~]#

I got mine for £35 about 3 yrs ago but it’s listed on Amazon now at £52, which is a rip off (2017 edition - getting a bit stale) - the link above is a better deal - I’ve used them before: they’re often the same price as Amazon but sometimes massively cheaper - always worth a look (though you may have a wait if shipping US to UK).

… as you probably know, no system is 100% secure ever. E.g. even your removable drives will be running their own firmware and you can’t know what that does exactly. AMD and Intel chips have processes, e.g. Intel Management Engine, which “always runs as long as the motherboard is receiving power, even when the computer is turned off” and “is an attractive target for hackers, since it has top level access to all devices and completely bypasses the operating system.” (Wikipedia)

Also to bear in mind: copying and pasting a password leaves it in memory that everything on your system has access to…

… just in case you weren’t already paranoid :slight_smile:

EDIT: doh!
nmap -p- localhost to check 1-65535
nmap -p 0-65535 localhost to include 0
“…By default, Nmap scans the most common 1,000 ports for each protocol.” - prob not what you want if you’re checking for open ports… … and default seems to be just TCP…so more reading to do…

1 Like
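A small checker for the kind of scan output quoted above, written here as an added example (it is not from the post or the book): it pulls the open ports out of `nmap -sT` output, flags anything not on a workstation allowlist, and warns when only the default top-1000 ports were probed (the “Not shown” count) rather than `-p-`. The allowlist and the embedded sample scan are assumptions for the example.

```python
import re

# Constructed sample: the scan quoted in the post above, trimmed and embedded so the
# script runs offline. In practice feed it the output of `nmap -sT localhost`.
SAMPLE_SCAN = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2022-01-31 21:10 GMT
Not shown: 995 closed ports
PORT     STATE SERVICE
80/tcp   open  http
111/tcp  open  rpcbind
631/tcp  open  ipp
3306/tcp open  mysql
9090/tcp open  zeus-admin
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
"""

# Assumption: on a plain desktop only CUPS printing (631/tcp, "ipp") is expected to
# listen; anything else on the list should be justified or switched off.
WORKSTATION_ALLOWLIST = {("631", "tcp")}

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) ")

def parse_scan(text):
    """Return (open_ports, ports_probed); open_ports is a list of (port, proto, service)."""
    open_ports, shown, not_shown = [], 0, 0
    for line in text.splitlines():
        m = NOT_SHOWN_RE.match(line)
        if m:
            not_shown = int(m.group(1))
            continue
        m = PORT_RE.match(line)
        if m:
            shown += 1
            if m.group(3) == "open":
                open_ports.append((m.group(1), m.group(2), m.group(4)))
    # Nmap lists only the interesting ports; "Not shown" counts the rest it probed.
    return open_ports, shown + not_shown

def review(text):
    """Return (unexpected_open_ports, notes) for a scan of the local workstation."""
    open_ports, probed = parse_scan(text)
    unexpected = [p for p in open_ports if (p[0], p[1]) not in WORKSTATION_ALLOWLIST]
    notes = []
    if probed < 65536:
        notes.append(f"only {probed} ports probed; rerun with -p- (and -sU for UDP)")
    # SERVICE is nmap's guess from its port table; confirm the real listener with `ss -tlnp`.
    return unexpected, notes
```

Run `review(SAMPLE_SCAN)` to get the four listeners that need a reason to exist on a desktop (80, 111, 3306, 9090) plus the note that only 1000 ports were probed.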

Hi bobar,
Thanks for your input.
I will check out that book.
I had heard of the Intel Management Engine but didn’t realize it was that bad.
I’m a little bit more paranoid now :wink: but that will motivate me to learn more :slight_smile:

It all depends how far you want to take this… (or rather how much effort/time you want to put into this)

First thing: security is a process, it is not a state.

You need to define what is “secure” for you, and what you are protecting from (a threat model). Some abstract and/or high level ideas are in security standards: BS7799, ISO17799, ISO27002. (This should give you an idea of what you don’t know)

Securing just a workstation is not enough (at least for me), you need to secure the entire network:

  • router/firewall
  • wifi access point (i.e. disable WPS)
  • personal invigilation devices (android, ios, windows) need to be isolated (preferably each in its own ssid/vlan, with aggressive firewall)
  • iot/legacy devices (i.e. AV receiver, older TV, internet radio device) need to be isolated (proprietary, outdated firmware) (my 10 year old LG plasma TV is trying to send a report to its overlord every time I change a channel…)
  • proprietary devices need to be isolated (i.e. qnap nas, thermomix)
  • house guests’ devices need to be isolated

On RL workstation:

  • I’d rather install minimal version and manually install what I need, rather than rely on someone else to decide what I need.
  • Listing all installed packages and identifying whether they should be installed or not (I am looking at you: avahi)
  • system wide crypto policies (man update-crypto-policies). I tend to create my own policy (the FUTURE is not future enough for me…)
  • there are security scanning tools: openvas, openscap, lynis (from epel repo: sudo lynis audit system)
  • usbguard for me is mandatory
  • systemd (sudo systemd-analyze security)
  • selinux enforcing for me is mandatory. check se audit logs periodically
  • disk encryption is for me mandatory (including USB drives)

Generic security process:

  1. create inventory of hardware and software
  2. define what “secure” is
  3. define what you are protecting from
  4. based on 3) identify weak points in your infrastructure and implement countermeasures
  5. audit (scan your infrastructure)
  6. document everything (this is the most important step!!! - after a month or two you won’t remember what, why, how…)
  7. goto 1)

I would not recommend spending any money on linux/security books. They get outdated really fast, and everything is available online for free (RH8 documentation is very good).

3 Likes

Hi j6tqgf.s,
Wow, thanks very much for taking the time to share your knowledge and writing your extensive post!
You make a lot of excellent points.
Thanks for mentioning the security standards - I did not know about them.
You mention many things I was not at all aware of to check on RL.
Also you make excellent points that it is not just RL but all the hardware and software connected to it.
Thanks again!

@j6tqgf.s

All excellent stuff but I have to disagree about not spending any money on books. A lot of the time it’s true - the info is on the internet and info goes out of date all too quickly in IT, rendering printed material obsolete. However, in some cases …

  1. the information is generalised or good for a reasonable period of time - I’m still referring to the linked title 5 yrs after it was published and it is still full of relevant useful information and will be for a time to come - it often serves as a starting point before digging deeper online. The fact that it is in its 5th edition says something about its value.
  2. if you use real books it gets you away from a screen.
  3. a well curated and organised body of information - particularly on a wide ranging and complex topic by experienced authors - will save you time and let you understand where everyone else is coming from - similar to taking a course.

One other point: in deciding what “secure” is, for most people, and particularly in relation to personal computing, it may be easier to accept the vulnerable nature of modern IT, take the basic/sensible precautions i.e. no $$$$ transfer deals with deposed African leaders, regular backups and software updates, browser blockers/privacy guards, good password habits etc. and then use the system on the basis someone will likely hack/compromise it at some point. … although that last bit really applies regardless of what you do…

2 Likes

Hi @bobar,

Thanks again for your posts.

I am asking for help, and input, and suggestions from the kind people, including yourself, that are on these forums.

And many including yourself, are kind enough to help out.

But people can have different opinions about different things and people will not always agree.

I see you directed your last post at another poster - I would appreciate it if you kept your posts as responses to my post. I don’t really want to see my original post and issue become an argument between others.

@RL1000

…but outright dismissing someone else’s suggestion without any caveats or justification is acceptable? :exploding_head:

Fair enough … if I can’t defend my input from criticism in your topics then I can’t contribute to your topics.

Bear in mind also that your post and the contributions to it will hopefully serve others later and debating differences of opinion may be important to those later visitors.

In disagreeing with what someone has said it is customary to address them - not doing so may be taken as a sign of contempt.

Hi folks,

Starting to veer a bit off topic here I think.

Perhaps @bobar and @j6tqgf.s if you wish to continue your discussion about this, please do so (but in a new thread). These conversations are great to have and there is inherent value in discourse such as this, but let’s try and keep this thread clear for folks wanting to answer @RL1000 's question :slight_smile:

</mod>

1 Like

God how I HATE packing up the apt again after only 2 yrs here — Break Time!!

I try to take reasonable security measures: I have a gateway and put everything else behind it. I use firewalld and turn OFF everything that is not being used or will be used, leaving only a handful of programs that are left ON. I use strong PASSWORD protection using 13 character or more PASSWORDS – closer to being a PASS PHRASE than a PASSWORD – using UPPER, lower, Special Character, and Numbers. I use SELinux and have it set to Enforcing. Once a month I run maldet and rkhunter. Lastly, WEEKLY I run BackupNinja and once a quarter I backup the ENTIRE Disk just in case I have a major disaster, so I can restore the entire disk.

There is nothing on any of my workstations of any importance – I am a retired Ph.D, Research Microbiologist who follows Emerging Infectious Diseases as a “Hobby”, and who writes Essays on a whole range of topics, and occasionally tests some program for my buddy running it inside a VM that might require some extra Horse Power – by the same token I have no desire for some clown to take over any of these machines and add them to some bot. If they want IN they are going to have to fight their way in – better yet, go pick on some stupid Windows User who does not take even a minimum of these security procedures – and we all know and probably could name SEVERAL of them personally. Most don’t even use Passwords because “It’s too hard to remember them”, they don’t separate Administrator and User Accounts – the USER IS the Administrator.

Now IF this were a Governmental Workstation where there is SENSITIVE information stored, I might want to go a lot farther by encrypting all the information, restricting user access, etc. etc., etc. Now is my Workstation “Secure”? It depends on how one defines “Secure”. Using Linux all by itself is a Security Measure, then throw on some of the measures I’ve taken and my personal workstation is far more “Secure” than most PCs and probably more secure than many Governmental Workstations that also depend on Windows. I’ve actually watched someone try and break into my system – and that’s just at the gateway!! At a certain point they simply give up and go elsewhere. Were they to actually get through the gateway they run into even more locked down computers. Throw in the ISP’s Firewall, the Modem’s Firewall, the Router’s Firewall, and the Hub’s Firewall, and you have a fairly secure system. Right now ocelot’s weak point is it is facing outside and is not behind the gateway – YET!!

OK back to the Salt Mines, and more PACKING!!

D’Cat

1 Like

I didn’t see it mentioned anywhere, but you also want to configure aide (in aide.conf) and then generate your aide.db.gz file, using the commands:

===AIDE===

aide --init
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Then set up a daily or weekly cronjob to run:

aide --check

Check your system messages daily or weekly looking for new files annotated in the added section, modified files, and removed files.

===AUDITD===
Also configure auditd.conf, set up your audit rules (/etc/audit/rules.d/audit.rules is where I put all of my rules) and ensure there are no duplicate rules breaking your audit configuration. Don’t forget to enable and start auditd. After doing this, check your audit logs, also daily or weekly.

1 Like
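An added example (not part of warron.french’s post) of the duplicate-rule check suggested above: it reads audit rule files the way augenrules merges them from /etc/audit/rules.d and reports any rule that appears more than once, since auditctl refuses to load a rule that already exists. The sample rule files are constructed for the example, and `load_rules_dir` is a helper for pointing it at a real directory.

```python
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample rule files (not from any real system). augenrules merges
# /etc/audit/rules.d/*.rules in lexical order, and auditctl refuses to load a
# rule that already exists, so the repeated /etc/passwd watch below would fail.
SAMPLE_RULES = {
    "10-base.rules": """\
-D
-b 8192
# watch identity files
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
""",
    "50-custom.rules": """\
-w /etc/ssh/sshd_config -p wa -k sshd
-w   /etc/passwd  -p wa   -k identity
-a always,exit -F arch=b64 -S execve -k exec
""",
}

def normalise(line):
    """Strip comments and collapse whitespace so cosmetically different copies compare equal."""
    return re.sub(r"\s+", " ", line.split("#", 1)[0].strip())

def find_duplicates(rule_files):
    """rule_files: {filename: text}. Returns {rule: [(file, lineno), ...]} for rules seen twice or more."""
    seen = defaultdict(list)
    for name in sorted(rule_files):            # same order augenrules uses
        for lineno, raw in enumerate(rule_files[name].splitlines(), 1):
            rule = normalise(raw)
            # Control directives (-D, -b, -f, -e) are settings, not rules; skip them.
            if not rule or rule.startswith(("-D", "-b ", "-f ", "-e ")):
                continue
            seen[rule].append((name, lineno))
    return {rule: locs for rule, locs in seen.items() if len(locs) > 1}

def load_rules_dir(directory="/etc/audit/rules.d"):
    """Read every *.rules file from a real rules directory into the mapping find_duplicates expects."""
    return {p.name: p.read_text() for p in sorted(Path(directory).glob("*.rules"))}

if __name__ == "__main__":
    for rule, locs in find_duplicates(SAMPLE_RULES).items():
        print("duplicate:", rule, "at", ", ".join(f"{n}:{l}" for n, l in locs))
```

Run it as root against the real directory with `find_duplicates(load_rules_dir())` before `augenrules --load`, so a stray copy of a watch does not stop the rest of the rule set from loading.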

Ah!! Another CentOS Refusenik has made their way to Rocky Linux. Glad to see you once again.

D’Cat

@desercat,
Thanks for your post and all the tips. Was not aware at all of maldet.

@warron.french,
Thanks for pointing out Advanced Intrusion Detection Environment (AIDE).
I had not heard about it.
Will definitely run that on a regular basis.

1 Like

Was not aware of Advanced Intrusion Detection Environment (AIDE) either. Will have to check it out… at some point.

@warron.french
Thanks, I’m also not aware of AIDE.

1 Like

All these measures described to secure your linux system seem most appropriate to those serving the public with some sort of web content or managing other computers from outside a local network.
In the 20+ years I have been using linux and the various flavors of DE’s on my private lan I have not faced one episode of an attack that was targeted at a linux system. On the other hand, in that same time period, including to this day, I periodically see exploits targeted at my MS based systems. That isn’t to say that the above protocols aren’t necessary but that the extremes you take should be based on who you are and what you do that might make you a desirable target. Maintaining tight security is a consuming activity. You can’t just set it and forget it.

Ironically @jbkt23, I was running Red Hat Linux 21 years ago on a personal PC, before the various distros of Red Hat became simply Red Hat Enterprise Linux.

Anyway, 21 years ago I was running Red Hat on a personal PC that I owned which was connected directly to the internet on what was then referred to as the @Home ISP. While I was doing that, I was glad to be running an ipchains firewall, and I had it logging every connection to a logfile (duh, right).

In that logfile I saw several different attempts to connect to tons of Linux associated application ports, such as sendmail (not Postfix back then), ntp, apache (1.x in those days) and so on.

I had hacker attempts from CZ, RU, CN, IN, and several other TLDs. I set a logon banner, which you and I both know really means nothing in terms of being enforceable by me as an individual. I also decided to run connection attempts against some of the hosts that were trying to connect to me, and many of the IPs started dropping off.

So, yeah, people do try to hack Linux, but you are correct in saying it is a lower percentage of attempts with respect to being persistent attacks.