I’ve bored the readers of my personal website to death with two rather prosaic articles debating the Linux security model, in direct relation to Windows and associated claims of wondrous infections and lacks thereof. However, I haven’t yet discussed even a single program that you can use on your Linux machine to gauge your security. For my inaugural article for OSNews, I’ll leave the conceptual stuff behind, focus on specific vectors of security within the world of reason and moderation that I’ve created, and show you how you can bolster a healthy strategy with some tactical polish, namely software.

Do not expect wonders or detailed guides on how to set up this or that NIDS. That’s not the idea.

The idea is to help you understand the core elements of security, focus on identifying your needs and meet them with a flexible and transparent solution. The choice of software will reflect your needs.

Let us begin.

Linux security as a concept



Linux security revolves around minimizing exposure to malicious code by installing software only from digitally signed repositories, minimizing accidental or automated damage by working from a non-root account with sane default file permissions, and keeping diversity of software as a reserve.

Now, some of the suggested repertoire might need some small tweaking.

Keep the system up to date



This is a very simple, very important piece of the puzzle. Make sure the software repositories are configured and that you have an automated update mechanism in place. Having your system fully patched is always a good idea: most attacks on desktops exploit bugs for which a fix has already been published, and the update closes the hole before anyone gets to use it against you.

Firewall



Firewalls sound like an interesting concept. Basically, a firewall is a tool that controls the traffic flow in and out of your machine. Firewalls are configured to permit traffic you initiated and asked for, and to block traffic that was sent without invitation (unsolicited). A stateful firewall does this by tracking connections: replies to a connection your machine opened are let back in, and anything else arriving from the network is dropped unless a rule explicitly allows it. This holds true for firewalls on all operating systems.

To work with one, you do need some basic understanding of networking. Luckily for you, most distributions ship with a firewall enabled, with default rules that permit a reasonable level of comfortable use, without any special changes required. In a few cases, you may need to create manual rules to allow additional functionality, like Samba sharing. When you do, allow the port only from your local network rather than from everywhere; each rule is an exception to the default policy, and the narrower the exception, the better.

Some distributions ship with a graphical management console for the firewall, which simplifies the usage. Others stick to the command line, making them less suitable for new users.

Here are a few examples (the original article illustrated each with a screenshot; they are not reproduced here):

Fedora 12 ships with the firewall enabled and a graphical configuration tool for it.

Ubuntu, on the other hand, ships with the firewall (ufw) installed but disabled. The reasoning is that a default desktop install has no network-aware services listening, hence nothing for a firewall to protect, and hence no management console for the firewall either. However, you can very easily restore the missing bits with additional software like gufw, a graphical front-end for ufw. If you do start a network service, enable the firewall first.

openSUSE ships with its firewall enabled and manages it through a YaST module.
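What the "permit what I asked for, drop the rest" policy looks like when written down, as an added example that is not part of the original article: a minimal nftables ruleset of the kind the distribution tools generate for you, with the exceptions (ssh, Samba) left commented out and scoped to an assumed LAN range of 192.168.1.0/24. The function names and the LAN range are this example's own choices; nftables is assumed to be the packet filter in use.

```shell
#!/bin/sh
# Added example (not from the article): a minimal stateful nftables ruleset
# that allows what the machine asked for and drops everything unsolicited.
# Assumptions: nftables is the packet filter; 192.168.1.0/24 is a made-up LAN.

# Print the ruleset. Lines starting with # inside the heredoc are nft comments.
gen_ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept                            # local processes talking to themselves
        ct state established,related accept       # replies to connections we opened
        ct state invalid drop                      # packets that fit no known connection
        meta l4proto { icmp, ipv6-icmp } accept    # ping, path MTU, IPv6 neighbour discovery

        # Exceptions for services you really run, scoped to the LAN rather than
        # the whole internet. Uncomment what you need.
        # ip saddr 192.168.1.0/24 tcp dport 22 accept              # ssh
        # ip saddr 192.168.1.0/24 tcp dport { 139, 445 } accept    # Samba
        # ip saddr 192.168.1.0/24 udp dport { 137, 138 } accept    # NetBIOS name/datagram

        # Anything else falls through to the chain policy: drop.
    }
    chain forward {
        type filter hook forward priority 0; policy drop;   # a desktop does not route
    }
    chain output {
        type filter hook output priority 0; policy accept;  # traffic we initiate is fine
    }
}
EOF
}

# Default policy of the input chain, read back from the generated text.
input_policy() {
    gen_ruleset | sed -n '/chain input/,/^[[:space:]]*}/ s/.*policy \([a-z]*\);.*/\1/p'
}

# Number of uncommented rules that open a port to incoming connections.
# Zero means nothing is reachable from outside unless you deliberately enable it.
count_open_ports() {
    gen_ruleset | grep -v '^[[:space:]]*#' | grep -c 'dport' || true
}

# Syntax-check without loading: nft -c parses the file and commits nothing.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed, skipping check" >&2; return 0; }
    tmp=$(mktemp) || return 1
    gen_ruleset > "$tmp"
    if nft -c -f "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return "$rc"
}

# Load the ruleset, replacing whatever is active. Root only; run it from the
# console rather than over ssh unless the ssh exception above is enabled.
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: must be root" >&2; return 1; }
    tmp=$(mktemp) || return 1
    gen_ruleset > "$tmp"
    if nft -f "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return "$rc"
}

gen_ruleset
echo "input policy: $(input_policy), ports opened to the outside: $(count_open_ports)"
```

Run it as a normal user to see and sanity-check the ruleset; run apply_ruleset as root to load it. On a distribution that still uses iptables the same policy is a default INPUT policy of DROP plus a rule of the form -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT.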

Scanning for malware



This is so 90s, when you think about it, but some people still have a dire need for scanners. In that case, you may want to consider using either the rkhunter or chkrootkit scanners, both of which probe your system for signs of known rootkits and for nefarious changes to system binaries. Both are command-line only. Note that rkhunter compares file properties against a baseline it stores locally, so that baseline must be created while the system is known to be clean, or the scanner will happily bless an existing infection.

Using these scanners implies a deeper understanding of the Linux system. Then, there’s the question of what to do if you encounter a problem. Can you really trust a subverted machine? A rootkit that has reached the kernel can hide from any scanner running on top of it, which is why a positive result from these tools means something but a clean result proves little. How do you recover? You should definitely read my previous article for that.

Anti-virus (not needed, but read on)



You do not need one.

Seriously. Honestly. It’s not required. It’s useless. In the worst case, if you can’t let go of your Windows demons, go for a free solution, so you need not waste your money on something that is redundant by concept.

There’s ClamAV (with front-ends such as KlamAV for KDE), as well as a number of commercial vendors that have started shipping solutions for Linux. Then, most anti-virus rescue CDs are themselves based on Linux. ClamAV and its front-ends can be found in the repositories.

As a security measure, anti-virus products are problematic due to their signature-based nature, which is always competing against malware creators and always lagging behind. The only sensible reason to use anti-virus on Linux is to scan files that you receive from your friends running a flavor of Windows before forwarding them to other Windows users; the same logic applies to a Linux file server or mail gateway that serves Windows clients. That way, you may break the chain of accidental malware spreading. You may not notice or care, but your clueless friends could. The best solution is to have no friends, but most people fail at this.

On that note, please consider reading my whitelisting vs. blacklisting article.

Still, you need not have a resident program running on the system. You can go for a web solution, like Jotti or VirusTotal, both of which use multiple scanners to detect malicious content. Upload a file and it will be diagnosed by a host of dedicated anti-malware engines. Bear in mind that an uploaded file leaves your hands, and in VirusTotal’s case is shared with the anti-virus vendors, so keep documents containing private data away from such services.

You can also consider using dedicated security distributions for offline, in-depth system scanning and analysis. Booting a live security distribution like BackTrack and inspecting the disk from there sounds like a very good idea, since none of the suspect system’s own binaries or its kernel get to run.

You may also sin the sin of using a Linux-friendly Windows-based preinstalled environment (PE) like BartPE or UBCD4WIN, which bundle scanner utilities and can be booted on a Linux machine, too.

Startup applications and services



If you’re in the mood, go through the list of applications and services configured to run on your machine: on SysV-style systems with chkconfig or the distribution’s services tool, on systemd-based systems with systemctl. You may discover undesired processes running, hogging resources, possibly exposing your machine to threats, or plainly doing things you do not want. Pay special attention to anything that listens on the network, because a listening service is reachable by whatever the firewall lets through. While this can take the form of system optimization, it also has security implications.

As an analogy to Windows, think of these as the msconfig and services.msc utilities.

System awareness



System awareness goes beyond malware. It’s about controlling your system and knowing what’s running when, where and why. There are tons of tools available, many already installed and waiting for you.

If you’ve read my Linux cool hacks, both parts one and two, you’ve learned about a few useful system tools that provide better visibility of what’s happening inside your system.

I’m going to mention a few, just briefly. Some of these will have their own dedicated article, with numerous examples and screenshots.

/var/log/messages

This is the traditional system log. Almost everything goes in there. Reading the log will give you an indication of possible system issues, including software errors, as well as possible security-related items. You do need some knowledge to read the file properly. On Debian and Ubuntu the equivalent file is /var/log/syslog, and on systemd-based distributions the same records live in the journal, read with journalctl.

/var/log/secure

Authentication events, ssh logins and sudo use included, are normally logged to a separate file: /var/log/secure on Red Hat-based systems, /var/log/auth.log on Debian and Ubuntu (the destination is set by the syslog configuration, so you can change it). Then, you can examine the log for repeated failed logins, logins from addresses you do not recognize and refused sudo commands, which are the simplest signs of remote connection attempts and privilege escalation.
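The kind of check that paragraph describes, as an added example that is not part of the original article: a script that picks the authentication log for the distribution and pulls out failed ssh logins grouped by source address, successful ssh logins, and failed sudo attempts. The log lines it runs over are constructed for the example (documentation address ranges, made-up usernames); set AUTH_LOG to the real file to run it on your machine.

```shell
#!/bin/sh
# Added example (not from the article): read the authentication log and pull
# out the three things worth a daily glance: failed ssh logins grouped by
# source address, successful ssh logins, and failed sudo attempts.
# The sample log below is constructed for this example; the addresses are
# documentation ranges, not real hosts.

# Red Hat derivatives log auth events to /var/log/secure, Debian and Ubuntu
# to /var/log/auth.log. Print the first one that is readable.
detect_auth_log() {
    for f in /var/log/secure /var/log/auth.log; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# Failed ssh password attempts per source address, most frequent first.
# Output lines look like "3 203.0.113.5".
failed_ssh_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Successful ssh logins as "user method source", so an unexpected one stands out.
accepted_ssh_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ {
             for (i = 1; i <= NF; i++) {
                 if ($i == "Accepted") method = $(i + 1)
                 if ($i == "for")      user   = $(i + 1)
                 if ($i == "from")     src    = $(i + 1)
             }
             print user, method, src
         }' "$1"
}

# sudo failures: a wrong password, or a user who is not in sudoers at all.
# Successful sudo lines (TTY=... ; COMMAND=...) are normal and not matched.
sudo_failures() {
    grep -E 'sudo: .*( incorrect password attempts| user NOT in sudoers)' "$1" || true
}

count_sudo_failures() {
    sudo_failures "$1" | wc -l | tr -d ' '
}

# Constructed sample in the syslog format both files use.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 03:14:07 box sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:11 box sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:15 box sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 03:20:02 box sshd[1210]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jan 10 03:21:40 box sshd[1212]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:constructed
Jan 10 03:22:05 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Jan 10 03:25:30 box sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Jan 10 03:26:01 box sudo:  mallory : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash
EOF

# Set AUTH_LOG (for instance to what detect_auth_log prints) to run on the real file.
LOG=${AUTH_LOG:-$SAMPLE_LOG}
echo "== failed ssh logins by source";  failed_ssh_by_source "$LOG"
echo "== accepted ssh logins";          accepted_ssh_logins "$LOG"
echo "== sudo failures ($(count_sudo_failures "$LOG"))"; sudo_failures "$LOG"
```

Three attempts from one address against two different accounts, followed by nothing, is the everyday background noise of an internet-facing ssh port; the lines worth acting on are an accepted login from an address you do not know, and a sudo failure by a user who should not be trying.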

Examine logged in users

There are many ways of doing this. w, who and last read the utmp and wtmp session records, and lastlog shows the most recent login of every account. Those records can go stale or be edited by an intruder, so the most accurate check is the process list: ps shows the processes actually running and the users they belong to, and a user with processes but no session entry deserves an explanation. Manually dumping utmp and wtmp can also work.

Process accounting

If you enable process accounting (pacct, from the psacct or acct package), the kernel writes a record for every process that terminates on your machine: the command name, the user, the start time and the CPU time used. Then, you can dump the log and look for suspicious entries. Automating the mechanism can provide you with a useful early warning system.

lastcomm prints those records for previously executed commands, most recent first, and can be narrowed down to one user, command or terminal. Process accounting records what ran, not how busy the machine was; sar, from the sysstat package, records overall system activity (CPU, memory, I/O, network) over time and complements it nicely.

Audit files

It is possible to audit access to core system files. This is what the Linux audit framework is for: a kernel auditing facility, driven by the auditd daemon and configured with auditctl rules, that lets you watch critical files (the password and sudoers files, the ssh daemon configuration, cron entries) and record every write or attribute change together with the process and user responsible. I’m going to write a dedicated article soon. Stay tuned.
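The commands behind the process accounting and audit paragraphs above, as an added example that is not part of the original article: a set of audit watches on the files an intruder has to touch to add an account, grant himself sudo or keep a way back in through ssh or cron, plus the commands that turn on process accounting and read it back. The file list and the rule keys are this example's own choices; auditd and the psacct (Red Hat) or acct (Debian) package are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the article): audit watches on critical files, and
# process accounting to record what actually ran. Assumptions: auditd is
# installed, and psacct (Red Hat) or acct (Debian) provides accton/lastcomm.
# The file list and the -k keys are this example's own choices.

# Files an intruder must touch to add a user, gain sudo, or keep a way back in.
# -p wa: log writes and attribute (permission/owner) changes.
# -k key: a tag, so the events can be pulled back out with ausearch -k.
audit_rules() {
    cat <<'EOF'
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-w /etc/sudoers.d/ -p wa -k privilege
-w /etc/ssh/sshd_config -p wa -k remote_access
-w /etc/crontab -p wa -k persistence
-w /etc/cron.d/ -p wa -k persistence
EOF
}

# How many watches the rule set defines (a sanity check before loading).
count_watches() {
    audit_rules | grep -c '^-w '
}

# Keys defined in the rule set, one per line, deduplicated.
rule_keys() {
    audit_rules | awk '{ print $NF }' | sort -u
}

# Write the rules where auditd reloads them on boot, then load them now.
# Root only; rules.d is the directory augenrules reads on current auditd.
load_audit_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "load_audit_rules: must be root" >&2; return 1; }
    audit_rules > /etc/audit/rules.d/50-critical-files.rules
    augenrules --load
}

# Turn on process accounting. The kernel then appends a record for every
# process that exits to the pacct file the service created.
enable_process_accounting() {
    [ "$(id -u)" -eq 0 ] || { echo "enable_process_accounting: must be root" >&2; return 1; }
    if command -v systemctl >/dev/null 2>&1; then
        systemctl enable --now psacct 2>/dev/null || systemctl enable --now acct
    else
        accton on
    fi
}

# Last 20 commands run by one user, straight from the accounting records.
recent_commands_for() {
    lastcomm --user "$1" | head -n 20
}

audit_rules
echo "watches: $(count_watches); keys: $(rule_keys | tr '\n' ' ')"
```

Once the rules are loaded, ausearch -k identity -ts today lists every change to the account files since midnight, aureport -k summarises audit events by key, and recent_commands_for alice shows what that user actually ran. Watches on directories (sudoers.d, cron.d) catch files dropped there, which is where persistence usually hides.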

Other tools

You also have a range of other utilities available, like netstat (or its successor ss) and nmap, which help you examine your machine’s network visibility: netstat lists the ports your own machine is listening on, while nmap run from another host shows which of them actually reach through the firewall.

Geek stuff



There’s geek stuff, of course. For example, you may want to use system hardening tools like AppArmor, by creating special, sandbox-style profiles for your applications. Each profile lists the files, capabilities and network access a program is allowed, and everything outside it is denied, so an application compromised through an error, a bug or a vulnerability is restricted from doing harm to the rest of your system, even if it runs as root.

There’s also SELinux, enabled by default in most Red Hat-based distributions like Fedora, which does the same job with a different model: a label on every process and file, and a policy that says which labels may interact.

Conclusion



I’ve written lots of stuff. So what do you take from this article? Well, the firewall seems like the best single solution overall. It’s useful and sometimes rather necessary. Anti-virus and malware scanners are definitely not needed. The rest is perks. Take it or leave it. You can live a comfortable desktop life in Linux without so much as lifting a finger, with most distributions configured properly out of the box, including a firewall enabled and running and hardening profiles preconfigured for you.

You may want to invest time in learning how to use the logging tools and facilities, as they offer a wealth of useful information. Properly configured and used, they will replace the need for commercial tools that strive to do that for you.

Server security is a different matter altogether, but for home use, you’re in really good shape. Just make sure to keep the system patched, install software from official repositories and run a firewall. The rest is polish.

Windows users moving to Linux often suffer a surge of panic at the sheer lack of security-related buzz, but it’s really simple and quite boring. There’s no need to go overboard. You can invest your brain cycles in having fun. That would be all.

Cheers.