Article Title: five steps to deploy Linux in security mode. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Channel, which means that the path or method is a guide or rule set for the desired result. Similar to other channels, security requires a structured and systematic method. At the same time, it should also be a whole, covering every part of the system lifecycle (from planning to retirement. The steps in this article are composed of five steps. Each Linux system must establish a baseline through these steps. These steps are neither the beginning nor the final security solution.
I will deploy two sample systems (a Fedora desktop system and a Debian server system) to demonstrate how security is implemented in detail during each step, I chose Fedora because it is now the most popular release and can work well for any purpose. It has many desktop enhancement features, and is the most easy-to-use Linux release without command lines recommended by users, I chose Debian as our server platform because it is lightweight, has a long history and is stable, has a strong support community and a large number of documents. Both are excellent platforms and both have their own built-in security standards. If you like other releases, the steps mentioned here can be applied to any system.
Step 1: Plan
The first step is also the most important step, because the decision you make here will affect the overall security. The first step is to define the target to which the system will be deployed, will it be a small email server? Or a desktop system? Or an intrusion detection system? Once you have a goal, you can use it to guide the entire process and focus on how to provide a safer environment as much as possible, security should never impede functional integrity. After all, what is the purpose of deploying an unusable system ?!
Next, you need to decide a security goal for your system. The main goal should be based on the principle of minimum access or minimum permission, this means that only the minimum permissions required for system operations are provided for users and programs. You should have other security goals, such as scanning every file with anti-virus software or performing authentication on each user with LDAP, however, the minimum permission should remain unchanged.
To achieve these goals, you should think about how to implement them and answer some simple questions that will help you make the right decisions in steps 2 and 4. Will the system be used as a server or a desktop system? This problem determines most of the configurations on your new system. Will the user access the system locally or remotely? This is another important security-related configuration problem. Does the system need a desktop environment?
If you are familiar with the command line, deploy the system as a headless or GUI interface, and delete the X window System from your installation, you will accidentally reduce the attack surface of the system (the area where you are exposed). On the other hand, if you or your colleagues need a GUI, installing only one GUI and figuring out how to properly lock the system, installing X when installing the server, and installing X when installing the desktop system is a thumbs up method.
Finally, plan what the application will do on the system, determine which database it depends on and what operations are more common: after the system runs a remote command, unnecessary libraries are used to conceal the hacker's posture or detect the network. If you do not need a package, do not install it.
After you have figured out these questions and answers, write them to your installation logs or workbooks and keep them updated.
Step 2: Install
After writing down these plans, go to the construction step, starting with the application of the security target you set in the planning step, due to space restrictions, the following section does not list a detailed check list for the sample installation. I only mark the security-related options. In Step 1, in the Installation Log, write down your options during the installation process, which can be used when you reinstall the system.
Fedora Core 7
Start from a Fedora 7 ISO file (which can be found at the release image site) to a clean system. After confirming that your keyboard and language are set, go to the disk partition section, for most desktop releases, the installer directly configures the partition. However, if the system is prepared by some work-sensitive people, put the/home folder in a separate partition.
After the partition is complete, enter the start Manager option, select GRUB and set a password for it. It is best practice to set a password for the start manager, it helps you protect your data from loss when the disk or system is stolen. A good password should be complicated, avoiding the use of words in the dictionary, pure numbers, pure letters and non-alphanumeric symbols.
On the next screen, select DHCP, because the client usually does not need static IP addresses. If you need static IP addresses, you must use Network Address Translation (NAT) somewhere on your network. Next, set a host name and domain, and set a complex password for the root user. On the package selection screen, if you select Custom installation, carefully check the software package you selected. On the custom selection screen, select only one desktop environment [Translator's note: GNOME/KDE, etc.]. Installing one more desktop environment poses an even greater risk. Retain the default GNOME option and check every other option, you will find that many software packages will be installed (). There are 843 software packages in my installation, and your numbers may be different. Exclude unnecessary software packages, there is an optional box before each package. After you select the package, the system restarts.
Select the software package to be installed under Fedora 7
[1] [2] [3] [4] [5] Next page