Administration – Using Advanced Security Features

A dozen or so pages covering security-related commands are not nearly enough to address the depth of security tools available to you as a Linux system administrator. Beyond the commands covered in this chapter, here are descriptions of some features you may want to look into to further secure your Linux system:

❑ Security Enhanced Linux (SELinux) — The SELinux feature provides a means of securing the files, directories, and applications in your Linux system in such a way that exploitation of one of those areas of your system cannot be used to breach other areas. For example, if intruders were to compromise your web daemon, they wouldn’t necessarily be able to compromise the rest of the system.

SELinux was developed by the U.S. National Security Agency (NSA), who hosts a related FAQ at You need to install SELinux as separate packages. See for details.

❑ Central logging—If you’re managing more than a couple of Linux servers, it becomes preferable to have all your systems log to a central syslog server. When you implement your syslog server, you may want to explore using syslog-ng. Also, if you outgrow logwatch, you should consider using a log parser such as Splunk.

❑ Tripwire — Using the tripwire package, you can take a snapshot of all the files on your system, then later use that snapshot to find out whether any of those files have been changed. This is particularly useful for finding out whether any applications have been modified that should not have been. First, you take a baseline of your system files. Then, at regular intervals, you run a tripwire integrity check to see if any of your applications or configuration files have been modified.

❑ APT database — Another way to check if any of your applications have been modified is by using the APT commands to validate the applications and configuration files you have installed on your system.

❑ chkrootkit—If you suspect your system has been compromised, download and build chkrootkit from This will help you detect rootkits that may have been used to take over your machine. We recommend you run chkrootkit from a LiveCD or after mounting the suspected drive on a clean system.
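
The baseline-then-check workflow described in the Tripwire item above can be illustrated with a short shell script. This is an added example, not code from the original text and not tripwire itself: it uses sha256sum, and the function names (make_baseline, check_integrity, demo) and the sample files are made up for the illustration. Besides modified files, it also reports files added or removed since the baseline.

```shell
#!/bin/sh
# Added illustration of the baseline-then-check idea using sha256sum.
# It is not tripwire and does not use tripwire's database format.
# Assumes GNU coreutils and file names without newlines or backslashes.

# make_baseline DIR MANIFEST: hash every regular file under DIR.
# Keep MANIFEST outside DIR, ideally on read-only or off-host media,
# so that whoever alters the files cannot also rewrite the baseline.
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# check_integrity DIR MANIFEST: print ADDED/MODIFIED/REMOVED lines.
# Exit status 0 means the tree matches the baseline, 1 means it differs.
check_integrity() (
    current=$(mktemp)
    make_baseline "$1" "$current"
    report=$(awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { base[path] = hash; next }
        { seen[path] = 1
          if (!(path in base))         print "ADDED " path
          else if (base[path] != hash) print "MODIFIED " path }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$report" ] && exit 0
    printf '%s\n' "$report"
    exit 1
)

# demo: build a constructed sample tree, baseline it, change it, re-check.
demo() (
    work=$(mktemp -d)
    mkdir -p "$work/tree/etc" "$work/tree/bin"
    echo 'PermitRootLogin no' > "$work/tree/etc/sshd_config"
    echo 'original program'   > "$work/tree/bin/tool"
    echo 'welcome'            > "$work/tree/etc/motd"
    make_baseline "$work/tree" "$work/baseline.sha256"
    echo 'PermitRootLogin yes' > "$work/tree/etc/sshd_config"  # modified
    echo 'unexpected file'     > "$work/tree/bin/extra"        # added
    rm "$work/tree/etc/motd"                                   # removed
    rc=0
    check_integrity "$work/tree" "$work/baseline.sha256" || rc=$?
    rm -rf "$work"
    exit "$rc"
)

demo || echo "integrity check reported changes (exit status $?)"
```

A nonzero exit status from check_integrity makes it easy to run the check from cron and alert only when something differs from the baseline.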


