Jan 7 · 2 min read
By: Emily Nardone
Recently, SANS Institute released a whitepaper called Taming the Wild West: Finding Security in Linux, designed to help companies improve the security posture of their Linux environments. This is a growing topic of discussion within the SANS community, especially as so many organizations are building out their cloud-based development efforts on Google Cloud, AWS, or even Microsoft Azure, which surprisingly runs over 50% of its cloud on Linux.
The whitepaper contains some really great information about how to approach security in your Linux environment. We here at Cmd thought it would be helpful to summarize these best practices, so we have created a short checklist that you can use as a self-assessment of your Linux environment. Download the checklist here.
The reason this guidance from SANS is so important is that many security organizations have built their internal security operations to fit the dynamics of a traditional Windows environment – users running Windows PCs on a local or distributed network.
Linux, however, is different. You need to approach it with a different set of tools and techniques.
Fundamentally, SANS recommends these five best practices:
- Do not run as Root: This is a common mistake that can easily lead to a breach. Any kind of root-level access gives hackers the means to act on a system without ever actually compromising the account. Running as root used to be common for “quick-fire” activities like installing software or troubleshooting, but it’s simply not needed anymore.
- Monitor and Enforce Command Policies: Within the Linux operating system, certain commands and binaries are available only to root users—this is by design of the operating system. Any user running a command outside of those specified for them should raise concern, since it can signal a potential threat to your environment.
- Profile Account Usage and Privileged Access: Information security teams need to be aware of how accounts are accessing the environment. One would hardly expect root accounts to show constant, high-volume activity across an environment. Look for suspicious root user activity, or at least for abuse of account privileges.
- Monitor Workflows in the Environment: The usage of automation software in recent years has exploded, opening up a large window for exposure or misconfigurations that a security team may be unable to keep up with. Determine the workflows for your environment and monitor them closely to stay ahead of them.
- Think of Linux like an Attacker: This one is pretty self-explanatory. If you can put yourself in the shoes of a hacker, is your environment vulnerable? Think about the ways in which your operating system could potentially be abused and begin implementing protection to counter any attacks.
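To make the second and third practices concrete, here is an added example (not code from the whitepaper, SANS or Cmd) that parses sudo entries from a Linux auth log, flags commands run as root that fall outside an assumed allowlist policy, and counts how often each account escalated to root as a baseline for profiling. The log lines and the allowlist are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format sudo writes to /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Jan  7 09:12:01 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Jan  7 09:13:44 web01 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan  7 09:15:10 web01 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jan  7 09:15:12 web01 sudo:   carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Jan  7 09:16:00 web01 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51422 ssh2
"""

# Assumed example policy: the only binaries users may run as root via sudo.
ALLOWED_ROOT_COMMANDS = {"/usr/bin/apt-get", "/usr/bin/systemctl"}

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

def parse_sudo_events(log_text):
    """Return one dict per sudo line; non-sudo lines (e.g. sshd) are ignored."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            event = m.groupdict()
            event["binary"] = event["cmd"].split()[0]  # path of the executed binary
            events.append(event)
    return events

def policy_violations(events, allowed=ALLOWED_ROOT_COMMANDS):
    """Commands run as root whose binary is outside the allowed set."""
    return [e for e in events if e["target"] == "root" and e["binary"] not in allowed]

def root_activity_by_user(events):
    """How often each account escalated to root: a baseline for profiling."""
    return Counter(e["user"] for e in events if e["target"] == "root")

if __name__ == "__main__":
    evs = parse_sudo_events(SAMPLE_AUTH_LOG)
    for v in policy_violations(evs):
        print(f"POLICY VIOLATION {v['ts']} {v['host']} {v['user']} ran {v['cmd']} as root")
    print(dict(root_activity_by_user(evs)))
```

On the sample data this flags bob's interactive root shell and carol's read of /etc/shadow, and shows bob escalating twice as often as the other accounts.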
If you are interested in hearing SANS Digital Forensics and Incident Response instructor, Matt Bromiley, talk about these best practices, check out this recording of the webcast he did. While you’re at it, give our free trial a whirl and see how you can easily address these issues and more.