Linux Security

Question 1

How do you check if AppArmor is up and running?

Answer 1

sudo aa-status

Question 2

How would you setup a port/protocol rule on ufw

Answer 2

sudo ufw allow PORT/PROTOCOL comment “STRING”

You don’t need the comment but would help if an unusual port etc

Question 3

How would you add more than one port to the ufw rule

Answer 3

eg. “… allow 21,22/tcp …”. For itemised

or
“…. allow 30000:40000/udp …” for a range

Question 4

Prioritise a ufw rule to the top of the table

Answer 4

sudo ufw prepend RULE …

Question 5

How to insert a ufw rule into a specific point on the table

Answer 5

First:
sudo ufw status numbered

Then:
sudo ufw insert LINE NO RULE

Question 6

Create a ufw rule for ssh with a more restricted scope of inbound sources I.e local machines only

Answer 6

sudo ufw allow proto tcp from 192.168.0.0/24 to any port 22

Question 7

Remove a ufw rule

Answer 7

sudo ufw status numbered
sudo ufw remove LINE NO

Question 8

What’s the syntax for adding an entry to the bottom of the sudoers file?

Answer 8

username ALL=(ALL) All
Where from=(who as). What commands

Question 9

Where is the sudoers file?

Answer 9

/etc/sudoers

Edit with Visudo

Question 10

Where is the SE Linux configuration

Answer 10

/etc/selinux/config

Question 11

Default policy setting of SELinux?

Answer 11

Targeted: Only enforces network daemon policy rules

Question 12

Non default SEL settings

Answer 12

minimum - only specified process
mls - US military & gov
strict - all daemons, not recommended

Question 13

How to change SEL state

Answer 13

sudo getenforce permissive/enforcing

To disable you have to change the config file!

Question 14

What utility do you use to view and set SEL context for user accounts?

Answer 14

semanage

Question 15

What does chcon do and What is the syntax?

Answer 15

Change default SEL context;
chcon -u USER -r ROLE -t TYPE /FILE

Question 16

Where does SEL log its security events?

Answer 16

/var/log/audit/audit.log.
Can use audit2allow to generate policy to allow a denied event

Question 17

AppArmor is usually installed by default in Ubuntu but what packages might you need to get?

Answer 17

apparmor-utils
apparmor-profiles

Question 18

Where are AppArmor profiles stored?

Answer 18

/etc/apparmor.d

Question 19

What is noteworthy about AA profile names?

Answer 19

That usually reference the application path but swap the / for .
eg usr.bin.mysqld

Question 20

How do you view a list of active network ports without an AA profile defined?

Answer 20

sudo aa-unconfined

Question 21

How do you turn off (but not disable) an AA profile?

Answer 21

aa-complain Profile_PATH

Question 22

How do you turn an AA profile off and on?

Answer 22

sudo aa-disable PATH
sudo aa-enforce PATH

Question 23

What tools are required to setup joining AD?

Answer 23

sssd-ad, sssd-tools, realmd, adcli

Question 24

How do you test if you can join the AD realm (domain)?

Answer 24

sudo realm -v discover DOMAIN

Question 25

Once everything is setup, how do you join an AD domain (realm)?

Answer 25

sudo realm join -U USER@DOMAIN domain.name

Question 26

What tools required to connect a current sys to OpenLDAP

Answer 26

libnss-ldapd, libpam-ldapd, ldap-utils

Question 27

Where do you modify an individual users ssh config?

Answer 27

~/.ssh/config

Question 28

Where do you modify every user’s ssh config?

Answer 28

/etc/ssh/ssh_config

Question 29

Where do you modify an ssh server (incoming) config?

Answer 29

/etc/ssh/sshd_config

Question 30

What is the full command to generate an SSH ID key pair?

Answer 30

ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519

Question 31

How would you send your pubkey to the remote SSH server?

Answer 31

ssh-copy-id USER@HOST

For a dry run then use -n

Question 32

How to check if a program is compatible to use PAM

Answer 32

ldd /bin/PATH | grep libpam.so

Question 33

Where are would a PAM compatible program have its config file?

Answer 33

/etc/pam.d

Question 34

Three common PAM modules for enforcing strong passwords?

Answer 34

pam_unix.so
pam_pwhistory.so
pam_pwquality.so (pam_cracklib.so)

Question 35

Two PAM modules to protect against brute force

Answer 35

pam_tally.so (Deb)
pam_faillock.so (Rhel)

Question 36

PAM module to incorporate into an LDAP env?

Answer 36

pam_ldap.so

Question 37

How do you check firewalld is running?

Answer 37

firewall-cmd —state
Or
systemctl status firewalld

Question 38

Commands to modify firewalld zones

Answer 38

firewall-cmd —get-zones
—get-default-zone
—set-default-zone=ZONE
—get-active-zones
—permanent —new-zone=NEWZONE

Question 39

Change an interface to a diff firewalld zone - 2 steps to do this.

Answer 39

Modify the adapter config in /etc/sysconfig/network-scripts
Then systemctl restart firewalld

Question 40

How to add/remove a service(common proto) rule to firewalld

Answer 40

firewall-cmd zone=ZONE —add/remove-service=SERVICE

(SERVICE from —get-services)

Question 41

How do you save firewalld rules beyond current session

Answer 41

Add —permanent
Or reload the firewall

Question 42

How to add a nonstandard service/port role to firewalld

Answer 42

—zone=ZONE —permanent —add-port=PORT/PROTO (tcp/udp)

Question 43

Keep going old chap

Answer 43

You got this

Question 44

Give an example of a standard ACCEPT for iptables (http for this example)

Answer 44

iptables -A INPUT -p tcp —dport 80 -j ACCEPT

Question 45

Give an example of an iptables rule to block ssh from a specific source

Answer 45

iptables -A INPUT -s 6.6.6.6 -p tcp —dport 22 REJECT/DROP

Question 46

How to make an iptables adjustment persist

Answer 46

iptables-save or on some distros there’s no -

Question 47

What are the three different chains in iptables?

Answer 47

INPUT
FORWARD
OUTPUT

Question 48

How might you monitor in a state in iptables?

Answer 48

(…) -m state —state RELATED, ESTABLISHED (…)

Question 49

What file to edit password requirements?

Answer 49

/etc/login.defs

Question 50

The /etc/login.defs file can modify settings for password length and age, but how might you go about fixing a complexity requirement.

Answer 50

Add the pwquality.so module into the PAM rules and edit appropriately.

Question 51

How would you edit settings for the PAM pwquality.so module?

Answer 51

RHEL - /etc/pam.d/system-auth and password-auth

DEB - /etc/pam.d/common-password and common-auth
Then add appropriate directives to the end of the line: “password requisite pam_pwqualty.so”

Question 52

What’s an easy trick to restrict service accounts (especially root) from making system changes

Answer 52

Edit their /etc/passwd to run the /usr/bin/nologin as their default shell. That we they can operate but not run scripts etc

Question 53

How might you stop someone from walking up to the console and using root login?

Answer 53

Create a file /etc/securetty on the system. If nothing in it that means no consoles are permitted access with root.

Question 54

How do you block root access over ssh?

Answer 54

Modify the /etc/ssh/sshd_config file and edit the appropriate commented line.

Question 55

How to disable/change ctrl alt del?

Answer 55

systemctl mask ctrl-alt-del.target

On sysV you need to modify the appropriate line in /etc/inittab

Question 56

How would you secure ‘at’ and ‘cron’

Answer 56

They have at.allow and cron.deny files in /etc

Question 57

How would you pass on messages to users?

Answer 57

/etc/login.warn
/etc/motd

Question 58

How to block USB storage devices?

Answer 58

Modify /etc/modbrope.d/blacklist.conf with the lines:

blacklist uas
blacklist usb:storage

Save then reboot!

Question 59

How to improve and customise security logging?

Answer 59

Use the auditd package:
Edit /etc/audit/audit.rules and use auditctl command

Question 60

Top 4 services you should consider disabling?

Answer 60

FTP
Telnet
Finger
Mail services

Question 61

What are two really easy network security layers you might want to consider implementing:

Answer 61

TCP wrappers .allow and .deny
Also
hosts.allow and .deny

Question 62

How is the SELinux security context format laid out

Answer 62

User:Type:Role:Level

Question 63

An easy method of checking and enabling/disabling SE Linux policies?

Answer 63

getsebool -a
setsebool (-P) POLICY on/off

Question 64

How do you read the SEL /var/log/audit/audit.log ?

Answer 64

use audit2allow

Question 65

What are the 4 PAM service types?

Answer 65

Account
Auth
Password
Session

Question 66

What are the 6 PAM control-flags

Answer 66

Include
Optional
Requisite
Required
Substack
Sufficient

Question 67

pam_tally2.so and pam_faillock.so shared options are?

Answer 67

deny=n
silent
unlock_time=n

Question 68

Unlock with pam_tally2

Answer 68

sudo pam_tally2 -r -u USER

Question 69

Where are UFW profiles stored

Answer 69

/etc/default/ufw/applications.d

Question 70

Why is /bin/nologin used?

Answer 70

It prevents a (sys account) user from logging in from any terminal

Question 71

See the firewalld zone you’re in and rules attached to them

Answer 71

firewall-cmd —list-all
Also use —zone=NAME for a different zone to what you’re on

Question 72

Where to make actual AppArmor profile changes

Answer 72

/etc/apparmor.d/local