2021/06/08 Hardware Security

Hardware Security


Preface

This section is more technical and aimed at users who are already versed in Linux/BSD-style systems. I will say it now: get rid of Windows and read up about GNU/Linux in the section An Introduction To GNU/Linux. Although this document is titled "Hardware Security", it is an overarching, compiled list of hardware and software hardening measures for your GNU/Linux system.

Document Everything On Installation

Documenting the base information from your install will be beneficial to you in the future. This list should include the following to prevent any discrepancies or tampering.

Minimize System Packages

Minimizing system packages can greatly increase the overall security of your system. Since software bugs are one of the main barriers to security, having fewer packages means a smaller vulnerability surface: smaller footprint, smaller attack surface. As previously mentioned, you should maintain a list of all packages installed on your system.
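The package list mentioned above is only useful if you can compare it later. As an added example (not from the original page), the script below keeps a sorted baseline from the initial install and diffs it against the current list, failing when anything was added or removed; the two lists are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example: keep a sorted list of installed packages from the initial
# install and diff it against the current list. On a real host the lists come
# from e.g. `dpkg-query -W -f '${Package}\n'` (Debian/Ubuntu) or
# `rpm -qa --qf '%{NAME}\n'` (RPM based); here both are constructed inline.

# Normalise a package list read from stdin into sorted, unique lines in file $1
# (comm requires sorted input).
write_list() { LC_ALL=C sort -u > "$1"; }

# Packages present in current list $2 but not in baseline $1.
pkg_added() { LC_ALL=C comm -13 "$1" "$2"; }

# Packages present in baseline $1 but no longer in current list $2.
pkg_removed() { LC_ALL=C comm -23 "$1" "$2"; }

# Print "+name" for additions and "-name" for removals; return 1 if any differ
# so the check can fail a cron job or CI step.
pkg_diff() {
    rc=0
    for p in $(pkg_added "$1" "$2"); do printf '+%s\n' "$p"; rc=1; done
    for p in $(pkg_removed "$1" "$2"); do printf -- '-%s\n' "$p"; rc=1; done
    return $rc
}

# Constructed baseline and current lists (not from a real host); prints the
# directory holding baseline.txt and current.txt.
sample_lists() {
    d=$(mktemp -d)
    printf 'sudo\nbash\ncoreutils\nopenssh-server\n' | write_list "$d/baseline.txt"
    printf 'bash\nnetcat\ncoreutils\nopenssh-server\n' | write_list "$d/current.txt"
    echo "$d"
}
```

Store the baseline somewhere the host cannot silently rewrite (offline media or a signed copy), otherwise tampering with the package set can also tamper with the record of it.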

Set Password Expiration

One way to reinforce a strong password policy is to enable password expiration for your user accounts. You can set expiration dates for user passwords with the chage command in GNU/Linux. The system will then prompt users to set a new password once the existing one expires.
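Password ageing is stored in /etc/shadow, so you can audit it before touching it. The added example below (not from the original page) parses constructed shadow lines, reports which accounts never expire, and prints the chage commands that would fix them; the 90-day maximum and 7-day warning are assumed policy values.

```shell
#!/bin/sh
# Added example: audit password-ageing fields in /etc/shadow and build the
# matching chage command. Shadow fields, colon separated:
#   name:hash:lastchange:min:max:warn:inactive:expire:reserved
# The sample file below is constructed; read the real /etc/shadow as root.

# Print the maximum password age (field 5) for user $2 in shadow file $1.
# An empty field or 99999 means the password never expires.
shadow_max_days() {
    awk -F: -v u="$2" '$1 == u { print ($5 == "" ? "unset" : $5); exit }' "$1"
}

# Return 0 if the user's password is required to expire, 1 otherwise.
password_expires() {
    m=$(shadow_max_days "$1" "$2")
    case "$m" in
        ""|unset|99999|-1) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one chage command per account whose password never expires, skipping
# locked accounts (hash starting with '!' or '*'). Run the output as root.
fix_commands() {
    awk -F: '$2 !~ /^[!*]/ && ($5 == "" || $5 == "99999") { print $1 }' "$1" |
    while read -r u; do
        echo "chage --maxdays 90 --warndays 7 $u"
    done
}

# Constructed sample: alice never expires, bob has a 60-day maximum,
# svc is a locked service account. Prints the temporary file's path.
sample_shadow() {
    f=$(mktemp)
    { printf 'alice:$6$salt$hash:18700:0:99999:7:::\n'
      printf 'bob:$6$salt$hash:18700:1:60:14:::\n'
      printf 'svc:!:18700::::::\n'; } > "$f"
    echo "$f"
}
```

Pair the maximum with a minimum age (chage --mindays) so a user cannot cycle straight back to the old password on expiry day.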

Split Disk Partitions And Secure System Partitions

The Linux file-system divides everything into several parts based on their use case. You can put the critical portions of the file-system on separate partitions of your disk storage. For example, the following file-systems should be split into different partitions. This isolates the sensitive portions of your system, so that even if a malicious user gains access to some part of it, they cannot roam freely through the entire system.

You should give extra attention to the underlying system partitions. Malicious users may leverage partitions like /tmp, /var/tmp, and /dev/shm to store and execute unwanted programs. You can take steps to secure these partitions by adding some parameters to your /etc/fstab file. Open that file using a text editor.
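The parameters that matter for these partitions are the mount options nodev, nosuid and noexec. As an added example (not the page's own code), the script below reads a constructed /etc/fstab, checks /tmp, /var/tmp and /dev/shm for those options, and reports what each entry is missing.

```shell
#!/bin/sh
# Added example: verify that /tmp, /var/tmp and /dev/shm carry the hardening
# mount options nodev (no device files), nosuid (ignore setuid bits) and
# noexec (no program execution). The fstab below is a constructed sample.

# Print the mount options (4th column) for mount point $2 in fstab file $1.
fstab_opts() {
    awk -v mp="$2" '!/^[[:space:]]*#/ && NF >= 4 && $2 == mp { print $4; exit }' "$1"
}

# Return 0 if every option in comma list $2 appears in option string $1.
has_opts() {
    for o in $(echo "$2" | tr ',' ' '); do
        case ",$1," in *",$o,"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Print "<mountpoint> missing: opt,opt" for each entry lacking an option,
# or "<mountpoint>: no fstab entry"; return 1 if anything needs fixing.
fstab_check() {
    rc=0
    for mp in /tmp /var/tmp /dev/shm; do
        cur=$(fstab_opts "$1" "$mp")
        if [ -z "$cur" ]; then
            echo "$mp: no fstab entry"; rc=1; continue
        fi
        missing=""
        for o in nodev nosuid noexec; do
            has_opts "$cur" "$o" || missing="$missing,$o"
        done
        if [ -n "$missing" ]; then
            echo "$mp missing: ${missing#,}"; rc=1
        fi
    done
    return $rc
}

# Constructed sample fstab; prints the temporary file's path.
sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real host
UUID=1111-2222  /          ext4   defaults                 0 1
tmpfs           /tmp       tmpfs  defaults,nodev,nosuid    0 0
/tmp            /var/tmp   none   bind,nodev,nosuid,noexec 0 0
tmpfs           /dev/shm   tmpfs  defaults                 0 0
EOF
    echo "$f"
}
```

noexec on /tmp can break package installers and build tools that run scripts from there, so test the change before enforcing it; after editing fstab, apply it with mount -o remount on each mount point and re-run the check.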

File-System Encryption

Encrypt Communications

While I will emphasize the use of GPG (or another PGP/OpenPGP implementation), you will also want to always use secure services such as ssh, scp, rsync over ssh, or sftp for remote data transfer. While using these services, make an effort to use GPG to encrypt and sign your data, along with all messages passed within your circle of trust.

Legacy Communications

Avoid or remove them! While I will be the first to defend these legacy communications and how fun/special/interesting they are... they are NOT secure. All or nearly all legacy programs do not provide essential security during data transmission. These include...

RAM Disk

Configure Your Kernel

The Linux kernel has a lot of runtime parameters. You can easily tweak some of them to improve Linux hardening. The sysctl command allows the root/admin user to configure these kernel parameters. You may also modify the /etc/sysctl.conf file for kernel tweaking. For example, add the below line at the end of your sysctl configuration to make the system reboot 10 seconds after a kernel panic.

You can add as many rules as you like and customize existing rules to fit your kernel requirements.

Malware Detection

Malware/Rootkit Protection

Firewall Security

UFW (Debian/Ubuntu)

Set Up Default Policies

Security Modules

Disable Unnecessary Services

This section mainly pertains to daemons. A lot of services and daemons are started during system boot. Disabling those that are not mandatory helps with hardening and improves your boot time. Since most modern distributions use systemd instead of init scripts, you can use systemctl to find these services.

Cron Access

GNU/Linux provides automation support by means of cron jobs. You can specify routine tasks using the cron scheduler. root/admin users must make sure that ordinary users are unable to access or put entries in the crontab. Simply put their usernames in the /etc/cron.deny file to do this.

Core Dumps

Core dumps are memory snapshots that contain crash information for executables. They are created when binaries stop working or crash. They can contain a great deal of sensitive information about the system and may threaten your security if they fall into the wrong hands. So it is always a good idea to restrict core dumps on your machine.
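Both the kernel-panic reboot from the Configure Your Kernel section and the core-dump restriction here are sysctl settings (kernel.panic = 10 and fs.suid_dumpable = 0), so one check covers both. The added example below (not from the original page) parses a constructed sysctl configuration the way sysctl reads it (comments ignored, whitespace around = tolerated, last assignment wins) and reports which of the two settings is wrong or missing.

```shell
#!/bin/sh
# Added example: read settings from a sysctl configuration file and compare
# them with the values this page recommends: kernel.panic = 10 (reboot ten
# seconds after a kernel panic) and fs.suid_dumpable = 0 (no core dumps from
# setuid programs). The config file below is a constructed sample.

# Print the value of key $2 in sysctl config $1, ignoring comment lines and
# whitespace around '='; the last assignment wins, as with sysctl itself.
# (Values that themselves contain '=' are truncated at the first one.)
sysctl_conf_get() {
    awk -F= -v k="$2" '
        /^[[:space:]]*[#;]/ || !/=/ { next }
        { key = $1; val = $2
          gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
          gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
          if (key == k) found = val }
        END { if (found != "") print found }' "$1"
}

# Check file $1 against the wanted settings; print one line per mismatch as
# "key = wanted (found: actual)" and return 1 if anything mismatches.
sysctl_check() {
    rc=0
    for pair in "kernel.panic=10" "fs.suid_dumpable=0"; do
        k=${pair%%=*}; want=${pair#*=}
        got=$(sysctl_conf_get "$1" "$k")
        if [ "$got" != "$want" ]; then
            echo "$k = $want (found: ${got:-unset})"; rc=1
        fi
    done
    return $rc
}

# Constructed sample /etc/sysctl.conf with a duplicated key and stray
# whitespace; prints the temporary file's path.
sample_sysctl_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample
net.ipv4.ip_forward = 0
kernel.panic=10
fs.suid_dumpable = 2   
fs.suid_dumpable = 1
EOF
    echo "$f"
}
```

fs.suid_dumpable only covers setuid programs; a hard limit of `* hard core 0` in /etc/security/limits.conf disables ordinary core dumps, and `sysctl -p` (or `sysctl --system`) reloads the configuration without a reboot.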

Disable Firewire/Thunderbolt Devices

It is always a good idea to disable as many unneeded or unused peripherals as possible. This makes your system more secure against attackers who have gained direct access to the infrastructure you are connected to. Firewire is the generic name of the IEEE 1394 hardware interface. It is used for connecting digital devices like camcorders. Disable it by using the following command.
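The durable way to keep a peripheral's driver out of the kernel is a modprobe.d file; a blacklist line alone only stops automatic loading by alias, while an install line stops explicit and dependency loads as well. The added example below (not the page's own command) writes and verifies such a file for the in-tree FireWire modules firewire_core and firewire_ohci (and thunderbolt for the Thunderbolt driver), using a constructed temporary directory in place of /etc/modprobe.d.

```shell
#!/bin/sh
# Added example: block a kernel module via modprobe.d and verify the block.
# A module is only reliably blocked when both lines are present:
#   blacklist <mod>          # no automatic load via hardware alias
#   install <mod> /bin/false # modprobe runs this instead of loading it
# modprobe treats '-' and '_' in module names as equivalent, so the check does
# too. The directory used here is constructed; the real one is /etc/modprobe.d.

# Build an ERE that matches the module name with '-' or '_' interchangeable.
module_pattern() { printf '%s' "$1" | sed 's/[-_]/[-_]/g'; }

# Return 0 if module $2 has both directives in some *.conf file under $1.
module_blocked() {
    pat=$(module_pattern "$2")
    grep -qsE "^[[:space:]]*blacklist[[:space:]]+$pat([[:space:]]|$)" "$1"/*.conf &&
    grep -qsE "^[[:space:]]*install[[:space:]]+$pat[[:space:]]+/bin/(false|true)([[:space:]]|$)" "$1"/*.conf
}

# Write both directives for module $2 into $1/disable-<module>.conf.
block_module() {
    printf 'blacklist %s\ninstall %s /bin/false\n' "$2" "$2" > "$1/disable-$2.conf"
}

# Constructed modprobe.d directory: firewire_core is only half blocked,
# firewire_ohci fully blocked. Prints the directory path.
sample_modprobe_dir() {
    d=$(mktemp -d)
    printf 'blacklist firewire_core\n' > "$d/partial.conf"
    block_module "$d" firewire_ohci
    echo "$d"
}
```

After adding the file, rebuild the initramfs (update-initramfs -u on Debian/Ubuntu) so the module is not loaded early at boot, and unload it now with modprobe -r or reboot; lsmod confirms it is gone.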

Disable Ctrl+Alt+Delete

The Ctrl+Alt+Delete key combination allows users to force a reboot on many GNU/Linux distributions. This can be a problem for you as a user. root/admin users should disable this hotkey in order to maintain proper GNU/Linux hardening. You can run the following command to disable it on systemd-based systems.

Misc

Spectre / Meltdown Check

BACK UP YOUR DATA

You always need to be prepared for unforeseen problems. Backing up your workstation or server can prove extremely beneficial in the long run. Thankfully, a large number of backup utilities exist for Linux to make system backups easier. Moreover, you should automate the backup process and store your system data safely. Employing disaster management and recovery solutions can also be useful when it comes to data management.