Linux is a versatile operating system. Its use cases vary greatly, from hosting hundreds of containers across a complex network, to running a single desktop, to the operating systems of TVs, Android phones and most Internet of Things (IoT) devices.
However, its adaptability in a wide variety of settings means it can easily be used insecurely. Servers face the constant threat of online attack. To keep Linux secure, a security team would typically have to routinely perform many processes, including writing custom scripts to scrape logs off servers, manually creating SIEM integrations and parsing rules, and then further manipulating the data to visualize and report on everything they need to monitor. This is complex and time-consuming.
In this article we’ll explore some efficient ways to simplify Linux security, three in particular: restricting access, scanning for odd user activity, and streamlining routine Linux security tasks. We’ll also show you how Uptycs can make Linux security easier and faster, using a better approach: host level telemetry you can stream in real-time and view historically.
Whether it’s running in the cloud or on physical premises, a Linux installation will likely run Secure Shell (SSH). The SSH protocol is both a vital component for managing remote access, and a key vulnerability point for unwanted intrusion. A good understanding of Linux security requires awareness of SSH, and how to limit its attack surface. There are three ways to effectively control Linux server access.
Your Linux security system may be effectively managed in all other respects, but if passwords are too simple or reused across multiple accounts, your environment is vulnerable to attack. Even when passwords are used correctly, they can still be brute-forced by an attacker with enough time and processing power.
Your first priority in Linux security and hardening should be to migrate as many accounts as possible to SSH keys, a more secure authentication method that uses cryptographic algorithms. Taking the additional step of two-factor authentication will further improve your security posture.
Another good strategy for securing a Linux server is to minimize your SSH exposure to the Internet. The more you expose, the more you’ll have to patch rapidly and monitor. Plus, SSH exposed to the Internet also generates a huge amount of log data to keep up with. It’s therefore a good idea to make sure access to SSH is restricted via some network method. For example, you could have a reverse proxy where users authenticate before traffic is forwarded.
Moreover, the moment a vulnerability is found in an accessible installation of SSH, an attacker can exploit it. Usually, SSH has little to no impact on your running applications, so there’s little to lose from pouncing on an SSH patch and making it a high priority. From a Linux security standpoint, it’s a safe and easy win.
Augeas and osquery allow you to read configuration files (including Linux security logs) as though they were a database. This is extremely powerful for many different use cases, but when it comes to SSH, it is especially useful for verifying that SSH is hardened properly. You could, for example, check the version of the SSH protocol allowed, or check that root login over SSH is disabled, forcing people to log in with their own accounts and then elevate privileges if necessary. You could even use Augeas and osquery to track the sudoers file, to identify users who have the ability to elevate privileges.
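As an added example (not from the original article or from Uptycs), the two checks above expressed as osquery queries against its augeas table, whose columns are node, value, label and path; the set of directives and the values treated as acceptable are assumptions for this example.

```sql
-- Added example: audit sshd_config through osquery's augeas table.
-- Constraining on path makes osquery load only this file through its lens.
-- A directive that is absent does not appear at all, in which case the
-- compiled-in default applies and the host should still be reviewed.
SELECT
  label,
  value,
  CASE
    WHEN label = 'PermitRootLogin'
     AND value NOT IN ('no', 'prohibit-password')      THEN 'FAIL'
    WHEN label = 'PasswordAuthentication'
     AND value != 'no'                                 THEN 'FAIL'
    -- Protocol is only present on old OpenSSH; protocol 1 is gone on modern
    -- releases, so a '1' or '2,1' here marks a legacy host worth upgrading.
    WHEN label = 'Protocol'
     AND value != '2'                                  THEN 'FAIL'
    ELSE 'ok'
  END AS result
FROM augeas
WHERE path = '/etc/ssh/sshd_config'
  AND label IN ('PermitRootLogin', 'PasswordAuthentication', 'Protocol');

-- Added example: who can elevate privileges?  The Augeas sudoers lens exposes
-- each rule as spec/user plus spec/host_group/command, with runas_user and
-- tag (e.g. NOPASSWD) as children of command.  Ordering by node keeps the
-- rows of one rule together so the user, command and tag can be read as one.
SELECT node, label, value
FROM augeas
WHERE path = '/etc/sudoers'
  AND label IN ('user', 'command', 'runas_user', 'tag')
ORDER BY node;
```

Scheduling both queries and diffing their results over time turns a one-off hardening check into an alert on any change to root login, password authentication or sudo rights.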
To effectively monitor and investigate unusual user activity in your environment, you need Linux security software that allows you to easily correlate across different security datasets. It also greatly improves your security posture if you can view your threat intelligence both in real-time and through historical snapshots.
What constitutes “odd” user activity will vary greatly from one environment to the next. It’s important to build a detailed and nuanced list of activities warranting investigation in your Linux environment. It may be that you need an alert when a user connects directly to a container. You may require thresholds on how many machines a user should be logged into at once. Adding to the complexity, you may also need to carefully whitelist and build exception lists for any given rule.
Combining different sources of threat intelligence data can tell you more about the security of your Linux environment than using data in isolation.
For example, by using Uptycs to analyze Linux shell history in combination with process events, you can see the impact of network activity over time and by user login, drilling down to command lines and SSH activity where necessary.
Tracking security incidents in real time is undeniably important; a quick response time can greatly reduce the impact of malicious activity. However, if you confine your approach purely to real-time events, you can lose sight of how security threats develop over time. For example, if a user executed unusual commands, historical data on SSH sessions might reveal useful insight into past network activity involving suspicious IP addresses.
Scanning historical data can be a challenge because most environments rapidly hit a problem of scale. Analyzing historical Linux security logs across a large network can be both costly (storing logs in a SIEM for any length of time can be quite expensive) and time-prohibitive (weaving together the artifacts and activity is complex when there are several distinct sources of data).
Uptycs Flight Recorder speeds up the process by allowing you to store large volumes of historical data in a proprietary and highly compressed manner that alleviates storage cost considerations. Through Flight Recorder you can review the state of any number of servers at a specified time in the past, uncovering incidents that would otherwise have been extremely difficult to detect.
You can learn more here about how one company improved its ability to investigate threats by using Uptycs Flight Recorder to gain visibility into the state of thousands of servers at any point in the past.
Securing your Linux environment will be easier if you can use officially supported packages, adhere to Security-Enhanced Linux (SELinux) best practices, and automate complex analytical processes.
The more official Linux packages you use, the less often you’ll be bogged down with manual security patches. Moreover, given that feature updates and security updates are handled separately by Linux, with official packages it’s feasible to automatically perform weekly security updates, reserving manual updates for features only when required.
Uptycs can further streamline the task, comparing your software with an updated list of vulnerabilities. By alerting you when a patch is required, Uptycs can help you rapidly identify vulnerable packages in your environment.
SELinux is a kernel security module that allows you to better define and enforce security policies through mandatory access control (MAC). With SELinux configured properly, if an attacker tries to exploit one of your services, their level of access will be restricted, even if that attempt is made from an account with high privileges.
The problem is that SELinux policies are extremely difficult to manage, monitor and troubleshoot. Because troubleshooting them can be a grueling and time-consuming process, security teams often gradually disable the more powerful policy features of SELinux instead.
Through Uptycs, you can use osquery SELinux event tables to generate detailed logs of SELinux events. This makes problem diagnosis easier and gives you a simpler way to refine your security policies so that they only disallow actions which pose a genuine security threat.
One of the most difficult challenges in Linux security management is reducing the grind of process work. The tasks of aggregating, storing, and sharing security data should be automated and streamlined where possible, because that time is better spent on the higher level Linux security work of threat detection and investigation.
Uptycs offers over 130 tables for analyzing Linux events, along with a large set of pre-written alerts you can use to interrogate this data in meaningful ways. Each can be further customized to the unique requirements of your environment. As your team curates these rules to become more targeted to your environment, your signal-to-noise ratio will gradually improve. You're left with only the information you need to investigate threats, or to build a strong case for compliance with data regulations.
You can learn more here about how a SaaS-based customer relationship management services provider used Uptycs to monitor security data from Linux server endpoints at scale. The company achieved FedRAMP compliance and was able to close a multi-million dollar contract within three months.
Linux server security involves many moving parts. By developing efficient methods for restricting access, monitoring odd user activity and streamlining routine security tasks, you can make the process easier and less time-consuming.