What best practice do you recommend for every Linux security administrator? Logs are very important. Collect all of the system logs in one machine, and you'll know what is going on and whether there is anything wrong with your Linux system. After you deploy your Linux system, you need to monitor logs for different events and to see what services are being restarted. Monitor to see restarts of the Web server or to see crashes. Find out...
if there are many unauthorized attempts to connect to an SMTP server by looking at the log files, such as certain simple log message files.
Remember to look at the default log files, as well as application-specific log files, and then centralize the log files and have a central program with scripts and tools. This will sometimes help you identify if something is wrong with your Linux system.
Continue reading part two of this interview. Could you name other important Linux security tools?
Nessus is a vulnerability scanner that runs on different Unix flavors and Linux. It is a very good idea to use Nessus to scan your systems' blocks on a fresh newly-built Linux system.
Scanning production machines is a different story. In that case, you might need permissions or a separate scan window, or you only scan during certain times. There are lots of issues, and nmap can address some of them. It is another tool that is not limited to Linux. I am not that convinced that everyone knows about nmap, but they should.
Say, you don't want to go for a full vulnerability scan, but you want to scan a new production system for, say, open ports or management for a special secure shelf. You scan with nmap, and it tells you that port 6000 -- which is Xwindows -- hasn't been disabled. Then, you can simply disable it. With nmap, you can avoid some common holes in Linux. Could you describe an experience you've had in securing Linux and what you learned from it?
I had to build a very paranoid Linux system for an experiment using hackers and various scenarios in which they attack through unknown channels. With Linux, I could use a number of tools, which let me harden my Linux system to really high degrees. I modified the kernel and changed some of the in-depth system options to prevent certain types of attacks. I found that, if you want to go that far, you can go to the kernel level and harden. Modifying the system kernel is very effective because you can disable unused functionality at the very heart of the OS, making it unavailable to be abused by attackers.
I found that Linux is very securable. It gives you lots of different pedals you can pull and buttons you can press to make it more secure. You mentioned tools for securing Linux. What security tool should every Linux security admin use?
For Linux, the number one item would be the host-hardening tool, such as Bastille Linux. Bastille, written by Jay Beale, is of the best scripts ever. You install a Linux distribution, and then you install Bastille. Then, Bastille recommends which software settings you should change to make the system more secure.
For example, Bastille would identify an FTP server and ask if you need this FTP service tie-in. If not, Bastille can turn it off for you. You run Bastille so that you supply security settings properly. As a result, you arrive with a much better secured Linux system. Is Linux is a more securable data center OS than Windows?
I truly believe that Linux is more securable than Windows because it is more open. If you have more knowledge, then you have more handles to make it bulletproof.
However, if you have unskilled system administrators, it doesn't matter whether an OS is secure out of the box. You're going to have an insecure data center.