Linux security administration can be complicated, and it is sometimes hard for an administrator, especially one whose background is solely in Windows, to determine where a given control is applied or managed. Securing Linux also involves extensive command-line interaction. This interaction is often done with
By comparison, most Windows administrators control settings through a GUI or through the application of controls like Group Policy. They usually have good help available, and Microsoft does provide some excellent documentation. For many Windows administrators used to this environment, the move to the Linux world can cause some initial trepidation. This is not to suggest Windows administrators are any less skilled than their Linux counterparts: anyone who works heavily in the registry or with configuration languages like SDDL (Security Descriptor Definition Language) has my respect.
With this complexity in mind, I'd offer three pieces of advice for getting up to speed.
Apply consistent policies and standards
Firstly, start your security administration from a consistent base. Document the policies and standards you apply to your Windows environment (if you haven't already), then apply those same policies and standards to your Linux environment. A consistent approach makes overall security management much easier, and it gives you a single baseline against which both platforms can be audited.
Take advantage of training courses in Linux and Unix
Secondly, reference materials and books can be excellent sources of information but are limited by their finite nature. Send your staff on training courses or use computer-based training (CBT) materials. Training courses specifically in Linux security seem to be rather thin on the ground at the moment, but organizations like SANS often run Unix security courses that heavily utilize and discuss Linux (in addition to other flavors of Unix).
I'd recommend that your Linux administration staff attend a training course, preferably one with hands-on labs. Whilst books and other reference materials are very useful, there is nothing better than hands-on experience of security administration, especially if the instructor can provide real-world context and content for the course, as many of the SANS courses do. Obviously it can be expensive to train your staff like this, but weigh that cost against the potential cost of a breach or a security-related outage caused by poor security on your systems.
Use the community
Thirdly, use the Linux community. A number of sites, mailing lists and forums discuss Linux security, as well as application and database security on Linux. These resources often provide excellent (and free) advice on how to secure your systems.
Remember, though, that not everyone offers good advice, and not everyone agrees on what the appropriate security configuration is. Any advice you glean from the community should be backed up by further research and by testing in your own environment to ensure it suits your security requirements.
It can be a steep (and sometimes expensive) learning curve to become proficient in Linux security, but the return in terms of protection of your assets and the mitigation of risks to your organization is well worth it.
This was first published in August 2005