
We like to build and use devices connected to the internet. That shouldn't keep us up at night.

Primary language: Jinja. License: Apache License 2.0 (Apache-2.0).

Securing Linux

This repo creates a usable Linux platform with adequate security for daily, non-production usage.

TODO: add blurb about reasoning

TODO: add blurb about workflow

Make no mistake: this set of playbooks is opinionated and comes without any express or implied warranty.

Steps in security

  1. Protect data with partitioning and encryption
  2. Set useful base tools
  3. Restrict physical access
  4. Restrict network access
  5. Track audit-worthy change events

Reviewing hardening efforts

Audit programs

Security hardening guides, best practices, checklists, benchmarks, tools and other resources. Help from :

Setting up for development

This project uses :

Initializing the project

make init
  • ansible-galaxy installs the required public roles listed in requirements.yml.
  • Vagrant pulls down the most recent versions of the currently configured boxes.
  • An Ansible Vault is created to protect sensitive data such as keys and passwords. An example decrypted file can be reviewed in vault-example.yml, which will become vault.yml.

Encrypting and decrypting the vault

make enc # encrypt vault.yml
make dec # decrypt vault.yml
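
A guard for the gap between `make dec` and `make enc`, added here as an example and not part of this repo's Makefile: it refuses any vault file that does not start with the standard Ansible Vault envelope header. The function names `vault_is_encrypted` and `check_vault_files` are hypothetical, and the check assumes the vault is encrypted with ansible-vault's default AES256 format.

```shell
#!/bin/sh
# Added example (not from the repo): detect a vault file left decrypted.
# Assumption: ansible-vault's envelope, whose first line starts with
#   $ANSIBLE_VAULT;<format version>;AES256   (optionally ;<vault-id label>)

# Return 0 if $1 looks like an ansible-vault encrypted file, 1 otherwise.
vault_is_encrypted() {
    [ -f "$1" ] || return 1
    # Fail closed: an unreadable or empty file is treated as not encrypted.
    first_line=$(head -n 1 "$1") || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'[0-9].[0-9]';AES256'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check every path given. Paths that do not exist are skipped, since there
# is nothing to leak. Returns 0 only if all existing files are encrypted.
check_vault_files() {
    bad=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        if ! vault_is_encrypted "$f"; then
            echo "NOT ENCRYPTED: $f (run 'make enc' before committing)" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Typical use, e.g. from .git/hooks/pre-commit:
#   check_vault_files vault.yml || exit 1
```

The header check only proves the file is in vault format. It says nothing about the strength of the vault password.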

Creating the test VMs

make build
make ping
  • Vagrant creates test VMs
  • Vagrant takes snapshot of the state at baseline to make iterative testing much faster

Managing the state of the VMs

make start
make stop
make restore # restore baseline snapshot
make destroy # remove all traces

Reviewing the baseline security of the official Vagrant boxes

make audit

Running a hardening playbook

make play
make audit

Supported Operating Systems

OS          Release
Ubuntu      20.04 - Focal
Ubuntu      19.10 - Eoan
Ubuntu      18.04 - Bionic
Ubuntu      16.04 - Xenial
Debian      10 - Buster
Debian      9 - Stretch
Debian      8 - Jessie
ArchLinux   ArchLinux
CentOS      8
CentOS      7

Work in progress: Supported Operating Systems

OS          Release
Ubuntu      20.10 - Groovy
Ubuntu      14.04 - Trusty
CentOS      6
RHEL        8
RHEL        7
RHEL        6