General Security Advisory

TLP WHITE

National Cyber Security Centre

TLP WHITE

Page 1 of 3

Implementing the Top 4 in a Linux Environment

This document has been developed to assist organisations understand how the “Top 4

Strategies to Mitigate Targeted Cyber Intrusions” can be implemented in Linux environments.

While this document refers specifically to Linux environments, the guidance presented is equally

applicable to all Unix-style environments.

Intended audience

This document is intended for cyber security professionals as well as information

technology decision makers, architects, designers and support staff responsible for

Linux assets on their corporate network.

The top 4 mitigation strategies

The Australian Signals Directorate has developed prioritised mitigation strategies to

help technical cyber security professionals across all organisations mitigate cyber

security incidents.

No single mitigation strategy is guaranteed to prevent cyber security incidents. At least

85% of the adversary techniques used in targeted cyber intrusions could be mitigated

by implementing the following strategies:

 Use application whitelisting to help prevent malicious software and

unapproved programs from running

 Patch applications such as Flash, web browsers, Microsoft Office, Java and PDF

viewers

 Patch operating systems

 Restrict administration privileges to operating systems and applications based

on user duties

Implementing the top 4 on Linux

The strategy that poses the most challenge on Linux is application whitelisting, while

the remaining three strategies can be implemented in a similar manner to Microsoft

Windows.

National Cyber Security Centre

General Security Advisory

GSA-001-17

The National Cyber Security Centre is hosted within the Government Communications Security Bureau

TLP WHITE

National Cyber Security Centre

TLP WHITE

Page 2 of 3

Application whitelisting

Whilst Linux doesn’t natively offer application whitelisting functionality, and the

choices for application whitelisting on Linux are sparse compared to Microsoft

Windows, a small number of vendors do offer third party application whitelisting

solutions. However, organisations need to consider the specific Linux distributions

they are using and how application whitelisting solutions may impact other security

controls. For example, deploying the latest kernel updates may be problematic on

certain Linux distributions if the application whitelisting solutions don’t support the

latest kernel version and may be especially problematic in environments where

custom kernels are in use.

Application and operating system patching

Patching Linux is easy to achieve when combined with locally hosted repositories and

scheduled scripts. Some Linux distributions now provide administrative servers that

allow control of machines from a centralised location to push updates as necessary.

This can enhance the ability of an organisation to efficiently and effectively manage

their change management process while ensuring timely patching occurs. Linux

system administrators should check with their vendor if they are unsure how to best

handle application and operating system patching in a Linux environment.

Restricting administrative privileges

Restricting administrative privileges in a Linux environment can be achieved through

a combination of: controlling the number of users with administrative privileges,

controlling the access those users have, and auditing the actions of those users.

Determining the number of users with administrative privileges on Linux machines is

relatively simple. Auditing the number of users with the ability to elevate permissions,

or having privileged accounts, can be achieved by listing groups and group

memberships of users on each Linux machine to check which users belong to each

group. The “sudoers” group and any other specific admin groups for a given

distribution must be considered when conducting this audit. Additionally,

organisations should ensure users do not have a user ID (UID) or group ID (GID) of

0, which would grant that specific user root access on that machine.

In addition to minimising the number of users with administrative privileges,

organisations should ensure they enforce a policy of using the sudo command when

administering Linux servers as opposed to logging in locally or remotely with an

administrative account. This will not only prevent the use of shared accounts, but also

enhance the ability of an organisation to audit administrative access and encourage

system administrator accountability.

General hardening of Linux

Given the difficulty in implementing application whitelisting on Linux, the following

strategies can be implemented to assist with reducing the residual risk of the

TLP WHITE

National Cyber Security Centre

TLP WHITE

Page 3 of 3

exploitation of Linux machines. Note, this list is not exhaustive and does not take into

account specific use cases or differences between Linux distributions.

 Use unique restricted users for key at-risk services (e.g. Apache software runs

under a restricted ‘apache’ user role).

 Apply additional forms of security policy enforcement such as SELinux or

AppArmour.

 Implement appropriately hardened security configurations, and permissions of

key configuration files (e.g. /etc/security/access.conf, /etc/hosts,

/etc/nsswitch.conf).

 Use the ‘noexec’ parameter to mount partitions which users have write access to.

 Implement software-based firewalls for both internal and external network

interfaces.

 Perform tasks with least privileges.

 Centralise auditing and analysis of system and application logs.

 Disable unrequired operating system functionality.

 Implement specific configurations based on server role (e.g. running Apache

webserver, harden as per Apache hardening guide).

 As far as practical, implement vendor security guidance for specific Linux

distributions.

Summary

Given the difficulty in implementing application whitelisting on Linux, organisations

may choose to address, as a higher priority, application and operating system

patching, restricting administrative privileges and implementing general system

hardening measures.

Reference:

http://asd.gov.au/publications/protect/top_4_mitigations_linux.htm

https://www.asd.gov.au/infosec/mitigationstrategies.htm

Further information:

The full list of strategies is available at:

http://www.asd.gov.au/infosec/top35mitigationstrategies.htm

The NCSC can be contacted by email via info@ncsc.govt.nz or by phone on: 04 498 7654.

We encourage you to contact us at any time if you require any further assistance or advice.