TLP WHITE
National Cyber Security Centre
Application whitelisting
Linux distributions have not traditionally included application whitelisting functionality, and the choices for application whitelisting on Linux are sparse compared to Microsoft Windows, although a small number of vendors do offer third party application whitelisting solutions. Organisations need to consider the specific Linux distributions they are using and how an application whitelisting solution may interact with their other security controls. For example, a solution with a kernel component may not yet support the latest kernel version, so deploying the latest kernel updates on certain distributions may have to wait for the vendor, which is especially problematic in environments where custom kernels are in use. Before selecting a solution, confirm with the vendor which distributions and kernel versions are supported and how quickly support follows new kernel releases, so that whitelisting never becomes a reason to postpone patching.
Application and operating system patching
Patching Linux is straightforward when locally hosted repositories are combined with scheduled scripts. Some Linux distributions now provide administrative servers that allow machines to be controlled from a centralised location and updates to be pushed as necessary. This can enhance an organisation's ability to manage its change management process efficiently and effectively while ensuring timely patching occurs. A locally hosted repository only helps if it is itself synchronised promptly and its packages are verified against the vendor's signing keys; a stale mirror silently delays every patch. Linux system administrators should check with their vendor if they are unsure how best to handle application and operating system patching in a Linux environment.
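The scheduled-script approach described above, as an added example that is not part of the original page: helper functions for a patch run on Debian/Ubuntu hosts whose apt sources point at a locally hosted mirror. The `apt list --upgradable` sample embedded in the script is constructed for illustration (package names, suites and versions are not captured from a real host); the `apply`/`check` subcommand names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): helper functions for a scheduled patch
# run on Debian/Ubuntu hosts whose sources.list points at a locally hosted mirror.
# Package names, versions and suites in the sample below are constructed, not captured.
set -eu

# Constructed sample of `apt list --upgradable` output, in the format apt prints it.
SAMPLE_UPGRADABLE='Listing...
openssl/jammy-security 3.0.2-0ubuntu1.15 amd64 [upgradable from: 3.0.2-0ubuntu1.14]
libssl3/jammy-security 3.0.2-0ubuntu1.15 amd64 [upgradable from: 3.0.2-0ubuntu1.14]
vim/jammy-updates 2:8.2.3995-1ubuntu2.16 amd64 [upgradable from: 2:8.2.3995-1ubuntu2.15]
linux-image-generic/jammy-updates 5.15.0.113.113 amd64 [upgradable from: 5.15.0.112.112]'

# Turn apt's listing into "<package> <suite> <new-version> <old-version>" rows.
parse_upgradable() {
    printf '%s\n' "$1" | awk -F'[/ ]' '
        /^Listing/ { next }
        NF >= 4 {
            old = $NF
            sub(/\]$/, "", old)
            print $1, $2, $3, old
        }'
}

# Number of pending updates that come from a *-security suite.
count_security_updates() {
    parse_upgradable "$1" | awk '$2 ~ /-security$/ { n++ } END { print n + 0 }'
}

# Succeeds if a kernel image is among the pending updates (a reboot will be needed).
kernel_update_pending() {
    parse_upgradable "$1" | awk '$1 ~ /^linux-image/ { found = 1 } END { exit !found }'
}

# Debian/Ubuntu create this file when an installed package requires a reboot.
needs_reboot() {
    [ -f /var/run/reboot-required ]
}

# Refresh indexes from the mirror, apply every upgrade non-interactively and leave an
# audit trail in syslog; intended to be invoked from cron or a systemd timer as root.
apply_updates() {
    export DEBIAN_FRONTEND=noninteractive
    apt-get -qq update
    apt-get -qq -y \
        -o Dpkg::Options::=--force-confdef \
        -o Dpkg::Options::=--force-confold upgrade
    logger -t patch-run "apt-get upgrade completed on $(hostname)"
    if needs_reboot; then
        logger -t patch-run "reboot required on $(hostname) to activate updates"
    fi
}

# Only the "apply" subcommand touches the system; "check" reports on the live listing.
case "${1:-}" in
    apply) apply_updates ;;
    check)
        listing=$(apt list --upgradable 2>/dev/null)
        echo "security updates pending: $(count_security_updates "$listing")"
        kernel_update_pending "$listing" && echo "kernel update pending: reboot will be required"
        ;;
esac
```

Run `patch-run.sh check` from the scheduled job first and record the count of pending security updates before `patch-run.sh apply`; the two syslog lines give change management a timestamped record of what ran and whether a reboot is still outstanding. On Red Hat family hosts the same structure applies with `dnf check-update` and `dnf -y upgrade`, but the listing format differs and the parser would need to change.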
Restricting administrative privileges
Restricting administrative privileges in a Linux environment can be achieved through a combination of controlling the number of users with administrative privileges, controlling the access those users have, and auditing the actions of those users.
Determining the number of users with administrative privileges on a Linux machine is relatively simple. Users with the ability to elevate their privileges, or who hold privileged accounts, can be found by listing the groups and group memberships on each Linux machine. The group that grants sudo rights differs by distribution (sudo on Debian and Ubuntu, wheel on Red Hat, Fedora and SUSE derivatives), and rules in /etc/sudoers and /etc/sudoers.d may grant rights to individual users or to other groups, so all of these must be considered when conducting the audit. A user's primary group is recorded in /etc/passwd rather than in /etc/group, so both files must be checked. Additionally, organisations should ensure that no account other than root has a user ID (UID) of 0, since any UID 0 account is root regardless of its name, and that no account has a primary group ID (GID) of 0, which grants that user the root group's file permissions.
In addition to minimising the number of users with administrative privileges, organisations should enforce a policy of using the sudo command when administering Linux servers rather than logging in locally or remotely as root or another administrative account. This not only prevents the use of shared accounts, but also enhances an organisation's ability to audit administrative access, since each sudo invocation is logged against the invoking user's own account, and encourages system administrator accountability. To enforce the policy for remote access, direct root login should also be disabled in the SSH daemon's configuration (PermitRootLogin no).
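The audit described in the two preceding paragraphs (UID 0 and GID 0 accounts, members of the distribution's admin groups including primary-group membership, passwordless sudo rules, and direct root login over SSH), as an added example that is not part of the original page. The sample passwd, group, sudoers and sshd_config files are constructed for illustration and written to a temporary directory so the functions run exactly as they would against a host's /etc; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): an administrative-privilege audit for one
# Linux host, run against copies of /etc/passwd, /etc/group, /etc/sudoers and
# /etc/ssh/sshd_config. The sample files below are constructed for illustration.
set -eu

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:0:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
sudo:x:27:alice
wheel:x:10:
admin:x:115:carol
users:x:100:
EOF
cat > "$SAMPLE_DIR/sudoers" <<'EOF'
Defaults        env_reset
Defaults        logfile=/var/log/sudo.log
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
carol   ALL=(ALL) NOPASSWD: ALL
EOF
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication no
EOF

# Every account with UID 0 is root, whatever its name says.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Non-root accounts whose primary GID is 0: they hold the root group's file permissions.
gid0_non_root_accounts() {
    awk -F: '$4 == 0 && $3 != 0 { print $1 }' "$1"
}

# Members of the admin groups (sudo on Debian/Ubuntu, wheel on RHEL/Fedora/SUSE, admin on
# older Ubuntu). Supplementary members come from /etc/group; a user whose *primary* group
# is an admin group only shows up in /etc/passwd, so both files are read.
admin_group_members() {
    awk -F: -v groups="sudo wheel admin" '
        BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) want[g[i]] = 1 }
        FNR == NR {
            if ($1 in want) {
                gid[$3] = $1
                m = split($4, members, ",")
                for (i = 1; i <= m; i++) if (members[i] != "") print members[i]
            }
            next
        }
        ($4 in gid) { print $1 }
    ' "$2" "$1" | sort -u
}

# sudoers rules that skip authentication, which undermine per-user accountability.
nopasswd_rules() {
    grep -h -v '^[[:space:]]*#' "$@" | grep 'NOPASSWD' || true
}

# Effective PermitRootLogin value: sshd honours the first occurrence of a keyword.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1"
}

# One report line per issue; INFO lines are context rather than findings.
audit_report() {
    dir=$1
    for u in $(uid0_accounts "$dir/passwd"); do
        [ "$u" = root ] || echo "FINDING: extra UID 0 account: $u"
    done
    for u in $(gid0_non_root_accounts "$dir/passwd"); do
        echo "FINDING: primary GID 0 on non-root account: $u"
    done
    echo "INFO: admin group members: $(admin_group_members "$dir/passwd" "$dir/group" | tr '\n' ' ')"
    nopasswd_rules "$dir/sudoers" | while read -r rule; do
        echo "FINDING: passwordless sudo rule: $rule"
    done
    case "$(permit_root_login "$dir/sshd_config")" in
        yes) echo "FINDING: sshd permits direct root login" ;;
    esac
}

audit_report "$SAMPLE_DIR"
```

Against a real host, run it as root with the live files (sudoers is not world-readable) and pass `/etc/sudoers.d/*` to `nopasswd_rules` as well, since rules dropped there by packages or configuration management are just as effective as the main file; `sudo -l -U <user>` shows the rules that actually apply to one account after all includes and aliases are resolved. The sample produces four findings: the second UID 0 account, a primary GID 0 account, one NOPASSWD rule and root login enabled in sshd.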
General hardening of Linux
Given the difficulty in implementing application whitelisting on Linux, the following
strategies can be implemented to assist with reducing the residual risk of the