Practice Exercise: Enhancing Local Security in Linux
Objectives
- Explore the use of sudo for command execution with elevated privileges.
- Practice keeping Linux systems up-to-date for improved security.
Scenario
Security is a top priority in Linux system administration. In this exercise, you will delve into various aspects of local security principles. You will explore how to use sudo for secure command execution and ensure that your Linux systems remain current with the latest security updates.
Tasks
Task 1: Using sudo for Controlled Access
- Explain the purpose of the sudo command in Linux.
- Demonstrate how to execute a command with elevated privileges using sudo.
- Create a new user and grant them sudo privileges for specific commands.
- Emphasize the significance of using sudo to limit superuser access and maintain security.

    [intern@intern-a1t-inf-lnx1 ~]$ sudo useradd new_user
    [intern@intern-a1t-inf-lnx1 ~]$ sudo passwd new_user
    Changing password for user new_user.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    [intern@intern-a1t-inf-lnx1 ~]$ su -l new_user
    Password:
    Last login: Wed Sep 27 03:16:09 UTC 2023 on pts/0
    [intern@intern-a1t-inf-lnx1 ~]$ sudo ls /root/
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
    [sudo] password for new_user:
    new_user is not in the sudoers file. This incident will be reported.
    [intern@intern-a1t-inf-lnx1 ~]$ exit
    [intern@intern-a1t-inf-lnx1 ~]$ sudo visudo
    ...
    # Add sudo privileges to new_user using the command ls
    new_user ALL=(ALL:ALL) NOPASSWD: /usr/bin/ls
    ...
- The following lines were appended to the file:

    # Add sudo privileges to new_user using the command ls
    new_user ALL=(ALL) NOPASSWD: /usr/bin/ls

- Now new_user can list restricted folders:

    [intern@intern-a1t-inf-lnx1 ~]$ su -l new_user
    Password:
    Last login: Wed Sep 27 03:17:33 UTC 2023 on pts/0
    [intern@intern-a1t-inf-lnx1 ~]$ sudo ls /root
    check.sh                         node_exporter-1.6.1.linux-amd64.tar.gz                 submit.sh
    node_exporter-1.6.1.linux-amd64  splunkforwarder-9.1.0.1-77f73c9edb85-Linux-x86_64.tgz
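To review what a sudoers file actually grants, the following added example (not part of the original exercise) classifies each user specification as command-scoped, like the new_user rule above, or unrestricted. The function name audit_sudoers and the ops_user entry are assumptions made for illustration, and the sample text is constructed.

```python
import re

# Constructed sample: the rule added in this exercise, a blanket grant for
# contrast (ops_user is hypothetical), and a stock Defaults line.
SAMPLE_SUDOERS = """\
Defaults    env_reset
# Add sudo privileges to new_user using the command ls
new_user ALL=(ALL) NOPASSWD: /usr/bin/ls
ops_user ALL=(ALL) NOPASSWD: ALL
"""

SPEC = re.compile(r"^(\S+)\s+[^=]+=\s*(.+)$")   # user  hosts = rest
RUNAS = re.compile(r"^\([^)]*\)\s*")            # (ALL) or (ALL:ALL)
TAG = re.compile(r"^([A-Z_]+):\s*")             # NOPASSWD:, NOEXEC:, ...


def audit_sudoers(text):
    """Return (user, scope, nopasswd, commands) for each user specification.

    Simplification: one rule per line, no aliases, no line continuations.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments, include directives and Defaults entries.
        if not line or line.startswith(("#", "@", "Defaults")):
            continue
        if re.match(r"\w+_Alias\b", line):
            continue
        spec = SPEC.match(line)
        if not spec:
            continue
        user, rest = spec.group(1), RUNAS.sub("", spec.group(2))
        tags = set()
        tag = TAG.match(rest)
        while tag:                      # peel off leading tags
            tags.add(tag.group(1))
            rest = rest[tag.end():]
            tag = TAG.match(rest)
        commands = [c.strip() for c in rest.split(",")]
        # "ALL" in the command list means any command as the run-as user.
        scope = "unrestricted" if "ALL" in commands else "command-scoped"
        findings.append((user, scope, "NOPASSWD" in tags, commands))
    return findings


if __name__ == "__main__":
    for user, scope, nopasswd, commands in audit_sudoers(SAMPLE_SUDOERS):
        print(user, scope, "NOPASSWD" if nopasswd else "password", commands)
```

A bare path such as /usr/bin/ls in a rule still permits any arguments, which is why sudo ls /root succeeds for new_user above.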
Task 2: Keeping Systems Current
- Stress the importance of keeping Linux systems up-to-date with security patches.
- Explain how package managers, such as apt or yum, can be used to update software packages.
- Demonstrate how to check for system updates and apply them to ensure system security.
- Discuss the risks associated with running outdated software.

    [intern@intern-a1t-inf-lnx1 ~]$ sudo yum update
    Last metadata expiration check: 3:11:33 ago on Wed 27 Sep 2023 12:15:01 AM UTC.
    Error:
     Problem: cannot install the best update candidate for package libidn2-2.2.0-1.el8.x86_64
      - nothing provides libunistring.so.0()(64bit) needed by libidn2-2.3.4-1.el7.x86_64
    (try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

- When yum hits an error while updating, it usually suggests a course of action. For this one, let's try --skip-broken and, if that doesn't work, --nobest.

    [intern@intern-a1t-inf-lnx1 ~]$ sudo yum update --skip-broken
    Last metadata expiration check: 3:12:58 ago on Wed 27 Sep 2023 12:15:01 AM UTC.
    Error:
     Problem: cannot install the best update candidate for package libidn2-2.2.0-1.el8.x86_64
      - nothing provides libunistring.so.0()(64bit) needed by libidn2-2.3.4-1.el7.x86_64
    (try to add '--nobest' to use not only best candidate packages)
    [intern@intern-a1t-inf-lnx1 ~]$ sudo yum update --nobest
    Last metadata expiration check: 3:13:25 ago on Wed 27 Sep 2023 12:15:01 AM UTC.
    Dependencies resolved.
     Problem: cannot install the best update candidate for package libidn2-2.2.0-1.el8.x86_64
      - nothing provides libunistring.so.0()(64bit) needed by libidn2-2.3.4-1.el7.x86_64
    ======================================================================================================
     Package                     Arch   Version                             Repository Size
    ======================================================================================================
    Installing:
     kernel                      x86_64 4.18.0-514.el8                      baseos     10 M
    Upgrading:
     NetworkManager              x86_64 1:1.40.16-9.el8                     baseos     2.3 M
     NetworkManager-libnm        x86_64 1:1.40.16-9.el8                     baseos     1.9 M
     NetworkManager-team         x86_64 1:1.40.16-9.el8                     baseos     160 k
     NetworkManager-tui          x86_64 1:1.40.16-9.el8                     baseos     355 k
     audit                       x86_64 3.0.7-5.el8                         baseos     283 k
     audit-libs                  x86_64 3.0.7-5.el8                         baseos     123 k
     authselect                  x86_64 1.2.6-2.el8                         baseos     149 k
     authselect-compat           x86_64 1.2.6-2.el8                         appstream  38 k
     authselect-libs             x86_64 1.2.6-2.el8                         baseos     266 k
     bind-export-libs            x86_64 32:9.11.36-9.el8                    baseos     1.1 M
     brotli                      x86_64 1.0.9-10.el7                        epel       309 k
     c-ares                      x86_64 1.13.0-8.el8                        baseos     93 k
     ca-certificates             noarch 2023.2.60_v7.0.306-80.0.el8         baseos     935 k
     chkconfig                   x86_64 1.19.2-1.el8                        baseos     217 k
     cloud-init                  noarch 23.1.1-10.el8                       appstream  1.2 M
     crypto-policies             noarch 20230731-1.git3177e06.el8           baseos     64 k
     crypto-policies-scripts     noarch 20230731-1.git3177e06.el8           baseos     84 k
     cryptsetup-libs             x86_64 2.3.7-7.el8                         baseos     491 k
     curl                        x86_64 7.61.1-33.el8                       baseos     353 k
     dbus                        x86_64 1:1.12.8-26.el8                     baseos     38 k
     dbus-common                 noarch 1:1.12.8-26.el8                     baseos     47 k
     dbus-daemon                 x86_64 1:1.12.8-26.el8                     baseos     246 k
     dbus-libs                   x86_64 1:1.12.8-26.el8                     baseos     185 k
     dbus-tools                  x86_64 1:1.12.8-26.el8                     baseos     87 k
     dnf                         noarch 4.7.0-19.el8                        baseos     553 k
     dnf-data                    noarch 4.7.0-19.el8                        baseos     159 k
     dnf-plugins-core            noarch 4.0.21-23.el8                       baseos     77 k
     dracut                      x86_64 049-228.git20230802.el8             baseos     380 k
     dracut-network              x86_64 049-228.git20230802.el8             baseos     111 k
     dracut-squash               x86_64 049-228.git20230802.el8             baseos     63 k
     elfutils-debuginfod-client  x86_64 0.189-3.el8                         baseos     76 k
     elfutils-default-yama-scope noarch 0.189-3.el8                         baseos     52 k
     elfutils-libelf             x86_64 0.189-3.el8                         baseos     232 k
     elfutils-libs               x86_64 0.189-3.el8                         baseos     303 k
     epel-release                noarch 8-11.el8                            extras     24 k
     findutils                   x86_64 1:4.6.0-21.el8                      baseos     537 k
     firewalld                   noarch 0.9.11-1.el8                        baseos     580 k
     firewalld-filesystem        noarch 0.9.11-1.el8                        baseos     78 k
     glibc                       x86_64 2.28-236.el8.6                      baseos     2.2 M
     glibc-all-langpacks         x86_64 2.28-236.el8.6                      baseos     26 M
     glibc-common                x86_64 2.28-236.el8.6                      baseos     1.0 M
     glibc-devel                 x86_64 2.28-236.el8.6                      baseos     85 k
     glibc-gconv-extra           x86_64 2.28-236.el8.6                      baseos     1.5 M
     glibc-headers               x86_64 2.28-236.el8.6                      baseos     490 k
     glibc-langpack-en           x86_64 2.28-236.el8.6                      baseos     828 k
     gnutls                      x86_64 3.6.16-7.el8                        baseos     1.0 M
     grubby                      x86_64 8.40-48.el8                         baseos     50 k
     hwdata                      noarch 0.314-8.19.el8                      baseos     1.8 M
     iproute                     x86_64 6.2.0-2.el8                         baseos     880 k
     iptables                    x86_64 1.8.5-10.el8                        baseos     592 k
     iptables-ebtables           x86_64 1.8.5-10.el8                        baseos     74 k
     iptables-libs               x86_64 1.8.5-10.el8                        baseos     103 k
     iputils                     x86_64 20180629-11.el8                     baseos     149 k
     irqbalance                  x86_64 2:1.9.2-1.el8                       baseos     72 k
     kbd                         x86_64 2.0.4-11.el8                        baseos     422 k
     kbd-legacy                  noarch 2.0.4-11.el8                        baseos     536 k
     kbd-misc                    noarch 2.0.4-11.el8                        baseos     1.6 M
     kernel-tools                x86_64 4.18.0-514.el8                      baseos     10 M
     kernel-tools-libs           x86_64 4.18.0-514.el8                      baseos     10 M
     kexec-tools                 x86_64 2.0.26-9.el8                        baseos     531 k
     krb5-libs                   x86_64 1.18.2-25.el8                       baseos     852 k
     libblkid                    x86_64 2.32.1-43.el8                       baseos     220 k
     libcap                      x86_64 2.48-5.el8                          baseos     77 k
     libcurl                     x86_64 7.61.1-33.el8                       baseos     303 k
     libdnf                      x86_64 0.63.0-17.el8                       baseos     710 k
     libfastjson                 x86_64 0.99.9-2.el8                        appstream  38 k
     libfdisk                    x86_64 2.32.1-43.el8                       baseos     254 k
     libibverbs                  x86_64 46.0-1.el8.1                        baseos     410 k
     libldb                      x86_64 2.7.2-3.el8                         baseos     198 k
     libmount                    x86_64 2.32.1-43.el8                       baseos     236 k
     libnftnl                    x86_64 1.2.2-3.el8                         baseos     87 k
     libsmartcols                x86_64 2.32.1-43.el8                       baseos     179 k
     libsolv                     x86_64 0.7.20-6.el8                        baseos     376 k
     libsss_autofs               x86_64 2.9.1-2.el8                         baseos     128 k
     libsss_certmap              x86_64 2.9.1-2.el8                         baseos     184 k
     libsss_idmap                x86_64 2.9.1-2.el8                         baseos     130 k
     libsss_nss_idmap            x86_64 2.9.1-2.el8                         baseos     139 k
     libsss_sudo                 x86_64 2.9.1-2.el8                         baseos     126 k
     libstdc++                   x86_64 8.5.0-20.el8                        baseos     458 k
     libtalloc                   x86_64 2.4.0-3.el8                         baseos     50 k
     libtdb                      x86_64 1.4.8-3.el8                         baseos     60 k
     libtevent                   x86_64 0.14.1-3.el8                        baseos     52 k
     libuuid                     x86_64 2.32.1-43.el8                       baseos     99 k
     libzstd                     x86_64 1.5.5-1.el7                         epel       292 k
     linux-firmware              noarch 20230824-118.git0e048b06.el8        baseos     286 M
     memstrack                   x86_64 0.2.5-2.el8                         baseos     52 k
     ncurses                     x86_64 6.1-10.20180224.el8                 baseos     393 k
     ncurses-base                noarch 6.1-10.20180224.el8                 baseos     114 k
     ncurses-libs                x86_64 6.1-10.20180224.el8                 baseos     339 k
     nftables                    x86_64 1:1.0.4-3.el8                       baseos     380 k
     openssh                     x86_64 8.0p1-19.el8                        baseos     524 k
     openssh-clients             x86_64 8.0p1-19.el8                        baseos     669 k
     openssh-server              x86_64 8.0p1-19.el8                        baseos     493 k
     pam                         x86_64 1.3.1-27.el8                        baseos     850 k
     platform-python             x86_64 3.6.8-55.el8                        baseos     87 k
     platform-python-pip         noarch 9.0.3-23.el8                        baseos     1.7 M
     procps-ng                   x86_64 3.3.15-14.el8                       baseos     330 k
     python3-audit               x86_64 3.0.7-5.el8                         baseos     87 k
     python3-cffi                x86_64 1.11.5-6.el8                        baseos     249 k
     python3-cryptography        x86_64 3.2.1-6.el8                         baseos     641 k
     python3-dnf                 noarch 4.7.0-19.el8                        baseos     604 k
     python3-dnf-plugins-core    noarch 4.0.21-23.el8                       baseos     279 k
     python3-firewall            noarch 0.9.11-1.el8                        baseos     472 k
     python3-hawkey              x86_64 0.63.0-17.el8                       baseos     118 k
     python3-libdnf              x86_64 0.63.0-17.el8                       baseos     780 k
     python3-libs                x86_64 3.6.8-55.el8                        baseos     8.4 M
     python3-nftables            x86_64 1:1.0.4-3.el8                       baseos     31 k
     python3-perf                x86_64 4.18.0-514.el8                      baseos     10 M
     python3-pip-wheel           noarch 9.0.3-23.el8                        baseos     866 k
     python3-pytz                noarch 2017.2-11.el8                       appstream  57 k
     python3-requests            noarch 2.20.0-4.el8                        baseos     135 k
     python3-setools             x86_64 4.3.0-5.el8                         baseos     627 k
     python3-syspurpose          x86_64 1.28.40-1.el8                       baseos     340 k
     qemu-guest-agent            x86_64 15:6.2.0-39.module_el8+669+76cc32af appstream  364 k
     rsyslog                     x86_64 8.2102.0-15.el8                     appstream  778 k
     selinux-policy              noarch 3.14.3-128.el8                      baseos     664 k
     selinux-policy-targeted     noarch 3.14.3-128.el8                      baseos     15 M
     shadow-utils                x86_64 2:4.6-19.el8                        baseos     1.3 M
     squashfs-tools              x86_64 4.3-21.el8                          baseos     165 k
     sssd-client                 x86_64 2.9.1-2.el8                         baseos     250 k
     sssd-common                 x86_64 2.9.1-2.el8                         baseos     1.7 M
     sssd-kcm                    x86_64 2.9.1-2.el8                         baseos     262 k
     sssd-nfs-idmap              x86_64 2.9.1-2.el8                         baseos     127 k
     sysstat                     x86_64 11.7.3-11.el8                       appstream  443 k
     systemd                     x86_64 239-78.el8                          baseos     3.6 M
     systemd-libs                x86_64 239-78.el8                          baseos     1.1 M
     systemd-pam                 x86_64 239-78.el8                          baseos     510 k
     systemd-udev                x86_64 239-78.el8                          baseos     1.6 M
     tpm2-tss                    x86_64 2.3.2-5.el8                         baseos     279 k
     tuned                       noarch 2.21.0-1.el8                        baseos     435 k
     util-linux                  x86_64 2.32.1-43.el8                       baseos     2.5 M
     virt-what                   x86_64 1.25-4.el8                          baseos     38 k
     xfsprogs                    x86_64 5.0.0-12.el8                        baseos     1.1 M
     yum                         noarch 4.7.0-19.el8                        baseos     209 k
    Installing dependencies:
     kernel-core                 x86_64 4.18.0-514.el8                      baseos     43 M
     kernel-modules              x86_64 4.18.0-514.el8                      baseos     35 M
     libbrotli                   x86_64 1.0.9-10.el7                        epel       308 k
    Skipping packages with broken dependencies:
     libidn2                     x86_64 2.3.4-1.el7                         epel       159 k
    Transaction Summary
    ======================================================================================================
    Install    4 Packages
    Upgrade  134 Packages
    Skip       1 Package
    Total download size: 516 M
    Is this ok [y/N]:

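The --nobest transaction above offers .el7 builds from the epel repository on a host whose installed libidn2 is an .el8 build. As an added example (not part of the original exercise), this Python function groups such rows by repository so the repository definition can be checked before answering y; the name foreign_builds and the host_dist parameter are assumptions, and the sample rows are copied from the table above.

```python
import re

# Constructed sample: rows copied from the `yum update --nobest` table above.
SAMPLE_ROWS = """\
Upgrading:
 brotli        x86_64  1.0.9-10.el7     epel     309 k
 curl          x86_64  7.61.1-33.el8    baseos   353 k
 epel-release  noarch  8-11.el8         extras    24 k
 libzstd       x86_64  1.5.5-1.el7      epel     292 k
 openssh       x86_64  8.0p1-19.el8     baseos   524 k
Installing dependencies:
 libbrotli     x86_64  1.0.9-10.el7     epel     308 k
Skipping packages with broken dependencies:
 libidn2       x86_64  2.3.4-1.el7      epel     159 k
"""

# Columns: name, arch, version-release, repository, size, unit.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+[\d.]+\s+[kMG]$")
DIST = re.compile(r"[._](el\d+)")   # dist tag inside version-release


def foreign_builds(table_text, host_dist):
    """Group packages whose dist tag differs from host_dist by repository."""
    by_repo = {}
    for line in table_text.splitlines():
        row = ROW.match(line.strip())
        if not row:
            continue            # headers, separators, section titles
        name, _arch, version, repo = row.groups()
        dist = DIST.search(version)
        if dist and dist.group(1) != host_dist:
            by_repo.setdefault(repo, []).append("%s-%s" % (name, version))
    return by_repo


if __name__ == "__main__":
    # host_dist "el8" is taken from the installed libidn2-2.2.0-1.el8 above.
    for repo, packages in foreign_builds(SAMPLE_ROWS, "el8").items():
        print(repo, packages)
```

In this transaction every mismatched row comes from epel, so that repository's configuration is the first thing to inspect.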
Conclusion
Local security is a critical aspect of Linux system administration. In this exercise, you've learned about sudo for controlled command execution, the concept of process isolation, methods for limiting hardware access, and the significance of keeping Linux systems current with security updates. By following these security principles and best practices, you can help protect your Linux systems from potential threats and vulnerabilities.