ENDPOINT SECURITY – LINUX – PART 1

Hello Everyone

Before we Start, ask yourself a question; What do you know in Cyber Security and What do you do for security?
Most of the Peoples answers will be like Offensive Strategies(Hack the Box, VAPT, Bug Bounty and few more).
How many of us are doing something in Defensive Strategies? If you are doing one these days, well its appreciated.

If you are not, Don’t worry you will learn a lot from us in the upcoming days.

Today we will learn about Endpoint security in Linux Operating Systems.

What is Endpoint Security?
First of all What is an Endpoint?
A Device or a node that is being used for communication is called as an endpoint. Examples are Computers, Routers, Servers, Mobile Devices etc.
I think now you come to an Idea what is Endpoint Security is.

When we deal with different Endpoints, we have to follow different sets of Procedures to secure. We are not going to discuss all the theory stuffs and get bored. We will learn few tools here that will help us to secure our Linux Environment.

In today’s Blog we are going to learn how to secure our Linux Environment Using Mandatory Access Control (MAC) System
Mandatory Access Control (MAC) :
“In computer security, mandatory access control refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target” Credit Goes to Wikipedia lol.
“Simply we can say limiting out the resources only to the people who or which needs in necessarily”

We will use a tool called AppArmor to restrict the programs to utilize up to only limited amount of resources.
We will learn how to restrict basic ARP-SCAN Package with this tool.

AppArmor works based on profiles loaded into the kernel. We have two profiles in it.
Complain Mode : There is no profile rules enforced with this mode but violations will be recorded in logs
Enforced Mode : Profile rules are adhered and application profiles are not allowed to work that violates the rules and log will also generated in syslog or auditd.

How to Do it?

Installing AppArmor

Next Step we need to check what are the profiles running in which mode

Next Step we need to create our own profile, for that we need the Apparmor Utilities, So we will install that too in this step.
command : apt install apparmor apparmor-utils

To check out the commands that can be used in Apparmor, use aa and press tab twice. We can use lot of commands with apparmor but here we are going to secure linux either in enforce mode or complain mode.

Now lets check that our machine can do the arp-scan or not: and its working very fine for now
command : arp-scan -local

Let me make a directory inside the apparmor directory for creation of a new profile so it won’t create any conflicts or error in future.
command : mkdir -p /var/lib/snapd/apparmor/snap-confine

Its time to create the profile
command : aa-autodep arp-scan

We have to verify that in which mode the newly added profile is working.
command : apparmor_status

You can see that our new profile that we created is running in complain mode, we need to change it to enforce mode to make it effective.
command : aa-enforce arp-scan

Once again check the apparmor status and verify the arp-scan is working or not

We successfully applied our Mandatory access control system in our Linux Endpoint by restricting the user not to use the arp-can package. Similarly we can do with other tools as well. Practice this with your Environment

Stay tuned for the next part, where we are going to learn more on Linux Hardening and Auditing of Linux Endpoints.

Thank you.

Author:
SAM NIVETHAN V J
SECURITY ANALYST & TRAINER

Leave a Comment

Your email address will not be published. Required fields are marked *