Post-installation Guide


Security

One of the most important factors about an OS is security. Axis Linux Docs provides a complete guide to security.

Tip

There are a number of utilities that can further help you harden your OS. We recommend using lynis.

Passwords

First and most obvious: the biggest security flaw is choosing and using an insecure password.

Examples of insecure passwords:

  • Personally identifiable information (e.g., your dog's name, date of birth, area code, favorite video game)

  • Simple character substitutions on words (e.g., k1araj0hns0n), as modern dictionary attacks can easily work with these

  • Root "words" or common strings followed or preceded by added numbers, symbols, or characters (e.g., DG091101%)

  • Common phrases or strings of dictionary words (e.g. photocopyhauntbranchexpose) including with character substitution (e.g. Ph0toc0pyh4uN7br@nch3xp*se)

  • Any of the most common passwords
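As an added example (not from the Axis Linux documentation), this POSIX shell script shows why the patterns above are weak: it undoes the common character substitutions, looks for dictionary words in the result, and flags a root word with numbers or symbols tacked onto one end. The word lists and the 12-character threshold are the example's own constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the Axis Linux documentation. The word lists are
# constructed for the demonstration; a real audit uses a full dictionary and
# leaked-password lists (e.g. pam_pwquality at passwd time, or cracking your
# own hashes).

# Words a dictionary attack would try (constructed, deliberately tiny).
DICT_WORDS="klara johnson photocopy haunt branch expose password summer dragon welcome"
# A few of the most common passwords (constructed subset).
COMMON_PASSWORDS="123456 password qwerty 12345678 letmein iloveyou admin"

# Undo the usual substitutions (0->o 1->l 3->e 4->a 5->s 7->t 8->b @->a $->s),
# lower-case the result and keep letters only, so k1araj0hns0n becomes
# klarajohnson. This is what a "leet" rule in a cracking tool does.
normalize() {
    printf '%s' "$1" | tr '0134578@$' 'oleastbas' \
        | tr '[:upper:]' '[:lower:]' | tr -cd 'a-z'
}

# Prints one reason per line why $1 looks weak. Exit status 0 = weak,
# 1 = none of the listed patterns matched (not proof that it is strong).
weak_password_reasons() {
    pw=$1
    weak=1
    lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    norm=$(normalize "$pw")

    for common in $COMMON_PASSWORDS; do
        if [ "$lower" = "$common" ]; then
            echo "one of the most common passwords"
            weak=0
        fi
    done

    # Dictionary words survive substitution and concatenation.
    for word in $DICT_WORDS; do
        case "$norm" in
            *"$word"*) echo "contains dictionary word '$word' after undoing substitutions"; weak=0 ;;
        esac
    done

    # A root word with numbers/symbols only prepended or appended (DG091101%).
    if printf '%s\n' "$pw" | grep -Eq '^[A-Za-z]+[^A-Za-z]+$|^[^A-Za-z]+[A-Za-z]+$'; then
        echo "root word with numbers or symbols added at one end only"
        weak=0
    fi

    if [ "${#pw}" -lt 12 ]; then
        echo "shorter than 12 characters (this example's threshold)"
        weak=0
    fi
    return "$weak"
}

# Demonstration on the examples from the list above.
for candidate in 'k1araj0hns0n' 'DG091101%' 'Ph0toc0pyh4uN7br@nch3xp*se'; do
    echo "== $candidate"
    weak_password_reasons "$candidate" || echo "no listed pattern matched"
done
```

Passing this check only means that none of the listed patterns matched; it is not a strength measure, and it is meant to illustrate how little the substitutions help rather than to replace a policy module such as pam_pwquality.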

Backups

Another painfully obvious security move - creating backups.

Regularly create backups of important data. Regularly test the integrity of the backups. Regularly test that the backups can be restored.

Make sure that at least one copy of the data is stored offline, i.e. not connected to the system under threat in any way. Ransomware and other destructive attacks may also attack any connected backup systems.

Users and groups

The root account isn't meant for every-day use. It is dangerous to work as root all the time, because there is a higher chance of breaking something or of malware gaining root access.

Instead, you should create and use unprivileged user account(s) for most tasks, only using the root account for system administration. For example:


useradd -m -G additional_groups -s login_shell username

  • -m / --create-home - the user's home directory is created as /home/username. The directory is populated by the files in the skeleton directory. The created files are owned by the new user.

  • -G / --groups - a comma separated list of supplementary groups which the user is also a member of. The default is for the user to belong only to the initial group.

  • -s / --shell - a path to the user's login shell. Ensure the chosen shell is installed if choosing something other than Bash.

View other options by running useradd --help.

Although it's not required, it's highly recommended to protect a new account with a password:


passwd username

Upgrades

It is important to regularly upgrade the system:


pacman -Syu

Don't forget to update packages not tracked by pacman, e.g. npm packages and AUR packages.

NPM packages can be updated using:


npm update

For AUR packages you can use a helper, like yay.


yay

or manually reinstall them.

Audit tools

Use audit tools to protect your system:

  • arch-audit (arch-audit package) - simple tool to display currently installed vulnerable packages.

  • auditd (audit package) - userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk.

umask

The umask utility is used to control the file-creation mode mask, which determines the initial value of file permission bits for newly created files.

The default umask value 0022 can be changed to improve security for newly created files. The NSA RHEL5 Security Guide suggests a umask of 0077 for maximum security, which makes new files not readable by users other than the owner.

System-wide umask can be set in /etc/profile or in the default shell configuration files, e.g. /etc/bash.bashrc and in /etc/login.defs.

You can temporarily (for the current session) change the umask by running:


umask 077
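To make the effect concrete, here is an added example (not from the Axis Linux documentation) that computes the mode a new file or directory receives under a given umask and then verifies it by creating a file and a directory under umask 077 in a temporary directory. effective_mode, mode_of and demo_umask are the example's own names.

```shell
#!/bin/sh
# Added example, not part of the Axis Linux documentation: what a umask does to
# newly created files. The kernel starts from 0666 for files and 0777 for
# directories and clears every bit that is set in the umask (unless the parent
# directory carries a default ACL); execute bits stay off for files regardless.

# Print the permission bits a new file or dir gets under umask $1 (e.g. 077).
effective_mode() {
    mask=$1
    case "$2" in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *) echo "usage: effective_mode <umask> file|dir" >&2; return 2 ;;
    esac
    # Leading-zero constants are octal in POSIX shell arithmetic.
    printf '%04o\n' $(( $base & ~0$mask ))
}

# Permission string of a path from ls, which is portable across stat(1) variants.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Live check: create a file and a directory under umask 077 in a temp dir and
# show that only the owner has access. Prints the file's mode, then the dir's.
demo_umask() {
    tmp=$(mktemp -d) || return 1
    ( umask 077; touch "$tmp/f"; mkdir "$tmp/d" )
    mode_of "$tmp/f"
    mode_of "$tmp/d"
    rm -rf "$tmp"
}

echo "umask 022 file: $(effective_mode 022 file)   dir: $(effective_mode 022 dir)"
echo "umask 077 file: $(effective_mode 077 file)   dir: $(effective_mode 077 dir)"
demo_umask
```

A umask set in /etc/profile or a shell rc file only reaches shells that source those files; services started by systemd take their umask from the unit's UMask= setting instead, so check both places when auditing.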

Core dumps

A core dump is a file containing a process's address space (memory) when the process terminates unexpectedly.

You can set the maximum core dump size in /etc/security/limits.conf via PAM (pam_limits). A hard limit of 0 disables core dumps for all users:


* hard core 0

Passwords rounds

The rounds=N option improves key strengthening. The number of rounds has a larger impact on security than the selection of a hash function. For example, rounds=65536 means that an attacker has to compute 65536 hashes for each password they test against the hash in your /etc/shadow, so the attacker is slowed down by a factor of 65536. It also means that your computer must compute 65536 hashes every time you log in, but even on slow computers that takes less than 1 second.

Open /etc/pam.d/passwd with a text editor and add the rounds option at the end of the uncommented line. After applying this change the line should look like this:


password	required	pam_unix.so sha512 shadow nullok rounds=65536
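As an added example (not from the Axis Linux documentation): changing the pam_unix line only affects passwords set after the change, so it is worth checking which accounts still carry a low-cost hash. The script below parses hashes in /etc/shadow format; the sample file, salts and hashes are constructed placeholders, and the 5000-round default for sha512-crypt is glibc's.

```shell
#!/bin/sh
# Added example, not part of the Axis Linux documentation. Changing the rounds=
# option only affects passwords set afterwards, so existing hashes keep their
# old cost until the password is changed. The hash field in /etc/shadow looks
# like $6$rounds=65536$<salt>$<hash>; if rounds= is absent, sha512-crypt uses
# its default of 5000 rounds.

# Print "<algorithm id> <effective rounds>" for one shadow hash string.
# Returns 1 for hash types where rounds= does not apply (e.g. $y$ yescrypt).
shadow_rounds() {
    algo=$(printf '%s' "$1" | cut -d'$' -f2)
    opt=$(printf '%s' "$1" | cut -d'$' -f3)
    case "$algo" in
        5|6) ;;                               # sha256-crypt / sha512-crypt
        *) echo "$algo not-applicable"; return 1 ;;
    esac
    case "$opt" in
        rounds=*) echo "$algo ${opt#rounds=}" ;;
        *)        echo "$algo 5000" ;;        # default when rounds= is absent
    esac
}

# Report every account in a shadow-formatted file $1 whose hash uses fewer
# than $2 rounds. Locked or passwordless entries (!, *, empty) are skipped.
audit_shadow_rounds() {
    file=$1 min=$2
    while IFS=: read -r user pw _rest; do
        case "$pw" in ''|'!'*|'*'*) continue ;; esac
        result=$(shadow_rounds "$pw") || { echo "$user: ${result%% *} hash, rounds= not applicable"; continue; }
        rounds=${result#* }
        if [ "$rounds" -lt "$min" ]; then
            echo "$user: only $rounds rounds (< $min)"
        fi
    done < "$file"
}

# Constructed sample in /etc/shadow format; salts and hashes are placeholders.
write_sample_shadow() {
    cat > "$1" <<'EOF'
alice:$6$rounds=65536$SALTPLACEHOLDER$HASHPLACEHOLDER:19000:0:99999:7:::
bob:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:19000:0:99999:7:::
carol:!:19000:0:99999:7:::
dave:$y$j9T$SALTPLACEHOLDER$HASHPLACEHOLDER:19000:0:99999:7:::
EOF
}

# On a real system (as root): audit_shadow_rounds /etc/shadow 65536
sample=$(mktemp)
write_sample_shadow "$sample"
audit_shadow_rounds "$sample" 65536
rm -f "$sample"
```

Accounts the audit lists keep their cheaper hash until their password is changed with passwd, which is the moment the new pam_unix options take effect.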

Limit amount of processes

On systems with many, or untrusted, users it is important to limit the number of processes each can run at once, preventing fork bombs and other denial of service attacks. Add the limits to /etc/security/limits.conf:


* soft nproc 100
* hard nproc 200

The current number of threads for each user can be found with ps --no-headers -Leo user | sort | uniq --count. This may help with determining appropriate values for the limits.

Warning

If the current process amount exceeds the limit your system may not work properly!
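Before committing to values, it helps to see which users would already be at or over the limits. The following is an added example (not from the Axis Linux documentation) that feeds per-user thread lines in the format of the ps command above through a checker; the sample counts are constructed.

```shell
#!/bin/sh
# Added example, not part of the Axis Linux documentation: compare per-user
# thread counts (the format of "ps --no-headers -Leo user", one line per thread)
# with candidate nproc limits before putting them in limits.conf, so nobody is
# locked out when the limits take effect. Reads user names from standard input.
check_nproc_limits() {
    soft=$1 hard=$2
    sort | uniq -c | while read -r count user; do
        if [ "$count" -ge "$hard" ]; then
            echo "BLOCK $user $count (at or above hard limit $hard)"
        elif [ "$count" -ge "$soft" ]; then
            echo "WARN  $user $count (at or above soft limit $soft)"
        else
            echo "ok    $user $count"
        fi
    done
}

# Emit user name $1 on $2 lines, mimicking one ps line per thread.
repeat_user() {
    i=0
    while [ "$i" -lt "$2" ]; do
        echo "$1"
        i=$((i + 1))
    done
}

# Constructed sample standing in for the ps output: 120 alice, 30 bob, 250 root threads.
sample_threads() {
    repeat_user alice 120
    repeat_user bob 30
    repeat_user root 250
}

# Against the live system (ps -L needs procps):
#   ps --no-headers -Leo user | check_nproc_limits 100 200
sample_threads | check_nproc_limits 100 200
```

Note that pam_limits does not apply the * wildcard to root; if root should be limited as well, add a line naming root explicitly.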

Random number generation

Generating random data is crucial for several applications, such as creating cryptographic keys. Random data feeds the kernel's entropy pool, whose level is measured in bits. The maximum amount of entropy is 4096 bits.

You can check the current amount of entropy by running:


cat /proc/sys/kernel/random/entropy_avail

If it is rather low (less than 1000), you should follow the next steps.

From Wikipedia: A random number generator (RNG) is a computational or physical device designed to generate a sequence of numbers or symbols that lack any pattern, i.e. appear random.

Random number generators are the easiest way to boost entropy, which contributes to a more stable and secure system. There are tools available:

  • rngd (rng-tools package) - a set of utilities related to random number generation in kernel.

  • haveged (haveged package) - an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm.

Note

The haveged service is now obsolete (since kernel v5.6).

More details:

  • Author's reply

  • README update on haveged repository

Enable rngd service:


systemctl enable rngd

Enable haveged service:


systemctl enable haveged

Disable hyper-threading

Simultaneous multithreading (SMT), also called hyper-threading on Intel CPUs, is a hardware feature that may be a source of L1 Terminal Fault and Microarchitectural Data Sampling vulnerabilities. The Linux kernel and microcode updates contain mitigations for known vulnerabilities, but disabling SMT may still be required on certain CPUs if untrusted virtualization guests are present.

SMT can often be disabled in your system's firmware. Consult your motherboard or system documentation for more information. You can also disable SMT in the kernel by adding the following kernel parameters:


l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force

Malware prevention

  • rkhunter (rkhunter package) - a security monitoring tool for POSIX compliant systems. It scans for rootkits, and other possible vulnerabilities.

Banners and identification

Warn unauthorized users before they enter the system. You can use the /etc/issue and /etc/issue.net files for that.

Example banner:


Axis Linux \r (\l)
********************************************************************
*                                                                  *
* This system is for the use of authorized users only.  Usage of   *
* this system may be monitored and recorded by system personnel.   *
*                                                                  *
* Anyone using this system expressly consents to such monitoring   *
* and is advised that if such monitoring reveals possible          *
* evidence of criminal activity, system personnel may provide the  *
* evidence from such monitoring to law enforcement officials.      *
*                                                                  *
********************************************************************

Privilege elevation

The following command line utilities allow running commands or starting an interactive shell as another user (e.g. root):

  • su (util-linux package, preinstalled with base) - Allows assuming the identity of another user as long as you know the target user's password. root can assume other identities without needing a password.

  • sudo (sudo package) - Allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. In the default configuration it is only usable by root.

  • doas (opendoas package) - A smaller, simpler alternative to sudo.

Warning

Use sudo instead of su

Using sudo for privileged access is preferable to su for a number of reasons.

  • It keeps a log of which normal privilege user has run each privileged command.

  • The root user password need not be given out to each user who requires root access.

  • sudo prevents users from accidentally running commands as root that do not need root access, because a full root terminal is not created. This aligns with the principle of least privilege.

  • Individual programs may be enabled per user, instead of offering complete root access just to run one command. For example, to give the user alice access to a particular program, open the sudoers file with:

    visudo

    and add the line:

    alice ALL = NOPASSWD: /path/to/program

Microcode updates

Processor manufacturers release stability and security updates to the processor microcode. These updates provide bug fixes that can be critical to the stability of your system. Without them, you may experience spurious crashes or unexpected system halts that can be difficult to track down.

All users with an AMD or Intel CPU should install the microcode updates to ensure system stability.

Microcode updates are usually shipped with the motherboard's firmware and applied during firmware initialization. Since OEMs might not release firmware updates in a timely fashion and old systems do not get new firmware updates at all, the ability to apply CPU microcode updates during boot was added to the Linux kernel.

The Linux microcode loader supports three loading methods:

  1. Early loading updates the microcode very early during boot, before the initramfs stage, so it is the preferred method. This is mandatory for CPUs with severe hardware bugs, like the Intel Haswell and Broadwell processor families.

  2. Late loading updates the microcode after booting which could be too late since the CPU might have already tried to use a bugged instruction set. Even if already using early loading, late loading can still be used to apply a newer microcode update without needing to reboot.

  3. Built-in microcode can be compiled into the kernel that is then applied by the early loader.

Depending on the processor you're using, install the following package:

  • amd-ucode - for AMD CPUs

  • intel-ucode - for Intel CPUs

Microcode updates must be enabled by adding /boot/amd-ucode.img or /boot/intel-ucode.img as the first initrd in the bootloader config file. This is before the normal initrd file.
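Because the kernel expects the microcode image first, here is an added example (not from the Axis Linux documentation) that checks a bootloader entry for the microcode image being listed before the main initramfs. It assumes the systemd-boot entry format (one initrd line per image, in load order); GRUB configs need a different parser, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example, not part of the Axis Linux documentation: check that a
# bootloader entry lists the microcode image before the main initramfs. It
# assumes the systemd-boot entry format (one "initrd <path>" line per image,
# in load order); GRUB configs would need a different parser.
check_ucode_first() {
    entry=$1
    first=$(grep -E '^[[:space:]]*initrd[[:space:]]' "$entry" | head -n 1 | awk '{print $2}')
    case "$first" in
        */amd-ucode.img|*/intel-ucode.img)
            echo "ok: $first is loaded first"; return 0 ;;
        '')
            echo "no initrd line found in $entry"; return 2 ;;
        *)
            echo "WARNING: first initrd is $first, the microcode image must come before it"; return 1 ;;
    esac
}

# Constructed sample entries (not real files from this system).
write_sample_entries() {
    dir=$1
    cat > "$dir/good.conf" <<'EOF'
title   Axis Linux
linux   /vmlinuz-linux
initrd  /intel-ucode.img
initrd  /initramfs-linux.img
options root=UUID=PLACEHOLDER-UUID rw
EOF
    cat > "$dir/bad.conf" <<'EOF'
title   Axis Linux
linux   /vmlinuz-linux
initrd  /initramfs-linux.img
initrd  /intel-ucode.img
options root=UUID=PLACEHOLDER-UUID rw
EOF
}

# On a real system: check_ucode_first /boot/loader/entries/<your-entry>.conf
d=$(mktemp -d)
write_sample_entries "$d"
check_ucode_first "$d/good.conf"
check_ucode_first "$d/bad.conf" || true
rm -rf "$d"
```

Run it against each entry under /boot/loader/entries after every bootloader change; a non-zero exit status means the ordering needs fixing before the next reboot.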

Enforce a delay after a failed login attempt

Add the following line to /etc/pam.d/system-login to add a delay of at least 4 seconds between failed login attempts:




auth optional pam_faildelay.so delay=4000000

Warning

You have to specify the time in microseconds, e.g. 4000000μs means 4s.


Axis Linux Documentation is distributed under GNU Free Documentation License 1.3 or later unless otherwise noted.

Copyright © 2021 - Axis Linux