Linux Security Fundamentals

Overview

• What you will learn: Core security principles including defense in depth, least privilege, attack surface reduction, automatic security updates, system auditing with auditd, PAM configuration, sudo hardening, file integrity monitoring with AIDE, and CIS security benchmarks.
• Prerequisites: Module 1 (Linux Fundamentals), basic familiarity with systemd and package management
• Estimated reading time: 25 minutes

Introduction

Security is not a single product or configuration — it is a continuous process that spans every layer of a system. A well-secured Linux server combines multiple overlapping controls so that the failure of any one mechanism does not compromise the entire system. This principle is known as defense in depth.

In this lesson we explore the foundational security concepts that every Linux administrator must understand. We begin with guiding principles, then move into practical tools and configurations available on Ubuntu Server: automatic security patching, kernel-level audit logging, Pluggable Authentication Modules (PAM), sudo hardening, file integrity checking, and industry benchmarks published by the Center for Internet Security (CIS).

By the end of this lesson you will be able to assess a server’s security posture, apply baseline hardening steps, and set up ongoing monitoring to detect unauthorized changes.

Security Principles

Defense in Depth

Defense in depth means layering multiple security controls so that an attacker must defeat several independent mechanisms to reach a target. Layers typically include network firewalls, host firewalls, mandatory access controls, application-level authentication, and encrypted transport.

Principle of Least Privilege

Every user, process, and service should operate with the minimum set of permissions required to complete its task. A web server, for example, should not run as root; it should run under a dedicated service account with access only to its document root and log directory.

# Check which processes run as root
$ ps aux | awk '$1 == "root"' | head -20

# Identify SUID binaries — potential privilege escalation vectors
$ find / -perm -4000 -type f 2>/dev/null

Attack Surface Reduction

Remove or disable anything that is not strictly necessary. Every open port, every installed package, and every running service is a potential entry point for an attacker.

# List listening ports
$ ss -tulnp

# Remove unnecessary packages
$ sudo apt purge telnetd rsh-server

# Disable an unused service
$ sudo systemctl disable --now cups

Automatic Security Updates

Ubuntu provides the unattended-upgrades package to automatically install security patches. On Ubuntu Server it is usually installed by default, but it is important to verify and tune its configuration.

# Install if not present
$ sudo apt install unattended-upgrades

# Enable automatic updates interactively
$ sudo dpkg-reconfigure -plow unattended-upgrades

Configuration Files

# /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
};
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Mail "admin@example.com";

# /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

If a kernel update requires a reboot, consider using Automatic-Reboot with a maintenance window, or use Canonical Livepatch to apply critical kernel fixes without rebooting.

# Check unattended-upgrades log
$ sudo cat /var/log/unattended-upgrades/unattended-upgrades.log

# Dry run
$ sudo unattended-upgrade --dry-run --debug

System Auditing with auditd

The Linux Audit Framework provides comprehensive logging of security-relevant events at the kernel level. It records system calls, file access, user authentication events, and more.

# Install the audit daemon
$ sudo apt install auditd audispd-plugins

# Check status
$ sudo systemctl status auditd

# View current rules
$ sudo auditctl -l

Writing Audit Rules

Audit rules can watch files for changes or monitor specific system calls.

# Watch /etc/passwd for writes and attribute changes
$ sudo auditctl -w /etc/passwd -p wa -k passwd_changes

# Watch /etc/shadow
$ sudo auditctl -w /etc/shadow -p wa -k shadow_changes

# Monitor all execve system calls by a specific user (UID 1001)
$ sudo auditctl -a always,exit -F arch=b64 -S execve -F uid=1001 -k user_cmds

Persistent Rules

# /etc/audit/rules.d/hardening.rules
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /var/log/auth.log -p wa -k auth_log

# Reload rules
$ sudo augenrules --load

Searching Audit Logs

# Search by key
$ sudo ausearch -k passwd_changes

# Search by time range
$ sudo ausearch -ts today -k sudoers_changes

# Generate a summary report
$ sudo aureport --summary

# Authentication report
$ sudo aureport -au

Pluggable Authentication Modules (PAM)

PAM provides a flexible framework for authentication on Linux. Every service that requires user authentication (login, ssh, sudo) uses PAM configuration files in /etc/pam.d/.

PAM Configuration Structure

# /etc/pam.d/common-auth (simplified)
auth    required    pam_faildelay.so    delay=2000000
auth    required    pam_unix.so         nullok
auth    optional    pam_permit.so

# Module types:
#   auth       — verify identity (password, token, biometric)
#   account    — authorization checks (account expiry, time-of-day)
#   password   — update authentication tokens
#   session    — setup/teardown session (mount home, set ulimits)

# Control flags:
#   required   — must succeed; continue checking other modules
#   requisite  — must succeed; fail immediately if not
#   sufficient — if succeeds and no prior required failed, stop
#   optional   — result only matters if it is the only module

Password Quality with pam_pwquality

# Install
$ sudo apt install libpam-pwquality

# /etc/security/pwquality.conf
minlen = 12
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
maxrepeat = 3
reject_username
enforce_for_root

Account Lockout with pam_faillock

# /etc/pam.d/common-auth — add before pam_unix
auth    required    pam_faillock.so preauth silent deny=5 unlock_time=900
auth    required    pam_unix.so     nullok
auth    [default=die] pam_faillock.so authfail deny=5 unlock_time=900

# Check failed attempts
$ sudo faillock --user jdoe

# Reset lockout
$ sudo faillock --user jdoe --reset

Sudo Hardening

The sudo command allows designated users to run commands as root. Proper configuration is critical for both usability and security.

# Always edit sudoers with visudo (syntax checking)
$ sudo visudo

# /etc/sudoers best practices
Defaults    env_reset
Defaults    mail_badpass
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults    logfile="/var/log/sudo.log"
Defaults    log_input, log_output
Defaults    passwd_timeout=1
Defaults    timestamp_timeout=5

# Grant specific commands instead of ALL
admin   ALL=(ALL) /usr/bin/systemctl restart nginx, /usr/bin/journalctl

Drop-in Files

# /etc/sudoers.d/dev-team
%developers ALL=(ALL) NOPASSWD: /usr/bin/docker ps, /usr/bin/docker logs *

# Verify syntax before saving
$ sudo visudo -cf /etc/sudoers.d/dev-team

File Integrity Monitoring with AIDE

AIDE (Advanced Intrusion Detection Environment) creates a database of file checksums and attributes. Periodic checks detect unauthorized modifications to critical system files.

# Install
$ sudo apt install aide aide-common

# Initialize the database
$ sudo aideinit
$ sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# Run a check
$ sudo aide --check

# After legitimate changes, update the database
$ sudo aide --update
$ sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

AIDE Configuration

# /etc/aide/aide.conf (key excerpts)
database_in=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

# Define what to monitor
/etc    p+i+u+g+sha256
/bin    p+i+u+g+sha256
/sbin   p+i+u+g+sha256
/usr/bin  p+i+u+g+sha256
/usr/sbin p+i+u+g+sha256

# Exclude noisy directories
!/var/log
!/var/cache
!/tmp

Automated Daily Check

# /etc/cron.daily/aide-check
#!/bin/bash
/usr/bin/aide --check | mail -s "AIDE Report $(hostname)" admin@example.com

CIS Security Benchmarks

The Center for Internet Security (CIS) publishes detailed hardening guides for Ubuntu and other operating systems. These benchmarks provide hundreds of specific recommendations organized by category.

Key CIS Recommendations

• Filesystem: Ensure /tmp, /var, and /home are on separate partitions with appropriate mount options (nodev, nosuid, noexec).
• Services: Disable unnecessary services (avahi-daemon, cups, rpcbind) and ensure NTP is configured.
• Network: Disable IP forwarding, ICMP redirects, and source routing unless explicitly needed.
• Logging: Ensure rsyslog or journald is configured, log files have correct permissions, and remote logging is enabled.
• Access control: Ensure password expiration policies are set, root login is restricted, and SSH is hardened.

# Example: Harden mount options for /tmp
# /etc/fstab
tmpfs   /tmp    tmpfs   defaults,nodev,nosuid,noexec    0 0

# Example: Disable IP forwarding
$ sudo sysctl -w net.ipv4.ip_forward=0
$ echo "net.ipv4.ip_forward = 0" | sudo tee /etc/sysctl.d/60-cis.conf

# Audit with OpenSCAP (CIS content)
$ sudo apt install libopenscap8 ssg-debderived
$ sudo oscap xccdf eval --profile cis 
    /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml

Key Takeaways

• Defense in depth layers multiple independent controls — firewalls, MAC, authentication, encryption — so no single failure compromises the system.
• The principle of least privilege limits users, processes, and services to only the permissions they need.
• Automatic security updates via unattended-upgrades keep the system patched with minimal administrator intervention.
• The Linux Audit Framework (auditd) provides kernel-level event logging; use ausearch and aureport to query logs.
• PAM controls authentication, account, password, and session behavior through stackable modules in /etc/pam.d/.
• Sudo should be configured with specific command grants, logging, and secure defaults rather than blanket ALL=(ALL) ALL.
• AIDE detects unauthorized file modifications by comparing current checksums against a known-good database.
• CIS benchmarks provide a comprehensive, auditable hardening checklist for Ubuntu Server.

What’s Next

In the next lesson you will learn how to configure OpenSSH for secure remote access, including key-based authentication, server hardening, and advanced features like SSH tunneling and jump hosts.

# 安裝（如果不存在）
$ sudo apt install unattended-upgrades

# 檢查日誌
$ sudo cat /var/log/unattended-upgrades/unattended-upgrades.log

# 模擬執行
$ sudo unattended-upgrade --dry-run --debug

# 安裝稽核守護程式
$ sudo apt install auditd audispd-plugins

# 監視 /etc/passwd 的寫入和屬性變更
$ sudo auditctl -w /etc/passwd -p wa -k passwd_changes

# 依關鍵字搜尋
$ sudo ausearch -k passwd_changes

# 產生摘要報告
$ sudo aureport --summary

# 始終使用 visudo 編輯 sudoers（語法檢查）
$ sudo visudo

# 授予特定命令而非 ALL
admin   ALL=(ALL) /usr/bin/systemctl restart nginx, /usr/bin/journalctl

# 驗證語法
$ sudo visudo -cf /etc/sudoers.d/dev-team

# 安裝
$ sudo apt install aide aide-common

# 初始化資料庫
$ sudo aideinit

# 執行檢查
$ sudo aide --check

# インストール
$ sudo apt install unattended-upgrades

# ログの確認
$ sudo cat /var/log/unattended-upgrades/unattended-upgrades.log

# ドライラン
$ sudo unattended-upgrade --dry-run --debug

# 監査デーモンのインストール
$ sudo apt install auditd audispd-plugins

# /etc/passwd の書き込みと属性変更を監視
$ sudo auditctl -w /etc/passwd -p wa -k passwd_changes

# キーで検索
$ sudo ausearch -k passwd_changes

# サマリーレポートの生成
$ sudo aureport --summary

# 常に visudo で sudoers を編集（構文チェック）
$ sudo visudo

# ALL ではなく特定のコマンドを付与
admin   ALL=(ALL) /usr/bin/systemctl restart nginx, /usr/bin/journalctl

# 構文の検証
$ sudo visudo -cf /etc/sudoers.d/dev-team

# インストール
$ sudo apt install aide aide-common

# データベースの初期化
$ sudo aideinit

# チェックの実行
$ sudo aide --check