Security Handbook/Pre-deployment considerations

From Gentoo Wiki

While ideally all aspects of security would be considered before deploying Gentoo, some controls are much harder to implement after a deployment than others. This section provides guidance on items that should be settled before a secure Gentoo deployment is attempted.


Storage Configuration

The storage configuration of a system can have an impact on its security; the following outlines some best-practice guidelines related to the topic.

Locations that users (or services) have permission to write to (e.g. /home or /tmp) should be on a separate filesystem from system data and should leverage disk quotas or similar mechanisms to prevent excessive utilisation. This reduces the risk of filling up filesystems that are critical to the operation of the host, whether accidentally or maliciously, which may result in a Denial of Service.

Category             | Subcategory | Control                                                                                                      | Maturity
---------------------+-------------+--------------------------------------------------------------------------------------------------------------+---------
System Configuration | Storage     | User and system data should be logically separated wherever practical                                        | 0
System Configuration | Storage     | An appropriate technical control should be implemented to prevent users from filling up critical filesystems | 1

Tip: lvm and tmpfs are often used to accomplish this in other distributions.

Note: Portage uses /var/tmp to compile packages; ensure that this location is sufficient for compiling even the largest package (if not using binpkgs).

Important: Consider placing /var/log on its own filesystem; misconfigured system logs have caused many a full rootfs.
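The two storage controls above (separate filesystems for writable locations, plus a quota or size limit on each) can be audited against a mount table in /proc/mounts format. The following POSIX sh script is an example added here, not part of the Gentoo Security Handbook or of any Gentoo tooling; the list of paths it checks and the constructed sample mount table are assumptions for illustration. It reports, for each writable location, whether it is a separate mount and whether a tmpfs size= option or an ext4/xfs quota mount option is present.

```shell
#!/bin/sh
# Audit a /proc/mounts-style table for writable locations that should live on
# their own filesystem with a usage limit. Example, not Gentoo project code.
# Mount table format: "device mountpoint fstype options dump pass".

# Paths that users or services can write to (assumption for this example).
WRITABLE_PATHS="/home /tmp /var/tmp /var/log"

# mount_audit MOUNTS_FILE
# Prints one line per path: "<path> <separate|shared> <fstype|-> <quota|size-limit|no-limit>"
mount_audit() {
    mounts_file=$1
    for p in $WRITABLE_PATHS; do
        # Exact match on the mountpoint field; no entry means the path shares
        # whatever filesystem its parent directory is on.
        line=$(awk -v mp="$p" '$2 == mp { print; exit }' "$mounts_file")
        if [ -z "$line" ]; then
            echo "$p shared - no-limit"
            continue
        fi
        fstype=$(echo "$line" | awk '{ print $3 }')
        opts=$(echo "$line" | awk '{ print $4 }')
        # Wrap the option list in commas so each pattern matches a whole option.
        case ",$opts," in
            *,size=*)                                        limit="size-limit" ;;
            *,usrquota,*|*,grpquota,*|*,prjquota,*|*,quota,*) limit="quota" ;;
            *)                                               limit="no-limit" ;;
        esac
        echo "$p separate $fstype $limit"
    done
}

# mount_audit_issues MOUNTS_FILE
# Prints the number of paths that are shared or have no usage limit.
mount_audit_issues() {
    mount_audit "$1" | awk '!/ separate [^ ]+ (quota|size-limit)$/ { n++ } END { print n + 0 }'
}

# write_sample_mounts FILE
# Writes a constructed mount table (not captured from a real host) to FILE.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,usrquota 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,size=2097152k 0 0
/dev/sda4 /var/log ext4 rw,nosuid,nodev,noexec 0 0
EOF
}

# Stand-alone demonstration against the constructed table. On a live host,
# run: mount_audit /proc/mounts
sample=$(mktemp)
write_sample_mounts "$sample"
mount_audit "$sample"
echo "issues: $(mount_audit_issues "$sample")"
rm -f "$sample"
```

In the constructed table /var/tmp has no mount of its own and /var/log is separate but unlimited, so the audit reports two issues; the quota options are only honoured if the filesystem was actually created or remounted with quota support, which the mount table alone does not prove.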

Disk Encryption

Disk encryption is the process of protecting data on a storage device by scrambling it so that it cannot be read without the correct decryption key. This is often used to protect data on laptops and other mobile devices, but can also be used to protect data on servers and workstations. Disk encryption is not a replacement for other security controls, but can be used to mitigate the risk of data being accessed by an unauthorised party if the physical disk is stolen.

Category             | Subcategory | Control                                                    | Maturity
---------------------+-------------+------------------------------------------------------------+---------
System Configuration | Storage     | Disk encryption should be implemented to protect data at rest | 0

LUKS (Linux Unified Key Setup) is a popular disk encryption method that is supported by most Linux distributions. LUKS uses a combination of encryption algorithms and key management tools to provide strong data protection.

Modern systems implement some form of hardware-backed cryptographic acceleration (such as AES[1]) which can be leveraged to reduce the performance impact of disk encryption.
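Whether that acceleration is actually available on a given host can be checked before choosing a cipher for LUKS: the CPU must advertise the aes flag, and the kernel must have registered an accelerated AES driver (on x86 these show up in /proc/crypto with driver names containing aesni). The following POSIX sh functions are an example added here, not Gentoo project code; they default to the real /proc files but accept alternative paths so they can be exercised against constructed samples.

```shell
#!/bin/sh
# Check for hardware AES acceleration before configuring disk encryption.
# Example added here, not from the Gentoo Security Handbook.

# cpu_has_aes_flag [CPUINFO_FILE]
# Exit 0 if the first "flags" line in the cpuinfo file lists the "aes" token.
cpu_has_aes_flag() {
    f=${1:-/proc/cpuinfo}
    grep -E '^flags[[:space:]]*:' "$f" | head -n 1 | grep -qw 'aes'
}

# kernel_has_aesni_driver [CRYPTO_FILE]
# Exit 0 if the kernel has registered an AES-NI backed driver (e.g. xts-aes-aesni).
kernel_has_aesni_driver() {
    f=${1:-/proc/crypto}
    grep -qE '^driver[[:space:]]*:.*aesni' "$f"
}

# disk_crypto_accel_status [CPUINFO_FILE] [CRYPTO_FILE]
# Prints one of: no-hw-aes, hw-aes-driver-missing, hw-aes-ready.
disk_crypto_accel_status() {
    if ! cpu_has_aes_flag "$1"; then
        echo "no-hw-aes"
        return 1
    fi
    if ! kernel_has_aesni_driver "$2"; then
        # CPU supports it but the kernel module is not built in or loaded.
        echo "hw-aes-driver-missing"
        return 1
    fi
    echo "hw-aes-ready"
}

# write_sample_procfiles CPUINFO_FILE CRYPTO_FILE
# Writes constructed (not captured) samples resembling the real /proc files.
write_sample_procfiles() {
    cat > "$1" <<'EOF'
processor	: 0
model name	: Example CPU (constructed sample)
flags		: fpu vme de pse tsc msr pae sse sse2 ssse3 sse4_1 sse4_2 aes xsave avx
EOF
    cat > "$2" <<'EOF'
name         : xts(aes)
driver       : xts-aes-aesni
module       : aesni_intel
priority     : 401
EOF
}

# Stand-alone demonstration: first the constructed samples, then the live host.
ci=$(mktemp); cr=$(mktemp)
write_sample_procfiles "$ci" "$cr"
echo "sample: $(disk_crypto_accel_status "$ci" "$cr" || true)"
rm -f "$ci" "$cr"
if [ -r /proc/cpuinfo ] && [ -r /proc/crypto ]; then
    echo "this host: $(disk_crypto_accel_status || true)"
fi
```

Note that /proc/crypto only lists drivers that have been registered, so on a host whose aesni_intel module has not yet been loaded the check reports hw-aes-driver-missing until the module is loaded; once it reports hw-aes-ready, cryptsetup benchmark gives the actual throughput of the candidate ciphers.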

There are a number of reasons that disk encryption should be considered:

  • Data protection: Disk encryption can help to protect data from unauthorised access, such as in the case of a lost or stolen device.
  • Compliance: Disk encryption can help organisations to comply with data security regulations, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA).
  • Ease of use: Disk encryption tools are becoming increasingly easy to use, making it possible for even non-technical users to protect their data.