Linux Hardening

SecPro #24: Explainer on Linux Hardening, Cloud Pentesting Compliance

In today’s issue:

  • Cloud Pentesting and Staying on the Right Side of the Law
  • SecPro Explainer: Linux Security and Hardening
  • Events & Recordings
  • Recent Security Issues
  • Secret Knowledge: Building Your Security Arsenal
  • The SecPro Quiz

Cloud Security & Compliance

Cloud Pentesting and Staying on the Right Side of the Law

By Tigran Avetisyan

TL;DR:

Cloud penetration testing has to comply with both the law and the policies of the cloud platform you are testing on. To stay out of legal trouble, pentesters should:

  • Obtain permission for pentesting from their customers and cloud providers.
  • Have a clear penetration testing scope in order not to accidentally miss critical system components or affect the resources of third parties.
  • Follow the pentesting policies of cloud service providers.

Penetration testing pursues a noble goal – testing your cyber defenses against possible and likely attacks. But even though pentesting isn’t malicious in nature, it entails quite a few legal and compliance questions. This is especially true for public cloud environments where we don’t have exclusive access to compute and storage resources.

When it comes to penetration testing, compliance is a complex subject and likely requires the assistance of a lawyer. However, we can still introduce you to some of the top legal aspects of cloud pentesting to let you know what to expect!

The Top 3 Legal Aspects of Cloud Penetration Testing

Authorization to Pentest

Authorization is the single most important legal aspect of cloud penetration testing. Cybercrime laws generally treat unauthorized access to computer systems as a criminal offense, so testing without the permission of every affected party can expose the pentester to prosecution and civil claims.

You therefore need written authorization from your customer before you start. When the target runs in a third-party cloud environment, you also have to satisfy the cloud provider: some providers require notification or approval for certain kinds of tests, others only require that you stay within their published policies, and all of them require that the resources you test are the customer's own.

Scope of Pentesting

It’s critical that you have a clear scope for your penetration tests. A well-defined scope outlines not only what SHOULD but also what SHOULD NOT be tested.

Formulating a scope is particularly tricky in cloud environments because a public cloud is shared by thousands of tenants. Accurate scoping ensures that you:

  • Cover every system component that should be tested. An incomplete test leaves gaps an attacker can use, and if a breach follows a superficial pentest, the client may pursue legal action against you.
  • Do not accidentally touch resources belonging to other cloud tenants. Damaging third-party assets can lead to lawsuits from those parties and from the cloud provider, whose policies specifically prohibit testing other customers' resources.

Cloud Service Provider Policies and Requirements

If you are intending to carry out penetration tests in a public cloud environment (like Microsoft Azure or Google Cloud Platform), you must be mindful of the policies and requirements of the cloud service provider.

Because cloud resources are shared between numerous customers, penetration tests can potentially harm other users’ experiences or hinder their access to the systems they are paying for. To protect their own business interests, cloud service providers often have certain procedures and rules that define things like:

  • Services that may be scanned or tested.
  • What kind of tests may be performed.
  • Whether or not advance notice is required before pentesting.

Aside from policies specifically pertaining to penetration testing, you must also stay compliant with the providers’ general terms of service.

To give you an idea of what to expect, here are some details from the policies of AWS, Microsoft Cloud, and Google Cloud Platform.

Google Cloud Platform Pentesting Policy

Google does not publish a separate penetration testing policy, and you do not need to contact Google before testing your own GCP projects. You do, however, need to stay compliant with the GCP Terms of Service and Acceptable Use Policy.

The Acceptable Use Policy in particular has a few clauses specifying that cloud users must not interfere with the access of other GCP customers to the service, distribute malicious files, or perform fraudulent activities.

Amazon Web Services Pentesting Policy

Customers may carry out penetration tests against these eight services without prior approval:

  • Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers.
  • Amazon RDS.
  • Amazon CloudFront.
  • Amazon Aurora.
  • Amazon API Gateways.
  • AWS Lambda and Lambda Edge Functions.
  • Amazon Lightsail resources.
  • Amazon Elastic Beanstalk environments.

At the same time, AWS prohibits activities like:

  • Port flooding.
  • Protocol flooding.
  • Request flooding.
  • DoS, DDoS, simulated DoS, and simulated DDoS attacks. (DDoS simulation testing is permitted on AWS, but only under its own separate terms and conditions.)
  • DNS zone walking through Amazon Route 53 Hosted Zones.
  • Security assessments of AWS infrastructure or AWS services themselves.

Microsoft Cloud Pentesting Policy

Microsoft allows pentesting across the following eight Microsoft products:

  • Azure Active Directory.
  • Microsoft Intune.
  • Microsoft Azure.
  • Microsoft Dynamics 365.
  • Microsoft Power Platform.
  • Microsoft Account.
  • Office 365.
  • Azure DevOps.

As for prohibited activities, they include:

  • Testing or scanning assets of any other Microsoft Cloud customers.
  • Accessing data that the pentester doesn’t fully own.
  • DoS or DDoS testing.
  • Automated testing that generates significant traffic.
  • Attempting social engineering attacks against Microsoft employees.
Linux Security


SecPro Explainer: Linux Security and Hardening

By Merlyn Shelley

A Linux system is assembled from a large number of components (the kernel, system services, libraries, and applications), each designed to be as capable as possible. That also means there are many loose ends to take care of from a security standpoint: as the system gets more complex, the security measures needed to cover it become more complex too.

Collectively these components form the system's attack surface, and a larger surface means more ways in. Each component carries its own privileges and configuration, so once one of them is compromised, the intruder can use it as a foothold to move deeper into the system.

Before implementing hardening measures, we first need to scan and audit the system to find the weaknesses that are exposed to attack. So let's look at how to scan and audit complex Linux systems.

Linux Hardening: Auditing Vulnerabilities across Linux Systems

Vulnerabilities mostly arise when standards are not met during development: weak default configurations, and bugs in the code that were never properly fixed. Even when every programming error we know of has been reviewed, we cannot call a system 100% secure. Only by operating the system do we learn which parts of the code need improvement and which components are the weakest. That is why systems need to be scanned and audited regularly, to catch newly emerging vulnerabilities.

Conducting Linux Security Audit with Lynis

One battle-tested tool for auditing Linux systems is Lynis. It is free and open source, and flexible enough to serve several purposes: security auditing, compliance testing (for example PCI DSS, HIPAA, SOX), penetration testing, vulnerability detection, and system hardening.

Lynis is a shell script with almost no dependencies, and its scan adapts to the operating system and the software it finds. For instance, if Apache is installed it runs the tests related to Apache, and if that Apache configuration uses SSL/TLS it runs additional tests tailored to that.

You can download Lynis from https://cisofy.com/downloads/lynis/.

The best part of using Lynis is that you don't need to install anything else to run an audit. It works on any Linux or Unix-like operating system, including macOS. You just extract the archive and run the script from the extracted directory (substitute the version you downloaded):

tar xzvf lynis-2.7.5.tar.gz

cd lynis

sudo ./lynis -h

To run a full audit, execute the following command from the same directory:

sudo ./lynis audit system

The output is organised by test section, and the run ends with a summary of the warnings and suggestions found, together with a hardening index for the system. Each finding carries a test ID (for example SSH-7408), and the following command explains what that test checked and how to fix it:

sudo ./lynis show details SSH-7408

The full log is written to /var/log/lynis.log, and a machine-readable summary of the results goes to /var/log/lynis-report.dat.


Lynis also comes with an enterprise version that adds compliance scanning and more. You can find their pricing options here.
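As an added example (not part of the article or of the Lynis project), the POSIX shell script below turns the machine-readable report into a short summary that can gate an image build or deployment. It relies on the layout of /var/log/lynis-report.dat as Lynis writes it: one key=value per line, with findings as warning[]= and suggestion[]= entries whose value is pipe-separated and starts with the test ID and the message. The sample report embedded in the script is constructed for the demo, not real Lynis output.

```shell
#!/bin/sh
# Added example (not from the article or the Lynis project): summarise a
# Lynis report. Lynis writes /var/log/lynis-report.dat as key=value lines;
# findings are "warning[]=" and "suggestion[]=" entries whose value is
# pipe-separated, beginning with the test ID and the message.

# Hardening index (0-100) recorded in the report.
lynis_hardening_index() {
  sed -n 's/^hardening_index=//p' "$1"
}

# Number of findings of one kind: "warning" or "suggestion".
lynis_count() {
  grep -c "^$2\[]=" "$1" || true
}

# Findings of one kind, one per line, as "TEST-ID  message".
lynis_list() {
  grep "^$2\[]=" "$1" | cut -d= -f2- | awk -F'|' '{ printf "  %-10s %s\n", $1, $2 }'
}

# Print a summary; exit non-zero when warnings are present so the function
# can gate an image build or deployment step.
lynis_summary() {
  printf 'Hardening index: %s\n' "$(lynis_hardening_index "$1")"
  printf 'Warnings (%s):\n' "$(lynis_count "$1" warning)"
  lynis_list "$1" warning
  printf 'Suggestions (%s):\n' "$(lynis_count "$1" suggestion)"
  lynis_list "$1" suggestion
  [ "$(lynis_count "$1" warning)" -eq 0 ]
}

# Constructed sample in the report format (not real Lynis output), so the
# script can be exercised offline.
lynis_sample_report() {
  cat > "$1" <<'EOF'
lynis_version=2.7.5
hardening_index=64
warning[]=BOOT-5122|No password set on the GRUB boot loader|-|-|
warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
EOF
}

# Usage after an audit:  lynis_summary /var/log/lynis-report.dat
# Offline walk-through:  sh lynis-summary.sh demo
if [ "${1:-}" = "demo" ]; then
  f=$(mktemp)
  lynis_sample_report "$f"
  lynis_summary "$f" || echo "warnings present: fix them before the image ships"
  rm -f "$f"
fi
```

Run the audit first (sudo ./lynis audit system), then call lynis_summary on the report file; the non-zero exit on warnings is what makes it usable as a CI gate, while suggestions are printed but do not fail the step.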

Now let’s move on to reducing these vulnerabilities.

How to Mitigate Vulnerabilities in Linux Systems?

We have now discovered the vulnerabilities found in our system, so let’s look at ways to reduce or prevent them from posing a greater threat to our entire infrastructure.

Filtering Traffic with a Firewall

When hardening Linux servers in cloud infrastructure, network traffic must be a priority. Always filter traffic that has no business reaching your systems.

Ingress filtering restricts incoming traffic. A common case is a packet arriving on the public interface whose source address claims to be from your local network: it cannot legitimately have come from the internet, so it should be dropped. Filtering such traffic defeats address-spoofing attacks.

Egress filtering limits outgoing traffic. To do it well you need to know exactly which protocols your infrastructure uses. The most common ones on a server are:

  • HTTP and HTTPS to retrieve updates (port 80/443, TCP, sometimes UDP)

  • DNS traffic to resolve names and IP addresses (port 53, UDP and TCP)

  • Time synchronization (port 123, UDP)

  • Outgoing email (port 25, TCP)

Filtering outgoing traffic is a strong defense against an attacker who has already gained a foothold: it stops them from downloading additional malware or tooling and from calling home. Log the packets you drop and review the log; an unexpected outbound connection attempt is a strong indicator of compromise.

Services that should not be publicly reachable (a local database, an admin interface) should listen only on the loopback interface. The command "ip addr show lo" shows the loopback interface, and "ss -tlnp" lists listening TCP sockets together with the address each one is bound to, so you can spot services that are exposed on 0.0.0.0 by mistake.
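As an added example (not from the article), the script below puts the ingress and egress ideas together for a single-homed cloud host using nftables: anti-spoofing on the public interface, a default-deny egress chain that allows only the protocols listed above, and the loopback interface left open. The interface name eth0, the SSH port, the DHCP and ICMPv6 allowances, and the MSS rule for unpatched kernels are assumptions to adjust for your environment; the script only generates the ruleset, and loads it only when explicitly asked to.

```shell
#!/bin/sh
# Added example, not code from the article: generate (and optionally load) an
# nftables ruleset for a single-homed cloud host. Assumptions: the public
# interface is eth0, SSH is the only inbound service, the instance gets its
# address via DHCP. Override WAN / SSH_PORT in the environment as needed.
WAN=${WAN:-eth0}
SSH_PORT=${SSH_PORT:-22}

gen_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # Ingress filtering: traffic from the internet must never carry a private
    # or loopback source address; such packets are spoofed.
    iif "$WAN" ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 } drop
    # Drop initial SYNs that advertise a tiny MSS (workaround for the
    # SACK Panic DoS, CVE-2019-11477, on kernels that are not yet patched).
    tcp flags & (syn|ack) == syn tcp option maxseg size 1-500 drop
    # DHCP offers/acks for the instance's own lease.
    udp sport 67 udp dport 68 accept
    tcp dport $SSH_PORT ct state new accept
    icmp type echo-request limit rate 5/second accept
    icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    ct state established,related accept
    # Egress allow-list: DNS, NTP, updates over HTTP(S), outgoing mail, DHCP.
    udp dport 53 accept
    tcp dport 53 accept
    udp dport 123 accept
    tcp dport { 80, 443 } accept
    udp dport 443 accept
    tcp dport 25 accept
    udp sport 68 udp dport 67 accept
    ip protocol icmp accept
    icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept
    # Everything else is logged before being dropped: an unexpected outbound
    # attempt is a strong indicator of compromise.
    log prefix "egress-drop: " drop
  }
}
EOF
}

# Self-check that the generated ruleset is default-deny in both directions:
# returns the number of chains whose policy is drop (expected: 2).
default_deny_chains() {
  gen_ruleset | grep -c 'policy drop;'
}

# Usage: sh firewall.sh            (prints the ruleset for review)
#        sudo sh firewall.sh apply (syntax-checks it against the installed
#                                   nft, then loads it)
case "${1:-}" in
  apply)
    tmp=$(mktemp)
    gen_ruleset > "$tmp"
    nft -c -f "$tmp" && nft -f "$tmp"
    rm -f "$tmp" ;;
  *) gen_ruleset ;;
esac
```

Always run the syntax check (nft -c -f) against the version of nftables actually installed before loading, and apply a ruleset like this from a console session or with a scheduled rollback, since a mistake in the input chain locks you out of SSH. Watch the "egress-drop:" log lines for a few days after enabling it: anything legitimate you forgot (a monitoring agent, a package mirror on a non-standard port) shows up there.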

Limiting the Installations

One of the best ways to secure a system is not to install software you don't need, sometimes called a "minimal installation": every package you don't install is a package you don't have to patch. Apply the same principle to accounts: give users only the access their role requires (role-based access control) and remove accounts that no longer belong on the system.

Conducting Code Audit 

A code audit checks whether your software contains mistakes such as undeclared variables or unexpected logic. Linting tools catch many of these errors automatically, so run them over the source code as part of every build rather than only before a release.

Regularly Updating Installed Software

It is wise to update all installed packages periodically. More importantly, when a security update becomes available, apply it immediately; that closes the vulnerable points in your system before they can be exploited.

Linux Hardening: Fixing the Most Common Vulnerabilities and Exposure (CVE) 

The risk posed by a vulnerability is determined by three factors: existence (the weakness is present in the software you run), access (an attacker can reach the vulnerable code), and exploitation (what the attacker gains, or what you lose, when it is exploited successfully).

One of the best-known Linux kernel vulnerabilities of recent years is:

1. DoS – Denial of Service – CVE-2019-11477

Known as "SACK Panic", this flaw in the kernel's TCP stack affects kernels from 2.6.29 onward. When a peer acknowledges data selectively (TCP selective acknowledgment, SACK), the kernel coalesces the acknowledged fragments into larger buffers. The number of segments held in a buffer is kept in a 16-bit field; a remote peer that negotiates the kernel's minimum MSS of 48 bytes and then sends crafted SACKs can push that count past 65,535, overflowing the field and triggering a kernel BUG_ON, which panics the machine. No authentication is needed, so any reachable TCP service can be used to crash the host. The fix is a kernel update; where that is not immediately possible, disabling SACK processing (net.ipv4.tcp_sack = 0) or dropping connections that advertise a tiny MSS are the documented workarounds.
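As an added example (not part of the article), the shell functions below check a kernel version string against the fixed stable releases listed in the public advisory for CVE-2019-11477 (4.4.182, 4.9.182, 4.14.127, 4.19.52 and 5.1.11, with 5.2 and later unaffected), report whether SACK processing is enabled, and apply the sysctl workaround. The version check is only meaningful for mainline/stable kernels: distribution kernels backport fixes under older version numbers, so for a series not in the table the function reports "unknown" and you should consult the distribution's security advisory or package changelog instead. The file name under /etc/sysctl.d is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): check exposure to SACK Panic
# (CVE-2019-11477) and apply the sysctl workaround. Fixed stable releases
# are those listed in the public advisory; distribution kernels backport the
# fix under older version numbers, so for those use the package changelog.

SACK_PANIC_FIXED="4.4.182 4.9.182 4.14.127 4.19.52 5.1.11"

# kernel_sack_panic_status VERSION -> prints "fixed", "vulnerable" or "unknown"
# Accepts uname -r style strings such as "4.19.51-generic".
kernel_sack_panic_status() {
  v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # "4.19.51-generic" -> "4.19.51"
  case "$v" in
    *[0-9].[0-9]*) ;;
    *) echo unknown; return 0 ;;
  esac
  maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}
  pat=$(printf '%s' "$v" | cut -d. -f3); pat=${pat:-0}
  # Every mainline release from 5.2 onward carries the fix.
  if [ "$maj" -gt 5 ] || { [ "$maj" -eq 5 ] && [ "$min" -ge 2 ]; }; then
    echo fixed; return 0
  fi
  for f in $SACK_PANIC_FIXED; do
    fmaj=${f%%.*}; frest=${f#*.}; fmin=${frest%%.*}; fpat=${frest#*.}
    if [ "$maj" -eq "$fmaj" ] && [ "$min" -eq "$fmin" ]; then
      if [ "$pat" -ge "$fpat" ]; then echo fixed; else echo vulnerable; fi
      return 0
    fi
  done
  echo unknown   # series not in the advisory table: verify via distro changelog
}

# tcp_sack_enabled [PATH] -> exit 0 when SACK processing is on.
# PATH defaults to the live sysctl file; a different path is handy for tests.
tcp_sack_enabled() {
  f=${1:-/proc/sys/net/ipv4/tcp_sack}
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Workaround for hosts that cannot be rebooted onto a fixed kernel right away:
# turn SACK processing off (costs some throughput on lossy links) and make it
# persistent. Root required. The drop-in file name is an assumption.
sack_panic_mitigate() {
  sysctl -w net.ipv4.tcp_sack=0
  printf 'net.ipv4.tcp_sack = 0\n' > /etc/sysctl.d/99-sack-panic.conf
}

# Usage: sh sack-check.sh check
if [ "${1:-}" = "check" ]; then
  k=$(uname -r)
  printf 'kernel %s: %s\n' "$k" "$(kernel_sack_panic_status "$k")"
  if tcp_sack_enabled; then
    echo "net.ipv4.tcp_sack=1 (SACK processing on)"
  else
    echo "net.ipv4.tcp_sack=0 or not readable"
  fi
fi
```

Treat "vulnerable" from the version check as a prompt to patch, and "unknown" as a prompt to look up the distribution advisory; only apply sack_panic_mitigate as a stopgap, and remove the drop-in once the host runs a fixed kernel, since disabling SACK hurts TCP performance on links that lose packets.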

Continue Reading here…

Events & Recordings 


At the Code Blue 2021 OpenTalks, Hiroki Suezawa discussed why CI/CD pipeline security matters, relevant public breaches, an ATT&CK-like matrix focused on CI/CD pipeline-specific risk, attack scenarios, and how to defend.

#OBTS or Objective by the Sea v4.0, the world’s only macOS security conference, brought together the world’s top macOS security researchers and passionate mac users. All recordings here.

fwd:cloudsec 2021: Discussions about all the major cloud platforms, both attack and defense research, limitations of security features, the pros and cons of different security strategies, and generally the types of things cloud practitioners want to know. All recordings here.

Recent Security Issues

  • MITRE released ATT&CK v10 last week. The newest version of the framework includes a new set of Data Source and Data Component objects in Enterprise ATT&CK, complementing the ATT&CK Data Source name changes released in ATT&CK v9. Read more.

Data Source STIX Model

  • According to the FBI's latest report, the operators of Ranzy Locker ransomware have compromised at least 30 US companies this year across various industries, mostly by brute-forcing Remote Desktop Protocol (RDP) credentials. The FBI and CISA have published technical details and indicators of compromise to help defenders protect their systems against this ransomware. You can find them here.
  • A high-severity flaw has been found in Hashthemes Demo Importer, a WordPress plugin with more than 8,000 active installations. The vulnerability lets any authenticated user, subscribers included, reset a vulnerable site, "permanently deleting nearly all database content as well as all uploaded media."

Secret Knowledge: Building Your Security Arsenal

Discover useful security resources, cheatsheets, hacks, and open-source CLI/web tools.

Offensive Security 🛑

milabs/awesome-linux-rootkits – Repo with links to source code of 10s of Linux rootkits, both user mode and kernel mode.
qiling – An advanced binary emulation framework. You can build your own dynamic analysis tools on top of it in Python, perform dynamic instrumentation, and more.
Raccoon – A high-performance offensive security tool for reconnaissance and vulnerability scanning.
WhatWaf – Detect & bypass web application firewalls and protection systems.
Recon-ng – A full-featured Web Reconnaissance framework written in Python.
Sn1per – An automated pentest framework for offensive security experts.

Container Security 🔃

trivy – Vulnerability scanner for containers, suitable for CI.
kong – Cloud-native API Gateway.
nginx-proxy – Automated Nginx proxy for Docker containers using docker-gen.
rancher – Complete container management platform.

The SecPro Quiz 🤔

1.Which of these utilities would you use to fix an incorrect SELinux security context?

A. chattr
B. chcontext
C. restorecon
D. setsebool

2.Which file does the auditd service use to log auditing events?

A. /var/log/messages
B. /var/log/syslog
C. /var/log/auditd/audit
D. /var/log/audit/audit.log

3.Which of the following would you use as a general-purpose, external vulnerability scanner?

A. OpenVAS
B. Nikto
C. OpenSCAP
D. Lynis

*Answers are at the bottom of this page.

Quiz Answers:

1- C; 2-D; 3-A

The SecPro is a weekly security newsletter to help you stay sharp and upgrade your skills with trending threat insights, practical tutorials, hands-on labs, and useful resources. Build skills in as little as 10 minutes.

Stay up to date with the latest threats

Our newsletter is packed with analysis of trending threats and attacks, practical tutorials, hands-on labs, and actionable content. No spam. No jibber jabber.