LibreOffice Conf. Asia
UbuCon Asia 2023
Surakarta | October 8th, 2023
UBUNTU SECURITY BEST PRACTICE
LEARN HOW TO IMPLEMENT SECURITY ON LINUX
Yusuf Hadiwinata Sutandar
yusuf@biznetgio.com https://www.biznetgio.com
https://louca.id
Yusuf Hadiwinata S.
Vice President Operation & Services – PT Biznet Gio Nusantara
Linux Geek, Opensource Enthusiast, Security Hobbies
RHCT, RHCSAv5-v7, RHCEv5-v7, RHCVA, RHCI, RHCX, RHCSA-RHOS, RHCJA, CEI, CEH, CHFI, CND, EDRP, CCNA, MCTCNA, Security+, Network+, VCA, vExpert 2017-2018
Disclaimer: All the information on this slide has passed Legal & Compliance review at PT Biznet GIO Nusantara, or the resources are publicly accessible on the Internet
• CYBER SECURITY 101: An introduction to the cyber security perimeter in general
• LINUX SECURITY: Learn more about security principles on the Linux operating system
• HARDENING: Deep dive into security implementation on the Ubuntu operating system
• Q & A: Ask a question and win merchandise from Biznet Gio
CYBER SECURITY 101
1. Human Layer: Training
2. Perimeter: Firewalls, Spamfilters, Intrusion Detection / Prevention
3. Network: Secure Design & Topology, VLANs, Multi-Layer Firewalls/Switches
4. Endpoint: Anti-virus, Software Firewalls, Breach Detection Agents
5. Application: Patching, Updates
6. Data: Encryption at rest and in motion
7. Mission Critical: Backups, Response and Recovery Plans
1. Human Layer: Training
Security awareness training is a strategy used by IT and
security professionals to prevent and mitigate user risk.
These programs are designed to help users and employees
understand the role they play in helping to combat
information security breaches.
Ex: Certified Secure Computer User (CSCU)
2. Perimeter: Firewalls, Spamfilter, Intrusion Detection/Prevention, WAF, etc
The perimeter layer stops most attackers.
It stops the spam, the petty thief, and the automatic
scanning tools run by anonymous curious cats.
[Diagram: DDoS Protection, WAF Protection, IDS/IPS, Linux Protection, Security Operation Center]
LINUX SECURITY
Know your system(s)
The first principle is about knowing what your
system is supposed to do.
What is its primary role, what software
packages does it need and who needs access?
Security Measures:
• Password policy
• Proper software patch management
• Configuration management
• Documentation
LINUX SECURITY
Least Amount of Privilege
Each process running, or package installed, might
become a target. Security professionals call this
the “attack surface”.
What you want is to minimize this attack surface
by removing unneeded components, limiting access
and using a “deny unless” strategy by default.
Security Measures:
• Use minimal/basic installation
• Only allow access to people who really need it
LINUX SECURITY
Perform Defense in Depth
Protect the system by applying several layers of
security. This principle is named “defense in depth”
and can be compared with an onion: to get to the
core, you have to peel off layer by layer.
If one defense is broken, the remaining layers can still
protect us against full compromise.
Security Measures:
• IPtables / Nftables
• Hardening of software components
LINUX SECURITY
Protection is Key, Detection is a Must
Security focuses on the protection of assets. While this
is a primary objective, we should consider that one day
our defenses will be broken.
Therefore we want to know this as soon as possible, so
we can act properly. This is where principles 3 and 4
are linked. Set up proper detection methods, similar
to the trip wires used by the military.
Security Measures:
• Linux audit framework
• Remote Logging
• Create backups and test them
LINUX SECURITY
Know your Enemy
You can only protect a system the right way
if you know what threats you are facing.
Why would this system be a target and who
would be targeting it?
Perform a risk analysis and determine what
potential threats your system might endure.
CIS HARDENING
CIS compliance with Ubuntu Pro Plan
Ubuntu contains native tooling to automate compliance and auditing with
the Center for Internet Security (CIS) benchmarks.
The Center for Internet Security (CIS), develops the CIS benchmark
documents for Ubuntu LTS releases. As these documents contain a large
number of hardening rules, compliance and auditing can be very efficient
when using the Ubuntu native tooling that is available to subscribers
of Ubuntu Pro.
With Ubuntu 20.04 we introduce the Ubuntu Security Guide (USG), an
easy-to-use tool for compliance and auditing that replaces our older tooling.
See the following sections for more information.
https://ubuntu.com/security/certifications/docs/usg/cis
https://ubuntu.com/security/certifications/docs/usg/cis/compliance
https://github.com/francsw/ubuntu2204_cis
CIS HARDENING
Use Cloud Provider CIS Image
Many cloud providers, like Biznet Gio Cloud, provide
CIS Hardened images; this is the easy way to use a
secure image in a cloud environment.
CIS HARDENING
CIS Ubuntu Linux 22.04 LTS Benchmark
CIS Benchmarks focus on technical configuration settings used to maintain
and/or increase the security of the addressed technology, and they should
be used in conjunction with other essential cyber hygiene tasks like:
• Monitoring the base operating system for vulnerabilities and quickly
updating with the latest security patches
• Monitoring applications and libraries for vulnerabilities and quickly updating
with the latest security patches
The CIS Benchmarks are designed as a key component of
a comprehensive cybersecurity program.
CIS HARDENING
CIS Ubuntu Linux 22.04 LTS Benchmark
Initial Setup
Items in this section are advised for all systems, but
may be difficult or require extensive preparation after
the initial setup of the system
Services
While applying system updates and patches helps correct
known vulnerabilities, one of the best ways to protect
the system against as yet unreported vulnerabilities is to
disable all services that are not required for normal
system operation
CIS HARDENING
CIS Ubuntu Linux 22.04 LTS Benchmark
Networking Configuration
This section provides guidance for securing the
network configuration of the system through kernel
parameters, access list control, and firewall settings
Access Authentication and Authorization
System Maintenance
Recommendations in this section are intended as
maintenance and are intended to be checked on a
frequent basis to ensure system stability
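The Networking Configuration section above secures the system through kernel parameters. As an added example that is not part of the original slides or of the CIS tooling, this script checks `sysctl -a` style output against a small baseline. The eight keys are real sysctl settings, but their selection, the function names `audit_sysctl` and `sample_sysctl`, and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit network kernel parameters against a baseline.
# The baseline below is an illustrative selection (assumption), not the
# full list of settings from any benchmark document.
BASELINE='net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1'

# Constructed sample in `sysctl -a` format (not captured from a real host).
# ip_forward is deliberately wrong and log_martians is deliberately absent.
sample_sysctl() {
    cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
EOF
}

# audit_sysctl FILE
# FILE holds lines in `sysctl -a` format ("key = value").
# Prints one PASS / FAIL / MISSING line per baseline key and returns the
# number of keys that do not meet the baseline (0 means compliant).
audit_sysctl() {
    file=$1
    bad=0
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        # Exact key match; take the first occurrence only.
        got=$(awk -F' *= *' -v k="$key" '$1 == k { print $2; exit }' "$file")
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want)"
            bad=$((bad + 1))
        elif [ "$got" = "$want" ]; then
            echo "PASS    $key = $got"
        else
            echo "FAIL    $key = $got (want $want)"
            bad=$((bad + 1))
        fi
    done <<EOF
$BASELINE
EOF
    return "$bad"
}

# Demo run on the constructed sample.
# On a real host, replace the next line's input with: sysctl -a 2>/dev/null
tmp=$(mktemp)
sample_sysctl > "$tmp"
audit_sysctl "$tmp" || echo "$? setting(s) differ from the baseline"
rm -f "$tmp"
```

A MISSING result matters as much as a FAIL: a key that a scan cannot read should not be counted as compliant.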
CIS HARDENING
CIS-CAT Lite (free version)
CIS-CAT Lite is the free assessment tool developed by the CIS
(Center for Internet Security, Inc.).
CIS-CAT Lite helps users implement secure configurations for multiple
technologies, with unlimited scans available.
With CIS-CAT Lite, we can easily:
• Instantly check your systems against CIS Benchmarks.
• Receive a compliance score 1-100.
• Follow remediation steps to improve your security.
CIS HARDENING
CIS-CAT Lite (free version)
CIS Ubuntu Linux 20.04 LTS Benchmark v2.0.1
• Level 1 - Server
• Wednesday, October 4 2023 21:57:14
• Assessment Duration: 1 minute, 4 seconds
yhs-cis-ubuntu-CIS_Ubuntu_Linux_20.04_LTS_Benchmark-20231004T215819Z.html
Summary :
CIS HARDENING DOC
CIS Ubuntu Linux 22.04 LTS Ben
UBUNTU HARDENING
Question?
Let's discuss and Win
Merchandise or Voucher
Neocloud
Thanks to Our Sponsors
