Linux OS
A Cybersecurity Analyst is expected to effectively analyze the operating systems of an organization. In this article, we'll discuss the Linux OS.
What we’ll be learning
Most organizations today use more than ten different computer systems in their network infrastructure! Whether it’s a client, a server, or a mobile device, computer systems require operating systems (OS) to function. There are many different OSs a Cybersecurity Analyst may encounter, and it’s beneficial to be familiar with the common ones.
After this article, you will:
- Understand OSs.
- Explain the OS and its fundamental architecture.
- Understand the Linux OS.
- Understand the Windows client and server OSs.
- Clearly distinguish the differences between Linux, Windows, and other OSs.
- Explain hypervisors and virtualization.
- Explain how mobile device OSs differ from other OSs.
- Understand OS hardening practices for many OSs.
- Clearly identify different file systems.
- Understand cloud computing’s relationship to OS security.
- Understand BYOD practices and their security implications.
What is an OS?
A computer’s architecture is all the parts required for a computer system to function. Computer architecture refers to the interrelationship between the hardware of the system (RAM, chipsets, hard disk drives, CPU, logic busses, etc.) and the software, specifically the OS. A computer’s hardware architecture must align with the OS architecture for a computer to work. The major components and terms of computer architecture that the cybersecurity analyst may want to learn more about are:
- The Central Processing Unit (CPU)
- Memory Management
- Random Access Memory (RAM)
- Read-Only Memory (ROM)
- Cache Memory
- Virtual Memory
Just like the parts of a car engine, the hardware and software that come in stock in a computer may be uninstalled and replaced with alternative components. For example, a Seagate hard disk drive that comes installed on a laptop may be easily replaced by a Samsung solid-state drive.
An OS also has many different options, but what exactly is an OS?
The OS creates the environment where users interact with applications and leverages the underlying hardware of a system. Joining an OS with computer hardware makes the complete system. The OS is the software that dictates what a computer can do. OSs are very complex and have many responsibilities in computing because they must be able to manage the processing, I/O operations, memory, etc.
There are many different OSs. The most common OSs used for personal computing are Microsoft’s Windows and Apple’s macOS. Most personal computers (PCs) come pre-loaded with Microsoft Windows, while all Mac PCs have macOS installed.
Note: OSs are not only used for laptop and desktop computers! Mobile devices also run mobile OSs.
Every OS demands security. Each type of OS, whether desktop, mobile, server, or hypervisor, requires different techniques to secure it properly. As a cybersecurity analyst, it is important to understand each OS fundamentally, technically, and functionally.
Architecture of an OS
All modern OSs are broken down into two layers known as the kernel and the shell.
The kernel is the core layer of the OS that directly interfaces with, and manages, the hardware of a computer system. Code executed in a computer’s CPU runs in two modes: kernel mode or user mode. The kernel runs in kernel mode and interfaces with the “user-level” where all applications run. There are a few different types of kernels:
- Monolithic Kernel: all computer processes run in kernel mode
- Microkernel: core processes run in kernel mode while remaining processes run in user mode
- Hybrid Microkernel: all processes run in kernel mode where core processes run in microkernel and the remaining processes run in client/server mode
Older OSs operated in a monolithic architecture where the kernel’s core processes were not separated from other processes. OS architectures evolved into the more hybrid architecture seen in modern OSs. The separation of kernel and shell keeps the kernel more isolated, protected, and organized. The shell allows users and applications to communicate with the kernel and utilize the hardware resources of a computer system. Applications and utilities are the “user space” of an OS since users use applications and some shell tools to interact with the kernel and hardware.
The Linux kernel
One of the most common OS kernels utilized in modern computing is the Linux kernel. Linux is an open-source OS that was designed to resemble the UNIX OS, but Linux has evolved to be utilized in systems used for many different purposes. The Linux kernel is used in PCs, servers, mobile devices, and in many other computing devices. There are numerous Linux OS in distribution, but one thing that remains constant across every Linux OS is the Linux kernel. In other words, a Linux distribution is an OS that uses a version of the Linux kernel and a unique set of shell applications.
Now that we’ve emphasized the significance of the OS kernel, the shell, and highlighted the Linux kernel, we can explore the concept of the Linux distribution. There are hundreds of Linux OS distributions. Each Linux distribution is unique in purpose and consists of different application packages (and shells). Some Linux distributions remain open source while others are converted to proprietary OS licensed by certain Linux OS vendors.
As a cybersecurity professional, understanding the characteristics of the Linux OS is critical in the analyst function especially since the OS is used with many cybersecurity tools. In fact, there are a few Linux distributions whose purpose is penetration testing and cybersecurity analysis. The most popular of these types of Linux OS is Kali Linux which will be discussed later.
The Linux command-line interface
Linux, when compared to other OSs, is distinguished by many characteristics such as the file system and command-line interface (CLI) syntax. It is also common to interact with the Linux OSs used in organizations’ computer infrastructure via the command line only. Most production-grade Linux OSs come out-of-the-box without a graphical user interface (GUI). Instead, the OS interface displayed to the user may simply be a command-line shell.
To effectively navigate the Linux OS, the user must be familiar with the Linux CLI syntax and the different shells available to the user. The most common Linux shell is the Bash shell.
The Linux file system
OSs, before they are loaded into memory and activated as processes, are simply files of code. Therefore, it is important to understand where the core OS files reside in an OS file system. Kernel files are typically stored in default locations in an OS’s file system, while shell and application files change locations depending on OS version. Additionally, different OSs have different file systems, which adds complexity to the cybersecurity professional’s job of securing all systems of an organization. For example, the Linux file system differs significantly from the Microsoft Windows file system. Linux uses Extended Filesystem 4 (EXT4), while Windows uses New Technology File System (NTFS). As an analyst, familiarization with the file system of each OS encountered is important.
/                 Root Directory of the Linux File System (FS)
├── /bin          User Binaries
├── /boot         Boot Loader Files
├── /dev          Device Files
├── /etc          System-Global Config Files
├── /home         User’s Home Directory
├── /lib          System Libraries and Kernel Modules
├── /lost+found   Stores Corrupted FS Files
├── /media        Mount Point for External Devices
├── /mnt          Temp Mount Point
├── /opt          Folder for Optional Application Files
├── /proc         Process (and Kernel) Information
├── /root         Root User’s Home Directory
├── /sbin         Essential System Binaries
├── /srv          Services Data Directory
├── /sys          Devices (and Kernel) Information
├── /tmp          Temporary Files Directory
├── /usr          User Utilities and Applications
└── /var          Variable Files
The Linux file system structure begins at the root. Root is identified by a single forward slash “/”. In the Linux CLI, you can navigate to the root of the Linux OS by typing “cd /”. Root is the top directory in the hierarchy of the Linux OS. From root, all other system directories are available. Here are a few of the directories that cybersecurity analysts should get familiar with:
/boot: Directory that stores kernel files and boot loader files.
/dev: Device files of every hardware device connected to the system are stored here.
/etc: Startup scripts, login files, and configuration files for common system services are stored here.
/lib: Stores system library files and kernel module files.
/proc: Stores data that gets loaded into memory such as: kernel, process, network, etc.
/sbin: Stores binaries and commands related to the system environment’s settings.
/sys: Stores kernel-related information that typically gets loaded directly into memory upon boot.
/var: Location where system variable files are stored. Dynamic data, log files, cache data, and files generated during system operation are stored here too.
Basic Linux security
Out-of-the-box, most Linux OS require specific hardening techniques to be applied upon installation. It is good practice to know how to properly secure the OS being installed. With Linux, these basic hardening steps should be applied:
Document host information
Any system joined to an enterprise network should be properly documented. Address information should be recorded, as well as other specific host information (hostname, hardware serials, etc.).
Secure the BIOS
The Basic Input/Output System (BIOS) has access to system resources and configuration settings that may be used to alter the bootloader method of an OS. This may be leveraged to compromise a system, so securing the BIOS with, at a minimum, a password is good practice.
Encrypt the hard disks
Encrypting the hard disks, whether encrypting individual files or applying full-disk encryption (FDE), is a good practice. This technique prevents theft of, and unauthorized access to, the data on a system’s storage device(s).
Set /boot Directory to Read-Only
Since the /boot directory contains critical kernel files, it’s a good idea to eliminate the possibility of unwanted file alterations in the /boot directory.
Disable unused hardware port(s)
Data Loss Prevention (DLP) practices suggest that all unused hardware ports should be disabled (typically in the BIOS). The most important ports to disable are USB ports, since they may be leveraged to load malicious software and compromise a system.
Disable unused logical port(s)
Disable any open connections unneeded on the system. Any open connection ports are an entry point to a computer system. Therefore, to reduce the compromise risk, close all unused connection ports.
Enable SELinux
Security-Enhanced Linux (SELinux) uses a security mechanism that hardens the kernel significantly. By simply enabling this mechanism, layers of security are added to the Linux kernel of the system.
Properly configure file permissions
The files passwd, group, and shadow are unique to Linux and are where user logins, passwords, and group information are stored. Restricting ownership and permissions of these files to the root account and root group greatly reduces the risk of account compromise on the system.
Enforce strong password policies
Ensure the passwords stored on the system are not reused and that the password length and complexity minimum requirements are sufficient to prevent password attacks.
Patch, patch, patch
Maintain the system as up-to-date as possible. System and application patches contain vital security updates that help reduce system vulnerabilities and increase security.
These are only a few of the most basic hardening techniques when securing a Linux OS. To learn additional Linux OS hardening steps, read the article “Linux Hardening”.
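The following script is an added example, not part of the original article: a read-only audit of three of the steps above (/boot mounted read-only, ownership and permissions of passwd, group and shadow, and SELinux state). The function names and the permission ceilings 644/644/640 are assumptions of this example, and it relies on GNU stat.

```shell
#!/usr/bin/env bash
# Added example (not from the article): read-only audit of three hardening steps.

# Succeeds if MOUNTPOINT ($1) is mounted with the "ro" option in a
# /proc/mounts-style table ($2; fields: device mountpoint fstype options ...).
mount_is_readonly() {
  awk -v mp="$1" '
    $2 == mp { ro = 0; n = split($4, opt, ",")
               for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1 }
    END { exit(ro ? 0 : 1) }' "${2:-/proc/mounts}"
}

# Succeeds if FILE ($1) has no permission bits set outside MAX_MODE ($2, octal).
mode_within() {
  local mode
  mode=$(stat -c '%a' "$1") || return 2
  [ $(( 0$mode & ~0$2 & 07777 )) -eq 0 ]
}

# Succeeds if FILE ($1) is owned by the numeric UID:GID in $2 (0:0 is root:root).
owner_is() {
  [ "$(stat -c '%u:%g' "$1" 2>/dev/null)" = "$2" ]
}

# Prints enforcing, permissive, or disabled from the SELinux status file.
selinux_mode() {
  local enforce="${1:-/sys/fs/selinux/enforce}"
  [ -r "$enforce" ] || { echo disabled; return 0; }
  case "$(cat "$enforce")" in 1) echo enforcing ;; *) echo permissive ;; esac
}

# Report on the live host. The mode ceilings are assumptions of this example.
audit_host() {
  local spec file
  if mount_is_readonly /boot; then echo "PASS /boot is mounted read-only"
  else echo "FAIL /boot is writable or not a separate mount"; fi
  for spec in /etc/passwd:644 /etc/group:644 /etc/shadow:640; do
    file=${spec%:*}
    if owner_is "$file" 0:0 && mode_within "$file" "${spec#*:}" 2>/dev/null; then
      echo "PASS $file"
    else
      echo "FAIL $file (want root:root, mode within ${spec#*:})"
    fi
  done
  echo "INFO SELinux is $(selinux_mode)"
}

audit_host
```

The mount check splits the option list on commas, so an option such as relatime is not mistaken for ro. Debian-family systems normally ship /etc/shadow with group shadow, so the root:root check reports FAIL for that file there.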
The cybersecurity analyst is expected to be familiar with OSs and their file systems, to be able to identify critical system files, and to have the skills and ability to properly secure those critical files through system hardening, monitoring, and security analysis.