Hello, My name is Isaac. Welcome to lean out Security.
The video will discuss linen service is
benchmarks for securing Cyber systems are created to protect legitimate processes from being exploited by threat actors.
So device hardening utilizes security benchmarks to configure devices for the most efficient and secure performance.
Harding Information Systems is a process that attempts to reduce the vulnerability surface by turning off unnecessary service. Is that air not required for the job at hand
so generally? But why set of computing activities running on an information system at the same time make the system more prone to attacks that can compromise the system.
Hardening information systems for security purposes can be achieved by grouping. The hardening process under the types of service is required to run particular tasks.
Also, different operating systems for computing platforms have software, especially configurations, for applying the hardening benchmarks.
So when thinking of device hardening,
there are many strategies that can be documented before the technical details are specified.
So we have hardening concepts for various areas of technology
and for the plethora of linens distributions available, separate benchmarks are created to align with the specific code dependencies of each Linux distribution.
The Center for Internet Security, for example, has published a wide variety of benchmarks that can be used to harden many operating systems, including the various Lena's distributions.
So with the Center for Internet Security controls, the manual hardening of devices can be done using the C. I. S benchmarks.
However, due to the large number of service is which system administrators may need to configure for device Harding benchmarks, the C I s also provides an option for automated processes off scanning devices and detecting loopholes that require hardening as well as automatically configuring systems
for standard hardening bills.
The automatic configurations usually come with a fee.
However, the CIA, as documentations, can be downloaded for free
as a general view of hardening systems. At the basic level, having to do list can be very helpful.
So at the top of the list, you'll want to begin by taking an inventory of all the systems you want to harden, and so you will document the current state of the device configurations. So you're looking for information such as host name I pian, Mac addresses and device you're or registration numbers.
Next, you're looking at how to start hunting the device at boot time, where the power on self test runs based on cheap said configurations
so that she said, settings are hardware platform based settings that depend on the manufacturer of the device.
In the BIOS terminal, the supervisor passwords should be created, and any default passwords should be changed.
The supervisor password. Access to the buyers will be able to manage other user access levels such as full access, limited access and no access to the buyers
Still, within the bio set up,
Universal serial ports can also be disabled to prevent ah, notarized booting by external bootable devices like flash drives, external hard drive for DVD, wrong drives
and then for the linens operating system installation. You'll want to protect the hard drive by encrypting it to protect from confidentiality britches.
Lena's installations provide you with the option of creating and encrypting dispositions as well as encrypting the entire disc.
So encrypting your drives prevents an attacker who happens to steal your disk from accessing the content off the drive.
So these bios, settings and the hard disk and Christian are just a few examples of where you perform hardening for your system.
The list can be endless, so you will want to have a general idea of what areas need hardening.
So you're looking at software patching for system installation, operating system, hardening user access and passwords for local and remote connections.
Password policies can be created to enhance security.
The NOx password aging policy can be set using the change command.
Also, users can be restricted from reusing passwords as a security measure.
Hot any software includes updating softer installations and removing redundant software.
Installing software and having it maintained through updates can be achieved with package management systems that are specific for the different major distributions of Lennox, like red hats and Debbie in
the Debbie and Destruction package Management to consist of software tools that can be accessed at low level in front and interfaces to manage installations.
So at the front and the advanced package to is used to manage software with that D E B file extension,
he's hearing the up gets command can be used to update software packages,
so the commands to view the list off software packages is a pseudo up. Get update command
with the right package information. The pseudo AB get install package is used to install the package.
Another thing you can do beside installing the package is updating the package, either by using the update manager presented by the graphical user interface. When updates or do or you can issue the pseudo AB get off grade command at the command prompt.
It is also possible to uninstall packages using the pseudo AB get Remove package command
so these commands work for the Debian distribution along with its derivatives.
Derivatives of Debian include you, Boon to and Lenox Mids, the Red Hat Distribution and its derivatives. Such a sent US and Fedora also have package management utilities for dating, installing and on installing packages.
So the Red Hat package manages files with dot rpm extensions.
The Red Hat Package management is a leaner standard that is compatible with other Red hat derivatives. Such a Suze and man driver.
The automated command line tools for installation and updates all the young and up to date commands.
So issuing a young search keyword command searches for a package and a young install package installs the package
to update issued a young update package and honest all the young removed package command issues,
so these commands helped the administrator to manage software dependencies with automated tools
when managing queries to view information about files used in installations in order to know the dependencies. The automated processes occurring files comes with the trade off in performance because of the multiple represent trees that are involved over the Internet.
When running these queries, both Debian and Red Hat can use manual input to manage package queries locally,
so red had uses the RPM, and Debian uses the DP kg commands to query packages.
So the administrator uses the commands. The first list, the packages that are currently on the system than another command lease files associated with a particular package. And thirdly, the package information on the state of the package is obtained,
so this table shows the actions performed and the commands for the debian and red hat distributions.
The Linens colonel is the core of the G N U Linux operating system, which is used to manage our operations running on the system.
So when a user issues of command, the colonel, which was loaded into memory during boot time, listens to user inputs and performs actions by initiating and managing system processes in response to application requests.
The colonel monitors the system resources and allocates memory space for user running applications.
It also allocate CPU cycles by multiplexing task according to time frames located teach process.
So the colonel is very active in controlling the system operations.
All these control is transferred to the colonel by the boot loader At the system startup,
the system application interacts with the colonel through application programmable interfaces, and so there is a layer of attraction between the colonel and applications.
The colonel is therefore seeing this abstraction as a process that run on the system.
So the colonel is handling lots of processes that can be in one of many states. Starting, running or stopping
security systems at the colonel is critical to preventing malicious operations from hijacking and controlling system processes.
Leaners environment. The process is running on A system can be viewed with the top command.
All these processes are interacting with the colonel,
so the top command reveals a lot of information about each process.
The P S command can also lists all processes, but the top command provides greater detail showing resource consumption like CPU memory network and so on.
Another alternative command for viewing processes is the hate stop command.
So with these commands of forensic analysis looks out against any suspicious processes.
The system processes have a hierarchical structure, so you have parent processes, child processes or friend processes, zombie processes and Damon processes.
Demons are processes that run at the background, and they're not controlled by the active user.
Apparent process can produce a child process that executes a separate function within the parent shell.
So ideally, the unique process that is the first process that starts at boot time is the only process that does not have a parent.
So the child processes have dependencies on the parent processes.
Dearing. Wrong time apparent process is stopped, but the child process is allowed to keep running. The child process becomes an offering process, and similarly, when the process is no longer using, resources are located to eat. But it's meta Data still remains in the process table.
Such a process is said to be a zombie process.
The Lino's colonel utilizes public and private key pairs to validate kernel mode, you off days before installation and during wrong time.
The Colonel models add functionality to the colonel without having to rebuild or even reboot the Lena's colonel
Security for the colonel when adding models ensures that processes in the system are controlled by a trusted colonel system.
The system. Colonel Public key signatures can be viewed by a route user by issuing the cat Prock Qi's command
so you can see the Colonel Key is an ex 0.509 certificates standard The system bios off a computer. Running linens perform a power on self test went powered on
upon successful completion of the system. Hardware checks by the BIOS.
It hands over control to the operating system boot loader, located on the master boot record off the hard disk, which in turn loads and hands over control to the lyrics. Colonel,
the colonel set up, loads the system drivers and creates the first process off a user space.
This process is the parents of all other processes on the system, and it has a process idee of one.
This is the initializing process for the operating system and can be viewed from the leaner shell by issuing the PS dash a command.
So for listeners distributions that you system d as initializing system
process I d off one will be assigned to the system D
System D is a system Damon that runs in the background for managing system Service is it's a contemporary initialization system for Linda's distributions.
It was developed as a replacement for the older system. The innit implementations of initializing Lennox processes
the System D has improvements over its system. V. Innit predecessor.
This May System D capable off starting process is in peril, thereby effectively increasing the speed of good time process is for the winners operating system
system. Vian. It systems,
which stars processes in serious, is still run on some platforms.
Lino's has many service is running at boot.
The linens command shell provides many commands that can be used to manage and analyze the operations of the system.
The System D and Allies Command shows the total boot time, comprising of the kernel boot time and the user space boot time.
The kernel boot time is a fixed value that cannot be altered by the user. However, the user space boot time has service is that when disabled can improve the CPU circle resources available during boot time and therefore speed abu time by a few seconds or more.
So issue in the system and allies command with the blame option shows the service is initiated, and the time it took for those service is to start.
The user can look at the service, is listed and is able redundant. Service is that may be hugging up system resources.
The System Control Command with the disabled option and the service name will disable the command at boot time.
Using the stop option will only stop the service for the current session. So using the stuff option means the next time the system reboots, the service will run again.
Port you Sage can be restricted to specific applications and user groups.
Some pores are restricted to the root level. Access
the need to authenticate server connections that Ron, well known Port Number Service's make sport restriction useful in determining the identity of the person who configured the service. Because well known Port Number Service's can Onley become figured by an administrator who has root access to the server.
This means a non route user on a server cannot initiate a connection with remote clients on any of the restricted course.
The restricted pores are the Port zero true Port 10 to treat
In this video, we discussed Lin up service is