9 Physical security #
Physical security is very important. Linux production servers should be in locked data centers accessible only to people that have passed security checks. Depending on the environment and circumstances, you can also consider boot loader passwords.
Additionally, consider questions like:
Who has direct physical access to the host?
Of those that do, should they?
Can the host be protected from tampering and should it be?
The amount of physical security needed on a particular system depends on the situation, and can also vary widely depending on available funds.
9.1 System locks #
Most server racks in data centers include a locking feature. This is a hasp/cylinder lock on the front of the rack that allows you to turn an included key to a locked or unlocked position—granting or denying entry. Cage locks can help prevent someone from tampering or stealing devices/media from the servers, or opening the cases and directly manipulating/sabotaging the hardware. Preventing system reboots or the booting from alternate devices is also important (for example CD, DVDs, flash disks, etc.).
Some servers also have case locks. These locks can do different things according to the designs of the system vendor and construction. Many systems are designed to self-disable if attempts are made to open the system without unlocking. Others have device covers that do not let you plug in or unplug keyboards or mice. While locks are sometimes a useful feature, they are lower quality and easily defeated by attackers with ill intent.
9.2 Locking down the BIOS #
This section describes only basic methods to secure the boot process. To find out about more advanced boot protection using UEFI and the secure boot feature, see Abschnitt 17.1, „Secure Boot“.
The BIOS (Basic Input/Output System) or its successor UEFI (Unified Extensible Firmware Interface) is the lowest level of software/firmware on PC class systems. Other hardware types (POWER, IBM Z) that run Linux have low-level firmware that performs similar functions as the PC BIOS. When this document references the BIOS, it means BIOS and/or UEFI. The BIOS dictates system configuration, puts the system into a well defined state and provides routines for accessing low-level hardware. The BIOS executes the configured Linux boot loader (like GRUB 2) to boot the host.
Most BIOS implementations can be configured to prevent unauthorized users from manipulating system and boot settings. This is typically done by setting a BIOS administrator or boot password. The administrator password only needs to be entered for changing the system configuration but the boot password is required during every normal boot. For most use cases, it is enough to set an administrator password and restrict booting to the built-in hard disk. This way an attacker is not able to simply boot a Linux live CD or flash drive, for example. Although this does not provide a high level of security (a BIOS can be reset, removed or modified—assuming case access), it can be another deterrent.
Many BIOS firmware implementations have other security-related settings. Check with the system vendor, the system documentation, or examine the BIOS during a system boot to find out more.
If a system has been set up with a boot password, the host does not boot up unattended (for example, in case of a system reboot or power failure). This is a trade-off.
Once a system is set up for the first time, the BIOS administrator password is not required often. Do not forget the password or you may need to clear the BIOS memory via hardware manipulation to get access again.
9.3 Security via the boot loaders #
The Linux boot loader GRUB 2, which is used by default in SUSE Linux Enterprise Server can have a boot password set. It also provides a password feature, so that only administrators can start the interactive operations (for example editing menu entries and entering the command line interface). If a password is specified, GRUB 2 disallows any interactive control until you press the key C and E and enter a correct password.
You can refer to the GRUB 2 man page for examples.
It is important to keep in mind that when setting these passwords they need to be remembered. Also, enabling these passwords can merely slow an intrusion, not necessarily prevent it. Again, someone could boot from a removable device, and mount your root partition. If you are using BIOS-level security and a boot loader, it is a good practice to disable the ability to boot from removable devices in your computer's BIOS, and then password-protect the BIOS itself.
Also keep in mind that the boot loader configuration files need to be
protected by changing their mode to 600
(read/write for
root
only), or others can read your passwords or hashes.
9.4 Retiring Linux servers with sensitive data #
Security policies contain certain procedures for the treatment of
storage media that is going to be retired or disposed of. Disk and media
wipe procedures are frequently prescribed, as is complete destruction of
the media. You can find several free tools on the Internet. A search for
“dod disk wipe utility” yields several variants. To
retire servers with sensitive data, it is important to ensure that data
cannot be recovered from the hard disks. To ensure that all traces of data
are removed, a wipe utility—such as
scrub
—can be used. Many wipe utilities overwrite
the data several times. This assures that even sophisticated methods are
not able to retrieve any parts of the wiped data. Some tools can even be
operated from a bootable removable device and remove data according to the
U.S. Department of Defense (DoD) standards. Many government
agencies specify their own standards for data security. Some standards are
stronger than others, yet may require more time to implement.
Some devices, like SSDs, use wear leveling and do not necessarily write new data in the same physical locations. Such devices provide their own erasing functionality.
9.4.1 scrub: disk overwrite utility #
scrub
overwrites hard disks, files and other devices
with repeating patterns intended to make recovering data from these
devices more difficult. It operates in three basic modes: on a character
or block device, on a file, or on a specified directory. For more
information, see the manual page man 1 scrub
.
- nnsa
4-pass NNSA Policy Letter NAP-14.1-C (XVI-8) for sanitizing removable and non-removable hard disks, which requires overwriting all locations with a pseudo-random pattern twice and then with a known pattern: random (x2), 0x00, verify.
- dod
4-pass DoD 5220.22-M section 8-306 procedure (d) for sanitizing removable and non-removable rigid disks. This requires overwriting all addressable locations with a character, its complement, a random character and then verifying. Note: scrub performs the random pass first to make verification easier: random, 0x00, 0xff, verify.
- bsi
9-pass method recommended by the German Center of Security in Information Technologies (https://www.bsi.bund.de): 0xff, 0xfe, 0xfd, 0xfb, 0xf7, 0xef, 0xdf, 0xbf, 0x7f.
- gutmann
The canonical 35-pass sequence described in Gutmann's paper cited below.
- schneier
7-pass method described by Bruce Schneier in "Applied Cryptography" (1996): 0x00, 0xff, random (x5)
- pfitzner7
Roy Pfitzner's 7-random-pass method: random (x7).
- pfitzner33
Roy Pfitzner's 33-random-pass method: random (x33).
- usarmy
US Army AR380-19 method: 0x00, 0xff, random. (Note: identical to DoD 522.22-M section 8-306 procedure (e) for sanitizing magnetic core memory).
- fillzero
1-pass pattern: 0x00.
- fillff
1-pass pattern: 0xff.
- random
1-pass pattern: random (x1).
- random2
2-pass pattern: random (x2).
- old
6-pass pre-version 1.7 scrub method: 0x00, 0xff, 0xaa, 0x00, 0x55, verify.
- fastold
5-pass pattern: 0x00, 0xff, 0xaa, 0x55 and verify.
- custom=string
1-pass custom pattern. String may contain C-style numerical escapes: \nnn (octal) or \xnn (hex).
9.5 Restricting access to removable media #
In certain environments, it is required to restrict access to removable
media such as USB storage or optical devices. The tools included with the
udisks2
package help with such a
configuration.
Create a user group whose users are allowed to mount and eject removable devices, for example mmedia_all:
>
sudo
groupadd mmedia_allAdd a specific user
tux
to the new group:>
sudo
usermod -a -G mmedia_alltux
Create the
/etc/polkit-1/rules.d/10-mount.rules
file with the following content:>
cat /etc/polkit-1/rules.d/10-mount.rules polkit.addRule(function(action, subject) { if (action.id =="org.freedesktop.udisks2.eject-media" && subject.isInGroup("mmedia_all")) { return polkit.Result.YES; } }); polkit.addRule(function(action, subject) { if (action.id =="org.freedesktop.udisks2.filesystem-mount" && subject.isInGroup("mmedia_all")) { return polkit.Result.YES; } });Important: Naming of the rules fileThe name of a rules file must start with a digit, otherwise it is ignored.
Rules files are processed in alphabetical order. Functions are called in the order they were added until one of the functions returns a value. Therefore, to add an authorization rule that is processed before other rules, put it in a file in /etc/polkit-1/rules.d with a name that sorts before other rules files, for example
/etc/polkit-1/rules.d/10-mount.rules
. Each function should return a value frompolkit.Result
.Restart
udisks2
:#
systemctl restart udisks2Restart
polkit
#
systemctl restart polkit
9.6 System protection with enforced USB device authorization via USBGuard #
The USBGuard software framework helps to protect your system with enforced USB device authorization. It implements allowlist and blocklist capabilities based on the device attributes.
The USBGuard provides the following features:
A command-line interface to interact with a running USBGuard daemon
The daemon component with an inter-process communication (IPC) interface for dynamic interaction and policy enforcement
The rule language for writing USB device authorization policies
The C++ API for interacting with the daemon component implemented in a shared library
9.6.1 Installing USBGuard #
The USBGuard daemon decides which USB device to authorize based on a set of rules defined in the policy. To install and configure USBGuard, use the following commands:
To install USBGuard:
>
sudo
zypper install usbguardUSBGuard and the required dependencies are installed. If you want to interact with the USBGuard service, you can install
usbguard-tools
.To generate a rule set based on currently connected USB devices, switch to
root
:#
usbguard generate-policy > /etc/usbguard/rules.confNoteYou can customize USBGuard by editing the
/etc/usbguard/rules.conf
file.You can start the USBGuard daemon or ensure automatic enablement at system start by switching to
root
:#
systemctl enable --now usbguard.serviceYou can either authorize or deauthorize a device from interacting with the system. Note that this depends on the value of the
ImplicitPolicyTarget
option in theusbguard-daemon.conf
file. This option is used to treat devices that do not match any rule in the policy.usbguard allow-device 6
usbguard block-device 6
You can also use the
reject-device
option to deauthorize and remove a device from the system.NoteUse the
usbguard --help
command to see all the options.
9.6.2 How to use USBGuard #
You can configure a security policy to protect your system with enforced USB device authorization by implementing allow and block lists based on the device attributes.
9.6.2.1 The USBGuard configuration file #
The USBGuard daemon loads the usbguard-daemon.conf
file after the command-line
options are parsed and are used to configure the runtime parameters of the daemon. The file is by default, located at
/etc/usbguard/usbguard-daemon.conf
. Some options in the file include:
RuleFile=PATH
The USBGuard daemon uses this file to load the policy rule set from it and to write new rules received through the IPC (inter-process communication) interface. The default is
%sysconfdir%/usbguard/rules.conf
.ImplicitPolicyTarget= TARGET
How to treat devices that do not match any rule in the policy, for example:
allow - authorize every present device
block - deauthorize every present device
reject - logically remove the device node from the system
PresentDevicePolicy= POLICY
How to treat devices that are already connected when the daemon starts.
allow - authorize every present device
block - deauthorize every present device
reject - remove every present device
keep - sync the internal state
apply-policy - evaluate the rule set for all present devices
IPCAllowedUsers= USERNAME
A space-delimited list of user names that the daemon accepts IPC connections from.
IPCAllowedGroups= GROUPNAME
A space-delimited list of group names that the daemon accepts IPC connections from.
IPCAccessControlFiles= PATH
Path to files that are interpreted by the daemon as IPC access control definition files.
IPCAllowedUsers=root joe IPCAllowedGroups=wheel
The example allows full IPC access to the users root
,joe
and to the members of the group wheel
.
9.6.3 More information #
To know more about USBGuard, see:
The upstream documentation at https://usbguard.github.io/
man usbguard
man usbguard-rules.conf
man usbguard-daemon
man usbguard-daemon.conf