Tips for securing and maintaining Linux systems
SUSE Expert Days 2016
Paweł Mirończuk
Senior Consultant
pmironczuk@suse.com
Prevention
  (and that would be all - thank you all for coming)
Threats
  Local
    Physical access to the server
    Access to the server console
    Privilege escalation by users
  Remote
    Exploiting software vulnerabilities
  Software bugs
  Missing updates
  No backups
  Inconsistent configuration across the environment
Detecting local threats
  Controlling physical access
  Checking for unauthorized changes in the system
    chkrootkit - http://chkrootkit.org/
    rkhunter - https://rootkit.nl/
    fileschanged - http://fileschanged.sourceforge.net/
    apparmor - a colleague talked about it
  SIEM
    NetIQ Sentinel - https://www.netiq.com/products/sentinel/
    OSSIM - https://www.alienvault.com/products/ossim
Detecting network threats
  nmap (port scanner)
  snort (NIDS/NIPS)
  suricata (NIDS/NIPS)
  OpenVAS
  Nessus (paid*)
Demo OpenVAS Nessus
Update
  [Diagram: UPDATE / ROLLBACK]
Backup
  Filesystem (btrfs)
  tar zcvf /mnt/backup.tgz /
  rsync -Pauv / /mnt/backup_dir/
  rsnapshot
  duplicity
  bacula
Bacula, Veritas, Legato Networker, CA ARCserve, Arkeia Network Backup
  Backup Levels: Full, Differential, Incremental, Consolidation Full, Differential, Incremental Full, Differential, Incremental, Consolidation Full 3, Synthetic Full, Differential, Incremental, Infinite Block-Level Incremental 24 Full, Differential, Incremental
  Data Format: Custom, fully open Custom Custom Custom, Microsoft Tape Format (MTF) Custom, open-source restore
  Autochangers: Fully supported optional Fully supported Fully supported
  Deduplication: File-Level 23 Either-side Global Variable Block Length Deduplication, Target-side Either-side 18
  Backup to Tape: Yes Yes Yes Yes Yes
  Backup to Disk: Yes Yes optional Yes Yes
  Backup to DVD: Yes No No
  SQL Catalog: Yes No Yes No
  Can handle 1 billion objects: Yes Yes Yes
  OpenSource: Yes No No No Only restore
  Commercial Support: Yes Yes Yes Yes Yes
  GUI: Yes - bat Yes Yes Yes Yes
  Virus Scanning: No Yes Yes No
  Tripwire like functions: Yes
  Backup span multiple volumes: Yes Yes Yes Yes Yes
  Backup Reports: Yes (Via breport) Yes Yes 5 Yes
  Backup Alerts (notify): Yes Yes Yes Yes
  Incremental handles deleted files: Yes Yes Yes
  Encryption Datastream: Yes (TLS) Yes Yes Yes
  PostgreSQL-Support 21: Yes 16,22 No
  VMWare vstorage Support 19: Yes 16 Yes Yes Yes Yes
  http://wiki.bacula.org/doku.php?id=comparisons
Demo bacula http://www.bacula.pl/
Inconsistent configuration
  The only right ones
    Ansible http://www.ansible.com/
    Puppet http://puppetlabs.com/
    CFEngine (used in SUSE Manager 2.1) http://cfengine.com/
    Chef (used in SUSE OpenStack Cloud 6) http://www.chef.io/
  These are cool too, but I won't be talking about them
    Spacewalk (used in SUSE Manager since forever)
    Salt (used in SUSE Manager 3)
Demo Chef
Bonus
  https://letsencrypt.org - free, yet recognized TLS certificates
  https://mmazur.eu.org/darmowy-certyfikat-tls-od-letsencrypt/# - a description of how to use them
Open source systems knowledge contest: www.suse.pl/konkurs
Visit the SUSE Green Room and get a green chameleon!