Tech Insights Blog

Securing Linux Filesystem


Building upon our previous guides on file permissions and user management, this article delves into advanced techniques for securing your Linux file system. We’ll explore various tools and methods to enhance your system’s security.

Access Control Lists (ACLs)

ACLs extend the single owner/group/other triplet of traditional Unix permissions: you can grant rights to additional named users and groups on the same file, and set default entries that new files in a directory inherit.

Checking ACL Support

# Check if filesystem supports ACLs
$ tune2fs -l /dev/sda1 | grep "Default mount options"
Default mount options: user_xattr acl

# Mount with ACL support (ext4 enables acl by default; only needed when the line above does not list it)
$ sudo mount -o acl /dev/sda1 /mount/point

Managing ACLs

# View ACLs
$ getfacl file.txt
# file: file.txt
# owner: john
# group: developers
user::rw-
group::r--
other::r--

# Set ACL for user
$ setfacl -m u:alice:rw file.txt

# Set ACL for group
$ setfacl -m g:project:rx directory/

# Set default ACLs for new files
$ setfacl -d -m u:bob:rx directory/
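The mask entry is the part of ACLs that catches people out: a named user's entry is ANDed with the mask, and a plain chmod of the group bits rewrites the mask. The following shell functions are an added example, not part of the article, that compute the effective rights the way the kernel does and walk through that pitfall on a scratch file. They assume setfacl/getfacl are installed and the filesystem behind mktemp has ACL support; uid 4242 is a placeholder and need not exist in /etc/passwd.

```sh
# Added example (not from the article). Needs setfacl/getfacl and an
# ACL-capable filesystem. uid 4242 is a placeholder account.

# Print the effective rights of named user $2 on file $1 ("rw-", "r--", ...):
# the user's ACL entry ANDed with the mask entry, as the kernel applies it.
acl_effective() {
    getfacl --omit-header "$1" 2>/dev/null | awk -F: -v u="$2" '
        $1 == "user" && $2 == u { entry = substr($3, 1, 3) }   # user:4242:rw-  (#effective may follow)
        $1 == "mask"            { mask  = substr($3, 1, 3) }   # mask::rw-
        END {
            if (entry == "") { print "none"; exit }
            if (mask == "") mask = "rwx"                        # no mask entry: nothing caps the rights
            eff = ""
            for (i = 1; i <= 3; i++) {
                c = substr(entry, i, 1)
                eff = eff ((c != "-" && substr(mask, i, 1) != "-") ? c : "-")
            }
            print eff
        }'
}

# Walk through the pitfall on a temporary file, one line per step.
acl_mask_demo() {
    f=$(mktemp)
    chmod 660 "$f"
    setfacl -m u:4242:rw "$f" || { rm -f "$f"; return 1; }
    printf 'after setfacl u:4242:rw  effective=%s\n' "$(acl_effective "$f" 4242)"   # rw-
    chmod 640 "$f"             # the group bits now write the mask: rw- becomes r--
    printf 'after chmod 640          effective=%s\n' "$(acl_effective "$f" 4242)"   # r--
    setfacl -m m::rw "$f"      # restore the mask explicitly (setfacl -n also stops recalculation)
    printf 'after setfacl m::rw      effective=%s\n' "$(acl_effective "$f" 4242)"   # rw-
    rm -f "$f"
}

command -v setfacl >/dev/null 2>&1 && acl_mask_demo || :
```

After the final setfacl, `ls -l` shows the group column as rw- because, once a mask exists, that column displays the mask rather than the owning group's rights; getfacl is the only reliable view.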

File System Attributes

File attributes (set with chattr and listed with lsattr) add protections that ordinary permission bits cannot express, and they bind root as well: an immutable file cannot be modified, renamed or deleted until the flag is cleared.

# View attributes
$ lsattr file.txt
----i-------- file.txt

# Set immutable flag
$ sudo chattr +i important.conf

# Set append-only flag
$ sudo chattr +a log.txt

Common attributes (setting or clearing i and a requires CAP_LINUX_IMMUTABLE, so even root must run chattr -i before such a file can be changed):
- i: Immutable (no writes, renames, deletes or hard links)
- a: Append-only (writes may only add to the end; suited to log files)
- s: Secure deletion (advisory only; ext4 and most modern filesystems do not honour it)
- u: Undeletable (advisory only; likewise not implemented by ext4)

Disk Encryption

Full Disk Encryption

Using LUKS (Linux Unified Key Setup):

# Create encrypted partition
$ sudo cryptsetup luksFormat /dev/sdb1

# Open encrypted partition (luksOpen is the older spelling of "cryptsetup open --type luks")
$ sudo cryptsetup luksOpen /dev/sdb1 secure_data

# Format and mount
$ sudo mkfs.ext4 /dev/mapper/secure_data
$ sudo mount /dev/mapper/secure_data /mnt/secure

Encrypted Home Directory

# Create encrypted home
$ sudo ecryptfs-migrate-home -u username

# Mounting on login is set up by the migration; record the mount passphrase for recovery and encrypt swap
$ ecryptfs-unwrap-passphrase
$ ecryptfs-setup-swap

Mandatory Access Control (MAC)

SELinux Basics

# Check SELinux status
$ getenforce
Enforcing

# Set SELinux context (chcon is temporary: a relabel resets it; make it persistent with semanage fcontext, then restorecon)
$ sudo chcon -t httpd_sys_content_t /var/www/html/

# View security context
$ ls -Z /var/www/html/

AppArmor

# Check AppArmor status
$ sudo aa-status

# Put profile in enforce mode
$ sudo aa-enforce /usr/bin/firefox

# Create new profile
$ sudo aa-genprof /usr/local/bin/custom-app

File System Auditing

Using auditd

# Install audit system
$ sudo apt install auditd

# Monitor file access (-p war: write, attribute change, read; put the rule in /etc/audit/rules.d/ to survive a reboot)
$ sudo auditctl -w /etc/passwd -p war -k passwd_changes

# View audit logs
$ sudo ausearch -k passwd_changes
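ausearch prints every record of a matching event, and a single file open yields a SYSCALL record (who, which program, success or denial) plus one PATH record per path component, including a PARENT entry for the containing directory. The shell function below is an added example, not part of the article, that correlates those records from a raw audit log by their msg=audit(TIME:SERIAL) id and prints one line per actual file hit. The log lines in sample_audit_log are constructed for illustration; the event ids, pids and inodes are placeholders.

```sh
# Added example (not from the article). Reads raw audit.log records on stdin.
# sample_audit_log is constructed test data, not a real capture.

sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a1 a2=241 a3=1b6 items=2 ppid=4100 pid=4101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="vipw" exe="/usr/sbin/vipw" key="passwd_changes"
type=CWD msg=audit(1700000000.101:201): cwd="/root"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PATH msg=audit(1700000000.101:201): item=1 name="/etc/passwd" inode=1311 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffe2c10 a2=241 a3=1b6 items=1 ppid=4200 pid=4201 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=6 comm="sh" exe="/usr/bin/dash" key="passwd_changes"
type=PATH msg=audit(1700000000.205:202): item=0 name="/etc/passwd" inode=1311 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0b2 a2=0 a3=0 items=1 ppid=4300 pid=4301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=5 comm="cat" exe="/usr/bin/cat" key="other_watch"
type=PATH msg=audit(1700000000.300:203): item=0 name="/etc/hosts" inode=1320 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
EOF
}

# usage: summarize_audit KEY < /var/log/audit/audit.log
# output: EVENT_ID  ok|FAILED  auid=N uid=N  comm (exe)  path   (tab separated)
summarize_audit() {
    awk -v want="$1" '
    # fval(line, name): value of the name=... field, quotes stripped.
    function fval(line, name,    re) {
        re = " " name "=\"[^\"]*\""                       # quoted value (may contain spaces)
        if (match(line, re))
            return substr(line, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
        re = " " name "=[^ ]*"                            # bare value
        if (match(line, re))
            return substr(line, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
        return ""
    }
    # Every record carries msg=audit(TIME:SERIAL); that id links SYSCALL to its PATH records.
    match($0, /msg=audit\([0-9]+\.[0-9]+:[0-9]+\)/) {
        id = substr($0, RSTART + 10, RLENGTH - 11)
    }
    /^type=SYSCALL / && fval($0, "key") == want {
        who[id] = "auid=" fval($0, "auid") " uid=" fval($0, "uid")   # auid survives su/sudo
        how[id] = fval($0, "comm") " (" fval($0, "exe") ")"
        ok[id]  = fval($0, "success")
    }
    # PARENT entries name the containing directory, not the watched file; skip them.
    /^type=PATH / && (id in who) && fval($0, "nametype") != "PARENT" {
        print id "\t" (ok[id] == "yes" ? "ok" : "FAILED") "\t" who[id] "\t" how[id] "\t" fval($0, "name")
    }'
}

sample_audit_log | summarize_audit passwd_changes
```

The second constructed event is the interesting one for detection: success=no with exit=-13 (EACCES) from an unprivileged login session is an attempt that permissions already stopped, which is exactly what a watch with -p r surfaces and a plain diff of /etc/passwd never would.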

Using inotify

# Monitor directory changes (add -r to recurse into subdirectories)
$ inotifywait -m /important/directory

# Monitor specific events
$ inotifywait -m -e modify,create,delete /path

Secure Mount Options

Hardening Mount Points

# Edit /etc/fstab
/dev/sda1 /home ext4 defaults,nosuid,noexec,nodev 0 2

# Temporary mount with security options
$ sudo mount -o remount,nosuid,noexec /home

Common security options:

  • nosuid: Ignore SUID/SGID bits on executables
  • noexec: Refuse to execute binaries from the filesystem
  • nodev: Do not interpret character or block special files
  • ro: Read-only mount
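Checking that these options are actually present is worth scripting, since one missing word in a long fstab line is easy to overlook. The function below is an added example, not part of the article: it reads an fstab from stdin, compares the mount points it knows against a hardening policy, and exits non-zero when something is missing. The policy table is an assumption for the demo (tune it per host), and the fstab in sample_fstab is constructed with a placeholder UUID.

```sh
# Added example (not from the article). The policy table is an assumption;
# sample_fstab is constructed test input.

sample_fstab() {
    cat <<'EOF'
# <file system>          <mount point>  <type>  <options>                 <dump> <pass>
UUID=PLACEHOLDER-ROOT    /              ext4    errors=remount-ro         0      1
/dev/sda1                /home          ext4    defaults,nosuid,nodev     0      2
tmpfs                    /tmp           tmpfs   defaults,nosuid,nodev     0      0
/dev/sda3                /var/tmp       ext4    defaults                  0      2
EOF
}

# usage: check_fstab < /etc/fstab   (exit 1 if any policy mount point lacks options)
check_fstab() {
    awk '
    BEGIN {
        want["/home"]    = "nosuid,nodev"          # users need to run their own programs
        want["/tmp"]     = "nosuid,nodev,noexec"
        want["/var/tmp"] = "nosuid,nodev,noexec"
        want["/dev/shm"] = "nosuid,nodev,noexec"
    }
    /^[[:space:]]*#/ || NF < 4 { next }            # comments and blank lines
    ($2 in want) {
        opts = "," $4 ","                          # pad so ",nodev," cannot match a longer word
        n = split(want[$2], req, ",")
        missing = ""
        for (i = 1; i <= n; i++)
            if (index(opts, "," req[i] ",") == 0)
                missing = missing (missing != "" ? "," : "") req[i]
        if (missing != "") { bad++; print "WARN " $2 " (" $3 ") missing: " missing }
        else                 print "OK   " $2 " (" $3 ")"
    }
    END { exit (bad > 0) }'
}

sample_fstab | check_fstab || echo "fstab needs attention (exit $?)"
```

fstab says what will be mounted at boot, not what is mounted now; compare against `findmnt -o TARGET,OPTIONS` after a remount. Expect noexec on /tmp to break installers and build tools that unpack and run helpers there, so test it on a staging host first.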

Best Practices

  1. Regular Security Audits

    # Find SUID files (use -perm -2000 for SGID)
    $ sudo find / -perm -4000 -type f
    
    # Find world-writable files (-0002 is the same test as -2, written out as a mode)
    $ sudo find / -perm -0002 -type f
    
    # Find unowned files (parentheses stop -o from swallowing any test you add after it)
    $ sudo find / \( -nouser -o -nogroup \)
    
  2. Backup Security

    # Create encrypted backup
    $ tar czf - /important | gpg -c > backup.tar.gz.gpg
    
    # Record a checksum now; verify later with: sha256sum -c backup.sha256
    $ sha256sum backup.tar.gz.gpg > backup.sha256
    
  3. File System Monitoring

    # Set up file integrity monitoring (--init writes aide.db.new; rename it to aide.db before --check)
    $ sudo aide --init
    $ sudo aide --check
    
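The three find commands under "Regular Security Audits" are more useful as a function you can point at any tree, scheduled from cron and diffed against the previous run. The script below is an added example, not part of the article. It adds two checks the list does not mention, SGID files and world-writable directories that lack the sticky bit, and builds a throwaway directory with known findings so the output can be checked without touching the real system; that sample tree is constructed for the demo.

```sh
# Added example (not from the article). make_sample_tree builds constructed
# test data under mktemp; audit_tree works on any real path such as /.

make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/shared" "$d/dropbox"
    : > "$d/bin/helper";   chmod 4755 "$d/bin/helper"      # SUID executable
    : > "$d/bin/report";   chmod 2755 "$d/bin/report"      # SGID executable
    : > "$d/shared/notes"; chmod 0666 "$d/shared/notes"    # world-writable file
    : > "$d/README";       chmod 0644 "$d/README"          # clean file, must not be reported
    chmod 1777 "$d/shared"                                  # world-writable dir WITH sticky bit: acceptable
    chmod 0777 "$d/dropbox"                                 # world-writable dir without it: anyone can delete others' files
    printf '%s\n' "$d"
}

# usage: audit_tree /      output: CATEGORY<TAB>path, one finding per line
# -xdev keeps each find on the starting filesystem; run once per mount point.
audit_tree() {
    root=$1
    find "$root" -xdev -type f -perm -4000 -exec printf 'SUID\t%s\n' {} +
    find "$root" -xdev -type f -perm -2000 -exec printf 'SGID\t%s\n' {} +
    find "$root" -xdev -type f -perm -0002 -exec printf 'WORLD-WRITABLE\t%s\n' {} +
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 -exec printf 'WW-DIR-NO-STICKY\t%s\n' {} +
    # Parentheses matter: without them -nogroup alone would pair with -exec.
    find "$root" -xdev \( -nouser -o -nogroup \) -exec printf 'UNOWNED\t%s\n' {} +
}

d=$(make_sample_tree)
audit_tree "$d"
rm -rf "$d"
```

A file can appear under more than one category, which is the point: a SUID binary that is also world-writable is the finding to act on first. Unowned files are not produced by the sample tree because assigning a non-existent uid needs root; on a real host they usually mean a deleted account left files behind.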

Advanced Security Configurations

Restricting Core Dumps

# Edit /etc/security/limits.conf
* hard core 0

# Using sysctl
$ sudo sysctl -w fs.suid_dumpable=0

Protecting Against Buffer Overflows

# Enable ASLR
$ sudo sysctl -w kernel.randomize_va_space=2

# Compile with security flags (_FORTIFY_SOURCE only takes effect with optimisation enabled, hence -O2)
$ gcc -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 program.c

Troubleshooting Security Issues

  1. Permission Problems

    # Check extended attributes
    $ lsattr -a directory/
    
    # View ACL inheritance
    $ getfacl -R directory/
    
    # Check SELinux contexts
    $ ls -Z file
    
  2. Encryption Issues

    # Check LUKS status
    $ sudo cryptsetup status secure_data
    
    # Verify encryption setup
    $ sudo dmsetup table
    

Conclusion

Securing your Linux file system requires a multi-layered approach, combining traditional permissions with advanced security features. By implementing the techniques covered in this guide along with proper file permissions and user management (discussed in our previous articles), you can create a robust security framework for your Linux system.

Remember that security is an ongoing process. Regularly audit your system, update security policies, and stay informed about new security threats and mitigation techniques.