Linux/Unix Security Controls

Relatively new to the Unix/Linux space (but with good working knowledge of Windows), I'm curious to hear what people believe are essential security controls to deploy to these server OSes.

Antimalware / Antivirus (AV)
Endpoint Detect & Response (EDR)
Application Control
HIDS / HIPS
Local Firewall
File Integrity Monitoring (FIM)
Log Monitoring
Data Loss Protection (DLP), Port Control
Web Reputation
etc...

I know the OS is not as susceptible to the same exploits as Windows, but at the same time I don't believe that these OSes are organically secure out of the box. With that said, I'd love to hear from people what controls are necessary, or nice to have.

Thanks!

Hello,

Welcome to the forum! We hope you enjoy your time here, and find this to be a friendly and helpful place.

Now, this is a tricky one to give a definitive set of answers to. In short, which of these types of solutions you deploy on Linux depends entirely on what the server in question is going to be doing. For example, your approach to security would be very different on a front-end Web server deployed by an Internet hosting company which is going to host many thousands of customer Web sites, as compared to a server deployed by an investment bank which was to be used for hosting a single high-frequency trading application.

So there's no one-size-fits-all answer here. And this is generally true of any OS, and not merely Linux. What the server is going to be used for, what kind of environment it will find itself being used in, and what type of users will be accessing it are the biggest factors in determining how - or indeed if - some or all of the things on your list are required.

The other big divide in the Linux world is between free solutions (software provided as part of the Linux distribution, or which is easily available from third-party package repositories) and commercial solutions (software you buy in and install, and which is supported by a vendor). Larger organisations which have to provably meet regulatory requirements - such as banks, hospitals, governments, etc. - are more likely to require commercial solutions which are officially certified for use within their industry. Businesses with less in the way of formal legal security requirements can very often make do just as well with the software that Linux either comes with or which they can install and run for free.

Another factor here will be the level of UNIX/Linux skill that you have in-house. If you don't have a team with particularly strong Linux skills, or if the skillset of your Linux team perhaps lacks a focus on the specific areas of concern that you've listed, then a commercial solution might be best. That way if you have any questions or need any help, you have a vendor to assist you that's only a phone call or an e-mail away, and it's their job to fix things if they go wrong (terms and conditions notwithstanding, naturally).

And you're right when you say that whilst in general you don't have to always worry about every single one of these things on a Linux system, it's also wrong to just not think about security or monitoring at all. Linux and Windows are a lot closer in terms of feature parity and security these days than they have ever been before, but there's no doubt that a lot more malware is floating around out there that targets Windows than Linux.

In short then, the first thing to do is to understand your threat model, and to also understand what you are legally required to provide from this list in your industry. The next thing to consider is what skills you have in-house to support or provide these requirements, and to then take all of the above factors into consideration when deciding how to proceed.

In closing, here's a quick short list of some software that could be used to meet some of what you mention. Note that none of these constitute a specific recommendation, merely a list of options for you to explore:

  • Antimalware / Antivirus
    • Non-commercial: ClamAV
    • Commercial: Bitdefender, Avast, TrendMicro, Trellix(McAfee)
  • EDR
    • Non-commercial: Not sure
    • Commercial: Tanium
  • HIDS / HIPS
    • Non-commercial: rkhunter
  • Local Firewall
    • Here you don't need anything better than what Linux has built-in, so either iptables or firewalld most likely
  • File Integrity Monitoring
    • Non-commercial: Tripwire
    • Commercial: Not sure
  • Log Monitoring
    • Non-commercial: Logwatch, Logstash
    • Commercial: Grafana

Anyway, hope this helps! If you have any further thoughts or questions do let us know and we can take things from there. And if anyone else has any other recommendations for particular solutions I'm sure they'll be happy to chime in if they have anything to share.

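As an added illustration of what the File Integrity Monitoring control in the list above actually does (this is not code from the thread or from Tripwire; it assumes GNU coreutils' sha256sum and a POSIX sh, and the directory and file names in it are constructed): baseline a tree once, then re-check it and report modified, added and removed files.

```shell
#!/bin/sh
# Minimal file-integrity monitor (FIM) for a directory tree, built on
# sha256sum. Baseline the tree once, then re-check it to detect modified,
# added and removed files. Tripwire-class tools do the same job and add
# ownership/permission tracking, signed baselines and central reporting.
# Assumes GNU coreutils (sha256sum) and a POSIX sh; paths and values used
# with it are constructed for illustration.

# Hash every regular file under DIR, with paths relative to DIR so the
# baseline does not depend on where the tree is mounted.
fim_hash_tree() {
    (cd "$1" && find . -type f -exec sha256sum {} +)
}

# fim_baseline DIR BASELINE_FILE: record the trusted state. Keep the baseline
# outside the monitored tree (ideally read-only or off-box), or it will show
# up as ADDED on the next check.
fim_baseline() {
    fim_hash_tree "$1" > "$2"
}

# fim_check DIR BASELINE_FILE: print one line per deviation and return 1 if
# anything changed, 0 if the tree still matches the baseline.
fim_check() {
    current=$(mktemp)
    fim_hash_tree "$1" > "$current"
    rc=0
    # sha256sum lines are "<64 hex chars>  <path>"; take the path from
    # column 67 so file names containing spaces still compare correctly.
    awk 'FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
                             { cur[substr($0, 67)]  = $1 }
         END {
             for (p in base) if (!(p in cur))            { print "REMOVED  " p; n++ }
             for (p in cur)  if (!(p in base))           { print "ADDED    " p; n++ }
                             else if (cur[p] != base[p]) { print "MODIFIED " p; n++ }
             exit (n > 0)
         }' "$2" "$current" || rc=$?
    rm -f "$current"
    return "$rc"
}

# Usage: fim.sh baseline DIR FILE | fim.sh check DIR FILE
case "${1:-}" in
    baseline) fim_baseline "$2" "$3" ;;
    check)    fim_check "$2" "$3" ;;
esac
```

Run the check from cron or a systemd timer and ship its output to whatever log monitoring you choose; a non-zero exit is the signal worth alerting on.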

This is extremely informative and helpful. I do work for a large bank and we have relationships with most of the commercial vendors you have identified. I have no doubt they will draw solid lines in their solutions to many of these controls.

And you’re right - I generalized and did not factor in use case. I will have to look at how they are employed before making any determinations.

As a follow-up - does the version of Linux matter? Is there a difference between what applies to Linux vs Unix? (Thanks in advance)

Hello,

In the world of Linux, there are multiple Linux distributions to choose from. Some of these come from commercial vendors, some are entirely free and community-supported, and others are a hybrid of the two.

For a bank, I'd imagine you'd be looking at a fully-commercially-supported offering. The closest thing there is to a default choice in the commercial Linux world would be Red Hat Enterprise Linux (RHEL). This is a version of Linux provided by Red Hat, who are in turn owned by IBM these days. You pay for support, for access to updates, and do so on an ongoing basis as part of a subscription.

The next-most-common commercial Linux distribution is SUSE Linux Enterprise Server (SLES). This is provided by SUSE, a German-based Linux company which, like Red Hat, has been going since the 1990s. In Continental Europe this one has a very big following, and was one of the first successful commercial Linuxes there. Again, they provide support and updates on an ongoing basis for a recurring fee.

Another commercial option worth mentioning these days is possibly Ubuntu, from Canonical. Now normally most people tend to run this one unsupported and as-is, since it's one of the (many) Linux distributions that are available free of charge and which you can run and get regular ongoing updates for at no cost. But Canonical do offer commercial support as well. I've no experience myself with their paid-for offerings, but you could look into this.

One last one that's probably worth mentioning is Oracle Linux. This one is available for free to download, install and get updates for - you only have to pay Oracle if you actually want a support contract. This began its life as a re-spin of Red Hat, and still basically is that under the hood - it's really just Oracle's take on RHEL, more or less. So if you have an existing commercial relationship with Oracle, and don't want to set up a new contract with Red Hat/IBM, looking at this could be worth your time.

Outside of commercial offerings, your choices are near-limitless. Debian, Ubuntu, CentOS, Fedora... the list goes on and on. But given that you've mentioned that you're working in the financial industry, you might well find that one of the commercially-supported offerings mentioned above is the best way to go (or at least the way that'll be approved for use).

In closing, you ask what the difference is between Linux and UNIX. UNIX is a trademark that indicates that a given operating system descends in some fashion from the original AT&T UNIX from back in the day. Linux, interestingly, cannot claim such a direct line of ancestry - strictly speaking, Linux is not a UNIX operating system, but is very much UNIX-like, and is effectively a UNIX in all but name (and in all but legal fact). A full discussion of why and how this all came about would take longer than we have here, but suffice to say one of the design goals of most Linux distributions is to be as UNIX-like as possible, without actually being UNIX.

Anyway, hope this helps! If you have any further questions let us know and we'll see what we can do.


You have my sincere gratitude for putting forward such a clear and concise answer to my question. You’re a credit to this forum. Thank you!

