Center for Internet Security benchmarks provide detailed best practices for configuring secure systems. To automate checking systems against benchmarks, tools like OpenSCAP can scan systems for compliance, security gaps, etc.
Vulnerability detection
Service misconfigurations occur when a Linux daemon is left with unsafe defaults or overly permissive settings. For example, leaving SSH password login enabled exposes the host to brute-force attacks. Another common example is binding critical services to 0.0.0.0 (all interfaces) instead of localhost.
To detect vulnerabilities, port scanners and protocol analysers are the common tools. The former are usually used first: they check which ports and services are reachable over the network, with tools like nmap or zenmap (the GUI version of nmap).
Example
This will perform a stealth SYN scan and service version detection across the entire subnet.
nmap -sS -sV 10.0.0.0/24
On the other hand, there are protocol analysers. The most common GUI tool is Wireshark, or its CLI counterpart tshark, which can be used to inspect captured packets and follow a suspected HTTP stream.
To check file integrity, use rkhunter, which compares important binaries against known-good hashes (and also looks for other indicators of compromise). Alternatively, use AIDE (Advanced Intrusion Detection Environment), which builds a baseline snapshot of selected files and then compares the system against that snapshot during regular scans.
Malware
Anti-malware tools use signature databases and behavioural heuristics to detect and quarantine known viruses, ransomware, and other malicious code. One example is ClamAV, which can scan the file system recursively against the latest signature database.
Example
To make ClamAV check the contents of the /usr directory, run the following:
sudo clamscan -r /usr
LMD (Linux Malware Detect) builds on ClamAV to automatically scan uploads for PHP backdoors and known malware families. For rootkit detection, there are tools such as rkhunter, which runs a system-wide search for known rootkits. Alternatively, use chkrootkit, which searches for odd configs, hidden binaries, and tampered libraries.
Indicators of compromise
When checking for malware, indicators of compromise (IoCs) are the clues left behind by attackers. They include things like unexpected processes, odd network connections, unauthorised file changes, and the like.
Example
To check for IoCs we can use standard Linux tools:
grep -i "failed password" /var/log/auth.log # check for brute-force logins
ss -tulnp # list listening ports and the processes behind them
Alternatively, use programs like YARA, Wazuh, or auditd.
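As an added example (not part of the original notes), the brute-force check above carried one step further: a POSIX shell function that counts failed SSH password attempts per source IP over a few constructed auth.log lines and reports the sources above a threshold. The sample lines and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: detection logic for the brute-force IoC described above.
# It tallies "Failed password" events per source IP in sshd log lines and
# reports sources at or above a threshold. Input format assumed: stock
# OpenSSH messages as written to /var/log/auth.log.

# Constructed sample log lines standing in for /var/log/auth.log.
SAMPLE_AUTH_LOG='Mar  3 10:01:11 host sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 10:01:13 host sshd[2203]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar  3 10:01:15 host sshd[2205]: Failed password for invalid user test from 203.0.113.9 port 51026 ssh2
Mar  3 10:01:20 host sshd[2207]: Accepted publickey for alice from 198.51.100.4 port 40100 ssh2
Mar  3 10:02:02 host sshd[2210]: Failed password for bob from 198.51.100.7 port 40200 ssh2
Mar  3 10:02:30 host sshd[2211]: Failed password for invalid user oracle from 203.0.113.9 port 51030 ssh2'

# brute_force_sources THRESHOLD < logfile
# Prints "<count> <ip>" for every source IP with at least THRESHOLD failed
# password attempts, most active first.
brute_force_sources() {
    threshold="${1:-3}"
    grep -i 'failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# count_failed_logins IP < logfile  -> number of failed attempts from IP
# ("|| true" keeps a zero count from being treated as a failure under set -e)
count_failed_logins() {
    grep -i 'failed password' | grep -c " from $1 port " || true
}

# Stand-alone usage: report sources with 3 or more failures in the sample.
# Against a live host, replace the printf with: cat /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3
```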
CVE
The Common Vulnerabilities and Exposures program assigns a unique identifier to every publicly disclosed vulnerability. Each CVE is formatted as CVE-YYYY-NNNNN. The system is complemented by CVSS (the Common Vulnerability Scoring System), a severity score that runs from 0.0 to 10.0, based on attack complexity, privileges required, and impact.
When deleting data we can use shred, dd, or badblocks to ensure that no trace of the original data remains. These tools work by overwriting the storage locations with random bits or other useless noise.
Example
This command will overwrite the file 3 times and then delete it.
shred -u -v -n 3 secrets.txt
Example
This command overwrites an entire filesystem with random bits. It is useful for ensuring that a hard drive or similar device is properly sanitised before being discarded.
We can also safely remove data from a drive while also checking its health (say, if we want to reuse the drive elsewhere):
badblocks -wsv /dev/sdX
We can also run cryptsetup luksErase /dev/sdX (for a LUKS partition). This erases the key slots in the LUKS header, effectively removing the keys needed to decrypt the device.