Improving Linux Security with DevSecOps

Users, Groups and the Principle of Least Privilege

Everyone knows how to add a user quickly to a Linux system, but how often do you take the added step of creating groups to manage those users' privileges? By adding users to groups and giving those groups permission to certain services, directories and files, you can manage access—and inevitable changes—with more control. From a DevSecOps perspective, you can share information about the groups you create with other teams, which helps them understand your methods without having to guess.

Remember also that if someone doesn't need access to a system, don't grant it. Add only the users you must.

Gain Greater Control with Automation

If you're managing a handful of servers, you can get by with manually making updates, adding users, setting up firewalls and the like. But once you get beyond 25 or 30 systems, you really need to get serious about automation.

Tools like Puppet, Chef and Ansible can help you there. Each works in a slightly different way, but the underlying principle is the same: automate away the routine stuff, and make your systems more consistent and transparent.

Puppet uses manifests to define the desired state of any host you want to manage. Because you define what you want—these firewall ports open, those closed; these users present, those not; these services running, those not—you can create secure systems that stay that way. Puppet tools like Facter and Resource also provide details about your systems that allow you to use regular expressions to define different configurations for different servers easily.

Lumogon is a powerful new tool that gives you an amazing array of data about your Docker containers, providing clean JSON reports or publishing reports to a private web portal. If you're worried about the darkness inside containers, Lumogon can shed a lot of light.

Greater Control with Data-Mining and Visualization Tools

Feeling more confident about security can be a matter of getting a better picture of what's happening. Sure, the command line can give you some nice output in your shell, but graphical visualization tools take it to a whole new level of actionable intelligence and sharing.

Splunk users revel in the depth of machine-generated data it can monitor and dig into. Its reports are great for sharing as well, giving different teams data they need—and need to think about.

Puppet Enterprise offers a number of real-time visualization tools, including "node graph", which shows the relationship between all your managed nodes. Its basic dashboards are anything but, giving you a view of problem nodes at a glance.

Conclusion

If security issues keep you up at night, take a few simple steps toward changing how you think about security in the first place. Step back and consider how everyone can participate and be engaged, and think about the tools and practices that can help. If you're better able to share information, establish repeatable practices and engage all the teams in your organization, you'll have better security and be better prepared to avoid problems that can really ruin your day.

______________________

John S. Tonello is Director of IT for NYSERNet, Inc., in Syracuse, New York. He's been a Linux user and enthusiast since he installed his first Slackware system from diskette 20 years ago. You can follow him @johntonello.