Reading Room

Linux Issues

Featuring 24 Papers as of January 20, 2021

  • Network Segmentation of Users on Multi-User Servers and Networks (Graduate Student Research) by Ryan Cox - January 20, 2021

    In High Performance Computing (HPC) environments, hundreds of users can be logged in and running batch jobs simultaneously on clusters of servers in a multi-user environment. Security controls may be in place for much of the overall HPC environment, but user network communication is rarely included in those controls. Some users run software that must listen on arbitrary network ports, exposing user software to attacks by others. This creates the possibility of account compromise by fellow users who have access to those same servers and networks. A solution was developed to transparently segregate users from each other both locally and over the network. The result is easy to install and administer.

  • Mitigating Attacks on a Supercomputer with KRSI (Graduate Student Research) by Billy Wilson - December 9, 2020

    Kernel Runtime Security Instrumentation (KRSI) provides a new form of mandatory access control, starting in the 5.7 Linux kernel. It allows systems administrators to write modular programs that inject errors into unwanted systems operations. This research deploys KRSI on eight compute nodes in a high-performance computing (HPC) environment to determine whether KRSI can successfully thwart attacks on a supercomputer without degrading performance. Five programs are written to demonstrate KRSI’s ability to target unwanted behavior related to filesystem permissions, process execution, network events, and signals. System performance and KRSI functionality are measured using various benchmarks and an adversary emulation script. The adversary emulation activities are logged and mitigated with minimal performance loss, but very extreme loads from stress testing tools can overload a ring buffer and cause logs to drop.

  • Securing the Soft Underbelly of a Supercomputer with BPF Probes (Graduate Student Research) by Billy Wilson - June 18, 2020

    High-performance computing (HPC) sites have a mission to help researchers obtain results as quickly as possible, but research contracts often require security controls that degrade performance. One standard solution is to secure a set of login nodes that mediate access to an enclave of lightly monitored compute nodes, referred to as “the soft underbelly of a supercomputer” by one DoD representative (National, 2016). Recent advances in the BPF subsystem, a Linux tracing technology, have provided a new means to monitor compute nodes with minimal performance degradation. Well-crafted BPF traces can detect malicious activity on an HPC cluster without slowing down systems or the researchers that depend on them. In this paper, a series of low-profile attacks are conducted against a compute cluster under heavy computational load, and BPF probes are attached to detect the attacks. The probes successfully log all attacks, and performance loss is less than one percent for all benchmarks save for one inconclusive set.

  • Taming the Wild West: Finding Security in Linux (Analyst Paper; requires membership in community) by Matt Bromiley - November 22, 2019

    Although Linux has historically been less prone to attacks, increased enterprise use on-premises and in the cloud means it has become as common a target as Windows environments. This paper looks at the deficiencies of Linux from a security perspective and how to lock Linux down more effectively.

  • Shell Scripting for Reconnaissance and Incident Response by Mark Gray - January 25, 2019

    It has been said that scripting is a process with three distinct phases: identification of a problem and solution, implementation, and maintenance. By applying an analytical mindset, anyone can create reusable scripts that are easily maintainable for the purpose of automating redundant and tedious tasks of a daily workflow. This paper serves as an introduction to the common structure and the various uses of shell scripts, methods for observing script execution, how shells operate, and how commands are found and executed. Additionally, this paper covers how to apply functions, control structures, and variables to increase the readability and maintainability of scripts. Best practices for system and network reconnaissance, as well as incident response, are provided; the examples demonstrate the use of shell scripting as an alternative to implementing similar functionality in more intricate programming languages.

  • All-Seeing Eye or Blind Man? Understanding the Linux Kernel Auditing System (Graduate Student Research) by David Kennel - September 21, 2018

    The Linux kernel auditing system provides powerful capabilities for monitoring system activity. While the auditing system is well documented, the manual pages, user guides, and much of the published writings on the audit system fail to provide guidance on the types of attacker-related activities that are, and are not, likely to be logged by the auditing system. This paper uses simulated attacks and analyzes logged artifacts for the Linux kernel auditing system in its default state and when configured using the Controlled Access Protection Profile (CAPP) and the Defense Information Systems Agency’s (DISA) Security Implementation Guide (STIG) auditing rules. This analysis provides a clearer understanding of the capabilities and limitations of the Linux audit system in detecting various types of attacker activity and helps to guide defenders on how to best utilize the Linux auditing system.

  • Immutability Disrupts the Linux Kill Chain (Analyst Paper; requires membership in community) by Hal Pomeranz - February 20, 2018

    New exploits aimed at Linux systems are able to succeed by achieving root access to the OS. But what if you could lock down the OS and enforce security policies from outside of it? This Spotlight Paper explores the concept of ‘immutability’ as a way of interdicting the Linux kill chain.

  • Attack and Defend: Linux Privilege Escalation Techniques of 2016 (Graduate Student Research) by Michael Long II - January 30, 2017

    Recent kernel exploits such as Dirty COW show that despite continuous improvements in Linux security, privilege escalation vectors are still in widespread use and remain a problem for the Linux community. Linux system administrators are generally cognizant of the importance of hardening their Linux systems against privilege escalation attacks; however, they often lack the knowledge, skill, and resources to effectively safeguard their systems against such threats. This paper will examine Linux privilege escalation techniques used throughout 2016 in detail, highlighting how these techniques work and how adversaries are using them. Additionally, this paper will offer remediation procedures in order to inform system administrators on methods to mitigate the impact of Linux privilege escalation attacks.

  • Securing Linux Containers by Major Hayden - August 10, 2015

    The components that make Linux containers possible have been available for several years, but recent projects, such as LXC and Docker, have made the technology much more accessible to users. Containers allow for even more efficient utilization of server resources through greater density and faster provisioning. However, securing containers is much more challenging than traditional virtualization methods, including KVM. The isolation layer between the container and the kernel, as well as between each container, is extremely thin. Weaknesses in the kernel or the container configuration can lead to compromises of containers or the entire system. The responsibility of managing the operating system within the container can also become blurry with time, and that can also lead to compromises of the container. Fortunately, Linux security modules, such as SELinux and AppArmor, along with careful configuration and container operating system management, can strengthen the thin walls around each container. Organizations that use mature Dev/Ops practices can also improve security within each container by automating the creation and deployment of container images. This paper will discuss the best strategies for securing a system running containers and the trade-offs that come with each.

  • Securing Blackboard Learn on Linux by David Lyon - December 1, 2011

    Blackboard Learn (Bb Learn) is an application suite providing educational technology to facilitate online, web-based learning. It is typical to see Bb Learn hosting courses and content. Common add-ons include the Community and Content systems, which are licensed separately.

  • Hardening Debian 4.0 – Creating a Simple and Solid Foundation for Your Applications by Alexandre Dery - January 14, 2008

    Any operating system is vulnerable to attacks if it's not properly configured. People get really emotional about the security of their preferred operating system: every mildly technical forum is bound to be a battle ground for flame wars between OS lovers. But the bottom line is: company politics and policies aside, whatever the operating system is, its security depends mainly on the knowledge of its administrator. Debate all you want, but even an OpenBSD server will be hacked if its administrator has no clue!

  • NFS Security in Both Trusted and Untrusted Environments by Jakub Dlugolecki - November 1, 2007

    This paper describes risks of using NFSv3 and NFSv4 in environments where performance is considered to be a more important factor than security. The paper also describes ways to mitigate those risks.

  • Secure Network Configuration Management for Linux-based Routers by Ron Young - May 5, 2005

    This paper presents a detailed implementation and operation plan for remote configuration management of a research network infrastructure. GIAC University is currently involved with several large-scale research projects that utilize individually identifiable medical records.

  • Step by Step Installation of a Secure Linux Web, DNS and Mail Server by John Holbrook - April 8, 2004

    This paper will show how the author configured a Linux-based web and e-mail server for a small company. This server is co-located at a local ISP. Because of budget limitations, the company can only locate one physical box at the ISP, which limits what security measures can be installed.

  • Linux Kernel Hardening by Taylor Merry - December 21, 2003

    This paper outlines the installation and configuration of a Grsecurity-enhanced kernel.

  • Linux Process Containment - A Practical Look at chroot and User Mode Linux by Paul Lessard - June 3, 2003

    This document will explore some of the general ideas of how process containment is performed with chroot and User-mode Linux, and how to help ensure that a successful attack on a jailed process does not affect the main system.

  • Secure OS Environments for Linux by Pedro Luz-Romero - June 3, 2003

    In this paper I review the main set of tools and resources available to Linux system administrators who want to build an operating system with enhanced security features, allowing applications to run securely on a network accessible from the Internet.

  • Linux RootKits For Beginners - From Prevention to Removal by Jeromey Hannel - March 2, 2003

    This paper provides an understanding of rootkits and discusses how to monitor for a rootkit and the steps taken to remove one.

  • Using Linux Scripts to Monitor Security by Harvey Newstrom - August 23, 2002

    This paper will demonstrate how to create a generic tool using Linux scripting to enable network security monitoring.

  • Aggressive Patching and the Use of a Standard Build: An OpenBSD Example by Michael Sullenszino - April 5, 2002

    This paper discusses the importance of a standard build and defines Aggressive Patching as a vital part of defense in depth. It then goes on to demonstrate how to implement Aggressive Patching by creating a Standard Build internet server farm and support structures that allow for automated patching and rapid deployment of hardened servers.

  • The Role of Bastille Linux in Information Security by Michael Grimaila - February 18, 2002

    In this paper, the author will briefly examine the evolution of Linux, discuss its popularity, and examine in detail Bastille Linux, which is used to increase the security of RedHat and Mandrake Linux distributions.

  • An Introduction to the NSA's Security-Enhanced Linux: SELinux by Susan Rajnic - February 8, 2002

    This paper will introduce the NSA's research project termed "Security-enhanced" Linux.

  • The Easily Recoverable CD-ROM Booted Linux Internet Server: A How-To by Brian Otto - January 21, 2002

    The purpose of this paper is to detail the general steps to create a read-only Internet server providing DNS and static web pages (BIND and Apache).

  • Security Applications of Bootable Linux CD-ROMs by Richard Bajusz - November 30, 2001

    This paper examines the security applications of bootable Linux CD-ROMs.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.