
Secure Container Host Operating System

Posted By: IrGens
.MP4, AVC, 1920x1080, 30 fps | English, AAC, 2 Ch | 8.3h | 3.63 GB
Instructor: Ermin Kreponic

This course is created with the goal of teaching how to prepare and harden the operating system so that it is secured as much as possible before we actually deploy containers. We will go over various configurations and see how we can use the operating system's security mechanisms to best protect and harden our system.

In the first part of the course, we provide knowledge regarding firewalld and SELinux. firewalld is a Linux tool used for managing iptables. We need a firewall so that we can control what kind of traffic is let through and what kind of traffic is denied. We will go over the firewalld installation and overall setup. Here we teach several basic firewalld commands and how to use them with zones, ports, services, and other related aspects of the system. We will also talk about traffic control, where we learn how to allow traffic from one IP to a port, how to allow traffic from a list of IPs (whitelisting), and how to create a list of IPs that we do not want to have access (blacklisting).

After firewalld, we will move on to SELinux. SELinux is a tool that allows fine-grained control over access to files, processes, and other resources on the system. It is very effective and is used by practically all Red Hat-based distributions. In this section, we will start off by talking about SELinux states, the SELinux context, and context adjustments. We will then go over some useful commands that let us list restricted ports and protocols, and talk about booleans, port labels, SELinux modules, and logs. Later on in the course, we will also have a section dedicated to automated scripts for firewalld and SELinux.

Once we have learned the basics of firewalld and SELinux, we will move on to server access and authentication configuration. At this point, we are going to work with access to the system. In addition to base configuration such as changing the default port used to connect to the SSH service, we will also add extra layers of authentication and create a jump point server, which provides SSH access in a way similar to a VPN. We will show how to set up different authentication methods to work simultaneously: the standard key-based authentication, password-based authentication, plus a third layer of authentication where we integrate Google Authenticator. This requires our phone in order to log in to the server. It significantly improves our security, since it is highly unlikely that someone has access to our key, our phone, and our password at the same time. We will also get acquainted with jump points: what they are and what they are used for. A jump point is a host we connect to first and from which we reach the rest of our infrastructure. Jump points can greatly improve the security of both our front-facing servers and our infrastructure servers.

Furthermore, we also talk about seccomp (Secure Computing Mode). This is a very important tool that we will use alongside containers to impose additional limitations. We use it to restrict system calls. Basically, it participates in jailing a process and limiting what can be done from the process itself: it gives us the ability to dictate what the process cannot do.

After dealing with seccomp, we will move on to a lengthy section regarding logs, where we will learn some very useful commands to help navigate very large log files. We will also learn about notification systems. In the last section of the course, we will talk about vulnerability scans and reports.

