Hardening (computer)

from Wikipedia, the free encyclopedia

In computer technology, hardening is understood to mean increasing the security of a system by using only dedicated software that is necessary for the operation of the system and whose correct operation can be guaranteed from a security perspective. The system should be better protected against attacks.

The Federal Office for Information Security called hardening in the IT security "[...] the removal of all software components and features that are not absolutely necessary for the fulfillment of the action planned by the program." .

The aim is to create a system that can be used by many, even less trustworthy people. For example, there is the hardened project for Gentoo Linux, which compiles a kernel version and other system services with which a secure Linux system can also be made available to third-party users.

aims

In practice, the goals of hardening measures have emerged:

  • the reduction of the possibilities for exploiting vulnerabilities
  • the minimization of possible attack methods
  • the limitation of the tools available to an attacker after a successful attack
  • the minimization of the privileges available to an attacker after a successful attack
  • increasing the likelihood of a successful attack being discovered

A possible reduction in the complexity and maintenance effort of the system can also be seen as a secondary objective of the hardening , which can lead to greater controllability and thus a minimization of administration errors.

Methods

Common methods of hardening are for example:

  • Removal or deactivation of software components that are not absolutely necessary for operation
  • Use of unprivileged user accounts to execute server processes
  • Adjustment of file system rights and their inheritance
  • Using chroot or other jails to run software
  • Use of Mandatory Access Control
  • Use of encryption , e.g. B. for data transmission
  • Use of software that is as error-free as possible and without known vulnerabilities

An operating system can be described as a "hardened system":

  • When address ranges for program libraries ( ASLR ) and programs (PIE) are randomly assigned in virtual memory. ASLR can only be implemented by the manufacturer of these libraries at the time of creation, not afterwards during operation.
  • In which only the components and services are installed that are required for actual operation
  • All unnecessary user accounts are deleted
  • All unneeded ports are closed
  • Restrictive rights are set
  • Strict system guidelines are assigned

Hardening measures are to be viewed separately from other security measures such as patch cycles, the introduction of antivirus solutions , firewalls or IDS / IPS , which represent complementary methods of prevention.

See also

Individual evidence

  1. Claudia Eckert: IT Security: Concepts - Procedures - Protocols , 8th edition 2013, p. 181 ( excerpt from Google Books )
  2. IT Security Guide, BSI, 2012
  3. The Gentoo hardened project documentation overview

Web links