Linux: Troubleshooting Security Issues

SELinux Issues

SELinux Policy defines what actions users and applications can perform on a system based on security rules.

A too restricted or misconfigured policy can prevent the system from working properly.

avc: denied is a typical error message found in logs if dealing SELinux policy issues.

SELinux uses context to label every file, process, and resource on the system, determining what access is allowed.

Incorrect or misconfigured label can prevent applications for accessing the resources they need to function

User ls -Z for files and ps -Z for processes to look for SELinux context issues
Does the file or process have incorrect context?
Restore the context with sudo restorecon -v <FILE PATH>
Running restorecon regularly on key directories helps avoid repeated context mislabeling issues

SELinux Boolean allow adjustment of certain security settings without modifying the underlying policy.

An incorrectly set boolean can cause certain services or applications to malfunction

File attributes control certain behaviors and restrictions on files and directories, which go beyond the regular rwx permissions.

ACLs provide more fine-grained control over who can access a file or directory and what actions can be performed.

Check if a file is using ACLs with getfacl
Adjust the ACLs with setfacl. ex: give read-only access to user tom setfacl -m u:tom:r <FILE PATH>
Verify proper access and document changes

Most common issue

Are the credentials incorrect?
Maybe the account is locked or disable
Check system logs for messages
Check if account is locked with sudo passwd -S tom
Unlock account with sudo passwd -u tom
Reset the user password with sudo passwd tom
Re-enable a disable account with sudo usermod -e '' tom. '' means no account expiration date

Issues with VPN or SSH

Common messages: SSL certificate expired, SSL handshake failure

This issue occur when system services are either left open to the public or configured incorrectly.

Does the service have proper security settings? The db should not accessible from the internet
Review security logs
Use tools like nmap to scan open ports
Configure the firewall to restrict access to trusted IPs
Disable unused services
Ensure critical services are only accessible when necessary

This issue prevents the system from accessing the correct software sources. It prevents software updates and installations.

What errors show when running sudo apt update or sudo dnf update
Check repository configuration files: /etc/apt/sources.list on Debian-based systems or /etc/yum.repo.d/ on RHEL-based systems
Edit repository url if necessary

Vulnerabilities are weaknesses of flaws in the system that can be exploited by attackers bo compromise security.

Do i have the latest security patches?
Use vulnerability scanners to detect security issues
Regular apply update with sudo apt update && sudo apt upgrade on Debian or sudo dnf update on RHEL.

Is the system using secure ciphers for data and communication protection?
Are insecure cipher like disable in the system? SSLv3 is vulnerable to POODLE Attack, RC4 is vulnerable to RC4 Bias Attack
Check used protocols in sshd_config for SSH and apache2.conf for Apache.
Disable outdated protocol
Remove week ciphers in the configuration files
Use strong ciphers like AES and protocols like TLS1.2, 1.3

This issue occurs when there is a failure in the negotiation or encryption methods between a client and a server.

Review connection logs to confirm both server and client are using strong encryption methods