ASD-Cyber-Security-Bulletin-2014-06

The Top 4
for Penguins
Application whitelisting on Linux can be very difficult to implement
due to the high amount of resources required for development
and maintenance. While administrators can use the AppLocker
or Software Restriction Policies on Windows-based workstations,
equivalent mechanisms are not present in either the core Linux
kernel or other popular Linux distributions.
However, this does not mean that it can’t be done. ASD is focussed
on technical solutions that are achievable, effective and practical
in the government environment. As a result, ASD’s The Top 4 in a
Linux Environment provides not only guidance on how to implement
application whitelisting on Linux, but also technical advice on how to
harden a Linux machine without it, while still ensuring a comparable
level of security to a Top 4-hardened Windows machine. These
include commercial solutions, SELinux or AppArmour policies, and the
use of custom Linux security modules. The document also provides
technical guidance on patching applications, patching the operating
system and restricting the number of users with administrative
privileges on Linux.
The Top 4 in a Linux Environment is available on ASD’s website
asd.gov.au with a suite of publications designed to assist in
implementation of the Top 4 strategies.
The Top 4 Strategies to Mitigate Targeted Cyber Intrusions has
been shown to prevent at least 85% of cyber intrusion techniques
when implemented as a package. These strategies are based on
those intrusion techniques which target the workstation. The Top 4
strategies are:
1. Application whitelisting
2. Patching applications
3. Patching operating systems
4. Restricting administrator privileges
ASD Contact Details
For non-urgent and general ICT security enquiries:
Email: asd.assist@defence.gov.au
For urgent and operational government ICT security matters:
Phone: 1300 CYBER1 (1300 292 371, select 1 at any time, or
Complete the cyber security incident report form at www.asd.gov.au
Issue #13 – June 2014 Page 6