Security Considerations

Overview

Integrating Linux workstations into an enterprise Windows environment requires understanding the security trade-offs and implementing compensating controls where Windows-native tools don’t apply.

Domain Join Security Risks

| Risk | Description | Mitigation |
|------|-------------|------------|
| Credential Theft | Kerberos tickets are cached locally; if the device is compromised, the attacker obtains AD credentials. | Limit ticket lifetime, disable offline credential caching |
| Lateral Movement | A compromised Linux device can pivot to Windows systems using stolen Kerberos tickets. | Network segmentation, limit AD group memberships, dACL restrictions |
| SSSD Attack Surface | The SSSD daemon handles authentication; a vulnerability in it could allow privilege escalation. | Keep SSSD updated, minimize exposed services, monitor logs |
| Privilege Escalation | An AD group to sudo mapping could grant unintended root access. | Strict sudoers config, never map Domain Admins to sudo |
| Keytab Exposure | /etc/krb5.keytab contains the machine account keys in cleartext. | Restrict permissions (600), monitor file access, rotate periodically |
| GPO Gaps | Linux ignores Windows Group Policy, so the security baseline may drift from Windows endpoints. | Use Linux-native configuration management (Ansible) |

Kerberos Hardening

# /etc/krb5.conf
# krb5.conf accepts comments only on their own lines (starting with # or ;).
# A trailing "# comment" after a value becomes part of the value and breaks parsing.
[libdefaults]
  default_realm = INSIDE.DOMUSDIGITALIS.DEV
  # Limit ticket lifetime. This is what the client requests; the KDC
  # (AD domain policy, default 10h) caps it.
  ticket_lifetime = 10h
  renew_lifetime = 7d
  # Disable forwardable and proxiable tickets. Note: GSSAPI credential
  # delegation (ssh GSSAPIDelegateCredentials) needs forwardable tickets
  # and stops working with this setting.
  forwardable = false
  proxiable = false
  # AES only; no RC4 or DES
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

SSSD Hardening

# /etc/sssd/sssd.conf
# sssd.conf also takes comments only on their own lines; a trailing
# "# comment" after a value is treated as part of the value.
[sssd]
  services = nss, pam
  domains = inside.domusdigitalis.dev

[domain/inside.domusdigitalis.dev]
  id_provider = ad
  auth_provider = ad
  access_provider = ad

  # Security settings
  # Don't cache credentials for offline logins (no cached password hashes on
  # disk). Users can then only log in while a domain controller is reachable.
  cache_credentials = false
  krb5_store_password_if_offline = false
  # SSSD applies only the GPO logon-rights settings (allow/deny log on locally,
  # via SSH, etc.), not other Group Policy; 'enforcing' denies access when
  # those settings deny the user.
  ad_gpo_access_control = enforcing

  # Limit who can log in: an LDAP filter, in parentheses, evaluated against
  # the user object. memberOf matches direct membership only; for nested
  # groups use the AD matching rule memberOf:1.2.840.113556.1.4.1941:=...
  ad_access_filter = (memberOf=CN=Linux-Users,OU=Groups,DC=inside,DC=domusdigitalis,DC=dev)

Keytab Protection

# Restrict keytab permissions
chmod 600 /etc/krb5.keytab
chown root:root /etc/krb5.keytab

# Monitor keytab reads with auditd. Rules loaded with auditctl are lost at
# reboot; persist the same rule in /etc/audit/rules.d/keytab.rules and
# reload with augenrules --load.
auditctl -w /etc/krb5.keytab -p r -k keytab_access

Configuration Management Alternatives

Windows Group Policy does not apply to Linux. Use alternative configuration management.

Comparison Matrix

| Feature | GPO (Windows) | Ansible | AWX/Semaphore |
|---------|---------------|---------|---------------|
| Agent Required | Yes (built-in) | No (SSH) | No (SSH) |
| Real-time Enforcement | Yes | No (scheduled) | Scheduled + webhooks |
| Compliance Reporting | Yes (RSOP) | Yes (callbacks) | Yes (GUI) |
| Security Baselines | Yes (ADMX) | Yes (STIG/CIS roles) | Yes (via Ansible) |
| Cost | Included | Free | Free (OSS) |

Ansible for Security Baselines

Agentless configuration management using SSH.

Advantages:

  • No agent to maintain

  • Idempotent - can run repeatedly

  • STIG/CIS hardening roles available

  • Version controlled (Infrastructure as Code)

  • Free

Implementation:

# playbook: linux-security-baseline.yml
---
- name: Apply Linux Security Baseline
  hosts: linux_workstations
  become: yes

  roles:
    - cis_arch_linux          # CIS benchmark hardening
    - 8021x_client            # Configure NetworkManager 802.1X
    - ufw_firewall            # Host firewall rules
    - auditd_rules            # System auditing
    - sssd_hardening          # AD integration hardening

CIS Benchmark Role Example:

# roles/cis_hardening/tasks/main.yml
- name: 1.1.1 - Disable unused filesystems
  copy:
    dest: /etc/modprobe.d/cis.conf
    owner: root
    group: root
    mode: '0644'
    content: |
      install cramfs /bin/true
      install freevxfs /bin/true
      install jffs2 /bin/true
      install hfs /bin/true
      install hfsplus /bin/true

- name: 5.2.1 - Ensure permissions on /etc/ssh/sshd_config
  file:
    path: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: '0600'

- name: 5.2.4 - Disable SSH root login
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin'
    line: 'PermitRootLogin no'
    # If no PermitRootLogin line exists, lineinfile appends to the end of the
    # file, which would land inside any trailing Match block. Insert before
    # the first Match block instead, and validate the result before it is
    # written so a bad config cannot lock out SSH.
    insertbefore: '^Match'
    firstmatch: yes
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd   # handler defined in roles/cis_hardening/handlers/main.yml

Security Baseline for Linux

Equivalent GPO Controls

| Windows GPO | Linux Equivalent | Implementation |
|-------------|------------------|----------------|
| Password Policy | PAM configuration | /etc/security/pwquality.conf |
| Account Lockout | PAM faillock | /etc/security/faillock.conf |
| Audit Policy | auditd rules | /etc/audit/rules.d/ |
| Firewall Rules | UFW / nftables | /etc/ufw/ or /etc/nftables.conf |
| Software Restriction | AppArmor / SELinux | /etc/apparmor.d/ |
| BitLocker | LUKS dm-crypt | cryptsetup at install time |
| Windows Update | pacman / unattended-upgrades | /etc/pacman.d/ or cron |

Minimum Security Baseline

#!/bin/bash
# Domus Linux Security Baseline Verification
# Run as root: ufw status, sshd -T and aa-status need it.
# Exits non-zero if any check fails, so it can be driven from Ansible or cron.

if [ "$(id -u)" -ne 0 ]; then
  echo "Run as root" >&2
  exit 2
fi

fail=0
# check LABEL COMMAND...: runs COMMAND, prints PASS/FAIL, counts failures
check() {
  local label=$1; shift
  echo -n "$label: "
  if "$@" &>/dev/null; then echo "PASS"; else echo "FAIL"; fail=$((fail + 1)); fi
}

echo "=== Domus Linux Security Baseline Check ==="

# 1. Disk encryption
check "LUKS Encryption" sh -c 'lsblk -o NAME,FSTYPE | grep -q crypto_LUKS'

# 2. Firewall enabled (nftables service or ufw)
check "Firewall (nftables/ufw)" sh -c 'systemctl is-active nftables || ufw status | grep -q "Status: active"'

# 3. Mandatory access control
echo -n "MAC (AppArmor): "
aa-status --enabled &>/dev/null && echo "PASS" || echo "WARN (check SELinux)"

# 4. Auditd running
check "Auditd" systemctl is-active auditd

# 5. SSH hardened: test the effective config (sshd -T also resolves
#    sshd_config.d/* includes), not just the main file
check "SSH Root Login Disabled" sh -c 'sshd -T | grep -qi "^permitrootlogin no"'

# 6. 802.1X configured
check "802.1X (wpa_supplicant)" systemctl is-active wpa_supplicant

# 7. Certificate present. A glob inside [ -f ... ] errors out when it matches
#    more than one file; compgen -G succeeds only if the pattern matches.
check "EAP-TLS Certificate" compgen -G "/etc/ssl/certs/*-eaptls.pem"

echo "=== $fail check(s) failed ==="
exit $((fail > 0))

Monitoring and Alerting

What to Monitor

| Event | Source | Alert Condition |
|-------|--------|-----------------|
| Failed logins | /var/log/auth.log, SSSD | > 5 failures in 10 minutes |
| Sudo usage | /var/log/auth.log | Any sudo by non-admin |
| Keytab access | auditd | Any read of /etc/krb5.keytab |
| Service changes | systemd journal | Critical service stopped (wpa_supplicant, sshd) |
| Package changes | pacman/apt logs | Unauthorized package installed |
| AppArmor denials | /var/log/audit/audit.log | Any DENIED event |
| 802.1X failures | wpa_supplicant, journal | Authentication failures |
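The first three rules in the table (failed-login threshold, sudo by a non-admin, any keytab read) as detection logic run over constructed log lines. This is an added example, not code from the original page; it assumes rsyslog's ISO-timestamp line format, sudo's default log line, and audit records tagged with the `keytab_access` key from the auditctl rule above. Host name, user names and addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# rsyslog ISO-timestamp lines (pam_sss failures via sshd, sudo's default log line) and auditd SYSCALL records
FAIL_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: pam_sss\(sshd:auth\): authentication failure;.* user=(\S+)")
SUDO_RE = re.compile(r"^(\S+) \S+ sudo: +(\S+) : .*COMMAND=(.*)$")
KEYTAB_RE = re.compile(r'^type=SYSCALL .*?auid=(\d+) .*key="keytab_access"')  # key set by the auditctl rule
WINDOW = timedelta(minutes=10)
THRESHOLD = 5  # alert when failures for one user exceed this inside WINDOW

def analyse(auth_lines, audit_lines, admins):
    """Return (rule, detail) alerts; admins is the set of users allowed to use sudo."""
    alerts = []
    recent = defaultdict(list)  # user -> failure timestamps still inside WINDOW
    for line in auth_lines:
        m = FAIL_RE.match(line)
        if m:
            ts, user = datetime.fromisoformat(m[1]), m[2]
            window = [t for t in recent[user] if ts - t <= WINDOW] + [ts]
            if len(window) > THRESHOLD:
                alerts.append(("failed_logins", f"{user}: {len(window)} failures in 10 min"))
                window = []  # one burst -> one alert
            recent[user] = window
            continue
        m = SUDO_RE.match(line)
        if m and m[2] not in admins:
            alerts.append(("sudo_non_admin", f"{m[2]} ran {m[3]}"))
    for line in audit_lines:
        m = KEYTAB_RE.match(line)
        if m:  # any read of the keytab, by anyone, is worth an alert
            alerts.append(("keytab_access", f"auid={m[1]}"))
    return alerts
# Constructed sample input (not real logs): six failures for alice within five
# minutes, sudo by bob (not an admin) and by carol (admin), one keytab read.
AUTH_LOG = [
    f"2024-01-12T10:0{i}:00 ws-01 sshd[41{i}]: pam_sss(sshd:auth): authentication failure; "
    f"logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.20.5 user=alice" for i in range(6)
] + [
    "2024-01-12T10:30:00 ws-01 sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id",
    "2024-01-12T10:31:00 ws-01 sudo:    carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/pacman -Syu",
]
AUDIT_LOG = [
    'type=SYSCALL msg=audit(1705053600.100:900): arch=c000003e syscall=257 success=yes exit=3 '
    'auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key="keytab_access"',
]
if __name__ == "__main__":
    for rule, detail in analyse(AUTH_LOG, AUDIT_LOG, admins={"carol"}):
        print(f"ALERT [{rule}] {detail}")
```

The auid in the audit record identifies the login user even when the read happened under sudo, which is what makes it useful for the keytab rule.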

Log Aggregation

# Forward auth logs to central syslog
# /etc/rsyslog.d/50-central.conf

# Auth logs to NAS or log server. "@@" means TCP (a single "@" is UDP).
# This is still cleartext; on an untrusted segment use rsyslog's TLS stream
# driver (gtls/ossl) or carry it inside a VPN.
auth,authpriv.*   @@nas-02.inside.domusdigitalis.dev:514

# Or use journald remote (http here; https needs ServerKeyFile,
# ServerCertificateFile and TrustedCertificateFile in the same section)
# /etc/systemd/journal-upload.conf
# [Upload]
# URL=http://log-server:19532

ISE Integration for Security

Network-Level Enforcement

ISE provides the outermost security control: a device that is not compliant gets no network access.

| Condition | ISE Action |
|-----------|------------|
| No valid certificate | Deny access (critical-auth VLAN) |
| Certificate expired | Deny access or limited VLAN |
| Non-compliant posture | Quarantine VLAN (future: ISE Posture) |
| Unknown device | MAB → limited access or deny |

See also: Hardened dACL for network-level restrictions.

Summary

| Question | Answer |
|----------|--------|
| Security hardening | Ansible with CIS roles - runs on schedule or trigger |
| Configuration management | Ansible playbooks, version controlled |
| Network enforcement | ISE 802.1X + dACLs - quarantine non-compliant devices |
| Monitoring | auditd + journald + central syslog |
| Compliance verification | Security baseline script + ISE authentication logs |

The key insight: Linux requires multiple tools to achieve what GPO does in Windows, but this also provides defense in depth.