Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 03. Linux / 01. Enumeration / Protections

Protections

When enumerating host protections, try to identify:

  • Mandatory access control systems
  • Firewall configurations
  • Intrusion prevention mechanisms
  • Endpoint security software
  • Monitoring agents
  • Hardening controls
  • Container restrictions
  • Security-related services

AppArmor

AppArmor restricts what applications can access on the system through security profiles.

Check AppArmor status:

aa-status 2>/dev/null

Useful locations:

/etc/apparmor/
/etc/apparmor.d/
/sys/kernel/security/apparmor/

SELinux

SELinux provides mandatory access control policies that restrict process behavior and resource access.

Check SELinux status:

sestatus 2>/dev/null

Useful locations:

/etc/selinux/
/var/log/audit/
/etc/selinux/config

Firewall

Host-based firewalls may restrict inbound or outbound communication.

UFW:

ufw status 2>/dev/null

iptables:

iptables -L -n -v

nftables:

nft list ruleset 2>/dev/null

Useful locations:

/etc/ufw/
/etc/iptables/
/etc/nftables.conf

Fail2ban

Fail2ban monitors logs and automatically blocks hosts exhibiting suspicious behavior.

Check status:

fail2ban-client status 2>/dev/null

Useful locations:

/etc/fail2ban/
/etc/fail2ban/jail.conf
/etc/fail2ban/jail.d/
/var/log/fail2ban.log

Security Software

Look for endpoint protection, monitoring and security agents.

Common processes:

ps aux | grep -Ei "falco|crowdstrike|falcon|osquery|auditd|suricata|wazuh|clamav"

Common services:

systemctl list-units --type=service

Kernel Protections

Check common kernel hardening features:

cat /proc/sys/kernel/randomize_va_space
cat /proc/sys/kernel/yama/ptrace_scope
sysctl -a 2>/dev/null | grep -E "randomize|ptrace|kptr"

Common protections include:

  • ASLR (Address Space Layout Randomization)
  • Ptrace restrictions
  • Kernel pointer restrictions
  • Seccomp filtering
  • Namespaces
  • Capability restrictions