<!DOCTYPE html>
<html dir="ltr" lang="en">
    <head>
        <meta charset='utf-8'>
        <title>2.6. Hardening</title>
    </head>
    <body>

        <a href="index.html">Core OS Index</a>

        <h1>2.6. Hardening</h1>

        <h2>2.6.0.1 System security</h2>

        <dl>
            <dt>File systems</dt>
            <dd>Check <a href="install.html#fstab">fstab</a> against the live mount options (mount, or /proc/mounts). Mount filesystems read only wherever possible and read-write only where strictly necessary; add nodev, nosuid and noexec where a filesystem does not need device nodes, setuid binaries or executables.</dd>
            <dt>Sys</dt>
            <dd>Check kernel settings with <a href="sysctl.html">sysctl</a>.</dd>
            <dd>kernel.yama.ptrace_scope=1 restricts ptrace to descendants of the tracer, so attaching gdb, strace, perf trace or reptyr to an already running process no longer works (tracing a process that the tool starts itself still does). Values 2 and 3 are stricter again; use them only where no debugging is expected.</dd>
            <dt>Iptables</dt>
            <dd>Check that the <a href="network.html#iptables">iptables</a> rules are loaded and that dropped packets are actually being logged (firewalld is only a front end that manages iptables rules, so the live ruleset is what to inspect).</dd>
            <dt>Apparmor</dt>
            <dd>Check that <a href="apparmor.html">apparmor</a> is active and that its profiles are in enforce mode rather than complain mode.</dd>
            <dt>Samhain</dt>
            <dd>Check that <a href="samhain.html">samhain</a> is running.</dd>
            <dt>Toolchain</dt>
            <dd>Build ports using hardened <a href="toolchain.html">toolchain</a> settings.</dd>
        </dl>
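        <p>The fstab check above is easy to do by eye for two filesystems and easy to get wrong for ten. The following script is an added example, not part of the Hive documentation: it compares live mount options in /proc/mounts format against a small policy. The mountpoints and required options in MOUNT_POLICY are assumptions for illustration, and the sample mounts are constructed, not taken from a real host.</p>

```shell
#!/bin/sh
# Added example (not part of the Hive documentation): compare the live
# mount options against a hardening policy. The policy values below are
# assumptions for illustration; adjust them to the system's fstab.
# Input is in /proc/mounts format: "device mountpoint fstype options 0 0".

MOUNT_POLICY='
/boot ro,nodev,nosuid,noexec
/tmp nodev,nosuid,noexec
/home nodev,nosuid
/var nodev,nosuid
/dev/shm nodev,nosuid,noexec
'

# check_mounts MOUNTS_FILE
# Prints one line per problem: "<mountpoint> missing <option>" or
# "<mountpoint> not mounted". Prints nothing when the policy is met.
check_mounts() {
    mounts_file=$1
    echo "$MOUNT_POLICY" | while read -r mp want; do
        [ -n "$mp" ] || continue
        # Live options of this mountpoint; the last entry wins, which is
        # what the kernel uses when a mountpoint has been mounted over.
        have=$(awk -v mp="$mp" '$2 == mp { opts = $4 } END { print opts }' "$mounts_file")
        if [ -z "$have" ]; then
            echo "$mp not mounted"
            continue
        fi
        for opt in $(echo "$want" | tr ',' ' '); do
            case ",$have," in
                *",$opt,"*) ;;
                *) echo "$mp missing $opt" ;;
            esac
        done
    done
}

# mount_violations MOUNTS_FILE: number of problems found.
mount_violations() {
    check_mounts "$1" | wc -l | tr -d ' '
}

# Constructed sample (not a real host): /boot is still rw and /tmp lacks
# noexec, so two violations are expected.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,nodev,nosuid,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda3 /home ext4 rw,nodev,nosuid,relatime 0 0
/dev/sda4 /var ext4 rw,nodev,nosuid,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
EOF

check_mounts "$SAMPLE_MOUNTS"
# On a live system: check_mounts /proc/mounts
```

        <p>Pointing check_mounts at /proc/mounts rather than at fstab is deliberate: fstab records intent, /proc/mounts records what the kernel actually applied, and a remount or a bind mount can silently differ from the file.</p>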


        <p>Install checksec to verify that installed binaries actually carry the protections the hardened toolchain is supposed to add (RELRO, stack canary, NX, PIE):</p>

        <pre>
        $ sudo prt-get depinst checksec
        </pre>

        <h2>2.6.0.2 System configuration</h2>

        <h3>1.1 - Users, groups, passwords and sudo</h3>

        <p>Check the groups of "normal" users and make sure none of them is in the admin or wheel group. Then check which processes run as root, which user-space processes exist, and the credentials of a given process:</p>

        <pre>
        $ ps -U root -u root u
        $ ps axl | awk '$7 != 0 &amp;&amp; $10 !~ "Z"'
        $ ps -o gid,rgid,supgid -p "$pid"
        </pre>

        <p>The first command lists processes whose real and effective uid are both root; the second drops kernel threads (VSZ of 0 in column 7) and zombies (STAT containing Z in column 10); the third shows the effective gid, real gid and supplementary groups of process $pid.</p>
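        <p>The ps commands show the running state; the on-disk view is the passwd and group files. The script below is an added example and not part of the Hive documentation: it lists every uid 0 account and every account that is in a privileged group, including the case that is easy to miss, a privileged group used as a primary gid in passwd. The group names in PRIV_GROUPS are an assumption, and the passwd and group files it runs on are constructed samples.</p>

```shell
#!/bin/sh
# Added example (not part of the Hive documentation): audit which
# accounts hold root-equivalent privilege from the passwd and group
# files. It complements the ps checks with the on-disk view and runs
# against copies, so it can be pointed at /etc or at a sample.

# Group names treated as privileged. An assumption; extend per site.
PRIV_GROUPS="wheel admin sudo"

# uid0_accounts PASSWD: every account with uid 0. Only root should show.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# priv_group_members PASSWD GROUP: prints "user group" for each account
# in a privileged group, whether via the member list in group(5) or via
# the primary gid in passwd(5), which is easy to overlook.
priv_group_members() {
    awk -F: -v groups="$PRIV_GROUPS" '
        BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) priv[g[i]] = 1 }
        # First file (group): remember privileged gids, print listed members
        FNR == NR {
            if ($1 in priv) {
                gid_name[$3] = $1
                m = split($4, members, ",")
                for (i = 1; i <= m; i++) if (members[i] != "") print members[i], $1
            }
            next
        }
        # Second file (passwd): primary gid is a privileged group
        ($4 in gid_name) { print $1, gid_name[$4] }
    ' "$2" "$1" | sort -u
}

# Constructed sample files (not from a real host): toor is a second
# uid 0 account, alice is listed in wheel, carol has wheel as primary gid.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/sh
carol:x:1002:10:Carol:/home/carol:/bin/sh
nobody:x:65534:65534:nobody:/:/bin/false
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
wheel:x:10:alice
sudo:x:27:
users:x:100:alice,bob
EOF

echo "uid 0 accounts:";     uid0_accounts "$SAMPLE_DIR/passwd"
echo "privileged members:"; priv_group_members "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
# On a live system:
#   uid0_accounts /etc/passwd
#   priv_group_members /etc/passwd /etc/group
```

        <p>On the sample this reports root and toor as uid 0, and alice and carol as wheel members; carol would not appear in the output of groups wheel or in /etc/group alone, which is why the passwd pass is there.</p>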

        <p>Enforce strong passwords with pam_cracklib (port pam-cracklib) and make sure passwords are stored only as salted hashes with a strong algorithm in /etc/shadow (SHA-512 or better; set through pam_unix or ENCRYPT_METHOD in /etc/login.defs).</p>


        <h3>1.2 - Linux PAM</h3>

        <p>Read /etc/pam.d/system-auth and check which PAM modules are stacked there. Test every change in a virtual machine first and keep a root shell open while testing: a broken PAM stack locks every user out, including the one doing the testing.</p>

        <p>List setuid and setgid files (the bit on the file is what the process inherits when it is executed; -perm -4000 matches any file that has the bit, whereas -perm 4000 would only match a file whose mode is exactly 4000):</p>

        <pre>
        # find / -type f -perm -4000 > /root/setuid_files
        # find / -type f -perm -2000 > /root/setgid_files
        </pre>

        <p>To set the setuid bit (mode 0755 becomes 4755):</p>

        <pre>
        # chmod u+s filename
        </pre>

        <p>To remove it (4755 becomes 0755), for example from su and Xorg. Without the bit su only works when the caller is already root, which is the intent once sudo is configured; Xorg then runs rootless, which requires the user to be a member of the input and video groups. Reinstalling the port restores the bit, so repeat this after upgrades:</p>

        <pre>
        # chmod u-s /usr/bin/su
        # chmod u-s /usr/bin/X
        </pre>

        <p>To set the setgid bit (0755 becomes 2755):</p>
        <pre>
        # chmod g+s filename
        </pre>
        <p>To remove it (2755 becomes 0755):</p>
        <pre>
        # chmod g-s filename
        </pre>

        <p>Check the access control lists of sensitive files with getfacl filename; an ACL can grant access that the octal mode does not show.</p>

        <p>Disable root and admin logins over sshd (PermitRootLogin no in sshd_config, and restrict the remaining accounts with AllowUsers or AllowGroups).</p>

        <h3>1.3 Capabilities</h3>

        <p>File capabilities grant a subset of root's privileges without the setuid bit, so audit them together with the setuid list:</p>
        <pre>
        # getcap filename
        </pre>

        <dl>
            <dt>Further checks</dt>
            <dd>1.8 - Block host IPs based on iptables logs and service abuse.</dd>
            <dd>1.9 - Limit the number of processes per user.</dd>
            <dd>1.10 - Lock a user out after 3 failed logins.</dd>
        </dl>
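        <p>Sections 1.2 and 1.3 both come down to the same question: which files can hand out privilege, and did that set change since the system was installed. The script below is an added example, not part of the Hive documentation, and combines both checks: it records a baseline of setuid and setgid files plus file capabilities (getcap is used only when it is installed) and reports additions and removals. The demo tree it runs on is constructed in a temporary directory and is not a real system.</p>

```shell
#!/bin/sh
# Added example (not part of the Hive documentation): keep a baseline of
# setuid/setgid files and file capabilities and report what changed
# since. A new privileged file, or a capability on a file that had none,
# is a strong sign of an unexpected install or of tampering.

# privileged_files ROOT: one line per privileged regular file under ROOT,
# tagged setuid, setgid or cap. Stays on one filesystem (-xdev), so run it
# once per mounted filesystem. getcap is only used when installed.
privileged_files() {
    {
        find "$1" -xdev -type f -perm -4000 -print | sed 's/^/setuid /'
        find "$1" -xdev -type f -perm -2000 -print | sed 's/^/setgid /'
        if command -v getcap >/dev/null 2>&1; then
            getcap -r "$1" 2>/dev/null | sed 's/^/cap /'
        fi
    } | sort
}

# privileged_diff BASELINE ROOT: lines starting "+" are new since the
# baseline was taken, lines starting "-" have lost their privilege.
privileged_diff() {
    privileged_files "$2" | diff "$1" - | sed -n 's/^> /+ /p; s/^< /- /p'
}

# Constructed demo tree (not a real system): su setuid, wall setgid,
# ls plain. The filesystem must keep the setuid bit (tmpfs and ext4 do).
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/bin"
for f in su wall ls; do printf '#!/bin/sh\n' > "$DEMO/bin/$f"; done
chmod 4755 "$DEMO/bin/su"
chmod 2755 "$DEMO/bin/wall"
chmod 0755 "$DEMO/bin/ls"

BASELINE="$DEMO/baseline"
privileged_files "$DEMO" > "$BASELINE"

# Simulate tampering: a hidden setuid shell appears, su loses its bit.
printf '#!/bin/sh\n' > "$DEMO/bin/.hidden"
chmod 4755 "$DEMO/bin/.hidden"
chmod u-s "$DEMO/bin/su"

privileged_diff "$BASELINE" "$DEMO"
# On a live system, taken right after installation:
#   privileged_files / > /root/privileged_baseline
# and later, for example from cron:
#   privileged_diff /root/privileged_baseline /
```

        <p>The baseline belongs somewhere an attacker who gains write access to the system cannot quietly edit, for instance in the samhain database or on read-only media; a diff against a baseline the attacker can rewrite proves nothing.</p>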

        <h3>1.4 Sudo</h3>

        <p>Check sudo, the sudoers file and sudoreplay (session playback only exists for sessions recorded with log_output set in sudoers).</p>

        <p>Don't run an editor as root. Use sudoedit filename or sudo --edit filename instead: the file is copied to a temporary location, the editor runs as the unprivileged user and only the result is copied back, so an editor's shell escape gains nothing. sudoedit picks the editor from the SUDO_EDITOR, VISUAL and EDITOR environment variables, in that order:</p>

        <pre>
        $ export SUDO_EDITOR=vim
        </pre>

        <p>Set rvim (vim in restricted mode, which refuses :! and :shell) as the default editor in the sudo configuration; the editor list also limits what visudo, which does run as root, will launch:</p>

        <pre>
        # visudo

        Defaults editor=/usr/bin/rvim
        </pre>

        <p>Once sudo is correctly configured and a wheel account has been verified to work, lock the root password. This only disables password authentication for root; set PermitRootLogin no in sshd_config as well, otherwise an authorized ssh key still logs in as root.</p>

        <pre>
        # passwd --lock root
        </pre>
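        <p>The settings above belong together in one sudoers fragment, and a fragment must be validated before it is installed, because a syntax error disables sudo for everyone, which is unrecoverable without a console once root is locked. The script below is an added example, not part of the Hive documentation; the option names are from sudoers(5), while the wheel rule, the log paths and the secure_path value are assumptions to adapt.</p>

```shell
#!/bin/sh
# Added example (not part of the Hive documentation): write the sudo
# Defaults discussed above as a drop-in fragment and validate it before
# installing it. A syntax error in sudoers breaks sudo for everyone,
# which matters even more once the root password is locked.

# write_sudo_defaults FILE: Defaults for /etc/sudoers.d/hardening.
# Option names are as documented in sudoers(5); paths are assumptions.
write_sudo_defaults() {
    cat > "$1" <<'EOF'
# Editors visudo may use; rvim is vim in restricted mode (no :! or :shell)
Defaults editor=/usr/bin/rvim
# Do not let SUDO_EDITOR, VISUAL or EDITOR override that list for visudo
Defaults !env_editor
# Clean environment and a fixed PATH for every command run through sudo
Defaults env_reset
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
# Record input and output of every session; this is what sudoreplay shows
Defaults log_input
Defaults log_output
Defaults iolog_dir=/var/log/sudo-io
# Keep a plain log file too, and always run commands in a pty
Defaults logfile=/var/log/sudo.log
Defaults use_pty
# Administrators are the wheel group and must authenticate
%wheel ALL=(ALL:ALL) ALL
EOF
    chmod 0440 "$1"
}

# check_sudoers FILE: exit 0 only if visudo accepts the file. Never copy
# a fragment into /etc/sudoers.d without this check.
check_sudoers() {
    visudo -c -q -f "$1"
}

# Demo on a temporary file (nothing is installed).
FRAGMENT=$(mktemp)
trap 'rm -f "$FRAGMENT"' EXIT
write_sudo_defaults "$FRAGMENT"
if ! command -v visudo >/dev/null 2>&1; then
    echo "visudo not installed here; run check_sudoers on the target host"
elif check_sudoers "$FRAGMENT"; then
    echo "fragment parses; install it with: install -m 0440 $FRAGMENT /etc/sudoers.d/hardening"
else
    echo "visudo rejected the fragment; do not install it"
fi
# Afterwards: sudoreplay -l lists recorded sessions, sudoreplay <id> plays one back.
```

        <p>log_input records keystrokes, including anything typed at a password prompt inside the session, so the iolog directory needs the same protection as /etc/shadow; if that is not acceptable, keep log_output alone.</p>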

        <h3>1.5 Auditd</h3>

        <pre>
        $ sudo prt-get depinst audit
        </pre>

        <p>Example: audit writes to, and attribute changes of, /etc/passwd. Rules added with auditctl are lost at reboot; put them in a file under /etc/audit/rules.d/ to make them persistent:</p>

        <pre>
        # auditctl -w /etc/passwd -p wa -k passwd_changes
        </pre>

        <p>Audit module loading. Watching the insmod binary only catches that one path; modprobe and programs that call init_module or finit_module directly bypass it, so a syscall rule on those calls is needed as well:</p>

        <pre>
        # auditctl -w /sbin/insmod -p x -k module_insertion
        </pre>
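        <p>A rule is only useful if it fires for the path an attacker actually takes and if someone reads what it logged. The script below is an added example, not part of the Hive documentation: it writes a persistent rule set for the two cases above (file watches plus the module syscalls) and parses raw audit.log records by rule key, including denied attempts. The audit.log excerpt it runs on is constructed and not from a real host; the key names follow the examples above.</p>

```shell
#!/bin/sh
# Added example (not part of the Hive documentation): a persistent rule
# set covering the two cases above, and a small parser that summarises
# raw audit.log records by rule key so the rules can be checked against
# what actually got logged. Key names follow the examples above.

# write_audit_rules FILE: rules in auditctl syntax, meant for
# /etc/audit/rules.d/hardening.rules (merged by augenrules at boot,
# or loaded now with auditctl -R FILE).
write_audit_rules() {
    cat > "$1" <<'EOF'
## Account database and sudo policy
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k passwd_changes
-w /etc/group -p wa -k group_changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_changes

## Kernel modules: the syscalls, not only the insmod binary, so that
## modprobe and direct finit_module() callers are caught as well
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k module_insertion
-a always,exit -F arch=b32 -S init_module,finit_module,delete_module -k module_insertion
-w /sbin/insmod -p x -k module_insertion
-w /sbin/modprobe -p x -k module_insertion
EOF
}

# audit_summary LOG: "<key> <count>" per rule key, from SYSCALL records
# (the record type that carries the key= field).
audit_summary() {
    awk '
        $1 == "type=SYSCALL" {
            key = ""
            for (i = 2; i <= NF; i++) {
                if (split($i, kv, "=") == 2 && kv[1] == "key") { key = kv[2]; gsub(/"/, "", key) }
            }
            if (key != "" && key != "(null)") count[key]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

# audit_failures LOG: "<key> <uid> <exe>" for attempts that were denied
# (success=no), e.g. an unprivileged user trying to open /etc/passwd
# for writing, which a watch like passwd_changes records as well.
audit_failures() {
    awk '
        $1 == "type=SYSCALL" && / success=no / {
            key = ""; uid = "?"; exe = "?"
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "key") { key = kv[2]; gsub(/"/, "", key) }
                else if (kv[1] == "uid") uid = kv[2]
                else if (kv[1] == "exe") { exe = kv[2]; gsub(/"/, "", exe) }
            }
            if (key != "" && key != "(null)") print key, uid, exe
        }
    ' "$1"
}

# Constructed audit.log excerpt (not from a real host): root editing
# /etc/passwd with vi, modprobe calling finit_module (syscall 313 on
# x86_64), and uid 1001 being denied write access to /etc/passwd.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0 a2=241 a3=1b6 items=2 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=CWD msg=audit(1700000000.101:201): cwd="/etc"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/passwd" inode=1234 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=0 ppid=1 pid=950 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" key="module_insertion"
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d1 a2=241 a3=1b6 items=1 ppid=1200 pid=1201 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="sh" exe="/bin/sh" key="passwd_changes"
EOF

audit_summary "$SAMPLE_LOG"
audit_failures "$SAMPLE_LOG"
# On a live system: audit_summary /var/log/audit/audit.log, or
# ausearch -k passwd_changes for the complete records.
```

        <p>The denied attempt in the sample is the interesting one: a successful edit by root is usually routine, while a non-root process trying to open /etc/passwd for writing is worth an alert on its own, and the auid field (the login uid, which survives su and sudo) says who was really behind it.</p>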

        <h2>2.6.0.3 Lynis</h2>

        <pre>
        $ sudo prt-get depinst lynis
        </pre>

        <p>Lynis gives an overview of the system's overall configuration. With the default profile it also runs tests that are irrelevant for this system, so create a custom profile by copying the default one, then inspect the settings and the active profile:</p>

        <pre>
        $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
        $ sudo lynis configure settings color=yes
        $ sudo lynis show settings
        $ sudo lynis show profile
        </pre>

        <p>Run the audit and keep the report. Run unprivileged, as here, Lynis writes its log and report data to /tmp and skips the tests that need root; a privileged run (sudo) covers far more and writes them under /var/log instead:</p>

        <pre>
        $ lynis audit system > lynis_report
        $ mv /tmp/lynis.log .
        $ mv /tmp/lynis-report.dat .
        </pre>

        <p>Add a skip-test=TEST-ID line to the profile for each test that does not apply to this system, so the report contains less noise.</p>

        <a href="index.html">Core OS Index</a>
        <p>This is part of the Hive System Documentation.
        Copyright (C) 2019
        Hive Team.
        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
        for copying conditions.</p>

    </body>
</html>