path: root/linux/hardening.html



<!DOCTYPE html>
<html dir="ltr" lang="en">
    <head>
        <meta charset='utf-8'>
        <title>2.6. Hardening</title>
    </head>
    <body>

        <a href="index.html">Core OS Index</a>

        <h1>2.6. Hardening</h1>

        <h2>2.6.0.2 System security</h2>

        <dl>
            <dt>File systems</dt>
            <dd>Check <a href="install.html#fstab">fstab</a> and current mount options. Mount filesystems in read only, only strict necessary in rw.</dd>
            <dt>Sys</dt>
            <dd>Check kernel settings with <a href="sysctl.html">sysctl</a>.</dd>
            <dd>kernel.yama.ptrace_scope breaks gdb, strace, perf trace and reptyr.</dd>
            <dt>Iptables</dt>
            <dd>Check if <a href="network.html#iptables">iptables</a> rules are loaded and are correctly logging.(firewald works as API to iptables).</dd>
            <dt>Apparmor</dt>
            <dd>Check if <a href="apparmor.html">apparmor</a> is active and enforcing policies.</dd>
            <dt>Samhain</dt>
            <dd>Check if <a href="samhain.html">samhain</a> is running.</dd>
            <dt>Toolchain</dt>
            <dd>Build ports using hardened <a href="toolchain.html">toolchain</a> settings.</dd>
        </dl>


        <pre>
        $ sudo prt-get depinst checksec
        </pre>

        <h2>2.6.0.1 System configuration</h2>

        <h3>1.1 - Users groups, passwords and sudo.</h3>

        <p>Check "normal" users groups, make sure they are not admin or wheel group; ps -U root -u root u, ps axl | awk '$7 != 0 &amp;&amp; $10 !~ "Z"', process permission; ps -o gid,rdig,supgid -p "$pid"</p>

        <p>Maintain, secure with hash, and enforce secure passwords with pam-cracklib.</p>


        <h3>1.2 - Linux PAM</h3>

        <p>Cat /etc/pam.d/system-auth. Check pam modules, test on virtual machine, user can lockout during tests. Check files (processes); getfacl filename.</p>

        <p>Check files (processes) set uid and set gid;</p>

        <pre>
        # find / -perm 4000 >> /root/setuid_files
        # find / -perm 2000 >> /root/setguid_files
        </pre>

        <p>To setuid (4744);</p>

        <pre>
        # chmod u+s filename
        </pre>

        <p>To remove (0664) from su and Xorg (user must be part of input and video for xorg to run);</p>

        <pre>
        # chmod u-s /usr/bin/su
        # chmod u-s /usr/bin/X
        </pre>

        <p>To set gid (2744)</p>
        <pre>
        # chmod g+s filename
        </pre>
        <p>To remove (0774);</p>
        <pre>
        # chmod g-s filename
        </pre>

        <p>Find world writable files;</p>

        <pre>
        # find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
        </pre>

        <p>No owner files;</p>

        <pre>
        # find /dir -xdev \( -nouser -o -nogroup \) -print
        </pre>

        <h3>1.3. Capabilities</h3>

        <p>Check capabilities;</p>
        <pre>
        # getcap filename
        </pre>

            <dd>1.9 - Limit number of processes.</dd>
            <dd>1.10 - Lock user after 3 failed loggins.</dd>
            <dd>1.8 - Block host ip based on iptable and services
            abuse.</dd>
        </dl>

        <h3>1.4 Sudo</h3>

        <p>Check sudo, sudoers and sudo replay.</p>

        <p>Don't run editor as root, instead run sudoedit filename or sudo --edit filename. Editor can be set as a environment variable;</p>

        <pre>
        $ export SUDO_EDITOR=vim
        </pre>

        <p>Set rvim as default on sudo config;</p>

        <pre>
        # visudo

        Defaults editor=/usr/bin/rvim
        </pre>

        <p>Once sudo is correctly configured, disable root login;</p>

        <pre>
        # passwd --lock root
        </pre>

        <h3>1.5 Auditd</h3>

        <pre>
        $ prt-get depinst audit
        </pre>

        <p>Example audit when file /etc/passwd get modified;</p>

        <pre>
        $ auditctl -w /etc/passwd -p wa -k passwd_changes
        </pre>

        <p>Audit when a module get's loaded;</p>

        <pre>
        # auditctl -w /sbin/insmod -p x -k module_insertion
        </pre>

        <h3>1.6 Network</h3>

        <p>Find listening services with command;</p>

        <pre>
        # ss -tulpn
        # nmap -sT -O localhost
        # nmap -sT -O machine.example.org
        </pre>

        <h2>2.6.0.2 Lynis</h2>

        <pre>
        $ sudo prt-get depinst lynis
        </pre>

        <p>Lynis gives a view of system overall configuration,
        without changing default profile it runs irrelevant tests.
        Create a lynis profile by coping default one and run lynis;</p>

        <pre>
        $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
        $ sudo lynis configure settings color=yes
        $ sudo lynis show settings
        $ sudo lynis show profile
        </pre>

        <pre>
        $ lynis audit system > lynis_report
        $ mv /tmp/lynis.log .
        $ mv /tmp/lynis-report.dat .
        </pre>

        <p>Add unnecessary tests to profile to have less noise.</p>

        <a href="index.html">Core OS Index</a>
        <p>This is part of the Tribu System Documentation.
        Copyright (C) 2020
        Tribu Team.
        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
        for copying conditions.</p>

    </body>
</html>
<!DOCTYPE html>
<html dir="ltr" lang="en">
    <head>
        <meta charset='utf-8'>
        <title>2.6. Hardening</title>
    </head>
    <body>

        <a href="index.html">Core OS Index</a>

        <h1>2.6. Hardening</h1>

        <h2>2.6.0.2 System security</h2>

        <dl>
            <dt>File systems</dt>
            <dd>Check <a href="install.html#fstab">fstab</a> and current mount options. Mount filesystems in read only, only strict necessary in rw.</dd>
            <dt>Sys</dt>
            <dd>Check kernel settings with <a href="sysctl.html">sysctl</a>.</dd>
            <dd>kernel.yama.ptrace_scope breaks gdb, strace, perf trace and reptyr.</dd>
            <dt>Iptables</dt>
            <dd>Check if <a href="network.html#iptables">iptables</a> rules are loaded and are correctly logging.(firewald works as API to iptables).</dd>
            <dt>Apparmor</dt>
            <dd>Check if <a href="apparmor.html">apparmor</a> is active and enforcing policies.</dd>
            <dt>Samhain</dt>
            <dd>Check if <a href="samhain.html">samhain</a> is running.</dd>
            <dt>Toolchain</dt>
            <dd>Build ports using hardened <a href="toolchain.html">toolchain</a> settings.</dd>
        </dl>


        <pre>
        $ sudo prt-get depinst checksec
        </pre>

        <h2>2.6.0.1 System configuration</h2>

        <h3>1.1 - Users groups, passwords and sudo.</h3>

        <p>Check "normal" users groups, make sure they are not admin or wheel group; ps -U root -u root u, ps axl | awk '$7 != 0 &amp;&amp; $10 !~ "Z"', process permission; ps -o gid,rdig,supgid -p "$pid"</p>

        <p>Maintain, secure with hash, and enforce secure passwords with pam-cracklib.</p>


        <h3>1.2 - Linux PAM</h3>

        <p>Cat /etc/pam.d/system-auth. Check pam modules, test on virtual machine, user can lockout during tests. Check files (processes); getfacl filename.</p>

        <p>Check files (processes) set uid and set gid;</p>

        <pre>
        # find / -perm 4000 >> /root/setuid_files
        # find / -perm 2000 >> /root/setguid_files
        </pre>

        <p>To setuid (4744);</p>

        <pre>
        # chmod u+s filename
        </pre>

        <p>To remove (0664) from su and Xorg (user must be part of input and video for xorg to run);</p>

        <pre>
        # chmod u-s /usr/bin/su
        # chmod u-s /usr/bin/X
        </pre>

        <p>To set gid (2744)</p>
        <pre>
        # chmod g+s filename
        </pre>
        <p>To remove (0774);</p>
        <pre>
        # chmod g-s filename
        </pre>

        <p>Find world writable files;</p>

        <pre>
        # find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
        </pre>

        <p>No owner files;</p>

        <pre>
        # find /dir -xdev \( -nouser -o -nogroup \) -print
        </pre>

        <h3>1.3. Capabilities</h3>

        <p>Check capabilities;</p>
        <pre>
        # getcap filename
        </pre>

            <dd>1.9 - Limit number of processes.</dd>
            <dd>1.10 - Lock user after 3 failed loggins.</dd>
            <dd>1.8 - Block host ip based on iptable and services
            abuse.</dd>
        </dl>

        <h3>1.4 Sudo</h3>

        <p>Check sudo, sudoers and sudo replay.</p>

        <p>Don't run editor as root, instead run sudoedit filename or sudo --edit filename. Editor can be set as a environment variable;</p>

        <pre>
        $ export SUDO_EDITOR=vim
        </pre>

        <p>Set rvim as default on sudo config;</p>

        <pre>
        # visudo

        Defaults editor=/usr/bin/rvim
        </pre>

        <p>Once sudo is correctly configured, disable root login;</p>

        <pre>
        # passwd --lock root
        </pre>

        <h3>1.5 Auditd</h3>

        <pre>
        $ prt-get depinst audit
        </pre>

        <p>Example audit when file /etc/passwd get modified;</p>

        <pre>
        $ auditctl -w /etc/passwd -p wa -k passwd_changes
        </pre>

        <p>Audit when a module get's loaded;</p>

        <pre>
        # auditctl -w /sbin/insmod -p x -k module_insertion
        </pre>

        <h3>1.6 Network</h3>

        <p>Find listening services with command;</p>

        <pre>
        # ss -tulpn
        # nmap -sT -O localhost
        # nmap -sT -O machine.example.org
        </pre>

        <h2>2.6.0.2 Lynis</h2>

        <pre>
        $ sudo prt-get depinst lynis
        </pre>

        <p>Lynis gives a view of system overall configuration,
        without changing default profile it runs irrelevant tests.
        Create a lynis profile by coping default one and run lynis;</p>

        <pre>
        $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
        $ sudo lynis configure settings color=yes
        $ sudo lynis show settings
        $ sudo lynis show profile
        </pre>

        <pre>
        $ lynis audit system > lynis_report
        $ mv /tmp/lynis.log .
        $ mv /tmp/lynis-report.dat .
        </pre>

        <p>Add unnecessary tests to profile to have less noise.</p>

        <a href="index.html">Core OS Index</a>
        <p>This is part of the Tribu System Documentation.
        Copyright (C) 2020
        Tribu Team.
        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
        for copying conditions.</p>

    </body>
</html>