authorSilvino <silvino@bk.ru>2019-07-02 18:33:31 +0100
committerSilvino <silvino@bk.ru>2019-07-02 18:33:31 +0100
commit6bb04903d70881ce2d17d5e1ce7685f02c48dd24 (patch)
treeaa5f5ce42984bf8cc0dd7783375dae634d38a0be
parentbb4fd340e7a1faffc363c6baa2f67e84b3a34f0c (diff)
parent1fb8842d469c36e5b43e843d3759e3c18c120c47 (diff)
downloaddoc-6bb04903d70881ce2d17d5e1ce7685f02c48dd24.tar.gz
core revison
-rw-r--r--core/hardening.html27
-rw-r--r--core/linux.html4
-rw-r--r--core/reboot.html16
-rw-r--r--core/toolchain.html3
4 files changed, 36 insertions, 14 deletions
diff --git a/core/hardening.html b/core/hardening.html
index d94cda6..200adfb 100644
--- a/core/hardening.html
+++ b/core/hardening.html
@@ -44,12 +44,12 @@
 
         <h3>1.2 - Linux PAM</h3>
 
-        <p>Cat /etc/pam.d/system-auth. Check pam modules, test on virtual machine, user can lockout during tests.</p>
+        <p>Cat /etc/pam.d/system-auth. Check pam modules, test on virtual machine, user can lockout during tests. Check files (processes); getfacl filename.</p>
 
         <p>Check files (processes) set uid and set gid;</p>
 
         <pre>
-        # find / -perm -4000 >> /root/setuid_files
+        # find / -perm 4000 >> /root/setuid_files
         # find / -perm 2000 >> /root/setguid_files
         </pre>
 
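Review bot: Dropping the leading dash in `find / -perm 4000` makes find match only files whose mode is exactly 4000, so ordinary setuid binaries (mode 4755 and similar) are no longer listed and the audit file will look clean when it is not. The previous `-perm -4000` form, which matches any file with the setuid bit set, was the correct one, and the unchanged next line `find / -perm 2000` has the same exact-match problem for setgid. I would restore `# find / -perm -4000 >> /root/setuid_files` and change the setgid line to `# find / -perm -2000 >> /root/setguid_files`. Adding `-xdev -type f` would also keep the scan on the root filesystem and limit it to regular files.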
@@ -75,8 +75,17 @@
         # chmod g-s filename
         </pre>
 
-        <p>Check files (processes); getfacl filename.</p>
-        , disable admins and root from sshd.</p>
+        <p>Find world writable files;</p>
+
+        <pre>
+        # find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
+        </pre>
+
+        <p>No owner files;</p>
+
+        <pre>
+        # find /dir -xdev \( -nouser -o -nogroup \) -print
+        </pre>
 
         <h3>1.3. Capabilities</h3>
 
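Review bot: The label `Find world writable files;` introduces a command that carries `-type d` and `! -perm -1000`, so it lists world-writable directories lacking the sticky bit and never reports a world-writable regular file. Either reword the label to `<p>Find world writable directories without sticky bit;</p>` or add a second line such as `# find /dir -xdev -type f -perm -0002 -print` for files. The hunk also deletes the stray fragment `, disable admins and root from sshd.</p>` without moving that advice anywhere visible here. If no section outside this hunk covers sshd root login, it is worth restoring as a complete sentence.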
@@ -133,6 +142,16 @@
         # auditctl -w /sbin/insmod -p x -k module_insertion
         </pre>
 
+        <h3>1.6 Network</h3>
+
+        <p>Find listening services with command;</p>
+
+        <pre>
+        # ss -tulpn
+        # nmap -sT -O localhost
+        # nmap -sT -O machine.example.org
+        </pre>
+
         <h2>2.6.0.2 Lynis</h2>
 
         <pre>
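Review bot: The two added nmap lines use `-sT`, which probes TCP only, while `ss -tulpn` above them also lists UDP sockets, so a UDP listener reported by ss has no counterpart in the scan. Scanning `localhost` or `machine.example.org` from the machine itself also typically bypasses the host firewall's inbound rules, so the result shows what is bound rather than what is reachable from the network. I would add a sentence such as `Run the second scan from another host to see what the firewall actually exposes.` and mention that `-sU` is needed to cover UDP.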
diff --git a/core/linux.html b/core/linux.html
index 670d0e7..d265925 100644
--- a/core/linux.html
+++ b/core/linux.html
@@ -686,8 +686,7 @@
 
         <h3 id="crypt">2.1.2.14 Cryptographic API</h3>
 
-        <pre>
-
+        <dl>
             <dt>CONFIG_CRYPTO_LRW</dt>
             <dd>Liskov Rivest Wagner, a tweakable, non malleable, non movable
             narrow block cipher mode for dm-crypt.</dd>
@@ -714,6 +713,7 @@
 
             <dt>CONFIG_CRYPTO_TWOFISH=y<dt>
             <dd>Twofish cipher algorithm</dd>
+        </dl>
 
 	    <pre>
 	    *   MD4 digest algorithm
diff --git a/core/reboot.html b/core/reboot.html
index f7a34d6..fbf9cc1 100644
--- a/core/reboot.html
+++ b/core/reboot.html
@@ -2,13 +2,13 @@
 <html dir="ltr" lang="en">
     <head>
         <meta charset='utf-8'>
-        <title>1.4. Boot</title>
+        <title>1.3. Boot</title>
     </head>
     <body>
 
         <a href="index.html">Core OS Index</a>
 
-        <h1>1.4. Boot</h1>
+        <h1>1.3. Boot</h1>
 
         <p>Follow this instructions with active chroot,
         first <a href="configure.html#chroot">mount partitions</a>
@@ -31,7 +31,7 @@
           /bin/bash --login
         </pre>
 
-        <h2 id="linux">1.4.1. Kernel</h2>
+        <h2 id="linux">1.3.1. Kernel</h2>
 
         <p>Install <a href="ports/linux-gnu">linux-gnu</a> port,
         linux libre kernel is a true source based kernel that
@@ -60,7 +60,7 @@
         # pkgadd /usr/ports/packages/linux-gnu#4.9.86-2.pkg.tar.gz
         </pre>
 
-        <h2 id="dracut">1.4.2. Dracut</h2>
+        <h2 id="dracut">1.3.2. Dracut</h2>
 
         <p>Install dracut;</p>
 
@@ -101,7 +101,7 @@
         # dracut --kver 4.9.86-gnu
         </pre>
 
-        <h2 id="grub">1.4.3. Grub</h2>
+        <h2 id="grub">1.3.3. Grub</h2>
 
         <p>Create grub file in /etc/default/grub with values;</p>
 
@@ -146,7 +146,7 @@
         # grub-probe --target=hints_string /
         </pre>
 
-        <h3>1.4.3.1. Rescue iso</h3>
+        <h3>1.3.3.1. Rescue iso</h3>
 
         <p>Simple way to have "resque" system is to mount boot as read only,
         this assures that even as root nothing can be changed without remount.
@@ -176,7 +176,7 @@
         }
         </pre>
 
-        <h2 id="recover">1.4.4. Recover</h2>
+        <h2 id="recover">1.3.4. Recover</h2>
 
         <h3>Root password</h3>
 
@@ -204,7 +204,7 @@
 
         <p>Reboot computer using power / reset.</p>
 
-        <h2 id="checkup">1.4.5. Checkup</h2>
+        <h2 id="checkup">1.3.5. Checkup</h2>
 
         <p>If you have qemu installed you can see if it boots, in this
         example sdb is usb external drive;</p>
diff --git a/core/toolchain.html b/core/toolchain.html
index 9662217..34a6c34 100644
--- a/core/toolchain.html
+++ b/core/toolchain.html
@@ -25,6 +25,9 @@
         export LDFLAGS="-z relro"
         </pre>
 
+        <p>Above should compile most of the packages, for more 
+        "restrict" and other flags combinations check <a href="conf/pkgmk.conf.harden">pkgmk.conf.handen</a>.</p>
+
         <h3>Core</h3>
 
         <p>Ports in core collection that need to be changed in order
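Review bot: The link text `pkgmk.conf.handen` in the added paragraph does not match its target `conf/pkgmk.conf.harden`, so a reader searching for the file by the printed name will not find it. The text should read `<a href="conf/pkgmk.conf.harden">pkgmk.conf.harden</a>`, and `"restrict"` reads more clearly as `restrictive`. Since the visible context sets only `LDFLAGS="-z relro"`, it would also help to say that the hardened file is where options such as `-z now` (full RELRO) belong, assuming that is what it contains. The flags block and the following paragraph both continue outside this hunk.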