authorSilvino <silvino@bk.ru>2019-07-02 18:33:31 +0100
committerSilvino <silvino@bk.ru>2019-07-02 18:33:31 +0100
commit6bb04903d70881ce2d17d5e1ce7685f02c48dd24 (patch)
treeaa5f5ce42984bf8cc0dd7783375dae634d38a0be
parentbb4fd340e7a1faffc363c6baa2f67e84b3a34f0c (diff)
parent1fb8842d469c36e5b43e843d3759e3c18c120c47 (diff)
downloaddoc-6bb04903d70881ce2d17d5e1ce7685f02c48dd24.tar.gz
core revison
-rw-r--r--core/hardening.html27
-rw-r--r--core/linux.html4
-rw-r--r--core/reboot.html16
-rw-r--r--core/toolchain.html3
4 files changed, 36 insertions, 14 deletions
diff --git a/core/hardening.html b/core/hardening.html
index d94cda6..200adfb 100644
--- a/core/hardening.html
+++ b/core/hardening.html
@@ -44,12 +44,12 @@
 
         <h3>1.2 - Linux PAM</h3>
 
-        <p>Cat /etc/pam.d/system-auth. Check pam modules, test on virtual machine, user can lockout during tests.</p>
+        <p>Cat /etc/pam.d/system-auth. Check pam modules, test on virtual machine, user can lockout during tests. Check files (processes); getfacl filename.</p>
 
         <p>Check files (processes) set uid and set gid;</p>
 
         <pre>
-        # find / -perm -4000 >> /root/setuid_files
+        # find / -perm 4000 >> /root/setuid_files
         # find / -perm 2000 >> /root/setguid_files
         </pre>
 
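Review bot: The new `# find / -perm 4000 >> /root/setuid_files` line drops the leading dash, so find matches only files whose mode is exactly 4000, and an ordinary setuid binary (mode 4755, for example) is no longer listed. The audit then reports an almost empty file, which reads as "no setuid programs" when it means the test was too strict. The removed `-perm -4000` form ("all of these bits set") was the correct one, and the unchanged `-perm 2000` line has the same problem for setgid. I would keep `# find / -perm -4000 >> /root/setuid_files` and change the next line to `# find / -perm -2000 >> /root/setguid_files`.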
@@ -75,8 +75,17 @@
         # chmod g-s filename
         </pre>
 
-        <p>Check files (processes); getfacl filename.</p>
-        , disable admins and root from sshd.</p>
+        <p>Find world writable files;</p>
+
+        <pre>
+        # find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
+        </pre>
+
+        <p>No owner files;</p>
+
+        <pre>
+        # find /dir -xdev \( -nouser -o -nogroup \) -print
+        </pre>
 
         <h3>1.3. Capabilities</h3>
 
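Review bot: The paragraph "Find world writable files;" does not match the command under it: `-type d \( -perm -0002 -a ! -perm -1000 \)` lists world-writable directories that lack the sticky bit, not files. A reader following the heading would believe world-writable regular files had been checked when they had not. Either reword the paragraph to `<p>Find world writable directories without sticky bit;</p>` or add a second line for regular files, `# find /dir -xdev -type f -perm -0002 -print`. It would also help to say in one sentence that `/dir` stands for each local filesystem mount point, since `-xdev` stops find from crossing into other mounts.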
@@ -133,6 +142,16 @@
         # auditctl -w /sbin/insmod -p x -k module_insertion
         </pre>
 
+        <h3>1.6 Network</h3>
+
+        <p>Find listening services with command;</p>
+
+        <pre>
+        # ss -tulpn
+        # nmap -sT -O localhost
+        # nmap -sT -O machine.example.org
+        </pre>
+
         <h2>2.6.0.2 Lynis</h2>
 
         <pre>
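Review bot: The three commands in the new "1.6 Network" block answer different questions, but the single sentence "Find listening services with command;" presents them as equivalent. `ss -tulpn` lists TCP and UDP sockets with their owning processes, while the `nmap -sT` lines probe TCP only, so a UDP listener shown by ss is never cross-checked. The `-O` option is OS fingerprinting and adds nothing to a listening-service audit. I would add a sentence such as `<p>Compare the local view (ss) with what is reachable from another host; differences show what the firewall filters.</p>` and drop `-O` from both nmap lines.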
diff --git a/core/linux.html b/core/linux.html
index 670d0e7..d265925 100644
--- a/core/linux.html
+++ b/core/linux.html
@@ -686,8 +686,7 @@
 
         <h3 id="crypt">2.1.2.14 Cryptographic API</h3>
 
-        <pre>
-
+        <dl>
             <dt>CONFIG_CRYPTO_LRW</dt>
             <dd>Liskov Rivest Wagner, a tweakable, non malleable, non movable
             narrow block cipher mode for dm-crypt.</dd>
@@ -714,6 +713,7 @@
 
             <dt>CONFIG_CRYPTO_TWOFISH=y<dt>
             <dd>Twofish cipher algorithm</dd>
+        </dl>
 
 	    <pre>
 	    *   MD4 digest algorithm
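Review bot: The context line `<dt>CONFIG_CRYPTO_TWOFISH=y<dt>` opens a second `<dt>` instead of closing the first, and the `</dl>` added just below it does not repair that. Now that the block is a real definition list rather than a `<pre>`, the parser will create an empty extra term before the "Twofish cipher algorithm" description. Changing the line to `<dt>CONFIG_CRYPTO_TWOFISH=y</dt>` in the same commit would leave the new list well-formed. The list starts in the previous hunk and its middle entries are not visible here, so other entries may need the same check.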
diff --git a/core/reboot.html b/core/reboot.html
index f7a34d6..fbf9cc1 100644
--- a/core/reboot.html
+++ b/core/reboot.html
@@ -2,13 +2,13 @@
 <html dir="ltr" lang="en">
     <head>
         <meta charset='utf-8'>
-        <title>1.4. Boot</title>
+        <title>1.3. Boot</title>
     </head>
     <body>
 
         <a href="index.html">Core OS Index</a>
 
-        <h1>1.4. Boot</h1>
+        <h1>1.3. Boot</h1>
 
         <p>Follow this instructions with active chroot,
         first <a href="configure.html#chroot">mount partitions</a>
@@ -31,7 +31,7 @@
           /bin/bash --login
         </pre>
 
-        <h2 id="linux">1.4.1. Kernel</h2>
+        <h2 id="linux">1.3.1. Kernel</h2>
 
         <p>Install <a href="ports/linux-gnu">linux-gnu</a> port,
         linux libre kernel is a true source based kernel that
@@ -60,7 +60,7 @@
         # pkgadd /usr/ports/packages/linux-gnu#4.9.86-2.pkg.tar.gz
         </pre>
 
-        <h2 id="dracut">1.4.2. Dracut</h2>
+        <h2 id="dracut">1.3.2. Dracut</h2>
 
         <p>Install dracut;</p>
 
@@ -101,7 +101,7 @@
         # dracut --kver 4.9.86-gnu
         </pre>
 
-        <h2 id="grub">1.4.3. Grub</h2>
+        <h2 id="grub">1.3.3. Grub</h2>
 
         <p>Create grub file in /etc/default/grub with values;</p>
 
@@ -146,7 +146,7 @@
         # grub-probe --target=hints_string /
         </pre>
 
-        <h3>1.4.3.1. Rescue iso</h3>
+        <h3>1.3.3.1. Rescue iso</h3>
 
         <p>Simple way to have "resque" system is to mount boot as read only,
         this assures that even as root nothing can be changed without remount.
@@ -176,7 +176,7 @@
         }
         </pre>
 
-        <h2 id="recover">1.4.4. Recover</h2>
+        <h2 id="recover">1.3.4. Recover</h2>
 
         <h3>Root password</h3>
 
@@ -204,7 +204,7 @@
 
         <p>Reboot computer using power / reset.</p>
 
-        <h2 id="checkup">1.4.5. Checkup</h2>
+        <h2 id="checkup">1.3.5. Checkup</h2>
 
         <p>If you have qemu installed you can see if it boots, in this
         example sdb is usb external drive;</p>
diff --git a/core/toolchain.html b/core/toolchain.html
index 9662217..34a6c34 100644
--- a/core/toolchain.html
+++ b/core/toolchain.html
@@ -25,6 +25,9 @@
         export LDFLAGS="-z relro"
         </pre>
 
+        <p>Above should compile most of the packages, for more 
+        "restrict" and other flags combinations check <a href="conf/pkgmk.conf.harden">pkgmk.conf.handen</a>.</p>
+
         <h3>Core</h3>
 
         <p>Ports in core collection that need to be changed in order
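Review bot: The link text in the added paragraph reads `pkgmk.conf.handen` while the href points to `conf/pkgmk.conf.harden`; the visible name should be `pkgmk.conf.harden`, so a reader searching the tree finds the file. The wording `more "restrict" and other flags combinations` is also hard to parse; `for stricter hardening flags see …` says the same thing. Since the only linker flag visible above is `-z relro`, which on its own gives partial RELRO, it would be worth stating in this paragraph what the referenced file adds beyond the baseline. The `<pre>` block with the exports begins outside this hunk, so the compiler flags could not be checked.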