author    Silvino <silvino@bk.ru>  2019-06-16 05:03:49 +0100
committer Silvino <silvino@bk.ru>  2019-06-16 05:03:49 +0100
commit    951a8a84411da6b71cee11d8c9feb993b984acf5 (patch)
tree      321c716724f139b604fe1b4ecbdd198b8f58fff6
parent    caf14bbeab74235c8d6574beb8b3ad2b55aef667 (diff)
download  doc-951a8a84411da6b71cee11d8c9feb993b984acf5.tar.gz
apparmor and hardening revision
-rw-r--r--  core/apparmor.html    31
-rw-r--r--  core/hardening.html  118
-rw-r--r--  core/sysctl.html       5
-rw-r--r--  tools/irssi.html      42
-rw-r--r--  tools/x.html          60
5 files changed, 176 insertions, 80 deletions
diff --git a/core/apparmor.html b/core/apparmor.html
index 0052a68..8b7a30c 100644
--- a/core/apparmor.html
+++ b/core/apparmor.html
@@ -109,6 +109,35 @@
 
         <h3 id="auto_profiles">Create profile with audit</h3>
 
+        <p>Tools use log as a source to build profiles, it is
+        necessary to disable log rate limit;</p>
+
+        <pre>
+        # sysctl -w kernel.printk_ratelimit=0
+        </pre>
+
+        <p>Start aa-genprof;</p>
+
+        <pre>
+        $ sudo aa-genprof /usr/bin/lynx
+        </pre>
+
+        <p>Execute application with all common application options
+        and parts;</p>
+
+        <P>After initial automatic configuration enable profile in
+        complain mode. Use aa-logprof when rules need to be adapted.</p>
+
+        <pre>
+        # aa-logprof
+        </pre>
+
+        <p>Once profile rules become well defined enable profile in
+        enforce mode with aa-enforce;</p>
+
+        <p>Monitor logs with aa-notify;</a>
+
+
         <h3 id="man_profiles">Create profile manually</h3>
 
         <p>To create a new profile, let's say for lynx,
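Review bot: the last added paragraph, `<p>Monitor logs with aa-notify;</a>`, closes with `</a>` instead of `</p>`, and the paragraph beginning `<P>After initial automatic configuration` opens with an uppercase `<P>` while every other tag in this file is lowercase; fix both so the markup stays well formed. Two of the steps also name no command: "enable profile in complain mode" and "enable profile in enforce mode with aa-enforce" would read consistently with the surrounding steps if each had its own `<pre>` block (`# aa-complain /usr/bin/lynx` and `# aa-enforce /usr/bin/lynx`). Finally, `sysctl -w kernel.printk_ratelimit=0` is set for the profiling session but the text never says to restore it; add a sentence that the previous value should be put back once the profile is in enforce mode, since leaving kernel message rate limiting off permanently lets a noisy process flood the log.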
@@ -136,8 +165,6 @@
         }
         </pre>
 
-
-
         <a href="index.html">Core OS Index</a>
         <p>This is part of the Hive System Documentation.
         Copyright (C) 2019
diff --git a/core/hardening.html b/core/hardening.html
index 8e9788f..d94cda6 100644
--- a/core/hardening.html
+++ b/core/hardening.html
@@ -10,15 +10,16 @@
 
         <h1>2.6. Hardening</h1>
 
-        <h2>2.6.0.1 System configuration</h2>
+        <h2>2.6.0.2 System security</h2>
 
         <dl>
             <dt>File systems</dt>
             <dd>Check <a href="install.html#fstab">fstab</a> and current mount options. Mount filesystems in read only, only strict necessary in rw.</dd>
             <dt>Sys</dt>
             <dd>Check kernel settings with <a href="sysctl.html">sysctl</a>.</dd>
+            <dd>kernel.yama.ptrace_scope breaks gdb, strace, perf trace and reptyr.</dd>
             <dt>Iptables</dt>
-            <dd>Check if <a href="network.html#iptables">iptables</a> rules are loaded and are correctly logging.</dd>
+            <dd>Check if <a href="network.html#iptables">iptables</a> rules are loaded and are correctly logging.(firewald works as API to iptables).</dd>
             <dt>Apparmor</dt>
             <dd>Check if <a href="apparmor.html">apparmor</a> is active and enforcing policies.</dd>
             <dt>Samhain</dt>
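Review bot: the heading renumbering leaves the section numbers out of order: the first `<h2>` becomes `2.6.0.2 System security` here, while later in this same file a new `<h2>2.6.0.1 System configuration</h2>` is inserted after it and the existing `<h2>2.6.0.2 Lynis</h2>` keeps its number, so 2.6.0.2 is used twice and 2.6.0.1 comes after it. Pick one sequence (for example 2.6.0.1 System security, 2.6.0.2 System configuration, 2.6.0.3 Lynis). The added `<dd>kernel.yama.ptrace_scope breaks gdb, strace, perf trace and reptyr.</dd>` overstates it: with ptrace_scope=1 (the value this commit sets in sysctl.html) those tools still work when they start the target themselves (`gdb ./prog`, `strace ./prog`); what stops working is attaching to an already running, unrelated process (`gdb -p`, `strace -p`, reptyr) unless the caller has CAP_SYS_PTRACE. Saying that here tells the reader what the setting protects against (one compromised process reading another's memory) and when to expect it to get in the way. In the iptables line, `firewald` is a typo for `firewalld`, and a space is missing before the parenthesis after `logging.`.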
@@ -27,31 +28,120 @@
             <dd>Build ports using hardened <a href="toolchain.html">toolchain</a> settings.</dd>
         </dl>
 
-        <h2>System security</h2>
 
         <pre>
         $ sudo prt-get depinst checksec
         </pre>
 
-        <dl>
-            <dt>User / Pam</dt>
-            <dd>Normal user is not part of wheel group
-            or have administration rights.</dd>
-            <dd>Disable su.</dd>
-            <dt>Processes</dt>
-            <dd>Check processes running as root</dd>
-            <dd>Check processes users premissions</dd>
+        <h2>2.6.0.1 System configuration</h2>
+
+        <h3>1.1 - Users groups, passwords and sudo.</h3>
+
+        <p>Check "normal" users groups, make sure they are not admin or wheel group; ps -U root -u root u, ps axl | awk '$7 != 0 &amp;&amp; $10 !~ "Z"', process permission; ps -o gid,rdig,supgid -p "$pid"</p>
+
+        <p>Maintain, secure with hash, and enforce secure passwords with pam-cracklib.</p>
+
+
+        <h3>1.2 - Linux PAM</h3>
+
+        <p>Cat /etc/pam.d/system-auth. Check pam modules, test on virtual machine, user can lockout during tests.</p>
+
+        <p>Check files (processes) set uid and set gid;</p>
+
+        <pre>
+        # find / -perm -4000 >> /root/setuid_files
+        # find / -perm 2000 >> /root/setguid_files
+        </pre>
+
+        <p>To setuid (4744);</p>
+
+        <pre>
+        # chmod u+s filename
+        </pre>
+
+        <p>To remove (0664) from su and Xorg (user must be part of input and video for xorg to run);</p>
+
+        <pre>
+        # chmod u-s /usr/bin/su
+        # chmod u-s /usr/bin/X
+        </pre>
+
+        <p>To set gid (2744)</p>
+        <pre>
+        # chmod g+s filename
+        </pre>
+        <p>To remove (0774);</p>
+        <pre>
+        # chmod g-s filename
+        </pre>
+
+        <p>Check files (processes); getfacl filename.</p>
+        , disable admins and root from sshd.</p>
+
+        <h3>1.3. Capabilities</h3>
+
+        <p>Check capabilities;</p>
+        <pre>
+        # getcap filename
+        </pre>
+
+            <dd>1.9 - Limit number of processes.</dd>
+            <dd>1.10 - Lock user after 3 failed loggins.</dd>
+            <dd>1.8 - Block host ip based on iptable and services
+            abuse.</dd>
         </dl>
 
+        <h3>1.4 Sudo</h3>
+
+        <p>Check sudo, sudoers and sudo replay.</p>
+
+        <p>Don't run editor as root, instead run sudoedit filename or sudo --edit filename. Editor can be set as a environment variable;</p>
+
+        <pre>
+        $ export SUDO_EDITOR=vim
+        </pre>
+
+        <p>Set rvim as default on sudo config;</p>
+
+        <pre>
+        # visudo
+
+        Defaults editor=/usr/bin/rvim
+        </pre>
+
+        <p>Once sudo is correctly configured, disable root login;</p>
+
+        <pre>
+        # passwd --lock root
+        </pre>
+
+        <h3>1.5 Auditd</h3>
+
+        <pre>
+        $ prt-get depinst audit
+        </pre>
+
+        <p>Example audit when file /etc/passwd get modified;</p>
+
+        <pre>
+        $ auditctl -w /etc/passwd -p wa -k passwd_changes
+        </pre>
+
+        <p>Audit when a module get's loaded;</p>
+
+        <pre>
+        # auditctl -w /sbin/insmod -p x -k module_insertion
+        </pre>
+
         <h2>2.6.0.2 Lynis</h2>
 
         <pre>
         $ sudo prt-get depinst lynis
         </pre>
 
-        <p>Lynis gives a view of system overall configuration, without changing
-        default profile it runs irrelevant tests. Create a lynis profile by
-        coping default one and run lynis;</p>
+        <p>Lynis gives a view of system overall configuration,
+        without changing default profile it runs irrelevant tests.
+        Create a lynis profile by coping default one and run lynis;</p>
 
         <pre>
         $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
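Review bot: the `</dl>` kept as context after the three added `<dd>` items (`1.9 - Limit number of processes.`, `1.10 - Lock user after 3 failed loggins.`, `1.8 - Block host ip ...`) no longer has an opening tag, because this hunk removes the `<dl>` that opened that list; either drop the `</dl>` and make the three items `<p>` or a `<ul>`, or keep a `<dl>` with a `<dt>` in front of them. They are also numbered 1.9, 1.10, 1.8 in that order while the `<h3>` headings around them run 1.1 to 1.5, so the numbering matches nothing. Other points in this hunk: the line `, disable admins and root from sshd.</p>` after `<p>Check files (processes); getfacl filename.</p>` is an orphaned fragment with a second closing `</p>`; `ps -o gid,rdig,supgid -p "$pid"` should read `rgid` (`rdig` is not a ps output key); `find / -perm 2000` matches only files whose mode is exactly 2000 and so misses nearly every setgid binary, whereas the setuid line correctly uses `-perm -4000`, so the setgid line should be `-perm -2000` (and `setguid_files` is presumably `setgid_files`); and "To remove (0664)" does not match the 4744 given for setuid, where clearing the bit leaves 0744. In the auditd part, `$ auditctl -w /etc/passwd ...` needs root like the `# auditctl -w /sbin/insmod` line below it, and `$ prt-get depinst audit` drops the `sudo` that `$ sudo prt-get depinst checksec` uses; also, rules added with auditctl are gone after a reboot, so the two `-w` rules should additionally be written to the rules file loaded at startup (`/etc/audit/audit.rules`, or a file under `/etc/audit/rules.d/`) or the watch silently disappears. Wording: "get's" should be "gets", "loggins" should be "logins", "coping" (unchanged in the rewrapped Lynis paragraph) should be "copying", and "secure with hash" should name which password hash PAM is configured to use.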
diff --git a/core/sysctl.html b/core/sysctl.html
index a5af197..afee463 100644
--- a/core/sysctl.html
+++ b/core/sysctl.html
@@ -33,6 +33,9 @@
         # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
         kernel.pid_max = 65536
 
+        #Yama LSM by default
+        kernel.yama.ptrace_scope = 1
+
         #
         # Filesystem Protections
         #
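Review bot: the new `#Yama LSM by default` comment does not say what the line does, and it is the only comment in this block without a space after `#`; write it in the style of its neighbours, e.g. `# Restrict ptrace to descendant processes (requires the Yama LSM)`. Two caveats belong next to it: the key only exists when the kernel was built with Yama (CONFIG_SECURITY_YAMA) and Yama is in the active LSM list, so `sysctl -p` on a kernel without it errors out on this line; and the value 1 is what hardening.html's note about gdb, strace and reptyr refers to, so one of the two pages should state that attaching to unrelated running processes (`gdb -p`, `strace -p`) is what stops working, not the tools as such.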
@@ -48,6 +51,8 @@
         # Network Protections
         #
 
+        net.core.bpf_jit_enable = 0
+
         # Increase Linux auto tuning TCP buffer limits
         # min, default, and max number of bytes to use
         # set max to at least 4MB, or higher if you use very high BDP paths
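Review bot: `net.core.bpf_jit_enable = 0` is added without a comment, unlike every other setting in this block; state the intent (disable the BPF JIT compiler to remove JIT-spray attack surface). Caveat: on kernels built with CONFIG_BPF_JIT_ALWAYS_ON (available since 4.15 and enabled in several distribution kernels) the JIT cannot be turned off and a write of 0 to this key is rejected, which makes `sysctl -p` report an error on this line. On such kernels `net.core.bpf_jit_harden = 2` (constant blinding for all users, privileged included) is the setting that actually applies; consider adding it alongside, with a comment saying which of the two takes effect depends on the kernel configuration.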
diff --git a/tools/irssi.html b/tools/irssi.html
index d4fcc0d..dbb1372 100644
--- a/tools/irssi.html
+++ b/tools/irssi.html
@@ -1,9 +1,39 @@
+<!DOCTYPE html>
+<html dir="ltr" lang="en">
+    <head>
+        <meta charset='utf-8'>
+        <title>Irssi</title>
+    </head>
+    <body>
 
-   Start up irssi, then:
-   /connect irc.freenode.net
-   /nick MyIRCNick
-   /SERVER ADD -auto -network freenode irc.freenode.net 6667 <password>
+        <a href="index.html">Tools Index</a>
+
+        <h1>Irssi</h1>
+
+        <p>Default configuration file is at /usr/etc/irssi.conf;</p>
+
+        <pre>
+        $ mkdir .irssi
+        $ cp /usr/etc/irssi.conf .irssi/config
+        </pre>
+
+        <p>Start up irssi, then:</p>
+
+        <pre>
+        /connect irc.freenode.net
+        /nick MyIRCNick
+        /SERVER ADD -auto -network freenode irc.freenode.net 6667 &lt;password&gt;
+        /CHANNEL ADD -auto #crux freenode
+        </pre>
 
-      (you may have to shutdown and restart irssi at this point for it to
          recognize the network name "freenode" in the next step)
-         /CHANNEL ADD -auto #crux freenode
+
+        <a href="index.html">Tools Index</a>
+        <p>
+        This is part of the Hive System Documentation.
+        Copyright (C) 2019
+        Hive Team.
+        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
+        for copying conditions.</p>
+    </body>
+</html>
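Review bot: the rewrite deleted the first half of the restart note (`(you may have to shutdown and restart irssi at this point for it to`) but kept its second half as unchanged context, so `recognize the network name "freenode" in the next step)` now dangles as bare text after the `</pre>`, outside any element and with an unmatched closing parenthesis. Either remove that line as well, or restore the whole note as a `<p>` between the `/SERVER ADD` and `/CHANNEL ADD` commands, since it explains why `/CHANNEL ADD -auto #crux freenode` can fail on a fresh config. Also `$ mkdir .irssi` and `$ cp /usr/etc/irssi.conf .irssi/config` depend on the current working directory; `~/.irssi` is unambiguous. And because the `/SERVER ADD ... &lt;password&gt;` line stores the server password in that config file, add a sentence that `~/.irssi/config` should be readable only by the owning user.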
diff --git a/tools/x.html b/tools/x.html
index c693062..3efaf7a 100644
--- a/tools/x.html
+++ b/tools/x.html
@@ -17,34 +17,7 @@
         <h3>Xorg</h3>
 
         <pre>
-        $ sudo prt-get depinst xorg-server \
-             xorg-xinit \
-             xorg-xrdb \
-             xorg-xdpyinfo \
-             xorg-xauth \
-             xorg-xmodmap \
-             xorg-xrandr \
-             xorg-xgamma \
-             xorg-xf86-input-evdev \
-             xorg-xf86-input-synaptics \
-             xsel \
-             xkeyboard-config
-        </pre>
-
-        <h3>Fonts</h3>
-
-        <pre>
-        $ sudo prt-get depinst xorg-font-util \
-             xorg-font-alias \
-             xorg-font-dejavu-ttf \
-             xorg-font-cursor-misc \
-             xorg-font-misc-misc \
-             console-font-terminus \
-             xorg-font-terminus \
-             xorg-font-mutt-misc
-
-        $ prt-get search xorg-font-bitstream | xargs sudo prt-get depinst
-        $ prt-get search xorg-font-bh | xargs sudo prt-get depinst
+        $ prt-get depinst meta-desktop
         </pre>
 
 
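Review bot: the replacement `$ prt-get depinst meta-desktop` drops the `sudo` that the removed `$ sudo prt-get depinst xorg-server ...` line had while keeping the `$` user prompt; either restore `sudo` or use the `#` prompt, consistently with the rest of the page. The `<h3>Fonts</h3>` heading is removed here while the `otf-sourcecode` install shown as context in the next hunk stays, so check that the remaining font command still has a heading above it rather than sitting under Xorg.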
@@ -53,35 +26,6 @@
         $ prt-get depinst otf-sourcecode
         </pre>
 
-        <h3>Utilities</h3>
-
-        <pre>
-        $ sudo prt-get depinst \
-            alsa-utils \
-            libdrm \
-            mesa3d \
-            ffmpeg \
-            gstreamer \
-            gstreamer-vaapi \
-            gst-plugins-base \
-            gst-plugins-good \
-            gst-plugins-bad \
-            gst-plugins-ugly \
-            cmus \
-            dmenu \
-            st \
-            gparted \
-            gimp \
-            libreoffice \
-            ca-certificates \
-	    linux-pam \
-	    gstreamer \
-	    libgd \
-            icu \
-	    syndaemon \
-	    firefox
-        </pre>
-
         <h3>Window Managers</h3>
 
 	<pre>
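Review bot: among the packages dropped here are `ca-certificates` and `linux-pam`; the hunk does not show whether `meta-desktop` pulls them in, so confirm that before merging, because without a system CA bundle TLS clients that rely on the system trust store cannot verify certificates, and hardening.html's PAM section (`/etc/pam.d/system-auth`) assumes linux-pam is present. The removed list also had `gstreamer` twice and mixed tab and space indentation, so collapsing it is an improvement in itself.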
@@ -92,7 +36,7 @@
 	 	mate
 	</pre>
 
-        <h2>Configure</h2>
+        <h2 id="config">Configure</h2>
 
         <h3>Local xinitrc</h3>