diff options
| author | Silvino Silva <silvino@bk.ru> | 2021-02-12 03:59:34 +0000 |
|---|---|---|
| committer | Silvino Silva <silvino@bk.ru> | 2021-02-12 03:59:34 +0000 |
| commit | a3628fc49db4d88ff3e4067268650710d1da3f6f (patch) | |
| tree | 8fdac6dfc8cabb9f85a2db3a3bd628cfe44438cd /core/hardening.html | |
| parent | 0a6b0fc9769daf0932cb207c3285baa31547b489 (diff) | |
| download | doc-a3628fc49db4d88ff3e4067268650710d1da3f6f.tar.gz | |
initial openbsd support
Diffstat (limited to 'core/hardening.html')
| -rw-r--r-- | core/hardening.html | 188 |
1 files changed, 0 insertions, 188 deletions
diff --git a/core/hardening.html b/core/hardening.html deleted file mode 100644 index 041f999..0000000 --- a/core/hardening.html +++ /dev/null @@ -1,188 +0,0 @@ -<!DOCTYPE html> -<html dir="ltr" lang="en"> - <head> - <meta charset='utf-8'> - <title>2.6. Hardening</title> - </head> - <body> - - <a href="index.html">Core OS Index</a> - - <h1>2.6. Hardening</h1> - - <h2>2.6.0.2 System security</h2> - - <dl> - <dt>File systems</dt> - <dd>Check <a href="install.html#fstab">fstab</a> and current mount options. Mount filesystems in read only, only strict necessary in rw.</dd> - <dt>Sys</dt> - <dd>Check kernel settings with <a href="sysctl.html">sysctl</a>.</dd> - <dd>kernel.yama.ptrace_scope breaks gdb, strace, perf trace and reptyr.</dd> - <dt>Iptables</dt> - <dd>Check if <a href="network.html#iptables">iptables</a> rules are loaded and are correctly logging.(firewald works as API to iptables).</dd> - <dt>Apparmor</dt> - <dd>Check if <a href="apparmor.html">apparmor</a> is active and enforcing policies.</dd> - <dt>Samhain</dt> - <dd>Check if <a href="samhain.html">samhain</a> is running.</dd> - <dt>Toolchain</dt> - <dd>Build ports using hardened <a href="toolchain.html">toolchain</a> settings.</dd> - </dl> - - - <pre> - $ sudo prt-get depinst checksec - </pre> - - <h2>2.6.0.1 System configuration</h2> - - <h3>1.1 - Users groups, passwords and sudo.</h3> - - <p>Check "normal" users groups, make sure they are not admin or wheel group; ps -U root -u root u, ps axl | awk '$7 != 0 && $10 !~ "Z"', process permission; ps -o gid,rdig,supgid -p "$pid"</p> - - <p>Maintain, secure with hash, and enforce secure passwords with pam-cracklib.</p> - - - <h3>1.2 - Linux PAM</h3> - - <p>Cat /etc/pam.d/system-auth. Check pam modules, test on virtual machine, user can lockout during tests. Check files (processes); getfacl filename.</p> - - <p>Check files (processes) set uid and set gid;</p> - - <pre> - # find / -perm 4000 >> /root/setuid_files - # find / -perm 2000 >> /root/setguid_files - </pre> - - <p>To setuid (4744);</p> - - <pre> - # chmod u+s filename - </pre> - - <p>To remove (0664) from su and Xorg (user must be part of input and video for xorg to run);</p> - - <pre> - # chmod u-s /usr/bin/su - # chmod u-s /usr/bin/X - </pre> - - <p>To set gid (2744)</p> - <pre> - # chmod g+s filename - </pre> - <p>To remove (0774);</p> - <pre> - # chmod g-s filename - </pre> - - <p>Find world writable files;</p> - - <pre> - # find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print - </pre> - - <p>No owner files;</p> - - <pre> - # find /dir -xdev \( -nouser -o -nogroup \) -print - </pre> - - <h3>1.3. Capabilities</h3> - - <p>Check capabilities;</p> - <pre> - # getcap filename - </pre> - - <dd>1.9 - Limit number of processes.</dd> - <dd>1.10 - Lock user after 3 failed loggins.</dd> - <dd>1.8 - Block host ip based on iptable and services - abuse.</dd> - </dl> - - <h3>1.4 Sudo</h3> - - <p>Check sudo, sudoers and sudo replay.</p> - - <p>Don't run editor as root, instead run sudoedit filename or sudo --edit filename. Editor can be set as a environment variable;</p> - - <pre> - $ export SUDO_EDITOR=vim - </pre> - - <p>Set rvim as default on sudo config;</p> - - <pre> - # visudo - - Defaults editor=/usr/bin/rvim - </pre> - - <p>Once sudo is correctly configured, disable root login;</p> - - <pre> - # passwd --lock root - </pre> - - <h3>1.5 Auditd</h3> - - <pre> - $ prt-get depinst audit - </pre> - - <p>Example audit when file /etc/passwd get modified;</p> - - <pre> - $ auditctl -w /etc/passwd -p wa -k passwd_changes - </pre> - - <p>Audit when a module get's loaded;</p> - - <pre> - # auditctl -w /sbin/insmod -p x -k module_insertion - </pre> - - <h3>1.6 Network</h3> - - <p>Find listening services with command;</p> - - <pre> - # ss -tulpn - # nmap -sT -O localhost - # nmap -sT -O machine.example.org - </pre> - - <h2>2.6.0.2 Lynis</h2> - - <pre> - $ sudo prt-get depinst lynis - </pre> - - <p>Lynis gives a view of system overall configuration, - without changing default profile it runs irrelevant tests. - Create a lynis profile by coping default one and run lynis;</p> - - <pre> - $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf - $ sudo lynis configure settings color=yes - $ sudo lynis show settings - $ sudo lynis show profile - </pre> - - <pre> - $ lynis audit system > lynis_report - $ mv /tmp/lynis.log . - $ mv /tmp/lynis-report.dat . - </pre> - - <p>Add unnecessary tests to profile to have less noise.</p> - - <a href="index.html">Core OS Index</a> - <p>This is part of the Tribu System Documentation. - Copyright (C) 2020 - Tribu Team. - See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> - for copying conditions.</p> - - </body> -</html> |