-rw-r--r--  core/apparmor.html   |  31
-rw-r--r--  core/hardening.html  | 118
-rw-r--r--  core/sysctl.html     |   5
-rw-r--r--  tools/irssi.html     |  42
-rw-r--r--  tools/x.html         |  60
5 files changed, 176 insertions, 80 deletions
diff --git a/core/apparmor.html b/core/apparmor.html index 0052a68..8b7a30c 100644 --- a/core/apparmor.html +++ b/core/apparmor.html @@ -109,6 +109,35 @@ <h3 id="auto_profiles">Create profile with audit</h3> + <p>Tools use log as a source to build profiles, it is + necessary to disable log rate limit;</p> + + <pre> + # sysctl -w kernel.printk_ratelimit=0 + </pre> + + <p>Start aa-genprof;</p> + + <pre> + $ sudo aa-genprof /usr/bin/lynx + </pre> + + <p>Execute application with all common application options + and parts;</p> + + <P>After initial automatic configuration enable profile in + complain mode. Use aa-logprof when rules need to be adapted.</p> + + <pre> + # aa-logprof + </pre> + + <p>Once profile rules become well defined enable profile in + enforce mode with aa-enforce;</p> + + <p>Monitor logs with aa-notify;</a> + + <h3 id="man_profiles">Create profile manually</h3> <p>To create a new profile, let's say for lynx, @@ -136,8 +165,6 @@ } </pre> - - <a href="index.html">Core OS Index</a> <p>This is part of the Hive System Documentation. Copyright (C) 2019 diff --git a/core/hardening.html b/core/hardening.html index 8e9788f..d94cda6 100644 --- a/core/hardening.html +++ b/core/hardening.html 
@@ -10,15 +10,16 @@ <h1>2.6. Hardening</h1> - <h2>2.6.0.1 System configuration</h2> + <h2>2.6.0.2 System security</h2> <dl> <dt>File systems</dt> <dd>Check <a href="install.html#fstab">fstab</a> and current mount options. Mount filesystems in read only, only strict necessary in rw.</dd> <dt>Sys</dt> <dd>Check kernel settings with <a href="sysctl.html">sysctl</a>.</dd> + <dd>kernel.yama.ptrace_scope breaks gdb, strace, perf trace and reptyr.</dd> <dt>Iptables</dt> - <dd>Check if <a href="network.html#iptables">iptables</a> rules are loaded and are correctly logging.</dd> + <dd>Check if <a href="network.html#iptables">iptables</a> rules are loaded and are correctly logging.(firewald works as API to iptables).</dd> <dt>Apparmor</dt> <dd>Check if <a href="apparmor.html">apparmor</a> is active and enforcing policies.</dd> <dt>Samhain</dt> 
@@ -27,31 +28,120 @@ <dd>Build ports using hardened <a href="toolchain.html">toolchain</a> settings.</dd> </dl> - <h2>System security</h2> <pre> $ sudo prt-get depinst checksec </pre> - <dl> - <dt>User / Pam</dt> - <dd>Normal user is not part of wheel group - or have administration rights.</dd> - <dd>Disable su.</dd> - <dt>Processes</dt> - <dd>Check processes running as root</dd> - <dd>Check processes users premissions</dd> + <h2>2.6.0.1 System configuration</h2> + + <h3>1.1 - Users groups, passwords and sudo.</h3> + + <p>Check "normal" users groups, make sure they are not admin or wheel group; ps -U root -u root u, ps axl | awk '$7 != 0 && $10 !~ "Z"', process permission; ps -o gid,rdig,supgid -p "$pid"</p> + + <p>Maintain, secure with hash, and enforce secure passwords with pam-cracklib.</p> + + + <h3>1.2 - Linux PAM</h3> + + <p>Cat /etc/pam.d/system-auth. Check pam modules, test on virtual machine, user can lockout during tests.</p> + + <p>Check files (processes) set uid and set gid;</p> + + <pre> + # find / -perm -4000 >> /root/setuid_files + # find / -perm 2000 >> /root/setguid_files + </pre> + + <p>To setuid (4744);</p> + + <pre> + # chmod u+s filename + </pre> + + <p>To remove (0664) from su and Xorg (user must be part of input and video for xorg to run);</p> + + <pre> + # chmod u-s /usr/bin/su + # chmod u-s /usr/bin/X + </pre> + + <p>To set gid (2744)</p> + <pre> + # chmod g+s filename + </pre> + <p>To remove (0774);</p> + <pre> + # chmod g-s filename + </pre> + + <p>Check files (processes); getfacl filename.</p> + , disable admins and root from sshd.</p> + + <h3>1.3. 
Capabilities</h3> + + <p>Check capabilities;</p> + <pre> + # getcap filename + </pre> + + <dd>1.9 - Limit number of processes.</dd> + <dd>1.10 - Lock user after 3 failed loggins.</dd> + <dd>1.8 - Block host ip based on iptable and services + abuse.</dd> </dl> + <h3>1.4 Sudo</h3> + + <p>Check sudo, sudoers and sudo replay.</p> + + <p>Don't run editor as root, instead run sudoedit filename or sudo --edit filename. Editor can be set as a environment variable;</p> + + <pre> + $ export SUDO_EDITOR=vim + </pre> + + <p>Set rvim as default on sudo config;</p> + + <pre> + # visudo + + Defaults editor=/usr/bin/rvim + </pre> + + <p>Once sudo is correctly configured, disable root login;</p> + + <pre> + # passwd --lock root + </pre> + + <h3>1.5 Auditd</h3> + + <pre> + $ prt-get depinst audit + </pre> + + <p>Example audit when file /etc/passwd get modified;</p> + + <pre> + $ auditctl -w /etc/passwd -p wa -k passwd_changes + </pre> + + <p>Audit when a module get's loaded;</p> + + <pre> + # auditctl -w /sbin/insmod -p x -k module_insertion + </pre> + <h2>2.6.0.2 Lynis</h2> <pre> $ sudo prt-get depinst lynis </pre> - <p>Lynis gives a view of system overall configuration, without changing - default profile it runs irrelevant tests. Create a lynis profile by - coping default one and run lynis;</p> + <p>Lynis gives a view of system overall configuration, + without changing default profile it runs irrelevant tests. + Create a lynis profile by coping default one and run lynis;</p> <pre> $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf diff --git a/core/sysctl.html b/core/sysctl.html index a5af197..afee463 100644 --- a/core/sysctl.html +++ b/core/sysctl.html @@ -33,6 +33,9 @@ # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 kernel.pid_max = 65536 + #Yama LSM by default + kernel.yama.ptrace_scope = 1 + # # Filesystem Protections # 
@@ -48,6 +51,8 @@ # Network Protections # + net.core.bpf_jit_enable = 0 + # Increase Linux auto tuning TCP buffer limits # min, default, and max number of bytes to use # set max to at least 4MB, or higher if you use very high BDP paths diff --git a/tools/irssi.html b/tools/irssi.html index d4fcc0d..dbb1372 100644 --- a/tools/irssi.html +++ b/tools/irssi.html @@ -1,9 +1,39 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>Irssi</title> + </head> + <body> - Start up irssi, then: - /connect irc.freenode.net - /nick MyIRCNick - /SERVER ADD -auto -network freenode irc.freenode.net 6667 <password> + <a href="index.html">Tools Index</a> + + <h1>Irssi</h1> + + <p>Default configuration file is at /usr/etc/irssi.conf;</p> + + <pre> + $ mkdir .irssi + $ cp /usr/etc/irssi.conf .irssi/config + </pre> + + <p>Start up irssi, then:</p> + + <pre> + /connect irc.freenode.net + /nick MyIRCNick + /SERVER ADD -auto -network freenode irc.freenode.net 6667 <password> + /CHANNEL ADD -auto #crux freenode + </pre> - (you may have to shutdown and restart irssi at this point for it to recognize the network name "freenode" in the next step) - /CHANNEL ADD -auto #crux freenode + + <a href="index.html">Tools Index</a> + <p> + This is part of the Hive System Documentation. + Copyright (C) 2019 + Hive Team. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> + </body> +</html> diff --git a/tools/x.html b/tools/x.html index c693062..3efaf7a 100644 --- a/tools/x.html +++ b/tools/x.html 
@@ -17,34 +17,7 @@ <h3>Xorg</h3> <pre> - $ sudo prt-get depinst xorg-server \ - xorg-xinit \ - xorg-xrdb \ - xorg-xdpyinfo \ - xorg-xauth \ - xorg-xmodmap \ - xorg-xrandr \ - xorg-xgamma \ - xorg-xf86-input-evdev \ - xorg-xf86-input-synaptics \ - xsel \ - xkeyboard-config - </pre> - - <h3>Fonts</h3> - - <pre> - $ sudo prt-get depinst xorg-font-util \ - xorg-font-alias \ - xorg-font-dejavu-ttf \ - xorg-font-cursor-misc \ - xorg-font-misc-misc \ - console-font-terminus \ - xorg-font-terminus \ - xorg-font-mutt-misc - - $ prt-get search xorg-font-bitstream | xargs sudo prt-get depinst - $ prt-get search xorg-font-bh | xargs sudo prt-get depinst + $ prt-get depinst meta-desktop </pre> @@ -53,35 +26,6 @@ $ prt-get depinst otf-sourcecode </pre> - <h3>Utilities</h3> - - <pre> - $ sudo prt-get depinst \ - alsa-utils \ - libdrm \ - mesa3d \ - ffmpeg \ - gstreamer \ - gstreamer-vaapi \ - gst-plugins-base \ - gst-plugins-good \ - gst-plugins-bad \ - gst-plugins-ugly \ - cmus \ - dmenu \ - st \ - gparted \ - gimp \ - libreoffice \ - ca-certificates \ - linux-pam \ - gstreamer \ - libgd \ - icu \ - syndaemon \ - firefox - </pre> - <h3>Window Managers</h3> <pre> @@ -92,7 +36,7 @@ mate </pre> - <h2>Configure</h2> + <h2 id="config">Configure</h2> <h3>Local xinitrc</h3> |
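Review bot: in the core/apparmor.html hunk at @@ -109,6 +109,35 @@, the line '<p>Monitor logs with aa-notify;</a>' closes an anchor that was never opened and leaves the paragraph unclosed, and the complain-mode paragraph opens with an uppercase '<P>'; both should be plain '<p>...</p>' like the rest of the file. The text names complain mode, aa-enforce and aa-notify but only shows commands for aa-genprof and aa-logprof, so the procedure cannot be followed as written; add the matching invocations, e.g. '# aa-complain /usr/bin/lynx', '# aa-enforce /usr/bin/lynx' and '$ aa-notify -s 1 -v'. Also say that 'sysctl -w kernel.printk_ratelimit=0' is a runtime-only, system-wide change that should be restored once profiling is done (the kernel default is 5), and pick one prompt convention: the section mixes '#' and '$ sudo' for commands that all need root. Finally, "Tools use log as a source to build profiles, it is necessary to disable log rate limit;" should read "The profiling tools build profiles from the kernel log, so disable log rate limiting first:".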
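Review bot: the second core/apparmor.html hunk (@@ -136,8 +165,6 @@) deletes the '<a href="index.html">Core OS Index</a>' back-link above the footer, while the tools/irssi.html change in this same commit adds exactly that kind of top and bottom index link. Either keep the link here for consistent navigation or state in the commit message why apparmor.html should differ from the other pages.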
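Review bot: in the first core/hardening.html hunk (@@ -10,15 +10,16 @@) the heading is renamed from "2.6.0.1 System configuration" to "2.6.0.2 System security", but the second hunk adds "2.6.0.1 System configuration" further down and keeps "2.6.0.2 Lynis", so the page ends up with 2.6.0.2 used twice and 2.6.0.1 appearing after it; renumber the three h2 headings in document order. The new '<dd>kernel.yama.ptrace_scope breaks gdb, strace, perf trace and reptyr.</dd>' overstates the effect: with ptrace_scope=1 those tools still work when they start the target themselves; what breaks is attaching to an already running process that is not a descendant (gdb -p, strace -p, reptyr) unless the caller has CAP_SYS_PTRACE. State that precisely so readers do not assume the setting disables debugging outright. Also fix "firewald" to "firewalld", add the missing space before the parenthesis, and reconsider the parenthetical itself: firewalld is a daemon and front end that manages the rules, not an API to iptables, and the page otherwise documents raw iptables.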
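Review bot: the second core/hardening.html hunk (@@ -27,31 +28,120 @@) has a logic error in the setgid search: '# find / -perm 2000 >> /root/setguid_files' matches only files whose mode is exactly 2000, whereas the setuid line correctly uses '-perm -4000' (bits set); use '-perm -2000', and use '>' rather than '>>' so repeated runs do not accumulate duplicates (adding '-type f' avoids listing directories with the setgid bit). The markup is broken in two places: the text ', disable admins and root from sshd.</p>' after the getfacl paragraph has no opening '<p>', and the three '<dd>1.9 ... 1.10 ... 1.8</dd>' items follow the Capabilities h3 with their '<dl>' removed by this same hunk while the closing '</dl>' is kept; either restore a list around them (in order) or move them to the TODO they appear to be. In '# ps -o gid,rdig,supgid -p "$pid"', 'rdig' is not a ps keyword; 'rgid' is. The mode numbers in parentheses do not match the commands: 'chmod u-s' on a 4755 binary yields 0755, not 0664, and 'chmod g-s' on 2744 yields 0744, not 0774. 'getcap filename' only inspects one file; '# getcap -r / 2>/dev/null' is what an audit needs. The sudo section exports SUDO_EDITOR=vim for the user and then sets 'Defaults editor=/usr/bin/rvim'; for sudoedit the SUDO_EDITOR/VISUAL/EDITOR variables are consulted before the editor option, so the two instructions work against each other, and the text should say why rvim (no shell escapes) matters for an editor run as root. The auditctl rules are entered with a '$' prompt but require root, and they are not persistent; they belong in /etc/audit/audit.rules (or rules.d) as well. Watching /sbin/insmod for execution misses modules loaded through the init_module/finit_module syscalls by modprobe, so a syscall rule such as '-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules' is the reliable form. 'passwd --lock root' should come with the caveat that it only blocks password authentication for root and does not affect key-based or console-specific paths, which is presumably what the orphaned "disable admins and root from sshd" sentence was about. Lastly, "coping default one" in the Lynis paragraph should be "copying the default one".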
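Review bot: in the first core/sysctl.html hunk (@@ -33,6 +33,9 @@) the comment '#Yama LSM by default' does not explain the setting. 'kernel.yama.ptrace_scope' only exists when the kernel has Yama built in and enabled in the LSM list; on other kernels 'sysctl -p' fails on this key, so say that here, and document the values: 1 restricts ptrace to descendants unless the caller has CAP_SYS_PTRACE, 2 limits it to CAP_SYS_PTRACE holders, and 3 disables attach entirely until reboot. That also gives the hardening page's note about gdb and strace something concrete to point at.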
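Review bot: the second core/sysctl.html hunk (@@ -48,6 +51,8 @@) adds 'net.core.bpf_jit_enable = 0' under Network Protections with no comment, unlike every other key in the file. Add one stating the intent (disabling the BPF JIT removes JIT-spraying as an exploitation primitive) and the caveats: on kernels built with CONFIG_BPF_JIT_ALWAYS_ON the value is pinned to 1 and the write is rejected, and if the JIT is needed (eBPF-based tooling), 'net.core.bpf_jit_harden = 2' keeps it while blinding constants. 'kernel.unprivileged_bpf_disabled = 1' is the more impactful companion setting and is worth placing next to it.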
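Review bot: in the tools/irssi.html hunk, the line '/SERVER ADD -auto -network freenode irc.freenode.net 6667 <password>' now sits inside '<pre>' in an HTML document, so the browser parses '<password>' as a tag and the placeholder disappears; write it as '&lt;password&gt;'. The same line connects on port 6667 without TLS, which sends the server password in clear; use port 6697 with '-ssl' ('-tls' on irssi 1.2 and later). The removed remark that irssi must be restarted before it recognises the network name was the only explanation of why '/CHANNEL ADD -auto #crux freenode' can fail; either keep it or add a '/NETWORK ADD freenode' step before '/SERVER ADD'. Also, '$ mkdir .irssi' and the cp target are relative to the current directory; use '~/.irssi' so the example works from anywhere.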
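Review bot: in the tools/x.html hunks, '$ prt-get depinst meta-desktop' drops the 'sudo' that the replaced commands and the otf-sourcecode example on the same page use, and the meta-desktop port is not described or linked anywhere on the page; say where it comes from. The deleted Utilities list included ca-certificates and linux-pam; if meta-desktop does not pull those in, TLS verification for everything using the system certificate store breaks silently, so confirm the dependency or keep them listed explicitly.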