diff options
Diffstat (limited to 'core')
| -rw-r--r-- | core/apparmor.html | 31 | ||||
| -rw-r--r-- | core/hardening.html | 118 | ||||
| -rw-r--r-- | core/sysctl.html | 5 |
3 files changed, 138 insertions, 16 deletions
diff --git a/core/apparmor.html b/core/apparmor.html index 0052a68..8b7a30c 100644 --- a/core/apparmor.html +++ b/core/apparmor.html @@ -109,6 +109,35 @@ <h3 id="auto_profiles">Create profile with audit</h3> + <p>Tools use log as a source to build profiles, it is + necessary to disable log rate limit;</p> + + <pre> + # sysctl -w kernel.printk_ratelimit=0 + </pre> + + <p>Start aa-genprof;</p> + + <pre> + $ sudo aa-genprof /usr/bin/lynx + </pre> + + <p>Execute application with all common application options + and parts;</p> + + <P>After initial automatic configuration enable profile in + complain mode. Use aa-logprof when rules need to be adapted.</p> + + <pre> + # aa-logprof + </pre> + + <p>Once profile rules become well defined enable profile in + enforce mode with aa-enforce;</p> + + <p>Monitor logs with aa-notify;</a> + + <h3 id="man_profiles">Create profile manually</h3> <p>To create a new profile, let's say for lynx, @@ -136,8 +165,6 @@ } </pre> - - <a href="index.html">Core OS Index</a> <p>This is part of the Hive System Documentation. Copyright (C) 2019 diff --git a/core/hardening.html b/core/hardening.html index 8e9788f..d94cda6 100644 --- a/core/hardening.html +++ b/core/hardening.html @@ -10,15 +10,16 @@ <h1>2.6. Hardening</h1> - <h2>2.6.0.1 System configuration</h2> + <h2>2.6.0.2 System security</h2> <dl> <dt>File systems</dt> <dd>Check <a href="install.html#fstab">fstab</a> and current mount options. Mount filesystems in read only, only strict necessary in rw.</dd> <dt>Sys</dt> <dd>Check kernel settings with <a href="sysctl.html">sysctl</a>.</dd> + <dd>kernel.yama.ptrace_scope breaks gdb, strace, perf trace and reptyr.</dd> <dt>Iptables</dt> - <dd>Check if <a href="network.html#iptables">iptables</a> rules are loaded and are correctly logging.</dd> + <dd>Check if <a href="network.html#iptables">iptables</a> rules are loaded and are correctly logging.(firewald works as API to iptables).</dd> <dt>Apparmor</dt> <dd>Check if <a href="apparmor.html">apparmor</a> is active and enforcing policies.</dd> <dt>Samhain</dt> @@ -27,31 +28,120 @@ <dd>Build ports using hardened <a href="toolchain.html">toolchain</a> settings.</dd> </dl> - <h2>System security</h2> <pre> $ sudo prt-get depinst checksec </pre> - <dl> - <dt>User / Pam</dt> - <dd>Normal user is not part of wheel group - or have administration rights.</dd> - <dd>Disable su.</dd> - <dt>Processes</dt> - <dd>Check processes running as root</dd> - <dd>Check processes users premissions</dd> + <h2>2.6.0.1 System configuration</h2> + + <h3>1.1 - Users groups, passwords and sudo.</h3> + + <p>Check "normal" users groups, make sure they are not admin or wheel group; ps -U root -u root u, ps axl | awk '$7 != 0 && $10 !~ "Z"', process permission; ps -o gid,rdig,supgid -p "$pid"</p> + + <p>Maintain, secure with hash, and enforce secure passwords with pam-cracklib.</p> + + + <h3>1.2 - Linux PAM</h3> + + <p>Cat /etc/pam.d/system-auth. Check pam modules, test on virtual machine, user can lockout during tests.</p> + + <p>Check files (processes) set uid and set gid;</p> + + <pre> + # find / -perm -4000 >> /root/setuid_files + # find / -perm 2000 >> /root/setguid_files + </pre> + + <p>To setuid (4744);</p> + + <pre> + # chmod u+s filename + </pre> + + <p>To remove (0664) from su and Xorg (user must be part of input and video for xorg to run);</p> + + <pre> + # chmod u-s /usr/bin/su + # chmod u-s /usr/bin/X + </pre> + + <p>To set gid (2744)</p> + <pre> + # chmod g+s filename + </pre> + <p>To remove (0774);</p> + <pre> + # chmod g-s filename + </pre> + + <p>Check files (processes); getfacl filename.</p> + , disable admins and root from sshd.</p> + + <h3>1.3. Capabilities</h3> + + <p>Check capabilities;</p> + <pre> + # getcap filename + </pre> + + <dd>1.9 - Limit number of processes.</dd> + <dd>1.10 - Lock user after 3 failed loggins.</dd> + <dd>1.8 - Block host ip based on iptable and services + abuse.</dd> </dl> + <h3>1.4 Sudo</h3> + + <p>Check sudo, sudoers and sudo replay.</p> + + <p>Don't run editor as root, instead run sudoedit filename or sudo --edit filename. Editor can be set as a environment variable;</p> + + <pre> + $ export SUDO_EDITOR=vim + </pre> + + <p>Set rvim as default on sudo config;</p> + + <pre> + # visudo + + Defaults editor=/usr/bin/rvim + </pre> + + <p>Once sudo is correctly configured, disable root login;</p> + + <pre> + # passwd --lock root + </pre> + + <h3>1.5 Auditd</h3> + + <pre> + $ prt-get depinst audit + </pre> + + <p>Example audit when file /etc/passwd get modified;</p> + + <pre> + $ auditctl -w /etc/passwd -p wa -k passwd_changes + </pre> + + <p>Audit when a module get's loaded;</p> + + <pre> + # auditctl -w /sbin/insmod -p x -k module_insertion + </pre> + <h2>2.6.0.2 Lynis</h2> <pre> $ sudo prt-get depinst lynis </pre> - <p>Lynis gives a view of system overall configuration, without changing - default profile it runs irrelevant tests. Create a lynis profile by - coping default one and run lynis;</p> + <p>Lynis gives a view of system overall configuration, + without changing default profile it runs irrelevant tests. + Create a lynis profile by coping default one and run lynis;</p> <pre> $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf diff --git a/core/sysctl.html b/core/sysctl.html index a5af197..afee463 100644 --- a/core/sysctl.html +++ b/core/sysctl.html @@ -33,6 +33,9 @@ # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 kernel.pid_max = 65536 + #Yama LSM by default + kernel.yama.ptrace_scope = 1 + # # Filesystem Protections # @@ -48,6 +51,8 @@ # Network Protections # + net.core.bpf_jit_enable = 0 + # Increase Linux auto tuning TCP buffer limits # min, default, and max number of bytes to use # set max to at least 4MB, or higher if you use very high BDP paths |