From 951a8a84411da6b71cee11d8c9feb993b984acf5 Mon Sep 17 00:00:00 2001
From: Silvino
Date: Sun, 16 Jun 2019 05:03:49 +0100
Subject: apparmor and hardening revision
---
 core/apparmor.html | 31 +++++++++++++-
 core/hardening.html | 118 +++++++++++++++++++++++++++++++++++++++++++++-------
 core/sysctl.html | 5 +++
 tools/irssi.html | 42 ++++++++++++++++---
 tools/x.html | 60 +-------------------------
 5 files changed, 176 insertions(+), 80 deletions(-)
diff --git a/core/apparmor.html b/core/apparmor.html
index 0052a68..8b7a30c 100644
--- a/core/apparmor.html
+++ b/core/apparmor.html
@@ -109,6 +109,35 @@

Create profile with audit

+

Tools use log as a source to build profiles, it is + necessary to disable log rate limit;

+ +
+        # sysctl -w kernel.printk_ratelimit=0
+        
+ +

Start aa-genprof;

+ +
+        $ sudo aa-genprof /usr/bin/lynx
+        
+ +

Execute application with all common application options + and parts;

+ +

After initial automatic configuration enable profile in + complain mode. Use aa-logprof when rules need to be adapted.

+ +
+        # aa-logprof
+        
+ +

Once profile rules become well defined enable profile in + enforce mode with aa-enforce;

+ +

Monitor logs with aa-notify; + +

Create profile manually

To create a new profile, let's say for lynx,
@@ -136,8 +165,6 @@ } - - Core OS Index
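Review bot: The added `# sysctl -w kernel.printk_ratelimit=0` step is written as a one-way change, but the rate limit only needs to be off while aa-genprof and aa-logprof are reading the log; while it is disabled, a misbehaving or unconfined program can flood the kernel log. The text should tell the reader to record the current value first with `# sysctl kernel.printk_ratelimit` and to restore it after the aa-enforce step with `# sysctl -w kernel.printk_ratelimit=<previous value>` (placeholder for the recorded value). It is also worth stating that `sysctl -w` does not survive a reboot, which is the intended behaviour here, so readers do not copy the line into a persistent sysctl configuration.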

This is part of the Hive System Documentation. Copyright (C) 2019
diff --git a/core/hardening.html b/core/hardening.html
index 8e9788f..d94cda6 100644
--- a/core/hardening.html
+++ b/core/hardening.html
@@ -10,15 +10,16 @@

2.6. Hardening

-

2.6.0.1 System configuration

+

2.6.0.2 System security

File systems
Check fstab and current mount options. Mount filesystems in read only, only strict necessary in rw.
Sys
Check kernel settings with sysctl.
+
kernel.yama.ptrace_scope breaks gdb, strace, perf trace and reptyr.
Iptables
-
Check if iptables rules are loaded and are correctly logging.
+
Check if iptables rules are loaded and are correctly logging.(firewald works as API to iptables).
Apparmor
Check if apparmor is active and enforcing policies.
Samhain
@@ -27,31 +28,120 @@
Build ports using hardened toolchain settings.
-

System security

         $ sudo prt-get depinst checksec
         
-
-
User / Pam
-
Normal user is not part of wheel group - or have administration rights.
-
Disable su.
-
Processes
-
Check processes running as root
-
Check processes users premissions
+

2.6.0.1 System configuration

+ +

1.1 - Users groups, passwords and sudo.

+ +

Check "normal" users groups, make sure they are not admin or wheel group; ps -U root -u root u, ps axl | awk '$7 != 0 && $10 !~ "Z"', process permission; ps -o gid,rdig,supgid -p "$pid"

+ +

Maintain, secure with hash, and enforce secure passwords with pam-cracklib.

+ + +

1.2 - Linux PAM

+ +

Cat /etc/pam.d/system-auth. Check pam modules, test on virtual machine, user can lockout during tests.

+ +

Check files (processes) set uid and set gid;

+ +
+        # find / -perm -4000 >> /root/setuid_files
+        # find / -perm 2000 >> /root/setguid_files
+        
+ +

To setuid (4744);

+ +
+        # chmod u+s filename
+        
+ +

To remove (0664) from su and Xorg (user must be part of input and video for xorg to run);

+ +
+        # chmod u-s /usr/bin/su
+        # chmod u-s /usr/bin/X
+        
+ +

To set gid (2744)

+
+        # chmod g+s filename
+        
+

To remove (0774);

+
+        # chmod g-s filename
+        
+ +

Check files (processes); getfacl filename.

+ , disable admins and root from sshd.

+ +

1.3. Capabilities

+ +

Check capabilities;

+
+        # getcap filename
+        
+ +
1.9 - Limit number of processes.
+
1.10 - Lock user after 3 failed loggins.
+
1.8 - Block host ip based on iptable and services + abuse.
+

1.4 Sudo

+ +

Check sudo, sudoers and sudo replay.

+ +

Don't run editor as root, instead run sudoedit filename or sudo --edit filename. Editor can be set as a environment variable;

+ +
+        $ export SUDO_EDITOR=vim
+        
+ +

Set rvim as default on sudo config;

+ +
+        # visudo
+
+        Defaults editor=/usr/bin/rvim
+        
+ +

Once sudo is correctly configured, disable root login;

+ +
+        # passwd --lock root
+        
+ +

1.5 Auditd

+ +
+        $ prt-get depinst audit
+        
+ +

Example audit when file /etc/passwd get modified;

+ +
+        $ auditctl -w /etc/passwd -p wa -k passwd_changes
+        
+ +

Audit when a module get's loaded;

+ +
+        # auditctl -w /sbin/insmod -p x -k module_insertion
+        
+

2.6.0.2 Lynis

         $ sudo prt-get depinst lynis
         
-

Lynis gives a view of system overall configuration, without changing - default profile it runs irrelevant tests. Create a lynis profile by - coping default one and run lynis;

+

Lynis gives a view of system overall configuration, + without changing default profile it runs irrelevant tests. + Create a lynis profile by coping default one and run lynis;

         $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
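Review bot: `# find / -perm 2000 >> /root/setguid_files` matches only files whose mode is exactly 2000 and so misses practically every setgid file; it should use the same form as the setuid line above it, `# find / -perm -2000 >> /root/setgid_files`. The mode numbers around the chmod examples are inconsistent with the commands: clearing the setuid bit from 4744 gives 0744, not 0664, and clearing setgid from 2744 gives 0744, not 0774. The two `auditctl -w ...` rules are runtime-only and are lost at reboot, so the text should say to persist them in the audit rules file, and the `/etc/passwd` example is shown with a `$` prompt although it needs root like the `/sbin/insmod` one. A path watch on `/sbin/insmod` only fires when that exact path is executed, so `modprobe` and direct use of the syscall are not seen; auditing the syscalls covers every path, e.g. `-a always,exit -F arch=b64 -S init_module,finit_module -k module_insertion`. The subsection order (1.9, 1.10 and 1.8 placed between 1.3 and 1.4) reads as unfinished.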
diff --git a/core/sysctl.html b/core/sysctl.html
index a5af197..afee463 100644
--- a/core/sysctl.html
+++ b/core/sysctl.html
@@ -33,6 +33,9 @@
         # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
         kernel.pid_max = 65536
 
+        #Yama LSM by default
+        kernel.yama.ptrace_scope = 1
+
         #
         # Filesystem Protections
         #
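Review bot: `#Yama LSM by default` does not say what `kernel.yama.ptrace_scope = 1` does or what it costs, while the hardening page changed in this same commit warns that it breaks gdb, strace, perf trace and reptyr; the comment here should carry that, e.g. `# Yama: only a process's descendants may be ptraced (1); attaching gdb/strace to unrelated processes needs CAP_SYS_PTRACE`. The key only exists on kernels built with Yama (CONFIG_SECURITY_YAMA), so on other kernels sysctl reports an unknown key for this line; a comment noting that would save a confused reader. The same missing comment applies to `net.core.bpf_jit_enable = 0` in the next hunk: it should state that this turns off the BPF JIT compiler (a hardening trade-off against JIT-based attacks at a performance cost) and that kernels built with CONFIG_BPF_JIT_ALWAYS_ON refuse the write.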
@@ -48,6 +51,8 @@
         # Network Protections
         #
 
+        net.core.bpf_jit_enable = 0
+
         # Increase Linux auto tuning TCP buffer limits
         # min, default, and max number of bytes to use
         # set max to at least 4MB, or higher if you use very high BDP paths
diff --git a/tools/irssi.html b/tools/irssi.html
index d4fcc0d..dbb1372 100644
--- a/tools/irssi.html
+++ b/tools/irssi.html
@@ -1,9 +1,39 @@
+
+
+    
+        
+        Irssi
+    
+    
 
-   Start up irssi, then:
-   /connect irc.freenode.net
-   /nick MyIRCNick
-   /SERVER ADD -auto -network freenode irc.freenode.net 6667 
+        Tools Index
+
+        

Irssi

+ +

Default configuration file is at /usr/etc/irssi.conf;

+ +
+        $ mkdir .irssi
+        $ cp /usr/etc/irssi.conf .irssi/config
+        
+ +

Start up irssi, then:

+ +
+        /connect irc.freenode.net
+        /nick MyIRCNick
+        /SERVER ADD -auto -network freenode irc.freenode.net 6667 <password>
+        /CHANNEL ADD -auto #crux freenode
+        
- (you may have to shutdown and restart irssi at this point for it to recognize the network name "freenode" in the next step) - /CHANNEL ADD -auto #crux freenode + + Tools Index +

+ This is part of the Hive System Documentation. + Copyright (C) 2019 + Hive Team. + See the file Gnu Free Documentation License + for copying conditions.

+ +
diff --git a/tools/x.html b/tools/x.html
index c693062..3efaf7a 100644
--- a/tools/x.html
+++ b/tools/x.html
@@ -17,34 +17,7 @@
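Review bot: The added `/SERVER ADD -auto -network freenode irc.freenode.net 6667 <password>` sends the password over a plaintext connection on port 6667, and irssi then writes it unencrypted into the `.irssi/config` file the page has the reader copy into place. The text should point readers at the TLS port instead, using `-ssl` (`-tls` on newer irssi releases) with the network's TLS port, typically 6697, and note that the config file should not be readable by other users, e.g. `$ chmod 600 .irssi/config`. It is also not stated whether the placeholder is a server password or a NickServ password; say which, since they are configured differently.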

Xorg

-        $ sudo prt-get depinst xorg-server \
-             xorg-xinit \
-             xorg-xrdb \
-             xorg-xdpyinfo \
-             xorg-xauth \
-             xorg-xmodmap \
-             xorg-xrandr \
-             xorg-xgamma \
-             xorg-xf86-input-evdev \
-             xorg-xf86-input-synaptics \
-             xsel \
-             xkeyboard-config
-        
- -

Fonts

- -
-        $ sudo prt-get depinst xorg-font-util \
-             xorg-font-alias \
-             xorg-font-dejavu-ttf \
-             xorg-font-cursor-misc \
-             xorg-font-misc-misc \
-             console-font-terminus \
-             xorg-font-terminus \
-             xorg-font-mutt-misc
-
-        $ prt-get search xorg-font-bitstream | xargs sudo prt-get depinst
-        $ prt-get search xorg-font-bh | xargs sudo prt-get depinst
+        $ prt-get depinst meta-desktop
         
@@ -53,35 +26,6 @@ $ prt-get depinst otf-sourcecode
-

Utilities

- -
-        $ sudo prt-get depinst \
-            alsa-utils \
-            libdrm \
-            mesa3d \
-            ffmpeg \
-            gstreamer \
-            gstreamer-vaapi \
-            gst-plugins-base \
-            gst-plugins-good \
-            gst-plugins-bad \
-            gst-plugins-ugly \
-            cmus \
-            dmenu \
-            st \
-            gparted \
-            gimp \
-            libreoffice \
-            ca-certificates \
-	    linux-pam \
-	    gstreamer \
-	    libgd \
-            icu \
-	    syndaemon \
-	    firefox
-        
-

Window Managers

@@ -92,7 +36,7 @@
 	 	mate
 	
-

Configure

+

Configure

Local xinitrc

-- cgit 1.4.1-2-gfad0