From 1fb8842d469c36e5b43e843d3759e3c18c120c47 Mon Sep 17 00:00:00 2001
From: Silvino
Date: Tue, 2 Jul 2019 18:33:16 +0100
Subject: core revision
---
core/hardening.html | 27 +++++++++++++++++++++++----
core/linux.html | 4 ++--
core/reboot.html | 16 ++++++++--------
core/toolchain.html | 3 +++
4 files changed, 36 insertions(+), 14 deletions(-) (limited to 'core')
diff --git a/core/hardening.html b/core/hardening.html
index d94cda6..200adfb 100644
--- a/core/hardening.html
+++ b/core/hardening.html
@@ -44,12 +44,12 @@

1.2 - Linux PAM

-

Cat /etc/pam.d/system-auth. Check pam modules, test on virtual machine, user can lockout during tests.

+

Cat /etc/pam.d/system-auth. Check pam modules, test on virtual machine, user can lockout during tests. Check files (processes); getfacl filename.

Check files (processes) set uid and set gid;

-        # find / -perm -4000 >> /root/setuid_files
+        # find / -perm 4000 >> /root/setuid_files
         # find / -perm 2000 >> /root/setguid_files
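Review bot: Changing `-perm -4000` to `-perm 4000` on the setuid line makes find match only files whose mode is exactly 4000, so ordinary setuid binaries (mode 4755, for example) are no longer listed and the audit file will be close to empty. The `-` prefix means "all of these bits are set", which is what a setuid inventory needs, so keep `# find / -perm -4000 >> /root/setuid_files`. The unchanged setgid line below it has the same problem and should read `# find / -perm -2000 >> /root/setguid_files`. Adding `-xdev -type f` to both, in the way the next hunk's commands use `-xdev`, would also keep the scan on one filesystem and limited to regular files.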
         
@@ -75,8 +75,17 @@ # chmod g-s filename -

Check files (processes); getfacl filename.

- , disable admins and root from sshd.

+

Find world writable files;

+ +
+        # find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
+        
+ +

No owner files;

+ +
+        # find /dir -xdev \( -nouser -o -nogroup \) -print
+        

1.3. Capabilities
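Review bot: The heading "Find world writable files;" does not match the command under it. `-type d \( -perm -0002 -a ! -perm -1000 \)` lists only world-writable directories that lack the sticky bit, so world-writable regular files are never reported. Either retitle the paragraph to say it covers world-writable directories without the sticky bit, or add a second line for files, `# find /dir -xdev -type f -perm -0002 -print`. The removed ", disable admins and root from sshd." fragment does not reappear in the visible hunks; if that advice is still intended, it needs its own sentence.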

@@ -133,6 +142,16 @@ # auditctl -w /sbin/insmod -p x -k module_insertion +

1.6 Network

+ +

Find listening services with command;

+ +
+        # ss -tulpn
+        # nmap -sT -O localhost
+        # nmap -sT -O machine.example.org
+        
+

2.6.0.2 Lynis

diff --git a/core/linux.html b/core/linux.html
index 670d0e7..d265925 100644
--- a/core/linux.html
+++ b/core/linux.html
@@ -686,8 +686,7 @@
 
         

2.1.2.14 Cryptographic API

-
-
+        
CONFIG_CRYPTO_LRW
Liskov Rivest Wagner, a tweakable, non malleable, non movable narrow block cipher mode for dm-crypt.
@@ -714,6 +713,7 @@
CONFIG_CRYPTO_TWOFISH=y
Twofish cipher algorithm
+
 	    *   MD4 digest algorithm
diff --git a/core/reboot.html b/core/reboot.html
index f7a34d6..fbf9cc1 100644
--- a/core/reboot.html
+++ b/core/reboot.html
@@ -2,13 +2,13 @@
 
     
         
-        1.4. Boot
+        1.3. Boot
     
     
 
         Core OS Index
 
-        

1.4. Boot

+

1.3. Boot

Follow this instructions with active chroot, first mount partitions
@@ -31,7 +31,7 @@ /bin/bash --login

-

1.4.1. Kernel

+

1.3.1. Kernel

Install linux-gnu port, linux libre kernel is a true source based kernel that
@@ -60,7 +60,7 @@ # pkgadd /usr/ports/packages/linux-gnu#4.9.86-2.pkg.tar.gz

-

1.4.2. Dracut

+

1.3.2. Dracut

Install dracut;

@@ -101,7 +101,7 @@ # dracut --kver 4.9.86-gnu
-

1.4.3. Grub

+

1.3.3. Grub

Create grub file in /etc/default/grub with values;

@@ -146,7 +146,7 @@ # grub-probe --target=hints_string / -

1.4.3.1. Rescue iso

+

1.3.3.1. Rescue iso

Simple way to have "resque" system is to mount boot as read only, this assures that even as root nothing can be changed without remount.
@@ -176,7 +176,7 @@ } -

1.4.4. Recover

+

1.3.4. Recover

Root password

@@ -204,7 +204,7 @@

Reboot computer using power / reset.

-

1.4.5. Checkup

+

1.3.5. Checkup

If you have qemu installed you can see if it boots, in this example sdb is usb external drive;

diff --git a/core/toolchain.html b/core/toolchain.html
index 9662217..34a6c34 100644
--- a/core/toolchain.html
+++ b/core/toolchain.html
@@ -25,6 +25,9 @@ export LDFLAGS="-z relro" +

Above should compile most of the packages, for more + "restrict" and other flags combinations check pkgmk.conf.handen.

+

Core

Ports in core collection that need to be changed in order -- cgit 1.4.1-2-gfad0