$ sudo prt-get depinst checksec
Check "normal" users' groups; make sure they are not in the admin or wheel group. List processes and their owners, then check a process's permissions:
$ ps -U root -u root u
$ ps axl | awk '$7 != 0 && $10 !~ "Z"'
$ ps -o gid,rgid,supgid -p "$pid"
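The group check above is easy to do incompletely: /etc/group only lists supplementary members, so an account whose primary GID is wheel, or a second UID-0 account, is missed. The script below is an added example (not part of the original notes) that merges all three views; it assumes wheel and admin are the privileged group names, and the passwd/group files it runs against are constructed samples.

```sh
#!/bin/sh
# Added example: report every account that holds admin-level privilege, not just
# the ones listed behind "wheel" in /etc/group. Not part of the original notes.
# Assumption: wheel and admin are the privileged group names on this system.

PRIV_GROUPS="wheel admin"

# uid0_accounts PASSWD: accounts whose UID is 0; anything besides root here
# is a second root account and needs an explanation
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# priv_group_members GROUP: supplementary members of the privileged groups
# (field 4 of /etc/group is a comma-separated member list)
priv_group_members() {
    for g in $PRIV_GROUPS; do
        awk -F: -v grp="$g" '$1 == grp && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) print m[i] " (" grp ")"
        }' "$1"
    done
}

# primary_priv_members PASSWD GROUP: accounts whose primary GID (field 4 of
# /etc/passwd) is a privileged group. These never show up in the group file's
# member list, so a check that only greps /etc/group misses them.
primary_priv_members() {
    for g in $PRIV_GROUPS; do
        gid=$(awk -F: -v grp="$g" '$1 == grp { print $3 }' "$2")
        [ -n "$gid" ] || continue
        awk -F: -v gid="$gid" -v grp="$g" \
            '$4 == gid { print $1 " (primary " grp ")" }' "$1"
    done
}

# audit_admins PASSWD GROUP: the three views merged into one sorted report
audit_admins() {
    {
        uid0_accounts "$1" | sed 's/$/ (uid 0)/'
        priv_group_members "$2"
        primary_priv_members "$1" "$2"
    } | sort -u
}

# make_sample DIR: constructed passwd/group files for a stand-alone run
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second uid-0 account:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
bob:x:1001:10::/home/bob:/bin/sh
carol:x:1002:1002::/home/carol:/bin/sh
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
wheel:x:10:alice
users:x:100:
alice:x:1000:
carol:x:1002:
EOF
}

TMP=$(mktemp -d)
make_sample "$TMP"
audit_admins "$TMP/passwd" "$TMP/group"   # on a live box: audit_admins /etc/passwd /etc/group
rm -rf "$TMP"
```

On the sample the report lists alice (wheel), bob (primary wheel), root (uid 0) and toor (uid 0); only the first of those would have been caught by reading the wheel line of /etc/group.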
Maintain passwords, store them hashed, and enforce strong passwords with pam-cracklib.
Read /etc/pam.d/system-auth (cat /etc/pam.d/system-auth) and check the PAM modules it uses; test changes on a virtual machine first, since a user can get locked out during tests. Check file access control lists;
$ getfacl filename
Check for set-uid and set-gid files;
# find / -perm -4000 >> /root/setuid_files
# find / -perm -2000 >> /root/setgid_files
To set the setuid bit (4744);
# chmod u+s filename
To remove it (0664) from su and Xorg (the user must be in the input and video groups for Xorg to run without it);
# chmod u-s /usr/bin/su
# chmod u-s /usr/bin/X
To set the setgid bit (2744);
# chmod g+s filename
To remove it (0774);
# chmod g-s filename
Find world-writable directories without the sticky bit;
# find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
Find files with no owner or no group;
# find /dir -xdev \( -nouser -o -nogroup \) -print
Check capabilities;
# getcap filename
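The setuid/setgid lists written to /root above are most useful as a baseline: the interesting event is a privileged binary appearing (or disappearing) later. The script below is an added example, not part of the original notes; it records the inventory of a tree and reports drift against it. The sample tree it runs on is constructed in a temporary directory, and it uses -perm -4000 / -perm -2000 (the leading dash means "these bits set", a bare -perm 4000 would only match a file whose mode is exactly 4000).

```sh
#!/bin/sh
# Added example: record the setuid/setgid inventory of a tree once, then report
# what changed since. A new privileged binary is a classic sign of trouble; a
# vanished one may be a broken package. Not part of the original notes.

# special_bits DIR: sorted list of regular files under DIR carrying the
# setuid (-perm -4000) or setgid (-perm -2000) bit
special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# write_baseline DIR FILE: save the current inventory
write_baseline() {
    special_bits "$1" > "$2"
}

# compare_baseline DIR FILE: print "+ path" for files that gained a special
# bit since the baseline and "- path" for files that lost one (or were removed).
# Returns 1 when anything changed, so it can drive a cron job or alert.
compare_baseline() {
    now=$(mktemp)
    special_bits "$1" > "$now"
    # comm needs sorted input; -13 keeps lines only in the new list, -23 only in the baseline
    added=$(comm -13 "$2" "$now")
    removed=$(comm -23 "$2" "$now")
    rm -f "$now"
    [ -n "$added" ] && printf '%s\n' "$added" | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    [ -z "$added$removed" ]
}

# make_sample_tree DIR: constructed tree with one setuid and one setgid file
make_sample_tree() {
    mkdir -p "$1/bin"
    : > "$1/bin/plain";     chmod 755 "$1/bin/plain"
    : > "$1/bin/suid_tool"; chmod 4755 "$1/bin/suid_tool"
    : > "$1/bin/sgid_tool"; chmod 2755 "$1/bin/sgid_tool"
}

TREE=$(mktemp -d)
make_sample_tree "$TREE"
write_baseline "$TREE" "$TREE/baseline"
# Simulate drift: a new setuid file appears and one setgid bit is removed
: > "$TREE/bin/newcomer"; chmod 4755 "$TREE/bin/newcomer"
chmod g-s "$TREE/bin/sgid_tool"
compare_baseline "$TREE" "$TREE/baseline" || echo "setuid/setgid inventory changed"
rm -rf "$TREE"
```

On a live system the baseline would be written once to a root-only location (the notes use /root) and compare_baseline run periodically against / instead of the temporary tree.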
Check sudo, sudoers and sudoreplay.
Don't run an editor as root; instead run sudoedit filename or sudo --edit filename. The editor can be set with an environment variable;
$ export SUDO_EDITOR=vim
Set rvim as the default editor in the sudo config;
# visudo
Defaults editor=/usr/bin/rvim
Once sudo is correctly configured, disable root login;
# passwd --lock root
$ prt-get depinst audit
Example: audit when the file /etc/passwd gets modified;
# auditctl -w /etc/passwd -p wa -k passwd_changes
Audit when a kernel module gets loaded;
# auditctl -w /sbin/insmod -p x -k module_insertion
Find listening services;
# ss -tulpn
# nmap -sT -O localhost
# nmap -sT -O machine.example.org
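The ss output above mixes sockets bound to loopback with those reachable from the network, and on a busy host the list is long. The script below is an added example (not part of the original notes) that reduces ss -tulpn output to the network-reachable sockets; the ss output it runs on is a constructed sample, and the column layout assumed is the one ss prints for -tulpn (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process).

```sh
#!/bin/sh
# Added example: take "ss -tulpn" output (live, or saved from a machine under
# review) and keep only the sockets reachable from the network, i.e. anything
# not bound to a loopback address. Not part of the original notes.

# exposed_listeners [FILE]: one line per network-reachable socket:
#   proto address port process
# Reads ss output from FILE or stdin; the header line is skipped.
exposed_listeners() {
    awk 'NR == 1 { next }
    {
        sock = $5
        # the port follows the last colon; an IPv6 address itself contains colons
        n = split(sock, parts, ":")
        port = parts[n]
        addr = substr(sock, 1, length(sock) - length(port) - 1)
        # loopback-only bindings are not exposed to the network
        if (addr ~ /^127\./ || addr == "[::1]") next
        # the process name sits inside the first quoted string of the Process
        # column; it is missing when ss ran without the privilege to see it
        proc = "-"
        if (match($7, /"[^"]*"/)) proc = substr($7, RSTART + 1, RLENGTH - 2)
        print $1, addr, port, proc
    }' "$@"
}

# count_exposed [FILE]: number of exposed sockets, for a quick pass/fail
count_exposed() {
    exposed_listeners "$@" | awk 'END { print NR }'
}

# make_sample_ss FILE: constructed ss -tulpn output for a stand-alone run
make_sample_ss() {
    cat > "$1" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:323     0.0.0.0:*         users:(("chronyd",pid=412,fd=5))
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*         users:(("dhcpcd",pid=390,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=501,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631     0.0.0.0:*         users:(("cupsd",pid=620,fd=6))
tcp   LISTEN 0      511    *:80              *:*
tcp   LISTEN 0      128    [::]:22           [::]:*            users:(("sshd",pid=501,fd=4))
tcp   LISTEN 0      128    [::1]:631         [::]:*            users:(("cupsd",pid=620,fd=7))
EOF
}

SAMPLE=$(mktemp)
make_sample_ss "$SAMPLE"
exposed_listeners "$SAMPLE"          # live: ss -tulpn | exposed_listeners
echo "exposed sockets: $(count_exposed "$SAMPLE")"
rm -f "$SAMPLE"
```

On the sample, four sockets are exposed (dhcpcd on udp/68, sshd on tcp/22 over IPv4 and IPv6, and a tcp/80 listener whose process column is empty because ss was run without privilege); chronyd and cupsd are loopback-only and drop out.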
$ sudo prt-get depinst lynis
Lynis gives an overview of the system's configuration; without changing the default profile it runs irrelevant tests. Create a Lynis profile by copying the default one, then run lynis;
$ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
$ sudo lynis configure settings color=yes
$ sudo lynis show settings
$ sudo lynis show profile
$ lynis audit system > lynis_report
$ mv /tmp/lynis.log .
$ mv /tmp/lynis-report.dat .
List the tests that are irrelevant for this system in the profile so they are skipped and the report has less noise.
This is part of the Hive System Documentation. Copyright (C) 2019 Hive Team. See the file GNU Free Documentation License for copying conditions.