Core OS Index

2.6. Hardening

2.6.0.1 System configuration

File systems
Check fstab and current mount options. Mount filesystems read-only; mount read-write only what is strictly necessary.
Sys
Check kernel settings with sysctl.
Iptables
Check if iptables rules are loaded and are correctly logging.
Apparmor
Check if apparmor is active and enforcing policies.
Samhain
Check if samhain is running.
Toolchain
Build ports using hardened toolchain settings.
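
The following is an added example, not part of the Hive documentation, for the file systems check above: it lists read-write mounts outside an allowlist and mount points that fstab declares ro but that are currently mounted rw. The allowlist RW_ALLOWED, the function names and the sample tables are assumptions constructed for illustration.

```shell
#!/bin/sh
# Column layout of both inputs: device mountpoint fstype options dump pass
RW_ALLOWED="/var /tmp /home"  # assumption: mount points that really need rw

# has_opt OPTIONS OPT: true only if OPT is a whole entry of the comma list
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# rw_not_allowed: mount table on stdin; print rw mount points that are not in
# RW_ALLOWED. Comment lines and pseudo filesystems are skipped.
rw_not_allowed() {
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        case "$fstype" in proc|sysfs|devtmpfs|devpts|tmpfs|swap) continue ;; esac
        if has_opt "$opts" rw; then
            case " $RW_ALLOWED " in *" $mnt "*) ;; *) printf '%s\n' "$mnt" ;; esac
        fi
    done
}

# fstab_drift FSTAB MOUNTS: print mount points declared ro in fstab that are
# currently rw in the live table (for example after a manual remount).
fstab_drift() {
    printf '%s\n' "$1" | while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        has_opt "$opts" ro || continue
        printf '%s\n' "$2" | while read -r d m t o r; do
            if [ "$m" = "$mnt" ] && has_opt "$o" rw; then printf '%s\n' "$mnt"; fi
        done
    done
}

# Constructed sample data, not taken from a real system.
SAMPLE_FSTAB='/dev/sda2 / ext4 ro,noatime 0 1
/dev/sda3 /usr ext4 ro,nodev 0 2
/dev/sda4 /var ext4 rw,nosuid,nodev 0 2'
SAMPLE_MOUNTS='/dev/sda2 / ext4 ro,noatime 0 0
/dev/sda3 /usr ext4 rw,nodev,relatime 0 0
/dev/sda4 /var ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda1 /boot ext2 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | rw_not_allowed
fstab_drift "$SAMPLE_FSTAB" "$SAMPLE_MOUNTS"
```

On a live system, pass the contents of /etc/fstab and /proc/mounts instead of the sample variables.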

System security

        $ sudo prt-get depinst checksec
        
User / Pam
A normal user is not part of the wheel group and has no administration rights.
Disable su.
Processes
Check processes running as root.
Check process users' permissions.

2.6.0.2 Lynis

        $ sudo prt-get depinst lynis
        

Lynis gives an overall view of the system configuration; without changing the default profile it runs irrelevant tests. Create a Lynis profile by copying the default one, then run lynis:

        $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
        $ sudo lynis configure settings color=yes
        $ sudo lynis show settings
        $ sudo lynis show profile
        
        $ lynis audit system > lynis_report
        $ mv /tmp/lynis.log .
        $ mv /tmp/lynis-report.dat .
        

Add the unnecessary tests to the custom profile so they are skipped, which gives less noise in the report.


This is part of the Hive System Documentation. Copyright (C) 2019 Hive Team. See the file Gnu Free Documentation License for copying conditions.