<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset='utf-8'>
<title>2.6. Hardening</title>
</head>
<body>
<a href="index.html">Core OS Index</a>
<h1>2.6. Hardening</h1>
<h2>2.6.0.1 System configuration</h2>
<dl>
<dt>File systems</dt>
<dd>Check <a href="install.html#fstab">fstab</a> and the current mount options. Mount file systems read only wherever possible, and read-write only where strictly necessary.</dd>
<dt>Sys</dt>
<dd>Check kernel settings with <a href="sysctl.html">sysctl</a>.</dd>
<dt>Iptables</dt>
<dd>Check if <a href="network.html#iptables">iptables</a> rules are loaded and are correctly logging.</dd>
<dt>Apparmor</dt>
<dd>Check if <a href="apparmor.html">apparmor</a> is active and enforcing policies.</dd>
<dt>Samhain</dt>
<dd>Check if <a href="samhain.html">samhain</a> is running.</dd>
<dt>Toolchain</dt>
<dd>Build ports using hardened <a href="toolchain.html">toolchain</a> settings.</dd>
</dl>
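<p>The following script is an added example for the "File systems" item above; it is not part of the Hive documentation. It compares the options each file system is currently mounted with against a small policy, so a partition that should be read only but is mounted rw shows up as a finding. The mountpoints and required options in MOUNT_POLICY and the /proc/mounts sample are illustrative assumptions; adapt the policy to the fstab of the machine being hardened.</p>

```shell
#!/bin/sh
# Added example (not Hive's own code): audit current mount options against
# a minimal policy. Input is in /proc/mounts format:
#   device mountpoint type options dump pass
# MOUNT_POLICY below is an assumption for illustration: one line per
# mountpoint followed by the comma-separated options that must be present.
MOUNT_POLICY="/ ro
/usr ro
/boot ro,nodev,nosuid,noexec
/tmp nodev,nosuid,noexec
/home nodev,nosuid
/var nodev,nosuid"

# Constructed sample of /proc/mounts used for the self-test.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /usr ext4 ro,relatime 0 0
/dev/sda1 /boot ext4 ro,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda4 /home ext4 rw,nosuid,nodev,relatime 0 0'

# has_opt OPTIONS OPT: true if OPT is one of the comma-separated OPTIONS.
has_opt() {
    case ",$1," in
        *,"$2",*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mounts [FILE]: audit FILE (default /proc/mounts) against MOUNT_POLICY.
# Prints "MISSING <mountpoint> <option>" for every required option that is
# absent and "NOMOUNT <mountpoint>" when the policy expects a separate file
# system that is not mounted at all. Prints nothing when everything matches.
check_mounts() {
    file="${1:-/proc/mounts}"
    printf '%s\n' "$MOUNT_POLICY" | while read -r mp wanted; do
        # options of the last mount at this mountpoint (the one in effect)
        opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$file")
        if [ -z "$opts" ]; then
            printf 'NOMOUNT %s\n' "$mp"
            continue
        fi
        for opt in $(printf '%s' "$wanted" | tr ',' ' '); do
            has_opt "$opts" "$opt" || printf 'MISSING %s %s\n' "$mp" "$opt"
        done
    done
}

# mounts_ok [FILE]: exit status 0 only when check_mounts has no findings.
mounts_ok() {
    [ -z "$(check_mounts "$1")" ]
}

# Usage on the live system:  sh mountcheck.sh audit
if [ "${1:-}" = "audit" ]; then
    findings=$(check_mounts)
    if [ -z "$findings" ]; then
        echo "mount options: OK"
    else
        printf 'mount options: FINDINGS\n%s\n' "$findings"
    fi
fi
```

<p>Run against the constructed sample the script reports MISSING / ro, MISSING /tmp noexec and NOMOUNT /var; a clean run prints nothing, which makes it easy to wire into samhain or a cron job as a regression check after every fstab change.</p>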
<h2>System security</h2>
<pre>
$ sudo prt-get depinst checksec
</pre>
<p>checksec reports the hardening properties of installed binaries (RELRO, stack canary, NX, PIE), which is how to confirm that ports were really built with the hardened toolchain settings.</p>
<dl>
<dt>User / Pam</dt>
<dd>Check that no normal user is a member of the wheel group
or otherwise holds administrative rights.</dd>
<dd>Disable su.</dd>
<dt>Processes</dt>
<dd>Check which processes run as root.</dd>
<dd>Check the permissions of the users the remaining processes run as.</dd>
</dl>
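<p>The following script is an added example for the "User / Pam" and "Processes" checks above; it is not part of the Hive documentation. Each function takes a file argument so it can be exercised on the constructed samples embedded in the script; on a live system pass /etc/group, /etc/passwd and the saved output of ps -eo user,pid,args. The account and process names in the samples are made up.</p>

```shell
#!/bin/sh
# Added example (not Hive's own code): find accounts with administrative
# rights and review which processes run as root or as a given user.

# Constructed samples for the self-test below.
SAMPLE_GROUP='root:x:0:
wheel:x:10:root,alice
users:x:100:alice,bob'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
toor:x:0:0:a second uid 0 account:/root:/bin/sh
alice:x:1000:100::/home/alice:/bin/sh'
# Output of "ps -eo user,pid,args" (header line included).
SAMPLE_PS='USER       PID COMMAND
root         1 /sbin/init
root         2 [kthreadd]
root       412 /usr/sbin/sshd -D
root       433 /usr/sbin/samhain -t check
nobody     450 /usr/sbin/dnsmasq
alice      612 -bash
alice      640 /usr/bin/vim notes.txt'

# nonroot_wheel_members GROUPFILE: members of wheel other than root, one per
# line. Any output is a finding for "normal user is not part of wheel".
nonroot_wheel_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != "root") print m[i]
    }' "$1"
}

# extra_uid0 PASSWDFILE: accounts other than root that have uid 0, i.e.
# full administrative rights without being named root.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# root_procs PSFILE: "pid command" of user-space processes running as root.
# The header line and kernel threads (command in square brackets) are skipped.
root_procs() {
    awk 'NR > 1 && $1 == "root" && $3 !~ /^\[/ { print $2, $3 }' "$1"
}

# procs_of PSFILE USER: "pid command" of processes owned by USER, to review
# that a service account only runs what it is expected to run.
procs_of() {
    awk -v u="$2" 'NR > 1 && $1 == u { print $2, $3 }' "$1"
}

# Usage on the live system:  sh usercheck.sh audit
if [ "${1:-}" = "audit" ]; then
    snap=$(mktemp)
    ps -eo user,pid,args > "$snap"
    echo "wheel members other than root:"; nonroot_wheel_members /etc/group
    echo "extra uid 0 accounts:";          extra_uid0 /etc/passwd
    echo "processes running as root:";     root_procs "$snap"
    rm -f "$snap"
fi
```

<p>On the samples, nonroot_wheel_members reports alice, extra_uid0 reports toor, and root_procs lists init, sshd and samhain while leaving out the kthreadd kernel thread. Every root process that remains in the real list should have a reason to be there; anything else is a candidate for a dedicated unprivileged user.</p>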
<h2>2.6.0.2 Lynis</h2>
<pre>
$ sudo prt-get depinst lynis
</pre>
<p>Lynis gives an overview of the system's overall configuration. With the
default profile it also runs tests that are irrelevant for this system, so
create a custom profile by copying the default one, check the settings,
and run lynis:</p>
<pre>
$ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
$ sudo lynis configure settings color=yes
$ sudo lynis show settings
$ sudo lynis show profile
</pre>
<pre>
$ lynis audit system > lynis_report
$ mv /tmp/lynis.log .
$ mv /tmp/lynis-report.dat .
</pre>
<p>Add the IDs of unnecessary tests to the custom profile as skip-test entries so that later runs produce less noise.</p>
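<p>The following script is an added example of that profile trimming; it is neither Hive's nor Lynis's own code. It reads the test IDs from lynis-report.dat, whose finding lines have the form suggestion[]=TEST-ID|text|details|solution| (and warning[]= likewise), and appends the IDs you judge to be noise to the custom profile as skip-test= lines without duplicating entries that are already there. The sample report embedded in the script is constructed; its test IDs and messages are illustrative and should be replaced by what Lynis actually reports on the machine being audited.</p>

```shell
#!/bin/sh
# Added example (not Hive's or Lynis's code): maintain skip-test entries in
# a Lynis profile from the IDs found in a lynis-report.dat file.

# Constructed sample report; IDs and messages are illustrative only.
SAMPLE_REPORT='lynis_version=2.7.5
hostname=hive
suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration|-|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|'

# report_ids REPORT KIND: test IDs of KIND (warning or suggestion), in the
# order they appear in the report.
report_ids() {
    sed -n "s/^$2\[]=\([A-Z]*-[0-9]*\)|.*/\1/p" "$1"
}

# add_skip_tests PROFILE ID...: append skip-test=ID for each ID the profile
# does not already skip. Safe to re-run with the same IDs.
add_skip_tests() {
    profile="$1"; shift
    for id in "$@"; do
        grep -qx "skip-test=$id" "$profile" || printf 'skip-test=%s\n' "$id" >> "$profile"
    done
}

# skipped_tests PROFILE: IDs the profile currently skips.
skipped_tests() {
    sed -n 's/^skip-test=//p' "$1"
}

# Usage after an audit run, for example to silence the GRUB password
# suggestion on a machine without GRUB (paths are the ones used on this page):
#   sh lynisprofile.sh ids /tmp/lynis-report.dat suggestion
#   sh lynisprofile.sh add /etc/lynis/custom.prf BOOT-5122
#   sh lynisprofile.sh list /etc/lynis/custom.prf
case "${1:-}" in
    add)  shift; add_skip_tests "$@" ;;
    list) skipped_tests "$2" ;;
    ids)  report_ids "$2" "$3" ;;
esac
```

<p>Only skip a test because it does not apply to the system, not because its finding is inconvenient; a warning such as the iptables one in the sample is exactly what the earlier Iptables check is meant to catch and should be fixed rather than silenced.</p>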
<a href="index.html">Core OS Index</a>
<p>This is part of the Hive System Documentation.
Copyright (C) 2019
Hive Team.
See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
for copying conditions.</p>
</body>
</html>