<!DOCTYPE html>
<html dir="ltr" lang="en">
    <head>
        <meta charset='utf-8'>
        <title>2.6. Hardening</title>
    </head>
    <body>

        <a href="index.html">Core OS Index</a>

        <h1>2.6. Hardening</h1>

        <h2>2.6.0.2 System security</h2>

        <dl>
            <dt>File systems</dt>
            <dd>Check <a href="install.html#fstab">fstab</a> and the current mount options. Mount filesystems read-only; mount read-write only those that strictly need it.</dd>
            <dt>Sys</dt>
            <dd>Check kernel settings with <a href="sysctl.html">sysctl</a>.</dd>
            <dd>Raising kernel.yama.ptrace_scope breaks gdb, strace, perf trace and reptyr.</dd>
            <dt>Iptables</dt>
            <dd>Check if <a href="network.html#iptables">iptables</a> rules are loaded and are logging correctly (firewalld works as an API to iptables).</dd>
            <dt>Apparmor</dt>
            <dd>Check if <a href="apparmor.html">apparmor</a> is active and enforcing policies.</dd>
            <dt>Samhain</dt>
            <dd>Check if <a href="samhain.html">samhain</a> is running.</dd>
            <dt>Toolchain</dt>
            <dd>Build ports using hardened <a href="toolchain.html">toolchain</a> settings.</dd>
        </dl>


        <pre>
        $ sudo prt-get depinst checksec
        </pre>

        <h2>2.6.0.1 System configuration</h2>

        <h3>1.1 - Users, groups, passwords and sudo</h3>

        <p>Check "normal" users' groups and make sure they are not in the admin or wheel group. List the processes running as root, list user-space processes that are not zombies, and show a process's group IDs (effective, real and supplementary);</p>

        <pre>
        $ ps -U root -u root u
        $ ps axl | awk '$7 != 0 &amp;&amp; $10 !~ "Z"'
        $ ps -o gid,rgid,supgid -p "$pid"
        </pre>

        <p>Keep passwords stored as hashes and enforce strong passwords with pam-cracklib.</p>


        <h3>1.2 - Linux PAM</h3>

        <p>Read /etc/pam.d/system-auth and check the PAM modules in use. Test changes on a virtual machine first; a user can get locked out during tests. Check file ACLs with getfacl filename.</p>

        <p>Find setuid and setgid files;</p>

        <pre>
        # find / -type f -perm -4000 &gt;&gt; /root/setuid_files
        # find / -type f -perm -2000 &gt;&gt; /root/setgid_files
        </pre>

        <p>To set the setuid bit (4744);</p>

        <pre>
        # chmod u+s filename
        </pre>

        <p>To remove it (0664) from su and Xorg (the user must be in the input and video groups for Xorg to run without setuid);</p>

        <pre>
        # chmod u-s /usr/bin/su
        # chmod u-s /usr/bin/X
        </pre>

        <p>To set the setgid bit (2744);</p>
        <pre>
        # chmod g+s filename
        </pre>
        <p>To remove it (0774);</p>
        <pre>
        # chmod g-s filename
        </pre>

        <p>Find world-writable directories without the sticky bit;</p>

        <pre>
        # find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
        </pre>

        <p>Find files with no owner or no group;</p>

        <pre>
        # find /dir -xdev \( -nouser -o -nogroup \) -print
        </pre>
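        <p>The setuid/setgid listing above saved to a file is, in effect, a baseline. The script below, an added example and not part of the Tribu documentation, turns it into a check that reports files which gained or lost those bits since the baseline was taken; it assumes GNU find and GNU diff, and the demonstration tree it scans is constructed in a temporary directory.</p>

```shell
#!/bin/sh
# Added example, not part of the Tribu documentation: keep a baseline of
# setuid/setgid files (the page saves the find output to /root/setuid_files)
# and report files that gained or lost those bits since the baseline.
# Assumes GNU find and GNU diff; the demonstration tree is constructed.

# Print "mode path" for every setuid or setgid regular file under $1.
# -perm /6000 matches files with EITHER bit set; "-perm 4000" would only
# match a file whose mode is exactly 4000.
list_suid_sgid() {
    find "$1" -xdev -type f -perm /6000 -printf '%m %p\n' 2>/dev/null | sort
}

# Save the current state of tree $1 as baseline file $2.
baseline_suid_sgid() {
    list_suid_sgid "$1" > "$2"
}

# Compare tree $1 with baseline $2. Prints "+ mode path" for files that
# became setuid/setgid and "- mode path" for files that lost the bits.
# Returns 0 when nothing changed, 1 when there is any difference.
check_suid_sgid() {
    changes=$(list_suid_sgid "$1" | diff --old-line-format='- %L' \
        --new-line-format='+ %L' --unchanged-line-format='' "$2" - || true)
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Demonstration on a constructed tree in a temporary directory.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/bin"
for f in su passwd ls; do : > "$demo_dir/bin/$f"; done
chmod 4755 "$demo_dir/bin/su" "$demo_dir/bin/passwd"    # setuid, in the baseline
chmod 0755 "$demo_dir/bin/ls"                           # ordinary binary
baseline_suid_sgid "$demo_dir" "$demo_dir/baseline"
chmod u+s "$demo_dir/bin/ls"    # a new setuid file appeared
chmod u-s "$demo_dir/bin/su"    # the page's "chmod u-s /usr/bin/su"
check_suid_sgid "$demo_dir" "$demo_dir/baseline" || echo "setuid/setgid set has changed"
rm -rf "$demo_dir"
```

        <p>Run baseline_suid_sgid once on a freshly installed system and check_suid_sgid from cron or after every package update; a non-zero exit status means the set of privileged binaries changed.</p>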

        <h3>1.3. Capabilities</h3>

        <p>Check file capabilities;</p>
        <pre>
        # getcap filename
        </pre>

        <dl>
            <dd>1.8 - Block host IPs based on iptables and service abuse.</dd>
            <dd>1.9 - Limit the number of processes.</dd>
            <dd>1.10 - Lock a user after 3 failed logins.</dd>
        </dl>

        <h3>1.4 Sudo</h3>

        <p>Check sudo, sudoers and sudo replay.</p>

        <p>Don't run an editor as root; instead run sudoedit filename or sudo --edit filename. The editor can be set with an environment variable;</p>

        <pre>
        $ export SUDO_EDITOR=vim
        </pre>

        <p>Set rvim as the default editor in the sudo configuration;</p>

        <pre>
        # visudo

        Defaults editor=/usr/bin/rvim
        </pre>

        <p>Once sudo is correctly configured, disable root login;</p>

        <pre>
        # passwd --lock root
        </pre>

        <h3>1.5 Auditd</h3>

        <pre>
        $ prt-get depinst audit
        </pre>

        <p>Example: audit when the file /etc/passwd gets modified;</p>

        <pre>
        # auditctl -w /etc/passwd -p wa -k passwd_changes
        </pre>

        <p>Audit when a module gets loaded;</p>

        <pre>
        # auditctl -w /sbin/insmod -p x -k module_insertion
        </pre>

        <h3>1.6 Network</h3>

        <p>Find listening services;</p>

        <pre>
        # ss -tulpn
        # nmap -sT -O localhost
        # nmap -sT -O machine.example.org
        </pre>
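        <p>Listing listeners is only useful against a list of what should be listening. The script below is an added example, not from the Tribu documentation: it reads ss -tulpn output and reports every socket bound to all interfaces whose proto:port is not in an expected list; the expected list and the ss output are constructed, and the column layout is assumed to be that of iproute2's ss.</p>

```shell
#!/bin/sh
# Added example, not from the Tribu documentation: compare "ss -tulpn"
# output (the page's command) with the services this host is expected to
# expose, and report every other listener bound to all interfaces.
# Loopback-only listeners are ignored. The sample ss output is constructed.

# Services expected to be reachable from the network, as proto:port (assumed).
EXPECTED_LISTENERS='tcp:22
udp:123'

# Constructed "ss -tulpn" output standing in for a live run.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*      users:(("ntpd",pid=401,fd=16))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*      users:(("resolved",pid=320,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*      users:(("sshd",pid=612,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*      users:(("cupsd",pid=700,fd=7))
tcp   LISTEN 0      511    *:80               *:*            users:(("nginx",pid=802,fd=6))
tcp   LISTEN 0      128    [::]:5900          [::]:*'

# Read ss -tulpn output on stdin and print "proto port process" for each
# socket bound to 0.0.0.0, [::] or * whose proto:port is not listed in $1.
unexpected_listeners() {
    awk -v expected="$1" '
        BEGIN { n = split(expected, e, "\n"); while (n > 0) ok[e[n--]] = 1 }
        NR == 1 { next }                                  # skip the header line
        $2 !~ /^(LISTEN|UNCONN)$/ { next }                # tcp listeners, udp sockets
        {
            port = $5; sub(/.*:/, "", port)               # text after the last colon
            host = substr($5, 1, length($5) - length(port) - 1)
            if (host !~ /^(0\.0\.0\.0|\[::\]|\*)$/) next  # not bound to all interfaces
            if (($1 ":" port) in ok) next                 # an expected service
            print $1, port, (NF > 6 ? $7 : "-")           # "-" when no process is shown
        }'
}

# Live use: ss -tulpn | unexpected_listeners "$EXPECTED_LISTENERS"
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$EXPECTED_LISTENERS"
```

        <p>With the sample above the check reports the nginx listener on tcp/80 and the unattributed listener on tcp/5900; the process column is empty when ss is run without root, which is why the page runs it as root.</p>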

        <h2>2.6.0.2 Lynis</h2>

        <pre>
        $ sudo prt-get depinst lynis
        </pre>

        <p>Lynis gives an overview of the system's overall configuration.
        Without changing the default profile it runs tests that are irrelevant for this system.
        Create a Lynis profile by copying the default one, then run lynis;</p>

        <pre>
        $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
        $ sudo lynis configure settings color=yes
        $ sudo lynis show settings
        $ sudo lynis show profile
        </pre>

        <pre>
        $ lynis audit system > lynis_report
        $ mv /tmp/lynis.log .
        $ mv /tmp/lynis-report.dat .
        </pre>

        <p>Add the tests that are irrelevant for this system to the profile as skipped tests to reduce noise.</p>

        <a href="index.html">Core OS Index</a>
        <p>This is part of the Tribu System Documentation.
        Copyright (C) 2020
        Tribu Team.
        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
        for copying conditions.</p>

    </body>
</html>