FedoraCore6 Hardened
From Rivalug Wiki
Notes for Hardening a Fedora Core 6 installation.
Also see FedoraCore6, FedoraCore6_Hardened_Evaluation and FedoraCore6_Appendix
This document
- Written by Carlisle
This document is a draft and currently a work in progress. Headings beginning with a '*' have not been updated to reflect Fedora Core 6 yet.
--Carlisle 14:29, 16 Jan 2007 (PST)
Disclaimer
Please don't try any of these suggestions on important systems without researching and understanding what they do first.
History
started on 15 Nov 2006
Reporting errors
Fedora Core 6
Why Use Fedora Core 6?
Features
Fedora Core 6 was released on August 24, 2006.
Release Notes: http://fedora.redhat.com/docs/release-notes/fc6/en_US/
Selected Features:
kernel 2.6.18, gcc 4.1.1, glibc 2.5, gnome 2.16, kde 3.5.4, openssh 4.3, firefox 1.5.0.7, thunderbird 1.5.0.7
*References for Hardening
*CIS Red Hat Enterprise Linux Benchmark 1.0.5 (CIS)
Center for Internet Security:
http://www.cisecurity.org/
Linux Benchmark:
http://www.cisecurity.org/bench_linux.html
*SANS Securing Linux version 2.0 (SL)
Oct 2003 ISBN 0-9743727-7-3 $39 https://store.sans.org/store_item.php?item=83
*Bastille Linux 3.0.9 (BL)
http://www.bastille-linux.org/
*SANS Track 506: Securing Unix/Linux Track (SU)
*Simpaticus Bare-Bones Server HOWTO
http://www.simpaticus.com/linux/barebones-server-howto.php by Rodolfo J. Paiz
*NIST Recommended Security Controls for Federal Information Systems
http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf
Securing and Hardening Red Hat Linux Production Systems
by Werner Puschitz http://www.puschitz.com/SecuringLinux.shtml
National Security Agency Security Configuration Guides
Installation
Download
Official Site: http://download.fedora.redhat.com/pub/fedora/linux/core/6/i386/iso/
Local Mirror: http://mirror.vcu.edu/pub/linux/fedora/6/i386/iso/
Bittorrent: http://torrent.fedoraproject.org/
If you intend to download the Fedora Core 6 DVD ISO image, keep in mind that not all file downloading tools can accommodate files larger than 2GB in size. For example, wget will exit with a "File size limit exceeded" error. Under Windows, browsers cannot do HTTP transfers of files over 2GB, but FTP transfers work.
The curl and ncftpget file downloading tools do not have this limitation, and can successfully download files larger than 2GB.
How to download ISOs with wget
FTP:
wget -c ftp://mirror.vcu.edu/pub/linux/fedora/6/i386/iso/FC-6-i386-disc*.iso
wget ftp://mirror.vcu.edu/pub/linux/fedora/6/i386/iso/SHA1SUM
HTTP:
wget -c http://mirror.vcu.edu/pub/linux/fedora/6/i386/iso/FC-6-i386-disc1.iso
wget -c http://mirror.vcu.edu/pub/linux/fedora/6/i386/iso/FC-6-i386-disc2.iso
wget -c http://mirror.vcu.edu/pub/linux/fedora/6/i386/iso/FC-6-i386-disc3.iso
wget -c http://mirror.vcu.edu/pub/linux/fedora/6/i386/iso/FC-6-i386-disc4.iso
wget http://mirror.vcu.edu/pub/linux/fedora/6/i386/iso/SHA1SUM
How to download ISOs with curl
curl -C - -O <url>
How to verify ISOs
sha1sum -c SHA1SUM
Support
Sites:
http://fedora.redhat.com/
http://fedoranews.org/
http://fedorasolved.org
http://www.fedorafaq.org/
http://www.fedoraforum.org/
http://www.tldp.org/
http://fcp.homelinux.org/
http://fcp.homelinux.org/modules/wffaq/
For Laptops:
http://www.linux-laptop.net/
http://fedoramobile.org/
Mailing Lists with archives:
http://www.redhat.com/mailman/listinfo/fedora-list
http://www.redhat.com/mailman/listinfo/fedora-test-list
IRC:
http://fedora.redhat.com/participate/communicate/
*Installing a Minimum System
The test system I'm using has a Pentium II 333 MHz CPU with 128 MB RAM.
You will need to do a graphical installation to get to the option to choose a minimum installation.
If this is a newly burned CD, do media check, else skip it.
Choose Language (defaults: English), Keyboard (default: U.S. English), Mouse.
Choose Custom Installation.
Partition with Disk Druid. For this hardened system, we will choose several partitions so that different security settings can be applied to each partition. Some recommendations:
swap of at least twice physical RAM
/ of at least 200 MB, more if you don't have a separate /home or /tmp
/boot at least 60 MB
/usr at least 600 MB, more if you don't have a separate /usr/local
/var of at least 384 MB
possibly a /usr/local partition of at least 100 MB
possibly a /tmp partition
possibly a /home partition
Select a network setting appropriate to your situation. Choose Firewall Security: High, but allow incoming ssh. Choose Additional Language Support (default: English), select Time Zone, use of Daylight Saving Time, and whether the System Clock uses UTC (in general, you can select this unless you dual boot with Windows).
Enter root password, and select MD5 and shadow passwords.
Choose Package Group Selection -> Miscellaneous -> Minimal.
Installation will now begin, once it is finished create a boot disk.
After the new system has booted, log in as root and create a user account for yourself.
*Tuning IDE Harddrive performance
(this appears not to be needed under fc5 - researching)
edit /etc/sysconfig/harddrive
FedoraCore3_Appendix#harddisks
Reference: http://support.pa.msu.edu/help/faqs/linux/harddisks.html
*FC5 Issues with Binary Video Drivers (nVidia & ATI)
see http://www.mjmwired.net/resources/mjm-fedora-fc5.html#nvidia
This issue has now been fixed with the release of the 2.6.16-1.2080 kernel
If you install manually, the packages binutils, gcc and kernel-[smp-]devel need to be installed;
otherwise use the livna repository to install their kernel modules.
*Updating with Yum
Yum is a package updater that was originally created for Yellow Dog Linux. It now is used by many systems to download and resolve package dependencies.
*Installing GPG Keys
In past distributions, one had to manually load the GPG keys used to authenticate that downloaded packages were identical to the ones released by the vendor.
That is no longer necessary once you update to beyond yum version XX.
So the first thing to do is update yum. We will do this using yum as follows:
yum update yum
We can now embed the GPG Keys into the yum.conf file and the keys will be installed before the packages.
*Yum Repositories
| Label | Primary Repository Location | Description |
|---|---|---|
| base | http://download.fedora.redhat.com/pub/fedora/linux/core/5/i386/os/Fedora/RPMS/ | These are the official packages that exist at release time. |
| updates-released | http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/i386/ | These are the official updates. The ones developed after RedHat support ended have the word legacy in the package name. |
| fedora-extras | http://download.fedora.redhat.com/pub/fedora/linux/extras/5/i386/ | 3rd party packages created by the Fedora Extras Project |
| livna | http://rpm.livna.org/fedora/5/i386/ | 3rd party packages created by the Livna Project. To use it, read the Configuration Page. |
*yum.conf
see FedoraCore3_Appendix#yum.conf
*Using Yum Commands
| Action | Command | Example |
|---|---|---|
| apply all updates | yum update | |
| apply all updates with exclusions | yum --exclude <package> update | yum --exclude kernel* update |
| show all packages available | yum list | |
| install package | yum install <package name> | |
| remove package | yum remove <package name> | |
| get information on a package | yum info <package name> | |
| which package provides a feature or file | yum provides <feature> | |
| search packages containing this word | yum search <string> | |
*Hardening
*Backup original files
Installing Java
The latest CIS Benchmarking Tool is java based, requiring us to install jre 1.5.x
*Installing the CIS Benchmark Tool
go to this page:
http://www.cisecurity.org/bench_linux.html
click the download link
select your user classification: Public, Government, Education
enter your name, organization, email address
check Linux level-1
read the License Agreement, check I Accept
click on the link: Download the Linux Tool archive
you then download the file: cis_score_tool_linux_v1.6.4.sh.bz2
run bunzip2 cis_score_tool_linux_v1.6.4.sh.bz2
run ./cis_score_tool_linux_v1.6.4.sh
To use:
run ./cis-scan
to see changes that need to be made to get a better score:
egrep "^Negative" ./cis-most-recent-log
*Evaluating the Unhardened System
*CIS Benchmark Scoring Tool
*Chkconfig List of a Minimal Install
*Process List
*Disk Usage
*Open Network Connections
*Open Files
*nessus
Making the Minimum System even smaller
Following suggestions found here: http://www.simpaticus.com/linux/small-netserver-fc3-howto.php
(sadly this page no longer exists, but it can be found on the Wayback Machine: http://web.archive.org/web/20050405142905/www.simpaticus.com/linux/barebones-server-howto.php )
and my own experiments, I was able to remove the following packages without affecting normal operation:
yum remove acl acpid apmd aspell aspell-en authconfig autofs bluez-utils bluez-libs bluez-pin ccid coolkey cpuspeed crash desktop-file-utils dhcdbd dhcpv6_client diskdumputils dos2unix dosfstools dump fbset finger firstboot-tui gpm htmlview ifd-egate irda-utils ipsec-tools iptstate jwhois krb5-workstation ksh libevent libgssapi libnl lftp mailcap mgetty mkbootdisk mtools mtr NetworkManager nano netdump nc nfs-utils nfs-utils-lib nscd nss_db nss_ldap pam_ccreds pam_krb5 pam_pkcs11 pam_smb pcmciautils pcsc-lite perl-String-CRC32 pinfo portmap ppp quota rdate rdist readahead redhat-menus rmt rp-pppoe rsh setuptool specspo stunnel syslinux system-config-network-tui talk tcpdump telnet traceroute tree unix2dos unzip usbutils vconfig which wpa_supplicant ypbind yp-tools zip
Finally now that we have minimized the system, we can do a complete update:
yum update
Reference: Simpaticus http://www.simpaticus.com/linux/barebones-server-howto.php#trimfat1
*remove lingering files and accounts
find / -nouser
find / -nogroup
rm -rf /var/lib/nfs
change the shell of the rpm account to /dev/null or /sbin/nologin
CIS recommends changing /sbin/nologin to /dev/null on these accounts:
bin daemon lp mail nobody vcsa sshd rpc mailnull smmsp ntp
rpcuser apache http httpd named dns mysql postgress squid
use usermod -L -s /dev/null <account>
SL uses /sbin/nologin so that a banner is shown when someone reaches an account with the nologin shell; edit /etc/nologin.txt
Reference: CIS 3.6
kickstart file
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/ch-kickstart2.html
The kickstart file created by your initial install is located in /root/anaconda-ks.cfg An example of the original kickstart file is here: HardeningRedHat9_Appendix#original_kickstart_file
# Kickstart file automatically generated by anaconda.
install
text
cdrom
lang en_US.UTF-8
keyboard us
skipx
monitor --hsync 30-70 --vsync 50-120
network --device eth0 --bootproto static --ip 192.168.1.2 --netmask 255.255.255.0 --gateway 192.168.1.1 --nameserver 192.168.1.1 --hostname example.host
network --device eth1 --onboot no --bootproto dhcp --hostname example.host
rootpw --iscrypted $1$blah
firewall --enabled --port=22:tcp
authconfig --enableshadow --enablemd5
selinux --enforcing
timezone --utc America/New_York
#zerombr yes
bootloader --location=mbr --driveorder=sda
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
clearpart --linux
part /boot --fstype ext3 --ondisk=sda --size=200 --asprimary
part /usr/local --fstype ext3 --ondisk=sda --size=3000
part /home --fstype ext3 --ondisk=sda --size=3000
part /var --fstype ext3 --ondisk=sda --size=3000
part /usr --fstype ext3 --ondisk=sda --size=3000
part / --fstype ext3 --ondisk=sda --size=3000 --asprimary
part swap --size=512 --ondisk=sda
part /tmp --fstype ext3 --ondisk=sda --size=100 --grow

%packages
@base
@core
cracklib-dicts
kernel-headers
nash
tzdata
-acl
-acpid
-apmd
-aspell
-aspell-en
-authconfig
-autofs
-bluez-libs
-bluez-utils
-ccid
-coolkey
-cpuspeed
-crash
-desktop-file-utils
-dhcdbd
-dhcpv6_client
-diskdumputils
-dos2unix
-dosfstools
-dump
-finger
-firstboot-tui
-gpm
-htmlview
-irda-utils
-jwhois
-krb5-workstation
-ksh
-libevent
-libgssapi
-libnl
-lftp
-mailcap
-mgetty
-mkbootdisk
-mtools
-mtr
-NetworkManager
-nano
-netdump
-nc
-nfs-utils
-nfs-utils-lib
-nscd
-nss_db
-nss_ldap
-pam_ccreds
-pam_krb5
-pam_smb
-pcmciautils
-pcsc-lite
-perl-String-CRC32
-pinfo
-portmap
-ppp
-quota
-rdate
-rdist
-readahead
-redhat-menus
-rmt
-rp-pppoe
-rsh
-setuptool
-specspo
-stunnel
-syslinux
-system-config-network-tui
-tcsh
-telnet
-traceroute
-unix2dos
-unzip
-vconfig
-which
-wpa_supplicant
-ypbind
-yp-tools
-zip

%post
chkconfig --level 2345 atd off
chkconfig --level 2345 cups off
chkconfig --level 2345 netfs off
chkconfig --level 2345 kudzu off
irqbalance mdmonitor messagebus smartd yum-updatesd
updating with yum
yum list updates
yum -y update
reboot
CIS Benchmark after removing packages and updating the system: 6.88
# df -h
Filesystem   Size  Used Avail Use% Mounted on
/dev/hda3    981M  116M  816M  13% /
/dev/hda2     99M   15M   79M  16% /boot
/dev/hda8    3.7G  241M  3.3G   7% /home
none          62M     0   62M   0% /dev/shm
/dev/hda5    587M  274M  284M  50% /usr
/dev/hda6    373M  106M  248M  30% /var
*Bastille Linux Script
Installation
http://www.bastille-unix.org/
Prerequisites:
yum install perl-Curses (for CLI)
yum install perl-Tk (for GUI)
http://www.bastille-linux.org
http://aleron.dl.sourceforge.net/sourceforge/bastille-linux/Bastille-2.1.7-1.0.noarch.rpm
Bastille-2.1.6-1.0.noarch.rpm
*Running
This runs Bastille Linux in command line/curses mode:
/usr/sbin/bastille -c
*What it does
File Permissions
mount/umount, ping, at, usernetctl, traceroute
Account Security
password aging - 180 days
restrict cron
set default umask
Boot Security
disallow root login on tty's 1-6
password protect grub
disable Ctrl-Alt-Del
password protect single user mode
Secure Inetd
set default deny on tcp wrappers and xinetd
disable telnet
disable ftp
display Authorized Use message
Disable User Tools
disable gcc - root access to gcc only
Configure Misc PAM
limit core dumps, processes
restrict console
Logging
additional logging
Miscellaneous Daemons
stop sendmail running in daemon mode
Tmp directory
install tmpdir/tmp scripts
Firewall
turns on and configures iptables
*Turning off or removing unused services
apmd (CIS 3.6)
atd - removed
autofs - removed (CIS 3.9)
gpm - removed (CIS 3.6)
irda - removed (CIS 3.6)
isdn - removed (CIS 3.6)
kudzu (CIS 3.21)
netfs (CIS 3.8)
nfs - removed (CIS 3.8)
nfslock - removed (CIS 3.9)
pcmcia - removed (CIS 3.6)
portmap - removed (CIS 3.12)
rhnsd
sendmail (CIS 3.3)
References: CIS 2 & 3
*Evaluation
*CIS Benchmarking Tool
*Services
*Processes
*Reducing remote access
*Physical Access
Computer security starts with physical security. If a hacker can physically reach your computer then they will be able to break in or steal data.
*Banners
http://ciac.llnl.gov/ciac/bulletins/j-043.shtml
Banner recommended by Bastille Linux script. Replace $owner with your name if you wish. If you have a company that specifies a banner, use that banner instead:
***************************************************************************
NOTICE TO USERS
This computer system is the private property of $owner, whether individual, corporate or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.
Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials. Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
****************************************************************************
rewrite /etc/rc.d/rc.local with this file: HardeningRedHat9_Appendix#rc.local to have the above banner written to /etc/issue and /etc/issue.net. In /etc/motd the above banner will be displayed again along with system information once someone logs in.
execute /etc/rc.d/rc.local so that /etc/motd, /etc/issue, and /etc/issue.net get written correctly.
chown root:root /etc/motd /etc/issue /etc/issue.net
chmod 644 /etc/motd /etc/issue /etc/issue.net
References: CIS 9.1
*TCP Wrappers
Setting up the TCP Wrappers banner:
mkdir /etc/banners
write your banner message in /etc/banners/prototype, for example:
Authorized Users Only. All activity may be monitored and reported.
cd /etc/banners
/usr/bin/make -f /usr/share/doc/tcp_wrappers-7.6/Banners.Makefile
To do the above you need to have make and gcc installed. After it has been done on one computer, it could be transported to other installations with the same operating system by creating a tar file of /etc/banners.
Setting up warning message for /sbin/nologin:
cp /etc/banners/prototype /etc/nologin.txt
chown root:root /etc/nologin.txt
chmod 644 /etc/nologin.txt
/etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
ALL: LOCAL : banners /etc/banners
sshd: ALL
/etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
ALL: ALL : spawn (/bin/echo -e `/bin/date` "\n%c attempted connection to %s and was denied" \
    | /bin/mail -s "Connection attempt to %s" root) &
References: SL 2.5.6.1, CIS 2.2
*Secure Shell
before you proceed with this configuration, verify that you have a non-root login created.
The following changes will need to be made: /etc/ssh/sshd_config
Protocol 2
PermitRootLogin no
ChallengeResponseAuthentication no
X11Forwarding no
Banner /etc/issue.net
AllowUsers joeuser (others as needed)
X11Forwarding is turned off because X is not installed on this system. For systems with X installed you will want this on. The AllowUsers option should probably only be used on systems with small numbers of users due to the amount of administration involved -- every time you add a user you want to be able to log in remotely they will need to be added here.
restart sshd
service sshd restart
/etc/ssh/ssh_config
Host *
ForwardX11 no
Protocol 2
Again, ForwardX11 is set to no only because there is no X installed on this system.
The complete files are found here: HardeningRedHat9_Appendix#sshd_config and HardeningRedHat9_Appendix#ssh_config
also see chroot-ing ssh http://chrootssh.sourceforge.net/index.php
References: CIS 1.3, SL 3.3.4, Simpaticus http://www.simpaticus.com/linux/barebones-server-howto.php#opensshserver
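To verify that an sshd_config really carries the settings listed above, here is an added audit script (not from the wiki or from the referenced guides). It takes a config file path, treats the first uncommented occurrence of a keyword as the effective value the way sshd does, and the sample config it writes is constructed.

```shell
#!/bin/sh
# Audit an sshd_config for the directives chosen in the section above.
# Added example for this page, not code from the wiki author; the sample
# config written by sshd_sample_config is constructed, not a real host's.

# sshd_effective_value FILE KEYWORD
#   Prints the value of KEYWORD from the first uncommented line that sets
#   it (sshd uses the first occurrence; keywords are case-insensitive).
sshd_effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# sshd_check_directive FILE KEYWORD EXPECTED
#   Returns 0 when the effective value equals EXPECTED, 1 otherwise.
sshd_check_directive() {
    got=$(sshd_effective_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        printf 'OK   %-32s %s\n' "$2" "$got"
        return 0
    fi
    printf 'FAIL %-32s got "%s", want "%s"\n' "$2" "${got:-<unset>}" "$3"
    return 1
}

# sshd_audit FILE
#   Checks every directive from the section above; returns the number of
#   non-compliant directives (0 means the file matches).
sshd_audit() {
    failures=0
    while read -r key want; do
        sshd_check_directive "$1" "$key" "$want" || failures=$((failures + 1))
    done <<'EOF'
Protocol 2
PermitRootLogin no
ChallengeResponseAuthentication no
X11Forwarding no
Banner /etc/issue.net
EOF
    return "$failures"
}

# sshd_sample_config
#   Writes a constructed sshd_config that still allows root logins and
#   prints its path, so the audit can be demonstrated without touching
#   /etc/ssh/sshd_config.
sshd_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real configuration
#PermitRootLogin no
PermitRootLogin yes
protocol 2
X11Forwarding no
Banner /etc/issue.net
AllowUsers joeuser
EOF
    printf '%s\n' "$f"
}

# Demonstration; replace the sample with /etc/ssh/sshd_config on a real host.
sample=$(sshd_sample_config)
sshd_audit "$sample"
echo "non-compliant directives: $?"
rm -f "$sample"
```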
*Network Kernel Parameters
/etc/sysctl.conf
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
#do not perform below if system is firewall or gateway.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
chown root:root /etc/sysctl.conf
chmod 0600 /etc/sysctl.conf
service network restart
The complete sysctl.conf file is here: HardeningRedHat9_Appendix#sysctl.conf
References: CIS 4.1, CIS 4.2, SL 2.2.1 http://www.cromwell-intl.com/security/security-stack-hardening.html http://www.eth0.us/sysctl http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html
*inittab
If X is installed, disable GUI login change:
id:5:initdefault:
to:
id:3:initdefault:
Reference: CIS 3.4
Require root to log into single user mode:
add
~~:S:wait:/sbin/sulogin
Reference: CIS 7.9
Disable Ctrl-Alt-Del for automatic reboot:
comment out
##ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Reference: SL 2.3.2
Remove unused login daemons
comment out
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
# Disable gettys not being used
##2:2345:respawn:/sbin/mingetty tty2
##3:2345:respawn:/sbin/mingetty tty3
##4:2345:respawn:/sbin/mingetty tty4
##5:2345:respawn:/sbin/mingetty tty5
##6:2345:respawn:/sbin/mingetty tty6
SU recommends the use of the GNU Screen command to run multiple shell sessions instead of multiple gettys. This can be installed with: yum install screen.
The complete inittab file is here: HardeningRedHat9_Appendix#sysctl.conf
Reference: SU 506.2 2-16
chown root:root /etc/inittab
chmod 644 /etc/inittab
*securetty
Edit /etc/securetty so that it looks like this
console
tty1
chown root:root /etc/securetty
chmod 400 /etc/securetty
Reference: CIS 7.7, SL 2.3.1
*grub.conf
/boot/grub/grub.conf To force a grub password, add line before first uncommented line in /etc/grub.conf
password <clear-text password>
The complete grub file is here: HardeningRedHat9_Appendix#grub.conf
References: CIS 7.8, SL 2.1.3
*Evaluation
*CIS Benchmarking Tool
*Services
*Processes
*Open Files
*netstat
*nessus
*Reducing local access
*fstab
Following the principle of least privilege, the partitions are adjusted to restrict access.
before:
LABEL=/      /            ext3         defaults               1 1
LABEL=/boot  /boot        ext3         defaults               1 2
none         /dev/pts     devpts       gid=5,mode=620         0 0
none         /proc        proc         defaults               0 0
none         /dev/shm     tmpfs        defaults               0 0
LABEL=/usr   /usr         ext3         defaults               1 2
LABEL=/var   /var         ext3         defaults               1 2
LABEL=/tmp   /tmp         ext3         defaults               1 2
/dev/hda7    swap         swap         defaults               0 0
/dev/cdrom   /mnt/cdrom   udf,iso9660  noauto,owner,kudzu,ro  0 0
/dev/fd0     /mnt/floppy  auto         noauto,owner,kudzu     0 0
edit /etc/fstab
after:
LABEL=/      /            ext3         defaults               1 1
LABEL=/boot  /boot        ext3         nodev                  1 2
# LABEL=/boot  /boot      ext3         nodev,ro               1 2
none         /dev/pts     devpts       gid=5,mode=620         0 0
none         /proc        proc         defaults               0 0
none         /dev/shm     tmpfs        defaults               0 0
LABEL=/usr   /usr         ext3         nodev                  1 2
# LABEL=/usr   /usr       ext3         nodev,ro               1 2
LABEL=/var   /var         ext3         nodev                  1 2
LABEL=/tmp   /tmp         ext3         nodev,nosuid,noexec    1 2
/dev/hda7    swap         swap         defaults               0 0
/dev/cdrom   /mnt/cdrom   udf,iso9660  noauto,nosuid,nodev,ro 0 0
/dev/fd0     /mnt/floppy  auto         noauto,nosuid,nodev    0 0
If /usr and/or /boot are mounted as read-only, it will need to be remounted as read-write anytime updates or new applications are installed. Use the command:
mount -o remount,rw /usr
to do this, install binaries, then use:
mount -o remount,ro /usr
to return it to read-only.
Some scripts run installers from /tmp. The noexec option blocks this; to lift the block when that happens, use the command:
mount -o remount,exec /tmp
run the script, then
mount -o remount,noexec /tmp
to return it to its secure settings
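An added check (not the wiki author's) that parses an fstab and reports which of the mount options chosen above each partition still lacks; the before and after tables it writes are constructed from this section's listings.

```shell
#!/bin/sh
# Check /etc/fstab entries against the mount-option policy applied in the
# section above. Added example for this page, not the wiki author's code;
# the "before" and "after" tables written by the sample functions are
# constructed from the page's own listings.

# fstab_missing_opts FSTAB MOUNTPOINT REQUIRED
#   REQUIRED is a comma-separated option list. Prints the required options
#   that MOUNTPOINT's entry lacks (empty output means compliant) or
#   "no-entry" when the mountpoint is not in the file.
fstab_missing_opts() {
    awk -v mp="$2" -v req="$3" '
        /^[[:space:]]*(#|$)/ { next }
        $2 == mp {
            found = 1
            n = split($4, have, ",")
            for (i = 1; i <= n; i++) has[have[i]] = 1
            m = split(req, need, ",")
            for (i = 1; i <= m; i++)
                if (!(need[i] in has)) miss = miss (miss == "" ? "" : ",") need[i]
            print miss
            exit
        }
        END { if (!found) print "no-entry" }
    ' "$1"
}

# fstab_audit FSTAB
#   Applies the policy from the section above to every filesystem it
#   covers; returns the number of mountpoints that fall short.
fstab_audit() {
    bad=0
    while read -r mp req; do
        miss=$(fstab_missing_opts "$1" "$mp" "$req")
        if [ -n "$miss" ]; then
            printf 'FAIL %-12s missing %s\n' "$mp" "$miss"
            bad=$((bad + 1))
        else
            printf 'OK   %-12s %s\n' "$mp" "$req"
        fi
    done <<'EOF'
/boot nodev
/usr nodev
/var nodev
/tmp nodev,nosuid,noexec
/mnt/cdrom nosuid,nodev,ro
/mnt/floppy nosuid,nodev
EOF
    return "$bad"
}

# fstab_sample_before / fstab_sample_after
#   Write the page's unhardened and hardened tables to a temp file and
#   print its path.
fstab_sample_before() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
LABEL=/      /            ext3         defaults               1 1
LABEL=/boot  /boot        ext3         defaults               1 2
none         /dev/pts     devpts       gid=5,mode=620         0 0
none         /proc        proc         defaults               0 0
none         /dev/shm     tmpfs        defaults               0 0
LABEL=/usr   /usr         ext3         defaults               1 2
LABEL=/var   /var         ext3         defaults               1 2
LABEL=/tmp   /tmp         ext3         defaults               1 2
/dev/hda7    swap         swap         defaults               0 0
/dev/cdrom   /mnt/cdrom   udf,iso9660  noauto,owner,kudzu,ro  0 0
/dev/fd0     /mnt/floppy  auto         noauto,owner,kudzu     0 0
EOF
    printf '%s\n' "$f"
}
fstab_sample_after() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
LABEL=/      /            ext3         defaults               1 1
LABEL=/boot  /boot        ext3         nodev                  1 2
none         /dev/pts     devpts       gid=5,mode=620         0 0
none         /proc        proc         defaults               0 0
none         /dev/shm     tmpfs        defaults               0 0
LABEL=/usr   /usr         ext3         nodev                  1 2
LABEL=/var   /var         ext3         nodev                  1 2
LABEL=/tmp   /tmp         ext3         nodev,nosuid,noexec    1 2
/dev/hda7    swap         swap         defaults               0 0
/dev/cdrom   /mnt/cdrom   udf,iso9660  noauto,nosuid,nodev,ro 0 0
/dev/fd0     /mnt/floppy  auto         noauto,nosuid,nodev    0 0
EOF
    printf '%s\n' "$f"
}

# Demonstration; on a real host run: fstab_audit /etc/fstab
for sample in "$(fstab_sample_before)" "$(fstab_sample_after)"; do
    fstab_audit "$sample"; echo "non-compliant mountpoints: $?"; rm -f "$sample"
done
```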
*removable media
Make it so that only root can mount removable media
edit /etc/security/console.perms
comment out the following lines:
##<console> 0660 <floppy> 0660 root.floppy
##<console> 0600 <cdrom> 0660 root.disk
##<console> 0600 <pilot> 0660 root.uucp
##<console> 0600 <jaz> 0660 root.disk
##<console> 0600 <zip> 0660 root.disk
##<console> 0600 <ls120> 0660 root.disk
##<console> 0600 <camera> 0600 root
##<console> 0600 <memstick> 0600 root
##<console> 0600 <flash> 0600 root
##<console> 0600 <diskonkey> 0660 root.disk
##<console> 0600 <rem_ide> 0660 root.disk
##<console> 0600 <rio500> 0600 root
chmod 600 /etc/security/console.perms
References: CIS 6.3
*cron & at
Restrict adding cron and at jobs to root. Jobs can still run as other users, but only root can install them.
remove /etc/cron.deny if it exists
edit /etc/cron.allow and /etc/at.allow so that root is the only authorized user
chown root:root /etc/cron.allow /etc/at.allow
chmod 400 /etc/cron.allow /etc/at.allow
Reference: CIS 7.4
chmod 400 /etc/crontab
chmod -R go-rwx /etc/cron.*
Reference: CIS 7.5
*remove unused accounts
backup /etc/passwd /etc/group /etc/shadow
remove accounts: uucp games gopher operator
userdel uucp userdel operator userdel games userdel gopher
userdel adm userdel news userdel ftp userdel pcap
remove groups: uucp games gopher dip
groupdel uucp groupdel dip groupdel games groupdel gopher (may be gone because gopher account already removed)
search for accounts from uninstalled packages (SL 2.4.2)
verify passwd & group
/usr/sbin/pwck /usr/sbin/grpck
find files that are owned by deleted users or groups and make them owned by root
find / -nouser -exec /bin/chown root {} \;
find / -nogroup -exec /bin/chgrp root {} \;
change the shell of the rpm account to /dev/null or /sbin/nologin
CIS recommends changing /sbin/nologin to /dev/null on these accounts:
bin daemon lp mail nobody vcsa sshd rpc mailnull smmsp ntp rpm
use usermod -L -s /dev/null <account>
SL uses /sbin/nologin so that a banner is shown when someone reaches an account with the nologin shell; edit /etc/nologin.txt
Reference: CIS 8.1, SL 2.4.2
*passwords
*Setting values
Default values:
Maximum password age: 99999 days (= never)
Minimum password age between changes: 0 days
Maximum warning period: 7 days before maximum password age
Minimum password length: 5 characters
Recommended values by CIS:
Maximum password age: 90 days
Minimum password age between changes: 7 days
Maximum warning period: 28 days before maximum password age
Minimum password length: 6 characters
Recommended values by SL:
Maximum password age: 180 days
Minimum password age between changes: 2 days
Maximum warning period: 7 days before maximum password age
Minimum password length: 5 characters
edit /etc/login.defs
##PASS_MAX_DAYS 99999
PASS_MAX_DAYS 90
##PASS_MIN_DAYS 0
PASS_MIN_DAYS 7
##PASS_MIN_LEN 5
PASS_MIN_LEN 6
##PASS_WARN_AGE 7
PASS_WARN_AGE 28
for existing accounts:
chage -M 90 -m 7 -W 28 <account>
for all accounts with uid >= 500:
awk -F: '$3 >= 500 { system("chage -M 90 -m 7 -W 28 " $1) }' /etc/passwd
Reference: CIS 8.3, SL 2.4.1
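Added helper functions (not from the wiki) that show which accounts the usermod -L -s /dev/null step and the chage loop above would touch, so the list can be reviewed before anything is changed. They read a passwd-format file given as an argument; the file they write themselves is a constructed sample, and the uid 500 cut-off follows the page.

```shell
#!/bin/sh
# Find the accounts that the usermod and chage steps above apply to. Added
# example for this page, not the wiki author's code; it reads a passwd-format
# file given as an argument, and the sample written by passwd_sample is
# constructed (the uid layout mirrors the page's 500 cut-off, not a real host).

# login_accounts PASSWD
#   Prints the login names with uid >= 500, the same selection as the awk
#   one-liner above, one per line.
login_accounts() {
    awk -F: '$3 >= 500 { print $1 }' "$1"
}

# system_accounts_with_shell PASSWD
#   Prints "name:shell" for system accounts (uid < 500, root excluded)
#   whose shell is neither /sbin/nologin nor /dev/null; these are the
#   candidates for usermod -L -s /dev/null from the CIS item above.
system_accounts_with_shell() {
    awk -F: '$3 < 500 && $1 != "root" && $7 != "/sbin/nologin" && $7 != "/dev/null" {
        print $1 ":" $7
    }' "$1"
}

# chage_commands PASSWD MAX MIN WARN
#   Emits (without running) one chage line per login account so the
#   change can be reviewed first; pipe the output to sh to apply it.
chage_commands() {
    login_accounts "$1" | while read -r user; do
        printf 'chage -M %s -m %s -W %s %s\n' "$2" "$3" "$4" "$user"
    done
}

# passwd_sample - writes the constructed passwd file and prints its path
passwd_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/dev/null
rpm:x:37:37::/var/lib/rpm:/bin/bash
ntp:x:38:38::/etc/ntp:/bin/false
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
joeuser:x:500:500:Joe User:/home/joeuser:/bin/bash
carlisle:x:501:501::/home/carlisle:/bin/bash
EOF
    printf '%s\n' "$f"
}

# Demonstration; on a real host pass /etc/passwd instead of the sample.
sample=$(passwd_sample)
echo "system accounts still holding a shell:"
system_accounts_with_shell "$sample"
echo "password-aging commands for login accounts:"
chage_commands "$sample" 90 7 28
rm -f "$sample"
```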
*using pam
*determining quality of passwords
johntheripper
*umask
For services, edit /etc/rc.d/init.d/functions and change
umask 022
to
umask 027
Reference: CIS 8.13
edit
/etc/profile and /etc/csh.login
append to <file>:
umask 077
chmod 444 <file>
/etc/csh.cshrc
##if $status then
##  umask 022
##else
##  umask 002
##endif
umask 077
chmod 444 /etc/csh.cshrc
/etc/bashrc
change in <file> umask 022 to 077 and umask 002 to 007 chmod 444 <file>
/root/.bash_profile /root/.bashrc /root/.cshrc
tcsh has been removed, but if it existed do the following:
/root/.tcshrc
append to <file>:
umask 077
SL notes that this may result in a warning message during the upgrade of some packages.
References: CIS 8.10, SL 2.4.5
*logout of inactive sessions
for bash, edit /etc/profile
# logout after 15 minutes
TMOUT=900
for csh, etc /etc/csh.cshrc
#logout after 15 minutes
set autologout=15
Reference: SL 2.4.5.1
*limits.conf
prevent core dumps edit /etc/security/limits.conf
#* soft core 0
* soft core 0
#* hard rss 10000
* hard core 0
limit users to 150 concurrent processes
* hard nproc 150
Not necessary, but this file can also limit max file size: limit file sizes to 100 Mb
* hard fsize 102400
Reference: CIS 8.11, SL 2.4.6.1
*suid audit
Determine list of suid programs:
find <partition> \( -perm -04000 -o -perm -02000 \) -type f -xdev -print
Removing suid privileges:
chmod u-s <program>
Adding suid privileges:
chmod u+s <program>
Recommendations:
mount/umount, ping, at, usernetctl
References: BL - FilePermissions, CIS 6.7
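Added example, not from the wiki or from Bastille: a baseline-and-compare wrapper around the find above, so that a suid program which appears after hardening shows up in the next audit. The demonstration builds its own files in a temporary directory instead of scanning the real filesystem.

```shell
#!/bin/sh
# Baseline the set-uid/set-gid programs found by the find above and report
# any later change, so a new or altered suid binary stands out. Added
# example for this page, not the wiki author's code; the demonstration
# builds its own files in a temporary directory instead of scanning /.

# suid_list DIR
#   Same find as in the section above, restricted to one filesystem and
#   sorted so two runs can be compared line by line.
suid_list() {
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) -print | LC_ALL=C sort
}

# suid_baseline DIR FILE - record the current list as the baseline
suid_baseline() {
    suid_list "$1" > "$2"
}

# suid_changes DIR FILE
#   Compares DIR against the baseline FILE. Prints "+ path" for files
#   that gained a set-uid/set-gid bit since the baseline and "- path" for
#   files that lost it or disappeared; returns 1 if anything changed.
suid_changes() {
    now=$(mktemp)
    suid_list "$1" > "$now"
    changes=$(LC_ALL=C comm -3 "$2" "$now" | awk '
        index($0, "\t") == 1 { print "+ " substr($0, 2); next }   # only in current list
                             { print "- " $0 }                    # only in baseline
    ')
    rm -f "$now"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Demonstration on constructed files (a real audit would baseline / and
# keep the baseline file off the monitored host).
demo=$(mktemp -d)
touch "$demo/ping" "$demo/mount" "$demo/at"
chmod u+s "$demo/ping" "$demo/mount"
suid_baseline "$demo" "$demo/baseline"
chmod u+s "$demo/at"      # a new suid program appears
chmod u-s "$demo/mount"   # one is removed, as recommended above
suid_changes "$demo" "$demo/baseline" || echo "suid set changed"
rm -rf "$demo"
```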
*su and sudo
Important note about "su" and "su -"
su - <account> applies all the environment variables
UPDATE: see new CIS Benchmark 8.13
edit /etc/pam.d/su enable this line:
# Uncomment the following line to require a user to be in the "wheel" group.
auth required /lib/security/$ISA/pam_wheel.so use_uid
add users to wheel group with:
usermod -G joeuser,wheel joeuser
or
gpasswd -a <user> <group>
sudo
visudo
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# User privilege specification
root ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
*Evaluation
*Enhancing Logging
time
In order to get logs with accurate times, one needs to have an accurate clock.
If not installed, install ntp, this also requires libcap.
edit /etc/ntp.conf edit /etc/ntp/
Sidenote: one can use a gps unit as a time source for ntp. (researching) see http://www.boulder.nist.gov/timefreq/service/gpscal.htm
References: CIS 5
http://support.ntp.org/bin/view/Servers/NTPPoolServers
http://www.ntp.org/
http://www.ntp.org/ntpfaq/NTP-a-faq.htm
http://www.sun.com/blueprints/0701/NTP.pdf
http://www.sun.com/blueprints/0801/NTPpt2.pdf
Logs are frequently reported to administrators by email. Unlike previous versions of sendmail, version 8.12 requires the daemon to be running to send outgoing mail, unless a specific mail relay has been specified.
edit /etc/mail/submit.cf
find: D{MTAHost} [127.0.0.1]
replace 127.0.0.1 with ip address of mail relay.
to turn off MTA daemon edit /etc/sysconfig/sendmail
set DAEMON=no
If the mail daemon needs to run, make sure that /etc/hosts.allow is configured to allow connections; otherwise mail won't reach the sendmail daemon on the same computer.
sendmail: 127.0.0.1
Reference: SU 506.2 2-18
*sysstat
yum install sysstat
Documentation for sysstat
http://perso.wanadoo.fr/sebastien.godard/
Reference: CIS 1.5
syslog
Add the following to /etc/syslog.conf
#If you have a remote logging host, uncomment the lines corresponding to
#the types of messages you want to forward to it. Replace this string
#loghost with the IP address of your central logging server.
#kern.* @loghost
#authpriv,auth.* @loghost
#mail.* @loghost
# or to send everything
#*.* @loghost
################
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
kern.* /dev/console
#Send kernel messages to a separate file. Note this will
#include messages generated by iptables about blocked
#network traffic.
kern.* /var/log/kernel
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
##*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;authpriv,auth,mail,cron,kern,local7.none /var/log/messages
# The authpriv file has restricted access.
##authpriv.* /var/log/secure
# capture auth messages also
auth,authpriv.* /var/log/secure
Create file for kernel log, and set to proper permissions
touch /var/log/kernel
chmod 400 /var/log/kernel
restart syslogd
References: CIS 5.2, SL 2.8.1.1, SL Appendix B http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-log-file.html
*logrotate
edit /etc/logrotate.conf
# rotate log files weekly
##weekly
monthly
# keep 4 weeks worth of backlogs
#rotate 4
rotate 12
# uncomment this if you want your log files compressed
#compress
compress
edit /etc/logrotate.d/syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/kernel {
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
Restart syslogd
/sbin/service syslog restart
Force log rotation to verify all is correct.
/usr/sbin/logrotate -f /etc/logrotate.conf
Reference: SL 2.8.2.1, SL 2.8.2.2
*logwatch
Configuring logwatch: edit /etc/logwatch/conf/logwatch.conf and add this line:
MailTo = <address>
You will be emailed nightly.
References: http://www.logwatch.org
*logcheck
installing logcheck (must have gcc installed) see http://sourceforge.net/projects/sentrytools/
download logcheck-1.1.1.tar.gz
tar -xvzf logcheck-1.1.1.tar.gz
cd logcheck-1.1.1
make linux
set address to mail logs to
vi /usr/local/etc/logcheck.sh
add to crontab
00 * * * * /usr/local/etc/logcheck.sh
Verify that only root can access the directory /usr/local/etc/tmp
note: this location will need to be changed if /usr is made read-only
*process accounting
Install and start process accounting. Warning: this can be very resource intensive.
yum install psacct
service psacct start
Associated commands:
ac - displays statistics about how long users have been logged on
lastcomm - displays information about previously executed commands
sa - summarizes information about previously executed commands
*Firewall
*system-config-securitylevel
/usr/bin/system-config-securitylevel
creates file at /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*Shorewall
http://www.shorewall.net/
Installation - 3.0.5 is in Extras
yum install shorewall
*Modify files
Edit /etc/shorewall/shorewall.conf
Templates for one, two, or three interface rules are found here:
/usr/share/doc/shorewall-3.0.5/Samples
copy one-interface to /etc/shorewall
Edit /etc/shorewall/rules to allow SSH
SSH/ACCEPT net $FW
To allow for logging of dropped packets
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT
##net all DROP info
net all DROP warning
# The FOLLOWING POLICY MUST BE LAST
##all all REJECT info
all all REJECT warning
*replace iptables with shorewall
remove iptables from chkconfig
chkconfig --level 12345 iptables off
stop iptables
service shorewall start
To restart shorewall, always stop it and then start it again:
service shorewall stop
service shorewall start
Blacklists: http://www.shorewall.net/blacklisting_support.htm
*Firestarter
http://www.fs-security.com/ Firestarter 1.0.3 is in Extras
SELinux
http://fedorasolved.org/security-solutions/selinux-module-building/
An Introduction to SELinux for Administrators http://www.giac.org/certified_professionals/practicals/gcux/296.php
*FC5 Release Notes
The new SELinux project pages have troubleshooting tips, explanations, and pointers to documentation and references. Some useful links include the following:
- New SELinux project pages: http://fedoraproject.org/wiki/SELinux
- Troubleshooting tips: http://fedoraproject.org/wiki/SELinux/Troubleshooting
- Frequently Asked Questions: http://fedora.redhat.com/docs/selinux-faq/
- Listing of SELinux commands: http://fedoraproject.org/wiki/SELinux/Commands
- Details of confined domains: http://fedoraproject.org/wiki/SELinux/Domains
*Multi Category Security (MCS)
MCS is a general-use implementation of the more stringent Multilevel Security (MLS). MCS is an enhancement to SELinux to allow users to label files with categories. Categories might include Company_Confidential, CEO_EYES_ONLY, or Sysadmin_Passwords. For more information about MCS, refer to http://james-morris.livejournal.com/5583.html, an article by the author.
*Multilevel Security (MLS)
MLS is a specific Mandatory Access Control (MAC) scheme that labels processes and objects with special security levels. For example, an object such as a document file can have the security level of { Secret, ProjectMeta }, where Secret is the sensitivity level, and ProjectMeta is the category. For more information about MLS, refer to http://james-morris.livejournal.com/5020.html.
*Applications
java
see FedoraCore6#Java
*compilers
Sometimes binaries are not available and you need to compile one yourself. This configuration does not include compilers. It is best to do development on a separate machine, but that is not always possible.
researching: determining what to install
yum install gcc
Removing compilers
yum remove gcc gcc3 gcc3-c++ gcc3-g77 gcc3-java gcc3-objc gcc-c++ gcc-chill gcc-g77 gcc-java gcc-objc bin86 dev86 nasm
Reference: CIS 8.12
*sendmail
http://www.deer-run.com/~hal/dns-sendmail/ http://www.deer-run.com/~hal/sysadmin/sendmail.html http://www.deer-run.com/~hal/sysadmin/sendmail2.html
*syslog-ng
http://www.balabit.com/products/syslog_ng/
*aide
http://www.cs.tut.fi/~rammer/aide.html http://sourceforge.net/projects/aide
*bind
*web servers
*apache
*tux
*lighttpd
*ftp servers
*wu-ftp
*vsftp
*vpn
http://www.openswan.org/
intrusion detection
psad
http://www.cipherdyne.com/psad/
Download
wget http://www.cipherdyne.com/psad/download/psad-2.1-1.i386.rpm
Verify
md5sum psad-2.1-1.i386.rpm
Edit /etc/psad/psad.conf
EMAIL_ADDRESSES root@localhost,myaddress@mail.com;
HOSTNAME server.com;
*snort
http://www.snort.org/
*VmWare
possible issues with fc5 http://www.vmware.com/community/thread.jspa?threadID=31877
*Administering the Hardened System
*Adding Users
useradd <account>
To allow the user to log in with ssh, add <account> to the AllowUsers line in /etc/ssh/sshd_config (append the line if it does not exist yet):
AllowUsers <account>
service sshd restart
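The AllowUsers step above, as an added example that is not part of the original page: a POSIX shell helper that adds an account to the whitelist idempotently, creating the line when absent; it operates on a constructed temp copy of sshd_config, not the live file.

```shell
# Added example: maintain the sshd_config AllowUsers whitelist idempotently.
# Return 0 if <account> is listed on a top-level AllowUsers line (exact token
# match; sshd also accepts user@host and wildcard patterns, not handled here).
ssh_user_allowed() {
    awk -v acct="$1" '
        /^AllowUsers/ { for (i = 2; i <= NF; i++) if ($i == acct) found = 1 }
        END { exit found ? 0 : 1 }' "$2"
}
# Append <account> to the first AllowUsers line, or create the line if there is
# none. Without any AllowUsers line sshd permits every account, so creating the
# line is what turns on the whitelist; do not forget the admin account.
allow_ssh_user() {
    acct=$1; cfg=$2
    ssh_user_allowed "$acct" "$cfg" && return 0
    if grep -q '^AllowUsers' "$cfg"; then
        awk -v acct="$acct" '
            !done && /^AllowUsers/ { $0 = $0 " " acct; done = 1 }
            { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'AllowUsers %s\n' "$acct" >> "$cfg"
    fi
}
# Constructed sample config (a temp file, not the live /etc/ssh/sshd_config).
SAMPLE_CFG=$(mktemp)
printf 'Protocol 2\nPermitRootLogin no\n' > "$SAMPLE_CFG"
allow_ssh_user alice "$SAMPLE_CFG"
allow_ssh_user bob "$SAMPLE_CFG"
allow_ssh_user alice "$SAMPLE_CFG"   # second call is a no-op
grep '^AllowUsers' "$SAMPLE_CFG"    # AllowUsers alice bob
```

Check the edited file with sshd -t before running service sshd restart, so that a typo in the whitelist cannot lock you out of the host.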
To allow user to use su
gpasswd -a <account> wheel
*Install/Updating Software
Because /usr is now mounted as read-only, it will need to be remounted as read-write anytime updates or new applications are installed. Use the command:
mount -o remount,rw /usr
to do this, install binaries, then use:
mount -o remount,ro /usr
to return it to read-only.
*Installing new hardware
Before shutting down the machine:
chkconfig kudzu on
halt
Install the hardware, then boot. After kudzu has detected the hardware:
service kudzu stop
chkconfig kudzu off
*Security Checks
These conditions should hold if the steps above were followed; they are listed here for use in security checks.
*system utilities
*ps
*netstat
*lsof
*CIS Benchmarking Tool
*confirm that password-less accounts do not exist
awk -F: '($2 == "") {print $1}' /etc/shadow
This should produce no output.
Reference: SL 2.4.4
*chkrootkit
http://www.chkrootkit.org/
*aide
*nessus
*Other References
O'Reilly Book: Building Secure Servers with Linux
http://www.oreilly.com/catalog/bssrvrlnx/
http://www.fedorafaq.org/
http://www.fedoraforum.org/
http://fedorasolved.org/
http://www.mjmwired.net/resources/mjm-fedora-fc5.html
http://www.stanton-finley.net/fedora_core_5_installation_notes.html
http://www.stud.uni-karlsruhe.de/~usge/fc2_install_notes.html
http://fedoranews.org/colin/fnu/issue12.shtml
http://fedoranews.org/colin/fnu/issue13.shtml
http://fedoranews.org/colin/fnu/issue14.shtml
http://users.netwit.net.au/~pursang/game.html
This page was last modified 12:27, 16 Jun 2008.