HardeningRedHat9
From Rivalug Wiki
Notes for Hardening a RedHat 9 installation.
Back to HowToList Also see HardeningRedHat9_Appendix and HardeningRedHat9_Evaluation
WARNING: This document is no longer being maintained.
--Carlisle 06:35, 26 Feb 2005 (EST)
Disclaimer
Please don't try any of these suggestions on important systems without first researching and understanding what they do.
History
started on 25 Dec 2004
Please post any problems with this document or other comments here: http://rivalug.org/forums/index.php?topic=89.0
RedHat 9
Why Use RedHat 9?
If one wanted the best operating system for a hardened system, one would probably go with something like OpenBSD. But the goal of this document is to show how to harden a Linux system. Why choose RedHat 9 when three releases of Fedora Core have been made? First, RedHat 9 is very close to RedHat Enterprise Linux 3, which will be around for at least four more years. RedHat 9 is still free for all users, and even though RedHat no longer supports it, the Fedora Legacy project still does. RedHat 9 uses the 2.4 kernel, which has undergone review and updating since --. Yum has been released for RedHat 9. Bastille Linux and the CIS Linux Benchmark are currently available for RedHat 9 and are not fully available for Fedora Core 3.
Features
RedHat 9 was released in March 2003. It reached end-of-life from Redhat in April 2004 and continues to be updated by the Fedora Legacy Project.
Release Notes: ftp://ftp.redhat.com/pub/redhat/linux/9/en/os/i386/RELEASE-NOTES.html
Selected Features:
kernel 2.4.20
gcc 3.2.2
glibc 2.3.2
openssh 3.5p1
sendmail 8.12.8
bind 9.2.1
apache
vsftpd
References for Hardening
CIS Red Hat Enterprise Linux Benchmark v1.0(CIS)
Center for Internet Security:
http://www.cisecurity.org/
Linux Benchmark:
http://www.cisecurity.org/bench_linux.html
As of 17 Jan 2005, this supersedes the CIS Linux Benchmark v1.1.0 (RedHat 7.0 and later). The new benchmarking tool can be used with RedHat 9 if the following files from the previous benchmarking tool are placed in the directory with the new tool:
cis_ruler_sgid_programs_redhat_9
cis_ruler_suid_programs_redhat_9
cis_ruler_world_writable_files_redhat_9
SANS Securing Linux version 2.0 (SL)
Oct 2003 ISBN 0-9743727-7-3 $39 https://store.sans.org/store_item.php?item=83
Bastille Linux (BL)
SANS Track 506: Securing Unix/Linux Track (SU)
Simpaticus Bare-Bones Server HOWTO
http://www.simpaticus.com/linux/barebones-server-howto.php by Rodolfo J. Paiz
Installation
Download
Since we will be doing a minimum install, we only need to get the first ISO image.
Official Site: ftp://ftp.redhat.com/pub/redhat/linux/9/en/iso/i386/shrike-i386-disc1.iso
Selected Mirrors: ftp://carroll.cac.psu.edu/pub/linux/distributions/redhat/redhat/linux/9/en/iso/i386/shrike-i386-disc1.iso
Installing a Minimum System
The test system I'm using has a Pentium II 333 MHz CPU with 128 MB RAM.
You will need to do a graphical installation to get to the option to choose a minimum installation.
If this is a newly burned CD, do media check, else skip it.
Choose Language (defaults: English), Keyboard (default: U.S. English), Mouse.
Choose Custom Installation.
Partition with Disk Druid. For this hardened system, we will create several partitions so that different security settings can be applied to each partition. Some recommendations:
swap of at least twice physical RAM
/ of at least 200 MB, more if you don't have a separate /home or /tmp
/boot of at least 60 MB
/usr of at least 600 MB, more if you don't have a separate /usr/local
/var of at least 384 MB
possibly a /usr/local partition of at least 100 MB
possibly a /tmp partition
possibly a /home partition
Select a network setting appropriate to your situation. Choose Firewall Security: High, but allow incoming ssh. Choose Additional Language Support (default: English), select the Time Zone, whether to use Daylight Saving Time, and whether the System Clock uses UTC (in general, you can select this unless you dual boot with Windows).
Enter root password, and select MD5 and shadow passwords.
Choose Package Group Selection -> Miscellaneous -> Minimal.
Installation will now begin; once it is finished, create a boot disk.
After the new system has booted, log in as root and create a user account for yourself.
Tuning IDE Harddrive performance
edit /etc/sysconfig/harddrive
HardeningRedHat9_Appendix#harddisks
Reference: http://support.pa.msu.edu/help/faqs/linux/harddisks.html
Updating with Yum
Yum did not originally come installed with RedHat 9, but because of its ability to resolve package dependency issues, yum is very handy for package management.
History
Previous versions of this are found here: http://vculug.sometimes.org/forum/viewtopic.php?p=242#242 http://rivalug.org/forums/index.php?topic=8.0 http://rivalug.org/forums/index.php?topic=14.0
Upgrading RPM
To prevent an rpm lockup problem, we need to upgrade the rpm package itself before starting other package installations. Read http://www.fedora.us/wiki/LegacyRPMUpgrade
wget http://download.fedora.us/patches/redhat/9/i386/RPMS.stable/rpm-4.2-1.i386.rpm
wget http://download.fedora.us/patches/redhat/9/i386/RPMS.stable/rpm-python-4.2-1.i386.rpm
wget http://download.fedora.us/patches/redhat/9/i386/RPMS.stable/popt-1.8-1.i386.rpm
rpm -Fvh rpm*rpm popt*rpm
Installing Yum
Documentation:
http://linux.duke.edu/projects/yum/ http://www.fedora.us/wiki/FedoraHOWTO http://www.fedoralegacy.org/docs/yum-rh9.php
Install prerequisites: libxml2 libxml2-python
rpm -Uvh http://download.fedoralegacy.org/redhat/9/updates/i386/libxml2-2.5.4-3.rh9.i386.rpm
rpm -Uvh http://download.fedoralegacy.org/redhat/9/updates/i386/libxml2-python-2.5.4-3.rh9.i386.rpm
Install Yum:
rpm -Uvh http://download.fedoralegacy.org/redhat/9/legacy-utils/i386/yum-2.0.5-0.9.2.legacy.noarch.rpm
Installing GPG Keys
base
rpm --import http://www.redhat.com/security/db42a60e.txt
(this key is the same as ftp://ftp.redhat.com/pub/redhat/linux/9/en/os/i386/RPM-GPG-KEY)
updates-released: rpm --import http://www.fedoralegacy.org/FEDORA-LEGACY-GPG-KEY
fedora-us-stable: rpm --import http://www.fedora.us/FEDORA-GPG-KEY
Yum Repositories
| Label | Primary Repository Location | Description |
|---|---|---|
| base | http://download.fedoralegacy.org/redhat/9/os/i386/ | These are the official packages that exist at release time. |
| updates-released | http://download.fedoralegacy.org/redhat/9/updates-testing/i386/ | These are the official updates. The ones developed after RedHat support ended have the word legacy in the package name. |
| fedora-extras-stable | http://download.fedora.us/fedora/redhat/9/i386/RPMS.stable/ http://www.fedora.us/pkglists/fedora-9-stable.html | 3rd party packages created by the Fedora Extras Project at the University of Hawaii. Their wiki is http://www.fedora.us/wiki/ |
yum.conf
see HardeningRedHat9_Appendix#yum.conf
Using Yum Commands
| Action | Command | Example |
|---|---|---|
| apply all updates | yum update | |
| apply all updates with exclusions | yum --exclude <package> update | yum --exclude kernel* update |
| show all packages available | yum list | |
| install package | yum install <package name> | |
| remove package | yum remove <package name> | |
| get information on a package | yum info <package name> | |
| which package provides a feature or file | yum provides <feature> | |
| search packages containing this word | yum search <string> | |
Hardening
Backup original files
Installing the CIS Benchmark Tool
go to this page:
http://www.cisecurity.org/bench_linux.html
Click the download link.
Select your user classification: Public, Government, Education.
Enter your name, organization, email address.
Check Linux level-1.
Read the License Agreement and check I Accept.
Click on the link: Download the Linux Tool archive.
You then download the file: cis_score_tool_linux_v1.6.4.sh.bz2
Run: bunzip2 cis_score_tool_linux_v1.6.4.sh.bz2
Run: ./cis_score_tool_linux_v1.6.4.sh
To use:
run ./cis-scan
to see changes that need to be made to get a better score:
egrep "^Negative" ./cis-most-recent-log
Evaluating the Unhardened System
CIS Benchmark Scoring Tool
Final rating = 6.25 / 10.00
Chkconfig List of a Minimal Install
# chkconfig --list | sort
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
apmd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irda 0:off 1:off 2:off 3:off 4:off 5:off 6:off
isdn 0:off 1:off 2:on 3:on 4:on 5:on 6:off
keytable 0:off 1:on 2:on 3:on 4:on 5:on 6:off
kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
pcmcia 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
random 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rhnsd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
yum 0:off 1:off 2:off 3:off 4:off 5:off 6:off
Process List
ps faux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 3 0.0 0.0 0 0 ? SW 13:18 0:00 [migration/1]
root 2 0.0 0.0 0 0 ? SW 13:18 0:00 [migration/0]
root 1 0.0 0.1 1372 136 ? S 13:18 0:04 init
root 4 0.0 0.0 0 0 ? SW 13:18 0:00 [keventd]
root 5 0.0 0.0 0 0 ? SWN 13:18 0:00 [ksoftirqd_CPU0]
root 6 0.0 0.0 0 0 ? SWN 13:18 0:00 [ksoftirqd_CPU1]
root 11 0.0 0.0 0 0 ? SW 13:18 0:00 [bdflush]
root 7 0.0 0.0 0 0 ? SW 13:18 0:04 [kswapd]
root 8 0.0 0.0 0 0 ? SW 13:18 0:00 [kscand/DMA]
root 9 0.0 0.0 0 0 ? SW 13:18 0:03 [kscand/Normal]
root 10 0.0 0.0 0 0 ? SW 13:18 0:00 [kscand/HighMem]
root 12 0.0 0.0 0 0 ? SW 13:18 0:00 [kupdated]
root 13 0.0 0.0 0 0 ? SW 13:18 0:00 [mdrecoveryd]
root 19 0.0 0.0 0 0 ? SW 13:18 0:00 [scsi_eh_0]
root 22 0.0 0.0 0 0 ? SW 13:18 0:00 [kjournald]
root 80 0.0 0.0 0 0 ? SW 13:19 0:00 [khubd]
root 154 0.0 0.0 0 0 ? SW 13:19 0:00 [kjournald]
root 155 0.0 0.0 0 0 ? SW 13:19 0:00 [kjournald]
root 156 0.0 0.0 0 0 ? SW 13:19 0:00 [kjournald]
root 157 0.0 0.0 0 0 ? SW 13:19 0:00 [kjournald]
root 439 0.0 0.1 1440 156 ? S 13:19 0:00 syslogd -m 0
root 443 0.0 0.0 1364 4 ? S 13:19 0:00 klogd -x
rpc 461 0.0 0.0 1540 0 ? SW 13:19 0:00 [portmap]
rpcuser 480 0.0 0.0 1524 0 ? SW 13:19 0:00 [rpc.statd]
root 612 0.0 0.3 5916 392 ? S 13:19 0:00 [sendmail]
smmsp 621 0.0 0.2 5712 312 ? S 13:19 0:00 [sendmail]
root 631 0.0 0.0 1408 4 ? S 13:19 0:00 gpm -t ps/2 -m /dev/mouse
root 640 0.0 0.1 1420 132 ? S 13:19 0:00 crond
daemon 658 0.0 0.1 1408 160 ? S 13:19 0:00 [atd]
root 667 0.0 0.0 1352 4 tty2 S 13:19 0:00 /sbin/mingetty tty2
root 668 0.0 0.0 1352 4 tty3 S 13:19 0:00 /sbin/mingetty tty3
root 669 0.0 0.0 1344 4 tty4 S 13:19 0:00 /sbin/mingetty tty4
root 670 0.0 0.0 1344 4 tty5 S 13:19 0:00 /sbin/mingetty tty5
root 671 0.0 0.0 1344 4 tty6 S 13:19 0:00 /sbin/mingetty tty6
root 1048 0.0 0.2 3500 364 ? S 13:36 0:00 /usr/sbin/sshd
root 6940 0.0 0.6 6744 796 ? S 14:31 0:00 \_ /usr/sbin/sshd
joeuser 6942 0.0 0.8 6784 1100 ? S 14:31 0:01 \_ [sshd]
joeuser 6943 0.0 1.0 4292 1264 pts/0 S 14:31 0:00 \_ -bash
root 6986 0.0 0.5 4092 716 pts/0 S 14:41 0:00 \_ [su]
root 6987 0.0 1.0 4304 1328 pts/0 S 14:41 0:02 \_ -bash
root 7132 0.0 0.5 2616 668 pts/0 R 15:24 0:00 \_ ps faux
root 6980 0.0 0.3 1348 388 tty1 S 14:32 0:00 /sbin/mingetty tty1
Disk Usage
/bin/df -h
Filesystem Size Used Avail Use% Mounted on
/dev/hda3 981M 120M 812M 13% /
/dev/hda2 99M 15M 79M 16% /boot
/dev/hda8 3.7G 241M 3.3G 7% /home
none 62M 0 62M 0% /dev/shm
/dev/hda5 587M 343M 215M 62% /usr
/dev/hda6 373M 120M 234M 34% /var
Open Network Connections
netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 hard9:smtp *:* LISTEN
tcp 0 128 192.168.0.1:ssh 192.168.0.2:38569 ESTABLISHED
udp 0 0 *:1024 *:*
udp 0 0 *:710 *:*
udp 0 0 *:sunrpc *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 8 [ ] DGRAM 1020 /dev/log
unix 2 [ ACC ] STREAM LISTENING 1383 /dev/gpmctl
unix 2 [ ] DGRAM 1417
unix 2 [ ] DGRAM 1400
unix 2 [ ] DGRAM 1365
unix 2 [ ] DGRAM 1351
unix 2 [ ] DGRAM 1081
unix 2 [ ] DGRAM 1028
Open Files
lsof 359 open files
nessus
Making the Minimum System even smaller
Following suggestions found here: http://www.simpaticus.com/linux/small-netserver-fc3-howto.php
I was able to remove the following packages without affecting normal operations:
yum remove mailcap pam_krb5 wireless-tools nfs-utils portmap yp-tools ypbind kernel-pcmcia-cs ash tcsh irda-utils aspell mkbootdisk syslinux isdn4k-utils wvdial libwvstreams ppp rp-pppoe minicom pinfo specspo comps autofs dos2unix dosfstools unix2dos lha lrzsz zip unzip telnet nss_ldap nscd mtr lftp jwhois finger authconfig redhat-config-mouse redhat-config-network-tui vconfig stunnel setuptool rsh rmt dump rdist quota pax parted mt-st gpm file ed bc acl at hotplug
Reference: Simpaticus http://www.simpaticus.com/linux/barebones-server-howto.php#trimfat1
Remove lingering files and accounts
find / -nouser
find / -nogroup
rm -rf /var/lib/nfs
Change the shell on the rpm account to /dev/null or /sbin/nologin. CIS recommends changing /sbin/nologin to /dev/null on these accounts:
bin daemon lp mail nobody vcsa sshd rpc mailnull smmsp ntp
rpcuser apache http httpd named dns mysql postgres squid
Use: usermod -L -s /dev/null <account>
SL uses /sbin/nologin instead, so that a banner is displayed when someone reaches an account with the nologin shell; edit /etc/nologin.txt to set that banner.
Reference: CIS 3.6
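An added example (not from the original wiki page) that audits /etc/passwd for the accounts listed above and prints the usermod commands the page uses, rather than running them, so the result can be reviewed before applying it as root. The account list is the page's; the passwd entries below are constructed sample data.

```shell
# Added example: find listed system accounts whose login shell is still usable
# and generate the "usermod -L -s /dev/null" commands from the page for them.

# Accounts the page says should end up with a /dev/null shell (rpm plus the CIS list).
CIS_ACCOUNTS="rpm bin daemon lp mail nobody vcsa sshd rpc mailnull smmsp ntp rpcuser apache http httpd named dns mysql postgres squid"

# audit_shells PASSWD_FILE
# Prints "ACCOUNT SHELL" for every listed account present in PASSWD_FILE whose
# shell is not /dev/null. Accounts that do not exist on the system are skipped.
audit_shells() {
    passwd_file=$1
    for acct in $CIS_ACCOUNTS; do
        # Field 7 of passwd is the login shell; an empty field means /bin/sh
        # (the CIS tool flags that case too, e.g. the "news" account).
        shell=$(awk -F: -v a="$acct" '$1 == a { print ($7 == "" ? "/bin/sh" : $7) }' "$passwd_file")
        [ -z "$shell" ] && continue
        [ "$shell" = "/dev/null" ] && continue
        echo "$acct $shell"
    done
    return 0
}

# lock_commands PASSWD_FILE
# Turns the audit output into the page's usermod invocation (lock the password
# and set the shell to /dev/null). Printed, not executed.
lock_commands() {
    audit_shells "$1" | while read -r acct shell; do
        echo "usermod -L -s /dev/null $acct"
    done
    return 0
}

# Constructed sample passwd file for a stand-alone run (not a real host's file).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/dev/null
joeuser:x:500:500::/home/joeuser:/bin/bash
EOF

audit_shells "$SAMPLE_PASSWD"    # rpm, bin and daemon are reported; sshd is already /dev/null
lock_commands "$SAMPLE_PASSWD"
```

On a real system run it against /etc/passwd and pipe the output of lock_commands to sh only after reading it.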
kickstart file
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/ch-kickstart2.html
The kickstart file created by your initial install is located in /root/anaconda-ks.cfg. An example of the original kickstart file is here: HardeningRedHat9_Appendix#original_kickstart_file
updating with yum
yum list updates
yum update
CIS Benchmark after removing packages and updating the system: 6.88
# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/hda3 981M 116M 816M 13% /
/dev/hda2 99M 15M 79M 16% /boot
/dev/hda8 3.7G 241M 3.3G 7% /home
none 62M 0 62M 0% /dev/shm
/dev/hda5 587M 274M 284M 50% /usr
/dev/hda6 373M 106M 248M 30% /var
Bastille Linux Script
Installation
http://www.bastille-unix.org/perl-rpm-chart.html
http://www.bastille-unix.org/perl-Curses-1.06-219.i586.rpm (perl-Curses-1.06-219.i586.rpm)
http://www.bastille-unix.org
http://aleron.dl.sourceforge.net/sourceforge/bastille-linux/Bastille-2.1.7-1.0.noarch.rpm (Bastille-2.1.6-1.0.noarch.rpm)
Running
This runs Bastille Linux in command line/curses mode:
/usr/sbin/bastille -c
What it does
File Permissions
mount/umount, ping, at, usernetctl, traceroute
Account Security
password aging - 180 days
restrict cron
set default umask
Boot Security
disallow root login on ttys 1-6
password protect grub
disable Ctrl-Alt-Del
password protect single user mode
Secure Inetd
set default deny on tcp wrappers and xinetd
disable telnet
disable ftp
display Authorized Use message
Disable User Tools
disable gcc - root access to gcc only
Configure Misc PAM
limit core dumps, processes
restrict console
Logging
additional logging
Miscellaneous Daemons
stop sendmail running in daemon mode
Tmp directory
install tmpdir/tmp scripts
Firewall
turns on and configures iptables
Turning off or removing unused services
apmd (CIS 3.6)
atd - removed with autofs - removed (CIS 3.9)
gpm - removed (CIS 3.6)
irda - removed (CIS 3.6)
isdn - removed (CIS 3.6)
kudzu (CIS 3.21)
netfs (CIS 3.8)
nfs - removed (CIS 3.8)
nfslock - removed (CIS 3.9)
pcmcia - removed (CIS 3.6)
portmap - removed (CIS 3.12)
rhnsd
sendmail (CIS 3.3)
References: CIS 2 & 3
Evaluation
CIS Benchmarking Tool
CIS score = 7.08
[root@hard9 cis]# egrep "^Negative" ./cis-most-recent-log
Negative: 1.3 sshd_config parameter Protocol is not set.
Negative: 1.3 sshd_config parameter Banner is not set.
Negative: 1.3 ssh_config must have 'Protocol 2' underneath Host *.
Negative: 1.4 sysstat system accounting package is NOT installed.
Negative: 3.1 umask not found in first /etc/rcX.d script /etc/rc3.d/S08iptables.
Negative: 4.1 sysctl net.ipv4.conf.default.secure_redirects=1 and should be '0'.
Negative: 4.1 sysctl net.ipv4.conf.all.secure_redirects=1 and should be '0'.
Negative: 4.1 sysctl net.ipv4.conf.all.rp_filter=0 and should be '1'.
Negative: 4.1 sysctl net.ipv4.icmp_echo_ignore_broadcasts=0 and should be '1'.
Negative: 4.1 sysctl net.ipv4.conf.all.accept_redirects=1 and should be '0'.
Negative: 4.1 sysctl net.ipv4.conf.default.accept_source_route=1 and should be '0'.
Negative: 4.1 sysctl net.ipv4.tcp_syncookies=0 and should be '1'.
Negative: 4.1 sysctl net.ipv4.conf.default.accept_redirects=1 and should be '0'.
Negative: 4.1 sysctl net.ipv4.tcp_max_syn_backlog=256 and should be >= 4096.
Negative: 4.2 sysctl net.ipv4.conf.all.send_redirects=1 and should be '0'.
Negative: 4.2 sysctl net.ipv4.conf.default.send_redirects=1 and should be '0'.
Negative: 4.2 /etc/sysctl.conf should not be world or group readable.
Negative: 6.1 /usr is not mounted nodev.
Negative: 6.1 /var is not mounted nodev.
Negative: 6.1 /home is not mounted nodev.
Negative: 6.1 /boot is not mounted nodev.
Negative: 6.2 Removable filesystem /mnt/cdrom is not mounted nosuid.
Negative: 6.2 Removable filesystem /mnt/cdrom is not mounted nodev.
Negative: 6.2 Removable filesystem /mnt/floppy is not mounted nosuid.
Negative: 6.2 Removable filesystem /mnt/floppy is not mounted nodev.
Negative: 6.3 PAM allows users to mount removable media: <floppy>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <cdrom>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <pilot>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <jaz>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <zip>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <ls120>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <camera>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <memstick>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <flash>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <diskonkey>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <rem_ide>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <rio500>. (/etc/security/console.perms)
Negative: 7.4 Couldn't open cron.allow
Negative: 7.4 Couldn't open at.allow
Negative: 7.5 The permissions on /etc/crontab are not sufficiently restrictive.
Negative: 7.7 /etc/securetty has a non console or tty 1-6 line: tty7.
Negative: 7.7 /etc/securetty has a non console or tty 1-6 line: tty8.
Negative: 7.7 /etc/securetty has a non console or tty 1-6 line: tty9.
Negative: 7.7 /etc/securetty has a non console or tty 1-6 line: tty10.
Negative: 7.7 /etc/securetty has a non console or tty 1-6 line: tty11.
Negative: 7.8 GRUB isn't password-protected.
Negative: 7.9 /etc/inittab needs a /sbin/sulogin line for single user mode.
Negative: 8.1 bin has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 daemon has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 adm has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 lp has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 mail has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 news has a valid shell of /bin/sh. Remember, an empty shell field in /etc/passwd signifies /bin/sh.
Negative: 8.1 uucp has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 operator has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 games has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 gopher has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 ftp has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 nobody has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 rpm has a valid shell of /bin/bash.
Negative: 8.1 vcsa has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 sshd has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 rpc has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 mailnull has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 smmsp has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 pcap has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.3 /etc/login.defs value PASS_MAX_DAYS = 99999, but should not exceed 90.
Negative: 8.3 /etc/login.defs value PASS_MIN_DAYS = 0, but should not be less than 7.
Negative: 8.3 /etc/login.defs value PASS_MIN_LEN = 5, but should be at least 6.
Negative: 8.10 Current umask setting in file /etc/bashrc is 022 -- it should be stronger to block world-read/write/execute.
Negative: 8.10 Current umask setting in file /etc/bashrc is 022 -- it should be stronger to block group-read/write/execute.
Negative: 8.10 Current umask setting in file /etc/csh.cshrc is 002 -- it should be stronger to block world-read/write/execute.
Negative: 8.10 Current umask setting in file /etc/csh.cshrc is 002 -- it should be stronger to block group-read/write/execute.
Negative: 8.11 Coredumps aren't deactivated.
Negative: 8.13 Pam /etc/pam.d/su does not require wheel group for su access.
Negative: 9.1 /etc/motd doesn't contain an authorized usage only banner.
Negative: 9.1 /etc/issue doesn't contain an authorized usage only banner.
Negative: 6.8 Found an unowned file /home/RESTORE/etc/ntp
Negative: 6.8 Found an unowned file /home/RESTORE/etc/ntp/step-tickers
Negative: 6.8 Found an unowned file /home/RESTORE/etc/ntp/drift
Negative: 6.8 Found an unowned file /home/RESTORE/etc/ntp/keys
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta/portsentry.c
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta/portsentry.h
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta/portsentry_io.c
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta/portsentry_io.h
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta/portsentry_util.c
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta/portsentry_util.h
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta/portsentry_config.h
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta/portsentry_tcpip.h
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta/portsentry.ignore
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta/portsentry.conf
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta/Makefile
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta/README.COMPAT
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta/README.install
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta/README.methods
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta/README.stealth
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta/CHANGES
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta/CREDITS
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta/LICENSE
Negative: 6.8 Found an unowned file /home/RESTORE/root/portsentry/portsentry_beta/ignore.csh
Negative: 6.8 Found an unowned file /home/carlisle
Negative: 6.8 Found an unowned file /home/carlisle/.bash_logout
Negative: 6.8 Found an unowned file /home/carlisle/.bash_profile
Negative: 6.8 Found an unowned file /home/carlisle/.bashrc
Negative: 6.8 Found an unowned file /home/carlisle/.bash_history
Negative: 6.8 Found an unowned file /home/RESTORE-OLD/etc/ntp
Negative: 6.8 Found an unowned file /home/RESTORE-OLD/etc/ntp/step-tickers
Negative: 6.8 Found an unowned file /homeetc/shells, leaves a user potentially able to u an unowned file /home/RESTORE-OLD/etc/ntp/keys
Negative: 6.8 Found an unowned file /var/lib/nfs/statd
Negative: 6.8 Found an unowned file /var/lib/nfs/statd/state
Negative: 6.8 Found an unowned file /var/lib/nfs/statd/sm
Negative: 6.8 Found an unowned file /var/lib/nfs/statd/sm.bak
Services
chkconfig --list | grep on | sort
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
keytable 0:off 1:on 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
random 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Processes
ps faux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 3 0.0 0.0 0 0 ? SW 23:56 0:00 [migration/1]
root 2 0.0 0.0 0 0 ? SW 23:56 0:00 [migration/0]
root 1 2.8 0.3 1364 464 ? S 23:56 0:03 init
root 4 0.0 0.0 0 0 ? SW 23:56 0:00 [keventd]
root 5 0.0 0.0 0 0 ? SWN 23:56 0:00 [ksoftirqd_CPU0]
root 6 0.0 0.0 0 0 ? SWN 23:56 0:00 [ksoftirqd_CPU1]
root 11 0.0 0.0 0 0 ? SW 23:56 0:00 [bdflush]
root 7 0.0 0.0 0 0 ? SW 23:56 0:00 [kswapd]
root 8 0.0 0.0 0 0 ? SW 23:56 0:00 [kscand/DMA]
root 9 0.0 0.0 0 0 ? SW 23:56 0:00 [kscand/Normal]
root 10 0.0 0.0 0 0 ? SW 23:56 0:00 [kscand/HighMem]
root 12 0.0 0.0 0 0 ? SW 23:56 0:00 [kupdated]
root 13 0.0 0.0 0 0 ? SW 23:56 0:00 [mdrecoveryd]
root 19 0.0 0.0 0 0 ? SW 23:56 0:00 [scsi_eh_0]
root 22 0.0 0.0 0 0 ? SW 23:56 0:00 [kjournald]
root 80 0.0 0.0 0 0 ? SW 23:56 0:00 [khubd]
root 154 0.0 0.0 0 0 ? SW 23:57 0:00 [kjournald]
root 155 0.0 0.0 0 0 ? SW 23:57 0:00 [kjournald]
root 156 0.0 0.0 0 0 ? SW 23:57 0:00 [kjournald]
root 157 0.0 0.0 0 0 ? SW 23:57 0:00 [kjournald]
root 451 0.1 0.4 1436 576 ? S 23:57 0:00 syslogd -m 0
root 455 0.0 0.3 1372 432 ? S 23:57 0:00 klogd -x
root 492 0.6 1.1 3504 1496 ? S 23:57 0:00 /usr/sbin/sshd
root 526 0.4 1.5 6748 1988 ? S 23:58 0:00 \_ /usr/sbin/sshd
joeuser 528 0.2 1.7 6788 2216 ? S 23:58 0:00 \_ [sshd]
joeuser 529 0.3 1.0 4296 1376 pts/0 S 23:58 0:00 \_ -bash
root 563 0.1 0.7 4088 920 pts/0 S 23:58 0:00 \_ [su]
root 564 0.9 1.0 4296 1376 pts/0 S 23:58 0:00 \_ -bash
root 605 0.0 0.5 2616 664 pts/0 R 23:58 0:00 \_ ps faux
root 505 0.0 0.4 1420 568 ? S 23:57 0:00 crond
root 520 0.0 0.3 1352 400 tty1 S 23:57 0:00 /sbin/mingetty tty1
root 521 0.0 0.3 1352 400 tty2 S 23:57 0:00 /sbin/mingetty tty2
root 522 0.0 0.3 1352 400 tty3 S 23:57 0:00 /sbin/mingetty tty3
root 523 0.0 0.3 1352 400 tty4 S 23:57 0:00 /sbin/mingetty tty4
root 524 0.0 0.3 1352 400 tty5 S 23:57 0:00 /sbin/mingetty tty5
root 525 0.0 0.3 1352 400 tty6 S 23:57 0:00 /sbin/mingetty tty6
Reducing remote access
Physical Access
Computer security starts with physical security. If a hacker can physically reach your computer then they will be able to break in or steal data.
Banners
http://ciac.llnl.gov/ciac/bulletins/j-043.shtml
Banner recommended by Bastille Linux script. Replace $owner with your name if you wish. If you have a company that specifies a banner, use that banner instead:
***************************************************************************
NOTICE TO USERS
This computer system is the private property of $owner, whether individual, corporate or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.
Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials. Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
****************************************************************************
Rewrite /etc/rc.d/rc.local with this file: HardeningRedHat9_Appendix#rc.local to have the above banner written to /etc/issue and /etc/issue.net. In /etc/motd the above banner will be displayed again, along with system information, once someone logs in.
Execute /etc/rc.d/rc.local so that /etc/motd, /etc/issue, and /etc/issue.net get written correctly, then set their ownership and permissions:
chown root:root /etc/motd /etc/issue /etc/issue.net
chmod 644 /etc/motd /etc/issue /etc/issue.net
References: CIS 9.1
TCP Wrappers
Setting up the TCP Wrappers banner:
mkdir /etc/banners
Write your banner message in /etc/banners/prototype, for example:
Authorized Users Only. All activity may be monitored and reported.
cd /etc/banners
/usr/bin/make -f /usr/share/doc/tcp_wrappers-7.6/Banners.Makefile
To do the above you need to have make and gcc installed. After it has been done on one computer, it could be transported to other installations with the same operating system by creating a tar file of /etc/banners.
Setting up warning message for /sbin/nologin:
cp /etc/banners/prototype /etc/nologin.txt
chown root:root /etc/nologin.txt
chmod 644 /etc/nologin.txt
/etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
ALL: LOCAL : banners /etc/banners
sshd: ALL
/etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
ALL: ALL : spawn (/bin/echo -e `/bin/date` "\n%c attempted connection to %s and was denied"\ | /bin/mail -s "Connection attempt to %s" root) &
References: SL 2.5.6.1, CIS 2.2
Secure Shell
Before you proceed with this configuration, verify that a non-root login exists: with PermitRootLogin no and AllowUsers in place, neither root nor any account missing from AllowUsers can log in over ssh.
The following changes will need to be made in /etc/ssh/sshd_config:
  Protocol 2
  PermitRootLogin no
  ChallengeResponseAuthentication no
  X11Forwarding no
  Banner /etc/issue.net
  AllowUsers joeuser        (others as needed, separated by spaces)
X11Forwarding is turned off because X is not installed on this system. On systems with X installed, turn it on only if remote X sessions are actually needed. The AllowUsers option should probably only be used on systems with a small number of users because of the administration involved: every user who is to log in remotely must be added to this line.
Restart sshd. Check the file first with sshd -t and keep your current session open while restarting, so that a typo in the configuration does not lock you out:
  service sshd restart
/etc/ssh/ssh_config
  Host *
      ForwardX11 no
      Protocol 2
Again, ForwardX11 is set to no only because there is no X installed on this system.
The complete files are found here: HardeningRedHat9_Appendix#sshd_config and HardeningRedHat9_Appendix#ssh_config
also see chroot-ing ssh http://chrootssh.sourceforge.net/index.php
References: CIS 1.3, SL 3.3.4, Simpaticus http://www.simpaticus.com/linux/barebones-server-howto.php#opensshserver
Network Kernel Parameters
/etc/sysctl.conf
  net.ipv4.tcp_max_syn_backlog = 4096
  net.ipv4.tcp_syncookies = 1
  net.ipv4.conf.all.rp_filter = 1
  net.ipv4.conf.all.accept_source_route = 0
  net.ipv4.conf.all.accept_redirects = 0
  net.ipv4.conf.all.secure_redirects = 0
  net.ipv4.conf.default.rp_filter = 1
  net.ipv4.conf.default.accept_source_route = 0
  net.ipv4.conf.default.accept_redirects = 0
  net.ipv4.conf.default.secure_redirects = 0
  net.ipv4.icmp_echo_ignore_broadcasts = 1

  # do not perform below if the system is a firewall or gateway.
  net.ipv4.ip_forward = 0
  net.ipv4.conf.all.send_redirects = 0
  net.ipv4.conf.default.send_redirects = 0
Then protect the file and apply it:
  chown root:root /etc/sysctl.conf
  chmod 0600 /etc/sysctl.conf
  service network restart
The network init script re-reads /etc/sysctl.conf when it starts (as does rc.sysinit at boot); sysctl -p does the same without taking the interfaces down. Afterwards compare what the kernel actually reports (sysctl -a, or the files under /proc/sys/net/ipv4) against the file, since a typo in a key name is silently ignored.
The complete sysctl.conf file is here: HardeningRedHat9_Appendix#sysctl.conf
References: CIS 4.1, CIS 4.2, SL 2.2.1
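The comparison just mentioned, as an added example that is not part of the original page: a small POSIX sh function that reads a sysctl.conf-style file and checks each key against the value the running kernel exposes under /proc/sys. The embedded settings are a constructed subset of the ones above; the /proc/sys root is a parameter so the check can be run against a copy for testing.

```shell
#!/bin/sh
# Added example: compare sysctl.conf settings with the running kernel.
# Blank lines and comments are skipped. Mismatches and missing keys go to
# stderr; the number of problems is printed on stdout and the function
# returns 0 so it can be used under "set -e".
#
# Usage on a live host:  check_sysctl_settings /proc/sys < /etc/sysctl.conf

# Constructed subset of the settings from this page (not the whole file).
SAMPLE_SYSCTL_CONF='# constructed sample
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_forward = 0
'

# sysctl_key_to_path KEY ROOT: net.ipv4.ip_forward -> ROOT/net/ipv4/ip_forward
sysctl_key_to_path() {
    printf '%s/%s\n' "$2" "$(printf '%s' "$1" | tr '.' '/')"
}

# check_sysctl_settings ROOT: read "key = value" lines on stdin and compare
# each with the file under ROOT (normally /proc/sys).
check_sysctl_settings() {
    root=$1
    problems=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|\#*) continue ;; esac
        key=${line%%=*};  key=$(printf '%s' "$key" | tr -d '[:space:]')
        want=${line#*=};  want=$(printf '%s' "$want" | tr -d '[:space:]')
        path=$(sysctl_key_to_path "$key" "$root")
        if [ ! -r "$path" ]; then
            echo "MISSING  $key (no $path)" >&2
            problems=$((problems + 1))
            continue
        fi
        have=$(tr -d '[:space:]' < "$path")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: running=$have wanted=$want" >&2
            problems=$((problems + 1))
        fi
    done
    echo "$problems"
}

# Demo against the live kernel when one is available; harmless elsewhere.
if [ -d /proc/sys/net/ipv4 ]; then
    n=$(printf '%s' "$SAMPLE_SYSCTL_CONF" | check_sysctl_settings /proc/sys)
    echo "sample settings with problems: $n"
fi
```

A non-zero count after `service network restart` means either a typo in the file (the key is reported as missing) or a setting the kernel did not accept.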
inittab
If X is installed, disable the graphical login by changing the default runlevel from
  id:5:initdefault:
to
  id:3:initdefault:
Reference: CIS 3.4
Require root to log into single user mode:
add
~~:S:wait:/sbin/sulogin
Reference: CIS 7.9
Disable Ctrl-Alt-Del for automatic reboot:
comment out
##ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Reference: SL 2.3.2
Remove unused login daemons
comment out
  # Run gettys in standard runlevels
  1:2345:respawn:/sbin/mingetty tty1
  # Disable gettys not being used
  ##2:2345:respawn:/sbin/mingetty tty2
  ##3:2345:respawn:/sbin/mingetty tty3
  ##4:2345:respawn:/sbin/mingetty tty4
  ##5:2345:respawn:/sbin/mingetty tty5
  ##6:2345:respawn:/sbin/mingetty tty6
SU recommends the use of GNU Screen to run multiple shell sessions instead of multiple gettys. It can be installed with: yum install screen. Run init q afterwards so that init re-reads /etc/inittab without a reboot.
The complete inittab file is in HardeningRedHat9_Appendix.
Reference: SU 506.2 2-16
chown root:root /etc/inittab chmod 644 /etc/inittab
securetty
Edit /etc/securetty so that it looks like this
  console
  tty1
chown root:root /etc/securetty chmod 400 /etc/securetty
Reference: CIS 7.7, SL 2.3.1
grub.conf
/boot/grub/grub.conf (/etc/grub.conf is a symlink to it). To force a grub password, add this line before the first uncommented line:
  password <clear-text password>
GRUB also accepts an MD5 hash instead of the clear-text password (password --md5 <hash>, with the hash produced by /sbin/grub-md5-crypt); this is preferable because the clear-text form is exposed to anyone who can read the file or a backup of it. Either way, make the file mode 600.
The complete grub file is here: HardeningRedHat9_Appendix#grub.conf
References: CIS 7.8, SL 2.1.3
Evaluation
CIS Benchmarking Tool
CIS Score: 7.78
Services
Processes
  [root@hard9 ssh]# ps faux
  USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START  TIME COMMAND
  root         1  0.0  0.3 1380  480 ?     S    05:00  0:03 init
  root         2  0.0  0.0    0    0 ?     SW   05:00  0:00 [keventd]
  root         3  0.0  0.0    0    0 ?     SW   05:00  0:00 [kapmd]
  root         4  0.0  0.0    0    0 ?     SWN  05:00  0:00 [ksoftirqd_CPU0]
  root         9  0.0  0.0    0    0 ?     SW   05:00  0:00 [bdflush]
  root         5  0.0  0.0    0    0 ?     SW   05:00  0:00 [kswapd]
  root         6  0.0  0.0    0    0 ?     SW   05:00  0:00 [kscand/DMA]
  root         7  0.0  0.0    0    0 ?     SW   05:00  0:00 [kscand/Normal]
  root         8  0.0  0.0    0    0 ?     SW   05:00  0:00 [kscand/HighMem]
  root        10  0.0  0.0    0    0 ?     SW   05:00  0:00 [kupdated]
  root        11  0.0  0.0    0    0 ?     SW   05:00  0:00 [mdrecoveryd]
  root        17  0.0  0.0    0    0 ?     SW   05:00  0:00 [scsi_eh_0]
  root        20  0.0  0.0    0    0 ?     SW   05:00  0:00 [kjournald]
  root        89  0.0  0.0    0    0 ?     SW   05:00  0:00 [khubd]
  root       163  0.0  0.0    0    0 ?     SW   05:00  0:00 [kjournald]
  root       164  0.0  0.0    0    0 ?     SW   05:00  0:00 [kjournald]
  root       165  0.0  0.0    0    0 ?     SW   05:00  0:00 [kjournald]
  root       166  0.0  0.0    0    0 ?     SW   05:00  0:00 [kjournald]
  root       497  0.0  1.1 3516 1452 ?     S    05:01  0:00 /usr/sbin/sshd
  root       535  0.0  1.5 6768 1988 ?     S    05:01  0:00  \_ /usr/sbin/sshd
  joeuser    537  0.0  1.7 6808 2244 ?     S    05:01  0:01      \_ /usr/sbin/sshd
  joeuser    538  0.0  1.1 4312 1392 pts/0 S    05:01  0:00          \_ -bash
  root       574  0.0  0.7 4104  976 pts/0 S    05:09  0:00              \_ su -
  root       575  0.0  1.1 4348 1452 pts/0 S    05:09  0:00                  \_ -bash
  root       741  0.0  0.5 2620  676 pts/0 R    06:04  0:00                      \_ ps faux
  root       510  0.0  0.4 1432  592 ?     S    05:01  0:00 crond
  root       534  0.0  0.3 1356  380 tty1  S    05:01  0:00 /sbin/mingetty tty1
  root       678  0.0  0.4 1448  604 ?     S    05:27  0:00 syslogd -m 0
  root       682  0.0  0.3 1376  456 ?     S    05:27  0:00 klogd -x
Apart from the kernel threads, only sshd, crond, the single getty and syslogd/klogd remain. Keep this listing; anything else that shows up after a reboot should be explained.
Open Files
307 Open files
netstat
nessus
Reducing local access
fstab
Following the principle of least privilege, the mount options are adjusted to restrict what each partition can be used for: nodev ignores device files, nosuid ignores setuid bits, ro prevents writes, and dropping "owner" from the removable media entries means only root can mount them.
before:
  LABEL=/      /           ext3        defaults              1 1
  LABEL=/boot  /boot       ext3        defaults              1 2
  none         /dev/pts    devpts      gid=5,mode=620        0 0
  none         /proc       proc        defaults              0 0
  none         /dev/shm    tmpfs       defaults              0 0
  LABEL=/usr   /usr        ext3        defaults              1 2
  LABEL=/var   /var        ext3        defaults              1 2
  /dev/hda7    swap        swap        defaults              0 0
  /dev/cdrom   /mnt/cdrom  udf,iso9660 noauto,owner,kudzu,ro 0 0
  /dev/fd0     /mnt/floppy auto        noauto,owner,kudzu    0 0
edit /etc/fstab
after:
  LABEL=/      /           ext3        defaults               1 1
  LABEL=/boot  /boot       ext3        nodev                  1 2
  none         /dev/pts    devpts      gid=5,mode=620         0 0
  none         /proc       proc        defaults               0 0
  none         /dev/shm    tmpfs       defaults               0 0
  LABEL=/usr   /usr        ext3        ro,nodev               1 2
  LABEL=/var   /var        ext3        [options garbled in the original] 1 2
  /dev/hda7    swap        swap        defaults               0 0
  /dev/cdrom   /mnt/cdrom  udf,iso9660 noauto,nosuid,nodev,ro 0 0
  /dev/fd0     /mnt/floppy auto        noauto,nosuid,nodev    0 0
Because /usr is now mounted as read-only, it will need to be remounted as read-write anytime updates or new applications are installed. Use the command:
mount -o remount,rw /usr
to do this, install binaries, then use:
mount -o remount,ro /usr
to return it to read-only.
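An audit of the fstab against the policy just applied, as an added example (not code from the original page). The two embedded tables are constructed copies of the before/after listings above; because the /var line of the "after" table is garbled in the original, the sample assumes nodev on /var, following the other partitions.

```shell
#!/bin/sh
# Added example: audit an fstab against the mount-option policy of this page.
# Policy, generalised from the before/after listing: every ext2/ext3
# filesystem except / carries nodev, /usr is also ro, and removable media
# (noauto entries) carry nosuid and nodev and do not carry "owner", which
# lets any console user mount them. One finding per missing/forbidden option.
#
# Usage on a live host:  audit_fstab < /etc/fstab

# has_opt OPTLIST OPT: true if OPT appears in the comma-separated list.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# audit_fstab: reads fstab lines on stdin, prints one finding per line.
audit_fstab() {
    while read -r dev mnt type opts rest || [ -n "$dev" ]; do
        case $dev in ''|\#*) continue ;; esac
        case $type in
            ext2|ext3)
                if [ "$mnt" != / ]; then
                    has_opt "$opts" nodev || echo "$mnt: missing nodev"
                fi
                if [ "$mnt" = /usr ]; then
                    has_opt "$opts" ro || echo "$mnt: not mounted read-only"
                fi
                ;;
            swap|proc|devpts|tmpfs)
                ;;   # swap and pseudo filesystems: nothing to check here
            *)
                if has_opt "$opts" noauto; then
                    has_opt "$opts" nosuid || echo "$mnt: removable media without nosuid"
                    has_opt "$opts" nodev  || echo "$mnt: removable media without nodev"
                    if has_opt "$opts" owner; then
                        echo "$mnt: 'owner' lets console users mount it"
                    fi
                fi
                ;;
        esac
    done
    return 0
}

# Constructed copies of the page's before/after tables (nodev on /var is an
# assumption; that line is garbled in the original).
FSTAB_BEFORE='LABEL=/      /           ext3        defaults              1 1
LABEL=/boot  /boot       ext3        defaults              1 2
none         /dev/pts    devpts      gid=5,mode=620        0 0
none         /proc       proc        defaults              0 0
none         /dev/shm    tmpfs       defaults              0 0
LABEL=/usr   /usr        ext3        defaults              1 2
LABEL=/var   /var        ext3        defaults              1 2
/dev/hda7    swap        swap        defaults              0 0
/dev/cdrom   /mnt/cdrom  udf,iso9660 noauto,owner,kudzu,ro 0 0
/dev/fd0     /mnt/floppy auto        noauto,owner,kudzu    0 0'
FSTAB_AFTER='LABEL=/      /           ext3        defaults               1 1
LABEL=/boot  /boot       ext3        nodev                  1 2
none         /dev/pts    devpts      gid=5,mode=620         0 0
none         /proc       proc        defaults               0 0
none         /dev/shm    tmpfs       defaults               0 0
LABEL=/usr   /usr        ext3        ro,nodev               1 2
LABEL=/var   /var        ext3        nodev                  1 2
/dev/hda7    swap        swap        defaults               0 0
/dev/cdrom   /mnt/cdrom  udf,iso9660 noauto,nosuid,nodev,ro 0 0
/dev/fd0     /mnt/floppy auto        noauto,nosuid,nodev    0 0'

echo "findings before:"
printf '%s\n' "$FSTAB_BEFORE" | audit_fstab
echo "findings after: $(printf '%s\n' "$FSTAB_AFTER" | audit_fstab | wc -l)"
```

Run it again after every fstab change and after package updates, and compare with /proc/mounts as well: fstab only says what should be mounted, /proc/mounts says what is.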
removable media
Make it so that only root gets access to removable media. The fstab change above already removed the "owner" option, so ordinary users can no longer mount these devices; /etc/security/console.perms additionally hands ownership of the device nodes to whoever is logged in on the console, so comment those lines out as well.
edit /etc/security/console.perms
comment out the following lines:
  ##<console> 0660 <floppy> 0660 root.floppy
  ##<console> 0600 <cdrom> 0660 root.disk
  ##<console> 0600 <pilot> 0660 root.uucp
  ##<console> 0600 <jaz> 0660 root.disk
  ##<console> 0600 <zip> 0660 root.disk
  ##<console> 0600 <ls120> 0660 root.disk
  ##<console> 0600 <camera> 0600 root
  ##<console> 0600 <memstick> 0600 root
  ##<console> 0600 <flash> 0600 root
  ##<console> 0600 <diskonkey> 0660 root.disk
  ##<console> 0600 <rem_ide> 0660 root.disk
  ##<console> 0600 <rio500> 0600 root
chmod 600 /etc/security/console.perms
References: CIS 6.3
cron & at
Restrict the adding of cron and at jobs to root. Jobs can still run as other users, but only root can install them.
Remove /etc/cron.deny (and /etc/at.deny) if they exist, and edit /etc/cron.allow and /etc/at.allow so that root is the only entry in each. Then:
  chown root:root /etc/cron.allow /etc/at.allow
  chmod 400 /etc/cron.allow /etc/at.allow
Reference: CIS 7.4
chmod 400 /etc/crontab chmod -R go-rwx /etc/cron.*
Reference: CIS 7.5
remove unused accounts
Back up /etc/passwd, /etc/group and /etc/shadow first.
remove accounts: uucp games gopher operator
  userdel uucp
  userdel operator
  userdel games
  userdel gopher
also:
  userdel adm
  userdel news
  userdel ftp
  userdel pcap
remove groups: uucp games gopher dip
  groupdel uucp
  groupdel dip
  groupdel games
  groupdel gopher      (may already be gone because the gopher account was removed)
search for accounts from uninstalled packages (SL 2.4.2)
verify passwd & group
  /usr/sbin/pwck
  /usr/sbin/grpck
find files that are owned by deleted users or groups
  find / -nouser -exec /bin/chown root {} \;
  find / -nogroup -exec /bin/chgrp root {} \;
(/bin/group is not a command; chgrp changes the group.) It is worth listing the orphaned files first, using find's -ls action instead of -exec, so that a file left behind by a removed account can be judged before it silently becomes root's.
Change the shell on system accounts to /dev/null or /sbin/nologin.
CIS recommends changing the shell from /sbin/nologin to /dev/null on these accounts:
  bin daemon lp mail nobody vcsa sshd rpc mailnull smmsp ntp rpm
use (the -L also locks the password):
  usermod -L -s /dev/null <account>
SL instead keeps /sbin/nologin, which prints /etc/nologin.txt to anyone who reaches an account with that shell; edit /etc/nologin.txt to set the message.
Reference: CIS 8.1, SL 2.4.2
passwords
Default values:
  Maximum password age: 99999 days (never expires)
  Minimum password age between changes: 0 days
  Warning period: 7 days before the maximum age is reached
  Minimum password length: 5 characters
Recommended values by CIS:
  Maximum password age: 90 days
  Minimum password age between changes: 7 days
  Warning period: 28 days
  Minimum password length: 6 characters
Recommended values by SL:
  Maximum password age: 180 days
  Minimum password age between changes: 2 days
  Warning period: 7 days
  Minimum password length: 5 characters
edit /etc/login.defs
  ##PASS_MAX_DAYS 99999
  PASS_MAX_DAYS   90
  ##PASS_MIN_DAYS 0
  PASS_MIN_DAYS   7
  ##PASS_MIN_LEN  5
  PASS_MIN_LEN    6
  ##PASS_WARN_AGE 7
  PASS_WARN_AGE   28
On RedHat 9 the minimum length is actually enforced by pam_cracklib in /etc/pam.d/system-auth (its minlen option), not by PASS_MIN_LEN, so set it there as well.
for existing accounts:
chage -M 90 -m 7 -W 28 <account>
for all existing accounts with uid 500 or above (nfsnobody, uid 65534, is a system account and is skipped):
  awk -F: '$3 >= 500 && $1 != "nfsnobody" { system("chage -M 90 -m 7 -W 28 " $1) }' /etc/passwd
Reference: CIS 8.3, SL 2.4.1
umask
services: edit /etc/rc.d/init.d/functions and change
  umask 022
to
  umask 027
Reference: CIS 8.13
edit /etc/profile and /etc/csh.login: append
  umask 077
to each file, then
  chmod 444 /etc/profile /etc/csh.login
/etc/csh.cshrc: comment out the block
  ##if $status then
  ##    umask 022
  ##else
  ##    umask 002
  ##endif
and replace it with
  umask 077
  chmod 444 /etc/csh.cshrc
/etc/bashrc: change umask 022 to umask 077 and umask 002 to umask 007, then
  chmod 444 /etc/bashrc
/root/.bash_profile, /root/.bashrc, /root/.cshrc and /root/.tcshrc (tcsh has been removed from this system, but if it is present treat its file the same way): append
  umask 077
SL notes that this may result in a warning message during the upgrade of some packages.
References: CIS 8.10, SL 2.4.5
logout of inactive sessions
for bash, edit /etc/profile and add
  # logout after 15 minutes
  TMOUT=900
Export it and mark it readonly (readonly TMOUT; export TMOUT), otherwise a user can simply unset it in the shell.
for csh, edit /etc/csh.cshrc and add
  # logout after 15 minutes
  set autologout=15
Reference: SL 2.4.5.1
limits.conf
Prevent core dumps: edit /etc/security/limits.conf
  #*   soft  core   0
  *    soft  core   0
  #*   hard  rss    10000
  *    hard  core   0
limit users to 150 concurrent processes
  *    hard  nproc  150
Not necessary, but this file can also limit the maximum file size (the value is in KB): limit file sizes to 100 MB
  *    hard  fsize  102400
These limits are applied by pam_limits when a session is opened, so they cover login sessions and not daemons started at boot.
Reference: CIS 8.11, SL 2.4.6.1
suid audit
Determine the list of suid and sgid programs on each filesystem (-xdev keeps find on one filesystem, so run it once per mounted partition):
  find <partition> \( -perm -04000 -o -perm -02000 \) -type f -xdev -print
Removing suid privileges:
  chmod u-s <program>
Adding suid privileges:
  chmod u+s <program>
Candidates for having the bit removed, if ordinary users do not need them:
  mount/umount ping at usernetctl
Keep the output of the find command as a baseline and compare against it periodically; a setuid file that was not there before is one of the commonest signs of a compromise.
References: BL - FilePermissions, CIS 6.7
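The baseline comparison just described, as an added example that is not code from the original page: list_setid produces a sorted inventory of setuid/setgid files (mode, owner, group, path) for one filesystem, and setid_diff reports what appeared or disappeared relative to a saved inventory. The baseline path /var/lib/setid.baseline in the usage comment is an assumption; store it wherever an attacker who gains root cannot quietly rewrite it (read-only media or another host).

```shell
#!/bin/sh
# Added example: inventory setuid/setgid files and diff against a baseline.
#   list_setid ROOT            one line per file: mode owner group path, sorted
#   setid_diff BASELINE ROOT   prints "+ ..." for new and "- ..." for removed
#                              entries; empty output means nothing changed
# Usage on a live host (assumed baseline location):
#   list_setid / > /var/lib/setid.baseline
#   setid_diff /var/lib/setid.baseline /

list_setid() {
    # -xdev stays on one filesystem, as in the find command on this page;
    # ls -ld gives mode, owner and group without GNU-only find options.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | sort
}

setid_diff() {
    baseline=$1
    root=$2
    tab=$(printf '\t')
    current=$(mktemp) || return 1
    list_setid "$root" > "$current"
    # comm -3 drops lines common to both files; lines only in the current
    # inventory arrive with a leading tab, lines only in the baseline without.
    comm -3 "$baseline" "$current" |
        sed -e "s/^$tab/+ /" -e t -e "s/^/- /"
    rm -f "$current"
    return 0
}

# Demo: count the setuid/setgid files under /bin (nothing is changed).
if [ -d /bin ]; then
    echo "setuid/setgid files under /bin: $(list_setid /bin | wc -l)"
fi
```

Run setid_diff from cron against a baseline refreshed only after deliberate package installs; any "+" line that does not correspond to an update you made deserves an immediate look.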
su and sudo
Important note about "su" and "su -"
su - <account> starts a login shell, so the target account's environment (PATH and the rest of its profile) replaces the caller's; plain su keeps the caller's environment, which is why su - is the form to use when becoming root.
UPDATE: see new CIS Benchmark 8.13
edit /etc/pam.d/su and enable this line:
  # Uncomment the following line to require a user to be in the "wheel" group.
  auth  required  /lib/security/$ISA/pam_wheel.so use_uid
Add users to the wheel group with:
  usermod -G joeuser,wheel joeuser
Note that usermod -G replaces the user's whole list of supplementary groups, so every group the user should keep must be listed; gpasswd -a joeuser wheel adds the one group without touching the others.
sudo
visudo
  # sudoers file.
  #
  # This file MUST be edited with the 'visudo' command as root.
  #
  # See the sudoers man page for the details on how to write a sudoers file.
  #

  # Host alias specification

  # User alias specification

  # Cmnd alias specification

  # Defaults specification

  # User privilege specification
  root    ALL=(ALL) ALL

  # Uncomment to allow people in group wheel to run all commands
  %wheel  ALL=(ALL) ALL

  # Same thing without a password
  # %wheel  ALL=(ALL) NOPASSWD: ALL

  # Samples
  # %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
  # %users  localhost=/sbin/shutdown -h now
With pam_wheel on su and %wheel ALL=(ALL) ALL in sudoers, membership of wheel is equivalent to root; keep the group small, and give users who only need one task a per-command entry like the samples instead.
Evaluation
CIS Score: 10.0
Enhancing Logging
time
In order to get logs with accurate times, one needs to have an accurate clock.
If not installed, install ntp (this also requires libcap).
edit /etc/ntp.conf
edit /etc/ntp/
Sidenote: one can use a gps unit as a time source for ntp. (researching) see http://www.boulder.nist.gov/timefreq/service/gpscal.htm
References: CIS 5
http://www.ntp.org/ http://www.ntp.org/ntpfaq/NTP-a-faq.htm http://www.sun.com/blueprints/0701/NTP.pdf http://www.sun.com/blueprints/0801/NTPpt2.pdf
Logs are frequently reported to administrators by email. Unlike previous versions of sendmail, version 8.12 submits mail through a separate client configuration (submit.cf) that hands it to the daemon on 127.0.0.1, so outgoing mail needs the daemon to be running unless a specific mail relay has been specified.
edit /etc/mail/submit.cf
find:
  D{MTAHost}[127.0.0.1]
replace 127.0.0.1 with the IP address of the mail relay. If submit.cf is later regenerated from submit.mc, the change has to be made there too.
to turn off the MTA daemon edit /etc/sysconfig/sendmail and set
  DAEMON=no
If the mail daemon needs to run, make sure that /etc/hosts.allow permits local connections, else mail submitted on the same computer will not reach the sendmail daemon:
  sendmail: 127.0.0.1
Reference: SU 506.2 2-18
sysstat
yum install sysstat
Documentation for sysstat
http://perso.wanadoo.fr/sebastien.godard/
Reference: CIS 1.5
syslog
Add the following to /etc/syslog.conf
  # If you have a remote logging host, uncomment the lines corresponding to
  # the types of messages you want to forward to it. Replace the string
  # loghost with the IP address of your central logging server.
  #kern.*                                          @loghost
  #authpriv,auth.*                                 @loghost
  #mail.*                                          @loghost
  # or to send everything
  #*.*                                             @loghost
  ################

  # Log all kernel messages to the console.
  # Logging much else clutters up the screen.
  #kern.*                                          /dev/console
  kern.*                                           /dev/console

  # Send kernel messages to a separate file. Note this will
  # include messages generated by iptables about blocked
  # network traffic.
  kern.*                                           /var/log/kernel

  # Log anything (except mail) of level info or higher.
  # Don't log private authentication messages!
  ##*.info;mail.none;authpriv.none;cron.none       /var/log/messages
  *.info;authpriv,auth,mail,cron,kern,local7.none  /var/log/messages

  # The authpriv file has restricted access.
  ##authpriv.*                                     /var/log/secure
  # capture auth messages also
  auth,authpriv.*                                  /var/log/secure
Create the file for the kernel log and set its permissions (syslogd runs as root, so 400 is enough):
  touch /var/log/kernel
  chmod 400 /var/log/kernel
Remote logging is the one change here that survives a compromise of the host: an attacker who gets root can edit the local files but not the copy already on the loghost, so uncomment the @loghost lines wherever a central server exists.
References: CIS 5.2, SL 2.8.1.1, SL Appendix B
logrotate
edit /etc/logrotate.conf
  # rotate log files weekly
  ##weekly
  monthly

  # keep 4 weeks worth of backlogs
  #rotate 4
  rotate 12

  # uncomment this if you want your log files compressed
  #compress
  compress
edit /etc/logrotate.d/syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/kernel {
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
Restart syslogd
/sbin/service syslog restart
Force log rotation to verify all is correct.
/usr/sbin/logrotate -f /etc/logrotate.conf
Reference: SL 2.8.2.1, SL 2.8.2.2
logwatch
Configuring logwatch:
  vi /etc/log.d/logwatch.conf
Change MailTo = to an address of your choice. You will be emailed nightly.
References: http://www.logwatch.org
logcheck
Installing logcheck (gcc must be installed), see http://sourceforge.net/projects/sentrytools/
download logcheck-1.1.1.tar.gz
  tar -xvzf logcheck-1.1.1.tar.gz
  cd logcheck-1.1.1
  make linux
Set the address the reports are mailed to:
  vi /usr/local/etc/logcheck.sh
Add to root's crontab so that it runs hourly:
  00 * * * * /usr/local/etc/logcheck.sh
Verify that only root can use the directory /usr/local/etc/tmp (logcheck keeps its working files there).
Note: this location will need to be changed if /usr is made read-only, since logcheck must be able to write its state files between runs.
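Logcheck and logwatch match patterns against the files the syslog changes above produce; the following added example (not code from the original page or from either tool) shows what such matching looks like over /var/log/secure once auth,authpriv.* is sent there. The sample lines are constructed in the formats RedHat 9's sshd (openssh 3.5p1), its tcp_wrappers support and pam_unix write, using the hostname hard9 from the process listing on this page; the addresses and times are invented.

```shell
#!/bin/sh
# Added example: summarise /var/log/secure style messages.
# Sample lines are constructed, not from a real host.
SAMPLE_SECURE='Jan 10 05:01:12 hard9 sshd[535]: Failed password for illegal user admin from 10.0.0.5 port 4312 ssh2
Jan 10 05:01:15 hard9 sshd[535]: Failed password for illegal user admin from 10.0.0.5 port 4313 ssh2
Jan 10 05:01:20 hard9 sshd[536]: Failed password for joeuser from 10.0.0.5 port 4314 ssh2
Jan 10 05:01:40 hard9 sshd[537]: Accepted password for joeuser from 192.168.1.20 port 1022 ssh2
Jan 10 05:02:00 hard9 sshd[540]: refused connect from 10.0.0.9 (10.0.0.9)
Jan 10 05:09:00 hard9 su(pam_unix)[574]: session opened for user root by joeuser(uid=500)
Jan 10 05:30:00 hard9 sshd[560]: Failed password for root from 10.0.0.7 port 2000 ssh2
'

# failed_logins_by_source LOGFILE: "count address" per source, busiest first.
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (a in n) print n[a], a }' "$1" | sort -rn
}

# count_failed_passwords LOGFILE: total failed password attempts.
count_failed_passwords() {
    awk '/sshd\[[0-9]+\]: Failed password for/ { c++ } END { print c + 0 }' "$1"
}

# count_root_attempts LOGFILE: password attempts against root. PermitRootLogin
# no refuses them, but they are still logged and worth counting.
count_root_attempts() {
    awk '/Failed password for root from/ { c++ } END { print c + 0 }' "$1"
}

# count_refused_connects LOGFILE: connections tcp_wrappers turned away.
count_refused_connects() {
    awk '/sshd\[[0-9]+\]: refused connect from/ { c++ } END { print c + 0 }' "$1"
}

# root_sessions LOGFILE: which users became root through su, one per line.
root_sessions() {
    awk '/su\(pam_unix\)\[[0-9]+\]: session opened for user root by/ {
             by = $NF; sub(/\(.*$/, "", by); print by
         }' "$1"
}

# Demo on the constructed sample.
demo=$(mktemp)
printf '%s' "$SAMPLE_SECURE" > "$demo"
echo "failed passwords: $(count_failed_passwords "$demo") (against root: $(count_root_attempts "$demo"))"
echo "refused by tcp_wrappers: $(count_refused_connects "$demo")"
echo "busiest sources:"
failed_logins_by_source "$demo"
echo "su to root by: $(root_sessions "$demo" | sort -u | tr '\n' ' ')"
rm -f "$demo"
```

Point the functions at /var/log/secure (or at the rotated copies) to get the same summary for the real file; anyone in the su-to-root list who is not in the wheel group you expect is the first thing to chase.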
process accounting
  yum install psacct
  service psacct start
ac - displays statistics about how long users have been logged on
lastcomm - displays information about previously executed commands
sa - summarizes information about previously executed commands
Firewall
system-config-securitylevel
/usr/bin/system-config-securitylevel
Easy Firewall Generator
http://easyfwgen.morizot.net/gen/
Shorewall
http://www.shorewall.net/
Download the rpm package
  wget http://www.invoca.ch/pub/packages/shorewall/2.2/shorewall-2.2.1/shorewall-2.2.1-2.noarch.rpm
Unstated dependency on which
  yum install which
  rpm -ivh shorewall-2.2.1-2.noarch.rpm
Check the package signature with rpm --checksig before installing it, since it is fetched over plain http.
Read Quickguides
http://www.shorewall.net/shorewall_quickstart_guide.htm
Download one of these pre-written configuration files:
  wget http://www1.shorewall.net/pub/shorewall/Samples/samples-2.2.0/one-interface.tgz
  wget http://www1.shorewall.net/pub/shorewall/Samples/samples-2.2.0/two-interfaces.tgz
  wget http://www1.shorewall.net/pub/shorewall/Samples/samples-2.2.0/three-interfaces.tgz
Copy these files into /etc/shorewall
chown root:root /etc/shorewall/* chmod 600 /etc/shorewall/*
Modify files in /etc/shorewall
Disable the stock iptables script so that the two do not fight over the rules, then start shorewall:
  chkconfig iptables off
  service iptables stop
  service shorewall start
Also enable shorewall at boot (chkconfig shorewall on), otherwise the machine comes up with no firewall after the next reboot.
To restart shorewall, always stop it and start it again:
  service shorewall stop
  service shorewall start
Blacklists: http://www.shorewall.net/blacklisting_support.htm
Applications
compilers
sometimes binaries are not available and you need to compile a binary. This configuration does not contain compilers. It would be best to have a separate machine to do development on, but that is not always the case.
researching: determining what to install
yum install make
  Gathering header information file(s) from server(s)
  Server: Fedora Core 9 - i386 - Base
  Server: Fedora Core 9 - i386 - Released Updates
  Finding updated packages
  Downloading needed headers
  Resolving dependencies
  Dependencies resolved
  I will do the following:
  [install: make 1:3.79.1-17.i386]
  Is this ok [y/N]: y
  Getting make-3.79.1-17.i386.rpm
  Calculating available disk space - this could take a bit
  make 100 % done 1/1
  Installed: make 1:3.79.1-17.i386
  Transaction(s) Complete
yum install gcc
  Gathering header information file(s) from server(s)
  Server: Fedora Linux / stable for Red Hat Linux 9 (i386)
  Server: Red Hat Linux 9 (i386)
  Server: Red Hat Linux 9 (i386) updates
  Finding updated packages
  Downloading needed headers
  Resolving dependencies
  ..Dependencies resolved
  I will do the following:
  [install: gcc 3.2.2-5.i386]
  I will install/upgrade these to satisfy the dependencies:
  [deps: binutils 2.13.90.0.18-9.i386]
  [deps: glibc-kernheaders 2.4-8.10.i386]
  [deps: glibc-devel 2.3.2-27.9.7.i386]
  [deps: cpp 3.2.2-5.i386]
removing the compiler afterwards:
  yum remove gcc gcc3 gcc3-c++ gcc3-g77 gcc3-java gcc3-objc gcc-c++ gcc-chill gcc-g77 gcc-java gcc-objc bin86 dev86 nasm
Reference: CIS 8.12
sendmail
http://www.deer-run.com/~hal/dns-sendmail/ http://www.deer-run.com/~hal/sysadmin/sendmail.html http://www.deer-run.com/~hal/sysadmin/sendmail2.html
syslog-ng
http://www.balabit.com/products/syslog_ng/
aide
http://www.cs.tut.fi/~rammer/aide.html http://sourceforge.net/projects/aide
bind
apache
vsftp
vpn
http://www.openswan.org/
intrusion detection
portsentry
http://sourceforge.net/projects/sentrytools/
snort
http://www.snort.org/
Changing Administration Behavior
Adding Users
useradd <account>
To allow the user to log in with ssh, add <account> to the AllowUsers line in /etc/ssh/sshd_config, for example:
  AllowUsers joeuser <account>
then restart sshd:
service sshd restart
To allow user to use su
gpasswd -a <account> wheel
Install/Updating Software
Because /usr is now mounted as read-only, it will need to be remounted as read-write anytime updates or new applications are installed. Use the command:
mount -o remount,rw /usr
to do this, install binaries, then use:
mount -o remount,ro /usr
to return it to read-only.
Installing new hardware
Before shutting down the machine, re-enable kudzu so that it runs at the next boot:
  chkconfig kudzu on
  halt
Install the hardware, then boot. After kudzu has detected the hardware:
  service kudzu stop
  chkconfig kudzu off
Security Checks
These conditions exist if one followed the steps above. They are added for the purpose of doing security checks.
system utilites
ps
netstat
lsof
CIS Benchmarking Tool
confirm that password-less accounts do not exist
awk -F: '($2 == "") {print $1}' /etc/shadow
should return empty.
Reference: SL 2.4.4
chkrootkit
http://www.chkrootkit.org/
aide
nessus
Other References
O'Reilly Book: Building Secure Servers with Linux
http://www.oreilly.com/catalog/bssrvrlnx/
http://www.fedorafaq.org/ http://www.fedoraforum.org/ http://www.mjmwired.net/resources/mjm-fedora-fc2.shtml http://www.stud.uni-karlsruhe.de/~usge/fc2_install_notes.html http://fedoranews.org/colin/fnu/issue12.shtml http://fedoranews.org/colin/fnu/issue13.shtml http://fedoranews.org/colin/fnu/issue14.shtml http://users.netwit.net.au/~pursang/game.html
This page was last modified 18:11, 2 Oct 2007.

