
Secure Configuration Standard CentOS Linux (hardening CentOS)


1.        Overview

1.1         Introduction

This document aims to serve as a secure configuration standard for CentOS.

1.2         Objective

The document aims to provide a common security baseline and is for internal circulation only.

1.3         Index terms


2.        Hardening CentOS configuration

2.1         Install Updates, Patches and Additional Security Software

2.1.1.      Filesystem Configuration

2.1.1.1.     Create separate partition for /tmp

·         # cp /etc/fstab /etc/fstab.bak
·         # cd /var
·         # dd if=/dev/zero of=tmpMnt bs=1024 count=1048576
·         # mkfs.ext3 -j /var/tmpMnt (press Y when asked)
·         # cp -Rp /tmp /tmp_backup
·         # mount -o loop,noexec,nosuid,rw /var/tmpMnt /tmp
·         # chmod 1777 /tmp
·         # cp -Rp /tmp_backup/* /tmp/
·         # rm -rf /tmp_backup
·         # echo "/var/tmpMnt /tmp ext3 loop,rw,noexec,nosuid,nodev 0 0" >> /etc/fstab
·         # rm -rf /var/tmp/
·         # ln -s /tmp/ /var/tmp

2.1.1.2.     Set nodev option for /tmp partition

·         # mount -o remount,nodev /tmp

2.1.1.3.     Set nosuid option for /tmp partition

·         # mount -o remount,nosuid /tmp

2.1.1.4.     Set noexec option for /tmp Partition

·         # mount -o remount,noexec /tmp

2.1.1.5.     Create Separate Partition for /var

·         For new installations, check the box to "Review and modify partitioning" and create a separate partition for /var.
·         For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions.

2.1.1.6.     Bind Mount the /var/tmp directory to /tmp

·         # mount --bind /tmp /var/tmp
·         Edit the /etc/fstab file to contain the following line: /tmp /var/tmp none bind 0 0

2.1.1.7.     Create Separate Partition for /var/log

·         For new installations, check the box to "Review and modify partitioning" and create a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions

2.1.1.8.     Create Separate Partition for /var/log/audit

·         For new installations, check the box to "Review and modify partitioning" and create a separate partition for /var/log/audit. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions.

2.1.1.9.     Create Separate Partition for /home

·         For new installations, check the box to "Review and modify partitioning" and create a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions

2.1.1.10. Add nodev option to /home

·         # mount -o remount,nodev /home

2.1.1.11. Add nodev Option to /dev/shm Partition

·         # mount -o remount,nodev /dev/shm

2.1.1.12. Add nosuid Option to /dev/shm Partition

·         # mount -o remount,nosuid /dev/shm

2.1.1.13. Add noexec Option to /dev/shm Partition

·         # mount -o remount,noexec /dev/shm

2.1.1.14. Set Sticky Bit on All World-Writable Directories

·         # df --local -P | awk '{ if (NR != 1) print $6 }' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
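The mount options above are easy to set in /etc/fstab and then forget to remount, so an added example (not part of the standard) follows: a POSIX shell audit that reads /proc/mounts-format lines and reports, per mount point, which of the options required in 2.1.1.2 to 2.1.1.13 are missing. The mount table it checks by default is a constructed sample; --live reads the host's /proc/mounts.

```sh
#!/bin/sh
# Added example, not part of the standard: audit the mount options that
# 2.1.1.2-2.1.1.4 and 2.1.1.10-2.1.1.13 require, reading /proc/mounts-format
# lines ("<device> <mountpoint> <fstype> <options> <dump> <pass>"). Checking
# the live mount table rather than /etc/fstab catches the common failure where
# fstab was edited but the filesystem was never remounted. The table below is
# a constructed sample for the demonstration.

SAMPLE_MOUNTS='/dev/mapper/vg-root / ext4 rw,relatime 0 0
/var/tmpMnt /tmp ext3 rw,nosuid,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-home /home ext4 rw,relatime 0 0'

# mount_opts <mountpoint> <mounts-text>
# Prints the option field of <mountpoint>, or nothing if it is not a mount point.
mount_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# missing_opts <mountpoint> <required,options> <mounts-text>
# Prints each required option that is absent, one per line.
# Returns 0 if all are present, 1 if some are missing, 2 if the path is not a
# separate mount point at all (e.g. /tmp still living on the root filesystem).
missing_opts() {
    opts=$(mount_opts "$1" "$3")
    [ -n "$opts" ] || return 2
    rc=0
    for want in $(printf '%s' "$2" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;
            *) printf '%s\n' "$want"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_mounts <mounts-text>
# Runs the checks of section 2.1.1 and prints one PASS/FAIL line per mount
# point. Returns the number of failed checks.
audit_mounts() {
    fails=0
    while read -r mp req; do
        rc=0
        miss=$(missing_opts "$mp" "$req" "$1") || rc=$?
        case $rc in
            0) printf 'PASS %-9s has %s\n' "$mp" "$req" ;;
            2) printf 'FAIL %-9s is not a separate mount point\n' "$mp"
               fails=$((fails + 1)) ;;
            *) printf 'FAIL %-9s missing %s\n' "$mp" "$(printf '%s' "$miss" | tr '\n' ' ')"
               fails=$((fails + 1)) ;;
        esac
    done <<EOF
/tmp nodev,nosuid,noexec
/dev/shm nodev,nosuid,noexec
/home nodev
EOF
    return $fails
}

# Audit the constructed sample by default; pass --live to audit this host.
if [ "${1:-}" = "--live" ]; then
    audit_mounts "$(cat /proc/mounts)"
else
    audit_mounts "$SAMPLE_MOUNTS"
fi || echo "$? mount check(s) failed"
```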

2.1.2.      Configure Software Updates

2.1.2.1.     Verify Red Hat GPG Key is Installed

·         # gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

2.1.2.2.     Verify that gpgcheck is Globally Activated

·         Edit the /etc/yum.conf file and set gpgcheck to 1 as follows: gpgcheck=1

2.1.3.      Advanced Intrusion Detection Environment (AIDE)

2.1.3.1.     Install AIDE

·         # yum install aide
·         # /usr/sbin/aide --init
·         # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

2.1.3.2.     Implement Periodic Execution of File Integrity

·         Execute the following command: # crontab -u root -e
·         Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check

2.1.4.      Configure SELinux

2.1.4.1.     Enable SELinux in /etc/grub.conf

·         # ed /etc/grub.conf
g/selinux=0/s///g
g/enforcing=0/s///g
w
q

2.1.4.2.     Set the SELinux State

·         # ed /etc/selinux/config
g/SELINUX=/d
$a
SELINUX=enforcing
.
w
q

2.1.4.3.     Set the SELinux Policy

·         # ed /etc/selinux/config
g/SELINUXTYPE=/d
$a
SELINUXTYPE=targeted
.
w
q

2.1.4.4.     Remove SETroubleshoot

·         # yum erase setroubleshoot

2.1.4.5.     Remove MCS Translation Service (mcstrans)

·         # yum erase mcstrans

2.1.4.6.     Check for Unconfined Daemons

·         Investigate any unconfined daemons found during the audit action.

2.1.5.      Secure Boot Settings

2.1.5.1.     Set User/Group Owner on /etc/grub.conf

·         # chown root:root /etc/grub.conf

2.1.5.2.     Set Permissions on /etc/grub.conf

·         # chmod og-rwx /etc/grub.conf

2.1.5.3.     Set Boot Loader Password

·         Create the MD5 password hash:  # grub-md5-crypt
·         # vi /etc/grub.conf
·         Insert a password line with the hash generated by grub-md5-crypt just below the title menu, as in the figure below
·         Save the file with ":wq!"

2.1.5.4.     Require Authentication for Single-User Mode

·         # sed -i "/SINGLE/s/sushell/sulogin/" /etc/sysconfig/init
·         # sed -i "/PROMPT/s/yes/no/" /etc/sysconfig/init

2.1.5.5.     Disable Interactive Boot

·         Set the PROMPT parameter in /etc/sysconfig/init to no

2.1.6.      Additional Process Hardening

2.1.6.1.     Restrict Core Dumps

·         Add the following line to the /etc/security/limits.conf file: * hard core 0 
·         Add the following line to the /etc/sysctl.conf file: fs.suid_dumpable = 0

2.1.6.2.     Configure ExecShield

·         Add the following line to the /etc/sysctl.conf file: kernel.exec-shield = 1

2.1.6.3.     Enable Randomized Virtual Memory Region Placement

·         Add the following line to the /etc/sysctl.conf file: kernel.randomize_va_space = 2

2.2         OS Services

2.2.1.      Remove Legacy Services

2.2.1.1.     Remove telnet-server

·         # yum erase telnet-server

2.2.1.2.     Remove telnet Clients

·         # yum erase telnet

2.2.1.3.     Remove rsh-server

·         # yum erase rsh-server

2.2.1.4.     Remove rsh

·         # yum erase rsh

2.2.1.5.     Remove NIS Client

·         # yum erase ypbind

2.2.1.6.     Remove NIS Server

·         # yum erase ypserv

2.2.1.7.     Remove tftp

·         # yum erase tftp

2.2.1.8.     Remove tftp-server

·         # yum erase tftp-server

2.2.1.9.     Remove talk

·         # yum erase talk

2.2.1.10. Remove talk-server

·         # yum erase talk-server

2.2.1.11. Remove xinetd

·         # yum erase xinetd

2.2.1.12. Disable chargen-dgram

·         # chkconfig chargen-dgram off

2.2.1.13. Disable chargen-stream

·         # chkconfig chargen-stream off

2.2.1.14. Disable daytime-dgram

·         # chkconfig daytime-dgram off

2.2.1.15. Disable daytime-stream

·         # chkconfig daytime-stream off

2.2.1.16. Disable echo-dgram

·         # chkconfig echo-dgram off

2.2.1.17. Disable echo-stream

·         # chkconfig echo-stream off

2.2.1.18. Disable tcpmux-server

·         # chkconfig tcpmux-server off

2.3         Special Purpose Services

2.3.1.      Set Daemon umask

·         Add the following line to the /etc/sysconfig/init file: umask 027

2.3.2.      Remove X Windows

·         # ed /etc/inittab
/^id:/
s/:5:/:3:/
w
q
·         # yum groupremove "X Window System"

2.3.3.      Disable Avahi Server

·         # chkconfig avahi-daemon off
·         Edit the /etc/sysconfig/network file and remove zeroconf

2.3.4.      Remove DHCP Server

·         # yum erase dhcp

2.3.5.      Configure Network Time Protocol (NTP)

·         # cp /etc/ntp.conf /tmp/ntp.conf.$$
·         # egrep -v '(restrict default|restrict -6 default)' /tmp/ntp.conf.$$ > /etc/ntp.conf
·         # ed /etc/ntp.conf
0a
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
.
w
q
·         Specify the NTP server with a server line in /etc/ntp.conf: server <ntp-server>

2.3.6.      Configure Mail Transfer Agent for Local-Only Mode

·         Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below.
inet_interfaces = localhost
·         # service postfix restart

2.4         Network Configuration and Firewalls

2.4.1.      Modify Network Parameters (Host Only)

2.4.1.1.     Disable IP Forwarding

·         # /sbin/sysctl -w net.ipv4.ip_forward=0
·         # /sbin/sysctl -w net.ipv4.route.flush=1
·         # /bin/ed /etc/sysctl.conf
g/^net\.ipv4\.ip_forward.*=/d
$a
net.ipv4.ip_forward = 0
.
w
q

2.4.1.2.     Disable Send Packet Redirects

·         # /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
·         # /sbin/sysctl -w net.ipv4.conf.default.send_redirects=0
·         # /sbin/sysctl -w net.ipv4.route.flush=1
·         # /bin/ed /etc/sysctl.conf
g/^net\.ipv4\.conf\.all\.send_redirects.*=/d
g/^net\.ipv4\.conf\.default\.send_redirects.*=/d
$a
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
.
w
q

2.4.2.      Modify Network Parameters (Host and Router)

2.4.2.1.     Disable Source Routed Packet Acceptance

·         # /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
·         # /sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0
·         # /sbin/sysctl -w net.ipv4.route.flush=1
·         # /bin/ed /etc/sysctl.conf
g/^net\.ipv4\.conf\.all\.accept_source_route.*=/d
g/^net\.ipv4\.conf\.default\.accept_source_route.*=/d
$a
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
.
w
q

2.4.2.2.     Disable ICMP Redirect Acceptance

·         # /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
·         # /sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0
·         # /sbin/sysctl -w net.ipv4.route.flush=1
·         # /bin/ed /etc/sysctl.conf
g/^net\.ipv4\.conf\.all\.accept_redirects.*=/d
g/^net\.ipv4\.conf\.default\.accept_redirects.*=/d
$a
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
.
w
q

2.4.2.3.     Disable Secure ICMP Redirect Acceptance

·         # /sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0
·         # /sbin/sysctl -w net.ipv4.conf.default.secure_redirects=0
·         # /sbin/sysctl -w net.ipv4.route.flush=1
·         # /bin/ed /etc/sysctl.conf
g/^net\.ipv4\.conf\.all\.secure_redirects.*=/d
g/^net\.ipv4\.conf\.default\.secure_redirects.*=/d
$a
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
.
w
q

2.4.2.4.     Log Suspicious Packets

·         # /sbin/sysctl -w net.ipv4.conf.all.log_martians=1
·         # /sbin/sysctl -w net.ipv4.conf.default.log_martians=1
·         # /sbin/sysctl -w net.ipv4.route.flush=1
·         # /bin/ed /etc/sysctl.conf
g/^net\.ipv4\.conf\.all\.log_martians.*=/d
g/^net\.ipv4\.conf\.default\.log_martians.*=/d
$a
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
.
w
q

2.4.2.5.     Enable Ignore Broadcast Requests

·         # /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
·         # /sbin/sysctl -w net.ipv4.route.flush=1
·         # /bin/ed /etc/sysctl.conf
g/^net\.ipv4\.icmp_echo_ignore_broadcasts.*=/d
$a
net.ipv4.icmp_echo_ignore_broadcasts = 1
.
w
q

2.4.2.6.     Enable Bad Error Message Protection

·         # /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
·         # /sbin/sysctl -w net.ipv4.route.flush=1
·         # /bin/ed /etc/sysctl.conf
g/^net\.ipv4\.icmp_ignore_bogus_error_responses.*=/d
$a
net.ipv4.icmp_ignore_bogus_error_responses = 1
.
w
q

2.4.2.7.     Enable RFC-recommended Source Route Validation

·         # /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1
·         # /sbin/sysctl -w net.ipv4.conf.default.rp_filter=1
·         # /sbin/sysctl -w net.ipv4.route.flush=1
·         # /bin/ed /etc/sysctl.conf
g/^net\.ipv4\.conf\.all\.rp_filter.*=/d
g/^net\.ipv4\.conf\.default\.rp_filter.*=/d
$a
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
.
w
q

2.4.2.8.     Enable TCP SYN Cookies

·         # /sbin/sysctl -w net.ipv4.tcp_syncookies=1
·         # /sbin/sysctl -w net.ipv4.route.flush=1
·         # /bin/ed /etc/sysctl.conf
g/^net\.ipv4\.tcp_syncookies.*=/d
$a
net.ipv4.tcp_syncookies = 1
.
w
q
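The ed scripts in 2.1.6 and 2.4 each delete every matching line and append a new one. As an added example (not part of the standard), the shell functions below do the same job idempotently on a sysctl.conf-style file and audit it against every key/value pair the two sections require; the scratch file they operate on is constructed, so /etc/sysctl.conf is never touched.

```sh
#!/bin/sh
# Added example, not part of the standard: an idempotent alternative to the
# "ed: delete every matching line, then append" pattern repeated through
# section 2.4, plus an audit of a sysctl.conf-style file against the values
# that 2.1.6 and 2.4 require. The file path is a parameter, so everything can
# be exercised on a scratch copy before it is pointed at /etc/sysctl.conf.

# Key/value pairs required by 2.1.6.1-2.1.6.3 and 2.4.1-2.4.2.
REQUIRED_SYSCTL='fs.suid_dumpable 0
kernel.exec-shield 1
kernel.randomize_va_space 2
net.ipv4.ip_forward 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.log_martians 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.tcp_syncookies 1'

# sysctl_file_value <file> <key>: prints the value the file gives <key>. The
# LAST active assignment wins, as sysctl -p applies the file top to bottom;
# prints nothing if the key is unset.
sysctl_file_value() {
    awk -v key="$2" '
        /^[ \t]*(#|;|$)/ { next }
        {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }' "$1"
}

# set_sysctl_key <file> <key> <value>: leaves exactly one active
# "<key> = <value>" line. A correct existing line is kept, wrong or duplicate
# ones are commented out so the old value stays visible, and a line is
# appended only if none was correct. A second run changes nothing.
set_sysctl_key() {
    tmp=$(mktemp) || return 1
    awk -v key="$2" -v value="$3" '
        {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
        }
        k != key { print; next }
        v == value && !seen { seen = 1; print; next }
        { print "# " $0 "   # superseded by hardening standard" }
        END { if (!seen) print key " = " value }' "$1" > "$tmp" \
        && cat "$tmp" > "$1"   # cat, not mv: keeps the target's owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# audit_sysctl_file <file>: one line per required key; returns the number of
# keys whose file value differs from the standard (unset counts as differing).
audit_sysctl_file() {
    bad=0
    while read -r key want; do
        have=$(sysctl_file_value "$1" "$key")
        if [ "$have" = "$want" ]; then
            printf 'ok    %-44s = %s\n' "$key" "$have"
        else
            printf 'DRIFT %-44s = %s (required %s)\n' "$key" "${have:-<unset>}" "$want"
            bad=$((bad + 1))
        fi
    done <<EOF
$REQUIRED_SYSCTL
EOF
    return $bad
}

# apply_required_sysctl <file>: enforce every required key in <file>.
apply_required_sysctl() {
    while read -r key want; do
        set_sysctl_key "$1" "$key" "$want" || return 1
    done <<EOF
$REQUIRED_SYSCTL
EOF
}

# Demonstration on a constructed scratch file; /etc/sysctl.conf is untouched.
scratch=$(mktemp)
printf '%s\n' '# constructed sample sysctl.conf' 'net.ipv4.ip_forward = 1' \
    'net.ipv4.tcp_syncookies=1' '# net.ipv4.conf.all.rp_filter = 1' > "$scratch"
audit_sysctl_file "$scratch" || echo "$? key(s) drifted before remediation"
apply_required_sysctl "$scratch" && audit_sysctl_file "$scratch" && echo "all keys compliant"
rm -f "$scratch"
```

After editing the real file, the values still have to be loaded with sysctl -p (or the per-key sysctl -w commands above) and the live values compared with sysctl -n; the file audit alone does not prove the kernel is running them.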

2.4.3.      Install TCP Wrappers

2.4.3.1.     Verify Permissions on /etc/hosts.allow

·         # /bin/chmod 644 /etc/hosts.allow

2.4.3.2.     Verify Permissions on /etc/hosts.deny

·         # /bin/chmod 644 /etc/hosts.deny

2.4.4.      Enable IPtables

·         # service iptables restart
·         # chkconfig iptables on

2.5         Logging and Auditing

2.5.1.      Configure rsyslog

2.5.1.1.     Install the rsyslog package

·         # yum install rsyslog

2.5.1.2.     Activate the rsyslog Service

·         # chkconfig syslog off
·         # chkconfig rsyslog on

2.5.1.3.     Create and Set Permissions on rsyslog Log Files

·         For sites that have not implemented a secure admin group: create the /var/log/ directory and, for each <logfile> listed in the /etc/rsyslog.conf file, perform the following commands:

-   # touch <logfile>
-   # chown root:root <logfile>
-   # chmod og-rwx <logfile>

·         For sites that have implemented a secure admin group: create the /var/log/ directory and, for each <logfile> listed in the /etc/rsyslog.conf file, perform the following commands (where <securegrp> is the name of the security group):
-   # touch <logfile>
-   # chown root:<securegrp> <logfile>
-   # chmod g-wx,o-rwx <logfile>

2.5.1.4.     Configure rsyslog to Send Logs to a Remote Log Host

·         Edit the /etc/rsyslog.conf file and add the following line (where loghost.example.com is the name of your central log host): *.* @@loghost.example.com

·         # pkill -HUP rsyslogd

Note: The double "at" sign (@@) directs rsyslog to use TCP to send log messages to the server, which is a more reliable transport mechanism than the default UDP protocol.

2.5.2.      Configure System Accounting (auditd)

2.5.2.1.     Configure Data Retention

2.5.2.2.     Keep All Auditing Information

·         Add the following line to the /etc/audit/auditd.conf file: max_log_file_action = keep_logs

2.5.2.3.     Enable auditd Service

·         # chkconfig auditd on

2.5.2.4.     Enable Auditing for Processes That Start Prior to auditd

·         # ed /etc/grub.conf
g/audit=1/s///g
g/kernel/s/$/ audit=1/
w
q

2.5.2.5.     Record Events That Modify Date and Time Information

·         For 64 bit systems, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

Execute the following command to restart auditd:
# pkill -HUP -P 1 auditd

·         For 32 bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

Execute the following command to restart auditd:
# pkill -HUP -P 1 auditd

2.5.2.6.     Record Events That Modify User/Group Information

·         Add the following lines to the /etc/audit/audit.rules file.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

·         Execute the following command to restart auditd:
# pkill -HUP -P 1 auditd

2.5.2.7.     Record Events That Modify the System's Network Environment

·         For 64 bit systems, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
                    
Execute the following command to restart auditd:
# pkill -HUP -P 1 auditd

·         For 32 bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

Execute the following command to restart auditd:
# pkill -HUP -P 1 auditd

2.5.2.8.     Record Events That Modify the System's Mandatory Access Controls

·         Add the following lines to the /etc/audit/audit.rules file
-w /etc/selinux/ -p wa -k MAC-policy

·         Execute the following command to restart auditd:
# pkill -HUP -P 1 auditd

2.5.2.9.     Collect Login and Logout Events

·         Add the following lines to the /etc/audit/audit.rules file.
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins

·         Execute the following command to restart auditd
# pkill -HUP -P 1 auditd

2.5.2.10. Collect Session Initiation Information

·         Add the following lines to the /etc/audit/audit.rules file.
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

·         Execute the following command to restart auditd
# pkill -HUP -P 1 auditd

2.5.2.11. Collect Discretionary Access Control Permission Modification Events

·         For 64 bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 \
-F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 \
-F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 \
-F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 \
-F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \
lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \
lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

Execute the following command to restart auditd
# pkill -HUP -P 1 auditd

·         For 32 bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 \
-F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 \
-F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \
lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

Execute the following command to restart auditd
# pkill -HUP -P 1 auditd

2.5.2.12. Collect Unsuccessful Unauthorized Access Attempts to Files

·         For 64 bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \
-F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \
-F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \
-F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \
-F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

Execute the following command to restart auditd
# pkill -HUP -P 1 auditd

·         For 32 bit systems, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \
-F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \
-F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

Execute the following command to restart auditd
# pkill -HUP -P 1 auditd

2.5.2.13. Collect Use of Privileged Commands

·         At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid and setgid programs:
# find / -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null
 
·         Then, for each setuid program on the system, add a line of the following form to /etc/audit/audit.rules, where SETUID_PROG_PATH is the full path to each setuid program in the list:
 
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
 

2.5.2.14. Collect Successful File System Mounts

·         For 64 bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts

Execute the following command to restart auditd
# pkill -HUP -P 1 auditd

·         For 32 bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts

Execute the following command to restart auditd
# pkill -HUP -P 1 auditd

2.5.2.15. Collect File Deletion Events by User

·         For 64 bit systems, add the following to the /etc/audit/audit.rules file.

-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 \
-F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 \
-F auid!=4294967295 -k delete

Execute the following command to restart auditd
# pkill -HUP -P 1 auditd

·         For 32 bit systems, add the following to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 \
-F auid!=4294967295 -k delete

Execute the following command to restart auditd:
# pkill -HUP -P 1 auditd

2.5.2.16. Collect Changes to System Administration Scope (sudoers)

·         Add the following lines to the /etc/audit/audit.rules file.
-w /etc/sudoers -p wa -k scope

·         Execute the following command to restart auditd
# pkill -HUP -P 1 auditd

2.5.2.17. Collect System Administrator Actions (sudolog)

·         Add the following lines to the /etc/audit/audit.rules file.
-w /var/log/sudo.log -p wa -k actions
·         Execute the following command to restart auditd
# pkill -HUP -P 1 auditd

2.5.2.18. Collect Kernel Module Loading and Unloading

·         For 64 bit systems, add the following lines to the /etc/audit/audit.rules file.
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
·         For 32 bit systems, add the following lines to the /etc/audit/audit.rules file.
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules

2.5.2.19. Make the Audit Configuration Immutable

·         Add the following line to the /etc/audit/audit.rules file: -e 2
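An added example (not part of the standard) for the rules file built up in 2.5.2: it generates the per-program "privileged" rules that 2.5.2.13 asks for from a list of setuid paths, checks that every -k key the section introduces has an active rule, and checks that -e 2 is the last line, since rules after the immutable flag are never loaded. The rules text and the path list are constructed samples.

```sh
#!/bin/sh
# Added example, not part of the standard: two checks on the audit.rules built
# up in 2.5.2.5-2.5.2.19. gen_privileged_rules writes the per-program rules
# that 2.5.2.13 asks for from a list of setuid/setgid paths; missing_keys and
# immutable_last verify that every -k key the standard introduces has an
# active rule and that "-e 2" is the final line, since auditctl stops loading
# rules once the configuration is made immutable. Samples are constructed.

REQUIRED_KEYS='time-change identity system-locale MAC-policy logins session
perm_mod access privileged mounts delete scope actions modules'

SAMPLE_RULES='-w /etc/localtime -p wa -k time-change
-w /etc/passwd -p wa -k identity
-w /etc/hosts -p wa -k system-locale
-w /etc/selinux/ -p wa -k MAC-policy
-w /var/log/lastlog -p wa -k logins
-w /var/log/wtmp -p wa -k session
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-w /etc/sudoers -p wa -k scope
-e 2
-w /sbin/insmod -p x -k modules'

# gen_privileged_rules <newline-separated program paths>
# One 2.5.2.13 rule per path. auid>=500 restricts it to ordinary users and
# auid!=4294967295 drops processes without a login UID (boot-time daemons).
gen_privileged_rules() {
    printf '%s\n' "$1" | while read -r prog; do
        [ -n "$prog" ] || continue
        printf '%s\n' "-a always,exit -F path=$prog -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged"
    done
}

# rule_keys <rules-text>: distinct -k values of the rules that would actually
# load, i.e. everything before the first "-e" line.
rule_keys() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        $1 == "-e" { exit }
        { for (i = 1; i < NF; i++) if ($i == "-k") print $(i + 1) }' | sort -u
}

# missing_keys <rules-text>: prints each required key without an active rule;
# returns how many are missing.
missing_keys() {
    have=$(rule_keys "$1")
    n=0
    for k in $REQUIRED_KEYS; do
        printf '%s\n' "$have" | grep -qxF -- "$k" || { printf '%s\n' "$k"; n=$((n + 1)); }
    done
    return $n
}

# immutable_last <rules-text>: succeeds only if "-e 2" is the last active line.
immutable_last() {
    last=$(printf '%s\n' "$1" | awk '!/^[ \t]*(#|$)/ { l = $0 } END { print l }')
    case $last in "-e 2") return 0 ;; *) return 1 ;; esac
}

# Check a rules file given as $1, otherwise the constructed sample.
if [ -n "${1:-}" ] && [ -r "$1" ]; then RULES=$(cat "$1"); else RULES=$SAMPLE_RULES; fi
echo "required keys with no active rule:"; missing_keys "$RULES" || :
if immutable_last "$RULES"; then echo "-e 2 is the last rule"
else echo "WARNING: -e 2 is not the last rule; later rules are never loaded"; fi
```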

2.6         System Access, Authentication and Authorization

2.6.1.      Configure cron and anacron

2.6.1.1.     Enable anacron Daemon

·         # yum install cronie-anacron

2.6.1.2.     Enable crond Daemon

·         # chkconfig crond on

2.6.1.3.     Set User/Group Owner and Permission on /etc/anacrontab

·         # chown root:root /etc/anacrontab
·         # chmod og-rwx /etc/anacrontab

2.6.1.4.     Set User/Group Owner and Permission on /etc/crontab

·         # chown root:root /etc/crontab
·         # chmod og-rwx /etc/crontab

2.6.1.5.     Set User/Group Owner and Permission on /etc/cron.hourly

·         # chown root:root /etc/cron.hourly
·         # chmod og-rwx /etc/cron.hourly

2.6.1.6.     Set User/Group Owner and Permission on /etc/cron.daily

·         # chown root:root /etc/cron.daily
·         # chmod og-rwx /etc/cron.daily

2.6.1.7.     Set User/Group Owner and Permission on /etc/cron.weekly

·         # chown root:root /etc/cron.weekly
·         # chmod og-rwx /etc/cron.weekly

2.6.1.8.     Set User/Group Owner and Permission on /etc/cron.monthly

·         # chown root:root /etc/cron.monthly
·         # chmod og-rwx /etc/cron.monthly

2.6.1.9.     Set User/Group Owner and Permission on /etc/cron.d

·         # chown root:root /etc/cron.d
·         # chmod og-rwx /etc/cron.d

2.6.1.10. Restrict at Daemon

·         # rm /etc/at.deny
·         # touch /etc/at.allow
·         # chown root:root /etc/at.allow
·         # chmod og-rwx /etc/at.allow

2.6.1.11. Restrict at/cron to Authorized Users

If /etc/cron.allow or /etc/at.allow do not exist on your system, create them. Run the following to ensure cron.deny and at.deny are removed and permissions are set correctly:
·         # /bin/rm /etc/cron.deny
·         # /bin/rm /etc/at.deny
·         # chmod og-rwx /etc/cron.allow
·         # chmod og-rwx /etc/at.allow
·         # chown root:root /etc/cron.allow
·         # chown root:root /etc/at.allow

2.6.2.      Configure SSH

2.6.2.1.     Set SSH Protocol to 2

·         Edit the /etc/ssh/sshd_config file to set the parameter as follows:

Protocol 2

2.6.2.2.     Set LogLevel to INFO

·         Edit the /etc/ssh/sshd_config file to set the parameter as follows:

LogLevel INFO

2.6.2.3.     Set Permissions on /etc/ssh/sshd_config

·         # chown root:root /etc/ssh/sshd_config
·         # chmod 600 /etc/ssh/sshd_config

2.6.2.4.     Disable SSH X11 Forwarding

·         Edit the /etc/ssh/sshd_config file to set the parameter as follows:

X11Forwarding no

2.6.2.5.     Set SSH MaxAuthTries to 4 or Less

·         Edit the /etc/ssh/sshd_config file to set the parameter as follows:

MaxAuthTries 4

2.6.2.6.     Set SSH IgnoreRhosts to Yes

·         Edit the /etc/ssh/sshd_config file to set the parameter as follows:

IgnoreRhosts yes

2.6.2.7.     Set SSH HostbasedAuthentication to No

·         Edit the /etc/ssh/sshd_config file to set the parameter as follows:
HostbasedAuthentication no

2.6.2.8.     Disable SSH Root Login

·         Edit the /etc/ssh/sshd_config file to set the parameter as follows:

PermitRootLogin no

2.6.2.9.     Set SSH PermitEmptyPasswords to No

·         Edit the /etc/ssh/sshd_config file to set the parameter as follows:

PermitEmptyPasswords no

2.6.2.10. Do Not Allow Users to Set Environment Options

·         Edit the /etc/ssh/sshd_config file to set the parameter as follows:

PermitUserEnvironment no

2.6.2.11. Use Only Approved Cipher in Counter Mode

·         Edit the /etc/ssh/sshd_config file to set the parameter as follows:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

2.6.2.12. Set Idle Timeout Interval for User Login

·         Edit the /etc/ssh/sshd_config file to set the parameter as follows:

ClientAliveInterval 300
ClientAliveCountMax 0

2.6.2.13. Limit Access via SSH

·         Edit the /etc/ssh/sshd_config file to set one or more of the parameters as follows:

AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>

2.6.2.14. Set SSH Banner

·         Edit the /etc/ssh/sshd_config file to set the parameter as follows:

Banner <bannerfile>
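An added example (not part of the standard) that audits an sshd_config against the parameters of 2.6.2.1 to 2.6.2.14, applying two sshd rules that a plain grep misses: keywords are case-insensitive and the first occurrence wins, and directives after a Match line are not global. The config it checks by default is a constructed sample; --live reads /etc/ssh/sshd_config.

```sh
#!/bin/sh
# Added example, not part of the standard: audit an sshd_config against the
# settings of 2.6.2.1-2.6.2.14. Two sshd parsing rules that a plain grep gets
# wrong are honoured: keywords are case-insensitive, and the FIRST occurrence
# of a keyword is the one sshd uses, so a later "PermitRootLogin no" does not
# undo an earlier "permitrootlogin yes". Lines after a Match block apply only
# to the matched users and are not counted as global settings. The sample
# config below is constructed.

SAMPLE_SSHD_CONFIG='# constructed sshd_config for the demonstration
Protocol 2
LogLevel INFO
permitrootlogin yes
PermitRootLogin no
MaxAuthTries 6
X11Forwarding no
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveInterval 300
ClientAliveCountMax 0
Match User backup
    Banner /etc/issue.net'

# sshd_effective <keyword> <config-text>
# Prints the global value sshd would use for <keyword>, or nothing when the
# keyword is not set globally (compiled-in defaults are not modelled here).
sshd_effective() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit
        }'
}

# check_sshd <config-text>
# One PASS/FAIL line per requirement of 2.6.2; returns the number of failures.
# Rule kinds: eq = exact value, le = numeric upper bound, set = any value.
check_sshd() {
    fails=0
    while IFS='|' read -r keyword rule expect; do
        have=$(sshd_effective "$keyword" "$1")
        ok=0
        case $rule in
            eq)  [ "$have" = "$expect" ] && ok=1 ;;
            le)  [ -n "$have" ] && [ "$have" -le "$expect" ] 2>/dev/null && ok=1 ;;
            set) [ -n "$have" ] && ok=1 ;;
        esac
        if [ "$ok" = 1 ]; then
            printf 'PASS %-24s %s\n' "$keyword" "$have"
        else
            printf 'FAIL %-24s %s (required: %s %s)\n' \
                "$keyword" "${have:-<unset>}" "$rule" "$expect"
            fails=$((fails + 1))
        fi
    done <<EOF
Protocol|eq|2
LogLevel|eq|INFO
X11Forwarding|eq|no
MaxAuthTries|le|4
IgnoreRhosts|eq|yes
HostbasedAuthentication|eq|no
PermitRootLogin|eq|no
PermitEmptyPasswords|eq|no
PermitUserEnvironment|eq|no
Ciphers|eq|aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveInterval|eq|300
ClientAliveCountMax|eq|0
Banner|set|
EOF
    return $fails
}

# Audit the constructed sample by default; pass --live to read the host's file.
if [ "${1:-}" = "--live" ]; then
    check_sshd "$(cat /etc/ssh/sshd_config)"
else
    check_sshd "$SAMPLE_SSHD_CONFIG"
fi || echo "$? requirement(s) not met"
```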

2.6.3.      Configure PAM

2.6.3.1.     Upgrade Password Hashing Algorithm to SHA-512

·         # authconfig --passalgo=sha512 --update
·         # awk -F: '($3 >= 500 && $1 != "nfsnobody") { print $1 }' /etc/passwd | xargs -n 1 chage -d 0

2.6.3.2.     Set Password Creation Requirement Parameters Using pam_cracklib

·         # ed /etc/pam.d/system-auth
/pam_cracklib.so/
d
a
password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
.
w
q

2.6.3.3.     Set Strong Password Creation Policy Using pam_passwdqc

·         # ed /etc/pam.d/system-auth
/pam_cracklib.so/
d
a
password requisite pam_passwdqc.so min=disabled,disabled,16,12,8
.
w
q

2.6.3.4.     Limit Password Reuse

·         # ed /etc/pam.d/system-auth
/^password.*pam_unix\.so/
s/$/ remember=5/
w
q

2.6.4.      Restrict Access to the su Command

·         Open /etc/pam.d/su
·         Append the following line:    auth required pam_wheel.so use_uid

2.7         User Accounts and Environment

2.7.1.      Set Shadow Password Suite Parameters (/etc/login.defs)

2.7.1.1.     Set Password Expiration Days

·         # ed /etc/login.defs
/^PASS_MAX_DAYS/s/[[:space:]].*/ 90/
w
q
·         # chage --maxdays 90 <user>

2.7.1.2.     Set Password Change Minimum Number of Days

·         # ed /etc/login.defs
/^PASS_MIN_DAYS/s/[[:space:]].*/ 7/
w
q
·         # chage --mindays 7 <user>

2.7.1.3.     Set Password Expiring Warning Days

·         # ed /etc/login.defs
/^PASS_WARN_AGE/s/[[:space:]].*/ 7/
w
q
·         # chage --warndays 7 <user>

2.7.2.      Disable System Accounts

·         To make sure system accounts cannot be accessed, use the following script:
#!/bin/bash
# Lock every system account (UID below 500) except root, and give it a
# non-interactive shell unless it is one of sync, shutdown or halt.
for user in $(awk -F: '($3 < 500) { print $1 }' /etc/passwd); do
    if [ "$user" != "root" ]; then
        /usr/sbin/usermod -L "$user"
        if [ "$user" != "sync" ] && [ "$user" != "shutdown" ] && [ "$user" != "halt" ]; then
            /usr/sbin/usermod -s /sbin/nologin "$user"
        fi
    fi
done

2.7.3.      Set Default Group for root Account

·         # usermod -g 0 root

2.7.4.      Set Default umask for Users

·         Edit the /etc/bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and set the default umask as shown:   umask 077

2.7.5.      Lock Inactive User Accounts

·         # useradd -D -f 35

2.8         Warning Banners

2.8.1.      Set Warning Banner for Standard Login Services

·         # echo "Authorized uses only. All activity may be monitored and reported." > /etc/motd
·         # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue
·         # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net
·         # chown root:root /etc/motd
·         # chmod 644 /etc/motd
·         # chown root:root /etc/issue
·         # chmod 644 /etc/issue
·         # chown root:root /etc/issue.net
·         # chmod 644 /etc/issue.net

2.8.2.      Remove OS Information from Login Warning Banners

·         Edit the /etc/motd, /etc/issue and /etc/issue.net files and remove any lines containing \m, \r, \s or \v

2.9         System Maintenance

2.9.1.       Verify System File Permissions

2.9.1.1.     Verify Permissions on /etc/passwd

·         # /bin/chmod 644 /etc/passwd

2.9.1.2.     Verify Permissions on /etc/shadow

·         # /bin/chmod 000 /etc/shadow

2.9.1.3.     Verify Permissions on /etc/gshadow

·         # /bin/chmod 000 /etc/gshadow

2.9.1.4.     Verify Permissions on /etc/group

·         # /bin/chmod 644 /etc/group

2.9.1.5.     Verify User/Group Ownership on /etc/passwd

·         # /bin/chown root:root /etc/passwd

2.9.1.6.     Verify User/Group Ownership on /etc/shadow

·         # /bin/chown root:root /etc/shadow

2.9.1.7.     Verify User/Group Ownership on /etc/gshadow

·         # /bin/chown root:root /etc/gshadow

2.9.1.8.     Verify User/Group Ownership on /etc/group

·         # /bin/chown root:root /etc/group

2.9.1.9.     Find Un-owned Files and Directories

·         Locate files that are owned by users or groups not listed in the system configuration files, and reset the ownership of these files to some active user on the system as appropriate.

2.9.1.10. Find Un-grouped Files and Directories

·         Locate files that are owned by users or groups not listed in the system configuration files, and reset the ownership of these files to some active user on the system as appropriate.

2.9.2.      Review User and Group Settings

2.9.2.1.     Ensure Password Fields are Not Empty

·         If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password:
·         # /usr/bin/passwd -l <username>

2.9.2.2.     Verify No Legacy "+" Entries Exist in /etc/passwd File

·         If any "+" entries exist in the /etc/passwd file, delete them.

2.9.2.3.     Verify No Legacy "+" Entries Exist in /etc/shadow File

·         If any "+" entries exist in the /etc/shadow file, delete them.

2.9.2.4.     Verify No Legacy "+" Entries Exist in /etc/group File

·         If any "+" entries exist in the /etc/group file, delete them.

2.9.2.5.     Verify No UID 0 Accounts Exist Other Than root

·         Delete any accounts with UID 0 other than root:
·         # sudo userdel <username>

2.9.2.6.     Ensure root PATH Integrity

·         Correct or justify any items discovered in the Audit step.
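The audit steps behind 2.9.2.1 to 2.9.2.6 are not spelled out above; the following script is an added example of how they can be performed. It is written for this section and is not part of the standard or of any CentOS or CIS tool. Every check takes the file to inspect as an argument (defaulting to the live file) so the same functions can be run on copies collected from other hosts, and the sample passwd/shadow content it writes is constructed for the demonstration, not taken from a real system. It assumes GNU awk, grep and stat(1); the function names are ours.

```shell
#!/bin/sh
# Added audit helper for 2.9.2.1 to 2.9.2.6 (constructed example; not part of
# the standard). Each check takes the file to inspect, defaulting to the live
# file, so it can also run against copies collected from other hosts.

# empty_passwords [SHADOW]: accounts whose password field is empty (2.9.2.1).
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "${1:-/etc/shadow}"
}

# lock_empty_passwords [SHADOW]: prints the passwd -l command for each account
# found above. It prints instead of executing so the list can be reviewed
# first; pipe the output into sh once the reason for each empty password is known.
lock_empty_passwords() {
    empty_passwords "$1" | while read -r user; do
        printf '/usr/bin/passwd -l %s\n' "$user"
    done
}

# legacy_plus_entries FILE: NIS compatibility ("+") lines in passwd, shadow or
# group (2.9.2.2 to 2.9.2.4). Exit status is 0 when at least one is present.
legacy_plus_entries() {
    grep '^+' "$1"
}

# uid0_accounts [PASSWD]: accounts other than root with UID 0 (2.9.2.5).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# check_root_path [PATH]: the weaknesses the 2.9.2.6 audit looks for in root's
# PATH: an empty entry or "." (both mean the current directory), entries that
# are not directories, and directories that are group or world writable or not
# owned by root. Prints one finding per line; exit status is the finding count.
check_root_path() {
    p=${1:-$PATH}
    n=0
    case $p in
        :*|*::*|*:) echo "empty entry in PATH (current directory)"; n=$((n + 1)) ;;
    esac
    old_ifs=$IFS; IFS=:; set -- $p; IFS=$old_ifs
    for dir in "$@"; do
        [ -n "$dir" ] || continue
        if [ "$dir" = "." ]; then
            echo "'.' in PATH"; n=$((n + 1)); continue
        fi
        if [ ! -d "$dir" ]; then
            echo "$dir is not a directory"; n=$((n + 1)); continue
        fi
        mode=$(stat -L -c '%a' "$dir")
        owner=$(stat -L -c '%u' "$dir")
        case $mode in *[2367]) echo "$dir is world-writable (mode $mode)"; n=$((n + 1)) ;; esac
        case $mode in *[2367]?) echo "$dir is group-writable (mode $mode)"; n=$((n + 1)) ;; esac
        if [ "$owner" != 0 ]; then
            echo "$dir is not owned by root (uid $owner)"; n=$((n + 1))
        fi
    done
    return "$n"
}

# write_sample_db DIR: constructed passwd and shadow files (not from any real
# host) used to demonstrate the checks offline.
write_sample_db() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'bin:x:1:1:bin:/bin:/sbin/nologin' \
        'toor:x:0:0:second superuser:/root:/bin/bash' \
        'alice:x:1000:1000:Alice:/home/alice:/bin/bash' \
        '+::::::' > "$1/passwd"
    printf '%s\n' \
        'root:$6$saltsalt$hashhash:19000:0:99999:7:::' \
        'alice::19000:0:99999:7:::' \
        'bin:*:19000:0:99999:7:::' > "$1/shadow"
}

# Demonstration on the constructed files: sh audit_users.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_sample_db "$d"
    echo "empty passwords:";   empty_passwords "$d/shadow"
    echo "lock commands:";     lock_empty_passwords "$d/shadow"
    echo "UID 0 accounts:";    uid0_accounts "$d/passwd"
    echo "legacy + entries:";  legacy_plus_entries "$d/passwd"
    echo "root PATH findings:"; check_root_path "/usr/sbin:/usr/bin:/sbin:/bin:." || true
    rm -rf "$d"
fi
```

On the constructed data the checks report alice (empty password), toor (second UID 0 account) and the "+" line in passwd; the PATH check flags the trailing "." entry.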

2.9.2.7.     Check Permissions on User Home Directories

·         It is recommended that a monitoring policy be established to report user file permissions and determine the action to be taken in accordance with site policy.

2.9.2.8.     Check User Dot File Permissions

·         Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user dot file permissions and determine the action to be taken in accordance with site policy.

2.9.2.9.     Check Permissions on User .netrc Files

·         It is recommended that a monitoring policy be established to report user .netrc file permissions and determine the action to be taken in accordance with site policy.

2.9.2.10. Check for Presence of User .rhosts Files

·         If any users have .rhosts files determine why they have them.

2.9.2.11. Check Groups in /etc/passwd

·         Groups defined in the /etc/passwd file but not in the /etc/group file pose a threat to system security since group permissions are not properly managed. Analyze the output of the Audit step and perform the appropriate action to correct any discrepancies found.

2.9.2.12. Check That Users Are Assigned Home Directories

·         All users must be assigned a home directory in the /etc/passwd file. Based on the results of the Audit script, perform the appropriate action for your environment (e.g. delete unneeded users or assign them a home directory).

2.9.2.13. Check That Defined Home Directories Exist

·         If any users' home directories do not exist, create them and make sure the respective user owns the directory.

2.9.2.14. Check User Home Directory Ownership

·         Change the ownership of any home directories that are not owned by the defined user to the correct user.

2.9.2.15. Check for Duplicate UIDs

·         Users must be assigned unique UIDs for accountability and to ensure appropriate access protections. Establish unique UIDs and review all files owned by the shared UID to determine which UID they are supposed to belong to.
·         Change the user ID with the command: # usermod -u <newUID> <username>

2.9.2.16. Check for Duplicate GIDs

·         User groups must be assigned unique GIDs for accountability and to ensure appropriate access protections. Establish unique GIDs and review all files owned by the shared GID to determine which group they are supposed to belong to.
·         Change the group ID with the command: # groupmod -g <newGID> <groupname>

2.9.2.17. Check That Reserved UIDs Are Assigned to System Accounts

·         UNIX systems establish "reserved" UIDs (0-499 range) that are intended for system accounts. Change any UIDs that are in the reserved range to one that is in the user range. Review all files owned by the reserved UID to determine which UID they are supposed to belong to.

2.9.2.18. Check for Duplicate User Names

·         Establish unique user names for the users. File ownerships will automatically reflect the change as long as the users have unique UIDs.

2.9.2.19. Check for Duplicate Group Names

·         Establish unique names for the user groups. File group ownerships will automatically reflect the change as long as the groups have unique GIDs.

2.9.2.20. Check for Presence of User .netrc Files

·         It is recommended that a monitoring policy be established to report user .netrc files and determine the action to be taken in accordance with site policy.

2.9.2.21. Check for Presence of User .forward Files

·         It is recommended that a monitoring policy be established to report user .forward files and determine the action to be taken in accordance with site policy.
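The review items in 2.9.2.10 to 2.9.2.21 each refer to an audit step that is not shown above. The following script is an added example of those audit steps; it is not part of the standard or of any CentOS or CIS tool. The functions take the passwd or group file to inspect (defaulting to the live files), and the sample account database it writes is constructed for the demonstration only. The "reserved UID" check is a heuristic of ours (an interactive login shell on a UID at or below 499), not the CIS comparison against a list of known system account names. It assumes GNU awk and stat(1); the function names are ours.

```shell
#!/bin/sh
# Added audit helper for 2.9.2.10 to 2.9.2.21 (constructed example; not part of
# the standard). Each function takes the passwd or group file to inspect so the
# checks can be run on copies; the defaults are the live files.

# duplicate_field FILE N: values of colon-separated field N that occur more than
# once. Field 3 of /etc/passwd gives duplicate UIDs (2.9.2.15), field 3 of
# /etc/group duplicate GIDs (2.9.2.16), field 1 of either file duplicate user or
# group names (2.9.2.18, 2.9.2.19).
duplicate_field() {
    cut -d: -f"$2" "$1" | sort | uniq -d
}

# reserved_uid_logins [PASSWD] [MAX]: accounts with a UID in the reserved range
# 1..MAX (MAX defaults to 499 as in 2.9.2.17) whose shell is an interactive one.
# Heuristic: genuine system accounts carry nologin, false or a special-purpose
# shell, so a login shell in that range usually marks a human account that
# belongs in the user range.
reserved_uid_logins() {
    awk -F: -v max="${2:-499}" \
        '$3 > 0 && $3 <= max && $7 ~ /\/(sh|bash|zsh|ksh|csh|tcsh)$/ { print $1 ":" $3 }' \
        "${1:-/etc/passwd}"
}

# home_dir_issues [PASSWD] [MIN_UID]: for accounts with UID >= MIN_UID (default
# 500) reports an empty home field (2.9.2.12), a home directory that does not
# exist (2.9.2.13) or one owned by a different UID (2.9.2.14).
home_dir_issues() {
    awk -F: -v min="${2:-500}" '$3 >= min { print $1 ":" $3 ":" $6 }' "${1:-/etc/passwd}" |
    while IFS=: read -r user uid home; do
        if [ -z "$home" ]; then
            echo "NOHOME   $user"
        elif [ ! -d "$home" ]; then
            echo "MISSING  $user $home"
        elif [ "$(stat -L -c %u "$home")" != "$uid" ]; then
            echo "OWNER    $user $home (owned by uid $(stat -L -c %u "$home"))"
        fi
    done
}

# risky_dotfiles [PASSWD] [MIN_UID]: .rhosts, .netrc and .forward files in the
# home directories of accounts with UID >= MIN_UID (2.9.2.10, 2.9.2.20,
# 2.9.2.21), printed with their mode so site policy can be applied.
risky_dotfiles() {
    awk -F: -v min="${2:-500}" '$3 >= min && $6 != "" { print $6 }' "${1:-/etc/passwd}" |
    while read -r home; do
        for f in .rhosts .netrc .forward; do
            if [ -f "$home/$f" ]; then
                echo "$home/$f $(stat -L -c %a "$home/$f")"
            fi
        done
    done
}

# write_sample DIR: constructed passwd/group files and home directories (not
# from any real host). alice gets the caller's UID so her home ownership is
# correct; every other entry is deliberately faulty in one way.
write_sample() {
    mkdir -p "$1/alice" "$1/carol"
    : > "$1/alice/.netrc"; chmod 600 "$1/alice/.netrc"
    printf '%s\n' \
        'bin:x:1:1:bin:/bin:/sbin/nologin' \
        'oper:x:250:250:login shell in reserved range:/home/oper:/bin/bash' \
        "alice:x:$(id -u):$(id -g):Alice:$1/alice:/bin/bash" \
        "bob:x:4242:4242:home missing:$1/bob:/bin/bash" \
        "carol:x:4243:4243:home owned by someone else:$1/carol:/bin/bash" \
        'dave:x:4242:4244:duplicate UID and no home::/bin/bash' \
        'alice:x:4245:4245:duplicate user name:/home/alice2:/bin/bash' > "$1/passwd"
    printf '%s\n' 'root:x:0:' 'wheel:x:10:' 'staff:x:10:' > "$1/group"
}

# Run all checks against the live system: sh review_users.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "duplicate UIDs:";   duplicate_field /etc/passwd 3
    echo "duplicate GIDs:";   duplicate_field /etc/group 3
    echo "duplicate users:";  duplicate_field /etc/passwd 1
    echo "duplicate groups:"; duplicate_field /etc/group 1
    echo "reserved UIDs with login shell:"; reserved_uid_logins
    echo "home directory issues:"; home_dir_issues
    echo "risky dot files:"; risky_dotfiles
fi
```

The functions only report; the corrections (usermod, groupmod, creating or chowning home directories, removing .rhosts files) are applied by hand per 2.9.2.10 to 2.9.2.21 once each finding has been reviewed against site policy.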
thudinh Network and Security
