Monday, June 14, 2010

hardening linux

1. Identification and Authentication Controls

1.1 Minimum Password Length
Change PASS_MIN_LEN to 8.

[root@localhost ~]# sed -i -e 's/PASS_MIN_LEN.*5/PASS_MIN_LEN    8/g' /etc/login.defs

1.2 Maximum Password Age
Change PASS_MAX_DAYS to 90.

[root@localhost ~]# sed -i -e 's/PASS_MAX_DAYS.*99999/PASS_MAX_DAYS 90/' /etc/login.defs

1.3 Default Password Expiration Warning Period
Change PASS_WARN_AGE to 14.

[root@localhost ~]# sed -i -e 's/PASS_WARN_AGE.*7/PASS_WARN_AGE   14/' /etc/login.defs

1.4 Default Time between Password Changes
Change PASS_MIN_DAYS to 7.

[root@localhost ~]# sed -i -e 's/PASS_MIN_DAYS.*0/PASS_MIN_DAYS   7/' /etc/login.defs

1.5 Unnecessary System Account Removal
Remove unnecessary system accounts such as sync, shutdown, news, uucp, and games

[root@localhost ~]# sed -i -e '/games:x/d' /etc/passwd
[root@localhost ~]# sed -i -e '/sync:x/d' /etc/passwd
[root@localhost ~]# sed -i -e '/shutdown:x/d' /etc/passwd
[root@localhost ~]# sed -i -e '/news:x/d' /etc/passwd
[root@localhost ~]# sed -i -e '/uucp:x/d' /etc/passwd

1.6 System Account Locking
This check disables system accounts that should not be used interactively under Linux. Lock system accounts, such as daemon, bin, nobody, smmsp, and rpm, to prevent use as a regular account.

Lock an account:
[root@localhost ~]# usermod -L -s /dev/null chang

Unlock an account:
[root@localhost ~]# usermod -U -s /bin/bash chang


1.7 Existing User Password Settings
Use the chage command to set the password settings for existing users:
minimum time between password changes, 7 days (-m 7);
password expires every 60 or 90 days (-M 60);
expiration warning 14 days (-W 14).

[root@localhost ~]# chage -m 7 -M 60 -W 14 chang

1.8 Verify Accounts Do Not Have Empty Passwords

[root@localhost ~]# awk -F: '($2 == "") { print $1 }' /etc/shadow
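The three account checks of 1.5, 1.6 and 1.8 combined into one audit script, as an added example that is not part of the original post: it reads a passwd/shadow pair and flags the unnecessary accounts named above that still exist, system accounts whose shell still allows interactive login, and empty password fields. The UID cut-off of 500 (the CentOS 5 convention), the list of locking shells, the file paths and the sample entries (the user chang, a placeholder hash) are assumptions.

```shell
#!/bin/sh
# Audit for the conditions sections 1.5, 1.6 and 1.8 address (unnecessary accounts,
# unlocked system accounts, empty passwords). Added example, not from the original post.
UNNEEDED="games sync shutdown news uucp"      # accounts section 1.5 removes
SYSTEM_UID_MAX=499                            # CentOS 5 convention: UID below 500 is a system account
LOCKED_SHELLS='(nologin|false|/dev/null)$'    # shells that already block interactive login

# Prints one line per finding (REMOVE / LOCK / EMPTYPW); returns 1 if there is any finding.
audit_accounts() {   # $1 = passwd file, $2 = shadow file (defaults: the live files)
    passwd="${1:-/etc/passwd}"; shadow="${2:-/etc/shadow}"
    awk -F: -v unneeded="$UNNEEDED" -v sysmax="$SYSTEM_UID_MAX" -v lockre="$LOCKED_SHELLS" '
        BEGIN { n = split(unneeded, u, " "); for (i = 1; i <= n; i++) drop[u[i]] = 1 }
        FNR == NR {                  # first file: passwd
            if ($1 in drop) { print "REMOVE  " $1 " (unnecessary system account)"; found++ }
            else if ($1 != "root" && $3 + 0 <= sysmax && $7 !~ lockre) {
                print "LOCK    " $1 " (system account with login shell " $7 ")"; found++
            }
            next
        }
        $2 == "" { print "EMPTYPW " $1 " (empty password field)"; found++ }   # second file: shadow
        END { exit (found > 0) }
    ' "$passwd" "$shadow"
}

# Constructed sample files (not the page's host) so the audit can be run offline.
make_sample() {   # $1 = directory to create passwd and shadow in
    mkdir -p "$1"
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/bin/sh
games:x:12:100:games:/usr/games:/sbin/nologin
chang:x:500:500::/home/chang:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$PLACEHOLDER$notarealhash:14770:0:99999:7:::
bin:*:14770:0:99999:7:::
daemon:!!:14770:0:99999:7:::
games:*:14770:0:99999:7:::
chang::14770:0:99999:7:::
EOF
}

# Usage: sh audit_accounts.sh <passwd-file> <shadow-file>
if [ $# -eq 2 ]; then audit_accounts "$1" "$2"; fi
```

On the sample the script reports games for removal, daemon for locking (bin is already on /sbin/nologin) and chang for an empty password, and exits 1.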


2.  Access Control

Access controls restrict access to system objects such as files,
directories, and devices based upon the identity of the user or the
group to which the user belongs. The purpose of access controls is to
protect against the unauthorized disclosure, modification, or
destruction of the data residing in these systems, as well as the
applications themselves. Automated systems are vulnerable to
fraudulent or malicious activity by individuals who have the authority
or capability to access information that is not required to perform
their job-related duties.

Access control policy is designed to reduce the risk of an individual
acting alone from engaging in such fraudulent or malicious behavior.
The Principle of Least Privilege states that users should only be able
to access the system resources needed to fulfill the users’ job
responsibilities.

2.1 Login Warning Banner

[root@localhost hardening]# cat warning
WARNING: THIS IS A WARNING.

[root@localhost hardening]# cat warning >> /etc/motd
[root@localhost hardening]# cat warning >> /etc/issue
[root@localhost hardening]# cat warning >> /etc/issue.net

2.2 GUI Login Warning Banner

2.3 Restrict Substitute User (su) access
The su command allows users to change their effective UIDs, typically to escalate privileges. This is a weak method for controlling access to elevated privileges and should not be used in environments where the Superuser Do (sudo) is available. The sudo utility is discussed in section 6.

sed -i -e 's/#auth.*required.*pam_wheel.so/auth            required        pam_wheel.so/' /etc/pam.d/su


=======================================================
Add a user to sudoers before doing 2.4
[root@localhost ~]# chmod +w /etc/sudoers
[root@localhost ~]# vim /etc/sudoers
root    ALL=(ALL)       ALL
greg  ALL=(ALL)       ALL

[root@localhost ~]# chmod -w /etc/sudoers

=======================================================

2.4 Restrict Root Login to the Console
Logging onto a system directly as root is strongly discouraged, as it defeats the principles of least privilege and separation of duties. Furthermore, direct root logins prevent accurate logging of events to individuals.

2.4.1 Limit Root Login to Local Physical Devices (NO NEED to do anything)

This check verifies that console definitions are restricted to the console, tty, and vc devices. The file /etc/securetty should not list pseudo devices whose names are "tty" followed by a capital letter and a digit.

[root@localhost ~]# less /etc/securetty

2.4.2 Disallow Root Login under X11 (NOT APPLICABLE TO CENTOS)

Ensure X11 disallows root login.

2.5 Remote Access with Secure Shell (SSH)

2.5.1 Limit SSH Protocol Use to Version 2

The Protocol parameter restricts SSH protocols to Version 2.
[root@localhost ~]# less /etc/ssh/sshd_config

2.5.2 Disable Root Login Via SSH
The PermitRootLogin parameter disallows remote root access via SSH.

[root@localhost ~]# sed -i -e 's/#PermitRootLogin.*yes/PermitRootLogin no/'  /etc/ssh/sshd_config

[root@localhost ~]# /etc/init.d/sshd restart


2.5.3 Display Secure Shell Warning Banner
The Banner parameter instructs SSH to display the shell warning banner when SSH connections are first established.

[root@localhost ~]# sed -i -e 's/#Banner.*\/some\/path/Banner \/etc\/issue/'  /etc/ssh/sshd_config

[root@localhost ~]# /etc/init.d/sshd restart

2.5.4 Use Secure Shell RSA Authentication

2.5.5 Allow X11 Forwarding under SSH
Secure shell X11 Forwarding deals with configuring the SSH daemon to forward X11 connections over an SSH session. This configuration option protects X11 sessions with the encrypted SSH tunnel between two systems. X11 should not be used over the network without encryption. In addition, if the server does not run X or does not need remote access to X services, then disable X11Forwarding.

2.5.6 Force Secure Shell Account Lockout
The MaxAuthTries parameter limits the number of authentication attempts the SSH daemon permits per connection.

[root@localhost ~]# sed -i -e 's/#MaxAuthTries.*6/MaxAuthTries 3/'  /etc/ssh/sshd_config
[root@localhost ~]# /etc/init.d/sshd restart

2.5.7  Force Secure Shell to ignore rhosts
Secure shell IgnoreRhosts instructs the SSH daemon to ignore authentication bypass control files (e.g., .rhosts).

[root@localhost ~]# sed -i -e 's/#IgnoreRhosts/IgnoreRhosts/'  /etc/ssh/sshd_config
[root@localhost ~]# /etc/init.d/sshd restart

2.5.8 Disallow Empty Passwords under SSH

Secure shell PermitEmptyPasswords instructs the SSH daemon to disallow connections to accounts with empty passwords.

[root@localhost ~]# sed -i -e 's/#PermitEmptyPasswords.*no/PermitEmptyPasswords no/'  /etc/ssh/sshd_config
[root@localhost ~]# /etc/init.d/sshd restart
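A check of the sshd_config values that 2.5.1 to 2.5.8 are meant to produce, as an added example that is not part of the original post. The sed edits above only rewrite a commented default line that matches exactly; where no such line exists they change nothing and sshd quietly keeps its compiled-in default, so the script resolves each keyword the way sshd does (first uncommented occurrence, case-insensitive, nothing after the first Match block counts as global) and reports what is actually in force. The keywords are real sshd_config directives; the sample config file and the user chang in its Match block are constructed.

```shell
#!/bin/sh
# Checks the sshd_config directives sections 2.5.1 to 2.5.8 set (added example, not from the
# post). A sed that finds no "#Keyword default" line changes nothing, and sshd then silently
# keeps its compiled-in default, so the effective values need to be verified.
SSHD_REQUIRED="Protocol=2 PermitRootLogin=no Banner=/etc/issue MaxAuthTries=3 IgnoreRhosts=yes PermitEmptyPasswords=no"

# Effective global value of one keyword, by sshd's rules: comments skipped, keyword
# case-insensitive, first occurrence wins, lines after the first Match block are conditional.
sshd_effective() {   # $1 = keyword, $2 = config file; prints nothing if unset
    awk -v kw="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match"     { exit }
        tolower($1) == kw          { print $2; exit }
    ' "$2"
}

# Prints OK/FAIL per required directive; returns the number of FAIL lines.
check_sshd_config() {   # $1 = config file (default /etc/ssh/sshd_config)
    cfg="${1:-/etc/ssh/sshd_config}"; fails=0
    for pair in $SSHD_REQUIRED; do
        kw=${pair%%=*}; want=${pair#*=}
        have=$(sshd_effective "$kw" "$cfg")
        if [ "$have" = "$want" ]; then
            echo "OK   $kw $have"
        elif [ -z "$have" ]; then
            echo "FAIL $kw not set globally (compiled-in default applies)"; fails=$((fails + 1))
        else
            echo "FAIL $kw $have (expected $want)"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample (not the page's host): the MaxAuthTries and IgnoreRhosts seds found
# nothing to rewrite, a second PermitRootLogin is ignored, and a Match block is not global.
write_sample_sshd_config() {   # $1 = output path
    cat > "$1" <<'EOF'
Protocol 2
PermitRootLogin no
PermitRootLogin yes
#MaxAuthTries 6
# IgnoreRhosts yes
PermitEmptyPasswords no
Banner /etc/issue
Match User chang
    MaxAuthTries 3
EOF
}

if [ $# -eq 1 ]; then check_sshd_config "$1"; fi   # Usage: sh check_sshd.sh [sshd_config]
```

On the sample, MaxAuthTries and IgnoreRhosts are reported as not set globally and the script returns 2; PermitRootLogin resolves to the first value, no.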

3. Audit Trail

Audit trails maintain a record of system activity by either system or application processes, as well as by individual user activity. In conjunction with appropriate tools and procedures, auditing can further several security-related objectives including the following:

    * Individual accountability
    * Reconstruction of events
    * Intrusion detection
    * Problem identification

Specifically, audit trails can track the identity of each subject attempting to access the system, the time and date of access, and time of log off. In addition, audit trails can capture all activities performed during a session and can specifically identify those activities that have the potential to modify, bypass, or negate the system’s security safeguards. The auditing technique used must be able to support after-the-fact investigations of how, when, and why normal operations ceased. Audit trail controls also involve ensuring that these logs are protected from tampering designed to hide unauthorized activity.

3.1 User Login Activity Auditing

The lastlog file is a database that contains information on the last login of each user. This check verifies that interactive login activity will be recorded.
[chang@localhost ~]$ sudo lastlog

4.  Network Security
This section addresses vulnerabilities inherent in network security and the technical controls needed to mitigate the risks associated with these vulnerabilities. Network security encompasses remote access, network monitoring, external connections, boundary protection, Internet usage, e-mail security, network services, and vulnerability scanning.

4.1 Kernel TCP Stack Tuning

[root@localhost hardening]# vim kerneltuning
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

[root@localhost hardening]# cat kerneltuning >> /etc/sysctl.conf
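A check that the kerneltuning values are actually live in the kernel, as an added example that is not part of the original post. Appending to /etc/sysctl.conf only takes effect at the next boot or after sysctl -p, so the script reads each key from /proc/sys and compares it with the expected file. The sysroot argument and the fake tree it is tested against are assumptions so the script can be exercised offline; the key names are the ones listed above.

```shell
#!/bin/sh
# Verifies that the values in a kerneltuning-style file are live in the kernel (added
# example, not from the post). Appending to /etc/sysctl.conf takes effect only at the next
# boot or after sysctl -p, so /proc/sys is what confirms the settings are in force.

# Reads "key = value" or "key=value" lines (comments and blanks skipped) and compares each
# with the file under sysroot (default /proc/sys); returns the number of mismatched or missing keys.
check_sysctl() {   # $1 = expected-values file, $2 = sysroot
    expected="$1"; sysroot="${2:-/proc/sys}"; fails=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        [ -n "$(printf '%s' "$line" | tr -d '[:space:]')" ] || continue
        key=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*=.*$//')
        want=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        path="$sysroot/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "MISSING $key (no such kernel parameter)"; fails=$((fails + 1))
        elif [ "$(cat "$path")" = "$want" ]; then
            echo "OK      $key = $want"
        else
            echo "FAIL    $key = $(cat "$path") (expected $want)"; fails=$((fails + 1))
        fi
    done < "$expected"
    return "$fails"
}

# Constructed fake sysroot (not a real /proc/sys): syncookies and the backlog are set, but
# accept_redirects has drifted back to 1 and icmp_echo_ignore_broadcasts does not exist.
make_fake_sysroot() {   # $1 = directory to populate
    mkdir -p "$1/net/ipv4/conf/all"
    echo 1    > "$1/net/ipv4/tcp_syncookies"
    echo 4096 > "$1/net/ipv4/tcp_max_syn_backlog"
    echo 1    > "$1/net/ipv4/conf/all/accept_redirects"
}

if [ $# -ge 1 ]; then check_sysctl "$@"; fi   # Usage: sh check_sysctl.sh ./kerneltuning [sysroot]
```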


4.2 Configuring Stand-alone Services
Stand-alone services are independent of XINETD and remain in an executing state even when the service is not processing network connections. Many of the stand-alone services are unnecessary and contain vulnerabilities that can lead to the loss of availability of the system or a breach of system security.

-rwxr-xr-x 1 root root  243 Feb 26 01:35 standaloneservice_thridpart
-rwxr-xr-x 1 root root  263 Feb 26 01:34 standaloneservice_unixservice

 ./standaloneservice_unixservice
 ./standaloneservice_thridpart

4.3 Avoid Using Sendmail
Remove sendmail and install postfix.

 yum erase sendmail

 yum install postfix

 /etc/init.d/postfix start

 /usr/sbin/sendmail -t 'xxxxx@gmail.com' < standaloneservice_unixservice

4.5.  Configuring Portmap

[root@localhost hardening]# /sbin/chkconfig --list | grep port
portmap         0:off   1:off   2:off   3:off   4:off   5:off   6:off

4.6 Configuring NFS
[root@localhost hardening]# /sbin/chkconfig --list | grep nfs
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:off   4:off   5:off   6:off

4.7.  Configuring NETFS
[root@localhost hardening]# /sbin/chkconfig --list | grep netfs
netfs           0:off   1:off   2:off   3:off   4:off   5:off   6:off

4.8.  Configuring NIS
[root@localhost hardening]# /sbin/chkconfig --list | grep nis
[root@localhost hardening]#

4.9.  Configuring X Server Listener

4.10 Disable External Connections to Syslog
The default configuration meets this criterion.

4.11.  Disable Internet Protocol Version 6 (IPv6) Networking

4.12.1 Disable IPv6 at System Boot
[root@localhost hardening]# cat disableipv6
IPV6FORWARDING=no
IPV6_AUTOCONF=no
IPV6_AUTOTUNNEL=no

[root@localhost hardening]# cat disableipv6 >> /etc/sysconfig/network

4.12.2 Ensure IPv6 Module Does Not Load

[root@localhost hardening]# vim /etc/modprobe.conf

[root@localhost hardening]# cat /etc/modprobe.conf
alias scsi_hostadapter mptbase
alias scsi_hostadapter1 mptspi
alias scsi_hostadapter2 ata_piix
# Added by VMware Tools
install pcnet32 /sbin/modprobe -q --ignore-install vmxnet;/sbin/modprobe -q --ignore-install pcnet32 $CMDLINE_OPTS;/bin/true
alias char-major-14 sb
options sb io=0x220 irq=5 dma=1 dma16=5 mpu_io=0x330
alias eth0 vmxnet

alias net-pf-10 off
alias ipv6 off

[root@localhost hardening]# vim /etc/modprobe.conf
[root@localhost hardening]# cat 4.12.2.ipv6notload >> /etc/modprobe.conf
[root@localhost hardening]# less /etc/modprobe.conf

[root@localhost hardening]# cp ipv6_disable.conf /etc/modprobe.d/


4.12.3 Disable IPv6 Functionality at Network Interfaces

[root@localhost hardening]# vim 4.14.3disable_ipv6_nic

[root@localhost hardening]# cat 4.14.3disable_ipv6_nic >> /etc/sysconfig/network-scripts/ifcfg-eth0
[root@localhost hardening]# cat 4.14.3disable_ipv6_nic >> /etc/sysconfig/network-scripts/ifcfg-eth1
[root@localhost hardening]# cat 4.14.3disable_ipv6_nic >> /etc/sysconfig/network-scripts/ifcfg-eth2
[root@localhost hardening]# cat 4.14.3disable_ipv6_nic >> /etc/sysconfig/network-scripts/ifcfg-eth3


4.13.4.  Disable IPv6 IPTABLES Firewall
[root@localhost hardening]# /sbin/service ip6tables stop
[root@localhost hardening]# /sbin/chkconfig ip6tables off


5. Host Based Security

5.4 System umask Value

5.4.1 Set umask for Users

[root@localhost hardening]# echo 'umask 027' >> /etc/csh.login
[root@localhost hardening]# less /etc/csh.login
[root@localhost hardening]# echo 'umask 027' >> /etc/csh.cshrc
[root@localhost hardening]# echo 'umask 027' >> /etc/bashrc

5.4.2 Set umask for Daemons

[root@localhost hardening]# echo 'umask 027' >> /etc/init.d/functions
[root@localhost hardening]# less /etc/init.d/functions


5.5 Single User Mode Password

5.6 Disable Control-Alt-Del

[root@localhost hardening]# sed -i -e 's/ca::ctrlaltdel/#ca::ctrlaltdel/' /etc/inittab
[root@localhost hardening]# vim /etc/inittab
