Core OS Index

2.6. Hardening System security

File systems
Check /etc/fstab and the current mount options. Mount filesystems read-only; allow rw only where it is strictly necessary.
Check kernel settings with sysctl.
Raising kernel.yama.ptrace_scope above 0 restricts ptrace and breaks attaching gdb, strace, perf trace and reptyr to running processes.
Check that iptables rules are loaded and that they log correctly (firewalld works as a front end to iptables).
Check if apparmor is active and enforcing policies.
Check if samhain is running.
Build ports using hardened toolchain settings and verify the resulting binaries with checksec;

        $ sudo prt-get depinst checksec

System configuration

1.1 - Users, groups, passwords and sudo.

Check the groups of "normal" users and make sure they are not in the admin or wheel group. List the processes running as root, the processes that are neither kernel threads nor zombies (in ps axl output field 7 is VSZ and field 10 is STAT), and the group permissions of one process;

        $ ps -U root -u root u
        $ ps axl | awk '$7 != 0 && $10 !~ "Z"'
        $ ps -o gid,rgid,supgid -p "$pid"

Keep passwords stored as hashes and enforce strong passwords with pam-cracklib.

1.2 - Linux PAM

Read /etc/pam.d/system-auth and check the PAM modules in use. Test changes on a virtual machine first, since a mistake can lock users out. Check file ACLs with;

        $ getfacl filename

Find files with the setuid or setgid bit set (-perm -4000 matches files that have the bit set together with any other bits; a bare 4000 would only match that exact mode);

        # find / -perm -4000 >> /root/setuid_files
        # find / -perm -2000 >> /root/setgid_files

To set the setuid bit (4744);

        # chmod u+s filename

To remove the setuid bit (0664) from su and Xorg (without it, a user must be in the input and video groups for Xorg to run);

        # chmod u-s /usr/bin/su
        # chmod u-s /usr/bin/X

To set the setgid bit (2744);

        # chmod g+s filename

To remove the setgid bit (0774);

        # chmod g-s filename

Find world-writable directories that lack the sticky bit;

        # find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

Find files with no owner or no group;

        # find /dir -xdev \( -nouser -o -nogroup \) -print
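The checks in this section collected into one script, as an added example that is not part of the Tribu documentation: it runs the setuid, setgid, world-writable and unowned-file searches over one tree, writes one report file per check, and builds a small constructed sample tree so the script can be tried without root. Only POSIX find(1), chmod(1) and wc(1) are assumed; the report directory and sample tree layout are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the Tribu documentation: audit one directory tree for
# the permission problems the checklist lists and write one report per check.
# -perm -4000 (with the leading dash) matches files that have the setuid bit set
# in addition to any other bits; a bare -perm 4000 only matches mode exactly 4000.

audit_perms() {
    root="$1"      # directory tree to audit, e.g. /
    out="$2"       # directory that receives the report files
    mkdir -p "$out"
    # setuid executables: they run with the file owner's privileges
    find "$root" -xdev -type f -perm -4000 -print > "$out/setuid_files"
    # setgid executables (setgid on a directory only controls group inheritance)
    find "$root" -xdev -type f -perm -2000 -print > "$out/setgid_files"
    # world-writable directories without the sticky bit: any user can delete others' files there
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 -print > "$out/ww_dirs_nosticky"
    # world-writable regular files
    find "$root" -xdev -type f -perm -0002 -print > "$out/ww_files"
    # files whose owner or group no longer exists in passwd/group
    find "$root" -xdev \( -nouser -o -nogroup \) -print > "$out/unowned"
}

# number of entries a report file holds
count_lines() { wc -l < "$1" | tr -d ' '; }

# constructed sample tree: one finding of each kind plus harmless files,
# so audit_perms can be exercised on a scratch directory without root
make_sample_tree() {
    t="$1"
    mkdir -p "$t/bin" "$t/tmp_bad" "$t/tmp_ok"
    : > "$t/bin/suid_tool";  chmod 4755 "$t/bin/suid_tool"   # setuid executable
    : > "$t/bin/sgid_tool";  chmod 2755 "$t/bin/sgid_tool"   # setgid executable
    : > "$t/bin/plain";      chmod 0755 "$t/bin/plain"       # nothing special
    : > "$t/tmp_bad/note";   chmod 0666 "$t/tmp_bad/note"    # world-writable file
    chmod 0777 "$t/tmp_bad"                                   # world-writable, no sticky bit
    chmod 1777 "$t/tmp_ok"                                    # world-writable but sticky, like /tmp
}

# stand-alone run: audit the sample tree and print a summary per report
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_tree "$d/tree"
    audit_perms "$d/tree" "$d/report"
    for r in "$d"/report/*; do echo "$(count_lines "$r") $(basename "$r")"; done
    rm -rf "$d"
fi
```

Run the script with --demo to see the counts for the sample tree, or call audit_perms / /root/perm_report as root on a live system; the unowned report is the one to compare against packages and users that were removed.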

1.3. Capabilities

Check capabilities;

        # getcap filename

1.9 - Limit the number of processes.
1.10 - Lock a user after 3 failed logins.
1.8 - Block a host IP based on iptables and service abuse.

1.4 Sudo

Check sudo, the sudoers file and sudoreplay.

Don't run an editor as root; instead run sudoedit filename or sudo --edit filename. The editor can be set with an environment variable;

        $ export SUDO_EDITOR=vim

Set rvim (restricted vim) as the default editor in the sudo configuration;

        # visudo

        Defaults editor=/usr/bin/rvim

Once sudo is correctly configured, disable root login;

        # passwd --lock root

1.5 Auditd

        $ prt-get depinst audit

Example: audit writes and attribute changes to /etc/passwd (auditctl needs root);

        # auditctl -w /etc/passwd -p wa -k passwd_changes

Audit when a kernel module gets loaded (every execution of insmod);

        # auditctl -w /sbin/insmod -p x -k module_insertion
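Rules given to auditctl are lost at reboot, and the events they produce are only useful if someone reads them. The script below is an added example, not part of the Tribu documentation or the audit package: it writes the two watch rules above into a rules file (the path is passed in; /etc/audit/rules.d/ is where augenrules loads them from) and summarises SYSCALL records per key as "count uid exe". ausearch -k KEY is the usual query tool; the sed/awk summary is for a copied log or for the constructed sample records embedded here, whose values are made up.

```shell
#!/bin/sh
# Added example, not from the Tribu documentation: persist the two watch rules
# and summarise the audit records they generate.

# write the watch rules to the given file (pass /etc/audit/rules.d/hardening.rules
# on a real system so augenrules loads them at boot)
write_audit_rules() {
    cat > "$1" <<'EOF'
## writes and attribute changes to /etc/passwd
-w /etc/passwd -p wa -k passwd_changes
## every execution of insmod (kernel module insertion)
-w /sbin/insmod -p x -k module_insertion
EOF
}

# for one key, print "count uid exe" lines from SYSCALL records, most frequent first;
# " uid=" with the leading space avoids matching auid=, euid=, suid= and fsuid=
audit_summary() {
    log="$1"; key="$2"
    grep '^type=SYSCALL' "$log" | grep "key=\"$key\"" \
      | sed -n 's/.* uid=\([0-9]*\) .* exe="\([^"]*\)".*/\1 \2/p' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# constructed sample records in the shape of real audit.log SYSCALL/PATH lines
sample_audit_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1600000000.101:201): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 tty=pts0 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=PATH msg=audit(1600000000.101:201): item=0 name="/etc/passwd" mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1600000000.102:202): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=902 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 tty=pts0 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=SYSCALL msg=audit(1600000000.103:203): arch=c000003e syscall=257 success=no exit=-13 ppid=950 pid=951 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 tty=pts1 comm="vim" exe="/usr/bin/vim" key="passwd_changes"
type=SYSCALL msg=audit(1600000000.104:204): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=960 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 tty=(none) comm="insmod" exe="/sbin/insmod" key="module_insertion"
EOF
}

# stand-alone run over the sample records
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    sample_audit_log "$d/audit.log"
    for k in passwd_changes module_insertion; do
        echo "== $k"; audit_summary "$d/audit.log" "$k"
    done
    rm -rf "$d"
fi
```

The success=no record with uid=1000 still shows up in the summary: a failed write to /etc/passwd by an unprivileged user is exactly the kind of event worth looking at, which is why the summary does not filter on success.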

1.6 Network

Find listening services with (ss shows the listening sockets; nmap confirms what is reachable, replace <host> with the host to audit);

        # ss -tulpn
        # nmap -sT -O localhost
        # nmap -sT -O <host>

        $ sudo prt-get depinst lynis

Lynis gives an overview of the overall system configuration; with the default profile it runs irrelevant tests. Create a Lynis profile by copying the default one, then run Lynis;

        $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
        $ sudo lynis configure settings color=yes
        $ sudo lynis show settings
        $ sudo lynis show profile
        $ lynis audit system > lynis_report
        $ mv /tmp/lynis.log .
        $ mv /tmp/lynis-report.dat .

Add the unnecessary tests to the profile as skip-test entries to have less noise.
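Reading the report and trimming the profile can be scripted. The block below is an added example, not from the Tribu documentation or the Lynis project: it lists the warnings and suggestions in a lynis-report.dat and appends skip-test entries for reviewed test IDs to the custom profile without duplicating ones already there. It assumes the report stores findings as "warning[]=TEST-ID|text|..." and "suggestion[]=TEST-ID|text|..." lines and that the profile accepts skip-test=TEST-ID lines, as Lynis's own files do; the embedded report fragment and its CONS-xxxx test IDs are constructed.

```shell
#!/bin/sh
# Added example, not from the Tribu documentation or Lynis: summarise a report
# and maintain the skip-test list of the custom profile.

# print "TEST-ID: text" for every finding of the given kind (warning or suggestion)
report_findings() {
    report="$1"; kind="$2"
    grep "^$kind\[]=" "$report" | cut -d= -f2- | awk -F'|' '{ printf "%s: %s\n", $1, $2 }'
}

# number of findings of one kind
report_count() { report_findings "$1" "$2" | wc -l | tr -d ' '; }

# append skip-test=ID for each ID given, skipping entries already present;
# prints the number of entries added
add_skips() {
    profile="$1"; shift
    added=0
    for id in "$@"; do
        if ! grep -q "^skip-test=$id\$" "$profile" 2>/dev/null; then
            printf 'skip-test=%s\n' "$id" >> "$profile"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# constructed report fragment with made-up test IDs, in the layout described above
sample_report() {
    cat > "$1" <<'EOF'
report_version_major=1
hostname=testbox
warning[]=CONS-0001|Constructed warning: root account is not locked|-|-|
suggestion[]=CONS-0002|Constructed suggestion: set a default editor for sudo|-|-|
suggestion[]=CONS-0003|Constructed suggestion: review world writable directories|-|-|
EOF
}

# stand-alone run: show the sample findings, then skip two of them in a scratch profile
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    sample_report "$d/lynis-report.dat"
    echo "warnings:";    report_findings "$d/lynis-report.dat" warning
    echo "suggestions:"; report_findings "$d/lynis-report.dat" suggestion
    echo "added $(add_skips "$d/custom.prf" CONS-0002 CONS-0003) skip entries"
    cat "$d/custom.prf"
    rm -rf "$d"
fi
```

On a real system point report_findings at the lynis-report.dat you copied out of /tmp and add_skips at /etc/lynis/custom.prf; only skip a test after deciding the finding does not apply, since a skipped test produces no warning on later runs.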


This is part of the Tribu System Documentation. Copyright (C) 2020 Tribu Team. See the file Gnu Free Documentation License for copying conditions.