
Linux Hardening Checklist

System Installation & Patching

1 If the machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened.

2 Use the latest version of the Operating System if possible

Refer to the vendor support documentation to confirm the lifecycle of the version. Consider both the major and minor (or service pack) release where a vendor releases both.

3 Create a separate volume with the nodev, nosuid, and noexec options set for /tmp.

Since /tmp is intended to be world-writable, creating a separate partition for it can prevent resource exhaustion. Setting nodev prevents users from creating or using block or special character devices. Setting noexec prevents users from running binary executables from /tmp. Setting nosuid prevents users from creating set-user-id files in /tmp.

4 Create separate volumes for /var, /var/log, and /home.

Any directories where non-admin users have write access should be separate from the root volume to limit the impact of those volumes being filled.

5 Set sticky bit on all world-writable directories.

The sticky bit stops users with write access to the directory deleting files owned by other users.
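
As an added example covering items 3 and 5 above (editor's code, not part of the checklist): a POSIX shell audit that checks a mount table for the nodev, nosuid and noexec options and finds world-writable directories that lack the sticky bit, run here against a constructed mounts table and directory tree.

```shell
# Added example, not part of the checklist: audit the mount options of a
# world-writable volume and find world-writable directories lacking the
# sticky bit. With nodev device nodes are unusable, with nosuid set-user-ID
# bits are ignored, and with noexec binaries cannot be executed there.

# check_mount_opts MOUNTS_FILE MOUNTPOINT OPT...
# MOUNTS_FILE has the /proc/mounts layout ("dev mountpoint fstype opts 0 0").
# Returns 0 when MOUNTPOINT is a separate mount carrying every OPT, else 1.
check_mount_opts() {
    mounts=$1; mp=$2; shift 2
    # a path can be over-mounted; the last entry is the one in effect
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts" | tail -n 1)
    [ -n "$opts" ] || return 1
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# find_unsticky_ww ROOT: world-writable directories under ROOT without the
# sticky bit; on a real host run it against / (-xdev keeps it on one fs).
find_unsticky_ww() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# fix_unsticky_ww ROOT: add the sticky bit to every directory found above.
fix_unsticky_ww() {
    find_unsticky_ww "$1" | while IFS= read -r d; do chmod +t "$d"; done
}

# Constructed sample mounts table: /tmp is correct, /var/tmp lacks noexec.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda4 /var/tmp ext4 rw,nosuid,nodev,relatime 0 0
EOF

# Constructed directory tree: "bad" is mode 0777 with no sticky bit.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/ok" "$SAMPLE_ROOT/bad"
chmod 1777 "$SAMPLE_ROOT/ok"
chmod 0777 "$SAMPLE_ROOT/bad"
find_unsticky_ww "$SAMPLE_ROOT"
```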

6 Ensure the system is configured to be able to receive software updates

For Red Hat Enterprise Linux (RHEL) or SUSE Linux Enterprise Server (SLES) this requires a subscription to be allocated to the system. For most other major distributions this is a simple configuration change.


OS Hardening

1 Restrict core dumps.

Core dumps are intended to help determine why a program aborted. They may contain sensitive or confidential data from memory. It is recommended that core dumps be disabled or restricted.

2 Remove legacy services

Services that provide/rely on unencrypted authentication should be disabled unless there are grounds for an exception. These include telnet-server, rsh, rlogin, rcp, ypserv, ypbind, tftp, tftp-server, talk and talk-server.

3 Disable any services and applications started by xinetd or inetd that are not being utilized. Remove xinetd, if possible

The inetd or xinetd service allows programs to be run when a connection is made to a designated network port. All unneeded inetd applications should be disabled; if no applications require it, disable (x)inetd itself.

4 Disable or remove server services that are not going to be utilized (e.g., FTP, DNS, LDAP, SMB, DHCP, NFS, SNMP, etc.)

5 Ensure syslog (rsyslog, syslog, syslog-ng) service is running.

The syslog service manages the logs in /var/log/. Most modern syslog implementations also support remote log forwarding.

6 Enable a Network Time Protocol (NTP) service to ensure clock accuracy

Accurate timekeeping facilitates analysis of system logs when needed.


7 Restrict the use of the cron and at services.

These can be used to run commands on the system and should only be allowed to accounts which need this access.


User Access & Passwords

1 Create an account for each user who should access the system

Avoiding shared accounts/passwords makes it easier to keep an audit trail and remove access when no longer needed.

2 Enforce the use of strong passwords

Password security rules can be set in /etc/pam.d/password-auth

3 Use sudo to delegate admin access

The sudo command allows for fine-grained control of rights to run commands as root (or other user ids). The /etc/sudoers configuration file should be edited with the visudo command.

Network Security & Remote Access

1 Limit connections to services running on the host to authorized users of the service via firewalls and other access control technologies.

The iptables firewall is a kernel component common to all Linux systems, but the tools used to manage firewall rules differ significantly between vendors, so check the version-specific configuration guide.

2 Disable:

IP forwarding.
send packet redirects.
source routed packet acceptance.
ICMP redirect acceptance.

Enable:
Ignore Broadcast Requests.
Bad Error Message Protection.
TCP/SYN cookies.

These kernel tuning parameters should be set in /etc/sysctl.conf
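
Added editor's example, not from the checklist, covering this item and the core dump item under OS Hardening: the parameters written as sysctl keys (the key names, including fs.suid_dumpable, are the editor's mapping of the wording above), a generator for the sysctl.conf fragment, and an audit of an existing sysctl.conf, exercised on a constructed file.

```shell
# Added example, not part of the checklist: the parameters above as sysctl
# keys, a generator for a sysctl.conf fragment, and an audit of an existing
# sysctl.conf. The key names, and fs.suid_dumpable for the core dump item
# under OS Hardening, are the editor's mapping of the checklist's wording.
REQUIRED_SYSCTL='
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
fs.suid_dumpable=0
'

# write_sysctl_fragment FILE: "key = value" lines; load with "sysctl -p FILE".
write_sysctl_fragment() {
    printf '%s\n' "$REQUIRED_SYSCTL" | sed -n 's/^\([^=]*\)=\(.*\)$/\1 = \2/p' > "$1"
}

# conf_value FILE KEY: effective value of KEY (comments ignored, last wins).
conf_value() {
    k=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots are literal in the key
    sed -n 's/[[:space:]]*#.*//; s/[[:space:]]*$//; s/^[[:space:]]*'"$k"'[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$1" | tail -n 1
}

# audit_sysctl_conf FILE: one line per missing or wrong key; 0 only if all match.
audit_sysctl_conf() {
    rc=0
    for kv in $REQUIRED_SYSCTL; do
        key=${kv%%=*}; want=${kv#*=}; have=$(conf_value "$1" "$key")
        [ "$have" = "$want" ] || { printf '%s: want %s, have %s\n' "$key" "$want" "${have:-unset}"; rc=1; }
    done
    return $rc
}

# Constructed sample sysctl.conf: forwarding left on, SYN cookies commented out,
# no fs.suid_dumpable line at all.
SAMPLE_SYSCTL=$(mktemp)
cat > "$SAMPLE_SYSCTL" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
#net.ipv4.tcp_syncookies = 1
EOF
audit_sysctl_conf "$SAMPLE_SYSCTL" || echo "sysctl.conf needs the fragment applied"
```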

3 In the SSH server configuration ensure that:

Protocol version is set to 2
LogLevel is set to INFO
PermitEmptyPasswords is set to No

These settings are the default on most platforms; setting them to other values impacts the security of the SSH server.

4 Disable root login over SSH.

Root SSH with password should never be allowed; users should authenticate with their own account and use su or sudo if needed. Valid values for PermitRootLogin are no, without-password and forced-commands-only, depending on whether key-based access is required.
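
Added editor's example for items 3 and 4, not an OpenSSH tool: an audit of sshd_config that reads values the way sshd does (the first occurrence of a keyword wins, and keywords after a Match line are conditional), shown on a constructed file; the ALLOW_KEY_ROOT switch is the editor's.

```shell
# Added example, not part of the checklist: audit an sshd_config for the
# settings in items 3 and 4. sshd takes the FIRST value it reads for each
# keyword, and keywords after a Match line apply only to that Match block,
# so a "PermitRootLogin no" appended at the end of the file changes nothing.

# sshd_value FILE KEYWORD: first unconditional value of KEYWORD (keywords are
# case-insensitive; "Keyword value" and "Keyword=value" both parse).
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }          # comment or blank line
        { sub(/=/, " ") }                        # Keyword=value -> Keyword value
        tolower($1) == "match" { exit }          # conditional section begins
        tolower($1) == key { print $2; exit }    # first occurrence wins
    ' "$1"
}

# audit_sshd FILE: print each wrong setting; return 0 when all pass.
# Set ALLOW_KEY_ROOT=1 (editor's switch) when key-only root access is a
# documented requirement; then without-password (alias prohibit-password) or
# forced-commands-only is accepted for PermitRootLogin instead of no.
audit_sshd() {
    rc=0
    for pair in Protocol=2 LogLevel=info PermitEmptyPasswords=no; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sshd_value "$1" "$key" | tr 'A-Z' 'a-z')
        [ "$have" = "$want" ] || { printf '%s: want %s, have %s\n' "$key" "$want" "${have:-unset}"; rc=1; }
    done
    have=$(sshd_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    case "${ALLOW_KEY_ROOT:-0}:$have" in
        *:no|1:without-password|1:prohibit-password|1:forced-commands-only) ;;
        *) printf 'PermitRootLogin: have %s\n' "${have:-unset}"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample sshd_config: the admin appended "PermitRootLogin no",
# but it sits after a Match line and the earlier "yes" is what sshd uses.
SAMPLE_SSHD=$(mktemp)
cat > "$SAMPLE_SSHD" <<'EOF'
# constructed sample, not a real host's file
Protocol 2
LogLevel = INFO
PermitRootLogin yes
PermitEmptyPasswords no
Match User backup
PermitRootLogin no
EOF
audit_sshd "$SAMPLE_SSHD" || echo "sshd_config needs attention"
```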

5 Deploy an Intrusion Prevention System (IPS) such as fail2ban

fail2ban uses the iptables firewall to block remote systems generating many authentication failures as a way to combat brute force password attempts.

Apache Webserver (HTTPD)

1 Always run apache with a dedicated non-admin account

The system user account the apache server runs in should have minimal permission on the system to limit the potential for this to be exploited. This is the default in all major Linux distributions.

2 Disable any modules not required

Apache is modular in design; each module provides different functionality and almost all are optional for basic use cases. In particular look to disable webdav, status, info, userdir and autoindex unless these are known to be required.

3 Disable HTTP Trace:
TraceEnable Off


4 Configure SSL in line with best practice

Mozilla provide resources for this: https://wiki.mozilla.org/Security/Server_Side_TLS

5 Configure Apache not to advertise the software/OS versions

Set ServerTokens Prod and ServerSignature Off to limit the system configuration information easily available.

6 Deny access to files by default; only allow access to designated directories.

Only directories containing apache content should be readable by remote clients.
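
Added editor's example for items 3, 5 and 6, not Apache's own tooling: an audit of httpd.conf for TraceEnable, ServerTokens, ServerSignature and a deny-by-default <Directory /> block, applying Apache's rule that a later directive overrides an earlier one in the same scope, run on a constructed file.

```shell
# Added example, not part of the checklist: audit an httpd.conf for items 3,
# 5 and 6. Directive names/values are case-insensitive and a later line
# overrides an earlier one in the same scope (last top-level occurrence wins).
# httpd_value FILE DIRECTIVE: effective server-level value of DIRECTIVE;
# lines inside <Directory>, <Location> and similar containers are skipped.
httpd_value() {
    awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        /^[ \t]*<\// { depth--; next }              # closing container tag
        /^[ \t]*</ { depth++; next }                # opening container tag
        depth == 0 && tolower($1) == d { v = $2 }  # last one wins
        END { print v }
    ' "$1"
}
# root_dir_denies FILE: 1 if the <Directory /> block denies all access
# ("Require all denied" on 2.4, "Deny from all" on 2.2), else 0.
root_dir_denies() {
    awk '
        /^[ \t]*#/ { next }
        tolower($0) ~ /^[ \t]*<directory[ \t]+"?\/"?>/ { in_root = 1; next }
        in_root && tolower($0) ~ /^[ \t]*<\/directory>/ { in_root = 0; next }
        in_root && tolower($0) ~ /^[ \t]*(require[ \t]+all[ \t]+denied|deny[ \t]+from[ \t]+all)[ \t]*$/ { ok = 1 }
        END { print ok + 0 }
    ' "$1"
}
# audit_httpd FILE: print each failing check; return 0 when all pass.
audit_httpd() {
    rc=0
    for pair in ServerTokens=prod ServerSignature=off TraceEnable=off; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(httpd_value "$1" "$key" | tr 'A-Z' 'a-z')
        [ "$have" = "$want" ] || { printf '%s: want %s, have %s\n' "$key" "$want" "${have:-unset}"; rc=1; }
    done
    [ "$(root_dir_denies "$1")" = 1 ] || { echo '<Directory />: access is not denied by default'; rc=1; }
    return $rc
}
# Constructed sample httpd.conf: ServerTokens is corrected further down (the
# later line wins), ServerSignature is still On, the root directory is denied.
SAMPLE_HTTPD=$(mktemp)
cat > "$SAMPLE_HTTPD" <<'EOF'
ServerTokens Full
ServerSignature On
TraceEnable Off
<Directory />
    Require all denied
</Directory>
ServerTokens Prod
EOF
audit_httpd "$SAMPLE_HTTPD" || echo "httpd.conf needs attention"
```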
