
@nomicode
Last active February 25, 2025 16:36
A short guide that outlines key hardening techniques for GNU/Linux

GNU/Linux System Hardening Techniques

Introduction

System hardening is an essential security practice for GNU/Linux environments.

This short guide outlines key hardening techniques that reduce attack surface and enhance overall security posture in Debian-based systems.

File Permission Controls

Overview

Proper file permission management prevents unauthorized access to sensitive data and limits the potential for privilege escalation attacks.

Implementation Options

ACL Management with setfacl and getfacl

Access Control Lists provide granular permission controls beyond standard chmod operations.

# View current ACL
getfacl /path/to/file

# Grant specific user read access
setfacl -m u:username:r /path/to/file

# Grant group read/write permissions
setfacl -m g:groupname:rw /path/to/file

The commands above show how to view a file's existing ACL, grant one user read-only access, and give a group read-write access. getfacl and setfacl ship in the acl package (sudo apt install acl), which a minimal Debian install may lack, and the filesystem must support ACLs (ext4 and XFS do by default). Two things to check afterwards: ls -l marks a file that carries an ACL with a + after the mode bits, and getfacl prints an #effective: annotation next to any entry that the ACL mask is cutting down, which is the usual reason a freshly granted permission does not work. For directories, setfacl -d sets a default ACL that newly created files inherit. Used this way, ACLs implement least privilege for one-off exceptions without loosening the base mode or creating a group for every exception.

Group-Based Access Control

Efficient permission management through strategic group assignments.

# Create security-focused group
sudo groupadd securityteam

# Add users to group (-a appends; -G alone would replace the user's other supplementary groups)
sudo usermod -aG securityteam username

# Set group ownership of the directory and everything in it
sudo chgrp -R securityteam /path/to/sensitive/dir

# Group read/write plus execute on directories (needed to traverse them); no access for others
sudo chmod -R g+rwX,o-rwx /path/to/sensitive/dir

This sequence creates a dedicated security team group, adds a user to it, gives the group ownership of a sensitive directory tree, and grants group members read-write access while removing all access for others. Three caveats: the -a in usermod -aG is essential, because -G on its own replaces the user's existing supplementary groups; new membership takes effect only at the user's next login (id username shows what the account database says); and a directory needs the group execute bit to be entered, so granting g+rw without x leaves the group unable to list or traverse it. Files created later inside the directory take the creator's primary group unless the directory carries the setgid bit (chmod g+s), so set it on shared directories. Group-based access keeps permission management tractable in environments where several users need the same access level.
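Both subsections above assume the resulting modes actually stay tight. The following script is an added example, not part of the original gist: it audits a directory tree for the conditions the ACL and group controls are meant to prevent (world-writable files and directories, setuid or setgid executables, group-private directories that still leak to "other") and builds a constructed sample tree so it runs offline. It needs only find and coreutils, not the acl tools; every path in it is hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not part of the original gist: audit a tree for the permission
# problems the ACL and group sections guard against. Only findutils/coreutils
# are used, and the sample tree below is constructed for demonstration.

# Files and directories writable by "other". A world-writable directory is
# tolerated only when it carries the sticky bit (mode 1777, like /tmp).
find_world_writable() {
    find "$1" \( -type f -perm -o+w \) -o \( -type d -perm -o+w ! -perm -1000 \) | sort
}

# setuid/setgid executables: each one is a privilege-escalation candidate to review.
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Anything under a group-private directory that "other" can still read.
find_other_readable() {
    find "$1" -perm -o+r | sort
}

# Constructed sample tree covering each case; prints its path.
make_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/shared" "$root/dropbox" "$root/private"
    : > "$root/shared/notes.txt"; chmod 0664 "$root/shared/notes.txt"   # fine
    : > "$root/shared/leaky.txt"; chmod 0666 "$root/shared/leaky.txt"   # world-writable file
    : > "$root/shared/tool";      chmod 4755 "$root/shared/tool"        # setuid executable
    chmod 0777 "$root/shared"                                           # world-writable, no sticky bit
    chmod 1777 "$root/dropbox"                                          # world-writable but sticky: tolerated
    : > "$root/private/secret";   chmod 0660 "$root/private/secret"     # group-private, as the section intends
    chmod 0770 "$root/private"
    printf '%s\n' "$root"
}

# Usage: audit_tree /path/to/dir
audit_tree() {
    printf '== world-writable without sticky bit ==\n'; find_world_writable "$1"
    printf '== setuid/setgid executables ==\n';         find_setid "$1"
}
```

Run audit_tree against /srv or /home after applying the group controls; anything it lists under the first heading undoes the o-rwx you just set, and every setuid binary it finds is one to justify or remove.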

System Logging Configuration

Overview

Comprehensive logging is critical for security monitoring, troubleshooting, and forensic analysis after incidents.

Primary Logging Systems

Rsyslog Implementation

# Install rsyslog (Debian 12 and later no longer install it by default)
sudo apt install rsyslog

# Configure separate auth logging, unless the stock configuration already does it
grep -rn 'auth,authpriv' /etc/rsyslog.conf /etc/rsyslog.d/ || \
  echo 'auth,authpriv.* /var/log/auth.log' | sudo tee /etc/rsyslog.d/auth-separate.conf

# Validate, then apply configuration
sudo rsyslogd -N1
sudo systemctl restart rsyslog

The commands above install rsyslog, route authentication events to a dedicated file, and restart the service. Two checks before doing so: Debian's stock rsyslog.conf (and Ubuntu's 50-default.conf) already contain an auth,authpriv.* rule, so adding a second one writes every authentication event twice; and rsyslogd -N1 validates the configuration before the restart so a typo does not take logging down. Debian 12 no longer installs rsyslog by default, so on a stock system the same events are read from the journal with journalctl SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 (the auth and authpriv facilities). Either way, keeping authentication events apart from general syslog noise makes monitoring for failed logins, sudo use and SSH activity, and auditing after an incident, far quicker.
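Separating authentication events pays off when you query them. The script below is an added example, not part of the original gist: it runs two detections over constructed /var/log/auth.log lines (the host, users and addresses are fictional; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), counting failed SSH password attempts per source address and listing commands run through sudo.

```bash
#!/usr/bin/env bash
# Added example, not part of the original gist: detection logic over the kind of
# lines rsyslog writes to /var/log/auth.log. The sample is constructed; the host,
# users and addresses are fictional.

SAMPLE_AUTH_LOG='Feb 25 16:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb 25 16:01:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Feb 25 16:01:06 host sshd[1205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Feb 25 16:01:08 host sshd[1207]: Failed password for root from 203.0.113.7 port 51028 ssh2
Feb 25 16:01:10 host sshd[1209]: Failed password for alice from 203.0.113.7 port 51030 ssh2
Feb 25 16:02:15 host sshd[1220]: Failed password for bob from 198.51.100.23 port 40110 ssh2
Feb 25 16:02:40 host sshd[1221]: Accepted publickey for bob from 198.51.100.23 port 40112 ssh2: ED25519 SHA256:c29tZXRoaW5n
Feb 25 16:03:00 host sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update
Feb 25 16:03:05 host sshd[1230]: Failed password for alice from 203.0.113.7 port 51040 ssh2'

# Count sshd "Failed password" events per source address and print "COUNT IP"
# for every source at or above THRESHOLD, busiest first. Attempts against valid
# and "invalid user" names are both counted: the source address is what matters.
failed_logins_by_ip() {   # usage: failed_logins_by_ip [THRESHOLD] < auth.log
    awk -v threshold="${1:-5}" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= threshold) print fails[ip], ip }
    ' | sort -rn
}

# Commands executed through sudo, as "user -> command"; the invoking user is the
# sixth whitespace-separated field of a sudo line.
sudo_commands() {   # usage: sudo_commands < auth.log
    awk '/ sudo: / && /COMMAND=/ {
        user = $6; sub(/.*COMMAND=/, ""); print user " -> " $0
    }'
}

# On a live system (auth.log is readable by root and group adm):
#   failed_logins_by_ip 5 < /var/log/auth.log
#   sudo_commands < /var/log/auth.log
```

The same two awk programs work unchanged on journal output (journalctl -o short SYSLOG_FACILITY=4 SYSLOG_FACILITY=10), since the message text is identical; only the file they read changes.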

Auditd for Enhanced Monitoring

# Install the audit system
sudo apt install auditd

# Configure critical file monitoring (-p wa = writes and attribute changes, -k = search key)
echo '-w /etc/passwd -p wa -k passwd_changes' | sudo tee -a /etc/audit/rules.d/audit.rules
echo '-w /etc/sudoers -p wa -k sudoers_changes' | sudo tee -a /etc/audit/rules.d/audit.rules

# Enable the service at boot and load the rules (the unit refuses a manual systemctl restart)
sudo systemctl enable --now auditd
sudo augenrules --load

# Confirm the rules are loaded, then query audit logs by key
sudo auditctl -l
sudo ausearch -k passwd_changes

This sequence installs the Linux audit daemon, adds watch rules for two critical files (-w names the path, -p wa records writes and attribute changes such as chmod or chown, -k attaches a search key), enables the service at boot, loads the rules, and shows how to query events by key. Files under /etc/audit/rules.d/ are compiled into /etc/audit/audit.rules by augenrules, so edits take effect only after augenrules --load or a reboot, and auditd's systemd unit sets RefuseManualStop, so a plain systemctl restart auditd is typically refused. Verify that the rules are active with auditctl -l, and use ausearch -i -k passwd_changes to see names instead of numeric IDs. Each event records the login UID (auid) of the session, so a change made through sudo is still attributed to the person who logged in, which is what makes auditd valuable for compliance evidence and post-incident forensics.
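Raw audit.log records are what you have once the log has been shipped off-host, where ausearch is not available. The following is an added example, not part of the original gist: it joins each SYSCALL record that carries one of the keys above to its PATH record, using the serial number in msg=audit(TIMESTAMP:SERIAL), and reports the login UID (auid), the effective uid, the command and the path touched. The records are constructed (pids, inodes and timestamps are made up) and follow the audit daemon's field layout.

```bash
#!/usr/bin/env bash
# Added example, not part of the original gist: reconstruct "who changed what"
# from raw /var/log/audit/audit.log records produced by the -w rules above.
# The records are constructed; pids, inodes and timestamps are invented.

SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1740499200.101:3021): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c3a8e2a0 a2=241 a3=1b6 items=2 ppid=1801 pid=1902 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="nano" exe="/usr/bin/nano" subj=unconfined key="passwd_changes"
type=CWD msg=audit(1740499200.101:3021): cwd="/root"
type=PATH msg=audit(1740499200.101:3021): item=0 name="/etc" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1740499200.101:3021): item=1 name="/etc/passwd" inode=131140 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(1740499260.555:3040): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55e1a0b7c3f0 a2=241 a3=1a0 items=2 ppid=2100 pid=2111 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="nano" exe="/usr/bin/nano" subj=unconfined key="sudoers_changes"
type=PATH msg=audit(1740499260.555:3040): item=0 name="/etc" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1740499260.555:3040): item=1 name="/etc/sudoers" inode=131200 dev=fd:01 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(1740499300.000:3055): arch=c000003e syscall=59 success=yes exit=0 a0=55f0c1d2e3a0 a1=55f0c1d2e4b0 a2=55f0c1d2e5c0 a3=0 items=2 ppid=2200 pid=2201 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" subj=unconfined key=(null)'

# Print one line per keyed SYSCALL event: "TIMESTAMP auid=.. uid=.. comm=.. key=.. path=..".
# With KEY given, only events carrying that key are reported.
audit_key_events() {   # usage: audit_key_events [KEY] < audit.log
    awk -v want="${1:-}" '
        # Value of a name="value" or name=value field in the current record.
        # The leading space stops "uid=" from matching inside "auid=".
        function field(name,   pat) {
            pat = " " name "=\"[^\"]*\""
            if (match($0, pat)) return substr($0, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
            pat = " " name "=[^ ]*"
            if (match($0, pat)) return substr($0, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
            return ""
        }
        # Every record carries msg=audit(TIMESTAMP:SERIAL); the serial ties the
        # SYSCALL record to the CWD and PATH records of the same event.
        match($0, /audit\([^)]*\)/) {
            split(substr($0, RSTART + 6, RLENGTH - 7), id, ":")
            ts = id[1]; serial = id[2]
        }
        $1 == "type=SYSCALL" && / key="/ {
            if (want != "" && field("key") != want) next
            order[++n] = serial
            who[serial] = ts " auid=" field("auid") " uid=" field("uid") " comm=" field("comm") " key=" field("key")
        }
        # First non-PARENT path item is the file the watch fired on.
        $1 == "type=PATH" && !(serial in path) && field("nametype") != "PARENT" {
            path[serial] = field("name")
        }
        END { for (i = 1; i <= n; i++) print who[order[i]] " path=" path[order[i]] }
    '
}
```

Read the output as: auid is who logged in, uid is who they became. The first sample event shows the point of the auid field: /etc/passwd was written as uid=0, but auid=1000 pins the change on the user who ran sudo. Records without a key (the ls execution) are ignored, as ausearch -k would ignore them.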

Password Policy Enforcement

Overview

Strong password policies significantly reduce vulnerability to brute force attacks and credential compromises.

Key Configuration Areas

Password Complexity Requirements

# pam_pwquality reads this file; on Debian it comes from the libpam-pwquality package
sudo apt install libpam-pwquality

# Edit password quality configuration
sudo nano /etc/security/pwquality.conf

# Minimum recommended settings (a negative credit is a minimum count of that class)
minlen = 12
# At least one uppercase letter
ucredit = -1
# At least one lowercase letter
lcredit = -1
# At least one digit
dcredit = -1
# At least one special character
ocredit = -1

These settings enforce a minimum length of 12 characters and require at least one character from each of the four classes: uppercase letters, lowercase letters, digits, and special characters. A negative credit value is a minimum count; a positive one would merely award credit toward minlen. Two points that are easy to miss: the file is read only by pam_pwquality, which on Debian comes from the libpam-pwquality package (installing it registers the module through pam-auth-update), and root is exempt from the checks unless enforce_for_root is set in pwquality.conf. The policy is applied only when a password is changed, so existing weak passwords remain until their owners rotate them; pwscore (from libpwquality-tools) checks a candidate password against the configured policy without changing anything. Requirements like these remove the most guessable passwords from the pool and work best together with the lockout controls below.

Password Aging Controls

# Edit global defaults (these apply only to accounts created afterwards)
sudo nano /etc/login.defs

# Set 90-day expiration
PASS_MAX_DAYS 90

# Apply to existing user and confirm
sudo chage -M 90 username
sudo chage -l username

login.defs sets the defaults for accounts created after the change, which is why the chage step is needed for every existing user; chage -l username confirms the result. A 90-day maximum bounds how long a leaked or reused password stays valid, limiting the usefulness of credentials compromised outside the organization's control. Note that current NIST guidance (SP 800-63B) advises against routine forced rotation and in favour of changing passwords on evidence of compromise, so treat a maximum age as one control alongside monitoring of authentication logs rather than as a substitute for it.
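To verify that an aging policy is actually in force, audit /etc/shadow rather than trusting login.defs. The script below is an added example, not part of the original gist: it classifies constructed shadow records (placeholder hashes, fictional accounts) against a maximum age and emits the chage commands that would bring non-compliant accounts into line. On a live system it would read the output of sudo cat /etc/shadow and take today's day number from $(( $(date +%s) / 86400 )).

```bash
#!/usr/bin/env bash
# Added example, not part of the original gist: audit shadow records against a
# PASS_MAX_DAYS policy. Field 3 is the day of the last change and field 5 the
# maximum age, both in days since 1970-01-01. The records below are constructed;
# hashes are placeholders and the account names are fictional.

SAMPLE_SHADOW='root:$y$j9T$placeholder:19900:0:99999:7:::
alice:$y$j9T$placeholder:19700:0:90:7:::
bob:$y$j9T$placeholder:19850:0::7:::
svc-backup:!:19000:0:99999:7:::
carol:$y$j9T$placeholder:19750:0:90:7:::'

# Print "user STATUS" for each record:
#   LOCKED    password field starts with ! or * (no password login possible)
#   NO_MAX    no maximum age, or the 99999 "never expires" sentinel
#   TOO_LONG  maximum age above the allowed value
#   EXPIRED   last change plus maximum age is already in the past
#   OK        within policy
password_aging_report() {   # usage: password_aging_report TODAY_DAYS [MAX_ALLOWED] < shadow-file
    awk -F: -v today="$1" -v max_allowed="${2:-90}" '
        NF >= 5 {
            user = $1; hash = $2; lastchg = $3; max = $5
            if (hash ~ /^[!*]/)                      status = "LOCKED"
            else if (max == "" || max + 0 >= 99999)  status = "NO_MAX"
            else if (max + 0 > max_allowed + 0)      status = "TOO_LONG"
            else if (lastchg + max < today + 0)      status = "EXPIRED"
            else                                      status = "OK"
            print user, status
        }'
}

# Turn the report into the chage commands that bring accounts into policy.
# Locked accounts are left alone; expired ones already force a change at next login.
chage_fixes() {   # usage: chage_fixes TODAY_DAYS [MAX_ALLOWED] < shadow-file
    password_aging_report "$1" "${2:-90}" | awk -v max="${2:-90}" '
        $2 == "NO_MAX" || $2 == "TOO_LONG" { print "sudo chage -M " max " " $1 }'
}
```

Service accounts such as svc-backup above should be locked (passwd -l) rather than given an expiry, since nothing will ever rotate their password interactively; the LOCKED status exists so the report does not nag about them.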

Account Lockout Protection

# pam_tally2 was removed in Linux-PAM 1.5 (Debian 12, Ubuntu 22.04 and later); use pam_faillock.
# Thresholds live in /etc/security/faillock.conf:  deny = 5  and  unlock_time = 600
# /etc/pam.d/common-auth: wrap Debian's existing pam_unix line (keep a root session open while testing)
auth    required                    pam_faillock.so preauth
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    [default=die]               pam_faillock.so authfail
auth    sufficient                  pam_faillock.so authsucc

# /etc/pam.d/common-account
account required                    pam_faillock.so

This configuration locks an account for 600 seconds (10 minutes) after five consecutive failed attempts. pam_tally2 no longer exists in Linux-PAM 1.5, so on Debian 12, Ubuntu 22.04 and later a pam_tally2 line cannot be loaded and, with a required control, fails every authentication; current systems need pam_faillock, with preauth rejecting already-locked users, authfail recording a failure, authsucc clearing the counter on success, and a matching account line, and with deny and unlock_time set in /etc/security/faillock.conf. Root is not locked unless even_deny_root is set, and faillock --user username --reset clears a lockout by hand. Always test a PAM change from a second session before closing the one you edited in. Lockout raises the cost of online password guessing, but a very low threshold also lets an attacker lock legitimate users out on purpose, so five attempts with an automatic 10-minute unlock is a reasonable middle ground.

Conclusion

These hardening techniques represent essential security measures for Debian-based environments. While not exhaustive, implementing these controls creates a solid security foundation that addresses common attack vectors and aligns with security best practices.
