# This page can be found at: https://highon.coffee/blog/security-harden-centos-7/
# Block the usb-storage kernel module: an "install" directive makes modprobe run
# /bin/false instead of inserting the module, so any load request fails.
# The single ">" overwrites an existing usb-storage.conf.
echo "install usb-storage /bin/false" > /etc/modprobe.d/usb-storage.conf
# Switch the hashing algorithm used for new /etc/shadow entries to SHA-512.
# NOTE(review): existing hashes are presumably left untouched until the user next
# changes their password — confirm and force a change where that matters.
authconfig --passalgo=sha512 --update
# Interactive step: edit the password-quality policy (the intended contents follow).
vim /etc/security/pwquality.conf
# Configuration for systemwide password quality limits
# (/etc/security/pwquality.conf, read by pam_pwquality.so)
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
difok = 5
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
# NOTE(review): with the four positive credits below still enabled, the effective
# minimum length is minlen minus the credits earned (a 14-character requirement can
# be met with fewer typed characters); setting each credit to -1 removes the credit
# and turns it into a per-class minimum instead — confirm which is intended.
minlen = 14
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
dcredit = 1
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
ucredit = 1
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
lcredit = 1
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
ocredit = 1
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
# 4 = every class must be present; this is what actually enforces complexity
# here, since the credits above are maxima rather than minima.
minclass = 4
#
# The maximum number of allowed consecutive same characters in the new password.
# The check is disabled if the value is 0.
maxrepeat = 3
#
# The maximum number of allowed consecutive characters of the same class in the
# new password.
# The check is disabled if the value is 0.
maxclassrepeat = 3
#
# Whether to check for the words from the passwd entry GECOS string of the user.
# The check is enabled if the value is not 0.
gecoscheck = 1
#
# Path to the cracklib dictionaries. Default is to use the cracklib default.
# dictpath =
# Password ageing defaults.  These are applied to accounts created from now on
# (useradd reads login.defs); NOTE(review): accounts that already exist keep their
# current ageing values — apply the same limits to them with chage if intended.
vim /etc/login.defs
# NOTE(review): PASS_MIN_LEN is presumably superseded by the pam_pwquality minlen
# when PAM handles password changes — confirm on the target build.
PASS_MIN_LEN 14
# At most one change per day (stops a user cycling through the history to reuse a password).
PASS_MIN_DAYS 1
PASS_MAX_DAYS 60
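# PAM hardening: last-login banner, lockout after repeated failures, password history.
# Lines without a leading command below are file contents to paste, not commands.
vim /etc/pam.d/system-auth
# and add the following line immediately after session required pam_limits.so:
session required pam_lastlog.so showfailed
# Set the number of password re-prompts per session by editing the pam_pwquality.so
# statement in /etc/pam.d/system-auth to retry=3 or lower.
# (The original had this instruction as a bare sentence, which a shell would try to execute.)
# Add the following lines immediately below the pam_unix.so statement in the AUTH
# section of both files.  deny=3 failures inside fail_interval=900 s lock the account
# for unlock_time=604800 s (7 days); an administrator clears it early with
# "faillock --user NAME --reset".
vim /etc/pam.d/system-auth
vim /etc/pam.d/password-auth
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
# NOTE(review): the documented pam_faillock layout also places a "preauth" line
# (auth required pam_faillock.so preauth silent audit deny=3 unlock_time=604800 fail_interval=900)
# before pam_unix.so so that an already-locked account is refused before the password
# is checked at all — confirm against pam_faillock(8) on the installed version.
# Open /etc/pam.d/system-auth, append remember=24 to the pam_unix.so line - preventing users from reusing passwords; remembering 24 passwords is the DoD standard.
# The line should look like:
password sufficient pam_unix.so existing_options remember=24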
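#make sure you have a grub.cfg in /boot/grub2/grub.cfg
grub2-mkconfig -o /boot/grub2/grub.cfg
#Set grub.cfg to chmod 600 (it is regenerated by grub2-mkconfig, so re-check after each run):
sudo chmod 600 /boot/grub2/grub.cfg
# Set Boot Loader Password
# The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.
# To do so, select a superuser account and password and add them into the appropriate grub2 configuration file(s) under /etc/grub.d. Since plaintext passwords are a security risk, generate a hash for the password by running the following command:
grub2-mkpasswd-pbkdf2
# When prompted, enter the password that was selected and insert the returned password hash into the appropriate grub2 configuration file(s) under /etc/grub.d immediately after the superuser account.
# Both placeholders below must be replaced: SUPERUSER_ACCOUNT with the chosen account name,
# PASSWORD_HASH with the output of grub2-mkpasswd-pbkdf2 (the original showed the two
# arguments fused into one word, which GRUB would reject).
set superusers="SUPERUSER_ACCOUNT"
password_pbkdf2 SUPERUSER_ACCOUNT PASSWORD_HASH
# The password lines live in /etc/grub.d, so grub.cfg has to be regenerated AFTER
# adding them; the grub2-mkconfig run at the top of this section predates the edit.
grub2-mkconfig -o /boot/grub2/grub.cfg
# NOTE(review): CentOS 7 also ships grub2-setpassword, which writes the hash to
# /boot/grub2/user.cfg without hand-editing /etc/grub.d — prefer it where available.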
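# Require root password when entering single user mode
# (/etc/sysconfig/init SINGLE= is the CentOS 6 mechanism; NOTE(review): on CentOS 7
# the rescue/emergency targets already invoke sulogin — confirm on the target release.)
vim /etc/sysconfig/init
SINGLE=/sbin/sulogin
# Prevent ALT+CTRL+DEL from rebooting.
# CentOS 7 (systemd): mask the target that the key combination triggers.
systemctl mask ctrl-alt-del.target
# CentOS 6 (upstart): open /etc/init/control-alt-delete.conf and modify the existing line
#   exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
# to:
#   exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"
# (Both kept as comments: as bare lines the shell would execute them, and the first
# one reboots the host immediately.)
# Install the screen Package to allow console screen locking.
sudo yum install -y screen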
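# Zeroconf network typically occurs when you fail to get an address via DHCP; the interface will be assigned a 169.254.0.0 address.
echo "NOZEROCONF=yes" >> /etc/sysconfig/network
# Open /etc/modprobe.d/disabled.conf and add the line:
vim /etc/modprobe.d/disabled.conf
options ipv6 disable=1
# NOTE(review): "options ipv6 disable=1" leaves the module loaded but non-functional
# and is known to break daemons that bind "::" (sshd among them); the sysctl form
# (net.ipv6.conf.all.disable_ipv6 = 1 and net.ipv6.conf.default.disable_ipv6 = 1)
# is the usual CentOS 7 alternative — use one method, not both.
# Add the following to /etc/sysconfig/network (appended the same way as NOZEROCONF
# above; as bare lines they would only set variables in the running shell):
echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
echo "IPV6INIT=no" >> /etc/sysconfig/network
# RPC services like NFSv4 attempt to start using IPv6 even if it's disabled in /etc/modprobe.d. To prevent this behaviour open /etc/netconfig and comment out the following two lines (shown here as they should look afterwards):
# udp6 tpi_clts v inet6 udp - -
# tcp6 tpi_cots_ord v inet6 tcp - -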
# Only allow root logins via local terminal:
# /etc/securetty lists the terminals on which pam_securetty permits a root login;
# ">" overwrites it so only tty1 remains.  NOTE(review): sshd does not consult this
# file — root over SSH is governed by PermitRootLogin in the SSH section below.
echo "tty1" > /etc/securetty
chmod 700 /root
# Enable UMASK 077
# Can cause issues on systems where users share files:
# The regex rewrites the stock "umask 0?2" lines (002 / 022) in place.
perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/bashrc
perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/csh.cshrc
# Prune Idle Users
# (The message is informational; what follows makes bash exit an interactive shell
# that has been idle for 900 s, it does not remove accounts.)
echo "Idle users will be removed after 15 minutes"
# readonly prevents users from unsetting TMOUT or pointing HISTFILE elsewhere
# (a common way of keeping commands out of the shell history).
echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh
echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
chmod +x /etc/profile.d/os-security.sh
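# Securing Cron
# An empty cron.allow / at.allow restricts crontab and at to root: when the allow
# file exists the deny file is not consulted at all (crontab(1)), so the deny lists
# below are only a fallback for the case where the allow file is removed later.
echo "Locking down Cron"
touch /etc/cron.allow
chmod 600 /etc/cron.allow
# Exact match on the user field: the original "grep -v root" also dropped any
# account whose name merely contained "root".
awk -F: '$1 != "root" { print $1 }' /etc/passwd > /etc/cron.deny
echo "Locking down AT"
touch /etc/at.allow
chmod 600 /etc/at.allow
awk -F: '$1 != "root" { print $1 }' /etc/passwd > /etc/at.deny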
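# Sysctl Security
# Kernel network hardening: no forwarding / redirects / source routing, SYN cookies,
# reverse-path filtering, martian logging.  Editing the file changes nothing on the
# running kernel: run "sysctl -p" (or reboot) afterwards.
vim /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
# (listed once; the original repeated this key further down)
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# default.log_martians added so interfaces created later match the "all" setting,
# as every other key here is given in both all/default forms.
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# NOTE(review): tcp_timestamps = 0 also disables PAWS and RTT measurement; it is an
# uptime-fingerprinting trade-off rather than a clear hardening win — confirm it is wanted.
net.ipv4.tcp_timestamps = 0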
# Deny All TCP Wrappers
# TCP wrappers can provide a quick and easy method for controlling access to applications linked to them. Examples of TCP Wrapper aware applications are sshd, and portmap.
# Below commands block all but SSH: hosts.allow is evaluated before hosts.deny, so
# the sshd entry wins.  Both use ">>", so re-running this section appends duplicates.
# NOTE(review): "sshd:ALL" admits every source address; narrowing it to the
# management networks is the usual follow-up (see also the firewall ssh rule below).
echo "ALL:ALL" >> /etc/hosts.deny
echo "sshd:ALL" >> /etc/hosts.allow
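# Basic iptables Firewall Rules
#Drop anything we aren't explicitly allowing. All outbound traffic is okay
# Save the ruleset below as /etc/sysconfig/iptables (iptables-restore format).
# On CentOS 7 the iptables unit comes from the iptables-services package and
# conflicts with firewalld, so install the one and mask the other before enabling.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
# Log anything on eth0 claiming it's from a local or non-routable network
# If you're using one of these local networks, remove it from the list below
# These rules must come BEFORE the jump into RH-Firewall-1-INPUT: that chain ends in
# an unconditional DROP, so in the original (where they followed the jump) they were
# never reached.  They only log — the packet goes on to the RH chain and is accepted
# if a rule there matches; add a matching "-j DROP" after each if dropping is intended.
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: "
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
-A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: "
-A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: "
-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Accept Pings
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Accept any established connections
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept ssh traffic. Restrict this to known ips if possible (add "-s" with the management network).
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#Log and drop everything else
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
yum install -y iptables-services
systemctl mask firewalld
systemctl enable iptables
systemctl start iptables.service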
# Disable Uncommon Protocols
# The following Protocols will be disabled:
# Datagram Congestion Control Protocol (DCCP)
# Stream Control Transmission Protocol (SCTP)
# Reliable Datagram Sockets (RDS)
# Transparent Inter-Process Communication (TIPC)
# Each "install MOD /bin/false" line makes modprobe run /bin/false instead of
# loading the module, so the load attempt fails.  ">" overwrites existing files.
# NOTE(review): /bin/true is the more common choice in CIS-style guides — it blocks
# the load just the same but returns success, so tooling does not log an error.
echo "install dccp /bin/false" > /etc/modprobe.d/dccp.conf
echo "install sctp /bin/false" > /etc/modprobe.d/sctp.conf
echo "install rds /bin/false" > /etc/modprobe.d/rds.conf
echo "install tipc /bin/false" > /etc/modprobe.d/tipc.conf
# Ensure Rsyslog is installed
# rsyslog is the local syslog server that the audispd syslog plugin (configured
# further down) hands audit records to.
yum install -y rsyslog
systemctl enable rsyslog.service
systemctl start rsyslog.service
# Auditd - Audit Daemon
# enable = start at boot, start = running now; both are needed.
systemctl enable auditd.service
systemctl start auditd.service
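# Audit Processes Which Start Prior to auditd
# Pass audit=1 on the kernel command line so processes started before auditd are audited.
# CentOS 7 (GRUB2): add audit=1 to GRUB_CMDLINE_LINUX in /etc/default/grub, then regenerate:
# GRUB_CMDLINE_LINUX="... audit=1"
grub2-mkconfig -o /boot/grub2/grub.cfg
# CentOS 6 (legacy GRUB) equivalent, for reference only — /etc/grub.conf does not exist on CentOS 7:
# kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1
# Auditd Number of Logs Retained
# Open /etc/audit/auditd.conf and add or modify:
num_logs = 5
# Auditd Max Log File Size
# auditd.conf(5) takes this as a bare number of megabytes; a unit suffix such as
# "30MB" (as in the original) is not accepted by the config parser.
max_log_file = 30
# Auditd max_log_file_action
max_log_file_action = rotate
# Auditd space_left (requires working local mail delivery to reach anyone)
space_left_action = email
# Auditd admin_space_left: "halt" stops the host when the audit partition is nearly
# full — an availability trade-off taken so that actions cannot go unaudited;
# "single" is the softer alternative.
admin_space_left_action = halt
# Auditd mail_acct
action_mail_acct = root
# Configure auditd to use audispd plugin
#Auditd does not have the functionality to send logs directly to an external log server; however the audispd plugin passes audit records to the local syslog server. To enable this, open /etc/audisp/plugins.d/syslog.conf and set the active line to yes, then restart auditd:
vim /etc/audisp/plugins.d/syslog.conf
# active = yes
# On CentOS 7 auditd must be restarted with "service", not systemctl — the unit
# refuses manual stop/restart requests.
service auditd restart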
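# Open /etc/audit/audit.rules and add the following lines to monitor various system files and activities:
# Conventions: "-a always,exit" = syscall rule, "-w PATH -p wa" = watch writes and
# attribute changes, "-k" tags records for "ausearch -k".  auid>=1000 selects real
# users (CentOS 7 UID_MIN is 1000; the original used 500, the CentOS 6 value — keep
# it equal to UID_MIN in /etc/login.defs) and auid!=4294967295 excludes processes
# that never had a login uid.  Syscall rules are given for both arch=b32 and
# arch=b64 because a 64-bit kernel also services 32-bit calls.
# Duplicates present in the original (the fchmodat..removexattr group appeared
# twice, two rules were fused on one line and one was split across two) have been
# removed: auditctl rejects an already-loaded rule with "Rule exists", and a load
# error can stop the remaining rules — including "-e 2" — from being applied.
# audit_time_rules - Record attempts to alter time through adjtimex / settimeofday / clock_settime
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
# audit_time_rules - Record Attempts to Alter Time Through stime (32-bit syscall only)
-a always,exit -F arch=b32 -S stime -k audit_time_rules
# Record Attempts to Alter the localtime File
-w /etc/localtime -p wa -k audit_time_rules
# Record Events that Modify User/Group Information
# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes
# Record Events that Modify the System's Network Environment
# audit_network_modifications ("arch=ARCH" in the original was an unfilled template placeholder)
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications
#Record Events that Modify the System's Mandatory Access Controls
-w /etc/selinux/ -p wa -k MAC-policy
#Record Events that Modify the System's Discretionary Access Controls
# (same syscall coverage as the one-rule-per-syscall original, grouped per family)
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
#Record Attempts to Alter Logon and Logout Events
# NOTE(review): with pam_faillock the failure counters live under /var/run/faillock;
# /var/log/faillog may be absent on CentOS 7 and auditctl may refuse a watch on a
# missing path — drop that line if the load reports it.
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
#Record Attempts to Alter Process and Session Initiation Information
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
#Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
#Ensure auditd Collects Information on the Use of Privileged Commands
#
# Find setuid / setgid programs, then uncomment and fill in the rule below once per program.
# (The parentheses are required: without them "-o" binds only "-perm -2000" and the
# -type f / -xdev filters are lost for the setgid half.)
#
## sudo find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
#
# -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
#Ensure auditd Collects Information on Exporting to Media (successful)
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k export
#Ensure auditd Collects File Deletion Events by User
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
#Ensure auditd Collects System Administrator Actions (sudoers.d holds drop-in policy too)
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
#Ensure auditd Collects Information on Kernel Module Loading and Unloading
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
#Make the auditd Configuration Immutable
# Must stay the last line: once applied, no rule can be added or removed until
# reboot, so fix any load error above before enabling this.
-e 2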
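# Bulk Remove of Services
# Remove — one transaction instead of one per package; packages that are not
# installed are reported as "No Match" and the rest are still removed.
# (rsh-server appeared twice in the original list.)
# NOTE(review): there is no "net-snmpd" package on CentOS 7; the agent is shipped in
# "net-snmp", which is what is removed here — confirm that is the intent.
yum remove -y xinetd telnet-server rsh-server telnet rsh ypbind ypserv \
  tftp-server cronie-anacron bind vsftpd dovecot squid net-snmp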
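# Bulk Enable / Disable Services
# Disable / Enable
# "systemctl disable" only stops a unit starting at boot; anything currently running
# keeps running until "systemctl stop NAME" (left to the operator, as in the original).
# Several names are CentOS 6 SysV scripts (cgconfig, cgred, cpuspeed, netfs, nfslock)
# and rexec/rsh/rlogin are xinetd or .socket units on 7; for those systemctl prints
# "No such file or directory" and the loop simply moves on.
# NOTE(review): messagebus is an alias of dbus.service on CentOS 7, on which systemd
# and logind depend — confirm that disabling it is really intended before running this.
disable_services=(
  xinetd rexec rsh rlogin ypbind tftp certmonger cgconfig cgred cpuspeed
  kdump mdmonitor messagebus netconsole ntpdate oddjobd portreserve qpidd
  quota_nld rdisc rhnsd rhsmcertd saslauthd smartd sysstat atd nfslock named
  dovecot squid snmpd
)
enable_services=(irqbalance psacct crond)
for svc in "${disable_services[@]}"; do
  systemctl disable "$svc"
done
for svc in "${enable_services[@]}"; do
  systemctl enable "$svc"
done
# Disable Secure RPC Client Service
#Disable rpcgssd:
#The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the client-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. The rpcgssd service can be disabled with the following command:
for svc in rpcgssd rpcsvcgssd rpcidmapd netfs nfs; do
  systemctl disable "$svc"
done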
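# IF
# systemctl disable sshd
# -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
###Remove Rsh Trust Files
# -f: do not fail when the files are absent (the usual case).  ~/.rhosts here is
# root's only; the find lists (does not remove) trust files in other home directories.
rm -f -- /etc/hosts.equiv ~/.rhosts
find /home -maxdepth 2 -type f -name .rhosts -print
# Disable Avahi Server Software
systemctl disable avahi-daemon
# Disable the CUPS Service
# If you don't need CUPS, disable it to further reduce your attack surface:
systemctl disable cups
# The dhcpd service should be disabled on any system that does not need to act as a DHCP server.
systemctl disable dhcpd
# Remove the DHCP server package.  NOTE(review): the original labelled this "remove
# the DHCP client", but "dhcp" is the dhcpd server package — the client lives in
# "dhclient", which must only be removed after the interfaces are static (next step).
yum erase -y dhcp
# Open /etc/sysconfig/network-scripts/ifcfg-eth0 (if you have more interfaces, do this for each one) and make sure the address is statically assigned with BOOTPROTO=none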
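# Specify Additional Remote NTP Servers
# Use an internal NTP server if possible.
# NOTE(review): CentOS 7 defaults to chronyd (/etc/chrony.conf) rather than ntpd;
# the "server" directive has the same form in both files.
# Open /etc/ntp.conf and add the following line (replace the placeholder; the
# original "<ntpserver>" form is a shell redirection and a syntax error if run):
server NTP_SERVER_HOSTNAME
# Enable Postfix
systemctl enable postfix
# Remove sendmail
yum erase -y sendmail
# Postfix Disable Network Listening
# Open /etc/postfix/main.cf and ensure the following inet_interfaces line appears:
inet_interfaces = localhost
# Configure SMTP Greeting Banner
# In /etc/postfix/main.cf (the original said "/etc/postfix.main.cf") uncomment or add
# the following line; $mail_name expands to "Postfix" without a version string.
smtpd_banner = $myhostname ESMTP $mail_name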
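# System Audit Logs Permissions
# auditd's default log is /var/log/audit/audit.log (log_file in auditd.conf); the
# original "audit_file" placeholder is replaced with that path — adjust if log_file differs.
chmod 0640 /var/log/audit/audit.log
# System Audit Logs Must Be Owned By Root
# (the original "chown root/var/log" was missing the space between owner and path)
sudo chown root /var/log/audit /var/log/audit/audit.log
# Disable autofs — systemd form of "chkconfig --level 0123456 autofs off; service autofs stop"
systemctl disable autofs
systemctl stop autofs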
# Disable uncommon filesystems
# Each line makes modprobe run /bin/false instead of loading the module, so media
# of that type cannot be mounted.  ">" overwrites any existing file of the same name.
# NOTE(review): vfat is presumably kept deliberately (EFI system partition) — confirm.
echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf
echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf
echo "install jffs2 /bin/false" > /etc/modprobe.d/jffs2.conf
echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf
echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf
echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf
echo "install udf /bin/false" > /etc/modprobe.d/udf.conf
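# Disable core dumps for all users
# Appended rather than added through an editor: the same line, but a bare
# "* hard core 0" in this file would be glob-expanded and executed by the shell.
echo "* hard core 0" >> /etc/security/limits.conf
# Disable core dumps for SUID programs
# Set runtime for fs.suid_dumpable
#
sysctl -q -n -w fs.suid_dumpable=0
#
# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0"
# else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf
# (dot escaped so the pattern is a literal match; -q is the portable spelling of --silent)
#
if grep -q '^fs\.suid_dumpable' /etc/sysctl.conf; then
  sed -i 's/^fs\.suid_dumpable.*/fs.suid_dumpable = 0/' /etc/sysctl.conf
else
  echo "" >> /etc/sysctl.conf
  echo "# Set fs.suid_dumpable to 0 per security requirements" >> /etc/sysctl.conf
  echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
fi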
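# Buffer Overflow Protection
# kernel.exec-shield existed on RHEL 5/6 kernels only; CentOS 7 relies on the NX bit
# and ASLR instead.  Guard the write so sysctl does not fail with "No such file or
# directory" on a 7 kernel.
if [ -e /proc/sys/kernel/exec-shield ]; then
  sysctl -w kernel.exec-shield=1
fi
# Add to /etc/sysctl.conf (only on kernels that expose the knob):
kernel.exec-shield = 1
# Check / Enable ASLR (2 = randomise stack, mmap base, VDSO and heap)
sysctl -q -n -w kernel.randomize_va_space=2
# Add to /etc/sysctl.conf
kernel.randomize_va_space = 2
# Enable XD or NX Support on x86 Systems
# Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature.
# Check bios and ensure XD/NX is enabled
# Not relevant for VMs.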
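# Selinux
# Strip any "selinux=0" / "enforcing=0" kernel arguments.  CentOS 7 keeps the command
# line in /etc/default/grub (GRUB_CMDLINE_LINUX), not /etc/grub.conf, and the
# generated grub.cfg must be rebuilt afterwards.
sed -i "s/selinux=0//gI" /etc/default/grub
sed -i "s/enforcing=0//gI" /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
# Open /etc/selinux/config and check SELINUX=enforcing (the mode) and SELINUXTYPE=targeted (the policy), depending on your requirements.
# Enable the SELinux restorecond Service
# The restorecond service utilizes inotify to look for the creation of new files listed in the /etc/selinux/restorecond.conf configuration file. When a file is created, restorecond ensures the file receives the proper SELinux security context. The restorecond service can be enabled with the following command:
# Enable restorecond (systemd form of "chkconfig --level 0123456 restorecond on; service restorecond start"):
systemctl enable restorecond
systemctl start restorecond
# Check no daemons are unconfined by SELinux (expected output: nothing).
# The closing quote of the awk program was a typographic ’ in the original, leaving
# the shell with an unterminated string; the self-exclusion list names grep rather
# than egrep to match the command actually used.
sudo ps -eZ | grep -E "initrc" | grep -Evw "tr|ps|grep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
# Prevent Log In to Accounts With Empty Password
# (password-auth carries the same nullok option as system-auth, as with the pam_faillock edits above)
sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth
sed -i 's/\<nullok\>//g' /etc/pam.d/password-auth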
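# Secure SSH
vim /etc/ssh/sshd_config
Protocol 2
# Replace the placeholders with the accounts that must never log in over SSH.
DenyUsers USER1 USER2
# 900 s idle timeout, matching the shell TMOUT above (the original left "interval"
# as an unfilled placeholder); CountMax 0 ends the session at the first missed
# keepalive on the OpenSSH shipped with CentOS 7.  NOTE(review): OpenSSH 8.2+
# reads ClientAliveCountMax 0 as "never disconnect" — use 1 there.
ClientAliveInterval 900
ClientAliveCountMax 0
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
Banner /etc/issue
# CTR/GCM only: the original list also admitted aes*-cbc and 3des-cbc, which are the
# CBC padding-oracle and 64-bit-block ciphers that current scanners flag.
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# Validate before restarting so a typo cannot lock out remote access.
sshd -t && systemctl restart sshd
# Enable ssh banner
# Add below to /etc/issue
###############################################################
# Welcome to nlcinkstore.com #
# All connections are monitored and recorded #
# Disconnect IMMEDIATELY if you are not an authorized user! #
###############################################################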
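### Secure X Windows
# Boot to the text console.  CentOS 7 ignores /etc/inittab ("id:3:initdefault:" is
# the CentOS 6 form, and the original gave it as a bare sentence); the systemd equivalent is:
systemctl set-default multi-user.target
yum groupremove "X Window System"
# Prompt OS update install
# Install first, then enable: the original ran "chkconfig yum-cron on" before the
# package was installed, which fails on a host where it is absent.
yum -y install yum-cron
systemctl enable yum-cron
systemctl start yum-cron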