
This is some sort of part two of Creating a baseline Ubuntu 14.04 server (http://konstruktoid.net/2014/04/25/creating-a-baseline-ubuntu-14-04-server/), so read that first and check back afterwards.

In this post we’ll lock down the server even more, adding google authenticator and auditd.

Let's start with modifying /etc/login.defs, so that successful logins are logged and every use of su is recorded in its own file:

LOG_OK_LOGINS yes
SULOG_FILE /var/log/sulog

Set the default shell for new accounts to /bin/false in both /etc/default/useradd (SHELL=/bin/false) and /etc/adduser.conf (DSHELL=/bin/false), so an account only gets a login shell when you explicitly give it one.

Modify /etc/skel/.bashrc so that new users keep only a short in-memory history and never write it to disk:

HISTSIZE=10
HISTFILESIZE=0

Be aware that this also removes a piece of forensic evidence; the auditd execve rule later in this post is what records commands run as root instead.

Stricter /etc/fstab mount options (the command prints mount point and options for every non-comment, non-swap entry):

~# egrep -v "#|swap" /etc/fstab | awk '{print $2,$4}'
/ errors=remount-ro
/boot defaults,nodev,nosuid,noexec
/home defaults,nodev,nosuid,noexec
/usr defaults,nodev
/var/log defaults,nodev,noexec
/tmp defaults,nosuid,nodev,noatime,size=100M,mode=1777
/var/tmp defaults,nosuid,nodev,noatime,noexec,size=100M,mode=1777

The original listing had mode=1700 on the two tmpfs mounts. That makes /tmp and /var/tmp writable by root only and breaks every service that drops temporary files as its own user; 1777 (world-writable with the sticky bit) is the mode /tmp is expected to have. /tmp is left executable here, since some package maintainer scripts expect to run from it; noexec on /home stops users from running their own binaries and scripts directly, which is the point on a server.

Remove suid bits:

chmod -s /bin/fusermount /bin/mount /bin/su /bin/umount /usr/bin/bsd-write /usr/bin/chage /usr/bin/chfn /usr/bin/chsh /usr/bin/mlocate /usr/bin/mtr /usr/bin/newgrp /usr/bin/traceroute6.iputils /usr/bin/wall

After this only root (through sudo, which keeps its bit) can su, mount or change account details. Note that a package upgrade reinstalls the binary with its packaged permissions, so the bit comes back unless you record the new mode with dpkg-statoverride.

Verify that all network connected services except sshd are in AppArmor enforce mode with

apparmor_status --verbose

netstat -anlp --inet

The first command lists the profiles in enforce mode and the processes they confine, the second every listening socket with its owning process; any listener in the second list without an enforced profile in the first is a gap.
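The following shell functions check that the mount options and suid removals above actually hold, and that they survive package upgrades. This is an added example, not code from the original post: the function names, the allowlist format (one absolute path per line) and the sample data in the demo are my own, and nothing here needs root because every check reads a file you pass in (/etc/fstab, /proc/mounts for the live view, or a copy from another host).

```shell
#!/bin/sh
# Added example: post-hardening checks for the fstab and suid changes above.
# Function names, the allowlist format and the demo data are assumptions.

# missing_mount_opts FSTAB MOUNTPOINT OPT[,OPT...]
# Prints each required option absent from MOUNTPOINT's entry in FSTAB.
# Returns 0 if all are present, 1 if some are missing, 2 if MOUNTPOINT is
# not listed at all. /proc/mounts has the same field layout, so passing it
# checks what is mounted now rather than what fstab says.
missing_mount_opts() {
    fstab=$1 mnt=$2 want=$3 rc=0
    opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4 }' "$fstab")
    [ -n "$opts" ] || return 2
    for o in $(printf '%s' "$want" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;
            *) printf '%s\n' "$o"; rc=1 ;;
        esac
    done
    return $rc
}

# unexpected_setuid DIR ALLOWLIST
# Lists setuid/setgid regular files under DIR (same filesystem only) that are
# not in ALLOWLIST. sudo belongs in the allowlist; after the chmod -s above,
# su and mount do not. grep exits 1 when nothing is left, which is success.
unexpected_setuid() {
    dir=$1 allow=$2
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | sort | grep -vxF -f "$allow" || [ $? -eq 1 ]
}

# statoverride_cmds PATH...
# Prints the dpkg-statoverride command that pins a 0755 (no suid) mode for
# each PATH, so a package upgrade cannot restore the bit. Review, then run
# the output as root; remove an existing override for a path first.
statoverride_cmds() {
    for p in "$@"; do
        printf 'dpkg-statoverride --update --add root root 0755 %s\n' "$p"
    done
}

# demo: run the checks on constructed sample data, not on a real system.
demo() {
    d=$(mktemp -d)
    cat > "$d/fstab" <<'EOF'
# constructed sample: same layout as above, but /var/tmp lacks noexec
UUID=root-fs / ext4 errors=remount-ro 0 1
tmpfs /tmp tmpfs defaults,nosuid,nodev,noatime,size=100M,mode=1777 0 0
tmpfs /var/tmp tmpfs defaults,nosuid,nodev,noatime,size=100M,mode=1777 0 0
EOF
    echo "/var/tmp is missing:"
    missing_mount_opts "$d/fstab" /var/tmp nosuid,nodev,noexec || true
    mkdir "$d/bin"; touch "$d/bin/su" "$d/bin/sudo"
    chmod 4755 "$d/bin/su" "$d/bin/sudo"
    printf '%s\n' "$d/bin/sudo" > "$d/allow"
    echo "unexpected setuid files:"
    unexpected_setuid "$d/bin" "$d/allow"
    statoverride_cmds /bin/su /bin/mount
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh check.sh demo` to see the output on the constructed data; on the real server, `missing_mount_opts /proc/mounts /tmp nosuid,nodev` and `unexpected_setuid /usr /etc/suid.allow` (as root, so find can read everything) are the two calls worth putting in a cron job.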

We'll be using the Google Authenticator PAM module for two-factor authentication.

sudo aptitude update && sudo aptitude install libpam-google-authenticator

Run google-authenticator as the user who will be logging in (the account with sudo rights), not as root; it writes the secret, scratch codes and options to that user's ~/.google_authenticator.

Choose Disallow multiple uses of the same authentication token, Do not increase the time window and Enable rate-limiting.

Add

auth required pam_google_authenticator.so

to the top of the "Primary" block in /etc/pam.d/common-auth, so the one-time code is asked for before the password.

Since we've got an encrypted $HOME, the module can't read ~/.google_authenticator before the user has authenticated (the home directory isn't mounted yet), so we need to move the secret and point the module at the new location. The module expands ${USER} in the secret= path itself:

auth required pam_google_authenticator.so secret=/etc/auth/${USER}/.google_authenticator

Set up the directories. In the commands below ${USER} stands for the account being set up; in a root shell the variable expands to root, so substitute the real username:

~# mkdir -p /etc/auth/${USER}
~# chmod 0755 /etc/auth
~# chown -R ${USER}:${USER} /etc/auth/${USER}
~# chmod -R 0700 /etc/auth/${USER}
~# cat /home/${USER}/.google_authenticator > /etc/auth/${USER}/.google_authenticator
~# chmod 0600 /etc/auth/${USER}/.google_authenticator

The module refuses a secret file that isn't owned by the user being authenticated or that is readable by anyone else, which is why the file isn't simply placed under /etc with root ownership. Don't forget to install and set up the Google Authenticator app, and keep your existing SSH session open while you test the new login in a second one. Note that sshd only runs the PAM auth stack for keyboard-interactive logins: you need ChallengeResponseAuthentication yes and UsePAM yes in /etc/ssh/sshd_config (Ubuntu ships the former set to no), and if you log in with a key you need AuthenticationMethods publickey,keyboard-interactive for the code to be asked for at all.
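Before relying on the relocated secret, it is worth checking that the copy really carries the options chosen above and the permissions the module insists on. The function below does that; it is an added example, not part of the original post or of the google-authenticator project. It assumes the file layout google-authenticator writes (base32 secret on the first line, option lines starting with `" `, then scratch codes), uses GNU stat, and the function name and demo data are my own.

```shell
#!/bin/sh
# Added example: sanity-check a relocated .google_authenticator file.
# check_ga_secret FILE [OWNER]
# Prints one line per problem found and returns 1 if there were any.
# Assumed layout (what google-authenticator writes): base32 secret on line 1,
# then option lines beginning with '" ', then 8-digit scratch codes.
check_ga_secret() {
    f=$1 owner=${2:-} rc=0
    if [ ! -f "$f" ]; then echo "$f: missing"; return 1; fi

    # The module rejects a secret that other users can read.
    mode=$(stat -c %a "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode, want 0600"; rc=1 ;;
    esac
    # ... and one not owned by the user being authenticated.
    if [ -n "$owner" ] && [ "$(stat -c %U "$f")" != "$owner" ]; then
        echo "$f: not owned by $owner"; rc=1
    fi

    # First line must be an unpadded base32 secret of at least 80 bits.
    secret=$(head -n 1 "$f")
    case "$secret" in
        *[!A-Z2-7]*|"") echo "$f: first line is not a base32 secret"; rc=1 ;;
    esac
    if [ ${#secret} -lt 16 ]; then echo "$f: secret shorter than 80 bits"; rc=1; fi

    # The three choices made during setup, plus the time-window default.
    grep -q '^" TOTP_AUTH' "$f" \
        || { echo "$f: TOTP_AUTH missing (counter-based HOTP mode)"; rc=1; }
    grep -q '^" DISALLOW_REUSE' "$f" \
        || { echo "$f: DISALLOW_REUSE missing, a sniffed code can be replayed"; rc=1; }
    grep -q '^" RATE_LIMIT ' "$f" \
        || { echo "$f: RATE_LIMIT missing, no brute-force throttle"; rc=1; }
    win=$(sed -n 's/^" WINDOW_SIZE \([0-9]*\).*/\1/p' "$f")
    if [ -n "$win" ] && [ "$win" -gt 3 ]; then
        echo "$f: WINDOW_SIZE $win accepts $((win * 30)) seconds of codes, want 3"; rc=1
    fi
    return $rc
}

# demo: check a constructed secret file, not a real one.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'ABCDEFGHIJKLMNOP' '" WINDOW_SIZE 17' '" TOTP_AUTH' '12345678' > "$d/sample"
    chmod 644 "$d/sample"
    check_ga_secret "$d/sample" || echo "sample secret needs fixing"
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

On the server the call is `check_ga_secret /etc/auth/username/.google_authenticator username`, run as root after the copy above; a clean result means the PAM line will find a file it accepts.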

And finally we'll install auditd, the Linux Audit daemon.

sudo aptitude update && sudo aptitude install auditd

Edit /etc/default/grub so that GRUB_CMDLINE_LINUX includes audit=1 (append it to whatever is already on the line rather than replacing it), then regenerate the boot configuration. With audit=1 the kernel starts auditing at boot instead of when auditd comes up, so processes started early still get a login UID (auid) and their actions can be tied to a user; a reboot is needed for it to take effect.

GRUB_CMDLINE_LINUX="audit=1"

~# update-grub

Add auditd rules to /etc/audit/audit.rules. On Ubuntu 14.04 the file is loaded by the auditd init script, so restart auditd afterwards and confirm with auditctl -l that every rule was accepted; ausearch -k followed by one of the keys below then finds the matching events. Two things to keep in mind with this rule set: the syscall rules are arch=b64 only, so a 32-bit binary making the same calls is not logged unless you duplicate them with arch=b32, and -S open does not cover openat, which programs increasingly use instead of open. Also, /etc/inittab and /etc/modprobe.conf don't exist on Ubuntu 14.04 (it uses upstart jobs in /etc/init/ and module options in /etc/modprobe.d/), so a watch on /etc/modprobe.d/ is worth adding.

#
# Rules grabbed from https://security.stackexchange.com/questions/4629/simple-example-auditd-configuration
#
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024
## special files
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles
## Mount operations
-a exit,always -F arch=b64 -S mount -S umount2 -k mount
## changes to the time
##
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
## cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -k cron
## user, group, password databases
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd
## monitor usage of passwd
-w /usr/bin/passwd -p x -k passwd_modification
## Monitor for use of tools to change group identifiers
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification
## login configuration and information
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login
## network configuration
-w /etc/hosts -p wa -k hosts
-w /etc/network/ -p wa -k network
## system startup scripts
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init
## library search paths
-w /etc/ld.so.conf -p wa -k libpath
## local time zone
-w /etc/localtime -p wa -k localtime
## kernel parameters
-w /etc/sysctl.conf -p wa -k sysctl
## modprobe configuration
-w /etc/modprobe.conf -p wa -k modprobe
## pam configuration
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam
## postfix configuration
-w /etc/aliases -p wa -k mail
-w /etc/postfix/ -p wa -k mail
## ssh configuration
-w /etc/ssh/sshd_config -k sshd
## changes to hostname
-a exit,always -F arch=b64 -S sethostname -k hostname
## changes to issue
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue
## this was too noisy currently.
# log all commands executed by an effective id of 0 aka root.
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
## Capture all failures to access on critical elements
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess
## Monitor for use of process ID change (switching accounts) applications
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /etc/sudoers -p rw -k priv_esc
## Monitor usage of commands to change power state
-w /sbin/shutdown -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power
## Make the configuration immutable
#-e 2

Uncomment -e 2 only after you're happy with the logging: once the configuration is immutable, no rule can be added or removed until the machine is rebooted.
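Two checks I would run against this rule set, as an added example that is not part of the original post or of the audit project: a lint that finds syscall rules present only for arch=b64 (the 32-bit gap mentioned above), and a per-key summary of audit.log records that flags the unset auid value 4294967295, which is what you see when audit=1 was not in effect or a process predates auditd. The function names and the sample records in the demo are constructed; both functions read a rules file and a log file you pass in and need no root.

```shell
#!/bin/sh
# Added example: two offline checks for the auditd setup above.
# Function names and the demo data are assumptions, not audit tooling.

# b64_rules_without_b32 RULES_FILE
# An "-a exit,always -F arch=b64 ..." rule matches 64-bit syscalls only; a
# 32-bit binary issuing the same syscall is not logged. Prints every b64
# syscall rule that has no identical rule with arch=b32 in the file.
b64_rules_without_b32() {
    rules=$1
    grep -E '^-a .*-F arch=b64' "$rules" | while IFS= read -r line; do
        twin=$(printf '%s\n' "$line" | sed 's/-F arch=b64/-F arch=b32/')
        grep -qxF -- "$twin" "$rules" || printf '%s\n' "$line"
    done
}

# audit_key_report AUDIT_LOG KEY
# Summarises SYSCALL records tagged with KEY as "auid exe count", sorted.
# auid=4294967295 means the login UID was never set (process started before
# auditd, or the kernel booted without audit=1); it is shown as UNSET because
# such an action cannot be attributed to a user.
audit_key_report() {
    log=$1 key=$2
    grep -F "key=\"$key\"" "$log" | grep -F 'type=SYSCALL' | awk '{
        auid = ""; exe = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^auid=/) auid = substr($i, 6)
            else if ($i ~ /^exe=/) { exe = substr($i, 5); gsub(/"/, "", exe) }
        }
        if (auid == "4294967295") auid = "UNSET"
        n[auid " " exe]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# demo: run both checks on constructed sample data, not on a live system.
demo() {
    d=$(mktemp -d)
    cat > "$d/audit.rules" <<'EOF'
-a exit,always -F arch=b64 -S mount -S umount2 -k mount
-a exit,always -F arch=b32 -S mount -S umount2 -k mount
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
EOF
    cat > "$d/audit.log" <<'EOF'
type=SYSCALL msg=audit(1398441600.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 comm="id" exe="/usr/bin/id" key="rootcmd"
type=SYSCALL msg=audit(1398441600.310:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2003 auid=4294967295 uid=0 gid=0 euid=0 comm="run-parts" exe="/bin/run-parts" key="rootcmd"
EOF
    echo "b64-only syscall rules:"
    b64_rules_without_b32 "$d/audit.rules"
    echo "rootcmd by auid and exe:"
    audit_key_report "$d/audit.log" rootcmd
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

Run `sh auditcheck.sh demo` to see the constructed output; on the server, `b64_rules_without_b32 /etc/audit/audit.rules` before restarting auditd and `audit_key_report /var/log/audit/audit.log rootcmd` after the first day of logging tell you whether the rules and audit=1 did what you expected.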

Recommended reading:

http://benchmarks.cisecurity.org

CIS Ubuntu 12.04 LTS Server Benchmark (https://benchmarks.cisecurity.org/tools2/ubuntu/CIS_Ubuntu_12.04_LTS_Server_Benchmark_v1.0.0.pdf) [PDF]

Guide to the Secure Configuration of Red Hat Enterprise Linux 5 (http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf) [PDF]

PCI-DSS v3.0 available at https://www.pcisecuritystandards.org/security_standards/documents.php
