This is some sort of part two of Creating a baseline Ubuntu 14.04 server (http://konstruktoid.net/2014/04/25/creating-a-baseline-ubuntu-14-04-server/), so read that first and check back afterwards.
In this post we'll lock down the server even more, adding Google Authenticator and auditd.
Let’s start with modifying /etc/login.defs:
LOG_OK_LOGINS yes
SULOG_FILE /var/log/sulog
Set the default shell to /bin/false in both /etc/default/useradd and /etc/adduser.conf.
Modify /etc/skel/.bashrc:
HISTSIZE=10
HISTFILESIZE=0
Stricter /etc/fstab mount options:
~# egrep -v "#|swap" /etc/fstab | awk '{print $2,$4}'
/ errors=remount-ro
/boot defaults,nodev,nosuid,noexec
/home defaults,nodev,nosuid,noexec
/usr defaults,nodev
/var/log defaults,nodev,noexec
/tmp defaults,nosuid,nodev,noatime,size=100M,mode=1700
/var/tmp defaults,nosuid,nodev,noatime,noexec,size=100M,mode=1700
Remove suid bits:
chmod -s /bin/fusermount /bin/mount /bin/su /bin/umount /usr/bin/bsd-write /usr/bin/chage /usr/bin/chfn /usr/bin/chsh /usr/bin/mlocate /usr/bin/mtr /usr/bin/newgrp /usr/bin/traceroute6.iputils /usr/bin/wall
Verify that all network connected services except sshd are in AppArmor enforce mode with
apparmor_status --verbose
netstat -anlp --inet
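As an added check, not part of the original post, here is a small sh script that compares the mount options actually in effect (a /proc/mounts-style table) with the hardened options the fstab above sets; the mount table it reads is constructed, and the expected options per mount point mirror the post's fstab.

```shell
#!/bin/sh
# Added example, not from the original post: compare the mount options in
# effect (a /proc/mounts-style table) with the hardened options the post's
# fstab sets. Sample table constructed so it runs offline; pass /proc/mounts
# to check a live server.

# Options each mount point should carry, mirroring the post's fstab.
expected_opts() {
    case "$1" in
        /boot|/home) echo "nodev nosuid noexec" ;;
        /usr)        echo "nodev" ;;
        /var/log)    echo "nodev noexec" ;;
        /tmp)        echo "nosuid nodev" ;;
        /var/tmp)    echo "nosuid nodev noexec" ;;
        *)           echo "" ;;
    esac
}

# has_opt OPTS OPT: true when the comma-separated list OPTS contains OPT.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mounts FILE: prints "<mountpoint> missing <option>" for every gap
# and returns 1 if any mount point falls short, 0 otherwise.
check_mounts() {
    rc=0
    while read -r _dev mnt _type opts _rest; do
        for want in $(expected_opts "$mnt"); do
            if ! has_opt "$opts" "$want"; then
                printf '%s missing %s\n' "$mnt" "$want"
                rc=1
            fi
        done
    done < "$1"
    return $rc
}

# Constructed sample: /home lacks noexec, everything else is as intended.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /boot ext4 rw,nodev,nosuid,noexec,relatime 0 0
/dev/sda3 /home ext4 rw,nodev,nosuid,relatime 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec,noatime,size=100M 0 0
EOF
if check_mounts "$SAMPLE"; then echo "all mounts hardened"; else echo "gaps found"; fi
```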
We’ll be using the Google authenticator for two‐factor authentication.
sudo aptitude update && sudo aptitude install libpam-google-authenticator
Run google-authenticator as the user who has sudo rights.
Choose "Disallow multiple uses of the same authentication token", "Do not increase the time window" and "Enable rate-limiting".
Add auth required pam_google_authenticator.so to the top of the "Primary" block in /etc/pam.d/common-auth.
Since we've got an encrypted $HOME, the pam_google_authenticator.so secret has to be moved somewhere that is readable before the home directory is unlocked, so the line becomes:
auth required pam_google_authenticator.so secret=/etc/auth/${USER}/.google_authenticator
Set up the directories (as root, with ${USER} set to the login name, not to root):
~# mkdir -p /etc/auth/${USER}
~# chmod 0755 /etc/auth
~# chown -R ${USER}:${USER} /etc/auth/${USER}
~# chmod -R 0700 /etc/auth/${USER}
~# cat /home/${USER}/.google_authenticator > /etc/auth/${USER}/.google_authenticator
~# chmod 0600 /etc/auth/${USER}/.google_authenticator
Don't forget to install and set up the Google Authenticator app.
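An added verification script, not from the original post, for the layout above: it checks that /etc/auth/<user> is a 0700 directory and its .google_authenticator a 0600 file, both owned by that user, which is what the chown and chmod steps produce. It assumes GNU stat, and its self-test builds a throwaway tree owned by the current account rather than touching /etc/auth.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a secret moved under
# /etc/auth has the ownership and modes the post sets, since
# pam_google_authenticator refuses a secret file that is group- or
# world-readable. Run as root, e.g. "check_secret /etc/auth alice"; the
# self-test at the bottom builds a throwaway tree instead. Assumes GNU stat.

# check_secret ROOT USER: returns 0 when ROOT/USER is a 0700 directory and
# ROOT/USER/.google_authenticator a 0600 file, both owned by USER; prints
# one line per problem and returns 1 otherwise.
check_secret() {
    root="$1"; user="$2"; bad=0
    uid=$(id -u "$user" 2>/dev/null) || { echo "$user: no such user"; return 1; }
    dir="$root/$user"; secret="$dir/.google_authenticator"
    [ -d "$dir" ] || { echo "$user: $dir missing"; return 1; }
    [ -f "$secret" ] || { echo "$user: $secret missing"; return 1; }
    for path in "$dir" "$secret"; do
        if [ -d "$path" ]; then want=700; else want=600; fi
        set -- $(stat -c '%u %a' "$path")
        [ "$1" = "$uid" ]  || { echo "$path: owner uid $1, want $uid"; bad=1; }
        [ "$2" = "$want" ] || { echo "$path: mode $2, want $want"; bad=1; }
    done
    return $bad
}

# Self-test on a constructed tree owned by whoever runs this script.
me=$(id -un)
tree=$(mktemp -d)
mkdir -m 700 "$tree/$me"
printf 'CONSTRUCTED-SECRET-NOT-REAL\n' > "$tree/$me/.google_authenticator"
chmod 600 "$tree/$me/.google_authenticator"
if check_secret "$tree" "$me"; then echo "$me: secret layout OK"; fi
```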
And finally we'll install auditd, the Linux Audit daemon.
~# sudo aptitude update && sudo aptitude install auditd
Edit /etc/default/grub to include audit=1 as part of GRUB_CMDLINE_LINUX:
GRUB_CMDLINE_LINUX="audit=1"
~# update-grub
Add auditd rules to /etc/audit/audit.rules:
#
# Rules grabbed from https://security.stackexchange.com/questions/4629/simple-example-auditd-configuration
#
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024
## special files
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles
## Mount operations
-a exit,always -F arch=b64 -S mount -S umount2 -k mount
## changes to the time
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
## cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -k cron
## user, group, password databases
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd
## monitor usage of passwd
-w /usr/bin/passwd -p x -k passwd_modification
## Monitor for use of tools to change group identifiers
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification
## login configuration and information
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login
## network configuration
-w /etc/hosts -p wa -k hosts
-w /etc/network/ -p wa -k network
## system startup scripts
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init
## library search paths
-w /etc/ld.so.conf -p wa -k libpath
## local time zone
-w /etc/localtime -p wa -k localtime
## kernel parameters
-w /etc/sysctl.conf -p wa -k sysctl
## modprobe configuration
-w /etc/modprobe.conf -p wa -k modprobe
## pam configuration
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam
## postfix configuration
-w /etc/aliases -p wa -k mail
-w /etc/postfix/ -p wa -k mail
## ssh configuration
-w /etc/ssh/sshd_config -k sshd
## changes to hostname
-a exit,always -F arch=b64 -S sethostname -k hostname
## changes to issue
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue
## this was too noisy currently.
# log all commands executed by an effective id of 0 aka root.
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
## Capture all failures to access on critical elements
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess
## Monitor for use of process ID change (switching accounts) applications
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /etc/sudoers -p rw -k priv_esc
## Monitor usage of commands to change power state
-w /sbin/shutdown -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power
## Make the configuration immutable
#-e 2
Uncomment -e 2 only once you're happy with the logging: with it set the rule set is locked and can't be changed again without a reboot.
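An added triage helper, not from the original post, for reading what the rule keys above produce: it counts records per key and attributes one key to login uids (auid) and executables, using the audit.log record format; the sample records are constructed and abridged to the fields used.

```shell
#!/bin/sh
# Added example, not from the original post: triage the records the rule
# keys above produce. On a live server point it at /var/log/audit/audit.log
# (or use ausearch -k KEY); the records below are constructed.

# count_by_key FILE: prints "<count> <key>" per rule key, most frequent first.
count_by_key() {
    awk 'match($0, /key="[^"]+"/) {
             n[substr($0, RSTART + 5, RLENGTH - 6)]++   # strip key=" and "
         }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# who_hit KEY FILE: prints "<count> <auid> <exe>" for one key, so a burst of
# priv_esc or etcpasswd hits can be attributed to a login uid and binary.
who_hit() {
    awk -v want="$1" 'index($0, "key=\"" want "\"") {
             auid = "?"; exe = "?"
             for (i = 1; i <= NF; i++) {
                 if ($i ~ /^auid=/) auid = substr($i, 6)
                 if ($i ~ /^exe=/)  exe  = substr($i, 6, length($i) - 6)
             }
             seen[auid " " exe]++
         }
         END { for (s in seen) print seen[s], s }' "$2" | sort -rn
}

# Constructed sample records, abridged to the fields used here.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
type=SYSCALL msg=audit(1398432000.101:201): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="priv_esc"
type=SYSCALL msg=audit(1398432000.102:202): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="priv_esc"
type=SYSCALL msg=audit(1398432000.103:203): arch=c000003e syscall=2 success=no exit=-13 auid=1001 uid=1001 euid=1001 comm="cat" exe="/bin/cat" key="unauthedfileacess"
type=SYSCALL msg=audit(1398432000.104:204): arch=c000003e syscall=59 success=yes exit=0 auid=1001 uid=0 euid=0 comm="su" exe="/bin/su" key="priv_esc"
EOF
count_by_key "$LOG"
who_hit priv_esc "$LOG"
```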
Recommended reading:
CIS Security Benchmarks: http://benchmarks.cisecurity.org
CIS Ubuntu 12.04 LTS Server Benchmark [PDF]: https://benchmarks.cisecurity.org/tools2/ubuntu/CIS_Ubuntu_12.04_LTS_Server_Benchmark_v1.0.0.pdf
Guide to the Secure Configuration of Red Hat Enterprise Linux 5 [PDF]: http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
PCI-DSS v3.0: https://www.pcisecuritystandards.org/security_standards/documents.php