Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 1 of 39

Testing Environment
● Virtualization HyperVisor
● Host Environment
● Guest Environment
● Post basic installation tasks
Objective 1 Identify Red Hat Common Vulnerabilities and Exposures (CVEs) and Red Hat Security Advisories (RHSAs) and selectively update systems based on this information
Objective 2 Verify package security and validity
Objective 3 Identify and employ standards-based practices for configuring file system security, create and use encrypted file systems, tune file system features, and use specific mount options to restrict access to file system volumes.
Objective 4 Configure default permissions for users and use special file permissions, attributes, and access control lists (ACLs) to control access to files
Objective 5 Install and use intrusion detection capabilities in Red Hat Enterprise Linux to monitor critical system files
Objective 6 Manage user account security and user password security
Objective 7 Manage system login security using pluggable authentication modules (PAM)
Objective 8 Configure console security by disabling features that allow systems to be rebooted or powered off using bootloader passwords
Objective 9 Configure system-wide acceptable use notifications
Objective 10 Install, configure, and manage identity management services and configure identity management clients
Objective 11 Configure remote system logging services, configure system logging, and manage system log files using mechanisms such as log rotation and compression
● Log Rotation
● journal is a component of systemd for logging
● journalctl is used for viewing the journal log
● journal only logs in memory or a small ring file in /run/log/journal; to create persistent storage, create the directory /var/log/journal
Objective 12 Configure system auditing services and review audit reports
Objective 13 Use network scanning tools to identify open network service ports and configure and troubleshoot system firewalling
References
Testing Environment
● Virtualization HyperVisor
○ Virtual Box (Version 5.0.14 r105127 as of this writing)
● Host Environment (I’m double dipping and working at home and at work)
○ Xubuntu 14.04 LTS
○ CentOS 7.2
● Guest Environment (These might seem a little odd, but I am using this image for DISA STIG testing too)
○ CentOS 6.7 (As of 8 March 2016 the EX413 is done under v6 for some strange reason)
○ 2 vCPU
○ 1.5GB RAM
○ 18GB Hard drive (Something of an unusual or non-standard layout. This is from the DISA STIG)
■ / ~10 GiB
■ /boot 250 MiB
■ /home 1 GiB
■ /tmp 500 MiB
■ /var 5 GiB
■ /var/log 500 MiB
■ /var/log/audit 275 MiB
■ swap 500 MiB
○ 2 Network Ports
■ Port 1) Vbox NAT
■ Port 2) Host-only Adapter
○ Server with GUI installation
■ + DNS Name Server
■ + Email Server
■ + FTP Server
■ + File and Storage Server
■ + Hardware Monitoring Utilities
■ + Java Platform
■ + Network File System Client
■ + Performance Tools
■ + Compatibility Libraries
■ + Security Tools
● Post basic installation tasks
○ Limit the number of kernels to keep to 2 for space reasons: change installonly_limit=2 in /etc/yum.conf
○ Enable CentOS Plus Repo
○ Install/Enable EPEL repo
○ Install/Enable EL Repo
○ Install/Enable VAULT Repo’s. This is because I started on purpose with an older version. Check http://vault.centos.org to match the version. In this case it was 7.1.1503. Run yum --disablerepo="*" --enablerepo="C7*" update to update to the latest versions within the release.
○ Install DKMS
○ Install Virtual Box guest additions
MAKE A SNAPSHOT BEFORE YOU START MESSING AROUND WITH THINGS!!
SINCE I ORIGINALLY STARTED THIS DOCUMENT UNDER THE INCORRECT ASSUMPTION THAT THIS TEST WOULD BE UNDER RHEL7 I WILL KEEP THE INFORMATION INTACT AND DENOTE THE DIFFERENCES
Objective 1
Identify Red Hat Common Vulnerabilities and Exposures (CVEs)
and Red Hat Security Advisories (RHSAs) and selectively update
systems based on this information
● Using yum to check if there are any packages that need security updates.
# yum check-update --security
Loaded plugins: langpacks, product-id, subscription-manager
rhel-7-workstation-rpms/x86_64 | 3.4 kB 00:00:00
No packages needed for security; 0 packages available
● To update only security packages with yum
# yum update --security
● To list all available erratas without installing them, run:
# yum updateinfo list available
● To list all available security updates without installing them, run:
# yum updateinfo list security all
or
# yum updateinfo list sec
● To get a list of the currently installed security updates this command can be used:
# yum updateinfo list security installed
● To list all available security updates with verbose descriptions of the issues they apply to:
# yum info-sec
● Run the following command to download and apply all available security updates from Red Hat Network hosted or Red Hat Network Satellite:
# yum -y update --security
● To only install the packages that have a security errata use
# yum update-minimal --security -y
● yum-security also allows installing security updates based on the CVE reference of the issue.
○ To install a security update using a CVE reference run:
# yum update --cve <CVE>
For example:
# yum update --cve CVE-2008-0947
○ Viewing available advisories by severities:
# yum updateinfo list
This system is receiving updates from RHN Classic or RHN Satellite.
RHSA-2014:0159 Important/Sec. kernel-headers-2.6.32-431.5.1.el6.x86_64
RHSA-2014:0164 Moderate/Sec. mysql-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec. mysql-devel-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec. mysql-libs-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec. mysql-server-5.1.73-3.el6_5.x86_64
RHBA-2014:0158 bugfix nss-sysinit-3.15.3-6.el6_5.x86_64
RHBA-2014:0158 bugfix nss-tools-3.15.3-6.el6_5.x86_64
○ If you want to apply only one specific advisory:
# yum update --advisory=RHSA-2014:0159
○ However, if you would like to know more about this advisory before applying it:
# yum updateinfo RHSA-2014:0159
○ For more commands consult the manual page of yum-security with
# man yum-security
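The advisory listing above lends itself to scripting. The shell functions below are an added example, not part of the original notes: they take the output of yum updateinfo list on stdin, keep only security advisories at or above a chosen severity, and list the packages a given advisory touches. SAMPLE_UPDATEINFO is constructed from the listing shown above, and the severity ranking (Low, Moderate, Important, Critical) is an assumption matching Red Hat's labels.

```shell
#!/bin/sh
# Added example (not from the original notes): triage "yum updateinfo list"
# output offline. SAMPLE_UPDATEINFO is constructed from the notes' sample;
# on a real system pipe the live command into the same functions:
#   yum updateinfo list | security_advisories Important
SAMPLE_UPDATEINFO='This system is receiving updates from RHN Classic or RHN Satellite.
RHSA-2014:0159 Important/Sec. kernel-headers-2.6.32-431.5.1.el6.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-devel-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-libs-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-server-5.1.73-3.el6_5.x86_64
RHBA-2014:0158 bugfix         nss-sysinit-3.15.3-6.el6_5.x86_64
RHBA-2014:0158 bugfix         nss-tools-3.15.3-6.el6_5.x86_64'

# security_advisories [MIN_SEVERITY]: print each RHSA id once, in order of
# appearance, if its severity is at least MIN_SEVERITY (default Low).
# Reads updateinfo lines on stdin; bugfix/enhancement lines are ignored.
security_advisories() {
    min="${1:-Low}"
    awk -v min="$min" '
        BEGIN { rank["Low"] = 1; rank["Moderate"] = 2; rank["Important"] = 3; rank["Critical"] = 4 }
        $2 ~ /Sec\.$/ {
            split($2, sev, "/")            # "Important/Sec." -> sev[1] = "Important"
            if (rank[sev[1]] >= rank[min] && !seen[$1]++) print $1
        }'
}

# packages_for_advisory ADVISORY_ID: print the package NVRs that advisory covers
packages_for_advisory() {
    awk -v id="$1" '$1 == id { print $3 }'
}

printf '%s\n' "$SAMPLE_UPDATEINFO" | security_advisories Important
printf '%s\n' "$SAMPLE_UPDATEINFO" | packages_for_advisory RHSA-2014:0164
```

The ids the first function prints can be fed straight to the yum update --advisory= form shown above, which is how you apply one advisory at a time rather than the whole security set.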
Objective 2
Verify package security and validity
● The Yum package manager allows for an automatic verification of all packages it installs or upgrades. gpgcheck is enabled by default, localpkg_gpgcheck is NOT. To configure this option on your system, make sure the gpgcheck and localpkg_gpgcheck configuration directives are set to 1 in the /etc/yum.conf configuration file.
# grep gpgcheck /etc/yum.conf
gpgcheck=1
localpkg_gpgcheck=1
**NOTE** These can be overridden in the /etc/repos.d/<repo>.conf files!!!
● Use the following command to manually verify package files on your filesystem:
# rpmkeys --checksig package_file.rpm
● Check package scripts and triggers
# rpm -qp --scripts /home/userx/Downloads/my-awesome-application-1.2.rpm
● Check GPG key signatures
# rpm -K /home/userx/Downloads/my-awesome-application-1.1.rpm
# rpm -vvK /home/userx/Downloads/my-awesome-application-1.1.rpm
● To verify Red Hat packages, you must import the Red Hat GPG key.
# rpm --import /usr/share/rhn/RPM-GPG-KEY
● To display a list of all keys installed for RPM verification
# rpm -qa gpg-pubkey*
For the Red Hat key, the output includes:
gpg-pubkey-db42a60e-37ea5438
● To display details about a specific key
# rpm -qi gpg-pubkey-db42a60e-37ea5438
● Verify RPM’s
○ rpm -qf can be used to determine what package a file belongs to
# rpm -qf /etc/passwd
setup-2.5.58-7.el5
○ rpm -V <package> will verify the settings
# rpm -V setup-2.5.58-7.el5
.M... c /etc/passwd
S.5....T c /etc/printcap
○ Verify Code Matrix
S File size differs.
M File mode differs (includes permissions and file type).
5 The MD5 checksum differs.
D The major and minor version numbers differ on a device file.
L A mismatch occurs in a link.
U The file ownership differs.
G The file group owner differs.
T The file time (mtime) differs.
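Reading rpm -V output by eye gets old quickly on a full rpm -Va run. The functions below are an added example, not part of the original notes: one decodes each line using the verify code matrix above, the other keeps only the entries worth chasing (a non-config file whose content, mode or ownership changed, or a missing file). SAMPLE_RPM_V is constructed from the two lines shown above plus a changed binary and a missing file, so there is something to report.

```shell
#!/bin/sh
# Added example (not part of the original notes): decode "rpm -V" lines with
# the verify code matrix and pull out the entries worth investigating.
# SAMPLE_RPM_V is constructed. Real use: rpm -Va | suspicious_rpm_verify
SAMPLE_RPM_V='.M...    c /etc/passwd
S.5....T  c /etc/printcap
S.5....T    /usr/bin/passwd
missing     /usr/share/doc/setup/README'

# decode_rpm_verify: prints "path: what differs" for every input line.
# The attribute column (c = config file) may be absent, so the path is
# always taken from the last field.
decode_rpm_verify() {
    awk '
        BEGIN {
            name["S"] = "size";  name["M"] = "mode"; name["5"] = "md5";   name["D"] = "device"
            name["L"] = "link";  name["U"] = "user"; name["G"] = "group"; name["T"] = "mtime"
        }
        $1 == "missing" { print $NF ": missing"; next }
        {
            out = ""
            for (i = 1; i <= length($1); i++) {
                c = substr($1, i, 1)
                if (c != "." && c != "?") out = out (out == "" ? "" : ",") name[c]
            }
            print $NF ": " out
        }'
}

# suspicious_rpm_verify: prints only paths that are NOT config files and whose
# size, digest, mode, owner or group changed, or that are missing. A changed
# config file is routine; a changed binary is what an integrity check is for.
suspicious_rpm_verify() {
    awk '
        (NF == 3 && $2 == "c") { next }          # config file: expected to drift
        $1 == "missing"        { print $NF; next }
        $1 ~ /[SM5UG]/         { print $NF }'
}

printf '%s\n' "$SAMPLE_RPM_V" | decode_rpm_verify
printf '%s\n' "$SAMPLE_RPM_V" | suspicious_rpm_verify
```

A changed binary reported this way should be compared against a fresh copy of the package (rpm -K on the downloaded file, then rpm -V against it) before deciding whether it was a legitimate local change.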
● Other yum tricks and tips
○ List packages and what repos they are part of:
# yum --showduplicates list httpd | expand
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.atlanticmetro.net
 * centosplus: mirror.atlanticmetro.net
 * elrepo: mirror.symnds.com
 * epel: mirror.cogentco.com
 * extras: mirror.rackspace.com
 * updates: mirror.symnds.com
Installed Packages
httpd.x86_64 2.4.6-40.el7.centos @base
Available Packages
httpd.x86_64 2.4.6-40.el7.centos base
○ To automatically remove unneeded dependencies when a package is removed, set clean_requirements_on_remove to 1 in /etc/yum.conf
# grep -i clean_requirements_on_remove /etc/yum.conf
clean_requirements_on_remove=1
○ Limit the number of installonly packages. Usually for limiting the number of kernels installed. Default is 3
# grep installonly_limit /etc/yum.conf
installonly_limit=2
Objective 3
Identify and employ standards-based practices for configuring file
system security, create and use encrypted file systems, tune file system
features, and use specific mount options to restrict access to file system
volumes.
● Multiple partitions
○ /tmp temporary storage for users.
■ should have 1777 permissions (world read/write/execute w/ Sticky Bit)
■ nodev, nosuid, & noexec mount options should be set in /etc/fstab
# grep tmp /etc/fstab
/dev/mapper/centos-tmp /tmp xfs nodev,nosuid,noexec 1 2
○ /var temporary dynamic storage for system services
○ /var/tmp
■ should be bound to /tmp. Link is unbreakable and inherits security from /tmp and should prevent /var from filling up and causing issues
# grep /tmp /etc/fstab | grep var
/tmp /var/tmp none bind 0 0
○ /var/log system storage for log data
○ /var/log/audit system storage for audit log data
# grep /audit /etc/fstab
/dev/mapper/centos-var_log_audit /var/log/audit xfs defaults 0 0
○ /home storage for users
■ nodev mount option should also be set
# grep /home /etc/fstab
/dev/mapper/centos-home /home xfs nodev 0 0
○ any removable media mount points should have noexec, nodev, nosuid options set
○ /dev/shm is a temporary filesystem stored in memory
■ noexec, nodev, nosuid options should be set
# grep shm /etc/fstab
tmpfs /dev/shm tmpfs size=6g,nodev,nosuid,noexec 0 0
● Useful /etc/fstab options
○ nosuid prevents files from being setuid or setgid
○ noexec prevents programs from being executed from the partition
○ nodev prevents partition from having special devices like block or character devices
○ rw read/write (default, implied)
○ ro read only
To remount partitions on running systems
# mount -o remount,<options> <dir>
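Grepping /etc/fstab one mount point at a time, as above, is easy to get wrong when there are several to check. The shell functions below are an added example, not part of the original notes: they read fstab lines on stdin and report every mount point that lacks the options called for above (/tmp and /dev/shm: nodev, nosuid, noexec; /home: nodev; /var/tmp: a bind of /tmp). FSTAB_SAMPLE is constructed, with /home and /dev/shm deliberately short of an option so the audit has something to say; the mount-point-to-options mapping is the one given in these notes and would be extended for removable media on a real system.

```shell
#!/bin/sh
# Added example (not part of the original notes): audit fstab lines against
# the mount options these notes call for. FSTAB_SAMPLE is constructed and
# deliberately non-compliant. Real use: fstab_audit < /etc/fstab
FSTAB_SAMPLE='# constructed sample, not a real /etc/fstab
/dev/mapper/centos-root /        xfs   defaults             1 1
/dev/mapper/centos-tmp  /tmp     xfs   nodev,nosuid,noexec  1 2
/tmp                    /var/tmp none  bind                 0 0
/dev/mapper/centos-home /home    xfs   defaults             0 0
tmpfs                   /dev/shm tmpfs size=6g,nodev,nosuid 0 0
/dev/mapper/centos-var_log_audit /var/log/audit xfs defaults 0 0'

# required_opts MOUNTPOINT: the options these notes require for that mount point
required_opts() {
    case "$1" in
        /tmp|/dev/shm) echo "nodev nosuid noexec" ;;
        /home)         echo "nodev" ;;
        *)             echo "" ;;
    esac
}

# has_opt OPTLIST OPT: true if the comma-separated OPTLIST contains OPT exactly
# (so "nodev" does not match "dev", and "noexec" does not match "exec")
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# fstab_audit: reads fstab lines on stdin, prints one line per violation and
# returns 1 if any were found, 0 otherwise. Comments and blank lines are skipped.
fstab_audit() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        for want in $(required_opts "$mnt"); do
            has_opt "$opts" "$want" || { echo "$mnt missing $want"; rc=1; }
        done
        # /var/tmp must be the bind mount of /tmp described above, not its own filesystem
        if [ "$mnt" = /var/tmp ] && ! { [ "$dev" = /tmp ] && has_opt "$opts" bind; }; then
            echo "/var/tmp is not bind-mounted from /tmp"; rc=1
        fi
    done
    return $rc
}

printf '%s\n' "$FSTAB_SAMPLE" | fstab_audit || echo "fstab needs attention"
```

The audit only reads /etc/fstab; what is actually mounted can differ (a remount with different options, or a filesystem never remounted after the fstab edit), so pair it with a look at the output of mount or findmnt before signing off.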
● Disable filesystem types that aren’t needed
○ cramfs Filesystem type is a compressed read-only Linux filesystem.
○ freevxfs Filesystem for Veritas.
○ jffs2 Log-structured filesystem used in flash devices
○ hfs Mac OS filesystem
○ hfsplus Newer Mac OS filesystem
○ squashfs Similar to cramfs, a compressed Linux filesystem.
○ udf ISO/IEC 13346 and ECMA-167 spec filesystem. **NOTE** NEEDED TO SUPPORT WRITING DVDs and newer optical disc formats
There are a few ways to disable these services. CIS suggests adding a config file to /etc/modprobe.d and adding the modules there: I used bad_fs.conf
○ Dry run of what would happen if the module was called
# /sbin/modprobe -n -v udf
insmod /lib/modules/3.10.0-229.20.1.el7.x86_64/kernel/lib/crc-itu-t.ko
insmod /lib/modules/3.10.0-229.20.1.el7.x86_64/kernel/fs/udf/udf.ko
○ Check to see if the module is inserted
# lsmod | grep udf
○ Change the operation for loading the module to the file in /etc/modprobe.d/bad_fs.conf
install udf /bin/false
● Standards-based file system security
○ Sticky bit should be set for all public directories: When a directory's sticky bit is set, the filesystem treats the files in such directories in a special way so only the file's owner, the directory's owner, or the root user can rename or delete the file. Without the sticky bit set, any user with write and execute permissions for the directory can rename or delete contained files, regardless of the file's owner. Typically this is set on the /tmp directory to prevent ordinary users from deleting or moving other users' files.
To find directories that are world writeable without the sticky bit set:
# find / -type d -perm -002 ! -perm -1000 -exec ls -ld {} \;
To set with chmod
# chmod 1777 <dir>
[or]
# chmod o+t <dir>
Determining if the sticky bit is set:
if the directory is not world executable (this directory is 1766):
# ls -ld sticky-dir/
drwxrw-rwT. 2 root root 6 Feb 3 09:53 sticky-dir/
if the directory is world executable (this directory is 1777):
# ls -ld sticky-dir/
drwxrwxrwt. 2 root root 6 Feb 3 09:53 sticky-dir/
○ SetUID files: (set User ID upon execution) are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner. SetUID permission on a directory is ignored.
To find setuid files and directories:
# find / -perm -4000 -exec ls -alL {} \;
○ SetGID files (set Group ID upon execution) attribute will allow for changing the group-based privileges within a process. Setting the setgid permission on a directory causes new files and subdirectories created within it to inherit its group ID, rather than the primary group ID of the user who created the file (the owner ID is never affected, only the group ID). Newly created subdirectories inherit the setgid bit.
To find setgid files and directories:
# find / -perm -2000 -exec ls -alL {} \;
○ Link Control
To prevent malicious users from exploiting potential vulnerabilities caused by unprotected hard and symbolic links, Red Hat Enterprise Linux 7 includes a feature that only allows links to be created or followed provided certain conditions are met.
■ hard links: one of the following needs to be true:
● The user owns the file to which they link.
● The user already has read and write access to the file to which they link.
■ symbolic links: processes are only permitted to follow links when outside of world-writeable directories with sticky bits, or one of the following needs to be true:
● The process following the symbolic link is the owner of the symbolic link.
● The owner of the directory is the same as the owner of the symbolic link.
■ This protection is turned on by default. It is controlled by the following options in the /usr/lib/sysctl.d/50-default.conf file:
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
To override the default settings and disable the protection, create a new configuration file called, for example, 51-no-protect-links.conf in the /etc/sysctl.d/ directory with the following content:
fs.protected_hardlinks = 0
fs.protected_symlinks = 0
○ Public Directories should have user and group ownership by root, a privileged system account, or an application account. The same command as above searches for world-writeable directories and displays the permissions. The ownership is somewhat subjective based on the system, dir, etc.
To find directories that are world writeable without the sticky bit set:
# find /root -type d -perm -002 ! -perm -1000 -exec ls -ld {} \;
drwxrwxrw- 2 root root 6 Feb 3 09:53 /root/sticky-dir
○ Check and document all world writable files
# find / -type f -perm 0777 -a -exec ls -ld {} \;
○ All files and directories should have valid owners, groups
# find / -xdev \( -nouser -o -nogroup \) -ls
51812050 0 drwxr-xr-x 2 622 root 57 Feb 3 11:28 /root/bad-directory
51807907 4 -rw-r--r-- 1 622 root 3072 Feb 3 11:27 /root/bad-directory/bad_file_1
51193533 12 -rw-r--r-- 1 root 622 12288 Feb 3 11:28 /root/bad-directory/bad_file_2
51193534 8 -rw-r--r-- 1 622 622 5120 Feb 3 11:28 /root/bad-directory/bad_file_3
○ Use aide to provide cryptographic hashes
○ User home directories should have modes 0750 or less permissive
○ User home directories should be owned by the user
● Encrypted File Systems
○ shredding a partition will fill the partition with random data to ensure no unencrypted data exists
# shred -v --iterations=1 /dev/luks_vg/luks_lv
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...72MiB/2.0GiB 3%
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...138MiB/2.0GiB 6%
<..snip..>
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...1.9GiB/2.0GiB 95%
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...2.0GiB/2.0GiB 100%
#
○ Initialize the partition
# cryptsetup --verbose --verify-passphrase luksFormat /dev/luks_vg/luks_lv
WARNING! ========
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Command successful.
#
○ Open the encrypted device and assign its device name
# cryptsetup luksOpen /dev/luks_vg/luks_lv luks_home
Enter passphrase for /dev/luks_vg/luks_lv:
○ Check that it actually worked
# ls -al /dev/mapper/
lrwxrwxrwx. 1 root root 7 Feb 8 13:55 luks_home -> ../dm-8
lrwxrwxrwx. 1 root root 7 Feb 8 13:55 luks_vg-luks_lv -> ../dm-7
○ Normal commands to add a partition: mkfs, mount, df, add to /etc/fstab
# mkfs.xfs /dev/mapper/luks_home
# mount /dev/mapper/luks_home /luks_home
○ Add the partition to /etc/crypttab (this is what causes it to ask for the password)
<name> <volume> <options>
luks_home /dev/mapper/luks_vg-luks_lv none
○ Add/Change Passphrase on Existing Device
# cryptsetup luksAddKey /dev/luks_vg/luks_lv
○ Remove a Passphrase from an Existing Device
# cryptsetup luksRemoveKey /dev/luks_vg/luks_lv
○ Verify or check for encrypted partitions:
# lsblk -l
sda1 8:1 0 250M 0 part /boot
luks_home 253:8 0 2G 0 crypt /luks_home
centos-home 253:7 0 1.5G 0 lvm /home
# blkid /dev/mapper/luks_home
/dev/mapper/luks_home: UUID="48de524a-ba17-40b1-ac14-8a9f34421a50" TYPE="xfs"
# blkid /dev/mapper/luks_vg-luks_lv
/dev/mapper/luks_vg-luks_lv: UUID="ce54eeab-ea52-4273-acef-26a400901a98" TYPE="crypto_LUKS"
**NOTE** primarily a manual process..
○ Check partitions to determine if they are encrypted
# more /etc/crypttab

Objective 4
Configure default permissions for users and use special file
permissions, attributes, and access control lists (ACLs) to control
access to files
● File system extended Access Control Lists (ACL)
○ If a default ACL is associated with a directory, the mode parameter to the functions creating file objects and the default ACL of the directory are used to determine the ACL of the new object:
1. The new object inherits the default ACL of the containing directory as its access ACL.
2. The access ACL entries corresponding to the file permission bits are modified so that they contain no permissions that are not contained in the permissions specified by the mode parameter.
○ If no default ACL is associated with a directory, the mode parameter to the functions creating file objects and the file creation mask (umask(2)) are used to determine the ACL of the new object:
1. The new object is assigned an access ACL containing entries of tag types ACL_USER_OBJ, ACL_GROUP_OBJ, and ACL_OTHER. The permissions of these entries are set to the permissions specified by the file creation mask.
2. The access ACL entries corresponding to the file permission bits are modified so that they contain no permissions that are not contained in the permissions specified by the mode parameter.
■ ACL Text Forms
● user A user ACL entry specifies the access granted to either the file owner (entry tag type ACL_USER_OBJ) or a specified user (entry tag type ACL_USER).
● group A group ACL entry specifies the access granted to either the file group (entry tag type ACL_GROUP_OBJ) or a specified group (entry tag type ACL_GROUP).
● mask A mask ACL entry specifies the maximum access which can be granted by any ACL entry except the user entry for the file owner and the other entry (entry tag type ACL_MASK).
● other An other ACL entry specifies the access granted to any process that does not match any user or group ACL entries (entry tag type ACL_OTHER).
■ to set: setfacl
Granting an additional user read access
setfacl -m u:lisa:r file
Revoking write access from all groups and all named users (using the effective rights mask)
setfacl -m m::rx file
Removing a named group entry from a file's ACL
setfacl -x g:staff file
Copying the ACL of one file to another
getfacl file1 | setfacl --set-file=- file2
Copying the access ACL into the Default ACL
getfacl --access dir | setfacl -d -M- dir
from the setfacl man page
■ to read: getfacl -aL
The output format of getfacl is as follows:
# file: somedir/
# owner: lisa
# group: staff
# flags: -s-
user::rwx
user:joe:rwx #effective:r-x
group::rwx #effective:r-x
group:cool:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:joe:rwx #effective:r-x
default:group::r-x
default:mask::r-x
default:other::---
○ Set/Verify default permissions for all authenticated users so they can only read and modify their own files
# grep -i umask /etc/login.defs
UMASK 077
○ UMASK is usually in a few other places, like /etc/csh.cshrc, /etc/bashrc
# find /etc/ -type f -exec grep -i umask {} \; -print
○ And check users own dotfiles
# find /home/ -type f -exec grep -i umask {} \; -print
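The #effective annotations in the getfacl output earlier in this objective are the part people misread: a named user or group entry grants no more than the mask allows, whatever the entry itself says. The function below is an added example, not part of the original notes; it recomputes those effective rights (entry ANDed with the mask) from getfacl text on stdin, which is handy when reviewing an ACL someone pasted without the annotations. GETFACL_SAMPLE is constructed from the output shown above, with the annotations stripped on purpose.

```shell
#!/bin/sh
# Added example (not part of the original notes): recompute the effective
# rights getfacl annotates. GETFACL_SAMPLE is constructed.
# Real use: getfacl somedir | effective_rights
GETFACL_SAMPLE='# file: somedir/
# owner: lisa
# group: staff
# flags: -s-
user::rwx
user:joe:rwx
group::rwx
group:cool:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:joe:rwx
default:group::r-x
default:mask::r-x
default:other::---'

# effective_rights: for each access-ACL entry the mask applies to (named
# users, the owning group, named groups) print "tag:perms effective:perms".
# The owner (user::), other:: and mask:: entries are never masked, and
# default: entries describe files created later, not this object, so both
# are left out. Existing "#effective:" annotations on input are ignored.
effective_rights() {
    awk -F: '
        /^#/ { next }
        { sub(/[[:space:]]+#.*$/, "") }
        /^default:/ || NF < 3 { next }
        { n++; perm[n] = $3; tag[n] = $1 ":" $2 }
        $1 == "mask" { mask = $3 }
        END {
            for (i = 1; i <= n; i++) {
                if (tag[i] == "user:" || tag[i] == "other:" || tag[i] == "mask:") continue
                eff = ""
                for (j = 1; j <= 3; j++) {
                    c = substr(perm[i], j, 1); m = substr(mask, j, 1)
                    eff = eff ((c != "-" && m != "-") ? c : "-")
                }
                print tag[i] ":" perm[i] " effective:" eff
            }
        }'
}

printf '%s\n' "$GETFACL_SAMPLE" | effective_rights
```

On the sample every masked entry collapses to r-x, which is exactly what the setfacl -m m::rx example above is for: tightening the mask revokes write access from all named users and groups in one step without touching their individual entries.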
Objective 5
Install and use intrusion detection capabilities in Red Hat Enterprise
Linux to monitor critical system files
● Advanced Intrusion Detection Environment (AIDE)
○ check to see if it’s installed
# rpm -q aide
package aide is not installed
# yum install aide
Installing:
aide x86_64 0.15.1-9.el7 base 129 k
○ Initialize AIDE
# /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
○ Check file integrity against AIDE database
# /usr/sbin/aide --check
○ Putting it in a cron job might be smart
0 5 * * * /usr/sbin/aide --check
○ Additional files to be checked can be added to /etc/aide.conf
● TCP Wrappers
○ check to see if they are installed
# rpm -q tcp_wrappers
tcp_wrappers-7.6-77.el7.x86_64
○ /etc/hosts.allow varies by network configuration, setup, purpose, etc
This limits connections to sshd just to my local subnet
sshd: 192.168.56.0/255.255.255.0
This allows connections to anything from my local subnet
all: 192.168.56.0/255.255.255.0
○ /etc/hosts.deny deny everything everywhere that’s not explicitly listed in the allow file
# cat /etc/hosts.deny
ALL:ALL
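The allow/deny pair above is evaluated in a fixed order: a hosts.allow match grants access, otherwise a hosts.deny match refuses it, otherwise access is granted. The script below is an added example, not part of the original notes, that walks through that decision for a service name and client IP so you can see which rule catches a connection before you lock yourself out. It handles only the two client forms the notes use (ALL and net/netmask) and daemon names or ALL; hostnames, EXCEPT and the other patterns of the real library are out of scope, and the rule texts are constructed from the samples above.

```shell
#!/bin/sh
# Added example (not part of the original notes): evaluate the hosts.allow /
# hosts.deny decision for a service and client address. Only "daemon: ALL"
# and "daemon: net/netmask" rules are understood. Rule texts are constructed
# from the notes' samples.
HOSTS_ALLOW='sshd: 192.168.56.0/255.255.255.0'
HOSTS_DENY='ALL:ALL'

# ip_to_int A.B.C.D -> unsigned 32-bit value
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET/NETMASK -> exit 0 if IP is inside the network
in_subnet() {
    net=${2%/*}; mask=${2#*/}
    [ $(( $(ip_to_int "$1") & $(ip_to_int "$mask") )) -eq \
      $(( $(ip_to_int "$net") & $(ip_to_int "$mask") )) ]
}

# wrappers_match RULES SERVICE IP -> exit 0 if any "daemons: clients" rule matches
wrappers_match() {
    printf '%s\n' "$1" | {
        while IFS=: read -r daemons clients; do
            daemons=$(echo $daemons); clients=$(echo $clients)   # trim blanks
            [ -z "$daemons" ] && continue
            case "$daemons" in "$2"|ALL) ;; *) continue ;; esac
            for c in $clients; do
                [ "$c" = ALL ] && exit 0
                case "$c" in */*) in_subnet "$3" "$c" && exit 0 ;; esac
            done
        done
        exit 1
    }
}

# wrappers_decision SERVICE IP -> prints allow or deny in tcpd's order:
# hosts.allow match wins, then a hosts.deny match denies, else allow.
wrappers_decision() {
    if wrappers_match "$HOSTS_ALLOW" "$1" "$2"; then echo allow
    elif wrappers_match "$HOSTS_DENY" "$1" "$2"; then echo deny
    else echo allow; fi
}

wrappers_decision sshd 192.168.56.10    # allow: inside the local subnet
wrappers_decision sshd 10.0.0.5         # deny: caught by ALL:ALL
wrappers_decision httpd 192.168.56.10   # deny: the allow file only names sshd
```

The third call is the one to keep in mind when editing hosts.allow: with ALL:ALL in hosts.deny, every wrapped service that is not listed in hosts.allow is refused, not just sshd.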
Objective 6
Manage user account security and user password security
● Password quality is defined in /etc/security/pwquality.conf
● Shadow password suite configuration in /etc/login.defs **NOTE** Most of this has been moved to PAM
● shadow file fields
○ login name
○ encrypted password
○ date of last pw change
○ minimum passwd age
○ max passwd age
○ passwd warning period
○ passwd inactivity period
○ expiration date
○ reserved
● to check /etc/shadow for password minimum change period (4th field)
# awk -F: '$4 >= 1 {print $1}' /etc/shadow
**NOTE** DoD STIG says 1 day minimum
● chage for modifying account password aging
● chage --list <user> will check password definitions
● /etc/default/useradd sets defaults for new account creation
○ INACTIVE should be set to something other than -1 (which is never)
○ updating user inactivity
● audit users for password inactivity, passwords, etc
# cut -d: -f1 /etc/passwd | xargs -n1 passwd -S
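The awk one-liner above checks a single shadow field; a review usually wants the minimum age, maximum age and inactivity period checked together for every account, with locked accounts left out of the aging checks. The function below is an added example, not part of the original notes, that does that over shadow lines on stdin using the field positions listed above. SHADOW_SAMPLE is constructed (the hash fields are placeholders, not real hashes) and the 60-day maximum is a parameter, not a value from the notes.

```shell
#!/bin/sh
# Added example (not part of the original notes): audit /etc/shadow fields
# for minimum age, maximum age and inactivity. SHADOW_SAMPLE is constructed
# with placeholder hashes. Real use: shadow_audit 60 < /etc/shadow
SHADOW_SAMPLE='root:$6$PLACEHOLDER:16800:0:99999:7:::
alice:$6$PLACEHOLDER:16800:1:60:7:14::
bob:$6$PLACEHOLDER:16800:0:99999:7::17000:
svc:!!:16800:0:99999:7:::
carol::16800:1:60:7:14::'

# shadow_audit [MAXAGE]: one finding line per account that misses the policy
# (min age >= 1 day, max age <= MAXAGE, inactivity period set). An empty
# password field is reported on its own since it means no password at all.
# Locked accounts ("!" or "*" in the password field) are skipped because
# password aging does not apply to them.
shadow_audit() {
    awk -F: -v maxage="${1:-60}" '
        $2 == ""     { print $1 ": empty password field"; next }
        $2 ~ /^[!*]/ { next }
        {
            f = ""
            if ($4 == "" || $4 < 1)
                f = f (f == "" ? "" : "; ") "min age " ($4 == "" ? "unset" : $4)
            if ($5 == "" || $5 > maxage)
                f = f (f == "" ? "" : "; ") "max age " ($5 == "" ? "unset" : $5)
            if ($7 == "")
                f = f (f == "" ? "" : "; ") "no inactivity period"
            if (f != "") print $1 ": " f
        }'
}

printf '%s\n' "$SHADOW_SAMPLE" | shadow_audit 60
```

The findings map directly onto the chage options (-m for minimum age, -M for maximum age, -I for inactivity) mentioned above, so the output doubles as a to-do list.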
Objective 7
Manage system login security using pluggable authentication modules
(PAM)
● PAM Crash Course
○ each application should have its own PAM stack file
○ modules are run in the order they are listed, and the order is important
○ stack syntax is: context (or type) control-flag module module-options
○ context types
■ auth determines who the user is and if that user has a valid account (authentication)
■ account determines if the user is allowed access (authorization)
■ session sets the session up
■ password any rules for changing the password, if the application is allowed to
○ control flags
■ sufficient if a sufficient module passes, that’s enough. None of the other modules in that context are processed. Failing it does not fail the context though.
■ required all required controls in a context must pass. They are all tried even if one fails, to obscure the exact failure for security reasons. **NOTE** None of the required modules will be processed in a context if a sufficient module passes
■ requisite basically the same as required except processing stops as soon as a failure happens (think of it as fast-fail required)
■ optional a success or failure really has no effect. Generally only used with session contexts.
○ modules are run in the order they are listed, and the order is important
■ i.e. if a sufficient module passes after a required failed, access will still be denied.
○ if an application can’t find its stack file, it falls back to /etc/pam.d/other
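The control-flag rules above are easiest to internalise by running them. The function below is an added example, not part of the original notes: it walks an auth stack read from stdin, applies the four keyword flags exactly as described in the crash course, and prints granted or denied for a given set of module outcomes. Bracketed controls such as [default=die] are not modelled, modules not named in the argument are assumed to succeed, and pam_deny.so always fails. PAM_STACK_SAMPLE is constructed from the system-auth lines shown later in this objective.

```shell
#!/bin/sh
# Added example (not part of the original notes): simulate an auth stack
# with the sufficient/required/requisite/optional rules. PAM_STACK_SAMPLE is
# constructed; bracketed control syntax is not handled.
PAM_STACK_SAMPLE='auth required   pam_env.so
auth required   pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 1000 quiet_success
auth required   pam_deny.so'

# pam_simulate "mod.so=ok mod2.so=fail": reads an auth stack on stdin and
# prints granted or denied. A stack in which no module produced a positive
# result is denied, which is also how Linux-PAM treats that case.
pam_simulate() {
    awk -v results="$1" '
        BEGIN {
            n = split(results, kv, " ")
            for (i = 1; i <= n; i++) { split(kv[i], p, "="); res[p[1]] = p[2] }
        }
        /^#/ || $1 != "auth" { next }
        {
            ctl = $2; mod = $3
            r = (mod in res) ? res[mod] : "ok"
            if (mod == "pam_deny.so") r = "fail"
            # requisite: stop at once on failure
            if (ctl == "requisite" && r == "fail") { verdict = "denied"; exit }
            # required/requisite: a failure is remembered but processing continues
            if (ctl == "required" || ctl == "requisite") {
                if (r == "fail") { failed = 1 } else { positive = 1 }
            }
            # sufficient: success ends the stack, unless a required module already failed
            if (ctl == "sufficient" && r == "ok" && !failed) { verdict = "granted"; exit }
            # optional, or a failing sufficient: no effect on the outcome
        }
        END {
            if (verdict == "") verdict = (!failed && positive) ? "granted" : "denied"
            print verdict
        }'
}

printf '%s\n' "$PAM_STACK_SAMPLE" | pam_simulate "pam_unix.so=ok"                       # granted
printf '%s\n' "$PAM_STACK_SAMPLE" | pam_simulate "pam_faillock.so=fail pam_unix.so=ok"  # denied
printf '%s\n' "$PAM_STACK_SAMPLE" | pam_simulate "pam_unix.so=fail"                     # denied
```

The second call is the case the crash course singles out: the faillock preauth check (required) fails because the account is locked, the password check (sufficient) then passes, and access is still denied because the earlier required failure is remembered all the way to pam_deny.so.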
● Forcing strong passwords
○ set in /etc/pam.d/passwd file via the pam_pwquality module
○ /etc/security/pwquality.conf sets custom rules.
○ to enable, add to /etc/pam.d/passwd file
password required pam_pwquality.so retry=3
● Remembering passwords, add remember parameter in /etc/pam.d/system-auth
password sufficient pam_unix.so remember=5
● Account Locking
○ pam_faillock module
○ /var/run/faillock contains logs of failures per user
○ to enable, add lines 2 and 5 to /etc/pam.d/system-auth and /etc/pam.d/password-auth
1 auth required pam_env.so
2 auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
3 auth sufficient pam_fprintd.so
4 auth sufficient pam_unix.so nullok try_first_pass
5 auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
6 auth requisite pam_succeed_if.so uid >= 1000 quiet_success
7 auth required pam_deny.so
**NOTE** these will lock out a non-root user after 3 tries for 10 minutes. Add the following before the first account entry in both files:
account required pam_faillock.so
** to include the root user, add even_deny_root option to auth entries
2 auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600 even_deny_root
5 auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 even_deny_root
** to exclude users from the rule
auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2:user3
○ checking number of failed login attempts
user1:
When Type Source Valid
2013-03-05 11:44:14 TTY pts/0
○ resetting a users account
# faillock --user <username> --reset
● Limiting root (or other user) access with pam
**NOTE** ONLY WORKS ON PAM AWARE SERVICES (Which most are now)
○ /lib/security/pam_listfile.so is the module
○ add the module as a required auth to the service file in /etc/pam.d
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/<bad users file> \
    onerr=succeed
● Limiting root via /etc/securetty
○ remove all entries except console
○ to enable login managers to read /etc/securetty, add the following line
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
to /etc/pam.d/{gdm, gdm-autologin, gdm-fingerprint, gdm-password, gdm-smartcard, kdm, kdm-np, xdm}
● Limit/Disable root from ssh
○ uncomment/add to /etc/ssh/sshd_config
PermitRootLogin no
● Keeping Custom settings with AuthConfig
○ check to see if the auth files are links (default setup)
# ls -l /etc/pam.d/{password,system}-auth
lrwxrwxrwx. 1 root root 16 Feb 1 11:13 /etc/pam.d/password-auth -> password-auth-ac
lrwxrwxrwx. 1 root root 14 Feb 1 11:13 /etc/pam.d/system-auth -> system-auth-ac
○ if the auth files aren’t links move them
# mv system-auth system-auth-ac
# mv password-auth password-auth-ac
○ create a custom local file, /etc/pam.d/system-auth-local which contains
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth include system-auth-ac
auth [default=die] pam_faillock.so authfail silent audit deny=3 unlock_time=600
account required pam_faillock.so
account include system-auth-ac
password include system-auth-ac
session include system-auth-ac
○ create a custom local file, /etc/pam.d/password-auth-local which contains
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth include password-auth-ac
auth [default=die] pam_faillock.so authfail silent audit deny=3 unlock_time=600
account required pam_faillock.so
account include password-auth-ac
password include password-auth-ac
session include password-auth-ac
○ create new links
# ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth
# ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth
Objective 8
Configure console security by disabling features that allow systems to be
rebooted or powered off using bootloader passwords
● Bootloader passwords
○ Is it enabled already?
■ BIOS machines
# grep -i password /boot/grub2/grub.cfg
■ UEFI machines
# grep -i password /boot/efi/EFI/redhat/grub.cfg
○ Adding users
■ Create /etc/grub.d/01_users file and add the following
cat <<EOF
set superusers="toor"
password toor insecurert
EOF
[to add more]
cat <<EOF
set superusers="toor"
password toor insecuretr
password user1 insecure1
EOF
**NOTE** This creates an UNENCRYPTED password and you should know better
The better way, using encrypted passwords:
# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is
grub.pbkdf2.sha512.10000.DCC9681CBF8FEDA5F4C9AA82BA09507CB6703A3773EC63805A25D1C796C868B8D5ACD82843F7CB30059399633A2AB34070A231503B0180C9EF4D248FE12B5CD6.3D1A8BB7B08E645458E8564B647353D32D2A8A7E05676F61C375F6F0727A1514B4A87A14E94CCBD291DBFD48E301F73553168845AF9817D98AC9A455EC122F41
then add to /etc/grub.d/01_users
cat <<EOF
set superusers="toor"
password_pbkdf2 toor grub.pbkdf2.sha512.10000.DCC9681CBF8FEDA5F4C9AA82BA09507CB6703A3773EC63805A25D1C796C868B8D5ACD82843F7CB30059399633A2AB34070A231503B0180C9EF4D248FE12B5CD6.3D1A8BB7B08E645458E8564B647353D32D2A8A7E05676F61C375F6F0727A1514B4A87A14E94CCBD291DBFD48E301F73553168845AF9817D98AC9A455EC122F41
EOF
ALTERNATIVELY you can just add the data to the END of the /etc/grub.d/40_custom file without any of the cat stuff.
set superusers="toor"
password_pbkdf2 toor grub.pbkdf2.sha512.10000.DCC9681CBF8FEDA5F4C9AA82BA09507CB6703A3773EC63805A25D1C796C868B8D5ACD82843F7CB30059399633A2AB34070A231503B0180C9EF4D248FE12B5CD6.3D1A8BB7B08E645458E8564B647353D32D2A8A7E05676F61C375F6F0727A1514B4A87A14E94CCBD291DBFD48E301F73553168845AF9817D98AC9A455EC122F41
○ Rebuild grub
■ On BIOS systems
# grub2-mkconfig -o /boot/grub2/grub.cfg
■ On UEFI-based systems
# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
● Disable grub interactive mode
# grep -i prompt /etc/sysconfig/init
PROMPT=no
● Disable entering Single User Mode without root password
# echo "SINGLE=/sbin/sulogin" >> /etc/sysconfig/init
● Disable CTRLALTDEL combination on the console for rebooting
# systemctl mask ctrl-alt-del.target
# systemctl daemon-reload
or
# ln -s /dev/null /etc/systemd/system/ctrl-alt-del.target
This works when no one is logged in; if a user is logged in, however, the key combination still works. The power button will obviously still work.
● To disable the power buttons on the GDM login screen: edit or create /etc/dconf/db/gdm.d/00-login-screen and add
[org/gnome/login-screen]
disable-restart-buttons=true
then rebuild the dconf database
# dconf update
**NOTE** While you are there, might as well add disable-user-list=true so the login won't list the users
Objective 9
Configure systemwide acceptable use notifications
● Text login banners
  ○ /etc/motd
    ■ the Message Of The Day. This is displayed after a successful login, before the prompt.
  ○ /etc/issue and /etc/issue.net
    ■ shown to connections before the login prompt. /etc/issue is shown if /etc/issue.net is missing.
  ○ None of them should contain the following escape sequences, or anything other than an Acceptable Use Notification, since the login program (agetty) expands them into details about the system:
    ■ \m machine architecture (uname -m)
    ■ \r operating system release (uname -r)
    ■ \s operating system name
    ■ \v operating system version (uname -v)
  ○ All 3 should be owned root:root with mode 0644
  ○ It's acceptable to link all 3 together.
# ls -la | grep issue.net
lrwxrwxrwx. 1 root root  9 Feb  5 11:03 issue -> issue.net
-rw-r--r--. 1 root root 67 Feb  5 11:02 issue.net
lrwxrwxrwx. 1 root root  9 Feb  5 11:03 motd -> issue.net
● Configure sshd to display the acceptable use notifications
○ add Banner /etc/issue.net to /etc/ssh/sshd_config and restart sshd
# grep ^Banner /etc/ssh/sshd_config
Banner /etc/issue.net
# systemctl restart sshd.service
**NOTE** the default sshd_config file has a commented out Banner entry
● Configure a banner for the GUI login
  ○ edit/create a file in /etc/dconf/db/gdm.d/ (the 00-login-screen file from Objective 8 works) and add the following
[org/gnome/login-screen]
banner-message-enable=true
banner-message-text='Authorized use only! All unauthorized users will be beaten'
  ○ rebuild the dconf db and restart gdm
# dconf update
# systemctl restart gdm.service
● If for some bizarre reason you are running VSFTP
  ○ Add ftpd_banner=<something> to /etc/vsftpd/vsftpd.conf
  ○ OR instead add banner_file=<file> to /etc/vsftpd/vsftpd.conf
Objective 10
Install, configure, and manage identity management services and
configure identity management clients
Objective 11
Configure remote system logging services, configure system logging, and
manage system log files using mechanisms such as log rotation and
compression
● Syslog crash course
  ○ syntax FACILITY.PRIORITY
  ○ facilities: kern (0), user (1), mail (2), daemon (3), auth (4), syslog (5), lpr (6), news (7), uucp (8), cron (9), authpriv (10), ftp (11), and local0 through local7 (16-23)
  ○ Priorities
    debug (7), info (6), notice (5), warning (4), err (3), crit (2), alert (1), and emerg (0)
  ○ Special cases for both Facility and Priority
    ■ * is all
    ■ none is none
    ■ comma is used to stack
  ○ Special cases for Priority
    ■ when a Priority is selected, all messages of that Priority and greater are logged
    ■ = before Priority means only that priority is logged
    ■ ! before Priority means that priority is ignored
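The selector rules above, implemented as a small matcher so the semantics of `*`, `none`, `=` and `!` can be checked against real rule lines (an added example, not from these notes). It follows sysklogd's per-facility bitmask behaviour, under which `!priority` drops the named priority together with everything more severe, and `;`-separated parts are applied left to right.

```python
"""Evaluate classic syslog selectors (FACILITY.PRIORITY) the way sysklogd and
rsyslog's legacy format do.  Added example, not from the EX413 notes."""

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
# Lower number = more severe, as in the notes above.
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
ALL_PRI = (1 << len(PRIORITIES)) - 1   # bitmask with every priority set


def compile_selector(selector: str) -> dict:
    """Turn one selector (e.g. '*.info;mail.none') into a per-facility bitmask
    of accepted priorities.  ';'-separated parts are applied in order, so
    'mail.none' after '*.info' switches mail off again."""
    masks = {name: 0 for name in FACILITIES}
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        fac_spec, _, pri_spec = part.rpartition(".")
        facs = list(FACILITIES) if fac_spec == "*" else [f.strip() for f in fac_spec.split(",")]
        ignore = pri_spec.startswith("!")              # '!': remove instead of add
        single = pri_spec.lstrip("!").startswith("=")  # '=': exactly this priority
        name = pri_spec.lstrip("!=")
        if name == "none":
            # 'none' clears the facility; sysklogd treats '!none' as "everything"
            for fac in facs:
                masks[fac] = ALL_PRI if ignore else 0
            continue
        if name == "*":
            bits = ALL_PRI
        elif single:
            bits = 1 << PRIORITIES[name]
        else:
            # the named priority plus everything more severe (numerically lower)
            bits = (1 << (PRIORITIES[name] + 1)) - 1
        for fac in facs:
            masks[fac] = masks[fac] & ~bits if ignore else masks[fac] | bits
    return masks


def matches(masks: dict, facility: str, priority: str) -> bool:
    """Would a message tagged facility.priority be handled by this selector?"""
    return bool(masks[facility] & (1 << PRIORITIES[priority]))
```

Feeding it `*.info;mail.none;authpriv.none;cron.none` (the rule used in the remote rule set later in these notes) shows why authpriv and mail messages never land in the general log even though `*.info` would otherwise accept them.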
● Make sure rsyslog is enabled and running
# systemctl is-enabled rsyslog
enabled
[if not]
# systemctl enable rsyslog
● Log file must exist before rsyslog can write to it.
● Log files should have permissions of 0600 or less and be owned root:root to prevent non-privileged users from possibly seeing PII or other sensitive information. Check /etc/rsyslog.conf for the configured system log files.
● To send log files off site to a loghost add to /etc/rsyslog.conf
*.* @@loghost.mysite.com
**NOTE** double @'s denotes to use TCP and not UDP to send logs
● TLS Encryption for remote logging, add to /etc/rsyslog.conf
# certificate files - just CA for a client
$DefaultNetstreamDriverCAFile /path/to/contrib/gnutls/ca.pem
# set up the action
# use gtls netstream driver
$DefaultNetstreamDriver gtls
# require TLS for the connection
$ActionSendStreamDriverMode 1
# server is NOT authenticated
$ActionSendStreamDriverAuthMode anon
# send (all) messages
*.* @@(o)server.example.net:6514
● To receive remote syslog messages
$ModLoad imtcp.so
$InputTCPServerRun 6514
● To receive and sort incoming syslog messages
  ○ for UDP
# Define templates before the rules that use them
### Per-Host Templates for Remote Systems ###
$template TmplAuthpriv, "/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
$template TmplMsg, "/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
  ○ for TCP
# Provides TCP syslog reception
$ModLoad imtcp
$RuleSet remote1
authpriv.* ?TmplAuthpriv
*.info;mail.none;authpriv.none;cron.none ?TmplMsg
# End the rule set by switching back to the default rule set
$RuleSet RSYSLOG_DefaultRuleset
# Define a new input and bind it to the "remote1" rule set
$InputTCPServerBindRuleset remote1
$InputTCPServerRun 6514
● Special Notes/Troubleshooting
  ○ The default protocol and port for syslog traffic is UDP and 514, as listed in the /etc/services file. However, rsyslog defaults to using TCP on port 514. In the configuration file, /etc/rsyslog.conf, TCP is indicated by @@.
  ○ SELinux is only configured to allow sending and receiving on the following ports by default
# semanage port -l | grep syslog
syslogd_port_t                 tcp      6514, 601
syslogd_port_t                 udp      514, 6514, 601
  ○ Check that rsyslog is running and enabled. Restart after all changes
# systemctl start rsyslog
# systemctl enable rsyslog
  ○ As always, check the firewall
● Log Rotation
  ○ /etc/logrotate.conf is the global file
  ○ /etc/logrotate.d/ holds log-specific rotation files (which override the global file)
  ○ general configuration options
    ■ time frame: daily, weekly, monthly, yearly
    ■ compress/nocompress
    ■ compresscmd/uncompresscmd
    ■ compressext
    ■ delaycompress
    ■ rotate <#> number of rotations before the log is deleted or mailed
    ■ mail <address> emails the rotated log
● journal is a component of systemd for logging
● journalctl is used for viewing the journal log
● journal only logs in memory or a small ring file in /run/log/journal; to create persistent storage create the directory /var/log/journal
● config file is /etc/systemd/journald.conf
Objective 12
Configure system auditing services and review audit reports
● package is audit
● configuration file /etc/audit/auditd.conf
● rules file /etc/audit/audit.rules
● Audit system status
# auditctl -s
enabled 1
flag 1
pid 667
rate_limit 0
backlog_limit 320
lost 0
backlog 0
loginuid_immutable 0 unlocked
● list currently loaded rules
# auditctl -l
LIST_RULES: exit,always watch=/etc/localtime perm=wa key=time-change
LIST_RULES: exit,always watch=/etc/group perm=wa key=identity
LIST_RULES: exit,always watch=/etc/passwd perm=wa key=identity
LIST_RULES: exit,always watch=/etc/gshadow perm=wa key=identity
...
● delete all rules
# auditctl -D
No rules
● define a file system rule
# auditctl -w path-to-file -p permissions -k key-name
  ○ permissions
    ■ r read access to a file or directory
    ■ w write access to a file or directory
    ■ x execute access to a file or directory
    ■ a change in a file or directory's attribute
  ○ key-name
    ■ optional, helps identify which rule or rule set generated the log entry
● define a system call rule
# auditctl -a action,filter -S system_call -F field=value -k key_name
  ○ action,filter is when the event is logged
    ■ action
      ● always or never
    ■ filter
      ● task
      ● exit
      ● user
      ● exclude
  ○ system_call is the system call that triggers the rule; several can be given with multiple -S options
    ■ /usr/include/asm/unistd_64.h lists the calls
  ○ field=value
    ■ optional filter based on architecture, gID, pID, etc.
  ○ key_name
    ■ optional, helps identify which rule or rule set generated the log entry
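A way to turn the `auditctl -l` listing shown above into a compliance check (an added example, not from these notes): parse the LIST_RULES lines and report which file watches from a baseline are missing or loaded with weaker permissions than required. The sample listing and the baseline are constructed for the example; `/etc/shadow` is deliberately watched for reads only so the gap shows up.

```python
"""Parse 'auditctl -l' output in the LIST_RULES form shown in these notes and
check that a baseline of file watches is loaded with the expected permissions.
Added example, not from the EX413 notes; the baseline is an assumption."""
import re

# Constructed sample output; the last line deliberately watches reads only.
SAMPLE_AUDITCTL_L = """\
LIST_RULES: exit,always watch=/etc/localtime perm=wa key=time-change
LIST_RULES: exit,always watch=/etc/group perm=wa key=identity
LIST_RULES: exit,always watch=/etc/passwd perm=wa key=identity
LIST_RULES: exit,always watch=/etc/gshadow perm=wa key=identity
LIST_RULES: exit,always watch=/etc/shadow perm=r key=identity
"""

LINE_RE = re.compile(r"^LIST_RULES:\s+(?P<filter>\w+),(?P<action>\w+)\s*(?P<fields>.*)$")


def parse_rules(text: str) -> list:
    """Return one dict per rule: filter, action and every key=value field."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:                      # e.g. 'No rules' or a '...' continuation
            continue
        rule = {"filter": m.group("filter"), "action": m.group("action")}
        for field in m.group("fields").split():
            key, _, value = field.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def missing_watches(rules: list, required: dict) -> dict:
    """Return the entries of `required` (path -> letters from 'rwxa') that no
    'always' watch rule fully covers."""
    covered = {}
    for r in rules:
        if "watch" in r and r["action"] == "always":
            covered.setdefault(r["watch"], set()).update(r.get("perm", ""))
    return {path: need for path, need in required.items()
            if not set(need) <= covered.get(path, set())}


# Assumed baseline: the identity files from the notes, plus /etc/shadow.
BASELINE = {p: "wa" for p in
            ("/etc/passwd", "/etc/shadow", "/etc/group", "/etc/gshadow", "/etc/localtime")}
```

Each entry returned by `missing_watches` maps directly onto an `auditctl -w <path> -p <perms> -k <key>` rule to add; on a live system the input would be the output of `auditctl -l` instead of the constructed sample.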
● predefined rule sets are in /usr/share/doc/audit-<version>/
● to search audit logs
# ausearch --start yesterday --end now -m SYSCALL -sv no -i
this searches for all failed system calls from yesterday to the present
● to create an audit report
# aureport --login --summary -i
this generates a summary report of all failed login attempts per system user
Objective 13
Use network scanning tools to identify open network service ports and
configure and troubleshoot system firewalling
● list processes with open ports: netstat -natp
● scan TCP ports on a host: nmap -sT <ip address>
● firewalld
  ○ /etc/firewalld
  ○ /usr/lib/firewalld/
  ○ firewall-config (gui)
  ○ firewall-cmd
    ■ --permanent : does not take effect until reload, but is persistent
    ■ --direct : immediate implementation, but not persistent
    ■ --add-interface : only for interfaces not managed by NetworkManager
    ■ --reload : non-disruptive reload
    ■ --complete-reload : drops all connections and reloads
  ○ /etc/firewalld/firewalld.conf
    ■ set default zones
    ■ Lockdown=yes to prevent services, or non-whitelisted services, from adding/removing rules
  ○ Network Zones
    ■ drop
    ■ block
    ■ public
    ■ external
    ■ dmz
    ■ work
    ■ home
    ■ internal
    ■ trusted