I'm a System and Network Administrator. I post my ongoing research at blkcipher.pl.
Some of my blog posts [PL]
This guide details creating a secure Linux production system. OpenSCAP (C2S/CIS, STIG).
License: MIT License
The filename specified in the solution of setting password hashing algorithm is incorrect.
https://github.com/trimstray/the-practical-linux-hardening-guide/wiki/PAM-Module#solution
Should be /etc/pam.d/system-auth
Hey,
Thanks for a good summary!
I'm a core maintainer of the dev-sec project, not sure if you already know this project. We provide hardening automation packages for ansible/puppet/chef including automated tests for inspec.
We covered almost all of the things in your guide which can be automated (e.g. setting of grub password or enforcing the permissions of the common directories). Not sure if we missed something or if you have any other ideas. We would be happy to know them :)
Maybe it's a good idea to provide somewhere a reference to dev-sec in your guide, so people can easily find the project if they are looking for some automated solutions around.
https://dev-sec.io
https://github.com/dev-sec/
Thank you!
Artem
I always think that checklists such as this (i.e. especially security-oriented ones) would be much more useful, as they would let you learn the why behind the how, if they provided authoritative references to their assertions.
Let's take a concrete example: https://github.com/trimstray/the-practical-linux-hardening-guide/blob/daf846aab98f0bdafd32acf398589b7468c42a74/README.md#eight_pointed_black_star-secure-proc-filesystem
The proc pseudo-filesystem /proc should be mounted with hidepid. When setting hidepid to 2, directory entries in /proc will be hidden.
When I read this, I immediately have the following questions:
I'm not arguing you should provide an explicit answer to all of the above (it wouldn't be a checklist anymore...). I am just arguing such a checklist would become much more useful and credible if it at least included links to authoritative sources that justify[1] the items on the checklist.
Just my 2 cents, keep up the good work!
[1] at least for non-obvious points; e.g. I don't think you need to justify "forcing the use of strong passwords"
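One way to verify the hidepid item from the quoted checklist on a running host, as an added example that is not code from the guide or from this thread: parse /proc/self/mountinfo and report the hidepid setting of the /proc mount. The two sample mountinfo lines are constructed, not captured from a real system.

```python
"""Report whether /proc is mounted with hidepid, by reading /proc/self/mountinfo."""
from __future__ import annotations

# Values that hide other users' process directories: numeric on older kernels,
# and the named forms that newer kernels print (hidepid=invisible for 2).
STRICT_VALUES = {"2", "invisible", "4", "ptraceable"}

# Constructed sample lines (not captured from a real host): /proc without and with hidepid=2.
SAMPLE_WEAK = "25 1 0:23 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw\n"
SAMPLE_STRICT = "25 1 0:23 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw,hidepid=2\n"

def parse_mountinfo(text: str) -> list[dict]:
    """Split each mountinfo line into mount point, per-mount options, fstype and superblock options."""
    entries = []
    for line in text.splitlines():
        head, sep, tail = line.partition(" - ")   # " - " separates the two halves of a record
        hf, tf = head.split(), tail.split()
        if not sep or len(hf) < 6 or len(tf) < 3:
            continue                              # blank or malformed line
        entries.append({"mount_point": hf[4], "mount_opts": hf[5].split(","),
                        "fstype": tf[0], "super_opts": tf[2].split(",")})
    return entries

def proc_hidepid(mountinfo_text: str) -> str | None:
    """Return the hidepid value of the /proc mount, or None if it is absent or /proc is not mounted."""
    for e in parse_mountinfo(mountinfo_text):
        if e["fstype"] == "proc" and e["mount_point"] == "/proc":
            for opt in e["mount_opts"] + e["super_opts"]:
                if opt.startswith("hidepid="):
                    return opt.split("=", 1)[1]
            return None
    return None

def hidepid_is_strict(mountinfo_text: str) -> bool:
    """True when /proc hides other users' processes (hidepid=2 or its named equivalent)."""
    return proc_hidepid(mountinfo_text) in STRICT_VALUES

if __name__ == "__main__":
    with open("/proc/self/mountinfo") as f:
        text = f.read()
    print("hidepid on /proc:", proc_hidepid(text), "- strict:", hidepid_is_strict(text))
```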
I'm fairly certain that there's a typo in this section https://github.com/trimstray/the-practical-linux-hardening-guide/wiki/OpenSSH#set-authentication-attempt-limit
MaxAuthTries tries
Shouldn't this configuration line be set to a numerical value? In the C2S/CIS: No-CCE (Medium) link they have set this line to 4.
The configuration parameter in Kernel_Layer.Network_stack.TCP_Syncookies is incorrect.
On the page https://github.com/trimstray/the-practical-linux-hardening-guide/wiki/Network-stack#tcp-syncookies, the configuration parameter is that of source-packet-routing and not tcp_syncookies, as mentioned in the OpenSCAP document.
Here there are two b32 arch rules instead of one for 32 and one for 64
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Third rule down says 'exiu' instead of 'exit'
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
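A small linter for the two defects reported above (the duplicated b32 lremovexattr rule and the 'exiu' typo), written here as an added example rather than code from the guide or the reporter; it also flags syscall rules that lack their b32/b64 twin. The sample input is the four rule lines quoted in the report, embedded as constructed input.

```python
"""Lint an audit.rules fragment for the defects reported above: duplicate lines,
misspelled -F field names (e.g. 'exiu') and syscall rules missing their b32/b64 twin."""
import re
import shlex

# -F field names auditctl accepts (subset sufficient for the syscall rules on this page).
KNOWN_FIELDS = {"arch", "auid", "uid", "euid", "gid", "exit", "key", "path", "perm", "pid", "success", "exe"}
# Constructed sample: the rules quoted in the report above (exact duplicate plus 'exiu' typo).
SAMPLE_RULES = """\
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=unset -F key=access
"""
def parse_rule(line):
    """Return (arch, syscalls, other -F fields) of one '-a always,exit ... -S ... -F ...' rule."""
    toks = shlex.split(line)
    arch, syscalls, fields = None, [], []
    for opt, val in zip(toks, toks[1:]):
        if opt == "-S":
            syscalls.extend(val.split(","))
        elif opt == "-F" and val.startswith("arch="):
            arch = val[len("arch="):]
        elif opt == "-F":
            fields.append(val)
    return arch, syscalls, fields

def lint_rules(text):
    """Return (lineno, problem) findings; an empty list means the fragment is clean."""
    findings, seen, groups = [], {}, {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line in seen:                      # exact duplicate (the lremovexattr case)
            findings.append((n, f"duplicate of line {seen[line]}"))
            continue
        seen[line] = n
        arch, syscalls, fields = parse_rule(line)
        for f in fields:                      # field name is the part before the operator
            name = re.split(r"[=!<>&]", f, maxsplit=1)[0]
            if name not in KNOWN_FIELDS:
                findings.append((n, f"unknown -F field {name!r}"))
        if syscalls and arch:                 # b32/b64 twins share syscalls and other fields
            groups.setdefault((tuple(syscalls), tuple(fields)), (n, set()))[1].add(arch)
    for (syscalls, _), (n, arches) in groups.items():
        if arches != {"b32", "b64"}:
            findings.append((n, f"{','.join(syscalls)} rule present for {sorted(arches)} only; expected b32 and b64"))
    return findings
```

Running lint_rules(SAMPLE_RULES) reports line 2 as a duplicate of line 1, line 4 for the unknown field 'exiu', and the lremovexattr rule as present for b32 only.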
The actions in this section provide guidance on some unwanted applications and services which you might not need, but which are installed by default during OS installation, unknowingly start eating your system resources and are also threats to system security. If an unused service is not enabled then it cannot be exploited.
The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. If the system does not need to accept print jobs from other systems, it's recommended that CUPS be disabled to reduce the potential attack surface.
Run the following command to verify cups is not enabled:
# systemctl is-enabled cups
disabled
Run the following command to disable cups:
# systemctl disable cups
References: http://www.cups.org