
the-practical-linux-hardening-guide's Issues

improvement ideas for dev-sec project?

Hey,

Thanks for a good summary!

I'm a core maintainer of the dev-sec project, not sure if you already know this project. We provide hardening automation packages for ansible/puppet/chef including automated tests for inspec.

We covered almost all of the things in your guide which can be automated (e.g. setting of the grub password or enforcing the permissions of the common directories). Not sure if we missed something or if you have any other ideas. We would be happy to know them :)

Maybe it's a good idea to provide a reference to dev-sec somewhere in your guide, so people can easily find the project if they are looking for some automated solutions.

https://dev-sec.io
https://github.com/dev-sec/

Thank you!
Artem

Please add references

I always think that checklists such as this -i.e. especially security-oriented ones- would be much more useful, as they would let you learn the why behind the how, if they provided authoritative references to their assertions.

Let's take a concrete example: https://github.com/trimstray/the-practical-linux-hardening-guide/blob/daf846aab98f0bdafd32acf398589b7468c42a74/README.md#eight_pointed_black_star-secure-proc-filesystem

The proc pseudo-filesystem /proc should be mounted with hidepid. When setting hidepid to 2, directory entries in /proc will be hidden.

When I read this, I immediately have the following questions:

  • Why should I do this? (I guess in this case the question could be phrased "Why is it important to hide the directory entries in /proc?")
  • Is there a consensus in the Linux community that this is a sane thing to do? If there's a consensus, why isn't it the default?
  • What can happen if I don't?
  • What happens if I do? Do I gain/lose functionality (or performance, or what have you)?
  • What's the meaning of the parameter 2? Are there other possible values? Why should you choose 2 specifically instead of a different value (w.r.t. the goal stated in the first point)?

I'm not arguing you should provide an explicit answer to all of the above (it wouldn't be a checklist anymore...). I am just arguing such a checklist would become much more useful and credible if it at least included links to authoritative sources that justify[1] the items on the checklist.

Just my 2 cents, keep up the good work!
[1] at least for non-obvious points; e.g. I don't think you need to justify "forcing the use of strong passwords"

The configuration parameter in Kernel_Layer.Network_stack.TCP_Syncookies is incorrect

The configuration parameter in Kernel_Layer.Network_stack.TCP_Syncookies is incorrect.

On the page https://github.com/trimstray/the-practical-linux-hardening-guide/wiki/Network-stack#tcp-syncookies, the configuration parameter is that of source-packet-routing and not tcp_syncookies, as mentioned in the OpenSCAP document.

Link: https://static.open-scap.org/ssg-guides/ssg-rhel7-guide-C2S.html#xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies

Auditd - Some invalid rules due to duplicates, some due to syntax

Auditd lremovexattr has duplicate rules because there are two 32-bit rules instead of one 32-bit and one 64-bit

Record events that modify the system's discretionary access controls

lremovexattr

Here there are two b32 arch rules instead of one for 32-bit and one for 64-bit

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Typo in ftruncate rule

Record unauthorized access attempts to files

ftruncate

Third rule down says 'exiu' instead of 'exit'

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
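
An added example (not code from the issue or from the guide) that lints a set of auditctl rules for the two defects reported above, exact duplicates and a misspelled -F field name, and additionally flags a syscall rule that exists for only one arch. The sample rules and the KNOWN_FIELDS set are constructed input for this example, not a complete list of auditctl fields.

```python
import re

# Subset of -F field names accepted by auditctl(8); constructed for this example.
KNOWN_FIELDS = {"arch", "auid", "uid", "gid", "euid", "egid", "pid", "ppid",
                "exit", "key", "path", "perm", "dir", "success", "msgtype"}

# Constructed sample: the lremovexattr and ftruncate rules quoted in the issue.
SAMPLE_RULES = """\
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
"""

FIELD_RE = re.compile(r"^([A-Za-z_0-9]+)(!=|>=|<=|=|>|<)(.+)$")

def parse_rule(line):
    """Split one auditctl rule into (action, arch, sorted syscalls, (name, op, value) fields)."""
    toks, action, arch, syscalls, fields, i = line.split(), None, None, [], [], 0
    while i < len(toks):
        if toks[i] == "-a":
            action = toks[i + 1]
        elif toks[i] == "-S":
            syscalls += toks[i + 1].split(",")
        elif toks[i] == "-F":
            m = FIELD_RE.match(toks[i + 1])
            if not m:
                raise ValueError(f"malformed -F expression: {toks[i + 1]}")
            name, op, val = m.groups()
            if name == "arch":
                arch = val
            else:
                fields.append((name, op, val))
        else:
            i -= 1  # single-token option such as -D or -w's value; no argument to skip
        i += 2
    return action, arch, tuple(sorted(syscalls)), tuple(fields)

def lint_rules(text):
    """Return sorted (line number, message) findings for duplicate, misspelled and one-arch rules."""
    findings, seen, arch_cover = [], set(), {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, arch, syscalls, fields = parse_rule(line)
        findings += [(lineno, f"unknown -F field '{n}'") for n, _, _ in fields if n not in KNOWN_FIELDS]
        if (action, arch, syscalls, fields) in seen:
            findings.append((lineno, "exact duplicate of an earlier rule"))
        seen.add((action, arch, syscalls, fields))
        if syscalls:  # remember the first line carrying each arch for this rule shape
            arch_cover.setdefault((action, syscalls, fields), {}).setdefault(arch, lineno)
    for (_, syscalls, _), arches in arch_cover.items():
        for present, missing in (("b32", "b64"), ("b64", "b32")):
            if present in arches and missing not in arches:
                findings.append((arches[present], f"{','.join(syscalls)} rule has arch={present} but no {missing} counterpart"))
    return sorted(findings)

if __name__ == "__main__":
    for lineno, msg in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {msg}")
```

Because the b64 ftruncate rule carries the misspelled field, the linter also reports both EACCES rules as lacking a counterpart; fixing the typo makes them match.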

Content for Disable all unnecessary services Section

Disable all unnecessary services

The actions in this section provide guidance on some unwanted applications and services which you might not need but which are installed by default during OS installation and unknowingly start eating your system resources and also pose threats to system security. If an unused service is not enabled, then it cannot be exploited.

✴️ Common Unix Print System

The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. If the system does not need to accept print jobs from other systems, it's recommended that CUPS be disabled to reduce the potential attack surface.

Run the following command to verify cups is not enabled:

# systemctl is-enabled cups
disabled

Run the following command to disable cups:

# systemctl disable cups

References: http://www.cups.org
