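#!/usr/bin/env bash
# Hardening checklist / scratch notes (CIS-style), run as root.
# Most entries are reminders with page references to the benchmark document,
# not executable steps; the only live commands are the iptables rules at the
# end. Note lines that were previously bare text (e.g. "rsyslog ()", the
# service list) are now comments so the file parses as bash at all.
set -euo pipefail

#1.1.2a Setup Separate Partitions
# /tmp (rw,nosuid,nodev,noexec,relatime) World Writable
# /var (rw,relatime,data=ordered)
# /var/tmp (rw,nosuid,nodev,noexec,relatime) World Writable
# /var/log (rw,relatime,data=ordered)
# /var/log/audit (rw, relatime,data=ordered)
# /home (rw, nodev,relatime,data=ordered)
# /dev/shm, (rw,nosuid,nodev,noexec,relatime)
# mount -o remount, ^ {dir}
# set sticky bit on all world writable directories
# This will need follow-up snap directories appear world writable but are not?
# validate (lists world-writable dirs that lack the sticky bit; empty output = pass)
# df --local -P | awk 'NR!=1 {print $6}' | xargs -I '{}' find '{}' -xdev \
#   -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null
# set (NUL-delimited so mount points / dirs with whitespace do not break xargs)
# df --local -P | awk 'NR!=1 {print $6}' | xargs -I '{}' find '{}' -xdev \
#   -type d -perm -0002 -print0 2>/dev/null | xargs -0 chmod a+t
# AUDITD
# Setup Log Rotation & Log Compression Cronjob
# Configure Package Management Repo
# apt-cache policy
# Enable ASLR Page69
# Enable XD/NX Page67
# Uninstall Prelink dpkg -s prelink
# Setup AppArmor aa-status
# Make sure none are unconfined and all are in enforcing mode
# aa-enforce /etc/apparmor.d/<profile>
# aa-complain /etc/apparmor.d/<profile>
# permissions 644, root
# TODO
# Check for inetd services
# /etc/inetd.* (null return)
# Disable
# List:
# check for exist /etc/inetd.*|/etc/xinetd.conf|/etc/xinet.d/*
# if exist check grep -R "^chargen" /etc/inetd.* | /etc/xinetd.conf /etc/xinet.d/* chargen; disable = yes
# disable = yes in xinet; comment /etc/inetd.conf and /etc/inetd.d/*
# service list:
# chargen | daytime | discard | echo | time |
# rsh | rlogin | rexec | shell | login | exec
# talk | ntalk | telnet | tftp
#Check for enabled systemd services
#Configure
# rsyslog
# cron daemon
# sshd
#Check configuration for services
#Install & Configure
#List:
# -Rsyslogd
#   logging & log permissions(page 237)
#   remote logging
# -Logrotate
# -Systemd Cron Daemon (Configuration & Permissions) pg 260
# -Restrict at/Cron to Authorized Users
# -
#Server - No X Window System
# dpkg -l xserver-xorg*
# apt-get remove xserver-xorg*
# Postfix Local-Delivery Only? (Page 134)
#logs archived and digitally signed
# Ensure iptables is installed
# Setup Basic Firewall (Install Persist)
# Example
# #!/bin/bash
# NOTE(review): these rules are IPv4-only; ip6tables needs an equivalent
# default-deny policy or IPv6 is left unfiltered.
# Apply from a console session, not over SSH: the flush and default DROP run
# before the ESTABLISHED/port-22 accepts, so a remote session may stall or be
# cut off in between. Rules are not persisted here (see "Install Persist").
# NOTE(review): the "iptables" prefix below was reattached to its arguments
# from the rendered listing -- confirm against the original file.
# Flush IPtables rules
iptables -F
# Ensure iptables default deny firewall policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Ensure iptables loopback traffic is configured
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# drop loopback-sourced packets arriving on any other interface (spoofing)
iptables -A INPUT -s 127.0.0.0/8 -j DROP
# Ensure iptables outbound and established connections are configured
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
# Open inbound ssh(tcp port 22) connections
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Configure Logging (4.1.1)
# Set Max Log Filesize Change Default 4 copies
# Disable system when audit logs full (p198)
# Ensure audit logs are not automatically deleted (p199)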