# Linux Hardening

###### tags: `Linux` `linux` `hardening`

[OpenSCAP](http://static.open-scap.org/ssg-guides/ssg-ubuntu2004-guide-index.html) [GIT](https://github.com/florianutz/ubuntu2004_cis)

## 1.1.1 Disable unused filesystems

* Removing support for unneeded filesystem types reduces the server's local attack surface. If this filesystem type is not needed, disable it.
* check:

```
# modprobe -n -v cramfs | grep -E '(cramfs|install)'
install /bin/true
# lsmod | grep cramfs
<No output>
```

* create `/etc/modprobe.d/cramfs.conf` (`vim /etc/modprobe.d/cramfs.conf`) with the line:

```
install cramfs /bin/true
```

### 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled (Automated)

* Removing support for unneeded filesystem types reduces the server's local attack surface. If this filesystem type is not needed, disable it.
* check:

```
# modprobe -n -v freevxfs | grep -E '(freevxfs|install)'
install /bin/true
# lsmod | grep freevxfs
<No output>
```

* create `/etc/modprobe.d/freevxfs.conf` (`vi /etc/modprobe.d/freevxfs.conf`) with the line:

```
install freevxfs /bin/true
```

### 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled (Automated)

* Removing support for unneeded filesystem types reduces the system's local attack surface. If this filesystem type is not needed, disable it.
* check:

```
# modprobe -n -v jffs2 | grep -E '(jffs2|install)'
install /bin/true
# lsmod | grep jffs2
<No output>
```

* create `/etc/modprobe.d/jffs2.conf` (`vi /etc/modprobe.d/jffs2.conf`) with the line:

```
install jffs2 /bin/true
```

### 1.1.1.4 Ensure mounting of hfs filesystems is disabled (Automated)

check:

```
# modprobe -n -v hfs | grep -E '(hfs|install)'
install /bin/true
# lsmod | grep hfs
<No output>
```

create `/etc/modprobe.d/hfs.conf` (`vi /etc/modprobe.d/hfs.conf`) with the line:

```
install hfs /bin/true
```

### 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled (Automated)

check:

```
# modprobe -n -v hfsplus | grep -E '(hfsplus|install)'
install /bin/true
# lsmod | grep hfsplus
<No output>
```

create `/etc/modprobe.d/hfsplus.conf` (`vi /etc/modprobe.d/hfsplus.conf`) with the line:

```
install hfsplus /bin/true
```

### 1.1.1.7 Ensure mounting of udf filesystems is disabled (Automated)

check:

```
# modprobe -n -v udf | grep -E '(udf|install)'
install /bin/true
# lsmod | grep udf
<No output>
```

create `/etc/modprobe.d/udf.conf` (`vi /etc/modprobe.d/udf.conf`) with the line:

```
install udf /bin/true
```

### 1.1.1.8 Ensure mounting of FAT filesystems is limited (Not Scored)

check:

```
# modprobe -n -v vfat | grep -E '(vfat|install)'
install /bin/true
# lsmod | grep vfat
<No output>
```

create `/etc/modprobe.d/vfat.conf` (`vi /etc/modprobe.d/vfat.conf`) with the line:

```
install vfat /bin/true
```

## 1.1.2 Ensure /tmp is configured (Automated)

check:

```
# findmnt -n /tmp
/tmp tmpfs tmpfs rw,nosuid,nodev,noexec
```

repair:

```
cp -v /usr/share/systemd/tmp.mount /etc/systemd/system/
vi /etc/systemd/system/tmp.mount
```

set in the unit file:

```
[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,nosuid,nodev,noexec
```

```
systemctl daemon-reload
systemctl --now enable tmp.mount
```

## 1.1.3 Ensure nodev option set on /tmp partition (Automated)

check - verify that nothing is returned: `findmnt -n /tmp | grep -v nodev`

repair: edit `/etc/systemd/system/local-fs.target.wants/tmp.mount` (`vi /etc/systemd/system/local-fs.target.wants/tmp.mount`) and set:

```
[Mount]
Options=mode=1777,strictatime,noexec,nodev,nosuid
```

```
systemctl daemon-reload
systemctl restart tmp.mount
```

## 1.1.4 Ensure nosuid option set on /tmp partition (Automated)

check - verify that nothing is returned: `findmnt -n /tmp | grep -v nosuid`

repair: edit `/etc/systemd/system/local-fs.target.wants/tmp.mount` (`nano /etc/systemd/system/local-fs.target.wants/tmp.mount`) and set:

```
[Mount]
Options=mode=1777,strictatime,noexec,nodev,nosuid
```

then `mount -o remount,nosuid /tmp`

## 1.1.5 Ensure noexec option set on /tmp partition (Automated)

verify that nothing is returned: `findmnt -n /tmp | grep -v noexec`

repair: edit `/etc/systemd/system/local-fs.target.wants/tmp.mount` (`nano /etc/systemd/system/local-fs.target.wants/tmp.mount`) and set:

```
[Mount]
Options=mode=1777,strictatime,noexec,nodev,nosuid
```

then `mount -o remount,noexec /tmp`

## 1.1.6 Ensure /dev/shm is configured (Automated)

check that /dev/shm is mounted with nosuid, nodev and noexec:

```
# findmnt -n /dev/shm
/dev/shm tmpfs tmpfs rw,nosuid,nodev,noexec
```

repair: add to `/etc/fstab` (`nano /etc/fstab`):

```
tmpfs /dev/shm tmpfs defaults,noexec,nodev,nosuid,seclabel 0 0
```

then `mount -o remount,noexec,nodev,nosuid /dev/shm`

## 1.1.7 Ensure nodev option set on /dev/shm partition (Automated)

verify that nothing is returned: `findmnt -n /dev/shm | grep -v nodev`

## 1.1.8 Ensure nosuid option set on /dev/shm partition (Automated)

verify that nothing is returned: `findmnt -n /dev/shm | grep -v nosuid`

## 1.1.9 Ensure noexec option set on /dev/shm partition (Automated)

verify that nothing is returned: `findmnt -n /dev/shm | grep -v noexec`

## 1.3 Filesystem Integrity Checking

apply on servers of elevated importance

### 1.3.1 Ensure AIDE is installed (Automated)

### 1.3.2 Ensure filesystem integrity is regularly checked (Automated)

## 1.4 Secure Boot Settings

The recommendations in this section focus on securing the bootloader and settings involved in the boot process directly.

### 1.4.1 Ensure permissions on bootloader config are not overridden (Automated)

- Description: the permissions on /boot/grub/grub.cfg are changed to 444 whenever grub.cfg is regenerated by `update-grub`.
- Rationale: setting read and write permissions for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who can read the boot parameters may be able to identify security weaknesses in the boot process and exploit them.
- check: `grep -E '^\s*chmod\s+[0-7][0-7][0-7]\s+\$\{grub_cfg\}\.new' -A 1 -B1 /usr/sbin/grub-mkconfig`
- output:

```
if [ "x${grub_cfg}" != "x" ]; then
  chmod 400 ${grub_cfg}.new || true
fi
```

**Remediation**

```
sed -ri 's/chmod\s+[0-7][0-7][0-7]\s+\$\{grub_cfg\}\.new/chmod 400 ${grub_cfg}.new/' /usr/sbin/grub-mkconfig
sed -ri 's/ && ! grep "\^password" \$\{grub_cfg\}.new >\/dev\/null//' /usr/sbin/grub-mkconfig
```

### 1.4.2 Ensure bootloader password is set (Automated)

- Description: single-user mode is used for recovery when the system detects a problem during boot or when it is selected manually in the bootloader.
- Rationale: requiring authentication in single-user mode prevents an unauthorized user from rebooting the system into single-user mode to gain root privileges without credentials.
- check: `grep -Eq '^root:\$[0-9]' /etc/shadow || echo "root is locked"` - No results should be returned.
- remediation: `passwd root`

### 1.4.3 Ensure permissions on bootloader config are configured (Automated)

- Description: the grub configuration file contains information about boot parameters and the passwords for unlocking boot options.
- Rationale: setting read and write permissions for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who can read the boot parameters may be able to identify security weaknesses in the boot process and exploit them.
- check:

```
# stat /boot/grub/grub.cfg
Access: (0400/-r--------) Uid: ( 0/ root) Gid: ( 0/ root)
```

- to do:

```
chown root:root /boot/grub/grub.cfg
chmod u-wx,go-rwx /boot/grub/grub.cfg
```

### 1.5.4 Ensure core dumps are restricted (Automated)

## 1.6.1 Configure AppArmor

### 1.6.1.1 Ensure AppArmor is installed (Automated)

check:

```
# dpkg -s apparmor | grep -E '(Status:|not installed)'
Status: install ok installed
```

Install AppArmor.
`apt install apparmor`

:bulb:

# START for production

## 2.1 Special Purpose Services

### 2.1.1.1 Ensure time synchronization is in use (Automated)

Install and configure NTP:

```
apt install ntp
systemctl is-enabled systemd-timesyncd.service
```

### 2.1.2 Ensure X Window System is not installed (Automated)

`apt purge xserver-xorg*`

### 2.1.3 Ensure Avahi Server is not installed (Automated)

```
systemctl stop avahi-daemon.service
systemctl stop avahi-daemon.socket
apt purge avahi-daemon
```

### 2.1.4 Ensure CUPS is not installed (Automated)

`apt purge cups`

### 2.1.5 Ensure DHCP Server is not installed (Automated)

`apt purge isc-dhcp-server`

### 2.1.6 Ensure LDAP server is not installed (Automated)

`apt purge slapd`

### 2.1.7 Ensure NFS is not installed (Automated)

`apt purge nfs-kernel-server`

### 2.1.8 Ensure DNS Server is not installed (Automated)

`apt purge bind9`

### 2.1.9 Ensure FTP Server is not installed (Automated)

`apt purge vsftpd`

### 2.1.10 Ensure HTTP server is not installed (Automated)

`apt purge apache2`

### 2.1.11 Ensure IMAP and POP3 server are not installed (Automated)

`apt purge dovecot-imapd dovecot-pop3d`

### 2.1.12 Ensure Samba is not installed (Automated)

`apt purge samba`

### 2.1.13 Ensure HTTP Proxy Server is not installed (Automated)

`apt purge squid`

### 2.1.14 Ensure SNMP Server is not installed (Automated)

`apt purge snmpd`

### 2.1.15 Ensure mail transfer agent is configured for local-only mode (Automated)

check - verify that nothing is returned: `ss -lntu | grep -E ':25\s' | grep -E -v '\s(127.0.0.1|::1):25\s'`

repair: edit `/etc/exim4/update-exim4.conf.conf` (`nano /etc/exim4/update-exim4.conf.conf`) and set:

```
dc_eximconfig_configtype='local'
dc_local_interfaces='127.0.0.1 ; ::1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
```

then `systemctl restart exim4`

### 2.1.16 Ensure rsync service is not installed (Automated)

`apt purge rsync`

### 2.1.17 Ensure NIS Server is not installed (Automated)

`apt purge nis`

## 2.2 Service Clients

### 2.2.1 Ensure NIS Client is not installed (Automated)

`apt purge nis`

### 2.2.2 Ensure rsh client is not installed (Automated)

`apt purge rsh-client`

### 2.2.3 Ensure talk client is not installed (Automated)

`apt purge talk`

### 2.2.4 Ensure telnet client is not installed (Automated)

`apt purge telnet`

### 2.2.5 Ensure LDAP client is not installed (Automated)

`apt purge ldap-utils`

### 2.2.6 Ensure RPC is not installed (Automated)

`apt purge rpcbind`

## 3 Network Configuration

### 3.1.1 Disable IPv6 (Manual)

Set in `/etc/sysctl.conf` (`nano /etc/sysctl.conf`):

```
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
```

```
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
sysctl -w net.ipv6.route.flush=1
```

### 3.2.1 Ensure packet redirect sending is disabled (Automated)

edit `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file:

```
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
```

```
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.route.flush=1
```

### 3.2.2 Ensure IP forwarding is disabled (Automated)

Set in `/etc/sysctl.conf` (`nano /etc/sysctl.conf`): `net.ipv4.ip_forward = 0`

check: `sysctl net.ipv4.ip_forward`

### 3.3.1 Ensure source routed packets are not accepted (Automated)

check:

```
# sysctl net.ipv4.conf.all.accept_source_route
net.ipv4.conf.all.accept_source_route = 0
# sysctl net.ipv4.conf.default.accept_source_route
net.ipv4.conf.default.accept_source_route = 0
# grep "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
net.ipv4.conf.all.accept_source_route= 0
# grep "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
net.ipv4.conf.default.accept_source_route= 0
```

for IPv6:

```
# sysctl net.ipv6.conf.all.accept_source_route
net.ipv6.conf.all.accept_source_route = 0
# sysctl net.ipv6.conf.default.accept_source_route
net.ipv6.conf.default.accept_source_route = 0
# grep "net\.ipv6\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
net.ipv6.conf.all.accept_source_route= 0
# grep "net\.ipv6\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
net.ipv6.conf.default.accept_source_route= 0
```

Remediation: set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:

```
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
```

Run the following commands to set the active kernel parameters:

```
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.route.flush=1
```

### 3.3.2 Ensure ICMP redirects are not accepted (Automated)

- Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:

```
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
```

- Run the following commands to set the active kernel parameters:

```
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.route.flush=1
```

### 3.3.3 Ensure secure ICMP redirects are not accepted (Automated)

- Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:

```
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
```

- Run the following commands to set the active kernel parameters:

```
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
sysctl -w net.ipv4.route.flush=1
```

### 3.3.4 Ensure suspicious packets are logged (Automated)

- Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:

```
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
```

- Run the following commands to set the active kernel parameters:

```
sysctl -w net.ipv4.conf.all.log_martians=1
sysctl -w net.ipv4.conf.default.log_martians=1
sysctl -w net.ipv4.route.flush=1
```

### 3.3.5 Ensure broadcast ICMP requests are ignored (Automated)

- Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: `net.ipv4.icmp_echo_ignore_broadcasts = 1`
- Run the following commands to set the active kernel parameters:

```
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.route.flush=1
```

### 3.3.6 Ensure bogus ICMP responses are ignored (Automated)

- Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: `net.ipv4.icmp_ignore_bogus_error_responses = 1`
- Run the following commands to set the active kernel parameters:

```
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
sysctl -w net.ipv4.route.flush=1
```

### 3.3.7 Ensure Reverse Path Filtering is enabled (Automated)

- Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:

```
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
```

- Run the following commands to set the active kernel parameters:

```
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.route.flush=1
```

### 3.3.8 Ensure TCP SYN Cookies is enabled (Automated)

- Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: `net.ipv4.tcp_syncookies = 1`
- Run the following commands to set the active kernel parameters:

```
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.route.flush=1
```

### 3.3.9 Ensure IPv6 router advertisements are not accepted (Automated)

- IF IPv6 is enabled: set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:

```
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
```

- Run the following commands to set the active kernel parameters:

```
sysctl -w net.ipv6.conf.all.accept_ra=0
sysctl -w net.ipv6.conf.default.accept_ra=0
sysctl -w net.ipv6.route.flush=1
```

## 3.4 Uncommon Network Protocols

### 3.4.1 Ensure DCCP is disabled (Automated)

### 3.4.2 Ensure SCTP is disabled (Automated)

### 3.4.3 Ensure RDS is disabled (Automated)

### 3.4.4 Ensure TIPC is disabled (Automated)

## 3.5 Firewall Configuration

### 3.5.1 Configure UncomplicatedFirewall

### 3.5.1.1 Ensure Uncomplicated Firewall is installed (Automated)

### 3.5.1.2 Ensure iptables-persistent is not installed (Automated)

### 3.5.1.4 Ensure loopback traffic is configured (Automated)

### 3.5.1.5 Ensure outbound connections are configured (Manual)

### 3.5.1.6 Ensure firewall rules exist for all open ports (Manual)

### 3.5.1.7 Ensure default deny firewall policy (Automated)

## 5 Access, Authentication and Authorization

### 5.3 Configure SSH Server

### 5.3.1 Ensure permissions on /etc/ssh/sshd_config are configured (Automated)

check:

```
# stat /etc/ssh/sshd_config
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
```

- Run the following commands to set ownership and permissions on /etc/ssh/sshd_config:

```
chown root:root /etc/ssh/sshd_config
chmod og-rwx /etc/ssh/sshd_config
```

### 5.3.2 Ensure permissions on SSH private host key files are configured (Automated)

- Run the following commands to set permissions, ownership, and group on the private SSH host key files:

```
find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chown root:root {} \;
find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chmod u-x,go-rwx {} \;
```

### 5.3.3 Ensure permissions on SSH public host key files are configured (Automated)

- Run the following commands to set permissions and ownership on the SSH host public key files:

```
find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod u-x,go-wx {} \;
find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \;
```

## Edit /etc/ssh/sshd_config file

`vi /etc/ssh/sshd_config`

* uncomment or change:

### 5.3.5 Ensure SSH LogLevel is appropriate (Automated)

`LogLevel INFO`

### 5.3.6 Ensure SSH X11 forwarding is disabled (Automated)

`X11Forwarding no`

### 5.3.7 Ensure SSH MaxAuthTries is set to 4 or less (Automated)

`MaxAuthTries 4`

### 5.3.8 Ensure SSH IgnoreRhosts is enabled (Automated)

`IgnoreRhosts yes`

### 5.3.9 Ensure SSH HostbasedAuthentication is disabled (Automated)

`HostbasedAuthentication no`

### 5.3.10 Ensure SSH root login is disabled (Automated)

`PermitRootLogin no`

### 5.3.11 Ensure SSH PermitEmptyPasswords is disabled (Automated)

`PermitEmptyPasswords no`

### 5.3.12 Ensure SSH PermitUserEnvironment is disabled (Automated)

`PermitUserEnvironment no`

### 5.3.13 Ensure only strong Ciphers are used (Automated)

`Ciphers aes128-ctr,aes192-ctr,aes256-ctr`

### 5.3.14 Ensure only strong MAC algorithms are used (Automated)

`MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256`

### 5.3.15 Ensure only strong Key Exchange algorithms are used (Automated)

`KexAlgorithms diffie-hellman-group-exchange-sha256`

or

`KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256`

### 5.3.16 Ensure SSH Idle Timeout Interval is configured (Automated)

```
ClientAliveInterval 300
ClientAliveCountMax 3
```

### 5.3.17 Ensure SSH LoginGraceTime is set to one minute or less

`LoginGraceTime 60`

### 5.3.18 Ensure SSH warning banner is configured (Automated)

:bulb: [link](https://manytools.org/hacker-tools/ascii-banner/)

`Banner /etc/issue.net`

In `/etc/pam.d/sshd` (`nano /etc/pam.d/sshd`) comment out the dynamic MOTD line:

```
#session optional pam_motd.so motd=/run/motd.dynamic
```

Put the banner text into `/etc/motd` and `/etc/issue.net` (`nano /etc/motd`, `nano /etc/issue.net`):

```
#ANSI Shadow
███████╗██████╗ ███████╗██████╗  ██████╗  █████╗ ███╗   ███╗███████╗███████╗
██╔════╝██╔══██╗██╔════╝██╔══██╗██╔════╝ ██╔══██╗████╗ ████║██╔════╝██╔════╝
███████╗██████╔╝█████╗  ██████╔╝██║  ███╗███████║██╔████╔██║█████╗  ███████╗
╚════██║██╔══██╗██╔══╝  ██╔══██╗██║   ██║██╔══██║██║╚██╔╝██║██╔══╝  ╚════██║
███████║██████╔╝███████╗██║  ██║╚██████╔╝██║  ██║██║ ╚═╝ ██║███████╗███████║
╚══════╝╚═════╝ ╚══════╝╚═╝  ╚═╝ ╚═════╝ ╚═╝  ╚═╝╚═╝     ╚═╝╚══════╝╚══════╝
```

### 5.3.19 Ensure SSH PAM is enabled (Automated)

`UsePAM yes`

### 5.3.20 Ensure SSH AllowTcpForwarding is disabled (Automated)

`AllowTcpForwarding no`

### 5.3.21 Ensure SSH MaxStartups is configured (Automated)

`MaxStartups 10:30:60`

### 5.3.22 Ensure SSH MaxSessions is limited (Automated)

`MaxSessions 10`

### Enable PubkeyAuthentication

`PubkeyAuthentication yes`

### Disable PasswordAuthentication

`PasswordAuthentication no`

## 5.4 Configure PAM

### 5.4.1 Ensure password creation requirements are configured (Automated)

### 5.4.2 Ensure lockout for failed password attempts is configured (Automated)

In `/etc/pam.d/common-auth` add:

```
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
```

### 5.4.3 Ensure password reuse is limited (Automated)

In `/etc/pam.d/common-password` (`nano /etc/pam.d/common-password`) add:

```
# Ensure password reuse is limited
password required pam_pwhistory.so remember=5
```
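The sshd_config directives collected in section 5.3 above, checked by one audit script. This is an added example, not code from the page or from the CIS benchmark tooling: it takes a config file path (on a real host, /etc/ssh/sshd_config), picks the first occurrence of each keyword the way sshd does, and returns the number of directives that fail. Match blocks are not evaluated, so where they are in use compare against `sshd -T` instead.

```shell
#!/bin/sh
# Added example, not from the original page: audit an sshd_config file against
# the section 5.3 directives. Usage: sshd_audit /path/to/sshd_config
# directive|expected|mode   (eq: exact match; le: integer in the range 1..expected)
SSHD_EXPECTED='LogLevel|INFO|eq
X11Forwarding|no|eq
MaxAuthTries|4|le
IgnoreRhosts|yes|eq
HostbasedAuthentication|no|eq
PermitRootLogin|no|eq
PermitEmptyPasswords|no|eq
PermitUserEnvironment|no|eq
ClientAliveInterval|300|le
ClientAliveCountMax|3|le
LoginGraceTime|60|le
UsePAM|yes|eq
AllowTcpForwarding|no|eq
MaxSessions|10|le
PubkeyAuthentication|yes|eq
PasswordAuthentication|no|eq'

# sshd_effective FILE KEYWORD: print the value sshd would use. Keywords are
# case-insensitive and the first non-comment occurrence wins, as in sshd itself;
# Match blocks are not evaluated (use `sshd -T` for the effective values there).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key   { print $2; exit }
    ' "$1"
}

# sshd_audit FILE: print PASS/FAIL per directive, return the number of failures.
sshd_audit() {
    _fails=0
    while IFS='|' read -r key want mode; do
        have=$(sshd_effective "$1" "$key")
        if [ -z "$have" ]; then
            status="FAIL (not set, sshd default applies)"
        elif [ "$mode" = le ]; then
            case $have in
                *[!0-9]*) status="FAIL ($have is not an integer)" ;;
                *) [ "$have" -ge 1 ] && [ "$have" -le "$want" ] && status=PASS || status="FAIL ($have, want 1..$want)" ;;
            esac
        elif [ "$have" = "$want" ]; then
            status=PASS
        else
            status="FAIL ($have, want $want)"
        fi
        case $status in FAIL*) _fails=$((_fails + 1)) ;; esac
        printf '%-24s %s\n' "$key" "$status"
    done <<EOF
$SSHD_EXPECTED
EOF
    return "$_fails"
}

# Constructed sample for a dry run (not a real host's file): MaxAuthTries is too
# high, PasswordAuthentication is on (the later "no" does not override it), and
# AllowTcpForwarding is missing, so the audit reports three failures.
SAMPLE_SSHD_CONFIG='LogLevel INFO
x11forwarding no
MaxAuthTries 6
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
ClientAliveInterval 300
ClientAliveCountMax 3
LoginGraceTime 60
UsePAM yes
MaxSessions 10
PubkeyAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no'
sample=$(mktemp) && printf '%s\n' "$SAMPLE_SSHD_CONFIG" >"$sample"
if sshd_audit "$sample"; then echo "all directives pass"; else echo "failing directives: $?"; fi
rm -f "$sample"
```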
### 5.4.4 Ensure password hashing algorithm is SHA-512 (Automated)

In `/etc/pam.d/common-password` (`nano /etc/pam.d/common-password`) add:

```
# Ensure password hashing algorithm is SHA-512
password [success=1 default=ignore] pam_unix.so sha512
```

### 5.5.1.1 Ensure minimum days between password changes is configured (Automated)

In `/etc/login.defs` (`nano /etc/login.defs`): `PASS_MIN_DAYS 1`

### 5.5.1.2 Ensure password expiration is 365 days or less (Automated)

In `/etc/login.defs` (`nano /etc/login.defs`): `PASS_MAX_DAYS 365`

### 5.5.1.3 Ensure password expiration warning days is 7 or more

In `/etc/login.defs` (`nano /etc/login.defs`): `PASS_WARN_AGE 14`

### 5.5.1.4 Ensure inactive password lock is 30 days or less (Automated)

`useradd -D -f 30`

### 5.5.3 Ensure default group for the root account is GID 0 (Automated)

`usermod -g 0 root`

### 5.5.4 Ensure default user umask is 027 or more restrictive (Automated)

### 5.5.5 Ensure default user shell timeout is 900 seconds or less (Automated)

### 5.6 Ensure root login is restricted to system console (Manual)

## 6 System Maintenance

### 6.1.2 Ensure permissions on /etc/passwd are configured (Automated)

```
chown root:root /etc/passwd
chmod u-x,go-wx /etc/passwd
```

### 6.1.3 Ensure permissions on /etc/passwd- are configured (Automated)

```
chown root:root /etc/passwd-
chmod u-x,go-wx /etc/passwd-
```

### 6.1.4 Ensure permissions on /etc/group are configured (Automated)

```
chown root:root /etc/group
chmod u-x,go-wx /etc/group
```

### 6.1.5 Ensure permissions on /etc/group- are configured (Automated)

```
chown root:root /etc/group-
chmod u-x,go-wx /etc/group-
```

### 6.1.6 Ensure permissions on /etc/shadow are configured (Automated)

- set ownership with one of:

```
chown root:root /etc/shadow
chown root:shadow /etc/shadow
```

- remove excess permissions from /etc/shadow: `chmod u-x,g-wx,o-rwx /etc/shadow`

### 6.1.7 Ensure permissions on /etc/shadow- are configured (Automated)

- set ownership with one of:

```
chown root:root /etc/shadow-
chown root:shadow /etc/shadow-
```

- remove excess permissions from /etc/shadow-: `chmod u-x,g-wx,o-rwx /etc/shadow-`

### 6.1.8 Ensure permissions on /etc/gshadow are configured (Automated)

- set ownership with one of:

```
chown root:root /etc/gshadow
chown root:shadow /etc/gshadow
```

- remove excess permissions from /etc/gshadow: `chmod u-x,g-wx,o-rwx /etc/gshadow`

### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Automated)

- set ownership with one of:

```
chown root:root /etc/gshadow-
chown root:shadow /etc/gshadow-
```

- remove excess permissions from /etc/gshadow-: `chmod u-x,g-wx,o-rwx /etc/gshadow-`
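The owner, group and mode checks the page states with stat, chown and chmod for grub.cfg (1.4.3), sshd_config (5.3.1) and the account files (6.1.2 to 6.1.9), as one audit script. This is an added example, not code from the page or the CIS benchmark; the "most permissive acceptable mode" column is derived from the page's chmod commands, and GNU stat on Linux is assumed.

```shell
#!/bin/sh
# Added example, not from the original page: one audit for the owner, group and
# mode checks the page expresses with stat/chown/chmod in 1.4.3, 5.3.1 and 6.1.

# perm_check PATH OWNER GROUP MAXMODE: pass when PATH is owned by OWNER:GROUP and
# its mode sets no permission bit outside MAXMODE (0640 admits 0600 and 0400,
# but not 0644 or 0660). Uses GNU stat (%U owner, %G group, %a octal mode).
perm_check() {
    path=$1 want_owner=$2 want_group=$3 max=$4
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    set -- $(stat -c '%U %G %a' "$path")
    [ $# -eq 3 ] || return 1
    owner=$1 group=$2 mode=$3
    # bits present in the mode but not allowed by MAXMODE; the leading 0 makes
    # $(( )) read both numbers as octal
    extra=$(( 0$mode & ~0$max ))
    if [ "$owner" = "$want_owner" ] && [ "$group" = "$want_group" ] && [ "$extra" -eq 0 ]; then
        printf 'PASS %s %s:%s 0%s\n' "$path" "$owner" "$group" "$mode"
        return 0
    fi
    printf 'FAIL %s is %s:%s 0%s, want %s:%s and at most %s\n' \
        "$path" "$owner" "$group" "$mode" "$want_owner" "$want_group" "$max"
    return 1
}

# path|owner|group|most permissive acceptable mode, taken from the page's stat
# output and chmod commands (u-x,go-wx -> 0644; u-x,g-wx,o-rwx -> 0640).
PERM_BASELINE='/boot/grub/grub.cfg|root|root|0400
/etc/ssh/sshd_config|root|root|0600
/etc/passwd|root|root|0644
/etc/passwd-|root|root|0644
/etc/group|root|root|0644
/etc/group-|root|root|0644
/etc/shadow|root|shadow|0640
/etc/shadow-|root|shadow|0640
/etc/gshadow|root|shadow|0640
/etc/gshadow-|root|shadow|0640'

# perm_audit: run perm_check over the baseline, return the number of failures.
perm_audit() {
    _fails=0
    while IFS='|' read -r p o g m; do
        perm_check "$p" "$o" "$g" "$m" || _fails=$((_fails + 1))
    done <<EOF
$PERM_BASELINE
EOF
    return "$_fails"
}

if perm_audit; then echo "baseline OK"; else echo "files needing attention: $?"; fi
```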