10/16/2018

Top 10 Steps to Hardening Linux Systems

© 2018 Monterey Technology Group Inc.

Preview of Key Points

• In scope
  - File systems
  - Boot security
  - Firewall
  - Services
  - Time sync
  - File perms
  - Accounts and authentication
  - SSH
• Out of scope for today
  - Auditd and logging in general
  - SELinux and mandatory access control
  - File integrity monitoring
  - Sudo
  - Patching

Best resources

• https://www.cisecurity.org/cis-benchmarks/
• https://www.tecmint.com/security-and-hardening-centos-7-guide/
• https://nvd.nist.gov/ncp/checklist/811
• https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-123.pdf

Configure separate and secure partitions

• Separate partitions for
  - /tmp
    - World writable, temp storage
    - Mount options nodev, nosuid, noexec
  - /var
    - Used by daemons and other system services to temporarily store dynamic data; could be world writable
  - /var/tmp
    - Mount options nodev, nosuid, noexec
  - /var/log
  - /var/log/audit
  - /home
    - If the system is intended to support local users
  - /dev/shm
    - Shared memory
    - Mount options nodev, nosuid, noexec
• Get a list of mounted partitions
  - Run findmnt
  - Or look at /etc/fstab
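To make the mount-option check above repeatable, here is an added example (not from the slides) that parses the output of findmnt -rn -o TARGET,OPTIONS and reports, for /tmp, /var/tmp and /dev/shm, whether each is a separate mount carrying nodev, nosuid and noexec. The findmnt output embedded below is constructed.

```shell
# Added example (not from the slides): check that /tmp, /var/tmp and /dev/shm are
# separate mounts carrying nodev,nosuid,noexec, by parsing findmnt output.
REQUIRED="nodev nosuid noexec"

# missing_opts MOUNTOPTS -> prints the required options absent from the
# comma-separated list MOUNTOPTS (empty output means the mount is compliant).
missing_opts() {
    opts=",$1,"; missing=""
    for o in $REQUIRED; do
        case "$opts" in
            *",$o,"*) ;;
            *) missing="$missing $o" ;;
        esac
    done
    printf '%s' "${missing# }"
}

# audit_mounts FINDMNT_OUTPUT -> one line per checked mountpoint:
#   "<target> OK" | "<target> MISSING <opts>" | "<target> NOT_SEPARATE"
# FINDMNT_OUTPUT is the text produced by: findmnt -rn -o TARGET,OPTIONS
audit_mounts() {
    for mp in /tmp /var/tmp /dev/shm; do
        mopts=$(printf '%s\n' "$1" | awk -v t="$mp" '$1 == t { print $2; exit }')
        if [ -z "$mopts" ]; then
            echo "$mp NOT_SEPARATE"      # no dedicated mount: lives on the parent fs
            continue
        fi
        m=$(missing_opts "$mopts")
        if [ -z "$m" ]; then echo "$mp OK"; else echo "$mp MISSING $m"; fi
    done
}

# Constructed findmnt -rn -o TARGET,OPTIONS output (not from a real host):
# /tmp is hardened, /dev/shm lacks noexec and /var/tmp is not a separate mount.
SAMPLE='/ rw,relatime
/tmp rw,nosuid,nodev,noexec,relatime
/dev/shm rw,nosuid,nodev'

# On a live host: audit_mounts "$(findmnt -rn -o TARGET,OPTIONS)"
audit_mounts "$SAMPLE"
```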

Boot security

• Ensure bootloader password is set
  - grub2
  - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-protecting_grub_2_with_a_password
• Require password for single-user mode
  - https://www.tecmint.com/password-protect-single-user-mode-in-centos-7/
• Permissions on bootloader file
• Disable PROMPT_FOR_CONFIRM

Host-based firewall

• What does your distro and version support?
  - ipchains
  - iptables
  - firewalld
• Overwhelmed? At least check out using TCP Wrappers

Disable unneeded services

• How do daemons run on your distro and version?
  - SysVinit
    - https://wiki.debian.org/Daemon#Daemon_management_with_sysvinit
  - systemd and services
    - systemctl list-units --all
    - Older versions use the service command

Time Sync

• For any kind of security monitoring, log correlation or forensics you need accurate and consistent time stamps
• ntp
  - https://www.server-world.info/en/note?os=CentOS_7&p=ntp&f=2
  - https://www.hugeserver.com/kb/config-time-date-centos-7-ntp/
• chrony
• Which method?
  - https://www.thegeekdiary.com/centos-rhel-7-chrony-vs-ntp-differences-between-ntpd-and-chronyd/
  - https://chrony.tuxfamily.org/comparison.html

File system permissions

• Key security files
  - UID and GID are both 0/root and access is 644
    - /etc/passwd
    - /etc/group
    - /etc/passwd-
    - /etc/group-
  - UID and GID are both 0/root and access is 640 or more restrictive
    - /etc/shadow
    - /etc/gshadow
    - /etc/gshadow-
  - stat /etc/passwd
  - Use chown to fix owner
  - Use chmod to fix perms
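An added example (not from the slides) that encodes the ownership and mode expectations above. check_file takes the values you would read from GNU stat -c '%u %g %a', so it can be exercised with constructed inputs, and audit_key_files runs it over the live files; "640 or more restrictive" is implemented as a bit-wise test rather than a numeric comparison.

```shell
# Added example (not from the slides): check owner, group and mode of the key
# account files against the limits on this slide. Modes are compared bit-wise:
# a file passes when it grants no permission bit that its limit does not grant.

# mode_within ACTUAL LIMIT -> true when octal mode ACTUAL grants no bit absent
# from octal LIMIT (600 is "640 or more restrictive"; 644 is not).
mode_within() {
    [ $(( 0$1 & ~0$2 )) -eq 0 ]
}

# check_file PATH UID GID MODE -> "PATH OK" or "PATH FAIL: <reasons>", using
# the values stat -c '%u %g %a' prints. Limit is 640 for the shadow files and
# 644 for passwd/group and their backups, as on the slide.
check_file() {
    path=$1; uid=$2; gid=$3; mode=$4; why=""
    case "$path" in
        */shadow|*/shadow-|*/gshadow|*/gshadow-) limit=640 ;;
        *) limit=644 ;;
    esac
    [ "$uid" = 0 ] || why="$why owner=$uid"
    [ "$gid" = 0 ] || why="$why group=$gid"
    mode_within "$mode" "$limit" || why="$why mode=$mode(limit $limit)"
    [ -z "$why" ] && echo "$path OK" || echo "$path FAIL:$why"
}

# audit_key_files -> check_file over the live files (GNU stat(1) assumed).
audit_key_files() {
    for f in /etc/passwd /etc/group /etc/passwd- /etc/group- \
             /etc/shadow /etc/gshadow /etc/gshadow-; do
        [ -e "$f" ] || { echo "$f MISSING"; continue; }
        check_file "$f" $(stat -c '%u %g %a' "$f")
    done
}

# Constructed values (not from a real host) showing a pass, a locked-down
# shadow file (mode 000 is within 640) and a failure with two reasons.
check_file /etc/passwd 0 0 644
check_file /etc/shadow 0 0 0
check_file /etc/gshadow 0 42 644
```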

File system permissions

• Bootloader file
  - /boot/grub/menu.lst
  - /boot/grub2
• Additional checks
  - No world writable files
    df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002
  - No unowned files or directories
    df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser
  - No ungrouped files or directories
    df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup
  - Check SUID files
    df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000

File system permissions

• Which services and applications are being used on this system?
  - Where are the config files?
  - Are they secured?
• Examples
  - Cron
    - /etc/cron*
  - SSH
    - /etc/ssh

Accounts and authentication

• Pluggable Authentication Modules / pam.d
  - Where and how does your distro/version configure password quality?
    - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-hardening_your_system_with_tools_and_services, section 4.1.1.2
  - Libraries typically used
    - pam_cracklib.so
    - pam_pwquality.so
    - Check /etc/pam.d/system-auth for which one is in use
  - CentOS
    - authconfig --test
  - Things to check
    - Password quality, change requirements, lockout
  - Best is to test
    - An actual password change
    - pwscore

Accounts and authentication

• Review user accounts in general
  - /etc/passwd
• Review group membership
  - /etc/group
  - Members of a group
    - members or lid command
    - lid -g wheel
• System / application accounts
  - Make sure interactive login is disabled, and confirm it by testing
  - usermod -s /sbin/nologin <user>
• Root
  - Limit root logon to the system console
  - Try to ssh as root
• User and Group Settings, section 6.2 of CIS Distribution Independent Linux
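An added example (not from the slides) for the system/application account review: it parses /etc/passwd-format text and lists every non-root account below an assumed UID threshold of 1000 whose shell is not one of an assumed set of non-login shells. The passwd lines embedded below are constructed.

```shell
# Added example (not from the slides): list system/application accounts that still
# have an interactive shell, from /etc/passwd-format text. The UID threshold (1000)
# and the set of non-login shells are assumptions; compare with your login.defs.

# flag_login_system_accounts PASSWD_TEXT -> "user uid shell" for every non-root
# account with UID below 1000 whose shell is not a known non-login shell.
flag_login_system_accounts() {
    printf '%s\n' "$1" | awk -F: '
        BEGIN { split("/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false", s, " ")
                for (i in s) nologin[s[i]] = 1 }
        NF < 7 { next }                        # skip blank or malformed lines
        $7 == "" { $7 = "/bin/sh" }            # empty shell field means /bin/sh
        $1 != "root" && $3 + 0 < 1000 && !($7 in nologin) { print $1, $3, $7 }'
}

# Constructed /etc/passwd lines (not from a real host): apache and backup should be
# flagged, bin and mysql are already locked to nologin, alice is a normal user.
SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/bin/bash
mysql:x:27:27:MariaDB:/var/lib/mysql:/sbin/nologin
backup:x:990:990::/var/backups:/bin/sh
alice:x:1000:1000::/home/alice:/bin/bash'

# On a live host: flag_login_system_accounts "$(cat /etc/passwd)"
# Remediation is the slide's own step: usermod -s /sbin/nologin <user>
flag_login_system_accounts "$SAMPLE"
```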

Secure Shell (ssh)

• Hardening Secure Shell
  - /etc/ssh/sshd_config
  - Don’t permit root login
    - PermitRootLogin
  - Limit logon attempts
    - MaxAuthTries
  - Disable v1 of the protocol
  - Don’t allow forwarding
  - Limit network accessibility via firewall
  - Disable host based authentication
    - HostbasedAuthentication
  - PermitEmptyPasswords no
  - PermitUserEnvironment no
  - SSH idle timeout interval
    - ClientAliveInterval, ClientAliveCountMax
  - LoginGraceTime
  - Which users?
    - AllowUsers, AllowGroups, DenyGroups
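An added example (not from the slides) that audits an sshd_config for the directives listed above. It mirrors two sshd parsing rules that often hide misconfigurations: the first occurrence of a keyword wins, and settings inside a Match block apply only to matching connections. The forwarding directive names (AllowTcpForwarding, X11Forwarding), the numeric limits, and the sample config are my assumptions, not the slide's.

```shell
# Added example (not from the slides): audit sshd_config for the directives above.
# sshd honours the FIRST occurrence of a keyword, case-insensitively, and Match
# blocks add only per-connection overrides; the parser below mirrors both rules.
# sshd_get KEYWORD CONFIG -> first effective value of KEYWORD in CONFIG text,
# ignoring comments and everything inside Match blocks.
sshd_get() {
    printf '%s\n' "$2" | awk -v key="$1" '
        { sub(/#.*/, "") }
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && tolower($1) == tolower(key) { print $2; exit }'
}
# want KEYWORD WANT CONFIG -> "KEYWORD OK" / "KEYWORD FAIL (got ...)"; WANT is a literal ("no") or "<=N".
want() {
    got=$(sshd_get "$1" "$3"); ok=
    case "$2" in
        '<='*) [ -n "$got" ] && [ "$got" -le "${2#<=}" ] 2>/dev/null && ok=1 ;;
        *)     [ "$got" = "$2" ] && ok=1 ;;
    esac
    [ -n "$ok" ] && echo "$1 OK" || echo "$1 FAIL (got '${got:-unset}')"
}
# audit_sshd CONFIG -> one result line per checked directive.
audit_sshd() {
    for kw in PermitRootLogin HostbasedAuthentication PermitEmptyPasswords \
              PermitUserEnvironment AllowTcpForwarding X11Forwarding; do
        want "$kw" no "$1"
    done
    # Numeric limits are CIS-style thresholds assumed for this example.
    want MaxAuthTries '<=4' "$1"
    want ClientAliveInterval '<=300' "$1"
    want ClientAliveCountMax '<=3' "$1"
    want LoginGraceTime '<=60' "$1"
    [ -n "$(sshd_get AllowUsers "$1")$(sshd_get AllowGroups "$1")" ] \
        && echo "AllowUsers/AllowGroups OK" || echo "AllowUsers/AllowGroups FAIL (unset)"
}
# Constructed sshd_config fragment (not from a real host). The duplicated
# PermitRootLogin shows first-match semantics: the early "yes" wins.
SAMPLE='PermitRootLogin yes   # stray early line
PermitRootLogin no
MaxAuthTries 6
HostbasedAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
ClientAliveInterval 300
LoginGraceTime 60
AllowGroups sshusers
Match User backup
    AllowTcpForwarding no'
audit_sshd "$SAMPLE"   # on a live host: audit_sshd "$(cat /etc/ssh/sshd_config)"
```

Note that AllowTcpForwarding is reported as unset: the only occurrence sits under Match User backup, so it does not protect other users.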

Bottom line

• It’s a hard truth: you’ll never be able to fully secure every system in your environment. You need to focus on fixing what attackers are actually taking advantage of in the wild. And that’s where our sponsor, Rapid7, comes in. Justin Buchanan will briefly show you how InsightVM helps you gain complete visibility of all of your Linux systems (do you know all of the Linux systems in your environment?), prioritize the vulnerabilities to focus on, and break down the silos between your security team and IT team to drive remediation.
• So here’s what you need to do
  - First, know all your *nix systems: which distro, which version?

THE RAPID7 INSIGHT PLATFORM

Vulnerability Assessment

COLLECT: Data Across Your Ecosystem
PRIORITIZE: Using Attacker Analytics
REMEDIATE: With SecOps Agility

COLLECT
Continuously identify and assess risk across your cloud, virtual, remote, local, and containerized infrastructure.

PRIORITIZE
Leverage unparalleled attacker analytics to prioritize vulns more precisely with a Real Risk score that goes beyond just CVSS.

REMEDIATE
Break down the silos between IT, security, and development by automating remediation and containment.

Accomplish More with InsightVM

• Use attacker-based analytics to prioritize risk
• Get visibility into your dynamic network
• Unify endpoint assessment
• Break down the silos of IT, security, and development
• Accelerate remediation with Automation-Assisted Patching
• Implement compensating controls with Automated Containment