Skip to content

Simple checklist to help you deploying the most important areas of the GNU/Linux production systems - work in progress.

License

Notifications You must be signed in to change notification settings

trimstray/linux-hardening-checklist

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

84 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

Master


Pull Requests MIT License



Table of Contents

Introduction

In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle a single-function system is more secure than a multipurpose one. The main goal of systems hardening is to reduce security risk by eliminating potential attack vectors and condensing the system’s attack surface.

This list contains the most important hardening rules for GNU/Linux systems.

Status

Still work in progress... πŸ‘·

I also created another repository (in a more detailed way): the-practical-linux-hardening-guide.

Todo

  • Add rationale (e.g. url's, external resources)
  • Review levels of priority

Prologue

I'm not advocating throwing your existing hardening and deployment best practices out the door but I recommend is to always turn a feature from this checklist on in pre-production environments instead of jumping directly into production.

Levels of priority

All items in this checklist contains three levels of priority:

  • low means that the item has a low priority.
  • medium means that the item has a medium priority. You shouldn't avoid tackling that item.
  • high means that the item has a high priority. You can't avoid following that rule and implement the corrections recommended.

OpenSCAP

OpenSCAP

SCAP (Security Content Automation Protocol) provides a mechanism to check configurations, vulnerability management and evaluate policy compliance for a variety of systems. One of the most popular implementations of SCAP is OpenSCAP and it is very helpful for vulnerability assessment and also as hardening helper.

Some of the external audit tools use this standard. For example Nessus has functionality for authenticated SCAP scans.

I tried to make this list compatible with OpenSCAP standard and rules. However, there may be differences.

Partitioning

Separate partitions

  • low Ensure /boot located on separate partition.

  • low Ensure /home located on separate partition.

  • low Ensure /usr located on separate partition.

  • medium Ensure /var located on separate partition.

  • high Ensure /var/log and /var/log/audit located on separate partitions.

  • high Ensure /tmp and /var/tmp located on separate partitions.

Restrict mount options

  • low Restrict /usr partition mount options.

    Example:

    UUID=<...>  /usr  ext4  defaults,nodev,ro  0 2
  • low Restrict /var partition mount options.

    Example:

    UUID=<...>  /var  ext4  defaults,nosuid  0 2
  • low Restrict /var/log and /var/log/audit partitions mount options.

    Example:

    UUID=<...>  /var/log        ext4  defaults,nosuid,noexec,nodev  0 2
    UUID=<...>  /var/log/audit  ext4  defaults,nosuid,noexec,nodev  0 2
  • low Restrict /proc partition mount options.

    Example:

    proc  /proc  proc  defaults,hidepid=2  0 0
  • medium Restrict /boot partition mount options.

    Example:

    LABEL=/boot  /boot  ext2  defaults,nodev,nosuid,noexec,ro  1 2
  • medium Restrict /home partition mount options.

    Example:

    UUID=<...>  /home  ext4  defaults,nodev,nosuid  0 2
  • medium Restrict /var and /var/tmp partitions mount options.

    Example:

    mv /var/tmp /var/tmp.old
    ln -s /tmp /var/tmp
    cp -prf /var/tmp.old/* /tmp && rm -fr /var/tmp.old
    
    UUID=<...>  /tmp  ext4  defaults,nodev,nosuid,noexec  0 2
  • medium Restrict /dev/shm partition mount options.

    Example:

    tmpfs  /dev/shm  tmpfs  rw,nodev,nosuid,noexec,size=1024M,mode=1777 0 0

Polyinstantiated directories

  • medium Setting up polyinstantiated /var and /var/tmp directories.

    Example:

    # Create new directories:
    mkdir --mode 000 /tmp-inst
    mkdir --mode 000 /var/tmp/tmp-inst
    
    # Edit /etc/security/namespace.conf:
    /tmp      /tmp-inst/          level  root,adm
    /var/tmp  /var/tmp/tmp-inst/  level  root,adm
    
    # Set correct SELinux context:
    setsebool polyinstantiation_enabled=1
    chcon --reference=/tmp /tmp-inst
    chcon --reference=/var/tmp/ /var/tmp/tmp-inst

Shared memory

  • low Set group for /dev/shm.

    Example:

    tmpfs  /dev/shm  tmpfs  rw,nodev,nosuid,noexec,size=1024M,mode=1770,uid=root,gid=shm 0 0

Encrypt partitions

  • low Encrypt swap partition.

    Example:

    # Edit /etc/crypttab:
    sdb1_crypt /dev/sdb1 /dev/urandom cipher=aes-xts-plain64,size=256,swap,discard
    
    # Edit /etc/fstab:
    /dev/mapper/sdb1_crypt none swap sw 0 0

β˜‘οΈ Summary checklist

Rule Priority Checkbox
Separate /boot low πŸ”²
Separate /home low πŸ”²
Separate /usr low πŸ”²
Separate /var medium πŸ”²
Separate /var/log and /var/log/audit high πŸ”²
Separate /tmp and /var/tmp high πŸ”²
Restrict /usr mount options low πŸ”²
Restrict /var mount options low πŸ”²
Restrict /var/log and /var/log/audit mount options low πŸ”²
Restrict /proc mount options low πŸ”²
Restrict /boot mount options medium πŸ”²
Restrict /home mount options medium πŸ”²
Restrict /tmp/ and /var/tmp mount options medium πŸ”²
Restrict /dev/shm mount options medium πŸ”²
Polyinstantiated /tmp and /var/tmp medium πŸ”²
Set group for /dev/shm low πŸ”²
Encrypt swap low πŸ”²

Physical Access

Password for Single User Mode

  • low Protect Single User Mode with root password.

    Example:

    # Edit /etc/sysconfig/init.
    SINGLE=/sbin/sulogin

β˜‘οΈ Summary checklist

Rule Priority Checkbox
Protect Single User Mode. low πŸ”²

Bootloader

Protect bootloader config files

  • low Ensure bootloader config files are set properly permissions.

    Example:

    # Set the owner and group of /etc/grub.conf to the root user:
    chown root:root /etc/grub.conf
    chown -R root:root /etc/grub.d
    
    # Set permissions on the /etc/grub.conf or /etc/grub.d file to read and write for root only:
    chmod og-rwx /etc/grub.conf
    chmod -R og-rwx /etc/grub.d

β˜‘οΈ Summary checklist

Rule Priority Checkbox
Protect bootloader config files low πŸ”²

Linux Kernel

Kernel logs

  • low Restricting access to kernel logs.

    Example:

    echo "kernel.dmesg_restrict = 1" > /etc/sysctl.d/50-dmesg-restrict.conf

Kernel pointers

  • low Restricting access to kernel pointers.

    Example:

    echo "kernel.kptr_restrict = 1" > /etc/sysctl.d/50-kptr-restrict.conf

ExecShield

  • low ExecShield protection.

    Example:

    echo "kernel.exec-shield = 2" > /etc/sysctl.d/50-exec-shield.conf

Memory protections

  • low Randomise memory space.

    echo "kernel.randomize_va_space=2" > /etc/sysctl.d/50-rand-va-space.conf

β˜‘οΈ Summary checklist

Rule Priority Checkbox
Restricting access to kernel logs low πŸ”²
Restricting access to kernel pointers low πŸ”²
ExecShield protection low πŸ”²
Randomise memory space. low πŸ”²

Logging

Syslog

  • medium Ensure syslog service is enabled and running.

    Example:

    systemctl enable rsyslog
    systemctl start rsyslog
  • medium Send syslog data to external server.

    Example:

    # ELK
    # Logstash
    # Splunk
    # ...

β˜‘οΈ Summary checklist

Rule Priority Checkbox
Ensure syslog service is enabled and running. medium πŸ”²
Ensure syslog service is enabled and running. medium πŸ”²

Users and Groups

Passwords

  • medium Update password policy (PAM).

    Example:

    authconfig --passalgo=sha512 \
    --passminlen=14 \
    --passminclass=4 \
    --passmaxrepeat=2 \
    --passmaxclassrepeat=2 \
    --enablereqlower \
    --enablerequpper \
    --enablereqdigit \
    --enablereqother \
    --update
  • medium Limit password reuse (PAM).

    Example:

    # Edit /etc/pam.d/system-auth
    
    # For the pam_unix.so case:
    password sufficient pam_unix.so ... remember=5
    
    # For the pam_pwhistory.so case:
    password requisite pam_pwhistory.so ... remember=5
  • medium Secure /etc/login.defs password policy.

    Example:

    # Edit /etc/login.defs
    PASS_MIN_LEN 14
    PASS_MIN_DAYS 1
    PASS_MAX_DAYS 60
    PASS_WARN_AGE 14

Logon Access

  • low Set auto logout inactive users.

    Example:

    echo "readonly TMOUT=900" >> /etc/profile.d/idle-users.sh
    echo "readonly HISTFILE" >> /etc/profile.d/idle-users.sh
    chmod +x /etc/profile.d/idle-users.sh
  • low Set last logon/access notification.

    Example:

    # Edit /etc/pam.d/system-auth
    session required pam_lastlog.so showfailed
  • medium Lock out accounts after a number of incorrect login (PAM).

    Example:

    # Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth
    
    # Add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny=3 unlock_time=never fail_interval=900
    
    # Add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never fail_interval=900
    
    # Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so

β˜‘οΈ Summary checklist

Rule Priority Checkbox
Update password policy medium πŸ”²
Limit password reuse medium πŸ”²
Secure /etc/login.defs password policy medium πŸ”²
Set auto logout inactive users. low πŸ”²
Set last logon/access notification low πŸ”²
Lock out accounts after a number of incorrect login medium πŸ”²

Filesystem

Hardlinks & Symlinks

  • low Enable hard/soft link protection.

    Example:

    echo "fs.protected_hardlinks = 1" > /etc/sysctl.d/50-fs-hardening.conf
    echo "fs.protected_symlinks = 1" >> /etc/sysctl.d/50-fs-hardening.conf

Dynamic Mounting and Unmounting

  • medium Disable uncommon filesystems.

    Example:

    echo "install cramfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install freevxfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install jffs2 /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install hfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install hfsplus /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install squashfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install udf /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install fat /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install vfat /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install nfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install nfsv3 /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install gfs2 /bin/false" > /etc/modprobe.d/uncommon-fs.conf

β˜‘οΈ Summary checklist

Rule Priority Checkbox
Enable hard/soft link protection. low πŸ”²
Disable uncommon filesystems. medium πŸ”²

Permissions

SELinux & Auditd

SELinux Enforcing

  • high Set SELinux Enforcing mode.

    Example:

    # Edit /etc/selinux/config.
    SELINUXTYPE=enforcing

β˜‘οΈ Summary checklist

Rule Priority Checkbox
Set SELinux Enforcing mode. high πŸ”²

System Updates

Network

TCP/SYN

  • medium Enable TCP SYN Cookie protection.

    Example:

    echo "net.ipv4.tcp_syncookies = 1" > /etc/sysctl.d/50-net-stack.conf

Routing

  • medium Disable IP source routing.

    Example:

    echo "net.ipv4.conf.all.accept_source_route = 0" > /etc/sysctl.d/50-net-stack.conf

ICMP Protocol

  • medium Disable ICMP redirect acceptance.

    Example:

    echo "net.ipv4.conf.all.accept_redirects = 0" > /etc/sysctl.d/50-net-stack.conf
  • medium Enable ignoring to ICMP requests.

    Example:

    echo "net.ipv4.icmp_echo_ignore_all = 1" > /etc/sysctl.d/50-net-stack.conf

Broadcast

  • medium Enable ignoring broadcasts request.

    Example:

    echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/50-net-stack.conf

β˜‘οΈ Summary checklist

Rule Priority Checkbox
Enable TCP SYN Cookie protection. medium πŸ”²
Disable IP source routing. medium πŸ”²
Disable ICMP redirect acceptance. medium πŸ”²
Enable ignoring to ICMP requests. medium πŸ”²
Enable ignoring broadcasts request. medium πŸ”²

Services

Tools

About

Simple checklist to help you deploying the most important areas of the GNU/Linux production systems - work in progress.

Resources

License

Code of conduct

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published