RedHat_EX413 Notes - Google Docs
Red Hat Certificate of Expertise in Server Hardening Notes (EX413) page 1 of 39
● Testing Environment
  ○ Virtualization HyperVisor
  ○ Host Environment
  ○ Guest Environment
  ○ Post basic installation tasks
● Objective 1: Identify Red Hat Common Vulnerabilities and Exposures (CVEs) and Red Hat Security Advisories (RHSAs) and selectively update systems based on this information
● Objective 2: Verify package security and validity
● Objective 3: Identify and employ standards-based practices for configuring file system security, create and use encrypted file systems, tune file system features, and use specific mount options to restrict access to file system volumes
● Objective 4: Configure default permissions for users and use special file permissions, attributes, and access control lists (ACLs) to control access to files
● Objective 5: Install and use intrusion detection capabilities in Red Hat Enterprise Linux to monitor critical system files
● Objective 6: Manage user account security and user password security
● Objective 7: Manage system login security using pluggable authentication modules (PAM)
● Objective 8: Configure console security by disabling features that allow systems to be rebooted or powered off using bootloader passwords
● Objective 9: Configure system-wide acceptable use notifications
● Objective 10: Install, configure, and manage identity management services and configure identity management clients
● Objective 11: Configure remote system logging services, configure system logging, and manage system log files using mechanisms such as log rotation and compression
  ○ Log Rotation
  ○ journal is a component of systemd for logging
Official Red Hat documentation on RHEL 7 can be found at: https://access.redhat.com/documentation/en/redhatenterpriselinux/
  ○ journalctl is used for viewing the journal log
  ○ journal only logs in memory or a small ring file in /run/log/journal; to create persistent storage, create the directory /var/log/journal
● Objective 12: Configure system auditing services and review audit reports
● Objective 13: Use network scanning tools to identify open network service ports and configure and troubleshoot system firewalling
● References
Testing Environment
● Virtualization HyperVisor
  ○ VirtualBox (Version 5.0.14 r105127 as of this writing)
● Host Environment (I'm double dipping and working at home and at work)
  ○ Xubuntu 14.04 LTS
  ○ CentOS 7.2
● Guest Environment (These might seem a little odd, but I am using this image for DISA STIG testing too)
  ○ CentOS 6.7 (As of 8 March 2016 the EX413 is done under v6 for some strange reason)
  ○ 2 vCPU
  ○ 1.5 GB RAM
  ○ 18 GB hard drive (Something of an unusual or non-standard layout. This is from the DISA STIG)
    ■ /               ~10 GiB
    ■ /boot           250 MiB
    ■ /home           1 GiB
    ■ /tmp            500 MiB
    ■ /var            5 GiB
    ■ /var/log        500 MiB
    ■ /var/log/audit  275 MiB
    ■ swap            500 MiB
  ○ 2 Network Ports
    ■ Port 1) VBox NAT
    ■ Port 2) Host-only Adapter
  ○ Server with GUI installation
    ■ + DNS Name Server
    ■ + Email Server
    ■ + FTP Server
    ■ + File and Storage Server
    ■ + Hardware Monitoring Utilities
    ■ + Java Platform
    ■ + Network File System Client
    ■ + Performance Tools
    ■ + Compatibility Libraries
    ■ + Security Tools
● Post basic installation tasks
  ○ Limit the number of kernels to keep to 2 for space reasons: change installonly_limit=2 in /etc/yum.conf
  ○ Enable the CentOS Plus repo
  ○ Install/Enable the EPEL repo
  ○ Install/Enable ELRepo
  ○ Install/Enable the Vault repos. This is because I started on purpose with an older version. Check http://vault.centos.org to match the version. In this case it was 7.1.1503. Run
      # yum --disablerepo="*" --enablerepo="C7*" update
    to update to the latest versions within the release.
  ○ Install DKMS
  ○ Install VirtualBox guest additions
MAKE A SNAPSHOT BEFORE YOU START MESSING AROUND WITH THINGS!!
SINCE I ORIGINALLY STARTED THIS DOCUMENT UNDER THE INCORRECT ASSUMPTION THAT THIS TEST WOULD BE UNDER RHEL7 I WILL KEEP THE INFORMATION INTACT AND DENOTE THE DIFFERENCES
Objective 1: Identify Red Hat Common Vulnerabilities and Exposures (CVEs) and Red Hat Security Advisories (RHSAs) and selectively update systems based on this information
● Using yum to check if there are any packages that need security updates:
    # yum check-update --security
    Loaded plugins: langpacks, product-id, subscription-manager
    rhel-7-workstation-rpms/x86_64 | 3.4 kB 00:00:00
    No packages needed for security; 0 packages available
● To update only security packages with yum:
    # yum update --security
● To list all available errata without installing them, run:
    # yum updateinfo list available
● To list all available security updates without installing them, run:
    # yum updateinfo list security all
  or
    # yum updateinfo list sec
● To get a list of the currently installed security updates, this command can be used:
    # yum updateinfo list security installed
● To list all available security updates with verbose descriptions of the issues they apply to:
    # yum info-sec
● Run the following command to download and apply all available security updates from Red Hat Network hosted or Red Hat Network Satellite:
    # yum -y update --security
  NOTE: It will install the latest available version of any package with at least one security erratum, and thus can also install non-security errata if they provide a more updated version of the package.
● To install only the packages that have a security erratum, use:
    # yum update-minimal --security -y
● yum-security also allows installing security updates based on the CVE reference of the issue.
  ○ To install a security update using a CVE reference, run:
      # yum update --cve <CVE-ID>
    For example:
      # yum update --cve CVE-2008-0947
  ○ Viewing available advisories by severity:
      # yum updateinfo list
      This system is receiving updates from RHN Classic or RHN Satellite.
      RHSA-2014:0159 Important/Sec. kernel-headers-2.6.32-431.5.1.el6.x86_64
      RHSA-2014:0164 Moderate/Sec.  mysql-5.1.73-3.el6_5.x86_64
      RHSA-2014:0164 Moderate/Sec.  mysql-devel-5.1.73-3.el6_5.x86_64
      RHSA-2014:0164 Moderate/Sec.  mysql-libs-5.1.73-3.el6_5.x86_64
      RHSA-2014:0164 Moderate/Sec.  mysql-server-5.1.73-3.el6_5.x86_64
      RHBA-2014:0158 bugfix         nss-sysinit-3.15.3-6.el6_5.x86_64
      RHBA-2014:0158 bugfix         nss-tools-3.15.3-6.el6_5.x86_64
  ○ If you want to apply only one specific advisory:
      # yum update --advisory=RHSA-2014:0159
  ○ However, if you would like more information about this advisory before applying it:
      # yum updateinfo RHSA-2014:0159
  ○ For more commands, consult the manual page of yum-security with:
      # man yum-security
Objective 2: Verify package security and validity
● The yum package manager allows for automatic verification of all packages it installs or upgrades. gpgcheck is enabled by default; localpkg_gpgcheck is NOT. To configure this option on your system, make sure the gpgcheck and localpkg_gpgcheck configuration directives are set to 1 in the /etc/yum.conf configuration file.
    # grep gpgcheck /etc/yum.conf
    gpgcheck=1
    localpkg_gpgcheck=1
  **NOTE** These can be overridden per repository in the /etc/yum.repos.d/*.repo files!!!
● Use the following command to manually verify package files on your filesystem:
    # rpmkeys --checksig package_file.rpm
● Check package scripts and triggers:
    # rpm -qp --scripts /home/userx/Downloads/my-awesome-application-1.2.rpm
● Check GPG key signatures:
    # rpm -K /home/userx/Downloads/my-awesome-application-1.1.rpm
    # rpm -vvK /home/userx/Downloads/my-awesome-application-1.1.rpm
● To verify Red Hat packages, you must import the Red Hat GPG key:
    # rpm --import /usr/share/rhn/RPM-GPG-KEY
● To display a list of all keys installed for RPM verification:
    # rpm -qa gpg-pubkey*
  For the Red Hat key, the output includes:
    gpg-pubkey-db42a60e-37ea5438
● To display details about a specific key:
    # rpm -qi gpg-pubkey-db42a60e-37ea5438
● Verify RPMs
  ○ rpm -qf can be used to determine what package a file belongs to:
      # rpm -qf /etc/passwd
      setup-2.5.58-7.el5
  ○ rpm -V verifies the installed files against what the package database recorded:
      # rpm -V setup-2.5.58-7.el5
      .M......  c /etc/passwd
      S.5....T  c /etc/printcap
  ○ Verify code matrix
      S  File size differs.
      M  File mode differs (includes permissions and file type).
      5  The MD5 checksum differs.
      D  The major and minor version numbers differ on a device file.
      L  A mismatch occurs in a link.
      U  The file ownership differs.
      G  The file group owner differs.
      T  The file time (mtime) differs.
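The verify-code matrix above is easier to use across a whole `rpm -Va` run when decoded by a script. The following is an added example, not a Red Hat tool: it parses `rpm -V` lines with the matrix, and its triage rule (content changes on config files are expected, everything else is worth a look) is an assumption of this example; the sample lines are constructed after the output shown above.

```python
"""Decode rpm -V output with the verify-code matrix and flag lines to
investigate.  Added example; sample lines are constructed."""
from typing import List, NamedTuple

# Column letters rpm prints when a test fails ('.' = passed, '?' = not testable)
VERIFY_CODES = {
    "S": "file size differs",
    "M": "mode differs (permissions and file type)",
    "5": "digest differs",
    "D": "device major/minor number differs",
    "L": "readlink path mismatch",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "mtime differs",
    "P": "capabilities differ",   # ninth column on newer rpm, absent on RHEL 5
}
FILE_TYPES = {"c": "config", "d": "documentation", "g": "ghost",
              "l": "license", "r": "readme"}


class VerifyResult(NamedTuple):
    path: str
    attr: str         # "c", "d", ... or "" for an ordinary payload file
    codes: str        # the letters that fired, e.g. "S5T"
    missing: bool     # rpm printed "missing" instead of a code column
    unreadable: bool  # at least one '?' column: a test could not be performed


def parse_rpm_verify_line(line: str) -> VerifyResult:
    """Parse one line such as 'S.5....T  c /etc/printcap'."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"not an rpm -V line: {line!r}")
    code = parts[0]
    if len(parts) == 3 and parts[1] in FILE_TYPES:
        attr, path = parts[1], parts[2]
    else:
        attr, path = "", " ".join(parts[1:])
    if code == "missing":
        return VerifyResult(path, attr, "", True, False)
    codes, unreadable = "", False
    for ch in code:
        if ch == ".":
            continue
        if ch == "?":
            unreadable = True
        elif ch in VERIFY_CODES:
            codes += ch
        else:
            raise ValueError(f"unknown verify code {ch!r} in {line!r}")
    return VerifyResult(path, attr, codes, False, unreadable)


def describe(result: VerifyResult) -> List[str]:
    """Human-readable reasons, in the order rpm printed them."""
    if result.missing:
        return ["file is missing"]
    return [VERIFY_CODES[c] for c in result.codes]


def is_suspicious(result: VerifyResult) -> bool:
    """Triage rule assumed by this example: an edited config file legitimately
    changes size, digest and mtime; a changed mode/owner/group/link/device,
    a missing file, or a content change outside config files needs a look."""
    if result.missing or result.unreadable:
        return True
    if set(result.codes) & set("MUGDLP"):
        return True
    return bool(set(result.codes) & set("S5T")) and result.attr != "c"


def suspicious_paths(rpm_v_output: str) -> List[str]:
    """Run the triage over a whole 'rpm -Va' style dump."""
    lines = filter(None, rpm_v_output.splitlines())
    return [r.path for r in map(parse_rpm_verify_line, lines) if is_suspicious(r)]


# Constructed sample, modelled on the notes' output plus a few extra cases
SAMPLE_OUTPUT = """\
.M......  c /etc/passwd
S.5....T  c /etc/printcap
S.5....T    /usr/bin/ps
missing   c /etc/hosts.deny
.....U..    /usr/sbin/sshd
"""

if __name__ == "__main__":
    for raw in filter(None, SAMPLE_OUTPUT.splitlines()):
        r = parse_rpm_verify_line(raw)
        flag = "INVESTIGATE" if is_suspicious(r) else "expected"
        print(f"{flag:12} {r.path}: {', '.join(describe(r))}")
```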
● Other yum tricks and tips
  ○ List packages and what repos they are part of:
      # yum --showduplicates list httpd | expand
      Loaded plugins: fastestmirror, langpacks
      Loading mirror speeds from cached hostfile
       * base: mirror.atlanticmetro.net
       * centosplus: mirror.atlanticmetro.net
       * elrepo: mirror.symnds.com
       * epel: mirror.cogentco.com
       * extras: mirror.rackspace.com
       * updates: mirror.symnds.com
      Installed Packages
      httpd.x86_64   2.4.6-40.el7.centos   @base
      Available Packages
      httpd.x86_64   2.4.6-40.el7.centos   base
  ○ To automatically remove unneeded dependencies when a package is removed, set clean_requirements_on_remove to 1 in /etc/yum.conf:
      # grep -i clean_requirements_on_remove /etc/yum.conf
      clean_requirements_on_remove=1
  ○ Limit the number of installonly packages kept. Usually used to limit the number of kernels installed. The default is 3.
      # grep installonly_limit /etc/yum.conf
      installonly_limit=2
Objective 3: Identify and employ standards-based practices for configuring file system security, create and use encrypted file systems, tune file system features, and use specific mount options to restrict access to file system volumes
● Multiple partitions
  ○ /tmp: temporary storage for users
    ■ should have 1777 permissions (world read/write/execute with the sticky bit)
    ■ nodev, nosuid and noexec mount options should be set in /etc/fstab
        # grep tmp /etc/fstab
        /dev/mapper/centos-tmp  /tmp  xfs  nodev,nosuid,noexec  1 2
  ○ /var: temporary dynamic storage for system services
  ○ /var/tmp
    ■ should be bound to /tmp. The bind is unbreakable and inherits its security from /tmp, and should prevent /var from filling up and causing issues
        # grep /tmp /etc/fstab | grep var
        /tmp  /var/tmp  none  bind  0 0
  ○ /var/log: system storage for log data
  ○ /var/log/audit: system storage for audit log data
        # grep /audit /etc/fstab
        /dev/mapper/centos-var_log_audit  /var/log/audit  xfs  defaults  0 0
  ○ /home: storage for users
    ■ the nodev mount option should also be set
        # grep /home /etc/fstab
        /dev/mapper/centos-home  /home  xfs  nodev  0 0
  ○ any removable media mount points should have the noexec, nodev and nosuid options set
        # grep <removable media mount point> /etc/fstab
  ○ /dev/shm is a temporary filesystem stored in memory
    ■ noexec, nodev and nosuid options should be set
        # grep shm /etc/fstab
        tmpfs  /dev/shm  tmpfs  size=6g,nodev,nosuid,noexec  0 0
● Useful /etc/fstab options
  ○ nosuid: setuid and setgid bits on files in the partition are ignored
  ○ noexec: prevents programs from being executed from the partition
  ○ nodev: prevents the partition from having special devices like block or character devices
  ○ rw: read/write (default, implied)
  ○ ro: read only
  To remount partitions on running systems:
    # mount -o remount,<options> <mount point>
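The per-mount-point options listed above can be checked mechanically. The following is an added example, not a Red Hat or CIS tool: it parses an fstab and reports which of the recommendations above (/tmp and /dev/shm with nodev,nosuid,noexec; /home with nodev; /var/tmp bind-mounted from /tmp) are not met; the fstab text and the policy table are constructed from these notes.

```python
"""Check an /etc/fstab against the mount-option baseline from the notes.
Added example; the policy table and sample fstab are constructed."""
from typing import Dict, List, Set

# mount point -> options that must be present, taken from the notes above
REQUIRED_OPTIONS: Dict[str, Set[str]] = {
    "/tmp":     {"nodev", "nosuid", "noexec"},
    "/dev/shm": {"nodev", "nosuid", "noexec"},
    "/home":    {"nodev"},
}


def parse_fstab(text: str) -> List[dict]:
    """One dict per real entry; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed fstab line: {raw!r}")
        entries.append({"device": fields[0], "mount": fields[1],
                        "type": fields[2], "options": set(fields[3].split(","))})
    return entries


def check_fstab(text: str) -> List[str]:
    """Return findings in policy order; an empty list means the baseline is met."""
    by_mount = {e["mount"]: e for e in parse_fstab(text)}
    findings = []
    for mount, required in REQUIRED_OPTIONS.items():
        entry = by_mount.get(mount)
        if entry is None:
            findings.append(f"{mount}: no separate fstab entry")
            continue
        missing = required - entry["options"]
        if missing:
            findings.append(f"{mount}: missing {','.join(sorted(missing))}")
    # /var/tmp should be a bind mount of /tmp so it inherits /tmp's restrictions
    var_tmp = by_mount.get("/var/tmp")
    if var_tmp is None or var_tmp["device"] != "/tmp" or "bind" not in var_tmp["options"]:
        findings.append("/var/tmp: not bind-mounted from /tmp")
    return findings


# Constructed sample: /tmp and /var/tmp follow the notes, /home and /dev/shm do not
SAMPLE_FSTAB = """\
# <device>                <mount>    <type>  <options>               <dump> <pass>
/dev/mapper/centos-root   /          xfs     defaults                0 0
/dev/mapper/centos-tmp    /tmp       xfs     nodev,nosuid,noexec     1 2
/tmp                      /var/tmp   none    bind                    0 0
/dev/mapper/centos-home   /home      xfs     defaults                0 0
tmpfs                     /dev/shm   tmpfs   size=6g,nodev,nosuid    0 0
"""

if __name__ == "__main__":
    for finding in check_fstab(SAMPLE_FSTAB) or ["fstab meets the baseline"]:
        print(finding)
```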
● Disable filesystem types that aren't needed
  ○ cramfs: a compressed read-only Linux filesystem
  ○ freevxfs: filesystem for Veritas
  ○ jffs2: log-structured filesystem used in flash devices
  ○ hfs: Mac OS filesystem
  ○ hfsplus: newer Mac OS filesystem
  ○ squashfs: similar to cramfs, a compressed Linux filesystem
  ○ udf: ISO/IEC 13346 and ECMA-167 spec filesystem. **NOTE** NEEDED TO SUPPORT WRITING DVDs and newer optical disc formats
  There are a few ways to disable these. CIS suggests adding a config file to /etc/modprobe.d and listing the modules there; I used bad_fs.conf.
  ○ Dry run of what would happen if the module was loaded:
      # /sbin/modprobe -n -v udf
      insmod /lib/modules/3.10.0-229.20.1.el7.x86_64/kernel/lib/crc-itu-t.ko
      insmod /lib/modules/3.10.0-229.20.1.el7.x86_64/kernel/fs/udf/udf.ko
  ○ Check to see if the module is loaded:
      # lsmod | grep udf
  ○ Change the operation for loading the module by adding this line to /etc/modprobe.d/bad_fs.conf:
      install udf /bin/false
● Standards-based file system security
  ○ Sticky bit should be set for all public directories: When a directory's sticky bit is set, the filesystem treats the files in such directories in a special way so that only the file's owner, the directory's owner, or the root user can rename or delete the file. Without the sticky bit set, any user with write and execute permissions for the directory can rename or delete contained files, regardless of the file's owner. Typically this is set on the /tmp directory to prevent ordinary users from deleting or moving other users' files.
    To find directories that are world writeable without the sticky bit set:
      # find / -type d -perm -002 ! -perm -1000 -exec ls -ld {} \;
    To set with chmod:
      # chmod 1777 <directory>
    [or]
      # chmod o+t <directory>
    Determining if the sticky bit is set: if the directory is not world executable (this directory is 1766), the bit shows as a capital T:
      # ls -ld sticky-dir/
      drwxrw-rwT. 2 root root 6 Feb  3 09:53 sticky-dir/
    If the directory is world executable (this directory is 1777), it shows as a lowercase t:
      # ls -ld sticky-dir/
      drwxrwxrwt. 2 root root 6 Feb  3 09:53 sticky-dir/
  ○ SetUID files (set User ID upon execution) are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner. SetUID permission on a directory is ignored. To find setuid files and directories:
      # find / -perm -4000 -exec ls -alL {} \;
  ○ SetGID files (set Group ID upon execution): the attribute allows for changing the group-based privileges within a process. Setting the setgid permission on a directory causes new files and subdirectories created within it to inherit its group ID, rather than the primary group ID of the user who created the file (the owner ID is never affected, only the group ID). Newly created subdirectories inherit the setgid bit. To find setgid files and directories:
      # find / -perm -2000 -exec ls -alL {} \;
  ○ Link Control: To prevent malicious users from exploiting potential vulnerabilities caused by unprotected hard and symbolic links, Red Hat Enterprise Linux 7 includes a feature that only allows links to be created or followed provided certain conditions are met.
    ■ hard links: one of the following needs to be true:
      ● The user owns the file to which they link.
      ● The user already has read and write access to the file to which they link.
    ■ symbolic links: processes are only permitted to follow links when outside of world-writeable directories with sticky bits, or one of the following needs to be true:
      ● The process following the symbolic link is the owner of the symbolic link.
      ● The owner of the directory is the same as the owner of the symbolic link.
    ■ This protection is turned on by default. It is controlled by the following options in the /usr/lib/sysctl.d/50-default.conf file:
        fs.protected_hardlinks = 1
        fs.protected_symlinks = 1
    To override the default settings and disable the protection, create a new configuration file called, for example, 51-no-protect-links.conf in the /etc/sysctl.d/ directory with the following content:
        fs.protected_hardlinks = 0
        fs.protected_symlinks = 0
  ○ Public directories should be user- and group-owned by root, a privileged system account, or an application account. The same command as above searches for world-writeable directories and displays the permissions. The correct ownership is somewhat subjective based on the system, the directory, etc.
    To find directories that are world writeable without the sticky bit set:
      # find /root -type d -perm -002 ! -perm -1000 -exec ls -ld {} \;
      drwxrwxrw- 2 root root 6 Feb  3 09:53 /root/sticky-dir
  ○ Check and document all world-writable files:
      # find / -type f -perm -0002 -exec ls -ld {} \;
  ○ All files and directories should have valid owners and groups:
      # find / -xdev \( -nouser -o -nogroup \) -ls
      51812050  0 drwxr-xr-x  2 622  root    57 Feb  3 11:28 /root/bad-directory
      51807907  4 -rw-r--r--  1 622  root  3072 Feb  3 11:27 /root/bad-directory/bad_file_1
      51193533 12 -rw-r--r--  1 root 622  12288 Feb  3 11:28 /root/bad-directory/bad_file_2
      51193534  8 -rw-r--r--  1 622  622   5120 Feb  3 11:28 /root/bad-directory/bad_file_3
  ○ Use AIDE to provide cryptographic hashes
  ○ User home directories should have modes 0750 or less permissive
  ○ User home directories should be owned by the user
● Encrypted File Systems
  ○ Shredding a partition fills it with random data to ensure no unencrypted data remains:
      # shred -v --iterations=1 /dev/luks_vg/luks_lv
      shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...
      shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...72MiB/2.0GiB 3%
      shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...138MiB/2.0GiB 6%
      shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...1.9GiB/2.0GiB 95%
      shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...2.0GiB/2.0GiB 100%
      #
  ○ Initialize the partition:
      # cryptsetup --verbose --verify-passphrase luksFormat /dev/luks_vg/luks_lv

      WARNING!
      ========
      This will overwrite data on /dev/luks_vg/luks_lv irrevocably.

      Are you sure? (Type uppercase yes): YES
      Enter passphrase:
      Verify passphrase:
      Command successful.
      #
  ○ Open the encrypted device and assign its device-mapper name:
      # cryptsetup luksOpen /dev/luks_vg/luks_lv luks_home
      Enter passphrase for /dev/luks_vg/luks_lv:
  ○ Check that it actually worked:
      # ls -al /dev/mapper/
      lrwxrwxrwx. 1 root root 7 Feb  8 13:55 luks_home -> ../dm-8
      lrwxrwxrwx. 1 root root 7 Feb  8 13:55 luks_vg-luks_lv -> ../dm-7
  ○ Normal commands to add a partition: mkfs, mount, df, add to /etc/fstab
      # mkfs.xfs /dev/mapper/luks_home
      # mount /dev/mapper/luks_home /luks_home
  ○ Add the partition to /etc/crypttab (this is what causes it to ask for the passphrase at boot):
      luks_home  /dev/luks_vg/luks_lv  none
  ○ Add/change a passphrase on an existing device:
      # cryptsetup luksAddKey /dev/luks_vg/luks_lv
  ○ Remove a passphrase from an existing device:
      # cryptsetup luksRemoveKey /dev/luks_vg/luks_lv
  ○ Verify or check for encrypted partitions:
      # lsblk -l
      sda1          8:1   0  250M  0 part   /boot
      luks_home   253:8   0    2G  0 crypt  /luks_home
      centos-home 253:7   0  1.5G  0 lvm    /home
      # blkid /dev/mapper/luks_home
      /dev/mapper/luks_home: UUID="48de524a-ba17-40b1-ac14-8a9f34421a50" TYPE="xfs"
      # blkid /dev/mapper/luks_vg-luks_lv
      /dev/mapper/luks_vg-luks_lv: UUID="ce54eeab-ea52-4273-acef-26a400901a98" TYPE="crypto_LUKS"
    **NOTE** primarily a manual process.
  ○ Check partitions to determine if they are encrypted:
      # more /etc/crypttab
Objective 4: Configure default permissions for users and use special file permissions, attributes, and access control lists (ACLs) to control access to files
● File system extended Access Control Lists (ACLs)
  ○ If a default ACL is associated with a directory, the mode parameter to the functions creating file objects and the default ACL of the directory are used to determine the ACL of the new object:
    1. The new object inherits the default ACL of the containing directory as its access ACL.
    2. The access ACL entries corresponding to the file permission bits are modified so that they contain no permissions that are not contained in the permissions specified by the mode parameter.
  ○ If no default ACL is associated with a directory, the mode parameter to the functions creating file objects and the file creation mask (umask(2)) are used to determine the ACL of the new object:
    1. The new object is assigned an access ACL containing entries of tag types ACL_USER_OBJ, ACL_GROUP_OBJ, and ACL_OTHER. The permissions of these entries are set to the permissions specified by the file creation mask.
    2. The access ACL entries corresponding to the file permission bits are modified so that they contain no permissions that are not contained in the permissions specified by the mode parameter.
    ■ ACL text forms
      ● user: A user ACL entry specifies the access granted to either the file owner (entry tag type ACL_USER_OBJ) or a specified user (entry tag type ACL_USER).
      ● group: A group ACL entry specifies the access granted to either the file group (entry tag type ACL_GROUP_OBJ) or a specified group (entry tag type ACL_GROUP).
      ● mask: A mask ACL entry specifies the maximum access which can be granted by any ACL entry except the user entry for the file owner and the other entry (entry tag type ACL_MASK).
      ● other: An other ACL entry specifies the access granted to any process that does not match any user or group ACL entries (entry tag type ACL_OTHER).
    ■ to set: setfacl (examples from the setfacl man page)
      Granting an additional user read access:
        setfacl -m u:lisa:r file
      Revoking write access from all groups and all named users (using the effective rights mask):
        setfacl -m m::rx file
      Removing a named group entry from a file's ACL:
        setfacl -x g:staff file
      Copying the ACL of one file to another:
        getfacl file1 | setfacl --set-file=- file2
      Copying the access ACL into the default ACL:
        getfacl --access dir | setfacl -d -M- dir
    ■ to read: getfacl -aL. The output format of getfacl is as follows:
        # file: somedir/
        # owner: lisa
        # group: staff
        # flags: -s-
        user::rwx
        user:joe:rwx               #effective:r-x
        group::rwx                 #effective:r-x
        group:cool:r-x
        mask::r-x
        other::r-x
        default:user::rwx
        default:user:joe:rwx       #effective:r-x
        default:group::r-x
        default:mask::r-x
        default:other::---
  ○ Set/verify default permissions for all authenticated users so they can only read and modify their own files:
      # grep -i umask /etc/login.defs
      UMASK 077
  ○ UMASK is usually set in a few other places too, like /etc/csh.cshrc and /etc/bashrc:
      # find /etc/ -type f -exec grep -i umask {} \; -print
  ○ And check the users' own dotfiles:
      # find /home/ -type f -exec grep -i umask {} \; -print
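The two numbered procedures above (with and without a default ACL) and the #effective annotations in the getfacl listing can be worked through in code. The following is an added example, not from the page or from the acl package: it models how a new file's ACL is derived from the parent's default ACL, the requested mode and the umask per acl(5), and how getfacl derives the effective rights from the mask; the ACL entries are constructed from the listing above, and the helper names are this example's own.

```python
"""Model of ACL inheritance at file creation (acl(5)) and of getfacl's
#effective rights.  Added example; entries below are constructed."""
from typing import List, Optional, Tuple

Entry = Tuple[str, str, str]   # (tag, qualifier, perms), e.g. ("user", "joe", "rwx")


def perm_to_int(p: str) -> int:
    return (4 if "r" in p else 0) | (2 if "w" in p else 0) | (1 if "x" in p else 0)


def int_to_perm(n: int) -> str:
    return ("r" if n & 4 else "-") + ("w" if n & 2 else "-") + ("x" if n & 1 else "-")


def parse_acl(text: str) -> List[Entry]:
    """Parse getfacl-style lines ('user:joe:rwx', 'default:mask::r-x') into
    (tag, qualifier, perms); '#' comments and #effective annotations are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if parts[0] == "default":
            parts = parts[1:]
        tag, qual, perms = parts
        entries.append((tag, qual, perms))
    return entries


def acl_for_new_object(default_acl: Optional[List[Entry]], mode: int, umask: int) -> List[Entry]:
    """Access ACL a new object gets, following the two numbered procedures."""
    if default_acl is None:
        # No default ACL: three base entries seeded from the umask (step 1)
        base = 0o777 & ~umask
        acl = [("user", "", int_to_perm((base >> 6) & 7)),
               ("group", "", int_to_perm((base >> 3) & 7)),
               ("other", "", int_to_perm(base & 7))]
    else:
        acl = list(default_acl)   # step 1: inherit the default ACL; umask is not applied
    # Step 2: entries that correspond to the file permission bits lose every
    # permission absent from the mode.  When a mask entry exists it is the mask,
    # not group::, that tracks the group bits; named entries are left alone.
    has_mask = any(tag == "mask" for tag, _, _ in acl)
    result = []
    for tag, qual, perms in acl:
        bits = perm_to_int(perms)
        if tag == "user" and qual == "":
            bits &= (mode >> 6) & 7
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            bits &= (mode >> 3) & 7
        elif tag == "other":
            bits &= mode & 7
        result.append((tag, qual, int_to_perm(bits)))
    return result


def effective(acl: List[Entry]) -> List[Tuple[Entry, str]]:
    """Effective rights as getfacl reports them: named users, the owning group
    and named groups are limited by the mask; user:: and other:: are not."""
    mask = next((perm_to_int(p) for t, _, p in acl if t == "mask"), None)
    out = []
    for tag, qual, perms in acl:
        limited = mask is not None and ((tag == "user" and qual != "") or tag == "group")
        eff = int_to_perm(perm_to_int(perms) & mask) if limited else perms
        out.append(((tag, qual, perms), eff))
    return out


# Constructed: the default ACL of a directory like 'somedir/' in the listing above
DEFAULT_ACL = parse_acl("""
default:user::rwx
default:user:joe:rwx
default:group::r-x
default:mask::r-x
default:other::---
""")

if __name__ == "__main__":
    # A plain 'touch' inside that directory asks for mode 0666 minus umask,
    # but with a default ACL present the umask is ignored and 0666 is masked
    # by the inherited entries; shown here with mode 0644 as the request.
    for (tag, qual, perms), eff in effective(acl_for_new_object(DEFAULT_ACL, 0o644, 0o022)):
        note = f"   #effective:{eff}" if eff != perms else ""
        print(f"{tag}:{qual}:{perms}{note}")
```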
Objective 5: Install and use intrusion detection capabilities in Red Hat Enterprise Linux to monitor critical system files
● Advanced Intrusion Detection Environment (AIDE)
  ○ Check to see if it's installed:
      # rpm -q aide
      package aide is not installed
      # yum install aide
      Installing:
       aide  x86_64  0.15.1-9.el7  base  129 k
  ○ Initialize AIDE:
      # /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
  ○ Check file integrity against the AIDE database:
      # /usr/sbin/aide --check
  ○ Putting it in a cron job might be smart:
      0 5 * * * /usr/sbin/aide --check
  ○ Additional files to be checked can be added to /etc/aide.conf
● TCP Wrappers
  ○ Check to see if they are installed:
      # rpm -q tcp_wrappers
      tcp_wrappers-7.6-77.el7.x86_64
  ○ /etc/hosts.allow varies by network configuration, setup, purpose, etc.
    This limits connections to sshd to just my local subnet:
      sshd: 192.168.56.0/255.255.255.0
    This allows connections to anything from my local subnet:
      all: 192.168.56.0/255.255.255.0
  ○ /etc/hosts.deny: deny everything everywhere that's not explicitly listed in the allow file:
      # cat /etc/hosts.deny
      ALL:ALL
Objective 6: Manage user account security and user password security
● Password quality is defined in /etc/security/pwquality.conf
● Shadow password suite configuration is in /etc/login.defs. **NOTE** Most of this has been moved to PAM
● Shadow file fields
  ○ login name
  ○ encrypted password
  ○ date of last password change
  ○ minimum password age
  ○ maximum password age
  ○ password warning period
  ○ password inactivity period
  ○ expiration date
  ○ reserved
● To check /etc/shadow for the minimum password change period (4th field):
    # awk -F: '$4 >= 1 {print $1}' /etc/shadow
  **NOTE** DoD STIG says 1 day minimum
● chage is for modifying account password aging
● chage --list will show the password aging settings for a user
● /etc/default/useradd sets defaults for new account creation
  ○ INACTIVE should be set to something other than -1 (which means never)
  ○ updating user inactivity
● Audit users for password inactivity, passwords, etc.:
    # cut -d: -f1 /etc/passwd | xargs -n1 passwd -S
Objective 7: Manage system login security using pluggable authentication modules (PAM)
● PAM Crash Course
  ○ each application should have its own PAM stack file
  ○ modules are run in the order they are listed, and the order is important
  ○ stack syntax: context (or type)  control-flag  module  module-options
  ○ context types
    ■ auth: determines who the user is and if that user has a valid account (authentication)
    ■ account: determines if the user is allowed access (authorization)
    ■ session: sets the session up
    ■ password: any rules for changing the password, if the application is allowed to
  ○ control flags
    ■ sufficient: if a sufficient module passes, that's enough. None of the other modules in that context are processed. Failing it does not fail the context though.
    ■ required: all required controls in a context must pass. They are all tried even if one fails, to obscure the exact failure for security reasons. **NOTE** None of the required modules after it will be processed in a context if a sufficient module passes
    ■ requisite: basically the same as required except processing stops as soon as a failure happens (think of it as fail-fast required)
    ■ optional: a success or failure really has no effect. Generally only used with session contexts.
  ○ modules are run in the order they are listed, and the order is important
    ■ i.e. if a sufficient module passes after a required module failed, access will still be denied.
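The control-flag rules above, including the ordering rule that a passing sufficient module does not rescue an earlier required failure, can be traced with a small simulator. The following is an added example, not from the page or from Linux-PAM: the stacks are shaped like the faillock stack in these notes, but every module result is constructed, pam_faillock's counters are not modelled, and [default=die] is modelled as pam.conf(5) defines it (every return value, success included, ends the stack with a failure).

```python
"""Simulate PAM control flags on one auth stack to show why order matters.
Added example; module results are constructed, not real PAM."""
from typing import List, Tuple

Line = Tuple[str, str, bool]   # (control flag, module, result: True = PAM_SUCCESS)


def run_stack(stack: List[Line]) -> Tuple[bool, List[str]]:
    """Evaluate top to bottom; return (access granted, trace of what ran)."""
    trace: List[str] = []
    required_failed = False   # remembered, but the stack keeps running
    for control, module, ok in stack:
        trace.append(f"{control:<14}{module:<20}{'PASS' if ok else 'FAIL'}")
        if control == "required":
            if not ok:
                required_failed = True   # keep going: the caller can't tell which module failed
        elif control == "requisite":
            if not ok:
                trace.append("-> deny immediately, remaining modules skipped")
                return False, trace
        elif control == "[default=die]":
            # no success= action given, so every result maps to 'die'
            trace.append("-> die: deny immediately, remaining modules skipped")
            return False, trace
        elif control == "sufficient":
            if ok and not required_failed:
                trace.append("-> allow, remaining modules skipped")
                return True, trace
            # a failing sufficient, or a passing one after a required failure, changes nothing
        elif control == "optional":
            pass   # only counts when it is the sole module in the stack
        else:
            raise ValueError(f"unsupported control flag: {control}")
    if len(stack) == 1 and stack[0][0] == "optional":
        return stack[0][2], trace
    granted = not required_failed
    trace.append("-> end of stack: " + ("allow" if granted else "deny"))
    return granted, trace


# Constructed scenarios on a stack shaped like the notes' faillock example
GOOD_PASSWORD: List[Line] = [
    ("required",      "pam_env.so",        True),
    ("sufficient",    "pam_unix.so",       True),   # password accepted: stack ends here
    ("[default=die]", "pam_faillock.so",   True),   # never reached
    ("requisite",     "pam_succeed_if.so", True),   # never reached
    ("required",      "pam_deny.so",       False),  # never reached
]
BAD_PASSWORD: List[Line] = [
    ("required",      "pam_env.so",        True),
    ("sufficient",    "pam_unix.so",       False),  # wrong password: ignored, carry on
    ("[default=die]", "pam_faillock.so",   True),   # records the failure, then dies
    ("requisite",     "pam_succeed_if.so", True),
    ("required",      "pam_deny.so",       False),
]
REQUIRED_FAILED_FIRST: List[Line] = [
    ("required",      "pam_env.so",        False),  # constructed failure
    ("sufficient",    "pam_unix.so",       True),   # right password, still denied
    ("required",      "pam_deny.so",       False),
]

if __name__ == "__main__":
    for name, stack in [("good password", GOOD_PASSWORD), ("bad password", BAD_PASSWORD),
                        ("required failed first", REQUIRED_FAILED_FIRST)]:
        granted, trace = run_stack(stack)
        print(f"== {name}: {'ALLOW' if granted else 'DENY'}")
        print("\n".join("   " + t for t in trace))
```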
  ○ if an application can't find its stack file, it falls back to /etc/pam.d/other
● Forcing strong passwords
  ○ set in the /etc/pam.d/passwd file via the pam_pwquality module
  ○ /etc/security/pwquality.conf sets custom rules
  ○ to enable, add to the /etc/pam.d/passwd file:
      password  required  pam_pwquality.so retry=3
● Remembering passwords: add the remember parameter in /etc/pam.d/system-auth:
      password  sufficient  pam_unix.so remember=5
● Account Locking
  ○ pam_faillock module
  ○ /var/run/faillock contains logs of failures per user
  ○ to enable, add lines 2 and 5 to /etc/pam.d/system-auth and /etc/pam.d/password-auth:
      1 auth required      pam_env.so
      2 auth required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
      3 auth sufficient    pam_fprintd.so
      4 auth sufficient    pam_unix.so nullok try_first_pass
      5 auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
      6 auth requisite     pam_succeed_if.so uid >= 1000 quiet_success
      7 auth required      pam_deny.so
    **NOTE** these will lock out a non-root user after 3 tries for 10 minutes
    Add before the first account entry in both files:
      account required pam_faillock.so
    ** To include the root user, add the even_deny_root option to the auth entries:
      2 auth required      pam_faillock.so preauth silent audit deny=3 unlock_time=600 even_deny_root
      5 auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 even_deny_root
    ** To exclude users from the rule:
      auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2:user3
  ○ checking the number of failed login attempts:
      # faillock
      user1:
      When                 Type  Source  Valid
      2013-03-05 11:44:14  TTY   pts/0
  ○ resetting a user's account:
      # faillock --user <username> --reset
● Limiting root (or other user) access with PAM. **NOTE** ONLY WORKS ON PAM-AWARE SERVICES (which most are now)
  ○ /lib/security/pam_listfile.so is the module
  ○ add the module as a required auth to the service file in /etc/pam.d:
      auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ \
           onerr=succeed
● Limiting root via /etc/securetty
  ○ remove all entries except console
  ○ to enable login managers to read /etc/securetty, add the following line
      auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
    to /etc/pam.d/{gdm,gdm-autologin,gdm-fingerprint,gdm-password,gdm-smartcard,kdm,kdm-np,xdm}
● Limit/disable root from ssh
  ○ uncomment/add to /etc/ssh/sshd_config:
      PermitRootLogin no
● Keeping custom settings with authconfig
  ○ check to see if the auth files are links (default setup):
      # ls -l /etc/pam.d/{password,system}-auth
      lrwxrwxrwx. 1 root root 16 Feb  1 11:13 /etc/pam.d/password-auth -> password-auth-ac
      lrwxrwxrwx. 1 root root 14 Feb  1 11:13 /etc/pam.d/system-auth -> system-auth-ac
  ○ if the auth files aren't links, move them:
      # mv system-auth system-auth-ac
      # mv password-auth password-auth-ac
  ○ create a custom local file, /etc/pam.d/system-auth-local, which contains:
      auth      required       pam_faillock.so preauth silent audit deny=3 unlock_time=600
      auth      include        system-auth-ac
      auth      [default=die]  pam_faillock.so authfail silent audit deny=3 unlock_time=600
      account   required       pam_faillock.so
      account   include        system-auth-ac
      password  include        system-auth-ac
      session   include        system-auth-ac
  ○ create a custom local file, /etc/pam.d/password-auth-local, which contains:
      auth      required       pam_faillock.so preauth silent audit deny=3 unlock_time=600
      auth      include        password-auth-ac
      auth      [default=die]  pam_faillock.so authfail silent audit deny=3 unlock_time=600
      account   required       pam_faillock.so
      account   include        password-auth-ac
      password  include        password-auth-ac
      session   include        password-auth-ac
  ○ create new links:
      # ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth
      # ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth
Objective 8: Configure console security by disabling features that allow systems to be rebooted or powered off using bootloader passwords
● Bootloader passwords
  ○ Is it enabled already?
    ■ BIOS machines:
        # grep -i password /boot/grub2/grub.cfg
    ■ UEFI machines:
        # grep -i password /boot/efi/EFI/redhat/grub.cfg
  ○ Adding users
    ■ Create the /etc/grub.d/01_users file and add the following
        cat