hardening

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
hardening [2019/02/07 17:09] – [Filesystem encryption] adminhardening [2024/11/30 10:22] (current) – [Managing Accounts] dani
Line 1: Line 1:
-====== Hardening ======+====== Hardening on CentOS ======
  
 ===== Updates ===== ===== Updates =====
Line 52: Line 52:
  
 <code bash> <code bash>
-dd if=/dev/urandom of=<password file> bs=4096 count=1   chmod 0600 <password file>   cryptsetup luksAddKey /dev/<device> <password file>+dd if=/dev/urandom of=<password file> bs=4096 count=1    
 +chmod 0600 <password file>    
 +cryptsetup luksAddKey /dev/<device> <password file>
 </code> </code>
  
   * Add the encrypted partition into /etc/cryptab:   * Add the encrypted partition into /etc/cryptab:
  
-<file - /etc/cryptab>+<code bash>
 <name>       /dev/<device>         <password file> <name>       /dev/<device>         <password file>
 </code> </code>
Line 63: Line 65:
   * The /etc/fstab should contain a line like this:   * The /etc/fstab should contain a line like this:
  
-<file - /etc/fstab>+<code bash>
 /dev/<device>   /<mountpoint>       ext4    defaults        1 2 /dev/<device>   /<mountpoint>       ext4    defaults        1 2
 </code> </code>
Line 120: Line 122:
  
 <code bash> <code bash>
-setfacl -m u:dani:rwx /opt/test   getfacl test/   # file: opt/test/   # owner: root   # group: root   user::rwx   user:dani:rwx   group::r-x   mask::rwx   other::r-x+setfacl -m u:dani:rwx /opt/test    
 +getfacl test/    
 +# file: opt/test/    
 +# owner: root    
 +# group: root    
 +user::rwx    
 +user:dani:rwx    
 +group::r-x    
 +mask::rwx    
 +other::r-x 
 +</code> 
 + 
 +  * Grants read/execution permission to group users 
 +<code bash> 
 +setfacl -m g::rx /opt/test    
 +getfacl /opt/test/    
 +# file: opt/test/    
 +# owner: root    
 +# group: root    
 +user::rwx    
 +user:dani:rwx    
 +group::r-x    
 +mask::rwx    
 +other::r-x
 </code> </code>
  
-  * Grants read/execution permission to group users ''setfacl -m g::rx /opt/test   getfacl /opt/test/   # file: opt/test/   # owner: root   # group: root   user::rwx   user:dani:rwx   group::r-x   mask::rwx   other::r-x'' 
   * Grants read/execution permission to group wheel   * Grants read/execution permission to group wheel
  
 <code bash> <code bash>
-setfacl -m g:wheel:rx /opt/test   getfacl /opt/test/   # file: opt/test/   # owner: root   # group: root   user::rwx   user:dani:rwx   group::r-x   group:wheel:r-x   mask::rwx   other::r-x+setfacl -m g:wheel:rx /opt/test    
 +getfacl /opt/test/    
 +# file: opt/test/    
 +# owner: root    
 +# group: root    
 +user::rwx    
 +user:dani:rwx    
 +group::r-x    
 +group:wheel:r-x    
 +mask::rwx    
 +other::r-x
 </code> </code>
  
Line 187: Line 221:
 Usually the password and account ageing is configured in ''/etc/shadow''. Next picture describes the ''chage'' tool and the ''shadow'' file: Usually the password and account ageing is configured in ''/etc/shadow''. Next picture describes the ''chage'' tool and the ''shadow'' file:
  
-{{:images/Hardening/users.png| User management}}+{{:images:users.png?direct&600|User management}}
  
 === PAM Modules === === PAM Modules ===
Line 342: Line 376:
  
 <code xml> <code xml>
-<html><schema></html> <html><key></html>/schemas/apps/gdm/simple-greeter/banner_message_enable<html></key></html> <html><applyto></html>/apps/gdm/simple-greeter/banner_message_enable<html></applyto></html> <html><owner></html>gdm-simple-greeter<html></owner></html> <html><type></html>bool<html></type></html> +<schema> 
-<HTML+<key>/schemas/apps/gdm/simple-greeter/banner_message_enable</key> 
-<default> +<applyto>/apps/gdm/simple-greeter/banner_message_enable</applyto> 
-</HTML> +<owner>gdm-simple-greeter</owner> 
-false +<type>bool</type> 
-<HTML> +<default>false</default> 
-</default> +<gettext_domain>gdm</gettext_domain> 
-</HTML> +<locale name="C"> 
-<html><gettext_domain></html>gdm<html></gettext_domain></html> <html><locale name="C"></html> <html><short></html>Enable showing the banner message<html></short></html> <html><long></html>Set to true to show the banner message text.<html></long></html> <html></locale></html> <html></schema></html>+  <short>Enable showing the banner message</short> 
 +  <long>Set to true to show the banner message text.</long> 
 +</locale> 
 +</schema>
  
-<html><schema></html> <html><key></html>/schemas/apps/gdm/simple-greeter/banner_message_text<html></key></html> <html><applyto></html>/apps/gdm/simple-greeter/banner_message_text<html></applyto></html> <html><owner></html>gdm-simple-greeter<html></owner></html> <html><type></html>string<html></type></html> +<schema> 
-<HTML+<key>/schemas/apps/gdm/simple-greeter/banner_message_text</key> 
-<default> +<applyto>/apps/gdm/simple-greeter/banner_message_text</applyto> 
-</default> +<owner>gdm-simple-greeter</owner> 
-</HTML> +<type>string</type> 
-<html><gettext_domain></html>gdm<html></gettext_domain></html> <html><locale name="C"></html> <html><short></html>Banner message text<html></short></html> <html><long></html>Text banner message to show on the login window.<html></long></html> <html></locale></html> <html></schema></html>+<default></default> 
 +<gettext_domain>gdm</gettext_domain> 
 +<locale name="C"> 
 +  <short>Banner message text</short> 
 +  <long>Text banner message to show on the login window.</long> 
 +</locale> 
 +</schema>
 </code> </code>
  
Line 387: Line 430:
  
 <code shell> <code shell>
-cp /etc/aide.conf /etc/aide.conf.orig   # delete unwanted entries in config!   aide --init   mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz   aide --check+cp /etc/aide.conf /etc/aide.conf.orig    
 +# delete unwanted entries in config!    
 +aide --init   mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz    
 +aide --check
 </code> </code>
  
Line 398: Line 444:
   * Prepare server for ''ipa-server'' package installation   * Prepare server for ''ipa-server'' package installation
  
-<code shell+<code bash
-chkconfig NetworkManager off; service NetworkManager stop ... vim /etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE="eth0" BOOTPROTO="static" HWADDR="52:54:00:00:00:FA" IPV6INIT="yes" MTU="1500" NM_CONTROLLED="no" ONBOOT="yes" TYPE="Ethernet" UUID="383d9eaa-ac8a-43ff-96d9-fe76e9200877" IPADDR=192.168.0.101 NETMASK=255.255.255.0 GATEWAY=192.168.0.254 DNS1=192.168.0.254+chkconfig NetworkManager off; service NetworkManager stop 
 +... 
 +vim /etc/sysconfig/network-scripts/ifcfg-eth0 
 +DEVICE="eth0" 
 +BOOTPROTO="static" 
 +HWADDR="52:54:00:00:00:FA" 
 +IPV6INIT="yes" 
 +MTU="1500" 
 +NM_CONTROLLED="no" 
 +ONBOOT="yes" 
 +TYPE="Ethernet" 
 +UUID="383d9eaa-ac8a-43ff-96d9-fe76e9200877" 
 +IPADDR=192.168.0.101 
 +NETMASK=255.255.255.0 
 +GATEWAY=192.168.0.254 
 +DNS1=192.168.0.254
  
-vim /etc/hosts 127.0.0.1 localhost.localdomain localhost ::1 localhost6.localdomain6 localhost6 192.168.0.X+100 serverX.example.com serverX+vim /etc/hosts 
 +127.0.0.1 localhost.localdomain localhost 
 +::1 localhost6.localdomain6 localhost6 
 +192.168.0.X+100 serverX.example.com serverX
  
 chkconfig network on; service network restart chkconfig network on; service network restart
Line 424: Line 488:
  
 <code bash> <code bash>
-kinit admin Password for admin@EXAMPLE.COM: redhat13+kinit admin  
 +Password for admin@EXAMPLE.COM: redhat13
  
 ipa user-find admin ipa user-find admin
Line 446: Line 511:
  
 <code bash> <code bash>
-getent passwd admin   getent group admins   kinit admin+getent passwd admin    
 +getent group admins    
 +kinit admin
 </code> </code>
  
Line 452: Line 519:
  
 <code bash> <code bash>
-ipa user-add gpyle --first=Gomer --last=Pyle --password   ipa user-add cboyle --first=Charles --last=Boyle --password   ...+ipa user-add gpyle --first=Gomer --last=Pyle --password    
 +ipa user-add cboyle --first=Charles --last=Boyle --password    
 +...
 </code> </code>
  
Line 470: Line 539:
  
 <code bash> <code bash>
-ipa sudocmd-add --desc "For displaying logs" /usr/bin/tail   ipa sudocmdgroup-add --desc "List logs" loglist   ipa sudocmdgroup-add-member --sudocmds "/usr/bin/tail" loglist   ipa sudorule-add --hostcat "all" loglist-attr   ipa sudorule-add-option loglist-attr   Sudo Option: !authenticate   ipa sudorule-add-user --groups marines loglist-attr   ipa sudorule-add-allow-command --sudocmdgroups loglist loglist-attr+ipa sudocmd-add --desc "For displaying logs" /usr/bin/tail    
 +ipa sudocmdgroup-add --desc "List logs" loglist    
 +ipa sudocmdgroup-add-member --sudocmds "/usr/bin/tail" loglist    
 +ipa sudorule-add --hostcat "all" loglist-attr    
 +ipa sudorule-add-option loglist-attr   Sudo Option: !authenticate    
 +ipa sudorule-add-user --groups marines loglist-attr    
 +ipa sudorule-add-allow-command --sudocmdgroups loglist loglist-attr
 </code> </code>
  
Line 485: Line 560:
 </code> </code>
  
-## Rsyslog+===== Rsyslog =====
  
   * Make sure the NTP time is working fine on all invoked systems!   * Make sure the NTP time is working fine on all invoked systems!
   * Create and change into directory (''ca'')   * Create and change into directory (''ca'')
  
-<code bash+<code shell
-mkdir ca   cd ca+mkdir ca    
 +cd ca
 </code> </code>
  
Line 525: Line 601:
 Common name: serverX.example.com Common name: serverX.example.com
  
-Is this a TLS web client certificate? (y/N): y Is this also a TLS web server certificate? (y/N): y+Is this a TLS web client certificate? (y/N): y  
 +Is this also a TLS web server certificate? (y/N): y
  
 </code> </code>
Line 532: Line 609:
  
 <code bash> <code bash>
-certtool --generate-certificate --load-request serverX-request.pem --outfile serverX-cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem+certtool --generate-certificate --load-request serverX-request.pem --outfile serverX-cert.pem 
 +--load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
  
 The certificate will expire in (days): 1000 The certificate will expire in (days): 1000
  
-Is this a TLS web client certificate? (y/N): y Is this also a TLS web server certificate? (y/N): y Enter a dnsName of the subject of the certificate: serverX.example.com+Is this a TLS web client certificate? (y/N): y  
 +Is this also a TLS web server certificate? (y/N): y  
 +Enter a dnsName of the subject of the certificate: serverX.example.com
 </code> </code>
  
Line 544: Line 624:
  
 <code bash> <code bash>
-# make gtls driver the default $DefaultNetstreamDriver gtls+# make gtls driver the default  
 +$DefaultNetstreamDriver gtls
  
-# certificate files $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem $DefaultNetstreamDriverCertFile /etc/rsyslog-keys/serverX-cert.pem $DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/serverX-key.pem+# certificate files  
 +$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem  
 +$DefaultNetstreamDriverCertFile /etc/rsyslog-keys/serverX-cert.pem  
 +$DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/serverX-key.pem
  
 $ModLoad imtcp # load TCP listener $ModLoad imtcp # load TCP listener
  
-$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode $InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated $InputTCPServerRun 6514 # listen on port 6514+$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode  
 +$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated  
 +$InputTCPServerRun 6514 # listen on port 6514
 </code> </code>
  
Line 556: Line 642:
  
 <code bash> <code bash>
-# certificate files - just CA for a client $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem+# certificate files - just CA for a client  
 +$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem
  
-# set up the action $DefaultNetstreamDriver gtls # use gtls netstream driver $ActionSendStreamDriverMode 1 # require TLS for the connection $ActionSendStreamDriverAuthMode anon # server is NOT authenticated //.// @@(o)serverX.example.com:6514 # send (all) messages+# set up the action  
 +$DefaultNetstreamDriver gtls # use gtls netstream driver  
 +$ActionSendStreamDriverMode 1 # require TLS for the connection  
 +$ActionSendStreamDriverAuthMode anon # server is NOT authenticated  
 +*.@@(o)serverX.example.com:6514 # send (all) messages
 </code> </code>
  
   * Create ''/var/log/remote'' directory   * Create ''/var/log/remote'' directory
-  * Add following lines into ''/etc/rsyslog.d/remote.conf'' (you have a template here: ''curl file:///usr/share/doc/rsyslog-5.8.10/multi_ruleset.html |grep fromhost''):+  * Add following lines into ''/etc/rsyslog.d/remote.conf''you have a template here: 
  
 <code bash> <code bash>
-# process  remote messages   :fromhost-ip, !isequal, "127.0.0.1"     /var/log/remote/messages   # then discard them   :fromhost-ip, !isequal, "127.0.0.1"     ~+curl file:///usr/share/doc/rsyslog-5.8.10/multi_ruleset.html |grep fromhost 
 +</code> 
 + 
 +<code bash> 
 +# process  remote messages    
 +:fromhost-ip, !isequal, "127.0.0.1"     /var/log/remote/messages    
 +# then discard them    
 +:fromhost-ip, !isequal, "127.0.0.1"     ~
 </code> </code>
  
Line 576: Line 674:
 The trace command is probably useful (Example for date): The trace command is probably useful (Example for date):
  
-<code>+<code bash>
 autrace /bin/date autrace /bin/date
 Waiting to execute: /bin/date Waiting to execute: /bin/date
Line 585: Line 683:
 ausearch --raw -p 26572 | aureport --file -i ausearch --raw -p 26572 | aureport --file -i
 </code> </code>
 +
 ===== Iptables ===== ===== Iptables =====
  
 Using ''--line-numbers'' option is useful, if you have to delete or add a rule on the proper position: Using ''--line-numbers'' option is useful, if you have to delete or add a rule on the proper position:
  
-<code>+<code bash>
 Chain INPUT (policy ACCEPT 0 packets, 0 bytes) Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 num   pkts bytes target     prot opt in     out     source               destination num   pkts bytes target     prot opt in     out     source               destination
Line 612: Line 711:
 A very basic example script to initialize ''iptables'': A very basic example script to initialize ''iptables'':
  
-<code>+<code bash>
 iptables -F iptables -F
 iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -i lo -j ACCEPT
Line 624: Line 723:
 To delete a rule: To delete a rule:
  
-<code>+<code bash>
 iptables -D INPUT 11 iptables -D INPUT 11
 </code> </code>
Line 630: Line 729:
 To add a rule (insert): To add a rule (insert):
  
-<code>+<code bash>
 iptables -I INPUT 11 iptables -I INPUT 11
 </code> </code>
  
  • hardening.1549555784.txt.gz
  • Last modified: 2019/02/07 17:09
  • by admin