hardening

Differences

hardening [2019/02/07 17:26] – [Filesystem encryption] adminhardening [2024/11/30 10:22] (current) – [Managing Accounts] dani
Line 1: Line 1:
-====== Hardening ======+====== Hardening on CentOS ======
  
 ===== Updates ===== ===== Updates =====
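Review bot: the new title narrows the page to CentOS but not to a release, while later hunks rely on CentOS 6-era tooling (''chkconfig''/''service'', ''NM_CONTROLLED="no"'' in ''ifcfg-eth0'', legacy ''$...'' rsyslog directives); say which release the procedures were written for, so readers on later releases with systemd, firewalld and NetworkManager know where the commands differ.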
Line 122: Line 122:
  
 <code bash> <code bash>
-setfacl -m u:dani:rwx /opt/test   getfacl test/   # file: opt/test/   # owner: root   # group: root   user::rwx   user:dani:rwx   group::r-x   mask::rwx   other::r-x+setfacl -m u:dani:rwx /opt/test    
 +getfacl test/    
 +# file: opt/test/    
 +# owner: root    
 +# group: root    
 +user::rwx    
 +user:dani:rwx    
 +group::r-x    
 +mask::rwx    
 +other::r-x 
 +</code> 
 + 
 +  * Grants read/execution permission to group users 
 +<code bash> 
 +setfacl -m g::rx /opt/test    
 +getfacl /opt/test/    
 +# file: opt/test/    
 +# owner: root    
 +# group: root    
 +user::rwx    
 +user:dani:rwx    
 +group::r-x    
 +mask::rwx    
 +other::r-x
 </code> </code>
  
-  * Grants read/execution permission to group users ''setfacl -m g::rx /opt/test   getfacl /opt/test/   # file: opt/test/   # owner: root   # group: root   user::rwx   user:dani:rwx   group::r-x   mask::rwx   other::r-x'' 
   * Grants read/execution permission to group wheel   * Grants read/execution permission to group wheel
  
 <code bash> <code bash>
-setfacl -m g:wheel:rx /opt/test   getfacl /opt/test/   # file: opt/test/   # owner: root   # group: root   user::rwx   user:dani:rwx   group::r-x   group:wheel:r-x   mask::rwx   other::r-x+setfacl -m g:wheel:rx /opt/test    
 +getfacl /opt/test/    
 +# file: opt/test/    
 +# owner: root    
 +# group: root    
 +user::rwx    
 +user:dani:rwx    
 +group::r-x    
 +group:wheel:r-x    
 +mask::rwx    
 +other::r-x
 </code> </code>
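Review bot: the second example's bullet says "group users" but ''setfacl -m g::rx /opt/test'' modifies the owning-group base entry (here root, see ''# group: root''), not a group named ''users''; if the owning group is meant, reword the bullet to "owning group", and if a ''users'' group is meant use ''g:users:rx'' so it appears as a named ''group:users:r-x'' entry like the ''group:wheel:r-x'' entry in the third example. Also the first example runs ''getfacl test/'' with a relative path while the other two use ''/opt/test/''; use the absolute path in all three so the shown output (''# file: opt/test/'') is reproducible from any working directory.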
  
Line 189: Line 221:
 Usually the password and account ageing is configured in ''/etc/shadow''. Next picture describes the ''chage'' tool and the ''shadow'' file: Usually the password and account ageing is configured in ''/etc/shadow''. Next picture describes the ''chage'' tool and the ''shadow'' file:
  
-{{:images/Hardening/users.png| User management}}+{{:images:users.png?direct&600|User management}}
  
 === PAM Modules === === PAM Modules ===
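Review bot: the media link moves from the ''images/Hardening/'' namespace to ''images:'' and adds ''?direct&600''; confirm the file was actually moved or re-uploaded as ''images:users.png'' (the diff only changes the reference), otherwise the ''chage''/''shadow'' explanation that depends on the picture renders a broken image.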
Line 344: Line 376:
  
 <code xml> <code xml>
-<html><schema></html> <html><key></html>/schemas/apps/gdm/simple-greeter/banner_message_enable<html></key></html> <html><applyto></html>/apps/gdm/simple-greeter/banner_message_enable<html></applyto></html> <html><owner></html>gdm-simple-greeter<html></owner></html> <html><type></html>bool<html></type></html> +<schema> 
-<HTML+<key>/schemas/apps/gdm/simple-greeter/banner_message_enable</key> 
-<default> +<applyto>/apps/gdm/simple-greeter/banner_message_enable</applyto> 
-</HTML> +<owner>gdm-simple-greeter</owner> 
-false +<type>bool</type> 
-<HTML> +<default>false</default> 
-</default> +<gettext_domain>gdm</gettext_domain> 
-</HTML> +<locale name="C"> 
-<html><gettext_domain></html>gdm<html></gettext_domain></html> <html><locale name="C"></html> <html><short></html>Enable showing the banner message<html></short></html> <html><long></html>Set to true to show the banner message text.<html></long></html> <html></locale></html> <html></schema></html>+  <short>Enable showing the banner message</short> 
 +  <long>Set to true to show the banner message text.</long> 
 +</locale> 
 +</schema>
  
-<html><schema></html> <html><key></html>/schemas/apps/gdm/simple-greeter/banner_message_text<html></key></html> <html><applyto></html>/apps/gdm/simple-greeter/banner_message_text<html></applyto></html> <html><owner></html>gdm-simple-greeter<html></owner></html> <html><type></html>string<html></type></html> +<schema> 
-<HTML+<key>/schemas/apps/gdm/simple-greeter/banner_message_text</key> 
-<default> +<applyto>/apps/gdm/simple-greeter/banner_message_text</applyto> 
-</default> +<owner>gdm-simple-greeter</owner> 
-</HTML> +<type>string</type> 
-<html><gettext_domain></html>gdm<html></gettext_domain></html> <html><locale name="C"></html> <html><short></html>Banner message text<html></short></html> <html><long></html>Text banner message to show on the login window.<html></long></html> <html></locale></html> <html></schema></html>+<default></default> 
 +<gettext_domain>gdm</gettext_domain> 
 +<locale name="C"> 
 +  <short>Banner message text</short> 
 +  <long>Text banner message to show on the login window.</long> 
 +</locale> 
 +</schema>
 </code> </code>
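Review bot: the cleaned-up XML shows only the stock GConf schema entries, ''<default>false</default>'' for ''banner_message_enable'' and an empty default for ''banner_message_text'', i.e. the state before hardening; the hunk does not show the values a hardened GDM login screen should carry or how they are applied. Either the surrounding text must say these are the schema definitions being documented, or the block should be followed by the step that sets the enable key to ''true'' and fills in the warning text, otherwise a reader may copy the defaults believing they are the hardened configuration.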
  
Line 389: Line 430:
  
 <code shell> <code shell>
-cp /etc/aide.conf /etc/aide.conf.orig   # delete unwanted entries in config!   aide --init   mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz   aide --check+cp /etc/aide.conf /etc/aide.conf.orig    
 +# delete unwanted entries in config!    
 +aide --init   mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz    
 +aide --check
 </code> </code>
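Review bot: the reflowed block still has two commands on one line, ''aide --init   mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz'', which reads as ''aide'' being invoked with ''mv'' and two paths as arguments; put ''mv'' on its own line, or join the two with ''&&'' so the rename only happens when the initialisation succeeded. It is also worth a comment that the renamed ''aide.db.gz'' is the trust anchor for every later ''aide --check'' and should be copied to read-only or off-host storage before the system goes into service, since an attacker who can rewrite it can hide their changes.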
  
Line 400: Line 444:
   * Prepare server for ''ipa-server'' package installation   * Prepare server for ''ipa-server'' package installation
  
-<code shell+<code bash
-chkconfig NetworkManager off; service NetworkManager stop ... vim /etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE="eth0" BOOTPROTO="static" HWADDR="52:54:00:00:00:FA" IPV6INIT="yes" MTU="1500" NM_CONTROLLED="no" ONBOOT="yes" TYPE="Ethernet" UUID="383d9eaa-ac8a-43ff-96d9-fe76e9200877" IPADDR=192.168.0.101 NETMASK=255.255.255.0 GATEWAY=192.168.0.254 DNS1=192.168.0.254+chkconfig NetworkManager off; service NetworkManager stop 
 +... 
 +vim /etc/sysconfig/network-scripts/ifcfg-eth0 
 +DEVICE="eth0" 
 +BOOTPROTO="static" 
 +HWADDR="52:54:00:00:00:FA" 
 +IPV6INIT="yes" 
 +MTU="1500" 
 +NM_CONTROLLED="no" 
 +ONBOOT="yes" 
 +TYPE="Ethernet" 
 +UUID="383d9eaa-ac8a-43ff-96d9-fe76e9200877" 
 +IPADDR=192.168.0.101 
 +NETMASK=255.255.255.0 
 +GATEWAY=192.168.0.254 
 +DNS1=192.168.0.254
  
-vim /etc/hosts 127.0.0.1 localhost.localdomain localhost ::1 localhost6.localdomain6 localhost6 192.168.0.X+100 serverX.example.com serverX+vim /etc/hosts 
 +127.0.0.1 localhost.localdomain localhost 
 +::1 localhost6.localdomain6 localhost6 
 +192.168.0.X+100 serverX.example.com serverX
  
 chkconfig network on; service network restart chkconfig network on; service network restart
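Review bot: the ''ifcfg-eth0'' listing carries host-specific values, ''HWADDR="52:54:00:00:00:FA"'' and the ''UUID'' line; copied to a machine with a different MAC they stop the network script from bringing up eth0, so either drop those two lines from the example or mark them as values to be replaced. Likewise ''192.168.0.X+100 serverX.example.com serverX'' in ''/etc/hosts'' is an exercise placeholder that will not parse literally; state that ''X'' is to be substituted (as the ''serverX'' hostname already implies) so nobody pastes it verbatim. Mixing the ''vim'' invocations with the file contents inside one ''<code bash>'' block also makes the listing look like shell input; a short "contents of ..." line between command and file would keep it unambiguous.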
Line 426: Line 488:
  
 <code bash> <code bash>
-kinit admin Password for admin@EXAMPLE.COM: redhat13+kinit admin  
 +Password for admin@EXAMPLE.COM: redhat13
  
 ipa user-find admin ipa user-find admin
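Review bot: ''Password for admin@EXAMPLE.COM: redhat13'' puts the password into the transcript even though ''kinit'' never echoes it; that misleads readers about what they will see on screen and ships a lab credential inside a hardening guide. Leave the prompt line as ''Password for admin@EXAMPLE.COM:'' and, if the lab password has to be stated, do it in the prose with a note that it is a throwaway classroom value.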
Line 448: Line 511:
  
 <code bash> <code bash>
-getent passwd admin   getent group admins   kinit admin+getent passwd admin    
 +getent group admins    
 +kinit admin
 </code> </code>
  
Line 454: Line 519:
  
 <code bash> <code bash>
-ipa user-add gpyle --first=Gomer --last=Pyle --password   ipa user-add cboyle --first=Charles --last=Boyle --password   ...+ipa user-add gpyle --first=Gomer --last=Pyle --password    
 +ipa user-add cboyle --first=Charles --last=Boyle --password    
 +...
 </code> </code>
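Review bot: ''ipa user-add ... --password'' prompts for the password interactively (the block does not show the prompt), and FreeIPA marks a password set by an administrator as expired, so the first ''kinit gpyle'' or ''kinit cboyle'' will demand a password change; mention both, or the logins that follow will look like failures to the reader.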
  
Line 472: Line 539:
  
 <code bash> <code bash>
-ipa sudocmd-add --desc "For displaying logs" /usr/bin/tail   ipa sudocmdgroup-add --desc "List logs" loglist   ipa sudocmdgroup-add-member --sudocmds "/usr/bin/tail" loglist   ipa sudorule-add --hostcat "all" loglist-attr   ipa sudorule-add-option loglist-attr   Sudo Option: !authenticate   ipa sudorule-add-user --groups marines loglist-attr   ipa sudorule-add-allow-command --sudocmdgroups loglist loglist-attr+ipa sudocmd-add --desc "For displaying logs" /usr/bin/tail    
 +ipa sudocmdgroup-add --desc "List logs" loglist    
 +ipa sudocmdgroup-add-member --sudocmds "/usr/bin/tail" loglist    
 +ipa sudorule-add --hostcat "all" loglist-attr    
 +ipa sudorule-add-option loglist-attr   Sudo Option: !authenticate    
 +ipa sudorule-add-user --groups marines loglist-attr    
 +ipa sudorule-add-allow-command --sudocmdgroups loglist loglist-attr
 </code> </code>
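Review bot: ''ipa sudorule-add-option loglist-attr   Sudo Option: !authenticate'' still has the interactive prompt and its answer run together with the command; give the prompt its own line (as was done for ''kinit'') or pass it non-interactively with ''--sudooption="!authenticate"''. Substantively, this rule lets every member of ''marines'' run ''/usr/bin/tail'' as root on every host (''--hostcat "all"'') without re-authenticating, and ''tail -n +1'' reads any file root can, ''/etc/shadow'' included, so "For displaying logs" describes far less than what is granted; either drop ''!authenticate'' or constrain the command to a wrapper limited to ''/var/log'', and state the caveat in the text.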
  
Line 492: Line 565:
   * Create and change into directory (''ca'')   * Create and change into directory (''ca'')
  
-<code bash+<code shell
-mkdir ca   cd ca+mkdir ca    
 +cd ca
 </code> </code>
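Review bot: this hunk changes ''<code bash>'' to ''<code shell>'' while the ''ipa-server'' preparation hunk above does the reverse (''<code shell>'' to ''<code bash>''); settle on one tag for the whole page, since the two are highlighted differently and the inconsistency will keep generating churn.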
  
Line 527: Line 601:
 Common name: serverX.example.com Common name: serverX.example.com
  
-Is this a TLS web client certificate? (y/N): y Is this also a TLS web server certificate? (y/N): y+Is this a TLS web client certificate? (y/N): y  
 +Is this also a TLS web server certificate? (y/N): y
  
 </code> </code>
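Review bot: the request answers both "TLS web client certificate" and "TLS web server certificate" with ''y'', and the signing step further down repeats exactly the same questions; the text should say that the answers given at ''--generate-certificate'' are what end up in the issued certificate (certtool does not carry extensions over from the request unless the template sets ''honor_crq_extensions''), so the answers here only affect the CSR itself. For the rsyslog receiver this certificate is later configured for, only the server usage is needed; answer ''N'' to the client question unless serverX will also forward logs.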
Line 534: Line 609:
  
 <code bash> <code bash>
-certtool --generate-certificate --load-request serverX-request.pem --outfile serverX-cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem+certtool --generate-certificate --load-request serverX-request.pem --outfile serverX-cert.pem 
 +--load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
  
 The certificate will expire in (days): 1000 The certificate will expire in (days): 1000
  
-Is this a TLS web client certificate? (y/N): y Is this also a TLS web server certificate? (y/N): y Enter a dnsName of the subject of the certificate: serverX.example.com+Is this a TLS web client certificate? (y/N): y  
 +Is this also a TLS web server certificate? (y/N): y  
 +Enter a dnsName of the subject of the certificate: serverX.example.com
 </code> </code>
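Review bot: the ''certtool --generate-certificate'' command is now split over two lines without a continuation backslash, so pasting the ''<code bash>'' block runs ''certtool'' without the CA arguments and then tries to execute ''--load-ca-certificate ca.pem --load-ca-privkey ca-key.pem'' as a separate command; end the first line with a backslash or keep the invocation on one line. A one-line note that ''ca-key.pem'' must stay on the CA host only (it is never needed by rsyslog) would also fit here.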
  
Line 546: Line 624:
  
 <code bash> <code bash>
-# make gtls driver the default $DefaultNetstreamDriver gtls+# make gtls driver the default  
 +$DefaultNetstreamDriver gtls
  
-# certificate files $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem $DefaultNetstreamDriverCertFile /etc/rsyslog-keys/serverX-cert.pem $DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/serverX-key.pem+# certificate files  
 +$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem  
 +$DefaultNetstreamDriverCertFile /etc/rsyslog-keys/serverX-cert.pem  
 +$DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/serverX-key.pem
  
 $ModLoad imtcp # load TCP listener $ModLoad imtcp # load TCP listener
  
-$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode $InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated $InputTCPServerRun 6514 # listen on port 6514+$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode  
 +$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated  
 +$InputTCPServerRun 6514 # listen on port 6514
 </code> </code>
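Review bot: ''$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated'' means the receiver accepts a TLS session from any peer that can reach port 6514, so the channel is confidential but the origin of each log line is unverified and anyone on the network can inject or flood entries. Since the page already runs a CA and signs client-capable certificates, the hardened setting is ''x509/name'' together with ''$InputTCPServerStreamDriverPermittedPeer'' listing the allowed client names; keep ''anon'' only as a clearly labelled transport-encryption-only first step.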
  
Line 558: Line 642:
  
 <code bash> <code bash>
-# certificate files - just CA for a client $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem+# certificate files - just CA for a client  
 +$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem
  
-# set up the action $DefaultNetstreamDriver gtls  +# set up the action  
-# use gtls netstream driver $ActionSendStreamDriverMode 1  +$DefaultNetstreamDriver gtls # use gtls netstream driver  
-# require TLS for the connection $ActionSendStreamDriverAuthMode anon  +$ActionSendStreamDriverMode 1 # require TLS for the connection  
-# server is NOT authenticated //.// @@(o)serverX.example.com:6514 # send (all) messages+$ActionSendStreamDriverAuthMode anon # server is NOT authenticated  
 +*.@@(o)serverX.example.com:6514 # send (all) messages
 </code> </code>
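Review bot: the forwarding line is now ''*.@@(o)serverX.example.com:6514'', which has lost the priority half of the selector; it must be ''*.* @@(o)serverX.example.com:6514'' (facility.priority, then the action), otherwise rsyslog rejects the rule and nothing is forwarded. The old side's ''//.// @@(o)...'' shows the original ''*.*'' had been mangled by wiki italics, so re-check the rendered page after the fix. Separately, ''$ActionSendStreamDriverAuthMode anon # server is NOT authenticated'' means the client ships its logs to whatever answers at that address; pair the CA file configured above with ''x509/name'' and ''$ActionSendStreamDriverPermittedPeer serverX.example.com'' so the server's certificate is actually verified.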
  
Line 588: Line 674:
 The trace command is probably useful (Example for date): The trace command is probably useful (Example for date):
  
-<code>+<code bash>
 autrace /bin/date autrace /bin/date
 Waiting to execute: /bin/date Waiting to execute: /bin/date
Line 602: Line 688:
 Using ''--line-numbers'' option is useful, if you have to delete or add a rule on the proper position: Using ''--line-numbers'' option is useful, if you have to delete or add a rule on the proper position:
  
-<code>+<code bash>
 Chain INPUT (policy ACCEPT 0 packets, 0 bytes) Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 num   pkts bytes target     prot opt in     out     source               destination num   pkts bytes target     prot opt in     out     source               destination
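Review bot: the sample listing opens with ''Chain INPUT (policy ACCEPT 0 packets, 0 bytes)''; on a hardening page that default policy is the thing to change, so the surrounding text should point out that with ACCEPT nothing is blocked regardless of how the numbered rules are ordered, and that ''iptables -P INPUT DROP'' is what turns the chain into an allow-list once the loopback and ESTABLISHED,RELATED rules are present.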
Line 625: Line 711:
 A very basic example script to initialize ''iptables'': A very basic example script to initialize ''iptables'':
  
-<code>+<code bash>
 iptables -F iptables -F
 iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -i lo -j ACCEPT
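Review bot: ''iptables -F'' followed by ''-A'' rules is not safe to run over SSH: with the policy at DROP, the flush leaves every packet dropped until the allow rules are appended and the session is lost; with the policy at ACCEPT (as in the listing above) the host is fully open for the same window. Set ''iptables -P INPUT ACCEPT'' before the flush and ''iptables -P INPUT DROP'' as the last line, or, better, write the complete ruleset to a file and load it atomically with ''iptables-restore''.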
Line 637: Line 723:
 To delete a rule: To delete a rule:
  
-<code>+<code bash>
 iptables -D INPUT 11 iptables -D INPUT 11
 </code> </code>
Line 643: Line 729:
 To add a rule (insert): To add a rule (insert):
  
-<code>+<code bash>
 iptables -I INPUT 11 iptables -I INPUT 11
 </code> </code>
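Review bot: ''iptables -I INPUT 11'' has no rule specification, so as written it inserts an empty match-all rule with no target at position 11 (which only counts packets), or fails with "Index of insertion too big" if the chain is shorter; complete the example with the rule being inserted, e.g. ''iptables -I INPUT 11 -p tcp --dport 22 -s 192.168.0.0/24 -j ACCEPT'', so the contrast with ''iptables -D INPUT 11'' (which legitimately takes only the number) is clear.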
  
  • hardening.1549556763.txt.gz
  • Last modified: 2019/02/07 17:26
  • by admin