Differences

This shows you the differences between two versions of the page.

--- hardening [2019/02/07 17:28] – [Managing ACL's] admin
+++ hardening [2024/11/30 10:22] (current) – [Managing Accounts] dani
@@ Line 1: / Line 1: @@
-====== Hardening ======
+====== Hardening on CentOS ======
 ===== Updates =====
@@ Line 221: / Line 221: @@
 Usually the password and account ageing is configured in ''/etc/shadow''. Next picture describes the ''chage'' tool and the ''shadow'' file:
-{{:images/Hardening/users.png| User management}}
+{{:images:users.png?direct&600|User management}}
 === PAM Modules ===
@@ Line 376: / Line 376: @@
 <code xml>
-<html><schema></html> <html><key></html>/schemas/apps/gdm/simple-greeter/banner_message_enable<html></key></html> <html><applyto></html>/apps/gdm/simple-greeter/banner_message_enable<html></applyto></html> <html><owner></html>gdm-simple-greeter<html></owner></html> <html><type></html>bool<html></type></html>
+<schema>
-<HTML>
+<key>/schemas/apps/gdm/simple-greeter/banner_message_enable</key>
-<default>
+<applyto>/apps/gdm/simple-greeter/banner_message_enable</applyto>
-</HTML>
+<owner>gdm-simple-greeter</owner>
-false
+<type>bool</type>
-<HTML>
+<default>false</default>
-</default>
+<gettext_domain>gdm</gettext_domain>
-</HTML>
+<locale name="C">
-<html><gettext_domain></html>gdm<html></gettext_domain></html> <html><locale name="C"></html> <html><short></html>Enable showing the banner message<html></short></html> <html><long></html>Set to true to show the banner message text.<html></long></html> <html></locale></html> <html></schema></html>
+  <short>Enable showing the banner message</short>
+  <long>Set to true to show the banner message text.</long>
+</locale>
+</schema>
-<html><schema></html> <html><key></html>/schemas/apps/gdm/simple-greeter/banner_message_text<html></key></html> <html><applyto></html>/apps/gdm/simple-greeter/banner_message_text<html></applyto></html> <html><owner></html>gdm-simple-greeter<html></owner></html> <html><type></html>string<html></type></html>
+<schema>
-<HTML>
+<key>/schemas/apps/gdm/simple-greeter/banner_message_text</key>
-<default>
+<applyto>/apps/gdm/simple-greeter/banner_message_text</applyto>
-</default>
+<owner>gdm-simple-greeter</owner>
-</HTML>
+<type>string</type>
-<html><gettext_domain></html>gdm<html></gettext_domain></html> <html><locale name="C"></html> <html><short></html>Banner message text<html></short></html> <html><long></html>Text banner message to show on the login window.<html></long></html> <html></locale></html> <html></schema></html>
+<default></default>
+<gettext_domain>gdm</gettext_domain>
+<locale name="C">
+  <short>Banner message text</short>
+  <long>Text banner message to show on the login window.</long>
+</locale>
+</schema>
 </code>
@@ Line 421: / Line 430: @@
 <code shell>
-cp /etc/aide.conf /etc/aide.conf.orig   # delete unwanted entries in config!   aide --init   mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz   aide --check
+cp /etc/aide.conf /etc/aide.conf.orig
+# delete unwanted entries in config!
+aide --init   mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+aide --check
 </code>
@@ Line 432: / Line 444: @@
   * Prepare server for ''ipa-server'' package installation
-<code shell>
+<code bash>
-chkconfig NetworkManager off; service NetworkManager stop ... vim /etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE="eth0" BOOTPROTO="static" HWADDR="52:54:00:00:00:FA" IPV6INIT="yes" MTU="1500" NM_CONTROLLED="no" ONBOOT="yes" TYPE="Ethernet" UUID="383d9eaa-ac8a-43ff-96d9-fe76e9200877" IPADDR=192.168.0.101 NETMASK=255.255.255.0 GATEWAY=192.168.0.254 DNS1=192.168.0.254
+chkconfig NetworkManager off; service NetworkManager stop
+...
+vim /etc/sysconfig/network-scripts/ifcfg-eth0
+DEVICE="eth0"
+BOOTPROTO="static"
+HWADDR="52:54:00:00:00:FA"
+IPV6INIT="yes"
+MTU="1500"
+NM_CONTROLLED="no"
+ONBOOT="yes"
+TYPE="Ethernet"
+UUID="383d9eaa-ac8a-43ff-96d9-fe76e9200877"
+IPADDR=192.168.0.101
+NETMASK=255.255.255.0
+GATEWAY=192.168.0.254
+DNS1=192.168.0.254
-vim /etc/hosts 127.0.0.1 localhost.localdomain localhost ::1 localhost6.localdomain6 localhost6 192.168.0.X+100 serverX.example.com serverX
+vim /etc/hosts
+.0.0.1 localhost.localdomain localhost
+::1 localhost6.localdomain6 localhost6
+.168.0.X+100 serverX.example.com serverX
 chkconfig network on; service network restart
@@ Line 458: / Line 488: @@
 <code bash>
-kinit admin Password for admin@EXAMPLE.COM: redhat13
+kinit admin
+Password for admin@EXAMPLE.COM: redhat13
 ipa user-find admin
@@ Line 480: / Line 511: @@
 <code bash>
-getent passwd admin   getent group admins   kinit admin
+getent passwd admin
+getent group admins
+kinit admin
 </code>
@@ Line 486: / Line 519: @@
 <code bash>
-ipa user-add gpyle --first=Gomer --last=Pyle --password   ipa user-add cboyle --first=Charles --last=Boyle --password   ...
+ipa user-add gpyle --first=Gomer --last=Pyle --password
+ipa user-add cboyle --first=Charles --last=Boyle --password
+...
 </code>
@@ Line 504: / Line 539: @@
 <code bash>
-ipa sudocmd-add --desc "For displaying logs" /usr/bin/tail   ipa sudocmdgroup-add --desc "List logs" loglist   ipa sudocmdgroup-add-member --sudocmds "/usr/bin/tail" loglist   ipa sudorule-add --hostcat "all" loglist-attr   ipa sudorule-add-option loglist-attr   Sudo Option: !authenticate   ipa sudorule-add-user --groups marines loglist-attr   ipa sudorule-add-allow-command --sudocmdgroups loglist loglist-attr
+ipa sudocmd-add --desc "For displaying logs" /usr/bin/tail
+ipa sudocmdgroup-add --desc "List logs" loglist
+ipa sudocmdgroup-add-member --sudocmds "/usr/bin/tail" loglist
+ipa sudorule-add --hostcat "all" loglist-attr
+ipa sudorule-add-option loglist-attr   Sudo Option: !authenticate
+ipa sudorule-add-user --groups marines loglist-attr
+ipa sudorule-add-allow-command --sudocmdgroups loglist loglist-attr
 </code>
@@ Line 524: / Line 565: @@
   * Create and change into directory (''ca'')
-<code bash>
+<code shell>
-mkdir ca   cd ca
+mkdir ca
+cd ca
 </code>
@@ Line 559: / Line 601: @@
 Common name: serverX.example.com
-Is this a TLS web client certificate? (y/N): y Is this also a TLS web server certificate? (y/N): y
+Is this a TLS web client certificate? (y/N): y
+Is this also a TLS web server certificate? (y/N): y
 </code>
@@ Line 566: / Line 609: @@
 <code bash>
-certtool --generate-certificate --load-request serverX-request.pem --outfile serverX-cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
+certtool --generate-certificate --load-request serverX-request.pem --outfile serverX-cert.pem \
+--load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
 The certificate will expire in (days): 1000
-Is this a TLS web client certificate? (y/N): y Is this also a TLS web server certificate? (y/N): y Enter a dnsName of the subject of the certificate: serverX.example.com
+Is this a TLS web client certificate? (y/N): y
+Is this also a TLS web server certificate? (y/N): y
+Enter a dnsName of the subject of the certificate: serverX.example.com
 </code>
@@ Line 578: / Line 624: @@
 <code bash>
-# make gtls driver the default $DefaultNetstreamDriver gtls
+# make gtls driver the default
+$DefaultNetstreamDriver gtls
-# certificate files $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem $DefaultNetstreamDriverCertFile /etc/rsyslog-keys/serverX-cert.pem $DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/serverX-key.pem
+# certificate files
+$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem
+$DefaultNetstreamDriverCertFile /etc/rsyslog-keys/serverX-cert.pem
+$DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/serverX-key.pem
 $ModLoad imtcp # load TCP listener
-$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode $InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated $InputTCPServerRun 6514 # listen on port 6514
+$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
+$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
+$InputTCPServerRun 6514 # listen on port 6514
 </code>
@@ Line 590: / Line 642: @@
 <code bash>
-# certificate files - just CA for a client $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem
+# certificate files - just CA for a client
+$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem
-# set up the action $DefaultNetstreamDriver gtls
+# set up the action
-# use gtls netstream driver $ActionSendStreamDriverMode 1
+$DefaultNetstreamDriver gtls # use gtls netstream driver
-# require TLS for the connection $ActionSendStreamDriverAuthMode anon
+$ActionSendStreamDriverMode 1 # require TLS for the connection
-# server is NOT authenticated //.// @@(o)serverX.example.com:6514 # send (all) messages
+$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
+*.* @@(o)serverX.example.com:6514 # send (all) messages
 </code>
@@ Line 620: / Line 674: @@
 The trace command is probably useful (Example for date):
-<code>
+<code bash>
 autrace /bin/date
 Waiting to execute: /bin/date
@@ Line 634: / Line 688: @@
 Using ''--line-numbers'' option is useful, if you have to delete or add a rule on the proper position:
-<code>
+<code bash>
 Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 num   pkts bytes target     prot opt in     out     source               destination
@@ Line 657: / Line 711: @@
 A very basic example script to initialize ''iptables'':
-<code>
+<code bash>
 iptables -F
 iptables -A INPUT -i lo -j ACCEPT
@@ Line 669: / Line 723: @@
 To delete a rule:
-<code>
+<code bash>
 iptables -D INPUT 11
 </code>
@@ Line 675: / Line 729: @@
 To add a rule (insert):
-<code>
+<code bash>
 iptables -I INPUT 11
 </code>