Differences

This shows you the differences between two versions of the page.

--- hardening [2019/02/07 17:31] – [Server setup] admin
+++ hardening [2024/11/30 10:22] (current) – [Managing Accounts] dani
@@ Line 1: / Line 1: @@
-====== Hardening ======
+====== Hardening on CentOS ======
 ===== Updates =====
@@ Line 221: / Line 221: @@
 Usually the password and account ageing is configured in ''/etc/shadow''. Next picture describes the ''chage'' tool and the ''shadow'' file:
-{{:images/Hardening/users.png| User management}}
+{{:images:users.png?direct&600|User management}}
 === PAM Modules ===
@@ Line 488: / Line 488: @@
 <code bash>
-kinit admin Password for admin@EXAMPLE.COM: redhat13
+kinit admin
+Password for admin@EXAMPLE.COM: redhat13
 ipa user-find admin
@@ Line 510: / Line 511: @@
 <code bash>
-getent passwd admin   getent group admins   kinit admin
+getent passwd admin
+getent group admins
+kinit admin
 </code>
@@ Line 516: / Line 519: @@
 <code bash>
-ipa user-add gpyle --first=Gomer --last=Pyle --password   ipa user-add cboyle --first=Charles --last=Boyle --password   ...
+ipa user-add gpyle --first=Gomer --last=Pyle --password
+ipa user-add cboyle --first=Charles --last=Boyle --password
+...
 </code>
@@ Line 534: / Line 539: @@
 <code bash>
-ipa sudocmd-add --desc "For displaying logs" /usr/bin/tail   ipa sudocmdgroup-add --desc "List logs" loglist   ipa sudocmdgroup-add-member --sudocmds "/usr/bin/tail" loglist   ipa sudorule-add --hostcat "all" loglist-attr   ipa sudorule-add-option loglist-attr   Sudo Option: !authenticate   ipa sudorule-add-user --groups marines loglist-attr   ipa sudorule-add-allow-command --sudocmdgroups loglist loglist-attr
+ipa sudocmd-add --desc "For displaying logs" /usr/bin/tail
+ipa sudocmdgroup-add --desc "List logs" loglist
+ipa sudocmdgroup-add-member --sudocmds "/usr/bin/tail" loglist
+ipa sudorule-add --hostcat "all" loglist-attr
+ipa sudorule-add-option loglist-attr   Sudo Option: !authenticate
+ipa sudorule-add-user --groups marines loglist-attr
+ipa sudorule-add-allow-command --sudocmdgroups loglist loglist-attr
 </code>
@@ Line 554: / Line 565: @@
   * Create and change into directory (''ca'')
-<code bash>
+<code shell>
-mkdir ca   cd ca
+mkdir ca
+cd ca
 </code>
@@ Line 589: / Line 601: @@
 Common name: serverX.example.com
-Is this a TLS web client certificate? (y/N): y Is this also a TLS web server certificate? (y/N): y
+Is this a TLS web client certificate? (y/N): y
+Is this also a TLS web server certificate? (y/N): y
 </code>
@@ Line 596: / Line 609: @@
 <code bash>
-certtool --generate-certificate --load-request serverX-request.pem --outfile serverX-cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
+certtool --generate-certificate --load-request serverX-request.pem --outfile serverX-cert.pem \
+--load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
 The certificate will expire in (days): 1000
-Is this a TLS web client certificate? (y/N): y Is this also a TLS web server certificate? (y/N): y Enter a dnsName of the subject of the certificate: serverX.example.com
+Is this a TLS web client certificate? (y/N): y
+Is this also a TLS web server certificate? (y/N): y
+Enter a dnsName of the subject of the certificate: serverX.example.com
 </code>
@@ Line 608: / Line 624: @@
 <code bash>
-# make gtls driver the default $DefaultNetstreamDriver gtls
+# make gtls driver the default
+$DefaultNetstreamDriver gtls
-# certificate files $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem $DefaultNetstreamDriverCertFile /etc/rsyslog-keys/serverX-cert.pem $DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/serverX-key.pem
+# certificate files
+$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem
+$DefaultNetstreamDriverCertFile /etc/rsyslog-keys/serverX-cert.pem
+$DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/serverX-key.pem
 $ModLoad imtcp # load TCP listener
-$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode $InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated $InputTCPServerRun 6514 # listen on port 6514
+$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
+$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
+$InputTCPServerRun 6514 # listen on port 6514
 </code>
@@ Line 620: / Line 642: @@
 <code bash>
-# certificate files - just CA for a client $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem
+# certificate files - just CA for a client
+$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem
-# set up the action $DefaultNetstreamDriver gtls
+# set up the action
-# use gtls netstream driver $ActionSendStreamDriverMode 1
+$DefaultNetstreamDriver gtls # use gtls netstream driver
-# require TLS for the connection $ActionSendStreamDriverAuthMode anon
+$ActionSendStreamDriverMode 1 # require TLS for the connection
-# server is NOT authenticated //.// @@(o)serverX.example.com:6514 # send (all) messages
+$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
+*.* @@(o)serverX.example.com:6514 # send (all) messages
 </code>
@@ Line 650: / Line 674: @@
 The trace command is probably useful (Example for date):
-<code>
+<code bash>
 autrace /bin/date
 Waiting to execute: /bin/date
@@ Line 664: / Line 688: @@
 Using ''--line-numbers'' option is useful, if you have to delete or add a rule on the proper position:
-<code>
+<code bash>
 Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 num   pkts bytes target     prot opt in     out     source               destination
@@ Line 687: / Line 711: @@
 A very basic example script to initialize ''iptables'':
-<code>
+<code bash>
 iptables -F
 iptables -A INPUT -i lo -j ACCEPT
@@ Line 699: / Line 723: @@
 To delete a rule:
-<code>
+<code bash>
 iptables -D INPUT 11
 </code>
@@ Line 705: / Line 729: @@
 To add a rule (insert):
-<code>
+<code bash>
 iptables -I INPUT 11
 </code>