hardening

hardening [2019/02/07 17:34] – [Client setup] adminhardening [2024/11/30 10:22] (current) – [Managing Accounts] dani
Line 1: Line 1:
-====== Hardening ======+====== Hardening on CentOS ======
  
 ===== Updates ===== ===== Updates =====
Line 221: Line 221:
 Usually the password and account ageing is configured in ''/etc/shadow''. Next picture describes the ''chage'' tool and the ''shadow'' file: Usually the password and account ageing is configured in ''/etc/shadow''. Next picture describes the ''chage'' tool and the ''shadow'' file:
  
-{{:images/Hardening/users.png| User management}}+{{:images:users.png?direct&600|User management}}
  
 === PAM Modules === === PAM Modules ===
Line 565: Line 565:
   * Create and change into directory (''ca'')   * Create and change into directory (''ca'')
  
-<code bash+<code shell
-mkdir ca   cd ca+mkdir ca    
 +cd ca
 </code> </code>
  
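Review bot: the opening tag on the new side reads `<code shell` with no closing `>`, so DokuWiki will not treat the block as code at all; every other block on this page opens with `<code bash>`, so use that form here too for a consistent language tag and rendering. Splitting the run-together `mkdir ca   cd ca` into `mkdir ca` and `cd ca` on separate lines is the right fix for the old text.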
Line 600: Line 601:
 Common name: serverX.example.com Common name: serverX.example.com
  
-Is this a TLS web client certificate? (y/N): y Is this also a TLS web server certificate? (y/N): y+Is this a TLS web client certificate? (y/N): y  
 +Is this also a TLS web server certificate? (y/N): y
  
 </code> </code>
Line 607: Line 609:
  
 <code bash> <code bash>
-certtool --generate-certificate --load-request serverX-request.pem --outfile serverX-cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem+certtool --generate-certificate --load-request serverX-request.pem --outfile serverX-cert.pem 
 +--load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
  
 The certificate will expire in (days): 1000 The certificate will expire in (days): 1000
  
-Is this a TLS web client certificate? (y/N): y Is this also a TLS web server certificate? (y/N): y Enter a dnsName of the subject of the certificate: serverX.example.com+Is this a TLS web client certificate? (y/N): y  
 +Is this also a TLS web server certificate? (y/N): y  
 +Enter a dnsName of the subject of the certificate: serverX.example.com
 </code> </code>
  
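Review bot: breaking the `certtool --generate-certificate ...` invocation across two lines without a trailing `\` makes the shell run `--load-ca-certificate ca.pem --load-ca-privkey ca-key.pem` as a separate command, and the first line then fails because no CA certificate and key were supplied. End the first line with ` \` so both lines are read as one command. The prompt answers below (TLS client and server certificate, dnsName `serverX.example.com`) match the common name given in the request above, which is what clients will check.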
Line 619: Line 624:
  
 <code bash> <code bash>
-# make gtls driver the default $DefaultNetstreamDriver gtls+# make gtls driver the default  
 +$DefaultNetstreamDriver gtls
  
-# certificate files $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem $DefaultNetstreamDriverCertFile /etc/rsyslog-keys/serverX-cert.pem $DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/serverX-key.pem+# certificate files  
 +$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem  
 +$DefaultNetstreamDriverCertFile /etc/rsyslog-keys/serverX-cert.pem  
 +$DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/serverX-key.pem
  
 $ModLoad imtcp # load TCP listener $ModLoad imtcp # load TCP listener
  
-$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode $InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated $InputTCPServerRun 6514 # listen on port 6514+$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode  
 +$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated  
 +$InputTCPServerRun 6514 # listen on port 6514
 </code> </code>
  
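Review bot: `$InputTCPServerStreamDriverAuthMode anon` (the comment itself says the client is NOT authenticated) means any host that can reach TCP 6514 can submit messages into the collector's logs over TLS, which undermines the integrity of the very logs this section centralises for auditing. Since this page already sets up a CA and issues certificates, use `$InputTCPServerStreamDriverAuthMode x509/name` and list the permitted senders with `$InputTCPServerStreamDriverPermittedPeer`, and keep `/etc/rsyslog-keys/serverX-key.pem` readable by root only.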
Line 631: Line 642:
  
 <code bash> <code bash>
-# certificate files - just CA for a client $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem+# certificate files - just CA for a client  
 +$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem
  
-# set up the action $DefaultNetstreamDriver gtls  +# set up the action  
-# use gtls netstream driver $ActionSendStreamDriverMode 1  +$DefaultNetstreamDriver gtls # use gtls netstream driver  
-# require TLS for the connection $ActionSendStreamDriverAuthMode anon  +$ActionSendStreamDriverMode 1 # require TLS for the connection  
-# server is NOT authenticated //.// @@(o)serverX.example.com:6514 # send (all) messages+$ActionSendStreamDriverAuthMode anon # server is NOT authenticated  
 +*.@@(o)serverX.example.com:6514 # send (all) messages
 </code> </code>
  
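Review bot: the selector on the new last line, `*.@@(o)serverX.example.com:6514`, has lost the priority part and the space before the action; to send all messages, as the comment says, it has to read `*.* @@(o)serverX.example.com:6514` (the old side's `//.//` appears to be the same selector mangled by wiki markup). Separately, `$ActionSendStreamDriverAuthMode anon` means the client never verifies the collector's certificate, so the CA file loaded a few lines earlier is not actually used for anything and a host that takes over the name or address of serverX.example.com would receive the logs. Use `$ActionSendStreamDriverAuthMode x509/name` with `$ActionSendStreamDriverPermittedPeer serverX.example.com` so the client only ships logs to a collector presenting a certificate from this CA with that name.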
Line 661: Line 674:
 The trace command is probably useful (Example for date): The trace command is probably useful (Example for date):
  
-<code>+<code bash>
 autrace /bin/date autrace /bin/date
 Waiting to execute: /bin/date Waiting to execute: /bin/date
Line 675: Line 688:
 Using ''--line-numbers'' option is useful, if you have to delete or add a rule on the proper position: Using ''--line-numbers'' option is useful, if you have to delete or add a rule on the proper position:
  
-<code>+<code bash>
 Chain INPUT (policy ACCEPT 0 packets, 0 bytes) Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 num   pkts bytes target     prot opt in     out     source               destination num   pkts bytes target     prot opt in     out     source               destination
Line 698: Line 711:
 A very basic example script to initialize ''iptables'': A very basic example script to initialize ''iptables'':
  
-<code>+<code bash>
 iptables -F iptables -F
 iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -i lo -j ACCEPT
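Review bot: `iptables -F` at the top flushes the rules but leaves the chain policies untouched; with the `policy ACCEPT` shown in the listing above, the host accepts all traffic from the flush until the rest of the script has run, and stays open if the script aborts midway. Set the default policies explicitly in the script (for example `iptables -P INPUT DROP`) right after the loopback rule and whatever rule the script adds for existing connections, and run it only from a session those rules leave reachable. Tagging the block `<code bash>` is fine, since these are shell commands.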
Line 710: Line 723:
 To delete a rule: To delete a rule:
  
-<code>+<code bash>
 iptables -D INPUT 11 iptables -D INPUT 11
 </code> </code>
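Review bot: `iptables -D INPUT 11` deletes by position, and every rule after it shifts down one place the moment it runs, so when several numbered rules are to be removed at once, delete from the highest number to the lowest or re-run `iptables -L INPUT --line-numbers` between deletions; the text above should say so. Deleting by rule specification (`iptables -D INPUT <rule spec>`) avoids the renumbering problem entirely.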
Line 716: Line 729:
 To add a rule (insert): To add a rule (insert):
  
-<code>+<code bash>
 iptables -I INPUT 11 iptables -I INPUT 11
 </code> </code>
  
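Review bot: `iptables -I INPUT 11` carries no match or target, so as written it inserts an empty counting rule at position 11 rather than demonstrating an insert; the example needs a rule specification after the position, such as `iptables -I INPUT 11 -p tcp --dport 22 -j ACCEPT`, and the text above should note that the existing rule 11 and everything after it move down one place.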
  • hardening.1549557241.txt.gz
  • Last modified: 2019/02/07 17:34
  • by admin