linux-hardening-checklist icon indicating copy to clipboard operation
linux-hardening-checklist copied to clipboard

verified publisher icon trimstray

Metadata

Simple checklist to help you deploying the most important areas of the GNU/Linux production systems - work in progress.

Master


Pull Requests MIT License

Created by trimstray and contributors

Table of Contents

  • Introduction
    • Status
    • Todo
    • Prologue
    • Levels of priority
    • OpenSCAP
  • Partitioning
    • Separate partitions
    • Restrict mount options
    • Polyinstantiated directories
    • Shared memory
    • Encrypt partitions
    • Summary checklist
  • Physical Access
    • Password for Single User Mode
    • Summary checklist
  • Bootloader
    • Protect bootloader config files
    • Summary checklist
  • Linux Kernel
    • Kernel logs
    • Kernel pointers
    • ExecShield
    • Memory protection
    • Summary checklist
  • Logging
    • Syslog
  • Users and Groups
    • Passwords
    • Logon Access
    • Summary checklist
  • Filesystem
    • Hardlinks & Symlinks
    • Dynamic Mounting and Unmounting
    • Summary checklist
  • Permissions
  • SELinux & Auditd
    • SELinux Enforcing
    • Summary checklist
  • System Updates
  • Network
    • TCP/SYN
    • Routing
    • ICMP Protocol
    • Broadcast
    • Summary checklist
  • Services
  • Tools

Introduction

In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle a single-function system is more secure than a multipurpose one. The main goal of systems hardening is to reduce security risk by eliminating potential attack vectors and condensing the system’s attack surface.

This list contains the most important hardening rules for GNU/Linux systems.

Status

Still work in progress... :construction_worker:

I also created another repository (in a more detailed way): the-practical-linux-hardening-guide.

Todo

  • [ ] Add rationale (e.g. url's, external resources)
  • [ ] Review levels of priority

Prologue

I'm not advocating throwing your existing hardening and deployment best practices out the door but I recommend is to always turn a feature from this checklist on in pre-production environments instead of jumping directly into production.

Levels of priority

All items in this checklist contains three levels of priority:

  • low means that the item has a low priority.
  • medium means that the item has a medium priority. You shouldn't avoid tackling that item.
  • high means that the item has a high priority. You can't avoid following that rule and implement the corrections recommended.

OpenSCAP

OpenSCAP

SCAP (Security Content Automation Protocol) provides a mechanism to check configurations, vulnerability management and evaluate policy compliance for a variety of systems. One of the most popular implementations of SCAP is OpenSCAP and it is very helpful for vulnerability assessment and also as hardening helper.

Some of the external audit tools use this standard. For example Nessus has functionality for authenticated SCAP scans.

I tried to make this list compatible with OpenSCAP standard and rules. However, there may be differences.

Partitioning

Separate partitions

  • low Ensure /boot located on separate partition.

  • low Ensure /home located on separate partition.

  • low Ensure /usr located on separate partition.

  • medium Ensure /var located on separate partition.

  • high Ensure /var/log and /var/log/audit located on separate partitions.

  • high Ensure /tmp and /var/tmp located on separate partitions.

Restrict mount options

  • low Restrict /usr partition mount options.

    Example:

    UUID=<...>  /usr  ext4  defaults,nodev,ro  0 2

  • low Restrict /var partition mount options.

    Example:

    UUID=<...>  /var  ext4  defaults,nosuid  0 2

  • low Restrict /var/log and /var/log/audit partitions mount options.

    Example:

    UUID=<...>  /var/log        ext4  defaults,nosuid,noexec,nodev  0 2
UUID=<...>  /var/log/audit  ext4  defaults,nosuid,noexec,nodev  0 2

  • low Restrict /proc partition mount options.

    Example:

    proc  /proc  proc  defaults,hidepid=2  0 0

  • medium Restrict /boot partition mount options.

    Example:

    LABEL=/boot  /boot  ext2  defaults,nodev,nosuid,noexec,ro  1 2

  • medium Restrict /home partition mount options.

    Example:

    UUID=<...>  /home  ext4  defaults,nodev,nosuid  0 2

  • medium Restrict /var and /var/tmp partitions mount options.

    Example:

    mv /var/tmp /var/tmp.old
ln -s /tmp /var/tmp
cp -prf /var/tmp.old/* /tmp && rm -fr /var/tmp.old

UUID=<...>  /tmp  ext4  defaults,nodev,nosuid,noexec  0 2

  • medium Restrict /dev/shm partition mount options.

    Example:

    tmpfs  /dev/shm  tmpfs  rw,nodev,nosuid,noexec,size=1024M,mode=1777 0 0

Polyinstantiated directories

  • medium Setting up polyinstantiated /var and /var/tmp directories.

    Example:

    # Create new directories:
mkdir --mode 000 /tmp-inst
mkdir --mode 000 /var/tmp/tmp-inst

# Edit /etc/security/namespace.conf:
/tmp      /tmp-inst/          level  root,adm
/var/tmp  /var/tmp/tmp-inst/  level  root,adm

# Set correct SELinux context:
setsebool polyinstantiation_enabled=1
chcon --reference=/tmp /tmp-inst
chcon --reference=/var/tmp/ /var/tmp/tmp-inst

Shared memory

  • low Set group for /dev/shm.

    Example:

    tmpfs  /dev/shm  tmpfs  rw,nodev,nosuid,noexec,size=1024M,mode=1770,uid=root,gid=shm 0 0

Encrypt partitions

  • low Encrypt swap partition.

    Example:

    # Edit /etc/crypttab:
sdb1_crypt /dev/sdb1 /dev/urandom cipher=aes-xts-plain64,size=256,swap,discard

# Edit /etc/fstab:
/dev/mapper/sdb1_crypt none swap sw 0 0

:ballot_box_with_check: Summary checklist

Rule Priority Checkbox
Separate /boot low :black_square_button:
Separate /home low :black_square_button:
Separate /usr low :black_square_button:
Separate /var medium :black_square_button:
Separate /var/log and /var/log/audit high :black_square_button:
Separate /tmp and /var/tmp high :black_square_button:
Restrict /usr mount options low :black_square_button:
Restrict /var mount options low :black_square_button:
Restrict /var/log and /var/log/audit mount options low :black_square_button:
Restrict /proc mount options low :black_square_button:
Restrict /boot mount options medium :black_square_button:
Restrict /home mount options medium :black_square_button:
Restrict /tmp/ and /var/tmp mount options medium :black_square_button:
Restrict /dev/shm mount options medium :black_square_button:
Polyinstantiated /tmp and /var/tmp medium :black_square_button:
Set group for /dev/shm low :black_square_button:
Encrypt swap low :black_square_button:

Physical Access

Password for Single User Mode

  • low Protect Single User Mode with root password.

    Example:

    # Edit /etc/sysconfig/init.
SINGLE=/sbin/sulogin

:ballot_box_with_check: Summary checklist

Rule Priority Checkbox
Protect Single User Mode. low :black_square_button:

Bootloader

Protect bootloader config files

  • low Ensure bootloader config files are set properly permissions.

    Example:

    # Set the owner and group of /etc/grub.conf to the root user:
chown root:root /etc/grub.conf
chown -R root:root /etc/grub.d

# Set permissions on the /etc/grub.conf or /etc/grub.d file to read and write for root only:
chmod og-rwx /etc/grub.conf
chmod -R og-rwx /etc/grub.d

:ballot_box_with_check: Summary checklist

Rule Priority Checkbox
Protect bootloader config files low :black_square_button:

Linux Kernel

Kernel logs

  • low Restricting access to kernel logs.

    Example:

    echo "kernel.dmesg_restrict = 1" > /etc/sysctl.d/50-dmesg-restrict.conf

Kernel pointers

  • low Restricting access to kernel pointers.

    Example:

    echo "kernel.kptr_restrict = 1" > /etc/sysctl.d/50-kptr-restrict.conf

ExecShield

  • low ExecShield protection.

    Example:

    echo "kernel.exec-shield = 2" > /etc/sysctl.d/50-exec-shield.conf

Memory protections

  • low Randomise memory space.

    echo "kernel.randomize_va_space=2" > /etc/sysctl.d/50-rand-va-space.conf

:ballot_box_with_check: Summary checklist

Rule Priority Checkbox
Restricting access to kernel logs low :black_square_button:
Restricting access to kernel pointers low :black_square_button:
ExecShield protection low :black_square_button:
Randomise memory space. low :black_square_button:

Logging

Syslog

  • medium Ensure syslog service is enabled and running.

    Example:

    systemctl enable rsyslog
systemctl start rsyslog

  • medium Send syslog data to external server.

    Example:

    # ELK
# Logstash
# Splunk
# ...

:ballot_box_with_check: Summary checklist

Rule Priority Checkbox
Ensure syslog service is enabled and running. medium :black_square_button:
Ensure syslog service is enabled and running. medium :black_square_button:

Users and Groups

Passwords

  • medium Update password policy (PAM).

    Example:

    authconfig --passalgo=sha512 \
--passminlen=14 \
--passminclass=4 \
--passmaxrepeat=2 \
--passmaxclassrepeat=2 \
--enablereqlower \
--enablerequpper \
--enablereqdigit \
--enablereqother \
--update

  • medium Limit password reuse (PAM).

    Example:

    # Edit /etc/pam.d/system-auth

# For the pam_unix.so case:
password sufficient pam_unix.so ... remember=5

# For the pam_pwhistory.so case:
password requisite pam_pwhistory.so ... remember=5

  • medium Secure /etc/login.defs password policy.

    Example:

    # Edit /etc/login.defs
PASS_MIN_LEN 14
PASS_MIN_DAYS 1
PASS_MAX_DAYS 60
PASS_WARN_AGE 14

Logon Access

  • low Set auto logout inactive users.

    Example:

    echo "readonly TMOUT=900" >> /etc/profile.d/idle-users.sh
echo "readonly HISTFILE" >> /etc/profile.d/idle-users.sh
chmod +x /etc/profile.d/idle-users.sh

  • low Set last logon/access notification.

    Example:

    # Edit /etc/pam.d/system-auth
session required pam_lastlog.so showfailed

  • medium Lock out accounts after a number of incorrect login (PAM).

    Example:

    # Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth

# Add the following line immediately before the pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny=3 unlock_time=never fail_interval=900

# Add the following line immediately after the pam_unix.so statement in the AUTH section:
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never fail_interval=900

# Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
account required pam_faillock.so

:ballot_box_with_check: Summary checklist

Rule Priority Checkbox
Update password policy medium :black_square_button:
Limit password reuse medium :black_square_button:
Secure /etc/login.defs password policy medium :black_square_button:
Set auto logout inactive users. low :black_square_button:
Set last logon/access notification low :black_square_button:
Lock out accounts after a number of incorrect login medium :black_square_button:

Filesystem

Hardlinks & Symlinks

  • low Enable hard/soft link protection.

    Example:

    echo "fs.protected_hardlinks = 1" > /etc/sysctl.d/50-fs-hardening.conf
echo "fs.protected_symlinks = 1" >> /etc/sysctl.d/50-fs-hardening.conf

Dynamic Mounting and Unmounting

  • medium Disable uncommon filesystems.

    Example:

    echo "install cramfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
echo "install freevxfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
echo "install jffs2 /bin/false" > /etc/modprobe.d/uncommon-fs.conf
echo "install hfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
echo "install hfsplus /bin/false" > /etc/modprobe.d/uncommon-fs.conf
echo "install squashfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
echo "install udf /bin/false" > /etc/modprobe.d/uncommon-fs.conf
echo "install fat /bin/false" > /etc/modprobe.d/uncommon-fs.conf
echo "install vfat /bin/false" > /etc/modprobe.d/uncommon-fs.conf
echo "install nfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
echo "install nfsv3 /bin/false" > /etc/modprobe.d/uncommon-fs.conf
echo "install gfs2 /bin/false" > /etc/modprobe.d/uncommon-fs.conf

:ballot_box_with_check: Summary checklist

Rule Priority Checkbox
Enable hard/soft link protection. low :black_square_button:
Disable uncommon filesystems. medium :black_square_button:

Permissions

SELinux & Auditd

SELinux Enforcing

  • high Set SELinux Enforcing mode.

    Example:

    # Edit /etc/selinux/config.
SELINUXTYPE=enforcing

:ballot_box_with_check: Summary checklist

Rule Priority Checkbox
Set SELinux Enforcing mode. high :black_square_button:

System Updates

Network

TCP/SYN

  • medium Enable TCP SYN Cookie protection.

    Example:

    echo "net.ipv4.tcp_syncookies = 1" > /etc/sysctl.d/50-net-stack.conf

Routing

  • medium Disable IP source routing.

    Example:

    echo "net.ipv4.conf.all.accept_source_route = 0" > /etc/sysctl.d/50-net-stack.conf

ICMP Protocol

  • medium Disable ICMP redirect acceptance.

    Example:

    echo "net.ipv4.conf.all.accept_redirects = 0" > /etc/sysctl.d/50-net-stack.conf

  • medium Enable ignoring to ICMP requests.

    Example:

    echo "net.ipv4.icmp_echo_ignore_all = 1" > /etc/sysctl.d/50-net-stack.conf

Broadcast

  • medium Enable ignoring broadcasts request.

    Example:

    echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/50-net-stack.conf

:ballot_box_with_check: Summary checklist

Rule Priority Checkbox
Enable TCP SYN Cookie protection. medium :black_square_button:
Disable IP source routing. medium :black_square_button:
Disable ICMP redirect acceptance. medium :black_square_button:
Enable ignoring to ICMP requests. medium :black_square_button:
Enable ignoring broadcasts request. medium :black_square_button:

Services

Tools

Metadata

1.2k
Stars
173
Forks
Watchers

Owner

verified publisher icon trimstray

Metadata

Simple checklist to help you deploying the most important areas of the GNU/Linux production systems - work in progress.

Back