=======================================
Notes on rhel6 secure configuration doc
=======================================

01/03/14: Going to read through the doc located on `redhat's site`_. Get some
CPEs out of it as well. Starting at 0820.

.. _redhat's site: http://people.redhat.com/swells/scap-security-guide/RHEL6/output/rhel6-guide.html

Nice list of principles:
========================

* Encrypt data whenever possible
* Minimize installed s/w
* Run different network services on different systems
* Security tools:

  * iptables
  * selinux
  * auditing
  * Forgot HIDS - rhel uses AIDE_ - see below. AIDE is an integrity checker,
    not a full-blown intrusion detection suite.

* Least privilege

System settings:
================

A lot of stuff in this section might make it to my hardening checklist.

* Separate filesystems for:

  * /tmp
  * /var
  * /var/log
  * /var/log/audit

* Encrypt partitions:

  * Not overly crazy about doing that for in-house systems.
  * Cloud systems, definitely.
  * As part of kickstart::

      part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE

* Suggests patching your systems. Wow, who'd-a-thunk?

.. _AIDE:

* AIDE: integrity checker for rhel.

  * Stands for Advanced Intrusion Detection Environment.
  * Disable prelinking: it rewrites binaries on disk, so their hashes change
    and the integrity checker can't tell prelinking from tampering.

* Mount options:

  * nodev for non-root partitions, removable media, and /dev/shm.
  * noexec,nosuid for removable media, /dev/shm, and (situationally) /tmp.
    Doc states::

      Allowing users to execute binaries from world-writable directories such
      as /tmp should never be necessary in normal operation and can expose the
      system to potential compromise.

    While it's an understandable security stance, it doesn't take into account
    that /tmp is the generic place to extract files which are then executed
    for installation. That's not to say that /tmp can't be remounted exec for
    the installation, then remounted noexec when done. One client had their
    puppet CM tool handling the remount daily.
  * Wholeheartedly agree w/the nosuid for /tmp, though.
  * Interesting: bind mount /var/tmp to /tmp::

      # grep /tmp /etc/fstab
      /tmp /var/tmp none rw,nodev,noexec,nosuid,bind 0 0

* Disable modprobe loading of usb storage:

  * By users (blocks autoloading; root can still insmod the .ko directly)::

      echo 'install usb-storage /bin/false' > /etc/modprobe.d/usb-storage.conf

  * By everyone: add *nousb* to the end of the kernel boot line. Realize that
    usb keyboards, mice, and printers won't work either.
  * By gnome::

      # gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type bool \
          --set /apps/nautilus/preferences/media_automount false
      # gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type bool \
          --set /apps/nautilus/preferences/media_autorun_never true

* Protect bios:

  * password protect changes
  * prevent booting from usb

* Numerous filesystem type kernel mod preventions. Not sure that's a good idea:
  *install ${fs} /bin/false* in */etc/modprobe.d/${fs}.conf*
* File/directory perms/ownership:

  * All world writable dirs have the sticky bit and are owned by a system
    account.
  * **No** world writable files? Ensure that's valid before changing
    willy-nilly.
  * Verify all SGID/SUID files.
  * Standard owner/group perms restrictions on other files/directories,
    including shared libraries.

* Kernel:

  * kernel.dmesg_restrict=1 : prevents unprivileged users from running dmesg.
  * fs.suid_dumpable=0 : disables core dumps for suid programs. Understand the
    reason; but, I'm not really sure I'm comfortable w/disabling core dumps by
    default.
  * kernel.exec-shield=1 : enables kernel protections against memory
    corruption and buffer overflow attacks.
  * kernel.randomize_va_space=2 : enables *Address Space Layout Randomization*
    (ASLR), which makes buffer overflow attacks much more entertaining.
  * net.ipv4.conf.default.send_redirects=0 : disables sending ICMP redirects
    on interfaces created from now on.
  * net.ipv4.conf.all.send_redirects=0 : disables sending ICMP redirects on
    all existing interfaces.
  * net.ipv4.ip_forward=0 : disable IP forwarding if appropriate (iptables
    NAT/firewall boxes and routers need it).
  * net.ipv4.conf.all.accept_source_route=0 : drop source-routed packets.
  * net.ipv4.conf.all.secure_redirects=0 : with =1, ICMP redirects are still
    accepted when they come from a gateway in the default gateway list; =0
    refuses those too. Pair it with accept_redirects=0 to refuse redirects
    entirely.
  * net.ipv4.conf.all.log_martians=1 : logs martians - packets with impossible
    source addresses.
  * net.ipv4.icmp_echo_ignore_broadcasts=1 : ignore ICMP echo requests sent to
    broadcast addresses (smurf amplification).
  * net.ipv4.icmp_ignore_bogus_error_responses=1 : don't log the bogus icmp
    error responses some broken routers send.
  * net.ipv4.tcp_syncookies=1 : use syncookies, a method of surviving syn
    flood attacks.
  * net.ipv4.conf.all.rp_filter=1 : reverse path filtering; drops packets
    whose source address isn't routable back out the interface they arrived
    on.
  * net.ipv4.conf.default.rp_filter=1 : same as above, but for interfaces
    created from now on instead of all existing ones.

* Disable core dumps: ``* hard core 0`` in */etc/security/limits.conf*
* selinux: suggests making selinux enforcing on all systems.

  * Ensure no unconfined daemons: ``ps -eZ | grep initrc`` # no output is good.
  * Ensure no unlabeled device files::

      find /dev \( -type b -o -type c \) -print | xargs -I {} ls -dZ {} | \
          grep -i unlabel

    The parens matter: without them ``-print`` binds only to ``-type c`` and
    block devices are never listed.

* Accounts and access control:

  * Doc talks about the weakness of password based authentication, then says
    access to root and other administrative commands should be done by
    password.
  * Also talks about restricting root even on the console. I **way** disagree
    with that one.
  * Non-interactive system accounts' shells set to /sbin/nologin.
  * Password restrictions:

    * mostly /etc/login.defs (how does this interact w/ldap?)
    * password length = 14??? dod req, apparently.

  * Inactivity: */etc/default/useradd*
  * Expire temporary accounts.
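Added example, not from these notes or the Red Hat guide: a small checker for
the kernel/network sysctls and the mount options above. Both functions read
files rather than the live system, so the same script works on a ``sysctl -a``
dump and an fstab copied off a box. The expected-value list, the sample dump
and the sample fstab are constructed here for the stand-alone run; the two
deviations and the missing key in the sample are deliberate.

```shell
#!/bin/sh
# Added example, not from the rhel6 guide or the SCAP Security Guide project.
# Checks a captured "sysctl -a" dump and an fstab against the settings noted
# above. Both read files, so they work on a dump copied off a box.

# Expected sysctl settings from the kernel/network notes, one key=value per line.
SYSCTL_EXPECTED='
kernel.dmesg_restrict=1
fs.suid_dumpable=0
kernel.randomize_va_space=2
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
'

# check_sysctl DUMP
# DUMP is "sysctl -a" output ("key = value" lines). Prints one
# "key actual (want expected)" line per deviation; a key absent from the dump
# is reported as MISSING. Returns 1 if anything deviates.
check_sysctl() {
    dump=$1
    rc=0
    for kv in $SYSCTL_EXPECTED; do
        key=${kv%%=*}
        want=${kv#*=}
        actual=$(awk -v k="$key" '$1 == k { print $3; found = 1 }
                                  END { if (!found) print "MISSING" }' "$dump")
        if [ "$actual" != "$want" ]; then
            echo "$key $actual (want $want)"
            rc=1
        fi
    done
    return $rc
}

# check_mount_opts FSTAB MOUNTPOINT OPT[,OPT...]
# Returns 0 only if every listed option appears in the mountpoint's fstab
# options field; prints what is missing otherwise.
check_mount_opts() {
    fstab=$1
    mp=$2
    need=$3
    opts=$(awk -v m="$mp" '$1 !~ /^#/ && $2 == m { print $4 }' "$fstab")
    if [ -z "$opts" ]; then
        echo "$mp: not in fstab"
        return 1
    fi
    rc=0
    for o in $(printf '%s' "$need" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;
            *) echo "$mp: missing $o (has $opts)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input for a stand-alone run. On a real box use
# "sysctl -a > /tmp/sysctl.out" and /etc/fstab instead.
write_samples() {
    dir=$1
    cat > "$dir/sysctl.out" <<'EOF'
kernel.dmesg_restrict = 0
fs.suid_dumpable = 0
kernel.randomize_va_space = 2
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
EOF
    cat > "$dir/fstab" <<'EOF'
# device      mountpoint  type  options                       dump pass
/dev/vg/tmp   /tmp        ext4  defaults,nodev,nosuid         1 2
/tmp          /var/tmp    none  rw,nodev,noexec,nosuid,bind   0 0
tmpfs         /dev/shm    tmpfs defaults,nodev,noexec,nosuid  0 0
EOF
}

SAMPLE_DIR=$(mktemp -d)
write_samples "$SAMPLE_DIR"
check_sysctl "$SAMPLE_DIR/sysctl.out"
check_mount_opts "$SAMPLE_DIR/fstab" /tmp nodev,noexec,nosuid
check_mount_opts "$SAMPLE_DIR/fstab" /dev/shm nodev,noexec,nosuid
```

Running it against the constructed sample reports dmesg_restrict and
secure_redirects as wrong, default.rp_filter as MISSING, and /tmp as lacking
noexec; /dev/shm passes. A missing key is treated as a failure on purpose:
a sysctl that isn't there at all (wrong kernel, typo in the name) is exactly
the case a compliance check must not silently pass.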
* pam:

  * Ensure null passwords are disabled in pam::

      # grep -i nullok system-auth-ac
      auth        sufficient    pam_unix.so nullok try_first_pass
      password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
      # perl -i -ple 's/\bnullok\b//g' system-auth-ac

  * Last login notification in system-auth[-ac]:
    ``session required pam_lastlog.so showfailed``
  * Use pam_cracklib or pam_passwdqc (all on one line)::

      password required pam_cracklib.so try_first_pass retry=3 \
          maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1

  * Lock out users for 15 minutes after 3 failed pwd attempts::

      auth required pam_faillock.so authsucc deny=3 \
          unlock_time=900 fail_interval=300

    That's only the *authsucc* line. pam_faillock also needs a *preauth* line
    before pam_unix and an *authfail* line after it, carrying the same
    deny/unlock_time/fail_interval values, or failures never get counted.
  * *remember=#* sets password history on the *password sufficient
    pam_unix.so* line. DOD wants 24. They **really** hate their users.
  * Hash algorithm (sha512 suggested) can be set in:

    * /etc/pam.d/system-auth[-ac]
    * /etc/login.defs
    * /etc/libuser.conf

* Standard restrictions on root's PATH (no relative entries, no world-writable
  directories).
* Disable Ctrl-Alt-Del reboot: alter */etc/init/control-alt-delete.conf* to
  read::

    exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"

* Disable wireless and bluetooth services::

    ifconfig wlan0 down
    rm /etc/sysconfig/network-scripts/ifcfg-wlan0
    chkconfig bluetooth off
    echo 'install net-pf-31 /bin/false' >> /etc/modprobe.d/${file}
    echo 'install bluetooth /bin/false' >> /etc/modprobe.d/${file}

* Doc suggests openswan vs openvpn.
* Auditing:

  * Brief overview of an AVC denial message.
  * Turning auditing on: in addition to ``chkconfig auditd on``, can also add
    *audit=1* to the end of the kernel boot line, so processes started before
    auditd comes up are auditable too.
  * Configuration:

    * /etc/audit/auditd.conf:

      * num_logs: number of logs to retain
      * max_log_file: size at which to rotate, in megs
      * space_left_action: what to do when the filesystem fills up
      * Others as makes sense.
    * /etc/audit/audit.rules (rules are wrapped with ``\`` below for
      readability; in the actual file each rule goes on one line):

      * Account/group changes::

          # audit_account_changes
          -w /etc/group -p wa -k audit_account_changes
          -w /etc/passwd -p wa -k audit_account_changes
          -w /etc/gshadow -p wa -k audit_account_changes
          -w /etc/shadow -p wa -k audit_account_changes
          -w /etc/security/opasswd -p wa -k audit_account_changes

      * Network changes (ARCH is b32 or b64; on a 64-bit box use one rule of
        each, otherwise 32-bit callers of the syscall go unlogged)::

          # audit_network_modifications
          -a always,exit -F arch=ARCH -S sethostname -S setdomainname \
              -k audit_network_modifications
          -w /etc/issue -p wa -k audit_network_modifications
          -w /etc/issue.net -p wa -k audit_network_modifications
          -w /etc/hosts -p wa -k audit_network_modifications
          -w /etc/sysconfig/network -p wa \
              -k audit_network_modifications

      * selinux changes::

          -w /etc/selinux/ -p wa -k MAC-policy

      * Attempts to alter login/logout logs::

          -w /var/log/faillog -p wa -k logins
          -w /var/log/lastlog -p wa -k logins

      * Attempts to alter process/session info::

          -w /var/run/utmp -p wa -k session
          -w /var/log/btmp -p wa -k session
          -w /var/log/wtmp -p wa -k session

      * Unauthorized/unsuccessful file access attempts (auid>=500 is a real
        user on rhel6; 4294967295 is the unset loginuid, i.e. daemons started
        at boot)::

          -a always,exit -F arch=b64 -S creat -S open -S openat \
              -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 \
              -F auid!=4294967295 -k access
          -a always,exit -F arch=b64 -S creat -S open -S openat \
              -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 \
              -F auid!=4294967295 -k access

      * Privileged command execution - one line for each suid/sgid program::

          -a always,exit -F path=${absolute_path_to_command} \
              -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged

      * Audit data leakage (mounts by real users)::

          -a always,exit -F arch=b64 -S mount -F auid>=500 \
              -F auid!=4294967295 -k export

      * sudo actions::

          -w /etc/sudoers -p wa -k actions

      * Kernel module (un)loading::

          -w /sbin/insmod -p x -k modules
          -w /sbin/rmmod -p x -k modules
          -w /sbin/modprobe -p x -k modules
          -a always,exit -F arch=ARCH -S init_module \
              -S delete_module -k modules

      * Add *-e 2* as the last line to make the loaded rules immutable; any
        change then requires a reboot. Seems overly drastic to me...
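Added example, not from these notes or the Red Hat guide: the "one line for
each suid/sgid program" rule above is tedious and error-prone to type, so
this generates those rules by scanning a tree for setuid/setgid files, and
also reports which such files an existing audit.rules does not yet cover.
The sample tree (an empty ``passwd`` with mode 4755, a ``locate`` with 2755,
and a plain ``ls``) is constructed here for the stand-alone run; on a real
box you would scan ``/``.

```shell
#!/bin/sh
# Added example, not from the rhel6 guide or the SCAP Security Guide project.
# Generates the per-binary "privileged" audit rules from what is actually
# installed instead of a hand-typed list.

# gen_privileged_rules ROOT [MIN_UID]
# Emits one -a rule per setuid/setgid regular file under ROOT, without
# crossing filesystems. MIN_UID defaults to 500, the first real user uid on
# rhel6; 4294967295 is the unset loginuid (daemons started at boot).
gen_privileged_rules() {
    root=$1
    min_uid=${2:-500}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        LC_ALL=C sort |
        while IFS= read -r path; do
            # format starts with %s so printf never sees a leading "-a" as an option
            printf '%s always,exit -F path=%s -F perm=x -F auid>=%s -F auid!=4294967295 -k privileged\n' \
                '-a' "$path" "$min_uid"
        done
}

# uncovered_privileged RULES_FILE ROOT
# Lists setuid/setgid files under ROOT that have no "-F path=<file>" rule in
# RULES_FILE, i.e. what is missing from an existing audit.rules.
uncovered_privileged() {
    rules=$1
    root=$2
    gen_privileged_rules "$root" |
        while IFS= read -r line; do
            p=${line#*"-F path="}
            p=${p%% *}
            # fixed-string match; trailing space keeps /usr/bin/foo from matching /usr/bin/foobar
            grep -qF -- "-F path=$p " "$rules" || echo "$p"
        done
}

# make_sample_tree DIR: constructed sample; a real run scans / instead.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/bin" "$dir/sbin"
    : > "$dir/bin/passwd";  chmod 4755 "$dir/bin/passwd"   # setuid -> rule
    : > "$dir/sbin/locate"; chmod 2755 "$dir/sbin/locate"  # setgid -> rule
    : > "$dir/bin/ls";      chmod 0755 "$dir/bin/ls"       # plain -> no rule
}

SAMPLE=$(mktemp -d)
make_sample_tree "$SAMPLE"
gen_privileged_rules "$SAMPLE"
```

Feed the output into /etc/audit/audit.rules (or ``auditctl -R``) and re-run
``uncovered_privileged /etc/audit/audit.rules /`` after patching: package
updates add and remove setuid binaries, so the list drifts.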
      * Changing DAC::

          -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat \
              -F auid>=500 -F auid!=4294967295 -k perm_mod
          -a always,exit -F arch=b64 -S chown -S fchown -S fchownat \
              -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
          -a always,exit -F arch=b64 -S setxattr -S lsetxattr \
              -S fsetxattr -S removexattr -S lremovexattr \
              -S fremovexattr -F auid>=500 -F auid!=4294967295 \
              -k perm_mod

  * Logs at 0640 or harder.

Services:
=========

Doc breaks out services into obsolete and base ones. Obsolete are the services
typically provided by (x)inetd. Skim through the obsolete ones - they're not
installed unless specifically requested on rhel.

* tftp: used by pxe boot, if I remember correctly.
* Base services:

  * Disable:

    * abrtd: automatic bug reporting tool.
    * acpid: useful on laptops/desktops, but useless and a potential DOS for
      servers and virtuals.
    * certmonger: if the system doesn't have anything to do w/pki certs.
    * cgconfig: control groups - allows the SA to allocate resources to
      defined groups of processes.
    * cgred: control group rules engine.
    * cpuspeed: saves power and heat by lowering the cpu clock speed based on
      current processing load.
    * haldaemon: hardware abstraction layer daemon; useful on laptops/desktops
      using removable media, but shouldn't be run on servers or virtuals.
    * kdump: kernel crash dump capture service.
    * mdmonitor: software raid array monitor.
    * netconsole: loads a kernel mod which logs kernel printk messages to a
      syslog server.
    * oddjobd: basically, sudo for tasks run via the message bus.
    * qpidd: apache Qpid; listens for advanced message queuing protocol
      messages on port 5672. Disable if installed and not using AMQP.
    * quota_nld: disable if not using quotas.
    * rdisc: servers serve, routers route. Servers shouldn't be routers;
      disable the router discovery daemon.
    * saslauthd: if not using kerberos or ldap.

  * Enable:

    * irqbalance: balances h/w interrupts across multiple processors. Enable
      if server and have more than one processor.
    * psacct: process accounting.
      Doc suggests limited usefulness. Investigate.

  * sshd:

    * ClientAliveInterval ${seconds}: idle time after which sshd sends the
      client a keepalive probe.
    * ClientAliveCountMax 0: on rhel6's OpenSSH the connection is dropped at
      that first probe, i.e. the user is logged out after ClientAliveInterval
      seconds idle. (OpenSSH 8.2 and later treat 0 as "never disconnect", so
      don't carry this pair forward to newer boxes blindly.)
    * IgnoreRhosts yes: should be the default.

  * Turn off or configure miscellaneous services:

    * avahi
    * cups
    * dhcp
    * ntpd
    * SMTP software. postfix is more selinux friendly, apparently.
    * ldap:

      * *ssl start_tls* in */etc/pam_ldap.conf*
      * tls_cacertfile ${file} : the file for the CA?
      * ldap certificates:

    * NFS and RPC:

      * If NFS is disabled, also disable:

        * nfslock
        * rpcgssd
        * rpcidmapd

      * Securely configure nfs otherwise. Doc has good suggestions; but, I
        would imagine a more detailed analysis of NFS is required.

    * httpd, samba: whole books written on securing those puppies.
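Added example, not from these notes or the Red Hat guide: a check that reads
``chkconfig --list`` output and reports which of the services the doc says to
disable are still on in a given runlevel, and which of the ones to enable are
off or not installed. The disable/enable lists are my reading of the service
notes above (avahi, cups and bluetooth are included as "off unless needed"),
and the listing is a constructed sample so the script runs offline; on a real
box capture it with ``chkconfig --list > /tmp/chk.out``.

```shell
#!/bin/sh
# Added example, not from the rhel6 guide or the SCAP Security Guide project.
# Parses "chkconfig --list" output, including the "xinetd based services:"
# section, and compares it with the disable/enable lists from the notes above.

# Services the doc says to disable (plus the turn-off-or-configure ones and
# the xinetd-provided tftp), and the ones it says to enable.
DISABLE_LIST='abrtd acpid certmonger cgconfig cgred cpuspeed haldaemon kdump
mdmonitor netconsole oddjobd qpidd quota_nld rdisc saslauthd
avahi-daemon cups bluetooth tftp'
ENABLE_LIST='auditd irqbalance psacct sshd'

# runlevel_state LISTING SERVICE RUNLEVEL
# Prints on/off for SysV services ("name 0:off 1:off 2:on ...") and for
# xinetd services ("        name:  on"), or "absent" if not listed at all.
runlevel_state() {
    awk -v s="$2" -v rl="$3" '
        $1 == s {
            for (i = 2; i <= NF; i++)
                if (split($i, f, ":") == 2 && f[1] == rl) { print f[2]; found = 1 }
        }
        $1 == (s ":") { print $2; found = 1 }
        END { if (!found) print "absent" }' "$1"
}

# service_findings LISTING RUNLEVEL
# Prints "disable <svc>" for each disable-list service that is on, and
# "enable <svc> (<state>)" for each enable-list service that is off or absent
# (absent means not installed, which for the enable list is worth a look).
service_findings() {
    listing=$1
    rl=$2
    for s in $DISABLE_LIST; do
        [ "$(runlevel_state "$listing" "$s" "$rl")" = on ] && echo "disable $s"
    done
    for s in $ENABLE_LIST; do
        st=$(runlevel_state "$listing" "$s" "$rl")
        [ "$st" = on ] || echo "enable $s ($st)"
    done
    return 0
}

# write_sample_listing FILE: constructed "chkconfig --list" output.
write_sample_listing() {
    cat > "$1" <<'EOF'
abrtd           0:off   1:off   2:off   3:on    4:on    5:on    6:off
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
certmonger      0:off   1:off   2:off   3:off   4:off   5:off   6:off
irqbalance      0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
        tftp:           on
        rsync:          off
EOF
}

LISTING=$(mktemp)
write_sample_listing "$LISTING"
service_findings "$LISTING" 3
```

Against the sample, runlevel 3 yields disable abrtd, acpid and tftp, and
enable irqbalance (off) and psacct (absent). Running it for runlevel 5 as well
catches services that were only turned off in the multi-user level.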