Notes on rhel6 secure configuration doc
01/03/14: Going to read through the doc located on redhat's site. Get some CPEs out of it as well. Starting at 0820.
Nice list of principles:
Encrypt data whenever possible
Minimize installed s/w
Run different network services on different systems
Security tools:
iptables
selinux
auditing
Forgot HIDS - rhel uses AIDE - see below. AIDE is an integrity checker, not a full-blown intrusion detection suite.
Least privilege
System settings:
A lot of stuff in this section might make it to my hardening checklist.
Separate filesystems for:
/tmp
/var
/var/log
/var/log/audit
encrypt partitions:
Not overly crazy about doing that for in-house systems.
Cloud systems, definitely.
as part of kickstart:
part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
Suggests patching your systems. Wow, who’d-a-thunk?
AIDE: Integrity checker for rhel
Stands for Advanced Intrusion Detection Environment
Disable prelinking, as it rewrites binaries on disk (and so trips integrity checkers like AIDE).
mount options:
nodev for non-root partitions, removable media, and /dev/shm.
noexec,nosuid options for removable media, /dev/shm, and (situationally) /tmp. Doc states:
Allowing users to execute binaries from world-writable directories such as /tmp should never be necessary in normal operation and can expose the system to potential compromise.
While it’s an understandable security stance, it doesn’t take into account that /tmp is the generic place to extract files which are then executed for installation.
That’s not to say that /tmp can’t be remounted exec for the installation, then remounted noexec when done. One client had their puppet CM tool handling the remount daily.
Wholeheartedly agree w/the nosuid for /tmp, though.
Interesting: bind mount /var/tmp to /tmp:
# grep /tmp /etc/fstab
/tmp /var/tmp none rw,nodev,noexec,nosuid,bind 0 0
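An added example (mine, not from the Red Hat guide or these notes) for checking the mount options above: a small audit that reads /proc/mounts-format lines from a file (so it can run against a saved copy of /proc/mounts from any host) and reports which of nodev/nosuid/noexec are missing, plus the "remount /tmp exec for the install, then back to noexec" wrapper mentioned above. The policy list, the sample mount table and the mount points in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide or these notes: audit mount options
# against a nodev/nosuid/noexec policy. Input is /proc/mounts format, read from
# a file so it also works on a saved copy; on a live box pass /proc/mounts.

# Policy (assumed): "mountpoint:required,options". /tmp carries noexec here;
# drop it to "nodev,nosuid" if you take the "remount exec for installs" approach.
MOUNT_POLICY="/tmp:nodev,nosuid,noexec /var/tmp:nodev,nosuid,noexec /dev/shm:nodev,nosuid,noexec /home:nodev"

# has_opt "rw,nosuid,nodev" nosuid  -> exit 0 if the option is present
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mounts <mounts-file>: prints one line per violation, returns 1 if any.
# Field 2 of /proc/mounts is the mount point, field 4 the option string; the
# last matching line wins, which is what the kernel shows for stacked mounts.
check_mounts() {
    mounts=$1
    rc=0
    for entry in $MOUNT_POLICY; do
        mp=${entry%%:*}
        required=${entry#*:}
        actual=$(awk -v mp="$mp" '$2 == mp { opts = $4 } END { print opts }' "$mounts")
        if [ -z "$actual" ]; then
            echo "$mp not a separate mount"
            rc=1
            continue
        fi
        for opt in $(echo "$required" | tr ',' ' '); do
            has_opt "$actual" "$opt" || { echo "$mp missing $opt"; rc=1; }
        done
    done
    return $rc
}

# The "remount exec just for the install" dance: run one command with /tmp
# executable, then put noexec back whatever the command's exit status was.
with_exec_tmp() {
    mount -o remount,exec /tmp || return 1
    "$@"
    rc=$?
    mount -o remount,noexec /tmp
    return $rc
}

# Constructed sample of /proc/mounts (not captured from a real host):
# /tmp lacks noexec, /dev/shm has no restrictions, /home is not a separate fs.
sample_mounts() {
    cat <<'EOF'
/dev/mapper/vg-root / ext4 rw,relatime,barrier=1,data=ordered 0 0
/dev/mapper/vg-tmp /tmp ext4 rw,nosuid,nodev,relatime 0 0
/dev/mapper/vg-tmp /var/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
EOF
}

# Usage: sample_mounts > mounts.sample && check_mounts mounts.sample
# Live:  check_mounts /proc/mounts
```

Against the constructed table it reports five problems (/tmp missing noexec, all three options missing on /dev/shm, and /home not being its own filesystem); on a clean host it prints nothing and exits 0, which makes it usable as a CM or cron check.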
Disable modprobe loading of usb storage
By users:
echo 'install usb-storage /bin/false' > /etc/modprobe.d/usb-storage.conf
By everyone: add nousb to end of kernel boot line. Realize that usb keyboards, mice, and printers won’t work either.
By gnome:
# gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type bool \
    --set /apps/nautilus/preferences/media_automount false
# gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type bool \
    --set /apps/nautilus/preferences/media_autorun_never true
Protect bios:
password protect changes
prevent booting from usb
Numerous filesystem type kernel mod preventions. Not sure that's a good idea. One line per filesystem type in /etc/modprobe.d/${fs}.conf:
install ${fs} /bin/false
File/directory perms/ownership:
All world writable dirs have sticky bit and owned by a system account.
No world writable files? Ensure that’s valid before changing willy nilly
Verify all SGID/SUID files.
Standard owner/group perms restrictions on other files/directories, including shared libraries
Kernel:
kernel.dmesg_restrict=1 : prevents unprivileged users from reading the kernel ring buffer (dmesg).
fs.suid_dumpable=0 : disables core dumps for setuid programs. Understand the reason; but, I'm not really sure I'm comfortable w/disabling core dumps by default.
kernel.exec-shield=1 : enables the Red Hat kernel's Exec Shield protections against memory corruption and buffer overflow attacks. RHEL-specific sysctl; it doesn't exist on stock kernels.
kernel.randomize_va_space=2 : enables full Address Space Layout Randomization (ASLR) - stack, mmap and brk - which makes buffer overflow attacks much more entertaining.
net.ipv4.conf.default.send_redirects=0 : disables sending ICMP redirects on newly created interfaces
net.ipv4.conf.all.send_redirects=0 : disables sending ICMP redirects on all existing interfaces
net.ipv4.ip_forward=0 : disable IP forwarding if appropriate (routers, and iptables NAT/forwarding setups, need it)
net.ipv4.conf.all.accept_source_route=0 : drop source-routed packets
net.ipv4.conf.all.secure_redirects=0 : the guide sets this alongside net.ipv4.conf.all.accept_redirects=0, which is missing from this list. Careful with the kernel semantics: secure_redirects=1 is the restrictive value (accept redirects only from gateways in the routing table), and it is accept_redirects=0 that actually makes the host ignore ICMP redirects, so set both to 0 rather than secure_redirects alone.
net.ipv4.conf.all.log_martians=1 : logs martians, i.e. packets with impossible (unroutable or spoofed) source addresses
net.ipv4.icmp_echo_ignore_broadcasts=1 : ignore ICMP echo requests sent to broadcast addresses (smurf amplification)
net.ipv4.icmp_ignore_bogus_error_responses=1 : don't log bogus ICMP error responses from broken routers
net.ipv4.tcp_syncookies=1 : use SYN cookies so a SYN flood can't exhaust the listen backlog
net.ipv4.conf.all.rp_filter=1 : reverse-path filtering; drops packets whose source address would not be routed back out the interface they arrived on (anti-spoofing)
net.ipv4.conf.default.rp_filter=1 : same as above, but applied to new interfaces rather than all existing ones.
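An added example (mine, not from the Red Hat guide) that turns the sysctl list above into a check: it compares the expected values against a saved `sysctl -a` dump, so it runs offline and can be pointed at output collected from many hosts, and it prints the `sysctl.conf` lines needed to fix deviations. The policy is the list above plus net.ipv4.conf.all.accept_redirects=0, the knob that actually ignores ICMP redirects; the sample dump is constructed, and "not present" for kernel.exec-shield is expected on any non-Red Hat kernel.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: compare expected sysctl settings
# against a "sysctl -a" dump saved to a file (sysctl -a > host.sysctl).

# Expected values (assumed policy: the list from the notes plus accept_redirects).
SYSCTL_POLICY="
kernel.dmesg_restrict=1
fs.suid_dumpable=0
kernel.exec-shield=1
kernel.randomize_va_space=2
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
"

# sysctl_value <dump> <key>: value of key in a "key = value" dump, empty if absent.
# Exact match on the key, so a key never matches a longer key it is a prefix of.
sysctl_value() {
    awk -v k="$2" 'BEGIN { FS = " *= *" } $1 == k { v = $2 } END { print v }' "$1"
}

# check_sysctl <dump>: one line per deviation, exit 1 if any:
#   "<key>: want <v>, have <v>"  or  "<key>: not present"
# "not present" for kernel.exec-shield is expected on non-Red Hat kernels.
check_sysctl() {
    dump=$1
    rc=0
    for kv in $SYSCTL_POLICY; do
        key=${kv%%=*}
        want=${kv#*=}
        have=$(sysctl_value "$dump" "$key")
        if [ -z "$have" ]; then
            echo "$key: not present"
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "$key: want $want, have $have"
            rc=1
        fi
    done
    return $rc
}

# fix_sysctl <dump>: print the sysctl.conf lines that correct the mismatches
# (review them, append to /etc/sysctl.conf, run sysctl -p). Keys that are not
# present at all are skipped, since the kernel can't take them anyway.
fix_sysctl() {
    check_sysctl "$1" | sed -n 's/^\([^:]*\): want \([^,]*\),.*/\1 = \2/p'
}

# Constructed sample dump (not from a real host): dmesg_restrict, send_redirects
# and accept_redirects are wrong, exec-shield is absent, the rest is compliant.
sample_sysctl_dump() {
    cat <<'EOF'
kernel.dmesg_restrict = 0
fs.suid_dumpable = 0
kernel.randomize_va_space = 2
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_local_port_range = 32768	61000
EOF
}

# Usage: sample_sysctl_dump > sysctl.sample; check_sysctl sysctl.sample; fix_sysctl sysctl.sample
```

Reading a dump rather than /proc/sys directly is deliberate: the same check can run on a workstation over output pulled from every host, and the diff between `fix_sysctl` output and /etc/sysctl.conf tells you whether a setting is missing from the file or merely not yet applied (`sysctl -p`).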
Disable core dumps:
* hard core 0
in /etc/security/limits.conf
selinux: suggests making selinux enforcing on all systems.
Ensure no unconfined daemons:
ps -eZ | grep initrc
# no output is good.
Ensure no unlabeled device files (the parentheses matter: without them -print binds only to -type c and block devices are never listed):
find /dev \( -type b -o -type c \) -print | xargs -i ls -dZ {} | grep -i unlabel
Accounts and access control
Doc talks about weakness of password based authentication then says access to root and other administrative commands should be done by password.
Also talks about restricting root even on the console. I way disagree with that one.
Non-interactive system accounts’ shells set to /sbin/nologin
password restrictions
mostly /etc/login.defs (how does this interact w/ldap?)
password length = 14??? dod req, apparently.
Inactivity: /etc/default/useradd (INACTIVE=, i.e. days after password expiry before the account is disabled)
Expire temporary accounts.
pam
Ensure null passwords disabled from pam:
# grep -i nullok system-auth-ac
auth        sufficient    pam_unix.so nullok try_first_pass
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
# perl -i -ple 's/\bnullok\b//g' system-auth-ac
last login notification in system-auth[-ac]:
session required pam_lastlog.so showfailed
use pam_cracklib or pam_passwdqc (all on one line):
password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1
Lock out users for 15 minutes after 3 failed password attempts:
auth required pam_faillock.so authsucc deny=3 unlock_time=900 fail_interval=300
Caveat: that line on its own locks nobody out. pam_faillock also needs a "preauth" line before pam_unix.so and an "authfail" line after it (plus "account required pam_faillock.so"), all with the same deny/unlock_time/fail_interval arguments, or the failures are never counted.
remember=# sets password history on password sufficient pam_unix.so line. DOD wants 24. They really hate their users.
hash algorithm (sha512 suggested) can be set in:
/etc/pam.d/system-auth[-ac]
/etc/login.defs
/etc/libuser.conf
Standard restrictions on root's PATH: no current-directory or relative entries, no world-writable directories.
Disable <ctrl><alt><del>: Alter /etc/init/control-alt-delete.conf to read:
exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"
Disable wireless and bluetooth services:
ifconfig wlan0
rm /etc/sysconfig/network-scripts/ifcfg-wlan0
chkconfig bluetooth off
echo "install net-pf-31 /bin/false" >> /etc/modprobe.d/${file}
echo "install bluetooth /bin/false" >> /etc/modprobe.d/${file}
Doc suggests openswan vs openvpn
Auditing:
Brief overview of an AVC denial message
Turning auditing on. In addition to
chkconfig auditd on
can also add audit=1 to the end of the kernel boot line so processes started before auditd are covered too.
Configuration:
/etc/audit/auditd.conf:
num_logs: number of logs to retain
max_log_file: size at which to rotate, in megabytes
space_left_action: what to do when free space on the log filesystem drops below the space_left threshold.
Others as makes sense.
/etc/audit/audit.rules:
Account/group changes:
# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes
network changes (ARCH is a placeholder for b32 or b64; on x86_64 the syscall rule has to be present for both, or 32-bit binaries go unaudited):
# audit_network_modifications
-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications
selinux changes:
-w /etc/selinux/ -p wa -k MAC-policy
Attempts to alter login/logout logs:
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
Attempts to alter process/session info:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
Unauthorized/unsuccessful file access attempts:
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
Privileged command execution - one line for each suid/sgid program:
-a always,exit -F path=${absolute_path_to_command} \ -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
Audit data leakage:
-a always,exit -F arch=b64 -S mount -F auid>=500 \ -F auid!=4294967295 -k export
sudo actions:
-w /etc/sudoers -p wa -k actions
Kernel module (un)loading:
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
Add -e 2 to make changes to the rules require a reboot. Seems overly drastic to me…
Changing DAC:
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
Audit logs at mode 0640 or stricter.
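An added example (mine, not from the Red Hat guide) that covers two things the rule fragments above leave to the reader: the arch=ARCH placeholders, which on x86_64 have to be emitted once for b64 and once for b32 (a b64-only rule never sees a 32-bit binary), and the "privileged" rules, which are one per setuid/setgid program and are generated from a find(1) inventory rather than typed by hand. The template, the setuid list and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: expand audit rule templates into a
# loadable rule set. Template rules use the literal token ARCH, as in the guide.

# syscall_rules <template>: -w file watches pass through once; each arch=ARCH
# rule is emitted once per ABI so 32-bit and 64-bit syscalls are both covered.
syscall_rules() {
    grep -v 'arch=ARCH' "$1" || true
    for arch in b32 b64; do
        grep 'arch=ARCH' "$1" | sed "s/arch=ARCH/arch=$arch/"
    done
}

# privileged_rules <list>: one rule per path in the inventory, which is built with
#   find / -xdev \( -perm -4000 -o -perm -2000 \) -type f > suid.list
# auid>=500 is RHEL 6's UID_MIN; RHEL 7 and later start regular users at 1000.
privileged_rules() {
    while read -r path; do
        [ -n "$path" ] || continue
        printf '%s\n' "-a always,exit -F path=$path -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged"
    done < "$1"
}

# build_rules <template> <suid-list>: the full rule set, ending with the guide's
# -e 2 so the rules are immutable until reboot (leave it off while iterating).
build_rules() {
    syscall_rules "$1"
    privileged_rules "$2"
    echo '-e 2'
}

# Constructed template (not a real audit.rules): the network, module and access
# rules from the notes plus one file watch, in the guide's ARCH-placeholder form.
sample_template() {
    cat <<'EOF'
-w /etc/sysconfig/network -p wa -k audit_network_modifications
-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications
-a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
EOF
}

# Constructed setuid inventory (a real one comes from the find above).
sample_suid_list() {
    cat <<'EOF'
/usr/bin/sudo
/usr/bin/passwd
/bin/ping
EOF
}

# Usage:  sample_template > rules.tmpl; sample_suid_list > suid.list
#         build_rules rules.tmpl suid.list > /etc/audit/audit.rules
#         auditctl -R /etc/audit/audit.rules && auditctl -l
```

The constructed template yields seven syscall/watch rules (one watch, three templates times two ABIs) and the three-entry inventory three privileged rules; `auditctl -l` after loading is the check that the kernel accepted every line, since a rejected syscall name simply drops that rule.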
Services:
Doc breaks out services into obsolete and base ones. Obsolete are the services typically provided by (x)inetd. Skim through the obsolete ones - they’re not installed unless specifically requested on rhel.
tftp: used by pxe boot, if I remember correctly.
Base services:
Disable:
abrtd: automatic bug reporting tool.
acpid: useful on laptops/desktops, but useless and potential DOS for servers and virtuals.
certmonger: if system doesn’t have anything to do w/pki certs.
cgconfig: control groups - allows SA to allocate resources to defined groups of processes.
cgred: Control group rules engine
cpuspeed: cuts power draw and heat by lowering the CPU clock speed when load is low.
haldaemon: hardware abstraction layer daemon: useful on laptops/desktops using removable media; but shouldn't be run on servers or virtuals.
kdump: captures a kernel crash dump (via kexec) for later analysis; it is not itself an analyzer.
mdmonitor: software raid array monitor
netconsole: loads kernel mod which logs kernel printk messages to a syslog server.
oddjobd: runs privileged helper tasks on behalf of unprivileged D-Bus clients; basically, sudo for tasks run via the message bus.
qpidd: apache Qpid. listens for advanced message queuing protocol messages on port 5672. Disable if installed and not using AMQP.
quota_nld: Disable if not using quotas.
rdisc: ICMP router discovery daemon (finds default gateways by listening for router advertisements). Servers serve, routers route; a server doesn't need to discover routers dynamically, so disable it.
saslauthd: if not using kerberos or ldap.
Enable:
irqbalance: balances h/w interrupts across multiple processors. Enable if server and have more than one processor.
psacct: process accounting. Doc suggests limited usefulness. Investigate.
sshd:
ClientAliveInterval ${seconds}: how long sshd waits without client traffic before sending a keepalive probe.
ClientAliveCountMax 0: with the OpenSSH 5.3 shipped in RHEL 6 the connection is killed when the first probe comes due, regardless of whether the client answers, so idle users are logged out after ClientAliveInterval seconds. Caveat for newer hosts: OpenSSH 8.2 and later treat a count of 0 as "never disconnect", so use ClientAliveCountMax 1 there.
IgnoreRhosts yes: should be the default (and is).
Turn off or configure miscellaneous services:
avahi
cups
dhcp
ntpd
SMTP software. postfix is more selinux friendly, apparently.
ldap:
ssl start_tls in /etc/pam_ldap.conf
tls_cacertfile ${file} : the CA certificate (or bundle) used to verify the LDAP server's certificate; without it start_tls happens but the server is never validated.
ldap certificates:
NFS and RPC:
If NFS is disabled, also disable:
nfslock
rpcgssd
rpcidmapd
Securely configure nfs otherwise. Doc has good suggestions; but, I would imagine a more detailed analysis of NFS is required.
httpd, samba: whole books written on securing those puppies.