
Linux Hardening

General Checklist
Created June 2012
Updated July 2012
Authors:
Paul Loftness
Simeon Blatchley

Overview
This document is a general checklist for hardening a Linux system. It is comprised of two other
types of documents which will be referred to at various times throughout this general
checklist. They are Advanced Checklists and Configuration Checklists (see description
below). Both are for the advanced hardening of your system, and require more knowledge and
skill, and also have more potential to break something. The important thing to remember
is that there is no 100% right checklist. There are bound to be variables that must be
changed, and all this document intends to do is allow the Linux user to follow the
steps and successfully secure any type of system without needing much knowledge.
However, they will still have the ability to further their security with the more advanced
checklists. Of course, with the more advanced checklists there is more of a chance of
breaking something, and thus all steps must be researched for your specific distro/system.
A single user's security settings will be vastly different from a multi-user system's.
Note: All commands listed will need to be run as root. You can switch to root by running
either sudo -i or su.
Note: Where we use vi as the command line editor, you can replace it with gedit or a GUI
editor.
Note: Where we use apt-get you can insert your distro's version of package management. Or, if
necessary, you can download the source and compile it (a somewhat easy process of
./configure, make, make install, etc.).
Note: Shaded areas are terminal commands. You can cut and paste these, although one
should be careful and know what the command actually does.
Advanced Checklists: These are checklists that go into more detail on various security
aspects, and are not necessarily to be strictly followed, as the testing environment may differ
from your system. However, when deployed properly they can greatly improve the system
security.
Configuration Checklists: These are pretty self-explanatory. They are just what we are
suggesting as the configuration of certain security packages, scripts, etc. (like AppArmor and
Bastille). Essentially, when there are variables that need to be input and what you put may
greatly affect the security, these checklists will help you better decide what options to
choose/use. Remember: Although we may say choose option 'X', that is strictly a guideline,
and it is your job to know what options will work for your system. We will try to note where our
options will not work on certain systems.

Maintenance:
1. Update the Operating System:
   Debian/Ubuntu/etc.
       apt-get update
       apt-get upgrade
   Red Hat, Yellow Dog, CentOS, Scientific Linux, Fedora, etc.
       yum list updates
       yum update
   SUSE
       zypper ref    (Refresh the repos)
       zypper dup    (Normal update and install)

Harden the System
1. Install Bastille.
   There are a few options around to harden a Linux system, but we have
   tested Bastille in real life scenarios and found it to be the most resilient. It is
   rather customizable for various types of configurations.
       apt-get install bastille
   Choose yes when it asks if you want to continue. Once it is done
   installing, run:
       bastille -c
   This will start the command line interface to allow you to configure Bastille.
   From there, you'll accept their terms of agreement and be on your way. It is
   safe to say that you can just accept the default values; however, you should also read
   about them. Please see our Bastille Configuration file for a more detailed look at
   Bastille. It's safe to ignore most errors it throws at the end and beginning of the
   configuration.
2. Install AppArmor.
   Some packages will install their own enforced profiles. Active profiles for a
   LAMP server:
       usr.sbin.mysqld
       usr.sbin.apache2
   All activity will be logged by auditd and saved to
   /var/log/audit/audit.log
       apt-get install apparmor-profiles
       apparmor_status    (to see current profiles and associated modes)
       man apparmor       (for more details of what to do with that information)

3. Configure and Use SELinux
   As this is a more complicated and advanced alternative to AppArmor, there is a
   detailed checklist specifically for completing the below actions:
   a) Installation varies greatly. Please look up the process for your distribution.
   b) Activate
      Temporarily: setenforce 0|1
          0 activates permissive (monitoring) mode.
          1 activates permission enforcement.
   c) Service Profiles
      Using SELinux on a service:
      List available SELinux service profiles:
          man -k selinux
      To explore a specific profile: man httpd_selinux.
      This will provide the commands to engage SELinux for the service for
      your distribution.
   d) Service Settings
      SELinux provides a number of boolean (on or off) settings for each
      service.
          semanage boolean -l
      Lists the current status, permanent status, and an explanation of each
      boolean.
      To turn a boolean on:
          setsebool -P example_boolean on
      -P makes the change permanent.
4. Configure and use the PAM authentication daemon
   The instructions below are assuming that you do not have SELinux installed.
   These configurations may change with the installation of SELinux. They will be
   covered in the SELinux detailed checklist. Also, for further PAM info, refer to the
   PAM Configurations checklist.
       vi /etc/pam.d/common-password
   change:
       password requisite pam_unix.so nullok obscure sha512
   to:
       password requisite pam_unix.so nullok obscure sha512 minlen=8
   Change minlen=8 to whatever password policy length you want.
   Shadow File Password Policy
   Change minimum and maximum password ages (most likely set to 0:99999 in
   the file). I suggest changing those to 1:60 for all entries. Here is a good example of
   changing password aging from the shadow file:
   http://www.cyberciti.biz/faq/understanding-etcshadow-file/

5. Shut down unnecessary services
       netstat -anp | grep LISTEN | grep -v STREAM
   Analyze the services and the process id/process name. Determine which
   services to terminate.
       cd /etc
       find . -print | grep XXX    (where XXX is part of the name of the program)
   For those entries in the "/etc/rc#.d" directory, delete them (rm).
   Some suggestions to disable:
   a. Remove or disable the "r" commands
      This includes rlogind, rshd, rcmd, rexecd, rbootd, rquotad, rstatd, rusersd,
      rwalld and rexd. These services are inadequately authenticated. It is
      better to remove these and use SSH and scp instead.
   b. Remove or disable fingerd
      Remove or disable fingerd if present. Apart from the possibility of a
      software vulnerability, fingerd allows an attacker to enumerate usernames
      on the system and to determine the timing and frequency of system
      administrator logins.
   c. Remove or disable tftpd
      tftpd is unauthenticated and not protected against brute force attacks
      seeking to enumerate and download files. Do not use tftpd (trivial file
      transfer protocol) unless unavoidable.
   d. Remove or disable telnet
      Telnet sends commands unencrypted over the wire. This enables the
      sniffing of passwords and other information as well as man-in-the-middle
      attacks. Replace with SSH.
   e. Disable the SNMP daemon
      If present by default, disable any SNMP daemon unless this is really
      required for the role of the computer.
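   The following is an added example, not part of the checklist: a small parser that reduces
   netstat -anp output to the data this step asks you to analyze (protocol, bound address,
   PID and program). The checklist's pipeline greps for LISTEN, which never appears on UDP
   lines, so this version also reports UDP sockets bound to every interface (0.0.0.0 or ::),
   since those are exposed just the same. The netstat text below is constructed for the
   example, not captured from a real host.

```shell
#!/bin/sh
# Added example: extract exposed sockets from `netstat -anp` output.

# Constructed sample of `netstat -anp` output (not from a real host).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1021/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1107/apache2
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 2201/sshd: paul
udp        0      0 0.0.0.0:161             0.0.0.0:*                           944/snmpd
udp        0      0 127.0.0.1:53            0.0.0.0:*                           700/dnsmasq
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     12345    812/sshd            /run/sshd.sock'

# Read netstat output on stdin and print "proto local-address pid program" for
# every TCP socket in LISTEN state and every UDP socket bound to a wildcard
# address. Loopback-only UDP (the dnsmasq line) is not reported.
listening_services() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" { split($7, p, "/"); print $1, $4, p[1], p[2] }
        $1 ~ /^udp/ && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) { split($6, p, "/"); print $1, $4, p[1], p[2] }
    '
}

# Run the parser over the constructed sample.
sample_listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" | listening_services
}

# Number of exposed sockets in the sample: three TCP listeners plus snmpd on UDP.
count_sample_listeners() {
    sample_listeners | wc -l | tr -d ' '
}

# On a real host: netstat -anp | listening_services
sample_listeners
```

   Each output line gives you the PID to look up the service and the program name to search
   for under /etc with the find command above.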
6. Disable unnecessary boot services.
   Some services are needed but not all the time. In the interests of speed and
   security they should be disabled when not in use. We've created a simple script
   for this. It can be easily edited and must be run as root. Please see the folder titled
   Scripts and look for the DisableBootServices script.
       cd /etc/init or /etc/xinit    (should match /etc/init.d)
       cd /etc/init.d                (examine the two to make sure they match)
       cd /etc
       find rc*.d | xargs ls -l
   All entries should be links to the ../init.d directory. Investigate those that
   aren't.
   Startup scripts (00755 is the norm, but 00700 is OK here as well):
   rc.* (as rc.16 or rc16.d) and /init.d/* files
       chmod 0700 /etc/rc*
       chmod 0700 /etc/init.d*
   Here's a good article about services and runlevels:
   https://www.linux.com/news/enterprise/systems-management/8116-an-introduction-to-services-runlevels-and-rcd-scripts/
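   The following is an added example and is not the checklist's DisableBootServices script: it
   automates the "all entries should be links to ../init.d" check above, reporting any rc*.d
   entry that is a plain file or a symlink pointing somewhere other than ../init.d. It runs on a
   constructed /etc tree in a temporary directory so it can be tried unprivileged; pass the real
   /etc to audit a host.

```shell
#!/bin/sh
# Added example: verify that runlevel directories contain only links into ../init.d.

# Build a constructed /etc with one correct link, one link that escapes init.d
# and one plain script dropped straight into a runlevel directory.
make_sample_etc() {
    etc=$(mktemp -d)
    mkdir -p "$etc/init.d" "$etc/rc2.d" "$etc/rc3.d"
    printf '#!/bin/sh\nexit 0\n' > "$etc/init.d/ssh"
    ln -s ../init.d/ssh "$etc/rc2.d/S20ssh"                 # expected form
    ln -s /opt/hidden/agent "$etc/rc2.d/S99agent"            # links outside init.d
    printf '#!/bin/sh\nexit 0\n' > "$etc/rc3.d/S50updater"   # not a link at all
    ln -s ../init.d/ssh "$etc/rc3.d/K20ssh"
    printf '%s\n' "$etc"
}

# audit_rc_dirs ETC: print "path: reason" for each suspicious entry.
# Returns 0 when every entry is a link into ../init.d, 1 otherwise.
audit_rc_dirs() {
    etc=$1
    status=0
    for entry in "$etc"/rc*.d/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob
        if [ ! -L "$entry" ]; then
            printf '%s: not a symlink\n' "$entry"
            status=1
            continue
        fi
        target=$(readlink "$entry")
        case "$target" in
            ../init.d/*) ;;    # the form every runlevel entry should have
            *) printf '%s: links outside init.d (%s)\n' "$entry" "$target"; status=1 ;;
        esac
    done
    return $status
}

# Number of suspicious entries under ETC, for scripting.
count_rc_findings() {
    audit_rc_dirs "$1" | wc -l | tr -d ' '
}

sample=$(make_sample_etc)
if audit_rc_dirs "$sample"; then
    echo "all runlevel entries link into ../init.d"
else
    echo "review the entries above before removing them"
fi
rm -rf "$sample"
```

   On a host, run audit_rc_dirs /etc as root; a link that resolves outside init.d or a script
   copied directly into an rcN.d directory is exactly the kind of entry the step says to investigate.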
Lock down User Sessions:
1. Secure terminals:
   The relevant configuration file may be called /etc/ttys, /etc/default/login,
   /etc/security or /etc/securetty depending on the system. See the manual pages
   for file format and usage information. Check that the secure option is removed
   from any local entries that don't need root login capabilities. The secure option
   should be removed from console if you do not want users to be able to reboot in
   single user mode. [Note: This does not affect usability of the su
   command.]
   If it is not already the default, consider using a special group (such as the
   wheel group on BSD systems) to restrict which users can use su to
   become root.
2. PATH advice
   Check that the current directory "." is not in the PATH. Note that an empty string
   is interpreted to mean the same as ".", so also make sure the PATH does not
   contain any empty strings. For example, the following PATH is insecure:
       /sbin:/bin:/usr/sbin::/usr/bin
   This PATH advice is especially important for the root account. Including . in the
   PATH variable can be used by an attacker to fool a root user into running a
   malicious binary by substituting ./ls instead of /bin/ls, for example.
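   The following is an added example, not from the checklist: a check that tests a PATH string
   for the weaknesses described above, plus a helper that rebuilds a PATH with the unsafe
   elements dropped, suitable for a profile script. It goes slightly beyond the text in that it
   also flags any other relative entry (such as "bin" or "./tools"), since those let whoever
   controls the current directory plant a lookalike command just as "." does.

```shell
#!/bin/sh
# Added example: detect and strip unsafe PATH elements.

# check_path PATHSTRING: print one line per unsafe element and return 1;
# return 0 for a clean PATH.
check_path() {
    rest="$1:"        # trailing ':' sentinel so the final element is handled like the rest
    status=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            "")  printf 'unsafe: empty element (the shell treats it as ".")\n'; status=1 ;;
            .)   printf 'unsafe: "." (current directory)\n'; status=1 ;;
            /*)  ;;   # absolute directory: fine
            *)   printf 'unsafe: relative entry "%s"\n' "$entry"; status=1 ;;
        esac
    done
    return $status
}

# sanitize_path PATHSTRING: print the PATH with everything but absolute entries removed.
sanitize_path() {
    rest="$1:"
    out=""
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            /*) out="${out:+$out:}$entry" ;;
        esac
    done
    printf '%s\n' "$out"
}

# The insecure PATH from the checklist, then the current shell's PATH.
check_path '/sbin:/bin:/usr/sbin::/usr/bin'
echo "sanitized: $(sanitize_path '/sbin:/bin:/usr/sbin::/usr/bin')"
if check_path "$PATH"; then
    echo "current PATH is clean"
fi
```

   A line such as PATH=$(sanitize_path "$PATH") near the top of root's profile makes the
   advice self-enforcing rather than something to remember.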
3. Configure user login sessions to time out automatically.
   After a certain period of inactivity, in particular for the root user. To do this, set
   the appropriate variable in your shell's startup files.
       typeset -r TMOUT=900    (15 minutes = 900 seconds)
4. Securing History
       chattr +a .bash_history    (append only)
       chattr +i .bash_history
   Users' history is being locked and they will have to agree before they
   use your services.

Lock down Config file Contents:
1. Analyze DNS, looking for rogue entries
       vi /etc/resolv.conf
   Essentially here you should just see the DNS server that the
   router/modem passed on to your computer, and whatever you have
   added. Other entries can be considered to be rogue (remember to scroll
   down). However, before you go and delete your whole file, be sure to
   look up the listed server and do your research.
   Here is a good link for some basic DNS-finding info:
   http://www.cyberciti.biz/faq/how-to-find-out-dns-for-router/
2. Analyze host files
       vi /etc/hosts
3. Analyze contents of permission files
   If you are running sudo, root should have * as the password. If you are running
   su, it will have a password. Nobody else aside from you and known users should
   have a password (the big long hash). If they do, make sure they shouldn't be
   there, and delete that line. Make sure system users have a non-login shell such as
   /bin/false or /usr/sbin/nologin set as their shell. Check for rogue users.
       vi /etc/passwd
       vi /etc/shadow
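   The following is an added example, not from the checklist, covering both the shadow-file
   password-aging step above and this review of /etc/passwd and /etc/shadow. It reports extra
   UID 0 accounts, system accounts (UID below 1000, an assumed cut-off) that still have a login
   shell, accounts with a password hash that are not on your list of known users, and shadow
   entries whose aging fields are still at the 0:99999 default. The passwd and shadow contents
   are constructed for the example and the hashes are placeholders.

```shell
#!/bin/sh
# Added example: audit passwd/shadow contents for rogue and misconfigured accounts.

# Constructed sample files; hash values are placeholders, not real hashes.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
paul:x:1000:1000:Paul:/home/paul:/bin/bash
toor:x:0:0:also root:/root:/bin/bash
svc:x:1001:1001:service acct:/home/svc:/bin/bash'

SAMPLE_SHADOW='root:*:15500:0:99999:7:::
daemon:*:15500:0:99999:7:::
www-data:*:15500:0:99999:7:::
backup:*:15500:0:99999:7:::
paul:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15500:1:60:7:::
toor:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15500:0:99999:7:::
svc:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15500:0:99999:7:::'

# audit_accounts PASSWD_FILE SHADOW_FILE "known users"
# Prints "user: problem" lines; returns 1 if anything was found, 0 if clean.
audit_accounts() {
    awk -F: -v known="$3" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        FNR == NR {                                   # first file: passwd
            user = $1; uid = $3; shell = $7
            if (uid == 0 && user != "root") { print user ": extra UID 0 account"; bad = 1 }
            if (uid > 0 && uid < 1000 && shell !~ /(nologin|false)$/) {
                print user ": system account with login shell " shell; bad = 1
            }
            next
        }
        {                                             # second file: shadow
            user = $1; hash = $2; minage = $4; maxage = $5
            locked = (hash == "" || hash ~ /^[*!]/)   # "*" or "!..." means no usable password
            if (!locked && !(user in ok)) { print user ": has a password hash but is not a known user"; bad = 1 }
            if (!locked && minage == 0 && maxage == 99999) { print user ": password aging left at 0:99999"; bad = 1 }
        }
        END { exit bad }
    ' "$1" "$2"
}

# Run the audit over the constructed samples with "paul" as the only known user.
sample_audit() {
    pw=$(mktemp); shf=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$pw"
    printf '%s\n' "$SAMPLE_SHADOW" > "$shf"
    audit_accounts "$pw" "$shf" "paul"
    rc=$?
    rm -f "$pw" "$shf"
    return $rc
}

count_sample_findings() { sample_audit | wc -l | tr -d ' '; }

if sample_audit; then echo "no problems found"; else echo "review the findings above"; fi
# On a real host (as root): audit_accounts /etc/passwd /etc/shadow "paul simeon"
```

   Every line the audit prints corresponds to one of the manual checks in this step; the aging
   check uses the 0:99999 default and the 1:60 suggestion from the shadow-file step above.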
Set permissions on sensitive files:
1. Configuration Files
   a. Firewall
          chmod 0700 /etc/profile
          chmod 0700 /etc/hosts.allow
          chmod 0700 /etc/mtab
          chmod 0700 /etc/utmp
          chmod 0700 /var/adm/wtmp      (or /var/log/wtmp)
          chmod 0700 /etc/syslog.pid    (or /var/run/syslog.pid)
   b. Kernel
          /etc/sysctl.conf
          /etc/inittab
   c. Users
      Make sure the owner & group are set to root.root and the
      permissions are set to 0644 (except on the /etc/shadow file, which
      should be 400). Here is a good link for permission changing in
      Linux:
      http://articles.slicehost.com/2010/7/17/checking-linux-file-permissions-with-ls
          ls -la /etc/fstab
      Verify: root.root and -rw-r--r-- (644)
          ls -la /etc/passwd
      Verify: root.root and -rw-r--r-- (644)
          ls -la /etc/shadow
      Verify: root.root and -r-------- (400)
          ls -la /etc/group
      Verify: root.root and -rw-r--r-- (644)
          ls -la /etc/sudoers
      Verify: root.root and -rw-r--r-- (644)
2. Log Files
   (usually located in /var/log/, /var/adm, or /var/tmp) are only writable by root.
3. Any World-Writable Files
   Ensure that there are no unexpected world-writable files or directories on your
   system. Use the find command to locate these:
       find / -type d -perm -0002 -ls    (-perm +2 on older GNU find)
   Then, for each unexpected entry:
       chmod 750
       rm
5. Set permissions on sensitive binaries
   Another good security practice is to set the permissions on certain commands.
   However, it is very important to remember that what you change here depends
   on what system you're using. Also, the location of binaries will differ based upon the
   system (for instance /bin, /usr/bin, and /usr/sbin). For instance, a server used for
   development would need the make command to be able to be run by any user,
   whereas on a production server it would not be needed. Some examples (you'll need
   to run these as root):
   Setuid/Setgid:
       find / \( -perm -2000 \)
       chown root:admin /bin/example
       chmod 02750 /bin/example
       find / \( -perm -4000 \)
       chown root:admin /bin/example
       chmod 04750 /bin/su
   Some Suggestions:
   Privilege Escalation
       chmod 02750 /bin/su
       chmod 02750 /bin/sudo
   Network settings:
       chmod 02750 /bin/ping
       chmod 02750 /sbin/ifconfig
   Users On:
       chmod 02750 /usr/bin/w
       chmod 02750 /usr/bin/who
   System Configuration
       chmod 02750 /usr/bin/locate
       chmod 02750 /usr/bin/whereis
2. Kernel Modules
   Ensure that the files holding the kernel and any kernel modules are owned by
   root, have group ownership set to group id 0 and permissions that prevent them
   being written to by any non-root users.
   To list the current module directory:
       echo "Modules dir: /lib/modules/$(uname -r) for kernel version $(uname -r)"
   To list contents/permissions of that directory:
       ls -l /lib/modules/$(uname -r)
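   The following is an added example, not from the checklist, that turns the three permission
   checks above (the sensitive-file table, the world-writable sweep, and the setuid/setgid and
   kernel-module checks) into one script. It verifies a table of files against an exact
   owner/group/mode, sweeps a tree for world-writable entries and for setuid/setgid files, and
   reports anything under a modules directory that a non-root user could write. It runs on a
   constructed tree in a temporary directory, so owner and group default to the current user;
   on a real host run it as root with /etc, / and /lib/modules/$(uname -r) and owner/group root.
   The table expects 0440 for /etc/sudoers rather than the 644 listed above, because sudo
   refuses to run when sudoers is not mode 0440.

```shell
#!/bin/sh
# Added example: audit file permissions the way the checklist describes.

# Build a constructed tree with one instance of each problem.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc" "$r/tmp" "$r/bin" "$r/lib/modules/0.0.0-sample"
    for f in fstab passwd group; do printf '\n' > "$r/etc/$f"; chmod 0644 "$r/etc/$f"; done
    printf '\n' > "$r/etc/shadow";  chmod 0400 "$r/etc/shadow"
    printf '\n' > "$r/etc/sudoers"; chmod 0644 "$r/etc/sudoers"        # too open: sudo wants 0440
    chmod 1777 "$r/tmp"                                                 # world-writable dir, as /tmp is
    printf '\n' > "$r/etc/leaky.conf"; chmod 0666 "$r/etc/leaky.conf"  # world-writable file
    printf '\n' > "$r/bin/tool_suid"; chmod 4755 "$r/bin/tool_suid"    # setuid
    printf '\n' > "$r/bin/tool_sgid"; chmod 2755 "$r/bin/tool_sgid"    # setgid
    printf '\n' > "$r/lib/modules/0.0.0-sample/good.ko";  chmod 0644 "$r/lib/modules/0.0.0-sample/good.ko"
    printf '\n' > "$r/lib/modules/0.0.0-sample/loose.ko"; chmod 0664 "$r/lib/modules/0.0.0-sample/loose.ko"  # group-writable
    printf '%s\n' "$r"
}

# check_file PATH MODE OWNER GROUP: return 0 on an exact match, else print why and return 1.
# -perm with no sign is an exact match, so 0644 plus a setuid bit does not pass as 0644.
check_file() {
    if [ -n "$(find "$1" -prune -perm "$2" -user "$3" -group "$4" 2>/dev/null)" ]; then
        return 0
    fi
    printf '%s: expected mode %s owner %s:%s, got: %s\n' "$1" "$2" "$3" "$4" "$(ls -ld "$1" 2>&1)"
    return 1
}

# check_table ETC OWNER GROUP: run check_file over the checklist's table of files.
check_table() {
    status=0
    for spec in fstab:0644 passwd:0644 group:0644 shadow:0400 sudoers:0440; do
        check_file "$1/${spec%%:*}" "${spec#*:}" "$2" "$3" || status=1
    done
    return $status
}

world_writable()   { find "$1" ! -type l -perm -0002; }                        # anyone can write
setuid_setgid()    { find "$1" -type f \( -perm -4000 -o -perm -2000 \); }      # privileged binaries
nonroot_writable() { find "$1" -type f \( -perm -0020 -o -perm -0002 \); }      # group- or world-writable
count_lines()      { wc -l | tr -d ' '; }

sample=$(make_sample_root)
me=$(id -un); mygrp=$(id -gn)
if check_table "$sample/etc" "$me" "$mygrp"; then echo "sensitive files OK"; fi
echo "world-writable:";   world_writable "$sample"
echo "setuid/setgid:";    setuid_setgid "$sample"
echo "writable modules:"; nonroot_writable "$sample/lib/modules"
rm -rf "$sample"
```

   Expect /tmp-style sticky directories to show up in the world-writable sweep; the point is to
   explain every hit, not to get an empty list. Ownership of the modules directory (root, group id
   0) is covered by adding "! -user root -o ! -group 0" to the find call when running as root.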
