#Reference:http://www.cisecurity.org/bench_linux.html
#Note: This tutorial is based on Fedora Core 4 and should also be valid for newer versions
of Fedora. The reader is advised to read the CIS Benchmark PDF after completing
all activities mentioned in this document.
# Hostname Setup
Reference:http://www.cpqlinux.com/hostname.html
# Please ensure that the correct hostname is set up in the following files. The
hostname should ideally match the PTR record of the system's IP address.
/etc/hosts
/etc/sysconfig/network
# Use echo to set the hostname in the file below, e.g.
echo yourhostname > /proc/sys/kernel/hostname
/proc/sys/kernel/hostname
# Virtual IP Setup
cd /etc/sysconfig/network-scripts
ls ifcfg-*
#In most instances, you will see the files ifcfg-eth0 and ifcfg-lo. If you see
other files with different names and are unfamiliar with configuring TCP/IP, you
may want to consult your system administrator before proceeding.
cp -a ifcfg-eth0 ifcfg-eth0:0
cp -a ifcfg-eth0 ifcfg-eth0:1
# Ensure the following lines are configured as
vi ifcfg-eth0:0
DEVICE=eth0:0
IPADDR=<your_new_ip_address>
VLAN=yes
vi ifcfg-eth0:1
DEVICE=eth0:1
IPADDR=<your_new_ip_address>
VLAN=yes
#Disable IPV6
cp -a /etc/modprobe.conf /etc/modprobe_backup.conf
echo "alias net-pf-10 off" >> /etc/modprobe.conf
echo "alias ipv6 off" >> /etc/modprobe.conf
/etc/init.d/ip6tables stop
/sbin/chkconfig --level 35 ip6tables off
# Edit /etc/hosts and add a line for your new addresses and name such as:
127.0.0.1 localhost.localdomain localhost
x.x.x.x newhost1.yourdomain.com
x.x.x.x newhost2.yourdomain.com
# Disabling SELinux (note: this removes the mandatory access control layer entirely; if your applications allow it, consider permissive mode, which logs denials without enforcing them, instead)
vi /etc/sysconfig/selinux
#check for the line SELINUX
SELINUX=disabled
Ref:http://www.linuxsa.org.au/tips/time.html
date monthdayhourminyear
# Configure automatic updates using yum. Fedora Core 6 or above will have yum-updatesd
instead of yum
/sbin/chkconfig yum on
/sbin/service yum start
# If you wish to disable automatic updating of some packages, e.g. firefox and cacti, do
the following
cp -a /etc/yum.conf /etc/yum.conf.orig
vi /etc/yum.conf
# Add the following line
exclude=firefox cacti
#########
# Configure the entries as shown below
# automatically install updates
do_update = yes
# automatically download updates
do_download = yes
# automatically download deps of updates
do_download_deps = yes
#########
/sbin/chkconfig yum-updatesd on
/sbin/service yum-updatesd start
crontab -e
00 0 * * * yum -y update
# Configuring updatedb
cp -a /etc/updatedb.conf /etc/updatedb.conf.orig
vi /etc/updatedb.conf
#Configure the following values to yes
#DAILY_UPDATE=no
DAILY_UPDATE=yes
# Unalias cp and mv
unalias mv cp
Please install and configure shorewall, psad and fail2ban by referring to their
separate howtos.
# Apache Installation
# Apache Hardening
cd /etc/httpd/conf/
cp -a httpd.conf httpd.conf.orig
vi /etc/httpd/conf/httpd.conf
#ServerTokens OS
ServerTokens Prod
#ServerSignature On
ServerSignature Off
#Ref:http://www.slac.stanford.edu/comp/unix/apache-security.html
#http://publib.boulder.ibm.com/httpserv/ihsdiag/http_trace.html
# Disabling Indexing
# Ref: http://www.ducea.com/2006/06/26/apache-tips-tricks-disable-directory-indexes/
# In Main Server Configurations
Options -Indexes
For apache version 1.3.34 (or later 1.3.x versions), or apache 2.0.55 (or later),
in section 1, add the line
TraceEnable off
AllowOverride None
# Restart Apache
/etc/rc.d/init.d/httpd start
# MySQL Installation
# Check if MySQL is already installed
# If Mysqld Daemon is not installed proceed with the MySQL installation as follows
mysql_install_db
/etc/rc.d/init.d/mysqld start
#Note: In case you have issues starting the MySQL server for the first time and you see
error messages saying that tmp files could not be created, please run the Bastille
configuration again, answer N to the question "Q: Would you like to install TMPDIR/TMP
scripts?", and reboot the system. After the reboot you can start mysqld.
/sbin/chkconfig mysqld on
#Mysql Hardening:
mysql
# Removing anonymous login:
mysql
drop database test;
cp -a /etc/my.cnf /etc/my.cnf.orig
vi /etc/my.cnf
[mysqld]
skip-networking
#Perl Installation
# Cpan configuration
# Before running cpan ensure that gcc is installed, otherwise some modules will fail to
compile.
cpan
cpan
install Bundle::CPAN
reload cpan
# Bastille Hardening
#Bastille Installation
cd /tmp
wget http://nchc.dl.sourceforge.net/sourceforge/bastille-linux/Bastille-3.2.1-0.1.noarch.rpm
# The package is fetched over plain HTTP; check its signature (rpm -K) before installing it.
# Ref: http://www.bastille-linux.org/running_bastille_on.htm#top
cpan
install Curses
/usr/sbin/bastille -c
/usr/sbin/bastille --report
# ICMP Hardening
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.tcp_max_orphans = 256
net.ipv4.conf.all.log_martians = 1
OR
/sbin/iptables -A INPUT -j REJECT -p icmp --icmp-type 13
/sbin/iptables -A OUTPUT -j REJECT -p icmp --icmp-type 14
Ref: http://www.cyberciti.biz/tips/howto-log-user-activity-using-process-accounting.html
# Rootkit Hunter
Reference:http://www.rootkit.nl/
Installation:
# Running Rkhunter
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter -c --createlogfile --quiet
The report will be generated at /var/log/rkhunter.log
#Configure rkhunter for automatic update
crontab -e
00 0 * * * /usr/local/bin/rkhunter --update -q
# SSHD Hardening
cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
vi /etc/ssh/sshd_config
PermitRootLogin no
Banner /etc/issue
# Don't read the user's ~/.rhosts and ~/.shosts files: uncomment IgnoreRhosts yes
IgnoreRhosts yes
# The following switch is not found in Fedora 4. Please check that the switch exists
before making this entry
RhostsAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
Restart sshd
/etc/rc.d/init.d/sshd restart
# Nessus Setup
# Read the Nessus How to file for installing and running Nessus
cd /root
chmod 755 do-backup.sh
./do-backup.sh
# Uninstalling xinetd
rpm -qa xinetd
rpm -e xinetd-versionnumber
# In case you still want to use some services in xinetd, please run the following
commands to stop the unnecessary ones.
cd /etc/xinetd.d
for FILE in chargen chargen-udp cups-lpd cups daytime \ daytime-udp echo echo-udp
eklogin ekrb5-telnet finger \ gssftp imap imaps ipop2 ipop3 krb5-telnet klogin
kshell \ ktalk ntalk pop3s rexec rlogin rsh rsync servers services \ sgi_fam talk
telnet tftp time time-udp vsftpd wu-ftpd do
# Disable GUI
sed -e 's/id:5:initdefault:/id:3:initdefault:/' \
< /etc/inittab-preCIS > /etc/inittab
chown root:root /etc/inittab
chmod 0600 /etc/inittab
diff /etc/inittab-preCIS /etc/inittab
vi disable_unwanted_services
########
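# disable_unwanted_services: stop each listed service now and remove it from
# every runlevel so it does not start again at boot.
# The original listing lost its line continuations, so the word lists spilled
# onto following lines and the loops no longer parsed; the backslashes below
# restore them.
# Review both lists against this host's role before running: printing (cups,
# lpd), file sharing (smb, nfs, netfs), DNS (named), snmpd, postgresql and
# squid are all switched off here. NOTE(review): messagebus (D-Bus) and
# portmap are relied on by other services on some releases; confirm they are
# really unused before disabling them.
disable_service() {
    /sbin/service "$1" stop
    /sbin/chkconfig "$1" off
}

for FILE in apmd avahi-daemon canna cups-config-daemon FreeWnn gpm hidd hpoj hplip \
            innd irda isdn kdcrotate lvs mars-nwe messagebus oki4daemon privoxy rstatd rusersd \
            rwalld rwhod wine; do
    disable_service "$FILE"
done

for FILE in nfs nfslock autofs ypbind ypserv yppasswdd portmap smb netfs lpd tux \
            snmpd named postgresql webmin kudzu squid cups ip6tables pcmcia bluetooth \
            mDNSResponder; do
    disable_service "$FILE"
done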
########
chmod o-rwx boot.log* cron* dmesg ksyms* httpd/* maillog* messages* news/* pgsql
rpmpkgs* samba/* sa/* scrollkeeper.log secure* spooler* squid/* vbox/* wtmp
chmod o-rx boot.log* cron* maillog* messages* pgsql secure* spooler* squid/* sa/*
chmod g-w boot.log* cron* dmesg httpd/* ksyms* maillog* messages* pgsql rpmpkgs*
samba/* sa/* scrollkeeper.log secure* spooler*
cd /etc
chown root:root passwd shadow group
chmod 644 passwd group
chmod 400 shadow
cd /etc/
rm -f cron.deny at.deny
echo root > cron.allow
echo root > at.allow
chown root:root cron.allow at.allow
chmod 400 cron.allow at.allow
cd /root
vi lock_system_accounts
####
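# lock_system_accounts: for every account in /etc/passwd with a UID below 500
# other than root, lock the password (-L) and set a non-interactive shell (-s
# /dev/null), so service accounts cannot be used for interactive logins.
# NOTE(review): 500 is the first regular-user UID on Fedora Core of this era;
# compare with UID_MIN in /etc/login.defs before running on another release.
# /sbin/nologin is the conventional non-interactive shell where it exists;
# /dev/null is kept here to match the original procedure.
cd /etc
for NAME in `cut -d: -f1 /etc/passwd`; do
    MyUID=`id -u "$NAME" 2>/dev/null`
    # id fails for names it cannot resolve; skip them instead of feeding an
    # empty string into the numeric comparison below.
    if [ -z "$MyUID" ]; then
        continue
    fi
    if [ "$MyUID" -lt 500 -a "$NAME" != 'root' ]; then
        /usr/sbin/usermod -L -s /dev/null "$NAME"
    fi
done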
###
./lock_system_accounts
rm -rf lock_system_accounts
cd /etc
# Rewrite the password-ageing directives in login.defs. Each pattern matches a
# directive by its first field and replaces the value in the second field;
# the bare { print } rule passes every line (changed or not) through.
# Assigning $2 makes awk rebuild the line with single-space separators, so
# any original column alignment is lost (harmless for login.defs).
# Values set: max age 90 days, min age 7 days, 28-day warning, minimum
# length 6. Six characters is weak by current standards; consider raising
# PASS_MIN_LEN.
# The input is the login.defs-preCIS backup and the output overwrites
# login.defs. The shell truncates login.defs before awk runs, so if the
# backup is missing you end up with an empty login.defs: confirm it exists
# first.
awk '($1 ~ /^PASS_MAX_DAYS/) { $2="90" }
($1 ~ /^PASS_MIN_DAYS/) { $2="7" }
($1 ~ /^PASS_WARN_AGE/) { $2="28" }
($1 ~ /^PASS_MIN_LEN/) { $2="6" }
{ print } ' login.defs-preCIS > login.defs
diff login.defs-preCIS login.defs
chown root:root login.defs
chmod 640 login.defs
diff login.defs-preCIS login.defs
useradd -D -f 7
diff /etc/default/useradd-preCIS /etc/default/useradd
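# Apply the ageing policy to accounts that already exist (UID 500 and above,
# excluding 65534, typically nfsnobody): the login.defs values only take
# effect for accounts created afterwards.
# chage flags: -m min days between changes, -M max age, -W warning days,
# -I days of inactivity after expiry before the account is locked.
for NAME in `cut -d: -f1 /etc/passwd`; do
    uid=`id -u "$NAME" 2>/dev/null`
    # skip names id cannot resolve rather than passing "" to the numeric test
    if [ -z "$uid" ]; then
        continue
    fi
    if [ "$uid" -ge 500 -a "$uid" -ne 65534 ]; then
        chage -m 7 -M 90 -W 28 -I 7 "$NAME"
    fi
done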
diff shadow-preCIS shadow
# Verify No Legacy '+' Entries Exist In passwd, shadow, And group Files
vi user_directories_permission
###############
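# user_directories_permission: remove group-write and all "other" access from
# the home directory of every account with UID >= 500 in /etc/passwd.
# NOTE(review): uid 65534 (typically nfsnobody) also matches this filter,
# unlike the chage loop earlier in this document which excludes it; confirm
# its home directory should be restricted before running.
for DIR in `awk -F: '($3 >= 500) { print $6 }' /etc/passwd`; do
    # an empty or missing home field would otherwise be chmod'ed as a bogus
    # path; an account whose home is / would lock the filesystem root to
    # every other user
    [ -d "$DIR" ] || continue
    [ "$DIR" = / ] && continue
    chmod g-w "$DIR"
    chmod o-rwx "$DIR"
done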
##############
vi user_dot_files_non_worldwritable
#############
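# user_dot_files_non_worldwritable: strip group- and world-write permission
# from every dot file directly under the home directory of each account with
# UID >= 500. Only regular files are touched: symlinks are skipped
# (presumably so a user-placed link cannot redirect root's chmod elsewhere)
# and dot directories such as .ssh are left alone.
for DIR in `awk -F: '($3 >= 500) { print $6 }' /etc/passwd`; do
    [ -d "$DIR" ] || continue
    for FILE in "$DIR"/.[A-Za-z0-9]*; do
        # -h: skip symlinks; -f: regular files only (also skips the literal
        # pattern left behind when the glob matches nothing)
        if [ ! -h "$FILE" -a -f "$FILE" ]; then
            chmod go-w "$FILE"
        fi
    done
done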
#########
# If any .netrc file is found, run the following script to remove it
vi remove_netrc
###############
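# remove_netrc: delete the .netrc file from every home directory listed in
# /etc/passwd. .netrc files store login credentials in plain text, which is
# why this step removes them; each removal is echoed so the run can be
# audited.
for DIR in `cut -f6 -d: /etc/passwd`; do
    # an empty home field would otherwise turn the path into /.netrc
    [ -n "$DIR" ] || continue
    if [ -e "$DIR/.netrc" ]; then
        echo "Removing $DIR/.netrc"
        rm -f "$DIR/.netrc"
    fi
done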
###############
vi set_default_umask
#########
# set_default_umask: make sure the system-wide shell start-up files and
# root's own start-up files set a restrictive umask (077 leaves new files
# accessible to their owner only).
# A file already containing a umask ending in 77 is accepted as is; only
# when nothing matches is "umask 077" appended. A file that does not exist
# fails the grep and is therefore created by the append.
# Each file is then compared with its -preCIS backup, which must have been
# taken beforehand.
ensure_umask() {
    egrep -q 'umask.*77' "$1" || echo "umask 077" >> "$1"
}

# system-wide profiles: also make them root-owned and read-only
cd /etc
for FILE in profile csh.login csh.cshrc bashrc; do
    ensure_umask "$FILE"
    chown root:root "$FILE"
    chmod 444 "$FILE"
    diff "${FILE}-preCIS" "$FILE"
done

# root's own start-up files: ownership is fixed but the mode is left alone
cd /root
for FILE in .bash_profile .bashrc .cshrc .tcshrc; do
    ensure_umask "$FILE"
    chown root:root "$FILE"
    diff "${FILE}-preCIS" "$FILE"
done
###########
cp -a /etc/security/limits.conf /etc/security/limits.conf.orig
vi /etc/security/limits.conf
# Add the following two lines. In future you can enable core dumps for individual
users if required.
* soft core 0
* hard core 0
####
# In case you want to create a new account and add it to the wheel group, then run
this command
/usr/sbin/useradd -G wheel <new_account>
cd /etc/pam.d/
cp -a su su_backup_18_dec_2006
vi su
## Uncommenting this line allows only the users in the wheel group to become root
by using the su command and entering the root password. All other users get the
message "Incorrect Password"
# Banners
# Note: the /etc/issue banner should have already been created by Bastille. If you haven't
run Bastille, please create an appropriate banner file /etc/issue as follows
***************************************************************************
NOTICE TO USERS
This computer system is the private property of <Your company name>, whether
individual, corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.
Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.
****************************************************************************
cp -a issue.net issue_backup_todays_date.net
cp -a issue issue.net
# Contents of /etc/motd are displayed after a user logs in, so it is not necessary
to create a banner in that file
# Verify the software that is listed here. Remove all unnecessary packages as
shown below.
# For example, if you see bluetooth and you want to identify which package it represents,
do the following
rpm -qf bluetooth
bluez-utils-2.15-7
yum remove bluez-utils-2.15-7
#Firewall Configuration
/bin/netstat -ltunp
# The above command will show you the list of processes listening on specific
ports. Please ensure that unnecessary services are disabled and uninstalled as
shown in the above point.
# Open required ports in iptables using Shorewall (Please refer the separate
Howto)
/usr/sbin/lokkit
#The following command will help you identify development tool packages (compilers,
assemblers and similar) installed on your system
rpm -qa | egrep "^gcc|java|bin86|dev86|nasm"
#Identify the packages and remove the ones you don't need
#should return only the word "root", unless additional uid 0 accounts have been
specifically authorized. Having multiple uid 0 accounts is acceptable if the
accounts are authorized, but not recommended in some situations