Red Hat Certificate of Expertise in Server Hardening Notes (EX413) page 1 of 39
Testing Environment
● Virtualization HyperVisor
● Host Environment
● Guest Environment
● Post basic installation tasks
Objective 1 Identify Red Hat Common Vulnerabilities and Exposures (CVEs) and Red Hat Security Advisories (RHSAs) and selectively update systems based on this information
Objective 2 Verify package security and validity
Objective 3 Identify and employ standards-based practices for configuring file system security, create and use encrypted file systems, tune file system features, and use specific mount options to restrict access to file system volumes.
Objective 4 Configure default permissions for users and use special file permissions, attributes, and access control lists (ACLs) to control access to files
Objective 5 Install and use intrusion detection capabilities in Red Hat Enterprise Linux to monitor critical system files
Objective 6 Manage user account security and user password security
Objective 7 Manage system login security using pluggable authentication modules (PAM)
Objective 8 Configure console security by disabling features that allow systems to be rebooted or powered off using bootloader passwords
Objective 9 Configure system-wide acceptable use notifications
Objective 10 Install, configure, and manage identity management services and configure identity management clients
Objective 11 Configure remote system logging services, configure system logging, and manage system log files using mechanisms such as log rotation and compression
● Log Rotation
● journal is a component of systemd for logging
Official Red Hat documentation on RHEL 7 can be found at: https://access.redhat.com/documentation/en/redhatenterpriselinux/
● journalctl is used for viewing the journal log
● journal only logs in memory or a small ring file in /run/log/journal; to create persistent storage, create the directory /var/log/journal
Objective 12 Configure system auditing services and review audit reports
Objective 13 Use network scanning tools to identify open network service ports and configure and troubleshoot system firewalling
References
Testing Environment
● Virtualization HyperVisor
○ Virtual Box (Version 5.0.14 r105127 as of this writing)
● Host Environment (I'm double dipping and working at home and at work)
○ Xubuntu 14.04 LTS
○ CentOS 7.2
● Guest Environment (These might seem a little odd, but I am using this image for DISA STIG testing too)
○ CentOS 6.7 (As of 8 March 2016 the EX413 is done under v6 for some strange reason)
○ 2 vCPU
○ 1.5GB RAM
○ 18GB Hard drive (Something of an unusual or non-standard layout. This is from the DISA STIG)
■ / ~10 GiB
■ /boot 250 MiB
■ /home 1 GiB
■ /tmp 500 MiB
■ /var 5 GiB
■ /var/log 500 MiB
■ /var/log/audit 275 MiB
■ swap 500 MiB
○ 2 Network Ports
■ Port 1) Vbox NAT
■ Port 2) Host-only Adapter
○ Server with GUI installation
■ + DNS Name Server
■ + Email Server
■ + FTP Server
■ + File and Storage Server
■ + Hardware Monitoring Utilities
■ + Java Platform
■ + Network File System Client
■ + Performance Tools
■ + Compatibility Libraries
■ + Security Tools
● Post basic installation tasks
○ Limit the number of kernels to keep to 2 for space reasons: change installonly_limit=2 in /etc/yum.conf
○ Enable CentOS Plus Repo
○ Install/Enable EPEL repo
○ Install/Enable EL Repo
○ Install/Enable VAULT Repos. This is because I started on purpose with an older version. Check http://vault.centos.org to match the version. In this case it was 7.1.1503. To update to the latest versions within the release, run
# yum --disablerepo="*" --enablerepo="C7*" update
○ Install DKMS. Run the update again to pick up the latest versions within the release:
# yum --disablerepo="*" --enablerepo="C7*" update
○ Install Virtual Box guest additions
MAKE A SNAPSHOT BEFORE YOU START MESSING AROUND WITH THINGS!!
SINCE I ORIGINALLY STARTED THIS DOCUMENT UNDER THE INCORRECT ASSUMPTION THAT THIS TEST WOULD BE UNDER RHEL7 I WILL KEEP THE INFORMATION INTACT AND DENOTE THE DIFFERENCES
Objective 1 Identify Red Hat Common Vulnerabilities and Exposures (CVEs) and Red Hat Security Advisories (RHSAs) and selectively update systems based on this information
● Using yum to check if there are any packages that need security updates.
# yum check-update --security
Loaded plugins: langpacks, product-id, subscription-manager
rhel-7-workstation-rpms/x86_64 | 3.4 kB 00:00:00
No packages needed for security; 0 packages available
● To update only security packages with yum
# yum update --security
● To list all available erratas without installing them, run:
# yum updateinfo list available
● To list all available security updates without installing them, run:
# yum updateinfo list security all
or
# yum updateinfo list sec
● To get a list of the currently installed security updates this command can be used:
# yum updateinfo list security installed
● To list all available security updates with verbose descriptions of the issues they apply to:
# yum info-sec
● Run the following command to download and apply all available security updates from Red Hat Network hosted or Red Hat Network Satellite:
# yum -y update --security
NOTE: It will install the last version available of any package with at least one security errata, thus it can install non-security erratas if they provide a more updated version of the package.
● To only install the packages that have a security errata use
# yum update-minimal --security -y
● yum-security also allows installing security updates based on the CVE reference of the issue.
○ To install a security update using a CVE reference run:
# yum update --cve
For example:
# yum update --cve CVE-2008-0947
○ Viewing available advisories by severities:
# yum updateinfo list
This system is receiving updates from RHN Classic or RHN Satellite.
RHSA-2014:0159 Important/Sec. kernel-headers-2.6.32-431.5.1.el6.x86_64
RHSA-2014:0164 Moderate/Sec. mysql-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec. mysql-devel-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec. mysql-libs-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec. mysql-server-5.1.73-3.el6_5.x86_64
RHBA-2014:0158 bugfix nss-sysinit-3.15.3-6.el6_5.x86_64
RHBA-2014:0158 bugfix nss-tools-3.15.3-6.el6_5.x86_64
○ If you want to apply only one specific advisory:
# yum update --advisory=RHSA-2014:0159
○ However, if you would like more information about this advisory before applying it:
# yum updateinfo RHSA-2014:0159
○ For more commands consult the manual pages of yum-security with
# man yum-security
Objective 2 Verify package security and validity
● The Yum package manager allows for an automatic verification of all packages it installs or upgrades. gpgcheck is enabled by default, localpkg_gpgcheck is NOT. To configure this option on your system, make sure the gpgcheck and localpkg_gpgcheck configuration directives are set to 1 in the /etc/yum.conf configuration file.
# grep gpgcheck /etc/yum.conf
gpgcheck=1
localpkg_gpgcheck=1
**NOTE** These can be overridden per repository in the /etc/yum.repos.d/*.repo files!!!
● Use the following command to manually verify package files on your filesystem:
# rpmkeys --checksig package_file.rpm
● Check package scripts and triggers
# rpm -qp --scripts /home/userx/Downloads/my-awesome-application-1.2.rpm
● Check GPG key signatures
# rpm -K /home/userx/Downloads/my-awesome-application-1.1.rpm
# rpm -vvK /home/userx/Downloads/my-awesome-application-1.1.rpm
● To verify Red Hat packages, you must import the Red Hat GPG key.
# rpm --import /usr/share/rhn/RPM-GPG-KEY
● To display a list of all keys installed for RPM verification
# rpm -qa gpg-pubkey*
For the Red Hat key, the output includes:
gpg-pubkey-db42a60e-37ea5438
● To display details about a specific key
# rpm -qi gpg-pubkey-db42a60e-37ea5438
● Verify RPMs
○ rpm -qf can be used to determine what package a file belongs to
# rpm -qf /etc/passwd
setup-2.5.58-7.el5
○ rpm -V will verify the settings
# rpm -V setup-2.5.58-7.el5
.M...... c /etc/passwd
S.5....T c /etc/printcap
○ Verify Code Matrix
S  File size differs.
M  File mode differs (includes permissions and file type).
5  The MD5 checksum differs.
D  The major and minor version numbers differ on a device file.
L  A mismatch occurs in a link.
U  The file ownership differs.
G  The file group owner differs.
T  The file time (mtime) differs.
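An added example, not from the original notes, that decodes rpm -V lines with the matrix above and picks out the case worth escalating: a digest change on something that is not a config file. It also accepts the 9-column form with the extra P (capabilities) column that newer rpm prints, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: decode 'rpm -V' output with the
# verify code matrix above. The sample lines below are constructed. Besides the
# 8-column form shown in the notes, it accepts the 9-column form printed by
# newer rpm, whose extra P column flags changed file capabilities.

# Usage: rpmv_decode < rpm-V-output
# Prints one line per reported file: PATH [type]: reason,reason
rpmv_decode() {
    awk '
    BEGIN {
        name["S"] = "size";   name["M"] = "mode";  name["5"] = "digest"
        name["D"] = "device"; name["L"] = "link";  name["U"] = "user"
        name["G"] = "group";  name["T"] = "mtime"; name["P"] = "caps"
    }
    $1 == "missing" { print $NF ": missing"; next }
    NF >= 2 && $1 ~ /^[SM5DLUGTP.?]+$/ {
        out = ""
        for (i = 1; i <= length($1); i++) {
            c = substr($1, i, 1)
            if (c == ".") continue                 # attribute matched the database
            if (c == "?") { out = out (out == "" ? "" : ",") "untested"; continue }
            out = out (out == "" ? "" : ",") name[c]
        }
        type = (NF == 3) ? (" [" $2 "]") : ""      # c = config, d = doc, g = ghost ...
        print $NF type ": " out
    }'
}

# Usage: rpmv_suspicious < rpm-V-output
# Lists files whose digest changed but that are NOT marked as config files:
# a changed checksum on a binary or library, unlike an edited config file,
# is rarely legitimate and deserves an incident-response look.
rpmv_suspicious() {
    awk '$1 ~ /^[SM5DLUGTP.?]+$/ && $1 ~ /5/ && (NF == 2 || $2 != "c") { print $NF }'
}

# Constructed sample: the two lines from the notes plus a modified binary
# and a missing file.
rpmv_sample() {
    printf '%s\n' \
        '.M...... c /etc/passwd' \
        'S.5....T c /etc/printcap' \
        'S.5....T   /usr/bin/ls' \
        'missing   /usr/share/doc/setup/README'
}

rpmv_sample | rpmv_decode
echo "--- suspicious (digest changed, not a config file):"
rpmv_sample | rpmv_suspicious
```

Pipe real output in with `rpm -Va | rpmv_suspicious` to get the short list first.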
● Other yum tricks and tips
○ List packages and what repos they are part of:
# yum --showduplicates list httpd | expand
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.atlanticmetro.net
 * centosplus: mirror.atlanticmetro.net
 * elrepo: mirror.symnds.com
 * epel: mirror.cogentco.com
 * extras: mirror.rackspace.com
 * updates: mirror.symnds.com
Installed Packages
httpd.x86_64 2.4.6-40.el7.centos @base
Available Packages
httpd.x86_64 2.4.6-40.el7.centos base
○ To automatically remove unneeded dependencies when a package is removed, set clean_requirements_on_remove to 1 in /etc/yum.conf
# grep -i clean_requirements_on_remove /etc/yum.conf
clean_requirements_on_remove=1
○ Limit the number of installonly packages. Usually for limiting the number of kernels installed. Default is 3
# grep installonly_limit /etc/yum.conf
installonly_limit=2
Objective 3 Identify and employ standards-based practices for configuring file system security, create and use encrypted file systems, tune file system features, and use specific mount options to restrict access to file system volumes.
● Multiple partitions
○ /tmp temporary storage for users.
■ should have 1777 permissions (world read/write/execute w/ Sticky Bit)
■ nodev, nosuid, & noexec mount options should be set in /etc/fstab
# grep tmp /etc/fstab
/dev/mapper/centos-tmp /tmp xfs nodev,nosuid,noexec 1 2
○ /var temporary dynamic storage for system services
○ /var/tmp
■ should be bound to /tmp. The bind mount is unbreakable, inherits its security from /tmp, and should prevent /var from filling up and causing issues
# grep /tmp /etc/fstab | grep var
/tmp /var/tmp none bind 0 0
○ /var/log system storage for log data
○ /var/log/audit system storage for audit log data
# grep /audit /etc/fstab
/dev/mapper/centos-var_log_audit /var/log/audit xfs defaults 0 0
○ /home storage for users
■ nodev mount option should also be set
# grep /home /etc/fstab
/dev/mapper/centos-home /home xfs nodev 0 0
○ any removable media mount points should have noexec, nodev, nosuid options set
# grep /etc/fstab
○ /dev/shm is a temporary filesystem stored in memory
■ noexec, nodev, nosuid options should be set
# grep shm /etc/fstab
tmpfs /dev/shm tmpfs size=6g,nodev,nosuid,noexec 0 0
● Useful /etc/fstab options
○ nosuid prevents files from being setuid or setgid
○ noexec prevents programs from being executed from the partition
○ nodev prevents the partition from having special devices like block or character devices
○ rw read/write (default, implied)
○ ro read only
To remount partitions on running systems
# mount -o remount,
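An added example (not from the original notes) that checks an fstab against the mount-option checklist above and reports each mountpoint whose entry lacks a required option. The fstab it writes is constructed; the /var/tmp check only looks for the bind option, and the list of mountpoints and options is the one from the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: audit an fstab against the
# mount-option checklist above. The fstab below is constructed for this
# example; point fstab_audit at /etc/fstab to check a real system.

# Usage: fstab_has_opts FSTAB MOUNTPOINT OPT[,OPT...]
# Returns 0 when every listed option is present on MOUNTPOINT's entry;
# otherwise reports the gap on stderr and returns 1.
fstab_has_opts() {
    fstab=$1 mp=$2 want=$3
    # 4th column of the first non-comment line whose mountpoint matches
    opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$fstab")
    if [ -z "$opts" ]; then
        echo "$mp: no fstab entry" >&2
        return 1
    fi
    missing=""
    for o in $(printf '%s' "$want" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;                 # option present
            *) missing="$missing $o" ;;  # option absent
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp ($opts): missing$missing" >&2
        return 1
    fi
    return 0
}

# Usage: fstab_audit FSTAB
# Runs the checklist from the notes and prints the number of failing entries.
fstab_audit() {
    fstab=$1 fails=0
    while read -r mp want; do
        fstab_has_opts "$fstab" "$mp" "$want" || fails=$((fails + 1))
    done <<EOF
/tmp nodev,nosuid,noexec
/var/tmp bind
/home nodev
/dev/shm nodev,nosuid,noexec
EOF
    echo "$fails"
}

# Constructed sample fstab: /home lacks nodev and /dev/shm lacks noexec.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample for this example
/dev/mapper/centos-root /         xfs   defaults             1 1
/dev/mapper/centos-tmp  /tmp      xfs   nodev,nosuid,noexec  1 2
/tmp                    /var/tmp  none  bind                 0 0
/dev/mapper/centos-home /home     xfs   defaults             0 0
tmpfs                   /dev/shm  tmpfs size=6g,nodev,nosuid 0 0
EOF
}

# Stand-alone run: audit the sample and report the count.
tmp=$(mktemp)
write_sample_fstab "$tmp"
echo "failing entries: $(fstab_audit "$tmp")"
rm -f "$tmp"
```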
● Disable filesystem types that aren't needed
○ cramfs Filesystem type is a compressed read-only Linux filesystem.
○ freevxfs Filesystem for Veritas.
○ jffs2 Log-structured filesystem used in flash devices
○ hfs Mac OS filesystem
○ hfsplus Newer Mac OS filesystem
○ squashfs Similar to cramfs, a compressed Linux filesystem.
○ udf ISO/IEC 13346 and ECMA-167 spec filesystem. **NOTE** NEEDED TO SUPPORT WRITING DVDs and newer optical disc formats
There are a few ways to disable these filesystems. CIS suggests adding a config file to /etc/modprobe.d and listing the modules there; I used bad_fs.conf
○ Dry run of what would happen if the module was called
# /sbin/modprobe -n -v udf
insmod /lib/modules/3.10.0-229.20.1.el7.x86_64/kernel/lib/crc-itu-t.ko
insmod /lib/modules/3.10.0-229.20.1.el7.x86_64/kernel/fs/udf/udf.ko
○ Check to see if the module is inserted
# lsmod | grep udf
○ Override the load action for the module in /etc/modprobe.d/bad_fs.conf so that a load request runs /bin/false instead of inserting it
install udf /bin/false
● Standards-based file system security
○ Sticky bit should be set for all public directories: When a directory's sticky bit is set, the filesystem treats the files in such directories in a special way so only the file's owner, the directory's owner, or the root user can rename or delete the file. Without the sticky bit set, any user with write and execute permissions for the directory can rename or delete contained files, regardless of the file's owner. Typically this is set on the /tmp directory to prevent ordinary users from deleting or moving other users' files.
To find directories that are world writeable without the sticky bit set:
# find / -type d -perm -002 ! -perm -1000 -exec ls -ld {} \;
To set with chmod
# chmod 1777
[or]
# chmod o+t
Determining if the sticky bit is set: if the directory is not world executable (this directory is 1766), ls shows an uppercase T
# ls -ld sticky-dir/
drwxrw-rwT. 2 root root 6 Feb 3 09:53 sticky-dir/
if the directory is world executable (this directory is 1777), ls shows a lowercase t
# ls -ld sticky-dir/
drwxrwxrwt. 2 root root 6 Feb 3 09:53 sticky-dir/
○ SetUID files: (set User ID upon execution) are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner. SetUID permission on a directory is ignored.
To find setuid files and directories:
# find / -perm -4000 -exec ls -alL {} \;
○ SetGID files (set Group ID upon execution) attribute will allow for changing the group-based privileges within a process. Setting the setgid permission on a directory causes new files and subdirectories created within it to inherit its group ID, rather than the primary group ID of the user who created the file (the owner ID is never affected, only the group ID). Newly created subdirectories inherit the setgid bit.
To find setgid files and directories:
# find / -perm -2000 -exec ls -alL {} \;
○ Link Control To prevent malicious users from exploiting potential vulnerabilities caused by unprotected hard and symbolic links, Red Hat Enterprise Linux 7 includes a feature that only allows links to be created or followed provided certain conditions are met.
■ hard links, one of the following needs to be true:
● The user owns the file to which they link.
● The user already has read and write access to the file to which they link.
■ symbolic links, processes are only permitted to follow links when outside of world-writeable directories with sticky bits, or one of the following needs to be true:
● The process following the symbolic link is the owner of the symbolic link.
● The owner of the directory is the same as the owner of the symbolic link.
■ This protection is turned on by default. It is controlled by the following options in the /usr/lib/sysctl.d/50-default.conf file
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
To override the default settings and disable the protection, create a new configuration file called, for example, 51-no-protect-links.conf in the /etc/sysctl.d/ directory with the following content:
fs.protected_hardlinks = 0
fs.protected_symlinks = 0
○ Public Directories should have user and group ownership by root, a privileged system account, or an application account. The same command as above searches for world writeable directories and displays the permissions. The ownership is somewhat subjective based on the system, dir, etc
To find directories that are world writeable without the sticky bit set:
# find /root -type d -perm -002 ! -perm -1000 -exec ls -ld {} \;
drwxrwxrw- 2 root root 6 Feb 3 09:53 /root/sticky-dir
○ Check and document all world writable files
# find / -type f -perm 0777 -a -exec ls -ld {} \;
○ All files and directories should have valid owners, groups
# find / -xdev \( -nouser -o -nogroup \) -ls
51812050 0 drwxr-xr-x 2 622 root 57 Feb 3 11:28 /root/bad-directory
51807907 4 -rw-r--r-- 1 622 root 3072 Feb 3 11:27 /root/bad-directory/bad_file_1
51193533 12 -rw-r--r-- 1 root 622 12288 Feb 3 11:28 /root/bad-directory/bad_file_2
51193534 8 -rw-r--r-- 1 622 622 5120 Feb 3 11:28 /root/bad-directory/bad_file_3
○ Use AIDE to provide cryptographic hashes
○ User home directories should have modes 0750 or less permissive
○ User home directories should be owned by the user
● Encrypted File Systems
○ shredding a partition will fill the partition with random data to ensure no unencrypted data exists
# shred -v --iterations=1 /dev/luks_vg/luks_lv
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...72MiB/2.0GiB 3%
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...138MiB/2.0GiB 6%
<..snip..>
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...1.9GiB/2.0GiB 95%
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...2.0GiB/2.0GiB 100%
#
○ Initialize the partition
# cryptsetup --verbose --verify-passphrase luksFormat /dev/luks_vg/luks_lv
WARNING!
========
This will overwrite data on /dev/luks_vg/luks_lv irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Command successful.
#
○ Open the encrypted device and assign its device name
# cryptsetup luksOpen /dev/luks_vg/luks_lv luks_home
Enter passphrase for /dev/luks_vg/luks_lv:
○ Check that it actually worked
# ls -al /dev/mapper/
lrwxrwxrwx. 1 root root 7 Feb 8 13:55 luks_home -> ../dm-8
lrwxrwxrwx. 1 root root 7 Feb 8 13:55 luks_vg-luks_lv -> ../dm-7
○ Normal commands to add a partition: mkfs, mount, df, add to /etc/fstab
# mkfs.xfs /dev/mapper/luks_home
# mount /dev/mapper/luks_home /luks_home
○ Add the partition to /etc/crypttab (this is what causes it to ask for the passphrase at boot). The second field is the underlying LUKS device, i.e. the luks_vg-luks_lv mapping shown above:
luks_home /dev/mapper/luks_vg-luks_lv none
○ Add/Change Passphrase on Existing Device
# cryptsetup luksAddKey /dev/luks_vg/luks_lv
○ Remove a Passphrase from an Existing Device
# cryptsetup luksRemoveKey /dev/luks_vg/luks_lv
○ Verify or check for encrypted partitions:
# lsblk -l
sda1 8:1 0 250M 0 part /boot
luks_home 253:8 0 2G 0 crypt /luks_home
centos-home 253:7 0 1.5G 0 lvm /home
# blkid /dev/mapper/luks_home
/dev/mapper/luks_home: UUID="48de524a-ba17-40b1-ac14-8a9f34421a50" TYPE="xfs"
# blkid /dev/mapper/luks_vg-luks_lv
/dev/mapper/luks_vg-luks_lv: UUID="ce54eeab-ea52-4273-acef-26a400901a98" TYPE="crypto_LUKS"
**NOTE** primarily a manual process..
○ Check partitions to determine if they are encrypted
# more /etc/crypttab
Objective 4 Configure default permissions for users and use special file permissions, attributes, and access control lists (ACLs) to control access to files
● File system extended Access Control Lists (ACL)
○ If a default ACL is associated with a directory, the mode parameter to the functions creating file objects and the default ACL of the directory are used to determine the ACL of the new object:
1. The new object inherits the default ACL of the containing directory as its access ACL.
2. The access ACL entries corresponding to the file permission bits are modified so that they contain no permissions that are not contained in the permissions specified by the mode parameter.
○ If no default ACL is associated with a directory, the mode parameter to the functions creating file objects and the file creation mask (umask(2)) are used to determine the ACL of the new object:
1. The new object is assigned an access ACL containing entries of tag types ACL_USER_OBJ, ACL_GROUP_OBJ, and ACL_OTHER. The permissions of these entries are set to the permissions specified by the file creation mask.
2. The access ACL entries corresponding to the file permission bits are modified so that they contain no permissions that are not contained in the permissions specified by the mode parameter.
■ ACL Text Forms
● user A user ACL entry specifies the access granted to either the file owner (entry tag type ACL_USER_OBJ) or a specified user (entry tag type ACL_USER).
● group A group ACL entry specifies the access granted to either the file group (entry tag type ACL_GROUP_OBJ) or a specified group (entry tag type ACL_GROUP).
● mask A mask ACL entry specifies the maximum access which can be granted by any ACL entry except the user entry for the file owner and the other entry (entry tag type ACL_MASK).
● other An other ACL entry specifies the access granted to any process that does not match any user or group ACL entries (entry tag type ACL_OTHER).
■ to set: setfacl
Granting an additional user read access
setfacl -m u:lisa:r file
Revoking write access from all groups and all named users (using the effective rights mask)
setfacl -m m::rx file
Removing a named group entry from a file's ACL
setfacl -x g:staff file
Copying the ACL of one file to another
getfacl file1 | setfacl --set-file=- file2
Copying the access ACL into the Default ACL
getfacl --access dir | setfacl -d -M- dir
(from the setfacl man page)
■ to read: getfacl -aL
The output format of getfacl is as follows:
# file: somedir/
# owner: lisa
# group: staff
# flags: -s-
user::rwx
user:joe:rwx #effective:r-x
group::rwx #effective:r-x
group:cool:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:joe:rwx #effective:r-x
default:group::r-x
default:mask::r-x
default:other::---
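An added example, not from the original notes, that works the two-step inheritance rule above: given a directory's default ACL it computes the access ACL a new file receives and marks the entries the mask cuts down, the way getfacl does with #effective. The default ACL fed in is the one from the listing above; the 0664 create mode is an assumption.

```shell
#!/bin/sh
# Added example, not from the original notes: derive a new file's access ACL
# from its parent directory's default ACL and the requested create mode,
# following the two steps described in the notes (acl(5)). The sample default
# ACL is the one from the getfacl listing; the 0664 mode is assumed.

# Usage: acl_from_default OCTAL_MODE < default-acl-entries
acl_from_default() {
    m=$(printf '%s' "$1" | sed 's/^0*//')     # 0664 -> 664
    awk -v mode="$m" '
    function p2b(p,  b) { b = 0; if (p ~ /r/) b += 4; if (p ~ /w/) b += 2; if (p ~ /x/) b += 1; return b }
    function b2p(b) { return (b >= 4 ? "r" : "-") (b % 4 >= 2 ? "w" : "-") (b % 2 ? "x" : "-") }
    # bitwise AND of two 3-bit permission values (portable awk has no and())
    function band(a, b,  r, bit) {
        r = 0
        for (bit = 4; bit >= 1; bit /= 2) {
            if (a >= bit && b >= bit) r += bit
            if (a >= bit) a -= bit
            if (b >= bit) b -= bit
        }
        return r
    }
    BEGIN {
        n = length(mode)                       # owner/group/other digits of the mode
        mu = substr(mode, n - 2, 1) + 0; mg = substr(mode, n - 1, 1) + 0; mo = substr(mode, n, 1) + 0
    }
    /^#/ || NF == 0 { next }
    {
        sub(/^default:/, "")                   # step 1: default entries become access entries
        split($0, f, ":")
        k++; tag[k] = f[1]; qual[k] = f[2]; bits[k] = p2b(f[3])
        if (f[1] == "mask") hasmask = 1
    }
    END {
        # step 2: entries that map to the mode bits may not exceed the mode
        for (i = 1; i <= k; i++) {
            if (tag[i] == "user"  && qual[i] == "") bits[i] = band(bits[i], mu)
            if (tag[i] == "other" && qual[i] == "") bits[i] = band(bits[i], mo)
            if (tag[i] == "mask")                    bits[i] = band(bits[i], mg)
            if (tag[i] == "group" && qual[i] == "" && !hasmask) bits[i] = band(bits[i], mg)
            if (tag[i] == "mask") mask = bits[i]
        }
        for (i = 1; i <= k; i++) {
            line = tag[i] ":" qual[i] ":" b2p(bits[i])
            # named users, named groups and the owning group are subject to the mask
            if (hasmask && (qual[i] != "" || tag[i] == "group")) {
                eff = band(bits[i], mask)
                if (eff != bits[i]) line = line "\t#effective:" b2p(eff)
            }
            print line
        }
    }'
}

# Default ACL from the getfacl listing in the notes, with a 0664 create mode.
acl_demo() {
    printf '%s\n' \
        'default:user::rwx' \
        'default:user:joe:rwx' \
        'default:group::r-x' \
        'default:mask::r-x' \
        'default:other::---' | acl_from_default 0664
}

acl_demo
```

Compare the result with what `touch` in such a directory followed by `getfacl` shows; the mask entry is the one the mode's group bits shrink, which is why joe's rwx ends up effective r--.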
○ Set/Verify default permissions for all authenticated users so they can only read and modify their own files
# grep -i umask /etc/login.defs
UMASK 077
○ UMASK is usually in a few other places, like /etc/csh.cshrc, /etc/bashrc
# find /etc/ -type f -exec grep -i umask {} \; -print
○ And check users' own dotfiles
# find /home/ -type f -exec grep -i umask {} \; -print
Objective 5 Install and use intrusion detection capabilities in Red Hat Enterprise Linux to monitor critical system files
● Advanced Intrusion Detection Environment (AIDE)
○ check to see if it's installed
# rpm -q aide
package aide is not installed
# yum install aide
Installing:
aide x86_64 0.15.1-9.el7 base 129 k
○ Initialize AIDE
# /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
○ Check file integrity against AIDE database
# /usr/sbin/aide --check
○ Putting it in a cron job might be smart
0 5 * * * /usr/sbin/aide --check
○ Additional files to be checked can be added to /etc/aide.conf
● TCP Wrappers
○ check to see if they are installed
# rpm -q tcp_wrappers
tcp_wrappers-7.6-77.el7.x86_64
○ /etc/hosts.allow varies by network configuration, setup, purpose, etc
This limits connections to sshd just to my local subnet
sshd: 192.168.56.0/255.255.255.0
This allows connections to anything from my local subnet
all: 192.168.56.0/255.255.255.0
○ /etc/hosts.deny deny everything everywhere that's not explicitly listed in the allow file
# cat /etc/hosts.deny
ALL:ALL
Objective 6 Manage user account security and user password security
● Password quality is defined in /etc/security/pwquality.conf
● Shadow password suite configuration in /etc/login.defs **NOTE** Most of this has been moved to PAM
● shadow file fields
○ login name
○ encrypted password
○ date of last pw change
○ minimum passwd age
○ max passwd age
○ passwd warning period
○ passwd inactivity period
○ expiration date
○ reserved
● to check /etc/shadow for the password minimum change period (4th field)
# awk -F: '$4 >= 1 {print $1}' /etc/shadow
**NOTE** DoD STIG says 1 day minimum
● chage for modifying account password aging
● chage --list will check password definitions
● /etc/default/useradd sets defaults for new account creation
○ INACTIVE should be set to something other than -1 (which is never)
○ updating user inactivity
● audit users for password inactivity, passwords, etc
# cut -d: -f1 /etc/passwd | xargs -n1 passwd -S
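An added example (not part of the original notes) that audits the aging fields of a shadow file against the 1-day minimum mentioned above. The 60-day maximum is an assumed default, both thresholds are overridable, and the shadow file it writes is constructed with placeholder hashes; run shadow_audit against /etc/shadow as root for real data.

```shell
#!/bin/sh
# Added example, not from the original notes: audit the aging fields of a
# shadow file. Thresholds are assumptions: minimum age 1 day (the STIG value
# the notes mention) and a 60-day maximum, both overridable. The sample shadow
# file is constructed; run shadow_audit /etc/shadow (as root) for real data.

# Usage: shadow_audit SHADOW_FILE [MIN_DAYS] [MAX_DAYS]
# Prints "user: finding" lines for accounts that fail a check.
shadow_audit() {
    file=$1 min=${2:-1} max=${3:-60}
    today=$(( $(date +%s) / 86400 ))          # days since the epoch, like field 3
    awk -F: -v min="$min" -v max="$max" -v today="$today" '
    NF < 9 || $1 == "" { next }               # not a well-formed shadow line
    {
        user = $1; pw = $2; last = $3; minage = $4; maxage = $5
        if (pw == "") { print user ": empty password field (login without password)"; next }
        if (pw ~ /^[!*]/) next                # locked or no-login account: aging irrelevant
        if (minage == "" || minage + 0 < min)
            print user ": minimum age " (minage == "" ? 0 : minage) " < " min
        if (maxage == "" || maxage + 0 > max) {
            tail = (maxage + 0 >= 99999) ? " (never expires)" : ""
            print user ": maximum age " (maxage == "" ? "unset" : maxage) " > " max tail
        } else if (last != "" && last + maxage < today)
            print user ": password expired " (today - last - maxage) " days ago"
    }' "$file"
}

# Constructed sample (the hashes are placeholders, not real password hashes).
write_sample_shadow() {
    h='$6$placeholder$hash'
    recent=$(( $(date +%s) / 86400 - 10 ))    # changed 10 days ago
    cat > "$1" <<EOF
root:$h:16800:0:99999:7:::
alice:$h:16800:1:60:7:::
bob:$h:19000:0:99999:7:::
carol::19000:1:60:7:::
dave:!!:19000:1:60:7:::
eve:$h:$recent:1:60:7:30::
EOF
}

tmp=$(mktemp)
write_sample_shadow "$tmp"
shadow_audit "$tmp"
rm -f "$tmp"
```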
Objective 7 Manage system login security using pluggable authentication modules (PAM)
● PAM Crash Course
○ each application should have its own PAM stack file
○ modules are run in the order they are listed, and the order is important
○ stack syntax is: context (or type) control-flag module module-options
○ context types
■ auth determines who the user is and if that user has a valid account (authentication)
■ account determines if the user is allowed access (authorization)
■ session sets the session up
■ password any rules for changing the password if the application is allowed to
○ control flags
■ sufficient if a sufficient module passes, that's enough. None of the other modules in that context are processed. Failing it does not fail the context though. **NOTE** None of the remaining required modules will be processed in a context if a sufficient module passes
■ required all required controls in a context must pass. They are all tried even if one fails, to obscure the exact failure for security reasons.
■ requisite basically the same as required except processing stops as soon as a failure happens (think of it as fail-fast required)
■ optional a success or failure really has no effect. Generally only used with session contexts.
○ modules are run in the order they are listed, and the order is important
■ i.e. if a sufficient module passes after a required failed, access will still be denied.
○ if an application can't find its stack file, it falls back to /etc/pam.d/other
● Forcing strong passwords
○ set in /etc/pam.d/passwd file via the pam_pwquality module
○ /etc/security/pwquality.conf sets custom rules.
○ to enable, add to /etc/pam.d/passwd file
password required pam_pwquality.so retry=3
● Remembering passwords, add the remember parameter in /etc/pam.d/system-auth
password sufficient pam_unix.so remember=5
● Account Locking
○ pam_faillock module
○ /var/run/faillock contains logs of failures per user
○ to enable, add lines 2 and 5 to /etc/pam.d/system-auth and /etc/pam.d/password-auth
1 auth required pam_env.so
2 auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
3 auth sufficient pam_fprintd.so
4 auth sufficient pam_unix.so nullok try_first_pass
5 auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
6 auth requisite pam_succeed_if.so uid >= 1000 quiet_success
7 auth required pam_deny.so
**NOTE** these will lock out a non-root user after 3 tries for 10 minutes
add before the first account entry on both files
account required pam_faillock.so
** to include the root user, add the even_deny_root option to the auth entries
2 auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600 even_deny_root
5 auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 even_deny_root
** to exclude users from the rule
auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2:user3
○ checking number of failed login attempts
# faillock
user1:
When Type Source Valid
2013-03-05 11:44:14 TTY pts/0
○ resetting a user's account
# faillock --user --reset
● Limiting root (or other user) access with pam **NOTE** ONLY WORKS ON PAM AWARE SERVICES (Which most are now)
○ /lib/security/pam_listfile.so is the module
○ add the module as a required auth to the service file in /etc/pam.d
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ \ onerr=succeed
● Limiting root via /etc/securetty
○ remove all entries except console
○ enable login managers to read /etc/securetty: add the following line
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
to /etc/pam.d/{gdm,gdm-autologin,gdm-fingerprint,gdm-password,gdm-smartcard,kdm,kdm-np,xdm}
● Limit/Disable root from ssh
○ uncomment/add to /etc/ssh/sshd_config
PermitRootLogin no
● Keeping custom settings with authconfig
○ check to see if the auth files are links (default setup)
# ls -l /etc/pam.d/{password,system}-auth
lrwxrwxrwx. 1 root root 16 Feb 1 11:13 /etc/pam.d/password-auth -> password-auth-ac
lrwxrwxrwx. 1 root root 14 Feb 1 11:13 /etc/pam.d/system-auth -> system-auth-ac
○ if the auth files aren't links, move them
# mv system-auth system-auth-ac
# mv password-auth password-auth-ac
○ create a custom local file, /etc/pam.d/system-auth-local, containing
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        include       system-auth-ac
auth        [default=die] pam_faillock.so authfail silent audit deny=3 unlock_time=600
account     required      pam_faillock.so
account     include       system-auth-ac
password    include       system-auth-ac
session     include       system-auth-ac
○ create a custom local file, /etc/pam.d/password-auth-local, containing
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        include       password-auth-ac
auth        [default=die] pam_faillock.so authfail silent audit deny=3 unlock_time=600
account     required      pam_faillock.so
account     include       password-auth-ac
password    include       password-auth-ac
session     include       password-auth-ac
○ create new links
# ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth
# ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth
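The local-file layout above only protects against authconfig overwrites if the links really point at the -local files, and pam_faillock only counts failures if preauth sits before the include of the -ac file and authfail after it. The following check script is an added example (not part of the notes) that verifies both; PAMDIR is a parameter so it can be exercised against a scratch directory, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the notes: check that a pam.d directory uses the
# system-auth-local / password-auth-local layout described above, including
# the ordering that makes pam_faillock work (preauth before the include of
# the authconfig-managed -ac file, authfail after it).  PAMDIR is a parameter
# so the check can run against a scratch directory; on a real host use
# /etc/pam.d.  Assumes GNU grep.

# pam_layout_ok PAMDIR NAME -> 0 if PAMDIR/NAME is a symlink to NAME-local and
# NAME-local wires pam_faillock correctly around "include NAME-ac"
pam_layout_ok() {
  dir=$1; name=$2
  svc="$dir/$name"
  local_f="$dir/$name-local"
  # 1. the service file must be a symlink pointing at the -local file
  [ -L "$svc" ] || { echo "$name: not a symlink (authconfig will overwrite it)"; return 1; }
  case "$(readlink "$svc")" in
    "$name-local"|*/"$name-local") ;;
    *) echo "$name: symlink does not point at $name-local"; return 1 ;;
  esac
  [ -f "$local_f" ] || { echo "$name-local: missing"; return 1; }
  # 2. preauth must come before the include and authfail after it, so the
  #    failure counter is checked first and incremented on a failed unix auth
  pre=$(grep -n '^auth.*pam_faillock\.so.*preauth' "$local_f" | head -n1 | cut -d: -f1)
  inc=$(grep -n "^auth[[:space:]]*include[[:space:]]*$name-ac" "$local_f" | head -n1 | cut -d: -f1)
  fail=$(grep -n '^auth.*pam_faillock\.so.*authfail' "$local_f" | head -n1 | cut -d: -f1)
  if [ -z "$pre" ] || [ -z "$inc" ] || [ -z "$fail" ]; then
    echo "$name-local: preauth, include $name-ac or authfail line is missing"; return 1
  fi
  if [ "$pre" -ge "$inc" ] || [ "$inc" -ge "$fail" ]; then
    echo "$name-local: faillock lines out of order (need preauth, include, authfail)"; return 1
  fi
  # 3. the account phase must also call pam_faillock, or locked accounts get in
  grep -q '^account[[:space:]]*required[[:space:]]*pam_faillock\.so' "$local_f" \
    || { echo "$name-local: no 'account required pam_faillock.so' line"; return 1; }
  return 0
}

# Usage on a real host:
#   pam_layout_ok /etc/pam.d system-auth && pam_layout_ok /etc/pam.d password-auth
```

Run it after every authconfig invocation as well as after editing the -local files; a non-zero exit with the printed reason is the quickest way to notice that authconfig has silently replaced the link.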
Objective 8 Configure console security by disabling features that allow systems to be rebooted or powered off using bootloader passwords
● Bootloader passwords
○ Is it enabled already?
■ BIOS machines
# grep -i password /boot/grub2/grub.cfg
■ UEFI machines
# grep -i password /boot/efi/EFI/redhat/grub.cfg
○ Adding users
■ Create the /etc/grub.d/01_users file and add the following
cat <
The better way, using encrypted passwords
# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.DCC9681CBF8FEDA5F4C9AA82BA09507CB6703A3773EC63805A25D1C796C868B8D5ACD82843F7CB30059399633A2AB34070A231503B0180C9EF4D248FE12B5CD6.3D1A8BB7B08E645458E8564B647353D32D2A8A7E05676F61C375F6F0727A1514B4A87A14E94CCBD291DBFD48E301F73553168845AF9817D98AC9A455EC122F41
then add to /etc/grub.d/01_users
cat <
D1C796C868B8D5ACD82843F7CB30059399633A2AB34070A231503B0180C9EF4D248FE12B5CD6.3D1A8BB7B08E645458E8564B647353D32D2A8A7E05676F61C375F6F0727A1514B4A87A14E94CCBD291DBFD48E301F73553168845AF9817D98AC9A455EC122F41
EOF
ALTERNATIVELY you can just add the data to the END of the /etc/grub.d/40_custom file without any of the cat stuff:
set superusers="toor"
password_pbkdf2 toor grub.pbkdf2.sha512.10000.DCC9681CBF8FEDA5F4C9AA82BA09507CB6703A3773EC63805A25D1C796C868B8D5ACD82843F7CB30059399633A2AB34070A231503B0180C9EF4D248FE12B5CD6.3D1A8BB7B08E645458E8564B647353D32D2A8A7E05676F61C375F6F0727A1514B4A87A14E94CCBD291DBFD48E301F73553168845AF9817D98AC9A455EC122F41
○ Rebuild grub
■ On BIOS systems
# grub2-mkconfig -o /boot/grub2/grub.cfg
■ On UEFI-based systems
# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
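The 01_users fragment is a script that grub2-mkconfig executes; whatever it prints ends up in grub.cfg. The following is an added example (not the notes' own file) that writes such a fragment from a grub2-mkpasswd-pbkdf2 hash and re-runs the "is it enabled already?" check strictly, so a plaintext password line does not pass. The output path is a parameter, the function names are my own, and the hash in the usage comment is a placeholder to be replaced with real grub2-mkpasswd-pbkdf2 output.

```shell
#!/bin/sh
# Added example, not from the notes: build the /etc/grub.d/01_users fragment
# described above from a grub2-mkpasswd-pbkdf2 hash, and check a generated
# grub.cfg for the result.  OUT is a parameter so the script can target a
# scratch file; on a real host it is /etc/grub.d/01_users followed by
# grub2-mkconfig.  The hash in the usage line is a PLACEHOLDER.

# write_grub_users OUT USER HASH -> writes an executable grub.d fragment that
# prints the superuser and password_pbkdf2 lines when grub2-mkconfig runs it
write_grub_users() {
  out=$1; user=$2; hash=$3
  case "$hash" in
    grub.pbkdf2.sha512.*) ;;
    *) echo "refusing to write $out: not a grub2-mkpasswd-pbkdf2 hash" >&2; return 1 ;;
  esac
  case "$user" in
    *[!A-Za-z0-9_-]*|'') echo "refusing to write $out: bad user name" >&2; return 1 ;;
  esac
  {
    echo '#!/bin/sh -e'
    echo 'cat << EOF'
    echo "set superusers=\"$user\""
    echo "password_pbkdf2 $user $hash"
    echo 'EOF'
  } > "$out"
  chmod 0755 "$out"        # grub2-mkconfig only runs executable fragments
}

# grub_password_set CFG -> 0 if CFG (a generated grub.cfg) contains a
# password_pbkdf2 entry: the "Is it enabled already?" check above, made
# strict so that a plaintext "password" line does not count
grub_password_set() {
  grep -q '^password_pbkdf2[[:space:]]' "$1"
}

# Usage on a real host (PLACEHOLDER hash; paste the real grub2-mkpasswd-pbkdf2 output):
#   write_grub_users /etc/grub.d/01_users toor grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
#   grub2-mkconfig -o /boot/grub2/grub.cfg
#   grub_password_set /boot/grub2/grub.cfg && echo "bootloader password in place"
```

Later RHEL 7 releases ship their own /etc/grub.d/01_users (driven by grub2-setpassword and /boot/grub2/user.cfg), so check whether the file already exists before writing it; if it does, use grub2-setpassword or a differently named fragment rather than overwriting the packaged script.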
● Disable grub interactive mode
# grep -i prompt /etc/sysconfig/init
PROMPT=no
● Disable entering Single User Mode without the root password
# echo "SINGLE=/sbin/sulogin" >> /etc/sysconfig/init
● Disable the Ctrl-Alt-Del combination on the console for rebooting
# systemctl mask ctrl-alt-del.target
# systemctl daemon-reload
or
# ln -s /dev/null /etc/systemd/system/ctrl-alt-del.target
This only takes effect when no one is logged in; when a user is logged in, the key combination still works. The power button will obviously still work.
● To disable the power buttons on the GDM login screen, edit or create /etc/dconf/db/gdm.d/00-login-screen and add
[org/gnome/login-screen]
disable-restart-buttons=true
then rebuild the dconf database
# dconf update
**NOTE** While you are there, you might as well add disable-user-list=true so the login screen won't list the users
Objective 9 Configure system-wide acceptable use notifications
● Text login banners
○ /etc/motd
■ the Message Of The Day; displayed after a successful login, before the prompt
○ /etc/issue and /etc/issue.net
■ shown to connections before the login prompt; /etc/issue is shown if /etc/issue.net is missing
○ None of them should contain the following system information, or anything other than an acceptable use notification:
■ \m machine architecture (uname -m)
■ \r operating system release (uname -r)
■ \s operating system name
■ \v operating system version (uname -v)
○ All 3 should be owned root:root with mode 0644
○ It's acceptable to link all 3 together:
# ls -la | grep issue.net
lrwxrwxrwx. 1 root root  9 Feb  5 11:03 issue -> issue.net
-rw-r--r--. 1 root root 67 Feb  5 11:02 issue.net
lrwxrwxrwx. 1 root root  9 Feb  5 11:03 motd -> issue.net
● Configure sshd to display the acceptable use notification
○ add Banner /etc/issue.net to /etc/ssh/sshd_config and restart sshd
# grep ^Banner /etc/ssh/sshd_config
Banner /etc/issue.net
# systemctl restart sshd.service
**NOTE** the default sshd_config file has a commented-out Banner entry
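The banner requirements above (no \m, \r, \s or \v escapes, root:root, mode 0644) and the sshd Banner directive are easy to check by script. The following is an added example (not from the notes); paths are parameters so it can run against scratch copies, the function names are my own, and it assumes GNU coreutils (stat -c) and GNU grep.

```shell
#!/bin/sh
# Added example, not from the notes: checks for the banner files and the sshd
# Banner directive described above.  File paths are parameters so the checks
# can run against scratch copies; on a real host pass /etc/issue,
# /etc/issue.net, /etc/motd and /etc/ssh/sshd_config.  Assumes GNU coreutils
# (stat -c) and GNU grep.

# banner_leaks_sysinfo FILE -> 0 if FILE contains one of the agetty escapes
# \m \r \s \v, which would print architecture, kernel release, OS name or
# version to anyone who reaches the login prompt
banner_leaks_sysinfo() {
  grep -q '\\[mrsv]' "$1"
}

# banner_mode_ok FILE -> 0 if no group or other write bit is set (0644 or
# tighter).  -L follows the issue -> issue.net style links from the notes,
# otherwise stat would report the link's own 0777 mode.
banner_mode_ok() {
  mode=$(stat -L -c '%a' "$1") || return 1
  case "$mode" in
    *[2367]?|*[2367]) return 1 ;;    # group write or other write is set
  esac
  return 0
}

# banner_owner_ok FILE -> 0 if FILE is owned by root:root
banner_owner_ok() {
  [ "$(stat -L -c '%U:%G' "$1")" = root:root ]
}

# sshd_banner_ok SSHD_CONFIG BANNER_FILE -> 0 if an active (uncommented)
# Banner directive names BANNER_FILE; the shipped sshd_config has "#Banner none"
sshd_banner_ok() {
  grep -Eq "^[[:space:]]*Banner[[:space:]]+$2[[:space:]]*$" "$1"
}

# check_banners FILE... -> 0 only if every file passes all three checks
check_banners() {
  rc=0
  for f in "$@"; do
    banner_leaks_sysinfo "$f" && { printf '%s\n' "$f: contains a \\m, \\r, \\s or \\v escape"; rc=1; }
    banner_mode_ok "$f" || { printf '%s\n' "$f: writable by group or other"; rc=1; }
    banner_owner_ok "$f" || { printf '%s\n' "$f: not owned by root:root"; rc=1; }
  done
  return $rc
}

# Usage on a real host:
#   check_banners /etc/issue /etc/issue.net /etc/motd
#   sshd_banner_ok /etc/ssh/sshd_config /etc/issue.net || echo "sshd Banner not set"
```

The escape check is deliberately a plain grep for a backslash followed by m, r, s or v; agetty expands these at display time, so the file content, not the rendered banner, is what has to be clean.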
● Configure a banner for the GUI login
○ edit/create a file in /etc/dconf/db/gdm.d (such as the 00-login-screen file used above) and add the following
[org/gnome/login-screen]
banner-message-enable=true
banner-message-text='Authorized use only! All unauthorized users will be beaten'
○ rebuild the dconf db and restart gdm
# dconf update
# systemctl restart gdm.service
● If for some bizarre reason you are running vsftpd
○ Add ftpd_banner= to /etc/vsftpd/vsftpd.conf
○ OR instead add banner_file= to /etc/vsftpd/vsftpd.conf
Objective 10 Install, configure, and manage identity management services and configure identity management clients
Objective 11 Configure remote system logging services, configure system logging, and manage system log files using mechanisms such as log rotation and compression
● Syslog crash course
○ syntax: FACILITY.PRIORITY
○ facilities: kern (0), user (1), mail (2), daemon (3), auth (4), syslog (5), lpr (6), news (7), uucp (8), cron (9), authpriv (10), ftp (11), and local0 through local7 (16 - 23)
○ priorities: debug (7), info (6), notice (5), warning (4), err (3), crit (2), alert (1), and emerg (0)
○ Special cases for both Facility and Priority
■ * is all
■ none is none
■ comma is used to stack
○ Special cases for Priority
■ when a Priority is selected, all messages of that Priority and greater are logged
■ = before Priority means only that priority is logged
■ ! before Priority means that priority is ignored
● Make sure rsyslog is enabled and running
# systemctl is-enabled rsyslog
enabled
[if not]
# systemctl enable rsyslog
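The selector rules above are where most rsyslog mistakes happen (a later "mail.none" silently removing messages an earlier "*.info" selected, or "=" and "!" being confused). The following is an added example (not from the notes) that evaluates a selector against a single message using the mask semantics of syslog.conf(5), which also defines the "!=" form and states that a bare "!" drops the named priority and anything more severe. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the notes: evaluate a syslog/rsyslog selector
# ("FACILITY.PRIORITY", stacked with ';' and ',') against one message the way
# syslogd builds its per-facility priority masks, so a rule can be tried on
# paper before it goes into /etc/rsyslog.conf.  Semantics follow syslog.conf(5):
# a bare priority selects it and everything more severe, "=p" exactly p,
# "!p" drops p and everything more severe, "!=p" drops exactly p, "none"
# clears the facility, "*" selects everything.  Parts apply left to right.

# prio_num NAME -> prints the numeric priority (0 = emerg ... 7 = debug);
# returns 1 for an unknown name
prio_num() {
  case "$1" in
    emerg|panic) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err|error) echo 3 ;;
    warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
    *) return 1 ;;
  esac
}

# selector_matches FACILITY PRIORITY SELECTOR -> 0 if a message logged as
# FACILITY.PRIORITY is selected by SELECTOR, 1 if it is not, 2 on a malformed
# selector or unknown priority name
selector_matches() {
  msg_fac=$1
  msg_pri=$(prio_num "$2") || return 2
  selected=1                    # shell status: 1 = not (yet) selected
  rest=$3
  while [ -n "$rest" ]; do      # one ';'-separated part per iteration
    part=${rest%%;*}
    if [ "$part" = "$rest" ]; then rest=''; else rest=${rest#*;}; fi
    facs=${part%%.*}
    spec=${part#*.}
    # does the ','-stacked facility list name this message's facility (or "*")?
    hit=1
    while [ -n "$facs" ]; do
      f=${facs%%,*}
      if [ "$f" = '*' ] || [ "$f" = "$msg_fac" ]; then hit=0; fi
      if [ "$f" = "$facs" ]; then facs=''; else facs=${facs#*,}; fi
    done
    [ "$hit" -eq 0 ] || continue
    case "$spec" in
      none)  selected=1 ;;                                  # drop this facility entirely
      '*')   selected=0 ;;                                  # every priority
      '!='*) p=$(prio_num "${spec#!=}") || return 2
             if [ "$msg_pri" -eq "$p" ]; then selected=1; fi ;;
      '!'*)  p=$(prio_num "${spec#!}") || return 2
             if [ "$msg_pri" -le "$p" ]; then selected=1; fi ;;   # p and more severe
      '='*)  p=$(prio_num "${spec#=}") || return 2
             if [ "$msg_pri" -eq "$p" ]; then selected=0; fi ;;
      *)     p=$(prio_num "$spec") || return 2
             if [ "$msg_pri" -le "$p" ]; then selected=0; fi ;;   # p and more severe
    esac
  done
  return $selected
}

# Usage: does the stock "*.info;mail.none;authpriv.none;cron.none" rule log a
# mail.err message?  No: mail.none removes the whole facility.
#   selector_matches mail err '*.info;mail.none;authpriv.none;cron.none' && echo logged || echo dropped
```

Note that "more severe" means numerically lower, so "kern.warning" selects warning (4) down to emerg (0), and "kern.!warning" removes exactly that range while leaving notice, info and debug in place.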
● Log files must exist before rsyslog can write to them.
● Log files should have permissions of 0600 or less and be owned root:root to prevent non-privileged users from seeing PII or other sensitive information. Check /etc/rsyslog.conf for the configured system log files.
● To send logs off site to a loghost, add to /etc/rsyslog.conf
*.* @@loghost.mysite.com
**NOTE** the double @ means use TCP rather than UDP to send logs
● TLS encryption for remote logging, add to /etc/rsyslog.conf
# certificate files - just CA for a client
$DefaultNetstreamDriverCAFile /path/to/contrib/gnutls/ca.pem
# set up the action
# use gtls netstream driver
$DefaultNetstreamDriver gtls
# require TLS for the connection
$ActionSendStreamDriverMode 1
# server is NOT authenticated
$ActionSendStreamDriverAuthMode anon
# send (all) messages
*.* @@(o)server.example.net:6514
● To receive remote syslog messages
$ModLoad imtcp.so
$InputTCPServerRun 6514
● To receive and sort incoming syslog messages
○ for UDP
# Define templates before the rules that use them
### Per-Host Templates for Remote Systems ###
$template TmplAuthpriv, "/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
$template TmplMsg, "/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
○ for TCP
# Provides TCP syslog reception
$ModLoad imtcp
# Adding this ruleset to process remote messages
$RuleSet remote1
authpriv.*   ?TmplAuthpriv
*.info;mail.none;authpriv.none;cron.none   ?TmplMsg
$RuleSet RSYSLOG_DefaultRuleset   #End the rule set by switching back to the default rule set
$InputTCPServerBindRuleset remote1   #Define a new input and bind it to the "remote1" rule set
$InputTCPServerRun 6514
● Special Notes/Troubleshooting
○ The default protocol and port for syslog traffic is UDP and 514, as listed in the /etc/services file. However, rsyslog defaults to using TCP on port 514. In the configuration file, /etc/rsyslog.conf, TCP is indicated by @@.
○ SELinux is only configured to allow sending and receiving on the following ports by default
# semanage port -l | grep syslog
syslogd_port_t                 tcp      6514, 601
syslogd_port_t                 udp      514, 6514, 601
○ Check that rsyslog is running and enabled. Restart after all changes
# systemctl start rsyslog
# systemctl enable rsyslog
○ As always, check the firewall
● Log Rotation
○ /etc/logrotate.conf is the global file
○ /etc/logrotate.d/ holds log-specific rotation files (which override the global file)
○ general configuration options
■ time frame: daily, weekly, monthly, yearly
■ compress/nocompress
■ compresscmd/uncompresscmd
■ compressext
■ delaycompress
■ rotate <#>: number of rotations before the log is deleted or mailed
■ mail: emails the rotated log
● journal is a component of systemd for logging
● journalctl is used for viewing the journal log
● journal only logs in memory or a small ring file in /run/log/journal; to create persistent storage create the directory /var/log/journal
● config file is /etc/systemd/journald.conf
Objective 12 Configure system auditing services and review audit reports
● package is audit
● configuration file /etc/audit/auditd.conf
● rules file /etc/audit/audit.rules
● Audit system status
# auditctl -s
enabled 1
flag 1
pid 667
rate_limit 0
backlog_limit 320
lost 0
backlog 0
loginuid_immutable 0 unlocked
● list currently loaded rules
# auditctl -l
LIST_RULES: exit,always watch=/etc/localtime perm=wa key=time-change
LIST_RULES: exit,always watch=/etc/group perm=wa key=identity
LIST_RULES: exit,always watch=/etc/passwd perm=wa key=identity
LIST_RULES: exit,always watch=/etc/gshadow perm=wa key=identity
...
● delete all rules
# auditctl -D
No rules
● define a file system rule
# auditctl -w path-to-file -p permissions -k key-name
○ permissions
■ r read access to a file or directory
■ w write access to a file or directory
■ x execute access to a file or directory
■ a change in a file or directory's attributes
○ key-name
■ optional; helps identify which rule or rule set generated the log entry
● define a system call rule
# auditctl -a action,filter -S system_call -F field=value -k key_name
○ action,filter determines when the event is logged
■ action
● always or never
■ filter
● task
● exit
● user
● exclude
○ system_call is the system call that triggers the rule; -S can be given multiple times
■ /usr/include/asm/unistd_64.h lists the calls
○ field=value
■ optional; filters the rule based on architecture, GID, PID, etc.
○ key_name
■ optional; helps identify which rule or rule set generated the log entry
● predefined rule sets are in /usr/share/doc/audit-version/
● to search audit logs
# ausearch --start yesterday --end now -m SYSCALL -sv no -i
this searches for all failed system calls from yesterday to the present
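A malformed line in audit.rules is rejected by auditctl when the rules are loaded, which on a hardened host can happen at boot with nobody watching. The following is an added example (not from the notes) that lints a rules file against the two rule forms above before loading, and counts rules that carry no -k key (allowed, but then ausearch -k cannot find their events). It accepts both the action,filter order in the notes and the filter,action order shown by auditctl -l. The file path is a parameter and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the notes: a pre-flight syntax check for audit
# rules in the two forms described above (-w watch rules and -a syscall
# rules) before they are loaded with auditctl or at auditd start.  Nothing is
# loaded into the kernel.  The rules file in the usage line is a parameter;
# on a real host it is /etc/audit/audit.rules or a file under /etc/audit/rules.d/.

# audit_rule_ok LINE -> 0 if LINE is blank, a comment, a control option, or a
# well-formed watch or syscall rule; 1 (with a reason on stdout) otherwise
audit_rule_ok() {
  set -f                       # split on whitespace without globbing
  set -- $1
  set +f
  [ $# -gt 0 ] || return 0     # blank line
  case "$1" in
    '#'*|-D|-b|-f|-e|-r|-i|-c) return 0 ;;   # comment or auditctl control option
  esac
  kind=''; perms=''; action=''
  while [ $# -gt 0 ]; do       # every flag in these two forms takes one argument
    flag=$1
    [ $# -ge 2 ] || { echo "$flag: missing argument"; return 1; }
    val=$2
    shift 2
    case "$flag" in
      -w) kind=watch
          case "$val" in /*) ;; *) echo "-w path must be absolute: $val"; return 1 ;; esac ;;
      -p) perms=$val ;;
      -a) kind=syscall; action=$val ;;
      -S) ;;                   # may repeat; any syscall name or number
      -F) case "$val" in *=*|*\<*|*\>*) ;; *) echo "-F expects field=value: $val"; return 1 ;; esac ;;
      -k) ;;
      *)  echo "unknown flag: $flag"; return 1 ;;
    esac
  done
  case "$kind" in
    watch)
      case "$perms" in
        '') echo "-w rule without -p"; return 1 ;;
        *[!rwxa]*) echo "-p may only use r, w, x, a: $perms"; return 1 ;;
      esac ;;
    syscall)
      a=${action%%,*}; b=${action#*,}
      case "$a" in task|exit|user|exclude) t=$a; a=$b; b=$t ;; esac   # filter,action order is accepted too
      case "$a" in always|never) ;; *) echo "-a action must be always or never: $action"; return 1 ;; esac
      case "$b" in task|exit|user|exclude) ;; *) echo "-a filter must be task, exit, user or exclude: $action"; return 1 ;; esac ;;
    *) echo "neither -w nor -a given"; return 1 ;;
  esac
  return 0
}

# audit_rules_lint FILE -> 0 if every line of FILE passes audit_rule_ok
audit_rules_lint() {
  bad=0; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    audit_rule_ok "$line" || { echo "$1:$n: $line"; bad=$((bad + 1)); }
  done < "$1"
  [ "$bad" -eq 0 ]
}

# audit_rules_without_key FILE -> prints how many -w/-a rules carry no key
# (keys are optional, but without them "ausearch -k" cannot find the events)
audit_rules_without_key() {
  count=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      -w*|-a*) case " $line " in *" -k "*|*" -F key="*) ;; *) count=$((count + 1)) ;; esac ;;
    esac
  done < "$1"
  echo "$count"
}

# Usage on a real host:
#   audit_rules_lint /etc/audit/audit.rules && echo "rules parse"
#   echo "$(audit_rules_without_key /etc/audit/audit.rules) rules have no key"
```

The check is intentionally narrower than auditctl itself (it does not validate syscall names or field names), so a clean result means the rule shapes are right, not that auditctl will accept every value.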
● to create an audit report
# aureport --login --summary -i
this generates a summary report of all failed login attempts per system user
Objective 13 Use network scanning tools to identify open network service ports and configure and troubleshoot system firewalling
● list processes with open ports: netstat -natp
● scan TCP ports on a host: nmap -sT <host>
● firewalld
○ /etc/firewalld
○ /usr/lib/firewalld/
○ firewall-config (gui)
○ firewall-cmd
■ --permanent : does not take effect until reload, but is persistent
■ --direct : immediate implementation, but not persistent
■ --add-interface : only for interfaces not managed by NetworkManager
■ --reload : non-disruptive reload
■ --complete-reload : drops all connections and reloads
○ /etc/firewalld/firewalld.conf
■ set default zones
■ Lockdown=yes to prevent services, or non-whitelisted services, from adding/removing rules
○ Network Zones
■ drop
■ block
■ public
■ external
■ dmz
■ work
■ home
■ internal
■ trusted
References
● Red Hat Security Guide RHEL 6
● Red Hat Identity Management Guide RHEL 6
● Red Hat Deployment Guide RHEL 6
● Red Hat Virtualization Getting Started Guide RHEL 6
● DISA RHEL 6 STIG Ver 1 Rel 10
● DISA RHEL 7 STIG DRAFT