System Installation & Patching
1 If the machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened.
2 Use the latest version of the Operating System if possible
Refer to the vendor support documentation to confirm the lifecycle of the version. Consider both the major and minor (or service pack) release where a vendor releases both.
3 Create a separate volume with the nodev, nosuid, and noexec options set for /tmp.
Since /tmp is intended to be world writable, creating a separate partition for it can prevent resource exhaustion. Setting nodev prevents users from creating or using block or special character devices. Setting noexec prevents users from running binary executables from /tmp. Setting nosuid prevents users from creating set user id files in /tmp.
4 Create separate volumes for /var, /var/log, and /home.
Any directories where non-admin users have write access should be separate from the root volume to limit the impact of those volumes being filled.
5 Set the sticky bit on all world writable directories.
The sticky bit stops users with write access to the directory from deleting files owned by other users.
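An added audit script for items 3 to 5 (not part of the checklist): it checks a mount table in /proc/mounts format for the required mount options and lists world-writable directories that lack the sticky bit. The function names are my own, and the test feeds it a constructed mount table rather than the live one.

```shell
# mount_missing_opts MOUNTS_FILE MOUNTPOINT OPTION...
# Reads a file in /proc/mounts format (pass /proc/mounts on a live system;
# the test uses a constructed copy) and prints the required mount options
# that MOUNTPOINT lacks. Prints "not-a-mount" and fails when MOUNTPOINT has
# no entry of its own, i.e. it still sits on the root volume.
mount_missing_opts() {
    file=$1; mp=$2; shift 2
    # field 2 is the mount point, field 4 the option list; the last entry wins
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$file")
    [ -n "$opts" ] || { echo "not-a-mount"; return 1; }
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# ww_dirs_without_sticky ROOT: list world-writable directories under ROOT
# whose sticky bit is not set, one per line.
ww_dirs_without_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 | sort
}
```

On a live system call `mount_missing_opts /proc/mounts /tmp nodev nosuid noexec` (and the same for /var, /var/log and /home with the options you require) and `ww_dirs_without_sticky /`; add `-xdev` to the find if you want to stay on one filesystem.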
6 Ensure the system is configured to be able to receive software updates
For Red Hat Enterprise Linux (RHEL) or SUSE Linux Enterprise Server (SLES) this requires a subscription to be allocated to the system. For most other major distributions this is a simple configuration change.
OS Hardening
1 Restrict core dumps.
Core dumps are intended to help determine why a program aborted. They may contain sensitive or confidential data from memory. It is recommended that core dumps be disabled or restricted.
2 Remove legacy services
Services that provide or rely on unencrypted authentication should be disabled unless there are grounds for an exception. These include telnet server, rsh, rlogin, rcp, ypserv, ypbind, tftp, tftp server, talk and talk server.
3 Disable any services and applications started by xinetd or inetd that are not being utilized. Remove xinetd, if possible
The inetd or xinetd service allows programs to be run when a connection is made to a designated network port. All unneeded inetd applications should be disabled; if no applications are required then disable (x)inetd.
4 Disable or remove server services that are not going to be utilized (e.g., FTP, DNS, LDAP, SMB, DHCP, NFS, SNMP, etc.)
5 Ensure the syslog (rsyslog, syslog, syslog-ng) service is running.
The syslog service manages the logs in /var/log/. Most modern syslog implementations also support remote log forwarding.
6 Enable a Network Time Protocol (NTP) service to ensure clock accuracy
Accurate timekeeping facilitates analysis of system logs when needed.
7 Restrict the use of the cron and at services.
These can be used to run commands on the system and should only be allowed to accounts which need this access.
User Access & Passwords
1 Create an account for each user who should access the system
Avoiding shared accounts/passwords makes it easier to keep an audit trail and remove access when no longer needed.
2 Enforce the use of strong passwords
Password security rules can be set in /etc/pam.d/password-auth
3 Use sudo to delegate admin access
The sudo command allows for fine grained control of rights to run commands as root (or other user ids). The /etc/sudoers configuration file should be edited with the visudo command.
Network Security & Remote Access
1 Limit connections to services running on the host to authorized users of the service via firewalls and other access control technologies.
The iptables firewall is a kernel component common to all Linux systems, but the tools used to manage firewall rules differ significantly between vendors, so check with the version specific configuration guide.
2 Disable:
IP forwarding.
send packet redirects.
source routed packet acceptance.
ICMP redirect acceptance.
Enable:
Ignore Broadcast Requests.
Bad Error Message Protection.
TCP/SYN cookies.
These kernel tuning parameters should be set in /etc/sysctl.conf
3 In the SSH server configuration ensure that:
Protocol version is set to 2
LogLevel is set to INFO
PermitEmptyPasswords is set to No
These settings are the default on most platforms; setting them to other values impacts the security of the SSH server.
4 Disable root login over SSH.
Root SSH with password should never be allowed; users should authenticate with their own account and use su or sudo if needed. Valid values for PermitRootLogin are no, without-password and forced-commands-only, depending on whether key based access is required.
5 Deploy an Intrusion Prevention System (IPS) such as fail2ban
fail2ban uses the iptables firewall to block remote systems generating many authentication failures as a way to combat brute force password attempts.
Apache Webserver (HTTPD)
1 Always run apache with a dedicated non-admin account
The system user account the apache server runs in should have minimal permission on the system to limit the potential for this to be exploited. This is the default in all major Linux distributions.
2 Disable any modules not required
Apache is modular in design; each module provides different functionality and almost all are optional for basic use cases. In particular look to disable webdav, status, info, userdir and autoindex unless these are known to be required.
3 Disable HTTP Trace:
TraceEnable Off
4 Configure SSL in line with best practice
Mozilla provide resources for this: https://wiki.mozilla.org/Security/Server_Side_TLS
5 Configure Apache not to advertise the software/OS versions
Set ServerTokens Prod and ServerSignature Off to limit the system configuration information easily available.
6 Deny access to files by default, only allow access to designated directories.
Only directories containing apache content should be readable by remote clients.
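An added audit script (not part of the checklist) that statically reads the three configuration files and checks the settings named in Network Security items 2 to 4 and Apache items 3 and 5. The sysctl key names are the standard Linux names for the parameters the checklist lists, the function names are my own, and file paths are passed as arguments so the checks can run against copies or the constructed test files.

```shell
# cfg_values FILE KEY: print every value given for KEY in a file written as
# "key value" (sshd_config, httpd.conf) or "key = value" (sysctl.conf).
# Comments are stripped, keys compare case-insensitively, and every
# occurrence is printed because sshd honours the first match and sysctl the last.
cfg_values() {
    awk -v key="$2" '
        { line = $0; sub(/#.*/, "", line); sub(/^[ \t]+/, "", line)
          gsub(/=/, " ", line); n = split(line, f, /[ \t]+/)
          if (n >= 2 && tolower(f[1]) == tolower(key)) print f[2] }' "$1"
}

# check FILE KEY ALLOWED...: succeeds only if KEY is set and every occurrence
# is one of the ALLOWED values (case-insensitive); prints what is wrong.
check() {
    file=$1; key=$2; shift 2; bad=0
    vals=$(cfg_values "$file" "$key")
    [ -n "$vals" ] || { echo "missing: $key"; return 1; }
    for v in $vals; do
        ok=0
        for a in "$@"; do
            [ "$(printf %s "$v" | tr A-Z a-z)" = "$(printf %s "$a" | tr A-Z a-z)" ] && ok=1
        done
        [ "$ok" -eq 1 ] || { echo "bad: $key = $v"; bad=1; }
    done
    return $bad
}

# audit FILE KEY=ALLOWED[,ALLOWED]...: run check for each spec, fail if any fails.
audit() {
    f=$1; shift; rc=0
    for spec in "$@"; do
        check "$f" "${spec%%=*}" $(printf %s "${spec#*=}" | tr , ' ') || rc=1
    done
    return $rc
}

# Network Security item 2: kernel parameters expected in /etc/sysctl.conf.
audit_sysctl() { audit "$1" net.ipv4.ip_forward=0 net.ipv4.conf.all.send_redirects=0 \
    net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.all.accept_redirects=0 \
    net.ipv4.icmp_echo_ignore_broadcasts=1 net.ipv4.icmp_ignore_bogus_error_responses=1 \
    net.ipv4.tcp_syncookies=1; }
# Network Security items 3 and 4: sshd_config directives.
audit_sshd() { audit "$1" Protocol=2 LogLevel=INFO PermitEmptyPasswords=no \
    PermitRootLogin=no,without-password,forced-commands-only; }
# Apache items 3 and 5: httpd.conf directives.
audit_httpd() { audit "$1" TraceEnable=Off ServerTokens=Prod ServerSignature=Off; }
```

Run it as `audit_sysctl /etc/sysctl.conf; audit_sshd /etc/ssh/sshd_config; audit_httpd /etc/httpd/conf/httpd.conf` (paths vary by distribution); a non-zero exit from any call means a listed setting is missing or wrong, and the offending key is printed.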