- security scanning
  - external `nmap` scan to find open ports
  - internal Nessus vulnerability scan
- secure boot
  - UEFI feature that verifies the digital signatures on firmware, the bootloader and the kernel before executing them
  - only Microsoft signs for Secure Boot purposes (its UEFI CA key is the one pre-enrolled in most firmware)
  - Microsoft signs the `shim` bootloader used by Linux distributions with a separate third-party UEFI CA key; shim then verifies the distribution-signed GRUB and Linux kernel
- prevent access to GRUB
  - generate a PBKDF2 password hash with `grub-mkpasswd-pbkdf2` and set it as a GRUB superuser password (`set superusers` + `password_pbkdf2`), so the boot menu and kernel command line cannot be edited at boot
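Added example (not part of these notes): the string that `grub-mkpasswd-pbkdf2` prints is plain PBKDF2-HMAC-SHA512 with GRUB's defaults (10000 iterations, 64-byte salt, 64-byte key), so it can be reproduced and, more usefully, verified offline. The functions below generate a hash in that format, check a candidate password against a stored hash, and emit the two lines that go into `/etc/grub.d/40_custom`. The passphrase and the user name `admin` are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Layout of the string grub-mkpasswd-pbkdf2 prints:
#   grub.pbkdf2.sha512.<iterations>.<salt hex>.<derived key hex>
GRUB_PREFIX = "grub.pbkdf2.sha512"
DEFAULT_ITERATIONS = 10000  # grub-mkpasswd-pbkdf2 default for -c
SALT_LEN = 64               # bytes, default for -s
KEY_LEN = 64                # bytes, default for -l


def grub_pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = DEFAULT_ITERATIONS) -> str:
    """Produce a GRUB-format PBKDF2-SHA512 hash; pass a fixed salt only in tests."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_LEN)
    return ".".join([GRUB_PREFIX, str(iterations),
                     salt.hex().upper(), key.hex().upper()])


def grub_pbkdf2_verify(password: str, hash_string: str) -> bool:
    """Re-derive the key from the stored salt and compare in constant time."""
    prefix, iterations, salt_hex, key_hex = hash_string.rsplit(".", 3)
    if prefix != GRUB_PREFIX:
        raise ValueError("not a grub.pbkdf2.sha512 hash")
    stored = bytes.fromhex(key_hex)
    derived = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations),
                                  dklen=len(stored))
    return hmac.compare_digest(derived, stored)


def grub_superuser_snippet(username: str, hash_string: str) -> str:
    """Lines to append to /etc/grub.d/40_custom; run update-grub (or grub-mkconfig) afterwards."""
    return (f'set superusers="{username}"\n'
            f"password_pbkdf2 {username} {hash_string}\n")


if __name__ == "__main__":
    h = grub_pbkdf2_hash("example-passphrase")  # constructed sample passphrase
    print(grub_superuser_snippet("admin", h))
    print("verify:", grub_pbkdf2_verify("example-passphrase", h))
```

Once `superusers` is set, every menu entry asks for those credentials unless the entry carries `--unrestricted`; keep that in mind on servers that must reboot unattended, and never store the cleartext passphrase next to the config.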
- block root access
  - replace root's `/bin/bash` login shell with `/usr/sbin/nologin`
    ![[images/Pasted image 20250802195228.png]]
  - create an empty `/etc/securetty` file
    - prevents root from logging in from any physical tty console
- system logging configs
  - be able to forward logs to a centralized log server
- check for SUID and SGID binaries
  - to disable SUID on a partition, replace `suid` or `defaults` (which implies `suid`) in the fourth (options) field of its `/etc/fstab` entry with `nosuid`
  - to disable execution of binaries and scripts on a partition, replace `exec` or `defaults` (which implies `exec`) in the same field with `noexec`
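Added example (not part of these notes): a small audit for the two checks above. `missing_hardening` parses `/etc/fstab` text and reports which of `nosuid`/`nodev`/`noexec` each listed mount point lacks, treating `defaults` as not hardened because it implies `suid`, `dev` and `exec`. `find_suid_sgid` walks a directory tree and lists regular files with the SUID or SGID bit set, which is the same thing `find / -perm /6000 -type f` does. The fstab content and the temporary directory are constructed sample data.

```python
import os
import stat
import tempfile

# Constructed sample /etc/fstab (not from a real host)
SAMPLE_FSTAB = """\
# <file system>  <mount point>  <type>  <options>                     <dump> <pass>
UUID=1111-2222   /              ext4    errors=remount-ro             0      1
UUID=3333-4444   /home          ext4    defaults                      0      2
UUID=5555-6666   /tmp           ext4    defaults,nosuid,nodev,noexec  0      2
UUID=7777-8888   /var/tmp       ext4    defaults,nosuid               0      2
tmpfs            /dev/shm       tmpfs   defaults,nosuid,nodev,noexec  0      0
"""

HARDENING_OPTIONS = ("nosuid", "nodev", "noexec")


def parse_fstab(text):
    """Return one dict per non-comment fstab line; the options field is split on commas."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than guess
        rows.append({"device": fields[0], "mount": fields[1],
                     "type": fields[2], "options": fields[3].split(",")})
    return rows


def missing_hardening(rows, mounts):
    """Map each requested mount point to the hardening options it lacks.
    'defaults' expands to suid,dev,exec (among others), so only an explicit
    nosuid/nodev/noexec counts as present."""
    return {r["mount"]: [o for o in HARDENING_OPTIONS if o not in r["options"]]
            for r in rows if r["mount"] in mounts}


def find_suid_sgid(root):
    """Walk a tree and return (path, octal mode) for regular files with SUID or SGID set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def make_sample_tree():
    """Create a throwaway directory with one SUID, one SGID and one plain file."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    for name, mode in (("suid_bin", 0o4755), ("sgid_bin", 0o2755), ("plain", 0o755)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    print(missing_hardening(parse_fstab(SAMPLE_FSTAB), {"/home", "/tmp", "/var/tmp"}))
    for path, mode in find_suid_sgid(make_sample_tree()):
        print(mode, path)
```

Run `find_suid_sgid("/")` on a real host and diff the output against a known-good baseline; a new SUID file outside the package manager's list is worth an incident ticket. The fstab check only reads the file, so pair it with `findmnt -o TARGET,OPTIONS` to confirm what is actually mounted.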
- setting default `umask`
  - `umask` sets the default permissions for new files and folders, either system-wide or on a per-user basis
  - applied through PAM (`pam_umask.so`) or the shell startup files
  - `umask` shows the current value in octal notation
    - the umask bits are masked out of 666 for files (for common values this looks like subtracting)
    - the umask bits are masked out of 777 for directories
  - `umask -S` shows the current value in symbolic notation
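Added example (not part of these notes): the kernel clears every bit that is set in the umask rather than subtracting, and the difference shows up as soon as the umask has a bit that the base mode lacks. The code below computes the effective mode both ways, renders the `umask -S` symbolic form, and actually creates a file and a directory under a given umask in a temporary directory so the result can be checked against the kernel instead of trusted. The sample umask values are constructed.

```python
import os
import stat
import tempfile

FILE_BASE = 0o666  # open()/creat() request 666 for new files; the kernel masks it
DIR_BASE = 0o777   # mkdir() requests 777


def effective_mode(umask, base):
    """What the kernel does: clear every bit that is set in the umask."""
    return base & ~umask & 0o777


def subtraction_rule(umask, base):
    """The '666 minus umask' shorthand; correct for 022/077, wrong for e.g. 027."""
    return base - umask


def symbolic(umask):
    """Render the permissions a umask leaves allowed, as `umask -S` prints them."""
    allowed = 0o777 & ~umask
    parts = []
    for who, shift in (("u", 6), ("g", 3), ("o", 0)):
        bits = (allowed >> shift) & 0o7
        letters = "".join(l for l, bit in (("r", 4), ("w", 2), ("x", 1)) if bits & bit)
        parts.append(f"{who}={letters}")
    return ",".join(parts)


def create_with_umask(umask, directory=False):
    """Set the process umask, create a file or directory, and return the mode it received."""
    parent = tempfile.mkdtemp(prefix="umask-demo-")
    path = os.path.join(parent, "d" if directory else "f")
    old = os.umask(umask)          # umask is process-wide, so restore it afterwards
    try:
        if directory:
            os.mkdir(path)         # requests 777
        else:
            open(path, "w").close()  # requests 666
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    for m in (0o022, 0o027, 0o077):
        print(f"umask {m:03o}: files {effective_mode(m, FILE_BASE):03o}, "
              f"dirs {effective_mode(m, DIR_BASE):03o}, symbolic {symbolic(m)}")
    # 027 is where subtraction goes wrong: 666 - 027 = 637, the kernel gives 640
    print(f"subtract {subtraction_rule(0o027, FILE_BASE):03o} "
          f"vs mask {effective_mode(0o027, FILE_BASE):03o}")
```

`027` is a common hardened default (group can read, others get nothing); `077` is stricter and suits service accounts whose files nobody else should read.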
- disabling/removing insecure/unused services
  - e.g. FTP, Telnet (cleartext protocols)
  - reduce attack vectors to the extent practical
- enforcing password strength
  - complexity, length, min/max age, history, etc.
  - edit `/etc/login.defs` (aging defaults: `PASS_MAX_DAYS`, `PASS_MIN_DAYS`, `PASS_WARN_AGE`)
  - `/etc/pam.d/common-password`
    - associated with the `pam_pwquality.so` module (its settings live in `/etc/security/pwquality.conf`)
- limit password attempts
  - `pam_tally2.so` (deprecated; removed in Linux-PAM 1.5)
  - `pam_faillock.so` (its replacement; settings in `/etc/security/faillock.conf`)
  - `fail2ban` (watches logs and bans source IPs after repeated failures)
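Added example (not part of these notes): the configuration that the two items above map onto, spread over the files named. The numbers (14 characters, 90-day maximum age, 5 attempts, 15-minute lockout) are illustrative policy values, not anything these notes prescribe, and the `common-auth` stacking follows the example in `pam_faillock(8)`; merge it with the lines your distribution already ships rather than replacing them.

```ini
# /etc/security/pwquality.conf (read by pam_pwquality.so)
# minimum length 14; a negative credit means "at least one character of this class"
minlen = 14
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
# no more than 3 identical consecutive characters
maxrepeat = 3
# apply the same checks when root sets a password
enforce_for_root

# /etc/login.defs (aging defaults for newly created accounts;
# use `chage -M 90 -m 1 -W 7 user_name` for accounts that already exist)
PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
PASS_WARN_AGE 7

# /etc/pam.d/common-password (history: reject the last 5 passwords;
# place this line after pam_pwquality.so and before pam_unix.so)
password required pam_pwhistory.so remember=5 use_authtok

# /etc/security/faillock.conf (read by pam_faillock.so)
# lock after 5 failures within 15 minutes, unlock automatically after 15 minutes
deny = 5
fail_interval = 900
unlock_time = 900

# /etc/pam.d/common-auth (illustrative stacking from pam_faillock(8))
auth required pam_faillock.so preauth
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
```

Check the result with `faillock --user user_name` (shows and, with `--reset`, clears the counter) and with `pwscore`, which reads `pwquality.conf` and scores a candidate password from stdin.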
- removing unused packages
  - reduce attack vectors to the extent practical
- tuning kernel parameters
  - `sysctl` values in `/etc/sysctl.conf` or `/etc/sysctl.d/`
  - turn off un-needed kernel modules (blacklist them in `/etc/modprobe.d/`)
- securing service accounts
  - limit each to its associated service only, so nobody can log in as the service account
  - disable interactive abilities (non-login shell, locked password)
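Added example (not part of these notes), covering both the "block root access" and the "securing service accounts" items: an audit over `/etc/passwd` that flags root and every system account (UID below the assumed `UID_MIN` of 1000 from `/etc/login.defs`) whose shell still allows an interactive session, and prints the `usermod -s` commands that would fix them. The passwd lines are constructed sample data; on a real host read `/etc/passwd` instead.

```python
# Constructed sample of /etc/passwd lines (not from a real host)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
postgres:x:110:115:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Shells that refuse an interactive session; /bin/false and nologin both work,
# nologin additionally prints a message (or the contents of /etc/nologin.txt).
NON_INTERACTIVE_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin",
                          "/bin/false", "/usr/bin/false"}
UID_MIN = 1000  # assumed UID_MIN from /etc/login.defs; regular users start here


def parse_passwd(text):
    """Split passwd lines into dicts; the shell is the seventh field."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def interactive_system_accounts(entries, uid_min=UID_MIN):
    """root and every service account (uid < uid_min) whose shell still permits a login."""
    return [e["name"] for e in entries
            if e["uid"] < uid_min and e["shell"] not in NON_INTERACTIVE_SHELLS]


def remediation_commands(names, shell="/usr/sbin/nologin"):
    """usermod invocations that swap the login shell for a non-interactive one."""
    return [f"usermod -s {shell} {name}" for name in names]


if __name__ == "__main__":
    with open("/etc/passwd") as fh:  # comment out to use the constructed sample instead
        text = fh.read()
    flagged = interactive_system_accounts(parse_passwd(text))
    print("\n".join(remediation_commands(flagged)) or "no interactive system accounts")
```

Changing root's shell removes interactive logins but not `sudo`/`su -` escalation by administrators, which is usually what you want; review the flagged service accounts one by one, since some packages (PostgreSQL is a common case) rely on `su - postgres` for administration and document a supported shell.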
- configuring host firewall
  - `iptables`, `firewalld`, or `ufw`
- deny specific hosts (TCP wrappers)
  - edit `/etc/hosts.deny`
  - for more control, create `/etc/hosts.allow` (its entries are checked first and take precedence)
- SSH (`/etc/ssh/sshd_config`)
  - disable root login (`PermitRootLogin no`)
  - disable password login and require public-key authentication (`PasswordAuthentication no`, `PubkeyAuthentication yes`)
  - set a user's shell to `/bin/false` to disable interactive remote login
    - `sudo usermod -s /bin/false user_name`
  - use MFA
- use AAA (authentication, authorization, accounting)
  - Kerberos + LDAP (like Active Directory)
  - RADIUS
  - TACACS+
- set up SELinux or AppArmor (mandatory access control)
- set ACLs on files
  - `getfacl file_name` shows the ACL for a file
  - `setfacl -m u:user_name:r file_name` gives a user read-only access to a file via the ACL
- set attributes on files
  - `lsattr file_name` shows the attributes of a file
  - `chattr +i file_name` changes the attributes of a file (here `+i` makes it immutable, even for root, until `chattr -i`)
- restrict apps using `chroot`
- use LUKS to encrypt partitions (`cryptsetup`)
- impose fs quotas
  - add `usrquota` and `grpquota` to the options (fourth) field of the appropriate `/etc/fstab` entry and remount
  - `quotacheck -cug /mount_point` creates the quota files; `quota -u user_name` shows a user's current quota and usage
  - `edquota user_name` edits a user's quota
  - `repquota -a` shows all quotas
- impose memory and other resource limits with `ulimit` (persistently via `/etc/security/limits.conf`)
- banners and messages
  - set `/etc/motd` (shown after login)
  - set `/etc/login.warn`
- limit access to `at` and `cron`
  - insert user names into `/etc/at.allow` (permitted users) or `/etc/at.deny` (denied users); if `at.allow` exists, only the users listed there may use `at`
  - insert user names into `/etc/cron.allow` or `/etc/cron.deny` in the same way
- restrict USB access
  - `echo "blacklist uas" >> /etc/modprobe.d/blacklist.conf && echo "blacklist usb-storage" >> /etc/modprobe.d/blacklist.conf`
  - `blacklist` only stops automatic loading; add `install usb-storage /bin/false` to the same file to block a manual `modprobe` as well
- enable `auditd`
  - set security rules that monitor and log (file watches on sensitive files, syscall rules)
  - use `auditctl` to define temporary rules (lost at reboot)
  - add persistent rules to `/etc/audit/audit.rules` (on most distributions `augenrules` builds it from `/etc/audit/rules.d/*.rules`)
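Added example (not part of these notes): a persistent rule set in `auditctl` syntax that watches the files the rest of this checklist hardens (identity, sudoers, sshd, the audit configuration itself) and adds two syscall rules, one for executables that end up running as root through SUID and one for kernel module loading. The file name `hardening.rules` is an assumption; any `*.rules` file under `/etc/audit/rules.d/` is merged into `/etc/audit/audit.rules` by `augenrules --load`.

```conf
# Assumed file name: /etc/audit/rules.d/hardening.rules

# Start from an empty rule set and enlarge the kernel backlog so bursts are not dropped
-D
-b 8192

# Identity and privilege files: log writes and attribute changes (-p wa), tagged with a key
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-w /etc/sudoers.d/ -p wa -k privilege

# Remote access configuration and the audit configuration itself
-w /etc/ssh/sshd_config -p wa -k sshd
-w /etc/audit/ -p wa -k auditconfig

# Syscall rules (64-bit ABI): programs that become root via SUID, and module loading
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid_exec
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules

# Make the rule set immutable: further changes (including auditctl) need a reboot
-e 2
```

The temporary form of the first watch is `auditctl -w /etc/shadow -p wa -k identity`; `auditctl -l` lists what is loaded and `ausearch -k identity` pulls the matching events. Leave out `-e 2` until the rules have been tuned, otherwise every adjustment costs a reboot.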