CIS 290 LINUX Security



CIS 290
LINUX Security
User security
Network Security
User Security
• ALWAYS use /etc/shadow (pwconv command)
• Password aging:
  get: chage -l userid
  set: chage -M 60 -m 7 -W 7 userid
• Lock/unlock an account:
  passwd -l userid
  passwd -u userid
• Limit password reuse:
  vi /etc/pam.d/system-auth (RHEL/Fedora)
  vi /etc/pam.d/common-password (Ubuntu)
  Add: password sufficient pam_unix.so use_authtok md5 shadow remember=10
• Verify root IDs (every account with UID 0): awk -F: '($3 == "0") {print}' /etc/passwd
• Verify no-password IDs: list accounts with an empty hash field in /etc/shadow, then look each one up in /etc/passwd:
  for u in $(awk -F: '($2 == "") {print $1}' /etc/shadow); do grep "^$u:" /etc/passwd; done
  Make sure their login shell is /bin/nologin.
• No ROOT LOGIN; use su or sudo.
• Disable ROOT login under FTP, SSH, GUI (procedures vary).
• Configure pam_cracklib.so to enforce the password policy.
• See defaults in /etc/login.defs for /etc/shadow values.
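An added audit script for the UID 0, empty-password and login-shell checks above (example code, not from the slides). It runs the same awk checks against constructed sample passwd/shadow files so it can be tried on any system; point the functions at the real /etc/passwd and /etc/shadow to audit a host.

```shell
#!/bin/sh
# Sample passwd and shadow content, constructed for this example; the hash
# fields are placeholders, not real password hashes.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
svc:x:1002:1002::/var/svc:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash'
SAMPLE_SHADOW='root:$6$PLACEHOLDER$HASH:19000:0:99999:7:::
toor:$6$PLACEHOLDER$HASH:19000:0:99999:7:::
guest::19000:0:99999:7:::
svc::19000:0:99999:7:::
alice:$6$PLACEHOLDER$HASH:19000:0:99999:7:::'
PASSWD_FILE=$(mktemp) && printf '%s\n' "$SAMPLE_PASSWD" > "$PASSWD_FILE"
SHADOW_FILE=$(mktemp) && printf '%s\n' "$SAMPLE_SHADOW" > "$SHADOW_FILE"
trap 'rm -f "$PASSWD_FILE" "$SHADOW_FILE"' EXIT

# uid0_accounts PASSWD: every UID 0 account other than root
uid0_accounts() {
    awk -F: '($3 == "0" && $1 != "root") {print $1}' "$1"
}

# empty_password_accounts SHADOW: accounts whose hash field is empty
empty_password_accounts() {
    awk -F: '($2 == "") {print $1}' "$1"
}

# empty_password_with_shell SHADOW PASSWD: empty-password accounts whose
# login shell is still interactive, printed as "user shell"
empty_password_with_shell() {
    empty_password_accounts "$1" | while read -r user; do
        shell=$(awk -F: -v u="$user" '($1 == u) {print $7}' "$2")
        case "$shell" in
            */nologin|*/false) ;;   # already unable to log in; not a finding
            *) printf '%s %s\n' "$user" "$shell" ;;
        esac
    done
}

# count_findings PASSWD SHADOW: total number of findings (0 means clean)
count_findings() {
    n1=$(uid0_accounts "$1" | wc -l | tr -d ' ')
    n2=$(empty_password_with_shell "$2" "$1" | wc -l | tr -d ' ')
    echo $((n1 + n2))
}

uid0_accounts "$PASSWD_FILE" | sed 's/^/FINDING: extra UID 0 account: /'
empty_password_with_shell "$SHADOW_FILE" "$PASSWD_FILE" \
    | sed 's/^/FINDING: empty password with login shell: /'
echo "total findings: $(count_findings "$PASSWD_FILE" "$SHADOW_FILE")"
```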
sysctl.conf
For network:
• # Enable IP spoofing protection
  net.ipv4.conf.all.rp_filter=1
• # Disable IP source routing
  net.ipv4.conf.all.accept_source_route=0
• # Ignore broadcast requests and bogus ICMP error messages
  net.ipv4.icmp_echo_ignore_broadcasts=1
  net.ipv4.icmp_ignore_bogus_error_messages=1
• # Make sure spoofed packets get logged
  net.ipv4.conf.all.log_martians=1
• # Disable IPv6
  net.ipv6.conf.all.disable_ipv6=1
Kernel isolation (test carefully on a test system):
• Turn on ExecShield and address-space randomization:
  kernel.exec-shield=1
  kernel.randomize_va_space=1
Network services
• Determine open services:
  netstat -tulpn  OR  nmap -sT -O localhost
• Disable unneeded services with chkconfig and/or remove the software.
• Use TCP wrappers (xinetd).
• Configure iptables.
• Remove X Windows:
  yum groupremove "X Window System"
• Set initdefault to runlevel 3.
• No cleartext services (HTTP, TELNET, FTP, rcmd; see gov't requirements); use SSH, SSL, SFTP instead.
• Restrict NFS/CIFS to local networks only.