Security Baseline   IT Security Management Create Date: 9 October, 2006    Last Update: 03 June, 2009    Version 1.2   Contact: ITSM 02 6852

Document Version History

Version No.   Date         Created By     Detail            Reviewed by   Authorized by
1.0           21/09/2007   Suthinan A.    Initial release   SMAD          SMAD
1.1           28/07/2008   Naraongsak V   Review            ITSM          ITSM
1.2           03/06/2009   Naraongsak V   Review            ITSM          ITSM

Red Hat Enterprise Linux Security Baseline Checklist

Action Outcome and comments
Apply latest OS Patches
Validate your system before making changes
Configure SSH
Enable System Accounting
Remove unnecessary software package
Disable standard services
Disable telnet
Disable FTP
Disable rlogin/rsh/rcp
Disable TFTPServer
Disable IMAP
Disable POP
Set Daemon umask
Disable xinetd
Disable sendmail Server
Disable GUI Login
Disable X Font Server
Disable standard boot services
Disable SMB (Windows File Sharing) Processes
Disable NFS Server process
Disable NFS client processes
Disable NIS client processes
Disable NIS Server processes
Disable RPC Portmap process
Disable netfs script
Disable Printer Daemon
Disable Web Server processes
Disable SNMP
Disable DNS Server
Disable SQL Server processes
Disable Webmin
Disable Squid Cache Server.
Disable Kudzu Hardware Detection
Network Parameter Modifications
Additional Network Parameter Modifications
Capture messages sent to syslog AUTHPRIV facility
Turn on additional logging for FTP daemon
Confirm permissions on system log files
Configure syslogd to send logs to a remote LogHost
Add ‘nodev’ option to appropriate partitions in  /etc/fstab

 

Add ‘nosuid’ and ‘nodev’ Option For Removable Media In /etc/fstab
Disable User-Mounted Removable File Systems
Verify passwd, shadow, and group File Permissions
World-Writable Directories Should Have Their Sticky Bit Set
Find Unauthorized World-Writable Files
Find Unauthorized SUID/SGID System Executables
Find All Unowned Files
Disable USB Devices (AKA Hotplugger)
Remove .rhosts Support In PAM Configuration Files
Create ftpusers Files
Prevent X Server From Listening On Port 6000/tcp
Restrict at/cron To Authorized Users
Restrict Permissions On crontab Files
Configure xinetd Access Control
Restrict Root Logins To System Console
Set LILO/GRUB Password
Require Authentication For Single-User Mode
Restrict NFS Client Requests To Privileged Ports
Only Enable syslog To Accept Messages If Absolutely Necessary
Block System Accounts
Verify That There Are No Accounts With Empty Password Fields
Set Account Expiration Parameters On Active Accounts
Verify No Legacy ‘+’ Entries Exist In passwd, shadow, And group Files
Verify That No UID 0 Accounts Exist Other Than Root
No ‘.’ or Group/World-Writable Directory In Root’s $PATH
User Home Directories Should Be Mode 750 or More Restrictive
No User Dot-Files Should Be World-Writable
Remove User .netrc Files
Set Default umask For Users
Disable Core Dumps
Limit Access To The Root Account From su
Create Warnings For Network And Physical Access Services
Create Warnings For GUI-Based Logins
Create “authorized only” Banners For vsftpd, If Applicable


Red Hat Enterprise Linux and Fedora Core 1, 2, 3 & 4

Recommendation

Before performing the following steps it is strongly recommended that administrators make backup copies of critical configuration files that may get modified.

Action:

Create the shell script for backing up files as below:

#!/bin/sh

# Timestamp suffix so repeated runs never overwrite an earlier backup
ext=`date '+%Y%m%d-%H:%M:%S'`

for file in /etc/.login                /etc/X11/gdm/gdm.conf     \
            /etc/cron.d/at.allow       /etc/cron.d/at.deny       \
            /etc/cron.d/cron.allow     /etc/cron.d/cron.deny     \
            /etc/default/cron          /etc/default/inetinit     \
            /etc/default/init          /etc/default/keyserv      \
            /etc/default/login         /etc/default/passwd       \
            /etc/default/syslogd                                 \
            /etc/dt/config/*/Xresources                          \
            /etc/dt/config/*/sys.resources                       \
            /etc/dt/config/Xconfig                               \
            /etc/dt/config/Xservers                              \
            /etc/ftpd/banner.msg       /etc/ftpd/ftpaccess       \
            /etc/ftpd/ftpusers                                   \
            /etc/hosts.allow           /etc/hosts.deny           \
            /etc/init.d/netconfig      /etc/issue                \
            /etc/mail/sendmail.cf      /etc/motd                 \
            /etc/pam.conf              /etc/passwd               \
            /etc/profile               /etc/rmmount.conf         \
            /etc/security/audit_class                            \
            /etc/security/audit_control                          \
            /etc/security/audit_event                            \
            /etc/security/audit_startup                          \
            /etc/security/audit_user                             \
            /etc/security/policy.conf                            \
            /etc/shadow                                          \
            /etc/ssh/ssh_config        /etc/ssh/sshd_config      \
            /etc/syslog.conf           /etc/system               \
            /usr/openwin/lib/app-defaults/XScreenSaver
do
    # Copy each file that exists, preserving mode, owner and timestamps
    [ -f $file ] && cp -p $file $file-preAIS-$ext
done

# Back up the crontab spool as a whole; stop if the directory is missing so
# that tar is never run in the wrong place
mkdir -p -m 0700 /var/spool/cron/crontabs-preAIS-$ext
cd /var/spool/cron/crontabs || exit 1
tar cf - * | (cd ../crontabs-preAIS-$ext; tar xfp -)

 

Red Hat Enterprise Linux Security Baseline detail

1.  Patches, Packages and Initial Lockdown

1.1. Apply latest OS Patches
1.2. Validate your system before making changes
1.3. Configure SSH

 

Action :

 

unalias cp rm mv
cd /etc/ssh

# Client configuration: force protocol 2
cp ssh_config ssh_config.tmp
awk '/^#? *Protocol/ { print "Protocol 2"; next };
     { print }' ssh_config.tmp > ssh_config
if [ "`egrep -l ^Protocol ssh_config`" = "" ]; then
    echo 'Protocol 2' >> ssh_config
fi
rm -f ssh_config.tmp

# Server configuration: rewrite each directive whether it is live or commented out
cp sshd_config sshd_config.tmp
awk '/^#? *Protocol/ { print "Protocol 2"; next };
     /^#? *X11Forwarding/ \
         { print "X11Forwarding no"; next };
     /^#? *IgnoreRhosts/ \
         { print "IgnoreRhosts yes"; next };
     /^#? *RhostsAuthentication/ \
         { print "RhostsAuthentication no"; next };
     /^#? *RhostsRSAAuthentication/ \
         { print "RhostsRSAAuthentication no"; next };
     /^#? *HostbasedAuthentication/ \
         { print "HostbasedAuthentication no"; next };
     /^#? *PermitRootLogin/ \
         { print "PermitRootLogin no"; next };
     /^#? *PermitEmptyPasswords/ \
         { print "PermitEmptyPasswords no"; next };
     /^#? *Banner/ \
         { print "Banner /etc/issue.net"; next };
     { print }' sshd_config.tmp > sshd_config
rm -f sshd_config.tmp
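As an added example (not one of the baseline's own scripts), the Python checker below verifies sshd_config content against the directives set above. It applies sshd's own rules, that the first occurrence of a keyword wins and that commented lines are ignored, so a hardened line that sits after a permissive live one is still reported; the sample configuration it embeds is constructed.

```python
"""Check sshd_config content against the baseline directives from section 1.3.

sshd takes the FIRST occurrence of each keyword and ignores '#' lines, so the
awk rewrite above must touch every live line; this checker confirms the result.
Added example with a constructed sample so it runs offline.
"""
import re
import sys

# Required values from section 1.3; sshd keywords are case-insensitive.
BASELINE = {
    "protocol": "2",
    "x11forwarding": "no",
    "ignorerhosts": "yes",
    "rhostsauthentication": "no",
    "rhostsrsaauthentication": "no",
    "hostbasedauthentication": "no",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "banner": "/etc/issue.net",
}

_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {keyword: value} with first-match-wins semantics.

    Lines are 'Keyword value' or 'Keyword=value'. Directives inside a
    'Match' block are conditional and are skipped: they cannot satisfy a
    global requirement.
    """
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
            continue
        if not in_match:
            effective.setdefault(key, value)
    return effective


def check_sshd_config(text):
    """Return sorted (keyword, expected, actual) tuples for every deviation.

    actual is None when the keyword is absent, meaning sshd's compiled-in
    default applies rather than the baseline value.
    """
    effective = parse_sshd_config(text)
    findings = []
    for key, wanted in BASELINE.items():
        actual = effective.get(key)
        if actual is None or actual.lower() != wanted.lower():
            findings.append((key, wanted, actual))
    return sorted(findings)


# Constructed sample: two deviations, one of them hidden behind an earlier line.
SAMPLE = """\
# constructed sample sshd_config, not taken from a real host
Port 22
Protocol 2,1
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
X11Forwarding no
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
Banner /etc/issue.net
"""

if __name__ == "__main__":
    # Pass a path to check a real file, otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for key, wanted, actual in check_sshd_config(text):
        print("%-26s expected %-15s got %s" % (key, wanted, actual))
```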

1.4. Enable System Accounting

Install Package sysstat

1.5. Remove unnecessary software package

Action :

Use chkconfig command


2. Minimize xinetd network services

You will need to unalias the mv and cp commands, as some commands overwrite files and you may otherwise be prompted numerous times about overwriting them:

unalias mv cp

2.1. Disable standard services

Note: Bastille configuration does not cover all of these services

Action:

cd /etc/xinetd.d
for FILE in chargen chargen-udp cups-lpd cups daytime \
            daytime-udp echo echo-udp eklogin finger gssftp imap \
            imaps ipop2 ipop3 krb5-telnet klogin kshell ktalk ntalk \
            pop3s rexec rlogin rsh rsync servers services sgi_fam \
            talk telnet tftp time time-udp vsftpd wu-ftpd; do
    # Only touch services that chkconfig actually knows about
    CHK=`chkconfig --list | grep -w ${FILE}`
    if [ "$CHK" != "" ]; then
        chkconfig ${FILE} off
    fi
done

2.3. Disable telnet

Action : chkconfig telnet off

2.4. Disable FTP

chkconfig vsftpd off

2.5. Disable rlogin/rsh/rcp

Action:

chkconfig shell off
chkconfig rsh off
chkconfig login off
chkconfig rlogin off

2.6. Disable TFTPServer

Action:

chkconfig tftp off

2.7. Disable IMAP

Action:

chkconfig imaps off

2.8. Disable POP

Action:

chkconfig pop3s off


3. Minimize boot services

3.1. Set Daemon umask

Action:

cd /etc/init.d
cp -f functions functions-preAIS
# Raise any existing umask below 027; append one if none is set
awk '($1=="umask") { if ($2 < "027") { $2="027";} }; \
     { print }' functions-preAIS > functions
if [ `grep -c umask functions` -eq 0 ]; then
    echo "umask 027" >> functions
fi
rm -f functions-preAIS

3.2. Disable xinetd

Action:

chkconfig --level 12345 xinetd off

3.3. Disable sendmail Server

Action:

cd /etc/sysconfig
if [ `grep -ci "DAEMON=no" sendmail` = "0" ]; then
    echo DAEMON=no >> sendmail
    echo QUEUE=1h >> sendmail
fi
chown root:root sendmail
chmod 644 sendmail
chkconfig sendmail off

3.4. Disable GUI Login

Action:

cp -f /etc/inittab /etc/inittab-preAIS
sed -e 's/id:5:initdefault:/id:3:initdefault:/' \
    < /etc/inittab-preAIS > /etc/inittab
chown root:root /etc/inittab
chmod 0600 /etc/inittab
rm -f /etc/inittab-preAIS

3.5. Disable X Font Server

Action:

chkconfig xfs off

3.6. Disable standard boot services

Action:

for FILE in apmd canna FreeWnn gpm hpoj innd irda isdn \
            kdcrotate lvs mars-nwe oki4daemon privoxy rstatd \
            rusersd rwalld rwhod spamassassin wine; do
    service $FILE stop
    chkconfig $FILE off
done

for FILE in nfs nfslock autofs ypbind ypserv yppasswdd \
            portmap smb netfs lpd apache httpd tux snmpd \
            named postgresql mysqld webmin kudzu squid cups \
            ip6tables iptables pcmcia bluetooth mDNSResponder; do
    service $FILE stop
    chkconfig $FILE off
done

# Lock the service accounts and remove their login shells
for USERID in rpc rpcuser lp apache http httpd named dns \
              mysql postgres squid news netdump; do
    usermod -L -s /sbin/nologin $USERID
done

 

3.7. Disable SMB (Windows File Sharing) Processes

Action:

chkconfig smb off

3.8. Disable NFS Server process

Action:

chkconfig --level 345 nfs off

3.9. Disable NFS client processes

Action:

chkconfig --level 345 nfslock off
chkconfig --level 345 autofs off

3.10. Disable NIS client processes

Action:

chkconfig ypbind off

3.11. Disable NIS Server processes

Action:

chkconfig ypserv off
chkconfig yppasswdd off

3.12. Disable RPC Portmap process

Action:

chkconfig --level 345 portmap off

3.13. Disable netfs script

If this machine is not sharing files via the NFS, Novell NetWare or Windows File Sharing protocols, then proceed with the action below.

Action:

chkconfig --level 345 netfs off

 

3.14. Disable Printer Daemon

Action:

chkconfig cups off
chkconfig hpoj off
chkconfig lpd off

3.15. Disable Web Server processes

Action:

chkconfig apache off
chkconfig httpd off
chkconfig tux off

3.16. Disable SNMP

If hosts at this site are not remotely monitored by a tool (e.g., HP OpenView, MRTG, Cricket) that relies on SNMP, then proceed with the action below.

Action:

chkconfig snmpd off

3.17. Disable DNS Server

Action:

chkconfig named off

3.18. Disable SQL Server processes

Action:

chkconfig postgresql off
chkconfig mysqld off

3.19. Disable Webmin

Action:

rpm -e webmin

3.20. Disable Squid Cache Server.

Action:

chkconfig squid off

3.21. Disable Kudzu Hardware Detection

Action:

chkconfig --level 345 kudzu off

 

 

4. Kernel Tuning

4.1. Network Parameter Modifications

Action:

cat <<END_SCRIPT >> /etc/sysctl.conf
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
END_SCRIPT
chown root:root /etc/sysctl.conf
chmod 0600 /etc/sysctl.conf

4.2. Additional Network Parameter Modifications

Action:

cat <<END_SCRIPT >> /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
END_SCRIPT
chown root:root /etc/sysctl.conf
chmod 0600 /etc/sysctl.conf

The new values take effect at the next boot, or immediately when loaded with sysctl -p.
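Because the two actions above append to /etc/sysctl.conf and sysctl applies the file top to bottom, the last line for a key is the one that counts. As an added example (not part of the baseline), the Python checker below parses a sysctl.conf with that rule and lists every key from sections 4.1 and 4.2 that is missing or wrong, and a second function compares the baseline with the live /proc/sys values; the sample file it embeds is constructed.

```python
"""Verify sysctl.conf content against the network parameters of sections 4.1 and 4.2.

sysctl(8) applies the file top to bottom, so the LAST value for a key wins:
appending the baseline with cat >> works, but a later stray line undoes it.
Added example, not part of the baseline; the sample file below is constructed.
"""
import os
import sys

BASELINE = {
    "net.ipv4.tcp_max_syn_backlog": "4096",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.secure_redirects": "0",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.conf.default.secure_redirects": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
}


def parse_sysctl_conf(text):
    """Return {key: value}. '#' or ';' start a comment; 'a/b/c' keys are
    normalised to 'a.b.c' (interface names containing dots are not handled)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().replace("/", ".")
        settings[key] = " ".join(value.split())   # later lines override earlier ones
    return settings


def check_sysctl_conf(text, baseline=BASELINE):
    """Return sorted (key, expected, actual) tuples; actual is None if the key is absent."""
    settings = parse_sysctl_conf(text)
    return sorted((key, wanted, settings.get(key))
                  for key, wanted in baseline.items() if settings.get(key) != wanted)


def check_running_kernel(baseline=BASELINE, proc_sys="/proc/sys"):
    """Compare live kernel values (read from /proc/sys) with the baseline.

    The config file only matters at boot or after 'sysctl -p'; this is the
    check that the values are actually in effect. Host-dependent, so it is
    not exercised by the tests.
    """
    findings = []
    for key, wanted in baseline.items():
        path = os.path.join(proc_sys, *key.split("."))
        try:
            with open(path) as fh:
                actual = " ".join(fh.read().split())
        except OSError:        # key not present on this kernel
            actual = None
        if actual != wanted:
            findings.append((key, wanted, actual))
    return sorted(findings)


# Constructed sample: ip_forward is corrected by a later line, most keys are missing.
SAMPLE = """\
# constructed sample sysctl.conf
net.ipv4.ip_forward = 1
kernel.sysrq = 0
net.ipv4.tcp_syncookies=1
net/ipv4/conf/all/rp_filter = 1
net.ipv4.ip_forward = 0
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for key, wanted, actual in check_sysctl_conf(text):
        print("%-45s want %-5s have %s" % (key, wanted, actual))
```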

 

5.  Logging

5.1. Capture messages sent to syslog AUTHPRIV facility

Action:

if [ `grep -v '^#' /etc/syslog.conf | grep -c 'authpriv'` -eq 0 ]; then
    echo -e "authpriv.*\t\t\t\t/var/log/secure" >> /etc/syslog.conf
fi
touch /var/log/secure
chown root:root /var/log/secure
chmod 600 /var/log/secure

5.2. Turn on additional logging for FTP daemon

Action:

if [ -f /etc/vsftpd.conf ]; then
    FILE="/etc/vsftpd.conf"
else
    FILE="/etc/vsftpd/vsftpd.conf"
fi
if [ -f $FILE ]; then
    cp -f $FILE $FILE-preAIS
    awk '/^#?xferlog_std_format/ \
             { print "xferlog_std_format=NO"; next };
         /^#?log_ftp_protocol/ \
             { print "log_ftp_protocol=YES"; next };
         { print }' ${FILE}-preAIS > ${FILE}
    if [ `egrep -c log_ftp_protocol ${FILE}` -eq 0 ]; then
        echo "log_ftp_protocol=YES" >> ${FILE}
    fi
    rm -f $FILE-preAIS
    chmod 0600 $FILE
    chown root:root $FILE
fi

5.3. Confirm permissions on system log files

Action:

cd /var/log
chmod o-rwx boot.log* cron* dmesg ksyms* httpd/* \
      maillog* messages* news/* pgsql rpmpkgs* samba/* sa/* \
      scrollkeeper.log secure* spooler* squid/* vbox/* wtmp
chmod o-rx boot.log* cron* maillog* messages* pgsql \
      secure* spooler* squid/* sa/*
chmod g-w boot.log* cron* dmesg httpd/* ksyms* \
      maillog* messages* pgsql rpmpkgs* samba/* sa/* \
      scrollkeeper.log secure* spooler*
chmod g-rx boot.log* cron* maillog* messages* pgsql \
      secure* spooler*
chmod o-w gdm/ httpd/ news/ samba/ squid/ sa/ vbox/
chmod o-rx httpd/ samba/ squid/ sa/
chmod g-w gdm/ httpd/ news/ samba/ squid/ sa/ vbox/
chmod g-rx httpd/ samba/ sa/
chmod u-x kernel syslog loginlog
chown -R root:root .
chgrp utmp wtmp
# Hand service-specific log directories back to their service accounts
[ -e news ] && chown -R news:news news
[ -e pgsql ] && chown postgres:postgres pgsql
[ -e squid ] && chown -R squid:squid squid

5.4. Configure syslogd to send logs to a remote LogHost

Action:

In the script below, replace loghost with the proper name (FQDN, if necessary) of your loghost.

echo -e "kern.warning;*.err;authpriv.none\t@loghost\n\
*.info;mail.none;authpriv.none;cron.none\t@loghost\n\
*.emerg\t@loghost\n\
local7.*\t@loghost\n" >> /etc/syslog.conf

 

6.  File/Directory Permissions/Access

6.1. Add ‘nodev’ option to appropriate partitions in /etc/fstab

Action:

cp -p /etc/fstab /etc/fstab.tmp
# Skip entries that already carry nodev so a second run does not duplicate it
awk '($3 ~ /^ext[23]$/ && $2 != "/" && $4 !~ /nodev/) \
         { $4 = $4 ",nodev" }; \
     { print }' /etc/fstab.tmp > /etc/fstab
chown root:root /etc/fstab
chmod 0644 /etc/fstab
rm -f /etc/fstab.tmp

6.2. Add ‘nosuid’ and ‘nodev’ Option For Removable Media In /etc/fstab

Action:

cp -p /etc/fstab /etc/fstab.tmp
# The leading comma is required: options are a comma-separated list
awk '($2 ~ /^\/m.*\/(floppy|cdrom)$/) && \
     ($4 !~ /,nodev,nosuid/) \
         { $4 = $4 ",nodev,nosuid" }; \
     { print }' /etc/fstab.tmp > /etc/fstab
chown root:root /etc/fstab
chmod 0644 /etc/fstab
rm -f /etc/fstab.tmp
chattr +i /etc/fstab
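The awk rewrites in 6.1 and 6.2 append text to the option field, so each run of 6.1 adds another nodev unless guarded, and a stray dev or suid option placed later in the list would quietly re-enable what was switched off. As an added example (not part of the baseline), the Python function below applies the same two rules as set operations on the option list, which makes repeated runs harmless; the fstab it processes is constructed.

```python
"""Apply the fstab rules of sections 6.1 and 6.2 idempotently (added example).

6.1: every ext2/ext3 partition other than / gets nodev.
6.2: removable media mounted under /m*/floppy or /m*/cdrom get nodev,nosuid.
Options are handled as an ordered set, so running twice changes nothing and an
explicit dev/suid that would re-enable the behaviour is dropped. The sample
fstab at the bottom is constructed.
"""
import re
import sys

REMOVABLE = re.compile(r"^/m.*/(floppy|cdrom)$")   # same mount-point pattern as 6.2
LOCAL_FS = {"ext2", "ext3"}
OPPOSITE = {"nodev": "dev", "nosuid": "suid", "noexec": "exec"}


def with_options(opts, add):
    """Return the option string with each option in `add` present and its opposite removed."""
    current = [o for o in opts.split(",") if o]
    for opt in add:
        current = [o for o in current if o != OPPOSITE.get(opt)]
        if opt not in current:
            current.append(opt)
    return ",".join(current)


def harden_fstab_line(line):
    """Return the hardened line, or the line unchanged when no rule applies."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line
    fields = stripped.split()
    if len(fields) < 4:                   # not a valid fstab entry; leave it alone
        return line
    device, mount, fstype, opts = fields[:4]
    if REMOVABLE.match(mount):
        opts = with_options(opts, ["nodev", "nosuid"])
    elif fstype in LOCAL_FS and mount != "/":
        opts = with_options(opts, ["nodev"])
    else:
        return line
    # Rewritten entries are tab-separated; untouched lines keep their spacing.
    return "\t".join([device, mount, fstype, opts] + fields[4:])


def harden_fstab(text):
    return "\n".join(harden_fstab_line(l) for l in text.splitlines()) + "\n"


SAMPLE = """\
# constructed sample /etc/fstab
LABEL=/        /            ext3     defaults        1 1
LABEL=/home    /home        ext3     defaults        1 2
LABEL=/var     /var         ext3     defaults,nodev  1 2
/dev/cdrom     /mnt/cdrom   iso9660  noauto,owner,kudzu,ro  0 0
/dev/fd0       /mnt/floppy  auto     noauto,owner,kudzu     0 0
none           /proc        proc     defaults        0 0
"""

if __name__ == "__main__":
    # Prints the hardened table; write it to a copy and diff it before installing.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    sys.stdout.write(harden_fstab(text))
```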

6.3. Disable User-Mounted Removable File Systems

If there is not a mission-critical reason to allow unprivileged users to mount CD-ROMs and floppy disk file systems on this system, then perform the action below.

Action:

cd /etc/security
cp -f console.perms console.perms-preAIS
# Comment out every <console> rule except those for local input/output devices
awk '($1 == "<console>") && ($3 !~ \
         /sound|fb|kbd|joystick|v4l|mainboard|gpm|scanner/) \
         { $1 = "#<console>" }; \
     { print }' console.perms-preAIS > console.perms
rm -f console.perms-preAIS
chown root:root console.perms
chmod 0600 console.perms

6.4. Verify passwd, shadow, and group File Permissions

Action:

cd /etc

chown root:root passwd shadow group
chmod 644 passwd group

chmod 400 shadow

6.5. World-Writable Directories Should Have Their Sticky Bit Set

Action:

for PART in `awk '($3 == "ext2" || $3 == "ext3") \
                  { print $2 }' /etc/fstab`; do
    find $PART -xdev -type d \
         \( -perm -0002 -a ! -perm -1000 \) -print
done

There should be no entries returned.

6.6. Find Unauthorized World-Writable Files

Action:

for PART in `grep -v ^# /etc/fstab | awk '($6 != "0") { print $2 }'`; do
    find $PART -xdev -type f \
         \( -perm -0002 -a ! -perm -1000 \) -print
done

There should be no entries returned. If grub.conf shows up, its permissions will be adjusted in section 7, System Access, Authentication, and Authorization (Set LILO/GRUB Password).

6.7. Find Unauthorized SUID/SGID System Executables

Action:

Administrators who wish to obtain a list of the set-UID and set-GID programs currently installed on the system may run the following commands:

for PART in `grep -v ^# /etc/fstab | awk '($6 != "0") { print $2 }'`; do
    find $PART \( -perm -04000 -o -perm -02000 \) \
         -type f -xdev -print
done

6.8. Find All Unowned Files

Action:

for PART in `grep -v ^# /etc/fstab | awk '($6 != "0") { print $2 }'`; do
    # Group the two tests so that -print applies to both (without the
    # parentheses only -nogroup matches are printed); -xdev stays on one filesystem
    find $PART -xdev \( -nouser -o -nogroup \) -print
done

There should be no entries returned.
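Sections 6.5 to 6.8 make four separate find passes over every local filesystem. As an added example (not the baseline's own tooling), the Python audit below makes a single pass over a tree, stays on the starting filesystem the way find -xdev does, and reports all four conditions; it only reads metadata, so it is safe on a production host. build_sample_tree() creates a constructed fixture so the audit can be tried offline.

```python
"""One-pass audit for the conditions of sections 6.5 to 6.8 (added example):
world-writable directories without the sticky bit, world-writable regular
files, set-UID/set-GID regular files, and files whose owner or group has no
passwd/group entry. Unlike 6.6 in the text, every world-writable file is
reported, sticky bit or not. Symlinks are inspected but never followed.
"""
import grp
import os
import pwd
import stat
import sys
import tempfile


def _known_uid(uid):
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def _known_gid(gid):
    try:
        grp.getgrgid(gid)
        return True
    except KeyError:
        return False


def audit_tree(root):
    """Return {category: sorted paths} for everything below root on root's filesystem."""
    out = {"ww-dir-no-sticky": [], "ww-file": [], "suid-sgid": [], "unowned": []}
    dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories on other filesystems (the equivalent of find -xdev).
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == dev]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            mode = st.st_mode
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                out["ww-dir-no-sticky"].append(path)
            if stat.S_ISREG(mode):
                if mode & stat.S_IWOTH:
                    out["ww-file"].append(path)
                if mode & (stat.S_ISUID | stat.S_ISGID):
                    out["suid-sgid"].append(path)
            if not _known_uid(st.st_uid) or not _known_gid(st.st_gid):
                out["unowned"].append(path)
    return {k: sorted(v) for k, v in out.items()}


def build_sample_tree():
    """Create a constructed fixture in a temporary directory and return its path."""
    base = tempfile.mkdtemp(prefix="baseline-audit-")
    os.mkdir(os.path.join(base, "drop"))
    os.chmod(os.path.join(base, "drop"), 0o777)      # world-writable, no sticky bit
    os.mkdir(os.path.join(base, "tmp"))
    os.chmod(os.path.join(base, "tmp"), 0o1777)      # world-writable but sticky: fine
    for name, mode in (("notes.txt", 0o666), ("helper", 0o4755), ("safe.txt", 0o644)):
        path = os.path.join(base, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return base


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for category, paths in audit_tree(root).items():
        for path in paths:
            print("%-18s %s" % (category, path))
```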

6.9. Disable USB Devices (AKA Hotplugger)

 

If there is not a mission-critical reason to allow use of PCMCIA or USB-based devices on this system, then perform the action below.

Action:

rpm -e pcmcia-cs
rpm -e kernel-pcmcia-cs

# All versions except RHEL 4 and Fedora Core 4:
rpm -e hotplug

7.  System Access, Authentication, and Authorization

7.1. Remove .rhosts Support In PAM Configuration Files

Action:

for FILE in /etc/pam.d/*; do
    grep -v rhosts_auth $FILE > ${FILE}.tmp
    mv -f ${FILE}.tmp $FILE
    chown root:root $FILE
    chmod 644 $FILE
done

7.2. Create ftpusers Files

Action:

# Deny FTP logins to every system account (UID below 500)
for NAME in `cut -d: -f1 /etc/passwd`; do
    if [ `id -u $NAME` -lt 500 ]; then
        echo $NAME >> /etc/ftpusers
    fi
done
chown root:root /etc/ftpusers
chmod 600 /etc/ftpusers
if [ -e /etc/vsftpd.conf ] || \
   [ -e /etc/vsftpd/vsftpd.conf ]; then
    rm -f /etc/vsftpd.ftpusers
    cp -fp /etc/ftpusers /etc/vsftpd.ftpusers
fi

7.3. Prevent X Server From Listening On Port 6000/tcp

Action:

if [ -e /etc/X11/xdm/Xservers ]; then
    cd /etc/X11/xdm
    cp -f Xservers Xservers-preAIS
    awk '($1 !~ /^#/ && $3 == "/usr/X11R6/bin/X") \
             { $3 = $3 " -nolisten tcp" };
         { print }' Xservers-preAIS > Xservers
    rm -f Xservers-preAIS
    chown root:root Xservers
    chmod 444 Xservers
fi

if [ -e /etc/X11/gdm/gdm.conf ]; then
    cd /etc/X11/gdm
    cp -f gdm.conf gdm.conf-preAIS
    awk -F= '($2 ~ /\/X$/) \
                 { printf("%s -nolisten tcp\n", $0); next };
             { print }' gdm.conf-preAIS > gdm.conf
    rm -f gdm.conf-preAIS
    chown root:root gdm.conf
    chmod 644 gdm.conf
fi

if [ -d /etc/X11/xinit ]; then
    cd /etc/X11/xinit
    if [ -e xserverrc ]; then
        cp -f xserverrc xserverrc-preAIS
        awk '/X/ && !/^#/ \
                 { print $0 " :0 -nolisten tcp \$@"; next }; \
             { print }' xserverrc-preAIS > xserverrc
        rm -f xserverrc-preAIS
    else
        cat <<END > xserverrc
#!/bin/bash
exec X :0 -nolisten tcp \$@
END
    fi
    chown root:root xserverrc
    chmod 755 xserver
fi

 

7.4. Restrict at/cron To Authorized Users

Action:

cd /etc/
rm -f cron.deny at.deny
echo root > cron.allow
echo root > at.allow
chown root:root cron.allow at.allow
chmod 400 cron.allow at.allow

7.5. Restrict Permissions On crontab Files

Action:

chown root:root /etc/crontab
chmod 400 /etc/crontab
chown -R root:root /var/spool/cron
chmod -R go-rwx /var/spool/cron
cd /etc
ls | grep cron | xargs chown -R root:root
ls | grep cron | xargs chmod -R go-rwx

7.6. Configure xinetd Access Control

Action:

Insert the following line into the "defaults" block in /etc/xinetd.conf:

only_from = <net>/<num_bits> <net>/<num_bits>

where each <net>/<num_bits> combination represents one network block in use by your organization. For example:

only_from = 192.168.1.0/24

would restrict connections to only the 192.168.1.0/24 network, with the netmask 255.255.255.0.

Note: There are two <TAB>s between the only_from and the = in the above lines.

7.7. Restrict Root Logins To System Console

Action:

for i in `seq 1 6`; do
    echo tty$i >> /etc/securetty
done
for i in `seq 1 11`; do
    echo vc/$i >> /etc/securetty
done
echo console >> /etc/securetty
chown root:root /etc/securetty
chmod 400 /etc/securetty

 

7.8. Set LILO/GRUB Password

Action (if you have an /etc/lilo.conf file):

1.  Add the following lines to the beginning of /etc/lilo.conf:

restricted
password=<password>

Replace <password> with an appropriate password for your organization.

2.  Execute the following commands as root:

chown root:root /etc/lilo.conf
chmod 600 /etc/lilo.conf
lilo

Action (if you have an /etc/grub.conf file):

1.  Add this line to /etc/grub.conf before the first uncommented line:

password <password>

Replace <password> with an appropriate password for your organization.

2.  Execute the following commands as root:

chown root:root /etc/grub.conf
chmod 600 /etc/grub.conf

7.9. Require Authentication For Single-User Mode

Action:

cd /etc
if [ "`grep -l sulogin inittab`" = "" ]; then
    # Insert the sulogin entry right after the initdefault line
    awk '{ print }; /^id:[0123456sS]:initdefault:/ \
             { print "~~:S:wait:/sbin/sulogin" }' \
        inittab > inittab.tmp
    mv -f inittab.tmp inittab
    chown root:root inittab
    chmod 644 inittab
fi

7.10. Restrict NFS Client Requests To Privileged Ports

Action:

Add the secure option to all entries in the /etc/exports file. The following Perl code will perform this action automatically.

if [ -s /etc/exports ]; then
    perl -i.orig -pe \
        'next if (/^\s*#/ || /^\s*$/);
         ($res, @hst) = split(" ");
         foreach $ent (@hst) {
             undef(%set);
             ($optlist) = $ent =~ /\((.*?)\)/;
             foreach $opt (split(/,/, $optlist)) {
                 $set{$opt} = 1;
             }
             delete($set{"insecure"});
             $set{"secure"} = 1;
             $ent =~ s/\(.*?\)//;
             $ent .= "(" . join(",", keys(%set)) . ")";
         }
         $hst[0] = "(secure)" unless (@hst);
         $_ = "$res\t" . join(" ", @hst) . "\n";' \
        /etc/exports
fi

 

 

 

7.11. Only Enable syslog To Accept Messages If Absolutely Necessary

If this machine is a log server, or otherwise needs to receive syslog messages via the network from other systems, then perform the action below.

Action:

Read the syslogd manpage for the -l, -r and -s options.

Edit /etc/init.d/syslog and look for the line that says:

SYSLOGD_OPTIONS="-m 0"

and add the entries that are appropriate for your site. An example entry would look like this:

SYSLOGD_OPTIONS="-m 0 -l loghost -r -s mydomain.com"

8.  User Accounts and Environment

8.1. Block System Accounts

Action:

for NAME in `cut -d: -f1 /etc/passwd`; do
    MyUID=`id -u $NAME`
    if [ $MyUID -lt 500 -a $NAME != 'root' ]; then
        usermod -L -s /sbin/nologin $NAME
    fi
done

8.2. Verify That There Are No Accounts With Empty Password Fields

Action:

The command:

awk -F: '($2 == "") { print $1 }' /etc/shadow

should return no lines of output.

8.3. Set Account Expiration Parameters On Active Accounts

Action:

cd /etc
cp -f login.defs login.defs-preAIS
awk '($1 ~ /^PASS_MAX_DAYS/) { $2="90" }
     ($1 ~ /^PASS_MIN_DAYS/) { $2="7" }
     ($1 ~ /^PASS_WARN_AGE/) { $2="28" }
     ($1 ~ /^PASS_MIN_LEN/) { $2="6" }
     { print }' login.defs-preAIS > login.defs
chown root:root login.defs
chmod 640 login.defs
rm -f login.defs-preAIS
useradd -D -f 7

# Apply the same ageing to existing regular accounts (nfsnobody excluded)
for NAME in `cut -d: -f1 /etc/passwd`; do
    uid=`id -u $NAME`
    if [ $uid -ge 500 -a $uid != 65534 ]; then
        chage -m 7 -M 90 -W 28 -I 7 $NAME
    fi
done

8.4. Verify No Legacy ‘+’ Entries Exist In passwd, shadow, And group Files

Action:

The command:

grep ^+: /etc/passwd /etc/shadow /etc/group

should return no lines of output.

8.5. Verify That No UID 0 Accounts Exist Other Than Root

Action:

The command:

awk -F: '($3 == 0) { print $1 }' /etc/passwd

should return only the word "root".
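The checks in 8.1, 8.2, 8.4 and 8.5 are each a one-liner run on the host. As an added example (not part of the baseline), the Python audit below runs all four on the contents of passwd, shadow and group passed in as strings, so copies taken from a host can be reviewed anywhere; the set of shells it accepts as locked beyond /sbin/nologin is an assumption, and the sample data is constructed.

```python
"""Offline audit of passwd/shadow/group content for sections 8.1, 8.2, 8.4 and 8.5
(added example, not part of the baseline). Takes file contents as strings, so a
copy pulled from a host can be checked anywhere. The sample data is constructed.
"""
import sys

# Shells accepted as 'locked' for 8.1: the baseline itself sets /sbin/nologin;
# the other entries are an assumption for hosts hardened by different tooling.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                  "/sbin/halt", "/sbin/shutdown", "/bin/sync"}
SYSTEM_UID_MAX = 499     # regular users start at UID 500 in this baseline


def _records(text):
    """Yield (lineno, raw, fields) for every non-blank line, splitting on ':'."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.strip():
            yield lineno, raw, raw.split(":")


def audit_accounts(passwd, shadow, group):
    """Return a sorted list of (check, detail); an empty list means compliant."""
    findings = []
    # 8.4: legacy NIS '+' entries in any of the three files
    for name, text in (("passwd", passwd), ("shadow", shadow), ("group", group)):
        for lineno, raw, _ in _records(text):
            if raw.startswith("+:"):
                findings.append(("legacy-plus-entry", "%s line %d" % (name, lineno)))
    for lineno, raw, fields in _records(passwd):
        if raw[0] in "+-":                       # NIS compat lines handled above
            continue
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append(("malformed-passwd-line", "line %d" % lineno))
            continue
        user, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid == 0 and user != "root":          # 8.5: only root may be UID 0
            findings.append(("uid0-not-root", user))
        # 8.1: system accounts must not keep an interactive shell
        if uid <= SYSTEM_UID_MAX and user != "root" and shell not in NOLOGIN_SHELLS:
            findings.append(("system-account-with-shell", "%s (%s)" % (user, shell)))
    for lineno, raw, fields in _records(shadow):
        if raw[0] in "+-":
            continue
        if len(fields) < 2:
            findings.append(("malformed-shadow-line", "line %d" % lineno))
        elif fields[1] == "":                    # 8.2: no password required at all
            findings.append(("empty-password", fields[0]))
    return sorted(findings)


# Constructed sample data exercising every check once.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
news:x:9:13:news:/etc/news:/bin/bash
opr:x:0:0:constructed test entry:/:/bin/sh
alice:x:500:500:Alice:/home/alice:/bin/bash
+::::::
"""
SHADOW = """\
root:$1$constructed$notarealhash000000000:14000:0:99999:7:::
bin:*:14000:0:99999:7:::
news:!!:14000:0:99999:7:::
opr::14000:0:99999:7:::
alice:$1$constructed$notarealhash000000000:14000:7:90:28:7::
"""
GROUP = "root:x:0:root\nbin:x:1:root,bin\nusers:x:100:alice\n"

if __name__ == "__main__":
    if len(sys.argv) == 4:      # paths to copies of passwd, shadow and group
        passwd, shadow, group = (open(p).read() for p in sys.argv[1:4])
    else:
        passwd, shadow, group = PASSWD, SHADOW, GROUP
    for check, detail in audit_accounts(passwd, shadow, group):
        print("%-26s %s" % (check, detail))
```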

 

8.6. No ‘.’ or Group/World-Writable Directory In Root’s $PATH

Action:

The automated testing tool supplied with this baseline will alert the administrator if action is required. To find ‘.’ in $PATH:

echo $PATH | egrep '(^|:)(\.|:|$)'

To find group- or world-writable directories in $PATH:

find `echo $PATH | tr ':' ' '` -type d \
     \( -perm -002 -o -perm -020 \) -ls

These commands should produce no output.

8.7. User Home Directories Should Be Mode 750 or More Restrictive

Action:

for DIR in \
    `awk -F: '($3 >= 500) { print $6 }' /etc/passwd`; do
    chmod g-w $DIR
    chmod o-rwx $DIR
done

8.8. No User Dot-Files Should Be World-Writable

Action:

for DIR in \
    `awk -F: '($3 >= 500) { print $6 }' /etc/passwd`; do
    for FILE in $DIR/.[A-Za-z0-9]*; do
        if [ ! -h "$FILE" -a -f "$FILE" ]; then
            chmod go-w "$FILE"
        fi
    done
done

8.9. Remove User .netrc Files

Action:

find / -name .netrc

for DIR in `cut -f6 -d: /etc/passwd`; do
    if [ -e $DIR/.netrc ]; then
        echo "Removing $DIR/.netrc"
        rm -f $DIR/.netrc
    fi
done

Remarks:

.netrc files may contain unencrypted passwords which may be used to attack other systems. While the above modifications are relatively benign, making global modifications to user home directories without alerting the user community can result in unexpected outages and unhappy users. If the first command returns any results, carefully evaluate the ramifications of removing those files before executing the remaining commands, as you may end up impacting an application that has not had time to revise its architecture to a more secure design.

 

8.10. Set Default umask For Users

Action:

cd /etc
for FILE in profile csh.login csh.cshrc bashrc; do
    if ! egrep -q 'umask.*77' $FILE ; then
        echo "umask 077" >> $FILE
    fi
    chown root:root $FILE
    chmod 444 $FILE
done

cd /root
for FILE in .bash_profile .bashrc .cshrc .tcshrc; do
    if ! egrep -q 'umask.*77' $FILE ; then
        echo "umask 077" >> $FILE     # See description
    fi
    chown root:root $FILE
done

8.11. Disable Core Dumps

If you don’t have developers who need to debug crashed programs or send low-level debugging information to software developers/vendors, then perform the action below.

Action:

cd /etc/security
cat <<END_ENTRIES >> limits.conf
*  soft core 0
*  hard core 0
END_ENTRIES

8.12. Limit Access To The Root Account From su

Action:

WARNING: If you do not have immediate physical access to the server, ensure you have a user in the wheel group before running the below script. Failure to do so will prevent you from using su to become root.

cd /etc/pam.d/
mkdir -p /etc/pam.d-preAIS
cp -f su /etc/pam.d-preAIS/su
# Uncomment the pam_wheel line so only wheel members may su to root
awk '($1=="#auth" && $2=="required" && \
      $3=="/lib/security/$ISA/pam_wheel.so") \
         { print "auth required /lib/security/$ISA/pam_wheel.so use_uid"; next };
     { print }' /etc/pam.d-preAIS/su > su
rm -f /etc/pam.d-preAIS/su

 

9.  Warning Banners

9.1. Create Warnings For Network And Physical Access Services

Action:

1.1  Edit the banner currently in /etc/issue. This was created by Bastille and may need to be changed for your enterprise. Leave the words “its owner”, as these will be replaced in the next step with the name of your organization.

1.2  Create banners for console access:

unalias cp mv
cd /etc

# Remove OS indicators from banners
for FILE in issue motd; do
    cp -f ${FILE} ${FILE}.tmp
    egrep -vi "redhat|kernel|fedora" ${FILE}.tmp > ${FILE}
    rm -f ${FILE}.tmp
done

COMPANYNAME="AIS"
cp -f issue issue.tmp
sed -e "s/its owner/${COMPANYNAME}/g" issue.tmp > issue
rm -f issue.tmp

if [ "`grep -i authorized /etc/issue`" = "" ]; then
    echo " Any access to the AIS computer system or data must be authorized and shall comply with the AIS policies, regulations, criteria and/or memorandum regarding IT Security (\"IT Rules\"). Any breach of IT Rules will be punished and is subject to criminal prosecution. AIS may monitor, intercept, record, read, copy, or capture and disclose any use of the computer system or data stored in any type of media by the users." >> /etc/issue
fi

if [ "`grep -i authorized /etc/motd`" = "" ]; then
    echo " Any access to the AIS computer system or data must be authorized and shall comply with the AIS policies, regulations, criteria and/or memorandum regarding IT Security (\"IT Rules\"). Any breach of IT Rules will be punished and is subject to criminal prosecution. AIS may monitor, intercept, record, read, copy, or capture and disclose any use of the computer system or data stored in any type of media by the users." >> /etc/motd
fi

1.3  Create banners for network access:

cp -fp /etc/issue /etc/issue.net
if [ "`grep -i authorized /etc/issue.net`" = "" ]; then
    echo " Any access to the AIS computer system or data must be authorized and shall comply with the AIS policies, regulations, criteria and/or memorandum regarding IT Security (\"IT Rules\"). Any breach of IT Rules will be punished and is subject to criminal prosecution. AIS may monitor, intercept, record, read, copy, or capture and disclose any use of the computer system or data stored in any type of media by the users." >> /etc/issue.net
fi

1.4  Protect banners:

chown root:root /etc/motd /etc/issue /etc/issue.net
chmod 644 /etc/motd /etc/issue /etc/issue.net

9.2. Create Warnings For GUI-Based Logins

Action:

if [ -e /etc/X11/xdm/Xresources ]; then
    cd /etc/X11/xdm
    cp -f Xresources Xresources-preAIS
    awk '/xlogin*greeting:/ \
             { print "xlogin*greeting: Authorized uses only"; next };
         { print }' Xresources-preAIS > Xresources
    rm -f Xresources-preAIS
    chown root:root Xresources
    chmod 644 Xresources
fi

if [ -e /etc/X11/xdm/kdmrc ]; then
    cd /etc/X11/xdm
    cp -f kdmrc kdmrc-preAIS
    awk '/GreetString=/ \
             { print "GreetString=Authorized uses only"; next };
         { print }' kdmrc-preAIS > kdmrc
    rm -f kdmrc-preAIS
    chown root:root kdmrc
    chmod 644 kdmrc
fi

if [ -e /etc/X11/gdm/gdm.conf ]; then
    cd /etc/X11/gdm
    cp -pf gdm.conf gdm.conf.tmp
    # Switch from the themed gdmgreeter to gdmlogin, which shows the Welcome text
    awk '/^Greeter=/ && /gdmgreeter/ \
             { printf("#%s\n", $0); next };
         /^#Greeter=/ && /gdmlogin/ \
             { $1 = "Greeter=gdmlogin" };
         /Welcome=/ \
             { print "Welcome=Authorized uses only"; next };
         { print }' gdm.conf.tmp > gdm.conf
    rm -f gdm.conf.tmp
    chown root:root gdm.conf
    chmod 644 gdm.conf
fi

9.3. Create “authorized only” Banners For vsftpd, If Applicable

Action:

cd /etc
if [ -d vsftpd ]; then
    cd vsftpd
fi

if [ -e vsftpd.conf ]; then
    echo "ftpd_banner= Any access to the AIS computer system or data must be authorized and shall comply with the AIS policies, regulations, criteria and/or memorandum regarding IT Security (\"IT Rules\"). Any breach of IT Rules will be punished and is subject to criminal prosecution. AIS may monitor, intercept, record, read, copy, or capture and disclose any use of the computer system or data stored in any type of media by the users." >> vsftpd.conf
fi

9.4. Reboot

Action: init 6
