Sean "Forty-Bot" Anderson's 0x539 Linux Checklist v1.0
If a command errors or fails, try it again with
sudo !! to save typing)
Google anything and everything. If you don't know or understand something, google it
When you see the syntax
$word, do not type it verbatim, but instead substitute the appropriate word (usually referenced in a previous command).
When the order of steps does not matter, bullet points have been used instead of ordinals.
To edit files, run
gedit, a graphical editor akin to notepad;
nano, a simple command-line editor; or
vim, a powerful but less intuitive command-line editor. Note that vim may need to be installed with
apt-get install vim.
Read the readme
Note down which ports/users are allowed.
Do Forensics Questions
You may destroy the requisite information if you work on the checklist!
Disable the guest user.
/etc/lightdm/lightdm.confand add the line
Then restart your session with
sudo restart lightdm. This will log you out, so make sure you are not executing anything important.
/etc/passwdand check which users
- Are uid 0
- Can login
- Are allowed in the readme
Delete unauthorized users:
sudo userdel -r $user
sudo groupdel $user
/etc/sudoers.dand make sure only members of group sudo can sudo.
/etc/groupand remove non-admins from sudo and admin groups.
Check user directories.
sudo ls -Ra *
- Look in any directories which show up for media files/tools and/or "hacking tools."
Enforce Password Requirements.
Add or change password expiration requirements to
PASS_MIN_DAYS 7 PASS_MAX_DAYS 90 PASS_WARN_AGE 14
Add a minimum password length, password history, and add complexity requirements.
minlen=8to the end of the line that has
remember=5to the end of the line that has
- Locate the line that has pam.cracklib.so in it. If you cannot find that line, install cracklib with
sudo apt-get install libpam-cracklib.
ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-to the end of that line.
Implement an account lockout policy.
deny=5 unlock_time=1800to the end of the line with
Change all passwords to satisfy these requirements.
chpasswdis very useful for this purpose.
Enable automatic updates
In the GUI set Update Manager->Settings->Updates->Check for updates:->Daily.
sudo ss -ln
- If a port has
127.0.0.1:$portin its line, that means it's connected to loopback and isn't exposed. Otherwise, there should only be ports which are specified in the readme open (but there probably will be tons more).
- For each open port which should be closed:
sudo lsof -i :$port
- Copy the program which is listening on the port.
- Copy where the program is (if there is more than one location, just copy the first one).
dpkg -S $location
- This shows which package provides the file (If there is no package, that means you can probably delete it with
rm $location; killall -9 $program).
sudo apt-get purge $package
- Check to make sure you aren't accidentally removing critical packages before hitting "y".
sudo ss -lto make sure the port actually closed.
Enable the firewall
sudo ufw enable
Enable syn cookie protection
sysctl -n net.ipv4.tcp_syncookies
Disable IPv6 (Potentially harmful)
echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
Disable IP Forwarding
echo 0 | sudo tee /proc/sys/net/ipv4/ip_forward
Prevent IP Spoofing
echo "nospoof on" | sudo tee -a /etc/host.conf
Start this before half-way.
Do general updates.
sudo apt-get update.
sudo apt-get upgrade.
Update services specified in readme.
- Google to find what the latest stable version is.
- Google "ubuntu install service version".
- Follow the instructions.
Ensure that you have points for upgrading the kernel, each service specified in the readme, and bash if it is vulnerable to shellshock.
Check service configuration files for required services. Usually a wrong setting in a config file for sql, apache, etc. will be a point.
Ensure all services are legitimate.
Check the installed packages for "hacking tools," such as password crackers.
Run other (more comprehensive) checklists. This is checklist designed to get most of the common points, but it may not catch everything.
- Netcat is installed by default in ubuntu. You will most likely not get points for removing this version.
- Some services (such as
ssh) may be required even if they are not mentioned in the readme. Others may be points even if they are explicitly mentioned in the readme
- Michael "MB" Bailey and Christopher "CJ" Gardner without whose checklists this would never have been possible.
- Alexander Dittman and Alistair Norton for being fellow linux buddies.
- My 2015-16 CP team: Quiana Dang, Sieun Lee, Jasper Woolley, and David Randazzo.
- In no particular order: Marcus Phoon, Joshua Hufnagel, Patrick Hufnagel, Michael-Andrew Keays, Christopher May, Garrett Brothers, Joseph Kelley, and Julian Vallyeason.
- And the CyberPatriot program.
This checklist is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.