🚀 This simple checklist is to help you deploying the most important areas of the GNU/Linux production systems - work in progress.
Branch: master
Clone or download
trimstray updated TOC; minor fixes
- signed-off-by: trimstray <trimstray@gmail.com>
Latest commit 74e6d88 Jan 26, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
doc/img renamed main preview Jan 25, 2019
lib init commit Jan 22, 2019
CODE_OF_CONDUCT.md init commit Jan 22, 2019
CONTRIBUTING.md init commit Jan 22, 2019
LICENSE.md init commit Jan 22, 2019
README.md updated TOC; minor fixes Jan 26, 2019

README.md

Master


Branch Pull Requests License

Created by trimstray and contributors


Table of Contents

Introduction

In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle a single-function system is more secure than a multipurpose one. The main goal of systems hardening is to reduce security risk by eliminating potential attack vectors and condensing the system’s attack surface.

This list contains the most important hardening rules for GNU/Linux systems.

Status

Still work in progress... 👷

I also created another repository (in a more detailed way): the-practical-linux-hardening-guide.

Todo

  • Add rationale (e.g. url's, external resources)
  • Review levels of priority

General disclaimer

I'm not advocating throwing your existing hardening and deployment best practices out the door but I recommend is to always turn a feature from this checklist on in pre-production environments instead of jumping directly into production.

Levels of priority

All items in this checklist contains three levels of priority:

  • low means that the item has a low priority.
  • medium means that the item has a medium priority. You shouldn't avoid tackling that item.
  • high means that the item has a high priority. You can't avoid following that rule and implement the corrections recommended.

OpenSCAP

OpenSCAP

SCAP (Security Content Automation Protocol) provides a mechanism to check configurations, vulnerability management and evaluate policy compliance for a variety of systems. One of the most popular implementations of SCAP is OpenSCAP and it is very helpful for vulnerability assessment and also as hardening helper.

Some of the external audit tools use this standard. For example Nessus has functionality for authenticated SCAP scans.

I tried to make this list compatible with OpenSCAP standard and rules. However, there may be differences.

Partitioning

Separate partitions

  • low Ensure /boot located on separate partition.

  • low Ensure /home located on separate partition.

  • low Ensure /usr located on separate partition.

  • medium Ensure /var located on separate partition.

  • high Ensure /var/log and /var/log/audit located on separate partitions.

  • high Ensure /tmp and /var/tmp located on separate partitions.

Restrict mount options

  • low Restrict /usr partition mount options.

    Example:

    UUID=<...>  /usr  ext4  defaults,nodev,ro  0 2
  • low Restrict /var partition mount options.

    Example:

    UUID=<...>  /var  ext4  defaults,nosuid  0 2
  • low Restrict /var/log and /var/log/audit partitions mount options.

    Example:

    UUID=<...>  /var/log        ext4  defaults,nosuid,noexec,nodev  0 2
    UUID=<...>  /var/log/audit  ext4  defaults,nosuid,noexec,nodev  0 2
  • low Restrict /proc partition mount options.

    Example:

    proc  /proc  proc  defaults,hidepid=2  0 0
  • medium Restrict /boot partition mount options.

    Example:

    LABEL=/boot  /boot  ext2  defaults,nodev,nosuid,noexec,ro  1 2
  • medium Restrict /home partition mount options.

    Example:

    UUID=<...>  /home  ext4  defaults,nodev,nosuid  0 2
  • medium Restrict /var and /var/tmp partitions mount options.

    Example:

    mv /var/tmp /var/tmp.old
    ln -s /tmp /var/tmp
    cp -prf /var/tmp.old/* /tmp && rm -fr /var/tmp.old
    
    UUID=<...>  /tmp  ext4  defaults,nodev,nosuid,noexec  0 2
  • medium Restrict /dev/shm partition mount options.

    Example:

    tmpfs  /dev/shm  tmpfs  rw,nodev,nosuid,noexec,size=1024M,mode=1777 0 0

Polyinstantiated directories

  • medium Setting up polyinstantiated /var and /var/tmp directories.

    Example:

    # Create new directories:
    mkdir --mode 000 /tmp-inst
    mkdir --mode 000 /var/tmp/tmp-inst
    
    # Edit /etc/security/namespace.conf:
    /tmp      /tmp-inst/          level  root,adm
    /var/tmp  /var/tmp/tmp-inst/  level  root,adm
    
    # Set correct SELinux context:
    setsebool polyinstantiation_enabled=1
    chcon --reference=/tmp /tmp-inst
    chcon --reference=/var/tmp/ /var/tmp/tmp-inst

Shared memory

  • low Set group for /dev/shm.

    Example:

    tmpfs  /dev/shm  tmpfs  rw,nodev,nosuid,noexec,size=1024M,mode=1770,uid=root,gid=shm 0 0

Encrypt partitions

  • low Encrypt swap partition.

    Example:

    # Edit /etc/crypttab:
    sdb1_crypt /dev/sdb1 /dev/urandom cipher=aes-xts-plain64,size=256,swap,discard
    
    # Edit /etc/fstab:
    /dev/mapper/sdb1_crypt none swap sw 0 0

☑️ Summary checklist

Rule Priority Checkbox
Separate /boot low 🔲
Separate /home low 🔲
Separate /usr low 🔲
Separate /var medium 🔲
Separate /var/log and /var/log/audit high 🔲
Separate /tmp and /var/tmp high 🔲
Restrict /usr mount options low 🔲
Restrict /var mount options low 🔲
Restrict /var/log and /var/log/audit mount options low 🔲
Restrict /proc mount options low 🔲
Restrict /boot mount options medium 🔲
Restrict /home mount options medium 🔲
Restrict /tmp/ and /var/tmp mount options medium 🔲
Restrict /dev/shm mount options medium 🔲
Polyinstantiated /tmp and /var/tmp medium 🔲
Set group for /dev/shm low 🔲
Encrypt swap low 🔲

Physical Access

Password for Single User Mode

  • low Protect Single User Mode with root password.

    Example:

    # Edit /etc/sysconfig/init.
    SINGLE=/sbin/sulogin

☑️ Summary checklist

Rule Priority Checkbox
Protect Single User Mode. low 🔲

Bootloader

Protect bootloader config files

  • low Ensure bootloader config files are set properly permissions.

    Example:

    # Set the owner and group of /etc/grub.conf to the root user:
    chown root:root /etc/grub.conf
    chown -R root:root /etc/grub.d
    
    # Set permissions on the /etc/grub.conf or /etc/grub.d file to read and write for root only:
    chmod og-rwx /etc/grub.conf
    chmod -R og-rwx /etc/grub.d

☑️ Summary checklist

Rule Priority Checkbox
Protect bootloader config files low 🔲

Linux Kernel

Kernel logs

  • low Restricting access to kernel logs.

    Example:

    echo "kernel.dmesg_restrict = 1" > /etc/sysctl.d/50-dmesg-restrict.conf

Kernel pointers

  • low Restricting access to kernel pointers.

    Example:

    echo "kernel.kptr_restrict = 1" > /etc/sysctl.d/50-kptr-restrict.conf

ExecShield

  • low ExecShield protection.

    Example:

    echo "kernel.exec-shield = 2" > /etc/sysctl.d/50-exec-shield.conf

Memory protections

  • low Randomise memory space.

    echo "kernel.randomize_va_space=2" > /etc/sysctl.d/50-rand-va-space.conf

☑️ Summary checklist

Rule Priority Checkbox
Restricting access to kernel logs low 🔲
Restricting access to kernel pointers low 🔲
ExecShield protection low 🔲
Randomise memory space. low 🔲

Logging

Syslog

  • medium Ensure syslog service is enabled and running.

    Example:

    systemctl enable rsyslog
    systemctl start rsyslog
  • medium Send syslog data to external server.

    Example:

    # ELK
    # Logstash
    # Splunk
    # ...

☑️ Summary checklist

Rule Priority Checkbox
Ensure syslog service is enabled and running. medium 🔲
Ensure syslog service is enabled and running. medium 🔲

Users and Groups

Passwords

  • medium Update password policy (PAM).

    Example:

    authconfig --passalgo=sha512 \
    --passminlen=14 \
    --passminclass=4 \
    --passmaxrepeat=2 \
    --passmaxclassrepeat=2 \
    --enablereqlower \
    --enablerequpper \
    --enablereqdigit \
    --enablereqother \
    --update
  • medium Limit password reuse (PAM).

    Example:

    # Edit /etc/pam.d/system-auth
    
    # For the pam_unix.so case:
    password sufficient pam_unix.so ... remember=5
    
    # For the pam_pwhistory.so case:
    password requisite pam_pwhistory.so ... remember=5
  • medium Secure /etc/login.defs password policy.

    Example:

    # Edit /etc/login.defs
    PASS_MIN_LEN 14
    PASS_MIN_DAYS 1
    PASS_MAX_DAYS 60
    PASS_WARN_AGE 14

Logon Access

  • low Set auto logout inactive users.

    Example:

    echo "readonly TMOUT=900" >> /etc/profile.d/idle-users.sh
    echo "readonly HISTFILE" >> /etc/profile.d/idle-users.sh
    chmod +x /etc/profile.d/idle-users.sh
  • low Set last logon/access notification.

    Example:

    # Edit /etc/pam.d/system-auth
    session required pam_lastlog.so showfailed
  • medium Lock out accounts after a number of incorrect login (PAM).

    Example:

    # Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth
    
    # Add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny=3 unlock_time=never fail_interval=900
    
    # Add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never fail_interval=900
    
    # Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so

☑️ Summary checklist

Rule Priority Checkbox
Update password policy medium 🔲
Limit password reuse medium 🔲
Secure /etc/login.defs password policy medium 🔲
Set auto logout inactive users. low 🔲
Set last logon/access notification low 🔲
Lock out accounts after a number of incorrect login medium 🔲

Filesystem

Hardlinks & Symlinks

  • low Enable hard/soft link protection.

    Example:

    echo "fs.protected_hardlinks = 1" > /etc/sysctl.d/50-fs-hardening.conf
    echo "fs.protected_symlinks = 1" >> /etc/sysctl.d/50-fs-hardening.conf

Dynamic Mounting and Unmounting

  • medium Disable uncommon filesystems.

    Example:

    echo "install cramfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install freevxfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install jffs2 /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install hfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install hfsplus /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install squashfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install udf /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install fat /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install vfat /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install nfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install nfsv3 /bin/false" > /etc/modprobe.d/uncommon-fs.conf
    echo "install gfs2 /bin/false" > /etc/modprobe.d/uncommon-fs.conf

☑️ Summary checklist

Rule Priority Checkbox
Enable hard/soft link protection. low 🔲
Disable uncommon filesystems. medium 🔲

Permissions

SELinux & Auditd

SELinux Enforcing

  • high Set SELinux Enforcing mode.

    Example:

    # Edit /etc/selinux/config.
    SELINUXTYPE=enforcing

☑️ Summary checklist

Rule Priority Checkbox
Set SELinux Enforcing mode. high 🔲

System Updates

Network

TCP/SYN

  • medium Enable TCP SYN Cookie protection.

    Example:

    echo "net.ipv4.tcp_syncookies = 1" > /etc/sysctl.d/50-net-stack.conf

Routing

  • medium Disable IP source routing.

    Example:

    echo "net.ipv4.conf.all.accept_source_route = 0" > /etc/sysctl.d/50-net-stack.conf

ICMP Protocol

  • medium Disable ICMP redirect acceptance.

    Example:

    echo "net.ipv4.conf.all.accept_redirects = 0" > /etc/sysctl.d/50-net-stack.conf
  • medium Enable ignoring to ICMP requests.

    Example:

    echo "net.ipv4.icmp_echo_ignore_all = 1" > /etc/sysctl.d/50-net-stack.conf

Broadcast

  • medium Enable ignoring broadcasts request.

    Example:

    echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/50-net-stack.conf

☑️ Summary checklist

Rule Priority Checkbox
Enable TCP SYN Cookie protection. medium 🔲
Disable IP source routing. medium 🔲
Disable ICMP redirect acceptance. medium 🔲
Enable ignoring to ICMP requests. medium 🔲
Enable ignoring broadcasts request. medium 🔲

Services

Tools