16 - Linux Server Hardening - CentOS

  CentOS Server Hardening 

For

Version: 1.0

Date: 08 June 2010


 

— Confidential and Proprietary— 

CentOS Server Hardening Page 3 of 23 Version 1.0

[1]  Introduction and Basic Assumptions

The guiding principle of this hardening document is to install and run only what is clearly required. Services and applications are installed and started only if they are absolutely required, and only as described in this document.

1.1.  Pre-Hardening

This document describes major changes to the operating system configuration that raise its security level. See section 2.1: a backup MUST be taken before hardening.

1.2.  Root Privileges

The actions listed in this hardening document are written with the assumption that they will be executed by

the root user running the /bin/bash shell.

1.3.  Actions

The actions in this document assume that they are executed in the order presented here; some actions may need to be modified if the order is changed. Some actions are written so that they can be copied directly from this document into a root shell window ("cut and paste").

1.4.  Enabling / Disabling Services

During the hardening, many of the "chkconfig" actions that activate or deactivate services produce the message "error reading information on service <service>: No such file or directory". These messages are normal and no cause for alarm: they only indicate that the service in question is not installed on your machine. Since the OS installation allows a great deal of flexibility in what software you choose to install, these messages are unavoidable.

1.5.  Reboot is required

Rebooting the system is required after completing all of the actions below in order to complete the

reconfiguration of the system and verify that all services are up and running. In some cases, the changes

made in the following steps will not take effect until this reboot is performed.


1.6.  Conventional Terms

Term        Description
Must        The definition is an absolute requirement of the specification.
Must not    The definition is an absolute prohibition of the specification.
Should      There may be a valid reason in particular circumstances to ignore a particular definition, but the full implications must be understood and carefully weighed before choosing a different course.
Should not  There may be valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label.
May         The definition is recommended but not mandatory. If it is not implemented, the security of the operating system is still acceptable.


[2]  Prerequisites

2.1.  Backup

Before performing the steps of this hardening guide, backup copies of the critical configuration files that the hardening items modify MUST be created. A full backup or a mirror of the system SHOULD be taken as well.

2.2.  Patch

Keeping up to date with vendor patches is critical for the security and reliability of the system. Vendors issue operating system updates when they become aware of security vulnerabilities and other serious functionality issues, but it is up to their customers to actually download and install these patches.

All security patches SHOULD be applied in a test environment before being applied in production, because a patch may break the installed application. After testing, all security patches SHOULD be applied to the production environment.

2.3.  Installation

  The system MUST be installed with the minimum needed components (select the minimal package set during the CentOS installation).

  The SSH suite (openssh-server and openssh-clients) MUST be installed.

  The operating system SHOULD be installed with separate partitions for:

o  /tmp

o  /home

o  /var

o  /boot

  In any case the following packages SHOULD NOT be installed:

Action

parted

The parted package contains utilities to create, destroy, resize, move and copy hard disk partitions. Since the disk layout is configured during the installation process, there is no need to change it afterwards. Verify with "rpm -q parted".

nc

Netcat (package "nc") is a general-purpose networking utility that reads and writes data across network connections. It can open arbitrary TCP and UDP connections and listeners, which makes it a convenient tool for an attacker who has obtained a foothold. Verify with "rpm -q nc".


[3]  Hardening Procedures

3.1.  User and Group accounts

The following user accounts MAY be removed ("userdel <user>"), provided the package that owns them is not in use (for example, keep "postfix" if Postfix is the mail server):

User: uucp, news, ldap, postfix, ftp, games, mail, lp

The shell of the following accounts MUST be set to /dev/null (or to /sbin/nologin, the CentOS-native non-login shell), so that they cannot be used for interactive login:

User: daemon, bin, sys, nobody, noaccess, nobody4

Note: noaccess and nobody4 are Solaris accounts and do not exist on a CentOS installation; ignore them if absent.

The following groups MAY be removed:

Group: adm, dip, gopher, games, uucp

Check for more unused accounts and groups and delete them carefully. If the function of an account is unknown, it is better to lock it ("usermod -L <user>") and set its shell to /dev/null than to delete it.

3.2.  Account and Password Policy

The operating system allows the account policy to be configured through a number of parameters. The defaults shipped on the servers usually provide a low level of security. The following steps are required in order to create a suitable policy.


All of the following lines MUST be set in /etc/pam.d/system-auth (the file is named system-auth, with a hyphen; on CentOS it is a symbolic link to system-auth-ac, which the authconfig tool regenerates, so either edit system-auth-ac or replace the link with a regular file to keep the changes).

Action

On the pam_unix.so line of the "password" stack, keep the existing options (such as "nullok") and add:

 password sufficient pam_unix.so <existing options> remember=5 minlen=8

("remember=5" keeps the last five password hashes in /etc/security/opasswd so they cannot be reused; "minlen=8" sets the minimum length. Note that "nullok" on the "auth" stack permits accounts with an empty password to log in and SHOULD be removed.)

Action

 password required pam_cracklib.so retry=3 debug ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1

(A negative credit value requires at least that many characters of the class: one upper-case letter, one digit, one other character and one lower-case letter. "debug" logs the checks to syslog and MAY be dropped once the policy has been verified.)

Action

 auth required pam_tally.so oner=fail no_magic_root

Action

 account required pam_tally.so deny=6 reset no_magic_root

(The auth line counts failed logins in /var/log/faillog; the account line denies login after 6 failures and resets the counter on success. "no_magic_root" applies the counting to root as well; "onerr=fail" denies login if the counter file cannot be read or written. Reset a locked account with "faillog -u <user> -r".)
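As an added example (not part of the original document), the script below audits a system-auth file for the four requirements above. It embeds two constructed samples: the CentOS 5 default stack and a hardened stack in which pam_tally.so is placed first in the auth stack so that its counter is updated on every attempt, "nullok" is dropped, and the credit, remember and minlen options are set as required. The module name pam_tally.so is an assumption (CentOS 5); pam_tally2.so takes the same option names.

```bash
#!/bin/sh
# Audit /etc/pam.d/system-auth against the section 3.2 password/lockout policy.
# Added example; assumes pam_tally.so (CentOS 5). Run as: sh pam-audit.sh [FILE]

# First PAM line of TYPE (auth/account/password) that loads MODULE.
pam_line() {  # pam_line FILE TYPE MODULE
    grep -E "^[[:space:]]*$2[[:space:]].*$3" "$1" | head -n 1
}

# Verify that every OPT appears as a whole word on that line.  Prints one
# finding per missing option and returns the number of findings.
require_opts() {  # require_opts FILE TYPE MODULE OPT...
    ro_type=$2; ro_mod=$3; ro_line=$(pam_line "$1" "$2" "$3"); shift 3
    if [ -z "$ro_line" ]; then
        echo "MISSING: no '$ro_type' line loading $ro_mod (wanted: $*)"
        return $#
    fi
    ro_n=0
    for ro_opt in "$@"; do
        if ! printf '%s\n' "$ro_line" | grep -qw -- "$ro_opt"; then
            echo "MISSING: '$ro_type ... $ro_mod' lacks $ro_opt"
            ro_n=$((ro_n + 1))
        fi
    done
    return $ro_n
}

# The four requirements of section 3.2; returns the total number of findings.
check_system_auth() {  # check_system_auth FILE
    cs_total=0
    require_opts "$1" password pam_unix.so     remember=5 minlen=8 || cs_total=$((cs_total + $?))
    require_opts "$1" password pam_cracklib.so retry=3 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1 || cs_total=$((cs_total + $?))
    require_opts "$1" auth     pam_tally.so    onerr=fail no_magic_root || cs_total=$((cs_total + $?))
    require_opts "$1" account  pam_tally.so    deny=6 reset no_magic_root || cs_total=$((cs_total + $?))
    return $cs_total
}

# Two constructed samples: the CentOS 5 default stack and a hardened one.
write_pam_samples() {  # write_pam_samples DIR
    cat > "$1/default" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so
EOF
    cat > "$1/hardened" <<'EOF'
auth        required      pam_env.so
auth        required      pam_tally.so onerr=fail no_magic_root
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_tally.so deny=6 reset no_magic_root
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
password    required      pam_cracklib.so try_first_pass retry=3 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok remember=5 minlen=8
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so
EOF
}

# Audit the file given on the command line, or demonstrate on the samples.
if [ -n "${1:-}" ]; then
    rc=0; check_system_auth "$1" || rc=$?; echo "findings: $rc"
else
    pd=$(mktemp -d); write_pam_samples "$pd"
    for f in default hardened; do
        echo "== $f =="; rc=0; check_system_auth "$pd/$f" || rc=$?; echo "findings: $rc"
    done
    rm -rf "$pd"
fi
```

Run it as "sh pam-audit.sh /etc/pam.d/system-auth" on a host; the exit status is the number of missing options. Options are matched literally as whole words, so a stricter value such as "remember=10" is reported as a finding and has to be added to the expected list.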

3.3.  Access Control

3.3.1.  BIOS and Boot Loader

The boot loader MAY be configured with the following settings:

Action

/boot/grub/grub.conf is readable only by root ("chmod 600 /boot/grub/grub.conf").

/boot/grub/grub.conf is set immutable ("chattr +i /boot/grub/grub.conf"). Remove the bit ("chattr -i") before a kernel update, which has to rewrite the file; otherwise the update fails.

3.3.2.  R* Services and .rhosts Files

The r* services (rsh, rexec, rlogin, etc.) authenticate by source address and are vulnerable to IP spoofing; through their trust files (~/.rhosts, /etc/hosts.equiv) they may allow an attacker to execute commands on the server without a password.

The following settings MUST be set:

Action

Find and delete all .rhosts files ("find / -name .rhosts -type f -print" lists them); /etc/hosts.equiv MUST NOT exist either.

/etc/securetty is owned by the root user and group (root:root)


Only root is able to edit the /etc/securetty file ("chmod 600 /etc/securetty")

Set the immutable bit on the /etc/securetty file ("chattr +i /etc/securetty")

Disabling the shell/rsh/login/rlogin/rexec services themselves is covered in section 3.4.2 (xinetd).

3.3.3.  FTP

The FTP protocol is unencrypted: passwords and other data transmitted during the session can be captured by sniffing the network, and the session can be hijacked by an attacker. File transfer over SSH (scp/sftp, section 3.4.1) SHOULD be used instead wherever possible.

Note: Any directory writable by an anonymous FTP server should have its own partition or a quota limit. This prevents a compromised FTP server from filling a disk used by other services.

Action

The /etc/ftpusers file MUST exist; if it does not, create it.

The following users MUST be listed in /etc/ftpusers (entries for accounts that do not exist on the system are harmless):

  root
  daemon
  bin
  sys
  adm
  smmsp
  gdm
  webservd
  nobody
  noaccess
  nobody4
  sshd

More users SHOULD be added to /etc/ftpusers if they are not to use the FTP service.

The root user MUST be the only user able to change the /etc/ftpusers file ("chown root:root /etc/ftpusers; chmod 600 /etc/ftpusers").

Note: /etc/ftpusers is a deny list, not an allow list, and not every FTP daemon reads it from that path. Check which file the installed daemon actually honours (for vsftpd on CentOS, the file named by the pam_listfile line in /etc/pam.d/vsftpd) and keep the same accounts in that file.

3.4.  Services Configuration

3.4.1.  SSH

OpenSSH is a popular free implementation of the standards-track SSH protocols and has become the standard implementation on Linux distributions. For more information on OpenSSH, see www.openssh.org. The settings in this section attempt to ensure safe defaults for both the client and the server. Specifically, both the ssh client and the sshd server are configured to use only SSH protocol 2, as security vulnerabilities have been found in protocol 1.


Action

The latest updated SSH package MUST be installed ("yum update openssh-server openssh-clients").

Configure /etc/ssh/sshd_config with the following settings:

Setting                         Level
Port 22                         MAY
Protocol 2                      MUST
ServerKeyBits 1024              SHOULD
LoginGraceTime 600              SHOULD
KeyRegenerationInterval 3600    SHOULD
PermitRootLogin no              MUST
IgnoreRhosts yes                MUST
IgnoreUserKnownHosts yes        MUST
StrictModes yes                 SHOULD
X11Forwarding no                MAY
SyslogFacility AUTH             SHOULD
LogLevel INFO                   SHOULD
RhostsAuthentication no         MUST
RhostsRSAAuthentication no      MUST
RSAAuthentication yes           SHOULD
PasswordAuthentication yes      SHOULD
PermitEmptyPasswords no         MUST
PrintMotd yes                   SHOULD
AllowTcpForwarding no           MUST

Notes:

- sshd uses the first occurrence of a keyword and silently ignores any later one, so a hardened value appended at the end of the file has no effect if the default line above it is left in place. Edit the existing line rather than appending, and verify the effective configuration ("sshd -T" on OpenSSH 5.1 and later, otherwise by restarting sshd and testing a login).

- ServerKeyBits and KeyRegenerationInterval apply only to protocol 1 and have no effect once "Protocol 2" is set. RhostsAuthentication has been a deprecated keyword since protocol-1 rhosts support was removed; sshd logs a warning and ignores it. Keeping these lines does no harm.

- LoginGraceTime 600 keeps an unauthenticated connection open for ten minutes; a shorter value (for example 60) is common practice.

The file sshd_config MUST be owned by root:root.

The file sshd_config MUST have 600 permissions.

Restart the service after editing ("service sshd restart") and keep an existing session open until a new login has been verified.
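The following script is an added example (not from the original document) that evaluates an sshd_config the way sshd does and checks the MUST rows of the table above. Its constructed "trap" sample shows the first-occurrence rule: the file contains every required line, but the "PermitRootLogin no" appended at the bottom is ignored because "PermitRootLogin yes" appears earlier. RhostsAuthentication is deliberately not checked, for the reason given in the notes.

```bash
#!/bin/sh
# Audit sshd_config against the section 3.4.1 MUST settings.
# Added example, not part of the original document.  Run as: sh sshd-audit.sh [FILE]

# Effective global value of KEYWORD in FILE.  sshd honours the FIRST occurrence
# of a keyword and silently ignores later ones; keywords are case-insensitive;
# "Keyword value" and "Keyword=value" are both accepted; everything after a
# "Match" line is conditional and does not change the global value.
sshd_effective() {  # sshd_effective FILE KEYWORD
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { n = split($0, f, /[ \t=]+/) }
        n >= 1 && tolower(f[1]) == "match" { exit }
        n >= 2 && tolower(f[1]) == key     { print f[2]; exit }
    ' "$1"
}

# The MUST rows of the table, as KEYWORD=VALUE pairs.  RhostsAuthentication is
# left out: it is a deprecated keyword that sshd ignores with a warning.
SSHD_MUST="Protocol=2 PermitRootLogin=no IgnoreRhosts=yes IgnoreUserKnownHosts=yes
RhostsRSAAuthentication=no PermitEmptyPasswords=no AllowTcpForwarding=no"

# Report every MUST keyword whose effective value differs from the required one.
# An unset keyword is reported too: its default varies between OpenSSH versions,
# so the value has to be explicit.  Returns the number of findings.
check_sshd_config() {  # check_sshd_config FILE
    cc_bad=0
    for cc_pair in $SSHD_MUST; do
        cc_key=${cc_pair%%=*}; cc_want=${cc_pair#*=}
        cc_got=$(sshd_effective "$1" "$cc_key")
        if [ "$cc_got" != "$cc_want" ]; then
            echo "FAIL: $cc_key is '${cc_got:-unset}', must be '$cc_want'"
            cc_bad=$((cc_bad + 1))
        fi
    done
    return $cc_bad
}

# Two constructed samples.  "trap" is a file an administrator hardened by
# appending lines: the original "PermitRootLogin yes" higher up still wins.
write_sshd_samples() {  # write_sshd_samples DIR
    cat > "$1/trap" <<'EOF'
Protocol 2
PermitRootLogin yes
IgnoreRhosts yes
IgnoreUserKnownHosts yes
RhostsRSAAuthentication no
PermitEmptyPasswords no
AllowTcpForwarding no
# appended later, silently ignored by sshd because the keyword already appeared:
PermitRootLogin no
EOF
    cat > "$1/hardened" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
RhostsRSAAuthentication no
PermitEmptyPasswords no
AllowTcpForwarding=no
X11Forwarding no
Match Group backup-operators
    AllowTcpForwarding yes
EOF
}

# Audit the file given on the command line, or demonstrate on the samples.
if [ -n "${1:-}" ]; then
    rc=0; check_sshd_config "$1" || rc=$?; echo "findings: $rc"
else
    sd=$(mktemp -d); write_sshd_samples "$sd"
    for f in trap hardened; do
        echo "== $f =="; rc=0; check_sshd_config "$sd/$f" || rc=$?; echo "findings: $rc"
    done
    rm -rf "$sd"
fi
```

The SHOULD and MAY rows can be added to SSHD_MUST in the same KEYWORD=VALUE form. The Match handling matters for the AllowTcpForwarding requirement: a "Match" block may legitimately re-enable forwarding for one group while the global value stays "no".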

3.4.2.  xinetd

On Linux, xinetd has replaced inetd as the default network super-server. Most distributions have used xinetd for some time, although many servers still run inetd.

Once SSH is enabled, nearly all xinetd-based services can be disabled, since SSH provides both a secure login mechanism and a means of transferring files to and from the system (scp/sftp). The actions below disable all standard services normally enabled in the xinetd configuration.

Action

If no xinetd-based service is needed, xinetd SHOULD be completely disabled by stopping the xinetd service ("service xinetd stop; chkconfig xinetd off").

The file /etc/xinetd.conf SHOULD have 600 permissions.

Set the immutable bit on /etc/xinetd.conf ("chattr +i /etc/xinetd.conf").


The permissions on /etc/rc.d/init.d/* MUST be set without write permission for "group" and "other" ("chmod go-w /etc/rc.d/init.d/*").

All of the following services SHOULD be disabled ("chkconfig <service> off", followed by "service xinetd reload" for the xinetd-managed ones). If for any reason one of the services is being used it MUST be configured with a secure configuration.

Action

Service                                   Port(s)
telnet                                    23/tcp
ftp                                       21/tcp
amanda                                    10080/udp
amandaidx                                 10082/tcp
cups (CUPS daemon; its xinetd front end is cups-lpd on 515/tcp)   631/tcp
dbskkd-cdb (SKK dictionary server)
eklogin (Kerberos encrypted rlogin)       2105/tcp
gssftp                                    21/tcp
vsftpd                                    21/tcp
wu-ftpd                                   21/tcp
imap                                      143/tcp
imaps                                     993/tcp
ipop3                                     110/tcp
ipop2                                     109/tcp
pop3s                                     995/tcp
tftp                                      69/udp
rlogin                                    513/tcp
rsh                                       514/tcp
rexec                                     512/tcp
chargen / chargen-udp                     19
daytime / daytime-udp                     13
echo / echo-udp                           7
finger                                    79/tcp
talk / ntalk                              517/udp, 518/udp
rsync                                     873/tcp
sgi_fam (RPC service, no fixed port)
time / time-udp                           37
krb5-telnet                               23/tcp
klogin                                    543/tcp
kshell                                    544/tcp
ktalk (Kerberos talk)


3.4.3.  Boot Services

Every system daemon that does not have a clear and necessary purpose on the host MUST be deactivated ("service <daemon> stop; chkconfig <daemon> off"). This greatly reduces the chance that the machine is running a vulnerable daemon when the next vulnerability is discovered in its operating system.

Some of the services listed below will not exist on all installations; this is normal (see section 1.4).

All of the following services SHOULD be disabled. If for any reason one of the services is being used it MUST be configured with a secure configuration.

Action

Stop apmd daemon

An APM monitoring daemon that works with the APM BIOS driver in the kernel. It can execute a command (normally a shell script) when certain events are reported by the driver or when the system power status changes; when the available battery power becomes very low it can alert all users on the system by several methods.

Stop canna daemon

Japanese input system

Stop freewnn daemon

FreeWnn is a client-server based input system for Japanese input system

Stop gpm daemon

A cut and paste utility and mouse server for virtual consoles.

Stop hpoj daemon

HP printer driver

Stop innd daemon

InterNetNews daemon

Stop irda daemon

Infrared support

Stop isdn daemon

Support for ISDN infrastructure

Stop kdcrotate daemon

A script which rotates the list of KDCs in /etc/krb5.conf.

Stop lvs daemon

Linux Virtual Server (LVS) cluster service

Stop mars-nwe daemon


A NetWare compatible file and printer server

Stop oki4daemon daemon

Printer service

Stop privoxy daemon

Privoxy is a web proxy with advanced filtering capabilities

Stop rstatd daemon

Server that returns performance statistics through RPC.

Stop ruserd daemon

Server that returns information about users currently logged in.

Stop rwalld daemon

Writes messages to users currently logged in. Uses RPC.

Stop rwhod daemon

System-status server that maintains the database used by the rwho and ruptime

programs. Its operation is predicated on the ability to broadcast messages on a

network. As a producer of information, rwhod periodically queries the state of the

system and constructs status messages, which are broadcast on a network. As a

consumer of information, it listens for other rwhod servers' status messages, validates

them, then records them in a collection of files located in the directory

/var/spool/rwho. Messages received by the rwhod server are discarded unless they

originated at an rwhod server's port. Status messages are generated approximately

once every three minutes.

Stop spamassassin  daemon

Anti-SPAM server

Stop nfs daemon

Network File Server, use to share files and directories. Use RPC.

Stop nfslock daemon

NFS Component

Stop autofs daemon

Autofs is a kernel-based automounter for Linux.

Stop ypbind daemon

NIS client process (binds the host to a NIS server)

Stop ypserv daemon

NIS server process

Stop yppasswdd daemon

NIS password-change daemon

Stop portmap daemon

RPC port mapper (required by NFS, NIS and the other RPC services above)

Stop smb daemon

Samba Server

Stop netfs daemon

Mounts and un-mounts all Network File System (NFS), SMB (Lan Manager/Windows),

and NCP (NetWare) mount points.

Stop lpd daemon

Print Server

Stop apache daemon

Web Server

Stop httpd daemon

Web Server

Stop tux daemon

Kernel based HTTP server

Stop snmpd daemon

SNMP server

Stop named daemon

DNS Server

Stop postgresql daemon

Postgres SQL Server

Stop mysqld daemon

mySQL database server.

Stop webmin daemon

Web based system administration tool.

Stop kudzu daemon

Linux hardware probing tool. This is a hardware probing tool run at system boot time

to determine what hardware has been added or removed from the system.

Stop squid daemon

WEB proxy server


Stop hotplug daemon

Hot pluggable hardware daemon.

Stop cups daemon

A printing service

Stop sendmail daemon

Sendmail is an e-mail transfer agent.

Stop ident daemon

Looks up TCP/IP connections and returns the username of the process user

identification daemon for Linux, which implements the Identification Protocol

(RFC1413). This protocol is used to identify active TCP connections.

Stop vncserver daemon

Starts a vnc server application.

Stop arpwatch daemon

Keeps track of Ethernet IP address.

Stop acpid daemon

ACPID is a completely flexible, totally extensible daemon for delivering ACPI events.

Stop anacron daemon

Anacron is a periodic command scheduler. It executes commands at intervals

specified in days. Unlike cron, it does not assume that the system is running

continuously.

Stop avahi-daemon 

Avahi is a fully LGPL framework for Multicast DNS Service Discovery. It allows

programs to publish and discover services and hosts running on a local network with

no specific configuration. For example one can plug into a network and instantly find

printers to print to, files to look at and people to talk to.

Stop avahi-dnsconfd daemon

Same as avahi-daemon 

Stop bluetooth daemon

Bluetooth support

Stop capi daemon

CAPI is a shortcut for Common-ISDN-API and defines an abstraction layer for different

ISDN protocols

Stop dhcdbd daemon

DHCP D-BUS daemon (dhcdbd) controls dhclient sessions with D-BUS

Stop conman daemon

Conman is a program for connecting to remote consoles being managed by conmand.

Stop cpuspeed daemon

Power management based CPU Speed control

Stop dc_client daemon

Distributed session cache client

Stop dc_server daemon

Distributed session cache server

Stop dovecot daemon

Secure IMAP and POP3 server.

Stop dund daemon

BlueZ Bluetooth dial-up networking daemon

Stop haldaemon daemon

HAL is used for discovering storage, networking, digital cameras and printers

Stop hidd daemon

Bluetooth HID daemon

Stop kdump daemon

Kdump is a kexec based crash dumping mechanism for Linux.

Stop lisa daemon

LISA is a small daemon which is intended to run on end user systems. It provides

something like a "network neighborhood", but only relying on the TCP/IP protocol

stack.

Stop mcstrans daemon

mcstrans provides a translation daemon to translate SELinux categories from internal

representations to user defined representation.

Stop mdmonitor daemon

Manages software RAID

Stop mdmpd daemon

Used to monitor multi-path devices (RAID) devices

Stop messagebus daemon

D-BUS is first a library that provides one-to-one communication between any two applications; dbus-daemon-1 is an application that uses this library to implement a message bus daemon. Multiple programs connect to the message bus daemon and can exchange messages with one another. Note: haldaemon, avahi and several desktop services depend on messagebus; stop it only on a server that runs none of them.

Stop netplugd daemon

netplugd is a daemon that responds to network link events from the Linux kernel,

such as a network interface losing or acquiring a carrier signal.

Stop nscd daemon

Nscd is a daemon that provides a cache for the most common name service requests.

Stop pand daemon

BlueTooth network tools

Stop pcscd daemon

pcscd is the daemon program for pcsc-lite and the musclecard framework. It is a resource manager that coordinates communications with smart-card readers, smart cards and cryptographic tokens connected to the system.

Stop psacct daemon

The psacct package contains several utilities for monitoring process activity (process accounting). Note: process accounting records every command executed, which is valuable evidence in a security investigation; a host with disk space for /var/account MAY keep it running.

Stop rdisc daemon

rdisc implements client side of the ICMP router discover protocol. rdisc is invoked at

boot time to populate the network routing tables with default routes.

Stop restorecond daemon

A daemon that watches for file creation and then sets the default SELinux file context

Stop saslauthd daemon

saslauthd is a daemon process that handles plaintext authentication requests on

behalf of the SASL library.

Stop setroubleshoot daemon

SELinux Module

Stop smartd daemon

Self-monitoring analysis and reporting technology system. Monitors the hard disk for

failures.

Stop winbind daemon

Winbind is an NSS switch module to map Windows NT Domain databases to Unix.

Stop postfix daemon

Mail Server
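The loop below is an added example (not part of the original document) of applying the two service tables of sections 3.4.2 and 3.4.3 in one pass, using the chkconfig and service commands as the document does. The tables' "ruserd" is the rusersd init script, the "dhcp" entry is the dhcdbd script, and "apache" and "httpd" are the same service. The INITD, XINETD_D and DRY_RUN variables exist only so that the script can be exercised against a scratch directory; they are not CentOS conventions.

```bash
#!/bin/sh
# Disable the boot (SysV init) and xinetd services of sections 3.4.2 and 3.4.3.
# Added example, not part of the original document.  Run as root:
#   sh disable-services.sh --apply        (DRY_RUN=1 to only print the commands)
# INITD, XINETD_D and DRY_RUN are test knobs of this script, not CentOS conventions.

INITD=${INITD:-/etc/rc.d/init.d}
XINETD_D=${XINETD_D:-/etc/xinetd.d}

# Services of section 3.4.3 (boot) and 3.4.2 (xinetd); trim to the host's role.
BOOT_SERVICES="apmd canna freewnn gpm hpoj innd irda isdn kdcrotate lvs mars-nwe
oki4daemon privoxy rstatd rusersd rwalld rwhod spamassassin nfs nfslock autofs
ypbind ypserv yppasswdd portmap smb netfs lpd httpd tux snmpd named postgresql
mysqld webmin kudzu squid hotplug cups sendmail ident vncserver arpwatch acpid
anacron avahi-daemon avahi-dnsconfd bluetooth capi dhcdbd conman cpuspeed
dc_client dc_server dovecot dund haldaemon hidd kdump lisa mcstrans mdmonitor
mdmpd messagebus netplugd nscd pand pcscd psacct rdisc restorecond saslauthd
setroubleshoot smartd winbind postfix"
XINETD_SERVICES="telnet krb5-telnet rsh rlogin rexec klogin kshell eklogin tftp
finger talk ntalk echo echo-udp chargen chargen-udp daytime daytime-udp time
time-udp rsync amanda amandaidx cups-lpd gssftp imap imaps ipop2 ipop3 pop3s"

# Execute a command, or only print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi; }

# Stop and permanently disable each named service.  A service with neither an
# init script nor an xinetd entry is simply not installed (the situation behind
# the chkconfig "No such file or directory" message of section 1.4) and is
# skipped.  Returns the number of services actually disabled.
disable_services() {  # disable_services NAME...
    ds_count=0; ds_xinetd=0
    for ds_svc in "$@"; do
        if [ -f "$INITD/$ds_svc" ]; then
            run service "$ds_svc" stop          # stop it now ...
            run chkconfig "$ds_svc" off         # ... and in every runlevel
            ds_count=$((ds_count + 1))
        elif [ -f "$XINETD_D/$ds_svc" ]; then
            run chkconfig "$ds_svc" off         # writes "disable = yes" into the entry
            ds_count=$((ds_count + 1)); ds_xinetd=1
        else
            echo "skip: $ds_svc is not installed"
        fi
    done
    [ "$ds_xinetd" -eq 1 ] && run service xinetd reload   # make xinetd re-read its entries
    return $ds_count
}

if [ "${1:-}" = "--apply" ]; then
    rc=0; disable_services $BOOT_SERVICES $XINETD_SERVICES || rc=$?
    echo "disabled $rc services"
fi
```

Review the two lists against the host's role before running with --apply (a web server keeps httpd, a mail relay keeps postfix or sendmail, a software-RAID host keeps mdmonitor), and run with DRY_RUN=1 first to see the exact commands.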


3.4.4.  SNMP Service

SNMP is a management protocol that provides the ability to monitor and manage network devices remotely. In versions 1 and 2c the community string is the only credential, and it is sent in clear text with every request.

Action

SNMP versions prior to 3 SHOULD NOT be used, because they are insecure in many ways (clear-text community strings, no message authentication).

The community strings used for SNMP queries MUST NOT be the defaults ("public", "private").

Read-write access (the "private" community, "rwcommunity" in net-snmp) SHOULD NOT be enabled.

An ACL (access list) MUST be set on the SNMP service so that only the management server can query it. In net-snmp this is the source argument of the community or user directive in /etc/snmp/snmpd.conf, for example "rocommunity <string> <management server IP>"; a host firewall rule restricting UDP port 161 to the same address is a second layer.

3.4.5.  Setuid/Gid Files

Setuid and setgid are short for "Set User ID" and "Set Group ID", respectively. They are access-right flags that can be assigned to files and directories and are mostly used to let users execute a binary with temporarily elevated privileges in order to perform a specific task.

When a binary executable has the setuid attribute, normal users on the system can execute it and gain, within the created process, the privileges of the user who owns the file (commonly root). With root privileges in the process, the application can then perform tasks on the system that regular users would normally be restricted from doing.

While the setuid feature is very useful in many cases, it poses a security risk when the setuid attribute is assigned to executable programs that are not carefully designed. Users can exploit vulnerabilities in flawed programs to gain permanent elevated privileges, or unintentionally execute a Trojan horse program.

Action

The SUID bit SHOULD be removed from all files under /bin and /usr/bin except the following:

 /usr/bin/passwd
 /usr/bin/sudo
 /bin/ping
 /usr/bin/crontab
 /bin/su
 /usr/bin/agent_ctrl
 /usr/bin/wall
 /usr/bin/rcp
 /bin/mount
 /bin/traceroute

Note: /usr/bin/rcp is one of the r* clients of section 3.3.2 and only needs its setuid bit if rcp is actually used; /usr/bin/agent_ctrl is not a standard CentOS binary and presumably refers to a site-specific agent. /bin/umount needs the same treatment as /bin/mount, and /usr/bin/wall is setgid (group tty) rather than setuid.

Other executable files SHOULD NOT have the suid/sgid bit set.

Find and remove the suid/sgid bit from all other files on the file system:


find / -perm -4000 -type f -print
find / -perm -2000 -type f -print

Before removing the suid/sgid bit ("chmod u-s,g-s <file>") make sure the permission is not needed by the application.

Only read-only permission MAY be set on a mount point, using the "ro" mount option.
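The script below is an added example (not from the original document) of the find-and-compare step: it lists setuid/setgid files below a root directory, compares them with the allow list above, and with the argument "fix" strips both bits from everything else. The constructed sample tree and the use of a root other than "/" exist only to exercise it without touching a real system.

```bash
#!/bin/sh
# Find setuid/setgid files and report those outside the section 3.4.5 allow list.
# Added example, not part of the original document.  Run as root:
#   sh suid-audit.sh /            (sh suid-audit.sh / fix   to strip the bits)
# A ROOT other than / is a test knob; the allow list is matched as an absolute
# path relative to ROOT.

# Files the document allows to keep the bit (duplicate /bin/ping removed;
# /usr/bin/agent_ctrl is the site-specific entry from the original list).
SUID_ALLOWED="/usr/bin/passwd /usr/bin/sudo /bin/ping /usr/bin/crontab /bin/su
/usr/bin/agent_ctrl /usr/bin/wall /usr/bin/rcp /bin/mount /bin/traceroute"

# Print every regular file below ROOT with the setuid or setgid bit, as a path
# relative to ROOT starting with "/" (so ROOT/bin/ping is reported as /bin/ping).
find_suid_sgid() {  # find_suid_sgid ROOT
    ( cd "$1" && find . \( -path ./proc -o -path ./sys \) -prune -o \
        -type f \( -perm -4000 -o -perm -2000 \) -print ) | sed 's|^\.||'
}

# Report setuid/setgid files that are not on the allow list; with a second
# argument "fix", also strip both bits from them.  Returns the number found.
audit_suid() {  # audit_suid ROOT [fix]
    as_allowed=" $(printf '%s' "$SUID_ALLOWED" | tr '\n' ' ') "
    as_list=$(find_suid_sgid "$1")
    as_extra=0
    while read -r as_f; do
        [ -z "$as_f" ] && continue
        case "$as_allowed" in
            *" $as_f "*) ;;                                  # on the allow list
            *) echo "UNEXPECTED: $as_f (mode $(stat -c %a "$1$as_f"))"
               as_extra=$((as_extra + 1))
               [ "${2:-}" = "fix" ] && chmod u-s,g-s "$1$as_f" ;;
        esac
    done <<EOF
$as_list
EOF
    return $as_extra
}

# Constructed sample tree: two allowed and two unexpected setuid/setgid files.
make_sample_tree() {  # make_sample_tree DIR
    mkdir -p "$1/bin" "$1/usr/bin" "$1/usr/local/bin" "$1/opt/tool"
    touch "$1/bin/ping" "$1/usr/bin/wall" "$1/usr/local/bin/helper" "$1/opt/tool/run" "$1/bin/ls"
    chmod 4755 "$1/bin/ping"              # allowed, setuid
    chmod 2555 "$1/usr/bin/wall"          # allowed, setgid
    chmod 4755 "$1/usr/local/bin/helper"  # unexpected setuid
    chmod 2755 "$1/opt/tool/run"          # unexpected setgid
    chmod 0755 "$1/bin/ls"                # no special bit: not reported
}

# Audit the root given on the command line, or demonstrate on the sample tree.
if [ -n "${1:-}" ]; then
    rc=0; audit_suid "$1" "${2:-}" || rc=$?; echo "unexpected: $rc"
else
    st=$(mktemp -d); make_sample_tree "$st"
    rc=0; audit_suid "$st" || rc=$?;     echo "unexpected: $rc"
    rc=0; audit_suid "$st" fix || rc=$?; echo "stripped: $rc"
    rc=0; audit_suid "$st" || rc=$?;     echo "after fix: $rc"
    rm -rf "$st"
fi
```

Keep the report of the first run as a baseline: a setuid file that appears in a later run and was not added by a package update is exactly the kind of change an intruder leaves behind.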

3.4.6.  Crontab

The following configuration restricts the scheduling of jobs with cron and at to the users listed in cron.allow and at.allow (allow-list approach). Add users to these files in order to permit cron/at use; when an .allow file exists, the corresponding .deny file is not consulted.

Action

The /etc/cron.allow file MUST exist and be owned by root with mode 600.

The /etc/cron.deny file MUST exist and be owned by root with mode 600.

The /etc/at.allow file MUST exist and be owned by root with mode 600.

The /etc/at.deny file MUST exist and be owned by root with mode 600.

(The original text places these files under /etc/cron.d/; on CentOS the cron and at daemons read them from /etc directly, while /etc/cron.d/ holds crontab fragments.)

If one of the above files does not exist, "touch" it; make sure "root" is allowed to schedule cron jobs by adding it to the .allow files.

3.4.7.  Other File System Security Requirements

Action

Only root SHOULD have access to the /root directory ("chmod 700 /root").

The system SHOULD prevent setuid binaries and device files on removable media by mounting it with the "nosuid" and "nodev" options in /etc/fstab (the original text refers to vfstab, which is the Solaris name of this file).

The /tmp partition SHOULD be mounted with the "nosuid" and "acl" options set.

The partition holding the users' home directories SHOULD be mounted with the "nosuid" option set; in the standard layout this is /home, which SHOULD be mounted with the "nosuid" and "acl" options.

The /var partition SHOULD be mounted with the "nosuid" option set.

Options changed in /etc/fstab take effect at the next mount; apply them to a mounted partition immediately with "mount -o remount /tmp" (likewise for the others).
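An added example (not from the original document) that checks an fstab against the mount-option requirements above: each listed mount point must have its own entry carrying the required options, and every entry under /media or /mnt must carry nosuid and nodev. Two constructed fstab files are embedded, a CentOS 5 installer-style one and a hardened one; the nodev requirement for removable media is the "device files" clause above spelled out as a mount option.

```bash
#!/bin/sh
# Audit /etc/fstab against the section 3.4.7 mount-option requirements.
# Added example, not part of the original document.  Run as: sh fstab-audit.sh [FSTAB]

# Mount point and the options it MUST carry (from the requirements above);
# add a line for a home-directory partition that is not /home.
FSTAB_RULES="/tmp:nosuid,acl
/home:nosuid,acl
/var:nosuid"

# Option field of MOUNTPOINT's entry in FSTAB (comments and blank lines ignored);
# prints nothing when there is no such entry, i.e. it is not a separate mount.
fstab_options() {  # fstab_options FSTAB MOUNTPOINT
    awk -v mp="$2" '!/^[ \t]*#/ && NF >= 4 && $2 == mp { print $4; exit }' "$1"
}

# True when OPTION is one of the comma-separated items in OPTS.
has_option() {  # has_option OPTS OPTION
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Check the fixed rules plus every removable-media entry (mount points under
# /media or /mnt), which MUST carry nosuid and nodev.  Returns the number of findings.
check_fstab() {  # check_fstab FSTAB
    cf_bad=0
    for cf_rule in $FSTAB_RULES; do
        cf_mp=${cf_rule%%:*}; cf_opts=$(fstab_options "$1" "$cf_mp")
        if [ -z "$cf_opts" ]; then
            echo "FAIL: $cf_mp has no fstab entry (not a separate partition)"
            cf_bad=$((cf_bad + 1)); continue
        fi
        for cf_want in $(printf '%s' "${cf_rule#*:}" | tr ',' ' '); do
            has_option "$cf_opts" "$cf_want" || { echo "FAIL: $cf_mp lacks $cf_want (has: $cf_opts)"; cf_bad=$((cf_bad + 1)); }
        done
    done
    cf_media=$(awk '!/^[ \t]*#/ && NF >= 4 && $2 ~ /^\/(media|mnt)\// { print $2, $4 }' "$1")
    while read -r cf_mp cf_opts; do
        [ -z "$cf_mp" ] && continue
        for cf_want in nosuid nodev; do
            has_option "$cf_opts" "$cf_want" || { echo "FAIL: removable media $cf_mp lacks $cf_want"; cf_bad=$((cf_bad + 1)); }
        done
    done <<EOF
$cf_media
EOF
    return $cf_bad
}

# Constructed samples: a CentOS 5 installer-style fstab and a hardened one.
write_fstab_samples() {  # write_fstab_samples DIR
    cat > "$1/default" <<'EOF'
LABEL=/      /            ext3    defaults                         1 1
LABEL=/boot  /boot        ext3    defaults                         1 2
LABEL=/home  /home        ext3    defaults                         1 2
LABEL=/var   /var         ext3    defaults                         1 2
tmpfs        /dev/shm     tmpfs   defaults                         0 0
devpts       /dev/pts     devpts  gid=5,mode=620                   0 0
/dev/cdrom   /media/cdrom auto    pamconsole,exec,noauto,managed   0 0
EOF
    cat > "$1/hardened" <<'EOF'
LABEL=/      /            ext3    defaults                         1 1
LABEL=/boot  /boot        ext3    defaults                         1 2
LABEL=/tmp   /tmp         ext3    defaults,nosuid,acl              1 2
LABEL=/home  /home        ext3    defaults,nosuid,acl              1 2
LABEL=/var   /var         ext3    defaults,nosuid                  1 2
tmpfs        /dev/shm     tmpfs   defaults                         0 0
devpts       /dev/pts     devpts  gid=5,mode=620                   0 0
/dev/cdrom   /media/cdrom auto    noauto,nosuid,nodev,managed      0 0
EOF
}

# Audit the file given on the command line, or demonstrate on the samples.
if [ -n "${1:-}" ]; then
    rc=0; check_fstab "$1" || rc=$?; echo "findings: $rc"
else
    fd=$(mktemp -d); write_fstab_samples "$fd"
    for f in default hardened; do
        echo "== $f =="; rc=0; check_fstab "$fd/$f" || rc=$?; echo "findings: $rc"
    done
    rm -rf "$fd"
fi
```

A missing entry is reported as a finding because a mount option can only be applied to a separate file system; that is why section 2.3 asks for /tmp, /home and /var to be partitions of their own.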

Executable files under /bin and /usr/bin MUST NOT be writable by group or other ("chmod go-w /bin/* /usr/bin/*").

The following files MUST NOT be writable by group or other:

 /etc/passwd
 /etc/shadow
 /etc/group
 /etc/gshadow

(/etc/shadow and /etc/gshadow MUST NOT be readable by group or other either; CentOS 5 ships them with mode 400.)

The /etc/services file SHOULD be immutable ("chattr +i /etc/services").

The file /usr/sbin/tcpdump MUST be executable by root only ("chmod 700 /usr/sbin/tcpdump").

The file /etc/syslog.conf MUST have no permissions for "other" ("chmod o-rwx /etc/syslog.conf").

Non-root users MUST NOT be able to run the following applications:


3.6.  General Requirements

3.6.1.  General Subjects

Action

The NTP service MUST be enabled ("chkconfig ntpd on; service ntpd start").

Note: NTP should be configured according to the company policy. Accurate, synchronized time is crucial for correlating logs in security investigations.

The motd/issue files SHOULD carry a warning banner; see Appendix A for a suggestion. (/etc/issue is shown before a console login, /etc/issue.net before an SSH login when "Banner /etc/issue.net" is set in sshd_config, and /etc/motd after login.)

An automatic idle logout after 15 minutes SHOULD be set by adding the following line to /etc/profile:

TMOUT=900

The variable SHOULD also be made read-only and exported ("readonly TMOUT; export TMOUT"), otherwise a user can simply unset it in the shell.

Restricting system reboots through the console:

The system MAY prevent rebooting through the console (Ctrl-Alt-Del) without being logged in. Verify that the following line exists in /etc/inittab:

ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

The "-a" option makes shutdown consult /etc/shutdown.allow: when init invokes it on Ctrl-Alt-Del, the shutdown proceeds only if one of the users listed in that file is logged in on a console. Create /etc/shutdown.allow with the permitted user names (one per line), or comment out the "ca" line entirely to ignore Ctrl-Alt-Del.


Appendix A

The Following Text is a suggestion for /etc/issue and /etc/motd:

This computer system, including all related equipment, networks and network devices (specifically including

Internet access), is provided only for authorized use.

The computer systems may be monitored for all lawful purposes, including to ensure that their use is

authorized, for management of the system, to facilitate protection against unauthorized access and to verify

security procedures, survivability and operational security.

Monitoring includes active attacks by authorized entities to test or verify the security of this system.

During monitoring, information may be examined, recorded, copied and used for authorized purposes.

 All information, including personal information, placed on or sent over this system may be monitored. Use of

this computer system, authorized or unauthorized, constitutes consent to the monitoring of this system.

Unauthorized use may subject you to criminal prosecution.

Evidence of unauthorized use collected during monitoring may be used for administrative, criminal or

adverse action.

Use of this system constitutes consent to monitoring for these purposes.