UCD Linux Security Checklist

The document provides a Linux hardening checklist with recommendations across several areas: 1. System installation and patching including using the latest OS version, separating partitions for /tmp, /var, and /home, and ensuring software updates can be received. 2. OS hardening such as restricting core dumps, removing legacy services, disabling unneeded services, and ensuring logging services are configured. 3. User access and passwords including creating accounts for each user, enforcing strong passwords, and using sudo to delegate admin access. 4. Network security and remote access such as limiting connections to authorized users via firewalls, disabling root SSH login, and deploying an intrusion prevention system.


Linux Hardening Checklist

System Installation & Patching

1 If the machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened.

2 Use the latest version of the Operating System if possible

Refer to the vendor support documentation to confirm the lifecycle of the version. Consider both the major and minor (or service pack) release where a vendor releases both.

3 Create a separate volume with the nodev, nosuid, and noexec options set for /tmp.

Since /tmp is intended to be world writable, creating a separate partition for it stops a user filling /tmp from exhausting space on the root filesystem. Setting nodev prevents users from creating or using block or character special devices there. Setting noexec prevents users from running binary executables from /tmp. Setting nosuid causes set-user-id and set-group-id bits on files in /tmp to be ignored, so a binary dropped there cannot gain privileges.

4 Create separate volumes for /var, /var/log, and /home.

Any directories where non-admin users have write access should be separate from the root volume to limit the impact of those volumes being filled.

5 Set the sticky bit on all world-writable directories.

The sticky bit stops users with write access to the directory from deleting or renaming files owned by other users.
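
The checks behind items 3 to 5 can be scripted. The following is an added example and not part of the UCD checklist: a function that confirms a mount point is separate and carries the required options, and a find expression for world-writable directories without the sticky bit. The /proc/mounts sample and the directory tree are constructed so the script runs without root.

```shell
#!/bin/sh
# Added example, not part of the UCD checklist: audit items 3 to 5.
# Mount data normally comes from /proc/mounts; the sample below is constructed
# so the script runs anywhere, and the directory tree it checks is created in a
# temporary location rather than under /.

# check_mount_opts MOUNTS_FILE MOUNTPOINT OPTION...
# Prints each required option missing from MOUNTPOINT; returns 1 if anything is
# missing or if MOUNTPOINT is not a separate mount at all.
check_mount_opts() {
    mounts=$1; mp=$2; shift 2
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts")
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount"
        return 1
    fi
    rc=0
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$mp: missing $want"; rc=1 ;;
        esac
    done
    return $rc
}

# find_unsticky_ww ROOT: world-writable directories under ROOT that lack the
# sticky bit. -xdev keeps the search on one filesystem, which matters for /.
find_unsticky_ww() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Constructed /proc/mounts sample: /tmp is missing noexec, /home is not a separate volume.
SAMPLE_MOUNTS=$(mktemp)
cat >"$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda3 /var ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda4 /var/log ext4 rw,nosuid,nodev,noexec,relatime 0 0
EOF

check_mount_opts "$SAMPLE_MOUNTS" /tmp nodev nosuid noexec
check_mount_opts "$SAMPLE_MOUNTS" /var nodev nosuid
check_mount_opts "$SAMPLE_MOUNTS" /home nodev nosuid

# Constructed directory tree for the sticky-bit check.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/shared" "$SAMPLE_ROOT/tmp"
chmod 0777 "$SAMPLE_ROOT/shared"   # world-writable without sticky bit: flagged
chmod 1777 "$SAMPLE_ROOT/tmp"      # world-writable with sticky bit: fine
find_unsticky_ww "$SAMPLE_ROOT"

# On a live host:
#   check_mount_opts /proc/mounts /tmp nodev nosuid noexec
#   find_unsticky_ww / | xargs chmod +t
```

One caveat before enabling noexec on /tmp: some package installers unpack and execute helper scripts there, so run a package update after the change and relax the option only if something breaks.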

6 Ensure the system is configured to be able to receive software updates

For Red Hat Enterprise Linux (RHEL) or SUSE Linux Enterprise Server (SLES) this requires a subscription to be allocated to the system. For most other major distributions this is a simple configuration change.


OS Hardening

1 Restrict core dumps.

Core dumps are intended to help determine why a program aborted. They may contain sensitive or confidential data from memory, including credentials and keys. It is recommended that core dumps be disabled or restricted: a hard core size limit of 0 in /etc/security/limits.conf for all users, and fs.suid_dumpable = 0 via sysctl so that set-user-id programs never dump.

2 Remove legacy services

Services that provide or rely on unencrypted authentication should be disabled unless there are grounds for an exception. These include telnet-server, rsh, rlogin, rcp, ypserv, ypbind, tftp, tftp-server, talk and talk-server.

3 Disable any services and applications started by xinetd or inetd that are not being utilized. Remove xinetd, if possible.

The inetd or xinetd service allows programs to be run when a connection is made to a designated network port. All unneeded inetd applications should be disabled; if no applications require it, disable (x)inetd itself.

4 Disable or remove server services that are not going to be utilized

(e.g., FTP, DNS, LDAP, SMB, DHCP, NFS, SNMP, etc.)

5 Ensure the syslog (rsyslog, syslog, syslog-ng) service is running.

The syslog service manages the logs in /var/log/. Most modern syslog implementations also support remote log forwarding, which keeps a copy of the logs out of reach of an attacker who gains root on the host. On systemd-based systems journald may hold the primary log store, with rsyslog or syslog-ng still used for file output and forwarding.

6 Enable a Network Time Protocol (NTP) service (ntpd, chronyd or systemd-timesyncd) to ensure clock accuracy

Accurate timekeeping facilitates analysis and correlation of system logs when needed.


7 Restrict the use of the cron and at services.

These can be used to run commands on the system and should only be allowed to accounts which need this access, for example by listing those accounts in /etc/cron.allow and /etc/at.allow.


User Access & Passwords

1 Create an account for each user who should access the system

Avoiding shared accounts and passwords makes it easier to keep an audit trail and to remove access when it is no longer needed.

2 Enforce the use of strong passwords

Password security rules are set in the PAM configuration, for example /etc/pam.d/password-auth and /etc/pam.d/system-auth on RHEL-family systems (typically through pam_pwquality) or /etc/pam.d/common-password on Debian and Ubuntu.

3 Use sudo to delegate admin access

The sudo command allows for fine-grained control of rights to run commands as root (or other user ids). The /etc/sudoers configuration file should be edited with the visudo command, which locks the file and refuses to save a syntactically invalid one.
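
The following is an added example, not part of the UCD checklist, of what fine-grained delegation looks like in practice: a sudoers drop-in that grants one group exactly two commands, plus a visudo syntax check before the file is installed. The group name "webops" and the command paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the UCD checklist: delegate one admin task through
# a sudoers drop-in and syntax-check it with visudo before installing it. The
# group name "webops" and the commands are assumptions for illustration.

# write_sudoers_fragment DEST: grant the webops group exactly two commands, as
# root, authenticated with their own password and logged.
write_sudoers_fragment() {
    cat >"$1" <<'EOF'
# Run delegated commands in a pseudo-terminal and keep a dedicated log
Defaults    use_pty
Defaults    logfile="/var/log/sudo.log"

# Command aliases keep the grant readable and auditable. Paths are absolute and
# arguments are spelled out: a trailing "*" in a sudoers command matches across
# spaces, so "tail -f /var/log/httpd/*" would also permit
# "tail -f /var/log/httpd/x /etc/shadow".
Cmnd_Alias  WEB_SVC  = /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd
Cmnd_Alias  WEB_LOGS = /usr/bin/tail -f /var/log/httpd/access_log, /usr/bin/tail -f /var/log/httpd/error_log

# No passwordless grant and no ALL: members still prove who they are, and
# nothing beyond the two aliases runs as root
%webops ALL=(root) WEB_SVC, WEB_LOGS
EOF
    chmod 0440 "$1"
}

# validate_sudoers FILE: parse-check with visudo; skipped with a note where
# visudo is not installed.
validate_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not installed here; run 'visudo -cf $1' on the target host" >&2
    fi
}

FRAG=$(mktemp)
write_sudoers_fragment "$FRAG"
validate_sudoers "$FRAG"
# On a host: install as root to /etc/sudoers.d/webops, mode 0440. sudo ignores
# drop-in names that contain a "." or end in "~", so keep the name plain.
```

Run visudo -cf as root on the installed file; as an unprivileged user it may warn about ownership and mode even when the syntax is fine.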

Network Security & Remote Access

1 Limit connections to services running on the host to authorized users of the service via firewalls and other access control technologies.

Packet filtering is provided by the netfilter framework in the kernel, which is common to all Linux systems, but the tools used to manage firewall rules (iptables, nftables, firewalld, ufw) differ significantly between vendors, so check the version-specific configuration guide.

2 Disable:

IP forwarding.
Send packet redirects.
Source routed packet acceptance.
ICMP redirect acceptance.

Enable:

Ignore broadcast requests.
Bad error message protection.
TCP SYN cookies.

These kernel tuning parameters should be set in /etc/sysctl.conf or in a file under /etc/sysctl.d/ so that they persist across reboots.
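
The parameters above, together with the fs.suid_dumpable setting from OS Hardening item 1, map onto a single sysctl.d fragment. The following is an added example and not part of the UCD checklist: the fragment itself, and an audit function that compares a "sysctl -a" dump against it and reports drift. The dump used here is constructed; the file names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not part of the UCD checklist: the kernel parameters from
# Network item 2 plus fs.suid_dumpable from OS Hardening item 1, written as a
# sysctl.d fragment, and an audit function that diffs a "sysctl -a" dump against
# it. On a real host the fragment goes to /etc/sysctl.d/99-hardening.conf and is
# loaded with "sysctl --system"; the temp paths here are for the demo only.

DESIRED=$(mktemp)
cat >"$DESIRED" <<'EOF'
# Disable
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Enable
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
# Core dumps: never dump set-user-id programs (pair with "* hard core 0" in limits.conf)
fs.suid_dumpable = 0
EOF

# audit_sysctl DESIRED ACTUAL: print "key: expected X, got Y" for each drift and
# name any key the running kernel does not expose. ACTUAL is "key = value" text,
# i.e. the output of "sysctl -a".
audit_sysctl() {
    awk -F' *= *' '
        FNR == NR { if ($0 !~ /^#/ && NF == 2) want[$1] = $2; next }
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) printf "%s: expected %s, got %s\n", $1, want[$1], $2
        }
        END { for (k in want) if (!(k in seen)) printf "%s: not present on this kernel\n", k }
    ' "$1" "$2"
}

# Constructed dump standing in for "sysctl -a": forwarding on, SYN cookies off.
ACTUAL=$(mktemp)
cat >"$ACTUAL" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 0
fs.suid_dumpable = 0
EOF

audit_sysctl "$DESIRED" "$ACTUAL"
# On a live host: sysctl -a > /tmp/sysctl.now && audit_sysctl /etc/sysctl.d/99-hardening.conf /tmp/sysctl.now
```

Leave ip_forward at 0 only on hosts that are not routers or container hosts; Docker and similar tooling turn it on and will fight a hardening fragment that turns it off.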

3 In the SSH server configuration ensure that:

Protocol version is set to 2
LogLevel is set to INFO
PermitEmptyPasswords is set to no

These settings are the default on most platforms; setting them to other values weakens the SSH server. OpenSSH 7.4 and later no longer implements protocol version 1 on the server side, so on current versions the Protocol directive is obsolete and only needs checking on older installations.

4 Disable root login over SSH.

Root SSH with a password should never be allowed; users should authenticate with their own account and use su or sudo if needed. Valid values for PermitRootLogin are no, without-password (renamed prohibit-password in OpenSSH 7.0; the old spelling is still accepted) and forced-commands-only, depending on whether key-based root access is required.
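
Items 3 and 4 reduce to a handful of directive checks. The following is an added example, not part of the UCD checklist: an audit function that reads an sshd_config, reports each weak directive, and flags a PermitRootLogin that is absent altogether. The sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not part of the UCD checklist: audit an sshd_config against
# items 3 and 4. The sample config is constructed; on a live host feed the
# function the effective configuration from "sshd -T" (run as root), which
# resolves compiled-in defaults and Match blocks so nothing is missed.

# sshd_audit FILE: print one finding per weak directive; exit 1 if any were found.
sshd_audit() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }
        # keywords are case-insensitive: compare lowercase, report the original spelling
        { k = tolower($1); v = tolower($2); seen[k] = 1 }
        k == "permitrootlogin" && v != "no" && v != "prohibit-password" &&
            v != "without-password" && v != "forced-commands-only" {
            print "PermitRootLogin " $2 ": root may log in with a password"; n++ }
        k == "permitemptypasswords" && v != "no" {
            print "PermitEmptyPasswords " $2 ": empty passwords accepted"; n++ }
        k == "loglevel" && v != "info" && v != "verbose" {
            print "LogLevel " $2 ": set INFO (or VERBOSE to log key fingerprints)"; n++ }
        k == "protocol" && v != "2" {
            print "Protocol " $2 ": SSHv1 enabled (only possible on pre-7.4 OpenSSH)"; n++ }
        END {
            # an absent keyword means the compiled-in default; before OpenSSH 7.0 that was "yes"
            if (!seen["permitrootlogin"]) {
                print "PermitRootLogin unset: default was yes before OpenSSH 7.0"; n++ }
            exit (n > 0)
        }
    ' "$1"
}

# Constructed sshd_config with two weak settings.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
Port 22
Protocol 2
LogLevel DEBUG
PermitRootLogin yes
PermitEmptyPasswords no
PasswordAuthentication yes
EOF

sshd_audit "$SAMPLE"
# On a live host (as root): sshd -T > /tmp/sshd.effective && sshd_audit /tmp/sshd.effective
```

DEBUG is flagged as well as the silent levels: it is above INFO but logs enough per-connection detail to leak user names and timing into a log that many people can read.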

5 Deploy an Intrusion Prevention System (IPS) such as fail2ban

fail2ban watches the authentication logs and adds firewall rules (through iptables, nftables or firewalld) to block remote systems generating many authentication failures, as a way to combat brute-force password attempts.
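
To make the mechanism concrete, the following is an added example and not part of the UCD checklist: the core of fail2ban's sshd jail written as an awk pass over authentication log lines, counting failed password attempts per source address and emitting the block rule for each offender instead of applying it. The log lines are constructed and use documentation addresses.

```shell
#!/bin/sh
# Added example, not part of the UCD checklist: the core of what fail2ban's
# sshd jail does, as a readable awk pass over authentication log lines. The log
# lines are constructed (RFC 5737 documentation addresses); on a host they would
# come from /var/log/auth.log, /var/log/secure or "journalctl -u sshd".

# bruteforce_ips LOGFILE THRESHOLD: print "ip count" for each source address
# with at least THRESHOLD failed password attempts against sshd.
bruteforce_ips() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the address is the token after "from"; its position shifts with the user name
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' "$1"
}

# ban_rules LOGFILE THRESHOLD: emit the firewall rule for each offender without
# applying it. fail2ban runs an equivalent iptables/nftables action and later
# removes the rule again when bantime expires.
ban_rules() {
    bruteforce_ips "$1" "$2" | while read -r ip count; do
        printf 'iptables -I INPUT -s %s -j DROP   # %s failures\n' "$ip" "$count"
    done
}

# Constructed log: 203.0.113.7 fails six times, 192.0.2.9 five, 198.51.100.2 once.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Jan 10 12:00:01 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 12:00:03 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 12:00:05 web1 sshd[2012]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 10 12:00:07 web1 sshd[2012]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 10 12:00:09 web1 sshd[2013]: Failed password for invalid user oracle from 203.0.113.7 port 51251 ssh2
Jan 10 12:00:11 web1 sshd[2013]: Failed password for invalid user oracle from 203.0.113.7 port 51251 ssh2
Jan 10 12:00:20 web1 sshd[2019]: Accepted publickey for deploy from 198.51.100.2 port 40012 ssh2
Jan 10 12:00:25 web1 sshd[2020]: Failed password for deploy from 198.51.100.2 port 40013 ssh2
Jan 10 12:01:02 web1 sshd[2031]: Failed password for invalid user test from 192.0.2.9 port 60001 ssh2
Jan 10 12:01:04 web1 sshd[2031]: Failed password for invalid user test from 192.0.2.9 port 60001 ssh2
Jan 10 12:01:06 web1 sshd[2032]: Failed password for invalid user guest from 192.0.2.9 port 60004 ssh2
Jan 10 12:01:08 web1 sshd[2032]: Failed password for invalid user guest from 192.0.2.9 port 60004 ssh2
Jan 10 12:01:10 web1 sshd[2033]: Failed password for root from 192.0.2.9 port 60009 ssh2
EOF

ban_rules "$SAMPLE_LOG" 5
```

This counts over the whole file; fail2ban additionally applies a time window (findtime) and unbans after bantime, which is what keeps a legitimate user who mistypes a password a few times from being locked out for good. Keep the threshold above the number of retries a real client makes.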

Apache Webserver (HTTPD)

1 Always run Apache with a dedicated non-admin account

The system user account the Apache server runs as should have minimal permissions on the system to limit the potential for this to be exploited. This is the default in all major Linux distributions.

2 Disable any modules not required

Apache is modular in design: each module provides different functionality and almost all are optional for basic use cases. In particular look to disable mod_dav (WebDAV), mod_status, mod_info, mod_userdir and mod_autoindex unless these are known to be required.

3 Disable HTTP TRACE:
TraceEnable Off

The TRACE method echoes the received request back to the client and is not needed to serve content; it has been abused in cross-site tracing attacks to read request headers such as cookies. Apache enables it by default, so turn it off explicitly.

4 Configure SSL/TLS in line with best practice

Mozilla provides resources for this:
https://wiki.mozilla.org/Security/Server_Side_TLS

5 Configure Apache not to advertise the software/OS versions

Set ServerTokens Prod and ServerSignature Off to limit the system configuration information easily available.

6 Deny access to files by default; only allow access to designated directories.

Only directories containing Apache content should be readable by remote clients.
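
Items 2, 3, 5 and 6 can be checked against an httpd.conf mechanically. The following is an added example and not part of the UCD checklist: an audit function that reports weak or missing directives and loaded modules from the list above, run against a constructed weak configuration and then against a hardened fragment that satisfies it. The configurations and file names are assumptions for the demo; the hardened fragment uses Apache 2.4 syntax.

```shell
#!/bin/sh
# Added example, not part of the UCD checklist: an audit of httpd.conf against
# items 2, 3, 5 and 6, and the hardened fragment that satisfies it. Both config
# files are constructed; on a host read the merged configuration files and list
# loaded modules with "apachectl -t -D DUMP_MODULES".

# httpd_audit FILE: print one finding per weak or missing directive; exit 1 if any.
httpd_audit() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        { k = tolower($1); v = tolower($2); seen[k] = 1 }
        k == "servertokens" && v != "prod" { print "ServerTokens " $2 ": set Prod"; n++ }
        k == "serversignature" && v != "off" { print "ServerSignature " $2 ": set Off"; n++ }
        k == "traceenable" && v != "off" { print "TraceEnable " $2 ": set Off"; n++ }
        k == "loadmodule" && $2 ~ /^(dav|dav_fs|status|info|userdir|autoindex)_module$/ {
            print "LoadModule " $2 ": disable unless required"; n++ }
        # track the filesystem-root <Directory /> block and whether it denies by default
        /^[ \t]*<[Dd]irectory[ \t]+"?\/"?[ \t]*>/ { inroot = 1 }
        /^[ \t]*<\/[Dd]irectory>/ { inroot = 0 }
        inroot && tolower($0) ~ /require[ \t]+all[ \t]+denied/ { rootdenied = 1 }
        END {
            # defaults matter: ServerTokens defaults to Full and TraceEnable to On
            if (!seen["servertokens"]) { print "ServerTokens unset: default is Full"; n++ }
            if (!seen["traceenable"]) { print "TraceEnable unset: default is On"; n++ }
            if (!rootdenied) { print "<Directory />: no \"Require all denied\" default"; n++ }
            exit (n > 0)
        }
    ' "$1"
}

# Constructed weak configuration: advertises versions, TRACE on, two optional
# modules loaded, and no deny-by-default on the filesystem root.
WEAK=$(mktemp)
cat >"$WEAK" <<'EOF'
ServerTokens Full
ServerSignature On
TraceEnable On
LoadModule status_module modules/mod_status.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule ssl_module modules/mod_ssl.so
<Directory "/var/www/html">
    Require all granted
</Directory>
EOF

# Hardened fragment: items 1, 3, 5 and 6 in Apache 2.4 syntax.
HARD=$(mktemp)
cat >"$HARD" <<'EOF'
User apache
Group apache
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<Directory />
    AllowOverride None
    Require all denied
</Directory>
<Directory "/var/www/html">
    Require all granted
</Directory>
EOF

echo "weak:";     httpd_audit "$WEAK"
echo "hardened:"; httpd_audit "$HARD" && echo "no findings"
```

The audit looks only at the file it is given; Apache merges Include'd files, so on a real host point it at each conf.d fragment as well as the main file, or at a concatenation of them.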
