GNU/Linux OS security hardening notes
See:
See also:
- CIS (Center for Internet Security)
Known vulnerabilities
apt-get install debsecan
debsecan    # lists the CVEs affecting the installed package versions, using data fetched from the Debian security tracker
Automatic updates
apt-get install unattended-upgrades
Installing the package is not enough on its own: check that /etc/apt/apt.conf.d/20auto-upgrades sets APT::Periodic::Unattended-Upgrade to "1", and review which origins are allowed in /etc/apt/apt.conf.d/50unattended-upgrades.
File integrity scanning
Find
Search for SUID (4000) and SGID (2000) files, excluding the ones that are expected
find / -type f \( -perm -4000 -o -perm -2000 \) \
  -not \( \
    -wholename "/proc/*" \
    -o -wholename "/var/lib/docker/aufs/*" \
    -o -wholename /usr/bin/chage \
    -o -wholename /usr/bin/newgrp \
    -o -wholename /usr/bin/passwd \
    -o -wholename /usr/bin/gpasswd \
    -o -wholename /usr/bin/expiry \
    -o -wholename /bin/su \
    -o -wholename /bin/mount \
    -o -wholename /bin/ping6 \
    -o -wholename /bin/ping \
    -o -wholename /bin/umount \
    -o -wholename /sbin/unix_chkpwd \
    -o -wholename /usr/bin/pumount \
    -o -wholename /usr/bin/pmount \
    -o -wholename /usr/bin/sudo \
    -o -wholename /usr/bin/crontab \
    -o -wholename /usr/bin/mlocate \
    -o -wholename /sbin/mount.cifs \
    -o -wholename /bin/fusermount \
    -o -wholename /bin/ntfs-3g \
    -o -wholename /usr/lib/dbus-1.0/dbus-daemon-launch-helper \
    -o -wholename /usr/bin/at \
    -o -wholename /usr/lib/eject/dmcrypt-get-device \
    -o -wholename /usr/lib/utempter/utempter \
  \)
# Binaries whose SUID/SGID bit is removed below, so they no longer need to be excluded:
#    -o -wholename /usr/bin/wall \
#    -o -wholename /usr/bin/chsh \
#    -o -wholename /usr/bin/ssh-agent \
#    -o -wholename /usr/lib/openssh/ssh-keysign \
#    -o -wholename /usr/bin/bsd-write \
#    -o -wholename /usr/bin/udevil \
#    -o -wholename /usr/bin/chfn \
#    -o -wholename /usr/bin/dotlockfile \
#    -o -wholename /usr/sbin/exim4 \
#    -o -wholename /usr/bin/beep \
-wholename is GNU find's older spelling of -path. On a merged-/usr system (Debian 12 and later) /bin and /sbin are symlinks to /usr/bin and /usr/sbin, so find reports /usr/bin/su rather than /bin/su and the /bin and /sbin exclusions above no longer match; adjust them to the /usr paths.
Removing the SUID bit
chmod u-s /usr/bin/chsh
chmod u-s /usr/bin/chfn
chmod u-s /usr/lib/openssh/ssh-keysign
chmod u-s /usr/sbin/exim4
Side effects: users can no longer change their own shell or GECOS field, ssh-keysign is required for HostbasedAuthentication, and local mail submission by unprivileged users through exim4 should be re-tested. A plain chmod is reverted the next time the package is upgraded; record the change with dpkg-statoverride so it survives.
Removing the SGID bit
chmod g-s /usr/bin/dotlockfile
chmod g-s /usr/bin/ssh-agent
chmod g-s /usr/bin/wall
Debian installs ssh-agent setgid so that the user's other processes cannot ptrace it and read loaded keys; once Yama ptrace_scope is raised (see sysctl below) that protection is redundant.
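Instead of growing the -not \( ... \) exclusion list by hand, a reviewed baseline can be kept and every later scan diffed against it, so that a new setuid binary (dropped by a package upgrade or by an intruder) shows up as a single line. The script below is an added example, not part of the original notes; the baseline path in the usage comment is an assumption, and the -path filters mirror the exclusions used above.

```shell
#!/bin/bash
# Added example: allow-list based SUID/SGID audit (not from the original notes).

# Print every setuid/setgid regular file under ROOT, sorted in byte order so
# the list can be fed to comm. -xdev stays on one filesystem; the -path
# filters mirror the exclusions used in the find command above.
suid_scan() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -not -path '/proc/*' -not -path '/var/lib/docker/*' -print 2>/dev/null \
        | LC_ALL=C sort
}

# Report files present in a scan of ROOT but absent from BASELINE (one path per
# line, sorted with LC_ALL=C sort). Each finding is printed as
# "mode owner group path". Returns 1 when anything new was found, 0 otherwise.
suid_diff() {
    local root=$1 baseline=$2 new f
    new=$(suid_scan "$root" | LC_ALL=C comm -23 - "$baseline")
    [ -n "$new" ] || return 0
    printf '%s\n' "$new" | while IFS= read -r f; do
        stat -c '%A %U %G %n' "$f"
    done
    return 1
}

# Typical use (assumed baseline path):
#   suid_scan / > /var/lib/suid.baseline      # once, after reviewing the list
#   suid_diff / /var/lib/suid.baseline        # from cron; non-zero exit = new binary
```

The baseline is a plain text file, so it can be versioned and reviewed like any other configuration; regenerate it after an upgrade that legitimately adds a setuid helper.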
World-writable files and directories
find / \( -type d -o -type f \) \
  -not \( -wholename "/proc/*" -o -wholename "/dev/*" -o -wholename "/var/lib/docker/aufs/*" \) \
  -perm /o=w -not -perm /o=t -ls
# -not -perm /o=t skips sticky-bit directories such as /tmp, where world-write is expected
Accounts
List the authorized_keys path of every account that has a login shell (field 6 of /etc/passwd is the home directory; accounts whose shell ends in false or nologin are skipped, and a doubled slash from a home directory with a trailing slash is collapsed):
perl -a -F':' -ne '$HOMEUSER=$F[5] ; $CHAINE="$HOMEUSER/.ssh/authorized_keys\n" ; $CHAINE=~s|//|/| ; print $CHAINE unless /false$/ or /nologin$/' /etc/passwd
Check AuthorizedKeysFile in /etc/ssh/sshd_config as well: if it has been changed, the keys are not where this list points.
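The perl one-liner only prints the paths. As an added example (not part of the original notes), the script below does the same selection in awk and then audits each file that exists: it flags a group- or world-writable file, and shows for every key whether it carries leading options such as from=, restrict or command=, which is what a reviewer actually wants to know about a key that grants shell access. The passwd file and keys used in the test are constructed, not real accounts or key material.

```shell
#!/bin/bash
# Added example: authorized_keys audit for interactive accounts (not from the original notes).

# Print HOME/.ssh/authorized_keys for every account whose shell does not end in
# false or nologin (same rule as the perl one-liner above). A trailing slash on
# the home directory is stripped so the path does not contain "//".
interactive_key_files() {  # PASSWD_FILE
    awk -F: '$7 !~ /(false|nologin)$/ {
        h = $6; sub(/\/$/, "", h); print h "/.ssh/authorized_keys" }' "$1"
}

# Audit one authorized_keys file and print findings:
#   WRITABLE    file is group- or world-writable (sshd ignores it under
#               StrictModes, and it means someone else could add a key)
#   NO-OPTIONS  key line has no leading options (no from=, restrict, command=)
#   OPTIONS     key line carries options (printed so they can be reviewed)
# Returns 1 if any WRITABLE or NO-OPTIONS finding was printed, 0 otherwise.
# A missing file is not a finding.
audit_key_file() {  # FILE
    local f=$1 rc=0 line
    [ -f "$f" ] || return 0
    if [ -n "$(find "$f" -maxdepth 0 -perm /022)" ]; then
        printf 'WRITABLE %s\n' "$f"; rc=1
    fi
    set -f   # no globbing while splitting key lines into words
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        case $1 in
            ssh-*|ecdsa-sha2-*|sk-*) printf 'NO-OPTIONS %s: %s %s\n' "$f" "$1" "$3"; rc=1 ;;
            *)                       printf 'OPTIONS %s: %s\n' "$f" "$1" ;;
        esac
    done < "$f"
    set +f
    return $rc
}

# Audit every candidate file; returns 1 if any file had findings.
audit_all() {  # PASSWD_FILE
    local rc=0 f
    for f in $(interactive_key_files "$1"); do
        audit_key_file "$f" || rc=1
    done
    return $rc
}

# Typical use (as root): audit_all /etc/passwd
```

A key without options is not wrong by itself, but for service or backup accounts the expectation is usually restrict plus from= or command=, so NO-OPTIONS lines are the ones to review first.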
sysctl
See https://www.it-connect.fr/details-durcissement-sysctl-systeme-linux/
Forbid ptrace (strace -p, gdb -p)
echo 3 > /proc/sys/kernel/yama/ptrace_scope
Yama scope 3 refuses PTRACE_ATTACH and PTRACE_TRACEME for every process, root included, and once set it cannot be lowered again until reboot; scope 1 (the Ubuntu default) only forbids attaching to processes that are not descendants of the tracer. Set kernel.yama.ptrace_scope in /etc/sysctl.d/ to make it persistent, and expect debuggers, strace -p and some crash handlers to stop working on the host.
Password
Slowing down login (and offline cracking) with more hash rounds
man 3 crypt
- /etc/shadow
plop1:$6$rounds=656000$P7gp1PPaN9bdjMt/$M2xJFWCpmlTS8CkYCHOnjI1TqfhIabgkJhp4HNvHHsI3NkXYJ2vZ.OVSNpOtee3sXJQcCdcZhezlQfrHZm3fE1:18369:0:99999:7:::
plop1:$6$LCJMGXiumcpyY7nP$8t/u6oewRH.GHk94QKmN/1pZyMFCIwG4Y/JzUF/qKSVU9/U.BhG1Vm6fpYIuUaZuIJq5b6omuGJVpD9XxFisM.:18369:0:99999:7:::
The first entry was hashed with rounds=656000; the second has no rounds= field, so it uses the sha512crypt default of 5000 rounds. Only the first makes login (and each guess in an offline attack) noticeably slower.
https://askubuntu.com/questions/894404/how-to-increase-the-number-of-hashing-rounds-for-etc-shadow
- /etc/pam.d/common-password
#password [success=1 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_unix.so obscure sha512 rounds=656000
See SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS in /etc/login.defs, and man pam_unix.
Existing hashes are only upgraded when the password is next changed. To rehash one account right away with an explicit round count (e.g. 656000 as above):
sudo chpasswd -s <rounds> -c SHA512 <<< username:password; history -c
The here-string passes the password on stdin, not on the command line, so it is not visible in the process list; history -c then clears the shell's in-memory history. If the shell writes history as it goes (for example PROMPT_COMMAND='history -a'), the line is already on disk: in that case run sudo chpasswd -s <rounds> -c SHA512 without a here-string and type username:password followed by Ctrl-D.
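Raising the round count in PAM does nothing for accounts whose hash was created earlier, so the thing to check after the change is what is actually in /etc/shadow. As an added example, not from the original notes, the function below reports the algorithm and round count of every shadow entry and flags the weak ones: sha512crypt/sha256crypt below a chosen minimum, md5crypt and traditional DES, and empty passwords. The shadow lines in the test are constructed (fake salts and digests). The `$y$` yescrypt identifier is what current Debian and Ubuntu releases produce by default; its cost lives in the parameter field, not in a rounds= value.

```shell
#!/bin/bash
# Added example: hash-strength audit of a shadow-format file (not from the original notes).

# shadow_audit SHADOW_FILE MIN_ROUNDS
# Prints "user algorithm rounds status" per entry; status is ok, locked or WEAK.
# Returns 1 if any entry is WEAK, 0 otherwise.
#   $6$ / $5$  sha512crypt / sha256crypt, 5000 rounds unless rounds=N is present
#   $y$ / $7$  yescrypt / scrypt: cost is encoded in the parameter field
#   $1$, DES   md5crypt and traditional DES (no "$" at all): always WEAK
shadow_audit() {
    awk -F: -v min="$2" '
    {
        user = $1; h = $2
        if (h == "") { print user, "none", "-", "WEAK"; weak = 1; next }
        if (h ~ /^[!*]/) { print user, "-", "-", "locked"; next }
        n = split(h, p, "[$]")          # p[2] = hash id, p[3] = rounds=N or salt
        if (n < 3) { print user, "descrypt", "-", "WEAK"; weak = 1; next }
        id = p[2]
        if (id == "6" || id == "5") {
            algo = (id == "6") ? "sha512crypt" : "sha256crypt"
            rounds = (p[3] ~ /^rounds=/) ? substr(p[3], 8) + 0 : 5000
            status = (rounds >= min) ? "ok" : "WEAK"
        } else if (id == "y" || id == "7") {
            algo = (id == "y") ? "yescrypt" : "scrypt"; rounds = "-"; status = "ok"
        } else if (id == "1") {
            algo = "md5crypt"; rounds = "-"; status = "WEAK"
        } else {
            algo = "unknown(" id ")"; rounds = "-"; status = "WEAK"
        }
        if (status == "WEAK") weak = 1
        print user, algo, rounds, status
    }
    END { exit (weak ? 1 : 0) }' "$1"
}

# Typical use (as root): shadow_audit /etc/shadow 100000
```

Accounts reported as WEAK need a password change (or chpasswd as above) before the new rounds setting has any effect on them; locked entries are the system accounts and need no action.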
Account lockout after failed logins
- /etc/pam.d/common-auth
auth required pam_tally2.so onerr=fail deny=3 unlock_time=900 root_unlock_time=900 file=/var/log/tallylog
Reset the counter of a locked account:
pam_tally2 --file /var/log/tallylog --reset --user root
pam_tally2 was removed in Linux-PAM 1.5.0, so on current Debian/Ubuntu releases use pam_faillock.so instead, managed with faillock:
faillock --user aaronkilik            # show the failures recorded for one user
faillock --user aaronkilik --reset    # clear one user
faillock --reset                      # clears all authentication failure records
pam_faildelay.so adds a fixed delay after each failed authentication, which slows online guessing without locking anyone out.
Bootloader
chown root:root /boot/grub2/grub.cfg
chmod og-rwx /boot/grub2/grub.cfg
(/boot/grub2/grub.cfg is the RHEL path; on Debian/Ubuntu the file is /boot/grub/grub.cfg)
Time synchronization
Set the following restrict parameters in /etc/ntp.conf. On Debian, systemd-timesyncd (configured in /etc/systemd/timesyncd.conf) is a client-only alternative that serves no time to anyone, so it has nothing to restrict.
- /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
- /etc/ntp.conf
Also make sure /etc/ntp.conf has an NTP server specified:
server <ntp-server>
IP forwarding
Set net.ipv4.ip_forward = 0 in /etc/sysctl.conf, then change the running kernel to match:
/sbin/sysctl -w net.ipv4.ip_forward=0
/sbin/sysctl -w net.ipv4.route.flush=1
Skip this on a host that routes, e.g. one running Docker: the Docker daemon turns ip_forward back on when it starts.
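The two kernel settings on this page (kernel.yama.ptrace_scope above and net.ipv4.ip_forward here) are both the kind that quietly revert: one at reboot if it was only echoed into /proc, the other when a daemon such as Docker rewrites it. As an added example, not from the original notes, the script below maps sysctl key names onto /proc/sys paths, compares the live values with the expected ones, and emits a sysctl.d fragment for persistence. The list of expected values and the /etc/sysctl.d file name are assumptions; the test points the checker at a constructed fake /proc/sys tree.

```shell
#!/bin/bash
# Added example: sysctl drift check and persistent fragment (not from the original notes).

# sysctl_drift SYSROOT key=value...
# SYSROOT is /proc/sys on a live host (the test uses a fake tree). Prints one
# line per mismatch or missing key; returns 1 if anything drifted, 0 otherwise.
# The key -> path mapping replaces every "." with "/", which is correct for
# keys whose components contain no dots; for a VLAN interface such as eth0.100
# sysctl(8) spells the key net.ipv4.conf.eth0/100.rp_filter, which this helper
# does not handle. Multi-value keys (e.g. ip_local_port_range, tab separated)
# would also need normalising before comparison; the keys used here are scalars.
sysctl_drift() {
    local root=$1 rc=0 kv key want path have
    shift
    for kv in "$@"; do
        key=${kv%%=*}; want=${kv#*=}
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            printf '%s MISSING (expected %s)\n' "$key" "$want"; rc=1; continue
        fi
        have=$(head -n 1 "$path")
        if [ "$have" != "$want" ]; then
            printf '%s current=%s expected=%s\n' "$key" "$have" "$want"; rc=1
        fi
    done
    return $rc
}

# sysctl_fragment key=value...  -> sysctl.conf syntax on stdout
sysctl_fragment() {
    local kv
    for kv in "$@"; do printf '%s = %s\n' "${kv%%=*}" "${kv#*=}"; done
}

# Typical use (assumed file name):
#   WANT="kernel.yama.ptrace_scope=3 net.ipv4.ip_forward=0"
#   sysctl_fragment $WANT > /etc/sysctl.d/90-hardening.conf && sysctl --system
#   sysctl_drift /proc/sys $WANT     # e.g. from cron; non-zero exit = something reset a value
```

Running the drift check from cron rather than trusting the fragment catches the Docker case: the fragment is still correct, but the running kernel no longer matches it.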
cron / at
chown root:root /etc/cron.d
chmod og-rwx /etc/cron.d

rm /etc/at.deny
touch /etc/at.allow
chown root:root /etc/at.allow
chmod og-rwx /etc/at.allow
With /etc/at.allow present and empty, only root can use at; add a user per line to allow anyone else.
Default umask
Edit /etc/bashrc (Debian: /etc/bash.bashrc) and /etc/profile.d/cis.sh (and the equivalent files for any other shell supported on the system) and set the UMASK parameter as shown, or set it through PAM with pam_umask:
umask 027
No version information in the following files
- /etc/motd
- /etc/issue
- /etc/issue.net
systemd service
/lib/systemd/system/wsl-pro.service
[Unit]
Description=Bridge to Ubuntu Pro agent on Windows
ConditionVirtualization=wsl

[Service]
Type=notify
ExecStart=/usr/libexec/wsl-pro-service -vv
Restart=always
RestartSec=2s

# Some daemon restrictions
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=true
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
# Only permit system calls used by common system services, excluding any special purpose calls
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
This unit is a usable template for sandboxing a daemon, but note that it does not set ProtectSystem=strict or ProtectHome=yes, so the service can still write anywhere its user can. systemd-analyze security <unit> scores what a unit still exposes; use it to check a hardened unit before and after adding directives.
Other
apt-get install auditd
Dedicated partitions for
- /var/log
- /var/log/audit/
