This chapter indicates possible adjustments to Linux settings to increase the level of security. For the most part, these are settings that are not directly related to the D2000
Preventing information leakage through issue files
We recommend changing the "issue" and "issue.net" files to either not provide any relevant data or to provide misleading data. At the same time, we recommend including information on the authorized use of the system and possible penalties for unauthorized use of the system in these files. Example:
WARNING : Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your actions
may be monitored if unauthorized usage is suspected.
Removing directories and files that are writable by all users.
We recommend changing access rights on files and directories that are writable by all users. Files writable by all users can be found with the command
find / -perm -2 -a -type f -exec ls -ld {} \;
Removing the interactive command interpreter (shell) in the /etc/passwd file from system accounts
Most system accounts do not need an interactive command interpreter (shell) assigned. If a service or application is compromised, the attacker can use this shell with the rights under which the service was started. We recommend setting the shell to /bin/false for these accounts.
Example accounts: postgres and d2000
Note: on servers where the postgres account is used to run the PostgreSQL database within the clusterware (Corosync/Pacemaker) and to detect the database running, a shell for this account is necessary.
Creation of personalized accounts
We recommend the creation of personalized accounts for all users of the Linux server (by default only administrators are involved, as D2000 users do not need direct access to the application server by default).
Note: two other points are also related to this - disabling the direct login of the root user.
Disabling direct root login via SSH (only allow access from other accounts via sudo)
In the /etc/ssh/sshd_config file, set
PermitRootLogin no
Note: before reconfiguration, it is necessary to add the selected administrators to the wheel group (usermod -aG wheel some_account) and verify that they can execute sudo.
Disabling direct root login (disabling password)
In the /etc/shadow file, we recommend replacing the root password with an asterisk, as it is for other users (e.g. bin).
Example of a line with a changed password:
root:*:19408:0:99999:7:::
Note: before reconfiguration, it is necessary to add the selected administrators to the wheel group (usermod -aG wheel some_account) and verify that they can execute sudo.
Changed UMASK in /etc/login.defs to 027
The UMASK variable determines the rights mask and therefore the access rights of newly created files, unless these rights are explicitly specified. With the value UMASK = 022, among other things, all users have the read right enabled. There is a risk that even a user who was not explicitly authorized will be able to access sensitive information. This is especially dangerous when privileged users create files with such a setting. In such a case, there is a risk that a local attacker will gain access to information that allows them to elevate privileges. We recommend setting the more restrictive value UMASK 027.
Reducing the number of SUID/SGID programs executable by any user
We recommend reducing the number of such programs to the necessary minimum.
Example reduction for RedHat 9.1:
chmod a-st /usr/bin/chage
chmod a-st /usr/bin/gpasswd
chmod a-st /usr/bin/newgrp
chmod a-st /usr/bin/fusermount3
chmod a-st /usr/bin/pkexec
chmod a-st /usr/bin/crontab
chmod a-st /usr/bin/chfn
chmod a-st /usr/bin/at
chmod a-st /usr/bin/chsh
chmod a-st /usr/bin/fusermount
chmod a-st /usr/bin/ksu
chmod a-st /usr/libexec/sssd/ldap_child
chmod a-st /usr/libexec/sssd/proxy_child
chmod a-st /usr/libexec/sssd/selinux_child
chmod a-st /usr/libexec/cockpit-session
chmod a-st /usr/lib/polkit-1/polkit-agent-helper-1
chmod a-st /usr/sbin/userhelper
chmod a-st /usr/sbin/unix_chkpwd
chmod a-st /usr/bin/locate
chmod a-st /usr/libexec/openssh/ssh-keysign
Checking open TCP and UDP ports and the processes listening on them
We recommend checking the open ports and listening processes (with the command netstat -46npl) and then reducing the unnecessary ones. For example, on a particular server, the rpcbind.socket and rpcbind services, which were previously used to mount the NFS subsystem, were disabled.
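The checks recommended in this chapter can be collected into one read-only audit script. The following is an added example, not part of the original page or of D2000; the ROOT prefix, the function names and the "report" argument are assumptions of this example.

```sh
#!/bin/sh
# Added example: read-only audit of the settings recommended in this chapter.
# ROOT is this example's own convention: empty audits the live system (as root),
# or point it at a copy of the files.
ROOT="${ROOT:-}"

# Non-root accounts whose shell is not /bin/false or nologin; compare the
# output with the list of personalized administrator accounts.
accounts_with_shell() {
    awk -F: '$1 != "root" && $7 !~ "/(false|nologin|sync|shutdown|halt)$" {print $1 ":" $7}' \
        "$ROOT/etc/passwd"
}

# First PermitRootLogin in sshd_config; sshd uses the first value it reads.
# Include files and Match blocks are not followed here.
root_login_setting() {
    sed -e 's/#.*//' -e 's/=/ /' "$ROOT/etc/ssh/sshd_config" |
        awk 'tolower($1) == "permitrootlogin" {print tolower($2); found = 1; exit}
             END {if (!found) print "unset"}'
}

# Succeeds when root's password field in /etc/shadow starts with * or !.
root_password_locked() {
    awk -F: '$1 == "root" && $2 ~ /^[*!]/ {ok = 1} END {exit !ok}' "$ROOT/etc/shadow"
}

# UMASK value from /etc/login.defs (the last one if repeated), or "unset".
login_umask() {
    awk '$1 == "UMASK" {v = $2} END {print (v == "" ? "unset" : v)}' "$ROOT/etc/login.defs"
}

# Files writable by all users, and SUID/SGID programs, without crossing mounts.
world_writable_files() { find "${ROOT:-/}" -xdev -type f -perm -0002 2>/dev/null | sort; }
suid_sgid_files() {
    find "${ROOT:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

audit_report() {
    echo "PermitRootLogin: $(root_login_setting) (recommended: no)"
    echo "UMASK: $(login_umask) (recommended: 027)"
    root_password_locked && echo "root password: locked" || echo "root password: not locked"
    echo "Accounts with a shell:"; accounts_with_shell
    echo "World-writable files:"; world_writable_files
    echo "SUID/SGID programs:"; suid_sgid_files
}

# Run the report only when asked: sh audit.sh report
case "${1:-}" in report) audit_report ;; esac
```

On a live host the effective SSH setting, including Include files, can be confirmed with sshd -T.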
Other recommendations (from Windows Hardening section)