Rex Andrew

Hardening OS - Checklist


Here is the detailed Linux OS hardening checklist.



  • Create Separate Partition for /tmp

  • Set nodev option for /tmp Partition

  • Set nosuid option for /tmp Partition

  • Set noexec option for /tmp Partition

  • Create Separate Partition for /var

  • Bind Mount the /var/tmp directory to /tmp

  • Create Separate Partition for /var/log

  • Create Separate Partition for /var/log/audit

  • Create Separate Partition for /home

  • Add nodev Option to /home

  • Add nodev Option to /dev/shm Partition

  • Add nosuid Option to /dev/shm Partition

  • Add noexec Option to /dev/shm Partition

  • Set Sticky Bit on All World-Writable Directories

  • Verify CentOS GPG Key is Installed

  • Verify that gpgcheck is Globally Activated

  • Set User/Group Owner on /etc/grub.conf

  • Set Permissions on /etc/grub.conf

  • Set Boot Loader Password

  • Require Authentication for Single-User Mode

  • Disable Interactive Boot

  • Restrict Core Dumps

  • Configure ExecShield

  • Enable Randomized Virtual Memory Region Placement

  • Remove telnet-server

  • Remove telnet Clients

  • Remove rsh-server

  • Remove rsh

  • Remove NIS Client

  • Remove NIS Server

  • Remove tftp

  • Remove tftp-server

  • Remove talk

  • Remove talk-server

  • Disable chargen-dgram

  • Disable chargen-stream

  • Disable daytime-dgram

  • Disable daytime-stream

  • Disable echo-dgram

  • Disable echo-stream

  • Disable tcpmux-server

  • Set Daemon umask

  • Remove X Windows

  • Disable Avahi Server

  • Disable Print Server - CUPS

  • Remove DHCP Server

  • Configure Network Time Protocol (NTP)

  • Remove LDAP

  • Disable NFS and RPC

  • Remove DNS Server

  • Remove FTP Server

  • Remove HTTP Server

  • Remove Dovecot (IMAP and POP3 services)

  • Remove Samba

  • Remove HTTP Proxy Server

  • Configure Mail Transfer Agent for Local-Only Mode

  • Install the rsyslog package

  • Activate the rsyslog Service

  • Create and Set Permissions on rsyslog Log Files

  • Configure rsyslog to Send Logs to a Remote Log Host

  • Configure logrotate

  • Disable IP Forwarding

  • Disable Send Packet Redirects

  • Disable Source Routed Packet Acceptance

  • Disable ICMP Redirect Acceptance

  • Log Suspicious Packets

  • Enable Ignore Broadcast Requests

  • Enable Bad Error Message Protection

  • Enable TCP SYN Cookies

  • Deactivate Wireless Interfaces

  • Disable IPv6 Router Advertisements

  • Disable IPv6 Redirect Acceptance

  • Verify Permissions on /etc/hosts.allow

  • Verify Permissions on /etc/hosts.deny

  • Enable IPtables

  • Enable anacron Daemon

  • Enable crond Daemon

  • Set User/Group Owner and Permission on /etc/anacrontab

  • Set User/Group Owner and Permission on /etc/crontab

  • Set User/Group Owner and Permission on /etc/cron.hourly

  • Set User/Group Owner and Permission on /etc/cron.daily

  • Set User/Group Owner and Permission on /etc/cron.weekly

  • Set User/Group Owner and Permission on /etc/cron.monthly

  • Set User/Group Owner and Permission on /etc/cron.d

  • Restrict at Daemon

  • Restrict at/cron to Authorized Users

  • Set SSH Protocol to 2

  • Set LogLevel to INFO

  • Set Permissions on /etc/ssh/sshd_config

  • Disable SSH X11 Forwarding

  • Set SSH MaxAuthTries to 4 or Less

  • Set SSH IgnoreRhosts to Yes

  • Set SSH HostbasedAuthentication to No

  • Disable SSH Root Login

  • Set SSH PermitEmptyPasswords to No

  • Do Not Allow Users to Set Environment Options

  • Use Only Approved Cipher in Counter Mode

  • Set Idle Timeout Interval for User Login

  • Limit Access via SSH

  • Set SSH Banner

  • Upgrade Password Hashing Algorithm to SHA-512

  • Set Password Creation Requirement Parameters Using pam_cracklib

  • Set Lockout for Failed Password Attempts

  • Limit Password Reuse

  • Restrict Access to the su Command

  • Set Password Expiration Days

  • Set Password Change Minimum Number of Days

  • Set Password Expiring Warning Days

  • Disable System Accounts

  • Set Default Group for root Account

  • Set Default umask for Users

  • Lock Inactive User Accounts

  • Set Warning Banner for Standard Login Services

  • Remove OS Information from Login Warning Banners

  • Set GNOME Warning Banner

  • Verify Permissions on /etc/passwd

  • Verify Permissions on /etc/shadow

  • Verify Permissions on /etc/gshadow

  • Verify Permissions on /etc/group

  • Verify User/Group Ownership on /etc/passwd

  • Verify User/Group Ownership on /etc/shadow

  • Verify User/Group Ownership on /etc/gshadow

  • Verify User/Group Ownership on /etc/group

  • Find Un-owned Files and Directories

  • Find Un-grouped Files and Directories

  • Find SUID System Executables

  • Find SGID System Executables

  • Ensure Password Fields are Not Empty

  • Verify No Legacy + Entries Exist in /etc/passwd File

  • Verify No Legacy + Entries Exist in /etc/shadow File

  • Verify No Legacy + Entries Exist in /etc/group File

  • Verify No UID 0 Accounts Exist Other Than root

  • Ensure root PATH Integrity

  • Check Permissions on User Home Directories

  • Check User Dot File Permissions

  • Check Permissions on User .netrc Files

  • Check for Presence of User .rhosts Files

  • Check Groups in /etc/passwd

  • Check That Users Are Assigned Valid Home Directories

  • Check User Home Directory Ownership

  • Check for Duplicate UIDs

  • Check for Duplicate GIDs

  • Check for Duplicate User Names

  • Check for Duplicate Group Names

  • Check for Presence of User .netrc Files

  • Check for Presence of User .forward Files
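As an added example, not from the original checklist and not the CIS benchmark's own audit tooling, the POSIX shell helper below audits a handful of the controls listed above: the nodev/nosuid/noexec mount options for /tmp, /home and /dev/shm, the /var/tmp bind mount, the sshd_config directives (Protocol, LogLevel, X11Forwarding, MaxAuthTries, IgnoreRhosts, HostbasedAuthentication, PermitRootLogin, PermitEmptyPasswords, PermitUserEnvironment, Banner) and the network sysctl settings. It works on configuration text rather than on the live host so it can run offline; the embedded fstab, sshd_config and sysctl.conf contents are constructed samples, and the helper names and expected values are assumptions chosen to illustrate the checks.

```shell
#!/bin/sh
# Added audit helper (example code, not part of the checklist or of CIS tooling).
# It parses configuration TEXT so it can be exercised offline; on a real host
# you would pass "$(cat /etc/fstab)" etc. All sample inputs are CONSTRUCTED.

# fstab_has_opts FSTAB_TEXT MOUNTPOINT OPT1,OPT2,...
# Succeeds only if the non-comment fstab entry for MOUNTPOINT lists every option.
fstab_has_opts() {
    entry=$(printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print; exit }')
    [ -n "$entry" ] || return 1                      # no entry: not a separate mount
    opts=$(printf '%s\n' "$entry" | awk '{ print $4 }')
    for opt in $(printf '%s' "$3" | tr ',' ' '); do
        case ",$opts," in
            *",$opt,"*) ;;                           # option present
            *) return 1 ;;                           # option missing
        esac
    done
    return 0
}

# sshd_value SSHD_CONFIG_TEXT KEYWORD
# Prints the first value of KEYWORD; sshd honours the first occurrence and
# keywords are case-insensitive, so the lookup mirrors that.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }'
}

# sysctl_value SYSCTL_TEXT KEY -- prints the value of KEY from "key = value" lines.
sysctl_value() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
        $1 == key { print $2; exit }'
}

# check LABEL EXPECTED ACTUAL -- prints one PASS/FAIL line and counts failures.
check() {
    if [ "$2" = "$3" ]; then
        echo "PASS $1"
    else
        echo "FAIL $1 (expected '$2', got '${3:-unset}')"
        fails=$((fails + 1))
    fi
}

# Constructed samples; a few controls are deliberately left unmet.
SAMPLE_FSTAB='# constructed /etc/fstab
/dev/mapper/vg-tmp   /tmp      ext4   defaults,nodev,nosuid,noexec  0 2
/dev/mapper/vg-home  /home     ext4   defaults,nodev                0 2
tmpfs                /dev/shm  tmpfs  defaults,nodev,nosuid         0 0
/tmp                 /var/tmp  none   bind                          0 0'
SAMPLE_SSHD='# constructed /etc/ssh/sshd_config
Protocol 2
LogLevel INFO
X11Forwarding yes
MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no'
SAMPLE_SYSCTL='# constructed /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1'

# run_audit -- evaluates the controls against the samples, prints one line per
# control and, last, the failure count (always exits 0 so callers can capture it).
run_audit() {
    fails=0
    for spec in '/tmp:nodev,nosuid,noexec' '/home:nodev' '/dev/shm:nodev,nosuid,noexec' '/var/tmp:bind'; do
        mp=${spec%%:*}; want=${spec#*:}
        if fstab_has_opts "$SAMPLE_FSTAB" "$mp" "$want"; then actual=ok; else actual=missing; fi
        check "mount $mp has $want" ok "$actual"
    done
    for spec in 'Protocol=2' 'LogLevel=INFO' 'X11Forwarding=no' 'MaxAuthTries=4' \
                'IgnoreRhosts=yes' 'HostbasedAuthentication=no' 'PermitRootLogin=no' \
                'PermitEmptyPasswords=no' 'PermitUserEnvironment=no' 'Banner=/etc/issue.net'; do
        key=${spec%%=*}; want=${spec#*=}
        check "sshd $key" "$want" "$(sshd_value "$SAMPLE_SSHD" "$key")"
    done
    for spec in 'net.ipv4.ip_forward=0' 'net.ipv4.conf.all.send_redirects=0' \
                'net.ipv4.conf.all.accept_source_route=0' 'net.ipv4.conf.all.accept_redirects=0' \
                'net.ipv4.icmp_echo_ignore_broadcasts=1' 'net.ipv4.tcp_syncookies=1'; do
        key=${spec%%=*}; want=${spec#*=}
        check "sysctl $key" "$want" "$(sysctl_value "$SAMPLE_SYSCTL" "$key")"
    done
    echo "$fails"
}

run_audit
```

Against the constructed samples the audit reports four failures: /dev/shm lacks noexec, X11Forwarding is yes, Banner is unset, and accept_redirects is 1. Two caveats matter when pointing this at a real host: fstab and sysctl.conf describe intent, so the live state from `mount` and `sysctl -n` should be compared as well, and for sshd the first occurrence of a keyword wins, which is why the lookup stops at the first match rather than the last.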


The file below contains the solutions for all of the above hardening items for CentOS.



Source: CIS Security Benchmarks
