RedHat - EX413 Notes - Google Docs

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)

page 1 of 39
TestingEnvironment
VirtualizationHyperVisor
HostEnvironment
GuestEnvironment
Postbasicinstallationtasks
Objective1
IdentifyRedHatCommonVulnerabilitiesandExposures(CVEs)andRedHatSecurity
Advisories(RHSAs)andselectivelyupdatesystemsbasedonthisinformation
Objective2
Verifypackagesecurityandvalidity
Objective3
Identifyandemploystandardsbasedpracticesforconfiguringfilesystemsecurity,create
anduseencryptedfilesystems,tunefilesystemfeatures,andusespecificmountoptions
torestrictaccesstofilesystemvolumes.
Objective4
Configuredefaultpermissionsforusersandusespecialfilepermissions,attributes,and
accesscontrollists(ACLs)tocontrolaccesstofiles
Objective5
InstallanduseintrusiondetectioncapabilitiesinRedHatEnterpriseLinuxtomonitor
criticalsystemfiles
Objective6
Manageuseraccountsecurityanduserpasswordsecurity
Objective7
Managesystemloginsecurityusingpluggableauthenticationmodules(PAM)
Objective8
Configureconsolesecuritybydisablingfeaturesthatallowsystemstoberebootedor
poweredoffusingbootloaderpasswords
Objective9
Configuresystemwideacceptableusenotifications
Objective10
Install,configure,andmanageidentitymanagementservicesandconfigureidentity
managementclients
Objective11
Configureremotesystemloggingservices,configuresystemlogging,andmanagesystem
logfilesusingmechanismssuchaslogrotationandcompression
LogRotation
journalisacomponentofsystemdforlogging
Official Red Hat documentation on RHEL 7 can be f ound at:

https://access.redhat.com/documentation/en/redhatenterpriselinux/

page 2 of 39
journalctlisusedforviewingthejournallog
journalonlylogsinmemoryorasmallringfilein/run/log/journaltocreatepersistent
storagecreatethedirectory/var/log/journal
Objective12
Configuresystemauditingservicesandreviewauditreports
Objective13
Usenetworkscanningtoolstoidentifyopennetworkserviceportsandconfigureand
troubleshootsystemfirewalling
References


page 3 of 39
TestingEnvironment
VirtualizationHyperVisor
VirtualBox
(Version 5.0.14 r 105127 as of this writing)
HostEnvironment
(Im double dipping and working at home and at work)
Xubuntu14.04LTS
CentOS7.2
GuestEnvironment
( These might seem a little odd, but I am using this image f or DISA STIG testing too)
CentOS6.7
(As of 8March2016 the E X413 is done under v6 f or some strange r eason)
2vCPU
1.5GBRAM
18GBHarddrive
(Something of an usual or non standard layout. T his is f rom the DISA STIG)
/ ~10GiB
/boot 250MiB
/home 1GiB
/tmp 500MiB
/var 5GiB
/var/log 500MiB
/var/log/audit 275MiB
swap 500MiB
2NetworkPorts
Port1)VboxNAT
Port2)HostonlyAdapter
ServerwithGUIinstallation
+DNSNameServer
+EmailServer
+FTPServer
+FileandStorageServer
+HardwareMonitoringUtilities
+JavaPlatform
+NetworkFileSystemClient


page 4 of 39
+PerformanceTools
+C ompatibilityLibraries
+SecurityTools
Postbasicinstallationtasks
Limitthenumberofkernelstokeepto2forspacereasons
changeinstallonly_limit=2in/etc/yum.conf
EnableCentOSPlusRepo
Install/EnableEPELrepo
Install/EnableELRepo
Install/EnableVAULTRepos
This is because I started on purpose with an older version. Check http://vault.centos.org to match the version. I n this case
it was 7.1.1503
run yum disablerepos * enablerepos C7* update to update to the latest versions within the r elease.
InstallDKMS
run yum disablerepos * enablerepos C7* update to update to the latest versions within the r elease.

InstallVirtualBoxguestadditions
MAKEASNAPSHOTBEFOREYOUSTARTMESSINGAROUNDWITHTHINGS!!
SINCEIORIGINALLYSTARTEDTHISDOCUMENTUNDERTHEINCORRECT
ASSUMPTIONTHATTHISTESTWOULDBEUNDERRHEL7IWILLKEEPTHE
INFORMATIONINTACTANDDENOTETHEDIFFERENCES


page 5 of 39
Objective1
IdentifyRedHatCommonVulnerabilitiesandExposures(CVEs)
andRedHatSecurityAdvisories(RHSAs)andselectivelyupdate
systemsbasedonthisinformation
Usingy umtocheckifthereareanypackagesthatneedsecurityupdates.
# yum check-update --security
Loaded plugins: langpacks, product-id, subscription-manager
rhel-7-workstation-rpms/x86_64 | 3.4 kB 00:00:00
No packages needed for security; 0 packages available

Toupdateonlysecuritypackageswithyum
# yum update --security

Tolistallavailableerrataswithoutinstallingthem,run:
# yum updateinfo list available

Tolistallavailablesecurityupdateswithoutinstallingthem,run:
# yum updateinfo list security all
or
# yum updateinfo list sec
Togetalistofthec urrentlyinstalledsecurityupdatesthiscommandcanbeused:
# yum updateinfo list security installed

Tolistallavailablesecurityupdateswithverbosedescriptionsoftheissuestheyapply
to:
# yum info-sec

Runthefollowingcommandtodownloadanda pplyallavailablesecurityupdatesfrom
RedHatNetworkhostedorRedHatNetworkSatellite:
# yum -y update --security
NOTE: I t will install the last version available of any package with at least one security errata thus can install nonsecurity
erratas if they provide a more updated version of the package.


page 6 of 39

Toonlyinstallthepackagesthathaveasecurityerratause
# yum update-minimal --security -y
yumsecurityalsoallowsinstallingsecurityupdatesbasedontheC
VEreferenceofthe
issue.
ToinstallasecurityupdateusingaCVEreferencerun:
# yum update --cve <CVE>
Forexample:
# yum update --cve CVE-2008-0947

Viewingavailableadvisoriesbyseverities:
# yum updateinfo list
This system is receiving updates from RHN Classic or RHN Satellite.
RHSA-2014:0159 Important/Sec. kernel-headers-2.6.32-431.5.1.el6.x86_64
RHSA-2014:0164 Moderate/Sec. mysql-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec. mysql-devel-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec. mysql-libs-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec. mysql-server-5.1.73-3.el6_5.x86_64
RHBA-2014:0158 bugfix nss-sysinit-3.15.3-6.el6_5.x86_64
RHBA-2014:0158 bugfix nss-tools-3.15.3-6.el6_5.x86_64

Ifyouwanttoapplyonlyonespecificadvisory:
# yum update --advisory=RHSA-2014:0159
However,ifyouwouldliketoknowmoreinformationaboutthisadvisorybefore
toapplyit:
# yum updateinfo RHSA-2014:0159

Formorecommandsconsultthemanualpagesofy umsecuritywith
# man yum-security


page 7 of 39
Objective2
Verifypackagesecurityandvalidity
TheYumpackagemanagerallowsforanautomaticverificationofallpackagesitinstalls
orupgrades.g pgcheckisenabledbydefault,localpkg_gpgcheckisNOT.Toconfigure
thisoptiononyoursystem,makesuretheg pgcheckandlocalpkg_gpgcheck
configurationdirectivesaresetto1inthe/ etc/yum.conf configurationfile.
# grep gpgcheck /etc/yum.conf
gpgcheck=1
localpkg_gpgcheck=1
**NOTE** T hese can be overridden in the /etc/repos.d/<repo>.conf f iles!!!

Usethefollowingcommandtomanuallyverifypackagefilesonyourfilesystem:
# rpmkeys --checksig package_file.rpm

Checkpackagescriptsandtriggers
# rpm -qp --scripts /home/userx/Downloads/my-awesome-application-1.2.rpm

CheckGPGkeysignatures
# rpm -K /home/userx/Downloads/my-awesome-application-1.1.rpm

# rpm -vvK /home/userx/Downloads/my-awesome-application-1.1.rpm

ToverifyRedHatpackages,youmustimporttheRedHatGPGkey.
# rpm --import /usr/share/rhn/RPM-GPG-KEY

TodisplayalistofallkeysinstalledforRPMverification
# rpm -qa gpg-pubkey*
FortheRedHatkey,theoutputincludes:
gpg-pubkey-db42a60e-37ea5438

Todisplaydetailsaboutaspecifickey
# rpm -qi gpg-pubkey-db42a60e-37ea5438


page 8 of 39

VerifyRPMs
rpmqfcanbeusedtodeterminewhatpackageafilebelongsto
# rpm -qf /etc/passwd
setup-2.5.58-7.el5
rpmV<package>willverifythesettings
# rpm -V setup-2.5.58-7.el5
.M...... c /etc/passwd
S.5....T c /etc/printcap
VerifyCodeMatrix
S File size diers.
M File mode diers (includes permissions and file type).
5 The MD5 checksum diers.
D The major and minor version numbers dier on a device file.
L A mismatch occurs in a link.
U The file ownership diers.
G The file group owner diers.
T The file time (mtime) diers.
Otheryumtricksandtips
Listpackagesandwhatrepostheyarepartof:
# yum --showduplicates list httpd | expand
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirror.atlanticmetro.net
* centosplus: mirror.atlanticmetro.net
* elrepo: mirror.symnds.com
* epel: mirror.cogentco.com
* extras: mirror.rackspace.com
* updates: mirror.symnds.com
Installed Packages
httpd.x86_64 2.4.6-40.el7.centos @base
Available Packages
httpd.x86_64 2.4.6-40.el7.centos base


page 9 of 39
Toautomaticallyremoveunneededdependencieswhenapackageisremoved,set
thisinthe/etc/yum.conf:clean_requirements_on_remove to1
# grep -i clean_requirements_on_remove /etc/yum.conf
clean_requirements_on_remove=1
Limitthenumberofinstallonlypackage.Usuallyforlimitingthenumberof
kernelsinstalled.Defaultis3
# grep installonly_limit /etc/yum.conf
installonly_limit=2


page 10 of 39
Objective3
Identifyandemploystandardsbasedpracticesforconfiguringfile
systemsecurity,createanduseencryptedfilesystems,tunefilesystem
features,andusespecificmountoptionstorestrictaccesstofilesystem
volumes.
Multiplepartitions
/tmptemporarystorageforusers.
shouldhave1777permissions(worldread/write/executew/StickyBit)
nodev,nosuid,&noexec mountoptionsshouldbesetin/etc/fstab
# grep tmp /etc/fstab
/dev/mapper/centos-tmp /tmp xfs nodev,nosuid,noexec 1 2
/vartemporarydynamicstorageforsystemservices
/var/tmp
shouldbeboundto/tmp.Linkisunbreakableandinheritssecurityfrom
/tmpandshouldprevent/ varfromfillingupandcausingissues
# grep /tmp /etc/fstab | grep var
/tmp /var/tmp none bind 0 0

/var/logsystemstorageforlogdata
# grep /tmp /etc/fstab | grep var
/tmp /var/tmp none bind 0 0
/var/log/auditsystemstorageforauditlogdata
# grep /audit /etc/fstab
/dev/mapper/centos-var_log_audit /var/log/audit xfs defaults 0 0
/homestorageforusers
nodevmountoptionshouldalsobeset
# grep /audit /etc/fstab
/dev/mapper/centos-home /home xfs nodev 0 0
anyremovablemediamountpointsshouldhaven
oexec,nodev,nosuidoptions
set
# grep <mount point> /etc/fstab


page 11 of 39
/dev/shm isatemporaryfilesystemstoredinmemory
noexec,nodev,nosuidoptionsshouldbeset
# grep shm /etc/fstab
tmpfs /dev/shm tmpfs size=6g,nodev,nosuid,noexec 0 0

Useful/etc/fstab options
nosuidpreventsfilesfrombeings etuidorsetgid
noexecpreventsprogramsfrombeingexecutedfromthepartition
nodevpreventspartitionfromhavingspecialdeviceslikeblockorcharacter
devices
rwread/write(default,implied)
roreadonly
Toremountpartitionsonrunningsystems
# mount -o remount,<options> <dir>
Disablefilesystemtypesthatarentneeded
cramfs FilesystemtypeisacompressedreadonlyLinuxfilesystem.
freevxfs FilesystemforVeritas.
js2 Logstructuredfilesystemusedinflashdevices
hfs MacOSfilesystem
hfsplus NewerMacOSfilesystem
squashfs Similartocramfs,acompressedLinuxfilesystem.
udf ISO/IEC13346andECMA167specfilesystem.
** NOTE** NEEDED TO SUPPORT WRITING DVDs and newer optical disc f ormats
Thereareafewwaystodisabletheseservices.CISsuggestsaddingaconfigfileto
/etc/modprobe.dandaddingthemodulesthere:Iusedb ad_fs.conf
Dryrunofwhatwouldhappenifthemodulewascalled
# /sbin/modprobe -n -v udf
insmod /lib/modules/3.10.0-229.20.1.el7.x86_64/kernel/lib/crc-itu-t.ko
insmod /lib/modules/3.10.0-229.20.1.el7.x86_64/kernel/fs/udf/udf.ko

Checktoseeifthemoduleisinserted
# lsmod | grep udf
Changetheoperationforloadingthemoduletothefilein
/etc/modprobe.d/bad_fs.conf


page 12 of 39
install udf /bin/false
Standardsbasedfilesystemsecurity
Stickybitshouldbesetforallpublicdirectories:Whenadirectory'sstickybitis
set,thefilesystemtreatsthefilesinsuchdirectoriesinaspecialwaysoonlythe
file'sowner,thedirectory'sowner,orr ootusercanrenameordeletethefile.
Withoutthestickybitset,anyuserwithwriteandexecutepermissionsforthe
directorycanrenameordeletecontainedfiles,regardlessofthefile'sowner.
Typicallythisissetonthe/tmpdirectorytopreventordinaryusersfromdeleting
ormovingotherusers'files.

Tofinddirectoriesthatareworldwriteablewithoutthestickybitset:
# find / -type d -perm -002 ! -perm -1000 -exec ls -ld {} ;\

Tosetwithchmod
# chmod 1777 <dir> [or] # chmod o+t <dir>

Determiningifthestickybitisset:
ifthedirectoryisnotworldexecutable(thisdirectoryis1766)
# ls -ld sticky-dir/
drwxrw-rwT, 2 root root 6 Feb 3 09:53 sticky-dir/

ifthedirectoryisworldexecutable(thisdirectoryis1777)
# ls -ld sticky-dir/
drwxrwxrwt, 2 root root 6 Feb 3 09:53 sticky-dir/
SetUIDfiles:(setUserIDuponexecution)areUnixaccessrightsflagsthat
allowuserstorunanexecutablewiththepermissionsoftheexecutable'sowner.
SetUIDpermissiononadirectoryisignored.
Tofindsetuidfilesanddirectories:
# find / -perm -4000 -exec ls -alL {} \;
SetGIDfiles(setGroupIDuponexecution)a ttributewillallowforchangingthe
groupbasedprivilegeswithinaprocess.Settingthesetgidpermissionona
directorycausesnewfilesandsubdirectoriescreatedwithinittoinherititsgroup
ID,ratherthantheprimarygroupIDoftheuserwhocreatedthefile(theowner


page 13 of 39
IDisneveraffected,onlythegroupID).Newlycreatedsubdirectoriesinheritthe
setgidbit.
Tofindsetgidfilesanddirectories:
# find / -perm -2000 -exec ls -alL {} \;

LinkControl
Topreventmalicioususersfromexploitingpotentialvulnerabilitiescausedby
unprotectedhardandsymboliclinks,RedHatEnterpriseLinux7includesa
featurethatonlyallowslinkstobecreatedorfollowedprovidedcertain
conditionsaremet.
hardlinks,oneofthefollowingneedstobetrue:
Theuserownsthefiletowhichtheylink.
Theuseralreadyhasreadandwriteaccesstothefiletowhichthey
link.
symboliclinks,processesareonlypermittedtofollowlinkswhenoutside
ofworldwriteabledirectorieswithstickybits,oroneofthefollowing
needstobetrue:
Theprocessfollowingthesymboliclinkistheownerofthe
symboliclink.
Theownerofthedirectoryisthesameastheownerofthe
symboliclink.
Thisprotectionisturnedonbydefault.Itiscontrolledbythefollowing
optionsinthe/usr/lib/sysctl.d/50-default.conffile
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

Tooverridethedefaultsettingsanddisabletheprotection,createanew
configurationfilecalled,forexample,51noprotectlinks.confinthe
/etc/sysctl.d/directorywiththefollowingcontent:
fs.protected_hardlinks = 0
fs.protected_symlinks = 0
PublicDirectoriesshouldbeuserandgroupownershipbyroot,aprivileged
systemaccount,orapplicationaccount
Thesamecommandasabovesearchesforworldwriteabledirectoriesand
displaysthepermissions.Theownershipissomewhatsubjectivebasedonthe
system,dir,etc


page 14 of 39
Tofinddirectoriesthatareworldwriteablewithoutthestickybitset:
# find /root -type d -perm -002 ! -perm -1000 -exec ls -ld {} \;
drwxrwxrw- 2 root root 6 Feb 3 09:53 /root/sticky-dir

Checkanddocumentallworldwritablefiles
# find / -type f -perm 0777 -a -exec ls -ld {} \;
Allfilesanddirectoriesshouldhavevalidowners,groups
# find / -xdev $ -nouser -o -nogroup $ -ls
51812050 0 drwxr-xr-x 2 622 root 57 Feb 3 11:28 /root/bad-directory
51807907 4 -rw-r--r-- 1 622 root 3072 Feb 3 11:27 /root/bad-directory/bad_file_1
51193533 12 -rw-r--r-- 1 root 622 12288 Feb 3 11:28 /root/bad-directory/bad_file_2
51193534 8 -rw-r--r-- 1 622 622 5120 Feb 3 11:28 /root/bad-directory/bad_file_3
Usea
idetoprovidecryptographichashes

Userhomedirectoriesshouldhavemodes0750orlesspermissive

Userhomedirectoriesshouldbeownedbytheuser
EncryptedFileSystems
shreddingapartitionwillfillthepartitionwithrandomdatatoensureno
unencrypteddataexists
# shred -v --iterations=1 /dev/luks_vg/luks_lv
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...72MiB/2.0GiB 3%
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...138MiB/2.0GiB 6%
<..snip..>
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...1.9GiB/2.0GiB 95%
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...2.0GiB/2.0GiB 100%
#
Initializethepartition
# cryptsetup --verbose --verify-passphrase luksFormat /dev/luks_vg/luks_lv

WARNING!
========
This will overwrite data on /dev/luks_vg/luks_lv irrevocably.


page 15 of 39

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Command successful.
#
Opentheencrypteddeviceandassignitsdevicename
# cryptsetup luksOpen /dev/luks_vg/luks_lv luks_home
Enter passphrase for /dev/luks_vg/luks_lv:
Checkthatitactuallyworked
# ls -al /dev/mapper/
lrwxrwxrwx. 1 root root 7 Feb 8 13:55 luks_home -> ../dm-8
lrwxrwxrwx. 1 root root 7 Feb 8 13:55 luks_vg-luks_lv -> ../dm-7
Normalcommandstoaddapartition:mkfs,mount,df,addto/etc/fstab
# mkfs.xfs /dev/mapper/luks_home
# mount /dev/mapper/luks_home /luks_home
Addthepartitionto/ etc/crypttab(thisiswhatcausesittoaskforthepassword)
<name> <volume> <options>
luks_home /dev/mapper/luks_vg/luks_vg none
Add/ChangePassphraseonExistingDevice
# cryptesetup luksAddKey /dev/luks_vg/luks_lv
RemoveaPassphrasefromanExistingDevice
#cryptsetup luksRemoveKey /dev/luks_vg/luks_lv
Verifyorcheckforencryptedpartitions:
# lsblk -l
sda1 8:1 0 250M 0 part /boot
luks_home 253:8 0 2G 0 crypt /luks_home
centos-home 253:7 0 1.5G 0 lvm /home

# blkid /dev/mapper/luks_home


page 16 of 39
/dev/mapper/luks_home: UUID="48de524a-ba17-40b1-ac14-8a9f34421a50" TYPE="xfs"

# blkid /dev/mapper/luks_vg-luks_lv
/dev/mapper/luks_vg-luks_lv: UUID="ce54eeab-ea52-4273-acef-26a400901a98"
TYPE="crypto_LUKS"
**NOTE**primarilyamanualprocess..

Checkpartitionstodetermineiftheyareencrypted
# more /etc/crypttab
Objective4
Configuredefaultpermissionsforusersandusespecialfile
permissions,attributes,andaccesscontrollists(ACLs)tocontrol
accesstofiles
FilesystemextendedAccessControlLists(ACL)
IfadefaultACLisassociatedwithadirectory,themodeparametertothe
functionscreatingfileobjectsandthedefaultACLofthedirectoryareusedto
determinetheACLofthenewobject:
1. ThenewobjectinheritsthedefaultACLofthecontaining
directoryasitsaccessACL.
2. TheaccessACLentriescorrespondingtothefilepermissionbits
aremodifiedsothattheycontainnopermissionsthatarenot
containedinthepermissionsspecifiedbythemodeparameter.
IfnodefaultACLisassociatedwithadirectory,themodeparametertothe
functionscreatingfileobjectsandthefilecreationmask(umask(2)areusedto
determinetheACLofthenewobject:
1. ThenewobjectisassignedanaccessACLcontainingentriesoftag
typesACL_USER_OBJ,ACL_GROUP_OBJ,andACL_OTHER.
Thepermissionsoftheseentriesaresettothepermissions
specifiedbythefilecreationmask.
2. TheaccessACLentriescorrespondingtothefilepermissionbits
aremodifiedsothattheycontainnopermissionsthatarenot
containedinthepermissionsspecifiedbythemodeparameter.

ACLTextForms


page 17 of 39
user
AuserACLentryspecifiestheaccessgrantedtoeitherthefile
owner(entrytagtypeACL_USER_OBJ)oraspecifieduser(entry
tagtypeACL_USER).
group
AgroupACLentryspecifiestheaccessgrantedtoeitherthefile
group(entrytagtypeACL_GROUP_OBJ)oraspecifiedgroup
(entrytagtypeACL_GROUP).
mask
AmaskACLentryspecifiesthemaximumaccesswhichcanbe
grantedbyanyACLentryexcepttheuserentryforthefileowner
andtheotherentry(entrytagtypeACL_MASK).
other
AnotherACLentryspecifiestheaccessgrantedtoanyprocess
thatdoesnotmatchanyuserorgroupACLentries(entrytagtype
ACL_OTHER).

toset:s etfacl
Granting an additional user read access
setfacl -m u:lisa:r file

Revoking write access from all groups and all named users (using the eective rights
mask)
setfacl -m m::rx file

Removing a named group entry from a file's ACL
setfacl -x g:sta file

Copying the ACL of one file to another
getfacl file1 | setfacl --set-file=- file2

Copying the access ACL into the Default ACL
getfacl --access dir | setfacl -d -M- dir
from the setfacl man page

toread:getfacl -aL
The output format of getfacl is as follows:
1: # file: somedir/
2: # owner: lisa
3: # group: sta
4: # flags: -s-


page 18 of 39
5: user::rwx
6: user:joe:rwx #eective:r-x
7: group::rwx #eective:r-x
8: group:cool:r-x
9: mask::r-x
10: other::r-x
11: default:user::rwx
12: default:user:joe:rwx #eective:r-x
13: default:group::r-x
14: default:mask::r-x
15: default:other::---

Set/Verifydefaultpermissionsforallauthenticateduserssotheycanonlyread
andmodifytheirownfiles
# grep -i umask /etc/login.defs
UMASK 077
UMASKisusuallyinafewotherplaces,like/etc/csh.cshrc,/etc/bashrc
# find /etc/ -type f -exec grep -i umask {} \; -print
Andcheckusersowndotfiles
# find /home/ -type f -exec grep -i umask {} \; -print


page 19 of 39
Objective5
InstallanduseintrusiondetectioncapabilitiesinRedHatEnterprise
Linuxtomonitorcriticalsystemfiles
AdvancedIntrusionDetectionEnvironment(AIDE)
checktoseeifitsinstalled
# rpm -q aide
package aide is not installed
# yum install aide
Installing:
aide x86_64 0.15.1-9.el7 base 129 k
InitializeAIDE
# /usr/sbin/aide --init -B database_out=file:/var/lib/aide/aide.db.gz
CheckfileintegrityagainstAIDEdatabase
# /usr/sbin/aide --check
Puttingitinacronjobmightbesmart
0 5 * * * /usr/sbin/aide --check
Additionalfilestobecheckedcanbeaddedto/etc/aide.conf
TCPWrappers
checktoseeiftheyareinstalled
# rpm -q tcp_wrappers
tcp_wrappers-7.6-77.el7.x86_64
/etc/hosts.allowvariesbynetworkconfiguration,setup,purpose,etc
Thislimitsconnectionstosshdjusttomylocalsubnet
sshd: 192.168.56.0/255.255.255.0
Thisallowsconnectionstoanythingfrommylocalsubnet
all: 192.168.56.0/255.255.255.0


page 20 of 39
/etc/hosts.deny denyeverythingeverywherethatsnotexplicitlylistedinthe
allowfile
# cat /etc/hosts.deny
ALL:ALL


page 21 of 39
Objective6
Manageuseraccountsecurityanduserpasswordsecurity
Passwordqualityisdefinedin/ etc/security/pwquality.conf
Shadowpasswordsuiteconfigurationin/ etc/login.defs
**NOTE**MostofthishasbeenmovedtoPAM
shadowfilefields
loginname
encryptedpassword
dateoflastpwchange
minimumpasswdage
maxpasswdage
passwdwarningperiod
passwdinactivityperiod
expirationdate
reserved
tocheck/etc/shadowforpasswordminimumchangeperiod(4thfield)
# awk -F: $4 >= 1 {print $1} /etc/shadow
**NOTE**DoDSTIGsays1dayminimum
chageformodifyingaccountpasswordaging
chage --list <user>willcheckpassworddefinitions
/etc/default/useraddsetsdefaultsfornewaccountcreation
INACTIVEshouldbesettosomethingotherthan1(whichisnever)
updatinguserinactivity
auditusersforpasswordinactivity,passwords,etc
# cut -d: -f1 /etc/passwd | xargs -n1 passwd -S


page 22 of 39
Objective7
Managesystemloginsecurityusingpluggableauthenticationmodules
(PAM)
PAMCrashCourse
eachapplicationshouldhaveitsownPAMs tackfile
modulesarerunintheordertheyarelistedandisimportant
stackssyntaxis
context(or type) control-flag module module options
contexttypes
auth
determineswhotheuserisandifthatuserhasavalidaccount
(authentication)
account
determineiftheuserisallowedaccess(authorization)
session
setssessionup
password
anyrulesforchangingpasswordiftheapplicationisallowedto
controlflags
sufficient
ifasufficientmodulepasses,thatsenough.Noneoftheothermodulesin
thatcontextareprocessed.Failingitdoesnotfailthecontextthough.
required
allr equiredcontrolsinacontextmustpass.Theyarealltriedsoevenif
onefailstoobscuretheexactfailureforsecurityreasons.
**NOTE** None of the required modules will be processed in a context is a sufficient module passes
requisite
basicallythesameasr equiredexceptprocessingstopsassoonasafailure
happens(thinkofitasfastfailrequired)
optional
asuccessorfailurereallyhasnoeffect.Generallyonlyusedwithsession
contexts.
modulesarerunintheordertheyarelistedandisimportant
i.e.ifasufficientmodulespassesafterar equiredfailed,accesswillstillbe
denied.


page 23 of 39
ifanapplicationcantfinditsstackfile,itfallsbackto/ etc/pam.d/other

Forcingstrongpasswords
setin/etc/pam.d/passwdfileviathep am_pwqualitymodule
/etc/security/pwquality.confsetscustomrules.
toenable,addto/ etc/pam.d/passwdfile
password required pam_pwquality.so retry=3
Rememberingpasswords,addrememberparameterin/ etc/pam.d/system-auth
password suicient pam_unix.so remember=5
AccountLocking
pam_faillockmodule
/var/run/faillockcontainslogsoffailuresperuser
toenable
addlines2and5to/ etc/pam.d/system-authand/ etc/pam.d/password-auth
1 auth required pam_env.so
2 auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
3 auth suicient pam_fprintd.so
4 auth suicient pam_unix.so nullok try_first_pass
5 auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
6 auth requisite pam_succeed_if.so uid >= 1000 quiet_success
7 auth required pam_deny.so
**NOTE** these will lock out a nonroot user after 3 tries f or 10 minutes
addbeforethefirstaccountentryonbothfiles
account required pam_faillock.so
**toincludetherootuser,adde ven_deny_rootoptiontoa uthentries

2 auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
even_deny_root
5 auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
even_deny_root
**toexcludeusersfromtherule
auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2:user3
checkingnumberoffailedloginattempts
# faillock


page 24 of 39
user1:
When Type Source
Valid
2013-03-05 11:44:14 TTY pts/0
resettingausersaccount
# faillock --user <username> --reset
Limitingroot(orotheruser)accesswithpam
**NOTE** ONLY WORKS ON PAM AWARE SERVICES ( Which most are now)
/lib/security/pam_listfile.soisthemodule
addthemoduleasarequireda uthtotheservicefilein/etc/pam.d
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/<bad users file> \
onerr=succeed
Limitingrootvia/ etc/securetty
removeallentriesexceptc onsole
enableloginmanagerstoread/etc/securetty addthefollowingline
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
to /etc/pam.d/{gdm, gdm-autologin,
gdm-fingerprint,gdm-password,gdm-smartcard,kdm,kdm-np,xdm}

Limit/Disablerootfromssh
uncomment/addto/etc/ssh/sshd_config
PermitRootLogin no

KeepingCustomersettingswithAuthConfig
checktoseeiftheauthfilesarelinks(defaultsetup)
# ls -l /etc/pam.d/{password,system}-auth
lrwxrwxrwx. 1 root root 16 Feb 1 11:13 /etc/pam.d/password-auth -> password-auth-ac
lrwxrwxrwx. 1 root root 14 Feb 1 11:13 /etc/pam.d/system-auth -> system-auth-ac
iftheauthfilesarentlinksmovethem
# mv system-auth system-auth-ac
# mv password-auth password-auth-ac


page 25 of 39
createacustomlocalfile,/ etc/pam.d/system-auth-local whichcontains

auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth include system-auth-ac
auth [default=die] pam_faillock.so authfail silent audit deny=3 unlock_time=600
account include system-auth-ac
password include system-auth-ac
session include system-auth-ac
createacustomlocalfile,/ etc/pam.d/password-auth-local whichcontains

auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth include password-auth-ac
auth [default=die] pam_faillock.so authfail silent audit deny=3 unlock_time=600
account include password-auth-ac
password include password-auth-ac
session include password-auth-ac
createnewlinks
# ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth
# ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth


page 26 of 39
Objective8
Configureconsolesecuritybydisablingfeaturesthatallowsystemstobe
rebootedorpoweredoffusingbootloaderpasswords
Bootloaderpasswords
Isitenabledalready?
BIOSmachines
# grep -i password /boot/grub2/grub.cfg
UEFImachines
# grep -i password /boot/efi/EFI/redhat/grub.cfg
Addingusers
Create/etc/grub.d/01_usersfileandaddthefollowing
cat <<EOF
set superuser="toor"
password toor insecurert
EOF
[to add more]
cat <<EOF
set superuser=toor
password toor insecuretr
password user1 insecure1
EOF
**NOTE** T his creates an UNENCRYPTED password and you should know better

Thebetterway,usingencryptedpasswords
# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is
grub.pbkdf2.sha512.10000.DCC9681CBF8FEDA5F4C9AA82BA09507CB6703A3773EC63805A25
D1C796C868B8D5ACD82843F7CB30059399633A2AB34070A231503B0180C9EF4D248FE12B5C
D6.3D1A8BB7B08E645458E8564B647353D32D2A8A7E05676F61C375F6F0727A1514B4A87A14
E94CCBD291DBFD48E301F73553168845AF9817D98AC9A455EC122F41
thenaddto/ etc/grub.d/01_users
cat <<EOF
set superusers="toor"
password_pbkdf2 toor


page 27 of 39
EOF

ALTERNATIVELYyoucanjustaddthedatatotheENDofthe
/etc/grub.d/40_customfilewithoutanyofthecatstuff.
set superusers="toor"
password_pbkdf2 toor

Rebuildgrub
OnBIOSsystems
# grub2-mkconfig -o /boot/grub2/grub.cfg
OnUEFIbasedsystems
# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
Disablegrubinteractivemode
# grep -i prompt /etc/sysconfig/init
PROMPT=no
DisableenteringSingleUserModewithoutrootpassword
# echo SINGLE=/sbin/sulogin >> /etc/sysconfig/init
DisableCTRLALTDELcombinationontheconsoleforrebooting
# systemctl mask ctrl-alt-del.target
# systemctl daemon-reload
or
# ln -s /dev/null /etc/systemd/system/ctrl-alt-del.target
Thisworksifnooneisloggedin,however,iftheuserisloggedinitworks.Thepower
buttonwillobviouslystillwork
TodisablethepowerbuttonsontheGDMloginscreen:
editorcreate/etc/dconf/db/gdm.d/00-login-screenandadd


page 28 of 39
[org/gnome/login-screen]
disable-restart-buttons=true
thenrebuildthedconfdatabase
#dconfupdate
**NOTE**W hileyouarethere,mightaswelladddisable-user-list=true so the login wont list the
users


page 29 of 39
Objective9
Configuresystemwideacceptableusenotifications
Textloginbanners
/etc/motd
theMessageOfTheDay.Thisisdisplayedafterasuccessfulloginbefore
theprompt
/etc/issue and/etc/issue.net
showntoconnectionsbeforetheloginprompt./ etc/issueisshownif
/etc/issue.netismissing.
Noneofthemshouldhavethisinformation,oranythingotherthananAcceptable
UseNotification.
\m machinearchitecture(u name -m)
\r operatingsystemrelease(u
name -r)
\s operatingsystemname
\v operatingsystemversion(uname -v)
All3shouldhavetheownedr oot:rootandmode0 644
Itsacceptabletolinkall3together.
# ls -la |grep issue.net
lrwxrwxrwx. 1 root root 9 Feb 5 11:03 issue -> issue.net
-rw-r--r--. 1 root root 67 Feb 5 11:02 issue.net
lrwxrwxrwx. 1 root root 9 Feb 5 11:03 motd -> issue.net
Configuresshdtodisplaytheacceptableusenotifications
addB anner/etc/issue.netto/ etc/ssh/sshd_configandrestartsshd
# grep ^Banner /etc/ssh/sshd_config
Banner /etc/issue.net
# systemctl restart sshd.service
**NOTE** the default sshd_config f ile has a commented out B anner entry


page 30 of 39
ConfigureabannerfortheGUIlogin
edit/create/etc/dconf/db/gdm.dandaddthefollowing
[org/gnome/login-screen]
banner-message-enable=true
banner-message-text=Authorized use only! All unauthorized users will be beaten
rebuildthedconfdbandrestartgdm
# dconf update
# systemctl restart sshd.service
IfforsomebizarrereasonyouarerunningVSFTP
Addftpd_banner=<something>to/ etc/vspd/vspd.conf
ORinsteadaddbanner_file=<file>to/ etc/vspd/vspd.conf


page 31 of 39
Objective10
Install,configure,andmanageidentitymanagementservicesand
configureidentitymanagementclients


page 32 of 39
Objective11
Configureremotesystemloggingservices,configuresystemlogging,and
managesystemlogfilesusingmechanismssuchaslogrotationand
compression
Syslogcrashcourse
syntax
FACILITY.PRIORITY
facilities
kern (0),user (1), mai l (2), daemon (3), auth (4), syslog (5), lpr (6), news (7),
uucp (8), cron (9), authpriv (10), p (11), and local0 through local7 (16 - 23)
Priorities
debug (7), info (6), notice (5), warning(4), err (3), crit (2), alert (1), and emerg (0)
SpecialcasesforbothFacilityandPriority
*isall
noneisnone
commaisusedtostack
SpecialcasesforPriority
whenaPriorityisselected,allmessagesofthatPriorityandgreaterare
logged
=beforePrioritymeanso nlythatpriorityislogged
!beforePrioritymeansthatpriorityisignored
Makesurer syslogisenabledandrunning
# systemctl is-enabled rsyslog
enabled
[if not]
# systemctl enable rsyslog
Logfilemustexistbeforer syslogcanwritetoit.
Logfilesshouldhavepermissionsof0600orlessandownedr oot:roottopreventnon
privilegedusersfrompossiblyseeingPIIorothersensitiveinformation.Check
/etc/rsyslog.confforconfiguredsystemlogfiles.


page 33 of 39
Tosendlogfilesoffsitetoaloghostaddtothe/etc/rsyslog.conf
*.* @@loghost.mysite.com
**NOTE** double @s denotes to use T CP and not UDP to send logs
TLSEncryptionforremotelogging,addto/ etc/rsyslog.conf
# certificate files - just CA for a client
$DefaultNetstreamDriverCAFile /path/to/contrib/gnutls/ca.pem

# set up the action
# use gtls netstream driver
$DefaultNetstreamDriver gtls

# require TLS for the connection
$ActionSendStreamDriverMode 1

# server is NOT authenticated
$ActionSendStreamDriverAuthMode anon

# send (all) messages
*.* @@(o)server.example.net:6514 # send (all) messages
Toreceiveremotesyslogmessages
$ModLoad imtcp.so
$InputTCPServerRun 6514
Toreceiveandsortincomingsyslogmessages
forUDP
# Define templates before the rules that use them
### Per-Host Templates for Remote Systems ###
$template TmplAuthpriv,
"/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
$template TmplMsg,
"/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
forTCP
# Provides TCP syslog reception
$ModLoad imtcp

# Adding this ruleset to process remote messages


page 34 of 39
$RuleSet remote1
authpriv.* ?TmplAuthpriv
*.info;mail.none;authpriv.none;cron.none ?TmplMsg
$RuleSet RSYSLOG_DefaultRuleset

#End the rule set byswitching back to the default rule set
$InputTCPServerBindRuleset remote1

#Define a new input and bind it to the "remote1" rule set
$InputTCPServerRun 6514
SpecialNotes/Troubleshooting
ThedefaultprotocolandportforsyslogtrafficisUDPand514,aslistedinthe
/etc/servicesfile.However,rsyslogdefaultstousingTCPonport514.Inthe
configurationfile,/etc/rsyslog.conf,TCPisindicatedby@@.
SELinuxisonlyconfiguredtoallowsendingandreceivingonthefollowingports
bydefault
# semanage port -l | grep syslog
syslogd_port_t tcp 6514, 601
syslogd_port_t udp 514, 6514, 601
Checkthatr syslogisrunningandenabled.Restartafterallchanges
# systemctl start rsyslog
# systemctl enable rsyslog
Asalways,checkthefirewall
LogRotation
/etc/logrotate.confisglobalfile
/etc/logrotate.d/islogspecificrotationfiles(andoverrideglobal)
generalconfigurationoptions
timeframe:dailyweeklymonthlyyearly
compres/nocompress
compresscmd/uncompressmd
compressext
delaycompress
rotate<#>numberofrotationsbeforelogisdeletedormailed
mail<address>emailsrotatedlog


page 35 of 39
journalisacomponentofsystemdforlogging
journalctlisusedforviewingthejournallog
journalonlylogsinmemoryorasmallringfilein/ run/log/journaltocreatepersistent
storagecreatethedirectory/ var/log/journal
configfileis/etc/systemd/journald.conf


page 36 of 39
Objective12
Configuresystemauditingservicesandreviewauditreports
packageisaudit
configurationfile/etc/audit/auditd.conf
rulesfile/etc/audit/audit.rules
Auditsystemstatus
# auditctl -s
enabled 1
flag 1
pid 667
rate_limit 0
backlog_limit 320
lost 0
backlog 0
loginuid_immutable 0 unlocked
listcurrentlyloadedrules
# auditctl -l
LIST_RULES: exit,always watch=/etc/localtime perm=wa key=time-change
LIST_RULES: exit,always watch=/etc/group perm=wa key=identity
LIST_RULES: exit,always watch=/etc/passwd perm=wa key=identity
LIST_RULES: exit,always watch=/etc/gshadow perm=wa key=identity
...
deleteallrules
# auditctl -D
No rules


page 37 of 39
defineafilesystemrule
# auditctl -w path-to-file -p permissions -k key-name
permissions
rreadaccesstoafileordirectory
wwriteaccesstoafileordirectory
xexecuteaccesstoafileordirectory
achangeinafileordirectorysattribute
keyname
optionalforhelpingtoidentifywhichruleorrulesetsgeneratedthelog
defineasystemcall
# auditctl -a action,filter -S system_call -F field=value -k key_name
action,filteriswhentheeventislogged
action
alwaysornever
filter
task
exit
user
exclude
systemcallisthesystemcallthattriggers,canbemultipleS
/usr/include/asm/unistd_64.hliststhecalls
field=value
optionalruletofilterbasedonarchitecture,gID,pID,etc
key_name
optionalforhelpingitidentifywhatruleorrulesetsgeneratedthelog

predefinedrulesetsarein/ usr/share/doc/audit-version/
tosearchauditlogs
# ausearch --start yesterday --end now -m SYSCALL -sv no -i
this r ule searches f or all f ailed system calls f rom yesterday to present
tocreateanauditreport
# aureport --login --summary -i
this generates a summary r eport of all f ailed login attempts per each system user


page 38 of 39
Objective13
Usenetworkscanningtoolstoidentifyopennetworkserviceportsand
configureandtroubleshootsystemfirewalling
listprocesseswithopenports:netstatnatp
scanTCPportsonahostnmapsT0<ipaddress>
firewalld
/etc/fiewalld
/usr/lib/firewalld/
firewallconfig(gui)
firewallcmd
permanent:doesnotimplementuntilreload,butispersistent
direct:immediateimplementation,butnotpersistent
addinterface:onlyforinterfacesnotmanagedbyNetworkManager
reload:nondisruptivereload
completereload:dropsallconnectionsandreloads
/etc/firewalld/firewalld.conf
setdefaultzones
Lockdown=yestopreventservices,ornonwhitelistservicesfrom
adding/removingrules

NetworkZones
drop
block
public
external
dmz
work
home
internal
trusted


page 39 of 39
References
RedHatSecurityGuideRHEL6
RedHatIdentityManagementGuideRHEL6
RedHatDeploymentGuideRHEL6
RedHatVirtualizationGettingStartedGuideRHEL6
DISARHEL6STIGVer1Rel10

DISARHEL7STIGDRAFT


RedHat - EX413 Notes - Google Docs

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

RedHat - EX413 Notes - Google Docs

Uploaded by

Copyright:

Available Formats

Red Hat Certificate of Expertise in Server

Hardening Notes (EX413)

Official Red Hat documentation on RHEL 7 can be f ound at:

Red Hat Certificate of Expertise in Server

Official Red Hat documentation on RHEL 7 can be f ound at:

Red Hat Certificate of Expertise in Server

Official Red Hat documentation on RHEL 7 can be f ound at:

Red Hat Certificate of Expertise in Server

Official Red Hat documentation on RHEL 7 can be f ound at:

Red Hat Certificate of Expertise in Server

install udf /bin/false

/dev/mapper/luks_home: UUID="48de524a-ba17-40b1-ac14-8a9f34421a50" TYPE="xfs"

Official Red Hat documentation on RHEL 7 can be f ound at:

Red Hat Certificate of Expertise in Server

Official Red Hat documentation on RHEL 7 can be f ound at:

Red Hat Certificate of Expertise in Server

**toincludetherootuser,adde ven_deny_rootoptiontoa uthentries

createacustomlocalfile,/ etc/pam.d/system-auth-local whichcontains

createacustomlocalfile,/ etc/pam.d/password-auth-local whichcontains

Official Red Hat documentation on RHEL 7 can be f ound at:

Red Hat Certificate of Expertise in Server

All3shouldhavetheownedr oot:rootandmode0 644

Official Red Hat documentation on RHEL 7 can be f ound at:

Red Hat Certificate of Expertise in Server

You might also like