{{tag>Debian Sécurité}}

= Debian hardening notes

See:
  * https://wiki.debian.org/Hardening
  * https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html
  * Center for Internet Security (CIS)

Known vulnerabilities in Debian:
  * https://security-tracker.debian.org/tracker/status/release/stable

See also:
  * debian-security-support
  * SUID and file permissions.
  * MAC (selinux, grsec, tomoyo, apparmor...?)
  * /etc/security/access.conf

<code>
#+:root:ALL
# Deny root logins via the network:
-:root:ALL EXCEPT LOCAL
+:admin:ALL
-:ALL:ALL
</code>

The order of the rules matters: the **first** rule that matches is applied.

== Notes

Disable the root account (as on Ubuntu):

<code bash>
# Erase the root password
passwd -d root
# Lock the account (prefixes the password hash with "!")
passwd -l root
</code>

Scan for vulnerable packages with debsecan:

<code bash>
debsecan --suite buster --format packages --only-fixed
</code>

== Debian 10

See https://www.debian.org/releases/buster/amd64/release-notes/ch-whats-new.fr.html

APT seccomp sandbox options:
  * APT::Sandbox::Seccomp
  * APT::Sandbox::Seccomp::Trap
  * APT::Sandbox::Seccomp::Allow

== Diffing Debian 7

**/etc/passwd**: shell set to /bin/false or /usr/sbin/nologin

**/etc/timezone**
> Europe/Amsterdam

**/etc/profile.d/tmout.sh**
> TMOUT=900
> readonly TMOUT
> export TMOUT

**/etc/resolv.conf**: DNS server configuration

**/etc/motd**: welcome message

**/etc/issue**: same

**/etc/issue.net**: version

**/etc/fstab**: separate partitions for /var/log and /tmp
> /tmp noexec,nosuid,nodev,bind
> /var/log nodev,nosuid
> /home nodev,nosuid
> /data nodev

**/etc/shells**: restrict valid login shells
> /bin/sh
> /bin/dash
> /bin/bash
> /bin/rbash
# NOT DONE

**/etc/hosts.deny**, **/etc/hosts.allow**: empty

**/etc/shadow**: only root and process users have a valid password
# NOT DONE

**/etc/pam.d/common-auth**: no nullok_secure

**/etc/pam.d/common-password**: cracklib set up; first lines:
> # here are the per-package modules (the "Primary" block)
> password required pam_cracklib.so retry=3 minlen=12 difok=3
> password [success=1 default=ignore] pam_unix.so obscure minlen=8 sha512 use_authtok
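Going back to the /etc/security/access.conf rules at the top of these notes: the script below is an added example (not code from the page) that evaluates them with pam_access's first-match semantics, in a simplified model (no group expansion, LOCAL taken as an origin without a dot). Run over the page's own rule set it shows that, with +:root:ALL commented out, root on a local tty is caught by the closing -:ALL:ALL line too.

```python
"""Added example (not from the original notes): a simplified pam_access
first-match evaluator for /etc/security/access.conf.
Assumptions: users matched by login name only (no group expansion),
origins matched literally, LOCAL = origin without a dot (tty or bare
host name), ALL = everything; no matching line means access is granted.
"""

# The rule set from the access.conf block at the top of these notes.
ACCESS_CONF = """\
#+:root:ALL
# Deny root logins via the network:
-:root:ALL EXCEPT LOCAL
+:admin:ALL
-:ALL:ALL
"""

def _in_list(items, value, is_local):
    """True if value is covered by one of the names in items."""
    return any(item in ("ALL", value) or (item == "LOCAL" and is_local)
               for item in items)

def _matches(field, value, is_local):
    """Match one users or origins field, honouring 'x y EXCEPT z'."""
    allowed, _, excepted = field.partition(" EXCEPT ")
    if _in_list(excepted.split(), value, is_local):
        return False
    return _in_list(allowed.split(), value, is_local)

def parse_rules(text):
    """Return (permission, users, origins) tuples, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            perm, users, origins = (p.strip() for p in line.split(":", 2))
            rules.append((perm, users, origins))
    return rules

def evaluate(rules, user, origin):
    """Permission ('+' or '-') of the first rule matching user and origin."""
    is_local = "." not in origin
    for perm, users, origins in rules:
        if _matches(users, user, False) and _matches(origins, origin, is_local):
            return perm
    return "+"  # pam_access grants access when no line matches

if __name__ == "__main__":
    rules = parse_rules(ACCESS_CONF)
    for user, origin in [("root", "tty1"), ("root", "10.0.0.7"),
                         ("admin", "10.0.0.7"), ("alice", "tty1")]:
        print(f"{user}@{origin}: {evaluate(rules, user, origin)}")
```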
**/etc/pam.d/common-session**: umask secured, last line:
> session optional pam_umask.so umask=077

**/etc/inittab**: no reboot on Ctrl-Alt-Del
# What to do when CTRL-ALT-DEL is pressed.
< ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
> #ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

**/etc/init.d/firewall**

**/etc/hostname**: hostname

**/etc/hosts**
> 127.0.0.1 localhost
> 127.0.1.1 HOSTNAME

? **/etc/ca-certificates.conf**

**/etc/security/opasswd**: for pam_cracklib
<code bash>
touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 600 /etc/security/opasswd
</code>

**/etc/rsyslog.d/bash.conf**: collect the commands logged by PROMPT_COMMAND (see /etc/bash.bashrc below)
> local6.* /var/log/commands.log

**/etc/logrotate.d/rsyslog**
> /var/log/commands.log
> {
>         rotate 4
>         weekly
>         missingok
>         notifempty
>         compress
>         delaycompress
>         sharedscripts
>         postrotate
>                 invoke-rc.d rsyslog rotate > /dev/null
>         endscript
> }

? **/etc/nsswitch.conf**

**/etc/ssh/sshd_config** (global options must come before the Match block: everything after a Match line applies only to that match)
<code>
# Not default port
Port 22092
# Prevent root login
PermitRootLogin no
# No password auth
PasswordAuthentication no
Match User UserWithUID0 Address 192.168.5.3
    PermitRootLogin yes
</code>

**/etc/default/grub**
> GRUB_CMDLINE_LINUX_DEFAULT="quiet memmap=512M\\\$1024M"

**/etc/default/cpufrequtils**
> GOVERNOR="performance"

**/etc/bash.bashrc**: change the default prompt so that every command is logged to local6 (written to /var/log/commands.log by the rsyslog rule above)
> export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'

**/etc/grub.d/40_custom**: password-protect grub
> set superusers="root"
> password root P@ssw0rd

**/etc/security/limits.conf**: change limits for the application and for performance
> process soft core unlimited
> root soft core unlimited
?
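An added example (not part of the original notes) that parses the /var/log/commands.log lines produced by the PROMPT_COMMAND in /etc/bash.bashrc above, groups them per shell session and lists the commands that failed. The line format (rsyslog traditional format, logger tagged with the login name) is an assumption and the sample lines are constructed.

```python
"""Added example (not part of the original notes): parse the
/var/log/commands.log lines produced by the PROMPT_COMMAND above.
Assumption: rsyslog uses its traditional line format and logger tags
each message with the login name. The sample lines are constructed;
note that "su -" is only logged by the calling shell once it returns.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar  3 09:12:01 vps123456 moncompte: moncompte [4321]: ls -la /etc [0]
Mar  3 09:12:20 vps123456 moncompte: moncompte [4321]: cat /etc/shadow [1]
Mar  3 09:12:36 vps123456 root: root [4390]: cat /etc/shadow [0]
Mar  3 09:15:02 vps123456 root: root [4390]: passwd -l bob [0]
Mar  3 09:15:10 vps123456 moncompte: moncompte [4321]: su - [0]
"""

# timestamp, host, logger tag, then the "user [pid]: command [rc]" payload
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): "
    r"(?P<user>\S+) \[(?P<pid>\d+)\]: (?P<cmd>.*) \[(?P<rc>\d+)\]$"
)

def parse_line(line):
    """Dict for one commands.log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"], rec["rc"] = int(rec["pid"]), int(rec["rc"])
    return rec

def records(log_text):
    return [r for r in map(parse_line, log_text.splitlines()) if r]

def sessions(log_text):
    """Group commands by (user, shell pid) so each session reads in order."""
    by_session = defaultdict(list)
    for rec in records(log_text):
        by_session[(rec["user"], rec["pid"])].append((rec["cmd"], rec["rc"]))
    return dict(by_session)

def failed_commands(log_text):
    """(user, command, rc) for every command that exited non-zero."""
    return [(r["user"], r["cmd"], r["rc"]) for r in records(log_text) if r["rc"]]

if __name__ == "__main__":
    for (user, pid), cmds in sessions(SAMPLE_LOG).items():
        print(f"{user} [{pid}]: {len(cmds)} commands, last: {cmds[-1][0]}")
    print("failed:", failed_commands(SAMPLE_LOG))
```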
**/etc/pam.d/other**
> auth required pam_securetty.so
> auth required pam_unix_auth.so
> auth required pam_warn.so
> auth required pam_deny.so
> account required pam_unix_acct.so
> account required pam_warn.so
> account required pam_deny.so
> password required pam_unix_passwd.so
> password required pam_warn.so
> password required pam_deny.so
> session required pam_unix_session.so
> session required pam_warn.so
> session required pam_deny.so

**/etc/pam.d/login**: change the per-application delay on failure to 10 seconds (the value is in microseconds)
< auth optional pam_faildelay.so delay=3000000
> auth optional pam_faildelay.so delay=10000000
????

**/etc/securetty**: restrict console access for root (NOTE: s/ttyW/ttyS/)
> console
> tty1
> tty2
> tty3
> tty4
> tty5
> tty6
> ttyW0
> ttyW1

**/etc/login.defs**: su activity is logged to a file; change the default umask
> SULOG_FILE /var/log/sulog
> UMASK 077

**/etc/ntp.conf**: NTP server configured

**/etc/sysctl.conf**: disable IPv6, disable the magic SysRq keys, prevent packet routing
> net.ipv4.conf.default.rp_filter=0
> net.ipv4.conf.all.rp_filter=0
> net.ipv4.ip_forward=0
> net.ipv4.conf.all.send_redirects = 0
> kernel.sysrq=0
> net.ipv6.conf.all.disable_ipv6=1
> net.ipv6.conf.default.disable_ipv6=1
> net.ipv6.conf.lo.disable_ipv6=1
> net.ipv6.conf.eth0.disable_ipv6=1
> net.ipv6.conf.eth1.disable_ipv6=1

**/etc/sudoers**: root password needed for privilege elevation
> Defaults rootpw

**/etc/passwd**: shells /bin/false or /usr/sbin/nologin

**/etc/pam.d/su**
# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so
auth required pam_wheel.so

sudo error notifications (mails titled "*** SECURITY information for vps123456 ***") are delivered to root: alias root's mail to a real account (root: moncompte) and rebuild the alias database with postalias.

== Other

Shell hardening. See:
  * [[https://wiki.deimos.fr/Lshell_:_limiter_les_possibilit%C3%A9s_du_shell.html|Lshell: restricting what the shell can do]]
  * /etc/shells