{{tag>Brouillon Sécurité Debian}}
= GNU/Linux OS security hardening notes
See:
* [[Notes sécurité OS GNU/Linux hardening - partitions - noexec]]
* https://www.ssi.gouv.fr/uploads/2016/01/linux_configuration-fr-v1.2.pdf
* https://static.open-scap.org/ssg-guides/ssg-rhel8-guide-cis.html
* https://forum.tufin.com/support/kc/latest/Content/Suite/TufinOS_BenchmarkCIS.htm
* https://www.server-world.info/en/note?os=Debian_7.0&p=password
* https://github.com/openstack/ansible-hardening
* https://www.security-session.cz/2012/Martin_Cmelik-Hardening_Linux_Securix.pdf
* https://medium.com/thedevopsguy/wanna-harden-your-ubuntu-image-c9511f41a863
* https://github.com/florianutz/Debian9-CIS
* [[https://static.open-scap.org/ssg-guides/ssg-rhel8-guide-anssi_bp28_minimal.html|Guide to the Secure Configuration of Red Hat Enterprise Linux 8 - ANSSI-BP-028]]
See also:
* CIS (Center for Internet Security)
* https://www.cisa.gov/
* https://www.cert.ssi.gouv.fr
== Known vulnerabilities
<code bash>
apt-get install debsecan
debsecan
</code>
== Automatic updates
<code bash>
apt-get install unattended-upgrades
</code>
== File integrity scan
=== Find
Search for SUID (4000) and SGID (2000) files, excluding the binaries that are expected to carry the bit (the commented-out entries at the end are binaries whose bit is removed below):
<code bash>
find / -type f \( -perm -4000 -o -perm -2000 \) \
-not \( \
-wholename "/proc/*" \
-o -wholename "/var/lib/docker/aufs/*" \
-o -wholename /usr/bin/chage \
-o -wholename /usr/bin/newgrp \
-o -wholename /usr/bin/passwd \
-o -wholename /usr/bin/gpasswd \
-o -wholename /usr/bin/expiry \
-o -wholename /bin/su \
-o -wholename /bin/mount \
-o -wholename /bin/ping6 \
-o -wholename /bin/ping \
-o -wholename /bin/umount \
-o -wholename /sbin/unix_chkpwd \
-o -wholename /usr/bin/pumount \
-o -wholename /usr/bin/pmount \
-o -wholename /usr/bin/sudo \
-o -wholename /usr/bin/crontab \
-o -wholename /usr/bin/mlocate \
-o -wholename /sbin/mount.cifs \
-o -wholename /bin/fusermount \
-o -wholename /bin/ntfs-3g \
-o -wholename /usr/lib/dbus-1.0/dbus-daemon-launch-helper \
-o -wholename /usr/bin/at \
-o -wholename /usr/lib/eject/dmcrypt-get-device \
-o -wholename /usr/lib/utempter/utempter \
\)
# Not in the allowlist any more: the SUID/SGID bit is removed from these below
#-o -wholename /usr/bin/wall \
#-o -wholename /usr/bin/chsh \
#-o -wholename /usr/bin/ssh-agent \
#-o -wholename /usr/lib/openssh/ssh-keysign \
#-o -wholename /usr/bin/bsd-write \
#-o -wholename /usr/bin/udevil \
#-o -wholename /usr/bin/chfn \
#-o -wholename /usr/bin/dotlockfile \
#-o -wholename /usr/sbin/exim4 \
#-o -wholename /usr/bin/beep \
</code>
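As an added example (not part of this page nor of the guides linked above), the following POSIX shell script turns the one-off search above into a repeatable baseline check: it lists the SUID/SGID files under a tree and reports those absent from an allowlist file (one absolute path per line, for instance the paths of the ''-not'' clause above). The function names ''list_suid_sgid'' and ''check_suid_baseline'' and the allowlist format are this example's own choices.

```bash
#!/bin/sh
# Added example: SUID/SGID baseline check (not from the wiki page).
# Assumed interface: list_suid_sgid ROOT ; check_suid_baseline ROOT ALLOWLIST
# Allowlist format (chosen for this example): one absolute path per line.

# Print every regular file below ROOT ($1) carrying the SUID (4000) or SGID
# (2000) bit. -xdev stays on one filesystem (keeps /proc, /sys and mounted
# volumes out), so run it once per local filesystem if /usr is separate.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -not \( -path '*/proc/*' -o -path '*/var/lib/docker/*' \) \
        -print 2>/dev/null | sort
}

# Print the SUID/SGID files below ROOT ($1) that are not listed in the
# allowlist file ($2). Returns 0 when the tree matches the baseline,
# 1 when at least one unexpected file exists, 2 when the allowlist is unusable
# (an unreadable allowlist must not silently pass as "nothing found").
check_suid_baseline() {
    root=$1
    allow=$2
    if [ ! -r "$allow" ]; then
        printf 'allowlist %s is not readable\n' "$allow" >&2
        return 2
    fi
    # grep -x -F: exact, literal whole-line match; -v keeps the non-listed
    # paths. An empty allowlist matches nothing, so every finding is reported.
    unexpected=$(list_suid_sgid "$root" | grep -v -x -F -f "$allow" || true)
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Typical use: record the baseline once after installation, then re-run the
# check (e.g. from cron) and alert on a non-zero exit status:
#   list_suid_sgid / > /var/lib/suid-baseline.txt
#   check_suid_baseline / /var/lib/suid-baseline.txt
```

Every path that appears after a package upgrade and is not in the baseline is then a review item: either a legitimate new setuid helper to add to the allowlist, or a bit to drop with ''chmod u-s'' / ''chmod g-s'' as in the next section.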
Removing the SUID bit:
<code bash>
chmod u-s /usr/bin/chsh
chmod u-s /usr/bin/chfn
chmod u-s /usr/lib/openssh/ssh-keysign
chmod u-s /usr/sbin/exim4
</code>
Removing the SGID bit:
<code bash>
chmod g-s /usr/bin/dotlockfile
chmod g-s /usr/bin/ssh-agent
chmod g-s /usr/bin/wall
</code>
World-writable files and directories (excluding sticky-bit directories such as /tmp):
<code bash>
find / \( -type d -o -type f \) -not \( -wholename "/proc/*" -o -wholename "/dev/*" -o -wholename "/var/lib/docker/aufs/*" \) -perm /o=w -not -perm /o=t -ls
</code>
== Accounts
Print the ''authorized_keys'' path of every account that has a login shell (accounts whose shell is ''false'' or ''nologin'' are skipped), to check which accounts may hold SSH keys:
<code bash>
perl -a -F':' -ne '$HOMEUSER=$F[5] ; $CHAINE="$HOMEUSER/.ssh/authorized_keys\n" ; $CHAINE=~s|//|/| ; print $CHAINE unless /false$/ or /nologin$/' /etc/passwd
</code>
== sysctl
See https://www.it-connect.fr/details-durcissement-sysctl-systeme-linux/
Forbid strace (ptrace attach) through Yama:
<code bash>
echo 3 > /proc/sys/kernel/yama/ptrace_scope
</code>
Value 3 disables ptrace attach for every process and, once set, cannot be lowered again without a reboot; make it persistent with ''kernel.yama.ptrace_scope = 3'' in a file under /etc/sysctl.d/.
== Passwords
Slow login: a high round count in the password hash slows down every authentication (see ''man 3 crypt'').
Example /etc/shadow entries for the same user, with an explicit ''rounds='' parameter and without one (the default is 5000 rounds):
<code>
plop1:$6$rounds=656000$P7gp1PPaN9bdjMt/$M2xJFWCpmlTS8CkYCHOnjI1TqfhIabgkJhp4HNvHHsI3NkXYJ2vZ.OVSNpOtee3sXJQcCdcZhezlQfrHZm3fE1:18369:0:99999:7:::
plop1:$6$LCJMGXiumcpyY7nP$8t/u6oewRH.GHk94QKmN/1pZyMFCIwG4Y/JzUF/qKSVU9/U.BhG1Vm6fpYIuUaZuIJq5b6omuGJVpD9XxFisM.:18369:0:99999:7:::
</code>
https://askubuntu.com/questions/894404/how-to-increase-the-number-of-hashing-rounds-for-etc-shadow
In /etc/pam.d/common-password, add ''rounds='' to the pam_unix line (original line kept commented out):
<code>
#password [success=1 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_unix.so obscure sha512 rounds=656000
</code>
See also ''SHA_CRYPT_MIN_ROUNDS'' in /etc/login.defs (used by the shadow tools such as chpasswd) and ''man pam_unix''.
Re-hash an existing password with the new cost; ''history -c'' then removes the command, and the password in it, from the shell history:
<code bash>
# -s: number of SHA rounds, aligned here with the rounds= value set in PAM above
sudo chpasswd -s 656000 -c SHA512 <<< username:password; history -c
</code>
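The two shadow entries above differ only in their ''rounds='' parameter, which is easy to miss when reading /etc/shadow by eye. As an added example (not from this page), the shell function below audits shadow-format lines and reports accounts whose hash cost is below a threshold or whose scheme is a legacy one; the sample entries are constructed for the example, with placeholder hash bodies, and the function name and output format are this example's own.

```bash
#!/bin/sh
# Added example: audit shadow entries for weak password-hash cost.
# Not from the wiki page. Function name and output format are this example's own.

# Constructed sample in /etc/shadow format (salts and hash bodies are placeholders).
SAMPLE_SHADOW='plop1:$6$rounds=656000$saltsalt$sha512hashplaceholder:18369:0:99999:7:::
plop2:$6$saltsalt$sha512hashplaceholder:18369:0:99999:7:::
olduser:$1$saltsalt$md5hashplaceholder:18369:0:99999:7:::
legacy:abJnggxhB/yWI:18369:0:99999:7:::
newuser:$y$j9T$saltsalt$yescrypthashplaceholder:18369:0:99999:7:::
daemon:*:18369:0:99999:7:::
locked:!:18369:0:99999:7:::'

# Read shadow lines on stdin and print one line per account whose hash is
# weaker than wanted:
#   "user:rounds=N"   sha-crypt ($5$/$6$) with fewer than MIN rounds ($1);
#                     an entry without rounds= uses the crypt(3) default, 5000
#   "user:hash-id=ID" legacy scheme (traditional DES, $1$ MD5, ...)
# yescrypt ($y$, the Debian 11+ default) carries its cost in its own parameter
# block and is accepted as is.
shadow_weak_hashes() {
    awk -F: -v min="$1" '
        # No password set, or account locked: nothing to rate.
        $2 == "" || $2 ~ /^[*!]/ { next }
        # Hash without a "$id$" prefix: traditional DES crypt.
        $2 !~ /^\$/ { printf "%s:hash-id=des\n", $1; next }
        {
            split($2, f, "[$]")   # f[2] = scheme id, f[3] = "rounds=N" or the salt
            if (f[2] == "y") next
            if (f[2] != "5" && f[2] != "6") { printf "%s:hash-id=%s\n", $1, f[2]; next }
            rounds = 5000
            if (f[3] ~ /^rounds=/) rounds = substr(f[3], 8) + 0
            if (rounds < min) printf "%s:rounds=%d\n", $1, rounds
        }'
}

# Findings for the constructed sample at a 100000-round threshold.
audit_sample() {
    printf '%s\n' "$SAMPLE_SHADOW" | shadow_weak_hashes 100000
}

# Real use (as root): shadow_weak_hashes 100000 < /etc/shadow
```

Accounts reported with ''rounds='' below the threshold were hashed before the PAM change and keep their old cost until the password is changed or re-hashed with chpasswd as shown above.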
Account lockout after failed attempts (pam_tally2, in /etc/pam.d/common-auth):
<code>
auth required pam_tally2.so onerr=fail deny=3 unlock_time=900 root_unlock_time=900 file=/var/log/tallylog
</code>
Reset the counter of a user:
<code bash>
pam_tally2 --file /var/log/tallylog --reset --user root
</code>
''pam_faildelay.so'' adds a delay after each failed authentication.
On systems using pam_faillock instead of pam_tally2:
<code bash>
faillock --user aaronkilik          # show the failure records of one user
faillock --user aaronkilik --reset  # reset one user
faillock --reset                    # clears all authentication failure records
</code>
== Other CIS benchmark items
=== Bootloader
<code bash>
chown root:root /boot/grub2/grub.cfg
chmod og-rwx /boot/grub2/grub.cfg
</code>
(On Debian the file is /boot/grub/grub.cfg.)
=== NTP
Set the following restrict parameters in /etc/ntp.conf ** or use /etc/systemd/timesyncd.conf (for Debian) **:
<code>
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
</code>
Also make sure /etc/ntp.conf has an NTP server specified (a ''server'' line).
=== IP forwarding
Set the ''net.ipv4.ip_forward'' parameter to 0 in /etc/sysctl.conf, then modify the active kernel parameters to match:
<code bash>
/sbin/sysctl -w net.ipv4.ip_forward=0
/sbin/sysctl -w net.ipv4.route.flush=1
</code>
=== cron and at
<code bash>
chown root:root /etc/cron.d
chmod og-rwx /etc/cron.d
rm /etc/at.deny
touch /etc/at.allow
chown root:root /etc/at.allow
chmod og-rwx /etc/at.allow
</code>
=== umask
Edit /etc/bashrc and /etc/profile.d/cis.sh (and the appropriate files for any other shell supported on your system) and add the following umask parameter as shown ** or use PAM **:
<code bash>
umask 027
</code>
=== Banners
No version information in the following files:
* /etc/motd
* /etc/issue
* /etc/issue.net
== systemd service
Example of a unit with sandboxing directives, ''/lib/systemd/system/wsl-pro.service'':
<code ini>
[Unit]
Description=Bridge to Ubuntu Pro agent on Windows
ConditionVirtualization=wsl

[Service]
Type=notify
ExecStart=/usr/libexec/wsl-pro-service -vv
Restart=always
RestartSec=2s
# Some daemon restrictions
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=true
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
# Only permit system calls used by common system services, excluding any special purpose calls
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
</code>
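To check that other units on a host apply the same set of restrictions, here is an added example (not from this page, and not a tool of the project the unit belongs to): a shell function that reads a unit file and reports every directive from the list above that is missing or explicitly turned off. The function name, the directive list variable and the output format are this example's own; the real systemd tool for a full scoring is ''systemd-analyze security UNIT''.

```bash
#!/bin/sh
# Added example: check a systemd unit file for the sandboxing directives
# listed in the unit above. Not from the wiki page; function name and
# output format are this example's own.

# Directives expected with a non-empty value in the [Service] section.
HARDENING_DIRECTIVES='LockPersonality MemoryDenyWriteExecute NoNewPrivileges
PrivateDevices PrivateMounts PrivateTmp ProtectClock ProtectControlGroups
ProtectHostname ProtectKernelLogs ProtectKernelModules ProtectKernelTunables
RestrictNamespaces RestrictRealtime RestrictSUIDSGID SystemCallArchitectures
SystemCallFilter'

# Print one line per directive that is absent from the unit file ($1), or
# "NAME (disabled)" when it is present but set to no/false/off/0.
# Returns 0 when the unit sets every directive, 1 otherwise.
unit_missing_hardening() {
    unit=$1
    missing=0
    for d in $HARDENING_DIRECTIVES; do
        if grep -q -E "^[[:space:]]*$d=(no|false|off|0)[[:space:]]*$" "$unit"; then
            printf '%s (disabled)\n' "$d"
            missing=1
        elif ! grep -q -E "^[[:space:]]*$d=.+" "$unit"; then
            printf '%s\n' "$d"
            missing=1
        fi
    done
    return $missing
}

# Typical use over the whole system, listing units that still need work:
#   for u in /lib/systemd/system/*.service; do
#       unit_missing_hardening "$u" >/dev/null || echo "needs review: $u"
#   done
```

The check is deliberately literal (one directive per line in the unit file); drop-in overrides under /etc/systemd/system/NAME.service.d/ are not merged, so run it on the output of ''systemctl cat NAME.service'' saved to a file when overrides exist.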
== Other
<code bash>
apt-get install auditd
</code>
Dedicated partition for:
* /var/log
* /var/log/audit/