Voir :
Voir aussi :
# Debian Security Analyzer: reports published security advisories that affect
# the packages currently installed on this host.
apt-get install debsecan
# Run the scan (output is meant to be reviewed, or fed to alerting).
debsecan
# Installs security updates automatically; behaviour is tuned in
# /etc/apt/apt.conf.d/50unattended-upgrades after installation.
apt-get install unattended-upgrades
Recherche de fichiers SUID (4000) et SGID (2000)
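# Setuid/setgid binaries that are expected on this baseline. Anything the find
# below prints carries the bit and is NOT in this list, so it deserves a look
# (or a chmod u-s / g-s, see the sections that follow).
expected_suid_sgid=(
  /usr/bin/chage
  /usr/bin/newgrp
  /usr/bin/passwd
  /usr/bin/gpasswd
  /usr/bin/expiry
  /bin/su
  /bin/mount
  /bin/ping6
  /bin/ping
  /bin/umount
  /sbin/unix_chkpwd
  /usr/bin/pumount
  /usr/bin/pmount
  /usr/bin/sudo
  /usr/bin/crontab
  /usr/bin/mlocate
  /sbin/mount.cifs
  /bin/fusermount
  /bin/ntfs-3g
  /usr/lib/dbus-1.0/dbus-daemon-launch-helper
  /usr/bin/at
  /usr/lib/eject/dmcrypt-get-device
  /usr/lib/utempter/utempter
  # Deliberately NOT whitelisted: several of these have the bit removed further
  # down, so they are reported again if it ever comes back. (In the original
  # one-liner these were commented out after the closing \) of the find
  # expression, where uncommenting them would have broken the command.)
  # /usr/bin/wall
  # /usr/bin/chsh
  # /usr/bin/ssh-agent
  # /usr/lib/openssh/ssh-keysign
  # /usr/bin/bsd-write
  # /usr/bin/udevil
  # /usr/bin/chfn
  # /usr/bin/dotlockfile
  # /usr/sbin/exim4
  # /usr/bin/beep
)

# Build one "-o -path <file>" pair per whitelisted path. An array keeps the
# list editable without touching the find syntax, and comments are legal here
# (they are not inside a backslash-continued command line).
exclude=()
for p in "${expected_suid_sgid[@]}"; do
  exclude+=(-o -path "$p")
done

# -path is the POSIX spelling of GNU find's -wholename alias.
# /proc and docker's aufs layers are skipped so pseudo-files and container
# image layers do not drown the result.
find / -type f \( -perm -4000 -o -perm -2000 \) \
  -not \( -path '/proc/*' -o -path '/var/lib/docker/aufs/*' "${exclude[@]}" \)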
Suppression du bit SUID
# Drop the setuid bit from these binaries. One chmod per file, so a missing
# binary does not stop the others. Functional cost to be aware of: chsh/chfn
# can then only be used by root, ssh-keysign is needed setuid for host-based
# SSH authentication, and exim4 needs it for local mail submission by users.
for bin in /usr/bin/chsh /usr/bin/chfn /usr/lib/openssh/ssh-keysign /usr/sbin/exim4; do
  chmod u-s "$bin"
done
Suppression du bit SGID
# Drop the setgid bit from these binaries, one chmod per file so a missing
# binary does not stop the others. Side effects to expect: dotlockfile may no
# longer be able to create lock files in the mail spool, wall only reaches the
# caller's own terminals, and ssh-agent loses the setgid that shields it from
# being traced by other processes of the same user.
for bin in /usr/bin/dotlockfile /usr/bin/ssh-agent /usr/bin/wall; do
  chmod g-s "$bin"
done
World-writable
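# World-writable directories and files (-perm /o=w) outside /proc, /dev and
# docker's aufs layers, listed with -ls so owner and mode are visible.
# The sticky bit only has a meaning on directories (/tmp-style: only the owner
# may delete), so it is used to exempt directories only. A world-writable
# *file* is now reported even if someone set o+t on it; the previous
# "-not -perm /o=t" applied to both types would have hidden such a file.
# -path is the POSIX spelling of GNU find's -wholename alias.
find / \( -type d -not -perm /o=t -o -type f \) \
  -not \( -path '/proc/*' -o -path '/dev/*' -o -path '/var/lib/docker/aufs/*' \) \
  -perm /o=w -ls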
# One candidate ~/.ssh/authorized_keys path per account whose login shell does
# not end in "false" or "nologin" (i.e. accounts that can actually log in).
# The path is printed whether or not the file exists; pipe the output through
# "xargs ls -l" or a test -f loop to see which keys are really present.
awk -F: '$0 !~ /(false|nologin)$/ {
  keyfile = $6 "/.ssh/authorized_keys"
  sub(/\/\//, "/", keyfile)   # a home of "/" or with a trailing slash would give "//.ssh"
  print keyfile
}' /etc/passwd
Voir https://www.it-connect.fr/details-durcissement-sysctl-systeme-linux/
Interdire strace
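# Yama ptrace scope 3: no process may use ptrace at all, neither attaching to
# a running process (strace -p, gdb -p) nor tracing a child (strace ./cmd).
# Value 3 is one-way: once set it cannot be lowered again until reboot.
# Written through sysctl like the other kernel parameters on this page; this
# only changes the running kernel, so to keep it across reboots add
# "kernel.yama.ptrace_scope = 3" to a file under /etc/sysctl.d/.
/sbin/sysctl -w kernel.yama.ptrace_scope=3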
Lenteur à la connexion
# crypt(3) documents the "$6$rounds=N$..." hash format that appears in the
# /etc/shadow entries below; a higher round count is what makes login slower.
man 3 crypt
plop1:$6$rounds=656000$P7gp1PPaN9bdjMt/$M2xJFWCpmlTS8CkYCHOnjI1TqfhIabgkJhp4HNvHHsI3NkXYJ2vZ.OVSNpOtee3sXJQcCdcZhezlQfrHZm3fE1:18369:0:99999:7::: plop1:$6$LCJMGXiumcpyY7nP$8t/u6oewRH.GHk94QKmN/1pZyMFCIwG4Y/JzUF/qKSVU9/U.BhG1Vm6fpYIuUaZuIJq5b6omuGJVpD9XxFisM.:18369:0:99999:7:::
https://askubuntu.com/questions/894404/how-to-increase-the-number-of-hashing-rounds-for-etc-shadow
#password [success=1 default=ignore] pam_unix.so obscure sha512 password [success=1 default=ignore] pam_unix.so obscure sha512 rounds=656000
Voir SHA_CRYPT_MIN_ROUNDS
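man pam_unix

# Re-hash one account's password with the same SHA-512 round count that the
# pam_unix lines on this page use (rounds=656000). The original note read
# "-s 10000 000", which chpasswd treats as an unexpected extra argument.
rounds=656000
# Credentials are read from the terminal and handed to chpasswd on stdin, so
# the password never appears on a command line (argv, ps output, shell
# history) — which also removes the need for the "history -c" that followed.
read -rp 'username: ' user
read -rsp 'password: ' pass
printf '\n'
printf '%s:%s\n' "$user" "$pass" | sudo chpasswd -c SHA512 -s "$rounds"
unset pass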
password [success=1 default=ignore] pam_unix.so obscure sha512 rounds=656000
# Account lockout after repeated authentication failures.
# PAM line (pam_tally2 has been removed from recent Linux-PAM releases;
# pam_faillock / the faillock command is its replacement):
auth required pam_tally2.so onerr=fail deny=3 unlock_time=900 root_unlock_time=900 file=/var/log/tallylog
# Reset root's failure counter after a lockout:
pam_tally2 --file /var/log/tallylog --reset --user root
# pam_faildelay adds a delay after each failed authentication.
pam_faildelay.so
# pam_faillock equivalents (example user name kept from the note): reset one
# user's records, then display them.
faillock --user aaronkilik --reset
faillock --user aaronkilik
fail --reset #clears all authentication failure records
# NOTE(review): "fail --reset" above looks truncated — presumably
# "faillock --reset" (clears the records of every user); confirm before use.
# Bootloader configuration: root-owned and unreadable/unwritable by anyone
# else, so unprivileged users cannot read boot parameters or any GRUB password
# settings. /boot/grub2/grub.cfg is the RHEL/SUSE location; Debian and Ubuntu
# keep it at /boot/grub/grub.cfg.
grub_cfg=/boot/grub2/grub.cfg
chown root:root "$grub_cfg"
chmod og-rwx "$grub_cfg"
Set the following restrict parameters in /etc/ntp.conf or use /etc/systemd/timesyncd.conf (for Debian)
restrict default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery
Set the following restrict parameters in /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery
Also, make sure /etc/ntp.conf has an NTP server specified: server <ntp-server>
Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf. Modify the active kernel parameters to match:
# Turn off IPv4 forwarding between interfaces on the running kernel, then
# flush the routing cache so the new value applies immediately (sysctl applies
# its arguments in order). Only the live kernel is touched; the /etc/sysctl.conf
# entry mentioned above is what makes it survive a reboot. IPv6 has its own
# switch (net.ipv6.conf.all.forwarding), which this line does not cover.
/sbin/sysctl -w net.ipv4.ip_forward=0 net.ipv4.route.flush=1
# /etc/cron.d holds system crontabs: root-only ownership and mode so that
# unprivileged users can neither read the scheduled jobs nor drop new ones in.
cron_d=/etc/cron.d
chown root:root "$cron_d"
chmod og-rwx "$cron_d"
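# Restrict the at(1) job scheduler: with at.allow present and at.deny absent,
# only users listed in at.allow may use at/batch (root always can). The file is
# left empty here, so nobody but root is allowed.
rm -f /etc/at.deny            # -f: the deny file may already be gone; keeps this idempotent
touch /etc/at.allow           # touch (not install or a redirect) so an existing allow list is preserved
chown root:root /etc/at.allow
chmod og-rwx /etc/at.allow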
Edit the /etc/bashrc and /etc/profile.d/cis.sh files (and the appropriate files for any other shell supported on your system) and add the following umask parameter as shown (or set it through PAM):
# New files get 640 and new directories 750: the group may read, others get
# nothing.
umask 027
Pas de version dans les fichiers suivants
/lib/systemd/system/wsl-pro.service
# wsl-pro.service, presumably quoted here as a catalogue of systemd sandboxing
# directives (the block under "Some daemon restrictions"). Note that
# ProtectSystem= and ProtectHome= are not set in this unit;
# "systemd-analyze security <unit>" scores a unit against this kind of setting.
[Unit]
Description=Bridge to Ubuntu Pro agent on Windows
ConditionVirtualization=wsl

[Service]
Type=notify
ExecStart=/usr/libexec/wsl-pro-service -vv
Restart=always
RestartSec=2s
# Some daemon restrictions
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=true
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
# Only permit system calls used by common system services, excluding any special purpose calls
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
# Linux audit daemon: records system calls and file accesses according to the
# rules loaded under /etc/audit/ once it is installed and enabled.
apt-get install auditd
Partition dédiée pour