

Notes sécurité OS GNU/Linux hardening

Vulnérabilités connues

# debsecan reports the CVEs known to affect the package versions installed on
# this host (it fetches its data from the Debian security tracker).
apt-get install debsecan
# Run it after each upgrade, or schedule it — see its documentation for the
# periodic-report options.
debsecan

Mise à jour automatique

# Installs the package; afterwards check that APT::Periodic::Unattended-Upgrade
# is actually enabled (dpkg-reconfigure unattended-upgrades writes the
# /etc/apt/apt.conf.d/20auto-upgrades snippet if it is missing).
apt-get install unattended-upgrades

Scan intégrité fichiers

Find

Recherche de fichiers SUID (4000) et SGID (2000)

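# Print every SUID/SGID regular file that is NOT in the allowlist below; anything
# printed is unexpected and should be reviewed (see the chmod u-s / g-s steps).
# -prune skips /proc and docker's aufs layers instead of walking them and
# filtering afterwards; -path is the POSIX spelling of GNU's -wholename.
# NOTE(review): on a merged-/usr system /bin is a symlink, so su, mount, ping…
# are found as /usr/bin/su etc. and no longer match the /bin/* entries — adapt
# the allowlist to the host.
find / \( -path /proc -o -path /var/lib/docker/aufs \) -prune -o \
  -type f \( -perm -4000 -o -perm -2000 \) \
  -not \( \
    -path /usr/bin/chage \
    -o -path /usr/bin/newgrp \
    -o -path /usr/bin/passwd \
    -o -path /usr/bin/gpasswd \
    -o -path /usr/bin/expiry \
    -o -path /bin/su \
    -o -path /bin/mount \
    -o -path /bin/ping6 \
    -o -path /bin/ping \
    -o -path /bin/umount \
    -o -path /sbin/unix_chkpwd \
    -o -path /usr/bin/pumount \
    -o -path /usr/bin/pmount \
    -o -path /usr/bin/sudo \
    -o -path /usr/bin/crontab \
    -o -path /usr/bin/mlocate \
    -o -path /sbin/mount.cifs \
    -o -path /bin/fusermount \
    -o -path /bin/ntfs-3g \
    -o -path /usr/lib/dbus-1.0/dbus-daemon-launch-helper \
    -o -path /usr/bin/at \
    -o -path /usr/lib/eject/dmcrypt-get-device \
    -o -path /usr/lib/utempter/utempter \
  \) -print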
 
        #-o -wholename /usr/bin/wall                    \
        #-o -wholename /usr/bin/chsh                    \
        #-o -wholename /usr/bin/ssh-agent               \
        #-o -wholename /usr/lib/openssh/ssh-keysign     \
        #-o -wholename /usr/bin/bsd-write               \
        #-o -wholename /usr/bin/udevil                  \
        #-o -wholename /usr/bin/chfn                    \
        #-o -wholename /usr/bin/dotlockfile             \
        #-o -wholename /usr/sbin/exim4                  \
        #-o -wholename /usr/bin/beep                    \

Suppression du bit SUID

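# Drop the setuid bit from binaries this host does not need to run as root.
# Paths that are not installed are skipped, so a missing package (e.g. exim4)
# does not stop the run. A later package upgrade may restore the bit; on
# Debian, dpkg-statoverride records the override so dpkg keeps it.
for bin in /usr/bin/chsh /usr/bin/chfn /usr/lib/openssh/ssh-keysign /usr/sbin/exim4; do
  if [ -e "$bin" ]; then
    chmod u-s -- "$bin"
  fi
done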

Suppression du bit SGID

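# Drop the setgid bit from binaries this host does not need running with a
# privileged group. Missing paths are skipped rather than aborting the run;
# as with u-s above, a package upgrade may restore the bit unless the
# override is recorded (dpkg-statoverride on Debian).
for bin in /usr/bin/dotlockfile /usr/bin/ssh-agent /usr/bin/wall; do
  if [ -e "$bin" ]; then
    chmod g-s -- "$bin"
  fi
done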

World-writable (fichiers et répertoires modifiables par tous)

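# List world-writable files and directories (-perm /o=w) that do not carry the
# sticky bit (-not -perm /o=t, which keeps /tmp-style directories out), with
# ls-style detail. /proc, /dev and docker's aufs layers are pruned rather than
# walked and filtered afterwards; -path is the POSIX spelling of -wholename.
find / \( -path /proc -o -path /dev -o -path /var/lib/docker/aufs \) -prune -o \
  \( -type d -o -type f \) -perm /o=w -not -perm /o=t -ls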

Comptes

# Print the expected ~/.ssh/authorized_keys path of every /etc/passwd account
# whose line does not end in "false" or "nologin", i.e. accounts with a login
# shell. $F[5] is the home-directory field; s|//|/| collapses the double slash
# produced when the home is "/". Paths are printed whether or not the file
# exists, so each one still has to be checked. Only /etc/passwd is read —
# accounts served by NSS (LDAP, etc.) are not covered.
perl -a -F':' -ne '$HOMEUSER=$F[5] ; $CHAINE="$HOMEUSER/.ssh/authorized_keys\n" ; $CHAINE=~s|//|/| ; print $CHAINE unless /false$/ or /nologin$/' /etc/passwd

sysctl

Voir https://www.it-connect.fr/details-durcissement-sysctl-systeme-linux/

Interdire strace

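# Yama ptrace_scope=3 forbids ptrace attach for every process, root included,
# and the kernel does not let the value be lowered again without a reboot —
# set it deliberately. Writing the /proc entry only lasts until reboot, so the
# setting is also persisted under /etc/sysctl.d (the file name is a local
# choice made here).
sysctl -w kernel.yama.ptrace_scope=3
printf 'kernel.yama.ptrace_scope = 3\n' > /etc/sysctl.d/99-ptrace-scope.conf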

Mot de passe

Lenteur à la connexion

man 3 crypt

/etc/shadow
plop1:$6$rounds=656000$P7gp1PPaN9bdjMt/$M2xJFWCpmlTS8CkYCHOnjI1TqfhIabgkJhp4HNvHHsI3NkXYJ2vZ.OVSNpOtee3sXJQcCdcZhezlQfrHZm3fE1:18369:0:99999:7::: 

plop1:$6$LCJMGXiumcpyY7nP$8t/u6oewRH.GHk94QKmN/1pZyMFCIwG4Y/JzUF/qKSVU9/U.BhG1Vm6fpYIuUaZuIJq5b6omuGJVpD9XxFisM.:18369:0:99999:7:::

https://askubuntu.com/questions/894404/how-to-increase-the-number-of-hashing-rounds-for-etc-shadow

/etc/pam.d/common-password
#password       [success=1 default=ignore]      pam_unix.so obscure sha512
password        [success=1 default=ignore]      pam_unix.so obscure sha512 rounds=656000

Voir SHA_CRYPT_MIN_ROUNDS

man pam_unix
 
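# chpasswd reads "user:password" lines on stdin, so the secret never appears in
# argv (visible via ps). Reading it from a silent prompt instead of a here-string
# typed on the command line keeps it out of the shell history, which is why the
# original needed "history -c". -s sets the SHA-crypt rounds and must be a
# single number: the original "-s 10000 000" was split into two arguments;
# 656000 matches the rounds= value used for pam_unix on this page.
printf 'username: '
read -r user
read -r -s -p 'password: ' pass
printf '\n'
printf '%s:%s\n' "$user" "$pass" | sudo chpasswd -c SHA512 -s 656000
unset pass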
/etc/pam.d/common-password
password        [success=1 default=ignore]      pam_unix.so obscure sha512 rounds=656000
auth required pam_tally2.so onerr=fail deny=3 unlock_time=900 root_unlock_time=900 file=/var/log/tallylog

# Clear the failed-login counter kept by pam_tally2 for root, in the tally file
# named in the pam_tally2 line above, so a locked-out root account is usable
# again.
pam_tally2 --file /var/log/tallylog --reset --user root

pam_faildelay.so
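# faillock counterpart of the pam_tally2 reset above (pam_faillock replaces
# pam_tally2 on newer systems). "aaronkilik" is the example account from the
# original tutorial — substitute the real user name.
faillock --user aaronkilik --reset   # clear the failure records of one user
faillock --user aaronkilik           # show the failure records of one user
faillock --reset                     # clear all authentication failure records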
# Make the bootloader configuration readable and writable by root only, so
# other users cannot read boot parameters or alter them. /boot/grub2/grub.cfg
# is the RHEL-family path; on Debian the file is /boot/grub/grub.cfg.
chown root:root /boot/grub2/grub.cfg
chmod og-rwx /boot/grub2/grub.cfg

Set the following restrict parameters in /etc/ntp.conf or use /etc/systemd/timesyncd.conf (for Debian)

/etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

Set the following restrict parameters in /etc/ntp.conf

/etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
/etc/ntp.conf
Also, make sure /etc/ntp.conf has an NTP server specified
server <ntp-server>

Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf, then modify the active kernel parameters to match:

# Apply the change to the running kernel: disable IPv4 forwarding, then flush
# the route cache so the new setting takes effect immediately. These commands
# do not survive a reboot — the persistent value goes in /etc/sysctl.conf as
# the text above says.
/sbin/sysctl -w net.ipv4.ip_forward=0
/sbin/sysctl -w net.ipv4.route.flush=1
# Restrict the cron.d drop-in directory to root so unprivileged users cannot
# read or add system cron jobs.
chown root:root /etc/cron.d
chmod og-rwx /etc/cron.d
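# Restrict "at" to an explicit allowlist: once /etc/at.allow exists, at.deny is
# ignored, and an empty at.allow lets no ordinary user schedule jobs. Add the
# user names that genuinely need at to that file.
rm -f -- /etc/at.deny   # -f: an absent at.deny is not an error
touch /etc/at.allow
chown root:root /etc/at.allow
chmod og-rwx /etc/at.allow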

Edit the /etc/bashrc and /etc/profile.d/cis.sh files (and the appropriate files for any other shell supported on your system) and add the following umask setting, or enforce it through PAM:

# 027: new files are created rw-r----- and directories rwxr-x--- — no write
# for the group and nothing for others.
umask 027

Pas de version dans les fichiers suivants

  • /etc/motd
  • /etc/issue
  • /etc/issue.net

Autre

# Install the Linux audit daemon; its rules (what is recorded) still have to be
# configured, and its log directory is listed below as a dedicated partition.
apt-get install auditd

Partition dédiée pour

  • /var/log
  • /var/log/audit/