In this post we ll lock down the server even more, adding google authenticator and auditd.

Size: px

Start display at page:

Download "In this post we ll lock down the server even more, adding google authenticator and auditd."

Derek Hudson
9 years ago
Views:

1 1 of 7 12/1/2014 1:14 PM This is some sort of part two of Creating a baseline Ubuntu server ( a baseline ubuntu server/), so read that first and check back afterwards. In this post we ll lock down the server even more, adding google authenticator and auditd. Let s start with modifying /etc/login.defs: LOG_OK_LOGINS yes SULOG_FILE /var/log/sulog Set the default shell to /bin/false in both /etc/default/useradd and /etc/adduser.conf. Modify /etc/skel/.bashrc: HISTSIZE=10 HISTFILESIZE=0 Stricter /etc/fstab mount options: ~# egrep v "# swap" /etc/fstab awk '{print $2,$4}' / errors=remount ro /boot defaults,nodev,nosuid,noexec /home defaults,nodev,nosuid,noexec /usr defaults,nodev /var/log defaults,nodev,noexec /tmp defaults,nosuid,nodev,noatime,size=100m,mode=1700 /var/tmp defaults,nosuid,nodev,noatime,noexec,size=100m,mode=1700 Remove suid bits: chmod s /bin/fusermount /bin/mount /bin/su /bin/umount /usr/bin /bsd write /usr/bin/chage /usr/bin/chfn /usr/bin/chsh /usr/bin/mlocate /usr/bin/mtr /usr/bin/newgrp /usr/bin/traceroute6.iputils /usr/bin/wall Verify that all network connected services except sshd are in Apparmor enforce mode with apparmor_status verbose

Let s start with modifying /etc/login.defs: LOG_OK_LOGINS yes SULOG_FILE /var/log/sulog Set the default shell to /bin/false in both /etc/default/useradd and /etc/adduser.conf. Modify /etc/skel/.

2 2 of 7 12/1/2014 1:14 PM netstat anlp inet We ll be using the Google authenticator for two factor authentication. sudo aptitude update && sudo aptitude install libpam googleauthenticator Run google authenticator as the user with sudo. Choose Disallow multiple uses of the same authentication token, Do not increase the time window and Enable rate limiting. Add auth required pam_google_authenticator.so to the top of the Primary block in /etc/pam.d/common auth Since we got an encrypted $HOME we need to move the pam_google_authenticator.so secret. auth required pam_google_authenticator.so secret=/etc/auth/${user} /.google_authenticator ( Set up the directories: ~# mkdir p /etc/auth/${user} ~# chmod 0755 /etc/auth ~# chown R ${USER}:${USER} /etc/auth/${user} ~# chmod R 0700 /etc/auth/${user} ~# cat /home/${user}/.google_authenticator > /etc/auth/${user} /.google_authenticator ~# chmod 0600 /etc/auth/${user}/.google_authenticator Don t forget to install and set up the Google authenticator app.

Choose Disallow multiple uses of the same authentication token, Do not increase the time window and Enable rate limiting. Add auth required pam_google_authenticator.

3 3 of 7 12/1/2014 1:14 PM And finally we ll install auditd The Linux Audit daemon. ~# sudo aptitude update && sudo aptitude install auditd Edit /etc/default/grub to include audit=1 as part of GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX="audit=1" ~# update grub Add auditd rules to /etc/audit/audit.rules: # # Rules grabbed from /4629/simple example auditd configuration ( exampleauditd configuration) # First rule delete all D # Increase the buffers to survive stress events. # Make this bigger for busy system # Increase the buffers to survive stress events. # Make this bigger for busy systems b 1024 ## special files a exit,always F arch=b64 S mknod S mknodat k specialfiles ## Mount operations a exit,always F arch=b64 S mount S umount2 k mount ## changes to the time ## a exit,always F arch=b64 S adjtimex S settimeofday S clock_settime k time ## cron configuration & scheduled jobs w /etc/cron.allow p wa k cron w /etc/cron.deny p wa k cron w /etc/cron.d/ p wa k cron w /etc/cron.daily/ p wa k cron w /etc/cron.hourly/ p wa k cron w /etc/cron.monthly/ p wa k cron w /etc/cron.weekly/ p wa k cron w /etc/crontab p wa k cron w /var/spool/cron/crontabs/ k cron ## user, group, password databases w /etc/group p wa k etcgroup w /etc/passwd p wa k etcpasswd w /etc/gshadow k etcgroup w /etc/shadow k etcpasswd w /etc/security/opasswd k opasswd

/etc/audit/audit.rules: # # Rules grabbed from https://security.stackexchange.

4 4 of 7 12/1/2014 1:14 PM ## monitor usage of passwd w /usr/bin/passwd p x k passwd_modification #Monitor for use of tools to change group identifiers w /usr/sbin/groupadd p x k group_modification w /usr/sbin/groupmod p x k group_modification w /usr/sbin/addgroup p x k group_modification w /usr/sbin/useradd p x k user_modification w /usr/sbin/usermod p x k user_modification w /usr/sbin/adduser p x k user_modification ## login configuration and information w /etc/login.defs p wa k login w /etc/securetty p wa k login w /var/log/faillog p wa k login w /var/log/lastlog p wa k login w /var/log/tallylog p wa k login ## network configuration w /etc/hosts p wa k hosts w /etc/network/ p wa k network ## system startup scripts w /etc/inittab p wa k init w /etc/init.d/ p wa k init w /etc/init/ p wa k init ## library search paths w /etc/ld.so.conf p wa k libpath ## local time zone w /etc/localtime p wa k localtime ## kernel parameters w /etc/sysctl.conf p wa k sysctl ## modprobe configuration w /etc/modprobe.conf p wa k modprobe ## pam configuration w /etc/pam.d/ p wa k pam w /etc/security/limits.conf p wa k pam w /etc/security/pam_env.conf p wa k pam w /etc/security/namespace.conf p wa k pam w /etc/security/namespace.init p wa k pam ## postfix configuration w /etc/aliases p wa k mail w /etc/postfix/ p wa k mail ## ssh configuration

x k user_modification ## login configuration and information w /etc/login.

5 5 of 7 12/1/2014 1:14 PM w /etc/ssh/sshd_config k sshd ## changes to hostname a exit,always F arch=b64 S sethostname k hostname ## changes to issue w /etc/issue p wa k etcissue w /etc/issue.net p wa k etcissue ## this was to noisy currently. # log all commands executed by an effective id of 0 aka root. a exit,always F arch=b64 F euid=0 S execve k rootcmd ## Capture all failures to access on critical elements a exit,always F arch=b64 S open F dir=/etc F success=0 k a exit,always F arch=b64 S open F dir=/bin F success=0 k a exit,always F arch=b64 S open F dir=/sbin F success=0 k a exit,always F arch=b64 S open F dir=/usr/bin F success=0 k a exit,always F arch=b64 S open F dir=/usr/sbin F success=0 k a exit,always F arch=b64 S open F dir=/var F success=0 k a exit,always F arch=b64 S open F dir=/home F success=0 k a exit,always F arch=b64 S open F dir=/srv F success=0 k ## Monitor for use of process ID change (switching accounts) applications w /bin/su p x k priv_esc w /usr/bin/sudo p x k priv_esc w /etc/sudoers p rw k priv_esc ## Monitor usage of commands to change power state w /sbin/shutdown p x k power w /sbin/poweroff p x k power w /sbin/reboot p x k power w /sbin/halt p x k power ## Make the configuration immutable # e 2 Uncomment e 2 only after you re happy with the logging.

a exit,always F arch=b64 F euid=0 S execve k rootcmd ## Capture all failures to access on critical elements a exit,always F arch=b64 S open F dir=/etc F success=0 k a exit,always F arch=b64 S open F

6 6 of 7 12/1/2014 1:14 PM ( Recommended reading: CIS Ubuntu LTS Server Benchmark ( /ubuntu/cis_ubuntu_12.04_lts_server_benchmark_v1.0.0.pdf) [PDF] Guide to the Secure Configuration of Red Hat Enterprise Linux 5 ( guidei731.pdfhttp://) [PDF] PCI DSS v3.0 available at /documents.php ( /documents.php)

nsa.gov/ia/_files/os/redhat/rhel5 guidei731.pdfhttp://) [PDF] PCI DSS v3.0 available at https://www.pcisecuritystandards.

7 7 of 7 12/1/2014 1:14 PM BLOG AT WORDPRESS.COM. THE TONAL THEME. Follow Build a website with WordPress.com

## Remove any existing rules -D

## Remove any existing rules -D This file contains a sample audit configuration. Combined with the system events that are audited by default, this set of rules causes audit to generate records for the auditable events specified by the