1 of 7 12/1/2014 1:14 PM

This is some sort of part two of Creating a baseline Ubuntu 14.04 server (http://konstruktoid.net/2014/04/25/creating-a-baseline-ubuntu-14-04-server/), so read that first and check back afterwards. In this post we'll lock down the server even more, adding Google Authenticator and auditd.

Let's start with modifying /etc/login.defs, so that successful logins are logged and su activity gets its own log file:

```
LOG_OK_LOGINS yes
SULOG_FILE /var/log/sulog
```

Set the default shell for new accounts to /bin/false in both /etc/default/useradd (the SHELL= line) and /etc/adduser.conf (the DSHELL= line), so an account only gets a login shell when you explicitly give it one.

Modify /etc/skel/.bashrc so new users keep a tiny in-memory history and never write one to disk:

```
HISTSIZE=10
HISTFILESIZE=0
```

Stricter /etc/fstab mount options. The listing below is the output of `egrep -v "#|swap" /etc/fstab | awk '{print $2,$4}'`:

```
/ errors=remount-ro
/boot defaults,nodev,nosuid,noexec
/home defaults,nodev,nosuid,noexec
/usr defaults,nodev
/var/log defaults,nodev,noexec
/tmp defaults,nosuid,nodev,noatime,size=100m,mode=1777
/var/tmp defaults,nosuid,nodev,noatime,noexec,size=100m,mode=1777
```

/tmp and /var/tmp are tmpfs here, and their mode must be 1777 (world-writable with the sticky bit): a scratch directory that unprivileged users cannot write to breaks most software, and the sticky bit is what stops users deleting each other's files. noexec on /home and /var/tmp also blocks legitimate scripts kept there, so test your workloads after remounting; /tmp is left without noexec in the listing above.

Remove suid bits from binaries that ordinary users on this box have no need for:

```
chmod -s /bin/fusermount /bin/mount /bin/su /bin/umount /usr/bin/bsd-write /usr/bin/chage /usr/bin/chfn /usr/bin/chsh /usr/bin/mlocate /usr/bin/mtr /usr/bin/newgrp /usr/bin/traceroute6.iputils /usr/bin/wall
```

After this only root can su, mount or change the password-related fields, which is what you want on a sudo-only server. A package upgrade can restore the bits, so either re-run the command after upgrades or register the new mode with dpkg-statoverride so dpkg keeps it.

Verify that all network-connected services except sshd are in AppArmor enforce mode, by comparing the enforced profiles against whatever is listening:

```
apparmor_status --verbose
```
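The mount-option table above is easy to get subtly wrong (a missing nosuid, or a tmpfs /tmp with a mode that locks users out). The checker below is an added example, not part of the original post: check_fstab reads fstab-format text on stdin and prints one line per mount point that lacks an option it should have. The required set per mount point is an assumption modelled on the listing above, plus the mode=1777 requirement for a tmpfs /tmp and /var/tmp; the sample fstab is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): audit an fstab against the
# hardening options in the post's listing. Required options per mount point
# are assumptions modelled on that listing.
check_fstab() {
    awk '
    BEGIN {
        want["/boot"]    = "nodev nosuid noexec"
        want["/home"]    = "nodev nosuid noexec"
        want["/usr"]     = "nodev"
        want["/var/log"] = "nodev noexec"
        want["/tmp"]     = "nodev nosuid"
        want["/var/tmp"] = "nodev nosuid noexec"
    }
    /^[ \t]*#/ || NF < 4 { next }       # comments, blank or malformed lines
    $3 == "swap" { next }
    ($2 in want) {
        missing = ""
        n = split(want[$2], req, " ")
        for (i = 1; i <= n; i++)
            if (("," $4 ",") !~ ("," req[i] ",")) missing = missing " " req[i]
        # a tmpfs scratch directory must stay world-writable with the sticky bit
        if ($3 == "tmpfs" && $4 !~ /(^|,)mode=1777(,|$)/) missing = missing " mode=1777"
        if (missing != "") print $2 ":" missing
    }'
}

# Constructed fstab (not from any real host) with three deliberate gaps:
# /home lacks noexec, /usr lacks nodev, /tmp has a root-only mode.
sample_fstab() {
    cat <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=0000-root   /        ext4  errors=remount-ro                                        0 1
UUID=0000-boot   /boot    ext4  defaults,nodev,nosuid,noexec                             0 2
UUID=0000-home   /home    ext4  defaults,nodev,nosuid                                    0 2
UUID=0000-usr    /usr     ext4  defaults                                                 0 2
UUID=0000-varlog /var/log ext4  defaults,nodev,noexec                                    0 2
tmpfs            /tmp     tmpfs defaults,nosuid,nodev,noatime,size=100m,mode=1700        0 0
tmpfs            /var/tmp tmpfs defaults,nosuid,nodev,noexec,noatime,size=100m,mode=1777 0 0
UUID=0000-swap   none     swap  sw                                                       0 0
EOF
}

# Against the sample here; on a server run: check_fstab < /etc/fstab
sample_fstab | check_fstab
```

Run against the sample it reports `/home: noexec`, `/usr: nodev` and `/tmp: mode=1777`; an empty output means the file matches the table. Adjust the want table if you deliberately keep /tmp executable or drop noexec from /home.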

Then see what is actually listening, and make sure every process on that list except sshd has an enforced profile:

```
netstat -anlp --inet
```

We'll be using Google Authenticator for two-factor authentication:

```
sudo aptitude update && sudo aptitude install libpam-google-authenticator
```

Run google-authenticator as the user that will log in, not with sudo, so the secret is written to that user's $HOME. Answer yes to "Disallow multiple uses of the same authentication token", no to increasing the time window, and yes to "Enable rate limiting".

Add the following to the top of the Primary block in /etc/pam.d/common-auth:

```
auth required pam_google_authenticator.so
```

Since we've got an encrypted $HOME we need to move the pam_google_authenticator.so secret out of it, otherwise the module cannot read the file before the home directory has been unlocked. Point the module at the new location with secret=; it expands ${USER} (and ${HOME}) in that path, so the variable has to be spelled in upper case:

```
auth required pam_google_authenticator.so secret=/etc/auth/${USER}/.google_authenticator
```

Set up the directories, with ${user} being the account you are enabling, as root. The module refuses a secret that is not mode 0600 and owned by the user, so the chown comes last, after the file has been created (a chown -R done before the copy would leave the new file owned by root):

```
mkdir -p /etc/auth/${user}
chmod 0755 /etc/auth
cat /home/${user}/.google_authenticator > /etc/auth/${user}/.google_authenticator
chmod -R 0700 /etc/auth/${user}
chmod 0600 /etc/auth/${user}/.google_authenticator
chown -R ${user}:${user} /etc/auth/${user}
```

Test from a second session before logging out. sshd only runs the PAM auth stack for password and keyboard-interactive logins, so /etc/ssh/sshd_config needs ChallengeResponseAuthentication yes (and UsePAM yes); a public-key login skips PAM authentication entirely unless you also set AuthenticationMethods publickey,keyboard-interactive (OpenSSH 6.2 and later, which 14.04 ships). Keep in mind that a line at the top of common-auth applies to sudo and console logins as well, not only to ssh.

Don't forget to install and set up the Google Authenticator app.
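The move of the secret out of the encrypted $HOME is the step that most often leaves a user locked out, because pam_google_authenticator silently refuses a file with the wrong mode or owner. The script below is an added example, not from the original post: stage_ga_secret stages the secret under a root-owned directory in the layout used above and then verify_ga_secret checks what the module requires before it will read the file (mode 0600, owned by the user, a base32 secret on the first line). AUTH_ROOT (default /etc/auth) and the skipping of the ownership step when not running as root or when the account does not exist are assumptions made so the functions can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original post): stage a google-authenticator
# secret under a root-owned directory and verify it meets the module's
# requirements. Assumptions: AUTH_ROOT is the base (default /etc/auth);
# ownership is only changed/checked when running as root and the account exists.
set -u
AUTH_ROOT="${AUTH_ROOT:-/etc/auth}"

stage_ga_secret() {
    # $1 = account name, $2 = secret written by google-authenticator in $HOME
    local user="$1" src="$2" dest_dir dest
    dest_dir="$AUTH_ROOT/$user"
    dest="$dest_dir/.google_authenticator"
    [ -f "$src" ] || { echo "no secret file at $src" >&2; return 1; }
    mkdir -p "$dest_dir"
    chmod 0755 "$AUTH_ROOT"     # parent must be traversable by the module
    chmod 0700 "$dest_dir"
    # copy under a tight umask so the file is never briefly group/world readable
    (umask 077 && cp "$src" "$dest")
    chmod 0600 "$dest"
    # chown last: a file created after chown -R would still belong to root
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user:$user" "$dest_dir"
    fi
    verify_ga_secret "$user" "$dest"
}

verify_ga_secret() {
    # $1 = account name, $2 = secret path; returns 0 if the module would accept it
    local user="$1" f="$2" mode owner
    mode="$(stat -c %a "$f")" || return 1
    owner="$(stat -c %U "$f")"
    [ "$mode" = "600" ] || { echo "$f: mode $mode, want 600" >&2; return 1; }
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        [ "$owner" = "$user" ] || { echo "$f: owner $owner, want $user" >&2; return 1; }
    fi
    # first line is the base32 TOTP secret; later lines are options and scratch codes
    head -n 1 "$f" | grep -Eq '^[A-Z2-7]{16,}$' \
        || { echo "$f: first line is not a base32 secret" >&2; return 1; }
}

# On the server, as root, for the account in $user:
#   stage_ga_secret "$user" "/home/$user/.google_authenticator"
```

Running verify_ga_secret on its own against an existing /etc/auth/<user>/.google_authenticator is a cheap check to add to whatever provisioning you use, since a later chmod or a restore from backup can undo the permissions without any PAM error being visible to the user.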

And finally we'll install auditd, the Linux Audit daemon:

```
sudo aptitude update && sudo aptitude install auditd
```

Edit /etc/default/grub to include audit=1 as part of GRUB_CMDLINE_LINUX, so that the kernel audits processes started before auditd itself is up and records are queued rather than dropped until the daemon attaches:

```
GRUB_CMDLINE_LINUX="audit=1"
```

```
update-grub
```

Add auditd rules to /etc/audit/audit.rules:

```
# Rules grabbed from https://security.stackexchange.com/questions/4629/simple-example-auditd-configuration
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024
## special files
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles
## Mount operations
-a exit,always -F arch=b64 -S mount -S umount2 -k mount
## changes to the time
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
## cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -k cron
## user, group, password databases
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd
## monitor usage of passwd
-w /usr/bin/passwd -p x -k passwd_modification
# Monitor for use of tools to change group identifiers
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification
## login configuration and information
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login
## network configuration
-w /etc/hosts -p wa -k hosts
-w /etc/network/ -p wa -k network
## system startup scripts
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init
## library search paths
-w /etc/ld.so.conf -p wa -k libpath
## local time zone
-w /etc/localtime -p wa -k localtime
## kernel parameters
-w /etc/sysctl.conf -p wa -k sysctl
## modprobe configuration
-w /etc/modprobe.conf -p wa -k modprobe
## pam configuration
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam
## postfix configuration
-w /etc/aliases -p wa -k mail
-w /etc/postfix/ -p wa -k mail
## ssh configuration
-w /etc/ssh/sshd_config -k sshd
## changes to hostname
-a exit,always -F arch=b64 -S sethostname -k hostname
## changes to issue
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue
## this was too noisy currently, so it stays commented out.
# log all commands executed by an effective id of 0 aka root.
#-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
## Capture all failures to access on critical elements
## (these share one key, "access", so ausearch -k access finds them all)
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k access
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k access
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k access
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k access
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k access
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k access
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k access
-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k access
## Monitor for use of process ID change (switching accounts) applications
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /etc/sudoers -p rw -k priv_esc
## Monitor usage of commands to change power state
-w /sbin/shutdown -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power
## Make the configuration immutable
#-e 2
```

Uncomment -e 2 only after you're happy with the logging: once it is set, no rule can be added, removed or changed until the next reboot. Load the file with `auditctl -R /etc/audit/audit.rules` (or restart auditd), confirm what the kernel actually holds with `auditctl -l`, and pull events by key with `ausearch -k priv_esc` and friends.

Two caveats on the syscall rules. Every -a line is arch=b64 only; on a 64-bit kernel a 32-bit binary uses the b32 syscall table and slips past them, so add a matching -F arch=b32 line for each if you run any 32-bit code. And the failed-open rules watch the open syscall, which is what glibc on 14.04 uses; newer libcs implement open() through openat, so add -S openat when these rules move to a newer release.
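The -k keys in the rules above are what make the log usable: every record a rule produces is tagged with its key, and triage starts by asking which keys fired and what a failed access actually touched. The script below is an added example, not from the original post, of that first pass done with awk over raw audit.log lines (the same grouping `ausearch -k` gives you): audit_key_summary counts SYSCALL records per key, and audit_failed_opens joins a failed SYSCALL record to the PATH record carrying the same event serial and prints the file that could not be opened. The lines in sample_audit_log are constructed for this example, with made-up ids and timestamps, and use the key names from the rules above.

```shell
#!/bin/sh
# Added example (not from the original post): triage audit.log by rule key.
# Sample log lines below are constructed, not captured from a real host.
audit_key_summary() {
    awk '
    # the key lives on the SYSCALL record; EXECVE/CWD/PATH records follow it
    $1 == "type=SYSCALL" {
        key = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^key=/) { key = $i; sub(/^key="?/, "", key); sub(/"$/, "", key) }
        if (key == "" || key == "(null)") next   # event matched no keyed rule
        count[key]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort -k2,2nr -k1,1
}

audit_failed_opens() {
    awk '
    # event serial is the number after the colon in msg=audit(secs.ms:serial):
    function serial(s) { split(s, m, ":"); sub(/\)/, "", m[2]); return m[2] }
    $1 == "type=SYSCALL" && / success=no / { failed[serial($2)] = 1 }
    $1 == "type=PATH" {
        s = serial($2)
        if (s in failed)
            for (i = 1; i <= NF; i++)
                if ($i ~ /^name=/) { n = $i; sub(/^name="?/, "", n); sub(/"$/, "", n); print n }
    }'
}

# Constructed records for two sudo runs, one passwd run, one denied open of
# /etc/shadow by an unprivileged user, and an unkeyed cron exec.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1417435200.101:301): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="priv_esc"
type=EXECVE msg=audit(1417435200.101:301): argc=2 a0="sudo" a1="-i"
type=SYSCALL msg=audit(1417435260.202:302): arch=c000003e syscall=59 success=yes exit=0 ppid=2002 pid=2010 auid=1000 uid=1000 gid=1000 euid=0 comm="passwd" exe="/usr/bin/passwd" key="passwd_modification"
type=SYSCALL msg=audit(1417435320.303:303): arch=c000003e syscall=2 success=no exit=-13 ppid=2001 pid=2020 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/bin/cat" key="access"
type=CWD msg=audit(1417435320.303:303):  cwd="/home/alice"
type=PATH msg=audit(1417435320.303:303): item=0 name="/etc/shadow" inode=1234 dev=fc:01 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1417435380.404:304): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2030 auid=1000 uid=1000 gid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="priv_esc"
type=SYSCALL msg=audit(1417435440.505:305): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2040 auid=4294967295 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key=(null)
EOF
}

# Against the sample here; on a server: audit_key_summary < /var/log/audit/audit.log
sample_audit_log | audit_key_summary
sample_audit_log | audit_failed_opens
```

On the sample this prints `priv_esc 2`, `access 1`, `passwd_modification 1` and then `/etc/shadow`. The auid field (1000 here, 4294967295 for daemons that never logged in) is the login uid that survives su and sudo, so when a priv_esc or access event looks wrong it is auid, not uid, that tells you which person to ask.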

Recommended reading:

http://benchmarks.cisecurity.org, CIS Ubuntu 12.04 LTS Server Benchmark (https://benchmarks.cisecurity.org/tools2/ubuntu/cis_ubuntu_12.04_lts_server_benchmark_v1.0.0.pdf) [PDF]

Guide to the Secure Configuration of Red Hat Enterprise Linux 5 (http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf) [PDF]

PCI DSS v3.0, available at https://www.pcisecuritystandards.org/security_standards/documents.php
