top of page

Hardening OS - Checklist


Here the detailed Linux Hardening OS Checklist.



  • Create Separate Partition for /tmp

  • Set nodev option for /tmp Partition

  • Set nosuid option for /tmp Partition

  • Set noexec option for /tmp Partition

  • Create Separate Partition for /var

  • Bind Mount the /var/tmp directory to /tmp

  • Create Separate Partition for /var/log

  • Create Separate Partition for /var/log/audit

  • Create Separate Partition for /home

  • Add nodev Option to /home

  • Add nodev Option to /dev/shm Partition

  • Add nosuid Option to /dev/shm Partition

  • Add noexec Option to /dev/shm Partition

  • Set Sticky Bit on All World-Writable Directories

  • Verify CentOS GPG Key is Installed

  • Verify that gpgcheck is Globally Activated

  • Set User/Group Owner on /etc/grub.conf

  • Set Permissions on /etc/grub.conf

  • Set Boot Loader Password

  • Require Authentication for Single-User Mode

  • Disable Interactive Boot

  • Restrict Core Dumps

  • Configure ExecShield

  • Enable Randomized Virtual Memory Region Placement

  • Remove telnet-server

  • Remove telnet Clients

  • Remove rsh-server

  • Remove rsh

  • Remove NIS Client

  • Remove NIS Server

  • Remove tftp

  • Remove tftp-server

  • Remove talk

  • Remove talk-server

  • Disable chargen-dgram

  • Disable chargen-stream

  • Disable daytime-dgram

  • Disable daytime-stream

  • Disable echo-dgram

  • Disable echo-stream

  • Disable tcpmux-server

  • Set Daemon umask

  • Remove X Windows

  • Disable Avahi Server

  • Disable Print Server - CUPS

  • Remove DHCP Server

  • Configure Network Time Protocol (NTP)

  • Remove LDAP

  • Disable NFS and RPC

  • Remove DNS Server

  • Remove FTP Server

  • Remove HTTP Server

  • Remove Dovecot (IMAP and POP3 services)

  • Remove Samba

  • Remove HTTP Proxy Server

  • Configure Mail Transfer Agent for Local-Only Mode

  • Install the rsyslog package

  • Activate the rsyslog Service

  • Create and Set Permissions on rsyslog Log Files

  • Configure rsyslog to Send Logs to a Remote Log Host

  • Configure logrotate

  • Disable IP Forwarding

  • Disable Send Packet Redirects

  • Disable Source Routed Packet Acceptance

  • Disable ICMP Redirect Acceptance

  • Log Suspicious Packets

  • Enable Ignore Broadcast Requests

  • Enable Bad Error Message Protection

  • Enable TCP SYN Cookies

  • Deactivate Wireless Interfaces

  • Disable IPv6 Router Advertisements

  • Disable IPv6 Redirect Acceptance

  • Verify Permissions on /etc/hosts.allow

  • Verify Permissions on /etc/hosts.deny

  • Enable IPtables

  • Enable anacron Daemon

  • Enable crond Daemon

  • Set User/Group Owner and Permission on /etc/anacrontab

  • Set User/Group Owner and Permission on /etc/crontab

  • Set User/Group Owner and Permission on /etc/cron.hourly

  • Set User/Group Owner and Permission on /etc/cron.daily

  • Set User/Group Owner and Permission on /etc/cron.weekly

  • Set User/Group Owner and Permission on /etc/cron.monthly

  • Set User/Group Owner and Permission on /etc/cron.d

  • Restrict at Daemon

  • Restrict at/cron to Authorized Users

  • Set SSH Protocol to 2

  • Set LogLevel to INFO

  • Set Permissions on /etc/ssh/sshd_config

  • Disable SSH X11 Forwarding

  • Set SSH MaxAuthTries to 4 or Less

  • Set SSH IgnoreRhosts to Yes

  • Set SSH HostbasedAuthentication to No

  • Disable SSH Root Login

  • Set SSH PermitEmptyPasswords to No

  • Do Not Allow Users to Set Environment Options

  • Use Only Approved Cipher in Counter Mode

  • Set Idle Timeout Interval for User Login

  • Limit Access via SSH

  • Set SSH Banner

  • Upgrade Password Hashing Algorithm to SHA-512

  • Set Password Creation Requirement Parameters Using pam_cracklib

  • Set Lockout for Failed Password Attempts

  • Limit Password Reuse

  • Restrict Access to the su Command

  • Set Password Expiration Days

  • Set Password Change Minimum Number of Days

  • Set Password Expiring Warning Days

  • Disable System Accounts

  • Set Default Group for root Account

  • Set Default umask for Users

  • Lock Inactive User Accounts

  • Set Warning Banner for Standard Login Services

  • Remove OS Information from Login Warning Banners

  • Set GNOME Warning Banner

  • Verify Permissions on /etc/passwd

  • Verify Permissions on /etc/shadow

  • Verify Permissions on /etc/gshadow

  • Verify Permissions on /etc/group

  • Verify User/Group Ownership on /etc/passwd

  • Verify User/Group Ownership on /etc/shadow

  • Verify User/Group Ownership on /etc/gshadow

  • Verify User/Group Ownership on /etc/group

  • Find Un-owned Files and Directories

  • Find Un-grouped Files and Directories

  • Find SUID System Executables

  • Find SGID System Executables

  • Ensure Password Fields are Not Empty

  • Verify No Legacy + Entries Exist in /etc/passwd File

  • Verify No Legacy + Entries Exist in /etc/shadow File

  • Verify No Legacy + Entries Exist in /etc/group File

  • Verify No UID 0 Accounts Exist Other Than root

  • Ensure root PATH Integrity

  • Check Permissions on User Home Directories

  • Check User Dot File Permissions

  • Check Permissions on User .netrc Files

  • Check for Presence of User .rhosts Files

  • Check Groups in /etc/passwd

  • Check That Users Are Assigned Valid Home Directories

  • Check User Home Directory Ownership

  • Check for Duplicate UIDs

  • Check for Duplicate GIDs

  • Check for Duplicate User Names

  • Check for Duplicate Group Names

  • Check for Presence of User .netrc Files

  • Check for Presence of User .forward Files


The below file has all solutions for the hardening for centos OS .


CIS_CentOS_Linux_6_Benchmark_v1.0.0
.pdf
Download PDF • 2.38MB

Source : CIS SECURITY BENCHMARKS

Kubernetes Cluster - RBAC Examples

Creating Service Account Run the following command to add a new service account called king: $ kubectl create serviceaccount king serviceaccount/king created Find the name of the secret that stores t

Kubernetes - Role-based access control (RBAC)

Kubernetes RBAC The Kubernetes API provides access to sensitive data, including deployment details, persistent storage settings, and secrets. Over the years, the Kubernetes community has provided seve

Kubernetes Cheat Sheet

This page contains a list of commonly used kubectl commands and flags. Kubectl apply - Creating objects # create resource(s) kubectl apply -f ./my-manifest.yaml # create from multiple files kubectl a

Comments


bottom of page