
Hardening OS - Checklist


Here is the detailed Linux OS hardening checklist.



  • Create Separate Partition for /tmp

  • Set nodev option for /tmp Partition

  • Set nosuid option for /tmp Partition

  • Set noexec option for /tmp Partition

  • Create Separate Partition for /var

  • Bind Mount the /var/tmp directory to /tmp

  • Create Separate Partition for /var/log

  • Create Separate Partition for /var/log/audit

  • Create Separate Partition for /home

  • Add nodev Option to /home

  • Add nodev Option to /dev/shm Partition

  • Add nosuid Option to /dev/shm Partition

  • Add noexec Option to /dev/shm Partition

  • Set Sticky Bit on All World-Writable Directories

  • Verify CentOS GPG Key is Installed

  • Verify that gpgcheck is Globally Activated

  • Set User/Group Owner on /etc/grub.conf

  • Set Permissions on /etc/grub.conf

  • Set Boot Loader Password

  • Require Authentication for Single-User Mode

  • Disable Interactive Boot

  • Restrict Core Dumps

  • Configure ExecShield

  • Enable Randomized Virtual Memory Region Placement

  • Remove telnet-server

  • Remove telnet Clients

  • Remove rsh-server

  • Remove rsh

  • Remove NIS Client

  • Remove NIS Server

  • Remove tftp

  • Remove tftp-server

  • Remove talk

  • Remove talk-server

  • Disable chargen-dgram

  • Disable chargen-stream

  • Disable daytime-dgram

  • Disable daytime-stream

  • Disable echo-dgram

  • Disable echo-stream

  • Disable tcpmux-server

  • Set Daemon umask

  • Remove X Windows

  • Disable Avahi Server

  • Disable Print Server - CUPS

  • Remove DHCP Server

  • Configure Network Time Protocol (NTP)

  • Remove LDAP

  • Disable NFS and RPC

  • Remove DNS Server

  • Remove FTP Server

  • Remove HTTP Server

  • Remove Dovecot (IMAP and POP3 services)

  • Remove Samba

  • Remove HTTP Proxy Server

  • Configure Mail Transfer Agent for Local-Only Mode

  • Install the rsyslog package

  • Activate the rsyslog Service

  • Create and Set Permissions on rsyslog Log Files

  • Configure rsyslog to Send Logs to a Remote Log Host

  • Configure logrotate

  • Disable IP Forwarding

  • Disable Send Packet Redirects

  • Disable Source Routed Packet Acceptance

  • Disable ICMP Redirect Acceptance

  • Log Suspicious Packets

  • Enable Ignore Broadcast Requests

  • Enable Bad Error Message Protection

  • Enable TCP SYN Cookies

  • Deactivate Wireless Interfaces

  • Disable IPv6 Router Advertisements

  • Disable IPv6 Redirect Acceptance

  • Verify Permissions on /etc/hosts.allow

  • Verify Permissions on /etc/hosts.deny

  • Enable IPtables

  • Enable anacron Daemon

  • Enable crond Daemon

  • Set User/Group Owner and Permission on /etc/anacrontab

  • Set User/Group Owner and Permission on /etc/crontab

  • Set User/Group Owner and Permission on /etc/cron.hourly

  • Set User/Group Owner and Permission on /etc/cron.daily

  • Set User/Group Owner and Permission on /etc/cron.weekly

  • Set User/Group Owner and Permission on /etc/cron.monthly

  • Set User/Group Owner and Permission on /etc/cron.d

  • Restrict at Daemon

  • Restrict at/cron to Authorized Users

  • Set SSH Protocol to 2

  • Set LogLevel to INFO

  • Set Permissions on /etc/ssh/sshd_config

  • Disable SSH X11 Forwarding

  • Set SSH MaxAuthTries to 4 or Less

  • Set SSH IgnoreRhosts to Yes

  • Set SSH HostbasedAuthentication to No

  • Disable SSH Root Login

  • Set SSH PermitEmptyPasswords to No

  • Do Not Allow Users to Set Environment Options

  • Use Only Approved Cipher in Counter Mode

  • Set Idle Timeout Interval for User Login

  • Limit Access via SSH

  • Set SSH Banner

  • Upgrade Password Hashing Algorithm to SHA-512

  • Set Password Creation Requirement Parameters Using pam_cracklib

  • Set Lockout for Failed Password Attempts

  • Limit Password Reuse

  • Restrict Access to the su Command

  • Set Password Expiration Days

  • Set Password Change Minimum Number of Days

  • Set Password Expiring Warning Days

  • Disable System Accounts

  • Set Default Group for root Account

  • Set Default umask for Users

  • Lock Inactive User Accounts

  • Set Warning Banner for Standard Login Services

  • Remove OS Information from Login Warning Banners

  • Set GNOME Warning Banner

  • Verify Permissions on /etc/passwd

  • Verify Permissions on /etc/shadow

  • Verify Permissions on /etc/gshadow

  • Verify Permissions on /etc/group

  • Verify User/Group Ownership on /etc/passwd

  • Verify User/Group Ownership on /etc/shadow

  • Verify User/Group Ownership on /etc/gshadow

  • Verify User/Group Ownership on /etc/group

  • Find Un-owned Files and Directories

  • Find Un-grouped Files and Directories

  • Find SUID System Executables

  • Find SGID System Executables

  • Ensure Password Fields are Not Empty

  • Verify No Legacy + Entries Exist in /etc/passwd File

  • Verify No Legacy + Entries Exist in /etc/shadow File

  • Verify No Legacy + Entries Exist in /etc/group File

  • Verify No UID 0 Accounts Exist Other Than root

  • Ensure root PATH Integrity

  • Check Permissions on User Home Directories

  • Check User Dot File Permissions

  • Check Permissions on User .netrc Files

  • Check for Presence of User .rhosts Files

  • Check Groups in /etc/passwd

  • Check That Users Are Assigned Valid Home Directories

  • Check User Home Directory Ownership

  • Check for Duplicate UIDs

  • Check for Duplicate GIDs

  • Check for Duplicate User Names

  • Check for Duplicate Group Names

  • Check for Presence of User .netrc Files

  • Check for Presence of User .forward Files
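As an added example, not part of the original checklist or of the CIS benchmark itself, the Python script below audits a handful of the items above against configuration text: the nodev/nosuid/noexec options on /tmp, /dev/shm and /home, the network sysctl settings (IP forwarding, source-routed packets, broadcast ICMP, SYN cookies) and the sshd_config directives (Protocol, LogLevel, X11Forwarding, MaxAuthTries, PermitRootLogin, PermitEmptyPasswords). The sample fstab, sysctl.conf and sshd_config contents are constructed for the demonstration and are not from a real host; on a CentOS system you would feed it /etc/fstab, /etc/sysctl.conf and /etc/ssh/sshd_config instead. It only inspects files, so a sysctl value changed at runtime or a mount option not yet applied is not seen, and Match blocks in sshd_config are not handled.

```python
"""Offline audit of a subset of the hardening checklist against config text.
Constructed samples below stand in for /etc/fstab, /etc/sysctl.conf and
/etc/ssh/sshd_config (assumed CentOS 6 formats)."""
import re

# Constructed sample: /tmp lacks noexec, /dev/shm is fully hardened, /home has no entry
SAMPLE_FSTAB = """\
# <device>            <mount>    <type>  <options>                     <dump> <pass>
/dev/mapper/vg-root   /          ext4    defaults                      1 1
/dev/mapper/vg-tmp    /tmp       ext4    defaults,nodev,nosuid         1 2
tmpfs                 /dev/shm   tmpfs   defaults,nodev,nosuid,noexec  0 0
/tmp                  /var/tmp   none    bind                          0 0
"""

# Constructed sample: ip_forward is enabled and tcp_syncookies is never set
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts=1
# net.ipv4.tcp_syncookies deliberately absent
"""

# Constructed sample: X11 forwarding on, MaxAuthTries too high, root login allowed
SAMPLE_SSHD = """\
Protocol 2
LogLevel INFO
X11Forwarding yes
MaxAuthTries 6
PermitRootLogin yes
PermitEmptyPasswords no
"""

REQUIRED_MOUNT_OPTS = {
    "/tmp": {"nodev", "nosuid", "noexec"},
    "/dev/shm": {"nodev", "nosuid", "noexec"},
    "/home": {"nodev"},
}

EXPECTED_SYSCTL = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.tcp_syncookies": "1",
}

# Values are compared case-insensitively; a callable gets the raw value (or None)
EXPECTED_SSHD = {
    "protocol": "2",
    "loglevel": "INFO",
    "x11forwarding": "no",
    "maxauthtries": lambda v: v is not None and v.isdigit() and int(v) <= 4,
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
}


def parse_fstab(text):
    """Map mount point -> set of mount options; comments and blank lines skipped."""
    mounts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:
            continue  # blank, comment, or malformed (needs device, mount, type, options)
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def check_mount_options(fstab_text, required=REQUIRED_MOUNT_OPTS):
    """Return {mount_point: sorted missing options}. A mount point with no
    entry of its own (no separate partition) reports every option missing."""
    mounts = parse_fstab(fstab_text)
    findings = {}
    for mount_point, needed in required.items():
        missing = sorted(needed - mounts.get(mount_point, set()))
        if missing:
            findings[mount_point] = missing
    return findings


def parse_sysctl(text):
    """Map key -> value; later lines override earlier ones, as sysctl applies them in order."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def check_sysctl(sysctl_text, expected=EXPECTED_SYSCTL):
    """Return {key: (found_value_or_None, expected_value)} for unset or wrong keys."""
    settings = parse_sysctl(sysctl_text)
    return {k: (settings.get(k), v) for k, v in expected.items() if settings.get(k) != v}


def parse_sshd_config(text):
    """Map lowercased keyword -> value; sshd honours the first occurrence, so keep the first."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_sshd_config(sshd_text, expected=EXPECTED_SSHD):
    """Return {keyword: found_value_or_None} for directives that fail their check."""
    settings = parse_sshd_config(sshd_text)
    findings = {}
    for key, want in expected.items():
        have = settings.get(key)
        ok = want(have) if callable(want) else (have is not None and have.lower() == want.lower())
        if not ok:
            findings[key] = have
    return findings


def audit(fstab_text, sysctl_text, sshd_text):
    """Run all three checks and group the findings by area."""
    return {
        "mounts": check_mount_options(fstab_text),
        "sysctl": check_sysctl(sysctl_text),
        "sshd": check_sshd_config(sshd_text),
    }


if __name__ == "__main__":
    for area, findings in audit(SAMPLE_FSTAB, SAMPLE_SYSCTL, SAMPLE_SSHD).items():
        for item, detail in findings.items():
            print(f"FAIL [{area}] {item}: {detail}")
```

On the constructed samples the script reports /tmp missing noexec, /home missing nodev (no separate partition at all), ip_forward set to 1, tcp_syncookies unset, and the three sshd directives. The two parsers deliberately differ in precedence because the daemons do: sysctl applies lines in order so the last assignment wins, while sshd takes the first occurrence of a keyword, so a hardened value appended to the end of sshd_config below an earlier permissive one has no effect and the checker correctly flags it.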


The file below contains the remediation steps for all of these hardening items on CentOS.


CIS_CentOS_Linux_6_Benchmark_v1.0.0.pdf (PDF, 2.38MB)

Source: CIS Security Benchmarks

