Linux - Hardening OS


Document Linux host information


Each time you work on a new Linux hardening job, create a new document that lists every checklist item in this post, and check off each item as you apply it to the system. At the top of the document, record the Linux host information:


  • Machine name

  • IP address

  • MAC address

  • Name of the person who is doing the hardening (most likely you)

  • Date

  • Asset number (if you are working for a company, include the asset number your company uses for tagging hosts)


BIOS protection


You need to protect the BIOS of the host with a password so the end user cannot change or override the security settings in the BIOS; it is important to keep this area protected from any changes. Each computer manufacturer uses a different key sequence to enter the BIOS setup; once inside, it is a matter of finding the screen where the administrative password is set.


Next, disable booting from external media devices (USB/CD/DVD). If this setting is left unchanged, anyone with physical access can boot a USB stick that contains a bootable OS and read the data on your disks.


Recent server motherboards ship with a management controller that exposes its own web server for remote access. Make sure to change the default password of that admin page, or disable it if possible.



Hard disk encryption (confidentiality)


Most Linux distributions let you encrypt your disks during installation. Disk encryption matters in case of theft: the person who stole your computer cannot read your data by connecting the hard disk to their own machine.


Disk partitioning (availability)

Backups have many advantages in case of a damaged system or a bug introduced by an OS update. For important servers, the backup needs to be transferred offsite in case of a disaster. Backups also need to be managed: for example, how long will you keep the old backups? How often do you need to back up your system (every day, every week, …)?


Critical systems should be separated into different partitions for:


  • /

  • /boot

  • /usr

  • /home

  • /tmp

  • /var

  • /opt



Lock the boot directory

The boot directory contains important files related to the Linux kernel, so make sure this directory is mounted read-only by setting the “ro” option on its entry in the /etc/fstab file.
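The partition list above and the read-only /boot mount can both be verified from /etc/fstab. The following script is an added example (not code from the original post): it parses an fstab, reports every checklist mount point that has no dedicated entry, and flags a /boot entry that lacks the “ro” option. The fstab content below is constructed for the demonstration; on a real host you would pass /etc/fstab.

```shell
#!/bin/sh
# Added example (not part of the original post): check an fstab for the
# dedicated partitions listed in the checklist and for a read-only /boot mount.

# Mount points the checklist wants on their own partition.
WANTED='/ /boot /usr /home /tmp /var /opt'

# mount_options FSTAB MOUNTPOINT
# Prints the mount-options field of the matching entry; empty if there is none.
mount_options() {
    awk -v mp="$2" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4; exit }' "$1"
}

# has_option OPTIONS OPT -> true when OPT is one of the comma-separated options
# (an exact item match, so "errors=remount-ro" does not count as "ro").
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# audit_fstab FSTAB
# Prints one finding per line and returns the number of findings (0 = clean).
audit_fstab() {
    _fstab="$1"; _findings=0
    for _mp in $WANTED; do
        if [ -z "$(mount_options "$_fstab" "$_mp")" ]; then
            echo "$_mp: no dedicated partition in fstab"
            _findings=$((_findings + 1))
        fi
    done
    _boot=$(mount_options "$_fstab" /boot)
    if [ -n "$_boot" ] && ! has_option "$_boot" ro; then
        echo "/boot: mounted read-write (options: $_boot); add 'ro'"
        _findings=$((_findings + 1))
    fi
    return "$_findings"
}

# Constructed sample fstab (not from a real host): /usr, /tmp and /opt share
# the root filesystem, and /boot is writable.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# <device>        <mount>  <type>  <options>        <dump> <pass>
UUID=1111-root    /        ext4    defaults         1 1
UUID=2222-boot    /boot    ext4    defaults         1 2
UUID=3333-home    /home    ext4    defaults,nodev   1 2
UUID=4444-var     /var     ext4    defaults         1 2
UUID=5555-swap    swap     swap    defaults         0 0
EOF

status=0
audit_fstab "$SAMPLE_FSTAB" || status=$?
echo "findings: $status"
```

The sample produces four findings (three missing partitions plus the writable /boot). Keep in mind that a read-only /boot has to be remounted read-write (mount -o remount,rw /boot) before a kernel or bootloader update, and remounted read-only afterwards; a package manager hook is the usual place to automate that.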

Permissions for secure boot settings


Set the owner and group of /etc/grub.conf to the root user:

#chown root:root /etc/grub.conf

Set the permissions on /etc/grub.conf so that only root can read and write it:

#chmod og-rwx /etc/grub.conf

Require authentication for single-user mode:

#sed -i "/SINGLE/s/sushell/sulogin/" /etc/sysconfig/init
#sed -i "/PROMPT/s/yes/no/" /etc/sysconfig/init

These paths belong to the legacy GRUB and /etc/sysconfig/init layout; on GRUB 2 systems the bootloader configuration lives in /boot/grub2/grub.cfg (or /boot/grub/grub.cfg on Debian-based distributions), and the same ownership and permission rules apply to that file.



Check for open ports


Identifying which ports are open, and which process is listening on each of them, is a critical task. Use the following command to list all TCP sockets together with their owning process (run it as root, otherwise the PID/Program name column is only filled in for your own processes):

#netstat -pant
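Reading the command output by eye does not scale, so the check is usually scripted: keep an allow-list of the ports a host is supposed to expose and report every other listener bound to a non-loopback address. The script below is an added example (not code from the original post); the netstat output it parses is constructed for the demonstration, and the allow-list of “22 443” is an assumption for this sample host. On distributions where net-tools is no longer installed, ss -tlnp gives the same information in a slightly different column layout.

```shell
#!/bin/sh
# Added example (not part of the original post): compare listening sockets in
# "netstat -pant" output with an allow-list of expected ports and report any
# listener on a non-loopback address that is not approved.

# Constructed netstat -pant output (not captured from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1337/python3
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 2001/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
tcp6       0      0 :::443                  :::*                    LISTEN      1102/nginx'

# listening_sockets < netstat-output
# Prints "port address program" for every LISTEN socket, skipping sockets
# bound to the loopback address only (they are not reachable from outside).
listening_sockets() {
    awk '$6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "127.0.0.1" || addr == "::1") next
        split($7, p, "/"); prog = p[2]
        if (prog == "") prog = $7
        print port, addr, prog
    }'
}

# unexpected_listeners ALLOWED_PORTS < netstat-output
# ALLOWED_PORTS is a space-separated list such as "22 443". Prints one line per
# listener whose port is not allowed and returns how many there were.
unexpected_listeners() {
    _allowed=" $1 "; _count=0
    _sockets=$(listening_sockets)
    while read -r _port _addr _prog; do
        [ -n "$_port" ] || continue
        case "$_allowed" in
            *" $_port "*) ;;
            *) echo "port $_port ($_prog) on $_addr is not in the allow-list"
               _count=$((_count + 1)) ;;
        esac
    done <<EOF
$_sockets
EOF
    return "$_count"
}

# Allow-list for this sample host (assumption): SSH and HTTPS only.
status=0
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 443" || status=$?
echo "unexpected listeners: $status"
```

On the sample data only the python3 process on port 8080 is reported; the SMTP listener on 127.0.0.1:25 is ignored because it is loopback-only, and the established SSH session is not a listener at all. On a live host, pipe the real command in: netstat -pant | unexpected_listeners "22 443".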


Secure SSH


SSH is a secure protocol, but the service still needs hardening. You can also disable SSH entirely; if you want to keep using it, change its default configuration. To do so, browse to /etc/ssh and open the “sshd_config” file in your favorite text editor.


Make sure that root cannot log in remotely through SSH:

  • PermitRootLogin no

Allow only specific users to log in:

  • AllowUsers [username]

Here are some additional options that must be present in the “sshd_config” file:


  • Protocol 2

  • IgnoreRhosts yes

  • HostbasedAuthentication no

  • PermitEmptyPasswords no

  • X11Forwarding no

  • MaxAuthTries 5

  • Ciphers aes128-ctr,aes192-ctr,aes256-ctr

  • ClientAliveInterval 900

  • ClientAliveCountMax 0

  • UsePAM yes
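Checking these directives by hand is error-prone because sshd takes the first uncommented occurrence of a keyword, ignores case, and treats anything after a Match line as conditional. The script below is an added example (not code from the original post): it reads an sshd_config, resolves the effective global value of each directive in the list above, and reports every deviation. The sshd_config it scans is constructed for the demonstration and deliberately contains two faults.

```shell
#!/bin/sh
# Added example (not part of the original post): audit an sshd_config file
# against the directives in the checklist above and report every deviation.

# Directives and expected values, taken from the checklist.
EXPECTED='PermitRootLogin no
Protocol 2
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 5
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveInterval 900
ClientAliveCountMax 0
UsePAM yes'

# effective_value FILE DIRECTIVE
# sshd uses the FIRST uncommented occurrence of a keyword, and keywords are
# case-insensitive. Lines after a "Match" block apply only conditionally, so
# the global scan stops there.
effective_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints "Directive expected=X actual=Y" per deviation; returns their count.
audit_sshd_config() {
    _file="$1"; _fail=0
    while read -r _directive _want; do
        [ -n "$_directive" ] || continue
        _got=$(effective_value "$_file" "$_directive")
        if [ "$_got" != "$_want" ]; then
            printf '%s expected=%s actual=%s\n' "$_directive" "$_want" "${_got:-<missing>}"
            _fail=$((_fail + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$_fail"
}

# Constructed sample sshd_config (not from any real host) with two deliberate
# faults: the commented-out "PermitRootLogin no" is followed by an active
# "yes", and X11Forwarding only appears inside a Match block, so globally it
# is unset.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# sshd_config - constructed sample
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
AllowUsers opsadmin
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
MaxAuthTries 5
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveInterval 900
ClientAliveCountMax 0
UsePAM yes
Match User backup
    X11Forwarding no
EOF

status=0
audit_sshd_config "$SAMPLE_CONFIG" || status=$?
echo "deviations found: $status"
```

The sample reports two deviations: PermitRootLogin and the missing X11Forwarding. Two caveats for real hosts: this scanner does not follow Include directives (OpenSSH 8.2 and later), so run sshd -T as root to see the fully resolved configuration; and on OpenSSH 8.2 and later ClientAliveCountMax 0 disables the idle-disconnect mechanism instead of enforcing it, so verify the behaviour your version documents before relying on that value.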


SELinux


Security-Enhanced Linux (SELinux) is a kernel security mechanism that enforces a mandatory access control policy. SELinux has three modes:


  • Disabled: Turned-off

  • Permissive: Prints warnings

  • Enforcing: Policy is enforced


Using a text editor, open the config file:

#nano /etc/selinux/config

And make sure that the policy is enforced:

SELINUX=enforcing
