Table of Contents

• Introduction
  • Status
  • Todo
  • Prologue
  • Levels of priority
  • OpenSCAP
• Partitioning
  • Separate partitions
  • Restrict mount options
  • Polyinstantiated directories
  • Shared memory
  • Encrypt partitions
  • Summary checklist
• Physical Access
  • Password for Single User Mode
  • Summary checklist
• Bootloader
  • Protect bootloader config files
  • Summary checklist
• Linux Kernel
  • Kernel logs
  • Kernel pointers
  • ExecShield
  • Memory protection
  • Summary checklist
• Logging
  • Syslog
• Users and Groups
  • Passwords
  • Logon Access
  • Summary checklist
• Filesystem
  • Hardlinks & Symlinks
  • Dynamic Mounting and Unmounting
  • Summary checklist
• Permissions
• SELinux & Auditd
  • SELinux Enforcing
  • Summary checklist
• System Updates
• Network
  • TCP/SYN
  • Routing
  • ICMP Protocol
  • Broadcast
  • Summary checklist
• Services
• Tools

Introduction

In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle a single-function system is more secure than a multipurpose one. The main goal of systems hardening is to reduce security risk by eliminating potential attack vectors and condensing the system’s attack surface.

This list contains the most important hardening rules for GNU/Linux systems.

Status

Still work in progress... 👷

I also created another repository (in a more detailed way): the-practical-linux-hardening-guide.

Todo

• Add rationale (e.g. url's, external resources)
• Review levels of priority

Prologue

I'm not advocating throwing your existing hardening and deployment best practices out the door but I recommend is to always turn a feature from this checklist on in pre-production environments instead of jumping directly into production.

Levels of priority

All items in this checklist contains three levels of priority:

• means that the item has a low priority.
• means that the item has a medium priority. You shouldn't avoid tackling that item.
• means that the item has a high priority. You can't avoid following that rule and implement the corrections recommended.

OpenSCAP

SCAP (Security Content Automation Protocol) provides a mechanism to check configurations, vulnerability management and evaluate policy compliance for a variety of systems. One of the most popular implementations of SCAP is OpenSCAP and it is very helpful for vulnerability assessment and also as hardening helper.

Some of the external audit tools use this standard. For example Nessus has functionality for authenticated SCAP scans.

I tried to make this list compatible with OpenSCAP standard and rules. However, there may be differences.

Partitioning

Separate partitions

• Ensure /boot located on separate partition.

• Ensure /home located on separate partition.

• Ensure /usr located on separate partition.

• Ensure /var located on separate partition.

• Ensure /var/log and /var/log/audit located on separate partitions.

• Ensure /tmp and /var/tmp located on separate partitions.

Restrict mount options

• Restrict /usr partition mount options.

  Example:

  UUID=<...>  /usr  ext4  defaults,nodev,ro  0 2

• Restrict /var partition mount options.

  Example:

  UUID=<...>  /var  ext4  defaults,nosuid  0 2

• Restrict /var/log and /var/log/audit partitions mount options.

  Example:

  UUID=<...>  /var/log        ext4  defaults,nosuid,noexec,nodev  0 2
  UUID=<...>  /var/log/audit  ext4  defaults,nosuid,noexec,nodev  0 2

• Restrict /proc partition mount options.

  Example:

  proc  /proc  proc  defaults,hidepid=2  0 0

• Restrict /boot partition mount options.

  Example:

  LABEL=/boot  /boot  ext2  defaults,nodev,nosuid,noexec,ro  1 2

• Restrict /home partition mount options.

  Example:

  UUID=<...>  /home  ext4  defaults,nodev,nosuid  0 2

• Restrict /var and /var/tmp partitions mount options.

  Example:

  mv /var/tmp /var/tmp.old
  ln -s /tmp /var/tmp
  cp -prf /var/tmp.old/* /tmp && rm -fr /var/tmp.old
  
  UUID=<...>  /tmp  ext4  defaults,nodev,nosuid,noexec  0 2

• Restrict /dev/shm partition mount options.

  Example:

  tmpfs  /dev/shm  tmpfs  rw,nodev,nosuid,noexec,size=1024M,mode=1777 0 0

Polyinstantiated directories

• Setting up polyinstantiated /var and /var/tmp directories.

  Example:

  # Create new directories:
  mkdir --mode 000 /tmp-inst
  mkdir --mode 000 /var/tmp/tmp-inst
  
  # Edit /etc/security/namespace.conf:
  /tmp      /tmp-inst/          level  root,adm
  /var/tmp  /var/tmp/tmp-inst/  level  root,adm
  
  # Set correct SELinux context:
  setsebool polyinstantiation_enabled=1
  chcon --reference=/tmp /tmp-inst
  chcon --reference=/var/tmp/ /var/tmp/tmp-inst

Shared memory

• Set group for /dev/shm.

  Example:

  tmpfs  /dev/shm  tmpfs  rw,nodev,nosuid,noexec,size=1024M,mode=1770,uid=root,gid=shm 0 0

Encrypt partitions

• Encrypt swap partition.

  Example:

  # Edit /etc/crypttab:
  sdb1_crypt /dev/sdb1 /dev/urandom cipher=aes-xts-plain64,size=256,swap,discard
  
  # Edit /etc/fstab:
  /dev/mapper/sdb1_crypt none swap sw 0 0

☑️ Summary checklist

Rule	Priority	Checkbox
Separate /boot		🔲
Separate /home		🔲
Separate /usr		🔲
Separate /var		🔲
Separate /var/log and /var/log/audit		🔲
Separate /tmp and /var/tmp		🔲
Restrict /usr mount options		🔲
Restrict /var mount options		🔲
Restrict /var/log and /var/log/audit mount options		🔲
Restrict /proc mount options		🔲
Restrict /boot mount options		🔲
Restrict /home mount options		🔲
Restrict /tmp/ and /var/tmp mount options		🔲
Restrict /dev/shm mount options		🔲
Polyinstantiated /tmp and /var/tmp		🔲
Set group for /dev/shm		🔲
Encrypt swap		🔲

Physical Access

Password for Single User Mode

• Protect Single User Mode with root password.

  Example:

  # Edit /etc/sysconfig/init.
  SINGLE=/sbin/sulogin

☑️ Summary checklist

Rule	Priority	Checkbox
Protect Single User Mode.		🔲

Bootloader

Protect bootloader config files

• Ensure bootloader config files are set properly permissions.

  Example:

  # Set the owner and group of /etc/grub.conf to the root user:
  chown root:root /etc/grub.conf
  chown -R root:root /etc/grub.d
  
  # Set permissions on the /etc/grub.conf or /etc/grub.d file to read and write for root only:
  chmod og-rwx /etc/grub.conf
  chmod -R og-rwx /etc/grub.d

☑️ Summary checklist

Rule	Priority	Checkbox
Protect bootloader config files		🔲

Linux Kernel

Kernel logs

• Restricting access to kernel logs.

  Example:

  echo "kernel.dmesg_restrict = 1" > /etc/sysctl.d/50-dmesg-restrict.conf

Kernel pointers

• Restricting access to kernel pointers.

  Example:

  echo "kernel.kptr_restrict = 1" > /etc/sysctl.d/50-kptr-restrict.conf

ExecShield

• ExecShield protection.

  Example:

  echo "kernel.exec-shield = 2" > /etc/sysctl.d/50-exec-shield.conf

Memory protections

• Randomise memory space.

  echo "kernel.randomize_va_space=2" > /etc/sysctl.d/50-rand-va-space.conf

☑️ Summary checklist

Rule	Priority	Checkbox
Restricting access to kernel logs		🔲
Restricting access to kernel pointers		🔲
ExecShield protection		🔲
Randomise memory space.		🔲

Logging

Syslog

• Ensure syslog service is enabled and running.

  Example:

  systemctl enable rsyslog
  systemctl start rsyslog

• Send syslog data to external server.

  Example:

  # ELK
  # Logstash
  # Splunk
  # ...

☑️ Summary checklist

Rule	Priority	Checkbox
Ensure syslog service is enabled and running.		🔲
Ensure syslog service is enabled and running.		🔲

Users and Groups

Passwords

• Update password policy (PAM).

  Example:

  authconfig --passalgo=sha512 \
  --passminlen=14 \
  --passminclass=4 \
  --passmaxrepeat=2 \
  --passmaxclassrepeat=2 \
  --enablereqlower \
  --enablerequpper \
  --enablereqdigit \
  --enablereqother \
  --update

• Limit password reuse (PAM).

  Example:

  # Edit /etc/pam.d/system-auth
  
  # For the pam_unix.so case:
  password sufficient pam_unix.so ... remember=5
  
  # For the pam_pwhistory.so case:
  password requisite pam_pwhistory.so ... remember=5

• Secure /etc/login.defs password policy.

  Example:

  # Edit /etc/login.defs
  PASS_MIN_LEN 14
  PASS_MIN_DAYS 1
  PASS_MAX_DAYS 60
  PASS_WARN_AGE 14

Logon Access

• Set auto logout inactive users.

  Example:

  echo "readonly TMOUT=900" >> /etc/profile.d/idle-users.sh
  echo "readonly HISTFILE" >> /etc/profile.d/idle-users.sh
  chmod +x /etc/profile.d/idle-users.sh

• Set last logon/access notification.

  Example:

  # Edit /etc/pam.d/system-auth
  session required pam_lastlog.so showfailed

• Lock out accounts after a number of incorrect login (PAM).

  Example:

  # Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth
  
  # Add the following line immediately before the pam_unix.so statement in the AUTH section:
  auth required pam_faillock.so preauth silent deny=3 unlock_time=never fail_interval=900
  
  # Add the following line immediately after the pam_unix.so statement in the AUTH section:
  auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never fail_interval=900
  
  # Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
  account required pam_faillock.so

☑️ Summary checklist

Rule	Priority	Checkbox
Update password policy		🔲
Limit password reuse		🔲
Secure /etc/login.defs password policy		🔲
Set auto logout inactive users.		🔲
Set last logon/access notification		🔲
Lock out accounts after a number of incorrect login		🔲

Filesystem

Hardlinks & Symlinks

• Enable hard/soft link protection.

  Example:

  echo "fs.protected_hardlinks = 1" > /etc/sysctl.d/50-fs-hardening.conf
  echo "fs.protected_symlinks = 1" >> /etc/sysctl.d/50-fs-hardening.conf

Dynamic Mounting and Unmounting

• Disable uncommon filesystems.

  Example:

  echo "install cramfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
  echo "install freevxfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
  echo "install jffs2 /bin/false" > /etc/modprobe.d/uncommon-fs.conf
  echo "install hfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
  echo "install hfsplus /bin/false" > /etc/modprobe.d/uncommon-fs.conf
  echo "install squashfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
  echo "install udf /bin/false" > /etc/modprobe.d/uncommon-fs.conf
  echo "install fat /bin/false" > /etc/modprobe.d/uncommon-fs.conf
  echo "install vfat /bin/false" > /etc/modprobe.d/uncommon-fs.conf
  echo "install nfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf
  echo "install nfsv3 /bin/false" > /etc/modprobe.d/uncommon-fs.conf
  echo "install gfs2 /bin/false" > /etc/modprobe.d/uncommon-fs.conf

☑️ Summary checklist

Rule	Priority	Checkbox
Enable hard/soft link protection.		🔲
Disable uncommon filesystems.		🔲

Permissions

SELinux & Auditd

SELinux Enforcing

• Set SELinux Enforcing mode.

  Example:

  # Edit /etc/selinux/config.
  SELINUXTYPE=enforcing

☑️ Summary checklist

Rule	Priority	Checkbox
Set SELinux Enforcing mode.		🔲

System Updates

Network

TCP/SYN

• Enable TCP SYN Cookie protection.

  Example:

  echo "net.ipv4.tcp_syncookies = 1" > /etc/sysctl.d/50-net-stack.conf

Routing

• Disable IP source routing.

  Example:

  echo "net.ipv4.conf.all.accept_source_route = 0" > /etc/sysctl.d/50-net-stack.conf

ICMP Protocol

• Disable ICMP redirect acceptance.

  Example:

  echo "net.ipv4.conf.all.accept_redirects = 0" > /etc/sysctl.d/50-net-stack.conf

• Enable ignoring to ICMP requests.

  Example:

  echo "net.ipv4.icmp_echo_ignore_all = 1" > /etc/sysctl.d/50-net-stack.conf

Broadcast

• Enable ignoring broadcasts request.

  Example:

  echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/50-net-stack.conf

☑️ Summary checklist

Rule	Priority	Checkbox
Enable TCP SYN Cookie protection.		🔲
Disable IP source routing.		🔲
Disable ICMP redirect acceptance.		🔲
Enable ignoring to ICMP requests.		🔲
Enable ignoring broadcasts request.		🔲

Services

Tools