Linux Hardening

Following are the areas of hardening / security that need to be addressed on a Linux VM, along with their procedures.


  • No internet access on the server

This can be handled through the Mirantis dashboard for the VMs.

Locate the Access & Security >> Egress rule for ipv4 & ipv6 which is enabled by default.

Verify that the same Access & Security rule template is not being used by any other VM; if it is, you will have to create a new custom template for your VM.

Disable the default Egress rule for ipv4 & ipv6, which is set to send any & all traffic out of the VM. This will block any HTTP, HTTPS or FTP request going out of the system.

Please note: as this approach affects all outgoing traffic from the VM, you might have to enable outgoing ports on a per-request basis, only when needed.


  • No direct root login, only sudo enabled

Rather than disabling the root account, you can lock the root account password. This will not allow the root user to log in with the root password.

Before locking the root user, create a new user using useradd.

Locate the group that has sudo access in the /etc/sudoers file, and add the new user to this group.

Test the sudo access for the new user.

Now lock the root user account: sudo passwd -l root
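The four steps above as one script, plus the two checks that matter most: confirming sudo works for the new user before root is locked, and confirming afterwards that the root password field is actually locked. This is an added example, not code from the original post; it assumes a distribution whose /etc/sudoers grants a group `ALL=(ALL)` (wheel on RHEL/CentOS, sudo on Debian/Ubuntu), and the function names and the `apply` argument are my own. Only `apply_hardening` needs root; the helpers run unprivileged against any sudoers or shadow file you point them at.

```bash
#!/bin/sh
# Added example: lock direct root login, keep sudo for a named admin user.
# Assumes /etc/sudoers contains a line such as "%wheel ALL=(ALL) ALL".

# Print the first group in a sudoers file that is granted ALL privileges,
# e.g. "%wheel ALL=(ALL) ALL" -> "wheel".  Commented-out lines are ignored.
sudo_group_from_sudoers() {
    sed -n 's/^%\([A-Za-z0-9_-]*\)[[:space:]]\{1,\}ALL=.*/\1/p' "$1" | head -n 1
}

# Password field for a user from a shadow file (default /etc/shadow).
shadow_hash_for() {
    awk -F: -v u="$1" '$1 == u { print $2 }' "${2:-/etc/shadow}"
}

# "passwd -l" prefixes the hash with "!", which no password can ever match.
# Returns 0 when the field is locked, 1 otherwise.
is_locked_hash() {
    case "$1" in
        '!'*) return 0 ;;
        *)    return 1 ;;
    esac
}

# The procedure itself (root required):  ./harden_root.sh apply <newuser>
apply_hardening() {
    newuser=$1
    group=$(sudo_group_from_sudoers /etc/sudoers)
    [ -n "$group" ] || { echo "no sudo group found in /etc/sudoers" >&2; return 1; }
    useradd -m "$newuser"
    passwd "$newuser"                      # interactive: set the new user's password
    usermod -aG "$group" "$newuser"
    # Test sudo as the new user BEFORE locking root; otherwise a typo in the
    # group name leaves the box with no usable administrative account.
    su - "$newuser" -c 'sudo -v' || { echo "sudo test failed; root NOT locked" >&2; return 1; }
    passwd -l root
    is_locked_hash "$(shadow_hash_for root)" && echo "root password locked"
}

if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    apply_hardening "$2"
fi
```

`passwd -l` only disables password authentication for root; `su` from a sudo-capable user and console logins via other PAM mechanisms (e.g. SSH keys in /root/.ssh) are unaffected, which is why the next section matters as well.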


  • Only key based login, no X

Go to /etc/inittab and find the line reading "id:5:initdefault:".

Replace it with "id:3:initdefault:" and save the file.

On the next boot / reboot the system should boot to a text console rather than X.
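The heading promises key-based login as well as no X, so this added example covers both: it edits the inittab runlevel exactly as described, and sets the sshd_config directives that make SSH accept keys only. It is not code from the original post. The function names are my own, and it assumes a SysV-style system (systemd ignores /etc/inittab; there the equivalent is the multi-user.target default) and an sshd_config without Match blocks. The `has_authorized_key` guard exists because disabling passwords before a key is installed for the admin user locks you out of the VM.

```bash
#!/bin/sh
# Added example: key-only SSH and a text-mode default runlevel.

# Set "Key value" in an sshd_config-style file.  The first occurrence, active
# or commented-out, is rewritten; later duplicates are dropped (sshd honours
# only the first occurrence anyway); the directive is appended if absent.
# File permissions are preserved because the file is rewritten in place.
set_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # strip indent and comment marker
            split(line, f, /[ \t]+/)
            if (f[1] == k) { if (!done) { print k " " v; done = 1 }; next }
            print
        }
        END { if (!done) print k " " v }' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Effective value of a directive (commented-out lines do not count).
sshd_directive() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# Rewrite the id:N:initdefault: line of an inittab file to runlevel N.
set_initdefault() {
    file=$1 level=$2
    tmp=$(mktemp)
    sed "s/^id:[0-6]:initdefault:/id:$level:initdefault:/" "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

initdefault_level() {
    sed -n 's/^id:\([0-6]\):initdefault:.*/\1/p' "$1"
}

# True when the given home directory has at least one authorized key installed.
has_authorized_key() {
    [ -s "$1/.ssh/authorized_keys" ]
}

# Apply to the live system (root required):  ./key_only.sh apply /home/<admin>
apply_key_only_login() {
    admin_home=$1
    has_authorized_key "$admin_home" || { echo "no authorized_keys in $admin_home; refusing to disable passwords" >&2; return 1; }
    set_directive /etc/ssh/sshd_config PubkeyAuthentication yes
    set_directive /etc/ssh/sshd_config PasswordAuthentication no
    set_directive /etc/ssh/sshd_config ChallengeResponseAuthentication no
    set_directive /etc/ssh/sshd_config PermitRootLogin no
    sshd -t || { echo "sshd_config failed syntax check; fix before reloading" >&2; return 1; }
    [ -f /etc/inittab ] && set_initdefault /etc/inittab 3
    return 0
}

if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    apply_key_only_login "$2"
fi
```

Keep the existing SSH session open while reloading sshd and verify a fresh key-based login from a second terminal before closing it; `sshd -t` catches syntax errors, not a missing key.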


  • Enable SE Linux

Verify the current SELinux status with the command sestatus

It will be in one of these states:

# enforcing – SELinux security policy is enforced.

# permissive – SELinux prints warnings instead of enforcing.

# disabled – No SELinux policy is loaded.

Set the appropriate value in the file /etc/selinux/config

To enable SELinux (in permissive mode, which only logs violations, as listed above), set it to:

SELINUX=permissive

SELINUXTYPE=targeted
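A check for the state described above, added here as an example (not code from the original post): it reads the requested mode from the config file, the running mode from selinuxfs (the same source `sestatus` and `getenforce` report from), and flags drift between the two. Per the page's own list, only `enforcing` actually blocks policy violations, so the check treats `permissive` as a finding rather than a pass. The function names and the optional path arguments (there so the check can be run against copied files) are my own.

```bash
#!/bin/sh
# Added example: verify SELinux configuration against runtime state.

# Mode requested in an /etc/selinux/config-style file: last active SELINUX=
# assignment wins, comments and whitespace are ignored, value lowercased.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1 | tr 'A-Z' 'a-z'
}

# Policy type requested in the same file (e.g. targeted, mls).
selinux_config_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([A-Za-z_-]*\).*/\1/p' "$1" | tail -n 1
}

# Mode the running kernel is in.  selinuxfs exposes "enforce" as 1 or 0 when a
# policy is loaded; no selinuxfs means SELinux is disabled.  Works without the
# policycoreutils tools installed.
selinux_runtime_mode() {
    fs=${1:-/sys/fs/selinux}
    if [ -r "$fs/enforce" ]; then
        case "$(cat "$fs/enforce")" in
            1) echo enforcing ;;
            *) echo permissive ;;
        esac
    else
        echo disabled
    fi
}

# Compare requested vs. running mode.  Returns 0 only when both are enforcing;
# everything else is printed as a finding and returns 1.
selinux_check() {
    cfg=$(selinux_config_mode "${1:-/etc/selinux/config}")
    run=$(selinux_runtime_mode "${2:-/sys/fs/selinux}")
    if [ "$cfg" != "$run" ]; then
        echo "FINDING: config requests '$cfg' but kernel is '$run' (reboot or setenforce pending)"
        return 1
    fi
    if [ "$run" != "enforcing" ]; then
        echo "FINDING: SELinux is '$run'; policy violations are not blocked"
        return 1
    fi
    echo "OK: SELinux enforcing, policy type $(selinux_config_type "${1:-/etc/selinux/config}")"
    return 0
}

[ "${1:-}" = "check" ] && selinux_check
```

Moving from `permissive` to `enforcing` is safest done after running in permissive mode for a while and reviewing the AVC denials in the audit log, so that legitimate services are not blocked when enforcement starts.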


  • Enable logrotate for system logs under /var/log

Most of the logs under /var/log/ are already set up for automatic backup and rotation.

If any help is needed with setting up new logrotate scripts, refer to http://www.thegeekstuff.com/2010/07/logrotate-examples/


  • Disable rlogin & rsh services

None of these services are enabled; their binaries were not even present on the host.
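The observation above is worth turning into a repeatable check, since a later package install can bring the r-services back. This added example (not code from the original post) looks for the legacy client and daemon binaries in the usual bin directories and for enabled rsh/rlogin/rexec entries in inetd.conf or /etc/xinetd.d, which is how these daemons were traditionally started. The function names are my own; the directory and file arguments default to the system paths and exist so the check can be pointed at copies.

```bash
#!/bin/sh
# Added example: confirm the legacy r-services are absent.

# Clients and daemons that should not exist on a hardened host.
R_COMMANDS="rsh rlogin rcp rexec in.rshd in.rlogind in.rexecd"

# Print any r-service binary found in the given directories (default: the
# usual bin dirs).  Empty output means a clean host.
find_r_binaries() {
    [ $# -gt 0 ] || set -- /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin
    for d in "$@"; do
        for c in $R_COMMANDS; do
            [ -x "$d/$c" ] && echo "$d/$c"
        done
    done
    return 0
}

# Print enabled superserver entries for the r-services.  In inetd.conf the
# service names are shell (rsh), login (rlogin) and exec (rexec); xinetd uses
# one file per service with "disable = yes|no".
find_r_inetd_entries() {
    inetd_conf=${1:-/etc/inetd.conf}
    xinetd_dir=${2:-/etc/xinetd.d}
    [ -r "$inetd_conf" ] && grep -E '^[[:space:]]*(shell|login|exec)[[:space:]]' "$inetd_conf"
    if [ -d "$xinetd_dir" ]; then
        for f in "$xinetd_dir/rsh" "$xinetd_dir/rlogin" "$xinetd_dir/rexec"; do
            [ -r "$f" ] && grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no' "$f" && echo "$f"
        done
    fi
    return 0
}

# Returns 0 when nothing was found, 1 (with the findings printed) otherwise.
r_services_check() {
    found=$(find_r_binaries; find_r_inetd_entries)
    if [ -n "$found" ]; then
        echo "FINDING: legacy r-services present:"
        echo "$found"
        return 1
    fi
    echo "OK: no rsh/rlogin/rexec binaries or superserver entries"
    return 0
}

[ "${1:-}" = "check" ] && r_services_check
```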
