# Ubuntu hardening

#### Error: Couldn't find 2 responsive nameservers

By default the file contains only one nameserver, which Lynis flags.

```bash
sudo nano /etc/resolvconf/resolv.conf.d/base

nameserver 8.8.8.8

sudo resolvconf -u
```
Check:

```bash
sudo nano /etc/resolv.conf
```
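As an added example (not part of the original notes), a small shell check that counts the nameserver entries in a resolv.conf-style file, which is the part of the Lynis finding that the fix above addresses; it does not probe whether the resolvers actually answer queries. The function names and the two sample files are constructed for the demonstration.

```shell
#!/bin/bash
# Added example, not from the original notes: count "nameserver" entries in a
# resolv.conf-style file. Function names and sample files are constructed.

count_nameservers() {
    # Drop comment lines, then count lines whose first field is "nameserver"
    # and that carry an address in the second field.
    grep -Ev '^[[:space:]]*[#;]' "$1" \
        | awk '$1 == "nameserver" && NF >= 2 { n++ } END { print n + 0 }'
}

# Non-zero exit when fewer than two resolvers are configured, mirroring the audit.
check_resolv_conf() {
    [ "$(count_nameservers "$1")" -ge 2 ]
}

# Constructed sample 1: the default, a single resolver (what Lynis flags).
single=$(mktemp)
printf '# Generated by resolvconf\nnameserver 127.0.0.53\n' > "$single"

# Constructed sample 2: after the fix above, a second resolver has been added.
fixed=$(mktemp)
printf 'nameserver 127.0.0.53\nnameserver 8.8.8.8\n' > "$fixed"

echo "single resolver file: $(count_nameservers "$single") nameserver(s)"
echo "fixed file:           $(count_nameservers "$fixed") nameserver(s)"
check_resolv_conf "$fixed" && echo "fixed file passes the two-resolver check"
```

Run it against the real file with `check_resolv_conf /etc/resolv.conf` once the change has been applied.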
#### Set a password on GRUB bootloader to prevent altering boot configuration

Generate a hashed password for the GRUB bootloader:

```bash
grub-mkpasswd-pbkdf2
```

Enter the password and copy the hash. Then add the user to the GRUB configuration file:

```bash
sudo nano /etc/grub.d/40_custom

# at the end of the file
set superusers="name"

password_pbkdf2 name [hash from the previous step]

sudo update-grub
```
#### Run pwck manually and correct any errors in the password file

pwck verifies the integrity of the user account data by checking the format of /etc/passwd and /etc/shadow. The -q option shows only the results that require action from the user.

```bash
sudo pwck -q
```
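As an added example (not part of the original notes), a reduced re-implementation of the structural checks pwck performs on /etc/passwd: field count, user name, numeric UID and GID, absolute home directory and duplicate user names. It runs over a constructed sample file; the function names are my own, and the real tool checks more than this.

```shell
#!/bin/bash
# Added example, not from the original notes: a reduced version of the
# structural checks pwck performs on /etc/passwd, run over a constructed
# sample file. Function names are my own.

check_passwd_file() {
    # Print one line per problem found; exit status 1 if any problem was found.
    awk -F: '
        {
            p = 0
            if (NF != 7) { print "line " NR ": expected 7 fields, got " NF; p++ }
            if ($1 == "") { print "line " NR ": empty user name"; p++ }
            else if ($1 in seen) { print "line " NR ": duplicate user name \"" $1 "\""; p++ }
            seen[$1] = 1
            if ($3 !~ /^[0-9]+$/) { print "line " NR ": non-numeric UID \"" $3 "\""; p++ }
            if ($4 !~ /^[0-9]+$/) { print "line " NR ": non-numeric GID \"" $4 "\""; p++ }
            if ($6 !~ /^\//) { print "line " NR ": home directory is not absolute: \"" $6 "\""; p++ }
            total += p
        }
        END { exit (total > 0) }
    ' "$1"
}

# Constructed sample passwd file: three valid entries followed by three broken
# ones (non-numeric UID, duplicate user name, missing shell field).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:abc:1001:Bob:/home/bob:/bin/bash
alice:x:1002:1002:Second alice:/home/alice2:/bin/bash
carol:x:1003:1003:Carol:/home/carol
EOF

# The same file with only the valid entries.
clean=$(mktemp)
head -n 3 "$sample" > "$clean"

if check_passwd_file "$sample"; then
    echo "sample: no problems found"
else
    echo "sample: problems found (see above)"
fi
check_passwd_file "$clean" && echo "clean: no problems found"
```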
#### Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc

The PAM module checks passwords for resistance to dictionary attacks. It can also be used to set a minimum length and other requirements.

```bash
sudo apt-get install libpam-cracklib

# on Ubuntu the password stack is in common-password (system-auth is the Red Hat name)
sudo nano /etc/pam.d/common-password

password required pam_cracklib.so retry=3 minlen=12 difok=6
```

The module now allows three attempts, requires a password of at least 12 characters, and, when the password is changed, requires six characters that differ from the old password.
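To make the two numbers concrete, here is an added example (not part of the original notes, and not pam_cracklib's own code) that applies `minlen=12` and `difok=6` to constructed old/new password pairs. difok is approximated as the number of characters in the new password that do not occur anywhere in the old one, following the pam_cracklib man page's description; the module also runs dictionary, character-class and credit checks that this script leaves out. Function names are my own.

```shell
#!/bin/bash
# Added example, not from the original notes: a shell approximation of the
# pam_cracklib parameters minlen=12 and difok=6. Not the module's own logic;
# dictionary and character-class checks are omitted. Sample passwords are
# constructed and are not real credentials.

MINLEN=12
DIFOK=6

# Count characters of $2 (new password) that do not appear anywhere in $1 (old).
chars_not_in_old() {
    local old=$1 rest=$2 c n=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character of the remainder
        rest=${rest#?}          # drop it
        case $old in
            *"$c"*) ;;
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Returns 0 if accepted, 1 if too short, 2 if too similar to the old password.
check_password_change() {
    local old=$1 new=$2 diff
    if [ "${#new}" -lt "$MINLEN" ]; then
        echo "rejected: shorter than $MINLEN characters"
        return 1
    fi
    diff=$(chars_not_in_old "$old" "$new")
    if [ "$diff" -lt "$DIFOK" ]; then
        echo "rejected: only $diff new characters, need $DIFOK"
        return 2
    fi
    echo "accepted"
}

# Constructed examples; "|| true" only keeps the demo going under set -e.
check_password_change 'Winter2019!!' 'Winter2020!!' || true          # too similar
check_password_change 'Winter2019!!' 'short' || true                 # too short
check_password_change 'Winter2019!!' 'correct-horse-battery' || true # accepted
```

The first pair shows why difok matters: every character of the new password already occurs in the old one, so the change is rejected even though the length is fine.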
#### Configure minimum/maximum password age in /etc/login.defs

Set a minimum and maximum lifetime for passwords.

```bash
sudo nano /etc/login.defs

# at the end of the file
PASS_MAX_DAYS 30

PASS_MIN_DAYS 1

PASS_WARN_AGE 3
```
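The values in login.defs are only defaults for accounts created afterwards; existing accounts keep the aging fields already stored in /etc/shadow (which `chage` modifies). The added example below (not part of the original notes) therefore reads the policy from a login.defs-style file and audits shadow-style entries against it. All sample data, hashes included, is constructed, and the function names are my own.

```shell
#!/bin/bash
# Added example, not from the original notes: check shadow-style entries against
# the PASS_MAX_DAYS / PASS_MIN_DAYS / PASS_WARN_AGE values of a login.defs-style
# file. Sample policy and shadow files are constructed; hashes are placeholders.

login_defs_value() {
    # $1 = login.defs-style file, $2 = key; last non-comment occurrence wins.
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

audit_password_aging() {
    # $1 = login.defs-style file, $2 = shadow-style file.
    # Prints one line per finding. Accounts without a usable hash ("!" or "*")
    # are skipped because password aging never applies to them.
    # shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
    local max min warn
    max=$(login_defs_value "$1" PASS_MAX_DAYS)
    min=$(login_defs_value "$1" PASS_MIN_DAYS)
    warn=$(login_defs_value "$1" PASS_WARN_AGE)
    awk -F: -v max="$max" -v min="$min" -v warn="$warn" '
        $2 ~ /^[!*]/ || $2 == "" { next }
        {
            if ($5 == "" || $5 + 0 > max + 0)
                print $1 ": max age " ($5 == "" ? "unset" : $5) ", policy " max
            if ($4 == "" || $4 + 0 < min + 0)
                print $1 ": min age " ($4 == "" ? "unset" : $4) ", policy " min
            if ($6 == "" || $6 + 0 < warn + 0)
                print $1 ": warn age " ($6 == "" ? "unset" : $6) ", policy " warn
        }
    ' "$2"
}

# Constructed policy file with the values set above.
defs=$(mktemp)
printf 'PASS_MAX_DAYS 30\nPASS_MIN_DAYS 1\nPASS_WARN_AGE 3\n' > "$defs"

# Constructed shadow file: root and bob still carry the old defaults, daemon is a
# locked system account, alice was created after the policy change.
shadow=$(mktemp)
cat > "$shadow" <<'EOF'
root:$6$placeholderhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$6$placeholderhash:18500:1:30:3:::
bob:$6$placeholderhash:18500:0:90:3:::
EOF

audit_password_aging "$defs" "$shadow"
```

On a real system run it as `sudo sh` with `/etc/login.defs` and `/etc/shadow`, then fix each finding with `chage -M`, `-m` and `-W` for that account.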
#### Default umask in /etc/init.d/rc could be more strict like 027

#### Default umask in /etc/login.defs could be more strict like 027

umask sets the default permissions for newly created files. Permissions are restricted for everyone other than the file's owner and group.

```bash
sudo nano /etc/login.defs

# login.defs uses the upper-case key
UMASK 027

sudo nano /etc/init.d/rc

umask 027
```
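What 027 means in practice, as an added example (not part of the original notes): the resulting mode is the creation base (666 for files, 777 for directories) with the mask bits cleared, so files come out 640 and directories 750. The script below computes that and also creates real objects under the mask in a temporary directory to confirm it. Function names are my own; `stat -c` is the GNU coreutils form used on Ubuntu.

```shell
#!/bin/bash
# Added example, not from the original notes: show what a umask does to newly
# created files and directories, by arithmetic (mode = base & ~umask) and by
# creating real objects under the mask. Function names are my own.

# Expected mode from the mask: files start from 666, directories from 777.
expected_mode() {
    # $1 = umask (octal digits), $2 = "file" or "dir"
    local base
    if [ "$2" = dir ]; then base=0777; else base=0666; fi
    printf '%03o\n' $(( $base & ~0$1 ))
}

# Observed mode: create the object under the mask and read its permission bits.
observed_mode() {
    # $1 = umask (octal digits), $2 = "file" or "dir"
    local tmp mode
    tmp=$(mktemp -d)
    (
        umask "$1"
        if [ "$2" = dir ]; then mkdir "$tmp/obj"; else : > "$tmp/obj"; fi
    )
    mode=$(stat -c %a "$tmp/obj")
    rm -rf "$tmp"
    echo "$mode"
}

# Compare the permissive default (022) with the stricter 027 from the notes.
for mask in 022 027; do
    echo "umask $mask: file $(observed_mode "$mask" file) (expected $(expected_mode "$mask" file))," \
         "dir $(observed_mode "$mask" dir) (expected $(expected_mode "$mask" dir))"
done
```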
#### Remove duplicate lines in /etc/hosts

Remove the line that appears twice:

```bash
sudo nano /etc/hosts
```
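Finding the duplicate before opening the editor, as an added example (not part of the original notes): the script normalises whitespace and strips comments first, so a tab-separated and a space-separated copy of the same entry are recognised as one, then lists the repeated lines and shows a deduplicated version that keeps the first occurrence. The sample file is constructed and the function names are my own.

```shell
#!/bin/bash
# Added example, not from the original notes: find and remove duplicate lines in
# an /etc/hosts-style file. Sample file and function names are constructed.

normalise_hosts() {
    # Strip comments, squeeze runs of blanks/tabs to one space, drop empty lines.
    sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' "$1" \
        | grep -v '^$'
}

duplicate_hosts_lines() {
    # Lines that occur more than once after normalisation.
    normalise_hosts "$1" | sort | uniq -d
}

dedupe_hosts() {
    # Keep the first occurrence of each line, preserving the original order.
    normalise_hosts "$1" | awk '!seen[$0]++'
}

# Constructed sample: the localhost entry appears twice, once with a tab.
hosts=$(mktemp)
printf '# constructed sample\n127.0.0.1   localhost\n127.0.1.1   myhost\n127.0.0.1\tlocalhost\n::1         ip6-localhost ip6-loopback\n' > "$hosts"

echo "duplicates:"
duplicate_hosts_lines "$hosts"
echo "deduplicated file:"
dedupe_hosts "$hosts"
```

`dedupe_hosts` writes to stdout; review its output before replacing /etc/hosts with it, since it also drops comment lines.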
#### Install debsums utility for the verification of packages with known good database

```bash
sudo apt-get install debsums

sudo debsums -a -s
```

#### Install package apt-show-versions for patch management purposes

```bash
sudo apt-get install apt-show-versions
```

#### Install a package audit tool to determine vulnerable packages

Could not find one for Ubuntu.

#### Consider running ARP monitoring software

```bash
sudo apt-get install arpwatch
```
#### SSH hardening

Setting the banner message:

```bash
sudo nano /etc/issue.net

# add at the end
Unauthorized access is prohibited

sudo nano /etc/ssh/sshd_config

# uncomment the Banner line
Banner /etc/issue.net
```

Settings:

```bash
sudo nano /etc/ssh/sshd_config

# at the end
AllowTcpForwarding no
ClientAliveCountMax 2
Compression no
MaxSessions 2
MaxAuthTries 3
AllowAgentForwarding no
# deprecated since OpenSSH 7.5 (privilege separation is always on); newer versions ignore it
UsePrivilegeSeparation sandbox

# edit the existing lines
LogLevel VERBOSE
X11Forwarding no
TCPKeepAlive no
```
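The split between "at the end" and "edit the existing lines" matters because sshd uses the first value it reads for each keyword: a directive appended below an earlier setting of the same keyword does nothing. The added example below (not part of the original notes) audits an sshd_config-style file for the settings listed above, looking at the first occurrence exactly as sshd does; the deprecated UsePrivilegeSeparation is left out of the list. The sample configs and function names are constructed.

```shell
#!/bin/bash
# Added example, not from the original notes: check an sshd_config-style file
# for the hardening settings above. sshd takes the FIRST value of each keyword,
# so the audit does the same. Sample configs and function names are constructed.

# Wanted values, taken from the settings above.
WANTED='AllowTcpForwarding no
ClientAliveCountMax 2
Compression no
MaxSessions 2
MaxAuthTries 3
AllowAgentForwarding no
LogLevel VERBOSE
X11Forwarding no
TCPKeepAlive no'

first_value() {
    # $1 = config file, $2 = keyword (case-insensitive, like sshd); prints the
    # value of the first non-comment occurrence, or nothing if unset.
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

audit_sshd_config() {
    # $1 = config file. Prints one line per keyword that is unset or differs.
    local key want have
    echo "$WANTED" | while read -r key want; do
        have=$(first_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "$key: not set, sshd default applies (want $want)"
        elif [ "$have" != "$want" ]; then
            echo "$key: first value is $have, want $want"
        fi
    done
}

# Constructed config where "X11Forwarding no" was appended below an earlier
# "X11Forwarding yes": sshd keeps "yes", and the audit reports it.
weak=$(mktemp)
cat > "$weak" <<'EOF'
Port 22
X11Forwarding yes
LogLevel INFO
MaxAuthTries 3
# appended later; ignored by sshd because X11Forwarding is already set above
X11Forwarding no
EOF

# Constructed config with every wanted directive set once.
good=$(mktemp)
echo "$WANTED" > "$good"

echo "findings for weak config:"
audit_sshd_config "$weak"
echo "findings for good config (none expected):"
audit_sshd_config "$good"
```

After editing the real file, `sudo sshd -t` checks the syntax and `sudo sshd -T` prints the effective values, which is the authoritative way to confirm what sshd will actually use.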
#### Docker: WARNING: No swap limit support

```bash
sudo nano /etc/default/grub

GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"

sudo update-grub
```

#### Enable sysstat to collect accounting

```bash
sudo apt-get install sysstat

sudo nano /etc/default/sysstat

# change false to true
ENABLED="true"

sudo service sysstat restart
```

#### Enable auditd to collect audit information

```bash
sudo apt-get install auditd audispd-plugins
```

#### Harden the system by installing at least one malware scanner, to perform periodic file system scans

```bash
sudo apt-get install rkhunter
```

#### Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft

```bash
sudo nano /etc/modprobe.d/blacklist.conf

# add usb-storage to the blacklist
blacklist usb-storage
```

#### Install a file integrity tool to monitor changes to critical and sensitive files

```bash
sudo apt-get install aide
```

#### nginx enforcing

```bash
sudo mkdir /etc/nginx/certs

sudo wget -O /etc/nginx/certs/lets-encrypt-x3-cross-signed.pem \
    "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"

sudo nano /etc/nginx/nginx.conf

# under the ssl settings
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
# DH+3DES is a legacy 64-bit block cipher; drop it unless old clients still need it
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/lets-encrypt-x3-cross-signed.pem;
```

#### Enable process accounting

```bash
sudo apt-get install acct
```