From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 18F02138247 for ; Fri, 20 Dec 2013 10:59:18 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 13795E09F1; Fri, 20 Dec 2013 10:59:16 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 89AF3E09F1 for ; Fri, 20 Dec 2013 10:59:15 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 8FA8533F65F for ; Fri, 20 Dec 2013 10:59:14 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 1C9D0E5797 for ; Fri, 20 Dec 2013 10:59:12 +0000 (UTC) From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1387537053.327c9ee7d8b0bb54aa951fafa7fa10dc666d0bb2.swift@gentoo> Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: xml/SCAP/gentoo-xccdf.xml X-VCS-Directories: xml/SCAP/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 327c9ee7d8b0bb54aa951fafa7fa10dc666d0bb2 X-VCS-Branch: master Date: Fri, 20 Dec 2013 10:59:12 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 0efc6e77-11e0-47bd-8ca9-675ac6756df7 X-Archives-Hash: 9b8e1a1db849e5f34147b49a26f16e22 commit: 327c9ee7d8b0bb54aa951fafa7fa10dc666d0bb2 Author: Sven Vermeulen siphos be> AuthorDate: Fri Dec 20 10:57:33 2013 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Fri Dec 20 10:57:33 2013 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=327c9ee7 Update HTML code in descriptions, anonimize text --- xml/SCAP/gentoo-xccdf.xml | 645 ++++++++++++++++++++++++++++------------------ 1 file changed, 401 insertions(+), 244 deletions(-) diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml index 6b3172e..e51a0ab 100644 --- a/xml/SCAP/gentoo-xccdf.xml +++ b/xml/SCAP/gentoo-xccdf.xml @@ -1,13 +1,13 @@ - draft + draft Gentoo Security Benchmark This benchmarks helps people in improving their system configuration to be more resilient against attacks and vulnerabilities. - 20130917.1 + 20131220.1 @@ -17,15 +17,27 @@ This profile extends the default server profile by including tests that are more intensive to run on a system. Tests such as full file system scans to find world-writable files or directories have an otherwise too - large impact on the performance of a server. + large impact on the performance of a server. Tests include scripted + validationn. - - Default server setup settings + + Intensive validation profile (non-scripted) + + This profile extends the default server profile by including tests that + are more intensive to run on a system. Tests such as full file system + scans to find world-writable files or directories have an otherwise too + large impact on the performance of a server. Tests do not include + scripted validation. + + + + Default server setup settings (non-scripted) In this profile, we verify common settings for Gentoo Linux configurations. The tests that are enabled in this profile can be ran - without visibly impacting the performance of the system. + without visibly impacting the performance of the system. No scripted + checks are executed. Introduction + Since years, Gentoo Linux has a Gentoo Security Handbook which provides a good insight in secure system configuration for a Gentoo systems. Although this is important, an improved method for describing and tuning a systems' security state has emerged: SCAP, or the Security Content Automation Protocol. - - + + As such, this benchmark is an update on the security handbook, including both the in-depth explanation of settings as well as the means to validate if a system complies with this or not. Now, during - the development of this benchmark document, we did not include all - information from the Gentoo Security Handbook as some of the settings are - specific to a service that is not all that default on a Gentoo Linux - system. Although these settings are important as well, it is our believe - that this is best done in separate benchmarks for those services instead. - - + the development of this benchmark document, not include all + information from the Gentoo Security Handbook is included as some of the + settings are specific to a service that is not all that default on a + Gentoo Linux system or sufficiently separate that can benefit other + distributions as well. Although these settings are important as well, it is + best done in separate benchmarks for those services instead. + + Where applicable, this benchmark will refer to a different hardening guide for specific purposes (such as the Hardening OpenSSH benchmark). + Gentoo Security Handbook This is no security policy + It is very important to realize that this document is not a policy. There is no obligation to follow this to make a secure system - nor should everything in this document be agreed upon. What we document is + nor should everything in this document be agreed upon. This document is a set of common best practices with the explanation (why is it a best practice) and method (how to implement the best practice). - - + + The purpose of this document is to guide readers in their quest to hardening their systems. It will provide pointers that could help in deciding particular configuration settings and will do this hopefully using sufficient background information to allow readers to make a good choice. - - + + Readers might find settings they don't agree with. That's fine, but if there is disagreement about why it is documented, we would like to hear it so we can update the guide accordingly. + A little more about SCAP and OVAL + Within SCAP, NIST has defined some new standards of which XCCDF and OVAL are notably important in light of this guide. + XCCDF (Extensible Configuration Checklist Description Format) is @@ -138,74 +164,104 @@ and validate system settings - + Thanks to the OVAL and XCCDF standards, a security engineer can now describe how the state of a system should be configured, how this can be checked automatically and even report on these settings. Furthermore, within the description, the engineer can make "profiles" of different states (such as a profile for a workstation, server (generic), webserver, LDAP server, ...) and reusing the states (rules) identified in a more global scope. + Using this guide + This guide is generated from SCAP content (more specifically, the XCCDF document) using openscap, a free software implementation for handling SCAP content. Within Gentoo, the package app-forensics/openscap provides the tools, and the following command is used to generate the HTML output: - - # oscap xccdf generate guide gentoo-xccdf.xml > output.html - - + + +# oscap xccdf generate guide gentoo-xccdf.xml > output.html + Secondly, together with this XCCDF XML, an OVAL XML file is made available. The two files combined allow OVAL interpreters to automatically validate various settings as documented in the benchmark. - - + + + Finally, if certain tests are not available in OVAL yet, scripts are provided + that can be executed through the SCE (Script Check Engine) support in openscap. + As scripts are not guaranteed to have no impact on the system (or leave traces), + -oval profiles are available that only enable the OVAL (and not SCE) + checks. + + To validate the tests, the following commands can be used: - # oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default gentoo-xccdf.xml - + + +# export PROFILE="xccdf_org.gentoo.dev.swift_profile_default" +# oscap xccdf eval --profile ${PROFILE} gentoo-xccdf.xml + To generate a full report in HTML as well, use the next command: - # oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default --results xccdf-results.xml --report report.html gentoo-xccdf.xml - - + + +# oscap xccdf eval --profile ${PROFILE} --results xccdf-results.xml \ + --report report.html gentoo-xccdf.xml + Finally, this benchmark will suggest some settings that do not reflect the will of the reader. That is perfectly fine - even more, some settings might even raise eyebrows left and right. This document will explain the reasoning behind the settings but deviations are always possible. If that is the case, disable the rules in the XCCDF document or, better yet, create a new profile and only refer to the tests that are required. + Available XCCDF Profiles + As mentioned earlier, the XCCDF document supports multiple profiles. For the time being, two profiles are defined: - + - The default profile (xccdf_org.gentoo.dev.swift_profile_default) contains + The default profile (xccdf_org.gentoo.dev.swift_profile_default) contains tests that are quick to validate + + The default-oval profile (xccdf_org.gentoo.dev.swift_profile_default-oval) + is like the default one, but does not call any other checker than OVAL + (so no scripts). + - The intensive profile (xccdf_org.gentoo.dev.swift_profile_intensive) + The intensive profile (xccdf_org.gentoo.dev.swift_profile_intensive) contains all tests, including those that take a while (for instance because they perform full file system scans) + + The intensive-oval profile (xccdf_org.gentoo.dev.swift_profile_intensive-oval) + is like the intensive one, but does not call any other checker than OVAL + (so no scripts). + + Substitute the profile information in the commands above with the required profile. + About the rule weights + Within this guide, weights are assigned to tests to give some importance to the rule (higher weight is more important) as well as a severity. - - + + The severity is one of the following: + high constitutes a grave or critical problem. A rule with this severity @@ -227,29 +283,31 @@ does not mean failure to comply with the document itself. + It is important to understand though that rules with a low severity can still lead to grave security problems if they are not met. Chaining of vulnerabilities or misconfiguration can still lead to full system compromise. - - + + For this reason, weights are added to rules as well. A higher weight has a more severe potential impact. - - - Weights are the CVSS score that the author assumes is the case for a misconfiguration. + + + Weights are the CVSS (or CCSS) score that is thought to be the case for a misconfiguration. They are calculated by NVD's CVSS calculator. Each rule is scored individually; a "chain" of misconfigurations might lead to a significantly higher issue, but this would make it very hard to make proper scoring. - - + + As an example, take the rule that says /var has to be on its own partition. The metrics we fill in in the calculator are currently based on the risk that the root file system is filled (no more free space), which can halt the system. + The related exploit range (access vector) is "Local", because this is by itself not exploitable remotely - unless of course certain services are running - that can fill up /var, but we do not take such assumptions. + that can fill up /var, but such assumptions are not taken. The attack complexity (access complexity) is "Low", as all that is @@ -270,18 +328,21 @@ The availability impact is "Complete" (system crash or halt). + This results in the CVSS base score of 4.6. The environmental score metrics and temporal score metrics are ignored as those are too specific for environments and organizations. + NVD CVSS calculator + The Common Configuration Scoring System (PDF) - Before we start + Before startng - Before we start deploying Gentoo Linux and start hardening it, it is wise - to take a step back and think about what we want to accomplish. Setting + Before starting to deploy Gentoo Linux and start hardening it, it is wise + to take a step back and think about what to accomplish. Setting up a more secured Gentoo Linux isn't a goal, but a means to reach something. Most likely the system will become a Gentoo Linux powered server. What is this server for? Where will it be hosted? What services are scheduled to run @@ -290,47 +351,51 @@ Infrastructure architecturing + When considering the entire IT architecture, many architecturing frameworks exist to write down and further design infrastructure. There are very elaborate ones, like TOGAF (The Open Group Architecture Framework), but smaller ones exist as well. - - + + A well written and maintained infrastructure architecture helps to position new services or consider the impact of changes on existing components. - - + + Security is about reducing risks, not about harassing people or making work for a system administrator harder. And reducing risks also means that a clear eye needs to be kept on the architecture and all its components. If there is no knowledge as to what is being integrated, where it is going to be installed or why, then hardening by itself will probably not do much to the secure state of the system. + Mapping requirements + When designing a service, we need to take both functional and non-functional requirements into account. That does sound like overshooting for a simple server installation, but it is not. Is auditing considered? Where should the audit logs be sent to? What about authentication? Centrally managed, or manually set? And the server, will it only host a particular service, or will it provide several services? - - + + When hosting multiple services on the same server, make sure that the server is positioned within the network on an acceptable segment. It is not safe to host central LDAP infrastructure on the same system as a web server that is facing the Internet. + IBM DeveloperWorks article on "Capturing Architectural Requirements" Non-software security concerns - From the next chapter onwards, our focus will be on the software side + From the next chapter onwards, the focus will be on the software side hardening. There are of course also non-software concerns that need to be taken care of. @@ -338,17 +403,18 @@ Physical security + Make sure that the system is only accessible (physically) by trusted people. Fully hardening a system, only to have a malicious person take out the harddisk and run away with the confidential data is not - something we want to experience. - - + something fun to experience. + + When physical security cannot be guaranteed (like with laptops), make sure that theft of the device only results in the loss of the hardware and not of the data and software on it (take backups!), and also that the data on it cannot be read by unauthorized people. - We will describe disk encryption later. + Data Center Physical Security Checklist (SANS, PDF) @@ -356,16 +422,18 @@ Policies and contractual agreements + Create or validate the security policies in the organization. This is not only as a stick (against internal people who might want to abuse their powers) but also to document and describe why certain decisions are made (both architecturally as otherwise). - - + + Make sure that the reasoning for the guidelines is clear. If the policies ever need to be adjusted towards new environments or concepts (like "bring your own device") having the reasons for the (old) guidelines documented will make it much easier to write new ones. + Technical Writing for IT Security Policies in Five Easy Steps (SANS, PDF) @@ -377,10 +445,9 @@ Installation configuration - Let's focus now on the OS hardening. Gentoo Linux allows us to update various - parts of the system after installation, but it might be interesting to - consider the following aspects during (or before) installation if we do not want - to risk a huge migration project later. + Gentoo Linux allows us to update various parts of the system after installation, + but it might be interesting to consider the following aspects during (or before) + installation to not risk a huge migration project later. Storage configuration @@ -403,12 +470,14 @@ Separate file systems for important locations + Having a separate file system for important locations has several advantages, but - we need to weigh those advantages against the disadvantages of separate file + those advantages need to be weighted against the disadvantages of separate file systems. - - - Let's start with the disadvantages: + + + These disadvantages are: + Separate file systems mean that better disk space control is needed @@ -426,7 +495,9 @@ (such as creating an initial ram file system). + The advantages on the other hand: + A sudden disk space growth will eventually be stopped by the limits of the @@ -446,8 +517,10 @@ for a particular file system. + Considering these pros and cons, it is recommended to have at least the following file system locations to be on a different file system: + /tmp as this is a world-writable location and requires @@ -488,7 +561,7 @@ - Test if /tmp is a separate file system + /tmp is a separate file system Create a file system for /tmp; make sure it is added in the /etc/fstab file and reboot the system. @@ -498,7 +571,7 @@ - Test if /var is a separate file system + /var is a separate file system Create a file system for /var; make sure it is added in the /etc/fstab file and reboot the system. @@ -508,7 +581,7 @@ - Test if /var/log is a separate file system + /var/log is a separate file system Create a file system for /var/log; make sure it is added in the /etc/fstab file and reboot the system. @@ -518,7 +591,7 @@ - Test if /var/log/audit is a separate file system + /var/log/audit is a separate file system Create a file system for /var/log/audit; make sure it is added in the /etc/fstab file and reboot the system. @@ -528,7 +601,7 @@ - Test if /home is a separate file system + /home is a separate file system Create a file system for /home; make sure it is added in the /etc/fstab file and reboot the system. @@ -538,7 +611,7 @@ - Test if /var/tmp is a separate file system + /var/tmp is a separate file system Create a file system for /var/tmp; make sure it is added in the /etc/fstab file and reboot the system. @@ -553,11 +626,11 @@ Use a Hardened Toolchain + When Gentoo is installed, use the hardened stages and hardened toolchain. The hardened toolchain includes additional security patches, such as support for non-executable program stacks and buffer overflow detection. - - + Position Independent Executables (PIE) and Position Independent @@ -572,11 +645,14 @@ having the overflow succeed. + During installation, make sure that the default hardened toolchain is selected, not one of the -hardenedno* as those are toolchains where specific settings are disabled. The -vanilla one is a toolchain with no hardened patches. - # gcc-config -l + + +# gcc-config -l [1] x86_64-pc-linux-gnu-4.4.5 * [2] x86_64-pc-linux-gnu-4.4.5-hardenednopie [3] x86_64-pc-linux-gnu-4.4.5-hardenednopie.gcc-config-ref @@ -585,7 +661,7 @@ [6] x86_64-pc-linux-gnu-4.4.5-vanilla - Test if the hardened toolchain is used + The hardened toolchain is used Use a hardened Gentoo profile and select the default compiler (not vanilla nor any of the hardenedno* ones). @@ -596,27 +672,6 @@ - System settings @@ -634,24 +689,26 @@ Appropriate mount options for the file systems + Non-root file systems should be mounted with the nodev mount option. This mount option ensures that device files are not allowed on these file systems (and if they are there, they are ignored by the Linux kernel for any device operation). - - + + Having device files on non-root file systems could allow unauthorized people access to sensitive data (for instance when having a readable raw disk device files) or even manipulate the system. - - + + The privilege to create special device files (beyond regular sockets) such as character and block device files is handled through the CAP_MKNOD capability which is not granted to regular users. As such, the risk is when more privileged users or processes are tricked to create such device files. - - + + This setting is appropriate for file systems such as (non-exhaustive list): + /var (as it is recommended to be a separate file system) @@ -669,10 +726,12 @@ /tmp (as it is recommended to be a separate file system) + Specific file systems should also be mounted with the nosuid mount option. This prevents setuid binaries to run as a different user when hosted on this file system. As there are several locations where setuid binaries might be needed, this only affects particular file systems: + The /tmp file system should not be used for setuid binaries @@ -687,19 +746,21 @@ (shared memory region). + Specific file systems should also be mounted with the noexec mount option. This prevents some automated attacks to execute certain payload (exploits) from these locations. - - + + This is just one of the many "layers" though, as executing payload can still be done using different methods. For instance, scripts can be invoked through the shell itself (rather than directly) and in the past, binaries could even be executed through the ld-linux.so binary (although this has been fixed). - - + + File systems for which noexec is recommended are: + The /tmp file system as it is a popular target to store exploit @@ -716,7 +777,7 @@ Multiple authentication (one to create device file, one to log on) --> - Test if /var is mounted with nodev + /var is mounted with nodev Mount /var with nodev mount option - Test if /var/log is mounted with nodev + /var/log is mounted with nodev Mount /var/log with nodev mount option - Test if /var/log/audit is mounted with nodev + /var/log/audit is mounted with nodev Mount /var/log/audit with nodev mount option - Test if /home is mounted with nodev + /home is mounted with nodev Mount /home with nodev mount option - Test if /tmp is mounted with nodev + /tmp is mounted with nodev Mount /tmp with nodev mount option - Test if /tmp is mounted with nosuid + /tmp is mounted with nosuid Mount /tmp with nosuid mount option - Test if /home is mounted with nosuid + /home is mounted with nosuid Mount /home with nosuid mount option - Test if /dev/shm is mounted with nosuid + /dev/shm is mounted with nosuid Mount /dev/shm with nosuid mount option - Test if /tmp is mounted with noexec + /tmp is mounted with noexec Mount /tmp with noexec mount option - Test if /dev/shm is mounted with noexec + /dev/shm is mounted with noexec Mount /dev/shm with nosuid mount option Disk quota support + Most file systems support the notion of quotas - limits on the amount of data / files that are allowed on that particular file system. - - + + To enable quotas, first configure the Linux kernel to include CONFIG_QUOTA. - - + + Next, install the sys-fs/quota package. - # emerge quota + + +# emerge quota + Then add usrquota and grpquota to the partitions (in /etc/fstab) where quotas need to be enabled on. For instance, the following snippet from /etc/fstab enables quotas on /var and /home. - /dev/mapper/volgrp-home /home ext4 noatime,nodev,nosuid,usrquota,grpquota 0 0 -/dev/mapper/volgrp-var /var ext4 noatime,usrquota,grpquota 0 0 - + + +/dev/mapper/volgrp-home /home ext4 noatime,nodev,nosuid,usrquota,grpquota 0 0 +/dev/mapper/volgrp-var /var ext4 noatime,usrquota,grpquota 0 0 + Finally, add the quota service to the boot runlevel. + # rc-update add quota boot + Reboot the system so that the partitions are mounted with the correct mount options and that the quota service is running. Then the quotas for users and groups can be set up. + Managing Disk Usage with Quotas (LinuxHomeNetworking) Gentoo Linux Kernel Configuration - shorthand notation information - Test if the kernel supports quota (CONFIG_QUOTA) + The kernel supports quota (CONFIG_QUOTA) Rebuild the Linux kernel with quota support (CONFIG_QUOTA) @@ -884,42 +954,48 @@ mount -o remount,noexec /dev/shm System services + Services (daemons) are the primary reason for a server to exist. They represent the function of the server. For instance, a web server will run the apache2 or lighttpd service. A name server will run the named service. - - - In this benchmark, the focus is on those services that are either - default available on a Gentoo installation (like SSHd) or that are - commonly used in Gentoo server architectures (like rsync). For the other - services it is wise to consult other hardening guides specific for those - services. + + + In this benchmark, the focus is on a limited set of system services. For + the other services it is wise to consult other hardening guides specific + for those services. + Center for Internet Security, host of many service benchmarks Disable unsafe services + It is recommended to disable (or even uninstall) the following services unless absolutely necessary. These services use plain-text protocols and are as such unsafe to use on (untrusted) networks. + Telnet service FTP Service - + It is recommended to substitute these services with their more secure counterparts (like sFTP, SSH, ...). + - Test if no telnet daemons are running + No telnet daemons are running Stop telnet services -for service in /etc/init.d/*telnet*; do test -f ${service} && run_init rc-service ${service##*/} stop; done +for service in /etc/init.d/*telnet*; +do + test -f ${service} && run_init rc-service ${service##*/} stop; +done @@ -927,12 +1003,15 @@ for service in /etc/init.d/*telnet*; do test -f ${service} && run_init r - Test if no FTP daemons are running + No FTP daemons are running Stop FTPd services -for service in /etc/init.d/*ftp*; do test -f ${service} && run_init rc-service ${service##*/} stop; done +for service in /etc/init.d/*ftp*; +do + test -f ${service} && run_init rc-service ${service##*/} stop; +done @@ -942,26 +1021,29 @@ for service in /etc/init.d/*ftp*; do test -f ${service} && run_init rc-s Require single-user boot to give root password + When a system is booted in single user mode, some users might find it handy to immediately get a root prompt; many even have a specific bootloader entry to boot in single user mode. - - + + It is important that, for a more secure server environment, even booting in single user mode requires the user to enter the root password. This is already done by default in Gentoo through the rc_shell variable in /etc/rc.conf. - - + + Administrators should also make sure that no direct shells are provided in /etc/inittab for single-user mode. Gentoo's /etc/inittab definition should look like so: - su0:S:wait:/sbin/rc single + + +su0:S:wait:/sbin/rc single su1:S:wait:/sbin/sulogin - Test if sulogin is used for single-user boot (/etc/rc.conf) + sulogin is used for single-user boot (/etc/rc.conf) Set /sbin/sulogin for rc_shell - Test if sulogin is used for single-user boot (/etc/inittab) + sulogin is used for single-user boot (/etc/inittab) Set /sbin/sulogin or '/sbin/rc single' for single-user boot in /etc/inittab @@ -981,23 +1063,24 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf - Properly Configure TCP Wrappers + With TCP wrappers, services that support TCP wrappers (or those started through xinetd) should be configured to only accept communication with trusted hosts. With the use of /etc/hosts.allow and /etc/hosts.deny, proper access control lists can be created. - - + + More information on the format of these files can be obtained through man 5 hosts_access. + - Tests if /etc/hosts.allow exists + /etc/hosts.allow exists Create and properly configure /etc/hosts.allow @@ -1009,12 +1092,14 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf SSH service + The SSH service is used for secure remote access towards a system, but also to provide secure file transfers. It is very commonly found on Unix/Linux systems so proper hardening is definitely in place. - - + + Please use the "Hardening OpenSSH" guide for the necessary instructions. + @@ -1026,17 +1111,19 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf Only allow trusted accounts cron access + Only allow trusted accounts to use cron. How to achieve this depends on the cron service installed. - - - If vixie-cron is installed, then have (only) those users that need cron access take part in the - cron unix group. - - + + + If vixie-cron or cronie is installed, then have (only) those users that need cron access + take part in the cron unix group. + + If dcron is used, then make sure /usr/sbin/crontab is only executable by root and the cron unix group, and make sure (only) those users that need cron access take part in the cron unix group. + @@ -1050,17 +1137,19 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf Only allow trusted accounts at access + Only allow trusted accounts to use at. Unlike cron access, at access is governed through the /etc/at/at.allow file. If the at.allow file does not exist but /etc/at/at.deny does, then all names not mentioned in the file are allowed to run at. The most secure method is to use the at.allow method. - - + + The format of these files is one username per line. + - Tests if /etc/at/at.allow exists + /etc/at/at.allow exists Create and properly configure /etc/at/at.allow @@ -1073,21 +1162,25 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf NTP service + With NTP, systems can synchronise their clocks, ensuring correct date and time information. This is important as huge clock drift could cause misinterpretation of log files or even unwanted execution of commands. + Synchronise the system clock + Synchronise the systems' clock with an authorative NTP server, and use the same NTP service for all other systems. - - + + This can be accomplished by regularly executing ntpdate, but can also be handled using a service like net-misc/ntp's ntpd. + @@ -1095,25 +1188,29 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf Portage settings + The package manager of any system is a very important tool. It is responsible for handling proper software deployments, but also offers features that should not be neglected, like security patch roll-out. - - + + For Gentoo, the package manager offers a great deal of flexibility (as that is the goal of Gentoo anyhow). As such, good settings for a more secure environment within Portage (assuming that Portage is used as package manager) are important. + USE flags + USE flags in Gentoo are used to tune the functionality of many components and enable or disable features. - - + + For a well secured environment, there are a couple of USE flags that should be set in a global manner. These USE flags are + pam to enable Pluggable Authentication @@ -1126,43 +1223,51 @@ sed -i -e 's:^rc_shell=.*:rc_shell="/sbin/sulogin":g' /etc/rc.conf ssl for SSL/TLS support + Pluggable Authentication Modules are a powerful mechanism to manage authentication, authorization and user sessions. Applications that support PAM can be tuned to the liking of the organization, leveraging central authentication, password policies, auditing and more. - - + + With TCP wrappers, services can be shielded from unauthorized access on host level. It is an access control level mechanism which allows configuring allowed (and denied) hosts or network segments on application level. - - + + Finally, leveraging Secure Sockets Layer (or the standardized Transport Layer Security) allows applications to encrypt network communication or even implement a client-certificate based authentication mechanism. - - + + Set the USE flags globally in /etc/portage/make.conf so they are applicable to all installed software. - - USE="... pam tcpd ssl" + + +USE="... pam tcpd ssl" Fetching signed portage tree + Gentoo Portage supports fetching signed tree snapshots using emerge-webrsync. This is documented in the Gentoo Handbook, but as it is quite easy, here are the instructions again: - # mkdir -p /etc/portage/gpg + + +# mkdir -p /etc/portage/gpg # chmod 0700 /etc/portage/gpg -# gpg --homedir /etc/portage/gpg --keyserver subkeys.pgp.net --recv-keys 0x239C75C4 0x96D8BF6D -# gpg --homedir /etc/portage/gpg --edit-key 0x239C75C4 trust -# gpg --homedir /etc/portage/gpg --edit-key 0x96D8BF6D trust +# export SRV="subkeys.pgp.net" +# export KEY="0x96D8BF6D" +# gpg --homedir /etc/portage/gpg --keyserver ${SRV} --recv-keys ${KEY} +# gpg --homedir /etc/portage/gpg --edit-key ${KEY} trust + After this, edit /etc/portage/make.conf: + FEATURES="webrsync-gpg" PORTAGE_GPG_DIR="/etc/portage/gpg" @@ -1173,37 +1278,44 @@ SYNC="" Kernel configuration + The Linux kernel should be configured using a sane security standard in mind. When using grSecurity, additional security-enhancing settings can be enabled. - - + + For further details, please refer to the "Hardening the Linux kernel" guide. + Gentoo Kernel Configuration Guide - Shorthand notation information Bootloader configuration + The bootloader (be it GRUB or another tool) is responsible for loading the Linux kernel and handing over system control to the kernel. But boot loaders also allow for a flexible approach on kernel loading, which can be (ab)used to work around security mechanisms. + Password protect GRUB (legacy) + It is recommended to password-protect the GRUB configuration so that the boot options cannot be modified during a boot without providing the valid password. - - + + This can be accomplished by inserting password abc123 in /boot/grub/grub.conf (which will set the password to "abc123"). But as clear-text passwords in the configuration file are insecure as well, hash the passwords. Just start grub and, in the grub-shell, type md5crypt. - # grub + + +# grub GRUB version 0.92 (640K lower / 3072K upper memory) @@ -1215,25 +1327,28 @@ Password: abc123 Encrypted: $1$18u.M0$J8VbOsGXuoG9Fh3n7ZkqY. grub> quit - + This hashed password can now be used in grub.conf using password --md5 $1$18u.M0$J8VbOsGXuoG9Fh3n7ZkqY.. + Password protect LILO + It is recommended to password-protect the LILO configuration so that modifying the boot options during a boot without providing the valid password is not possible. - - + + This can be accomplished by inserting password=abc123 followed by restricted in the /etc/lilo.conf file. It is also possible to do this on a per-image level. - - password=abc123 + + +password=abc123 restricted delay=3 @@ -1241,40 +1356,46 @@ image=/boot/bzImage read-only password=def456 restricted - + The restricted keyword is needed to have LILO only ask for the password if a modification is given. If the defaults are used, then no password needs to be provided. - - + + Rerun lilo after updating the configuration file. + Authentication and authorization settings + An important part in a servers' security is its authentication and authorization support. We have already described how to build in PAM support (through the Portage USE flags), but proper authentication and authorization settings are mode than just compiling in the necessary functionality. + Restrict root system logon + To restrict where the root user can directly log on, edit /etc/securetty and specify the supported terminals for the root user. - - + + When properly configured, any attempt to log on as the root user from a non-defined terminal will result in logon failure. - - + + A recommended setting is to only allow root user login through the console and the physical terminals (tty0-tty12). - console + + +console tty0 tty1 ... @@ -1284,30 +1405,34 @@ tty12 Allow only known users to login + When PAM is enabled, the /etc/security/access.conf file is used to check which users are allowed to log on and not (through the login application). These limits are based on username, group and host, network or tty that the user is trying to log on from. - - + + By enabling these settings, the risk is reduced that a functional account (say apache) is abused to log on with, or that a new account is created as part of an exploit. + Restrict user resources + When facing a DoS (Denial-of-Service) attack, reducing the impact of the attack can be done by limited resource consumption. Although the component that is under attack will even more quickly fail, the impact towards the other services on the system (including remote logon to fix things) is more limited. - - + + In Gentoo Linux, the following methods are available to limit resources. + /etc/security/limits.conf defines the @@ -1320,17 +1445,19 @@ tty12 PAM-aware. + Generally, it should suffice to set up /etc/security/limits.conf, which is the configuration file used by the pam_limits.so module. - - + + Note that the settings are applicable on a per login session basis. - - + + More information on these files and their syntax can be obtained through their manual pages. + # man limits.conf # man limits @@ -1339,71 +1466,84 @@ tty12 Enforce password policy + Usually most organizations have a password policy, telling their users how long their passwords should be and how often the passwords should be changed. Most users see this as an annoying aspect, so it might be best to enforce this policy. - - + + Enforcing password policies is (partially) part of the sys-apps/shadow package (which is installed by default) and can be configured through the /etc/login.defs file. This file is well documented (using comments) and it has a full manual page as well. - - + + A second important player when dealing with password policies is the pam_cracklib.so library. This can be used in the appropriate /etc/pam.d/* files. For instance, for the /etc/pam.d/passwd definition: - auth required pam_unix.so shadow nullok -account required pam_unix.so -password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2 -password required pam_unix.so md5 use_authok -session required pam_unix.so + + +auth required pam_unix.so shadow nullok +account required pam_unix.so +password required pam_cracklib.so difok=3 retry=3 \ + minlen=8 dcredit=-2 \ + ocredit=-2 +password required pam_unix.so md5 use_authok +session required pam_unix.so + In the above example, the password is required to be at least 8 characters long, differ more than 3 characters from the previous password, contain 2 digits and 2 non-alphanumeric characters. + Review password strength regularly + Regularly check the strength of the users' passwords. There are tools out there, like app-crypt/johntheripper which, given a /etc/shadow file (or sometimes even LDAP dump) try to find the passwords for the users. - - + + When such a tool can guess a users' password, that users' password should be expired and the user should be notified and asked to change his password. + Session settings + Unlike authentication and authorization settings, a session setting is one that is applicable to an authenticated and authorized user when he is logged on to the system. + Disable access to user terminals + By default, user terminals are accessible by others to write messages to (using write, wall or talk). It is adviseable to disable this unless explicitly necessary. - - + + Messages can confuse users and trick them into performing malicious actions. - - + + This can be disabled by setting mesg n in /etc/profile. A user-friendly method for doing so in Gentoo is to create a file /etc/profile.d/disable_mesg which contains this command. + @@ -1417,37 +1557,44 @@ session required pam_unix.so Limit world writable files and locations + Limit (or even remove) the use of world writable files and locations. If a directory is world writable, it makes sense to have the sticky bit set on it as well (like with /tmp). - - + + Use find to locate such files or directories. - # find / -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print + + +# find / -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print + The above command shows world writable files and locations, unless it is a directory with the sticky bit set, or a symbolic link (whose world writable privilege is not accessible anyhow). + Limit setuid and setgid file and directory usage + The setuid and setgid flags for files and directories can be used to work around authentication and authorization measures taken on the system. So their use should be carefully guarded. - - + + In case of files, the setuid or setgid bit causes the application (if the file is marked as executable) to run with the privileges of the file owner (setuid) or group owner (setgid). It is necessary for applications that need elevated privileges, like su or sudo. - - + + In case of directories, the setgit bit causes newly created files in that directory to automatically be owned by the same group as the mentioned (parent) directory. + @@ -1463,12 +1610,14 @@ session required pam_unix.so Files only used by root should be root-only + Some files, like /etc/shadow, are meant to be read (and perhaps modified) by root only. These files should never have privileges for group- or others. - - + + A nonexhaustive list of such files is: + /etc/shadow which contains account password @@ -1508,13 +1657,15 @@ session required pam_unix.so Automated backups + Automate backups on the system. If the backups are performed manually then they are done wrong and someone will eventually forget it. - - + + Use scheduling software like cron to automatically take backups on regular intervals, or use a central backup solution like bacula. + @@ -1529,18 +1680,20 @@ session required pam_unix.so Retention + Ensure that the backups use a long enough retention. It is not wise to take a single backup and overwrite this one over and over again, as there will be a time that a file needs to be recovered that was corrupted long before the last backup was taken. - - + + There is no perfect retention period however, as the more backups are kept, the more storage is required and the more money or time needs to be invested in managing the backups. - - + + In most cases, introduce a "layered" approach on retention. For instance: + keep daily backups for a week @@ -1558,15 +1711,17 @@ session required pam_unix.so Off-site backups + Keep the backups off-site in case of disaster. But consider this location carefully. Investigate how fast the backup can be put there, but also how fast it can be retrieved it in case of need. Also investigate if this location is juridically sane (is it allowed to put the data on this location and is this off-site location trusted). - - + + Also ensure that the backups are stored securely. If necessary, encrypt the backups. + @@ -1588,16 +1743,18 @@ session required pam_unix.so Wipe disks + Clear all data from the disks on the server in a secure manner. Applications like shred (part of sys-apps/coreutils) can be used to security wipe data or even entire partitions or disks. - - + + It is recommended to perform full disk wipes rather than file wipes. If this needs to be done on file level, see if the file system journaling can be disabled during the wipe session as journaling might "buffer" the secure writes and only write the end result to the disk. + NIST Publication "Guidelines for Media Sanitization" (PDF)