CSEC_PUBLIC/the-practical-linux-hardening-guide
1
0
Fork 0
mirror of https://github.com/trimstray/the-practical-linux-hardening-guide.git synced 2025-12-06 09:12:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

flushed lib/ directory

Browse Source 
- signed-off-by: trimstray <trimstray@gmail.com>
This commit is contained in:
trimstray
2019-02-25 01:12:58 +01:00
parent 9d6f237b9b
commit d2777ca5f1
9 changed files with 0 additions and 1041 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
lib/external_resources/other_official_hardening_guides.md
View File

@@ -1,16 +0,0 @@
## External resources
### Other official hardening guides
| <b><u>Type of hardening guide</u></b> | <b><u>Comments</u></b> |
| :--- | :--- |
| <b>[STIGs Master List](https://iase.disa.mil/stigs/Pages/a-z.aspx)</b> ||
| <b>[Security Harden CentOS 7](https://highon.coffee/blog/security-harden-centos-7/)</b> | <sup>compliant with OpenSCAP</sup> |
| <b>[CentOS 7 Server Hardening Guide](https://www.lisenet.com/2017/centos-7-server-hardening-guide/)</b> | <sup>compliant with OpenSCAP</sup> |
| <b>[Arch Linux](https://wiki.archlinux.org/index.php/Security)</b> ||
| <b>[CentOS Linux](https://wiki.centos.org/HowTos/OS_Protection)</b> ||
| <b>[Debian GNU/Linux](https://www.debian.org/doc/manuals/securing-debian-howto/index.en.html)</b> | <sup>old guide - to update</sup> |
| <b>[Fedora Linux](https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/index.html)</b> | <sup>old guide - to update</sup> |
| <b>[Red Hat Enterprise](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/)</b> ||
| <b>[Slackware Linux](https://docs.slackware.com/howtos:security:start)</b> | <sup>some data may not be available</sup> |
| <b>[Ubuntu Linux](https://help.ubuntu.com/lts/serverguide/security.html.en)</b> | <sup>some data may not be available</sup> |

79
lib/post_install_tasks/bootloader_configuration.md
View File

@@ -1,79 +0,0 @@
## Post install tasks
### Bootloader configuration (grub)
#### :information_source: Introduction
Protection for the boot loader can prevent unauthorized users who have physical access to systems, e.g. attaining root privileges through single user mode.
Basically when you want to prohibit unauthorized reconfiguring of your system, otherwise anybody could load anything on it.
#### :eight_pointed_black_star: Protect bootloader with password
You can set password for the bootloader for prevents users from entering single user mode, changing settings at boot time, access to the bootloader console, reset the root password, if there is no password for GRUB-menu or access to non-secure operating systems.
##### Generate password hash
```bash
# Debian like distributions
grub-mkpasswd-pbkdf2
# RedHat like distributions
grub2-mkpasswd-pbkdf2
```
##### Updated grub configuration
```bash
cat > /etc/grub.d/01_hash << __EOF__
set superusers="user"
password_pbkdf2 user
grub.pbkdf2.sha512.<hash> # rest of your password hash
__EOF__
```
And regenerate grub configuration:
```bash
# Debian like distributions
grub-mkconfig > /boot/grub/grub.cfg
# RedHat like distributions
grub2-mkconfig > /boot/grub2/grub.cfg
```
###### Useful resources
- [How To Password Protect GRUB Bootloader In Linux](https://www.ostechnix.com/password-protect-grub-bootloader-linux/)
#### :eight_pointed_black_star: Protect bootloader config files
Set the owner and group of `/etc/grub.conf` to the root user:
```bash
chown root:root /etc/grub.conf
```
or
```bash
chown -R root:root /etc/grub.d
```
Set permission on the `/etc/grub.conf` or `/etc/grub.d` file to read and write for root only:
```bash
chmod og-rwx /etc/grub.conf
```
or
```bash
chmod -R og-rwx /etc/grub.d
```
#### :ballot_box_with_check: Summary checklist
| <b>Item</b> | <b>True</b> | <b>False</b> |
| :--- | :---: | :---: |
| Set password for the bootloader | :black_square_button: | :black_square_button: |

264
lib/post_install_tasks/disk_partitions.md
View File

@@ -1,264 +0,0 @@
## Post install tasks
### Disk partitions
#### :information_source: Introduction
Critical file systems should be separated into different partitions in ways that make your system a better and more secure.
#### :eight_pointed_black_star: Separate disk partitions
Make sure the following filesystems are mounted on separate partitions:
- `/boot`
- `/tmp`
- `/var`
- `/var/log`
Additionally, depending on the purpose of the server, you should consider separating the following partitions:
- `/usr`
- `/home`
- `/var/www`
You should also consider separating these partitions:
- `/var/tmp`
- `/var/log/audit`
###### Policies
- STIG:
- CIS:
###### Useful resources
- [Recommended partitioning scheme](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/installation_guide/s2-diskpartrecommend-x86)
- [Most secure way to partition linux?](https://security.stackexchange.com/questions/38793/most-secure-way-to-partition-linux)
#### :eight_pointed_black_star: Mount options: nodev, nosuid and noexec
For more security-focused situations is as follows:
- `nodev` - specifies that the filesystem cannot contain special devices: This is a security precaution. You don't want a user world-accessible filesystem like this to have the potential for the creation of character devices or access to random device hardware
- `nosuid` - specifies that the filesystem cannot contain set userid files. Preventing setuid binaries on a world-writable filesystem makes sense because there's a risk of root escalation or other awfulness there
- `noexec` - this param might be useful for a partition that contains no binaries, like **/var**, or contains binaries you do not want to execute on your system (from partitions with `noexec`), or that cannot even be executed on your system
###### Policies
- STIG:
- CIS:
###### Useful resources
- [Linux Security: Mount /tmp With nodev, nosuid, and noexec Options](https://www.cyberciti.biz/faq/linux-add-nodev-nosuid-noexec-options-to-temporary-storage-partitions/)
- [Security Handbook/Mounting partitions](https://wiki.gentoo.org/wiki/Security_Handbook/Mounting_partitions)
#### :eight_pointed_black_star: Secure /boot directory
The boot directory contains important files related to the Linux kernel, so you need to make sure that this directory is locked down to read-only permissions.
Add **ro** option and `nodev`, `nosuid` and `noexec` to `/etc/fstab` for **/boot** entry:
```bash
LABEL=/boot /boot ext2 defaults,ro,nodev,nosuid,noexec 1 2
```
> When updating the kernel you will have to move the flag to `rw`:
> ```bash
> mount -o remount,defaults,rw /boot
> ```
#### :eight_pointed_black_star: Secure /tmp and /var/tmp
On Linux systems, the **/tmp** and **/var/tmp** locations are world-writable.
Several daemons/applications use the **/tmp** or **/var/tmp** directories to temporarily store data, log information, or to share information between their sub-components. However, due to the shared nature of these directories, several attacks are possible, including:
- Leaks of confidential data via secrets in file names
- Race-condition attacks (TOCTOU) on the integrity of processes and data
- Denial-of-Service (DoS) attacks based on race conditions and pre-allocating file/directory names
As a rule of thumb, malicious applications usually write to **/tmp** and then attempt to run whatever was written. A way to prevent this is to mount **/tmp** on a separate partition with the options `nodev`, `nosuid` and `noexec` enabled.
This will deny binary execution from **/tmp**, disable any binary to be suid root, and disable any block devices from being created.
**The first possible scenario is create symlink**
```bash
mv /var/tmp /var/tmp.old
ln -s /tmp /var/tmp
cp -prf /var/tmp.old/* /tmp && rm -fr /var/tmp.old
```
and set properly mount params:
```bash
UUID=<...> /tmp ext4 defaults,nodev,nosuid,noexec 1 2
```
**The second scenario is a bind mount**
The storage location **/var/tmp** should be bind mounted to **/tmp**, as having multiple locations for temporary storage is not required:
```bash
/tmp /var/tmp none rw,nodev,nosuid,noexec,bind 0 0
```
**The third scenario is setting up polyinstantiated directories**
Create new directories:
```bash
mkdir --mode 000 /tmp-inst
mkdir --mode 000 /var/tmp/tmp-inst
```
Edit `/etc/security/namespace.conf`:
```bash
/tmp /tmp-inst/ level root,adm
/var/tmp /var/tmp/tmp-inst/ level root,adm
```
Set correct **SELinux** context:
```bash
setsebool polyinstantiation_enabled=1
chcon --reference=/tmp /tmp-inst
chcon --reference=/var/tmp/ /var/tmp/tmp-inst
```
And set `nodev`, `nosuid` and `noexec` mount options in `/etc/fstab`.
> Alternative for **polyinstantiated directories** is **PrivateTmp** feature available from **systemd**. For more information please see: [New Red Hat Enterprise Linux 7 Security Feature: PrivateTmp](https://access.redhat.com/blogs/766093/posts/1976243).
###### Policies
- STIG:
- CIS:
###### Useful resources
- [Increasing Linux server security with nodev, nosuid and no exec options](https://kb.iweb.com/hc/en-us/articles/230267488--Increasing-Linux-server-security-with-nodev-nosuid-and-no-exec-options)
- [Why it is important to Securing /dev/shm and /tmp](https://askubuntu.com/questions/389408/why-it-is-important-to-securing-dev-shm-and-tmp)
#### :eight_pointed_black_star: Secure /dev/shm
`/dev/shm` is a temporary file storage filesystem, i.e. **tmpfs**, that uses RAM for the backing store. One of the major security issue with the `/dev/shm` is anyone can upload and execute files inside the `/dev/shm` similar to the `/tmp` partition. Further the size should be limited to avoid an attacker filling up this mountpoint to the point where applications could be affected. (normally it allows 20% or more of RAM to be used). The sticky bit should be set like for any world writeable directory.
For applies to shared memory `/dev/shm` mount params:
```bash
tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,size=1024M,mode=1777 0 0
```
> You can also create a group named 'shm' and put application users for SHM-using applications in there. Then the access can be completely be restricted as such:
```bash
tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,size=1024M,mode=1770,uid=root,gid=shm 0 0
```
###### Policies
- STIG:
- CIS:
###### Useful resources
- [Securing /dev/shm partition](https://www.gnutoolbox.com/securing-devshm-partition/)
#### :eight_pointed_black_star: Secure /proc filesystem
The proc pseudo-filesystem `/proc` should be mounted with `hidepid`. When setting `hidepid` to **2**, directories entries in `/proc` will hidden.
```bash
proc /proc proc defaults,hidepid=2 0 0
```
> Some of the services/programs operate incorrectly when the `hidepid` parameter is set, e.g. Nagios checks.
###### Policies
- STIG:
- CIS:
###### Useful resources
- [Linux system hardening: adding hidepid to /proc mount point](https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/)
#### :eight_pointed_black_star: Swap partition
Encryption of swap space is used to protect sensitive information. It improves the availability of the system, which is also an important part of information security.
```bash
# Turn off the swap area
swapoff -a
# Wipe the swap area
shred -vfz -n 10 /dev/sda2
# Update /etc/fstab
UUID=7e1e715e-7ac4-45ad-b029-18fed80f225f none swap defaults 0 0
# Add the swap area to /etc/crypttab
swap /dev/sda2 /dev/urandom swap
# Activate the mapping
cryptdisks_start swap
/etc/init.d/cryptdisks restart
# Add the encrypted swap area to /etc/fstab
/dev/mapper/swap none swap defaults 0 0
# Turn on the swap area
swapon -a
```
###### Policies
- STIG:
- CIS:
###### Useful resources
- [dm-crypt/Swap encryption](https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption)
- [Encrypted swap partition on Debian/Ubuntu](https://feeding.cloud.geek.nz/posts/encrypted-swap-partition-on/)
#### :eight_pointed_black_star: Disk quotas
###### Policies
- STIG:
- CIS:
###### Useful resources
- [The Lost Art of Disk Quota Management](https://linuxacademy.com/blog/linux/the-lost-art-of-disk-quota-management/)
- [Disk quota](https://wiki.archlinux.org/index.php/disk_quota)
#### :ballot_box_with_check: Summary checklist
| <b>Item</b> | <b>True</b> | <b>False</b> |
| :--- | :---: | :---: |
| Separate base partition scheme: `/boot`, `/tmp`, `/var`, `/var/log` | :black_square_button: | :black_square_button: |
| Separate `/usr` partition | :black_square_button: | :black_square_button: |
| Separate `/home` partition | :black_square_button: | :black_square_button: |
| Separate `/var/www` partition | :black_square_button: | :black_square_button: |
| Separate `/var/tmp` partition | :black_square_button: | :black_square_button: |
| Separate `/var/audit` partition | :black_square_button: | :black_square_button: |
| Secure `/boot` directory with `ro`, `nodev`, `nosuid`, `noexec` options | :black_square_button: | :black_square_button: |
| Secure `/tmp` and `/var/tmp` directory with `nodev`, `nosuid`, `noexec` options | :black_square_button: | :black_square_button: |
| Create symlink for `/var/tmp` in `/tmp` | :black_square_button: | :black_square_button: |
| Setting up bind-mount `/var/tmp` to `/tmp` | :black_square_button: | :black_square_button: |
| Setting up polyinstantiated directories for `/tmp` and `/var/tmp` | :black_square_button: | :black_square_button: |
| Secure `/dev/shm` directory with `nodev`, `nosuid`, `noexec` options | :black_square_button: | :black_square_button: |
| Secure `/proc` filesystem with `hidepid=2` option | :black_square_button: | :black_square_button: |
| Secure swap area with cryptsetup | :black_square_button: | :black_square_button: |

83
lib/post_install_tasks/keep_system_updated.md
View File

@@ -1,83 +0,0 @@
## Post install tasks
### Keep system updated
#### :information_source: Introduction
Software updates offer plenty of benefits. Its all about revisions. These might include repairing security holes that have been discovered and fixing or removing bugs.
Some benefits:
- close up problems of security that has been discovered
- it can improve the stability of the system
- improvements the system stacks or network stacks
#### :eight_pointed_black_star: Make sure that the system is up to date
###### RedHat/CentOS
```bash
# Check for updates
yum check-update
# Install updates
yum update
# Install upgrades (with security updates)
yum --security upgrade
```
###### Policy
| Type | Severity | Reference | Comment |
| :--- | :--- | :--- | :--- |
| <sup>OpenSCAP</sup> | <sup>High</sup> | <sup>[Ensure Software Patches Installed](https://static.open-scap.org/ssg-guides/ssg-centos7-guide-pci-dss.html#xccdf_org.ssgproject.content_rule_security_patches_up_to_date)<sup> | |
| <sup>STIG</sup> | <sup>Medium</sup> | <sup>[Vendor packaged system security patches and updates must be installed and up to date.](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-71999)</sup> | <sup>ID: V-71999</sup> |
| <sup>CIS</sup> | | | <sup>ID: 1.2, 1.8</sup> |
###### Debian
```bash
# Check for updates
apt-get update && apt-get upgrade
# Install updates
apt-get upgrade && apt-get dist-upgrade
```
#### :eight_pointed_black_star: Automatic security updates
###### RedHat/CentOS
```bash
yum install yum-cron
# Edit /etc/yum/yum-cron.conf
update_cmd = security
apply_updates = yes
# Enable service
systemctl enable yum-cron
systemctl start yum-cron
```
###### Debian
```bash
apt-get install unattended-upgrades apt-listchanges
# Edit /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
```
#### :eight_spoked_asterisk: Useful resources
- [How Often Should I Update our Linux Server?](https://serverfault.com/questions/9490/how-often-should-i-update-our-linux-server)
#### :ballot_box_with_check: Summary checklist
| <b>Item</b> | <b>True</b> | <b>False</b> |
| :--- | :---: | :---: |
| Regulary update your system | :black_square_button: | :black_square_button: |
| Automatic check system updates | :black_square_button: | :black_square_button: |

51
lib/post_install_tasks/package_management.md
View File

@@ -1,51 +0,0 @@
## Post install tasks
### Package management
#### :information_source: Introduction
Package manager is a popular way to distribute software. It's also provide a privileged, central mechanism for the management of software on your operating system.
#### :eight_pointed_black_star: Check package signatures
###### RedHat/CentOS
```bash
# Edit '[main]' section in /etc/yum.conf
gpgcheck=1
```
###### Policy
| Type | Severity | Reference | Comment |
| :--- | :--- | :--- | :--- |
| <sup>OpenSCAP</sup> | <sup>High</sup> | <sup>[Ensure gpgcheck Enabled In Main yum Configuration ](https://static.open-scap.org/ssg-guides/ssg-centos7-guide-pci-dss.html#xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated)<sup> | |
| <sup>STIG</sup> | <sup></sup> | <sup></sup> | <sup></sup> |
| <sup>CIS</sup> | | | <sup></sup> |
#### :eight_pointed_black_star: Remove packages with known issues
###### RedHat/CentOS
```bash
```
###### Policy
| Type | Severity | Reference | Comment |
| :--- | :--- | :--- | :--- |
| <sup>OpenSCAP</sup> | <sup></sup> | <sup><sup> | |
| <sup>STIG</sup> | <sup></sup> | <sup></sup> | <sup></sup> |
| <sup>CIS</sup> | | | <sup></sup> |
#### :eight_spoked_asterisk: Useful resources
#### :ballot_box_with_check: Summary checklist
| <b>Item</b> | <b>True</b> | <b>False</b> |
| :--- | :---: | :---: |
| | :black_square_button: | :black_square_button: |
| | :black_square_button: | :black_square_button: |

127
lib/pre_install_tasks/hard_disk_encryption.md
View File

@@ -1,127 +0,0 @@
## Pre install tasks
### Hard disk encryption
#### :information_source: Introduction
Disk encryption is focused on securing physical access, while relying on other parts of the system to provide things like network security and user-based access control.
Most of the Linux distributions will allow you to encrypt your disks before installation.
If you use an alternative installation method (e.g. from `debootstrap`) you can create an [encrypted disk manually](lib/post_install_tasks/disk_partitions.md#disk-partitions).
Before this you should to answer the following questions:
- What part of filesystem do you want to encrypt?
* only user data
* user data and system data
- How should `swap`, `/tmp` and other be taken care of?
* disable or mount as ramdisk
* encrypt (separately of as part of full)
- How should encrypted parts of the disk be unlocked?
* passphrase
* key file
- When should encrypted parts of the disk be unlocked?
* before boot process
* during boot process
* mixed above or manually
#### :eight_pointed_black_star: Encrypt root filesystem
Unlocked during boot, using passphrases or USB stick with keyfiles.
###### Useful resources
- [dm-crypt/Encrypting an entire system](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system)
#### :eight_pointed_black_star: Encrypt /boot partition
- encrypting the whole disk without `/boot` partition but keeping it on a flash drive you carry at all times
- using a checksum value of the boot sector
- boot partition to detect it and change you passphrase
This may not completely get rid of the attack vector described in this post as there is still part of the bootloader that isn't encrypted, but at least the grub stage2 and the kernel/ramdisk are encrypted and should make it much harder to attack.
In addition, the `/boot` partition may be a weak point if you use encryption methods for the rest of the disk.
Historically it has been necessary to leave `/boot` unencrypted because bootloaders didn't support decrypting block devices. However, there are some dangers to leaving the bootloader and ramdisks unencrypted.
Before this you should to answer the following questions:
- Where your `/boot` partition is stored?
* the same place where stored `/`
* separately partition
* external flash drive
The following recipe should be made after installing the system (however, these steps are included in this section to avoid mixing issues).
##### Create copy of your /boot
```bash
mkdir /mnt/boot
mount --bind / /mnt/boot
rsync -aAXv /boot/ /mnt/boot/
umount /mnt/boot
```
##### Removed old /boot partition
```bash
umount /boot
sed -i -e '/\/boot/d' /etc/fstab
```
##### Regenerate grub configuration
```bash
# Debian like distributions
grub-mkconfig > /boot/grub/grub.cfg
# RedHat like distributions
grub2-mkconfig > /boot/grub2/grub.cfg
```
##### Enable `GRUB_ENABLE_CRYPTODISK` param
```bash
echo GRUB_ENABLE_CRYPTODISK=y >> /etc/default/grub
```
##### Reinstall grub
```bash
# Debian like distributions
grub-install /dev/sda
# RedHat like distributions
grub2-install /dev/sda
```
> More details can be found here [Bootloader configuration (grub) section](lib/post_install_tasks/bootloader_configuration.md#bootloader-configuration-grub)
###### Useful resources
- [Encrypting More: /boot Joins The Party](https://dustymabe.com/2015/07/06/encrypting-more-boot-joins-the-party/)
- [Encrypting the /boot partition in a Linux system can protect from an Evil Maid Attack?](https://security.stackexchange.com/questions/166075/encrypting-the-boot-partition-in-a-linux-system-can-protect-from-an-evil-maid-a)
#### :eight_pointed_black_star: Swap partition
- swap area is not required to survive a reboot, therefore a new random encryption key can be chosen each time the swap area is activated
- get the key from `/dev/urandom` because `/dev/random` maybe stalling your boot sequence
> More details can be found here [Swap partition](lib/post_install_tasks/disk_partitions.md#eight_pointed_black_star-swap-partition)
###### Useful resources
- [An introduction to swap space on Linux systems](https://opensource.com/article/18/9/swap-space-linux-systems)
#### :ballot_box_with_check: Summary checklist
| <b>Item</b> | <b>True</b> | <b>False</b> |
| :--- | :---: | :---: |
| Encrypting the whole disk | :black_square_button: | :black_square_button: |
| Usage passphrase or key file to disk unlocked | :black_square_button: | :black_square_button: |
| Choosing a strong passphrase | :black_square_button: | :black_square_button: |
| Encrypting the `/boot` partition | :black_square_button: | :black_square_button: |
| Securing swap partition with `/dev/urandom` | :black_square_button: | :black_square_button: |
| `swap` or `tmp` using an automatically generated per-session throwaway key | :black_square_button: | :black_square_button: |

105
lib/pre_install_tasks/physical_system_security.md
View File

@@ -1,105 +0,0 @@
## Pre install tasks
### Physical system security
#### :information_source: Introduction
The primary goal of physical security is to stop physical attacks whenever possible, and, failing that, to slow them down so that hopefully someone will notice the presence of the attacker in a restricted area, preventing any tampering with the system. Weak physical security often invalidates any other security measure, and thus should be prioritized.
#### :eight_pointed_black_star: Secure rooms
For secure rooms make sure that the walls go beyond the false ceiling, and below the raised floor, large vents should also be covered with bars if possible.
###### Useful resources
- [Establishing Server Room Security](https://www.getkisi.com/guides/server-room-security)
- [How to secure your server room](https://www.hpe.com/us/en/insights/articles/how-to-secure-your-server-room-1809.html)
#### :eight_pointed_black_star: Monitoring
Monitoring the room with CCTV or wired cameras is a great way to provide security for your server room or data center. As well as providing video footage of events which may occur - door open events, motion detection or any other sensor event, they also act as a visual deterrent to would be criminals.
Solution for remotely monitoring the temperature ensue proactively notify you when the temperature goes above or below pre-defined thresholds, potentially allowing you to take corrective measures before encountering costly downtime.
###### Useful resources
[Monitoring Physical Security for your Server Room](https://www.enviromon.net/monitoring-physical-security-server-room/)
#### :eight_pointed_black_star: Air conditioning
Computer equipment generates heat, and is sensitive to heat, humidity, and dust, but also the need for very high resilience and failover requirements. Maintaining a stable temperature and humidity within tight tolerances is critical to IT system reliability.
Air conditioning designs for most computer or server rooms will vary depending on various design considerations, but they are generally one of two types: "up-flow" and "down-flow" configurations.
###### Useful resources
[How to Monitor Server Room Temperature and Environmental Conditions](https://www.enviromon.net/how-to-monitor-server-room-temperature/)
#### :eight_pointed_black_star: Fire protection
The fire protection system's main goal should be to detect and alert of fire in the early stages, then bring fire under control without disrupting the flow of business and without threatening the personnel in the facility. Server room fire suppression technology has been around for as long as there have been server rooms.
There are a series of things you need in a fire suppression system:
- an emergency power off function
- gas-based suppression system
- fire detection sensors
###### Useful resources
[What Type of Suppression System Works Best for Computer Room Fires?](https://www.controlfiresystems.com/news/what-type-of-suppression-system-works-best-for-computer-room-fires/)
#### :eight_pointed_black_star: Locked racks
All systems should be securely fastened to something with a cable system, or locked in an equipment cage if possible. Case locks should be used when possible to slow attackers down.
###### Useful resources
[Securing the Physical Safety of Data with Rack-Level Access Control](https://securitytoday.com/blogs/reaction/2018/02/Securing-the-Physical-Safety-of-Data-with-Rack-Level-Access-Control.aspx)
#### :eight_pointed_black_star: Console security
With physical access to most machines you can simply reboot the system and ask it nicely to launch into single user mode, or tell it to use `/bin/sh` for init.
###### Useful resources
[Physical Security](https://www.tldp.org/HOWTO/Security-HOWTO/physical-security.html)
#### :eight_pointed_black_star: BIOS protection
In the program itself to edit the BIOS settings:
- only boot from specific drive
- disable the unused controllers
- disable the booting from external media devices (USB/CD/DVD)
- enable BIOS password
You need to protect the BIOS of the host with a password so the end-user wont be able to change and override the security settings in the BIOS.
Main reasons for password protecting the BIOS:
- preventing changes to BIOS settings
- preventing system booting
Because the methods for setting a BIOS password vary between computer manufacturers, consult the computer's manual for specific instructions.
> For this reason, it is good practice to lock the computer case if possible. However, consult the manual for the computer or motherboard before attempting to disconnect the CMOS battery.
###### Useful resources
[BIOS Protection Guidelines for Servers (Draft)](https://csrc.nist.gov/csrc/media/publications/sp/800-147b/final/documents/draft-sp800-147b_july2012.pdf)
#### :ballot_box_with_check: Summary checklist
| <b>Item</b> | <b>True</b> | <b>False</b> |
| :--- | :---: | :---: |
| Physically secure machine (also outside of a server room) | :black_square_button: | :black_square_button: |
| Monitoring server rooms with CCTV or wired cameras | :black_square_button: | :black_square_button: |
| Remotely monitoring the temperature | :black_square_button: | :black_square_button: |
| Efficient air conditioning solution | :black_square_button: | :black_square_button: |
| Efficient fire protection system | :black_square_button: | :black_square_button: |
| Locked cage (server case) | :black_square_button: | :black_square_button: |
| Physical access to server console | :black_square_button: | :black_square_button: |
| Password on the BIOS | :black_square_button: | :black_square_button: |
| Disable external media devices | :black_square_button: | :black_square_button: |
| Periodic physical inspections | :black_square_button: | :black_square_button: |

28
lib/services/disable_all_unnecessary_services.md
View File

@@ -1,28 +0,0 @@
## Services
### Disable all unnecessary services
The action in this section provide guidance on some of unwanted applications and services which you might not needed but they are installed by default during OS installation and unknowingly start eating your system resources and also threats to the system security. If unused services is not enabled then it cannot be exploited.
#### :eight_pointed_black_star: Common Unix Print System
The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. If the system does not need to accept print jobs from other systems, it's recommended that CUPS be disabled to reduce the potential attack.
Run the following command to verify cups is not enabled:
```bash
# systemctl is-enabled cups
disabled
```
Run the following command to disable cups:
```bash
# systemctl disable cups
```
###### Policies
- STIG:
- CIS:

288
lib/services/web_services.md
View File

@@ -1,288 +0,0 @@
## Services
### Web services
#### Nginx
Nginx is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by [Igor Sysoev](http://sysoev.ru/en/).
It's used worldwide, and is one of best tools at what it does. Default configuration that comes with it, however, is not very security oriented, and it requires some work to set it up properly. That's what this section aims to help you with.
#### :eight_pointed_black_star: Files and directories permissions
Usually setting directories permissions to `0755` and file permissions to `0644` is a good practise.
`0755` permissions for directories allows nginx user to access files in the folder, however you don't want to grant same type of permissions to a file, as granting execution permissions to a file is not a good idea, especially on a publicly exposed server.
Script for setting all directories permissions to `0755` (here we assume that webserver directory path is `/var/www/html`):
```bash
find /var/www/html -type d -exec chmod 755 {} \;
```
Script for setting all files permissions to `0644`:
```bash
find /var/www/html -type f -exec chmod 644 {} \;
```
Whatever you do, never grant `0777` permissions to files, nor folders.
#### :eight_pointed_black_star: Use HTTPS
In this day and age, with services like [Let's Encrypt](https://letsencrypt.org/), there's no excuse not to use HTTPS for your website.
This example configuration also includes stronger cihper suite, ssl session adjustments, HSTS header, stronger DHE parameter, and OSCP Stapling.
**Example of a config with HTTP to HTTPS redirection:**
```
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com;
return 301 https://$host$request_uri;
server_tokens off;
}
server {
listen 443 ssl default_server;
listen [::]:443 ssl;
server_name example.com;
server_tokens off;
ssl on;
ssl_certificate /etc/nginx/ssl/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/cert.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam /etc/nginx/ssl/dhparam-4096.pem;
}
```
###### Useful resources
- [Mozilla SSL Configuration Generator](https://mozilla.github.io/server-side-tls/ssl-config-generator/)
#### :eight_pointed_black_star: Enable HTTP/2
HTTP/2 is a replacement for how HTTP is expressed “on the wire.” It is not a ground-up rewrite of the protocol; HTTP methods, status codes and semantics are the same, and it should be possible to use the same APIs as HTTP/1.x (possibly with some small additions) to represent the protocol.
**Differences between HTTP/2 and HTTP/1.1:**
At a high level, HTTP/2:
<ul>
<li>is binary, instead of textual</li>
<li>is fully multiplexed, instead of ordered and blocking</li>
<li>can therefore use one connection for parallelism</li>
<li>uses header compression to reduce overhead</li>
<li>allows servers to “push” responses proactively into client caches</li>
</ul>
**Example config that enables HTTP/2:**
```
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com;
return 301 https://$host$request_uri;
server_tokens off;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2;
server_name example.com;
server_tokens off;
ssl on;
ssl_certificate /etc/nginx/ssl/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/cert.key;
}
```
###### Useful resources
- [HTTP/2](https://http2.github.io/)
- [What are the key differences to HTTP/1.x?](https://http2.github.io/faq/#what-are-the-key-differences-to-http1x)
#### :eight_pointed_black_star: Separate domains
In case you have more than one website you'd like to serve from your server, nginx allows you to that.
In this example we'll have 2 different websites, with 2 different domains, served from same virtual machine.
**Example config that allows you to serve two websites with two different domains:**
```
server {
listen 80;
listen [::]:80;
server_name first-example.com;
root /var/www/html/website1;
index index.html;
server_tokens off;
location / {
try_files $uri $uri/ =404;
}
}
server {
listen 80;
listen [::]:80;
server_name second-example.com;
root /var/www/html/website2;
index index.html;
server_tokens off;
location / {
try_files $uri $uri/ =404;
}
}
```
#### :eight_pointed_black_star: Redirect all unencrypted traffic to HTTPS
This config entry is responsible for permanently redirecting all HTTP traffic to HTTPS. It will redirect all visitors that try to access website through HTTP on port 80, to HTTPS on port 443: `return 301 https://$host$request_uri;`
**Example config:**
```
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com;
return 301 https://$host$request_uri;
server_tokens off;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2;
server_name example.com;
server_tokens off;
ssl on;
ssl_certificate /etc/nginx/ssl/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/cert.key;
}
```
#### :eight_pointed_black_star: Enable HTTP Strict Transport Security
**What is HSTS?**
HTTPS (HTTP encrypted with SSL or TLS) is an essential part of the measures to secure traffic to a website, making it very difficult for an attacker to intercept, modify, or fake traffic between a user and the website.
When a user enters a web domain manually (providing the domain name without the http:// or https:// prefix) or follows a plain http:// link, the first request to the website is sent unencrypted, using plain HTTP. Most secured websites immediately send back a redirect to upgrade the user to an HTTPS connection, but a wellplaced attacker can mount a maninthemiddle (MITM) attack to intercept the initial HTTP request and can control the users session from then on.
Config entry :
```bash
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```
**Example config**
```bash
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com;
return 301 https://$host$request_uri;
server_tokens off;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2;
server_name example.com;
server_tokens off;
ssl on;
ssl_certificate /etc/nginx/ssl/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/cert.key;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
```
###### Useful resources
- [HTTP Strict Transport Security (HSTS) and NGINX](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/)
#### :eight_pointed_black_star: Diffie Hellman Ephemeral Parameter
All versions of nginx as of 1.4.4 rely on OpenSSL for input parameters to Diffie-Hellman (DH). Unfortunately, this means that Ephemeral Diffie-Hellman (DHE) will use OpenSSL's defaults, which include a 1024-bit key for the key-exchange.
This example aims to generate stronger DHE parameter:
```bash
cd /etc/nginx/ssl/
openssl dhparam -out dhparam-4096.pem 4096
```
Then add it to your nginx config with this config entry:
```bash
ssl_dhparam /etc/nginx/ssl/dhparam-4096.pem;
```
###### Useful resources
- [Strong SSL Security on Nginx](https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html)
#### :eight_pointed_black_star: Security related headers
_Cross-site scripting (XSS) protection:_
Helps with preventing XSS attacks, it's enabling cross-site scripting filter built into modern browsers.
```bash
add_header x-xss-protection "1; mode=block" always;
```
_X-Frame-Options:_
Prevents iframe loading from different websites:
```bash
add_header x-frame-options "SAMEORIGIN" always;
```
_X-Content-Type-Options:_
It helps reducing drive-by downloads:
```bash
add_header X-Content-Type-Options "nosniff" always;
```
_HTTP Strict Transport Security (HSTS):_
When a browser sees this header from an HTTPS website, it “learns” that this domain must only be accessed using HTTPS (SSL or TLS). It caches this information for the max-age period (typically 31,536,000 seconds, equal to about 1 year).
```bash
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```
###### Useful resources
- [OWASP Secure Headers Project](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project)