Infrastructure Security

Basic Security Principles

What If

The resources you use are compromised

Your SSH keys are stolen

You shared your password accidentally

<addme>

Code Security Checks

Relevant information regarding scanning code that's about to be committed to git repositories and catching potential security issues like

More info TBD

Artifact Signing and Vulnerability Scanning 

Relevant information regarding signing the artifacts that are made available via Nordix (either by building or caching) and scanning them for security issues and vulnerabilities

More info TBD



Generic Checklist for Host/Server Hardening


HOST

1. Document the host information

Each time you start a new Linux hardening job, create a new document that contains every checklist item listed in this post, and tick off each item as you apply it to the system. At the top of the document, include the Linux host information:

2. BIOS protection

You need to protect the BIOS of the host with a password so the end user cannot change or override the security settings in the BIOS; it is important to keep this area protected from any changes. Each computer manufacturer uses a different key combination to enter the BIOS setup; once inside, it is a matter of finding the configuration screen where the administrative password is set.

Next, disable booting from external media devices (USB/CD/DVD). If you leave this setting unchanged, anyone can boot the machine from a USB stick that contains a bootable OS and access your OS data.

Modern server motherboards include a built-in web server for remote management. Make sure to change the default password of the admin page, or disable it if possible.


3. Hard disk encryption (confidentiality)

Most Linux distributions allow you to encrypt your disks during installation. Disk encryption matters in case of theft: whoever stole your computer will not be able to read your data by connecting the hard disk to their own machine.

In the image below, choose the third option from the list, “Guided - use entire disk and set up encrypted LVM” (LVM stands for Logical Volume Manager).

If your Linux distribution does not support encryption, you can use software such as TrueCrypt.


4. Disk protection (availability)

Backups have many advantages in case of a damaged system or a bug in an OS update. For important servers, the backup needs to be transferred offsite in case of a disaster. Backups also need to be managed: for example, how long will you keep old backups, and how often do you back up your system (every day, every week …)?

Critical systems should be separated into different partitions for:

Partitioning disks gives you both performance and security benefits in case of a system error. In the picture below, you can see how to separate partitions in Kali Linux during the installation.


5. Lock the boot directory

The boot directory contains important files related to the Linux kernel, so make sure this directory is locked down to read-only permissions by following these simple steps. First, open the “fstab” file.


Then, add the last line highlighted at the bottom.

When you finish editing the file, you need to set the owner by executing the following command:

#chown root:root /etc/fstab

Next, set a few permissions to secure the boot settings:
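An added check for this step (not part of the original page): given an fstab-style file, it reports whether a mount point such as /boot carries the ro option, matching ro only as a whole option. The same column layout is used by /proc/mounts, so the function also verifies what is actually mounted; the sample fstab is constructed.

```bash
#!/usr/bin/env bash
# Added check for the step above: is a mount point listed with the "ro" option?
# Works on /etc/fstab and on /proc/mounts, which share the same column layout.
# Usage: mount_is_readonly FILE MOUNTPOINT  ->  exit 0 if read-only, 1 otherwise
mount_is_readonly() {
    local file="$1" target="$2" dev mnt fstype opts rest
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac     # blank lines and comments
        [ "$mnt" = "$target" ] || continue
        # Options are comma separated; match "ro" as a whole option only, so that
        # an option such as "errors=remount-ro" never counts as a match.
        case ",$opts," in *,ro,*) return 0 ;; esac
        return 1
    done < "$file"
    return 1   # no entry at all: the directory is just part of another filesystem
}

# Constructed sample fstab (not from a real host) to show the check in action.
sample_fstab=$(mktemp)
cat > "$sample_fstab" <<'EOF'
# <file system>   <mount point>   <type>   <options>              <dump> <pass>
UUID=0000-root    /               ext4     errors=remount-ro      0      1
/dev/sda1         /boot           ext4     defaults,nodev,ro      0      2
EOF
if mount_is_readonly "$sample_fstab" /boot; then
    echo "/boot is listed read-only"
else
    echo "/boot is NOT listed read-only"
fi
rm -f "$sample_fstab"
# On a live host, compare the intent with what is actually mounted:
#   mount_is_readonly /etc/fstab /boot && mount_is_readonly /proc/mounts /boot
```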

6. Disable USB usage

Depending on how critical your system is, it is sometimes necessary to disable the use of USB sticks on the Linux host. There are multiple ways to deny the use of USB storage; here is a popular one:

 

SERVER

1. System update

The first thing to do after the first boot is to update the system; this should be an easy step. Generally, you open your terminal window and execute the appropriate commands.


2. Check the installed packages

List all packages installed on your Linux OS and remove the unnecessary ones. Be very strict if the host you are hardening is a server, because servers should have the least number of applications and services installed on them.

Remember that disabling unnecessary services reduces the attack surface, so it is important to remove the following legacy services if you find them installed on the Linux server:

3. Check for open ports

Identifying open connections to the internet is a critical task. Use netstat for this.
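An added helper for this step (not part of the original page): it filters netstat -tulpn output down to the sockets reachable from the network, i.e. everything not bound to a loopback address, which is the list worth reviewing against the services the server is supposed to offer. The netstat output below is constructed.

```bash
#!/usr/bin/env bash
# Added helper for the step above: reduce `netstat -tulpn` output to the sockets
# that accept traffic from the network, i.e. everything not bound to loopback.
# Usage: netstat -tulpn | exposed_listeners      (or: exposed_listeners FILE)
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            # Only TCP rows carry a State column; a UDP socket is always reachable.
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            addr = $4; sub(/:[^:]*$/, "", addr)    # drop the trailing ":port"
            port = $4; sub(/.*:/, "", port)
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            printf "%-5s %s:%s  %s\n", $1, addr, port, $NF
        }' "${1:--}"
}

# Constructed sample of netstat -tulpn output (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      901/mysqld
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      955/redis-server
tcp6       0      0 :::80                   :::*                    LISTEN      1203/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           610/chronyd
EOF
}

sample_netstat | exposed_listeners
```

In the sample, mysqld and chronyd are bound to 127.0.0.1 and drop out, while sshd, redis-server, nginx and dhclient remain for review.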


4. Secure SSH

Yes, SSH is secure, but you still need to harden this service. First of all, if you can disable SSH altogether, that is a problem solved. If you do need it, change the default SSH configuration: browse to /etc/ssh and open the “sshd_config” file in your favorite text editor.

 


The list could go on and on, but these should be enough to start with. For example, some companies add login banners to deter attackers and discourage them from continuing further.


Here are some additional options that you need to make sure exist in the “sshd_config” file:

Finally, set the permissions on the sshd_config file so that only the root user can change its contents:

#chown root:root /etc/ssh/sshd_config

#chmod 600 /etc/ssh/sshd_config
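An added audit script for the sshd_config step (not part of the original page): it reads the file the way sshd does, where the first occurrence of a keyword wins, keywords are case-insensitive and anything after a Match line is conditional, and reports directives that are missing or weaker than expected. The directive names are standard sshd_config(5) keywords; the expected values are this example's own assumptions, and the sample configuration is constructed.

```bash
#!/usr/bin/env bash
# Added audit for the sshd_config step above. Directive names are sshd_config(5)
# keywords; the expected values are this example's assumptions.
# sshd honours the FIRST occurrence of a keyword, keywords are case-insensitive,
# and everything after the first Match line is conditional, so it is ignored.
# Exit status = number of findings (0 means every check passed).
audit_sshd() {
    awk '
        BEGIN {
            want["permitrootlogin"]        = "no"
            want["passwordauthentication"] = "no"
            want["permitemptypasswords"]   = "no"
            want["x11forwarding"]          = "no"
            want["maxauthtries"]           = "4"     # at most 4
        }
        /^[ \t]*#/ || NF == 0 { next }               # comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }                      # stop at first Match block
        (key in want) && !(key in seen) { seen[key] = $2 }   # first one wins
        END {
            n = 0
            for (k in want) {
                if (!(k in seen)) {
                    printf "MISSING %s (want %s)\n", k, want[k]; n++
                } else if (k == "maxauthtries" ? (seen[k] + 0 > want[k] + 0) : (seen[k] != want[k])) {
                    printf "WEAK    %s %s (want %s)\n", k, seen[k], want[k]; n++
                }
            }
            exit n
        }' "$1"
}

# Constructed sshd_config with typical weak defaults (not from a real host).
sample_weak_config() {
cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
# the next line is ignored by sshd: a later duplicate never overrides the first
PermitRootLogin no
EOF
}

cfg=$(mktemp); sample_weak_config > "$cfg"
audit_sshd "$cfg" || echo "$? finding(s)"
rm -f "$cfg"
```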


5. Enable SELinux

Security Enhanced Linux (SELinux) is a kernel security mechanism that enforces an access control security policy. SELinux has three configuration modes:

#nano /etc/selinux/config

SELINUX=enforcing


6. Network parameters

Securing your Linux host's network activity is an essential task. Do not assume that your firewall will take care of everything. Here are some important features to consider for securing your host network:

It is strongly recommended to use the Linux firewall by applying iptables rules and filtering all incoming, outgoing and forwarded packets. Configuring your iptables rules takes some time, but it is worth the effort.


7. Password policies

auth sufficient    pam_unix.so likeauth nullok

password sufficient pam_unix.so remember=4

The remember=4 option will not allow users to reuse their last four passwords.



/lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1

Linux hashes passwords rather than storing them in cleartext, so make sure a secure password hashing algorithm (SHA512) is configured.


auth required pam_env.so

auth required pam_faillock.so preauth audit silent deny=5 unlock_time=604800

auth [success=1 default=bad] pam_unix.so

auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=604800

auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=604800

auth required pam_deny.so

Open the file “/etc/pam.d/system-auth” and make sure you have the following lines added:

auth required pam_env.so

auth required pam_faillock.so preauth audit silent deny=5 unlock_time=604800

auth [success=1 default=bad] pam_unix.so

auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=604800

auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=604800

auth required pam_deny.so

After five failed attempts, only an administrator can unlock the account by using the following command:

# /usr/sbin/faillock --user <userlocked>  --reset
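An added model of the pam_faillock stack above (not part of the original page and not PAM itself): a shell function walks the control flow of the preauth, pam_unix, authfail and authsucc lines for one user, showing why the fifth failure locks the account, why the correct password is then refused, and what the faillock --reset command undoes. The password and tally are constructed variables; unlock_time expiry is not modelled.

```bash
#!/usr/bin/env bash
# Added model of the pam_faillock stack above for a single user; it is not PAM
# itself. PASSWORD stands in for the stored credential, FAILS for the tally file.
# The unlock_time expiry is not modelled: a locked tally stays locked until reset.
DENY=5
PASSWORD='correct horse'   # constructed secret for the demo
FAILS=0                    # failed-attempt tally kept by pam_faillock

# One pass through the auth stack. Returns 0 (authenticated) or 1 (denied).
pam_auth() {
    local attempt="$1"
    # preauth: the tally already reached DENY, so the request is rejected
    [ "$FAILS" -lt "$DENY" ] || return 1
    if [ "$attempt" = "$PASSWORD" ]; then
        # pam_unix succeeded: [success=1] skips the authfail line, authsucc resets the tally
        FAILS=0
        return 0
    fi
    # pam_unix failed: [default=bad] falls through to authfail, which records the
    # failure, and [default=die] ends the stack immediately
    FAILS=$((FAILS + 1))
    return 1
}

# Administrator action: faillock --user <user> --reset
faillock_reset() { FAILS=0; }

try() { if pam_auth "$1"; then echo "ok     tally=$FAILS"; else echo "DENIED tally=$FAILS"; fi; }

# Five wrong guesses lock the account; the right password is then refused too.
for guess in wrong wrong wrong wrong wrong 'correct horse'; do try "$guess"; done
faillock_reset
try 'correct horse'
```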


auth required pam_wheel.so use_uid


#!/bin/bash
# Lock every system account (UID below 500) except root, and give those that
# are not sync, shutdown or halt a non-interactive shell.
for user in $(awk -F: '($3 < 500) {print $1}' /etc/passwd); do
    if [ "$user" != "root" ]; then
        /usr/sbin/usermod -L "$user"
        if [ "$user" != "sync" ] && [ "$user" != "shutdown" ] && [ "$user" != "halt" ]; then
            /usr/sbin/usermod -s /sbin/nologin "$user"
        fi
    fi
done


8. Permissions and verifications

Setting permissions correctly is one of the most important and critical tasks for achieving the security goal on a Linux host.

#chown root:root /etc/anacrontab

#chmod og-rwx /etc/anacrontab

#chown root:root /etc/crontab

#chmod og-rwx /etc/crontab

#chown root:root /etc/cron.hourly

#chmod og-rwx /etc/cron.hourly

#chown root:root /etc/cron.daily

#chmod og-rwx /etc/cron.daily

#chown root:root /etc/cron.weekly

#chmod og-rwx /etc/cron.weekly

#chown root:root /etc/cron.monthly

#chmod og-rwx /etc/cron.monthly

#chown root:root /etc/cron.d

#chmod og-rwx /etc/cron.d

#chown root:root <crontabfile>

#chmod og-rwx <crontabfile>

#chmod 644 /etc/passwd

#chown root:root /etc/passwd

#chmod 644 /etc/group

#chown root:root /etc/group

#chmod 600 /etc/shadow

#chown root:root /etc/shadow

#chmod 600 /etc/gshadow

#chown root:root /etc/gshadow
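An added audit for the ownership and permission list above (not part of the original page): rather than re-running the chown/chmod commands blindly, it reports which files deviate, treating og-rwx as "no group or other bits set" and the numeric modes as exact. It assumes GNU stat from coreutils; the <crontabfile> placeholder is left out of the list.

```bash
#!/usr/bin/env bash
# Added audit for the ownership/permission list above: verify instead of blindly
# re-applying. Needs GNU stat (coreutils). MODESPEC is an exact octal mode such
# as 600, or "og-rwx" meaning no group/other bits at all (what chmod og-rwx leaves).
check_perm() {   # check_perm PATH OWNER:GROUP MODESPEC ; exit 0 = OK, 1 = finding
    local path="$1" owner="$2" spec="$3" mode names ids
    [ -e "$path" ] || { echo "SKIP $path (absent)"; return 0; }
    mode=$(stat -c '%a' "$path") || return 1
    names=$(stat -c '%U:%G' "$path"); ids=$(stat -c '%u:%g' "$path")
    if [ "$owner" != "$names" ] && [ "$owner" != "$ids" ]; then
        echo "FAIL $path owned by $names (want $owner)"; return 1
    fi
    case "$spec" in
        og-rwx) # keep only the group/other bits (octal 077); any set bit is exposure
                if [ $(( 0$mode & 077 )) -ne 0 ]; then
                    echo "FAIL $path mode $mode (group/other bits set)"; return 1
                fi ;;
        *)      if [ "$mode" != "$spec" ]; then
                    echo "FAIL $path mode $mode (want $spec)"; return 1
                fi ;;
    esac
    echo "OK   $path $names $mode"
}

# The page's list as "path owner spec" rows. <crontabfile> is the page's
# placeholder for user crontabs and is left out here.
audit_cron_and_auth_files() {
    local failed=0 path owner spec
    while read -r path owner spec; do
        check_perm "$path" "$owner" "$spec" || failed=$((failed + 1))
    done <<'EOF'
/etc/anacrontab   root:root og-rwx
/etc/crontab      root:root og-rwx
/etc/cron.hourly  root:root og-rwx
/etc/cron.daily   root:root og-rwx
/etc/cron.weekly  root:root og-rwx
/etc/cron.monthly root:root og-rwx
/etc/cron.d       root:root og-rwx
/etc/passwd       root:root 644
/etc/group        root:root 644
/etc/shadow       root:root 600
/etc/gshadow      root:root 600
EOF
    return "$failed"
}

audit_cron_and_auth_files || echo "$? file(s) need attention"
```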

9. Additional process hardening

Restrict Core Dumps by:

Configure Exec Shield by:

Enable randomized Virtual Memory Region Placement by:

More info TBD
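Added checks for the three items above (not part of the original page): they read the running kernel's settings for core dumps and address space randomization and look for the NX flag on the CPU. The target values are this example's assumptions (fs.suid_dumpable=0 with a "* hard core 0" limit, kernel.randomize_va_space=2); the kernel.exec-shield sysctl exists only on older Red Hat kernels, so the NX flag stands in for Exec Shield. A ROOT variable redirects the checks at a constructed /proc tree for testing.

```bash
#!/usr/bin/env bash
# Added checks for the three items above. Assumed target values: fs.suid_dumpable=0
# plus a "* hard core 0" limit for core dumps, kernel.randomize_va_space=2 for ASLR.
# The kernel.exec-shield sysctl only exists on older Red Hat kernels, so the
# executable-space check looks for the CPU's NX flag instead.
# ROOT points at an alternative /proc tree so the checks can run against test data.
ROOT="${ROOT:-}"

proc_value() { cat "$ROOT/proc/sys/$1" 2>/dev/null; }   # e.g. proc_value fs/suid_dumpable

aslr_ok()          { [ "$(proc_value kernel/randomize_va_space)" = "2" ]; }  # 2 = stack, mmap, vdso and brk
suid_dumpable_ok() { [ "$(proc_value fs/suid_dumpable)" = "0" ]; }           # 0 = no dumps from setuid programs
nx_ok()            { grep -qw nx "$ROOT/proc/cpuinfo" 2>/dev/null; }         # NX/XD bit present

# Does a limits.conf-style file disable core dumps for every user ("* hard core 0")?
core_limit_configured() {
    awk '!/^[ \t]*#/ && $1 == "*" && $2 == "hard" && $3 == "core" && $4 == "0" { found = 1 }
         END { exit !found }' "$1"
}

report() {   # prints one PASS/FAIL line per check; argument: limits.conf path
    local limits="${1:-/etc/security/limits.conf}" name
    for name in aslr_ok suid_dumpable_ok nx_ok; do
        if "$name"; then echo "PASS $name"; else echo "FAIL $name"; fi
    done
    if core_limit_configured "$limits"; then echo "PASS core_limit ($limits)"; else echo "FAIL core_limit ($limits)"; fi
}

report
```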