sudo lynis audit system

Consider explicit disabling of core dump in /etc/security/limits.conf
    * hard core 0
    * soft core 0
Configure password hashing rounds in /etc/login.defs
When possible set expire dates for all password protected accounts
Configure minimum password age in /etc/login.defs
Configure maximum password age in /etc/login.defs
Default umask in /etc/login.defs could be more strict like 027
To decrease the impact of a full /var file system, place /var on a separate partition
Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft
Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft
Check DNS configuration for the dns domain name
Add the IP name and FQDN to /etc/hosts for proper name resolving
Consider using a tool to automatically apply upgrades
Determine if protocol 'dccp',sctp,rds,tipc is really needed on this system
Enable logging to an external logging host

cat /etc/modprobe.d/30_security-misc.conf

options nf_conntrack nf_conntrack_helper=0
install bluetooth /bin/true
install btusb /bin/true

## Disable thunderbolt and firewire modules to prevent some DMA attacks
install thunderbolt /bin/true
install firewire-core /bin/true
install firewire_core /bin/true
install firewire-ohci /bin/true
install firewire_ohci /bin/true
install firewire_sbp2 /bin/true
install firewire-sbp2 /bin/true
install ohci1394 /bin/true
install sbp2 /bin/true
install dv1394 /bin/true
install raw1394 /bin/true
install video1394 /bin/true

## Disable CPU MSRs as they can be abused to write to arbitrary memory.
install msr /bin/true

## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilities.
## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
install n-hdlc /bin/true
install ax25 /bin/true
insta