
fsec

for gui
dnf5 install scap-workbench

dnf5 install openscap-scanner
dnf5 install scap-security-guide

datastreams shipped by scap-security-guide (one per product):
ls -1 /usr/share/xml/scap/ssg/content/ssg-*-ds.xml

openscap-engine-sce   (only needed for content that uses SCE script checks)
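Added example, not part of the original notes: scan the local system with one SSG profile and generate the matching bash remediation script. It assumes scap-security-guide is installed (datastreams under /usr/share/xml/scap/ssg/content) and takes the product and profile short names (e.g. fedora, ospp) on the command line; the output directory is a choice made here.

```shell
#!/bin/sh
# Added example, not from the original notes.  Assumed: datastreams from the
# scap-security-guide package under SSG_DIR; product/profile short names given
# on the command line; OUTDIR is an arbitrary choice.

SSG_DIR=/usr/share/xml/scap/ssg/content

# Datastream for a product short name: fedora -> .../ssg-fedora-ds.xml
ds_path() {
    printf '%s/ssg-%s-ds.xml\n' "$SSG_DIR" "$1"
}

# Full XCCDF profile id from the short name that "oscap info" prints
# (e.g. ospp, standard).
profile_id() {
    printf 'xccdf_org.ssgproject.content_profile_%s\n' "$1"
}

# "oscap xccdf eval" exit codes: 0 = every rule passed, 2 = at least one
# rule failed (the scan itself succeeded), anything else = error.
eval_status() {
    case "$1" in
        0) echo pass ;;
        2) echo fail ;;
        *) echo error ;;
    esac
}

# Scan PRODUCT's datastream with PROFILE; results, HTML report and a bash
# fix script end up in OUTDIR.
run_scan() {
    product=$1; profile=$2; outdir=$3
    ds=$(ds_path "$product")
    [ -r "$ds" ] || { echo "no datastream at $ds" >&2; return 1; }
    mkdir -p "$outdir"

    oscap info "$ds"                     # lists the profiles this stream offers

    rc=0
    oscap xccdf eval \
        --profile "$(profile_id "$profile")" \
        --results "$outdir/results.xml" \
        --report  "$outdir/report.html" \
        "$ds" || rc=$?
    status=$(eval_status "$rc")
    echo "scan result: $status (see $outdir/report.html)"
    [ "$status" != error ] || return 1

    # Remediation for the whole profile.  Read it before running it: it
    # removes packages, rewrites mount options, loads audit rules, etc.
    oscap xccdf generate fix \
        --fix-type bash \
        --profile "$(profile_id "$profile")" \
        --output "$outdir/remediate.sh" \
        "$ds"
}

# usage (as root): ./oscap-scan.sh fedora ospp /var/tmp/oscap
if [ $# -ge 2 ] && command -v oscap >/dev/null 2>&1; then
    run_scan "$1" "$2" "${3:-/var/tmp/oscap}"
fi
```

Exit status 2 from the eval is the normal outcome on an unhardened box; only treat other non-zero codes as tool failures. The generated remediate.sh covers every rule in the profile, not just the failed ones, so diff it against what the report flagged before applying it.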

 


dnf install crypto-policies-scripts   (the package that provides update-crypto-policies)

 

authselect

profiles:
sssd = System Security Services Daemon (SSSD) for systems that authenticate against LDAP, IdM or AD through SSSD
winbind = Winbind for systems joined directly to Microsoft Active Directory
nis = compatibility with legacy Network Information Service (NIS) systems
minimal = only local users and groups; lets administrators remove network authentication services that are no longer needed

optional features: with-ecryptfs, with-faillock, with-pamaccess, without-nullok, ...

cat /usr/share/authselect/default/minimal/README
or authselect show minimal

authselect select minimal with-faillock without-nullok

authselect apply-changes   (regenerates the PAM and nsswitch files after editing /etc/authselect/user-nsswitch.conf or a custom profile)

authselect current

 

 

crypto policies

update-crypto-policies --set DEFAULT   (DEFAULT, LEGACY, FUTURE or FIPS; restart the affected services or reboot afterwards)

 

/etc/crypto-policies/back-ends/gnutls.config under DEFAULT (SSL 3.0, TLS 1.0/1.1 and DTLS 0.9/1.0 disabled):

+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0

 

ls -lah /etc/crypto-policies/back-ends/krb5.config

/etc/crypto-policies/back-ends/krb5.config -> /usr/share/crypto-policies/FIPS/krb5.txt   (the link target follows the active policy; DEFAULT/krb5.txt when DEFAULT is set)

krb5 only honours it through /etc/krb5.conf.d/crypto-policies; if that file is missing or is not a symlink, recreate it:
rm -f /etc/krb5.conf.d/crypto-policies
ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies
 
/etc/ipsec.conf
include /etc/crypto-policies/back-ends/libreswan.config

/etc/pki/tls/openssl.cnf (OpenSSL's include directive is .include)
[ crypto_policy ]
.include = /etc/crypto-policies/back-ends/opensslcnf.config

 

/etc/sysconfig/sshd

a CRYPTO_POLICY= line in this file overrides the system policy for sshd only; delete it so sshd follows the system policy (current Fedora pulls the policy in through /etc/ssh/sshd_config.d/50-redhat.conf):

sed -i "/^\s*CRYPTO_POLICY.*$/Id" /etc/sysconfig/sshd

 

/etc/gdm/custom.conf

[daemon]
AutomaticLoginEnable=false

## xdmcp is an unencrypted protocol
[xdmcp]
Enable=false
 

SUDO

sudo dnf install sudo

Defaults use_pty: run the command in its own pseudo-terminal, so it cannot keep hold of the invoking user's terminal after sudo returns (also required for I/O logging); the option that limits sudo to sessions with a real tty is requiretty, not use_pty

Defaults use_pty
Defaults logfile=/var/log/sudo.log

avoid NOPASSWD and !authenticate in /etc/sudoers

ensure timestamp_timeout is not negative (a negative value means cached credentials never expire) and keep it short:

Defaults timestamp_timeout=5

add these through visudo or as a file in /etc/sudoers.d rather than appending to /etc/sudoers with echo, and syntax-check with visudo -cf FILE before installing; a broken sudoers locks everyone out of sudo

the #includedir line (@includedir in sudo 1.9.1 and later) must point only at the /etc/sudoers.d directory
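Added example, not part of the original notes: a lint for the sudoers points above, run first against two constructed files (a weak one and a hardened one) so the checks can be trusted before they are pointed at /etc/sudoers. The drop-in name 90-hardening and the 5-minute ceiling for timestamp_timeout are choices made here.

```shell
#!/bin/sh
# Added example, not from the original notes.  Assumed: drop-in name
# /etc/sudoers.d/90-hardening and a timestamp_timeout ceiling of 5 minutes.

# Non-comment lines of a sudoers file; #include/#includedir and @include
# directives survive because they start with "#i" or "@".
sudoers_active() {
    grep -Ev '^[[:space:]]*(#[^i]|$)' "$1"
}

# Print one line per finding; prints nothing and returns 0 for a clean file.
audit_sudoers() {
    f=$1; n=0
    if sudoers_active "$f" | grep -q 'NOPASSWD'; then
        echo "NOPASSWD: rule runs without authentication"; n=$((n+1))
    fi
    if sudoers_active "$f" | grep -q '!authenticate'; then
        echo "!authenticate: authentication disabled"; n=$((n+1))
    fi
    sudoers_active "$f" | grep -Eq '^[[:space:]]*Defaults[^#]*[[:space:],]use_pty([[:space:],]|$)' \
        || { echo "missing: Defaults use_pty"; n=$((n+1)); }
    sudoers_active "$f" | grep -Eq '^[[:space:]]*Defaults[^#]*logfile=' \
        || { echo "missing: Defaults logfile=..."; n=$((n+1)); }
    t=$(sudoers_active "$f" | sed -n 's/.*timestamp_timeout=\(-\{0,1\}[0-9]\{1,\}\).*/\1/p' | tail -n 1)
    if [ -z "$t" ]; then
        echo "missing: Defaults timestamp_timeout"; n=$((n+1))
    elif [ "$t" -lt 0 ]; then
        echo "timestamp_timeout=$t: cached credentials never expire"; n=$((n+1))
    elif [ "$t" -gt 5 ]; then
        echo "timestamp_timeout=$t: longer than the 5 minutes assumed here"; n=$((n+1))
    fi
    for inc in $(sudoers_active "$f" | awk '/^[[:space:]]*[#@]includedir/ { print $2 }'); do
        [ "$inc" = /etc/sudoers.d ] || { echo "includedir outside /etc/sudoers.d: $inc"; n=$((n+1)); }
    done
    [ "$n" -eq 0 ]
}

# Constructed sample: a weak file the lint must reject.
write_weak_sudoers() {
    cat > "$1" <<'EOF'
# weak example
Defaults timestamp_timeout=-1
Defaults !authenticate
%wheel ALL=(ALL) NOPASSWD: ALL
#includedir /etc/sudoers.d
#includedir /opt/sudoers.d
EOF
}

# Constructed sample: /etc/sudoers as the notes above want it.
write_hardened_sudoers() {
    cat > "$1" <<'EOF'
Defaults use_pty
Defaults logfile=/var/log/sudo.log
Defaults timestamp_timeout=5
root   ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) ALL
@includedir /etc/sudoers.d
EOF
}

# Syntax-check a staged file with visudo, then install it as the drop-in (root).
install_dropin() {
    visudo -cf "$1" || return 1
    install -o root -g root -m 0440 "$1" /etc/sudoers.d/90-hardening
}

# usage: ./sudoers-lint.sh /etc/sudoers
if [ $# -eq 1 ]; then
    audit_sudoers "$1" && echo "clean: $1"
fi
```

The lint only looks at one file; run it over /etc/sudoers and every file in /etc/sudoers.d, since a NOPASSWD rule in a drop-in is just as effective as one in the main file.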

 

PAM

Running authconfig or system-config-authentication re-writes the PAM configuration files with defaults; on Fedora both are replaced by authselect, which likewise overwrites /etc/pam.d/system-auth and /etc/pam.d/password-auth on apply-changes

pam_faillock: /usr/share/doc/pam-VERSION/txts/README.pam_faillock

settings live in /etc/security/faillock.conf; the module is referenced from /etc/pam.d/system-auth and /etc/pam.d/password-auth

grep -r pam_faillock /etc

use authselect to enable faillock: authselect select minimal with-faillock

 

/etc/login.defs

ENCRYPT_METHOD YESCRYPT

/etc/pam.d/password-auth

## before: password    sufficient    pam_unix.so sha512 other arguments...
password    sufficient   pam_unix.so yescrypt shadow use_authtok

/etc/pam.d/system-auth

password    sufficient    pam_unix.so yescrypt shadow use_authtok

(nullok dropped, matching without-nullok above; on Fedora these two files are generated by authselect, so make the change through authselect select ... or a custom profile from authselect create-profile, otherwise the next apply-changes reverts it)
 
 

 

account expiry

sudo chage -I NUM_DAYS USER   (lock the account NUM_DAYS after its password expires; -E sets a fixed expiry date)

duplicate user names (uniq -d needs sorted input):
getent passwd | awk -F: '{ print $1 }' | sort | uniq -d

All GIDs referenced in /etc/passwd must be defined in /etc/group

If a user is assigned the Group Identifier (GID) of a group that does not exist on the system, and a group with that GID is subsequently created, the user may have unintended rights to any files associated with the group.

 

Prevent Login to Accounts With Empty Password

authselect select minimal with-faillock without-nullok

ensure no blank passwords (empty second field in /etc/shadow):

awk -F: '!$2 {print $1}' /etc/shadow

only root has UID 0; system accounts use UIDs 1-999 (below UID_MIN from /etc/login.defs); regular users get UID >= 1000

lock any other UID 0 account:
awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs --no-run-if-empty --max-lines=1 passwd -l

 

Verify Root Has A Primary GID 0 (fourth field of root's /etc/passwd entry)

To help ensure that root-owned files are not inadvertently exposed to other users.

/etc/pam.d/su

auth required pam_wheel.so use_uid   (only members of wheel may su)

 

Ensure All Accounts on the System Have Unique User IDs

Ensure All Groups on the System Have Unique Group ID 

Ensure All Groups on the System Have Unique Group Names

 

Ensure that Root's Path Does Not Include World or Group-Writable Directories

/etc/sudoers

if secure_path lists such a directory (here /var/lib/snapd/snap/bin), delete it from secure_path; check each directory in root's PATH for group/world write permission
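Added example, not part of the original notes: the account and group checks from "account expiry" through the root PATH check above, written as functions that take the passwd/shadow/group files and the PATH string as arguments so they can be exercised on constructed sample data before being pointed at /etc. The sample accounts and the directory layout used for the PATH check are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original notes.  All sample data below is
# constructed; the functions default to the live /etc files when run via
# report_accounts with no argument.

# Users whose shadow password field is empty (no password needed to log in).
empty_passwords() {               # $1 = shadow file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Values of field N that occur more than once (N=1 names, N=3 uid or gid).
dup_field() {                     # $1 = file, $2 = field number
    awk -F: -v n="$2" '{ print $n }' "$1" | sort | uniq -d
}

# Accounts other than root with UID 0.
extra_uid0() {                    # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Primary GIDs in passwd that no group defines, printed as user:gid.
missing_gids() {                  # $1 = passwd file, $2 = group file
    awk -F: 'NR == FNR { g[$3] = 1; next } !($4 in g) { print $1 ":" $4 }' "$2" "$1"
}

# True when root's primary group (field 4) is 0.
root_gid_ok() {                   # $1 = passwd file
    [ "$(awk -F: '$1 == "root" { print $4 }' "$1")" = 0 ]
}

# Directories of a PATH-style string that are group- or world-writable.
writable_path_dirs() {            # $1 = "dir1:dir2:..."
    ( IFS=:
      for dir in $1; do
          [ -d "$dir" ] && find "$dir" -maxdepth 0 -perm /022
      done
      true )
}

# Constructed sample files, one instance of each problem.
write_sample_accounts() {         # $1 = directory to write into
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1000:1001::/home/bob:/bin/bash
toor:x:0:0::/root:/bin/bash
carol:x:1002:4242::/home/carol:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:!:19700:0:99999:7:::
bin:*:19700:0:99999:7:::
alice::19700:0:99999:7:::
bob:!:19700:0:99999:7:::
toor:!:19700:0:99999:7:::
carol:!:19700:0:99999:7:::
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
bin:x:1:
wheel:x:10:alice
wheel:x:11:
alice:x:1000:
bob:x:1001:
EOF
}

# Every check against one set of files (default /etc) and one PATH string
# (default the caller's; run as root to check root's PATH).
report_accounts() {               # $1 = directory with passwd/shadow/group, $2 = PATH
    dir=${1:-/etc}
    echo "empty passwords:  $(empty_passwords "$dir/shadow" | tr '\n' ' ')"
    echo "duplicate UIDs:   $(dup_field "$dir/passwd" 3 | tr '\n' ' ')"
    echo "duplicate users:  $(dup_field "$dir/passwd" 1 | tr '\n' ' ')"
    echo "duplicate GIDs:   $(dup_field "$dir/group" 3 | tr '\n' ' ')"
    echo "duplicate groups: $(dup_field "$dir/group" 1 | tr '\n' ' ')"
    echo "extra UID 0:      $(extra_uid0 "$dir/passwd" | tr '\n' ' ')"
    echo "undefined GIDs:   $(missing_gids "$dir/passwd" "$dir/group" | tr '\n' ' ')"
    root_gid_ok "$dir/passwd" || echo "root primary GID is not 0"
    echo "writable PATH dirs: $(writable_path_dirs "${2:-$PATH}" | tr '\n' ' ')"
}

# usage (root): ./account-checks.sh
if [ $# -eq 0 ] && [ -t 1 ]; then
    report_accounts
fi
```

On the sample data the report lists alice (empty password), UIDs 0 and 1000 twice, the group name wheel twice, toor as a second UID 0 account and carol:4242 as a GID with no group. Fix order matters: lock or remove the extra UID 0 account first, then the empty password, then the duplicates; creating a group 4242 "to fix" carol's entry is exactly the case the note about GIDs warns against.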

 

.bashrc (shell builtin, lowercase)

umask 027

 

/etc/login.defs

UMASK 027

 

/etc/profile

umask 027

 

/etc/profile

declare -xr TMOUT=900

 

User Initialization Files Must Not Run World-Writable Programs

sudo chmod o-w FILE   (for each program referenced from ~/.bashrc, ~/.profile etc. that is world-writable)

All Interactive User Home Directories Must Be Group-Owned By The Primary Group

sudo chgrp USER_GROUP /home/USER
sudo chown USER /home/USER

sudo chmod 0750 /home/USER
 
 
auditd
augenrules reads /etc/audit/rules.d/*.rules and compiles them into /etc/audit/audit.rules
auditctl -R reads /etc/audit/audit.rules directly
/usr/lib/systemd/system/auditd.service loads the rules with one of:
ExecStartPost=-/sbin/augenrules --load
or
ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
(with augenrules, edit the files under rules.d; audit.rules is regenerated on every load)

sudo service auditd restart   (auditd refuses systemctl stop/restart; the service script is the supported way)

 

/etc/audit/audit.rules

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

on x86_64 add an arch=b64 rule for each syscall as well, otherwise 64-bit callers are not audited; the per-syscall form below is equivalent to the combined -S lists above
 
/etc/audit/rules.d/
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
  

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
 
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
 
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
 
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
 
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
 
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
 
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
 
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
 
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
 
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
 
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
 
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
 
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

ARCH below is a placeholder: write one rule with arch=b32 and, on x86_64, one with arch=b64

-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete

or one syscall per rule, same effect:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
 
Record Unauthorized Access Attempts Events to Files (one rule per errno; add the arch=b64 pair on x86_64)
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

kernel module loading and unloading (no auid filter: root does this)
-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules

login records
-w /var/log/tallylog -p wa -k logins   (pam_tally2; only relevant if that module is still in use)
-w /var/run/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins
  
 
real (non-pseudo) filesystems mounted without noexec or nosuid:
findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid"

setuid/setgid programs to audit; typical result on Fedora:
sudo find / -xdev -perm /6000 -type f 2>/dev/null
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/libexec/utempter/utempter
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/bin/mount
/usr/bin/umount
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/write
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/sudo 
one rule per program found, with PROG_PATH replaced by its path:
-a always,exit -F path=PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

 

-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

time changes
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=audit_time_rules
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-w /etc/localtime -p wa -k audit_time_rules
(a0=0x0 is CLOCK_REALTIME; add the arch=b64 clock_settime twin on x86_64; stime exists only as a 32-bit syscall)

make the loaded rules immutable until reboot; this must be the very last line of the rule set, after everything below:
-e 2
 
-w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy

-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export

-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session

-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions

privilege changes via execve (add the arch=b64 pair on x86_64):
$ sudo grep execve /etc/audit/audit.rules
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid

-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification

 

$ sudo auditctl -l | grep sudo.log
-w /var/log/sudo.log -p wa -k maintenance

/etc/audit/auditd.conf
max_log_file = STOREMB          (size of one log file in MB; at least 6)
max_log_file_action = ACTION    (what to do when that size is reached: ignore, syslog, suspend, rotate (default), keep_logs)
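Added example, not part of the original notes: generate the rule set above (perm_mod, delete, access, modules, one privileged rule per setuid/setgid program, the sudoers watches and the closing -e 2) for the host's architecture and write it as one augenrules fragment. The fragment name 10-hardening.rules and the arch mapping in host_arches are assumptions made here; the rule text itself is what the notes list.

```shell
#!/bin/sh
# Added example, not from the original notes.  Assumed: fragment name
# /etc/audit/rules.d/10-hardening.rules and the host_arches mapping (only
# x86_64 gets both b32 and b64 rules).

AUID='-F auid>=1000 -F auid!=unset'

# Which -F arch= values the running kernel needs rules for.
host_arches() {
    case "$(uname -m)" in
        x86_64)       echo "b32 b64" ;;
        i?86|armv7l)  echo "b32" ;;
        *)            echo "b64" ;;
    esac
}

# One rule per arch: syscall_rules KEY "b32 b64" "FILTER" call1 call2 ...
# FILTER is "$AUID" for user-triggered syscalls or "" for e.g. module loads.
syscall_rules() {
    key=$1; archlist=$2; filter=$3; shift 3
    calls=$(printf '%s,' "$@"); calls=${calls%,}
    for a in $archlist; do
        printf '%s always,exit -F arch=%s -S %s %s-F key=%s\n' \
            "-a" "$a" "$calls" "${filter:+$filter }" "$key"
    done
}

# Failed file access: one rule per arch and per errno (EACCES, EPERM).
access_rules() {                  # $1 = arch list
    for a in $1; do
        for err in EACCES EPERM; do
            printf '%s always,exit -F arch=%s -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-%s %s -F key=access\n' \
                "-a" "$a" "$err" "$AUID"
        done
    done
}

# The PROG_PATH rule for every setuid/setgid program under ROOT.
privileged_rules() {              # $1 = root to scan (default /)
    find "${1:-/}" -xdev -perm /6000 -type f 2>/dev/null | sort | while read -r p; do
        printf '%s always,exit -F path=%s -F perm=x %s -F key=privileged\n' "-a" "$p" "$AUID"
    done
}

# Assemble the fragment; -e 2 must stay the last line.
write_rules() {                   # $1 = output file, $2 = arch list, $3 = scan root
    archlist=${2:-$(host_arches)}
    {
        printf '%s\n' "## generated by write_rules: edit rules.d, audit.rules is regenerated"
        syscall_rules perm_mod "$archlist" "$AUID" chmod fchmod fchmodat chown fchown fchownat lchown \
            setxattr lsetxattr fsetxattr removexattr lremovexattr fremovexattr
        syscall_rules delete "$archlist" "$AUID" rmdir unlink unlinkat rename renameat
        access_rules "$archlist"
        syscall_rules modules "$archlist" "" init_module delete_module
        privileged_rules "${3:-/}"
        printf '%s\n' "-w /etc/sudoers -p wa -k actions"
        printf '%s\n' "-w /etc/sudoers.d/ -p wa -k actions"
        printf '%s\n' "-e 2"
    } > "$1"
}

# usage (root): ./gen-audit-rules.sh /etc/audit/rules.d/10-hardening.rules && augenrules --load
if [ $# -ge 1 ]; then
    write_rules "$1"
fi
```

Load with augenrules --load and confirm with auditctl -l; once the -e 2 line has been loaded, the kernel refuses further rule changes until the next reboot, so iterate on the fragment with -e 2 commented out and only enable it when the set is final.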
   
sudo systemctl enable auditd.service

audit from early boot: append to the kernel command line (kernelopts in grubenv on BLS-based Fedora releases that still use it; where grubenv has no kernelopts, edit the BLS entries with grubby instead)
grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"
grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit_backlog_limit=8192"
sudo chgrp root /boot/grub2/grub.cfg /boot/grub2/user.cfg
sudo chown root /boot/grub2/grub.cfg /boot/grub2/user.cfg
sudo chmod 600 /boot/grub2/grub.cfg /boot/grub2/user.cfg

grub2-setpassword

sudo systemctl enable systemd-journald.service
/etc/systemd/journald.conf (values are unquoted)
Compress=yes
Storage=persistent

if the remote-journal receiver socket exists and is not used, stop it:
systemctl -q list-unit-files --type socket | grep -q systemd-journal-remote.socket
systemctl stop systemd-journal-remote.socket
 
sudo dnf install firewalld
sudo systemctl enable firewalld.service

firewall-cmd --zone=public --list-all
firewall-cmd --get-services   (names of the predefined services; --list-services shows what the zone currently allows)
firewall-cmd --get-services --permanent
 
apply immediately (one -w per key below; not persistent):
sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
...

persist in /etc/sysctl.d/ (file name is arbitrary; load all fragments with sysctl --system):
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
kernel.kptr_restrict = 1
kernel.randomize_va_space = 2
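Added example, not part of the original notes: check the running kernel against the sysctl list above and write the same list as a sysctl.d fragment. The check takes the /proc/sys tree root as an argument, so it is tried here on a constructed copy; the fragment name 90-hardening.conf is a choice made for this example.

```shell
#!/bin/sh
# Added example, not from the original notes.  Assumed: fragment name
# /etc/sysctl.d/90-hardening.conf; sysctl_drift reads a /proc/sys-style
# tree whose root is passed in (default /proc/sys).

# Desired settings from the notes, "key value" per line.
hardening_sysctls() {
cat <<'EOF'
net.ipv6.conf.all.accept_redirects 0
net.ipv6.conf.all.accept_source_route 0
net.ipv6.conf.default.accept_redirects 0
net.ipv6.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.default.log_martians 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.conf.default.secure_redirects 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
fs.protected_hardlinks 1
fs.protected_symlinks 1
kernel.kptr_restrict 1
kernel.randomize_va_space 2
EOF
}

# Current value of KEY read from the tree (a.b.c -> ROOT/a/b/c); fails if absent.
sysctl_read() {                   # $1 = tree root, $2 = key
    f="$1/$(printf '%s' "$2" | tr . /)"
    [ -r "$f" ] && tr -d '\n' < "$f"
}

# Keys that are missing or differ from the desired value; silent when clean.
sysctl_drift() {                  # $1 = tree root (default /proc/sys)
    root=${1:-/proc/sys}
    hardening_sysctls | while read -r key want; do
        if have=$(sysctl_read "$root" "$key"); then
            [ "$have" = "$want" ] || printf '%s = %s (want %s)\n' "$key" "$have" "$want"
        else
            printf '%s: not present\n' "$key"
        fi
    done
}

# Persist the list as a sysctl.d fragment ("key = value" lines).
write_sysctl_conf() {             # $1 = output file
    hardening_sysctls | awk '{ print $1 " = " $2 }' > "$1"
}

# usage (root): ./sysctl-hardening.sh apply
if [ "$1" = apply ]; then
    write_sysctl_conf /etc/sysctl.d/90-hardening.conf
    sysctl --system >/dev/null   # loads every fragment, the new one included
    sysctl_drift                 # prints nothing once everything took effect
fi
```

A "not present" line usually means the key's module or subsystem is not loaded (IPv6 disabled, for instance); sysctl --system then logs an error for that key but still applies the rest, so the drift check after applying is the real confirmation.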
 
 
/etc/modprobe.d/block.conf
install dccp /bin/true
install sctp /bin/true  
install cramfs /bin/true  
install squashfs /bin/true
install udf /bin/true
 
 
sudo chgrp root /etc/group- /etc/gshadow- /etc/passwd- /etc/shadow- /etc/group /etc/gshadow /etc/passwd /etc/shadow
sudo chown root /etc/group- /etc/gshadow- /etc/passwd- /etc/shadow- /etc/group /etc/gshadow /etc/passwd /etc/shadow

sudo chmod 0644 /etc/group- /etc/passwd- /etc/group /etc/passwd
sudo chmod 0000 /etc/gshadow- /etc/shadow- /etc/gshadow /etc/shadow
 
Verify that All World-Writable Directories Have Sticky Bits Set

sudo chmod +t DIR

Ensure No World-Writable Files Exist

find / -xdev -type f -perm -002 -exec chmod o-w {} \;

 

files without an owning group or user, per local filesystem:
df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup
sudo find PARTITION -xdev -nogroup

df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nouser
sudo find PARTITION -xdev -nouser

getent passwd only lists domain users when the sssd.conf domain section has enumerate = true

filesystem modules available to the running kernel (candidates for the modprobe.d block list above; Fedora ships them compressed, hence *.ko*):
find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko*'

mount /home with nodev,nosuid (fstab options)


 
sudo dnf install libselinux
sudo dnf5 remove mcstrans

/etc/selinux/config
SELINUXTYPE=targeted
SELINUX=enforcing

cron and at: remove the deny lists and restrict with cron.allow / at.allow instead
sudo rm /etc/cron.deny
sudo rm /etc/at.deny

remove services that are not needed on the host:
sudo dnf5 remove dhcp nginx bind vsftpd httpd cyrus-imapd dovecot sendmail xinetd ypbind
dnf5 remove ypserv rsh-server rsh talk-server talk telnet-server telnet tftp-server tftp rsync
dnf5 remove samba net-snmp openssh-server   (openssh-server only where remote ssh access is not required)
 
sudo systemctl mask --now rpcbind.service
sudo systemctl mask --now nfs-server.service
 
/etc/chrony.conf
port 0      (do not serve NTP to clients)
cmdport 0   (disable the network command port; chronyc still works over the Unix socket)
add to each pool or server directive:
maxpoll 10

run chronyd as the chrony user:
echo 'OPTIONS="-u chrony"' >> /etc/sysconfig/chronyd
 
rest ssh config skipped  


OSCAP

package verification:
rpm -Va                            (non-empty output means something differs from the package)
rpm -Va --noconfig | grep '^..5'   (digest mismatch, config files excluded)
sudo dnf reinstall PACKAGENAME

to determine which package owns the file:
rpm -qf FILENAME

reinstall from a local rpm file:
sudo rpm -Uvh PACKAGE.rpm

files whose mode differs from the package, then reset the packaged permissions:
sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
sudo rpm --setperms PACKAGENAME

sudo dnf install aide
sudo /usr/sbin/aide --init
sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
sudo /usr/sbin/aide --check
/usr/share/doc/aide-VERSION
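Added example, not part of the original notes: triage rpm -Va output into the classes the commands above act on (digest change outside config files, mode change, owner change, missing file, edited config, noise). The sample verify lines are constructed; the column positions follow rpm's nine-character verify string S M 5 D L U G T P.

```shell
#!/bin/sh
# Added example, not from the original notes.  The sample rpm -Va lines are
# constructed; field positions: S M 5 D L U G T P, optional attribute column
# (c=config, d=doc, g=ghost, l=license, r=readme), then the path.

# Classify verify output from stdin: one "class path" line per input line.
rpm_verify_triage() {
    awk '
    $1 == "missing" { print "missing " $NF; next }
    {
        flags = $1
        attr  = (NF == 3) ? $2 : ""
        path  = $NF
        if (substr(flags, 3, 1) == "5" && attr != "c")
            print "digest " path      # content changed and it is not a config file
        else if (substr(flags, 2, 1) == "M")
            print "mode " path        # permissions or file type changed
        else if (substr(flags, 6, 1) == "U" || substr(flags, 7, 1) == "G")
            print "owner " path       # owner or group changed
        else if (attr == "c")
            print "config " path      # locally edited config: usually expected
        else
            print "other " path       # mtime/size only etc.
    }'
}

# Constructed sample of rpm -Va output.
sample_rpm_verify() {
cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/bin/ls
.M.......    /usr/bin/passwd
.....UG..    /var/log/sudo.log
missing      /usr/share/man/man8/useradd.8.gz
.......T.    /usr/share/doc/bash/README
EOF
}

# Map findings to the package-level actions from the notes (needs rpm):
# "reinstall PKG" for digest changes, "setperms PKG" for mode changes.
rpm_verify_actions() {
    rpm_verify_triage | while read -r class path; do
        case "$class" in
            digest) printf 'reinstall %s\n' "$(rpm -qf "$path")" ;;
            mode)   printf 'setperms %s\n'  "$(rpm -qf "$path")" ;;
        esac
    done | sort -u
}

# usage (root): ./rpm-triage.sh live        (runs rpm -Va on this host)
if [ "$1" = live ] && command -v rpm >/dev/null 2>&1; then
    rpm -Va | rpm_verify_actions
fi
```

A digest change on a binary like /usr/bin/ls is the case that matters: reinstalling restores the file, but the package database itself can be tampered with, so compare against a known-good AIDE database or a fresh copy of the package rather than trusting rpm alone on a suspect host.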
 
sudo dnf install libreswan
The Libreswan package provides an implementation of IPsec
and IKE, which permits the creation of secure tunnels over
untrusted networks
Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.
 
 
 
  
   

 

https://fossies.org/linux/Linux-PAM-docs/doc/sag/Linux-PAM_SAG.pdf 

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-user-authentication-using-authselect_configuring-authentication-and-authorization-in-rhel

https://www.nist.gov/

https://www.open-scap.org/getting-started/

https://static.open-scap.org/ssg-guides/ssg-fedora-guide-index.html

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/index#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages

 
