sudo lynis audit system
Consider explicitly disabling core dumps in /etc/security/limits.conf:
* hard core 0
* soft core 0
Configure password hashing rounds in /etc/login.defs
When possible set expire dates for all password protected accounts
Configure minimum password age in /etc/login.defs
Configure maximum password age in /etc/login.defs
Default umask in /etc/login.defs could be more strict like 027
To decrease the impact of a full /var file system, place /var on a separate partition
Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft
Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft
Check DNS configuration for the dns domain name
Add the IP name and FQDN to /etc/hosts for proper name resolving
Consider using a tool to automatically apply upgrades
Determine if the protocols 'dccp', 'sctp', 'rds' and 'tipc' are really needed on this system
Enable logging to an external logging host for archiving purposes and additional protection
Add a legal banner to /etc/issue and /etc/issue.net to warn unauthorized users
Enable process accounting
Enable sysstat to collect accounting (no results)
Use NTP daemon or NTP client to prevent time issues
Determine if automation tools are present for system management
Double check the permissions of home directories, as some might not be strict enough.
One or more sysctl values differ from the scan profile and could be tweaked
- Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
Harden compilers like restricting access to root user only
Harden the system by installing at least one malware scanner, to perform periodic file system scans
- dev.tty.ldisc_autoload (exp: 0) [ DIFFERENT ]
- fs.protected_fifos (exp: 2) [ DIFFERENT ]
- fs.protected_hardlinks (exp: 1) [ OK ]
- fs.protected_regular (exp: 2) [ DIFFERENT ]
- fs.protected_symlinks (exp: 1) [ OK ]
- fs.suid_dumpable (exp: 0) [ DIFFERENT ]
- kernel.core_uses_pid (exp: 1) [ OK ]
- kernel.ctrl-alt-del (exp: 0) [ OK ]
- kernel.dmesg_restrict (exp: 1) [ DIFFERENT ]
- kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
- kernel.modules_disabled (exp: 1) [ DIFFERENT ]
- kernel.perf_event_paranoid (exp: 3) [ DIFFERENT ]
- kernel.randomize_va_space (exp: 2) [ OK ]
- kernel.sysrq (exp: 0) [ DIFFERENT ]
- kernel.unprivileged_bpf_disabled (exp: 1) [ DIFFERENT ]
- kernel.yama.ptrace_scope (exp: 1 2 3) [ DIFFERENT ]
- net.core.bpf_jit_harden (exp: 2) [ DIFFERENT ]
- net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ]
- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
- net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
- HW RNG & rngd [ NO ]
- SW prng [ NO ]
- MOR-bit set [ NO ]
- Checking for a running NTP daemon or client [ WARNING ]
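The sysctl section of the audit above compares each key against one or more allowed values (for example kernel.yama.ptrace_scope accepts 1, 2 or 3). The script below is an added example, not lynis code and not from these notes: it reproduces that comparison for a handful of the keys listed and renders a sysctl.d drop-in for the ones that differ. The "current" values come from a constructed snapshot so it runs offline; replace the grep in current_value with `sysctl -n "$1"` to audit the running kernel.

```shell
#!/bin/sh
# Added example (not lynis code, not from the notes above): reproduces the KRNL-6000
# style check for some of the sysctl keys listed above and renders the fix. Values come
# from a constructed snapshot so it runs offline; use `sysctl -n "$1"` for a live audit.

# Expected values as listed in the audit output above (key:allowed values).
EXPECTED='fs.protected_fifos:2
fs.suid_dumpable:0
kernel.dmesg_restrict:1
kernel.modules_disabled:1
kernel.yama.ptrace_scope:1 2 3
net.ipv4.tcp_timestamps:0 1'

# Constructed snapshot of a mostly-default kernel (assumed values, not from the page).
SNAPSHOT='fs.protected_fifos=0
fs.suid_dumpable=0
kernel.dmesg_restrict=0
kernel.modules_disabled=0
kernel.yama.ptrace_scope=0
net.ipv4.tcp_timestamps=1'

current_value() {  # current_value KEY: print the snapshot value of KEY (empty if absent)
    printf '%s\n' "$SNAPSHOT" | grep "^$1=" | cut -d= -f2
}
# compare_value ACTUAL ALLOWED...: OK when ACTUAL is one of ALLOWED, else DIFFERENT.
compare_value() {
    actual=$1; shift
    for v in "$@"; do if [ "$actual" = "$v" ]; then echo OK; return 0; fi; done
    echo DIFFERENT
}
# audit_sysctl: print one lynis-style line per key.
audit_sysctl() {
    while IFS=: read -r key allowed; do
        state=$(compare_value "$(current_value "$key")" $allowed)  # $allowed split on purpose
        printf '%s (exp: %s) [ %s ]\n' "- $key" "$allowed" "$state"
    done <<EOF
$EXPECTED
EOF
}
# render_sysctl_conf: sysctl.d drop-in that sets each DIFFERENT key to its first allowed
# value. Review before installing: kernel.modules_disabled=1 cannot be undone until reboot.
render_sysctl_conf() {
    while IFS=: read -r key allowed; do
        if [ "$(compare_value "$(current_value "$key")" $allowed)" = DIFFERENT ]; then
            echo "$key = ${allowed%% *}"
        fi
    done <<EOF
$EXPECTED
EOF
}
```

Run `audit_sysctl` to see the report and `render_sysctl_conf > /etc/sysctl.d/99-hardening.conf` (path is an assumption) followed by `sysctl --system` to apply it.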
sudo update-crypto-policies --show
DEFAULT, LEGACY, FUTURE, FIPS
fips-mode-setup --enable
update-crypto-policies --set DEFAULT:NO-SHA1
dnf install systemd-resolved
ln -sf ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
nano /etc/systemd/resolved.conf.d/dnssec.conf
[Resolve]
DNSSEC=true
DNS=1.1.1.1
FallbackDNS=9.9.9.9
DNSOverTLS=yes
resolvectl query badsig.go.dnscheck.tools
resolvectl query go.dnscheck.tools
Remove the resolv line from iwd/main.conf, otherwise it will create a new DNS entry 192.xx
https://wiki.archlinux.org/title/Systemd-resolved