diff --git a/README.md b/README.md index 13f184b..aa9c6d5 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@

- Master

@@ -106,13 +106,13 @@ I'm not advocating throwing your existing hardening and deployment best practice All items in this checklist contains three levels of priority: -* low means that the item has a **low** priority. -* medium means that the item has a **medium** priority. You shouldn't avoid tackling that item. -* high means that the item has a **high** priority. You can't avoid following that rule and implement the corrections recommended. +* low means that the item has a **low** priority. +* medium means that the item has a **medium** priority. You shouldn't avoid tackling that item. +* high means that the item has a **high** priority. You can't avoid following that rule and implement the corrections recommended. ## OpenSCAP -OpenSCAP +OpenSCAP

SCAP (Security Content Automation Protocol) provides a mechanism to check configurations, vulnerability management and evaluate policy compliance for a variety of systems. One of the most popular implementations of SCAP is OpenSCAP and it is very helpful for vulnerability assessment and also as hardening helper. @@ -124,21 +124,21 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Separate partitions -- low Ensure `/boot` located on separate partition. +- low Ensure `/boot` located on separate partition. -- low Ensure `/home` located on separate partition. +- low Ensure `/home` located on separate partition. -- low Ensure `/usr` located on separate partition. +- low Ensure `/usr` located on separate partition. -- medium Ensure `/var` located on separate partition. +- medium Ensure `/var` located on separate partition. -- high Ensure `/var/log` and `/var/log/audit` located on separate partitions. +- high Ensure `/var/log` and `/var/log/audit` located on separate partitions. -- high Ensure `/tmp` and `/var/tmp` located on separate partitions. +- high Ensure `/tmp` and `/var/tmp` located on separate partitions. ## Restrict mount options -- low Restrict `/usr` partition mount options. +- low Restrict `/usr` partition mount options. **Example:** @@ -146,7 +146,7 @@ Some of the external audit tools use this standard. For example Nessus has funct UUID=<...> /usr ext4 defaults,nodev,ro 0 2 ``` -- low Restrict `/var` partition mount options. +- low Restrict `/var` partition mount options. **Example:** @@ -154,7 +154,7 @@ Some of the external audit tools use this standard. For example Nessus has funct UUID=<...> /var ext4 defaults,nosuid 0 2 ``` -- low Restrict `/var/log` and `/var/log/audit` partitions mount options. +- low Restrict `/var/log` and `/var/log/audit` partitions mount options. **Example:** 
@@ -163,7 +163,7 @@ Some of the external audit tools use this standard. For example Nessus has funct UUID=<...> /var/log/audit ext4 defaults,nosuid,noexec,nodev 0 2 ``` -- low Restrict `/proc` partition mount options. +- low Restrict `/proc` partition mount options. **Example:** @@ -171,7 +171,7 @@ Some of the external audit tools use this standard. For example Nessus has funct proc /proc proc defaults,hidepid=2 0 0 ``` -- medium Restrict `/boot` partition mount options. +- medium Restrict `/boot` partition mount options. **Example:** @@ -179,7 +179,7 @@ Some of the external audit tools use this standard. For example Nessus has funct LABEL=/boot /boot ext2 defaults,nodev,nosuid,noexec,ro 1 2 ``` -- medium Restrict `/home` partition mount options. +- medium Restrict `/home` partition mount options. **Example:** @@ -187,7 +187,7 @@ Some of the external audit tools use this standard. For example Nessus has funct UUID=<...> /home ext4 defaults,nodev,nosuid 0 2 ``` -- medium Restrict `/var` and `/var/tmp` partitions mount options. +- medium Restrict `/var` and `/var/tmp` partitions mount options. **Example:** @@ -199,7 +199,7 @@ Some of the external audit tools use this standard. For example Nessus has funct UUID=<...> /tmp ext4 defaults,nodev,nosuid,noexec 0 2 ``` -- medium Restrict `/dev/shm` partition mount options. +- medium Restrict `/dev/shm` partition mount options. **Example:** @@ -209,7 +209,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Polyinstantiated directories -- medium Setting up polyinstantiated `/var` and `/var/tmp` directories. +- medium Setting up polyinstantiated `/var` and `/var/tmp` directories. **Example:** @@ -230,7 +230,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Shared memory -- low Set group for `/dev/shm`. +- low Set group for `/dev/shm`. **Example:** 
@@ -240,7 +240,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Encrypt partitions -- low Encrypt `swap` partition. +- low Encrypt `swap` partition. **Example:** 
@@ -256,33 +256,33 @@ Some of the external audit tools use this standard. For example Nessus has funct | Rule | Priority | Checkbox | | :--- | :---: | :---: | -| Separate `/boot` | low | :black_square_button: | -| Separate `/home` | low | :black_square_button: | -| Separate `/usr` | low | :black_square_button: | -| Separate `/var` | medium | :black_square_button: | -| Separate `/var/log` and `/var/log/audit` | high | :black_square_button: | -| Separate `/tmp` and `/var/tmp` | high | :black_square_button: | +| Separate `/boot` | low | :black_square_button: | +| Separate `/home` | low | :black_square_button: | +| Separate `/usr` | low | :black_square_button: | +| Separate `/var` | medium | :black_square_button: | +| Separate `/var/log` and `/var/log/audit` | high | :black_square_button: | +| Separate `/tmp` and `/var/tmp` | high | :black_square_button: | | | | | -| Restrict `/usr` mount options | low | :black_square_button: | -| Restrict `/var` mount options | low | :black_square_button: | -| Restrict `/var/log` and `/var/log/audit` mount options | low | :black_square_button: | -| Restrict `/proc` mount options | low | :black_square_button: | -| Restrict `/boot` mount options | medium | :black_square_button: | -| Restrict `/home` mount options | medium | :black_square_button: | -| Restrict `/tmp/` and `/var/tmp` mount options | medium | :black_square_button: | -| Restrict `/dev/shm` mount options | medium | :black_square_button: | +| Restrict `/usr` mount options | low | :black_square_button: | +| Restrict `/var` mount options | low | :black_square_button: | +| Restrict `/var/log` and `/var/log/audit` mount options | low | :black_square_button: | +| Restrict `/proc` mount options | low | :black_square_button: | +| Restrict `/boot` mount options | medium | :black_square_button: | +| Restrict `/home` mount options | medium | :black_square_button: | +| Restrict `/tmp/` and `/var/tmp` mount options | medium | :black_square_button: | +| Restrict `/dev/shm` mount options | 
medium | :black_square_button: | | | | | -| Polyinstantiated `/tmp` and `/var/tmp` | medium | :black_square_button: | +| Polyinstantiated `/tmp` and `/var/tmp` | medium | :black_square_button: | | | | | -| Set group for `/dev/shm` | low | :black_square_button: | +| Set group for `/dev/shm` | low | :black_square_button: | | | | | -| Encrypt `swap` | low | :black_square_button: | +| Encrypt `swap` | low | :black_square_button: | # Physical Access ## Password for Single User Mode -- low Protect Single User Mode with root password. +- low Protect Single User Mode with root password. **Example:** @@ -295,13 +295,13 @@ Some of the external audit tools use this standard. For example Nessus has funct | Rule | Priority | Checkbox | | :--- | :---: | :---: | -| Protect Single User Mode. | low | :black_square_button: | +| Protect Single User Mode. | low | :black_square_button: | # Bootloader ## Protect bootloader config files -- low Ensure bootloader config files are set properly permissions. +- low Ensure bootloader config files are set properly permissions. **Example:** @@ -319,13 +319,13 @@ Some of the external audit tools use this standard. For example Nessus has funct | Rule | Priority | Checkbox | | :--- | :---: | :---: | -| Protect bootloader config files | low | :black_square_button: | +| Protect bootloader config files | low | :black_square_button: | # Linux Kernel ## Kernel logs -- low Restricting access to kernel logs. +- low Restricting access to kernel logs. **Example:** @@ -335,7 +335,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Kernel pointers -- low Restricting access to kernel pointers. +- low Restricting access to kernel pointers. **Example:** @@ -345,7 +345,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## ExecShield -- low ExecShield protection. +- low ExecShield protection. **Example:** 
@@ -355,7 +355,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Memory protections -- low Randomise memory space. +- low Randomise memory space. ```bash echo "kernel.randomize_va_space=2" > /etc/sysctl.d/50-rand-va-space.conf @@ -365,16 +365,16 @@ Some of the external audit tools use this standard. For example Nessus has funct | Rule | Priority | Checkbox | | :--- | :---: | :---: | -| Restricting access to kernel logs | low | :black_square_button: | -| Restricting access to kernel pointers | low | :black_square_button: | -| ExecShield protection | low | :black_square_button: | -| Randomise memory space. | low | :black_square_button: | +| Restricting access to kernel logs | low | :black_square_button: | +| Restricting access to kernel pointers | low | :black_square_button: | +| ExecShield protection | low | :black_square_button: | +| Randomise memory space. | low | :black_square_button: | # Logging ## Syslog -- medium Ensure syslog service is enabled and running. +- medium Ensure syslog service is enabled and running. **Example:** @@ -383,7 +383,7 @@ Some of the external audit tools use this standard. For example Nessus has funct systemctl start rsyslog ``` -- medium Send syslog data to external server. +- medium Send syslog data to external server. **Example:** @@ -398,14 +398,14 @@ Some of the external audit tools use this standard. For example Nessus has funct | Rule | Priority | Checkbox | | :--- | :---: | :---: | -| Ensure syslog service is enabled and running. | medium | :black_square_button: | -| Ensure syslog service is enabled and running. | medium | :black_square_button: | +| Ensure syslog service is enabled and running. | medium | :black_square_button: | +| Ensure syslog service is enabled and running. | medium | :black_square_button: | # Users and Groups ## Passwords -- medium Update password policy (PAM). +- medium Update password policy (PAM). **Example:** 
@@ -422,7 +422,7 @@ Some of the external audit tools use this standard. For example Nessus has funct --update ``` -- medium Limit password reuse (PAM). +- medium Limit password reuse (PAM). **Example:** @@ -436,7 +436,7 @@ Some of the external audit tools use this standard. For example Nessus has funct password requisite pam_pwhistory.so ... remember=5 ``` -- medium Secure `/etc/login.defs` password policy. +- medium Secure `/etc/login.defs` password policy. **Example:** @@ -450,7 +450,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Logon Access -- low Set auto logout inactive users. +- low Set auto logout inactive users. **Example:** @@ -460,7 +460,7 @@ Some of the external audit tools use this standard. For example Nessus has funct chmod +x /etc/profile.d/idle-users.sh ``` -- low Set last logon/access notification. +- low Set last logon/access notification. **Example:** @@ -469,7 +469,7 @@ Some of the external audit tools use this standard. For example Nessus has funct session required pam_lastlog.so showfailed ``` -- medium Lock out accounts after a number of incorrect login (PAM). +- medium Lock out accounts after a number of incorrect login (PAM). **Example:** 
@@ -490,19 +490,19 @@ Some of the external audit tools use this standard. For example Nessus has funct | Rule | Priority | Checkbox | | :--- | :---: | :---: | -| Update password policy | medium | :black_square_button: | -| Limit password reuse | medium | :black_square_button: | -| Secure `/etc/login.defs` password policy | medium | :black_square_button: | +| Update password policy | medium | :black_square_button: | +| Limit password reuse | medium | :black_square_button: | +| Secure `/etc/login.defs` password policy | medium | :black_square_button: | | | | | -| Set auto logout inactive users. | low | :black_square_button: | -| Set last logon/access notification | low | :black_square_button: | -| Lock out accounts after a number of incorrect login | medium | :black_square_button: | +| Set auto logout inactive users. | low | :black_square_button: | +| Set last logon/access notification | low | :black_square_button: | +| Lock out accounts after a number of incorrect login | medium | :black_square_button: | # Filesystem ## Hardlinks & Symlinks -- low Enable hard/soft link protection. +- low Enable hard/soft link protection. **Example:** @@ -513,7 +513,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Dynamic Mounting and Unmounting -- medium Disable uncommon filesystems. +- medium Disable uncommon filesystems. **Example:** @@ -536,8 +536,8 @@ Some of the external audit tools use this standard. For example Nessus has funct | Rule | Priority | Checkbox | | :--- | :---: | :---: | -| Enable hard/soft link protection. | low | :black_square_button: | -| Disable uncommon filesystems. | medium | :black_square_button: | +| Enable hard/soft link protection. | low | :black_square_button: | +| Disable uncommon filesystems. | medium | :black_square_button: | # Permissions 
@@ -545,7 +545,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## SELinux Enforcing -- high Set SELinux Enforcing mode. +- high Set SELinux Enforcing mode. **Example:** @@ -558,7 +558,7 @@ Some of the external audit tools use this standard. For example Nessus has funct | Rule | Priority | Checkbox | | :--- | :---: | :---: | -| Set SELinux Enforcing mode. | high | :black_square_button: | +| Set SELinux Enforcing mode. | high | :black_square_button: | # System Updates @@ -566,7 +566,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## TCP/SYN -- medium Enable TCP SYN Cookie protection. +- medium Enable TCP SYN Cookie protection. **Example:** @@ -576,7 +576,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Routing -- medium Disable IP source routing. +- medium Disable IP source routing. **Example:** @@ -586,7 +586,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## ICMP Protocol -- medium Disable ICMP redirect acceptance. +- medium Disable ICMP redirect acceptance. **Example:** @@ -594,7 +594,7 @@ Some of the external audit tools use this standard. For example Nessus has funct echo "net.ipv4.conf.all.accept_redirects = 0" > /etc/sysctl.d/50-net-stack.conf ``` -- medium Enable ignoring to ICMP requests. +- medium Enable ignoring to ICMP requests. **Example:** @@ -604,7 +604,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Broadcast -- medium Enable ignoring broadcasts request. +- medium Enable ignoring broadcasts request. **Example:** 
@@ -616,14 +616,14 @@ Some of the external audit tools use this standard. For example Nessus has funct | Rule | Priority | Checkbox | | :--- | :---: | :---: | -| Enable TCP SYN Cookie protection. | medium | :black_square_button: | +| Enable TCP SYN Cookie protection. | medium | :black_square_button: | | | | | -| Disable IP source routing. | medium | :black_square_button: | +| Disable IP source routing. | medium | :black_square_button: | | | | | -| Disable ICMP redirect acceptance. | medium | :black_square_button: | -| Enable ignoring to ICMP requests. | medium | :black_square_button: | +| Disable ICMP redirect acceptance. | medium | :black_square_button: | +| Enable ignoring to ICMP requests. | medium | :black_square_button: | | | | | -| Enable ignoring broadcasts request. | medium | :black_square_button: | +| Enable ignoring broadcasts request. | medium | :black_square_button: | # Services diff --git a/doc/img/high.png b/static/img/high.png similarity index 100% rename from doc/img/high.png rename to static/img/high.png diff --git a/doc/img/linux-hardening-checklist_preview.png b/static/img/linux-hardening-checklist_preview.png similarity index 100% rename from doc/img/linux-hardening-checklist_preview.png rename to static/img/linux-hardening-checklist_preview.png diff --git a/doc/img/low.png b/static/img/low.png similarity index 100% rename from doc/img/low.png rename to static/img/low.png diff --git a/doc/img/medium.png b/static/img/medium.png similarity index 100% rename from doc/img/medium.png rename to static/img/medium.png diff --git a/doc/img/openscap_logo.png b/static/img/openscap_logo.png similarity index 100% rename from doc/img/openscap_logo.png rename to static/img/openscap_logo.png
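Review bot: every README hunk in this patch shows identical text on its `-` and `+` lines, so the actual change is invisible in the rendered diff; read together with the five `rename from doc/img/... rename to static/img/...` entries at the end, this looks like a pure image-path update (the priority badges and the OpenSCAP logo repointed from `doc/img` to `static/img`), but the patch carries no description saying so. Add a commit message or PR description that states exactly that, and confirm that no rendered checklist text changed.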
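Review bot: grammar in the `Separate partitions` hunk (`@@ -124,21 +124,21 @@`): every item reads `Ensure /boot located on separate partition`, which drops the verb and article. Since these six lines are being rewritten anyway, make them `Ensure /boot is located on a separate partition` (and `... are located on separate partitions` for the two paired items).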
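Review bot: the rule title in hunk `@@ -187,7 +187,7 @@` reads `Restrict /var and /var/tmp partitions mount options`, but the fstab example that follows it (`UUID=<...> /tmp ext4 defaults,nodev,nosuid,noexec 0 2`, hunk `@@ -199,7`) and the summary-table row (`Restrict /tmp/ and /var/tmp mount options`, hunk `@@ -256,33`) both refer to `/tmp`, and `/var` already has its own rule at `@@ -154,7`. Change the title to `/tmp` and `/var/tmp` so the rule, the example and the table agree, and drop the stray trailing slash in the table's `/tmp/` while touching that row.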
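Review bot: the same mismatch exists in hunk `@@ -209,7 +209,7 @@`: the rule says `Setting up polyinstantiated /var and /var/tmp directories`, while the summary-table row in `@@ -256,33` says `Polyinstantiated /tmp and /var/tmp`. Everywhere else in the checklist (`Separate /tmp and /var/tmp`, `Restrict /tmp/ and /var/tmp mount options`) the pair is `/tmp` and `/var/tmp`, so the table is the consistent one; fix the rule title to `/tmp` and `/var/tmp`.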
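Review bot: hunk `@@ -295,13 +295,13 @@` rewrites `Ensure bootloader config files are set properly permissions`, which is ungrammatical; suggest `Ensure bootloader config files have proper permissions set` for both the rule line and the matching `Protect bootloader config files` table row in `@@ -319,13`.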
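Review bot: the Logging summary hunk (`@@ -398,14 +398,14 @@`) carries a copy-paste duplicate: both rewritten rows read `Ensure syslog service is enabled and running.`, but the section has two rules, the second being `Send syslog data to external server.` (hunk `@@ -383,7`). Since this hunk already touches both rows, rename the second one to `| Send syslog data to external server. | medium | :black_square_button: |`.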
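Review bot: hunk `@@ -469,7 +469,7 @@`: `Lock out accounts after a number of incorrect login` should be `... incorrect logins` (plural); the same wording is repeated in the summary row rewritten in `@@ -490,19`, so fix both while they are being touched.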
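Review bot: in hunk `@@ -594,7 +594,7 @@` the example writes with `>` to `/etc/sysctl.d/50-net-stack.conf`. That file name is generic to the whole network section rather than specific to this rule, so if the neighbouring rules (SYN cookies, source routing, ICMP ignore, broadcast ignore) write the same file the same way, each one silently overwrites the previous setting. Either append with `>>` to a shared file, or give each rule its own file as the `50-rand-va-space.conf` example in hunk `@@ -355,7` does. Also, `Enable ignoring to ICMP requests` in this hunk reads better as `Enable ignoring ICMP requests`.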
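Review bot: hunk `@@ -604,7 +604,7 @@`: `Enable ignoring broadcasts request` should be `Enable ignoring broadcast requests`; the summary row rewritten in `@@ -616,14` repeats the same phrase, so correct both.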