diff --git a/README.md b/README.md index 13f184b..aa9c6d5 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@
-
@@ -106,13 +106,13 @@ I'm not advocating throwing your existing hardening and deployment best practice All items in this checklist contains three levels of priority: -* means that the item has a **low** priority. -* means that the item has a **medium** priority. You shouldn't avoid tackling that item. -* means that the item has a **high** priority. You can't avoid following that rule and implement the corrections recommended. +* means that the item has a **low** priority. +* means that the item has a **medium** priority. You shouldn't avoid tackling that item. +* means that the item has a **high** priority. You can't avoid following that rule and implement the corrections recommended. ## OpenSCAP - +SCAP (Security Content Automation Protocol) provides a mechanism to check configurations, vulnerability management and evaluate policy compliance for a variety of systems. One of the most popular implementations of SCAP is OpenSCAP and it is very helpful for vulnerability assessment and also as hardening helper. @@ -124,21 +124,21 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Separate partitions -- Ensure `/boot` located on separate partition. +- Ensure `/boot` located on separate partition. -- Ensure `/home` located on separate partition. +- Ensure `/home` located on separate partition. -- Ensure `/usr` located on separate partition. +- Ensure `/usr` located on separate partition. -- Ensure `/var` located on separate partition. +- Ensure `/var` located on separate partition. -- Ensure `/var/log` and `/var/log/audit` located on separate partitions. +- Ensure `/var/log` and `/var/log/audit` located on separate partitions. -- Ensure `/tmp` and `/var/tmp` located on separate partitions. +- Ensure `/tmp` and `/var/tmp` located on separate partitions. ## Restrict mount options -- Restrict `/usr` partition mount options. +- Restrict `/usr` partition mount options. **Example:** 
@@ -146,7 +146,7 @@ Some of the external audit tools use this standard. For example Nessus has funct UUID=<...> /usr ext4 defaults,nodev,ro 0 2 ``` -- Restrict `/var` partition mount options. +- Restrict `/var` partition mount options. **Example:** @@ -154,7 +154,7 @@ Some of the external audit tools use this standard. For example Nessus has funct UUID=<...> /var ext4 defaults,nosuid 0 2 ``` -- Restrict `/var/log` and `/var/log/audit` partitions mount options. +- Restrict `/var/log` and `/var/log/audit` partitions mount options. **Example:** @@ -163,7 +163,7 @@ Some of the external audit tools use this standard. For example Nessus has funct UUID=<...> /var/log/audit ext4 defaults,nosuid,noexec,nodev 0 2 ``` -- Restrict `/proc` partition mount options. +- Restrict `/proc` partition mount options. **Example:** @@ -171,7 +171,7 @@ Some of the external audit tools use this standard. For example Nessus has funct proc /proc proc defaults,hidepid=2 0 0 ``` -- Restrict `/boot` partition mount options. +- Restrict `/boot` partition mount options. **Example:** @@ -179,7 +179,7 @@ Some of the external audit tools use this standard. For example Nessus has funct LABEL=/boot /boot ext2 defaults,nodev,nosuid,noexec,ro 1 2 ``` -- Restrict `/home` partition mount options. +- Restrict `/home` partition mount options. **Example:** @@ -187,7 +187,7 @@ Some of the external audit tools use this standard. For example Nessus has funct UUID=<...> /home ext4 defaults,nodev,nosuid 0 2 ``` -- Restrict `/var` and `/var/tmp` partitions mount options. +- Restrict `/var` and `/var/tmp` partitions mount options. **Example:** @@ -199,7 +199,7 @@ Some of the external audit tools use this standard. For example Nessus has funct UUID=<...> /tmp ext4 defaults,nodev,nosuid,noexec 0 2 ``` -- Restrict `/dev/shm` partition mount options. +- Restrict `/dev/shm` partition mount options. **Example:** 
@@ -209,7 +209,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Polyinstantiated directories -- Setting up polyinstantiated `/var` and `/var/tmp` directories. +- Setting up polyinstantiated `/var` and `/var/tmp` directories. **Example:** @@ -230,7 +230,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Shared memory -- Set group for `/dev/shm`. +- Set group for `/dev/shm`. **Example:** @@ -240,7 +240,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Encrypt partitions -- Encrypt `swap` partition. +- Encrypt `swap` partition. **Example:** 
@@ -256,33 +256,33 @@ Some of the external audit tools use this standard. For example Nessus has funct | Rule | Priority | Checkbox | | :--- | :---: | :---: | -| Separate `/boot` | | :black_square_button: | -| Separate `/home` | | :black_square_button: | -| Separate `/usr` | | :black_square_button: | -| Separate `/var` | | :black_square_button: | -| Separate `/var/log` and `/var/log/audit` | | :black_square_button: | -| Separate `/tmp` and `/var/tmp` | | :black_square_button: | +| Separate `/boot` | | :black_square_button: | +| Separate `/home` | | :black_square_button: | +| Separate `/usr` | | :black_square_button: | +| Separate `/var` | | :black_square_button: | +| Separate `/var/log` and `/var/log/audit` | | :black_square_button: | +| Separate `/tmp` and `/var/tmp` | | :black_square_button: | | | | | -| Restrict `/usr` mount options | | :black_square_button: | -| Restrict `/var` mount options | | :black_square_button: | -| Restrict `/var/log` and `/var/log/audit` mount options | | :black_square_button: | -| Restrict `/proc` mount options | | :black_square_button: | -| Restrict `/boot` mount options | | :black_square_button: | -| Restrict `/home` mount options | | :black_square_button: | -| Restrict `/tmp/` and `/var/tmp` mount options | | :black_square_button: | -| Restrict `/dev/shm` mount options | | :black_square_button: | +| Restrict `/usr` mount options | | :black_square_button: | +| Restrict `/var` mount options | | :black_square_button: | +| Restrict `/var/log` and `/var/log/audit` mount options | | :black_square_button: | +| Restrict `/proc` mount options | | :black_square_button: | +| Restrict `/boot` mount options | | :black_square_button: | +| Restrict `/home` mount options | | :black_square_button: | +| Restrict `/tmp/` and `/var/tmp` mount options | | :black_square_button: | +| Restrict `/dev/shm` mount options | | :black_square_button: | | | | | -| Polyinstantiated `/tmp` and `/var/tmp` | | :black_square_button: | +| Polyinstantiated `/tmp` and 
`/var/tmp` | | :black_square_button: | | | | | -| Set group for `/dev/shm` | | :black_square_button: | +| Set group for `/dev/shm` | | :black_square_button: | | | | | -| Encrypt `swap` | | :black_square_button: | +| Encrypt `swap` | | :black_square_button: | # Physical Access ## Password for Single User Mode -- Protect Single User Mode with root password. +- Protect Single User Mode with root password. **Example:** @@ -295,13 +295,13 @@ Some of the external audit tools use this standard. For example Nessus has funct | Rule | Priority | Checkbox | | :--- | :---: | :---: | -| Protect Single User Mode. | | :black_square_button: | +| Protect Single User Mode. | | :black_square_button: | # Bootloader ## Protect bootloader config files -- Ensure bootloader config files are set properly permissions. +- Ensure bootloader config files are set properly permissions. **Example:** @@ -319,13 +319,13 @@ Some of the external audit tools use this standard. For example Nessus has funct | Rule | Priority | Checkbox | | :--- | :---: | :---: | -| Protect bootloader config files | | :black_square_button: | +| Protect bootloader config files | | :black_square_button: | # Linux Kernel ## Kernel logs -- Restricting access to kernel logs. +- Restricting access to kernel logs. **Example:** @@ -335,7 +335,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Kernel pointers -- Restricting access to kernel pointers. +- Restricting access to kernel pointers. **Example:** @@ -345,7 +345,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## ExecShield -- ExecShield protection. +- ExecShield protection. **Example:** @@ -355,7 +355,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Memory protections -- Randomise memory space. +- Randomise memory space. ```bash echo "kernel.randomize_va_space=2" > /etc/sysctl.d/50-rand-va-space.conf 
@@ -365,16 +365,16 @@ Some of the external audit tools use this standard. For example Nessus has funct | Rule | Priority | Checkbox | | :--- | :---: | :---: | -| Restricting access to kernel logs | | :black_square_button: | -| Restricting access to kernel pointers | | :black_square_button: | -| ExecShield protection | | :black_square_button: | -| Randomise memory space. | | :black_square_button: | +| Restricting access to kernel logs | | :black_square_button: | +| Restricting access to kernel pointers | | :black_square_button: | +| ExecShield protection | | :black_square_button: | +| Randomise memory space. | | :black_square_button: | # Logging ## Syslog -- Ensure syslog service is enabled and running. +- Ensure syslog service is enabled and running. **Example:** @@ -383,7 +383,7 @@ Some of the external audit tools use this standard. For example Nessus has funct systemctl start rsyslog ``` -- Send syslog data to external server. +- Send syslog data to external server. **Example:** @@ -398,14 +398,14 @@ Some of the external audit tools use this standard. For example Nessus has funct | Rule | Priority | Checkbox | | :--- | :---: | :---: | -| Ensure syslog service is enabled and running. | | :black_square_button: | -| Ensure syslog service is enabled and running. | | :black_square_button: | +| Ensure syslog service is enabled and running. | | :black_square_button: | +| Ensure syslog service is enabled and running. | | :black_square_button: | # Users and Groups ## Passwords -- Update password policy (PAM). +- Update password policy (PAM). **Example:** @@ -422,7 +422,7 @@ Some of the external audit tools use this standard. For example Nessus has funct --update ``` -- Limit password reuse (PAM). +- Limit password reuse (PAM). **Example:** 
@@ -436,7 +436,7 @@ Some of the external audit tools use this standard. For example Nessus has funct password requisite pam_pwhistory.so ... remember=5 ``` -- Secure `/etc/login.defs` password policy. +- Secure `/etc/login.defs` password policy. **Example:** @@ -450,7 +450,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Logon Access -- Set auto logout inactive users. +- Set auto logout inactive users. **Example:** @@ -460,7 +460,7 @@ Some of the external audit tools use this standard. For example Nessus has funct chmod +x /etc/profile.d/idle-users.sh ``` -- Set last logon/access notification. +- Set last logon/access notification. **Example:** @@ -469,7 +469,7 @@ Some of the external audit tools use this standard. For example Nessus has funct session required pam_lastlog.so showfailed ``` -- Lock out accounts after a number of incorrect login (PAM). +- Lock out accounts after a number of incorrect login (PAM). **Example:** 
@@ -490,19 +490,19 @@ Some of the external audit tools use this standard. For example Nessus has funct | Rule | Priority | Checkbox | | :--- | :---: | :---: | -| Update password policy | | :black_square_button: | -| Limit password reuse | | :black_square_button: | -| Secure `/etc/login.defs` password policy | | :black_square_button: | +| Update password policy | | :black_square_button: | +| Limit password reuse | | :black_square_button: | +| Secure `/etc/login.defs` password policy | | :black_square_button: | | | | | -| Set auto logout inactive users. | | :black_square_button: | -| Set last logon/access notification | | :black_square_button: | -| Lock out accounts after a number of incorrect login | | :black_square_button: | +| Set auto logout inactive users. | | :black_square_button: | +| Set last logon/access notification | | :black_square_button: | +| Lock out accounts after a number of incorrect login | | :black_square_button: | # Filesystem ## Hardlinks & Symlinks -- Enable hard/soft link protection. +- Enable hard/soft link protection. **Example:** @@ -513,7 +513,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Dynamic Mounting and Unmounting -- Disable uncommon filesystems. +- Disable uncommon filesystems. **Example:** @@ -536,8 +536,8 @@ Some of the external audit tools use this standard. For example Nessus has funct | Rule | Priority | Checkbox | | :--- | :---: | :---: | -| Enable hard/soft link protection. | | :black_square_button: | -| Disable uncommon filesystems. | | :black_square_button: | +| Enable hard/soft link protection. | | :black_square_button: | +| Disable uncommon filesystems. | | :black_square_button: | # Permissions @@ -545,7 +545,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## SELinux Enforcing -- Set SELinux Enforcing mode. +- Set SELinux Enforcing mode. **Example:** 
@@ -558,7 +558,7 @@ Some of the external audit tools use this standard. For example Nessus has funct | Rule | Priority | Checkbox | | :--- | :---: | :---: | -| Set SELinux Enforcing mode. | | :black_square_button: | +| Set SELinux Enforcing mode. | | :black_square_button: | # System Updates @@ -566,7 +566,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## TCP/SYN -- Enable TCP SYN Cookie protection. +- Enable TCP SYN Cookie protection. **Example:** @@ -576,7 +576,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Routing -- Disable IP source routing. +- Disable IP source routing. **Example:** @@ -586,7 +586,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## ICMP Protocol -- Disable ICMP redirect acceptance. +- Disable ICMP redirect acceptance. **Example:** @@ -594,7 +594,7 @@ Some of the external audit tools use this standard. For example Nessus has funct echo "net.ipv4.conf.all.accept_redirects = 0" > /etc/sysctl.d/50-net-stack.conf ``` -- Enable ignoring to ICMP requests. +- Enable ignoring to ICMP requests. **Example:** @@ -604,7 +604,7 @@ Some of the external audit tools use this standard. For example Nessus has funct ## Broadcast -- Enable ignoring broadcasts request. +- Enable ignoring broadcasts request. **Example:** 
@@ -616,14 +616,14 @@ Some of the external audit tools use this standard. For example Nessus has funct | Rule | Priority | Checkbox | | :--- | :---: | :---: | -| Enable TCP SYN Cookie protection. | | :black_square_button: | +| Enable TCP SYN Cookie protection. | | :black_square_button: | | | | | -| Disable IP source routing. | | :black_square_button: | +| Disable IP source routing. | | :black_square_button: | | | | | -| Disable ICMP redirect acceptance. | | :black_square_button: | -| Enable ignoring to ICMP requests. | | :black_square_button: | +| Disable ICMP redirect acceptance. | | :black_square_button: | +| Enable ignoring to ICMP requests. | | :black_square_button: | | | | | -| Enable ignoring broadcasts request. | | :black_square_button: | +| Enable ignoring broadcasts request. | | :black_square_button: | # Services diff --git a/doc/img/high.png b/static/img/high.png similarity index 100% rename from doc/img/high.png rename to static/img/high.png diff --git a/doc/img/linux-hardening-checklist_preview.png b/static/img/linux-hardening-checklist_preview.png similarity index 100% rename from doc/img/linux-hardening-checklist_preview.png rename to static/img/linux-hardening-checklist_preview.png diff --git a/doc/img/low.png b/static/img/low.png similarity index 100% rename from doc/img/low.png rename to static/img/low.png diff --git a/doc/img/medium.png b/static/img/medium.png similarity index 100% rename from doc/img/medium.png rename to static/img/medium.png diff --git a/doc/img/openscap_logo.png b/static/img/openscap_logo.png similarity index 100% rename from doc/img/openscap_logo.png rename to static/img/openscap_logo.png
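Review bot: the `+` lines in `@@ -106,13 +106,13 @@` carry the priority wording over unchanged, including the grammatical slip in the high-priority bullet ("You can't avoid following that rule and implement the corrections recommended"); since the line is being rewritten anyway, make it "You can't avoid following that rule and implementing the recommended corrections." The new SCAP paragraph in the same hunk is not parallel either ("check configurations, vulnerability management and evaluate policy compliance"); suggest "provides a mechanism to check configurations, manage vulnerabilities and evaluate policy compliance" and "as a hardening helper" at the end.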
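Review bot: the `ro` option in the context line of `@@ -146,7 +146,7 @@` (`UUID=<...> /usr ext4 defaults,nodev,ro 0 2`) makes every package upgrade fail with a read-only filesystem error until `/usr` is remounted read-write, so the item should document that step next to the example (`mount -o remount,rw /usr` before updating, `mount -o remount,ro /usr` after). The `/var` example in the same hunk sets only `nosuid`; the other data partitions in this section also get `nodev`, and `/var` should as well.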
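Review bot: `hidepid=2` in `@@ -171,7 +171,7 @@` (`proc /proc proc defaults,hidepid=2 0 0`) hides every other user's processes from everyone except root, which breaks unprivileged monitoring agents and anything else that has to list processes it does not own; the `proc` mount also accepts `gid=<group>` to exempt one group from hidepid, and the example should either show it (for instance `proc /proc proc defaults,hidepid=2,gid=<group> 0 0`) or warn about the breakage.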
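Review bot: `ro` on `/boot` in `@@ -179,7 +179,7 @@` (`LABEL=/boot /boot ext2 defaults,nodev,nosuid,noexec,ro 1 2`) has the same operational consequence as on `/usr`: kernel and bootloader package updates write to `/boot` and will fail until it is remounted read-write, so the item needs a remount step documented beside the example, especially for unattended update runs.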
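Review bot: the label in `@@ -187,7 +187,7 @@` reads "Restrict `/var` and `/var/tmp` partitions mount options", but the example that follows is for `/tmp` (`UUID=<...> /tmp ext4 defaults,nodev,nosuid,noexec 0 2`), the summary table row calls it "Restrict `/tmp/` and `/var/tmp` mount options", and `/var` already has its own item in the `-146` hunk; rename the label to `/tmp` and `/var/tmp` while the line is being touched.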
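Review bot: the same label mismatch exists in `@@ -209,7 +209,7 @@`: "Setting up polyinstantiated `/var` and `/var/tmp` directories" versus the summary table's "Polyinstantiated `/tmp` and `/var/tmp`"; the table row is the one that matches the rest of the checklist, so the heading should say `/tmp` and `/var/tmp`.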
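Review bot: the summary table in `@@ -256,33 +256,33 @@` writes `/tmp/` with a trailing slash in the "Restrict `/tmp/` and `/var/tmp` mount options" row while every other row and heading uses `/tmp`; drop the slash so the rows can be matched against the item headings by name.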
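Review bot: "Ensure bootloader config files are set properly permissions" in `@@ -295,13 +295,13 @@` is ungrammatical; suggest "Ensure bootloader config files have restrictive permissions set", and the corresponding summary row "Protect bootloader config files" in the `-319` hunk can stay as it is.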
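Review bot: "ExecShield protection" in `@@ -345,7 +345,7 @@` is a Red Hat kernel feature rather than a mainline one, so the item should name the distribution and kernel series it applies to; readers on other distributions will not find a corresponding sysctl and the example will fail for them.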
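Review bot: the Logging summary table in `@@ -398,14 +398,14 @@` lists "Ensure syslog service is enabled and running." twice; the second row should be "Send syslog data to external server.", matching the item in the `-383` hunk, otherwise that item has no checkbox.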
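Review bot: "Set auto logout inactive users" in `@@ -450,7 +450,7 @@` reads awkwardly; suggest "Automatically log out inactive users" here and in the matching summary row in the `-490` hunk.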
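Review bot: the `chmod +x /etc/profile.d/idle-users.sh` context line in `@@ -460,7 +460,7 @@` is unnecessary: files under `/etc/profile.d/` are sourced by `/etc/profile` for login shells, not executed, so the execute bit has no effect and suggests the script runs as a standalone program, which it does not. Drop it or replace it with a read-only mode such as `chmod 644`.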
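Review bot: "Lock out accounts after a number of incorrect login (PAM)" in `@@ -469,7 +469,7 @@` should read "incorrect login attempts"; the summary row in the `-490` hunk repeats the same phrase and should be changed together with it.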
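Review bot: the context line `echo "net.ipv4.conf.all.accept_redirects = 0" > /etc/sysctl.d/50-net-stack.conf` in `@@ -594,7 +594,7 @@` uses a truncating `>`; if any other item in this section writes to the same `50-net-stack.conf`, each one erases the previous setting and only the last survives, so use `>>` or give each item its own file as the memory item does with `50-rand-va-space.conf`. Setting only `conf.all` is also not enough to disable redirect acceptance on a host without forwarding, because the per-interface value still counts; `net.ipv4.conf.default.accept_redirects = 0` (and the IPv6 equivalents) belong beside it. The label "Enable ignoring to ICMP requests" in the same hunk should read "Ignore ICMP echo requests".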
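Review bot: "Enable ignoring broadcasts request" in `@@ -604,7 +604,7 @@` should read "Ignore ICMP broadcast requests", and the matching summary row in the `-616` hunk should be changed to the same wording.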
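Review bot: the rename hunks at the end move `doc/img/*.png` to `static/img/*.png`, while the README `-`/`+` pairs show no textual difference in this view, so the README edits are presumably the icon path updates; before merge, `grep -rn doc/img` across the repository should return nothing. The preview image `linux-hardening-checklist_preview.png` is renamed as well, but the first README hunk `@@ -1,5 +1,5 @@` shows only a removed `-` line here, so whether its reference was updated cannot be checked from this diff.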