changed directory for static files
- signed-off-by: trimstray <trimstray@gmail.com>
README.md
@ -1,5 +1,5 @@
|
|||||||
<p align="center">
|
<p align="center">
|
||||||
<img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/linux-hardening-checklist_preview.png"
|
<img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/linux-hardening-checklist_preview.png"
|
||||||
alt="Master">
|
alt="Master">
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
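Review bot: the new `static/img/linux-hardening-checklist_preview.png` path is only valid if the image files were moved in the same commit; this page shows the README.md change alone, so confirm the `doc/img` to `static/img` move is included, otherwise the preview renders as a broken image. The URL also hard-codes the upstream `master` branch, so forks and feature branches keep displaying upstream images; a relative path such as `static/img/linux-hardening-checklist_preview.png` would follow the checkout.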
@ -106,13 +106,13 @@ I'm not advocating throwing your existing hardening and deployment best practice
|
|||||||
|
|
||||||
All items in this checklist contains three levels of priority:
|
All items in this checklist contains three levels of priority:
|
||||||
|
|
||||||
* <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> means that the item has a **low** priority.
|
* <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> means that the item has a **low** priority.
|
||||||
* <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> means that the item has a **medium** priority. You shouldn't avoid tackling that item.
|
* <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> means that the item has a **medium** priority. You shouldn't avoid tackling that item.
|
||||||
* <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/high.png" alt="high"> means that the item has a **high** priority. You can't avoid following that rule and implement the corrections recommended.
|
* <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/high.png" alt="high"> means that the item has a **high** priority. You can't avoid following that rule and implement the corrections recommended.
|
||||||
|
|
||||||
## OpenSCAP
|
## OpenSCAP
|
||||||
|
|
||||||
<img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/openscap_logo.png" alt="OpenSCAP" align="left">
|
<img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/openscap_logo.png" alt="OpenSCAP" align="left">
|
||||||
|
|
||||||
<p align="left"><b>SCAP</b> (<i>Security Content Automation Protocol</i>) provides a mechanism to check configurations, vulnerability management and evaluate policy compliance for a variety of systems. One of the most popular implementations of SCAP is <b>OpenSCAP</b> and it is very helpful for vulnerability assessment and also as hardening helper.
|
<p align="left"><b>SCAP</b> (<i>Security Content Automation Protocol</i>) provides a mechanism to check configurations, vulnerability management and evaluate policy compliance for a variety of systems. One of the most popular implementations of SCAP is <b>OpenSCAP</b> and it is very helpful for vulnerability assessment and also as hardening helper.
|
||||||
|
|
||||||
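Review bot: the unchanged legend line at the top of this hunk reads "All items in this checklist contains three levels of priority"; since the hunk already rewrites the neighbouring lines, fix the agreement here ("All items ... contain" or "Every item has one of three priority levels"). The same absolute-URL point applies to the three priority badges: a relative `static/img/low.png` would render correctly on forks and branches.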
@ -124,21 +124,21 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
## Separate partitions
|
## Separate partitions
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> Ensure `/boot` located on separate partition.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> Ensure `/boot` located on separate partition.
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> Ensure `/home` located on separate partition.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> Ensure `/home` located on separate partition.
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> Ensure `/usr` located on separate partition.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> Ensure `/usr` located on separate partition.
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> Ensure `/var` located on separate partition.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> Ensure `/var` located on separate partition.
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/high.png" alt="high"> Ensure `/var/log` and `/var/log/audit` located on separate partitions.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/high.png" alt="high"> Ensure `/var/log` and `/var/log/audit` located on separate partitions.
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/high.png" alt="high"> Ensure `/tmp` and `/var/tmp` located on separate partitions.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/high.png" alt="high"> Ensure `/tmp` and `/var/tmp` located on separate partitions.
|
||||||
|
|
||||||
## Restrict mount options
|
## Restrict mount options
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> Restrict `/usr` partition mount options.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> Restrict `/usr` partition mount options.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
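Review bot: the six "Ensure `/boot` located on separate partition" items are missing a verb and an article ("Ensure `/boot` is located on a separate partition"); as this hunk rewrites each of those lines anyway, it is the place to fix them. The "Restrict `/usr` partition mount options" title in the same hunk would read better as "Restrict `/usr` mount options", matching the summary table wording.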
@ -146,7 +146,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
UUID=<...> /usr ext4 defaults,nodev,ro 0 2
|
UUID=<...> /usr ext4 defaults,nodev,ro 0 2
|
||||||
```
|
```
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> Restrict `/var` partition mount options.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> Restrict `/var` partition mount options.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
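Review bot: the `/usr` example `defaults,nodev,ro` mounts `/usr` read-only, which makes package installation and upgrades fail until it is remounted read-write (`mount -o remount,rw /usr`); the item should state that operational step, or readers will hit failing updates and drop the control. `nosuid` is correctly absent here, since `/usr` holds legitimate setuid binaries.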
@ -154,7 +154,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
UUID=<...> /var ext4 defaults,nosuid 0 2
|
UUID=<...> /var ext4 defaults,nosuid 0 2
|
||||||
```
|
```
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> Restrict `/var/log` and `/var/log/audit` partitions mount options.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> Restrict `/var/log` and `/var/log/audit` partitions mount options.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
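Review bot: the `/var` example only sets `nosuid`; `nodev` is safe on `/var` as well (no device nodes belong there) and is already used on `/var/log/audit` below, so `defaults,nosuid,nodev` would be consistent. `noexec` should stay off `/var`, as package managers that run maintainer scripts from under `/var/lib` break with it; a one-line note saying so would stop readers from "improving" the example.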
@ -163,7 +163,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
UUID=<...> /var/log/audit ext4 defaults,nosuid,noexec,nodev 0 2
|
UUID=<...> /var/log/audit ext4 defaults,nosuid,noexec,nodev 0 2
|
||||||
```
|
```
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> Restrict `/proc` partition mount options.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> Restrict `/proc` partition mount options.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
@ -171,7 +171,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
proc /proc proc defaults,hidepid=2 0 0
|
proc /proc proc defaults,hidepid=2 0 0
|
||||||
```
|
```
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> Restrict `/boot` partition mount options.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> Restrict `/boot` partition mount options.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
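Review bot: `hidepid=2` on `/proc` hides other users' processes, which also blinds non-root monitoring agents and can interfere with `systemd-logind` and polkit on systemd hosts; the example should mention the companion `gid=` option (`hidepid=2,gid=<exempt group>`) so a monitoring group can still see the process table, and note that the change needs `mount -o remount /proc` to take effect without a reboot.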
@ -179,7 +179,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
LABEL=/boot /boot ext2 defaults,nodev,nosuid,noexec,ro 1 2
|
LABEL=/boot /boot ext2 defaults,nodev,nosuid,noexec,ro 1 2
|
||||||
```
|
```
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> Restrict `/home` partition mount options.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> Restrict `/home` partition mount options.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
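Review bot: the `/boot` line is the only entry using `LABEL=` while the rest use `UUID=`; pick one. More importantly, `ro` on `/boot` means kernel and bootloader updates fail until `/boot` is remounted read-write, so this item needs the same operational caveat as the `/usr` entry; `nodev,nosuid,noexec` are fine since nothing is executed from `/boot` at run time.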
@ -187,7 +187,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
UUID=<...> /home ext4 defaults,nodev,nosuid 0 2
|
UUID=<...> /home ext4 defaults,nodev,nosuid 0 2
|
||||||
```
|
```
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> Restrict `/var` and `/var/tmp` partitions mount options.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> Restrict `/var` and `/var/tmp` partitions mount options.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
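Review bot: the item title "Restrict `/var` and `/var/tmp` partitions mount options" is almost certainly a typo for `/tmp`: `/var` already has its own entry above, and the summary table calls this row "Restrict `/tmp/` and `/var/tmp` mount options". The `/home` example `defaults,nodev,nosuid` is sound; `noexec` is not set on `/home`, which is a reasonable default, and one sentence on when to add it would help readers who expect it.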
@ -199,7 +199,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
UUID=<...> /tmp ext4 defaults,nodev,nosuid,noexec 0 2
|
UUID=<...> /tmp ext4 defaults,nodev,nosuid,noexec 0 2
|
||||||
```
|
```
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> Restrict `/dev/shm` partition mount options.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> Restrict `/dev/shm` partition mount options.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
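Review bot: the `/tmp` example sets `noexec`, which breaks installers and build tools that unpack and run from `/tmp`; the item should mention pointing `TMPDIR` elsewhere or temporarily remounting for such jobs, and should say explicitly that `/var/tmp` gets the same three options, otherwise the control is only half applied. The `/dev/shm` item introduced in this hunk needs the same kind of note on which options its tmpfs line carries.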
@ -209,7 +209,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
## Polyinstantiated directories
|
## Polyinstantiated directories
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> Setting up polyinstantiated `/var` and `/var/tmp` directories.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> Setting up polyinstantiated `/var` and `/var/tmp` directories.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
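Review bot: "Setting up polyinstantiated `/var` and `/var/tmp` directories" should read `/tmp` and `/var/tmp` (the summary table row says "Polyinstantiated `/tmp` and `/var/tmp`", and polyinstantiating the whole of `/var` is not a workable configuration). "Setting up" is also the only gerund item title in this part of the list; "Set up" matches the imperative style of the others.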
@ -230,7 +230,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
## Shared memory
|
## Shared memory
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> Set group for `/dev/shm`.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> Set group for `/dev/shm`.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
@ -240,7 +240,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
## Encrypt partitions
|
## Encrypt partitions
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> Encrypt `swap` partition.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> Encrypt `swap` partition.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
@ -256,33 +256,33 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
| <b>Rule</b> | <b>Priority</b> | <b>Checkbox</b> |
|
| <b>Rule</b> | <b>Priority</b> | <b>Checkbox</b> |
|
||||||
| :--- | :---: | :---: |
|
| :--- | :---: | :---: |
|
||||||
| Separate `/boot` | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> | :black_square_button: |
|
| Separate `/boot` | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> | :black_square_button: |
|
||||||
| Separate `/home` | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> | :black_square_button: |
|
| Separate `/home` | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> | :black_square_button: |
|
||||||
| Separate `/usr` | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> | :black_square_button: |
|
| Separate `/usr` | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> | :black_square_button: |
|
||||||
| Separate `/var` | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> | :black_square_button: |
|
| Separate `/var` | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> | :black_square_button: |
|
||||||
| Separate `/var/log` and `/var/log/audit` | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/high.png" alt="high"> | :black_square_button: |
|
| Separate `/var/log` and `/var/log/audit` | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/high.png" alt="high"> | :black_square_button: |
|
||||||
| Separate `/tmp` and `/var/tmp` | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/high.png" alt="high"> | :black_square_button: |
|
| Separate `/tmp` and `/var/tmp` | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/high.png" alt="high"> | :black_square_button: |
|
||||||
| | | |
|
| | | |
|
||||||
| Restrict `/usr` mount options | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> | :black_square_button: |
|
| Restrict `/usr` mount options | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> | :black_square_button: |
|
||||||
| Restrict `/var` mount options | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> | :black_square_button: |
|
| Restrict `/var` mount options | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> | :black_square_button: |
|
||||||
| Restrict `/var/log` and `/var/log/audit` mount options | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> | :black_square_button: |
|
| Restrict `/var/log` and `/var/log/audit` mount options | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> | :black_square_button: |
|
||||||
| Restrict `/proc` mount options | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> | :black_square_button: |
|
| Restrict `/proc` mount options | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> | :black_square_button: |
|
||||||
| Restrict `/boot` mount options | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> | :black_square_button: |
|
| Restrict `/boot` mount options | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> | :black_square_button: |
|
||||||
| Restrict `/home` mount options | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> | :black_square_button: |
|
| Restrict `/home` mount options | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> | :black_square_button: |
|
||||||
| Restrict `/tmp/` and `/var/tmp` mount options | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> | :black_square_button: |
|
| Restrict `/tmp/` and `/var/tmp` mount options | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> | :black_square_button: |
|
||||||
| Restrict `/dev/shm` mount options | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> | :black_square_button: |
|
| Restrict `/dev/shm` mount options | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> | :black_square_button: |
|
||||||
| | | |
|
| | | |
|
||||||
| Polyinstantiated `/tmp` and `/var/tmp` | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> | :black_square_button: |
|
| Polyinstantiated `/tmp` and `/var/tmp` | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> | :black_square_button: |
|
||||||
| | | |
|
| | | |
|
||||||
| Set group for `/dev/shm` | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> | :black_square_button: |
|
| Set group for `/dev/shm` | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> | :black_square_button: |
|
||||||
| | | |
|
| | | |
|
||||||
| Encrypt `swap` | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> | :black_square_button: |
|
| Encrypt `swap` | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> | :black_square_button: |
|
||||||
|
|
||||||
# Physical Access
|
# Physical Access
|
||||||
|
|
||||||
## Password for Single User Mode
|
## Password for Single User Mode
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> Protect Single User Mode with root password.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> Protect Single User Mode with root password.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
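Review bot: the table rows disagree with the item titles above: "Restrict `/tmp/` and `/var/tmp` mount options" has a stray trailing slash and corresponds to an item titled "`/var` and `/var/tmp`", and "Polyinstantiated `/tmp` and `/var/tmp`" corresponds to an item titled "`/var` and `/var/tmp`"; align both pairs on `/tmp`. Trailing periods are also mixed in rule cells ("Protect Single User Mode." versus "Encrypt `swap`"); drop them consistently.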
@ -295,13 +295,13 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
| <b>Rule</b> | <b>Priority</b> | <b>Checkbox</b> |
|
| <b>Rule</b> | <b>Priority</b> | <b>Checkbox</b> |
|
||||||
| :--- | :---: | :---: |
|
| :--- | :---: | :---: |
|
||||||
| Protect Single User Mode. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> | :black_square_button: |
|
| Protect Single User Mode. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> | :black_square_button: |
|
||||||
|
|
||||||
# Bootloader
|
# Bootloader
|
||||||
|
|
||||||
## Protect bootloader config files
|
## Protect bootloader config files
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> Ensure bootloader config files are set properly permissions.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> Ensure bootloader config files are set properly permissions.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
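Review bot: "Ensure bootloader config files are set properly permissions" is ungrammatical; "Ensure bootloader config files have correct permissions" reads better and matches the table row "Protect bootloader config files". The Physical Access row "Protect Single User Mode." carries a trailing period the other rows lack.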
@ -319,13 +319,13 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
| <b>Rule</b> | <b>Priority</b> | <b>Checkbox</b> |
|
| <b>Rule</b> | <b>Priority</b> | <b>Checkbox</b> |
|
||||||
| :--- | :---: | :---: |
|
| :--- | :---: | :---: |
|
||||||
| Protect bootloader config files | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> | :black_square_button: |
|
| Protect bootloader config files | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> | :black_square_button: |
|
||||||
|
|
||||||
# Linux Kernel
|
# Linux Kernel
|
||||||
|
|
||||||
## Kernel logs
|
## Kernel logs
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> Restricting access to kernel logs.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> Restricting access to kernel logs.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
@ -335,7 +335,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
## Kernel pointers
|
## Kernel pointers
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> Restricting access to kernel pointers.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> Restricting access to kernel pointers.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
@ -345,7 +345,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
## ExecShield
|
## ExecShield
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> ExecShield protection.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> ExecShield protection.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
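Review bot: "ExecShield protection" needs a distribution caveat: the `exec-shield` sysctl exists only on older Red Hat family kernels and is absent on current ones, where NX enforcement is handled by the kernel on supporting hardware, so readers on a modern distribution will find nothing to set; the item should say where it applies and what the equivalent check is elsewhere.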
@ -355,7 +355,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
## Memory protections
|
## Memory protections
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> Randomise memory space.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> Randomise memory space.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
echo "kernel.randomize_va_space=2" > /etc/sysctl.d/50-rand-va-space.conf
|
echo "kernel.randomize_va_space=2" > /etc/sysctl.d/50-rand-va-space.conf
|
||||||
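Review bot: the `randomize_va_space` example writes the sysctl file but never applies it; the setting only takes effect at next boot unless followed by `sysctl --system` (or `sysctl -w kernel.randomize_va_space=2`), and the item should also show the verification step (`sysctl kernel.randomize_va_space`). Since `2` is already the default on mainstream kernels, the value of this control is in pinning it against later changes, which is worth stating.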
@ -365,16 +365,16 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
| <b>Rule</b> | <b>Priority</b> | <b>Checkbox</b> |
|
| <b>Rule</b> | <b>Priority</b> | <b>Checkbox</b> |
|
||||||
| :--- | :---: | :---: |
|
| :--- | :---: | :---: |
|
||||||
| Restricting access to kernel logs | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> | :black_square_button: |
|
| Restricting access to kernel logs | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> | :black_square_button: |
|
||||||
| Restricting access to kernel pointers | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> | :black_square_button: |
|
| Restricting access to kernel pointers | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> | :black_square_button: |
|
||||||
| ExecShield protection | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> | :black_square_button: |
|
| ExecShield protection | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> | :black_square_button: |
|
||||||
| Randomise memory space. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> | :black_square_button: |
|
| Randomise memory space. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> | :black_square_button: |
|
||||||
|
|
||||||
# Logging
|
# Logging
|
||||||
|
|
||||||
## Syslog
|
## Syslog
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> Ensure syslog service is enabled and running.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> Ensure syslog service is enabled and running.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
@ -383,7 +383,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
systemctl start rsyslog
|
systemctl start rsyslog
|
||||||
```
|
```
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> Send syslog data to external server.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> Send syslog data to external server.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
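Review bot: the item promises the syslog service is "enabled and running", but the only command visible in this hunk is `systemctl start rsyslog`, which does not survive a reboot; make sure `systemctl enable rsyslog` (or `systemctl enable --now rsyslog`) is part of the example. Because `rsyslog` is named, the item should also say it applies to rsyslog-based hosts; journald-only or syslog-ng systems need a different check.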
@ -398,14 +398,14 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
| <b>Rule</b> | <b>Priority</b> | <b>Checkbox</b> |
|
| <b>Rule</b> | <b>Priority</b> | <b>Checkbox</b> |
|
||||||
| :--- | :---: | :---: |
|
| :--- | :---: | :---: |
|
||||||
| Ensure syslog service is enabled and running. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> | :black_square_button: |
|
| Ensure syslog service is enabled and running. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> | :black_square_button: |
|
||||||
| Ensure syslog service is enabled and running. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> | :black_square_button: |
|
| Ensure syslog service is enabled and running. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> | :black_square_button: |
|
||||||
|
|
||||||
# Users and Groups
|
# Users and Groups
|
||||||
|
|
||||||
## Passwords
|
## Passwords
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> Update password policy (PAM).
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> Update password policy (PAM).
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
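Review bot: the Logging table lists "Ensure syslog service is enabled and running." twice; the second row should be "Send syslog data to external server" to match the items above it. The trailing period on these rows is out of step with the other tables as well.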
@ -422,7 +422,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
--update
|
--update
|
||||||
```
|
```
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> Limit password reuse (PAM).
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> Limit password reuse (PAM).
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
@ -436,7 +436,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
password requisite pam_pwhistory.so ... remember=5
|
password requisite pam_pwhistory.so ... remember=5
|
||||||
```
|
```
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> Secure `/etc/login.defs` password policy.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> Secure `/etc/login.defs` password policy.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
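Review bot: the `pam_pwhistory.so ... remember=5` line elides the remaining options with `...`; a partial PAM stack line is easy to copy incorrectly, and module ordering decides whether the history check actually runs before the new password is stored, so spell the full line out together with the file it belongs in.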
@ -450,7 +450,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
## Logon Access
|
## Logon Access
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> Set auto logout inactive users.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> Set auto logout inactive users.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
@ -460,7 +460,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
chmod +x /etc/profile.d/idle-users.sh
|
chmod +x /etc/profile.d/idle-users.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> Set last logon/access notification.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> Set last logon/access notification.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
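Review bot: `chmod +x /etc/profile.d/idle-users.sh` is unnecessary: files in `/etc/profile.d/` are sourced by `/etc/profile`, not executed, so the execute bit adds nothing. What matters is the script body, which is not visible in this hunk: if it relies on the shell's `TMOUT`, the variable must be declared `readonly` and exported, otherwise any user can unset it in their own session, and sessions that never read `/etc/profile` are not covered at all.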
@ -469,7 +469,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
session required pam_lastlog.so showfailed
|
session required pam_lastlog.so showfailed
|
||||||
```
|
```
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> Lock out accounts after a number of incorrect login (PAM).
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> Lock out accounts after a number of incorrect login (PAM).
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
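Review bot: "Lock out accounts after a number of incorrect login (PAM)" should read "incorrect login attempts". For `session required pam_lastlog.so showfailed`, the example should name the PAM service file it goes into, since a `session` line added to the wrong service displays nothing and the reader cannot tell whether the control is active.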
@ -490,19 +490,19 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
| <b>Rule</b> | <b>Priority</b> | <b>Checkbox</b> |
|
| <b>Rule</b> | <b>Priority</b> | <b>Checkbox</b> |
|
||||||
| :--- | :---: | :---: |
|
| :--- | :---: | :---: |
|
||||||
| Update password policy | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> | :black_square_button: |
|
| Update password policy | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> | :black_square_button: |
|
||||||
| Limit password reuse | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> | :black_square_button: |
|
| Limit password reuse | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> | :black_square_button: |
|
||||||
| Secure `/etc/login.defs` password policy | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> | :black_square_button: |
|
| Secure `/etc/login.defs` password policy | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> | :black_square_button: |
|
||||||
| | | |
|
| | | |
|
||||||
| Set auto logout inactive users. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> | :black_square_button: |
|
| Set auto logout inactive users. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> | :black_square_button: |
|
||||||
| Set last logon/access notification | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> | :black_square_button: |
|
| Set last logon/access notification | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> | :black_square_button: |
|
||||||
| Lock out accounts after a number of incorrect login | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> | :black_square_button: |
|
| Lock out accounts after a number of incorrect login | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> | :black_square_button: |
|
||||||
|
|
||||||
# Filesystem
|
# Filesystem
|
||||||
|
|
||||||
## Hardlinks & Symlinks
|
## Hardlinks & Symlinks
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> Enable hard/soft link protection.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> Enable hard/soft link protection.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
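Review bot: every image reference in this hunk is rewritten from an absolute `https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/...` URL to the same absolute URL with `static/img`, so the README still hard-codes the repository, the `master` branch name and the directory, and the next directory move or a default-branch rename means another 60-line edit like this one. A repo-relative path such as `static/img/medium.png` renders identically on GitHub, survives forks and branch renames, and is the form the rest of the edit should use. While these rows are being touched, the rewritten rows `Lock out accounts after a number of incorrect login` and `Set auto logout inactive users.` should read `Lock out accounts after a number of incorrect login attempts` and `Auto-logout inactive users` (no trailing period, to match the other rows of this table).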
@ -513,7 +513,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
## Dynamic Mounting and Unmounting
|
## Dynamic Mounting and Unmounting
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> Disable uncommon filesystems.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> Disable uncommon filesystems.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
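Review bot: the heading `## Dynamic Mounting and Unmounting` does not describe the only rule under it, `Disable uncommon filesystems.`, which is about keeping unused filesystem modules from loading rather than about mount or umount behaviour. Since the rule line is being edited anyway, rename the heading to match the control (for example `## Uncommon filesystems`) or add a rule that actually covers mounting; the example below the rule is outside this hunk, so the reviewer cannot tell from here which of the two the section is meant to cover.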
@ -536,8 +536,8 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
| <b>Rule</b> | <b>Priority</b> | <b>Checkbox</b> |
|
| <b>Rule</b> | <b>Priority</b> | <b>Checkbox</b> |
|
||||||
| :--- | :---: | :---: |
|
| :--- | :---: | :---: |
|
||||||
| Enable hard/soft link protection. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/low.png" alt="low"> | :black_square_button: |
|
| Enable hard/soft link protection. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/low.png" alt="low"> | :black_square_button: |
|
||||||
| Disable uncommon filesystems. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> | :black_square_button: |
|
| Disable uncommon filesystems. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> | :black_square_button: |
|
||||||
|
|
||||||
# Permissions
|
# Permissions
|
||||||
|
|
||||||
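Review bot: the two rewritten rows of this summary table, `Enable hard/soft link protection.` and `Disable uncommon filesystems.`, end with a period, while the rows of the account table earlier in the same file (`Update password policy`, `Limit password reuse`) do not; pick one convention for all summary tables, since these lines are being regenerated in this commit anyway.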
@ -545,7 +545,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
## SELinux Enforcing
|
## SELinux Enforcing
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/high.png" alt="high"> Set SELinux Enforcing mode.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/high.png" alt="high"> Set SELinux Enforcing mode.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
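Review bot: `Set SELinux Enforcing mode.` is marked high priority but only applies to SELinux-based distributions (RHEL, CentOS, Fedora and derivatives); Debian and Ubuntu ship AppArmor as the default MAC and have no SELinux policy installed, so a reader following the checklist there has no way to satisfy this rule. Since the rule line is being rewritten, either state the assumption in the rule text or phrase it as enforcing a mandatory access control system (SELinux enforcing where available, AppArmor in enforce mode otherwise).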
@ -558,7 +558,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
| <b>Rule</b> | <b>Priority</b> | <b>Checkbox</b> |
|
| <b>Rule</b> | <b>Priority</b> | <b>Checkbox</b> |
|
||||||
| :--- | :---: | :---: |
|
| :--- | :---: | :---: |
|
||||||
| Set SELinux Enforcing mode. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/high.png" alt="high"> | :black_square_button: |
|
| Set SELinux Enforcing mode. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/high.png" alt="high"> | :black_square_button: |
|
||||||
|
|
||||||
# System Updates
|
# System Updates
|
||||||
|
|
||||||
@ -566,7 +566,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
## TCP/SYN
|
## TCP/SYN
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> Enable TCP SYN Cookie protection.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> Enable TCP SYN Cookie protection.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
@ -576,7 +576,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
## Routing
|
## Routing
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> Disable IP source routing.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> Disable IP source routing.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
@ -586,7 +586,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
## ICMP Protocol
|
## ICMP Protocol
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> Disable ICMP redirect acceptance.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> Disable ICMP redirect acceptance.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
@ -594,7 +594,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
echo "net.ipv4.conf.all.accept_redirects = 0" > /etc/sysctl.d/50-net-stack.conf
|
echo "net.ipv4.conf.all.accept_redirects = 0" > /etc/sysctl.d/50-net-stack.conf
|
||||||
```
|
```
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> Enable ignoring to ICMP requests.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> Enable ignoring to ICMP requests.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
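Review bot: the context line `echo "net.ipv4.conf.all.accept_redirects = 0" > /etc/sysctl.d/50-net-stack.conf` writes with `>` to a generically named drop-in; if the other examples in this section (SYN cookies, source routing, broadcast) write to the same file, each one silently overwrites the previous setting, so use `>>` or write the whole set of keys once and then apply it with `sysctl --system`. Setting only `net.ipv4.conf.all.accept_redirects` leaves `net.ipv4.conf.default.accept_redirects` at the kernel default for interfaces created later, `net.ipv4.conf.all.secure_redirects` is normally disabled alongside it, and the IPv6 counterpart `net.ipv6.conf.all.accept_redirects` is not mentioned. The rewritten rule `Enable ignoring to ICMP requests.` should read `Ignore ICMP echo requests`, and it deserves a one-line caveat that it breaks ping-based monitoring and reachability checks.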
@ -604,7 +604,7 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
## Broadcast
|
## Broadcast
|
||||||
|
|
||||||
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> Enable ignoring broadcasts request.
|
- <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> Enable ignoring broadcasts request.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
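Review bot: the rewritten rule `Enable ignoring broadcasts request.` is ungrammatical and vague; it presumably covers `net.ipv4.icmp_echo_ignore_broadcasts` (the smurf-amplification mitigation), so `Ignore ICMP echo requests sent to broadcast addresses` says what the control does and why it matters.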
@ -616,14 +616,14 @@ Some of the external audit tools use this standard. For example Nessus has funct
|
|||||||
|
|
||||||
| <b>Rule</b> | <b>Priority</b> | <b>Checkbox</b> |
|
| <b>Rule</b> | <b>Priority</b> | <b>Checkbox</b> |
|
||||||
| :--- | :---: | :---: |
|
| :--- | :---: | :---: |
|
||||||
| Enable TCP SYN Cookie protection. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> | :black_square_button: |
|
| Enable TCP SYN Cookie protection. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> | :black_square_button: |
|
||||||
| | | |
|
| | | |
|
||||||
| Disable IP source routing. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> | :black_square_button: |
|
| Disable IP source routing. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> | :black_square_button: |
|
||||||
| | | |
|
| | | |
|
||||||
| Disable ICMP redirect acceptance. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> | :black_square_button: |
|
| Disable ICMP redirect acceptance. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> | :black_square_button: |
|
||||||
| Enable ignoring to ICMP requests. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> | :black_square_button: |
|
| Enable ignoring to ICMP requests. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> | :black_square_button: |
|
||||||
| | | |
|
| | | |
|
||||||
| Enable ignoring broadcasts request. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/doc/img/medium.png" alt="medium"> | :black_square_button: |
|
| Enable ignoring broadcasts request. | <img src="https://github.com/trimstray/linux-hardening-checklist/blob/master/static/img/medium.png" alt="medium"> | :black_square_button: |
|
||||||
|
|
||||||
# Services
|
# Services
|
||||||
|
|
||||||
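Review bot: the rewritten summary rows repeat the wording errors of the rules above them (`Enable ignoring to ICMP requests.`, `Enable ignoring broadcasts request.`), so the fix has to be made in both places or the table and the rules will drift apart; the empty `| | | |` spacer rows render as blank table rows on GitHub rather than as visual separators and should be dropped, and `# Services` is the fourth top-level heading in this file introduced with no rule text in view.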
|
Before Width: | Height: | Size: 770 B After Width: | Height: | Size: 770 B |
Before Width: | Height: | Size: 44 KiB After Width: | Height: | Size: 44 KiB |
Before Width: | Height: | Size: 924 B After Width: | Height: | Size: 924 B |
Before Width: | Height: | Size: 959 B After Width: | Height: | Size: 959 B |
Before Width: | Height: | Size: 14 KiB After Width: | Height: | Size: 14 KiB |