LINUX- 48 SECURITY & HARDENING (BASICS) -P3
IN LINUX (RHEL6 & RHEL7):
USER/LOGIN SECURITY
NETWORK SECURITY
FILE / OPERATING SYSTEM SECURITY
PHYSICAL SECURITY
LOG EVERYTHING
LOG FILE SECURITY
We already covered USER SECURITY and NETWORK SECURITY in the earlier parts. Let's start FILE & OPERATING SYSTEM SECURITY, which covers the following points:
Disk encryption while Installation
Encrypt Partition with LUKS
Prevent users from deleting files (Sticky Bit)
Avoid SUID/SGID wherever possible
Implement ACL
Disk Partitioning
Avoid world writable files & directories
Avoid symbolic links
Protecting important files
Protecting cron jobs
Only required packages should be installed
Disable Unwanted Services
Verify the integrity/genuineness of an rpm package
Remove GUI access
Resource Limit
Protecting Mounted file systems
Change /boot to read-only
Data might be casual or it might be sensitive. Casual data needs no special handling, but sensitive data must be protected, and for data at rest nothing beats encrypting it.
We have two options to encrypt our data: encrypt the whole disk during installation, or encrypt an individual partition afterwards.
Disk encryption while Installation
Encrypt the disk during installation by ticking the encryption option on the installer's partitioning screen. You will be asked for a passphrase, and that passphrase is then required at every boot, so decide how a headless server is going to receive it before choosing this option.
Encrypt Partition with LUKS
What is block device encryption?
Block device encryption encrypts and decrypts data transparently as it is written to and read from a block device; the underlying block device only ever holds ciphertext.
To mount an encrypted block device the sysadmin (or user, depending on context) must provide a passphrase to activate the decryption key.
Encryption adds protection beyond the existing OS permission mechanisms: it protects the device's contents even when the disk has been physically removed from the system. It does nothing for data on a volume that is already unlocked and mounted, so it is a defence against theft and careless disposal, not against an attacker with a shell on the running box. Some systems use the same key for encryption and decryption (symmetric), others a separate key for each (asymmetric); LUKS/dm-crypt is symmetric, with the passphrase protecting a master key that is stored in key slots in the LUKS header.
Linux Unified Key Setup (LUKS) is a specification for block device encryption. It establishes an on-disk format for the data as well as a passphrase/key management policy.
LUKS uses the kernel device-mapper subsystem via the dm-crypt module. This arrangement provides a low-level mapping that handles encryption and decryption of the device's data. User-level operations, such as creating and accessing encrypted devices, are done with the cryptsetup utility.
[root@rhel7-server ~]# yum install cryptsetup-luks
(On RHEL7 the package is called cryptsetup; the RHEL6 name cryptsetup-luks is kept as an alias, so either spelling works.)
[root@rhel7-server ~]# fdisk -l /dev/sdc1
Disk /dev/sdc1: 10.7 GB, 10736369664 bytes, 20969472 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
[root@rhel7-server ~]# mount /dev/sdc1 /testdir1
[root@rhel7-server ~]# cd /testdir1
[root@rhel7-server testdir1]# touch 1 2 3 4 5
[root@rhel7-server testdir1]# mkdir -p /testdir1/dir1/dir2/dir3
[root@rhel7-server testdir1]# ls -l
total 0
-rw-r--r--. 1 root root  0 Oct  7 17:39 1
-rw-r--r--. 1 root root  0 Oct  7 17:39 2
-rw-r--r--. 1 root root  0 Oct  7 17:39 3
-rw-r--r--. 1 root root  0 Oct  7 17:39 4
-rw-r--r--. 1 root root  0 Oct  7 17:39 5
drwxr-xr-x. 3 root root 17 Oct  7 17:42 dir1
Take a backup of /testdir1 first, since luksFormat destroys everything on the partition. Here I am using star, which preserves ACLs and extended attributes (including SELinux contexts) if any are present:
[root@rhel7-server ~]# mkdir /bkp
[root@rhel7-server testdir1]# cd /bkp
[root@rhel7-server bkp]# star -xattr -H=exustar -c -f testdir.star /testdir1/
star: 3 blocks + 0 bytes (total of 30720 bytes = 30.00k).
[root@rhel7-server bkp]# ls -l
total 32
-rw-r--r--. 1 root root 30720 Oct  7 17:52 testdir.star
Before moving forward, let's check the contents of the backup:
[root@rhel7-server bkp]# star -t -f=testdir.star
/testdir1/
/testdir1/1
/testdir1/2
/testdir1/3
/testdir1/4
/testdir1/5
/testdir1/dir1/
/testdir1/dir1/dir2/
/testdir1/dir1/dir2/dir3/
/testdir1/testdir.star
star: 3 blocks + 0 bytes (total of 30720 bytes = 30.00k).
To restore with star, run it from / so that the stored /testdir1/... paths land back in place (star strips the leading slash and extracts relative to the current directory):
[root@rhel7-server /]# star -x -f=/bkp/testdir.star
Running the same extraction from inside /testdir1 instead creates a nested /testdir1/testdir1, which is what the stray testdir1 directory in the final listing below comes from:
[root@rhel7-server bkp]# cd /testdir1/
[root@rhel7-server testdir1]# star -x -f=/bkp/testdir.star
OR, with xfsdump (-l 0 is a full, level-0 dump; the dump file is written to the current directory):
[root@rhel7-server /]# xfsdump -l 0 -f ./testdir.xfsdump /testdir1
OR, with plain tar (add --acls --selinux --xattrs if you need ACLs and SELinux contexts preserved):
[root@rhel7-server /]# cd /testdir1/
[root@rhel7-server testdir1]# tar -cvf testdir1.tar *
[root@rhel7-server testdir1]# mv testdir1.tar /bkp
Let's start the encryption. The partition must be unmounted, and everything on it is about to be destroyed:
[root@rhel7-server /]# umount /testdir1
[root@rhel7-server /]# cryptsetup luksFormat -y -v /dev/sdc1
WARNING!
========
This will overwrite data on /dev/sdc1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Command successful.
-y asks for the passphrase twice, -v is verbose. Before putting data on the volume, back up the LUKS header (cryptsetup luksHeaderBackup /dev/sdc1 --header-backup-file <file>, kept off the box) and consider adding a second passphrase with cryptsetup luksAddKey /dev/sdc1: if the header is damaged or the only passphrase is lost, the data is gone for good. cryptsetup luksDump /dev/sdc1 shows the header, cipher and occupied key slots.
[root@rhel7-server /]# blkid | grep LUKS
/dev/sdc1: UUID="18668172-3466-4c01-9a63-b7a90781a508" TYPE="crypto_LUKS"
[root@rhel7-server /]# cryptsetup luksOpen /dev/sdc1 testdir1
Enter passphrase for /dev/sdc1:
luksOpen creates the clear-text mapping /dev/mapper/testdir1. From here on the file system is created on and mounted from that mapping, never on /dev/sdc1 directly:
[root@rhel7-server /]# ls -l /dev/mapper/
total 0
crw-------. 1 root root 10, 236 Oct  7 15:34 control
lrwxrwxrwx. 1 root root       7 Oct  7 15:34 rhel-home -> ../dm-2
lrwxrwxrwx. 1 root root       7 Oct  7 15:34 rhel-root -> ../dm-0
lrwxrwxrwx. 1 root root       7 Oct  7 15:34 rhel-swap -> ../dm-1
lrwxrwxrwx. 1 root root       7 Oct  7 18:34 testdir1 -> ../dm-3
[root@rhel7-server /]# mkfs.xfs /dev/mapper/testdir1
meta-data=/dev/mapper/testdir1   isize=256    agcount=4, agsize=655168 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0
data     =                       bsize=4096   blocks=2620672, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal log           bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
[root@rhel7-server /]# mount /dev/mapper/testdir1 /testdir1
Now put the data back onto the encrypted file system. xfsrestore -I lists the dump sessions recorded in the xfsdump inventory:
[root@rhel7-server /]# xfsrestore -I
session 1:
    mount point:    rhel7-server:/testdir1
    device:         rhel7-server:/dev/sdc1
    time:           Sun Oct  7 18:10:57 2018
    session label:  "./testdir.xfsdump"
    session id:     4f77b6cf-42cd-43ac-af71-3bf1cd7b8220
    level:          0
    resumed:        NO
    subtree:        NO
    streams:        1
    stream 0:
        pathname:       /testdir.xfsdump
        start:          ino 0 offset 0
        end:            ino 0 offset 0
        interrupted:    YES
        media files:    0
session 2:
    mount point:    rhel7-server:/testdir1
    device:         rhel7-server:/dev/sdc1
    time:           Sun Oct  7 18:11:27 2018
    session label:  "testdir.xfsdump"
    session id:     93fa786a-45c2-4a41-8c36-9e14e70c6314
    level:          0
    resumed:        NO
    subtree:        NO
    streams:        1
    stream 0:
        pathname:       /testdir.xfsdump
        start:          ino 132 offset 0
        end:            ino 138 offset 0
        interrupted:    NO
        media files:    1
        media file 0:
            mfile index:    0
            mfile type:     data
            mfile size:     37672
            mfile start:    ino 132 offset 0
            mfile end:      ino 138 offset 0
            media label:    "0"
            media id:       54248116-3034-4f06-8920-da62aef70e01
xfsrestore: Restore Status: SUCCESS
Session 1 was interrupted and has no media files, so the restore selects session 2 by its session id with -S.
# xfsrestore -f testdir.xfsdump -S 93fa786a-45c2-4a41-8c36-9e14e70c6314 /testdir1
xfsrestore: using file dump (drive_simple) strategy
xfsrestore: version 3.1.3 (dump format 3.0) - type ^C for status and control
xfsrestore: using online session inventory
xfsrestore: searching media for directory dump
xfsrestore: examining media file 0
xfsrestore: reading directories
xfsrestore: 5 directories and 10 entries processed
xfsrestore: directory post-processing
xfsrestore: restoring non-directory files
xfsrestore: restore complete: 0 seconds elapsed
xfsrestore: Restore Summary:
xfsrestore:   stream 0 /testdir.xfsdump OK (success)
xfsrestore: Restore Status: SUCCESS
[root@rhel7-server /]# ls -l /testdir1
total 0
-rw-r--r--. 1 root root  0 Oct  7 17:39 1
-rw-r--r--. 1 root root  0 Oct  7 17:39 2
-rw-r--r--. 1 root root  0 Oct  7 17:39 3
-rw-r--r--. 1 root root  0 Oct  7 17:39 4
-rw-r--r--. 1 root root  0 Oct  7 17:39 5
drwxr-xr-x. 3 root root 17 Oct  7 17:42 dir1
drwxr-xr-x. 2 root root  6 Oct  7 18:10 testdir1
The data is back, now on an encrypted volume. The extra testdir1 directory (timestamp 18:10) is not from xfsrestore: it was created by the star -x that was run from inside /testdir1 earlier and was then swept into the xfsdump. Extract from / to avoid that.
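The steps above unlock and mount the volume by hand; after a reboot the container is closed again until someone runs luksOpen. For predictable boots the container goes into /etc/crypttab and the mapped device into /etc/fstab. The script below is an added example, not from the original post: it emits those two lines for a container and audits blkid output for LUKS containers that crypttab does not know about. The sdd1 device and its UUID are invented sample data; the sdc1 UUID is the one shown above.

```shell
#!/bin/bash
# Added example (not from the original post): make a LUKS container persistent
# across reboots and audit that every LUKS container known to blkid has a
# /etc/crypttab entry.
set -eu

# /etc/crypttab line: unlock the container with this UUID as /dev/mapper/<name>
# at boot. "none" = ask for the passphrase on the console, "luks" = LUKS header.
crypttab_line() {              # $1 = mapper name, $2 = LUKS UUID
  printf '%s UUID=%s none luks\n' "$1" "$2"
}

# Matching /etc/fstab line. Reference the mapped device by name, never the raw
# /dev/sdX path, and start from nosuid,nodev as the baseline for a data volume.
fstab_line() {                 # $1 = mapper name, $2 = mount point, $3 = fs type
  printf '/dev/mapper/%s %s %s defaults,nosuid,nodev 0 0\n' "$1" "$2" "$3"
}

# Read blkid output on stdin; print the UUID of every crypto_LUKS device that
# has no (uncommented) entry in the crypttab file given as $1. Such a volume
# silently stays locked after the next reboot.
luks_missing_from_crypttab() { # $1 = path to crypttab
  entries=$(grep -v '^[[:space:]]*#' "$1" || true)
  while IFS= read -r line; do
    case "$line" in *'TYPE="crypto_LUKS"'*) ;; *) continue ;; esac
    # " UUID=" with a leading space so PARTUUID="..." is not picked up
    uuid=$(printf '%s\n' "$line" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p')
    [ -n "$uuid" ] || continue
    case "$entries" in
      *"UUID=$uuid"*) ;;                 # present, fine
      *) printf '%s\n' "$uuid" ;;        # missing from crypttab
    esac
  done
}

# Constructed sample data. sdc1 is the container created on this page; sdd1
# and its UUID are invented to show a container crypttab does not know about.
sample_blkid() {
  cat <<'EOF'
/dev/sda1: UUID="25b515af-afdf-43a3-a4ab-97098d78854a" TYPE="xfs"
/dev/sdc1: UUID="18668172-3466-4c01-9a63-b7a90781a508" TYPE="crypto_LUKS"
/dev/sdd1: UUID="0b2d9f4e-aaaa-4bbb-8ccc-123456789abc" TYPE="crypto_LUKS"
EOF
}
sample_crypttab() {
  cat <<'EOF'
# <name>  <device>                                   <password> <options>
testdir1  UUID=18668172-3466-4c01-9a63-b7a90781a508  none       luks
EOF
}

demo() {
  ct=$(mktemp)
  sample_crypttab > "$ct"
  echo "crypttab line:"; crypttab_line testdir1 18668172-3466-4c01-9a63-b7a90781a508
  echo "fstab line:";    fstab_line testdir1 /testdir1 xfs
  echo "LUKS containers with no crypttab entry:"
  sample_blkid | luks_missing_from_crypttab "$ct"
  rm -f "$ct"
}
demo
# On a real host: blkid | luks_missing_from_crypttab /etc/crypttab
```

The audit deliberately reads blkid rather than /etc/fstab, because a container that was formatted and opened by hand leaves no trace in either file; the only place it shows up is the LUKS signature on the partition.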
Prevent users from deleting files (Sticky Bit)
The sticky bit on a directory means that only a file's owner, the directory's owner or root can delete or rename an entry in it, even when the directory is world-writable. It is used on shared directories such as /tmp.
[root@rhel7-server ~]# mkdir /shared-dir
[root@rhel7-server ~]# chmod 1555 /shared-dir/
[root@rhel7-server ~]# ls -ld /shared-dir/
dr-sr-xr-t. 2 root root 6 Jan  2 12:50 /shared-dir/
[root@rhel7-server ~]# chmod 1554 /shared-dir/
[root@rhel7-server ~]# ls -ld /shared-dir/
dr-sr-xr-T. 2 root root 6 Jan  2 12:50 /shared-dir/
[root@rhel7-server /]# chmod 777 /shared-dir/
[root@rhel7-server /]# ls -ld /shared-dir/
drwsrwxrwx. 2 root root 6 Jan  2 12:50 /shared-dir/
[root@rhel7-server /]# chmod ug+t /shared-dir/
[root@rhel7-server /]# ls -ld /shared-dir/
drwsrwxrwt. 2 root root 6 Jan  2 12:50 /shared-dir/
Check the small "t" and the capital "T":
t: the sticky bit is set and others also have execute (search) permission.
T: the sticky bit is set but others have no execute permission.
Two things are worth noting in the listing. The "s" in the owner's execute position is a set-user-ID bit this directory already carried; setuid has no meaning on a directory in Linux, but GNU chmod preserves setuid/setgid on directories when given a four-digit mode, which is why even chmod 777 leaves drwsrwxrwx. Clear it with chmod u-s. And chmod 777 did drop the sticky bit, so it had to be put back with +t; for a shared drop directory the usual single step is chmod 1777.
Avoid SUID/SGID wherever possible
These two permission bits cause an executable to run with the privileges of the file's owner (SUID) or group (SGID) instead of those of the user running it. If a program is owned by root and has the setuid bit set, any user who runs it runs it as root, so every such binary is a privilege boundary that has to hold.
Leave the SUID/SGID files shipped by the distribution as they are (passwd, su, sudo and friends need them), but do not add your own. In particular, never set SUID on a script: Linux ignores the bit on interpreted (#!) scripts anyway, and SUID wrapper binaries that invoke a shell are a classic privilege-escalation hole.
I already created a post on SUID/SGID/STICKY BIT, please refer to the link below to understand them better.
Find files having SUID or SGID set:
# find / \( -perm -004000 -o -perm -002000 \) -type f -print
GNU find also accepts -perm /6000 ("any of these bits") as a shorthand for the same test. For each hit, rpm -qf <file> tells you whether a package owns it; a SUID binary that belongs to no package deserves a closer look.
Find files with 777 and SUID owned by root:
[root@rhel7-server ~]# find / -user root -perm 4777 -ls
Find files with 777 and SGID owned by root:
[root@rhel7-server ~]# find / -user root -perm 2777 -ls
Find files with 777 along with SUID and SGID owned by root:
[root@rhel7-server ~]# find / -user root -perm 6777 -ls
Please refer to the links below to see how SUID binaries are exploited.
Implement ACL
ACLs are an additional layer of protection on top of the owner/group/other bits, giving a far more flexible permission mechanism for file systems.
I already created a post on ACL, please refer to the link below to understand them better.
Disk Partitioning
It's always better to have separate partitions and keep designated data in each of them: a runaway log in /var or a user filling /home then cannot fill the root file system, and each partition can carry mount options (nosuid, nodev, noexec, ro) matched to what lives there.
/boot
/usr
/var
/home
/opt
/tmp
/
Avoid world writable files & directories
It's dangerous to have 777 permission on files and directories. World-writable files are a security risk since anyone can modify them; world-writable directories let anyone add or delete files, and plant symlinks for a privileged process to follow.
/tmp has 777 but also has the sticky bit set, which stops users deleting each other's files.
# find / -path /proc -prune -o -perm -2 ! -type l -ls |tail -5
53712051    0 drwxrwxrwt   2 root      root            6 Oct  7 15:34 /var/tmp/systemd-private-WBlxuR/tmp
53738853    0 drwxrwxrwt   2 root      root            6 Oct  7 15:34 /var/tmp/systemd-private-ZRGaiB/tmp
18259871    0 drwxrwxrwx   2 sambatest sambagr        26 Aug  5 15:31 /samba-share-test
 2068705    0 drwxrwxrwx   2 root      root           45 Aug 12 16:22 /anonymous-samba
 2068738    0 -rwxrwxrwx   1 root      root            0 Aug 26 14:49 /audit-test-dir/f1
Here "! -type l" excludes symlinks, whose mode always shows as 777 and means nothing. The two systemd-private tmp directories are sticky (drwxrwxrwt) and expected; the samba and audit-test entries are the ones to look at.
Find the files/dirs having permission 777:
[root@rhel7-server ~]# find / -perm 0777 -ls
Find the files/dirs having permission 777 and owned by root:
[root@rhel7-server ~]# find / -user root -perm 0777 -ls
Find directories having permission other than 775:
[root@rhel7-server ~]# find / -type d -not -perm 775 -ls
Find files having permission other than 644:
[root@rhel7-server ~]# find / -type f -not -perm 644 -ls
Both in one run (the outer parentheses matter: without them -ls would attach only to the file branch and the directories would never be printed):
# find / \( \( -type d -not -perm 775 \) -o \( -type f -not -perm 664 \) \) -ls
The "other than 775/644" searches are noisy on a real system, since most of /usr, /etc and /var is deliberately something else, so use them on a specific tree rather than on /.
Find all files beginning with a period anywhere on the / file system that are either group-writable or world-writable:
[root@rhel7-server ~]# find / \( -perm -2 -o -perm -20 \) -name '.*' -ls
(The parentheses are needed here too: find's -o binds more loosely than the implied -a, so without them -name and -ls would apply only to the -perm -20 branch and world-writable dotfiles that are not also group-writable would go unreported.)
Any file beginning with a period (.) should not be world- or group-writable. Files that begin with a period should not be readable or writable by anyone other than the file's owner (they should be 600).
Why it matters: if .cshrc, .profile or .login are world-writable, anyone can append commands that run with that user's privileges at their next login.
Avoid 777 altogether; where a directory really must be world-writable, set the sticky bit as well.
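A one-off find is a snapshot; what matters operationally is change. The following added script (not from the original post) packages the SUID/SGID search from the previous section and the world-writable search from this one into functions that produce sorted lists, plus a comm-based diff that reports only entries new since a saved baseline. The baseline paths in the comments are assumptions; the demo runs on a scratch directory it creates itself.

```shell
#!/bin/bash
# Added example (not from the original post): scan a tree for SUID/SGID files
# and world-writable files/directories, and report only what is new relative
# to a saved baseline. Covers the "Avoid SUID/SGID" and "Avoid world writable"
# checks above in one reusable script.
set -eu

# SUID or SGID regular files under $1, staying on one file system (-xdev so a
# scan of / does not wander into /proc, /sys or NFS mounts). GNU find's -printf
# gives octal mode, owner:group and path, e.g. "4755 root:root /usr/bin/passwd".
scan_suid_sgid() {              # $1 = directory to scan
  { find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
         -printf '%m %u:%g %p\n' 2>/dev/null || true; } | sort
}

# World-writable files and directories under $1. Symlinks are skipped (their
# mode is always 777 and meaningless) and so are sticky directories such as
# /tmp, which are world-writable by design.
scan_world_writable() {         # $1 = directory to scan
  { find "$1" -xdev ! -type l -perm -0002 ! \( -type d -perm -1000 \) \
         -printf '%m %u:%g %p\n' 2>/dev/null || true; } | sort
}

# Lines present in the current scan ($2) but absent from the baseline ($1).
# Both inputs must be sorted, which the scan functions guarantee.
new_findings() {                # $1 = baseline file, $2 = current scan file
  comm -13 "$1" "$2"
}

# Typical use (assumed paths): record a baseline right after installation,
# then re-run from cron and alert on any output.
#   scan_suid_sgid / > /var/lib/audit-baseline/suid.txt
#   scan_suid_sgid / > /tmp/suid.now
#   new_findings /var/lib/audit-baseline/suid.txt /tmp/suid.now

# Self-contained demo on a scratch directory (constructed, not a real system).
demo() {
  d=$(mktemp -d)
  : > "$d/passwd-like"; chmod 4755 "$d/passwd-like"      # SUID file
  mkdir "$d/tmp";       chmod 1777 "$d/tmp"              # sticky: ignored
  mkdir "$d/dropbox";   chmod 777  "$d/dropbox"          # world-writable dir
  scan_suid_sgid "$d"      > "$d/.suid.base"
  scan_world_writable "$d" > "$d/.ww.base"
  : > "$d/dropbox/new.sh"; chmod 777 "$d/dropbox/new.sh" # appears after baseline
  scan_world_writable "$d" > "$d/.ww.now"
  echo "SUID/SGID files:";                    cat "$d/.suid.base"
  echo "new world-writable since baseline:";  new_findings "$d/.ww.base" "$d/.ww.now"
  rm -rf "$d"
}
demo
```

Keeping the output format to mode, owner and path makes the baseline stable across reboots (no inode numbers or timestamps), so a diff line really means a new or re-permissioned object.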
Avoid symbolic links
Symbolic links are harmless until someone abuses them, typically by planting a link in a world-writable directory such as /tmp so that a privileged process follows it to a file the attacker could not touch directly. Find the symlinks on the system and remove the unnecessary ones. On RHEL7 also check sysctl fs.protected_symlinks and make sure it is 1: since kernel 3.6 this stops symlinks in sticky world-writable directories from being followed unless the follower owns the link or the directory.
[root@rhel7-server ~]# find . -type l -ls
[root@rhel7-server ~]# find -L /var -xtype l -ls
[root@rhel6-server ~]# find /var/www/ -type l
[root@rhel7-server ~]# find /var/ -type l
/var/run
/var/lock
/var/mail
Follow symlinks while searching (-L) so that links inside linked directories such as /var/run are found as well:
[root@rhel7-server ~]# find -L /var -xtype l
/var/run
/var/run/user/42/X11-display
/var/run/udev/watch/8
/var/run/udev/watch/7
/var/run/udev/watch/6
/var/run/udev/watch/5
/var/run/udev/watch/4
/var/run/udev/watch/3
/var/run/udev/watch/2
/var/run/udev/watch/1
/var/run/udev/static_node-tags/uaccess/snd\x2ftimer
/var/run/systemd/generator/vsftpd.target.wants/vsftpd@vsftpd.service
/var/run/systemd/generator/swap.target.wants/dev-mapper-rhel\x2dswap.swap
/var/run/systemd/generator/local-fs.target.requires/home.mount
/var/run/systemd/generator/local-fs.target.requires/boot.mount
/var/run/systemd/generator/local-fs.target.requires/-.mount
find: ‘/var/run/systemd/generator/local-fs.target.wants/systemd-fsck-root.service’: Too many levels of symbolic links
/var/lock
/var/mail
The "Too many levels of symbolic links" message is find reporting a symlink loop it refused to follow; it is not an error in the search.
Find which files the symlinks are targeting:
[root@rhel7-server tmp]# find -L /var -xtype l -exec ls -al {} \;
lrwxrwxrwx. 1 root root  6 Nov 12  2017 /var/run -> ../run
lrwxrwxrwx. 1 root root 17 Oct  7 15:34 /var/run/user/42/X11-display -> /tmp/.X11-unix/X0
lrwxrwxrwx. 1 root root  6 Oct  7 15:34 /var/run/udev/watch/8 -> b253:0
lrwxrwxrwx. 1 root root  4 Oct  7 15:34 /var/run/udev/watch/7 -> b8:1
lrwxrwxrwx. 1 root root  6 Oct  7 15:34 /var/run/udev/watch/6 -> b253:2
lrwxrwxrwx. 1 root root  6 Oct  7 15:34 /var/run/udev/watch/5 -> b253:1
lrwxrwxrwx. 1 root root  4 Oct  7 15:34 /var/run/udev/watch/4 -> b8:2
lrwxrwxrwx. 1 root root  4 Oct  7 15:34 /var/run/udev/watch/3 -> b8:0
lrwxrwxrwx. 1 root root  5 Oct  7 15:34 /var/run/udev/watch/2 -> b8:16
lrwxrwxrwx. 1 root root  5 Oct  7 15:34 /var/run/udev/watch/1 -> b8:32
lrwxrwxrwx. 1 root root 14 Oct  7 15:34 /var/run/udev/static_node-tags/uaccess/snd\x2ftimer -> /dev/snd/timer
lrwxrwxrwx. 1 root root 39 Oct  7 15:34 /var/run/systemd/generator/vsftpd.target.wants/vsftpd@vsftpd.service -> /usr/lib/systemd/system/vsftpd@.service
lrwxrwxrwx. 1 root root 51 Oct  7 15:34 /var/run/systemd/generator/swap.target.wants/dev-mapper-rhel\x2dswap.swap -> /run/systemd/generator/dev-mapper-rhel\x2dswap.swap
lrwxrwxrwx. 1 root root 33 Oct  7 15:34 /var/run/systemd/generator/local-fs.target.requires/home.mount -> /run/systemd/generator/home.mount
lrwxrwxrwx. 1 root root 33 Oct  7 15:34 /var/run/systemd/generator/local-fs.target.requires/boot.mount -> /run/systemd/generator/boot.mount
lrwxrwxrwx. 1 root root 30 Oct  7 15:34 /var/run/systemd/generator/local-fs.target.requires/-.mount -> /run/systemd/generator/-.mount
find: ‘/var/run/systemd/generator/local-fs.target.wants/systemd-fsck-root.service’: Too many levels of symbolic links
lrwxrwxrwx. 1 root root 11 Nov 12  2017 /var/lock -> ../run/lock
lrwxrwxrwx. 1 root root 10 Nov 12  2017 /var/mail -> spool/mail
[root@rhel7-server tmp]# find -L . -type l -ls
find: ‘./123’: Permission denied
find: ‘./1234’: Permission denied
I got 2 symlinks in /tmp and want to delete them:
[root@rhel7-server tmp]# find /tmp -type l -delete
(-delete removes only the link itself, never its target; still, run the same find without -delete first to see exactly what will go.)
Extra caution is required with symlinks under Apache: with Options FollowSymLinks a link inside the DocumentRoot can expose files from anywhere on the disk, so prefer SymLinksIfOwnerMatch or disable symlink following for served trees.
Please refer to the links below to see how symbolic links are exploited.
Protecting important files
This topic is very diverse to implement; we have to carefully choose the files that must be protected. Once identified we can make them immutable, so that no one, not even root, can modify or delete them until the attribute is removed:
# chattr +i <file name>
Also, we can ensure that a file can only be appended to (useful for logs):
# chattr +a <file name>
Check attributes with lsattr <file name>. Two caveats: root can simply run chattr -i, so this guards against mistakes and unprivileged tampering rather than a root-level compromise, and an immutable file cannot be updated by yum/rpm either, so lift the attribute before patching.
Protecting cron jobs
It might happen that by mistake some cron script files are left readable by normal users. No user should be able to read the cron scripts set up by root: they reveal what runs as root, when, and from where, which is exactly what an attacker needs to plan a race or a replacement.
So better to do the following to avoid any mishap:
[root@rhel7-server ~]# chmod 0700 /etc/cron.daily/*
Do the same for /etc/cron.hourly, /etc/cron.weekly, /etc/cron.monthly and /etc/cron.d, and make /etc/crontab itself 0600. Also check that nothing in those directories is writable by a non-root user: a writable cron script is a direct path to root.
One more thing we can consider is restricting who may use cron at all, via /etc/cron.allow and /etc/cron.deny. We can block users from running cron by putting their user names in /etc/cron.deny; if /etc/cron.allow exists, only the users listed in it may use crontab and cron.deny is ignored.
Only required packages should be installed
When I am not running any website, why is httpd required on my system? This question applies to every unnecessary package, but again be careful when deciding what is unnecessary: avoid playing with system packages, and read the dependency list before removing anything.
Let's find the list of installed packages on the system:
[root@rhel7-server ~]# yum list installed
OR,
[root@rhel7-server ~]# rpm -qa
[root@rhel7-server ~]# yum erase <package name>
OR,
[root@rhel7-server ~]# rpm -e <package name>
yum erase also removes everything that depends on the package and shows you the list before acting; rpm -e refuses to break dependencies, so if it complains, stop and read why rather than forcing it with --nodeps.
Disable Unwanted Services
How to check services enabled at boot:
[root@rhel7-server ~]# systemctl list-unit-files | grep enabled
OR,
[root@rhel6-server ~]# chkconfig --list |grep '3:on'
Disable services at boot:
[root@rhel7-server ~]# systemctl disable <service name>
OR,
[root@rhel6-server ~]# chkconfig <service name> off
Disabling only affects the next boot; stop the running instance as well (systemctl stop <service name>, or service <service name> stop on RHEL6). For a service that must never come back, systemctl mask <service name> links the unit to /dev/null so that nothing else can start it either.
There is one more thing to consider in respect of RPMs.
Verify the integrity/genuineness of an rpm package
It is possible that package files have been tampered with after installation; to find out, we verify the package.
Verifying a package compares information about the files installed from a package with the same information recorded from the original package. Among other things, verification compares the size, digest (MD5 in old packages, SHA-256 since RHEL6), permissions, type, owner and group of each file.
Keep in mind what this does and does not prove: the comparison is against the local RPM database, which a root-level intruder can alter along with the files. For a stronger check, verify against a pristine copy of the package (rpm -Vp <package>.rpm) and check package signatures with rpm -K before installing anything.
Verifying a particular package:
[root@rhel6-test1 /]# rpm -Vv vsftpd
.........  c /etc/logrotate.d/vsftpd
.........  c /etc/pam.d/vsftpd
.........    /etc/rc.d/init.d/vsftpd
.........    /etc/vsftpd
.........  c /etc/vsftpd/ftpusers
.........  c /etc/vsftpd/user_list
.........  c /etc/vsftpd/vsftpd.conf
.........    /etc/vsftpd/vsftpd_conf_migrate.sh
.........    /usr/sbin/vsftpd
.........    /usr/share/doc/vsftpd-2.2.2
.........  d /usr/share/doc/vsftpd-2.2.2/AUDIT
.........  d /usr/share/doc/vsftpd-2.2.2/BENCHMARKS
.........  d /usr/share/doc/vsftpd-2.2.2/BUGS
.........  d /usr/share/doc/vsftpd-2.2.2/COPYING
.........  d /usr/share/doc/vsftpd-2.2.2/Changelog
.........    /usr/share/doc/vsftpd-2.2.2/EXAMPLE
.........    /usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE
.........  d /usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE/README
.........  d /usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE/README.configuration
=============O/P REMOVED======================================
I put some garbage into "/etc/vsftpd/vsftpd.conf":
[root@rhel6-test1 /]# service vsftpd restart
[root@rhel6-test1 /]# rpm -Vv vsftpd
.........  c /etc/logrotate.d/vsftpd
.........  c /etc/pam.d/vsftpd
.........    /etc/rc.d/init.d/vsftpd
.........    /etc/vsftpd
.........  c /etc/vsftpd/ftpusers
.........  c /etc/vsftpd/user_list
S.5....T.  c /etc/vsftpd/vsftpd.conf
.........    /etc/vsftpd/vsftpd_conf_migrate.sh
.........    /usr/sbin/vsftpd
.........    /usr/share/doc/vsftpd-2.2.2
.........  d /usr/share/doc/vsftpd-2.2.2/AUDIT
.........  d /usr/share/doc/vsftpd-2.2.2/BENCHMARKS
=============O/P REMOVED======================================
What is this S.5....T.?
Each position in the nine-character field stands for one test; a dot means the test passed, a letter means it failed:
S — file size differs
M — mode differs (includes permissions and file type)
5 — digest differs (MD5 in old packages, SHA-256 since RHEL6)
D — device major/minor number differs
L — symbolic link path mismatch
U — user ownership differs
G — group ownership differs
T — file modification time differs
P — capabilities differ
? — test could not be performed (e.g. unreadable file)
We are getting S, 5 and T, meaning the file size, digest and modification time are different, which is exactly what editing the config produced. The "c" after the flags marks a config file, where such changes are often legitimate; the same S.5 flags on a file without "c", say /usr/sbin/vsftpd, would mean the binary itself has been replaced.
[root@rhel6-test1 /]# rpm -Vvf /etc/ssh/sshd_config
.........  c /etc/pam.d/ssh-keycat
.........  c /etc/pam.d/sshd
.........    /etc/rc.d/init.d/sshd
.M.....T.  c /etc/ssh/sshd_config
.........  c /etc/sysconfig/sshd
.........    /usr/libexec/openssh/sftp-server
.........    /usr/libexec/openssh/ssh-keycat
.........    /usr/sbin/.sshd.hmac
.........    /usr/sbin/sshd
.........    /usr/share/doc/openssh-server-5.3p1
.........  d /usr/share/doc/openssh-server-5.3p1/HOWTO.ssh-keycat
.........  d /usr/share/man/man5/moduli.5.gz
.........  d /usr/share/man/man5/sshd_config.5.gz
.........  d /usr/share/man/man8/sftp-server.8.gz
.........  d /usr/share/man/man8/sshd.8.gz
.........    /var/empty/sshd
To verify all installed packages in one go:
[root@rhel6-test1 /]# rpm -Va
.M.......    /media
S.5....T.  c /etc/libuser.conf
....L....  c /etc/pam.d/fingerprint-auth
....L....  c /etc/pam.d/password-auth
....L....  c /etc/pam.d/smartcard-auth
....L....  c /etc/pam.d/system-auth
S.5....T.  c /etc/updatedb.conf
S.5....T.  c /etc/login.defs
..5....T.  c /etc/inittab
.......T.  c /etc/rc.d/rc.local
S.5....T.  c /etc/sysctl.conf
=============O/P REMOVED======================================
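rpm -Va on a real host prints dozens of lines, most of them config files that were changed on purpose. The script below is an added example, not from the original post: it reads rpm -Va output and ranks each line, so that a changed digest on a non-config file (a replaced binary), a missing file, or a mode/owner change stands out from an edited config file or a bare mtime change. The sample input is constructed from the lines shown above plus an invented replaced /usr/sbin/sshd and a missing /usr/bin/passwd.

```shell
#!/bin/bash
# Added example (not from the original post): triage `rpm -Va` output.
# Config files (attribute "c") change legitimately; a changed digest/size on a
# file that is NOT a config file, a missing file, or a mode/owner change are
# the findings worth alerting on. Reads rpm -Va output on stdin.
set -eu

triage_rpm_verify() {
  awk '
    # rpm prints warnings on stderr; skip any that were redirected into the stream.
    /^(warning:|Unsatisfied|prelink:)/ { next }
    NF < 2 { next }
    $1 == "missing" { print "HIGH    missing file           " $NF; next }
    {
      flags = $1
      attr  = (NF == 3) ? $2 : ""      # c=config d=doc g=ghost l=license r=readme
      path  = $NF
      content = (flags ~ /5/ || flags ~ /S/)                 # digest or size differs
      owner   = (flags ~ /M/ || flags ~ /U/ || flags ~ /G/)  # mode, user or group differs
      if      (content && attr != "c") sev = "HIGH    content changed       "
      else if (owner   && attr != "c") sev = "HIGH    mode/owner changed    "
      else if (content)                sev = "MEDIUM  config file edited    "
      else if (owner)                  sev = "MEDIUM  config mode changed   "
      else if (flags ~ /L/)            sev = "MEDIUM  symlink target changed"
      else                             sev = "LOW     mtime only            "
      print sev " " flags " " path
    }'
}

# Constructed sample: the first four lines appear in the rpm -Va output above;
# the replaced sshd binary and the missing passwd binary are invented.
sample_rpm_va() {
  cat <<'EOF'
.M.......    /media
S.5....T.  c /etc/libuser.conf
....L....  c /etc/pam.d/system-auth
.......T.  c /etc/rc.d/rc.local
S.5....T.    /usr/sbin/sshd
missing      /usr/bin/passwd
EOF
}

sample_rpm_va | triage_rpm_verify
# On a real host: rpm -Va 2>/dev/null | triage_rpm_verify | grep -v '^LOW'
```

The "L" flags on the pam.d files in the listing above are a good illustration of why the attribute column matters: they are config files whose symlink target was changed by authconfig, which is noise, whereas the same flag on a library symlink under /usr/lib would not be.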
Remove GUI access
Why is a GUI required on a server? There is no need to have X Window on a hardened Linux server: it is a large attack surface that nobody logs in to use.
Just check what the default target is:
[root@rhel7-server ~]# systemctl get-default
graphical.target
Now disable the GUI at boot:
[root@rhel7-server ~]# systemctl set-default multi-user.target
rm '/etc/systemd/system/default.target'
ln -s '/usr/lib/systemd/system/multi-user.target' '/etc/systemd/system/default.target'
[root@rhel7-server ~]# systemctl get-default
multi-user.target
If the GUI is ever required again:
[root@rhel7-server ~]# systemctl set-default graphical.target
rm '/etc/systemd/system/default.target'
ln -s '/usr/lib/systemd/system/graphical.target' '/etc/systemd/system/default.target'
[root@rhel7-server ~]# systemctl get-default
graphical.target
Or, if you never want to see a GUI on this box, remove the packages altogether. Changing the target only stops X from starting at boot; the binaries are still there for anyone to run with startx.
# yum groupremove "X Window System"
# yum groupremove "GNOME Desktop Environment"
Group names differ between releases; yum grouplist shows the ones your system knows (on RHEL7 the desktop group is "GNOME Desktop").
Resource Limit
Knowingly or unknowingly, intentionally or unintentionally, it is possible that some user or process will eat all system resources and leave a crawling, unresponsive system behind. Per-user limits bound the damage (a fork bomb from an unprivileged account, a runaway log writer filling the disk).
The PAM module pam_limits is used to implement resource limiting. It applies to sessions that go through PAM (ssh, login, su); services started by systemd take their limits from the unit file instead (LimitNPROC=, LimitNOFILE= and so on).
/etc/security/limits.conf
#<domain> <type> <item> <value>
domain: a user name, @group name, or the wildcard * (all users) to which the limit applies
type: hard or soft. The soft limit is the one in effect, and the user may raise it, but only up to the hard limit; the hard limit can only be raised by root.
item/resource: what we want to limit, such as cpu, memlock, nproc
value: the limit value
Configurable items/resources:
core: limits the core file size (KB)
data: maximum data size (KB)
fsize: maximum file size (KB)
memlock: maximum locked-in-memory address space (KB)
nofile: maximum number of open files
rss: maximum resident set size (KB) (ignored in Linux 2.4.30 and higher)
stack: maximum stack size (KB)
cpu: maximum CPU time (minutes)
nproc: maximum number of processes
maxlogins: maximum number of logins for this user, except for uid 0
maxsyslogins: maximum number of all logins on the system
Files in /etc/security/limits.d/ are read after limits.conf and override it; RHEL7 ships 20-nproc.conf there, so check it before wondering why an nproc setting has no effect.
# cp /etc/security/limits.conf /etc/security/limits.conf.ORG
[root@rhel7-server ~]# vi /etc/security/limits.conf
anurag  hard  rss    500
anurag  hard  nproc  3
Now see the magic:
login as: anurag
#################################################################
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law.
#################################################################
anurag@192.168.135.134's password:
Last login: Sun Oct  7 16:40:03 2018
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: Resource temporarily unavailable
-bash-4.2$ ls
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
What happened: the rss line did nothing (current kernels ignore it, as noted in the list above); every failure comes from nproc 3. The user's sshd session process and the login shell already occupy two of the three slots, and the /etc/profile.d scripts fork subshells on login, so each further fork, including a plain ls, is refused. nproc counts all of the user's processes system-wide, not just those in one session, so size it for the user's real workload.
The issue was resolved with the following changes:
[root@rhel7-server ~]# vi /etc/security/limits.conf
anurag  hard  rss    50000
anurag  hard  nproc  50
Let's change the values again and check from the user's side:
anurag  hard  rss     50000
anurag  hard  nproc   50
anurag  hard  nofile  100
anurag  hard  fsize   2048
[anurag@rhel7-server ~]$ ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) 2048
pending signals                 (-i) 8285
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) 50000
open files                      (-n) 100
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 50
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
Protecting Mounted file systems
First check whether NFS is required at all; if the job can be done without NFS, good. If it is a necessity of the design, then we should consider how to make it secure.
[root@rhel7-server ~]# df -kh
Filesystem                 Size  Used Avail Use% Mounted on
/dev/mapper/rhel-root       12G  7.2G  4.6G  61% /
devtmpfs                   518M     0  518M   0% /dev
tmpfs                      527M   80K  527M   1% /dev/shm
tmpfs                      527M  1.1M  526M   1% /run
tmpfs                      527M     0  527M   0% /sys/fs/cgroup
/dev/mapper/rhel-home     1014M   33M  982M   4% /home
/dev/sda1                  497M  119M  379M  24% /boot
/dev/mapper/testdir1        10G   33M   10G   1% /testdir1
192.168.135.142:/nfs-test   12G  6.5G  4.5G  59% /mnt/share
Here I have one file system mounted over the network.
Let's consider a few options to secure the share.
AT NFS SERVER,
First, export "ro" instead of "rw" wherever the clients only need to read.
Second, restrict the export to trusted IPs or networks, like:
/nfs-test/ 192.168.135.133(ro,sync)
/nfs-test/ 192.168.135.0/24(ro,sync)
root_squash - Prevents a remote root user from having root privileges on the export and maps them to the user nfsnobody. This effectively "squashes" the power of the remote root user to the lowest local user, preventing unauthorized alteration of files on the server. It is the default; never export with no_root_squash without a very good reason.
all_squash - Map all uids and gids to the anonymous user. Useful for NFS-exported public FTP directories.
Keep in mind that with the default sec=sys (visible in the mount output below) the server simply believes the uid and gid the client sends, so root_squash only protects against root on the client; any host that can reach the export and can become a given uid can act as that uid. Where that matters, restrict the export by network as above and use Kerberos (sec=krb5, krb5i or krb5p) instead of AUTH_SYS.
AT NFS CLIENT,
nosuid - setuid/setgid bits on files in the share are ignored
noexec - you can't execute binaries from this file system
nouser - only root can mount this entry (an /etc/fstab option, and the default)
nodev - do not interpret character or block special devices on the file system
intr - historically allowed NFS requests to be interrupted if the server went away; ignored by kernels since 2.6.25, and the mount output below shows it is not in effect
proto=tcp - NFSv4 only runs over TCP anyway; for NFSv3 avoid UDP, where fragmented retransmissions can silently corrupt data and spoofing is easier
# mount -t nfs4 -o ro,intr,hard,proto=tcp,nodev,noexec,nosuid 192.168.135.142:/nfs-test /mnt/share
Check all the options in effect with the "mount" command:
[root@rhel7-server /]# mount |grep nfs-test
192.168.135.142:/nfs-test on /mnt/share type nfs4 (ro,nosuid,nodev,noexec,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.135.133,local_lock=none,addr=192.168.135.142)
[root@rhel7-server /]# grep nfs /etc/fstab
192.168.135.142:/nfs-test /mnt/share nfs4 ro,intr,hard,proto=tcp,nodev,noexec,nosuid 0 0
hard - the client retries indefinitely and processes block until the server answers (soft would return errors after the retries and risks data corruption on writable mounts, so hard is the right choice for anything that matters)
intr - see above; it stays in fstab for compatibility but no longer does anything
Change /boot to read-only
When securing everything, why leave the /boot file system read-write?
All the kernel, initramfs and boot-loader files on a Linux server live under /boot, and by default it is mounted read-write. Mounting /boot read-only blocks unauthorized (and accidental) modification of critical boot files by anything running on the system.
[root@rhel7-server /]# grep boot /etc/fstab
UUID=25b515af-afdf-43a3-a4ab-97098d78854a /boot xfs defaults 1 2
Change it like below:
[root@rhel7-server /]# vi /etc/fstab
UUID=25b515af-afdf-43a3-a4ab-97098d78854a /boot xfs defaults,ro 1 2
Reboot the system (or mount -o remount,ro /boot) and test:
[root@rhel7-server ~]# cd /boot/
[root@rhel7-server boot]# touch 1
touch: cannot touch ‘1’: Read-only file system
The price is operational: kernel updates and grub2-mkconfig write to /boot and fail on a read-only mount, so remount it read-write before patching (mount -o remount,rw /boot) and back to read-only afterwards. The protection is also only against software on the running system; anyone with console access can still edit boot parameters at the GRUB prompt unless the boot loader is password-protected, which belongs to the physical security part of this series.
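Several sections above end with a mount option (nosuid, nodev, noexec, ro) that has to stay in place on /tmp, /home, /dev/shm, the NFS share and /boot. The following added example (not part of the original post) encodes that expectation as a small policy and checks it against /proc/mounts, which reflects what is actually in effect rather than what /etc/fstab says. The policy values and the sample mount table are assumptions built from the df and mount output shown on this page.

```shell
#!/bin/bash
# Added example (not from the original post): check that the mount options this
# page recommends are actually in effect, by reading /proc/mounts format rather
# than /etc/fstab (which only says what is supposed to happen at boot).
set -eu

# Policy: "<mount point> <comma-separated options that must be present>".
# Assumed values; adjust to your partition layout.
policy() {
  cat <<'EOF'
/boot      ro,nodev,nosuid
/home      nodev,nosuid
/tmp       nodev,nosuid,noexec
/var/tmp   nodev,nosuid,noexec
/dev/shm   nodev,nosuid,noexec
/mnt/share ro,nodev,nosuid,noexec
EOF
}

# Compare the policy file ($1) with /proc/mounts lines on stdin
# ("device mountpoint fstype options dump pass"). Prints, sorted:
#   MISSING <mp> <option>   for each required option not in effect
#   NOTMOUNTED <mp>         when the policy names a path that is not its own
#                           mount (e.g. /tmp still living on the root fs)
check_mounts() {               # $1 = policy file
  awk -v pol="$1" '
    BEGIN {
      while ((getline line < pol) > 0) {
        if (line ~ /^[ \t]*$/) continue
        split(line, f, /[ \t]+/); want[f[1]] = f[2]
      }
    }
    { opts[$2] = $4 }          # a later mount on the same point wins, as in the kernel
    END {
      for (mp in want) {
        if (!(mp in opts)) { print "NOTMOUNTED " mp; continue }
        n = split(want[mp], req, ",")
        m = split(opts[mp], have, ",")
        for (i = 1; i <= n; i++) {
          found = 0
          for (j = 1; j <= m; j++) if (have[j] == req[i]) found = 1
          if (!found) print "MISSING " mp " " req[i]
        }
      }
    }' | sort
}

# Constructed sample mount table, based on the df and mount output on this
# page: /boot is already ro, the NFS share has the full option set, /home and
# /dev/shm are missing options, and /tmp and /var/tmp are not separate mounts.
sample_mounts() {
  cat <<'EOF'
/dev/mapper/rhel-root / xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/sda1 /boot xfs ro,relatime,attr2,inode64,noquota 0 0
/dev/mapper/rhel-home /home xfs rw,relatime,attr2,inode64,noquota 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
192.168.135.142:/nfs-test /mnt/share nfs4 ro,nosuid,nodev,noexec,relatime,vers=4.0,hard,proto=tcp,sec=sys 0 0
EOF
}

demo() {
  p=$(mktemp)
  policy > "$p"
  sample_mounts | check_mounts "$p"
  rm -f "$p"
}
demo
# On a real host: policy > /tmp/mount-policy && check_mounts /tmp/mount-policy < /proc/mounts
```

A NOTMOUNTED line for /tmp or /var/tmp is itself a finding: options cannot be applied to a directory that shares the root file system, which is the practical argument for the separate partitions recommended earlier on this page.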