- Security Harden CentOS 7
- Based on a Minimal Install
- Issues with Security Hardening
- Why use OpenSCAP ?
- Kickstart
- Secure Partition Mount Options
- Install NTP
- Configure System for AIDE
- Install AIDE
- Prevent Users Mounting USB Storage
- Enable Secure (high quality) Password Policy
- Secure /etc/login.defs Password Policy
- Set Last Logon/Access Notification
- Max Password Login Attempts per Session
- Set Deny For Failed Password Attempts
- Limit Password Reuse
- Verify /boot/grub2/grub.cfg Permissions
- Set Boot Loader Password
- Require Authentication for Single User Mode
- Disable Ctrl-Alt-Del Reboot Activation
- Enable Console Screen Locking
- Disable Zeroconf Networking
- Disable IPv6 Support Automatically Loading
- Disable Interface Usage of IPv6
- Disable Support for RPC IPv6
- Securing root Logins
- Enable UMASK 077
- Prune Idle Users
- Securing Cron
- Sysctl Security
- Deny All TCP Wrappers
- Basic iptables Firewall Rules
- Verify iptables Enabled
- Disable Uncommon Protocols
- Ensure Rsyslog is installed
- Enable Rsyslog
- Auditd - Audit Daemon
- Enable auditd Service
- Audit Processes Which Start Prior to auditd
- Auditd Number of Logs Retained
- Auditd Max Log File Size
- Auditd max_log_file_action
- Auditd space_left
- Auditd admin_space_left
- Auditd mail_acct
- Configure auditd to use audispd plugin
- Auditd Rules: /etc/audit/audit.rules
- Bulk Remove of Services
- Bulk Enable / Disable Services
- Disable Secure RPC Client Service
- Disable Secure RPC Server Service
- Disable RPC ID Mapping Service
- Disable Network File Systems (netfs)
- Disable Network File System (nfs)
- If you don’t need SSH disable it
- Disable SSH iptables Firewall rule
- Disable Avahi Server Software
- Disable the CUPS Service
- Disable DHCP Service
- Uninstall DHCP Server Package
- Disable DHCP Client
- Specify Additional Remote NTP Servers
- Enable Postfix
- Remove Sendmail
- Postfix Disable Network Listening
- Configure SMTP Greeting Banner
- Disable xinetd Service
- System Audit Logs Permissions
- System Audit Logs Must Be Owned By Root
- Disable autofs
- Disable uncommon filesystems
- Disable core dumps for all users
- Disable core dumps for SUID programs
- Buffer Overflow Protection
- SELinux
- Prevent Log In to Accounts With Empty Password
- Secure SSH
- Allow Only SSH Protocol 2
- Limit Users’ SSH Access
- Set SSH Idle Timeout Interval
- Set SSH Client Alive Count
- Disable SSH Support for .rhosts Files
- Disable Host-Based Authentication
- Disable SSH Root Login
- Disable SSH Access via Empty Passwords
- Enable SSH Warning Banner
- Do Not Allow SSH Environment Options
- Use Only Approved Ciphers
- Secure X Windows
- Prompt OS update installation
Security Harden CentOS 7
This HowTo walks you through the steps required to security harden CentOS 7. It is based on the OpenSCAP benchmark; unfortunately the version of OpenSCAP that ships with CentOS does not officially support CentOS CPEs, but there is a workaround that allows OpenSCAP and the OpenSCAP Workbench to run on CentOS, which I’ll document in a separate post.
Based on a Minimal Install
To follow this guide you will need a minimal CentOS 7 install, ideally using the Kickstart file below or copying its partition layout. Installing CentOS 7 from a minimal installation reduces the attack surface and ensures you only install the software you require.
This guide only covers the base system + SSH hardening, I will document specific service hardening separately such as HTTPD, SFTP, LDAP, BIND etc…
In the section on removing unrequired services, if you did a minimal CentOS 7 install you’ll likely have nothing to remove or disable; I’ve included this section for completeness.
Issues with Security Hardening
After hardening a system you may run into issues: hardening makes a system more restrictive, especially SELinux or filesystem permission hardening. When hardening a system for a specific task I recommend creating a duplicate virtual machine for troubleshooting; should you run into an issue that you think is related to security hardening, you’ll be able to confirm it by running the same thing on the Vanilla system.
Obviously don’t expose the Vanilla (un-hardened) system to the network!
Why use OpenSCAP ?
After a lot of research I decided to use OpenSCAP over other security hardening benchmarks / guides, here is my reasoning for doing so:
- It’s open, free and actively worked on
- It has an audit tool, essential to verify each system
- OpenSCAP has a GUI called Workbench
- OpenSCAP Workbench supports remote audits via SSH
- OpenSCAP Workbench allows you to customize your scan, should you not agree with all hardening checks
If you don’t get on with workbench or auditing from the command line, Nessus has functionality for authenticated SCAP scans.
Kickstart
The following RHEL kickstart file is a minimal install with a heavy partition scheme, allowing for stricter mount options.
Secure Partition Mount Options
Your mileage will vary here: for example, if you have a website that uses cgi-bin executables you won’t be able to use the noexec mount option on that filesystem, but you can and should use it on /tmp and /var/tmp, as these are typically the first places an attacker will attempt to write to and execute from when performing privilege escalation.
Your /etc/fstab file should look something like:
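As an added example (not from the original post), the following shell script audits an fstab for the restrictive mount options this section recommends. The sample fstab is constructed for the demo; on a real host you would run check_fstab against /etc/fstab. The noexec requirement on /tmp and /var/tmp follows the post; checking nodev and nosuid there and on /home is this example's own assumption.

```shell
#!/bin/sh
# Added example: audit an fstab for nodev/nosuid/noexec on the mount
# points where they matter. Not part of the original post.

# Constructed sample fstab: /tmp is compliant, /var/tmp lacks noexec,
# /home lacks nodev.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# <device>               <mount>   <type> <options>             <dump> <pass>
/dev/mapper/vg-root      /         xfs    defaults              0 0
/dev/mapper/vg-tmp       /tmp      xfs    nodev,nosuid,noexec   0 0
/dev/mapper/vg-vartmp    /var/tmp  xfs    nodev,nosuid          0 0
/dev/mapper/vg-home      /home     xfs    nosuid                0 0
EOF

# has_opt FSTAB MOUNTPOINT OPTION -> exit 0 if MOUNTPOINT is listed in
# FSTAB and its comma-separated option field contains OPTION, else 1.
has_opt() {
    awk -v mp="$2" -v want="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }      # skip comments / short lines
        $2 == mp {
            seen = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == want) found = 1
        }
        END { exit (seen && found) ? 0 : 1 }
    ' "$1"
}

# check_fstab FSTAB -> prints one FAIL line per missing option and
# returns the number of findings (0 means compliant). The mount/option
# pairs below are this example's assumptions.
check_fstab() {
    findings=0
    for spec in \
        "/tmp:nodev" "/tmp:nosuid" "/tmp:noexec" \
        "/var/tmp:nodev" "/var/tmp:nosuid" "/var/tmp:noexec" \
        "/home:nodev" "/home:nosuid"
    do
        mp=${spec%%:*}; opt=${spec##*:}
        if ! has_opt "$1" "$mp" "$opt"; then
            echo "FAIL: $mp is missing $opt"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Stand-alone run against the constructed sample (reports two findings).
check_fstab "$SAMPLE_FSTAB"
```

The return value doubles as an exit code, so the function can sit in a compliance cron job and page you only when the count is non-zero.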
Install NTP
NTP is required for a number of compliance audits and is general good practice.
Configure System for AIDE
Pre-linking binaries (arguably) improves execution time; however, it causes issues with AIDE, so it must be disabled.
Open /etc/sysconfig/prelink and make sure the line PRELINKING=no is present. If you’re writing a script:
Disable previous prelink changes to binaries:
root:~# /usr/sbin/prelink -ua
Install AIDE
Install AIDE - Advanced Intrusion Detection Environment
Configure periodic execution of AIDE, runs every morning at 04:30
Prevent Users Mounting USB Storage
Enable Secure (high quality) Password Policy
The following command enables SHA512 instead of MD5:
vi /etc/security/pwquality.conf
Secure /etc/login.defs Password Policy
Add the following to /etc/login.defs
Set Last Logon/Access Notification
Open /etc/pam.d/system-auth and add the following line immediately after session required pam_limits.so:
session required pam_lastlog.so showfailed
Max Password Login Attempts per Session
Set the number of password re-prompts per session by editing the pam_pwquality.so statement in /etc/pam.d/system-auth to retry=3 or lower.
Set Deny For Failed Password Attempts
Block logins to accounts after repeated failed authentication attempts.
Add the following lines immediately below the pam_unix.so statement in the auth section of both /etc/pam.d/system-auth and /etc/pam.d/password-auth:
Limit Password Reuse
Open /etc/pam.d/system-auth and append remember=24 to the pam_unix.so line. This prevents users from reusing recent passwords; remembering 24 passwords is the DoD standard.
The line should look like:
Verify /boot/grub2/grub.cfg Permissions
Set /boot/grub2/grub.cfg to mode 600:
Set Boot Loader Password
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.
To do so, select a superuser account and password and add them to the appropriate grub2 configuration file(s) under /etc/grub.d. Since plaintext passwords are a security risk, generate a hash for the password by running the following command:
When prompted, enter the password that was selected and insert the returned password hash into the appropriate grub2 configuration file(s) under /etc/grub.d immediately after the superuser account. (Use the output from grub2-mkpasswd-pbkdf2 as the value of password-hash):
Don't use common admin account names for the grub2 superuser
Avoid using common admin account names like root, admin or administrator for the grub2 superuser account. To meet FISMA Moderate, the bootloader superuser password must differ from the root credentials.
Don't manually add the superuser account to grub.cfg
Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.
Require Authentication for Single User Mode
Require the root password when entering single user mode: open /etc/sysconfig/init and add the line:
Disable Ctrl-Alt-Del Reboot Activation
Prevent Ctrl+Alt+Del from rebooting the system.
Open /etc/init/control-alt-delete.conf and modify the existing line:
To:
Enable Console Screen Locking
Install the screen package to allow console screen locking.
Users can now run screen and lock the console with ctrl+a x.
Disable Zeroconf Networking
Zeroconf networking typically kicks in when an interface fails to obtain an address via DHCP; the interface is then assigned a link-local address in the 169.254.0.0 range.
To prevent this:
Disable IPv6 Support Automatically Loading
Open /etc/modprobe.d/disabled.conf and add the line:
Disable Interface Usage of IPv6
Add the following to /etc/sysconfig/network
Disable Support for RPC IPv6
RPC services like NFSv4 attempt to start using IPv6 even if it is disabled in /etc/modprobe.d. To prevent this behaviour, open /etc/netconfig and comment out the following lines:
Securing root Logins
Only allow root logins via local terminal:
Enable UMASK 077
This can cause issues on systems where users share files:
Prune Idle Users
Securing Cron
Sysctl Security
/etc/sysctl.conf
Deny All TCP Wrappers
TCP wrappers provide a quick and easy method for controlling access to applications linked against them. Examples of TCP Wrapper aware applications are sshd and portmap.
The commands below block everything except SSH:
Basic iptables Firewall Rules
Basic iptables firewall rules, with deny-all as the default policy.
Verify iptables Enabled
Disable Uncommon Protocols
The following Protocols will be disabled:
- Datagram Congestion Control Protocol (DCCP)
- Stream Control Transmission Protocol (SCTP)
- Reliable Datagram Sockets (RDS)
- Transparent Inter-Process Communication (TIPC)
Ensure Rsyslog is installed
Enable Rsyslog
Auditd - Audit Daemon
Enable auditd Service
Audit Processes Which Start Prior to auditd
Audit processes which start before the audit daemon.
Add the following line to /etc/grub.conf:
Auditd Number of Logs Retained
Open /etc/audit/auditd.conf and add or modify:
Auditd Max Log File Size
Auditd max_log_file_action
Open /etc/audit/auditd.conf and set max_log_file_action to rotate.
Auditd space_left
Configure auditd to email you when log space gets low: open /etc/audit/auditd.conf and modify the following:
Auditd admin_space_left
Configure auditd to halt when auditd log space is used up, forcing the system admin to rectify the space issue.
On some systems where monitoring is less important another action could be leveraged.
Auditd mail_acct
When space gets low auditd can send an email notification. To configure this, add the following line to /etc/audit/auditd.conf:
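As an added example (not from the original post), here is a shell checker for the auditd.conf settings covered in the sections above: log rotation, the space_left and admin_space_left actions, the mail account, and the log-count and log-size limits. The sample file is constructed for the demo; on a real host you would run check_auditd_conf against /etc/audit/auditd.conf. The key names are the real auditd.conf keys (max_log_file_action, space_left_action, admin_space_left_action, action_mail_acct, num_logs, max_log_file); the expected value root for action_mail_acct and the requirement that num_logs and max_log_file be positive integers are this example's assumptions, while rotate, email and halt follow the post.

```shell
#!/bin/sh
# Added example: verify the auditd.conf settings this guide asks for.
# Not part of the original post.

# Constructed sample mirroring a stock auditd.conf with two edits:
# admin_space_left_action set to halt, space_left_action left at the
# stock SYSLOG (which the checker should flag).
SAMPLE_AUDITD_CONF=$(mktemp)
cat > "$SAMPLE_AUDITD_CONF" <<'EOF'
log_file = /var/log/audit/audit.log
log_format = RAW
num_logs = 5
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = halt
EOF

# auditd_get FILE KEY -> prints the value of "KEY = value", lower-cased
# (the last occurrence in the file is used); prints nothing if unset.
auditd_get() {
    awk -v key="$2" -F'=' '
        /^[[:space:]]*#/ { next }
        {
            k = $1; gsub(/[[:space:]]/, "", k)
            if (k == key) { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v) }
        }
        END { print tolower(v) }
    ' "$1"
}

# check_auditd_conf FILE -> prints a FAIL line per deviation and returns
# the number of findings (0 means compliant).
check_auditd_conf() {
    findings=0
    for spec in \
        "max_log_file_action:rotate" \
        "space_left_action:email" \
        "admin_space_left_action:halt" \
        "action_mail_acct:root"
    do
        key=${spec%%:*}; want=${spec##*:}
        got=$(auditd_get "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'"
            findings=$((findings + 1))
        fi
    done
    # num_logs and max_log_file must be set to a positive integer
    for key in num_logs max_log_file; do
        got=$(auditd_get "$1" "$key")
        case "$got" in
            ''|*[!0-9]*|0)
                echo "FAIL: $key must be a positive integer (got '${got:-unset}')"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Stand-alone run against the constructed sample (reports one finding).
check_auditd_conf "$SAMPLE_AUDITD_CONF"
```

Because admin_space_left_action = halt will take the box down when the audit partition fills, run this check after every auditd.conf change and keep the space_left thresholds in step with the partition size.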
Configure auditd to use audispd plugin
Auditd does not have the functionality to send logs directly to an external log server; however, the audispd syslog plugin passes audit records to the local syslog server. To enable this, open /etc/audisp/plugins.d/syslog.conf and set the active line to yes, then restart the audispd daemon:
Auditd Rules: /etc/audit/audit.rules
Open /etc/audit/audit.rules and add the following lines to monitor various system files and activities:
Removal of Unrequired Services
This section outlines software that should be removed; instructions for disabling each service are also documented.
Bulk Remove of Services
Bulk Enable / Disable Services
Disable Secure RPC Client Service
Disable rpcgssd:
The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the client-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. The rpcgssd service can be disabled with the following command:
Disable Secure RPC Server Service
Disable rpcsvcgssd:
Disable RPC ID Mapping Service
Disable rpcidmapd.
The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled. The rpcidmapd service can be disabled with the following command:
Disable Network File Systems (netfs)
The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself. The netfs service can be disabled with the following command:
Disable Network File System (nfs)
If you don’t need SSH disable it
Disable SSH iptables Firewall rule
Only do this if you don’t need SSH.
Tips™ - You probably need to leave SSH alone
Unless you know you don’t need SSH, leave SSH and its iptables rule enabled.
Remove Rsh Trust Files
Disable Avahi Server Software
The avahi-daemon service can be disabled with the following command:
Disable the CUPS Service
If you don’t need CUPS, disable it to further reduce your attack surface:
Disable DHCP Service
The dhcpd service should be disabled on any system that does not need to act as a DHCP server.
Uninstall DHCP Server Package
If you don’t need the DHCP server package, remove it:
Disable DHCP Client
Open /etc/sysconfig/network-scripts/ifcfg-eth0 (if you have more interfaces, do this for each one) and make sure the address is statically assigned with BOOTPROTO=none.
Example:
Specify Additional Remote NTP Servers
Open /etc/ntp.conf and add the following line:
Use an internal NTP server if possible.
Enable Postfix
Remove Sendmail
Postfix Disable Network Listening
Open /etc/postfix/main.cf and ensure the following inet_interfaces line appears:
Configure SMTP Greeting Banner
Change the greeting banner, the default banner discloses the SMTP server is Postfix.
Disable xinetd Service
System Audit Logs Permissions
System audit logs must have 0640 or less permissions set.
System Audit Logs Must Be Owned By Root
Disable autofs
Disable uncommon filesystems
Disable core dumps for all users
vi /etc/security/limits.conf
Disable core dumps for SUID programs
Run sysctl -w fs.suid_dumpable=0 and add fs.suid_dumpable = 0 to /etc/sysctl.conf.
Buffer Overflow Protection
This section helps mitigate buffer overflow (BOF) attacks.
Enable ExecShield
Helps prevent stack smashing / BOF.
Enable on the current kernel: sysctl -w kernel.exec-shield=1
Add to /etc/sysctl.conf:
Check / Enable ASLR
Set the runtime value of kernel.randomize_va_space: sysctl -q -n -w kernel.randomize_va_space=2
Add kernel.randomize_va_space = 2 to /etc/sysctl.conf if it does not already exist.
Enable XD or NX Support on x86 Systems
Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature.
Check the BIOS and ensure XD/NX is enabled; this is not relevant for VMs.
SELinux
Confirm SELinux is not disabled
SELinux Targeted / Enforcing
Open /etc/selinux/config and check for SELINUXTYPE=targeted or SELINUXTYPE=enforcing, depending on your requirements.
Enable the SELinux restorecond Service
The restorecond service utilizes inotify to look for the creation of new files listed in the /etc/selinux/restorecond.conf configuration file. When a file is created, restorecond ensures the file receives the proper SELinux security context. The restorecond service can be enabled with the following command:
Enable restorecond for all run levels:
chkconfig --level 0123456 restorecond on
Start restorecond if not currently running:
service restorecond start
Check no daemons are unconfined by SELinux
Run:
This should return no output.
Prevent Log In to Accounts With Empty Password
Secure SSH
Allow Only SSH Protocol 2
Open /etc/ssh/sshd_config and ensure the following line exists:
Limit Users’ SSH Access
Open /etc/ssh/sshd_config and add:
Set SSH Idle Timeout Interval
To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:
Set SSH Client Alive Count
To ensure the SSH idle timeout occurs precisely at the configured ClientAliveCountMax, edit /etc/ssh/sshd_config as follows:
Disable SSH Support for .rhosts Files
SSH can emulate the behavior of the obsolete rsh command, allowing users to enable insecure access to their accounts via .rhosts files.
To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
Disable Host-Based Authentication
SSH’s cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.
To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:
Disable SSH Root Login
Disable root logins via SSH: open /etc/ssh/sshd_config and ensure the following line exists:
Disable SSH Access via Empty Passwords
Open /etc/ssh/sshd_config and add:
Enable SSH Warning Banner
Enable a warning banner to reinforce policy awareness:
Banner /etc/issue
Do Not Allow SSH Environment Options
To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in /etc/ssh/sshd_config:
Use Only Approved Ciphers
Limit the ciphers to FIPS-approved algorithms. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:
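As an added example (not from the original post), the shell script below audits an sshd_config against the directives covered in the Secure SSH sections above in one pass: Protocol, PermitRootLogin, PermitEmptyPasswords, IgnoreRhosts, HostbasedAuthentication, PermitUserEnvironment, Banner, the ClientAlive settings and the Ciphers list. Two sshd behaviours matter for a checker like this and are modelled here: sshd honours the first occurrence of a directive, not the last, and anything after a Match line only applies conditionally, so the checker stops there. The sample config is constructed; on a real host run check_sshd_config /etc/ssh/sshd_config. The CTR-only cipher allowlist and the values 300 for ClientAliveInterval and 0 for ClientAliveCountMax are this example's assumptions.

```shell
#!/bin/sh
# Added example: audit sshd_config for the settings in this guide.
# Not part of the original post.

# Cipher allowlist (assumption: CTR-mode AES only, matching the post's
# preference for CTR over CBC).
ALLOWED_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr"

# Constructed sample: PermitRootLogin yes appears before the later
# PermitRootLogin no (sshd uses the first), and Ciphers includes a CBC
# cipher. Everything else is compliant.
SAMPLE_SSHD_CONFIG=$(mktemp)
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# constructed sample sshd_config
Protocol 2
PermitRootLogin yes
ClientAliveInterval 300
ClientAliveCountMax 0
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
Banner /etc/issue
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc
PermitRootLogin no
Match User backup
    PermitRootLogin no
EOF

# sshd_get FILE DIRECTIVE -> prints the effective value (first
# occurrence, keyword matched case-insensitively as sshd does), or
# nothing if the directive is not set before the first Match block.
sshd_get() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
        tolower($1) == "match" { exit }        # conditional section: stop
        tolower($1) == want { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE -> prints a FAIL line per deviation and returns
# the number of findings (0 means compliant).
check_sshd_config() {
    findings=0
    for spec in \
        "Protocol:2" "PermitRootLogin:no" "PermitEmptyPasswords:no" \
        "IgnoreRhosts:yes" "HostbasedAuthentication:no" \
        "PermitUserEnvironment:no" "Banner:/etc/issue" \
        "ClientAliveInterval:300" "ClientAliveCountMax:0"
    do
        key=${spec%%:*}; want=${spec#*:}
        got=$(sshd_get "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'"
            findings=$((findings + 1))
        fi
    done
    # every configured cipher must be on the allowlist
    ciphers=$(sshd_get "$1" Ciphers)
    if [ -z "$ciphers" ]; then
        echo "FAIL: Ciphers not set (sshd default list would apply)"
        findings=$((findings + 1))
    fi
    for c in $(printf '%s' "$ciphers" | tr ',' ' '); do
        case ",$ALLOWED_CIPHERS," in
            *",$c,"*) ;;
            *) echo "FAIL: cipher $c is not on the allowlist"
               findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Stand-alone run against the constructed sample (reports two findings).
check_sshd_config "$SAMPLE_SSHD_CONFIG"
```

The first-occurrence rule is the reason appending a hardened line to the end of an existing sshd_config can silently do nothing; grep for duplicates, or use sshd -T to print the effective configuration, before trusting a manual edit.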
Secure X Windows
Disable X Windows Startup By Setting Runlevel
Disable the X Window System, further reducing your attack surface.
Remove the X Windows Package Group
Prompt OS update installation
A process for prompt installation of OS updates must exist
Make sure yum-cron is set to “check only”; I don’t recommend installing updates automatically.
Enjoy.