- Security Harden CentOS 7
- Based on a Minimal Install
- Issues with Security Hardening
- Why use OpenSCAP ?
- Secure Partition Mount Options
- Install NTP
- Configure System for AIDE
- Install AIDE
- Prevent Users Mounting USB Storage
- Enable Secure (high quality) Password Policy
- Secure /etc/login.defs Pasword Policy
- Set Last Logon/Access Notification
- Max Password Login Attempts per Session
- Set Deny For Failed Password Attempts
- Limit Password Reuse
- Verify /boot/grub2/grub.cfg Permissions
- Set Boot Loader Password
- Require Authentication for Single User Mode
- Disable Ctrl-Alt-Del Reboot Activation
- Enable Console Screen Locking
- Disable Zeroconf Networking
- Disable IPv6 Support Automatically Loading
- Disable Interface Usage of IPv6
- Disable Support for RPC IPv6
- Securing root Logins
- Enable UMASK 077
- Prune Idle Users
- Securing Cron
- Sysctl Security
- Deny All TCP Wrappers
- Basic iptables Firewall Rules
- Verify iptables Enabled
- Disable Uncommon Protocols
- Ensure Rsyslog is installed
- Enable Rsyslog
- Auditd - Audit Daemon
- Enable auditd Service
- Audit Processes Which Start Prior to auditd
- Auditd Number of Logs Retained
- Auditd Max Log File Size
- Auditd max_log_file_action
- Auditd space_left
- Auditd admin_space_left
- Auditd mail_acct
- Configure auditd to use audispd plugin
- Auditd Rules: /etc/audit/audit.rules
- Bulk Remove of Services
- Bulk Enable / Disable Services
- Disable Secure RPC Client Service
- Disable Secure RPC Server Service
- Disable RPC ID Mapping Service
- Disable Network File Systems (netfs)
- Disable Network File System (nfs)
- If you don’t need SSH disable it
- Disable SSH iptables Firewall rule
- Disable Avahi Server Software
- Disable the CUPS Service
- Disable DHCP Service
- Uninstall DHCP Server Package
- Disable DHCP Client
- Specify Additional Remote NTP Servers
- Enable Postfix
- Remove Sendmail
- Postfix Disable Network Listening
- Configure SMTP Greeting Banner
- Disable xinetd Service
- System Audit Logs Permissions
- System Audit Logs Must Be Owned By Root
- Disable autofs
- Disable uncommon filesystems
- Disable core dumps for all users
- Disable core dumps for SUID programs
- Buffer Overflow Protection
- Prevent Log In to Accounts With Empty Password
- Secure SSH
- Allow Only SSH Protocol 2
- Limit Users’ SSH Access
- Set SSH Idle Timeout Interval
- Set SSH Client Alive Count
- Disable SSH Support for .rhosts Files
- Disable Host-Based Authentication
- Disable SSH Root Login
- Disable SSH Access via Empty Passwords
- Enable SSH Warning Banner
- Do Not Allow SSH Environment Options
- Use Only Approved Ciphers
- Secure X Windows
- Prompt OS update installation
Security Harden CentOS 7
This HowTo walks you through the steps required to security harden CentOS 7, it’s based on the OpenSCAP benchmark, unfortunately the current version of OpenSCAP that ships with CentOS does not offically support CentOS CPE’s. But there is a “workaround” that will allow OpenSCAP + OpenSCAP workbench to run on CentOS, I’ll document this in a separate post.
Based on a Minimal Install
To follow this guide you will need a minimal CentOS 7 install, ideally using the Kickstart file below or copying it’s partition layout. Installing CentOS 7 using a minimal installation reduces the attack surface and ensures you only install software that you require.
This guide only covers the base system + SSH hardening, I will document specific service hardening separately such as HTTPD, SFTP, LDAP, BIND etc…
In the section related to removing unrequired services, if you installed a minimal centos 7 install, you’ll likely have nothing to remove or disable - I’ve included this section for completeness.
Issues with Security Hardening
After hardening a system you may run into issues, hardening a system will make it more restrictive, especially SELinux or filesystem related permission hardening. When hardening a system for a specific task I recommend creating a duplicate virtual machine you can use for troubleshooting should you run into a issue that you think is related to security hardening, you’ll be able to confirm by running it on the Vanilla system.
Obviously don’t expose the Vanilla (un-hardened) system to the network!
Why use OpenSCAP ?
After a lot of research I decided to use OpenSCAP over other security hardening benchmarks / guides, here is my reasoning for doing so:
- It’s open, free and actively worked on
- It has an audit tool, essential to verify each system
- OpenSCAP has a GUI called, workbench
- OpenSCAP Workbench supports remote audits via SSH
- OpenSCAP Workbench allows you to customize your scan, should you not agree with all hardening checks
If you don’t get on with workbench or auditing from the command line, Nessus has functionality for authenticated SCAP scans.
I’ve provided the following RHEL kickstart file below, it’s a minimal install with a heavy partition scheme, allowing for stricter mount options.
Secure Partition Mount Options
Your millage will vary here, for example if you have a website that uses cgi-bin executables you won’t be able to use the noexec mount options, but you can and should use it on /tmp and /var/tmp as this is typically the first place an attacker will attempt to write and execute from when performing privilege escalation.
Your /etc/fstab file should look something like:
NTP is required for a number of compliance audits and is general good practice.
Configure System for AIDE
Pre-linking binaries (arguably) improved execution time, however this cause issues with AIDE, so it must be disabled.
Open /etc/sysconfig/prelink and make sure the line
Set PRELINKING=no is present, if you’re writing a script:
Disable previous prelink changes to binaries:
Disable previous prelink changes to binaries
root:~# /usr/sbin/prelink -ua</p>
Install AIDE - Advanced Intrusion Detection Environment
Configure periodic execution of AIDE, runs every morning at 04:30
Prevent Users Mounting USB Storage
Enable Secure (high quality) Password Policy
The following command will Enable SHA512 instead of using MD5:
Secure /etc/login.defs Pasword Policy
Add the following to
Set Last Logon/Access Notification
/etc/pam.d/system-auth and add the following line immediately after session required pam_limits.so:
session required pam_lastlog.so showfailed
Max Password Login Attempts per Session
Set the amount of password reprompts per session, by editing the
pam_pwquality.so statement in
retry=3 or lower.
Set Deny For Failed Password Attempts
Blocks logins for failed authentication on accounts.
Add the following lines immediately below the
pam_unix.so statement in AUTH section of both
Limit Password Reuse
Open /etc/pam.d/system-auth, append remember=24 to the pam_unix.so line - preventing users from reusing passwords, remembering 24 times is the DoD standard.
The line should look like:
Verify /boot/grub2/grub.cfg Permissions
Set grub.conf to chmod 600:
Set Boot Loader Password
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.
To do so, select a superuser account and password and add them into the appropriate grub2 configuration file(s) under /etc/grub.d. Since plaintext passwords are a security risk, generate a hash for the pasword by running the following command:
When prompted, enter the password that was selected and insert the returned password hash into the appropriate grub2 configuration file(s) under /etc/grub.d immediately after the superuser account. (Use the output from grub2-mkpasswd-pbkdf2 as the value of password-hash):
Don't use common admin account names for the grub2 superuser
Avoid using common admin account names like, root, admin or administrator for the grub2 superuser account. To meet FISMA Moderate, the bootloader superuser account password must differ from the root credentials.
Don't manually add the superuser account to grub.cfg
Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.
Require Authentication for Single User Mode
Require root password when entering single user mode, open
/etc/sysconfig/init and add the line:
Disable Ctrl-Alt-Del Reboot Activation
Prevernt ALT+CTRL+DEL from rebooting.
/etc/init/control-alt-delete.conf and modify the existing line:
Enable Console Screen Locking
Install the screen Package to allow console screen locking.
Users can now run
screen and lock the console with
Disable Zeroconf Networking
Zeroconf network typically occours when you fail to get an address via DHCP, the interface will be assigned a 169.254.0.0 address.
To prevernt this:
Disable IPv6 Support Automatically Loading
/etc/modprobe.d/disabled.conf and add the line:
Disable Interface Usage of IPv6
Add the following to
Disable Support for RPC IPv6
RPC services like NFSv4 attempt to start using IPv6 even if it’s disabled in
/etc/modprobe.d. To prevent this behaviour open
/etc/netconfig and comment the following lines:
Securing root Logins
Only allow root logins via local terminal:
Enable UMASK 077
Can causes issues on systems where users share files:
Prune Idle Users
Deny All TCP Wrappers
TCP wrappers can provide a quick and easy method for controlling access to applications linked to them. Examples of TCP Wrapper aware applications are sshd, and portmap.
Below commands block all but SSH:
Basic iptables Firewall Rules
Basic iptables Firewall rules, set to denyall as the default.
Verify iptables Enabled
Disable Uncommon Protocols
The following Protocols will be disabled:
- Datagram Congestion Control Protocol (DCCP)
- Stream Control Transmission Protocol (SCTP)
- Reliable Datagram Sockets (RDS)
- Transparent Inter-Process Communication (TIPC)
Ensure Rsyslog is installed
Auditd - Audit Daemon
Enable auditd Service
Audit Processes Which Start Prior to auditd
Audit process which start before the Audit Daemon.
Add the following line to
Auditd Number of Logs Retained
/etc/audit/auditd.conf and add or modify:
Auditd Max Log File Size
/etc/audit/auditd.conf and set this to rotate.
Configure auditd to email you when space gets low, open
/etc/audit/auditd.conf and modify the following:
Configure auditd to halt when auditd log space is used up, forcing the system admin to rectify the space issue.
On some systems where monitoring is less important another action could be leveraged.
When space gets low auditd can send a email notification via email, to configure this and the following line to
Configure auditd to use audispd plugin
Auditd does not have the functionality to send logs directly to an external log server, however the audispd plugin pass audit records to the local syslog server, to enable this open
/etc/audisp/plugins.d/syslog.conf and set the active line to yes, then restart audispd daemon:
Auditd Rules: /etc/audit/audit.rules
/etc/audit/audit.rules and add the following lines to monitor various system files and activities:
##Removal of Unrequired Services
The section outlines software that should be removed, instruction for disabling the service is also documented.
Bulk Remove of Services
Bulk Enable / Disable Services
Disable Secure RPC Client Service
The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the client-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. The rpcgssd service can be disabled with the following command:
Disable Secure RPC Server Service
Disable RPC ID Mapping Service
The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled. The rpcidmapd service can be disabled with the following command:
Disable Network File Systems (netfs)
The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself. The netfs service can be disabled with the following command:
Disable Network File System (nfs)
If you don’t need SSH disable it
Disable SSH iptables Firewall rule
Only do this if you don’t need SSH.
Tips™ - You probable need to leave SSH alone
Unless you know you don't need SSH, leave SSH and it's iptables rule enabled.
###Remove Rsh Trust Files
Disable Avahi Server Software
The avahi-daemon service can be disabled with the following command:
Disable the CUPS Service
If you don’t need CUPS, disable it to further reduce your attack surface:
Disable DHCP Service
The dhcpd service should be disabled on any system that does not need to act as a DHCP server.
Uninstall DHCP Server Package
If you don’t need a DHCP client, remove it:
Disable DHCP Client
/etc/sysconfig/network-scripts/ifcfg-eth0 (if you have more interfaces, do this for each one) and make sure the address is statically assigned with the BOOTPROTO=none
Specify Additional Remote NTP Servers
/etc/ntp.conf and add the following line:
Use an internal NTP server if possible.
Postfix Disable Network Listening
/etc/postfix/main.cf and ensure the following inet_interfaces line appears:
Configure SMTP Greeting Banner
Change the greeting banner, the default banner discloses the SMTP server is Postfix.
Disable xinetd Service
System Audit Logs Permissions
System audit logs must have 0640 or less permissions set.
System Audit Logs Must Be Owned By Root
Disable uncommon filesystems
Disable core dumps for all users
Disable core dumps for SUID programs
sysctl -w fs.suid_dumpable=0 and
fs.suid_dumpable = 0.
Buffer Overflow Protection
This section helps mitigate against Buffer Overflow attacks (BOF).
Helps prevent stack smashing / BOF.
Enable on current kernel:
sysctl -w kernel.exec-shield=1
Add to /etc/sysctl.conf:
Check / Enable ASLR
Set runtime for kernel.randomize_va_space
sysctl -q -n -w kernel.randomize_va_space=2
kernel.randomize_va_space = 2 to /etc/sysctl.conf if it does not already exist.
Enable XD or NX Support on x86 Systems
Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature.
Check bios and ensure XD/NX is enabled, not relevant for VM’s.
Confirm SELinux is not disabled
SELinux Targeted / Enforcing
Open /etc/selinux/config and check for
SELINUXTYPE=enforcing, depending on your requirements.
Enable the SELinux restorecond Service
The restorecond service utilizes inotify to look for the creation of new files listed in the /etc/selinux/restorecond.conf configuration file. When a file is created, restorecond ensures the file receives the proper SELinux security context. The restorecond service can be enabled with the following command:
Enable restorecond for all run levels:
chkconfig --level 0123456 restorecond on
Start restorecond if not currently running:
service restorecond start
Check no daemons are unconfined by SELinux
This should return no output.
Prevent Log In to Accounts With Empty Password
Allow Only SSH Protocol 2
/etc/ssh/sshd_config and ensure the following line exists:
Limit Users’ SSH Access
/etc/ssh/sshd_config and add:
Set SSH Idle Timeout Interval
To set an idle timeout interval, edit the following line in
/etc/ssh/sshd_config as follows:
Set SSH Client Alive Count
To ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax is set, edit
/etc/ssh/sshd_config as follows:
Disable SSH Support for .rhosts Files
SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.
To ensure this behavior is disabled, add or correct the following line in
Disable Host-Based Authentication
SSH’s cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.
To disable host-based authentication, add or correct the following line in
Disable SSH Root Login
Disable root logins via SSH, open
/etc/ssh/sshd_config and ensure the following line exists:
Disable SSH Access via Empty Passwords
Enable SSH Warning Banner
Enable a warning banner (Renforce policy awareness).
Do Not Allow SSH Environment Options
To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in
Use Only Approved Ciphers
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in
/etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:
Secure X Windows
Disable X Windows Startup By Setting Runlevel
Disable X windows system, further reducing your attack surface.
Remove the X Windows Package Group
Prompt OS update installation
A process for prompt installation of OS updates must exist
Make sure yum-cron is set to “check only”, I don’t recommend installing updates automatically.
If this was helpfull, click tweet below.