harden.sh

This is a script to harden your Linux installation.

Why I made this

• Bastille is obsolete
• Not a member of CIS, so no downloading of the ready made scripts
• For learning
• For minimizing the effort needed to tweak fresh installations
  • Also for consistency

What does it do?

Common

• Enables TCP wrappers
• Creates legal banners
• Disable core dumps in /etc/security/limits.conf
• sysctl settings hardening
  • IP stack hardening
  • Enables SAK and disables the other magic SysRq stuff
  • Restricts the use of dmesg by regular users
  • For the complete list, see sysctl.conf.new
• Hardens mount options (creates /etc/fstab.new)
  • Also, mount /proc with hidepid=2
• Disables the use of certain kernel modules via modprobe
  • Disable Firewire
• Configures shells
  • Creates an option to use restricted shell (rbash)
    • Also sets it as default for new users
  • Restricts the number of available shells (/etc/shells)
• Configures basic auditing based on stig.rules if audit is installed
  • NOTE: non-PAM systems (namely Slackware) don't set the loginuid properly, so some of the rules don't work when they have -F auid!=4294967295
• Enables system accounting (sysstat)
  • Sets it's log retention to 99999 days (the logs are really small, so it doesn't eat up disk space)
• Configures password policies
  • Maximum age for password
  • Minimum age for password
  • Password warn age
  • Does this for existing users also
  • Note: password strength should be enforced with applicable PAM module (such as pam_passwdqc or pam_pwquality)
• Reduce the amount of trusted CAs
  • Doesn't work in CentOS/RHEL
• Create a strict securetty
• Sets default umask to a more stricter 077
• Sets console session timeout via $TMOUT (Bash)
• PAM:
  • Configures /etc/security/namespace.conf
  • Configures /etc/security/access.conf
  • Configures /etc/security/pwquality.conf if available
  • Require pam_wheel in /etc/pam.d/su
  • Creates a secure /etc/pam.d/other
• Disables unnecessary systemd services
• Configures sshd_config
• Display managers:
  • Disables user lists in GDM3 & LightDM
  • Disables guest sessions in LightDM

User accounts

• Configures failure limits (faillog)
• Creates /etc/ftpusers
• Restricts the use of cron and at
• Properly locks down system accounts (0 - SYS_UID_MAX && !root)
  • Lock the user's password
  • Sets shell to nologin
  • Expire the account
  • Adds the accounts to /etc/ftpusers
• Sets strict permissions to users home directories
• Configures the default password inactivity period

Debian specific

• Enables AppArmor
• Sets the authorized_default to USB devices via rc.local
• APT:
  • Configures APT not to install suggested packages
  • Configure SUITE in debsecan (if installed)

PAM

Creates bunch of pam-configs that are toggleable with pam-auth-update:

1. Not a pam-config, but a modification to existing /etc/pam.d/ files
2. For all login methods and not just the console login

CentOS/RHEL specific

• PAM configuration with authconfig:
  • Enables pam_faillock
  • Configures pwquality

Slackware specific

See SLACKWARE.md.

Additional features

• SSH moduli creation
• Some hardening steps utilize Lynis to verify themselves (to be improved/extended over time)

PGP

The import_pgp_keys() function imports a bunch of PGP keys to your trustedkeys.gpg keyring, so you can verify downloaded files/packages with gpgv. The keys that are imported are listed in the PGP_URLS[] and PGP_KEYS[] arrays.

Notes

• Rebooting the system after running this is highly recommended, since many startup scripts are modified
• The script is quite verbose, so you might want to record it with script
• It is best to run this script on a fresh installation for best results

Other security software

Antivirus

I think it's justified and recommended to run an antivirus software on all of your Linux servers. This is because, even though the server's role would not be something like a file sharing server or a mail server, a proper antivirus is able to detect much more than these "traditional" malwares. I'm talking about rootkits, exploits, PHP shells and the like. Something that a malicious user might be holding at their home dirs or maybe some PHP shell was dropped through a vulnerable web application. If you would get an early warning from an antivirus software, it just might save you on that one occasion :)

So consider getting ClamAV.

Post-hardening checklist

After running the hardening script, the following actions still need to be performed manually:

• [ ] Set LILO/GRUB password
  • [ ] Update LILO/GRUB with lilo || update-grub
• Install at least the following additional software:
  • [ ] audit (and run harden.sh -S afterwards)
  • [ ] Aide
  • [ ] ClamAV
  • [ ] arpwatch
  • [ ] rngd (if you have HRNG)
• [ ] Make sure NTP is running
• [ ] Configure remote log host
• [ ] Add legit users to:
  • /etc/porttime
  • To the users group

References

Hardening guides

Some of these documents are quite old, but most of the stuff still applies.

• CIS Slackware Linux 10.2 Benchmark v1.1.0
• Slackware System Hardening by Jeffrey Denton
• SlackDocs: Security HOWTOs
• Alien's Wiki: Security issues
• SlackWiki: Basic Security Fixes
• Wikipedia: Fork bomb Prevention

Other docs

• Linux Standard Base Core Specification 4.1
  • Chapter 21. Users & Groups
• Filesystem Hierarchy Standard 2.3
• https://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx
• PAM Mastery book by Michael W Lucas
• The Linux-PAM System Administrators' Guide
• Sudo Mastery, 2nd Edition