CCDC Linux Handbook William Houde - Mercer University - 3/30/2017

Transcription

1 CCDC Linux Handbook William Houde - Mercer University - 3/30/ Hardening Checklist 1 2. Reference Log Files Old Repository Archives 7 Ubuntu 7 Debian 7 CentOS Package Management System Information 9 Checking OS Version 9 Hardware Information Useful Repositories 9 CentOS/Red Hat 9 Ubuntu User Accounts and Groups 10 Users 10 Groups 10 Account Creation 13

2 CCDC Linux Handbook!1 1. Hardening Checklist 1. Take a snapshot of the machine. 2. Change the passwords of root and any other administrator account. This can be done using passwd or using a graphical equivalent. No arguments are needed if changing the password for the current user. Don t forget to change passwords for MySQL and other programs! 3. Check /tmp for suspicious files. # ls -la /tmp If the folder is not empty, create an IR report listing what was found and delete everything in /tmp: # rm -rf /tmp/* 4. Check cron jobs for default accounts. # crontab -l USERNAME If there is anything in the crontab, remove it: # crontab -r USERNAME 5. Check for suspicious programs. Run this to see a list of processes: $ ps -eo pid,tty,user,args less Look for programs that are running from a location they should not be in, such as /tmp, / root, or /home. In general, programs should only be in /bin, /opt, /sbin, and /usr. 6. Check for suspicious user accounts. This can be done while ClamAV is running. First, check user groups: $ cat /etc/group sort less Pay special attention to the adm, admin, sudo, root, and wheel groups. Any user that is in a large number of groups should be investigated. Next, check users: $ less /etc/passwd The users in the file are in order of creation. Look for accounts that have names of

3 CCDC Linux Handbook!2 services, such as avahi, that have home directories and login shells they should not have. For example: avahi:x:107:114:avahi mdns daemon,,,:/home/bob:/bin/bash In this example, this account appears to be Avahi, but is really a normal user because it has a standard home directory and a valid login shell. Daemons like Avahi should have their shells set to /bin/false, /sbin/nologin, or /usr/sbin/nologin. Next, check the sudoers file: # less /etc/sudoers The only user specified here should be root and the only groups should be admin and sudo. In addition, make sure that no one is able to use sudo without entering a password. If suspicious users are found, check with management and, if approved, disable the accounts. 7. Create a new user for administrative tasks and give new user admin privileges. This username should probably not be easy to guess as this will be the only account with admin permissions allowed on the system. The new user can be added using adduser or a graphical equivalent. Next, add the new user to the sudoers file: # usermod -a -G sudo USERNAME Use a command with sudo as the new user to verify that sudo works: # su newuser $ sudo whoami 8. Disable root and other default administrators. Run the following command for each user to be disabled and replace USERNAME with the username. # usermod --lock --shell /usr/sbin/nologin --expiredate USERNAME 9. Reboot the system to make sure the disabled accounts are no longer in use. 10. Take a snapshot. 11. Enable additional logging. Enable command logging in auditd: # echo -a exit,always -F arch=b64 -S execve >> /etc/audit/

4 CCDC Linux Handbook!3 audit.rules # echo -a exit,always -F arch=b32 -S execve >> /etc/audit/ audit.rules Auditd will log commands to /var/log/audit/audit.log. Install Snoopy in Debian, Ubuntu, or similar: # apt-get install snoopy Install Snoopy in CentOS, RHEL, or similar (Requires EPEL on CentOS and RHEL): # yum install snoopy Enable snoopy: # Snoopy will log commands to /var/log/secure, /var/log/auth.log, or /var/log/messages. Sudo additional logging? 12. Check running/startup services and disable unnecessary services. Check running services. List services for systemd servers. Running services are indicated under the SUB column: $ systemctl --type=service List services for non-systemd servers. If a service is running, it will have [ + ] label and if it is not running it will be [ - ]: $ service --status-all To stop a running service (works with or without systemd). Note that this only applies until next reboot: # service SERVICE stop Check startup services when systemd is used: # systemctl list-unit-files --type=service Check startup services on non-systemd servers: # chkconfig --list To keep a service from running at boot (both with and without systemd): # chkconfig SERVICE off 13. Configure local firewall. First, set iptables to deny all incoming and allow all outgoing: # iptables -P INPUT DROP

5 CCDC Linux Handbook!4 # iptables -P FORWARD DROP # iptables -P OUTPUT ACCEPT # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT Next, add exceptions for necessary ports. Replace PORT with the port number: # iptables -I INPUT -p tcp --dport PORT -j ACCEPT Fedora: 52 (DNS) CentOS: 80 (HTTP), 443 (HTTPS) Ubuntu: 22 (SSH), 25 (SMTP), 110 (POP3), 465 (SMTPS), 995 (POP3S) 14. Check cron jobs for whole system. Create and run the script from here: Look for anything malicious, especially by root. This may include something like rm -rf /. 15. Install and configure fail2ban. # apt-get install fail2ban Or: # yum install fail2ban By default, only SSH is protected. Enable any other necessary filters by adding them in / etc/fail2ban/jail.d/customization.conf. Names of available jails are in /etc/fail2ban/ jail.conf. Example: [sshd] enabled = true Restart fail2ban: # service fail2ban restart If fail2ban fails to start, check the syslog and resolve any issues with the configuration file. 16. Install and run rkhunter. This will check for rootkits, suspicious files, and other vulnerabilities.

6 CCDC Linux Handbook!5 To install on Debian, Ubuntu, or similar: # apt-get install rkhunter To install on Red Hat, CentOS, or similar (Requires EPEL on CentOS and RHEL): # yum install rkhunter Update and run: # rkhunter --update # rkhunter --check 17. Install and run ClamAV. This should hopefully catch any keyloggers or other malware. This will take some time, up to 20 minutes. To install on Debian, Ubuntu, or similar: # apt-get install clamav To install on Red Hat, CentOS, or similar (Requires EPEL on CentOS and RHEL): # yum install clamav Refresh ClamAV database: # freshclam Run ClamAV for whole system: # clamscan -irl clam.log / This command will scan the whole system and put a scan log in clam.log. If any files are detected as infected, fill out an IR form and take appropriate steps to remove infection. 18. Install security updates. Installing only security-related updates will save time over installing all available updates. Debian/Ubuntu: # unattended-upgrades CentOS/Red Hat: # yum update --security 19. Take a snapshot. 20. Apache hardening. Hide Apache version:

7 CCDC Linux Handbook!6 # echo ServerTokens Prod >> /etc/httpd/conf/httpd.conf # echo ServerSignature Off >> /etc/httpd/conf/httpd.conf Hide etags: # echo FileETag None >> /etc/httpd/conf/httpd.conf Disable directory list and prevent settings from being overridden: # vim /etc/httpd/conf/httpd.conf Find the <Directory> headings and do the following: a. Make sure AllowOverride is None. b. Make sure Options contains -Indexes. c. In /, make sure there is a line Deny from all and make sure there is a line Allow from all in /var/www/html. d. Add the following in the / directory section: <LimitExcept GET POST HEAD> Deny from all </LimitExcept> 21. Take a snapshot. 2. Reference 2.1. Log Files Most, but not all, log files are stored in /var/log. Older log files will have a number appended to them (lower is newer) and may be zipped. Zipped files can be opened using several special commands, which act the same as their regular counterparts: zcat, zdiff, zgrep, zless, zmore, znew. Here are some important log files: ~/.bash_history /var/log/apache2/ /var/log/audit/audit.log /var/log/auth.log /var/log/dmesg This file exists in the home directory of each user. Command history is listed chronologically, but without timestamps by default. By default, commands are written at the end of each bash session. Contains authentication (access.log) and error logs (error.log) for the apache web server. Auditd log files. Will include command logs if configured. Lists authentication history for all users, as well as sudo attempts. Startup log. Can also be accessed with the dmesg command. This is what usually appears on the screen during boot.

8 CCDC Linux Handbook!7 /var/log/fail2ban.log /var/log/kern.log /var/log/mail.log /var/log/secure /var/log/syslog General log for fail2ban. Errors when starting fail2ban will appear in syslog instead. Kernal messages, including driver messages. Mail server log. Contains some security messages. Overarching system log. May include messages from auth.log, kern.log, and other programs and services. While this log is the most complete, it may be large enough to make it hard to find specific messages Old Repository Archives Ubuntu Add these three lines to /etc/apt/sources.list: deb CODENAME main restricted universe multiverse deb CODENAME-updates main restricted universe multiverse deb CODENAME-security main restricted universe multiverse Replace CODENAME with the release codename. Codename can be found with: $ lsb_release -a Debian Add these two lines to /etc/apt/sources.list: deb CODENAME main non-free contrib deb CODENAME/updates main non-free contrib Replace CODENAME with the release codename. Codename can be found with: $ lsb_release -a If the above command does not work, use: $ cat /etc/debian_version And use the corresponding codename (in all lowercase): 4.x Etch 6.x Squeeze 8.x Jessie 5.x Lenny 7.x Wheezy

9 CCDC Linux Handbook!8 CentOS Edit /etc/yum.repos.d/centos-base.repo so that the lines that start with mirrorlist are commented out. In the section labeled base, add: baseurl= In the section labeled updates, add: baseurl= Replace VERSION with the version number specified by: $ cat /etc/redhat-release 2.3. Package Management In general, Linux package managers download software from repositories and keeps track of what versions of software are installed and are in the repositories by maintaining a local database. In Debain-based systems apt is generally used with the deb format, while in Red Hat-based systems yum is generally used with the rpm format. While using different package formats is possible, it requires some special conversion. Most, if not all, package management commands require root or sudo. Here s a comparison of basic apt and yum commands: Apt command Yum command Description apt-get update yum check-update Refreshes local database (do this before installing updates) apt-get upgrade yum update Updates installed packages apt-get distupgrade apt-get install PACKAGE apt-get remove PACKAGE apt-get purge PACKAGE apt-cache search PACKAGE dpkg --install PACKAGE.deb yum upgrade yum install PACKAGE rpm -e PACKAGE yum remove PACKAGE yum search PACKAGE rpm -i PACKAGE.rpm Updates installed packages (more thorough; can result in packages being removed) Installs specified package and dependencies Removes specified package Removes specified package and configuration files Searches database for packages with specified name (or part of name) Installs a local package file. Note that the file extension is required.

10 2.4. System Information CCDC Linux Handbook!9 Checking OS Version A general command that should work on most systems: $ lsb_release -a Specific commands for different distributions: $ cat /etc/debian_version $ cat /etc/redhat-release Note that the version number listed next to the distribution name in /proc/version is not the OS version number. Hardware Information # lshw less This program might not be installed by default on all systems, but should be available in the repositories Useful Repositories CentOS/Red Hat Extra Packages for Enterprise Linux (EPEL): EPEL contains useful packages included in Fedora s repositories, but not RHEL and CentOS repositories. Use the following to enable: # yum install epel-release Ubuntu Personal Package Archives (PPAs): PPAs are easy-to-add repositories for Ubuntu that can contain useful software or updates. However, since anyone can create PPAs, be careful when using them; they are quite capable of breaking system packages and can in theory be malicious. All PPAs are hosted at launchpad.net. Installing a PPA is done with a command like this: # add-apt-repository ppa:ppacreator/ppaname

11 2.6. User Accounts and Groups CCDC Linux Handbook!10 User accounts are listed in /etc/passwd, hashed passwords in /etc/shadow, and groups in /etc/ group. Users Creating a user: # adduser USERNAME Disabling a user: # usermod --lock --shell /usr/sbin/nologin --expiredate USERNAME Re-enable a user: # usermod --unlock --shell /bin/bash --expiredate USERNAME Delete a user (Disable instead!): # userdel USERNAME Groups Creating a group: # groupadd GROUPNAME Adding a user to a group: # usermod -a -G GROUPNAME USERNAME Removing a user from a group: # gpasswd -d USERNAME GROUPNAME Set group as primary for user: # usermod -g GROUPNAME USERNAME Show groups a user is in: # groups USERNAME Delete a group: # groupdel GROUPNAME

12 CCDC Linux Handbook!11 #!/bin/bash # System-wide crontab file and cron job directory. Change these for your system. CRONTAB='/etc/crontab' CRONDIR='/etc/cron.d' tab=$(echo -en "\t") function clean_cron_lines() { while read line ; do echo "${line}" egrep --invert-match '^($ \s*# \s*[[:alnum:]_]+=)' sed --regexp-extended "s/\s+/ /g" sed --regexp-extended "s/^ //" done; } function lookup_run_parts() { while read line ; do match=$(echo "${line}" egrep -o 'run-parts (-{1,2}\S+ )*\S+') if [[ -z "${match}" ]] ; then echo "${line}" else cron_fields=$(echo "${line}" cut -f1-6 -d' ') cron_job_dir=$(echo "${match}" awk '{print $NF}') } if [[ -d "${cron_job_dir}" ]] ; then for cron_job_file in "${cron_job_dir}"/* ; do # */ <not a comment> [[ -f "${cron_job_file}" ]] && echo "${cron_fields} ${cron_job_file}" done fi fi done; temp=$(mktemp) exit 1 # Add all of the jobs from the system-wide crontab file. cat "${CRONTAB}" clean_cron_lines lookup_run_parts >"${temp}" # Add all of the jobs from the system-wide cron directory. cat "${CRONDIR}"/* clean_cron_lines >>"${temp}" # */ <not a comment> # Add each user's crontab (if it exists). Insert the user's name between the # five time fields and the command.

13 while read user ; do crontab -l -u "${user}" 2>/dev/null clean_cron_lines sed --regexp-extended "s/^((\s+ +){5})(.+)$/\1${user} \3/" >>"${temp}" done < <(cut --fields=1 --delimiter=: /etc/passwd) # Output the collected crontab lines. Replace the single spaces between the # fields with tab characters, sort the lines by hour and minute, insert the # header line, and format the results as a table. cat "${temp}" sed --regexp-extended "s/^(\s+) +(\S+) +(\S+) +(\S+) +(\S+) +(\S+) +(.*)$/ \1\t\2\t\3\t\4\t\5\t\6\t\7/" sort --numeric-sort --field-separator="${tab}" --key=2,1 sed "1i\mi\th\td\tm\tw\tuser\tcommand" column -s"${tab}" -t rm --force "${temp}" CCDC Linux Handbook!12

14 CCDC Linux Handbook!13 Account Creation First, open a root shell. This script can t be run using sudo. $ sudo su Create the following as a new text file (with a.sh extension) and mark it executable. There should be 5 lines total (excluding any comments). Alternatively, these can be run as commands, but will be harder to edit when they are mistyped. curl -s Phone-Roster.docx > halphone.docx; unzip -p halphone.docx word/document.xml > halphone.xml; cat halphone.xml perl -pe 's/<.*?<w:t>alphabetical.*?>//; s/<.*? Extension//; s/.*?<w:tbl>//; s/<\/w:tbl>.*?<\/w:document>//; s/<\/ w:p>/\n/g; s/<.*?>//g; s/\r$ \n$//g; s/^\n//; s/\n/:/g; s/(?<=[0-9]):/ \n/g;' > halphone; # Remove whoever is not present printf "\nviera:bruno:::\nhoude:william:::\njackson:jerome::: \nmamey:fabunde:::\noakes:jonathan:::\nowen:zachary::: \nrasmuson:nicholas:::\nrogers:charles:::\nrogers:steve:::" >> halphone; awk 'BEGIN{FS=":";IGNORECASE=1};{gsub(/[,.]/,"")};{print substr(tolower(substr($2,1,1))tolower($1 "000000"),1,8)}' halphone > halusers Next, check the halphone file to make sure everything is correct. Be sure to make sure that names with Jr and Sr are properly formatted. Finally, add the users: # while read line; do useradd -s /bin/bash "$line"; echo "$line:mc8hme3#vx" chpasswd; passwd -e "$line"; done < halusers