Hardening an operating system is a must nowadays, and there are plenty of tools that can help with it. One of my favorites is CIS Hardened Images, which go further than most. Other products and vendors can help as well, such as Qualys and, finally, Azure Security Center. But a recommendation is only one part; the next part is implementing it.
So I launched the Azure Security Center Recommendations for Linux GitHub repo, which is based on the recommendations from Azure Security Center, and I hope some of you will contribute to it.
Alternatively, you can look at Security Technical Implementation Guide (STIG) scripts; I particularly recommend these forks, but you can always go to the upstream source:
https://github.com/MariuszFerdyn/Ubuntu_18.04_STIG
https://github.com/MariuszFerdyn/Standalone-Windows-STIG-Script
https://github.com/MariuszFerdyn/STIG-SCRIPTS
So once again, please visit:
https://github.com/MariuszFerdyn/AzureSecurityCenterOSRemediations/tree/main/Linux
and contribute. For now I cover only Red Hat/Fedora and the checks below; updates will be published only on GitHub:
| Name | CCE ID | Rule severity | Full description | Potential impact | Actual value (check performed) |
|---|---|---|---|---|---|
| Zeroconf networking should be disabled. | CCE-14054-1 | Critical | Zeroconf networking should be disabled. (disabled) | An attacker could abuse this to gain information on network systems, or spoof DNS requests due to flaws in its trust model | File /etc/sysconfig/network should contain one or more lines matching `^NOZEROCONF=\w+\s*$` |
| Performing source validation by reverse path should be enabled for all interfaces. (net.ipv4.conf.all.rp_filter = 1) | CCE-4080-8 | Critical | Performing source validation by reverse path should be enabled for all interfaces. (net.ipv4.conf.all.rp_filter = 1) | The system will accept traffic from addresses that are unroutable. | File /proc/sys/net/ipv4/conf/all/rp_filter should contain one or more lines matching `^1$` |
| Performing source validation by reverse path should be enabled for all interfaces. (net.ipv4.conf.default.rp_filter = 1) | CCE-3840-6 | Critical | Performing source validation by reverse path should be enabled for all interfaces. (net.ipv4.conf.default.rp_filter = 1) | The system will accept traffic from addresses that are unroutable. | File /proc/sys/net/ipv4/conf/default/rp_filter should contain one or more lines matching `^1$` |
| Disable SMB V1 with Samba | | Critical | | | No matching lines for expression `^\s*min protocol\s+=\s+SMB2` found in section: of file: /etc/samba/smb.conf |
| SSH host-based authentication should be disabled. ('/etc/ssh/sshd_config HostbasedAuthentication = no') | CCE-4370-3 | Critical | SSH host-based authentication should be disabled. ('/etc/ssh/sshd_config HostbasedAuthentication = no') | An attacker could use host-based authentication to gain access from a compromised host | File /etc/ssh/sshd_config should contain one or more lines matching `^[\s\t]*HostbasedAuthentication\s+no` |
| SSH must be configured and managed to meet best practices. ('/etc/ssh/sshd_config IgnoreRhosts = yes') | CCE-4030-3 | Critical | SSH must be configured and managed to meet best practices. ('/etc/ssh/sshd_config IgnoreRhosts = yes') | An attacker could use flaws in the Rhosts protocol to gain access | File /etc/ssh/sshd_config should contain one or more lines matching `^\s*IgnoreRhosts\s+yes` |
| File permissions for all rsyslog log files should be set to 640 or 600. | CCE-18095-0 | Critical | File permissions for all rsyslog log files should be set to 640. | An attacker could cover up activity by manipulating logs | File /etc/rsyslog.conf should contain one or more lines matching `^[\s]*.FileCreateMode\s+06[04]0` |
| Disable support for RDS. | CCE-14027-7 | Warning | Disable support for RDS. | An attacker could use a vulnerability in RDS to compromise the system | Found no files with lines matching `^install\srds` in /etc/modprobe.d/ |
| SSH must be configured and managed to meet best practices. ('/etc/ssh/sshd_config Protocol = 2') | CCE-4325-7 | Critical | SSH must be configured and managed to meet best practices. ('/etc/ssh/sshd_config Protocol = 2') | An attacker could use flaws in an earlier version of the SSH protocol to gain access | File /etc/ssh/sshd_config should contain one or more lines matching `^\s*Protocol\s+2$` |
| Ensure minimum days between password changes is 7 or more. | | Critical | | | File /etc/login.defs should contain one or more lines matching `^\s*PASS_MIN_DAYS\s+([7-9]` |
| Remote connections from accounts with empty passwords should be disabled. ('/etc/ssh/sshd_config PermitEmptyPasswords = no') | CCE-3660-8 | Critical | Remote connections from accounts with empty passwords should be disabled. ('/etc/ssh/sshd_config PermitEmptyPasswords = no') | An attacker could gain access through password guessing | File /etc/ssh/sshd_config should contain one or more lines matching `^[\s\t]*PermitEmptyPasswords\s+no` |
| Ensure SSH access is limited | | Critical | | | File /etc/ssh/sshd_config should contain one or more lines matching `^\s*(AllowUsers` |
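As an added example, not code from the AzureSecurityCenterOSRemediations repository or from Azure Security Center, here is a small POSIX sh helper that turns the sshd_config and rp_filter rows of the table above into audit and remediation functions. The function names, the deliberately non-compliant scratch sshd_config in `demo`, and the `/proc/sys` stand-in tree are constructed for this post; every path is a parameter, so the script can be exercised against a scratch copy of the files rather than straight against /etc.

```shell
#!/bin/sh
# Added example: audit and remediate the "file should contain one or more
# lines matching <regex>" checks from the table. Not the repo's own code;
# function names and sample data are constructed for this post.

# Return 0 if FILE has at least one line matching extended regex PATTERN,
# the same shape of check the "Actual value" column describes.
file_has_line() {
    [ -r "$1" ] && grep -Eq -- "$2" "$1"
}

# Idempotently enforce "KEY VALUE" in an sshd_config-style file: every
# existing line for KEY, active or commented out, is rewritten in place;
# if none exists the directive is appended. Rewriting through a temp file
# and cat keeps the original file's mode and owner. VALUE is assumed to
# contain no sed-special characters (true for the values in the table).
set_sshd_directive() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    touch "$file"
    if grep -Eq -- "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file"; then
        sed -E "s~^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?\$~${key} ${value}~" "$file" > "$tmp" \
            && cat "$tmp" > "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
    rm -f "$tmp"
}

# The four sshd_config rows of the table, as "KEY VALUE" pairs.
SSHD_WANT='HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
Protocol 2'

# Audit FILE against SSHD_WANT: print PASS/FAIL per row and return the
# number of failing rows (0 means every row is compliant).
audit_sshd() {
    local file="$1" failed=0 key want
    while read -r key want; do
        if file_has_line "$file" "^[[:space:]]*${key}[[:space:]]+${want}[[:space:]]*\$"; then
            echo "PASS ${key} ${want}"
        else
            echo "FAIL ${key} ${want}"; failed=$((failed + 1))
        fi
    done <<EOF
$SSHD_WANT
EOF
    return "$failed"
}

# Apply every SSHD_WANT directive to FILE (run audit_sshd again afterwards:
# a trailing Match block could still capture an appended directive).
remediate_sshd() {
    local key want
    while read -r key want; do
        set_sshd_directive "$1" "$key" "$want"
    done <<EOF
$SSHD_WANT
EOF
}

# Reverse-path filtering rows: both /proc files must read exactly "1".
# BASE defaults to /proc/sys; a constructed tree can stand in for tests.
audit_rp_filter() {
    local base="${1:-/proc/sys}" failed=0 iface
    for iface in all default; do
        if file_has_line "$base/net/ipv4/conf/$iface/rp_filter" '^1$'; then
            echo "PASS net.ipv4.conf.$iface.rp_filter = 1"
        else
            echo "FAIL net.ipv4.conf.$iface.rp_filter"; failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Walk through the sshd rows on a constructed scratch copy, never on /etc.
demo() {
    local scratch
    scratch="$(mktemp -d)"
    # constructed, deliberately non-compliant sshd_config
    printf '# HostbasedAuthentication yes\nPermitEmptyPasswords yes\nProtocol 2\n' \
        > "$scratch/sshd_config"
    echo "== before =="; audit_sshd "$scratch/sshd_config" || true
    remediate_sshd "$scratch/sshd_config"
    echo "== after ==";  audit_sshd "$scratch/sshd_config"
    rm -rf "$scratch"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh audit.sh demo` to see the before/after audit on the scratch copy; against a real host, call `audit_sshd /etc/ssh/sshd_config` and `audit_rp_filter` directly and only run `remediate_sshd` once the audit output is what you expect. The exit code of each audit function is the count of failing rows, so it drops straight into a CI or configuration-management check.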