Hardening Guide for

CentOS 7
Guidelines for CentOS 7 deployment personnel and
compliance readiness

Nikhil Firke
 Note

This guide is intended for the use of production level deployment in CentOS
7.4. You can consider this a baseline for hardening the Base Operating System. Here
we have removed the services that are not used. However, if you have the need then
you need to consider the hardening guides for the specific services. This guide does
not address the Web Servers or Database servers running on the CentOS. We have
covered that topic in separate hardening guides to specific servers. We always
appreciate your input to improvise this guide to a better level. If you want to share
your input please mail it to nikhil@orealz.com with your suggestions.
 Contents
1:- Security Harden CentOS 7................................................................................................ 6

2:- Based on a Minimal Install ............................................................................................... 6

3:- Issues with Security Hardening ...................................................................................... 6

4:- Why use OpenSCAP ? ........................................................................................................ 6

6:- Secure Partition Mount Options .................................................................................... 8

7:- Install NTP .............................................................................................................................. 9

8:- Configure System for AIDE .............................................................................................. 9

9:- Install AIDE ............................................................................................................................. 9

10:- Prevent Users Mounting USB Storage..................................................................... 10

11:- Enable Secure (high quality) Password Policy ...................................................... 10

12:- Secure /etc/login.defs Pasword Policy .................................................................... 11

13:- Set Last Logon/Access Notification .......................................................................... 11

14:- Max Password Login Attempts per Session .......................................................... 11

19:- Require Authentication for Single User Mode ..................................................... 13

20:- Disable Ctrl-Alt-Del Reboot Activation ................................................................... 13

21:- Enable Console Screen Locking ................................................................................. 13

22:- Disable Zeroconf Networking..................................................................................... 13

23:- Disable IPv6 Support Automatically Loading (IF NOT USED) ......................... 14

24:- Disable Interface Usage of IPv6 (IF NOT USED) ................................................... 14

25:- Disable Support for RPC IPv6 (IF NOT USED) ....................................................... 14

26:- Securing root Logins ...................................................................................................... 14

27:- Enable UMASK 077 ......................................................................................................... 14

28:- Prune Idle Users ............................................................................................................... 15

29:- Securing Cron ................................................................................................................... 15

30:- Sysctl Security ................................................................................................................... 15

31:- Deny All TCP Wrappers ................................................................................................. 15

32:- Basic iptables Firewall Rules ........................................................................................ 16

33:- Verify iptables Enabled ................................................................................................. 16

34:- Disable Uncommon Protocols.................................................................................... 16

35:- Ensure Rsyslog is installed ........................................................................................... 17

36:- Enable Rsyslog ................................................................................................................. 17

37:- Auditd - Audit Daemon ................................................................................................ 17

37.1) Enable auditd Service ............................................................................................. 17

37.2) Audit Processes Which Start Prior to auditd .................................................. 17

37.3) Auditd Number of Logs Retained ...................................................................... 17

37.4) Auditd Max Log File Size ....................................................................................... 17

37.5) Auditd max_log_file_action ................................................................................... 17

37.6) Auditd space_left ...................................................................................................... 18

37.7) Auditd admin_space_left ....................................................................................... 18

37.8) Auditd mail_acct ....................................................................................................... 18

37.9) Configure auditd to use audispd plugin.......................................................... 18

37.10) Auditd Rules: /etc/audit/audit.rules ................................................................ 18

37.11) Bulk Remove of Services ..................................................................................... 22

37.12) Bulk Enable / Disable Services .......................................................................... 23

37.13) Disable Secure RPC Client Service ................................................................... 24

37.14) Disable Secure RPC Server Service .................................................................. 24

37.15) Disable RPC ID Mapping Service ..................................................................... 24

37.16) Disable Network File Systems (netfs) ............................................................. 24

37.17) Disable Network File System (nfs) ................................................................... 24

37.18) If you don’t need SSH disable it ....................................................................... 24

37.19) Disable SSH iptables Firewall rule.................................................................... 24

37.20) Disable Avahi Server Software .......................................................................... 25

37.21) Disable the CUPS Service .................................................................................... 25

37.22) Disable DHCP Service........................................................................................... 25

37.23) Uninstall DHCP Server Package ........................................................................ 25

37.24) Disable DHCP Client ............................................................................................. 25

37.25) Specify Additional Remote NTP Servers ....................................................... 25

 37.26) Enable Postfix .......................................................................................................... 25

37.27) Remove Sendmail .................................................................................................. 26

37.28) Postfix Disable Network Listening ................................................................... 26

37.29) Disable xinetd Service .......................................................................................... 26

37.30) System Audit Logs Permissions ........................................................................ 26

37.31) System Audit Logs Must Be Owned By Root .............................................. 26

37.32) Disable autofs ......................................................................................................... 26

38:- Disable uncommon filesystems ................................................................................. 26

39:- Disable core dumps for all users ............................................................................... 26

40:- Disable core dumps for SUID programs ................................................................. 26

41:- Buffer Overflow Protection .......................................................................................... 27

41.1) Enable ExecShield .................................................................................................... 27

41.2) Check / Enable ASLR ............................................................................................... 27

41.3) Enable XD or NX Support on x86 Systems ..................................................... 27

42:- SELinux ................................................................................................................................ 28

42.1) Confirm SELinux is not disabled ......................................................................... 28

42.2) SELinux Targeted / Enforcing .............................................................................. 28

42.3) Enable the SELinux restorecond Service .......................................................... 28

42.4) Check no daemons are unconfined by SELinux ............................................ 28

43:- Prevent Log In to Accounts With Empty Password ............................................ 28

44:- Secure SSH ........................................................................................................................ 28

44.1) Allow Only SSH Protocol 2 ................................................................................... 28

44.2) Limit Users’ SSH Access ......................................................................................... 28

44.3) Set SSH Idle Timeout Interval .............................................................................. 28

44.4) Set SSH Client Alive Count ................................................................................... 29

44.5) Disable SSH Support for .rhosts Files ............................................................... 29

44.6) Disable Host-Based Authentication .................................................................. 29

44.7) Disable SSH Root Login ......................................................................................... 29

44.8) Disable SSH Access via Empty Passwords ....................................................... 29

44.9) Enable a warning banner (Renforce policy awareness). ............................. 29

44.10) Do Not Allow SSH Environment Options...................................................... 29

44.11) Use Only Approved Ciphers .............................................................................. 30

45.1) Disable X Windows Startup By Setting Runlevel .......................................... 30

45.2) Remove the X Windows Package Group ......................................................... 30

1:- Security Harden CentOS 7
This How-to walks you through the steps required to security harden CentOS
7, it’s based on the OpenSCAP benchmark, unfortunately the current version of
OpenSCAP that ships with CentOS does not offically support CentOS CPE’s. However,
there is a “workaround” that will allow OpenSCAP + OpenSCAP workbench to run on
CentOS.

2:- Based on a Minimal Install

To follow this guide you will need a minimal CentOS 7 install, ideally using the
Kick-start file below or copying its partition layout. Installing CentOS 7 using a
minimal installation reduces the attack surface and ensures you only install software
that you require.

This guide only covers the base system + SSH hardening, I will document
specific service hardening separately such as HTTPD, SFTP, LDAP, BIND etc…

In the section related to removing unrequired services, if you installed a

minimal centos 7 install, you will likely have nothing to remove or disable - I’ve
included this section for completeness.

3:- Issues with Security Hardening

After hardening a system, you may run into issues, hardening a system will
make it more restrictive, especially SELinux or filesystem related permission
hardening. When hardening a system for a specific task I recommend creating a
duplicate virtual machine you can use for troubleshooting should you run into a issue
that you think is related to security hardening, you’ll be able to confirm by running it
on the Vanilla system.

Obviously, do not expose the Vanilla (un-hardened) system to the

network!

4:- Why use OpenSCAP ?

After a lot of research I decided to use OpenSCAP over other security
hardening benchmarks / guides, here is my reasoning for doing so:

• It’s open, free and actively worked on

• It has an audit tool, essential to verify each system

• OpenSCAP has a GUI called, workbench

 • OpenSCAP Workbench supports remote audits via SSH

• OpenSCAP Workbench allows you to customize your scan, should you not
agree with all hardening checks

If you do not get on with workbench or auditing from the command line,
Nessus has functionality for authenticated SCAP scans.

5:- Kickstart
I’ve provided the following RHEL kickstart file below, it’s a minimal install with
a heavy partition scheme, allowing for stricter mount options.

#version=RHEL7
install
# System authorization information
auth --enableshadow --passalgo=sha512

# Use CDROM installation media

cdrom
# Accept EULA
eula --agreed

services --enabled=NetworkManager,sshd
reboot

# Run the Setup Agent on first boot

#firstboot --enable
ignoredisk --only-use=sda
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# System language
lang en_US.UTF-8
# SELinux
selinux --enforcing
# Network information
network --bootproto=dhcp --device=eno16777736 --onboot=on --ipv6=off
network --hostname=default-vm
# Root password
rootpw --iscrypted HASHGOESHERE
# System timezone
timezone Europe/London --isUtc --ntpservers=prime.transformers
# System bootloader configuration
bootloader --location=mbr --boot-drive=sda
# Partition clearing information
clearpart --all --drives=sda
ignoredisk --only-use=sda
# LVM

# Disk partitioning information

part pv.18 --fstype="lvmpv" --ondisk=sda --size=8004
part pv.11 --fstype="lvmpv" --ondisk=sda --size=8004
part /boot --fstype="ext4" --ondisk=sda --size=1000
volgroup lg_data --pesize=4096 pv.18
volgroup lg_os --pesize=4096 pv.11
logvol / --fstype="xfs" --size=4000 --name=lv_root --vgname=lg_os
logvol /home --fstype="xfs" --size=2000 --name=lv_home --vgname=lg_data
logvol /tmp --fstype="xfs" --size=1000 --name=lv_tmp --vgname=lg_os
logvol /var --fstype="xfs" --size=2000 --name=lv_var --vgname=lg_os
logvol /var/tmp --fstype="xfs" --size=1000 --name=lv_var_tmp --vgname=lg_os
logvol /var/www --fstype="xfs" --size=5000 --name=lv_var_www --
vgname=lg_data
logvol /var/log --fstype="xfs" --size=1500 --name=lv_var_log --vgname=lg_os
logvol /var/log/audit --fstype="xfs" --size=500 --name=lv_var_log_audit -
-vgname=lg_os
logvol swap --fstype="swap" --size=1000 --name=lv_swap --vgname=lg_data

%packages
@core
%end

%post
%end

6:- Secure Partition Mount Options

Your millage will vary here, for example if you have a website that uses cgi-bin
executables you won’t be able to use the noexec mount options, but you can and
should use it on /tmp and /var/tmp as this is typically the first place an attacker will
attempt to write and execute from when performing privilege escalation.

Your /etc/fstab file should look something like:

#
# /etc/fstab
# Created by anaconda on Sat Oct 11 14:28:47 2014
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/lg_os-lv_root / xfs defaults 1
1
UUID=d73c5d22-75ed-416e-aad2-8c1bb1dfc713 /boot ext4
defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_data-lv_home /home xfs defaults 1
2
/dev/mapper/lg_os-lv_tmp /tmp xfs
defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_os-lv_var /var xfs defaults,nosuid
1 2
/dev/mapper/lg_os-lv_var_tmp /var/tmp xfs
defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_os-lv_var_tmp /var/log xfs
defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_os-lv_var_tmp /var/log/audit xfs
defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_data-lv_var_www /var/www xfs
defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_data-lv_swap swap swap defaults 0
0

7:- Install NTP

NTP is required for a number of compliance audits and is general good
practice.

yum install ntp ntpdate

chkconfig ntpd on
ntpdate pool.ntp.org
/etc/init.d/ntpd start

8:- Configure System for AIDE

Pre-linking binaries (arguably) improved execution time, however this cause
issues with AIDE, so it must be disabled.

Open /etc/sysconfig/prelink and make sure the line Set PRELINKING=no is

present, if you’re writing a script:

# Disable prelinking altogether

#
if grep -q ^PRELINKING /etc/sysconfig/prelink
then
sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
else
echo -e "\n# Set PRELINKING=no per security requirements" >>
/etc/sysconfig/prelink
echo "PRELINKING=no" >> /etc/sysconfig/prelink
fi
Disable previous prelink changes to binaries:
Disable previous prelink changes to binaries
root:~# /usr/sbin/prelink -ua

9:- Install AIDE

Install AIDE - Advanced Intrusion Detection Environment
yum install aide -y && /usr/sbin/aide --init && cp
/var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz && /usr/sbin/aide --
check
Configure periodic execution of AIDE, runs every morning at 04:30
echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab

10:- Prevent Users Mounting USB Storage

echo "install usb-storage /bin/false" > /etc/modprobe.d/usb-storage.conf

11:- Enable Secure (high quality) Password Policy

The following command will Enable SHA512 instead of using MD5:

authconfig --passalgo=sha512 —update

vi /etc/security/pwquality.conf
# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
difok = 5
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
minlen = 14
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
dcredit = 1
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
ucredit = 1
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
lcredit = 1
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
ocredit = 1
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
minclass = 4
#
# The maximum number of allowed consecutive same characters in the new
password.
# The check is disabled if the value is 0.
maxrepeat = 3
#
# The maximum number of allowed consecutive characters of the same class in
the
# new password.
# The check is disabled if the value is 0.
maxclassrepeat = 3
#
# Whether to check for the words from the passwd entry GECOS string of the
user.
# The check is enabled if the value is not 0.
gecoscheck = 1
#
# Path to the cracklib dictionaries. Default is to use the cracklib default.
# dictpath =

12:- Secure /etc/login.defs Pasword Policy

Add the following to /etc/login.defs

PASS_MIN_LEN 14
PASS_MIN_DAYS 1
PASS_MAX_DAYS 60

13:- Set Last Logon/Access Notification

Open /etc/pam.d/system-auth and add the following line immediately after
session required pam_limits.so:

session required pam_lastlog.so showfailed

14:- Max Password Login Attempts per Session

Set the amount of password reprompts per session, by editing the
pam_pwquality.so statement in /etc/pam.d/system-auth to retry=3 or lower.

15:- Set Deny For Failed Password Attempts

Blocks logins for failed authentication on accounts.
 Add the following lines immediately below the pam_unix.so statement in
AUTH section of both /etc/pam.d/system-auth and /etc/pam.d/password-auth:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800

fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800
fail_interval=900

16:- Limit Password Reuse

Open /etc/pam.d/system-auth, append remember=24 to the pam_unix.so line
- preventing users from reusing passwords, remembering 24 times is the DoD
standard.

The line should look like:

password sufficient pam_unix.so existing_options remember=24

17:- Verify /boot/grub2/grub.cfg Permissions

Set grub.conf to chmod 600:

sudo chmod 600/boot/grub2/grub.cfg

18:- Set Boot Loader Password

The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.

To do so, select a superuser account and password and add them into the
appropriate grub2 configuration file(s) under /etc/grub.d. Since plaintext passwords
are a security risk, generate a hash for the pasword by running the following
command:

grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected and insert the returned
password hash into the appropriate grub2 configuration file(s) under /etc/grub.d
immediately after the superuser account. (Use the output from grub2-mkpasswd-
pbkdf2 as the value of password-hash):

password_pbkdf2 superusers-accountpassword-hash
 Don't use common admin account names for the grub2 superuser

Avoid using common admin account names like, root, admin or administrator
for the grub2 superuser account. To meet FISMA Moderate, the bootloader
superuser account password must differ from the root credentials.

grub2-mkconfig -o /boot/grub2/grub.cfg

Don't manually add the superuser account to grub.cfg

Do NOT manually add the superuser account and password to the grub.cfg
file as the grub2-mkconfig command overwrites this file.

19:- Require Authentication for Single User Mode

Require root password when entering single user mode, open
/etc/sysconfig/init and add the line:

SINGLE=/sbin/sulogin

20:- Disable Ctrl-Alt-Del Reboot Activation

Prevernt ALT+CTRL+DEL from rebooting.

Open /etc/init/control-alt-delete.conf and modify the existing line:

exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

To:

exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"

21:- Enable Console Screen Locking

Install the screen Package to allow console screen locking.

sudo yum install screen

Users can now run screen and lock the console with ctrl+a x.

22:- Disable Zeroconf Networking

Zeroconf network typically occours when you fail to get an address via DHCP,
the interface will be assigned a 169.254.0.0 address.
 To prevernt this:

echo "NOZEROCONF=yes" >> /etc/sysconfig/network

23:- Disable IPv6 Support Automatically Loading (IF NOT

USED)
Open /etc/modprobe.d/disabled.conf and add the line:

options ipv6 disable=1

24:- Disable Interface Usage of IPv6 (IF NOT USED)

Add the following to /etc/sysconfig/network

NETWORKING_IPV6=no
IPV6INIT=no

25:- Disable Support for RPC IPv6 (IF NOT USED)

RPC services like NFSv4 attempt to start using IPv6 even if it’s disabled in
/etc/modprobe.d. To prevent this behaviour open /etc/netconfig and comment the
following lines:

udp6 tpi_clts v inet6 udp - -

tcp6 tpi_cots_ord v inet6 tcp - -

26:- Securing root Logins

Only allow root logins via local terminal:

echo "tty1" > /etc/securetty

chmod 700 /root

27:- Enable UMASK 077

Can causes issues on systems where users share files:

perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/bashrc

perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/csh.cshrc
28:- Prune Idle Users
echo "Idle users will be removed after 15 minutes"
echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh
echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
chmod +x /etc/profile.d/os-security.sh

29:- Securing Cron

echo "Locking down Cron"
touch /etc/cron.allow
chmod 600 /etc/cron.allow
awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/cron.deny
echo "Locking down AT"
touch /etc/at.allow
chmod 600 /etc/at.allow
awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/at.deny

30:- Sysctl Security

/etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0

31:- Deny All TCP Wrappers

TCP wrappers can provide a quick and easy method for controlling access to
applications linked to them. Examples of TCP Wrapper aware applications are sshd,
and portmap.

Below commands block all but SSH:

echo "ALL:ALL" >> /etc/hosts.deny
echo "sshd:ALL" >> /etc/hosts.allow

32:- Basic iptables Firewall Rules

Basic iptables Firewall rules, set to denyall as the default.

#Drop anything we aren't explicitly allowing. All outbound traffic is okay

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Accept Pings
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Log anything on eth0 claiming it's from a local or non-routable network
# If you're using one of these local networks, remove it from the list below
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: "
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
-A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: "
-A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: "
-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "
# Accept any established connections
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept ssh traffic. Restrict this to known ips if possible.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j
ACCEPT
#Log and drop everything else
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT

33:- Verify iptables Enabled

sudo systemctl enable iptables
systemctl start iptables.service

34:- Disable Uncommon Protocols

The following Protocols will be disabled:

• Datagram Congestion Control Protocol (DCCP)

 • Stream Control Transmission Protocol (SCTP)

• Reliable Datagram Sockets (RDS)

• Transparent Inter-Process Communication (TIPC)

echo "install dccp /bin/false" > /etc/modprobe.d/dccp.conf

echo "install sctp /bin/false" > /etc/modprobe.d/sctp.conf
echo "install rds /bin/false" > /etc/modprobe.d/rds.conf
echo "install tipc /bin/false" > /etc/modprobe.d/tipc.conf

35:- Ensure Rsyslog is installed

yum -y install rsyslog

36:- Enable Rsyslog

systemctl enable rsyslog.service
systemctl start rsyslog.service

37:- Auditd - Audit Daemon

37.1) Enable auditd Service
systemctl enable auditd.service
systemctl start auditd.service
37.2) Audit Processes Which Start Prior to auditd
Audit process which start before the Audit Daemon.

Add the following line to /etc/grub.conf:

kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet

audit=1
37.3) Auditd Number of Logs Retained
Open /etc/audit/auditd.conf and add or modify:

num_logs = 5
37.4) Auditd Max Log File Size
max_log_file = 30MB

37.5) Auditd max_log_file_action

Open /etc/audit/auditd.conf and set this to rotate.

max_log_file_action = rotate
 37.6) Auditd space_left
Configure auditd to email you when space gets low, open
/etc/audit/auditd.conf and modify the following:

space_left_action = email
37.7) Auditd admin_space_left
Configure auditd to halt when auditd log space is used up, forcing the system
admin to rectify the space issue.

On some systems where monitoring is less important another action could be

leveraged.

admin_space_left_action = halt
37.8) Auditd mail_acct
When space gets low auditd can send a email notification via email, to
configure this and the following line to /etc/audit/auditd.conf:

action_mail_acct = root
37.9) Configure auditd to use audispd plugin
Auditd does not have the functionality to send logs directly to an external log
server, however the audispd plugin pass audit records to the local syslog server, to
enable this open /etc/audisp/plugins.d/syslog.conf and set the active line to yes, then
restart audispd daemon:

sudo service auditd restart

37.10) Auditd Rules: /etc/audit/audit.rules
Open /etc/audit/audit.rules and add the following lines to monitor various
system files and activities:

# audit_time_rules - Record attempts to alter time through adjtime

-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules

# audit_time_rules - Record attempts to alter time through settimeofday

-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules

# audit_time_rules - Record Attempts to Alter Time Through stime

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime
-k audit_time_rules

# audit_time_rules - Record Attempts to Alter Time Through clock_settime

-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules

# Record Attempts to Alter the localtime File

-w /etc/localtime -p wa -k audit_time_rules
# Record Events that Modify User/Group Information
# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes

# Record Events that Modify the System's Network Environment

# audit_network_modifications
-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k
audit_network_modifications
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications

#Record Events that Modify the System's Mandatory Access Controls

-w /etc/selinux/ -p wa -k MAC-policy

#Record Events that Modify the System's Discretionary Access Controls -

chmod
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k
perm_mod
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k
perm_mod

#Record Events that Modify the System's Discretionary Access Controls -

chown
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k
perm_mod
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k
perm_mod

#Record Events that Modify the System's Discretionary Access Controls -

fchmod
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k
perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k
perm_mod

#Record Events that Modify the System's Discretionary Access Controls -

fchmodat
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k
perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k
perm_mod

#Record Events that Modify the System's Discretionary Access Controls -

fchown
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k
perm_mod
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k
perm_mod

#Record Events that Modify the System's Discretionary Access Controls -

fchownat
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k
perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k
perm_mod

#Record Events that Modify the System's Discretionary Access Controls -

fremovexattr
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295
-k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295
-k perm_mod

#Record Events that Modify the System's Discretionary Access Controls -

fsetxattr
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -
k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -
k perm_mod

#Record Events that Modify the System's Discretionary Access Controls -

lchown
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k
perm_mod
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k
perm_mod

#Record Events that Modify the System's Discretionary Access Controls -

lremovexattr
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295
-k perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295
-k perm_mod

#Record Events that Modify the System's Discretionary Access Controls -

lsetxattr
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -
k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -
k perm_mod

#Record Events that Modify the System's Discretionary Access Controls -

removexattr
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295
-k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295
-k perm_mod-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F
auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k
perm_mod
#Record Events that Modify the System's Discretionary Access Controls -
fchown
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k
perm_mod
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k
perm_mod

#Record Events that Modify the System's Discretionary Access Controls -

fchownat
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k
perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k
perm_mod

#Record Events that Modify the System's Discretionary Access Controls -

fremovexattr
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295
-k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295
-k perm_mod

#Record Events that Modify the System's Discretionary Access Controls -

fsetxattr
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -
k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -
k perm_mod

#Record Events that Modify the System's Discretionary Access Controls -

removexattr
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295
-k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295
-k perm_mod

#Record Events that Modify the System's Discretionary Access Controls -

setxattr
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k
perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k
perm_mod

#Record Attempts to Alter Logon and Logout Events

-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins

#Record Attempts to Alter Process and Session Initiation Information

-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session

#Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)

-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at
-S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -
k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at
-S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -
k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at
-S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -
k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at
-S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -
k access

#Ensure auditd Collects Information on the Use of Privileged Commands

#
# Find setuid / setgid programs then modify and uncomment the line below.
#
## sudo find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null
#
# -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=500 -F
auid!=4294967295 -k privileged

#Ensure auditd Collects Information on Exporting to Media (successful)

-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k
export

#Ensure auditd Collects File Deletion Events by User

-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S
renameat -F auid>=500 -F auid!=4294967295 -k delete

#Ensure auditd Collects System Administrator Actions

-w /etc/sudoers -p wa -k actions

#Ensure auditd Collects Information on Kernel Module Loading and Unloading

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

#Make the auditd Configuration Immutable

-e 2
##Removal of Unrequired Services
The section outlines software that should be removed, instruction for
disabling the service is also documented.

37.11) Bulk Remove of Services

# Remove

yum remove xinetd

yum remove telnet-server
yum remove rsh-server
yum remove telnet
yum remove rsh-server
yum remove rsh
yum remove ypbind
yum remove ypserv
yum remove tftp-server
yum remove cronie-anacron
yum remove bind
yum remove vsftpd
yum remove httpd
yum remove dovecot
yum remove squid
yum remove net-snmpd
37.12) Bulk Enable / Disable Services
#Disable / Enable

systemctl disable xinetd

systemctl disable rexec
systemctl disable rsh
systemctl disable rlogin
systemctl disable ypbind
systemctl disable tftp
systemctl disable certmonger
systemctl disable cgconfig
systemctl disable cgred
systemctl disable cpuspeed
systemctl enable irqbalance
systemctl disable kdump
systemctl disable mdmonitor
systemctl disable messagebus
systemctl disable netconsole
systemctl disable ntpdate
systemctl disable oddjobd
systemctl disable portreserve
systemctl enable psacct
systemctl disable qpidd
systemctl disable quota_nld
systemctl disable rdisc
systemctl disable rhnsd
systemctl disable rhsmcertd
systemctl disable saslauthd
systemctl disable smartd
systemctl disable sysstat
systemctl enable crond
systemctl disable atd
systemctl disable nfslock
systemctl disable named
systemctl disable httpd
systemctl disable dovecot
systemctl disable squid
systemctl disable snmpd
 37.13) Disable Secure RPC Client Service
Disable rpcgssd:

The rpcgssd service manages RPCSEC GSS contexts required to secure

protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the
client-side of RPCSEC GSS. If the system does not require secure RPC then this
service should be disabled. The rpcgssd service can be disabled with the following
command:

systemctl disable rpcgssd

37.14) Disable Secure RPC Server Service
Disable rpcsvcgssd:

systemctl disable rpcsvcgssd

37.15) Disable RPC ID Mapping Service
Disable rpcidmapd.

The rpcidmapd service is used to map user names and groups to UID and GID
numbers on NFSv4 mounts. If NFS is not in use on the local system then this service
should be disabled. The rpcidmapd service can be disabled with the following
command:

systemctl disable rpcidmapd

37.16) Disable Network File Systems (netfs)
The netfs script manages the boot-time mounting of several types of
networked filesystems, of which NFS and Samba are the most common. If these
filesystem types are not in use, the script can be disabled, protecting the system
somewhat against accidental or malicious changes to /etc/fstab and against flaws in
the netfs script itself. The netfs service can be disabled with the following command:

sudo systemctl disable netfs

37.17) Disable Network File System (nfs)
systemctl disable nfs
37.18) If you don’t need SSH disable it
systemctl disable sshd
37.19) Disable SSH iptables Firewall rule
Only do this if you don’t need SSH.

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

Tips™ - You probable need to leave SSH alone
 Unless you know you don't need SSH, leave SSH and it's iptables rule enabled.

###Remove Rsh Trust Files

rm /etc/hosts.equiv
rm ~/.rhosts
37.20) Disable Avahi Server Software
The avahi-daemon service can be disabled with the following command:

systemctl disable avahi-daemon

37.21) Disable the CUPS Service
If you don’t need CUPS, disable it to further reduce your attack surface:

systemctl disable cups

37.22) Disable DHCP Service
The dhcpd service should be disabled on any system that does not need to act
as a DHCP server.

systemctl disable dhcpd

37.23) Uninstall DHCP Server Package
If you don’t need a DHCP client, remove it:

yum erase dhcp

37.24) Disable DHCP Client
Open /etc/sysconfig/network-scripts/ifcfg-eth0 (if you have more interfaces,
do this for each one) and make sure the address is statically assigned with the
BOOTPROTO=none

Example:

BOOTPROTO=none

NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1
37.25) Specify Additional Remote NTP Servers
Open /etc/ntp.conf and add the following line:

server ntpserver
Use an internal NTP server if possible.

37.26) Enable Postfix

systemctl enable postfix
 37.27) Remove Sendmail
yum remove sendmail
37.28) Postfix Disable Network Listening
Open, /etc/postfix/main.cf and ensure the following inet_interfaces line
appears:

inet_interfaces = localhost
Change the greeting banner, the default banner discloses the SMTP server is
Postfix.

37.29) Disable xinetd Service

sudo systemctl disable xinetd
37.30) System Audit Logs Permissions
System audit logs must have 0640 or less permissions set.

sudo chmod 0640 audit_file

37.31) System Audit Logs Must Be Owned By Root
sudo chown root/var/log
37.32) Disable autofs
chkconfig --level 0123456 autofs off
service autofs stop

38:- Disable uncommon filesystems

echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf
echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf
echo "install jffs2 /bin/false" > /etc/modprobe.d/jffs2.conf
echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf
echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf
echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf
echo "install udf /bin/false" > /etc/modprobe.d/udf.conf

39:- Disable core dumps for all users

vi /etc/security/limits.conf
* hard core 0

40:- Disable core dumps for SUID programs

Run

sysctl -w fs.suid_dumpable=0 and fs.suid_dumpable = 0.

# Set runtime for fs.suid_dumpable
#
sysctl -q -n -w fs.suid_dumpable=0
#
# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0"
# else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf
#
if grep --silent ^fs.suid_dumpable /etc/sysctl.conf ; then
sed -i 's/^fs.suid_dumpable.*/fs.suid_dumpable = 0/g' /etc/sysctl.conf
else
echo "" >> /etc/sysctl.conf
echo "# Set fs.suid_dumpable to 0 per security requirements" >>
/etc/sysctl.conf
echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
fi

41:- Buffer Overflow Protection

This section helps mitigate against Buffer Overflow attacks (BOF).

41.1) Enable ExecShield

Helps prevent stack smashing / BOF.

Enable on current kernel: sysctl -w kernel.exec-shield=1

Add to /etc/sysctl.conf:
kernel.exec-shield = 1
41.2) Check / Enable ASLR
Set runtime for kernel.randomize_va_space

sysctl -q -n -w kernel.randomize_va_space=2
Add kernel.randomize_va_space = 2 to /etc/sysctl.conf if it does not already
exist.

41.3) Enable XD or NX Support on x86 Systems

Recent processors in the x86 family support the ability to prevent code
execution on a per memory page basis. Generically and on AMD processors, this
ability is called No Execute (NX), while on Intel processors it is called Execute
Disable (XD). This ability can help prevent exploitation of buffer overflow
vulnerabilities and should be activated whenever possible. Extra steps must be taken
to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other
processors, such as Itanium and POWER, have included such support since inception
and the standard kernel for those platforms supports the feature.

Check bios and ensure XD/NX is enabled, not relevant for VM’s.
42:- SELinux
42.1) Confirm SELinux is not disabled
sed -i "s/selinux=0//gI" /etc/grub.conf
sed -i "s/enforcing=0//gI" /etc/grub.conf
42.2) SELinux Targeted / Enforcing
Open /etc/selinux/config and check for SELINUXTYPE=targeted or
SELINUXTYPE=enforcing, depending on your requirements.

42.3) Enable the SELinux restorecond Service

The restorecond service utilizes inotify to look for the creation of new files
listed in the /etc/selinux/restorecond.conf configuration file. When a file is created,
restorecond ensures the file receives the proper SELinux security context. The
restorecond service can be enabled with the following command:

Enable restorecond for all run levels:

chkconfig --level 0123456 restorecond on
Start restorecond if not currently running:
service restorecond start
42.4) Check no daemons are unconfined by SELinux
Run:

sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' '

' | awk '{ print $NF }’
This should return no output.

43:- Prevent Log In to Accounts With Empty Password

sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth

44:- Secure SSH

44.1) Allow Only SSH Protocol 2
Open /etc/ssh/sshd_config and ensure the following line exists:

Protocol 2
44.2) Limit Users’ SSH Access
Open /etc/ssh/sshd_config and add:

DenyUsers USER1 USER2

44.3) Set SSH Idle Timeout Interval
To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config
as follows:
ClientAliveInterval interval
44.4) Set SSH Client Alive Count
To ensure the SSH idle timeout occurs precisely when the
ClientAliveCountMax is set, edit /etc/ssh/sshd_config as follows:

ClientAliveCountMax 0
44.5) Disable SSH Support for .rhosts Files
SSH can emulate the behavior of the obsolete rsh command in allowing users
to enable insecure access to their accounts via .rhosts files.

To ensure this behavior is disabled, add or correct the following line in

/etc/ssh/sshd_config:

IgnoreRhosts yes
44.6) Disable Host-Based Authentication
SSH’s cryptographic host-based authentication is more secure than .rhosts
authentication. However, it is not recommended that hosts unilaterally trust one
another, even within an organization.

To disable host-based authentication, add or correct the following line in

/etc/ssh/sshd_config:

HostbasedAuthentication no
44.7) Disable SSH Root Login
Disable root logins via SSH, open /etc/ssh/sshd_config and ensure the
following line exists:

PermitRootLogin no
44.8) Disable SSH Access via Empty Passwords
Open /etc/ssh/sshd_config:

PermitEmptyPasswords no
44.9) Enable a warning banner (Renforce policy awareness).
Banner /etc/issue
44.10) Do Not Allow SSH Environment Options
To ensure users are not able to present environment options to the SSH
daemon, add or correct the following line in /etc/ssh/sshd_config:

PermitUserEnvironment no
 44.11) Use Only Approved Ciphers
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR)
mode is also preferred over cipher-block chaining (CBC) mode. The following line in
/etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-
cbc,aes256-cbc
45:- Secure X Windows
45.1) Disable X Windows Startup By Setting Runlevel
Disable X windows system, further reducing your attack surface.

Add id:3:initdefault: to /etc/inittab.

45.2) Remove the X Windows Package Group

yum groupremove "X Window System"
46:- Prompt OS update installation
A process for prompt installation of OS updates must exist
yum -y install yum-cron
chkconfig yum-cron on
Make sure yum-cron is set to “check only”, I don’t recommend installing
updates automatically.