CentOS 7 Hardening Guide
CentOS 7
Guidelines for CentOS 7 deployment personnel and
compliance readiness
Nikhil Firke
Note
This guide is intended for production-level deployments of CentOS 7.4. Consider
it a baseline for hardening the base operating system. We have removed the
services that are not used; if you need any of them, consult the hardening guide
for that specific service. This guide does not address web servers or database
servers running on CentOS; those are covered in separate, server-specific
hardening guides. We always appreciate input that improves this guide. To share
suggestions, please mail them to nikhil@orealz.com.
Contents
1:- Security Harden CentOS 7
23:- Disable IPv6 Support Automatically Loading (IF NOT USED)
25:- Disable Support for RPC IPv6 (IF NOT USED)
This guide covers only the base system and SSH hardening; I will document
hardening for specific services such as HTTPD, SFTP, LDAP and BIND separately.
• OpenSCAP Workbench allows you to customize your scan, should you not
agree with all hardening checks
If you do not get on with workbench or auditing from the command line,
Nessus has functionality for authenticated SCAP scans.
5:- Kickstart
The following RHEL kickstart file is a minimal install with a heavy partition
scheme, allowing for stricter mount options.
#version=RHEL7
install
# System authorization information
auth --enableshadow --passalgo=sha512
services --enabled=NetworkManager,sshd
reboot
%packages
@core
%end
%post
%end
#
# /etc/fstab
# Created by anaconda on Sat Oct 11 14:28:47 2014
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/lg_os-lv_root                  /               xfs   defaults                      1 1
UUID=d73c5d22-75ed-416e-aad2-8c1bb1dfc713  /boot           ext4  defaults,nosuid,noexec,nodev  1 2
/dev/mapper/lg_data-lv_home                /home           xfs   defaults                      1 2
/dev/mapper/lg_os-lv_tmp                   /tmp            xfs   defaults,nosuid,noexec,nodev  1 2
/dev/mapper/lg_os-lv_var                   /var            xfs   defaults,nosuid               1 2
/dev/mapper/lg_os-lv_var_tmp               /var/tmp        xfs   defaults,nosuid,noexec,nodev  1 2
/dev/mapper/lg_os-lv_var_tmp               /var/log        xfs   defaults,nosuid,noexec,nodev  1 2
/dev/mapper/lg_os-lv_var_tmp               /var/log/audit  xfs   defaults,nosuid,noexec,nodev  1 2
/dev/mapper/lg_data-lv_var_www             /var/www        xfs   defaults,nosuid,noexec,nodev  1 2
/dev/mapper/lg_data-lv_swap                swap            swap  defaults                      0 0
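A way to check that an fstab still carries the restrictive options the layout above depends on. This is an added example, not part of the original guide; the function name, the policy string format and the sample fstab are assumptions made for the illustration.

```bash
#!/bin/sh
# Constructed sample in fstab format, modelled on the layout above.
# Deliberate gaps: /tmp lacks nodev, /var/tmp lacks noexec, /var/log is absent.
SAMPLE_FSTAB='
# constructed sample, not a real host
/dev/mapper/lg_os-lv_root     /         xfs   defaults                      1 1
UUID=00000000-0000-0000-0000-000000000000 /boot ext4 defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_os-lv_tmp      /tmp      xfs   defaults,nosuid,noexec        1 2
/dev/mapper/lg_os-lv_var      /var      xfs   defaults,nosuid               1 2
/dev/mapper/lg_os-lv_var_tmp  /var/tmp  xfs   defaults,nosuid,nodev         1 2
'

# Policy as "mountpoint=required,options" entries (values taken from the fstab above).
POLICY='/boot=nosuid,noexec,nodev /tmp=nosuid,noexec,nodev /var=nosuid'
POLICY="$POLICY /var/tmp=nosuid,noexec,nodev /var/log=nosuid,noexec,nodev"

# audit_fstab POLICY   (fstab text on stdin)
# Prints "<mountpoint> missing <option>" or "<mountpoint> not-a-separate-mount".
audit_fstab() {
  awk -v policy="$1" '
    BEGIN {
      n = split(policy, entry, " ")
      for (i = 1; i <= n; i++) {
        split(entry[i], kv, "=")
        order[i] = kv[1]; want[kv[1]] = kv[2]
      }
    }
    /^[ \t]*#/ { next }                      # comment line
    NF >= 4    { opts[$2] = "," $4 "," }     # field 2 = mount point, field 4 = options
    END {
      for (i = 1; i <= n; i++) {
        mp = order[i]
        if (!(mp in opts)) { print mp " not-a-separate-mount"; continue }
        m = split(want[mp], need, ",")
        for (j = 1; j <= m; j++)             # comma-wrapped match avoids partial hits
          if (index(opts[mp], "," need[j] ",") == 0) print mp " missing " need[j]
      }
    }'
}

printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab "$POLICY"
```

To check what is actually mounted rather than what is configured, the same function can read the output of `findmnt -rn -o SOURCE,TARGET,FSTYPE,OPTIONS`, which puts the options in the fourth field as well.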
PASS_MIN_LEN 14
PASS_MIN_DAYS 1
PASS_MAX_DAYS 60
To do so, select a superuser account and password and add them into the
appropriate grub2 configuration file(s) under /etc/grub.d. Since plaintext passwords
are a security risk, generate a hash for the password by running the following
command:
grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected and insert the returned
password hash into the appropriate grub2 configuration file(s) under /etc/grub.d
immediately after the superuser account. (Use the output from
grub2-mkpasswd-pbkdf2 as the value of password-hash):
password_pbkdf2 superusers-account password-hash
Don't use common admin account names for the grub2 superuser
Avoid using common admin account names like root, admin or administrator
for the grub2 superuser account. To meet FISMA Moderate, the bootloader
superuser account password must differ from the root credentials.
grub2-mkconfig -o /boot/grub2/grub.cfg
Do NOT manually add the superuser account and password to the grub.cfg
file as the grub2-mkconfig command overwrites this file.
SINGLE=/sbin/sulogin
NETWORKING_IPV6=no
IPV6INIT=no
num_logs = 5
37.4) Auditd Max Log File Size
# max_log_file takes a plain number of megabytes, without a unit suffix
max_log_file = 30
max_log_file_action = rotate
37.6) Auditd space_left
To have auditd email you when space gets low, open
/etc/audit/auditd.conf and modify the following:
space_left_action = email
37.7) Auditd admin_space_left
Configure auditd to halt when auditd log space is used up, forcing the system
admin to rectify the space issue.
admin_space_left_action = halt
37.8) Auditd mail_acct
When space gets low, auditd can send an email notification. To configure
this, add the following line to /etc/audit/auditd.conf:
action_mail_acct = root
37.9) Configure auditd to use audispd plugin
Auditd cannot send logs directly to an external log server; however, the
audispd plugin passes audit records to the local syslog server. To enable this,
open /etc/audisp/plugins.d/syslog.conf and set the active line to yes, then
restart the audispd daemon:
The rpcidmapd service is used to map user names and groups to UID and GID
numbers on NFSv4 mounts. If NFS is not in use on the local system then this service
should be disabled. The rpcidmapd service can be disabled with the following
command:
Example:
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1
37.25) Specify Additional Remote NTP Servers
Open /etc/ntp.conf and add the following line:
server ntpserver
Use an internal NTP server if possible.
inet_interfaces = localhost
Change the greeting banner; the default banner discloses that the SMTP server
is Postfix.
sysctl -q -n -w kernel.randomize_va_space=2
Add kernel.randomize_va_space = 2 to /etc/sysctl.conf if it does not already
exist.
Check the BIOS and ensure XD/NX is enabled; this is not relevant for VMs.
42:- SELinux
42.1) Confirm SELinux is not disabled
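# CentOS 7 boots with GRUB 2: kernel arguments live in /etc/default/grub
sed -i "s/selinux=0//gI" /etc/default/grub
sed -i "s/enforcing=0//gI" /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg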
42.2) SELinux Targeted / Enforcing
Open /etc/selinux/config and check for SELINUX=enforcing and
SELINUXTYPE=targeted, depending on your requirements.
Protocol 2
44.2) Limit Users’ SSH Access
Open /etc/ssh/sshd_config and add:
ClientAliveCountMax 0
44.5) Disable SSH Support for .rhosts Files
SSH can emulate the behavior of the obsolete rsh command in allowing users
to enable insecure access to their accounts via .rhosts files.
IgnoreRhosts yes
44.6) Disable Host-Based Authentication
SSH’s cryptographic host-based authentication is more secure than .rhosts
authentication. However, it is not recommended that hosts unilaterally trust one
another, even within an organization.
HostbasedAuthentication no
44.7) Disable SSH Root Login
To disable root logins via SSH, open /etc/ssh/sshd_config and ensure the
following line exists:
PermitRootLogin no
44.8) Disable SSH Access via Empty Passwords
Open /etc/ssh/sshd_config:
PermitEmptyPasswords no
44.9) Enable a warning banner (Reinforce policy awareness).
Banner /etc/issue
44.10) Do Not Allow SSH Environment Options
To ensure users are not able to present environment options to the SSH
daemon, add or correct the following line in /etc/ssh/sshd_config:
PermitUserEnvironment no
44.11) Use Only Approved Ciphers
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR)
mode is also preferred over cipher-block chaining (CBC) mode. The following line in
/etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
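A check that an sshd_config really applies the settings from section 44, added here as an example and not part of the original guide. It follows sshd's own rules (keywords are case-insensitive, the first value read for a keyword is the one used, and lines after a Match line are conditional, so they are not counted as global settings); the function name, the WANT format and the sample file are assumptions.

```bash
#!/bin/sh
# Constructed sample sshd_config (not from a real host). Deliberate problems:
# PermitRootLogin is set twice, IgnoreRhosts is absent, and
# PermitUserEnvironment appears only inside a Match block.
SAMPLE_SSHD='
# constructed sample
Protocol 2
permitrootlogin yes
PermitRootLogin no
HostbasedAuthentication no
PermitEmptyPasswords no
Banner /etc/issue
Match User backup
    PermitUserEnvironment no
'

# Settings from section 44, as lowercase keyword=value pairs.
WANT='protocol=2 ignorerhosts=yes hostbasedauthentication=no permitrootlogin=no'
WANT="$WANT permitemptypasswords=no permituserenvironment=no banner=/etc/issue"

# audit_sshd WANT   (sshd_config text on stdin)
# Prints "FAIL keyword=value (want X)" or "UNSET keyword (want X)".
audit_sshd() {
  awk -v want="$1" '
    BEGIN {
      n = split(want, pair, " ")
      for (i = 1; i <= n; i++) {
        split(pair[i], kv, "=")
        order[i] = kv[1]; need[kv[1]] = kv[2]
      }
    }
    /^[ \t]*#/ || NF == 0   { next }               # comments and blank lines
    tolower($1) == "match"  { in_match = 1 }       # conditional block: not global
    in_match                { next }
    {
      k = tolower($1)                              # keywords are case-insensitive
      if (!(k in got)) got[k] = $2                 # sshd keeps the first value it reads
    }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (!(k in got)) print "UNSET " k " (want " need[k] ")"
        else if (got[k] != need[k]) print "FAIL " k "=" got[k] " (want " need[k] ")"
      }
    }'
}

printf '%s\n' "$SAMPLE_SSHD" | audit_sshd "$WANT"
```

On a live host, `sshd -T` prints the effective configuration with defaults resolved, and that output can be piped through the same function.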
45:- Secure X Windows
45.1) Disable X Windows Startup By Setting Runlevel
Disable the X Windows system, further reducing your attack surface.