The hardening checklists are based on the comprehensive checklists produced by CIS. The Information Security Office has distilled the CIS lists down to the most critical steps for your systems, with a particular focus on configuration issues that are unique to the computing environment at The University of Texas at Austin.
How to use the checklist
Print the checklist and check off each item you complete to ensure that you cover the critical steps for securing your server. The Information Security Office uses this checklist during risk assessments as part of the process to verify that servers are secure.
How to read the checklist
Step - The step number in the procedure. If there is a UT Note for this step, the note # corresponds to the step #.
Check √ - This is for administrators to check off when she/he completes this portion.
To Do - Basic instructions on what to do to harden the respective system
CIS - Reference number in the Center for Internet Security Red Hat Enterprise Linux 7 Benchmark v1.1.0. The CIS document outlines in much greater detail how to complete each step.
UT Note - The UT Note at the bottom of the page provides additional detail about the step for the university computing environment.
Cat I - For systems that include Category-I data, required steps are denoted with the ! symbol. All steps are recommended.
Cat II/III - For systems that include Category-II or -III data, all steps are recommended, and some are required (denoted by the !).
Min Std - This column links to the specific requirement for the university in the Minimum Security Standards for Systems document.
Server Information
MAC Address |
|
IP Address |
|
Machine Name |
|
Asset Tag |
|
Administrator Name |
|
Date |
|
Step | √ | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|
| Preparation and Physical Security |
|
|
|
|
|
---|---|---|---|---|---|---|---|
1 |
| If machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened. |
| ! | ! | ||
2 |
| Set a BIOS/firmware password. |
|
| ! |
| |
3 | Configure the device boot order to prevent unauthorized booting from alternate media. | ||||||
4 | Use the latest version of RHEL available, if possible. | 1.7 | ! | ! | 5.2 | ||
Filesystem Configuration | |||||||
5 | Create a separate partition with the nodev, nosuid, and noexec options set for /tmp. | 1.1.1-.4 | |||||
6 | Create separate partitions for /var, /var/log, /var/log/audit, and /home. | 1.1.{5,7,8,9} | |||||
7 | Bind mount /var/tmp to /tmp. | 1.1.6 | |||||
8 | Set nodev option to /home. | 1.1.10 | |||||
9 | Set nodev, nosuid, and noexec options on /dev/shm. | 1.1.14-.16 | |||||
10 | Set sticky bit on all world-writable directories. | 1.1.17 | |||||
|
| System Updates |
|
|
|
|
|
11 | Register with Red Hat Satellite Server so that the system can receive patch updates. | 1.2.1 | § | ! | ! | 5.2 | |
12 | Install the Red Hat GPG key and enable gpgcheck. | 1.2.2-.3 | |||||
Secure Boot Settings | |||||||
13 | Set user/group owner to root, and permissions to read and write for root only, on /boot/grub2/grub.cfg. | 1.5.1-.2 | |||||
14 | Set boot loader password. | 1.5.3 | |||||
15 | Remove the X Window system. | 3.2 | § | ||||
16 |
| Disable X Font Server. |
|
|
|
|
|
Process Hardening | |||||||
17 | Restrict core dumps. | 1.6.1 | |||||
18 | Enable Randomized Virtual Memory Region Placement. | 1.6.2 | ! | ||||
OS Hardening | |||||||
19 | Remove legacy services (e.g., telnet-server; rsh, rlogin, rcp; ypserv, ypbind; tftp, tftp-server; talk, talk-server) | 2.1.{1,3-10} | ! | ! | |||
20 |
| Disable any services and applications started by xinetd or inetd that are not being utilized. |
| ! | ! | ||
21 | Remove xinetd, if possible. | 2.1.11 | ! | ||||
22 | Disable legacy services (e.g., chargen-dgram, chargen-stream, daytime-dgram, daytime-stream, echo-dgram, echo-stream, tcpmux-server) | 2.1.{12-18} | ! | ! | |||
23 | Disable or remove server services that are not going to be utilized (e.g., FTP, DNS, LDAP, SMB, DHCP, NFS, SNMP, etc.) | ! | 5.4 | ||||
24 | Set Daemon umask | 3.1 | |||||
Network Security and Firewall Configuration | |||||||
25 |
| Limit connections to services running on the host to authorized users of the service via firewalls and other access control technologies. | 4.7 | ! | ! | ||
26 | Disable IP forwarding. | 4.1.1 | |||||
27 | Disable send packet redirects. | 4.1.2 | |||||
28 | Disable source routed packet acceptance. | 4.2.1 | |||||
29 | Disable ICMP redirect acceptance. | 4.2.2 | |||||
30 | Enable Ignore Broadcast Requests. | 4.2.5 | |||||
31 | Enable Bad Error Message Protection. | 4.2.6 | |||||
32 | Enable TCP/SYN cookies. | 4.2.8 | |||||
Remote Administration via SSH | |||||||
33 |
| Set SSH protocol to 2. | 6.2.1 | ! | ! | ||
34 | Set SSH LogLevel to INFO. | 6.2.2 | ! | ! | |||
35 | Disable SSH Root login. | 6.2.8 | |||||
36 | Set SSH PermitEmptyPasswords to No. | 6.2.9 | ! | ! | |||
System Integrity and Intrusion Detection | |||||||
37 | Install and configure AIDE. | 1.3.1-.2 | § | 5.8 | |||
38 | Configure SELinux. | 1.4.1-.6 | |||||
39 | Install and configure OSSec HIDS. | ||||||
|
| Logging |
|
|
|
|
|
40 |
| Configure Network Time Protocol (NTP). | 3.6 | ! |
|
| |
41 |
| Enable system accounting (auditd). | 5.2 | ! |
| ||
42 | Install and configure rsyslog. | 5.1.1-.4 | ! | ||||
43 |
| All administrator or root access must be logged. |
| ! |
| ||
44 | Configure log shipping to separate device/service | 5.1.5 | |||||
|
| Files/Directory Permissions/Access |
|
|
|
|
|
45 |
| Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested. |
| ! |
| ||
|
| PAM Configuration |
|
|
|
|
|
46 |
| Ensure that the configuration files for PAM, /etc/pam.d/* are secure. | 6.3 | ! | ! | ||
47 | Upgrade password hashing algorithm to SHA-512. | 6.3.1 | ! | ||||
48 | Set password creation requirements. | 6.3.2 | ! | ! | |||
49 | Restrict root login to system console. | 6.4 | |||||
|
| Warning Banners |
|
|
|
|
|
50 |
| If network or physical access services are running, ensure the university warning banner is displayed. | 6.2.14, 8.1 | ! | ! | ||
51 |
| If the system allows logins via a graphical user interface, ensure the university warning banner is displayed prior to login. | 8.3 |
| ! |
|
|
|
| Anti-Virus Considerations |
|
|
|
|
|
52 |
| Install and enable anti-virus software. |
| ||||
53 |
| Configure to update signature daily on AV. |
| ||||
|
| Additional Security Notes |
|
|
|
|
|
54 |
| Systems will provide secure storage for Category-I data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate. |
| ! | ! |
UT Note: Addendum
This list provides specific tasks related to the computing environment at The University of Texas at Austin.
1 | If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall in between the network and the host to be protected. |
11 | Install and use the yum-security plugin. yum install yum-security
yum --security check-update
yum --security update |
15 | A simple way to disable the GUI is to change the default run level. Edit the file /etc/inittab. Look for the line that contains the following: id:5:initdefault:
Replace the "5" with "3". The line will then read: id:3:initdefault: |
17 | |
18 | |
20 | Disable any xinetd services you do not absolutely require by setting "disable=yes" in /etc/xinetd.d/*. sudo service xinetd stop; sudo chkconfig xinetd off
$ sudo chkconfig off
$ lsof \| grep '*:'
$ sudo netstat \--tulp
ntsysv \--level 345
|
25 | Red Hat comes with iptables. Below is a list of some iptables resources: |
4 | If you decide to utilize SSH, the ISO highly recommends the following:
|
5 | System accounting gathers baseline system data (CPU utilization, disk I/O, etc.) every 10 minutes. The data may be accessed with the sar command (part of the sysstat package), or by reviewing the nightly report files named /var/log/sa/sar*. Once a normal baseline for the system has been established, unauthorized activity (password crackers and other CPU-intensive jobs, and activity outside of normal usage hours) may be detected due to departures from the normal system performance curve. |
6 | The psacct package contains several utilities for monitoring process activities, including ac, lastcomm, accton, and sa.
|
40 | ITS Networking operates two stratum 2 NTPv4 (NTP version 4) servers for network time synchronization services for university network administrators. |
13 | Examples: syslogRed Hat:http://www.redhat.com/docs/manuals/enterprise/RHEL-AS-2.1-Manual/cluster-manager/s1-software-syslog.html |
14 |
|
15 | Ensure the following are set in /etc/pam.d/other:
Warn will report alerts to syslog.
To require strong passwords, in compliance with section 5.18 of the Information Resources Use and Security Policy: For RHEL 6: In /etc/pam.d/system-auth, add or change the file as required to read: password required pam_cracklib.so retry=3 difok=5 minlen=8 lcredit=-1 dcredit=-1 ocredit=-1 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=10 password required pam_deny.so password required pam_warn.so
For RHEL 7: In /etc/security/pwquality.conf, add: difok = 5 minlen = 8 minclass = 1 maxrepeat = 0 maxclassrepeat = 0 lcredit = -1 ucredit = 0 dcredit = -1 ocredit = -1 gecoscheck = 1 In /etc/pam.d/system-auth, add or change the file as required to read: password required pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=10 password required pam_deny.so |
16 | Ensure that the terminal security file (for example, /etc/securetty or /etc/ttys) is configured to deny privileged (root) access. On a Red Hat box, this means that no virtual devices (such as /dev/pty*) appear in this file. |
17 | The text of the university's official warning banner can be found on the ITS Web site. You may add localized information to the banner as long as the university banner is included. |
19 | There are few viruses that infect Linux computers; therefore, it is understandable for most Linux servers to have an exception to this rule. See the Operations Manual for information on the exception process. You may choose any proven anti-virus product. One option is ClamAV. |
20 | There are few viruses that infect Linux computers; therefore, it is understandable for most Linux servers to have an exception to this rule. See the Operations Manual for information on the exception process. |
21 | There are a variety of methods available to accomplish this goal. Two good candidates are LUKS and GNUPG (free). |
22 | There is a license fee for Tripwire. The Tripwire management console can be very helpful for managing more complex installations. |
Copyright © 2001-2011 Information Technology Services. All rights reserved.