Debian: Basic Virtual Machine Hardening

The following sections provide several options for hardening a Debian Linux system.

Partitioning

The following standards ensure that these additional directories are hosted on dedicated logical partitions.

[ /tmp ]
Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It also prevents an attacker from establishing a hardlink to a system setuid program and waiting for it to be updated. Once the program is updated, the hardlink is broken and the attacker has their own copy of the old program; if that program happens to have a security vulnerability, the attacker can continue to exploit the known flaw. This can be accomplished by either mounting tmpfs on /tmp, or creating a separate partition for /tmp.

[ /var ]
Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition.

[ /var/tmp ]
Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It also prevents an attacker from establishing a hardlink to a system setuid program and waiting for it to be updated. Once the program is updated, the hardlink is broken and the attacker has their own copy of the old program; if that program happens to have a security vulnerability, the attacker can continue to exploit the known flaw.

[ /var/log ]
There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data.

[ /var/log/audit ]
There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired.

[ /home ]
If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home.

Specific Mount Options

Mount point, option: reason

/tmp, nodev: Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp.
/tmp, nosuid: Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set-user-ID files in /tmp.
/tmp, noexec: Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot execute programs from /tmp.
/var/tmp, nodev: Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp.
/var/tmp, nosuid: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set-user-ID files in /var/tmp.
/var/tmp, noexec: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot execute programs from /var/tmp.
/home, nodev: Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /home.
/dev/shm, nodev: Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm.
/dev/shm, nosuid: Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them.
/dev/shm, noexec: Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system.

These settings can be defined in /etc/fstab as follows:

/dev/mapper/system_vg-home /home ext4 nodev,nosuid,noexec 0 2
/dev/mapper/system_vg-tmp /tmp ext4 relatime,nodev,nosuid 0 2
/dev/mapper/system_vg-var /var ext4 discard 0 2
/dev/mapper/system_vg-varlog /var/log ext4 discard 0 2
/dev/mapper/system_vg-varlogaudit /var/log/audit ext4 discard 0 2
/dev/mapper/system_vg-vartmp /var/tmp ext4 nodev,nosuid,noexec 0 2
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
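To check that an fstab (or the live mounts) actually carries the options from the table above, here is an added audit script; it is not part of the original guide. It parses fstab-format text or the output of findmnt -rn -o TARGET,OPTIONS, and the constructed sample is the fstab shown above, which reveals that its /tmp line is missing noexec.

```python
"""Audit mount options against the hardening table in this guide.

Added example, not from the original page: parses fstab-format text (or
`findmnt -rn -o TARGET,OPTIONS` output for live mounts) and reports any
required option missing on a hardened mount point.
"""
import subprocess

# Required options per mount point, taken from the table in this guide.
REQUIRED_OPTIONS = {
    "/tmp": {"nodev", "nosuid", "noexec"},
    "/var/tmp": {"nodev", "nosuid", "noexec"},
    "/home": {"nodev"},
    "/dev/shm": {"nodev", "nosuid", "noexec"},
}


def parse_fstab(text):
    """Return {mount_point: set(options)} from fstab-style lines.

    Comment and blank lines are skipped; a line with fewer than four
    fields is malformed and ignored. Options are the fourth field.
    """
    mounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def parse_findmnt(text):
    """Return {mount_point: set(options)} from `findmnt -rn -o TARGET,OPTIONS`."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2:
            mounts[fields[0]] = set(fields[1].split(","))
    return mounts


def audit(mounts, required=REQUIRED_OPTIONS):
    """Return {mount_point: sorted list of missing options}.

    A hardened path that is not a mount point of its own at all is
    reported with the marker "<not a separate mount>".
    """
    findings = {}
    for target, needed in required.items():
        if target not in mounts:
            findings[target] = ["<not a separate mount>"]
            continue
        missing = sorted(needed - mounts[target])
        if missing:
            findings[target] = missing
    return findings


def audit_live_system():
    """Audit the currently mounted filesystems (Linux with util-linux)."""
    out = subprocess.run(["findmnt", "-rn", "-o", "TARGET,OPTIONS"],
                         check=True, capture_output=True, text=True).stdout
    return audit(parse_findmnt(out))


# Constructed input: the fstab shown in this guide, verbatim.
SAMPLE_FSTAB = """\
/dev/mapper/system_vg-home /home ext4 nodev,nosuid,noexec 0 2
/dev/mapper/system_vg-tmp /tmp ext4 relatime,nodev,nosuid 0 2
/dev/mapper/system_vg-var /var ext4 discard 0 2
/dev/mapper/system_vg-varlog /var/log ext4 discard 0 2
/dev/mapper/system_vg-varlogaudit /var/log/audit ext4 discard 0 2
/dev/mapper/system_vg-vartmp /var/tmp ext4 nodev,nosuid,noexec 0 2
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
"""

if __name__ == "__main__":
    # Prints "/tmp: missing noexec" for the sample above.
    for target, missing in audit(parse_fstab(SAMPLE_FSTAB)).items():
        print(f"{target}: missing {', '.join(missing)}")
```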

Disabling USB Storage

Restricting USB access on the system decreases the physical attack surface of a device and diminishes the possible vectors for introducing malware. In virtual machines (VMs), USB storage is never used except in specific circumstances.

/etc/modprobe.d/usb_storage.conf 
# Blacklist usb-storage
install usb-storage /bin/true

Disabling Modules

Obscure, unused filesystem types in particular add considerable attack surface. The following files blacklist them:

/etc/modprobe.d/firewire.conf
# Blacklist firewire drivers
blacklist firewire-core
/etc/modprobe.d/dccp.conf
# Disable Datagram Congestion Control Protocol (DCCP)
install dccp /bin/true
/etc/modprobe.d/freevxfs.conf
# Removing support for unneeded filesystem types reduces the local attack surface of the system.
# If this filesystem type is not needed, disable it.
install freevxfs /bin/true
/etc/modprobe.d/hfs.conf
# Removing support for unneeded filesystem types reduces the local attack surface of the system. 
# If this filesystem type is not needed, disable it.
install hfs /bin/true
/etc/modprobe.d/hfsplus.conf
# Removing support for unneeded filesystem types reduces the local attack surface of the system. 
# If this filesystem type is not needed, disable it.
# The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows 
# you to mount Mac OS filesystems.
install hfsplus /bin/true

/etc/modprobe.d/jffs2.conf
# Removing support for unneeded filesystem types reduces the local attack surface of the system.
# If this filesystem type is not needed, disable it.
# The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem
# used in flash memory devices.
install jffs2 /bin/true
/etc/modprobe.d/rds.conf
# Disable RDS (Reliable Datagram Sockets)
install rds /bin/true
/etc/modprobe.d/sctp.conf
# Disable SCTP (Stream Control Transmission Protocol)
install sctp /bin/true
/etc/modprobe.d/tipc.conf
# Ensure TIPC is disabled
install tipc /bin/true
/etc/modprobe.d/vfat.conf
# Removing support for unneeded filesystem types reduces the local attack surface of the system.
# If this filesystem type is not needed, disable it.
# The vfat filesystem type is the FAT filesystem used on removable media and by Windows.
# Do not disable it on UEFI systems: the EFI System Partition mounted at /boot/efi is FAT-formatted.
install vfat /bin/true

Obscure network protocols in particular add considerable remote attack surface. Add the following to a file under /etc/modprobe.d (the file name must end in .conf for modprobe to read it):

install ax25 /bin/false
install netrom /bin/false
install x25 /bin/false
install rose /bin/false
install decnet /bin/false
install econet /bin/false
install af_802154 /bin/false
install ipx /bin/false
install appletalk /bin/false
install psnap /bin/false
install p8023 /bin/false
install p8022 /bin/false
install can /bin/false
install atm /bin/false
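To verify that the modules disabled in this section really are disabled, here is an added audit script; it is not part of the original guide. It checks /etc/modprobe.d for an install override of each module and /proc/modules for modules that are already loaded, and it reports a plain blacklist line (as used for firewire-core above) separately, because blacklisting only stops alias-based autoloading while an explicit modprobe still succeeds.

```python
"""Check that the modules blacklisted in this guide are really disabled.

Added example, not from the original page. A module counts as disabled
only if a modprobe.d file overrides it with `install <module> /bin/true`
(or /bin/false) AND it is not already present in /proc/modules, since an
install override does not unload a module that was loaded earlier. Both
paths are parameters so the check can run offline on constructed files.
"""
import os
import re

# Modules this guide disables; '-' and '_' are interchangeable to modprobe.
GUIDE_MODULES = ["usb-storage", "firewire-core", "dccp", "freevxfs", "hfs",
                 "hfsplus", "jffs2", "rds", "sctp", "tipc", "vfat", "ax25",
                 "netrom", "x25", "rose", "decnet", "econet", "af_802154",
                 "ipx", "appletalk", "psnap", "p8023", "p8022", "can", "atm"]

_INSTALL_RE = re.compile(r"^\s*install\s+(\S+)\s+/bin/(true|false)\s*$")
_BLACKLIST_RE = re.compile(r"^\s*blacklist\s+(\S+)\s*$")


def canon(name):
    """modprobe treats '-' and '_' in module names as the same character."""
    return name.replace("-", "_")


def parse_modprobe_dir(path):
    """Return (install_overrides, blacklisted) as sets of canonical names.

    Only *.conf files are read, which matches modprobe's own behaviour.
    """
    overrides, blacklisted = set(), set()
    for fname in sorted(os.listdir(path)):
        if not fname.endswith(".conf"):
            continue
        with open(os.path.join(path, fname)) as fh:
            for line in fh:
                m = _INSTALL_RE.match(line)
                if m:
                    overrides.add(canon(m.group(1)))
                    continue
                m = _BLACKLIST_RE.match(line)
                if m:
                    blacklisted.add(canon(m.group(1)))
    return overrides, blacklisted


def loaded_modules(proc_modules="/proc/modules"):
    """Names of loaded modules (first field of each /proc/modules line)."""
    try:
        with open(proc_modules) as fh:
            return {canon(line.split()[0]) for line in fh if line.strip()}
    except OSError:
        return set()


def audit_modules(modules, modprobe_dir="/etc/modprobe.d",
                  proc_modules="/proc/modules"):
    """Return {module: problem} for every module that is not fully disabled."""
    overrides, blacklisted = parse_modprobe_dir(modprobe_dir)
    loaded = loaded_modules(proc_modules)
    problems = {}
    for name in modules:
        key = canon(name)
        if key in loaded:
            problems[name] = "currently loaded"
        elif key not in overrides:
            if key in blacklisted:
                problems[name] = "only blacklisted (still loadable with modprobe)"
            else:
                problems[name] = "no install override"
    return problems


if __name__ == "__main__":
    for name, why in audit_modules(GUIDE_MODULES).items():
        print(f"{name}: {why}")
```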

Ensure Core Dumps are Restricted

Disable setuid processes dumping their memory by creating /etc/sysctl.d/98-harden-coredump.conf:

# ======================================
# Coredump Hardening
# ======================================
#
# Disable setuid processes dumping their memory
# Processes with elevated permissions (or the setuid bit) might still be able to
# perform a core dump, depending on your other settings. As these processes usually
# have more access, they might contain more sensitive data segments in memory,
# so this should be changed as well. The behavior can be altered with a sysctl key,
# or directly via the /proc file system. For permanent settings, the sysctl command
# and configuration are typically used. A setting is called a 'key', which has a
# related value attached to it (also known as a key-value pair).
#
# Prevent programs with the setuid bit set from dumping core
fs.suid_dumpable = 0

Set a hard limit on core dumps in /etc/security/limits.d/coredump-limits.conf:

# ======================================
# Coredump Hardening
# ======================================
#
# Setting a hard limit on core dumps prevents users from overriding the soft limit.
# If core dumps are required, consider setting limits for user groups (see limits.conf(5)).
* hard core 0

Grub Password

Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time).

Create a password hash with grub-mkpasswd-pbkdf2:

# grub-mkpasswd-pbkdf2 
Enter password: <password> 
Reenter password: <password> 
PBKDF2 hash of your password is <encrypted-password>

Add the following to a custom configuration file under /etc/grub.d, for example /etc/grub.d/grub_password. Files in /etc/grub.d are executed by update-grub, so the file must be executable (chmod +x) and print the configuration fragment on standard output:

#!/bin/sh
cat << EOF
set superusers="<username>"
password_pbkdf2 <username> <encrypted-password>
EOF

The superuser/user information and password should not be contained in the /etc/grub.d/00_header file as this file could be overwritten in a package update.

If there is a requirement to be able to boot/reboot without entering the password, edit /etc/grub.d/10_linux and add --unrestricted to the CLASS= line:

CLASS="--class gnu-linux --class gnu --class os --unrestricted"

Run the following command to update the grub2 configuration:

# update-grub

Network/Packet Settings

The settings below disallow specific network or packet behaviour; inline comments provide extra information. Create the file /etc/sysctl.d/98_harden_network.conf (the .conf suffix is required, otherwise sysctl --system and systemd-sysctl ignore the file):

# ----------------------------------------------------------------------------- 
# Ensure suspicious packets are logged
# ----------------------------------------------------------------------------- 
# Enabling this feature and logging these packets allows an administrator to 
# investigate the possibility that an attacker is sending spoofed packets to their server. 
net.ipv4.conf.all.log_martians = 1 
net.ipv4.conf.default.log_martians = 1

# -----------------------------------------------------------------------------
# Ensure packet redirect sending is disabled
# -----------------------------------------------------------------------------
# Rationale: An attacker could use a compromised host to send invalid ICMP redirects to 
# other router devices in an attempt to corrupt routing and have users access 
# a system set up by the attacker as opposed to a valid system.
net.ipv4.conf.all.send_redirects = 0 
net.ipv4.conf.default.send_redirects = 0

# -----------------------------------------------------------------------------
# Ensure IP forwarding is disabled
# -----------------------------------------------------------------------------
# Rationale: Setting the flags to 0 ensures that a system with multiple interfaces 
# (for example, a hard proxy), will never be able to forward packets, 
# and therefore, never serve as a router.
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# -----------------------------------------------------------------------------
# Ensure source routed packets are not accepted
# -----------------------------------------------------------------------------
# Rationale: Setting these parameters  disables the system from accepting source 
# routed packets. Assume this system was capable of routing packets to Internet 
# routable addresses on one interface and private addresses on another interface. 
# Assume that the private addresses were not routable to the Internet routable 
# addresses and vice versa. Under normal routing circumstances, an attacker from 
# the Internet routable addresses could not use the system as a way to reach the 
# private address systems. If, however, source routed packets were allowed, 
# they could be used to gain access to the private address systems as the route 
# could be specified, rather than rely on routing protocols that did not allow 
# this routing.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# ----------------------------------------------------------------------------- 
# Ensure ICMP redirects are not accepted
# -----------------------------------------------------------------------------
# Attackers could use bogus ICMP redirect messages to maliciously alter the
# system routing tables and get them to send packets to incorrect networks
# and allow your system packets to be captured.
net.ipv4.conf.all.accept_redirects = 0 
net.ipv4.conf.default.accept_redirects = 0

# ----------------------------------------------------------------------------- 
# Ensure secure ICMP redirects are not accepted
# -----------------------------------------------------------------------------
# It is still possible for even known gateways to be compromised. 
# Protects the system from routing table updates by possibly compromised known gateways.
net.ipv4.conf.all.secure_redirects = 0 
net.ipv4.conf.default.secure_redirects = 0

# ----------------------------------------------------------------------------- 
# Ensure broadcast ICMP requests are ignored
# -----------------------------------------------------------------------------
# Accepting ICMP echo and timestamp requests with broadcast or multicast destinations
# for your network could be used to trick your host into starting (or participating) 
# in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of 
# ICMP broadcast messages with a spoofed source address. All hosts receiving this 
# message and responding would send echo-reply messages back to the spoofed address, 
# which is probably not routable. If many hosts respond to the packets, the amount 
# of traffic on the network could be significantly multiplied.
net.ipv4.icmp_echo_ignore_broadcasts = 1

# ----------------------------------------------------------------------------- 
# Ensure bogus ICMP responses are ignored
# -----------------------------------------------------------------------------
# Some routers (and some attackers) will send responses that violate RFC-1122
# and attempt to fill up a log file system with many useless error messages.
net.ipv4.icmp_ignore_bogus_error_responses = 1

# ----------------------------------------------------------------------------- 
# Ensure Reverse Path Filtering is enabled
# -----------------------------------------------------------------------------
# Setting these flags is a good way to deter attackers from sending your system 
# bogus packets that cannot be responded to. One instance where this feature 
# breaks down is if asymmetrical routing is employed. This would occur when 
# using dynamic routing protocols (bgp, ospf, etc) on your system. 
# If you are using asymmetrical routing on your system, you will not be able
# to enable this feature without breaking the routing.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# ----------------------------------------------------------------------------- 
# Ensure TCP SYN Cookies is enabled
# -----------------------------------------------------------------------------
# Attackers use SYN flood attacks to perform a denial of service attack on a
# system by sending many SYN packets without completing the three way handshake. 
# This will quickly use up slots in the kernel's half-open connection queue and 
# prevent legitimate connections from succeeding. SYN cookies allow the system to 
# keep accepting valid connections, even if under a denial of service attack.
net.ipv4.tcp_syncookies = 1

# ----------------------------------------------------------------------------- 
# Ensure IPv6 router advertisements are not accepted
# -----------------------------------------------------------------------------
# It is recommended that systems not accept router advertisements as they could be
# tricked into routing traffic to compromised machines. Setting hard routes within 
# the system (usually a single default route to a trusted router) protects the system
# from bad routes.
net.ipv6.conf.all.accept_ra = 0 
net.ipv6.conf.default.accept_ra = 0

# -----------------------------------------------------------------------------
# Protect against time-wait assassination by dropping RST
# -----------------------------------------------------------------------------
# This protects against time-wait assassination by dropping RST packets for
# sockets in the time-wait state.
net.ipv4.tcp_rfc1337 = 1

Auditd

The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.

# apt install auditd audispd-plugins
# systemctl enable auditd
# systemctl start auditd

To ensure that processes which start prior to auditd are audited, edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX, for example:

# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="audit=1"

Rerun the grub update:

# update-grub

It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost. It is also recommended to place /var/log/audit on a separate mount point to isolate these files. Set the following parameter (in megabytes) in /etc/audit/auditd.conf in accordance with site policy; once the log reaches the maximum size, it is rotated and a new log file is started.

max_log_file = 100

Ensure audit logs are not automatically deleted. In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing it. Set the following parameter in /etc/audit/auditd.conf:

max_log_file_action = keep_logs

Ensure the audit configuration is immutable. In immutable mode, unauthorized users cannot change the audit system to hide malicious activity and then restore the audit rules. Users would most likely notice a system reboot, which could alert administrators to an attempt to make unauthorized audit changes. Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line -e 2. Note: with this setting, changing the active audit rules requires a system reboot.

## Make the configuration immutable - reboot is required to change audit rules
-e 2

Journald

The following tunes journald; inline comments describe the options. Edit /etc/systemd/journald.conf (the keys must appear under the [Journal] section or systemd ignores them):

[Journal]
# -----------------------------------------------------------------------------
# Ensure journald is configured to send logs to rsyslog
# -----------------------------------------------------------------------------
ForwardToSyslog=yes

# ----------------------------------------------------------------------------- 
# Ensure journald is configured to compress large log files
# -----------------------------------------------------------------------------
Compress=yes

# ----------------------------------------------------------------------------- 
# Ensure journald is configured to write logfiles to persistent disk
# -----------------------------------------------------------------------------
Storage=persistent

Extra Kernel Hardening

The settings below disallow specific kernel behaviour; inline comments provide extra information. Create the file /etc/sysctl.d/98_harden_kernel.conf (the .conf suffix is required, otherwise sysctl --system and systemd-sysctl ignore the file):

# ======================================
# Kernel Hardening
# ======================================
#
#
# The %pK format specifier is designed to hide exposed kernel pointers,
# specifically via /proc interfaces.  Exposing these pointers provides an
# easy target for kernel write vulnerabilities, since they reveal the
# locations of writable structures containing easily triggerable function
# pointers.  The behavior of %pK depends on the kptr_restrict sysctl.
#
# If kptr_restrict is set to 0, no deviation from the standard %p behavior
# occurs.  If kptr_restrict is set to 1, if the current user (intended to
# be a reader via seq_printf(), etc.) does not have CAP_SYSLOG (which is
# currently in the LSM tree), kernel pointers using %pK are printed as
# 0's.  If kptr_restrict is set to 2, kernel pointers using %pK are
# printed as 0's regardless of privileges.  Replacing with 0's was chosen
# over the default "(null)", which cannot be parsed by userland %p, which
# expects "(nil)".
kernel.kptr_restrict = 2
#
#
#
# Ptrace is a great troubleshooting tool for developers to determine how a process functions.
# It can be used to find programming flaws, like memory leakage. On the other hand, the tool
# can also be used by people with malicious intent, for example to debug a process as a
# non-privileged user and find the contents of application memory.
#
# kernel.yama.ptrace_scope = 0: all processes can be debugged, as long as they have the same uid. This is the classical way ptracing worked.
# kernel.yama.ptrace_scope = 1: only a parent process can be debugged.
# kernel.yama.ptrace_scope = 2: only admin can use ptrace, as it requires the CAP_SYS_PTRACE capability.
# kernel.yama.ptrace_scope = 3: no processes may be traced with ptrace. Once set, a reboot is needed to enable ptracing.
kernel.yama.ptrace_scope = 2
#
#
# Randomly placing virtual memory regions will make it difficult to write memory page exploits
# as the memory placement will be consistently shifting.
kernel.randomize_va_space = 2
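An added audit script for the two sysctl files in this and the Network/Packet Settings section; it is not part of the original guide. It parses a sysctl.d file, flags malformed values, and compares each key with the running kernel's value read from /proc/sys. The reader function is injectable, so the constructed sample (which deliberately contains a "1." typo) runs without root or a Linux host.

```python
"""Audit live sysctl values against a hardening file like the ones above.

Added example, not from the original page: parses a sysctl.d-style file,
validates each value, and compares it with the running kernel's value
read from /proc/sys. The reader is injectable so the audit can run
against captured values offline.
"""
import os
import re

# key = value, with optional surrounding whitespace.
_LINE_RE = re.compile(r"^\s*([A-Za-z0-9_./-]+)\s*=\s*(.*?)\s*$")


def parse_sysctl_conf(text):
    """Return (settings, errors).

    settings maps each key to its expected value string. errors lists
    lines that are not well-formed integer assignments, for example
    "1." instead of "1" (every key in this guide takes an integer).
    """
    settings, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = _LINE_RE.match(line)
        if not match:
            errors.append(f"line {lineno}: not a key = value assignment: {raw!r}")
            continue
        key, value = match.groups()
        if not re.fullmatch(r"-?\d+", value):
            errors.append(f"line {lineno}: non-integer value for {key}: {value!r}")
            continue
        settings[key] = value
    return settings, errors


def read_proc_sys(key):
    """Read the current value of a sysctl key via /proc/sys (dots become slashes)."""
    path = os.path.join("/proc/sys", key.replace(".", "/"))
    with open(path) as fh:
        return fh.read().strip()


def audit_sysctl(settings, read=read_proc_sys):
    """Return {key: (expected, actual)} for keys whose live value differs.

    A key that does not exist on the running kernel (module not loaded,
    feature compiled out) is reported with actual = None.
    """
    drift = {}
    for key, expected in settings.items():
        try:
            actual = read(key)
        except OSError:
            actual = None
        if actual != expected:
            drift[key] = (expected, actual)
    return drift


# Constructed excerpt of the files above, with one deliberate typo ("1.")
# to show how a malformed line is reported.
SAMPLE_CONF = """\
# Ensure Reverse Path Filtering is enabled
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1.
net.ipv4.tcp_syncookies = 1
kernel.kptr_restrict = 2
kernel.yama.ptrace_scope = 2
"""

# Constructed "live" values standing in for /proc/sys on an unhardened host.
SAMPLE_LIVE = {
    "net.ipv4.conf.all.rp_filter": "2",
    "net.ipv4.tcp_syncookies": "1",
    "kernel.kptr_restrict": "1",
}


def sample_reader(key):
    """Stand-in for read_proc_sys; a missing key behaves like a missing /proc file."""
    if key not in SAMPLE_LIVE:
        raise FileNotFoundError(key)  # e.g. Yama not built into the kernel
    return SAMPLE_LIVE[key]


if __name__ == "__main__":
    settings, errors = parse_sysctl_conf(SAMPLE_CONF)
    for err in errors:
        print("config error:", err)
    for key, (want, have) in audit_sysctl(settings, sample_reader).items():
        print(f"{key}: expected {want}, running kernel has {have}")
```

Replace sample_reader with the default read_proc_sys to audit the real host.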

SSH

Follow basic guidelines and make sure the following properties are defined in /etc/ssh/sshd_config:

SSH option: reason

Protocol 2: SSH v1 suffers from insecurities that do not affect SSH v2. Notes: this directive no longer exists in newer versions of OpenSSH. The check is still included for systems that may be running an older version. As of OpenSSH 7.4 this parameter will not cause an issue when included.

LogLevel VERBOSE (or LogLevel INFO): SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications, since it provides so much data that it is difficult to identify important security information.

X11Forwarding no: Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders.

MaxAuthTries 4: Setting MaxAuthTries to a low number minimizes the risk of successful brute force attacks against the SSH server. While the recommended setting is 4, set the number based on site policy.

IgnoreRhosts yes: Setting this parameter forces users to enter a password when authenticating with ssh.

HostbasedAuthentication no: Even though .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection.

PermitRootLogin no: Disallowing root logins over SSH requires server admins to authenticate using their own individual account and then escalate to root via sudo or su. This supports non-repudiation and provides a clear audit trail in the event of a security incident.

PermitEmptyPasswords no: Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system.

PermitUserEnvironment no: Permitting users to set environment variables through the SSH daemon could allow them to bypass security controls (e.g. setting an execution path that has ssh executing trojaned programs).

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr: Weak ciphers used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. The DES, Triple DES, and Blowfish ciphers, as used in SSH, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session (the "Sweet32" attack). The RC4 algorithm, as used in the TLS and SSL protocols, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values (the "Bar Mitzvah" issue). The passwords used during an SSH session encrypted with RC4 can be recovered by an attacker who is able to capture and replay the session. Error handling in the SSH protocol, client and server, when using a block cipher in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors. The mm_newkeys_from_blob function in monitor_wrap.c, when an AES-GCM cipher is used, does not properly initialize memory for a MAC context data structure, which allows remote authenticated users to bypass intended ForceCommand and login-shell restrictions via packet data that provides a crafted callback address.

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256: MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to receive a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MITM position to decrypt the SSH tunnel and capture credentials and information.

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256: Key exchange methods that are considered weak should be removed. A key exchange method may be weak because too few bits are used or because the hashing algorithm is considered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks.

ClientAliveInterval 300 and ClientAliveCountMax 0: Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. a user walks away from their computer and does not lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0; in this case the client session is terminated after 5 minutes of idle time and no keepalive messages are sent. Note that OpenSSH 8.2 and later treat ClientAliveCountMax 0 as disabling connection termination entirely, so check sshd_config(5) for the installed version before relying on a value of 0.

LoginGraceTime 60: Setting LoginGraceTime to a low number minimizes the risk of successful brute force attacks against the SSH server. It also limits the number of concurrent unauthenticated connections. While the recommended setting is 60 seconds (1 minute), set the number based on site policy.

AllowTcpForwarding no: Leaving port forwarding enabled can expose the organization to security risks and back doors. SSH connections are protected with strong encryption, which makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide unauthorized communications, or to exfiltrate stolen data from the target network.

MaxStartups 10:30:60: To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon.

MaxSessions 10: To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon.

Password Quality

Strong passwords protect systems from being hacked through brute force methods.

# apt install libpam-pwquality

Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy:

password requisite pam_pwquality.so retry=3

Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy:

# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
minlen = 14 

# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
dcredit = -1 

# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
ucredit = -1 

# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
ocredit = -1 

# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
lcredit = -1

Notes: Additional module options may be set; the recommendation only requires try_first_pass and minlen set to 14 or more. Settings in /etc/security/pwquality.conf must use spaces around the = symbol.

Password Failure Lockout

Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Edit the /etc/security/faillock.conf file and uncomment the following lines (pam_faillock.so must also be enabled in the PAM stack, for example in /etc/pam.d/common-auth, for these settings to take effect):

# Deny access if the number of consecutive authentication failures
# for this user during the recent interval exceeds n tries.
# The default is 3.
deny = 3

# The length of the interval during which the consecutive
# authentication failures must happen for the user account
# lock out is n seconds.
# The default is 900 (15 minutes).
fail_interval = 900

# The access will be re-enabled after n seconds after the lock out.
# The value 0 has the same meaning as value `never` - the access
# will not be re-enabled without resetting the faillock
# entries by the `faillock` command.
# The default is 600 (10 minutes).
unlock_time = 600

# Root account can become locked as well as regular accounts.
# Enabled if option is present.
even_deny_root

# This option implies the `even_deny_root` option.
# Allow access after n seconds to root account after the
# account is locked. In case the option is not specified
# the value is the same as of the `unlock_time` option.
root_unlock_time = 900


Password History

Forcing users not to reuse their past 5 passwords makes it less likely that an attacker will be able to guess the password. Note that these changes only apply to accounts configured on the local system.

Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown:

password required pam_pwhistory.so remember=5

Password Settings: Expiration

The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker’s window of opportunity.

Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs:

PASS_MAX_DAYS 90

Modify user parameters for all users with a password set to match:

# chage --maxdays 90 <user>

Notes: You can also check this setting in /etc/shadow directly. The 5th field should be 365 or less for all users with a password. A value of -1 will disable password expiration. Additionally the password expiration must be greater than the minimum days between password changes or users will be unable to change their password.

Password Settings: Minimum Days

By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls.

Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs:

PASS_MIN_DAYS 7

Modify user parameters for all users with a password set to match:

# chage --mindays 7 <user>

Notes: You can also check this setting in /etc/shadow directly. The 4th field should be 7 or more for all users with a password.

Password Settings: Warning

Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered.

Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs:

PASS_WARN_AGE 7

Modify user parameters for all users with a password set to match:

# chage --warndays 7 <user>

Notes: You can also check this setting in /etc/shadow directly. The 6th field should be 7 or more for all users with a password.

Password Settings: Inactive Lock

Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.

Run the following command to set the default password inactivity period to 30 days:

# useradd -D -f 30

Modify user parameters for all users with a password set to match:

# chage --inactive 30 <user>

Notes: You can also check this setting in /etc/shadow directly. The 7th field should be 30 or less for all users with a password. A value of -1 would disable this setting.
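The notes in the password-aging sections above describe checking /etc/shadow fields by hand; here is an added audit script that does the same check, not part of the original guide. It reads the 4th to 7th colon-separated fields (min days, max days, warn days, inactive days) of every account that has a password set, using the thresholds configured above (PASS_MIN_DAYS 7, PASS_MAX_DAYS 90, PASS_WARN_AGE 7, inactivity 30), and runs on constructed sample lines with placeholder hashes.

```python
"""Audit password-aging fields in /etc/shadow against the policy above.

Added example, not from the original page. Field order in shadow(5):
user:hash:lastchg:min:max:warn:inactive:expire:reserved. Accounts whose
hash is empty, '!' or '*' cannot log in with a password and are skipped.
Point audit_shadow() at the contents of /etc/shadow (needs root) to
check a real host.
"""

# Thresholds from this guide: PASS_MIN_DAYS 7, PASS_MAX_DAYS 90,
# PASS_WARN_AGE 7, inactivity lock 30.
POLICY = {"min_days": 7, "max_days": 90, "warn_days": 7, "inactive_days": 30}


def has_password(hash_field):
    """True if the account can log in with a password (not locked/disabled)."""
    return bool(hash_field) and not hash_field.startswith(("!", "*"))


def _field(value):
    """An empty shadow field means 'not set' (chage displays it as -1)."""
    return None if value == "" else int(value)


def check_entry(line, policy=POLICY):
    """Return (user, [violations]) for one shadow line; [] when compliant."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 8:
        raise ValueError(f"malformed shadow entry: {line!r}")
    user, pw = parts[0], parts[1]
    if not has_password(pw):
        return user, []  # locked or passwordless accounts are out of scope
    min_d, max_d, warn_d, inact_d = (_field(p) for p in parts[3:7])
    problems = []
    # 4th field: minimum days between changes must be at least PASS_MIN_DAYS.
    if min_d is None or min_d < policy["min_days"]:
        problems.append(f"min_days={min_d} < {policy['min_days']}")
    # 5th field: empty, -1 or 99999 means expiry is effectively disabled.
    if max_d is None or max_d < 1 or max_d > policy["max_days"]:
        problems.append(f"max_days={max_d} not in 1..{policy['max_days']}")
    # Expiry must exceed the minimum age or the user can never change the password.
    elif min_d is not None and min_d >= max_d:
        problems.append(f"min_days={min_d} >= max_days={max_d}")
    # 6th field: warning period must be at least PASS_WARN_AGE.
    if warn_d is None or warn_d < policy["warn_days"]:
        problems.append(f"warn_days={warn_d} < {policy['warn_days']}")
    # 7th field: inactivity lock must be set (-1/empty disables it) and within policy.
    if inact_d is None or inact_d < 0 or inact_d > policy["inactive_days"]:
        problems.append(f"inactive_days={inact_d} not in 0..{policy['inactive_days']}")
    return user, problems


def audit_shadow(text, policy=POLICY):
    """Return {user: [violations]} for non-compliant accounts in shadow-format text."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, problems = check_entry(line, policy)
        if problems:
            findings[user] = problems
    return findings


# Constructed sample with placeholder hashes (not real credentials).
SAMPLE_SHADOW = """\
root:*:19700:0:99999:7:::
alice:$y$j9T$PLACEHOLDER:19700:7:90:7:30::
bob:$y$j9T$PLACEHOLDER:19700:0:99999:7:::
carol:!$y$j9T$PLACEHOLDER:19700:0:99999:7:::
dave:$y$j9T$PLACEHOLDER:19700:90:90:7:-1::
"""

if __name__ == "__main__":
    # Reports bob (never expires, no inactivity lock) and dave (min >= max, -1).
    for user, problems in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user}: {'; '.join(problems)}")
```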

Default UMASK

Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system.

Edit the /etc/bash.bashrc, /etc/profile and /etc/profile.d/*.sh files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows:

umask 027