# Sean "Forty-Bot" Anderson's 0x539 Linux Checklist v1.0

## Notes

**If a command errors or fails, try it again with `sudo` (or `sudo !!` to save typing).**

**Google anything and everything. If you don't know or understand something, google it.**

When you see the syntax `$word`, do not type it verbatim, but instead substitute the appropriate word (usually referenced in a previous command).

When the order of steps does not matter, bullet points have been used instead of ordinals.

To edit files, run `gedit`, a graphical editor akin to Notepad; `nano`, a simple command-line editor; or `vim`, a powerful but less intuitive command-line editor. Note that vim may need to be installed with `apt-get install vim`.

## Checklist

1. Read the readme.

    Note down which ports/users are allowed.

1. **Do Forensics Questions.**

    You may destroy the requisite information if you work on the checklist!

1. Secure root.

    Set `PermitRootLogin no` in `/etc/ssh/sshd_config`.

1. Secure Users.
    1. Disable the guest user.

        Open `/etc/lightdm/lightdm.conf` and add the line

        `allow-guest=false`

        Then restart your session with `sudo restart lightdm`. This will log you out, so make sure you are not executing anything important.

    1. Open `/etc/passwd` and check which users
        * are uid 0,
        * can log in, and
        * are allowed in the readme.
    1. Delete unauthorized users:

        `sudo userdel -r $user`

        `sudo groupdel $user`
    1. Check `/etc/sudoers.d` and make sure only members of group `sudo` can sudo.
    1. Check `/etc/group` and remove non-admins from the `sudo` and `admin` groups.
    1. Check user directories.
        1. `cd /home`
        1. `sudo ls -Ra *`
        1. Look in any directories which show up for media files/tools and/or "hacking tools."
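The `/etc/passwd` checks in the "Secure Users" step, as an added example that is not part of the original checklist: a POSIX shell script that reads a passwd file and reports non-root accounts with uid 0, accounts whose shell allows an interactive login, and login-capable human accounts that the readme does not list. The passwd contents, the planted `backup2` and `mallory` accounts, the allowed names `alice` and `bob`, and the function names are all constructed for the demo; on a real image pass `/etc/passwd` and the readme's user list instead.

```shell
#!/bin/sh
# Added example (not from the original checklist): audit a passwd(5) file the way the
# "Secure Users" step describes. The sample passwd data and allow list are constructed.

# Shells that do not give an interactive login. Extend the list for your image.
NOLOGIN_SHELLS='/usr/sbin/nologin /sbin/nologin /bin/false /bin/sync'

# can_login SHELL -> succeeds when SHELL allows an interactive login
can_login() {
    case " $NOLOGIN_SHELLS " in
        *" $1 "*) return 1 ;;
    esac
    return 0
}

# uid0_accounts PASSWD_FILE -> every account other than root with uid 0
# (a second uid 0 account is a classic planted backdoor)
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# login_accounts PASSWD_FILE -> every account whose shell allows an interactive login
login_accounts() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        if can_login "$shell"; then
            printf '%s\n' "$name"
        fi
    done < "$1"
}

# unauthorized_accounts PASSWD_FILE ALLOWED_USER... -> login-capable human accounts
# (uid >= 1000, so system accounts are skipped) that the readme does not list
unauthorized_accounts() {
    passwd=$1
    shift
    allowed=" $* "
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ "$uid" -ge 1000 ] 2>/dev/null || continue
        can_login "$shell" || continue
        case "$allowed" in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done < "$passwd"
}

# --- constructed sample: a passwd file with two planted problems ---------------------
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup2:x:0:0::/home/backup2:/bin/sh
mallory:x:1002:1002::/home/mallory:/bin/bash
ftpsvc:x:1003:1003::/srv/ftp:/usr/sbin/nologin
EOF

echo "non-root uid 0 accounts:"; uid0_accounts "$SAMPLE_PASSWD"
echo "accounts that can log in:"; login_accounts "$SAMPLE_PASSWD"
echo "login-capable accounts not in the readme (alice, bob):"
unauthorized_accounts "$SAMPLE_PASSWD" alice bob
```

The uid 0 check is separate from the allow-list check on purpose: a planted root-equivalent account usually has a low uid and would slip past a filter that only looks at human accounts.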
1. Enforce Password Requirements.
    1. Add or change password expiration requirements in `/etc/login.defs`.

        ```
        PASS_MIN_DAYS 7
        PASS_MAX_DAYS 90
        PASS_WARN_AGE 14
        ```
    1. Add a minimum password length, password history, and complexity requirements.
        1. Open `/etc/pam.d/common-password` with sudo.
        1. Add `minlen=8` to the end of the line that has `pam_unix.so` in it.
        1. Add `remember=5` to the end of the line that has `pam_unix.so` in it.
        1. Locate the line that has `pam_cracklib.so` in it. If you cannot find that line, install cracklib with `sudo apt-get install libpam-cracklib`.
        1. Add `ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1` to the end of that line.
    1. Implement an account lockout policy.
        1. Open `/etc/pam.d/common-auth`.
        1. Add `deny=5 unlock_time=1800` to the end of the line with `pam_tally2.so` in it.
    1. Change all passwords to satisfy these requirements.

        `chpasswd` is very useful for this purpose.

1. Enable automatic updates

    In the GUI set Update Manager->Settings->Updates->Check for updates:->Daily.

1. Secure ports
    1. `sudo ss -ln`
    1. If a port has `127.0.0.1:$port` in its line, that means it's bound to loopback and isn't exposed. Otherwise, only ports specified in the readme should be open (but there will probably be many more).
    1. For each open port which should be closed:
        1. `sudo lsof -i :$port`
        1. Copy the program which is listening on the port, then locate it:

            `whereis $program`
        1. Copy where the program is (if there is more than one location, just copy the first one), then find its package:

            `dpkg -S $location`
        1. This shows which package provides the file (if there is no package, you can probably delete it with `rm $location; killall -9 $program`). Remove the package:

            `sudo apt-get purge $package`
        1. Check to make sure you aren't accidentally removing critical packages before hitting "y".
        1. `sudo ss -l` to make sure the port actually closed.
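An audit for the "Enforce Password Requirements" step, as an added example that is not part of the original checklist: it reads the `PASS_*` values from a login.defs file and checks the `pam_unix.so` and `pam_cracklib.so` lines of a common-password file for the `minlen`, `remember` and credit options the step adds. The two pairs of sample files are constructed (one pair with stock values, one pair as the checklist leaves them), and the function names are mine; on a real image point the functions at `/etc/login.defs` and `/etc/pam.d/common-password`.

```shell
#!/bin/sh
# Added example (not from the original checklist): audit the password policy set up by
# the "Enforce Password Requirements" step. All sample files below are constructed.

# logindefs_value FILE KEY -> last uncommented value of KEY in a login.defs file (empty if unset)
logindefs_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# check_login_defs FILE -> one line per expiry setting that misses the checklist's values;
# no output means the file is compliant
check_login_defs() {
    min=$(logindefs_value "$1" PASS_MIN_DAYS)
    max=$(logindefs_value "$1" PASS_MAX_DAYS)
    warn=$(logindefs_value "$1" PASS_WARN_AGE)
    [ -n "$min" ] && [ "$min" -ge 7 ] || echo "PASS_MIN_DAYS must be >= 7 (is ${min:-unset})"
    [ -n "$max" ] && [ "$max" -le 90 ] || echo "PASS_MAX_DAYS must be <= 90 (is ${max:-unset})"
    [ -n "$warn" ] && [ "$warn" -ge 14 ] || echo "PASS_WARN_AGE must be >= 14 (is ${warn:-unset})"
}

# pam_line FILE MODULE_REGEX -> first uncommented line of FILE loading that module (empty if none)
pam_line() {
    grep -v '^[[:space:]]*#' "$1" | grep "$2" | head -n 1
}

# check_common_password FILE -> one line per option missing from the pam_unix / pam_cracklib lines
check_common_password() {
    unix_line=$(pam_line "$1" 'pam_unix\.so')
    crack_line=$(pam_line "$1" 'pam_cracklib\.so')
    for opt in minlen= remember=; do
        case "$unix_line" in
            *" $opt"*) ;;
            *) echo "pam_unix.so line lacks $opt" ;;
        esac
    done
    if [ -z "$crack_line" ]; then
        echo "pam_cracklib.so is not configured (sudo apt-get install libpam-cracklib)"
        return 0
    fi
    for opt in ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1; do
        case "$crack_line" in
            *" $opt"*) ;;
            *) echo "pam_cracklib.so line lacks $opt" ;;
        esac
    done
}

# --- constructed samples: stock files next to the files the checklist produces -------
DIR=$(mktemp -d)
trap 'rm -rf "$DIR"' EXIT
printf 'PASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\nPASS_WARN_AGE 7\n' > "$DIR/login.defs.stock"
printf 'PASS_MIN_DAYS 7\nPASS_MAX_DAYS 90\nPASS_WARN_AGE 14\n' > "$DIR/login.defs.fixed"
cat > "$DIR/common-password.stock" <<'EOF'
# here are the per-package modules (the "Primary" block)
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so
EOF
cat > "$DIR/common-password.fixed" <<'EOF'
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 minlen=8 remember=5
password requisite pam_deny.so
password required pam_permit.so
EOF

for variant in stock fixed; do
    echo "== $variant =="
    check_login_defs "$DIR/login.defs.$variant"
    check_common_password "$DIR/common-password.$variant"
done
```

The checks only look at the first uncommented line that loads each module, which is where the options have to go for PAM to see them; an option appended to a commented-out copy of the line scores nothing.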
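The "Secure ports" triage, as an added example that is not part of the original checklist: a POSIX shell script that reads saved `ss -ln` output, drops sockets bound to loopback, and lists what is exposed but not allowed by the readme. The captured `ss` output, the allowed port `22`, and the function names are constructed for the demo; `package_for_port` collapses the checklist's `lsof` / `whereis` / `dpkg -S` chain into one call and only works on a live system as root, so the demo does not run it.

```shell
#!/bin/sh
# Added example (not from the original checklist): triage `sudo ss -ln` output the way the
# "Secure ports" step does. The ss capture below is constructed; on a live system save
# `sudo ss -lntu > /tmp/ss.txt` and pass that file.

# exposed_listeners SSFILE -> "proto port local-address" for each socket not bound to loopback
exposed_listeners() {
    awk 'NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
        n = split($5, a, ":")
        port = a[n]
        host = substr($5, 1, length($5) - length(port) - 1)
        if (host ~ /^127\./ || host == "[::1]" || host == "::1") next
        print $1, port, $5
    }' "$1"
}

# unexpected_listeners SSFILE PORT... -> exposed listeners whose port the readme does not allow
unexpected_listeners() {
    f=$1
    shift
    allowed=" $* "
    exposed_listeners "$f" | while read -r proto port addr; do
        case "$allowed" in
            *" $port "*) ;;
            *) echo "$proto $port $addr" ;;
        esac
    done
}

# package_for_port PORT -> the dpkg package owning the process on PORT (live system, needs root)
package_for_port() {
    pid=$(lsof -t -i :"$1" | head -n 1)
    [ -n "$pid" ] || { echo "nothing listening on port $1"; return 1; }
    exe=$(readlink "/proc/$pid/exe")
    dpkg -S "$exe" 2>/dev/null || echo "$exe is not owned by any package (pid $pid)"
}

# --- constructed sample: ss -lntu style output with a planted MySQL listener -----------
SAMPLE_SS=$(mktemp)
trap 'rm -f "$SAMPLE_SS"' EXIT
cat > "$SAMPLE_SS" <<'EOF'
Netid State   Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN  0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN  0      128    127.0.0.1:631      0.0.0.0:*
tcp   LISTEN  0      50     *:3306             *:*
udp   UNCONN  0      0      0.0.0.0:68         0.0.0.0:*
tcp   LISTEN  0      128    [::]:22            [::]:*
tcp   LISTEN  0      128    [::1]:631          [::]:*
EOF

echo "exposed listeners:"; exposed_listeners "$SAMPLE_SS"
echo "exposed but not allowed by the readme (which allows 22):"
unexpected_listeners "$SAMPLE_SS" 22
```

On a live system, `package_for_port 3306` then tells you which package to `apt-get purge`; a binary that `dpkg -S` cannot attribute is the "no package" case the checklist describes.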
1. Secure network
    1. Enable the firewall.

        `sudo ufw enable`
    1. Enable SYN cookie protection.

        `sudo sysctl -w net.ipv4.tcp_syncookies=1`

        Verify with `sysctl -n net.ipv4.tcp_syncookies`, which should print `1`.
    1. Disable IPv6 (potentially harmful).

        `echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf`
    1. Disable IP forwarding.

        `echo 0 | sudo tee /proc/sys/net/ipv4/ip_forward`
    1. Prevent IP spoofing.

        `echo "nospoof on" | sudo tee -a /etc/host.conf`

1. Install Updates

    Start this before half-way.

    * Do general updates.
        1. `sudo apt-get update`
        1. `sudo apt-get upgrade`

    * Update services specified in the readme.
        1. Google to find what the latest stable version is.
        1. Google "ubuntu install $service $version".
        1. Follow the instructions.

    * Ensure that you have points for upgrading the kernel, each service specified in the readme, and bash if it is [vulnerable to Shellshock](https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29).

1. Configure services
    1. Check service configuration files for required services. Usually a wrong setting in a config file for SQL, Apache, etc. will be a point.
    1. Ensure all services are legitimate.

        `service --status-all`

1. Check the installed packages for "hacking tools," such as password crackers.

1. Run other (more comprehensive) checklists. This checklist is designed to get most of the common points, but it may not catch everything.

## Tips

* Netcat is installed by default in Ubuntu. You will most likely not get points for removing this version.
* Some services (such as `ssh`) may be required even if they are not mentioned in the readme. Others may be points even if they are explicitly mentioned in the readme.
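The kernel settings from the "Secure network" step, as an added example that is not part of the original checklist: a POSIX shell script that compares a `sysctl -a` snapshot against the values the step wants and emits a `sysctl.d` drop-in for the ones that drift, so the fix survives a reboot (writing to `/proc/sys` with `echo` does not). The snapshot is constructed; the `WANTED` list, the function names and the drop-in name `60-checklist.conf` are my choices.

```shell
#!/bin/sh
# Added example (not from the original checklist): check the "Secure network" sysctl
# values and print a persistent drop-in for the ones that are off. The snapshot below
# is constructed; on a live system use `sysctl -a 2>/dev/null > /tmp/sysctl.snap`.

# key=value pairs the checklist asks for (the IPv6 line is the one the checklist itself
# marks as potentially harmful; drop it if the image needs IPv6)
WANTED='net.ipv4.tcp_syncookies=1
net.ipv4.ip_forward=0
net.ipv6.conf.all.disable_ipv6=1'

# sysctl_drift SNAPSHOT -> "key current wanted" for every setting not at the wanted value
sysctl_drift() {
    printf '%s\n' "$WANTED" | while IFS='=' read -r key want; do
        # sysctl -a prints "key = value", so the value is the third field
        cur=$(awk -v k="$key" '$1 == k { print $3 }' "$1")
        [ "$cur" = "$want" ] || echo "$key ${cur:-unset} $want"
    done
}

# sysctl_dropin SNAPSHOT -> contents for /etc/sysctl.d/60-checklist.conf that fix the drift
sysctl_dropin() {
    sysctl_drift "$1" | awk '{ print $1 " = " $3 }'
}

# --- constructed snapshot: forwarding left on, IPv6 still enabled ---------------------
SNAPSHOT=$(mktemp)
trap 'rm -f "$SNAPSHOT"' EXIT
cat > "$SNAPSHOT" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.disable_ipv6 = 0
EOF

echo "drift (key current wanted):"; sysctl_drift "$SNAPSHOT"
echo "drop-in to apply:"; sysctl_dropin "$SNAPSHOT"
```

On a live system, `sysctl_dropin /tmp/sysctl.snap | sudo tee /etc/sysctl.d/60-checklist.conf && sudo sysctl --system` applies the values now and on every boot, and a second run of `sysctl_drift` on a fresh snapshot should print nothing.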
## Acknowledgements

* Michael "MB" Bailey and Christopher "CJ" Gardner, without whose checklists this would never have been possible.
* Alexander Dittman and Alistair Norton for being fellow Linux buddies.
* My 2015-16 CP team: Quiana Dang, Sieun Lee, Jasper Woolley, and David Randazzo.
* In no particular order: Marcus Phoon, Joshua Hufnagel, Patrick Hufnagel, Michael-Andrew Keays, Christopher May, Garrett Brothers, Joseph Kelley, and Julian Vallyeason.
* And the CyberPatriot program.

[![Creative Commons License][image-1]][1]
This checklist is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License][1].

[1]: http://creativecommons.org/licenses/by-sa/4.0/

[image-1]: https://i.creativecommons.org/l/by-sa/4.0/88x31.png