├── .github ├── CODE_OF_CONDUCT.md └── CONTRIBUTING.md ├── LICENSE.md ├── README.md ├── lib └── .gitkeep └── static └── img ├── high.png ├── linux-hardening-checklist_preview.png ├── low.png ├── medium.png └── openscap_logo.png /.github/CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation. 6 | 7 | ## Our Standards 8 | 9 | Examples of behavior that contributes to creating a positive environment include: 10 | 11 | * Using welcoming and inclusive language 12 | * Being respectful of differing viewpoints and experiences 13 | * Gracefully accepting constructive criticism 14 | * Focusing on what is best for the community 15 | * Showing empathy towards other community members 16 | 17 | Examples of unacceptable behavior by participants include: 18 | 19 | * The use of sexualized language or imagery and unwelcome sexual attention or advances 20 | * Trolling, insulting/derogatory comments, and personal or political attacks 21 | * Public or private harassment 22 | * Publishing others' private information, such as a physical or electronic address, without explicit permission 23 | * Other conduct which could reasonably be considered inappropriate in a professional setting 24 | 25 | ## Our Responsibilities 26 | 27 | Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior. 28 | 29 | Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. 30 | 31 | ## Scope 32 | 33 | This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. 34 | 35 | ## Enforcement 36 | 37 | Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at trimstray@gmail.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. 38 | 39 | Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. 40 | 41 | ## Attribution 42 | 43 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version] 44 | 45 | [homepage]: http://contributor-covenant.org 46 | [version]: http://contributor-covenant.org/version/1/4/ 47 | -------------------------------------------------------------------------------- /.github/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | > _A real community, however, exists only when its members interact in a meaningful way that deepens their understanding of each other and leads to learning._ 4 | 5 | If you would like to support this project, have an interesting idea how to improve the operation of this tool, or if you found some errors - fork this, add your fixes, and add a pull request of your branch to the **master branch**. 6 | 7 | ## Using the issue tracker 8 | 9 | The [issue tracker](https://github.com/trimstray/linux-hardening-checklist/issues) is 10 | the preferred channel for bug reports, features requests and submitting pull requests, but please respect the following restrictions: 11 | 12 | * Please **do not** use the issue tracker for personal support requests (use 13 | [Stack Overflow](https://stackoverflow.com) or IRC) 14 | 15 | * Please **do not** derail or troll issues. Keep the discussion on topic and 16 | respect the opinions of others 17 | 18 | ## Signature of commit 19 | 20 | Moving forward all commits to this project must include a "signed-off-by" line indicating the name and email address of the contributor signing off on the change. To enable signatures add the following lines to `.git/hooks/prepare-commit-msg` : 21 | 22 | ``` 23 | SOB=$(git var GIT_AUTHOR_IDENT | sed -n 's/^\(.*>\).*$/- signed-off-by: \1/p') 24 | grep -qs "^$SOB" "$1" || echo "$SOB" >> "$1" 25 | ``` 26 | 27 | ## Pull requests 28 | 29 | When creating a pull request, please heed the following: 30 | 31 | - Base your code on the latest master branch to avoid manual merges 32 | - Code review may ensue in order to help shape your proposal 33 | - Explain the problem and your proposed solution 34 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 trimstray 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

2 | 3 | Master 4 | 5 |

6 | 7 |
8 | 9 |

10 | 11 | Pull Requests 12 | 13 | 14 | MIT License 15 | 16 |

17 | 18 |
19 | 20 | **** 21 | 22 | # Table of Contents 23 | 24 | - **[Introduction](#introduction)** 25 | * [Status](#status) 26 | * [Todo](#todo) 27 | * [Prologue](#prologue) 28 | * [Levels of priority](#levels-of-priority) 29 | * [OpenSCAP](#openscap) 30 | - **[Partitioning](#partitioning)** 31 | * [Separate partitions](#separate-partitions) 32 | * [Restrict mount options](#restrict-mount-options) 33 | * [Polyinstantiated directories](#polyinstantiated-directories) 34 | * [Shared memory](#shared-memory) 35 | * [Encrypt partitions](#encrypt-partitions) 36 | * [Summary checklist](#ballot_box_with_check-summary-checklist) 37 | - **[Physical Access](#physical-access)** 38 | * [Password for Single User Mode](#password-for-single-user-mode) 39 | * [Summary checklist](#ballot_box_with_check-summary-checklist-1) 40 | - **[Bootloader](#bootloader)** 41 | * [Protect bootloader config files](#protect-bootloader-config-files) 42 | * [Summary checklist](#ballot_box_with_check-summary-checklist-2) 43 | - **[Linux Kernel](#linux-kernel)** 44 | * [Kernel logs](#kernel-logs) 45 | * [Kernel pointers](#kernel-pointers) 46 | * [ExecShield](#execshield) 47 | * [Memory protection](#memory-protection) 48 | * [Summary checklist](#ballot_box_with_check-summary-checklist-3) 49 | - **[Logging](#logging)** 50 | * [Syslog](#syslog) 51 | - **[Users and Groups](#users-and-groups)** 52 | * [Passwords](#passwords) 53 | * [Logon Access](#logon-access) 54 | * [Summary checklist](#ballot_box_with_check-summary-checklist-4) 55 | - **[Filesystem](#filesystem)** 56 | * [Hardlinks & Symlinks](#hardlinks--symlinks) 57 | * [Dynamic Mounting and Unmounting](#dynamic-mounting-and-unmounting) 58 | * [Summary checklist](#ballot_box_with_check-summary-checklist-5) 59 | - **[Permissions](#permissions)** 60 | - **[SELinux & Auditd](#selinux--auditd)** 61 | * [SELinux Enforcing](#selinux-enforcing) 62 | * [Summary checklist](#ballot_box_with_check-summary-checklist-6) 63 | - **[System Updates](#system-updates)** 64 | - **[Network](#network)** 65 | * [TCP/SYN](#tcp-syn) 66 | * [Routing](#routing) 67 | * [ICMP Protocol](#icmp-protocol) 68 | * [Broadcast](#broadcast) 69 | * [Summary checklist](#ballot_box_with_check-summary-checklist-7) 70 | - **[Services](#services)** 71 | - **[Tools](#tools)** 72 | 73 | # Introduction 74 | 75 | > In computing, **hardening** is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle a single-function system is more secure than a multipurpose one. The main goal of systems hardening is to reduce security risk by eliminating potential attack vectors and condensing the system’s attack surface. 76 | 77 | This list contains the most important hardening rules for GNU/Linux systems. 78 | 79 | ## Status 80 | 81 | Still work in progress... :construction_worker: 82 | 83 | I also created another repository (in a more detailed way): [the-practical-linux-hardening-guide](https://github.com/trimstray/the-practical-linux-hardening-guide). 84 | 85 | ## Todo 86 | 87 | - [ ] Add rationale (e.g. url's, external resources) 88 | - [ ] Review levels of priority 89 | 90 | ## Prologue 91 | 92 | I'm not advocating throwing your existing hardening and deployment best practices out the door but I recommend is to always turn a feature from this checklist on in pre-production environments instead of jumping directly into production. 93 | 94 | ## Levels of priority 95 | 96 | All items in this checklist contains three levels of priority: 97 | 98 | * low means that the item has a **low** priority. 99 | * medium means that the item has a **medium** priority. You shouldn't avoid tackling that item. 100 | * high means that the item has a **high** priority. You can't avoid following that rule and implement the corrections recommended. 101 | 102 | ## OpenSCAP 103 | 104 | OpenSCAP 105 | 106 |

SCAP (Security Content Automation Protocol) provides a mechanism to check configurations, vulnerability management and evaluate policy compliance for a variety of systems. One of the most popular implementations of SCAP is OpenSCAP and it is very helpful for vulnerability assessment and also as hardening helper. 107 | 108 | Some of the external audit tools use this standard. For example Nessus has functionality for authenticated SCAP scans.

109 | 110 | > I tried to make this list compatible with OpenSCAP standard and rules. However, there may be differences. 111 | 112 | # Partitioning 113 | 114 | ## Separate partitions 115 | 116 | - low Ensure `/boot` located on separate partition. 117 | 118 | - low Ensure `/home` located on separate partition. 119 | 120 | - low Ensure `/usr` located on separate partition. 121 | 122 | - medium Ensure `/var` located on separate partition. 123 | 124 | - high Ensure `/var/log` and `/var/log/audit` located on separate partitions. 125 | 126 | - high Ensure `/tmp` and `/var/tmp` located on separate partitions. 127 | 128 | ## Restrict mount options 129 | 130 | - low Restrict `/usr` partition mount options. 131 | 132 | **Example:** 133 | 134 | ```bash 135 | UUID=<...> /usr ext4 defaults,nodev,ro 0 2 136 | ``` 137 | 138 | - low Restrict `/var` partition mount options. 139 | 140 | **Example:** 141 | 142 | ```bash 143 | UUID=<...> /var ext4 defaults,nosuid 0 2 144 | ``` 145 | 146 | - low Restrict `/var/log` and `/var/log/audit` partitions mount options. 147 | 148 | **Example:** 149 | 150 | ```bash 151 | UUID=<...> /var/log ext4 defaults,nosuid,noexec,nodev 0 2 152 | UUID=<...> /var/log/audit ext4 defaults,nosuid,noexec,nodev 0 2 153 | ``` 154 | 155 | - low Restrict `/proc` partition mount options. 156 | 157 | **Example:** 158 | 159 | ```bash 160 | proc /proc proc defaults,hidepid=2 0 0 161 | ``` 162 | 163 | - medium Restrict `/boot` partition mount options. 164 | 165 | **Example:** 166 | 167 | ```bash 168 | LABEL=/boot /boot ext2 defaults,nodev,nosuid,noexec,ro 1 2 169 | ``` 170 | 171 | - medium Restrict `/home` partition mount options. 172 | 173 | **Example:** 174 | 175 | ```bash 176 | UUID=<...> /home ext4 defaults,nodev,nosuid 0 2 177 | ``` 178 | 179 | - medium Restrict `/var` and `/var/tmp` partitions mount options. 180 | 181 | **Example:** 182 | 183 | ```bash 184 | mv /var/tmp /var/tmp.old 185 | ln -s /tmp /var/tmp 186 | cp -prf /var/tmp.old/* /tmp && rm -fr /var/tmp.old 187 | 188 | UUID=<...> /tmp ext4 defaults,nodev,nosuid,noexec 0 2 189 | ``` 190 | 191 | - medium Restrict `/dev/shm` partition mount options. 192 | 193 | **Example:** 194 | 195 | ```bash 196 | tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,size=1024M,mode=1777 0 0 197 | ``` 198 | 199 | ## Polyinstantiated directories 200 | 201 | - medium Setting up polyinstantiated `/var` and `/var/tmp` directories. 202 | 203 | **Example:** 204 | 205 | ```bash 206 | # Create new directories: 207 | mkdir --mode 000 /tmp-inst 208 | mkdir --mode 000 /var/tmp/tmp-inst 209 | 210 | # Edit /etc/security/namespace.conf: 211 | /tmp /tmp-inst/ level root,adm 212 | /var/tmp /var/tmp/tmp-inst/ level root,adm 213 | 214 | # Set correct SELinux context: 215 | setsebool polyinstantiation_enabled=1 216 | chcon --reference=/tmp /tmp-inst 217 | chcon --reference=/var/tmp/ /var/tmp/tmp-inst 218 | ``` 219 | 220 | ## Shared memory 221 | 222 | - low Set group for `/dev/shm`. 223 | 224 | **Example:** 225 | 226 | ```bash 227 | tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,size=1024M,mode=1770,uid=root,gid=shm 0 0 228 | ``` 229 | 230 | ## Encrypt partitions 231 | 232 | - low Encrypt `swap` partition. 233 | 234 | **Example:** 235 | 236 | ```bash 237 | # Edit /etc/crypttab: 238 | sdb1_crypt /dev/sdb1 /dev/urandom cipher=aes-xts-plain64,size=256,swap,discard 239 | 240 | # Edit /etc/fstab: 241 | /dev/mapper/sdb1_crypt none swap sw 0 0 242 | ``` 243 | 244 | ## :ballot_box_with_check: Summary checklist 245 | 246 | | Rule | Priority | Checkbox | 247 | | :--- | :---: | :---: | 248 | | Separate `/boot` | low | :black_square_button: | 249 | | Separate `/home` | low | :black_square_button: | 250 | | Separate `/usr` | low | :black_square_button: | 251 | | Separate `/var` | medium | :black_square_button: | 252 | | Separate `/var/log` and `/var/log/audit` | high | :black_square_button: | 253 | | Separate `/tmp` and `/var/tmp` | high | :black_square_button: | 254 | | | | | 255 | | Restrict `/usr` mount options | low | :black_square_button: | 256 | | Restrict `/var` mount options | low | :black_square_button: | 257 | | Restrict `/var/log` and `/var/log/audit` mount options | low | :black_square_button: | 258 | | Restrict `/proc` mount options | low | :black_square_button: | 259 | | Restrict `/boot` mount options | medium | :black_square_button: | 260 | | Restrict `/home` mount options | medium | :black_square_button: | 261 | | Restrict `/tmp/` and `/var/tmp` mount options | medium | :black_square_button: | 262 | | Restrict `/dev/shm` mount options | medium | :black_square_button: | 263 | | | | | 264 | | Polyinstantiated `/tmp` and `/var/tmp` | medium | :black_square_button: | 265 | | | | | 266 | | Set group for `/dev/shm` | low | :black_square_button: | 267 | | | | | 268 | | Encrypt `swap` | low | :black_square_button: | 269 | 270 | # Physical Access 271 | 272 | ## Password for Single User Mode 273 | 274 | - low Protect Single User Mode with root password. 275 | 276 | **Example:** 277 | 278 | ```bash 279 | # Edit /etc/sysconfig/init. 280 | SINGLE=/sbin/sulogin 281 | ``` 282 | 283 | ## :ballot_box_with_check: Summary checklist 284 | 285 | | Rule | Priority | Checkbox | 286 | | :--- | :---: | :---: | 287 | | Protect Single User Mode. | low | :black_square_button: | 288 | 289 | # Bootloader 290 | 291 | ## Protect bootloader config files 292 | 293 | - low Ensure bootloader config files are set properly permissions. 294 | 295 | **Example:** 296 | 297 | ```bash 298 | # Set the owner and group of /etc/grub.conf to the root user: 299 | chown root:root /etc/grub.conf 300 | chown -R root:root /etc/grub.d 301 | 302 | # Set permissions on the /etc/grub.conf or /etc/grub.d file to read and write for root only: 303 | chmod og-rwx /etc/grub.conf 304 | chmod -R og-rwx /etc/grub.d 305 | ``` 306 | 307 | ## :ballot_box_with_check: Summary checklist 308 | 309 | | Rule | Priority | Checkbox | 310 | | :--- | :---: | :---: | 311 | | Protect bootloader config files | low | :black_square_button: | 312 | 313 | # Linux Kernel 314 | 315 | ## Kernel logs 316 | 317 | - low Restricting access to kernel logs. 318 | 319 | **Example:** 320 | 321 | ```bash 322 | echo "kernel.dmesg_restrict = 1" > /etc/sysctl.d/50-dmesg-restrict.conf 323 | ``` 324 | 325 | ## Kernel pointers 326 | 327 | - low Restricting access to kernel pointers. 328 | 329 | **Example:** 330 | 331 | ```bash 332 | echo "kernel.kptr_restrict = 1" > /etc/sysctl.d/50-kptr-restrict.conf 333 | ``` 334 | 335 | ## ExecShield 336 | 337 | - low ExecShield protection. 338 | 339 | **Example:** 340 | 341 | ```bash 342 | echo "kernel.exec-shield = 2" > /etc/sysctl.d/50-exec-shield.conf 343 | ``` 344 | 345 | ## Memory protections 346 | 347 | - low Randomise memory space. 348 | 349 | ```bash 350 | echo "kernel.randomize_va_space=2" > /etc/sysctl.d/50-rand-va-space.conf 351 | ``` 352 | 353 | ## :ballot_box_with_check: Summary checklist 354 | 355 | | Rule | Priority | Checkbox | 356 | | :--- | :---: | :---: | 357 | | Restricting access to kernel logs | low | :black_square_button: | 358 | | Restricting access to kernel pointers | low | :black_square_button: | 359 | | ExecShield protection | low | :black_square_button: | 360 | | Randomise memory space. | low | :black_square_button: | 361 | 362 | # Logging 363 | 364 | ## Syslog 365 | 366 | - medium Ensure syslog service is enabled and running. 367 | 368 | **Example:** 369 | 370 | ```bash 371 | systemctl enable rsyslog 372 | systemctl start rsyslog 373 | ``` 374 | 375 | - medium Send syslog data to external server. 376 | 377 | **Example:** 378 | 379 | ```bash 380 | # ELK 381 | # Logstash 382 | # Splunk 383 | # ... 384 | ``` 385 | 386 | ## :ballot_box_with_check: Summary checklist 387 | 388 | | Rule | Priority | Checkbox | 389 | | :--- | :---: | :---: | 390 | | Ensure syslog service is enabled and running. | medium | :black_square_button: | 391 | | Ensure syslog service is enabled and running. | medium | :black_square_button: | 392 | 393 | # Users and Groups 394 | 395 | ## Passwords 396 | 397 | - medium Update password policy (PAM). 398 | 399 | **Example:** 400 | 401 | ```bash 402 | authconfig --passalgo=sha512 \ 403 | --passminlen=14 \ 404 | --passminclass=4 \ 405 | --passmaxrepeat=2 \ 406 | --passmaxclassrepeat=2 \ 407 | --enablereqlower \ 408 | --enablerequpper \ 409 | --enablereqdigit \ 410 | --enablereqother \ 411 | --update 412 | ``` 413 | 414 | - medium Limit password reuse (PAM). 415 | 416 | **Example:** 417 | 418 | ```bash 419 | # Edit /etc/pam.d/system-auth 420 | 421 | # For the pam_unix.so case: 422 | password sufficient pam_unix.so ... remember=5 423 | 424 | # For the pam_pwhistory.so case: 425 | password requisite pam_pwhistory.so ... remember=5 426 | ``` 427 | 428 | - medium Secure `/etc/login.defs` password policy. 429 | 430 | **Example:** 431 | 432 | ```bash 433 | # Edit /etc/login.defs 434 | PASS_MIN_LEN 14 435 | PASS_MIN_DAYS 1 436 | PASS_MAX_DAYS 60 437 | PASS_WARN_AGE 14 438 | ``` 439 | 440 | ## Logon Access 441 | 442 | - low Set auto logout inactive users. 443 | 444 | **Example:** 445 | 446 | ```bash 447 | echo "readonly TMOUT=900" >> /etc/profile.d/idle-users.sh 448 | echo "readonly HISTFILE" >> /etc/profile.d/idle-users.sh 449 | chmod +x /etc/profile.d/idle-users.sh 450 | ``` 451 | 452 | - low Set last logon/access notification. 453 | 454 | **Example:** 455 | 456 | ```bash 457 | # Edit /etc/pam.d/system-auth 458 | session required pam_lastlog.so showfailed 459 | ``` 460 | 461 | - medium Lock out accounts after a number of incorrect login (PAM). 462 | 463 | **Example:** 464 | 465 | ```bash 466 | # Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth 467 | 468 | # Add the following line immediately before the pam_unix.so statement in the AUTH section: 469 | auth required pam_faillock.so preauth silent deny=3 unlock_time=never fail_interval=900 470 | 471 | # Add the following line immediately after the pam_unix.so statement in the AUTH section: 472 | auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never fail_interval=900 473 | 474 | # Add the following line immediately before the pam_unix.so statement in the ACCOUNT section: 475 | account required pam_faillock.so 476 | ``` 477 | 478 | ## :ballot_box_with_check: Summary checklist 479 | 480 | | Rule | Priority | Checkbox | 481 | | :--- | :---: | :---: | 482 | | Update password policy | medium | :black_square_button: | 483 | | Limit password reuse | medium | :black_square_button: | 484 | | Secure `/etc/login.defs` password policy | medium | :black_square_button: | 485 | | | | | 486 | | Set auto logout inactive users. | low | :black_square_button: | 487 | | Set last logon/access notification | low | :black_square_button: | 488 | | Lock out accounts after a number of incorrect login | medium | :black_square_button: | 489 | 490 | # Filesystem 491 | 492 | ## Hardlinks & Symlinks 493 | 494 | - low Enable hard/soft link protection. 495 | 496 | **Example:** 497 | 498 | ```bash 499 | echo "fs.protected_hardlinks = 1" > /etc/sysctl.d/50-fs-hardening.conf 500 | echo "fs.protected_symlinks = 1" >> /etc/sysctl.d/50-fs-hardening.conf 501 | ``` 502 | 503 | ## Dynamic Mounting and Unmounting 504 | 505 | - medium Disable uncommon filesystems. 506 | 507 | **Example:** 508 | 509 | ```bash 510 | echo "install cramfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf 511 | echo "install freevxfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf 512 | echo "install jffs2 /bin/false" > /etc/modprobe.d/uncommon-fs.conf 513 | echo "install hfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf 514 | echo "install hfsplus /bin/false" > /etc/modprobe.d/uncommon-fs.conf 515 | echo "install squashfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf 516 | echo "install udf /bin/false" > /etc/modprobe.d/uncommon-fs.conf 517 | echo "install fat /bin/false" > /etc/modprobe.d/uncommon-fs.conf 518 | echo "install vfat /bin/false" > /etc/modprobe.d/uncommon-fs.conf 519 | echo "install nfs /bin/false" > /etc/modprobe.d/uncommon-fs.conf 520 | echo "install nfsv3 /bin/false" > /etc/modprobe.d/uncommon-fs.conf 521 | echo "install gfs2 /bin/false" > /etc/modprobe.d/uncommon-fs.conf 522 | ``` 523 | 524 | ## :ballot_box_with_check: Summary checklist 525 | 526 | | Rule | Priority | Checkbox | 527 | | :--- | :---: | :---: | 528 | | Enable hard/soft link protection. | low | :black_square_button: | 529 | | Disable uncommon filesystems. | medium | :black_square_button: | 530 | 531 | # Permissions 532 | 533 | # SELinux & Auditd 534 | 535 | ## SELinux Enforcing 536 | 537 | - high Set SELinux Enforcing mode. 538 | 539 | **Example:** 540 | 541 | ```bash 542 | # Edit /etc/selinux/config. 543 | SELINUXTYPE=enforcing 544 | ``` 545 | 546 | ## :ballot_box_with_check: Summary checklist 547 | 548 | | Rule | Priority | Checkbox | 549 | | :--- | :---: | :---: | 550 | | Set SELinux Enforcing mode. | high | :black_square_button: | 551 | 552 | # System Updates 553 | 554 | # Network 555 | 556 | ## TCP/SYN 557 | 558 | - medium Enable TCP SYN Cookie protection. 559 | 560 | **Example:** 561 | 562 | ```bash 563 | echo "net.ipv4.tcp_syncookies = 1" > /etc/sysctl.d/50-net-stack.conf 564 | ``` 565 | 566 | ## Routing 567 | 568 | - medium Disable IP source routing. 569 | 570 | **Example:** 571 | 572 | ```bash 573 | echo "net.ipv4.conf.all.accept_source_route = 0" > /etc/sysctl.d/50-net-stack.conf 574 | ``` 575 | 576 | ## ICMP Protocol 577 | 578 | - medium Disable ICMP redirect acceptance. 579 | 580 | **Example:** 581 | 582 | ```bash 583 | echo "net.ipv4.conf.all.accept_redirects = 0" > /etc/sysctl.d/50-net-stack.conf 584 | ``` 585 | 586 | - medium Enable ignoring to ICMP requests. 587 | 588 | **Example:** 589 | 590 | ```bash 591 | echo "net.ipv4.icmp_echo_ignore_all = 1" > /etc/sysctl.d/50-net-stack.conf 592 | ``` 593 | 594 | ## Broadcast 595 | 596 | - medium Enable ignoring broadcasts request. 597 | 598 | **Example:** 599 | 600 | ```bash 601 | echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/50-net-stack.conf 602 | ``` 603 | 604 | ## :ballot_box_with_check: Summary checklist 605 | 606 | | Rule | Priority | Checkbox | 607 | | :--- | :---: | :---: | 608 | | Enable TCP SYN Cookie protection. | medium | :black_square_button: | 609 | | | | | 610 | | Disable IP source routing. | medium | :black_square_button: | 611 | | | | | 612 | | Disable ICMP redirect acceptance. | medium | :black_square_button: | 613 | | Enable ignoring to ICMP requests. | medium | :black_square_button: | 614 | | | | | 615 | | Enable ignoring broadcasts request. | medium | :black_square_button: | 616 | 617 | # Services 618 | 619 | # Tools 620 | -------------------------------------------------------------------------------- /lib/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trimstray/linux-hardening-checklist/6cfca081518a032d14954571425053c4ceed07df/lib/.gitkeep -------------------------------------------------------------------------------- /static/img/high.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trimstray/linux-hardening-checklist/6cfca081518a032d14954571425053c4ceed07df/static/img/high.png -------------------------------------------------------------------------------- /static/img/linux-hardening-checklist_preview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trimstray/linux-hardening-checklist/6cfca081518a032d14954571425053c4ceed07df/static/img/linux-hardening-checklist_preview.png -------------------------------------------------------------------------------- /static/img/low.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trimstray/linux-hardening-checklist/6cfca081518a032d14954571425053c4ceed07df/static/img/low.png -------------------------------------------------------------------------------- /static/img/medium.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trimstray/linux-hardening-checklist/6cfca081518a032d14954571425053c4ceed07df/static/img/medium.png -------------------------------------------------------------------------------- /static/img/openscap_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trimstray/linux-hardening-checklist/6cfca081518a032d14954571425053c4ceed07df/static/img/openscap_logo.png --------------------------------------------------------------------------------