Linux System Hardening
Posted by DDrDoof@reddit | sysadmin | 21 comments
Hello!
I am a fairly inexperienced Linux administrator and was randomly selected to participate in a company-wide cyber security exercise. My task: Contribute to the automation of Linux hardening with Ansible.
Do any of you have tips on what I need to pay attention to or possibly sources for Ansible scripts that focus on securing Linux systems?
I am very grateful for any help!
LoveThemMegaSeeds@reddit
Basics for me would be making sure users can't see system-level processes and making sure scripts like enum.sh don't show anything for an attacker to try.
More_Purpose2758@reddit
CIS Benchmarks for the OS.
Organized into L1 and L2. Just target the easy one until your corp gets bandwidth to get specifics and details.
Klintrup@reddit
Take a look here:
https://github.com/ansible-lockdown/
Chris_M_81@reddit
Thanks for posting that, I'll have to take a look at it. Where I work we have a bunch of RHEL VMs and use Red Hat Satellite, but just as a repo for software and patches. I know it can be set up with a lot of Ansible scripting tools, which I'm keen to explore.
Currently we deploy a VM from a template, use the CIS security policy to ensure /tmp and the other ones I forget right now are on their own partitions so it doesn't fail those tests, and then run the CIS build kit to harden once the VM is deployed. A bunch of our domain-specific stuff and some configuration is done by manually pasting lines of code, so it's ripe for scripting.
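Two of the controls raised in this thread (LoveThemMegaSeeds' "users can't see system-level processes", and the separate /tmp partition that the CIS check above looks for) both come down to what is in fstab. The script below is an added example written for this thread, not code from the thread, from CIS or from any project mentioned here. It audits fstab text read on stdin and reports when /tmp is not its own mount, when it lacks nodev, nosuid or noexec, and when /proc is not mounted with hidepid=2 (the option that hides other users' /proc/<pid> entries from ps and top). The sample fstab contents are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread or from any project named in it.
# Audits fstab text for two controls raised above: /tmp on its own mount with
# nodev,nosuid,noexec (the CIS-style partition check), and /proc mounted with
# hidepid=2 so unprivileged users cannot list other users' processes.
# Usage: audit_fstab < /etc/fstab    (prints one finding per line, exit 1 if any)

# has_opt OPTS NAME: succeed when comma-separated OPTS contains NAME exactly
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# fstab_opts FSTAB_TEXT MOUNTPOINT: option field of the first non-comment
# line for MOUNTPOINT, empty when no such line exists
fstab_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }'
}

# audit_fstab: reads fstab text on stdin, reports findings, returns 1 on any
audit_fstab() {
    local fstab opts want rc=0
    fstab=$(cat)

    # /tmp must be a separate mount and carry all three restrictive options
    opts=$(fstab_opts "$fstab" /tmp)
    if [ -z "$opts" ]; then
        echo "/tmp: not a separate mount"; rc=1
    else
        for want in nodev nosuid noexec; do
            has_opt "$opts" "$want" || { echo "/tmp: missing $want"; rc=1; }
        done
    fi

    # /proc with hidepid=2 hides other users' /proc/<pid> entries (ps, top)
    opts=$(fstab_opts "$fstab" /proc)
    has_opt "$opts" hidepid=2 || { echo "/proc: hidepid=2 not set"; rc=1; }

    return "$rc"
}

# Constructed sample fstab contents (not taken from any real host)
FSTAB_WEAK='UUID=0000-0000 /     ext4  defaults 0 1
proc           /proc proc  defaults 0 0'
FSTAB_HARDENED='UUID=0000-0000 /     ext4  defaults                           0 1
tmpfs          /tmp  tmpfs defaults,nodev,nosuid,noexec,size=2G 0 0
proc           /proc proc  defaults,hidepid=2                  0 0'

echo "== weak =="
printf '%s\n' "$FSTAB_WEAK" | audit_fstab || echo "(findings present)"
echo "== hardened =="
printf '%s\n' "$FSTAB_HARDENED" | audit_fstab && echo "no findings"
```

The same logic is what an Ansible `ansible.posix.mount` task ends up enforcing, so a check like this is useful as a pre-flight or as the assertion in a verification playbook. Two caveats a practitioner should know: the audit only reads fstab, so it will not see a /tmp that systemd mounts from a tmp.mount unit, and hidepid=2 on /proc is usually paired with a gid= option so that a monitoring or admin group is exempted, since some services expect to read other processes' /proc entries.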
Ghosty_be@reddit
Came here to post this, I just saw that mentioned a couple of months ago at a conference!
NETSPLlT@reddit
OOoo, this looks awesome. Thanks!
varky@reddit
This. Lockdown is very good, we fork it with some extra in-house stuff, but it's a great jumping off point.
usa_reddit@reddit
Is SELinux still a thing? That is what I used to use, but it is somewhat painful to set up.
NETSPLlT@reddit
What are the regulatory requirements in your industry? List any associated risks and identify how your systems can be hardened to mitigate them.
What threats / dangers does your leadership identify as being important? List those risks and identify how your systems can be hardened to mitigate them.
What threats / dangers do YOU identify as being important? List those risks and identify how your systems can be hardened to mitigate them.
What mitigations? Excellent question and fully in your wheelhouse. It depends on the risks and other factors. Do you need to apply STIGs? follow some NIST list? Something else? This is where you will need to work and research and spend time.
Once you have the risks and mitigations, roll those up into something you can handle within Ansible. Identify anything that can't be handled this way and say how it should be addressed. By your team with a different solution than Ansible? Or does it fall to another team? Whatever you do, don't drop the ball. Don't say "this isn't for me" and then just ignore it. Communicate, communicate, communicate.
Old_Acanthaceae5198@reddit
CIS 2 is the standard benchmark.
Something like this is building your own image.
https://aws.amazon.com/marketplace/pp/prodview-wm36yptaecjnu
ZealousidealTurn2211@reddit
A note, if you use the CIS-CAT tool to scan and report on compliance with the benchmark you need to carefully read how it's checking when something fails. Some of the automated checks are pretty brainless.
As an offhand example on at least some versions of Oracle Linux the CIS-CAT check will falsely flag your login banner if the pair of characters "ol" is used anywhere in it.
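The false positive described above is what a bare substring match produces: "ol" also occurs inside "policy" and "violation". The script below is an added example written for this thread, not CIS-CAT's own code, and shows the difference between that naive match and a whole-word match, together with the other half of the usual banner control, a check for the agetty escapes \m \r \s \v that expand to machine name, release, OS name and version. It assumes the OS id is a plain alphanumeric token (as in the ID= field of /etc/os-release), and the banners are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread or from CIS-CAT itself. Shows why a
# substring match is the wrong way to test a login banner for OS disclosure
# and what a whole-word match (plus a check for agetty escapes) looks like.
# The OS id "ol" comes from the comment above; the banners are constructed.
# Assumes OSID is a plain alphanumeric id (as in /etc/os-release ID=), not a
# regex.

# banner_has_escapes BANNER: true if the banner contains \m \r \s or \v,
# which agetty expands to machine name, release, OS name and version
banner_has_escapes() {
    printf '%s' "$1" | grep -Eq '\\[mrsv]'
}

# naive_os_match BANNER OSID: case-insensitive substring match
naive_os_match() {
    printf '%s' "$1" | grep -Fiq -- "$2"
}

# strict_os_match BANNER OSID: OSID must stand as a whole word
strict_os_match() {
    printf '%s' "$1" | grep -Eiq -- "(^|[^[:alnum:]_])$2([^[:alnum:]_]|$)"
}

# check_banner BANNER OSID: PASS/FAIL verdict on stdout, exit 1 on FAIL
check_banner() {
    if banner_has_escapes "$1"; then
        echo "FAIL: banner uses agetty escape sequences"; return 1
    fi
    if strict_os_match "$1" "$2"; then
        echo "FAIL: banner names the OS ($2)"; return 1
    fi
    echo "PASS"
}

# Constructed banners
BANNER_OK='Unauthorized access is a policy violation.'   # "policy" contains "ol"
BANNER_OS='Oracle Linux ol 9 - authorized use only'
BANNER_ESC='Welcome to \s \r on \m'

OSID=ol
for b in "$BANNER_OK" "$BANNER_OS" "$BANNER_ESC"; do
    printf 'naive=%s strict=' "$(naive_os_match "$b" "$OSID" && echo hit || echo miss)"
    check_banner "$b" "$OSID" || :
done
```

Run against /etc/issue and /etc/issue.net with `check_banner "$(cat /etc/issue)" "$(. /etc/os-release; echo "$ID")"`. A full check would also loop over the words of NAME= and PRETTY_NAME= (so "Oracle" is caught, not only "ol"), but the point here is the matching rule: when a scanner result looks wrong, read what the check actually compares before editing the banner to satisfy it.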
Noobmode@reddit
This is the way to start. If you aren't sure, take the benchmarks and look at what aligns with your organization. There will be exceptions, but that's expected; document them and keep the exception scope as low as possible. Good luck!
VisineOfSauron@reddit
There are the DoD's STIG guides that you can download, which are the required security settings for computers used by the Department of Defense. This won't have ready-to-run scripts, but will go over a number of vulnerabilities.
SillyPuttyGizmo@reddit
The NSA has several good resources on hardening for Linux
shelfside1234@reddit
Bit too vague there mate
Are you also supposed to define exactly what is to be hardened or just write the playbooks to do so with someone else making the definitions?
Pflummy@reddit
Check Lynis and Vuls.
shiftypugs@reddit
Go to cyber.mil, find the STIG for your OS and go to town.
bobalob_wtf@reddit
https://ansible.jeffgeerling.com
pfak@reddit
Where's the hardening?
its_FORTY@reddit
Wait, isn't this the plot of Ex Machina?
dreadpiratewombat@reddit
A little long in the tooth now but still plenty of good practices in here: https://github.com/trimstray/the-practical-linux-hardening-guide