Assessment of Host Configuration - Linux

A. CentOS

A1. File System Configuration

This section remains blank for your input.

A2. Services

A2.1 Ensure the following services are disabled.

Disable auto-mounting, xinetd, Avahi Server, CUPS, DHCP Server, LDAP server, NFS and RPC, DNS Server, FTP Server, HTTP server, IMAP and POP3 server, Samba, HTTP Proxy Server, SNMP Server, NIS Server, rsh server, telnet server, tftp server, rsync service, and talk server.

Use the following command to verify:

systemctl list-unit-files | grep "enabled" | grep "autofs\|xinetd\|avahi-daemon\|cups\|dhcpd\|slapd\|nfs\|named\|vsftpd\|httpd\|dovecot\|smb\|squid\|snmpd\|ypserv\|rsh.socket\|rlogin.socket\|rexec.socket\|telnet.socket\|tftp.socket\|rsyncd\|ntalk"

A2.2 Ensure the following services and service clients are not installed.

Make sure the X Window System, NIS Client, rsh client, talk client, telnet client, LDAP client, prelink, SETroubleshoot, and MCS Translation Service (mcstrans) are not present.

Use the following command to check:

rpm -qa | grep "xorg-x11\|ypbind\|rsh\|talk\|telnet\|openldap-clients\|prelink\|setroubleshoot\|mcstrans"

A2.3 Ensure the following services are in use.

Ensure that the auditd service, rsyslog Service, syslog-ng service, and cron daemon are running.

Verify using the command:

systemctl list-unit-files | grep "enabled" | grep "auditd\|rsyslog\|syslog-ng\|crond"

Confirm whether Time Synchronization (ntp or chrony), TCP Wrappers, AIDE, SELinux, iptables, rsyslog, and syslog-ng are installed.

Use the following command to verify (the original pattern mixed commas into the regular expression; each package name must be a separate alternative):

rpm -qa | grep "ntp\|chrony\|tcp_wrappers\|aide\|selinux\|iptables\|rsyslog\|syslog-ng"

A2.4 SMTP

Verify the SMTP configuration using:

grep "smtpd_banner" /etc/postfix/main.cf

A3. Network Configuration

A3.1 Network Parameters

Review the network parameters using the following command:

sysctl -a | grep "net.ipv4.ip_forward\|net.ipv4.conf.all.send_redirects\|net.ipv4.conf.default.send_redirects\|net.ipv4.conf.all.accept_source_route\|net.ipv4.conf.default.accept_source_route\|net.ipv4.conf.all.accept_redirects\|net.ipv4.conf.default.accept_redirects\|net.ipv4.conf.all.secure_redirects\|net.ipv4.conf.default.secure_redirects\|net.ipv4.conf.all.log_martians\|net.ipv4.conf.default.log_martians\|net.ipv4.icmp_echo_ignore_broadcasts\|net.ipv4.icmp_ignore_bogus_error_responses\|net.ipv4.conf.all.rp_filter\|net.ipv4.conf.default.rp_filter\|net.ipv4.tcp_syncookies\|net.ipv6.conf.all.disable_ipv6"

Recommended network settings for both hosts and routers are:

net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.disable_ipv6 = 1

A3.2 Uncommon Network Protocols

Disable the following network protocols: DCCP, SCTP, RDS, and TIPC.

You can verify their status with the command:

modprobe -n -v -a dccp sctp rds tipc

A4. Logging and Auditing

A4.1 Ensure logging is configured.

Check if the logging directory exists and review its contents:

ls -l /var/log/

A4.2 Configure System Accounting.

Verify the system accounting settings:

grep "max_log_file\|space_left_action\|action_mail_acct\|admin_space_left_action\|max_log_file_action" /etc/audit/auditd.conf

Suggested audit log configuration:

max_log_file = 
space_left_action = email
action_mail_acct = root
admin_space_left_action = halt
max_log_file_action = keep_logs

A4.3 Ensure sufficient events information is collected.

Make sure the system gathers sufficient event details:

grep "time-change\|identity\|system-locale\|MAC-policy\|logins\|session\|perm_mod\|access\|mounts\|delete\|scope\|actions\|modules" /etc/audit/audit.rules

A5. Access, Authentication, and Authorization

A5.1 Configure cron.

Verify that the cron-related files have permissions set to 0600 (-rw-------):

ls -l /etc/ | grep "crontab\|cron.hourly\|cron.daily\|cron.weekly\|cron.monthly\|cron.d\|cron.deny\|cron.allow\|at.allow\|at.deny"

A5.2 SSH Server Configuration

Confirm that the SSH configuration file has permissions set to 0600 (-rw-------):

ls -l /etc/ssh/sshd_config

Examine the SSH server settings:

grep "Protocol\|LogLevel\|X11Forwarding\|MaxAuthTries\|IgnoreRhosts\|HostbasedAuthentication\|PermitRootLogin\|PermitEmptyPasswords\|PermitUserEnvironment\|Ciphers\|MACs\|KexAlgorithms\|ClientAliveInterval\|ClientAliveCountMax\|LoginGraceTime\|AllowUsers\|AllowGroups\|DenyUsers\|DenyGroups\|Banner" /etc/ssh/sshd_config

The recommended SSH server settings are:

Protocol 2
LogLevel INFO
X11Forwarding no
MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
ClientAliveInterval 300
ClientAliveCountMax 0
LoginGraceTime 60
AllowUsers 
AllowGroups 
DenyUsers 
DenyGroups 
Banner /etc/issue.net

Note that curve25519-sha256@libssh.org and diffie-hellman-group-exchange-sha256 are key exchange algorithms and belong under KexAlgorithms, not MACs; sshd rejects them in a MACs line.
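The sysctl values in A3.1 and the SSH settings above are both "expected value" lists, so a single drift check serves both. The following POSIX shell script is an added example, not part of this checklist: it compares a file of recommended settings against the live output (sysctl -a, or sshd -T for the effective SSH configuration) and tags each expected key as OK, DRIFT or MISSING. The sample input in the demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the original checklist. Compares a file of
# recommended settings against live output and reports drift. It handles both
# formats used above: "key = value" (sysctl -a) and "Key value" (sshd -T or
# sshd_config). Keys are compared case-insensitively, values exactly.

# normalize FILE: drop comments, the optional "=" and surplus whitespace;
# emit "lowercased-key value" lines.
normalize() {
    sed -e 's/#.*//' -e 's/[[:space:]]*=[[:space:]]*/ /' -e '/^[[:space:]]*$/d' "$1" |
        awk '{ k = tolower($1); $1 = ""; sub(/^ +/, ""); print k " " $0 }'
}

# check_drift EXPECTED_FILE ACTUAL_FILE: one line per expected key, tagged
# OK (matches), DRIFT (value differs) or MISSING (key not set at all).
check_drift() {
    act=$(normalize "$2")
    normalize "$1" | while read -r key want; do
        have=$(printf '%s\n' "$act" |
            awk -v k="$key" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }')
        if [ -z "$have" ]; then
            printf 'MISSING %s (want: %s)\n' "$key" "$want"
        elif [ "$have" = "$want" ]; then
            printf 'OK      %s = %s\n' "$key" "$have"
        else
            printf 'DRIFT   %s = %s (want: %s)\n' "$key" "$have" "$want"
        fi
    done
}

# count_noncompliant EXPECTED_FILE ACTUAL_FILE: number of DRIFT/MISSING lines
# (0 means fully compliant); useful as a single pass/fail figure.
count_noncompliant() {
    check_drift "$1" "$2" | grep -vc '^OK' || true
}

# demo with constructed sample input; on a real host replace the second file
# with the output of "sysctl -a" (or "sshd -T" for the SSH settings).
demo() {
    d=$(mktemp -d)
    printf 'net.ipv4.ip_forward = 0\nnet.ipv4.tcp_syncookies = 1\n' > "$d/want"
    printf 'net.ipv4.conf.all.log_martians = 1\n' >> "$d/want"
    printf 'net.ipv4.ip_forward = 1\nnet.ipv4.tcp_syncookies = 1\n' > "$d/have"
    check_drift "$d/want" "$d/have"     # DRIFT, OK, MISSING
    rm -rf "$d"
}
demo
```

Run the SSH comparison against `sshd -T` rather than the raw sshd_config: directives that are commented out fall back to compiled-in defaults, so the file alone reports them as MISSING even when the effective value is compliant.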

A5.3 Ensure password creation requirements are configured.

Verify the PAM configuration:

grep "pam_pwquality.so\|pam_unix.so\|pam_faillock.so" /etc/pam.d/system-auth /etc/pam.d/password-auth

Recommended PAM configuration:

password requisite pam_pwquality.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900

The sha512 and remember=5 options belong on a single pam_unix.so password line; a second "sufficient" pam_unix.so line would never be reached. Likewise the faillock chain needs the authfail line, otherwise failed attempts are never counted and the deny=5 lockout never triggers.

Check the password quality settings:

grep "minlen\|dcredit\|lcredit\|ocredit\|ucredit" /etc/security/pwquality.conf

Suggested settings for password quality:

minlen=14
dcredit=-1
lcredit=-1
ocredit=-1
ucredit=-1

A5.4 Set Shadow Password Suite Parameters

Review the Shadow Password Suite settings:

grep "PASS_MAX_DAYS\|PASS_MIN_DAYS\|PASS_WARN_AGE" /etc/login.defs

Recommended settings for Shadow Password Suite:

PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 7

A5.5 Ensure the default user umask is 027 or more restrictive.

Confirm the default user umask setting:

grep "umask" /etc/bashrc /etc/profile

A6. System Maintenance

A6.1 System File Permissions

Verify the permissions of critical system files:

ls -l /etc/ | grep "passwd\|shadow\|group\|gshadow"

Suggested file permissions:

0644 (-rw-r--r--) group
0600 (-rw-------) group-
0600 (-rw-------) gshadow
0600 (-rw-------) gshadow-
0644 (-rw-r--r--) passwd
0600 (-rw-------) passwd-
0000 (----------) shadow
0600 (-rw-------) shadow-

Automated Assessment Tool

Consider utilizing Lynis for automated security auditing.

./lynis audit system -Q

Reference:

For more information, refer to:

https://www.open-scap.org/tools/openscap-base/

Licensed under CC BY-NC-SA 4.0
Last updated on Apr 18, 2024 03:40 +0100