You are on page 1of 39

Red Hat Certificate of Expertise in Server

Hardening Notes (EX413)


page 1 of 39

TestingEnvironment
VirtualizationHyperVisor
HostEnvironment
GuestEnvironment
Postbasicinstallationtasks
Objective1
IdentifyRedHatCommonVulnerabilitiesandExposures(CVEs)andRedHatSecurity
Advisories(RHSAs)andselectivelyupdatesystemsbasedonthisinformation
Objective2
Verifypackagesecurityandvalidity
Objective3
Identifyandemploystandardsbasedpracticesforconfiguringfilesystemsecurity,create
anduseencryptedfilesystems,tunefilesystemfeatures,andusespecificmountoptions
torestrictaccesstofilesystemvolumes.
Objective4
Configuredefaultpermissionsforusersandusespecialfilepermissions,attributes,and
accesscontrollists(ACLs)tocontrolaccesstofiles
Objective5
InstallanduseintrusiondetectioncapabilitiesinRedHatEnterpriseLinuxtomonitor
criticalsystemfiles
Objective6
Manageuseraccountsecurityanduserpasswordsecurity
Objective7
Managesystemloginsecurityusingpluggableauthenticationmodules(PAM)
Objective8
Configureconsolesecuritybydisablingfeaturesthatallowsystemstoberebootedor
poweredoffusingbootloaderpasswords
Objective9
Configuresystemwideacceptableusenotifications
Objective10
Install,configure,andmanageidentitymanagementservicesandconfigureidentity
managementclients
Objective11
Configureremotesystemloggingservices,configuresystemlogging,andmanagesystem
logfilesusingmechanismssuchaslogrotationandcompression
LogRotation
journalisacomponentofsystemdforlogging

Official Red Hat documentation on RHEL 7 can be f ound at:


https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server


Hardening Notes (EX413)
page 2 of 39

journalctlisusedforviewingthejournallog
journalonlylogsinmemoryorasmallringfilein/run/log/journaltocreatepersistent
storagecreatethedirectory/var/log/journal
Objective12
Configuresystemauditingservicesandreviewauditreports
Objective13
Usenetworkscanningtoolstoidentifyopennetworkserviceportsandconfigureand
troubleshootsystemfirewalling
References

Official Red Hat documentation on RHEL 7 can be f ound at:


https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server


Hardening Notes (EX413)
page 3 of 39

TestingEnvironment
VirtualizationHyperVisor
VirtualBox
(Version 5.0.14 r 105127 as of this writing)

HostEnvironment
(Im double dipping and working at home and at work)
Xubuntu14.04LTS
CentOS7.2

GuestEnvironment
( These might seem a little odd, but I am using this image f or DISA STIG testing too)
CentOS6.7
(As of 8March2016 the E X413 is done under v6 f or some strange r eason)
2vCPU
1.5GBRAM
18GBHarddrive
(Something of an usual or non standard layout. T his is f rom the DISA STIG)
/ ~10GiB
/boot 250MiB
/home 1GiB
/tmp 500MiB
/var 5GiB
/var/log 500MiB
/var/log/audit 275MiB
swap 500MiB
2NetworkPorts
Port1)VboxNAT
Port2)HostonlyAdapter
ServerwithGUIinstallation
+DNSNameServer
+EmailServer
+FTPServer
+FileandStorageServer
+HardwareMonitoringUtilities
+JavaPlatform
+NetworkFileSystemClient

Official Red Hat documentation on RHEL 7 can be f ound at:


https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server


Hardening Notes (EX413)
page 4 of 39

+PerformanceTools
+C ompatibilityLibraries
+SecurityTools
Postbasicinstallationtasks
Limitthenumberofkernelstokeepto2forspacereasons
changeinstallonly_limit=2in/etc/yum.conf
EnableCentOSPlusRepo
Install/EnableEPELrepo
Install/EnableELRepo
Install/EnableVAULTRepos
This is because I started on purpose with an older version. Check http://vault.centos.org to match the version. I n this case
it was 7.1.1503
run yum disablerepos * enablerepos C7* update to update to the latest versions within the r elease.
InstallDKMS
run yum disablerepos * enablerepos C7* update to update to the latest versions within the r elease.

InstallVirtualBoxguestadditions

MAKEASNAPSHOTBEFOREYOUSTARTMESSINGAROUNDWITHTHINGS!!

SINCEIORIGINALLYSTARTEDTHISDOCUMENTUNDERTHEINCORRECT
ASSUMPTIONTHATTHISTESTWOULDBEUNDERRHEL7IWILLKEEPTHE
INFORMATIONINTACTANDDENOTETHEDIFFERENCES





Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 5 of 39

Objective1
IdentifyRedHatCommonVulnerabilitiesandExposures(CVEs)
andRedHatSecurityAdvisories(RHSAs)andselectivelyupdate
systemsbasedonthisinformation
Usingy umtocheckifthereareanypackagesthatneedsecurityupdates.
# yum check-update --security
Loaded plugins: langpacks, product-id, subscription-manager
rhel-7-workstation-rpms/x86_64 | 3.4 kB 00:00:00
No packages needed for security; 0 packages available


Toupdateonlysecuritypackageswithyum
# yum update --security


Tolistallavailableerrataswithoutinstallingthem,run:
# yum updateinfo list available


Tolistallavailablesecurityupdateswithoutinstallingthem,run:
# yum updateinfo list security all

or
# yum updateinfo list sec

Togetalistofthec urrentlyinstalledsecurityupdatesthiscommandcanbeused:
# yum updateinfo list security installed

Tolistallavailablesecurityupdateswithverbosedescriptionsoftheissuestheyapply
to:
# yum info-sec


Runthefollowingcommandtodownloadanda pplyallavailablesecurityupdatesfrom
RedHatNetworkhostedorRedHatNetworkSatellite:
# yum -y update --security
NOTE: I t will install the last version available of any package with at least one security errata thus can install nonsecurity
erratas if they provide a more updated version of the package.



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 6 of 39

Toonlyinstallthepackagesthathaveasecurityerratause
# yum update-minimal --security -y

yumsecurityalsoallowsinstallingsecurityupdatesbasedontheC
VEreferenceofthe
issue.
ToinstallasecurityupdateusingaCVEreferencerun:
# yum update --cve <CVE>

Forexample:
# yum update --cve CVE-2008-0947


Viewingavailableadvisoriesbyseverities:
# yum updateinfo list
This system is receiving updates from RHN Classic or RHN Satellite.
RHSA-2014:0159 Important/Sec. kernel-headers-2.6.32-431.5.1.el6.x86_64
RHSA-2014:0164 Moderate/Sec. mysql-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec. mysql-devel-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec. mysql-libs-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec. mysql-server-5.1.73-3.el6_5.x86_64
RHBA-2014:0158 bugfix nss-sysinit-3.15.3-6.el6_5.x86_64
RHBA-2014:0158 bugfix nss-tools-3.15.3-6.el6_5.x86_64


Ifyouwanttoapplyonlyonespecificadvisory:
# yum update --advisory=RHSA-2014:0159

However,ifyouwouldliketoknowmoreinformationaboutthisadvisorybefore
toapplyit:
# yum updateinfo RHSA-2014:0159


Formorecommandsconsultthemanualpagesofy umsecuritywith
# man yum-security

Official Red Hat documentation on RHEL 7 can be f ound at:


https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server


Hardening Notes (EX413)
page 7 of 39

Objective2
Verifypackagesecurityandvalidity
TheYumpackagemanagerallowsforanautomaticverificationofallpackagesitinstalls
orupgrades.g pgcheckisenabledbydefault,localpkg_gpgcheckisNOT.Toconfigure
thisoptiononyoursystem,makesuretheg pgcheckandlocalpkg_gpgcheck
configurationdirectivesaresetto1inthe/ etc/yum.conf configurationfile.
# grep gpgcheck /etc/yum.conf
gpgcheck=1
localpkg_gpgcheck=1
**NOTE** T hese can be overridden in the /etc/repos.d/<repo>.conf f iles!!!

Usethefollowingcommandtomanuallyverifypackagefilesonyourfilesystem:
# rpmkeys --checksig package_file.rpm


Checkpackagescriptsandtriggers
# rpm -qp --scripts /home/userx/Downloads/my-awesome-application-1.2.rpm

CheckGPGkeysignatures
# rpm -K /home/userx/Downloads/my-awesome-application-1.1.rpm


# rpm -vvK /home/userx/Downloads/my-awesome-application-1.1.rpm


ToverifyRedHatpackages,youmustimporttheRedHatGPGkey.
# rpm --import /usr/share/rhn/RPM-GPG-KEY


TodisplayalistofallkeysinstalledforRPMverification
# rpm -qa gpg-pubkey*

FortheRedHatkey,theoutputincludes:
gpg-pubkey-db42a60e-37ea5438


Todisplaydetailsaboutaspecifickey
# rpm -qi gpg-pubkey-db42a60e-37ea5438



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 8 of 39






VerifyRPMs
rpmqfcanbeusedtodeterminewhatpackageafilebelongsto
# rpm -qf /etc/passwd
setup-2.5.58-7.el5

rpmV<package>willverifythesettings
# rpm -V setup-2.5.58-7.el5
.M...... c /etc/passwd
S.5....T c /etc/printcap

VerifyCodeMatrix
S File size diers.
M File mode diers (includes permissions and file type).
5 The MD5 checksum diers.
D The major and minor version numbers dier on a device file.
L A mismatch occurs in a link.
U The file ownership diers.
G The file group owner diers.
T The file time (mtime) diers.

Otheryumtricksandtips
Listpackagesandwhatrepostheyarepartof:
# yum --showduplicates list httpd | expand
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirror.atlanticmetro.net
* centosplus: mirror.atlanticmetro.net
* elrepo: mirror.symnds.com
* epel: mirror.cogentco.com
* extras: mirror.rackspace.com
* updates: mirror.symnds.com
Installed Packages
httpd.x86_64 2.4.6-40.el7.centos @base
Available Packages
httpd.x86_64 2.4.6-40.el7.centos base



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 9 of 39

Toautomaticallyremoveunneededdependencieswhenapackageisremoved,set
thisinthe/etc/yum.conf:clean_requirements_on_remove to1
# grep -i clean_requirements_on_remove /etc/yum.conf
clean_requirements_on_remove=1

Limitthenumberofinstallonlypackage.Usuallyforlimitingthenumberof
kernelsinstalled.Defaultis3
# grep installonly_limit /etc/yum.conf
installonly_limit=2



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 10 of 39

Objective3
Identifyandemploystandardsbasedpracticesforconfiguringfile
systemsecurity,createanduseencryptedfilesystems,tunefilesystem
features,andusespecificmountoptionstorestrictaccesstofilesystem
volumes.
Multiplepartitions
/tmptemporarystorageforusers.
shouldhave1777permissions(worldread/write/executew/StickyBit)
nodev,nosuid,&noexec mountoptionsshouldbesetin/etc/fstab
# grep tmp /etc/fstab
/dev/mapper/centos-tmp /tmp xfs nodev,nosuid,noexec 1 2

/vartemporarydynamicstorageforsystemservices
/var/tmp
shouldbeboundto/tmp.Linkisunbreakableandinheritssecurityfrom
/tmpandshouldprevent/ varfromfillingupandcausingissues
# grep /tmp /etc/fstab | grep var
/tmp /var/tmp none bind 0 0


/var/logsystemstorageforlogdata
# grep /tmp /etc/fstab | grep var
/tmp /var/tmp none bind 0 0

/var/log/auditsystemstorageforauditlogdata
# grep /audit /etc/fstab
/dev/mapper/centos-var_log_audit /var/log/audit xfs defaults 0 0

/homestorageforusers
nodevmountoptionshouldalsobeset
# grep /audit /etc/fstab
/dev/mapper/centos-home /home xfs nodev 0 0

anyremovablemediamountpointsshouldhaven
oexec,nodev,nosuidoptions
set
# grep <mount point> /etc/fstab



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 11 of 39

/dev/shm isatemporaryfilesystemstoredinmemory
noexec,nodev,nosuidoptionsshouldbeset
# grep shm /etc/fstab
tmpfs /dev/shm tmpfs size=6g,nodev,nosuid,noexec 0 0


Useful/etc/fstab options
nosuidpreventsfilesfrombeings etuidorsetgid
noexecpreventsprogramsfrombeingexecutedfromthepartition
nodevpreventspartitionfromhavingspecialdeviceslikeblockorcharacter
devices
rwread/write(default,implied)
roreadonly
Toremountpartitionsonrunningsystems
# mount -o remount,<options> <dir>

Disablefilesystemtypesthatarentneeded
cramfs FilesystemtypeisacompressedreadonlyLinuxfilesystem.
freevxfs FilesystemforVeritas.
js2 Logstructuredfilesystemusedinflashdevices
hfs MacOSfilesystem
hfsplus NewerMacOSfilesystem
squashfs Similartocramfs,acompressedLinuxfilesystem.
udf ISO/IEC13346andECMA167specfilesystem.
** NOTE** NEEDED TO SUPPORT WRITING DVDs and newer optical disc f ormats
Thereareafewwaystodisabletheseservices.CISsuggestsaddingaconfigfileto
/etc/modprobe.dandaddingthemodulesthere:Iusedb ad_fs.conf

Dryrunofwhatwouldhappenifthemodulewascalled
# /sbin/modprobe -n -v udf
insmod /lib/modules/3.10.0-229.20.1.el7.x86_64/kernel/lib/crc-itu-t.ko
insmod /lib/modules/3.10.0-229.20.1.el7.x86_64/kernel/fs/udf/udf.ko


Checktoseeifthemoduleisinserted
# lsmod | grep udf

Changetheoperationforloadingthemoduletothefilein
/etc/modprobe.d/bad_fs.conf



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 12 of 39

install udf /bin/false

Standardsbasedfilesystemsecurity
Stickybitshouldbesetforallpublicdirectories:Whenadirectory'sstickybitis
set,thefilesystemtreatsthefilesinsuchdirectoriesinaspecialwaysoonlythe
file'sowner,thedirectory'sowner,orr ootusercanrenameordeletethefile.
Withoutthestickybitset,anyuserwithwriteandexecutepermissionsforthe
directorycanrenameordeletecontainedfiles,regardlessofthefile'sowner.
Typicallythisissetonthe/tmpdirectorytopreventordinaryusersfromdeleting
ormovingotherusers'files.

Tofinddirectoriesthatareworldwriteablewithoutthestickybitset:
# find / -type d -perm -002 ! -perm -1000 -exec ls -ld {} ;\


Tosetwithchmod
# chmod 1777 <dir> [or] # chmod o+t <dir>


Determiningifthestickybitisset:
ifthedirectoryisnotworldexecutable(thisdirectoryis1766)
# ls -ld sticky-dir/
drwxrw-rwT, 2 root root 6 Feb 3 09:53 sticky-dir/

ifthedirectoryisworldexecutable(thisdirectoryis1777)
# ls -ld sticky-dir/
drwxrwxrwt, 2 root root 6 Feb 3 09:53 sticky-dir/

SetUIDfiles:(setUserIDuponexecution)areUnixaccessrightsflagsthat
allowuserstorunanexecutablewiththepermissionsoftheexecutable'sowner.
SetUIDpermissiononadirectoryisignored.
Tofindsetuidfilesanddirectories:
# find / -perm -4000 -exec ls -alL {} \;

SetGIDfiles(setGroupIDuponexecution)a ttributewillallowforchangingthe
groupbasedprivilegeswithinaprocess.Settingthesetgidpermissionona
directorycausesnewfilesandsubdirectoriescreatedwithinittoinherititsgroup
ID,ratherthantheprimarygroupIDoftheuserwhocreatedthefile(theowner


Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 13 of 39

IDisneveraffected,onlythegroupID).Newlycreatedsubdirectoriesinheritthe
setgidbit.
Tofindsetgidfilesanddirectories:
# find / -perm -2000 -exec ls -alL {} \;


LinkControl
Topreventmalicioususersfromexploitingpotentialvulnerabilitiescausedby
unprotectedhardandsymboliclinks,RedHatEnterpriseLinux7includesa
featurethatonlyallowslinkstobecreatedorfollowedprovidedcertain
conditionsaremet.
hardlinks,oneofthefollowingneedstobetrue:
Theuserownsthefiletowhichtheylink.
Theuseralreadyhasreadandwriteaccesstothefiletowhichthey
link.
symboliclinks,processesareonlypermittedtofollowlinkswhenoutside
ofworldwriteabledirectorieswithstickybits,oroneofthefollowing
needstobetrue:
Theprocessfollowingthesymboliclinkistheownerofthe
symboliclink.
Theownerofthedirectoryisthesameastheownerofthe
symboliclink.
Thisprotectionisturnedonbydefault.Itiscontrolledbythefollowing
optionsinthe/usr/lib/sysctl.d/50-default.conffile
fs.protected_hardlinks = 1
fs.protected_symlinks = 1


Tooverridethedefaultsettingsanddisabletheprotection,createanew
configurationfilecalled,forexample,51noprotectlinks.confinthe
/etc/sysctl.d/directorywiththefollowingcontent:
fs.protected_hardlinks = 0
fs.protected_symlinks = 0

PublicDirectoriesshouldbeuserandgroupownershipbyroot,aprivileged
systemaccount,orapplicationaccount
Thesamecommandasabovesearchesforworldwriteabledirectoriesand
displaysthepermissions.Theownershipissomewhatsubjectivebasedonthe
system,dir,etc



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 14 of 39

Tofinddirectoriesthatareworldwriteablewithoutthestickybitset:
# find /root -type d -perm -002 ! -perm -1000 -exec ls -ld {} \;
drwxrwxrw- 2 root root 6 Feb 3 09:53 /root/sticky-dir


Checkanddocumentallworldwritablefiles
# find / -type f -perm 0777 -a -exec ls -ld {} \;

Allfilesanddirectoriesshouldhavevalidowners,groups
# find / -xdev \( -nouser -o -nogroup \) -ls
51812050 0 drwxr-xr-x 2 622 root 57 Feb 3 11:28 /root/bad-directory
51807907 4 -rw-r--r-- 1 622 root 3072 Feb 3 11:27 /root/bad-directory/bad_file_1
51193533 12 -rw-r--r-- 1 root 622 12288 Feb 3 11:28 /root/bad-directory/bad_file_2
51193534 8 -rw-r--r-- 1 622 622 5120 Feb 3 11:28 /root/bad-directory/bad_file_3

Usea
idetoprovidecryptographichashes

Userhomedirectoriesshouldhavemodes0750orlesspermissive

Userhomedirectoriesshouldbeownedbytheuser

EncryptedFileSystems
shreddingapartitionwillfillthepartitionwithrandomdatatoensureno
unencrypteddataexists
# shred -v --iterations=1 /dev/luks_vg/luks_lv
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...72MiB/2.0GiB 3%
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...138MiB/2.0GiB 6%
<..snip..>
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...1.9GiB/2.0GiB 95%
shred: /dev/luks_vg/luks_lv: pass 1/1 (random)...2.0GiB/2.0GiB 100%
#

Initializethepartition
# cryptsetup --verbose --verify-passphrase luksFormat /dev/luks_vg/luks_lv

WARNING!
========
This will overwrite data on /dev/luks_vg/luks_lv irrevocably.



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 15 of 39


Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Command successful.
#

Opentheencrypteddeviceandassignitsdevicename
# cryptsetup luksOpen /dev/luks_vg/luks_lv luks_home
Enter passphrase for /dev/luks_vg/luks_lv:

Checkthatitactuallyworked
# ls -al /dev/mapper/
lrwxrwxrwx. 1 root root 7 Feb 8 13:55 luks_home -> ../dm-8
lrwxrwxrwx. 1 root root 7 Feb 8 13:55 luks_vg-luks_lv -> ../dm-7

Normalcommandstoaddapartition:mkfs,mount,df,addto/etc/fstab
# mkfs.xfs /dev/mapper/luks_home
# mount /dev/mapper/luks_home /luks_home

Addthepartitionto/ etc/crypttab(thisiswhatcausesittoaskforthepassword)
<name> <volume> <options>
luks_home /dev/mapper/luks_vg/luks_vg none

Add/ChangePassphraseonExistingDevice
# cryptesetup luksAddKey /dev/luks_vg/luks_lv

RemoveaPassphrasefromanExistingDevice
#cryptsetup luksRemoveKey /dev/luks_vg/luks_lv

Verifyorcheckforencryptedpartitions:
# lsblk -l
sda1 8:1 0 250M 0 part /boot
luks_home 253:8 0 2G 0 crypt /luks_home
centos-home 253:7 0 1.5G 0 lvm /home


# blkid /dev/mapper/luks_home



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 16 of 39

/dev/mapper/luks_home: UUID="48de524a-ba17-40b1-ac14-8a9f34421a50" TYPE="xfs"



# blkid /dev/mapper/luks_vg-luks_lv
/dev/mapper/luks_vg-luks_lv: UUID="ce54eeab-ea52-4273-acef-26a400901a98"
TYPE="crypto_LUKS"
**NOTE**primarilyamanualprocess..

Checkpartitionstodetermineiftheyareencrypted
# more /etc/crypttab

Objective4
Configuredefaultpermissionsforusersandusespecialfile
permissions,attributes,andaccesscontrollists(ACLs)tocontrol
accesstofiles
FilesystemextendedAccessControlLists(ACL)
IfadefaultACLisassociatedwithadirectory,themodeparametertothe
functionscreatingfileobjectsandthedefaultACLofthedirectoryareusedto
determinetheACLofthenewobject:
1. ThenewobjectinheritsthedefaultACLofthecontaining
directoryasitsaccessACL.
2. TheaccessACLentriescorrespondingtothefilepermissionbits
aremodifiedsothattheycontainnopermissionsthatarenot
containedinthepermissionsspecifiedbythemodeparameter.
IfnodefaultACLisassociatedwithadirectory,themodeparametertothe
functionscreatingfileobjectsandthefilecreationmask(umask(2)areusedto
determinetheACLofthenewobject:
1. ThenewobjectisassignedanaccessACLcontainingentriesoftag
typesACL_USER_OBJ,ACL_GROUP_OBJ,andACL_OTHER.
Thepermissionsoftheseentriesaresettothepermissions
specifiedbythefilecreationmask.
2. TheaccessACLentriescorrespondingtothefilepermissionbits
aremodifiedsothattheycontainnopermissionsthatarenot
containedinthepermissionsspecifiedbythemodeparameter.

ACLTextForms



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 17 of 39

user
AuserACLentryspecifiestheaccessgrantedtoeitherthefile
owner(entrytagtypeACL_USER_OBJ)oraspecifieduser(entry
tagtypeACL_USER).
group
AgroupACLentryspecifiestheaccessgrantedtoeitherthefile
group(entrytagtypeACL_GROUP_OBJ)oraspecifiedgroup
(entrytagtypeACL_GROUP).
mask
AmaskACLentryspecifiesthemaximumaccesswhichcanbe
grantedbyanyACLentryexcepttheuserentryforthefileowner
andtheotherentry(entrytagtypeACL_MASK).
other
AnotherACLentryspecifiestheaccessgrantedtoanyprocess
thatdoesnotmatchanyuserorgroupACLentries(entrytagtype
ACL_OTHER).

toset:s etfacl
Granting an additional user read access
setfacl -m u:lisa:r file

Revoking write access from all groups and all named users (using the eective rights
mask)
setfacl -m m::rx file

Removing a named group entry from a file's ACL
setfacl -x g:sta file

Copying the ACL of one file to another
getfacl file1 | setfacl --set-file=- file2

Copying the access ACL into the Default ACL
getfacl --access dir | setfacl -d -M- dir
from the setfacl man page

toread:getfacl -aL
The output format of getfacl is as follows:
1: # file: somedir/
2: # owner: lisa
3: # group: sta
4: # flags: -s-

Official Red Hat documentation on RHEL 7 can be f ound at:


https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server


Hardening Notes (EX413)
page 18 of 39

5: user::rwx
6: user:joe:rwx #eective:r-x
7: group::rwx #eective:r-x
8: group:cool:r-x
9: mask::r-x
10: other::r-x
11: default:user::rwx
12: default:user:joe:rwx #eective:r-x
13: default:group::r-x
14: default:mask::r-x
15: default:other::---



Set/Verifydefaultpermissionsforallauthenticateduserssotheycanonlyread
andmodifytheirownfiles
# grep -i umask /etc/login.defs
UMASK 077

UMASKisusuallyinafewotherplaces,like/etc/csh.cshrc,/etc/bashrc
# find /etc/ -type f -exec grep -i umask {} \; -print

Andcheckusersowndotfiles
# find /home/ -type f -exec grep -i umask {} \; -print



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 19 of 39

Objective5
InstallanduseintrusiondetectioncapabilitiesinRedHatEnterprise
Linuxtomonitorcriticalsystemfiles
AdvancedIntrusionDetectionEnvironment(AIDE)
checktoseeifitsinstalled
# rpm -q aide
package aide is not installed
# yum install aide
Installing:
aide x86_64 0.15.1-9.el7 base 129 k

InitializeAIDE
# /usr/sbin/aide --init -B database_out=file:/var/lib/aide/aide.db.gz

CheckfileintegrityagainstAIDEdatabase
# /usr/sbin/aide --check

Puttingitinacronjobmightbesmart
0 5 * * * /usr/sbin/aide --check

Additionalfilestobecheckedcanbeaddedto/etc/aide.conf

TCPWrappers
checktoseeiftheyareinstalled
# rpm -q tcp_wrappers
tcp_wrappers-7.6-77.el7.x86_64

/etc/hosts.allowvariesbynetworkconfiguration,setup,purpose,etc
Thislimitsconnectionstosshdjusttomylocalsubnet
sshd: 192.168.56.0/255.255.255.0

Thisallowsconnectionstoanythingfrommylocalsubnet
all: 192.168.56.0/255.255.255.0



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 20 of 39

/etc/hosts.deny denyeverythingeverywherethatsnotexplicitlylistedinthe
allowfile
# cat /etc/hosts.deny
ALL:ALL



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 21 of 39

Objective6
Manageuseraccountsecurityanduserpasswordsecurity
Passwordqualityisdefinedin/ etc/security/pwquality.conf
Shadowpasswordsuiteconfigurationin/ etc/login.defs
**NOTE**MostofthishasbeenmovedtoPAM
shadowfilefields
loginname
encryptedpassword
dateoflastpwchange
minimumpasswdage
maxpasswdage
passwdwarningperiod
passwdinactivityperiod
expirationdate
reserved
tocheck/etc/shadowforpasswordminimumchangeperiod(4thfield)
# awk -F: $4 >= 1 {print $1} /etc/shadow
**NOTE**DoDSTIGsays1dayminimum
chageformodifyingaccountpasswordaging
chage --list <user>willcheckpassworddefinitions
/etc/default/useraddsetsdefaultsfornewaccountcreation
INACTIVEshouldbesettosomethingotherthan1(whichisnever)
updatinguserinactivity
auditusersforpasswordinactivity,passwords,etc
# cut -d: -f1 /etc/passwd | xargs -n1 passwd -S



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 22 of 39

Objective7
Managesystemloginsecurityusingpluggableauthenticationmodules
(PAM)
PAMCrashCourse
eachapplicationshouldhaveitsownPAMs tackfile
modulesarerunintheordertheyarelistedandisimportant
stackssyntaxis
context(or type) control-flag module module options

contexttypes
auth
determineswhotheuserisandifthatuserhasavalidaccount
(authentication)
account
determineiftheuserisallowedaccess(authorization)
session
setssessionup
password
anyrulesforchangingpasswordiftheapplicationisallowedto
controlflags
sufficient
ifasufficientmodulepasses,thatsenough.Noneoftheothermodulesin
thatcontextareprocessed.Failingitdoesnotfailthecontextthough.
required
allr equiredcontrolsinacontextmustpass.Theyarealltriedsoevenif
onefailstoobscuretheexactfailureforsecurityreasons.
**NOTE** None of the required modules will be processed in a context is a sufficient module passes
requisite
basicallythesameasr equiredexceptprocessingstopsassoonasafailure
happens(thinkofitasfastfailrequired)
optional
asuccessorfailurereallyhasnoeffect.Generallyonlyusedwithsession
contexts.
modulesarerunintheordertheyarelistedandisimportant
i.e.ifasufficientmodulespassesafterar equiredfailed,accesswillstillbe
denied.

Official Red Hat documentation on RHEL 7 can be f ound at:


https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server


Hardening Notes (EX413)
page 23 of 39

ifanapplicationcantfinditsstackfile,itfallsbackto/ etc/pam.d/other


Forcingstrongpasswords
setin/etc/pam.d/passwdfileviathep am_pwqualitymodule
/etc/security/pwquality.confsetscustomrules.
toenable,addto/ etc/pam.d/passwdfile
password required pam_pwquality.so retry=3

Rememberingpasswords,addrememberparameterin/ etc/pam.d/system-auth
password suicient pam_unix.so remember=5

AccountLocking
pam_faillockmodule
/var/run/faillockcontainslogsoffailuresperuser
toenable
addlines2and5to/ etc/pam.d/system-authand/ etc/pam.d/password-auth
1 auth required pam_env.so
2 auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
3 auth suicient pam_fprintd.so
4 auth suicient pam_unix.so nullok try_first_pass
5 auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
6 auth requisite pam_succeed_if.so uid >= 1000 quiet_success
7 auth required pam_deny.so
**NOTE** these will lock out a nonroot user after 3 tries f or 10 minutes
addbeforethefirstaccountentryonbothfiles
account required pam_faillock.so

**toincludetherootuser,adde ven_deny_rootoptiontoa uthentries


2 auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
even_deny_root
5 auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
even_deny_root

**toexcludeusersfromtherule
auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2:user3

checkingnumberoffailedloginattempts
# faillock



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 24 of 39

user1:
When Type Source
Valid
2013-03-05 11:44:14 TTY pts/0

resettingausersaccount
# faillock --user <username> --reset

Limitingroot(orotheruser)accesswithpam
**NOTE** ONLY WORKS ON PAM AWARE SERVICES ( Which most are now)
/lib/security/pam_listfile.soisthemodule
addthemoduleasarequireda uthtotheservicefilein/etc/pam.d
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/<bad users file> \
onerr=succeed

Limitingrootvia/ etc/securetty
removeallentriesexceptc onsole
enableloginmanagerstoread/etc/securetty addthefollowingline
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so

to /etc/pam.d/{gdm, gdm-autologin,
gdm-fingerprint,gdm-password,gdm-smartcard,kdm,kdm-np,xdm}

Limit/Disablerootfromssh
uncomment/addto/etc/ssh/sshd_config
PermitRootLogin no


KeepingCustomersettingswithAuthConfig
checktoseeiftheauthfilesarelinks(defaultsetup)
# ls -l /etc/pam.d/{password,system}-auth
lrwxrwxrwx. 1 root root 16 Feb 1 11:13 /etc/pam.d/password-auth -> password-auth-ac
lrwxrwxrwx. 1 root root 14 Feb 1 11:13 /etc/pam.d/system-auth -> system-auth-ac

iftheauthfilesarentlinksmovethem
# mv system-auth system-auth-ac
# mv password-auth password-auth-ac



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 25 of 39

createacustomlocalfile,/ etc/pam.d/system-auth-local whichcontains


auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth include system-auth-ac
auth [default=die] pam_faillock.so authfail silent audit deny=3 unlock_time=600
account required pam_faillock.so
account include system-auth-ac
password include system-auth-ac
session include system-auth-ac

createacustomlocalfile,/ etc/pam.d/password-auth-local whichcontains


auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth include password-auth-ac
auth [default=die] pam_faillock.so authfail silent audit deny=3 unlock_time=600
account required pam_faillock.so
account include password-auth-ac
password include password-auth-ac
session include password-auth-ac

createnewlinks
# ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth
# ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 26 of 39

Objective8
Configureconsolesecuritybydisablingfeaturesthatallowsystemstobe
rebootedorpoweredoffusingbootloaderpasswords
Bootloaderpasswords
Isitenabledalready?
BIOSmachines
# grep -i password /boot/grub2/grub.cfg

UEFImachines
# grep -i password /boot/efi/EFI/redhat/grub.cfg

Addingusers
Create/etc/grub.d/01_usersfileandaddthefollowing
cat <<EOF
set superuser="toor"
password toor insecurert
EOF
[to add more]
cat <<EOF
set superuser=toor
password toor insecuretr
password user1 insecure1
EOF
**NOTE** T his creates an UNENCRYPTED password and you should know better

Thebetterway,usingencryptedpasswords
# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is
grub.pbkdf2.sha512.10000.DCC9681CBF8FEDA5F4C9AA82BA09507CB6703A3773EC63805A25
D1C796C868B8D5ACD82843F7CB30059399633A2AB34070A231503B0180C9EF4D248FE12B5C
D6.3D1A8BB7B08E645458E8564B647353D32D2A8A7E05676F61C375F6F0727A1514B4A87A14
E94CCBD291DBFD48E301F73553168845AF9817D98AC9A455EC122F41

thenaddto/ etc/grub.d/01_users
cat <<EOF
set superusers="toor"
password_pbkdf2 toor
grub.pbkdf2.sha512.10000.DCC9681CBF8FEDA5F4C9AA82BA09507CB6703A3773EC63805A25



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 27 of 39

D1C796C868B8D5ACD82843F7CB30059399633A2AB34070A231503B0180C9EF4D248FE12B5C
D6.3D1A8BB7B08E645458E8564B647353D32D2A8A7E05676F61C375F6F0727A1514B4A87A14
E94CCBD291DBFD48E301F73553168845AF9817D98AC9A455EC122F41
EOF


ALTERNATIVELYyoucanjustaddthedatatotheENDofthe
/etc/grub.d/40_customfilewithoutanyofthecatstuff.
set superusers="toor"
password_pbkdf2 toor
grub.pbkdf2.sha512.10000.DCC9681CBF8FEDA5F4C9AA82BA09507CB6703A3773EC63805A25
D1C796C868B8D5ACD82843F7CB30059399633A2AB34070A231503B0180C9EF4D248FE12B5C
D6.3D1A8BB7B08E645458E8564B647353D32D2A8A7E05676F61C375F6F0727A1514B4A87A14
E94CCBD291DBFD48E301F73553168845AF9817D98AC9A455EC122F41


Rebuildgrub
OnBIOSsystems
# grub2-mkconfig -o /boot/grub2/grub.cfg

OnUEFIbasedsystems
# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Disablegrubinteractivemode
# grep -i prompt /etc/sysconfig/init
PROMPT=no

DisableenteringSingleUserModewithoutrootpassword
# echo SINGLE=/sbin/sulogin >> /etc/sysconfig/init

DisableCTRLALTDELcombinationontheconsoleforrebooting
# systemctl mask ctrl-alt-del.target
# systemctl daemon-reload

or
# ln -s /dev/null /etc/systemd/system/ctrl-alt-del.target

Thisworksifnooneisloggedin,however,iftheuserisloggedinitworks.Thepower
buttonwillobviouslystillwork

TodisablethepowerbuttonsontheGDMloginscreen:
editorcreate/etc/dconf/db/gdm.d/00-login-screenandadd



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 28 of 39

[org/gnome/login-screen]
disable-restart-buttons=true

thenrebuildthedconfdatabase
#dconfupdate
**NOTE**W hileyouarethere,mightaswelladddisable-user-list=true so the login wont list the
users

Official Red Hat documentation on RHEL 7 can be f ound at:


https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server


Hardening Notes (EX413)
page 29 of 39

Objective9
Configuresystemwideacceptableusenotifications
Textloginbanners
/etc/motd
theMessageOfTheDay.Thisisdisplayedafterasuccessfulloginbefore
theprompt

/etc/issue and/etc/issue.net
showntoconnectionsbeforetheloginprompt./ etc/issueisshownif
/etc/issue.netismissing.

Noneofthemshouldhavethisinformation,oranythingotherthananAcceptable
UseNotification.
\m machinearchitecture(u name -m)
\r operatingsystemrelease(u
name -r)
\s operatingsystemname
\v operatingsystemversion(uname -v)

All3shouldhavetheownedr oot:rootandmode0 644

Itsacceptabletolinkall3together.
# ls -la |grep issue.net
lrwxrwxrwx. 1 root root 9 Feb 5 11:03 issue -> issue.net
-rw-r--r--. 1 root root 67 Feb 5 11:02 issue.net
lrwxrwxrwx. 1 root root 9 Feb 5 11:03 motd -> issue.net

Configuresshdtodisplaytheacceptableusenotifications
addB anner/etc/issue.netto/ etc/ssh/sshd_configandrestartsshd
# grep ^Banner /etc/ssh/sshd_config
Banner /etc/issue.net
# systemctl restart sshd.service
**NOTE** the default sshd_config f ile has a commented out B anner entry



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 30 of 39

ConfigureabannerfortheGUIlogin
edit/create/etc/dconf/db/gdm.dandaddthefollowing
[org/gnome/login-screen]
banner-message-enable=true
banner-message-text=Authorized use only! All unauthorized users will be beaten

rebuildthedconfdbandrestartgdm
# dconf update
# systemctl restart sshd.service

IfforsomebizarrereasonyouarerunningVSFTP
Addftpd_banner=<something>to/ etc/vspd/vspd.conf
ORinsteadaddbanner_file=<file>to/ etc/vspd/vspd.conf



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 31 of 39

Objective10
Install,configure,andmanageidentitymanagementservicesand
configureidentitymanagementclients



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 32 of 39

Objective11
Configureremotesystemloggingservices,configuresystemlogging,and
managesystemlogfilesusingmechanismssuchaslogrotationand
compression
Syslogcrashcourse
syntax
FACILITY.PRIORITY

facilities
kern (0),user (1), mai l (2), daemon (3), auth (4), syslog (5), lpr (6), news (7),
uucp (8), cron (9), authpriv (10), p (11), and local0 through local7 (16 - 23)

Priorities
debug (7), info (6), notice (5), warning(4), err (3), crit (2), alert (1), and emerg (0)

SpecialcasesforbothFacilityandPriority
*isall
noneisnone
commaisusedtostack
SpecialcasesforPriority
whenaPriorityisselected,allmessagesofthatPriorityandgreaterare
logged
=beforePrioritymeanso nlythatpriorityislogged
!beforePrioritymeansthatpriorityisignored

Makesurer syslogisenabledandrunning
# systemctl is-enabled rsyslog
enabled
[if not]
# systemctl enable rsyslog

Logfilemustexistbeforer syslogcanwritetoit.

Logfilesshouldhavepermissionsof0600orlessandownedr oot:roottopreventnon
privilegedusersfrompossiblyseeingPIIorothersensitiveinformation.Check
/etc/rsyslog.confforconfiguredsystemlogfiles.



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 33 of 39

Tosendlogfilesoffsitetoaloghostaddtothe/etc/rsyslog.conf
*.* @@loghost.mysite.com
**NOTE** double @s denotes to use T CP and not UDP to send logs

TLSEncryptionforremotelogging,addto/ etc/rsyslog.conf
# certificate files - just CA for a client
$DefaultNetstreamDriverCAFile /path/to/contrib/gnutls/ca.pem

# set up the action
# use gtls netstream driver
$DefaultNetstreamDriver gtls

# require TLS for the connection
$ActionSendStreamDriverMode 1

# server is NOT authenticated
$ActionSendStreamDriverAuthMode anon

# send (all) messages
*.* @@(o)server.example.net:6514 # send (all) messages

Toreceiveremotesyslogmessages
$ModLoad imtcp.so
$InputTCPServerRun 6514

Toreceiveandsortincomingsyslogmessages
forUDP
# Define templates before the rules that use them
### Per-Host Templates for Remote Systems ###
$template TmplAuthpriv,
"/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
$template TmplMsg,
"/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"

forTCP
# Provides TCP syslog reception
$ModLoad imtcp

# Adding this ruleset to process remote messages



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 34 of 39

$RuleSet remote1
authpriv.* ?TmplAuthpriv
*.info;mail.none;authpriv.none;cron.none ?TmplMsg
$RuleSet RSYSLOG_DefaultRuleset

#End the rule set byswitching back to the default rule set
$InputTCPServerBindRuleset remote1

#Define a new input and bind it to the "remote1" rule set
$InputTCPServerRun 6514

SpecialNotes/Troubleshooting
ThedefaultprotocolandportforsyslogtrafficisUDPand514,aslistedinthe
/etc/servicesfile.However,rsyslogdefaultstousingTCPonport514.Inthe
configurationfile,/etc/rsyslog.conf,TCPisindicatedby@@.

SELinuxisonlyconfiguredtoallowsendingandreceivingonthefollowingports
bydefault
# semanage port -l | grep syslog
syslogd_port_t tcp 6514, 601
syslogd_port_t udp 514, 6514, 601

Checkthatr syslogisrunningandenabled.Restartafterallchanges
# systemctl start rsyslog
# systemctl enable rsyslog

Asalways,checkthefirewall

LogRotation
/etc/logrotate.confisglobalfile
/etc/logrotate.d/islogspecificrotationfiles(andoverrideglobal)
generalconfigurationoptions
timeframe:dailyweeklymonthlyyearly
compres/nocompress
compresscmd/uncompressmd
compressext
delaycompress
rotate<#>numberofrotationsbeforelogisdeletedormailed
mail<address>emailsrotatedlog


Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 35 of 39

journalisacomponentofsystemdforlogging
journalctlisusedforviewingthejournallog
journalonlylogsinmemoryorasmallringfilein/ run/log/journaltocreatepersistent
storagecreatethedirectory/ var/log/journal
configfileis/etc/systemd/journald.conf






Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 36 of 39

Objective12
Configuresystemauditingservicesandreviewauditreports
packageisaudit
configurationfile/etc/audit/auditd.conf
rulesfile/etc/audit/audit.rules
Auditsystemstatus
# auditctl -s
enabled 1
flag 1
pid 667
rate_limit 0
backlog_limit 320
lost 0
backlog 0
loginuid_immutable 0 unlocked

listcurrentlyloadedrules
# auditctl -l
LIST_RULES: exit,always watch=/etc/localtime perm=wa key=time-change
LIST_RULES: exit,always watch=/etc/group perm=wa key=identity
LIST_RULES: exit,always watch=/etc/passwd perm=wa key=identity
LIST_RULES: exit,always watch=/etc/gshadow perm=wa key=identity
...

deleteallrules
# auditctl -D
No rules



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 37 of 39

defineafilesystemrule
# auditctl -w path-to-file -p permissions -k key-name

permissions
rreadaccesstoafileordirectory
wwriteaccesstoafileordirectory
xexecuteaccesstoafileordirectory
achangeinafileordirectorysattribute
keyname
optionalforhelpingtoidentifywhichruleorrulesetsgeneratedthelog
defineasystemcall
# auditctl -a action,filter -S system_call -F field=value -k key_name

action,filteriswhentheeventislogged
action
alwaysornever
filter
task
exit
user
exclude
systemcallisthesystemcallthattriggers,canbemultipleS
/usr/include/asm/unistd_64.hliststhecalls
field=value
optionalruletofilterbasedonarchitecture,gID,pID,etc
key_name
optionalforhelpingitidentifywhatruleorrulesetsgeneratedthelog

predefinedrulesetsarein/ usr/share/doc/audit-version/
tosearchauditlogs
# ausearch --start yesterday --end now -m SYSCALL -sv no -i
this r ule searches f or all f ailed system calls f rom yesterday to present
tocreateanauditreport
# aureport --login --summary -i
this generates a summary r eport of all f ailed login attempts per each system user

Official Red Hat documentation on RHEL 7 can be f ound at:


https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server


Hardening Notes (EX413)
page 38 of 39

Objective13
Usenetworkscanningtoolstoidentifyopennetworkserviceportsand
configureandtroubleshootsystemfirewalling
listprocesseswithopenports:netstatnatp
scanTCPportsonahostnmapsT0<ipaddress>
firewalld
/etc/fiewalld
/usr/lib/firewalld/
firewallconfig(gui)
firewallcmd
permanent:doesnotimplementuntilreload,butispersistent
direct:immediateimplementation,butnotpersistent
addinterface:onlyforinterfacesnotmanagedbyNetworkManager
reload:nondisruptivereload
completereload:dropsallconnectionsandreloads

/etc/firewalld/firewalld.conf
setdefaultzones
Lockdown=yestopreventservices,ornonwhitelistservicesfrom
adding/removingrules

NetworkZones
drop
block
public
external
dmz
work
home
internal
trusted



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/

Red Hat Certificate of Expertise in Server
Hardening Notes (EX413)
page 39 of 39

References
RedHatSecurityGuideRHEL6
RedHatIdentityManagementGuideRHEL6
RedHatDeploymentGuideRHEL6
RedHatVirtualizationGettingStartedGuideRHEL6
DISARHEL6STIGVer1Rel10

DISARHEL7STIGDRAFT



Official Red Hat documentation on RHEL 7 can be f ound at:
https://access.redhat.com/documentation/en/redhatenterpriselinux/