I’d love to see a configuration management capability and at least reporting using Linux’s Lynis reporting tool for hardening. See Lynis - Security auditing tool for Linux, macOS, and Unix-based systems - CISOfy which output could be created and written to a report link that’s included in the links in Nethserver and updated on a daily basis.
2 Likes
Unfortunately I am a new user on the forum and it won’t let me post the script findings for Nethserver, but there are some security improvements that can be made to it. I will post once the forum allows me to post as a normal user.
It’s a nice tool - maybe too strict for Nethserver. Thanks for sharing.
Were you able to create an HTML/PDF report?
To install for testing:
echo "[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
priority=2" > /etc/yum.repos.d/lynis.repo
yum -y install lynis
lynis audit system
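Since the thread asks whether the results can end up as an HTML report linked from the server, here is an added example (not from this thread or from CISOfy) that turns a Lynis report file into a small HTML page. It assumes the `key[]=id|text|details|-|` line format Lynis writes to /var/log/lynis-report.dat, and a cron job running `lynis audit system --cronjob` before it; the sample report at the end is constructed, not real scan output.

```shell
# Added example, not code from the thread: render a Lynis report file as HTML
# so it can be published as a daily link. Assumes the line format Lynis writes
# to /var/log/lynis-report.dat, e.g. "suggestion[]=TEST-ID|text|details|-|".
# Assumed daily use: lynis audit system --cronjob &&
#   lynis_report_html /var/log/lynis-report.dat > /var/www/html/lynis.html
# Escape the characters that would otherwise be interpreted as HTML.
html_escape() { sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'; }
# Count entries of one kind ("warning" or "suggestion") in the report file.
lynis_count() {  # $1 = kind, $2 = report file
    grep -c "^$1\[\]=" "$2" || true
}
# Print the hardening index (0-100) from the report, or "n/a" if absent.
lynis_index() {  # $1 = report file
    idx=$(sed -n 's/^hardening_index=//p' "$1")
    printf '%s\n' "${idx:-n/a}"
}
# Print one <li> per entry of the given kind: test id, text and, when the
# third field is not the "-" placeholder, the details Lynis attached.
lynis_items() {  # $1 = kind, $2 = report file
    sed -n "s/^$1\[\]=//p" "$2" | html_escape | while IFS='|' read -r id text detail rest; do
        if [ -n "$detail" ] && [ "$detail" != "-" ]; then
            printf '<li><b>%s</b> %s (%s)</li>\n' "$id" "$text" "$detail"
        else
            printf '<li><b>%s</b> %s</li>\n' "$id" "$text"
        fi
    done
}
# Assemble the page: a summary line, then a warnings list and a suggestions list.
lynis_report_html() {  # $1 = report file
    printf '<html><body><h1>Lynis report</h1>\n'
    printf '<p>Hardening index: %s. Warnings: %s. Suggestions: %s.</p>\n' \
        "$(lynis_index "$1")" "$(lynis_count warning "$1")" "$(lynis_count suggestion "$1")"
    for kind in warning suggestion; do
        printf '<h2>%ss</h2>\n<ul>\n' "$kind"
        lynis_items "$kind" "$1"
        printf '</ul>\n'
    done
    printf '</body></html>\n'
}
# Constructed sample in the shape of lynis-report.dat (not real scan output).
LYNIS_SAMPLE=$(mktemp)
cat > "$LYNIS_SAMPLE" <<'EOF'
hardening_index=65
warning[]=MAIL-8880|Postfix banner leaks host & version|-|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
EOF
```

Running `lynis_report_html "$LYNIS_SAMPLE"` prints the page; the text is HTML-escaped because suggestion details can contain `<`, `>` and `&`.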
I got the following suggestions running lynis on a NethServer VM; I didn't see any really bad security issues.
- If not required, consider explicit disabling of core dump in /etc/security/limits.conf file
- Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values
- Configure password hashing rounds in /etc/login.defs
- When possible set expire dates for all password protected accounts
- Configure minimum password age in /etc/login.defs
- Configure maximum password age in /etc/login.defs
- Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027)
- To decrease the impact of a full /home file system, place /home on a separate partition
- To decrease the impact of a full /tmp file system, place /tmp on a separate partition
- To decrease the impact of a full /var file system, place /var on a separate partition
- Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft
- Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft
- Install package ‘yum-utils’ for better consistency checking of the package database
- Determine if protocol ‘dccp’ is really needed on this system
- Determine if protocol ‘sctp’ is really needed on this system
- Determine if protocol ‘rds’ is really needed on this system
- Determine if protocol ‘tipc’ is really needed on this system
- You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (/etc/postfix/main.cf)
- Disable the ‘VRFY’ command
- Check iptables rules to see which rules are currently not used
- Install Apache mod_evasive to guard webserver against DoS/brute force attempts
- Install Apache modsecurity to guard webserver against web application attacks
- Consider hardening SSH configuration
- Configure the ‘requirepass’ setting for Redis
- Use the ‘rename-command CONFIG’ setting for Redis
- Turn off PHP information exposure
- Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP
- Enable logging to an external logging host for archiving purposes and additional protection
- Check what deleted files are still in use and why.
- Add a legal banner to /etc/issue, to warn unauthorized users
- Add legal banner to /etc/issue.net, to warn unauthorized users
- Enable process accounting
- Enable sysstat to collect accounting (no results)
- Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules
- Install a file integrity tool to monitor changes to critical and sensitive files
- Consider restricting file permissions
- One or more sysctl values differ from the scan profile and could be tweaked
- Harden compilers like restricting access to root user only
- Harden the system by installing at least one malware scanner, to perform periodic file system scans
2 Likes