Red Hat 8, CentOS 8, Oracle 8 Hardening Phase 1 Operation

SecHard

Ensure mounting of cramfs filesystems is disabled (Automated)

This item means that mounting of cramfs file systems should be prevented.

Cramfs is a file system commonly used in embedded systems and memory constrained devices.

It may also be necessary to disable cramfs file system support to prevent exploitation of vulnerabilities in certain file system drivers and to reduce the system's attack surface.


Ensure mounting of squashfs filesystems is disabled (Automated)

This item means that mounting of squashfs file systems should be prevented.

Squashfs is a file system for compressed read-only file systems.

In Linux and all other Unix-like systems, it is often used in embedded systems, live CD/DVD media, and compressed root filesystems.

Since Squashfs file systems are usually read-only, the data in them cannot be written to, so changes cannot be made to the file system in real time. As a result, mounting of these file systems is blocked to ensure that the data in them is not changed or corrupted.


Ensure mounting of udf filesystems is disabled (Automated)

This item means that mounting of UDF file systems should be prevented.

Udf is a file system standard for optical media (CD, DVD, Blu-ray) and other portable data storage devices.

Disabling UDF file systems means that mounting of UDF file systems should be disabled for security reasons or to prevent compatibility issues.


Ensure /tmp is a separate partition (Automated)

This refers to configuring the /tmp directory as a separate partition.

/tmp is a directory where temporary files are stored in Linux and other Unix-like operating systems.


Ensure nodev option set on /tmp partition (Automated)

This refers to setting and enabling the "nodev" option on the /tmp partition.

Enabling the "nodev" option on the /tmp partition prevents device files located under the /tmp directory from being used as devices. This configuration reduces security vulnerabilities and prevents the malicious use of device files in the /tmp directory.


Ensure noexec option set on /tmp partition (Automated)

This refers to setting and enabling the "noexec" option in /tmp.

This prevents files in this directory from being run as executables. This precaution is important from a security point of view because the /tmp directory is used by users to create and use temporary files.

If files in the /tmp directory can be run as executables, malicious users can use such files to damage the system or perform unauthorised operations.


Ensure nosuid option set on /tmp partition (Automated)

This refers to setting and enabling the "nosuid" option on the /tmp partition.

The "nosuid" option disables the SUID (Set User ID) and SGID (Set Group ID) permission bits of executable files in this directory.

SUID and SGID are special permissions that allow whoever runs an executable file to temporarily take on the identity of the file's owner or group.

If the "/tmp" directory allows executable files with SUID and SGID permissions to be executed, this can pose a potential security risk. Malicious users can use such files to access privileges they do not normally have and perform unwanted behaviour on the system.


Ensure separate partition exists for /var (Automated)

This refers to configuring the /var directory as a separate partition.

The "/var" directory is a directory in Linux and other Unix-like operating systems where data generated by system and user applications is stored. This directory is used for log files, e-mail boxes, database files, web server data and other variable data storage areas.


Ensure nodev option set on /var partition (Automated)

This refers to setting and enabling the "nodev" option on the /var partition.

Enabling the "nodev" option on the /var partition prevents device files located under the /var directory from being used as devices. This configuration reduces security vulnerabilities and prevents the malicious use of device files in the /var directory.


Ensure noexec option set on /var partition (Automated)

This refers to setting and enabling the "noexec" option in /var.

This prevents files in this directory from being run as executables. This precaution is important from a security point of view because the /var directory is used by users to create and use temporary files.

If files in the /var directory can be run as executables, malicious users can use such files to damage the system or perform unauthorised operations.


Ensure nosuid option set on /var partition (Automated)

This refers to setting and enabling the "nosuid" option on the /var partition.

The "nosuid" option disables the SUID (Set User ID) and SGID (Set Group ID) permission bits of executable files in this directory.

SUID and SGID are special permissions that allow whoever runs an executable file to temporarily take on the identity of the file's owner or group.

If the "/var" directory allows executable files with SUID and SGID authorisations to be executed, this can be a potential security risk. By using such files, malicious users can access privileges they do not normally have and perform undesirable behaviour on the system.


Ensure separate partition exists for /var/tmp (Automated)

This refers to configuring the /var/tmp directory as a separate partition.

The /var/tmp directory is a directory where temporary files are stored in Linux and other Unix-like operating systems. Unlike the /tmp directory, this directory is an area where data is preserved even when the system is restarted.


Ensure noexec option set on /var/tmp partition (Automated)

This refers to setting and enabling the "noexec" option in /var/tmp.

This prevents files in this directory from being run as executables. This precaution is important from a security point of view because the /var/tmp directory is used by users to create and use temporary files.

If files in the /var/tmp directory can be run as executables, malicious users can use such files to damage the system or perform unauthorised operations.


Ensure nosuid option set on /var/tmp partition (Automated)

This refers to setting and enabling the "nosuid" option on the /var/tmp partition.

The "nosuid" option disables the SUID (Set User ID) and SGID (Set Group ID) permission bits of executable files in this directory.

SUID and SGID are special permissions that allow whoever runs an executable file to temporarily take on the identity of the file's owner or group.

If the "/var/tmp" directory allows executable files with SUID and SGID permissions to be executed, this can be a potential security risk. By using such files, malicious users can gain access to privileges they do not normally have and perform undesirable behaviour on the system.


Ensure nodev option set on /var/tmp partition (Automated)

This refers to setting and enabling the "nodev" option on the /var/tmp partition.

Enabling the "nodev" option on the /var/tmp partition prevents device files located under the /var/tmp directory from being used as devices. This configuration reduces security vulnerabilities and prevents the malicious use of device files in the /var/tmp directory.


Ensure separate partition exists for /var/log (Automated)

This refers to configuring the /var/log directory as a separate partition.

The /var/log directory is a directory where system and application logs are stored in Linux and other Unix operating systems.


Ensure nodev option set on /var/log partition (Automated)

This refers to setting and enabling the "nodev" option on the /var/log partition.

Enabling the "nodev" option on the /var/log partition prevents device files located under the /var/log directory from being used as devices. This configuration reduces security vulnerabilities and prevents the malicious use of device files in the /var/log directory.


Ensure noexec option set on /var/log partition (Automated)

This refers to setting and enabling the "noexec" option in /var/log.

This prevents files in this directory from being run as executables. This precaution is important from a security point of view because the /var/log directory is used by users to create and use temporary files.

If files in the /var/log directory can be run as executables, malicious users can use such files to damage the system or perform unauthorised operations.


Ensure nosuid option set on /var/log partition (Automated)

This refers to setting and enabling the "nosuid" option on the /var/log partition.

The "nosuid" option disables the SUID (Set User ID) and SGID (Set Group ID) permission bits of executable files in this directory.

SUID and SGID are special permissions that allow whoever runs an executable file to temporarily take on the identity of the file's owner or group.

If the "/var/log" directory allows executable files with SUID and SGID permissions to be run, this can be a potential security risk. By using such files, malicious users can access privileges they do not normally have and perform undesirable behaviour on the system.


Ensure separate partition exists for /var/log/audit (Automated)

This refers to configuring the /var/log/audit directory as a separate partition.

The /var/log/audit directory is a directory where the audit logs generated by the Linux audit mechanism (auditd) are stored.


Ensure noexec option set on /var/log/audit partition (Automated)

This refers to setting and enabling the "noexec" option in /var/log/audit.

This prevents files in this directory from being run as executables. This precaution is important from a security point of view because the /var/log/audit directory is an area that users use to create and use temporary files.

If files in the /var/log/audit directory can be run as executables, malicious users can use such files to damage the system or perform unauthorised operations.


Ensure nodev option set on /var/log/audit partition (Automated)

This refers to setting and enabling the "nodev" option on the /var/log/audit partition.

Enabling the "nodev" option on the /var/log/audit partition prevents device files located under the /var/log/audit directory from being used as devices. This configuration reduces security vulnerabilities and prevents the malicious use of device files in the /var/log/audit directory.


Ensure nosuid option set on /var/log/audit partition (Automated)

This refers to setting and enabling the "nosuid" option on the /var/log/audit partition.

The "nosuid" option disables the SUID (Set User ID) and SGID (Set Group ID) permission bits of executable files in this directory.

SUID and SGID are special permissions that allow whoever runs an executable file to temporarily take on the identity of the file's owner or group.

If the directory "/var/log/audit" allows executable files with SUID and SGID authorisations to be run, this can be a potential security risk. By using such files, malicious users can access privileges they do not normally have and perform unwanted behaviour on the system.


Ensure separate partition exists for /home (Automated)

This refers to configuring the /home directory as a separate partition.

The /home directory is a directory where users' personal user directories are located. Each user stores their own files, documents and configurations under their home directory.


Ensure nodev option set on /home partition (Automated)

This refers to setting and enabling the "nodev" option on the /home partition.

Enabling the "nodev" option on the /home partition prevents device files located under the /home directory from being used as devices. This configuration reduces security vulnerabilities and prevents the malicious use of device files in the /home directory.


Ensure nosuid option set on /home partition (Automated)

This refers to setting and enabling the "nosuid" option on the /home partition.

The "nosuid" option disables the SUID (Set User ID) and SGID (Set Group ID) permission bits of executables in this directory.

SUID and SGID are special permissions that allow whoever runs an executable file to temporarily take on the identity of the file's owner or group.

If the "/home" directory allows executable files with SUID and SGID authorisations to be run, this can be a potential security risk. By using such files, malicious users can access privileges they do not normally have and perform undesirable behaviour on the system.


Ensure separate partition exists for /dev/shm (Automated)

This refers to configuring the /dev/shm directory as a separate partition.

The /dev/shm directory is used as a shared memory area in Linux and other Unix operating systems. Shared memory is a mechanism that allows data to be exchanged between different processes and allows faster processing.


Ensure nodev option set on /dev/shm partition (Automated)

This refers to setting and enabling the "nodev" option on the /dev/shm partition.

Enabling the "nodev" option on the /dev/shm partition prevents device files located under the /dev/shm directory from being used as devices. This configuration reduces security vulnerabilities and prevents the malicious use of device files in the /dev/shm directory.


Ensure noexec option set on /dev/shm partition (Automated)

This refers to setting and enabling the "noexec" option in /dev/shm.

This prevents files in this directory from being run as executables. This precaution is important from a security point of view because the /dev/shm directory is used by users to create and use temporary files.

If files in the /dev/shm directory can be run as executables, malicious users can use such files to damage the system or perform unauthorised operations.


Ensure nosuid option set on /dev/shm partition (Automated)

This refers to setting and enabling the "nosuid" option on the /dev/shm partition.

The "nosuid" option disables the SUID (Set User ID) and SGID (Set Group ID) permission bits of executable files in this directory.

SUID and SGID are special permissions that allow whoever runs an executable file to temporarily take on the identity of the file's owner or group.

If the directory "/dev/shm" allows executable files with SUID and SGID authorisations to be executed, this can be a potential security risk. By using such files, malicious users can access privileges they do not normally have and perform undesirable behaviour on the system.
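As an added example (not code from the SecHard page), a POSIX shell check that audits the partition and mount-option items above against text in /proc/mounts format. The sample input is constructed, and the per-mount-point expectations are taken from the items on this page (/home has nodev and nosuid items only).

```shell
#!/bin/sh
# Added example (not SecHard's own code): verify the partition and mount-option
# items listed above. Input is text in /proc/mounts format (device, mount point,
# type, options), so the check runs offline against a captured copy; on a live
# host pass "$(cat /proc/mounts)".

# Required options per mount point, taken from the items on this page.
EXPECTED='/tmp nodev,noexec,nosuid
/var nodev,noexec,nosuid
/var/tmp nodev,noexec,nosuid
/var/log nodev,noexec,nosuid
/var/log/audit nodev,noexec,nosuid
/home nodev,nosuid
/dev/shm nodev,noexec,nosuid'

# has_opt OPTS OPT: succeed when OPT is present as a whole word in the
# comma-separated list OPTS ("nodev" must not match "nodevfoo").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# mount_opts MOUNTS_TEXT MOUNTPOINT: print the option field of MOUNTPOINT, or
# nothing when it is not a separate mount. If the path is mounted more than
# once, the last (topmost) mount is the effective one, so that line wins.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { o = $4 } END { if (o != "") print o }'
}

# check_mounts MOUNTS_TEXT: print one result line per expected mount point
# ("<mp> OK", "<mp> MISSING:<opts>" or "<mp> NOT_SEPARATE_PARTITION") and
# return 0 only when every partition exists with every required option.
check_mounts() {
    mounts=$1
    rc=0
    # A here-document keeps the loop in the current shell, so rc survives.
    while read -r mp wanted; do
        opts=$(mount_opts "$mounts" "$mp")
        if [ -z "$opts" ]; then
            printf '%s NOT_SEPARATE_PARTITION\n' "$mp"
            rc=1
            continue
        fi
        missing=""
        for opt in $(printf '%s' "$wanted" | tr ',' ' '); do
            has_opt "$opts" "$opt" || missing="$missing${missing:+,}$opt"
        done
        if [ -n "$missing" ]; then
            printf '%s MISSING:%s\n' "$mp" "$missing"
            rc=1
        else
            printf '%s OK\n' "$mp"
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed sample (not from a real host): /var is mounted without any of the
# three options, /home lacks nosuid and /var/log/audit is not its own partition.
SAMPLE_MOUNTS='/dev/mapper/rhel-root / xfs rw,relatime,seclabel 0 0
/dev/mapper/rhel-tmp /tmp xfs rw,nosuid,nodev,noexec,relatime,seclabel 0 0
/dev/mapper/rhel-var /var xfs rw,relatime,seclabel 0 0
/dev/mapper/rhel-var_tmp /var/tmp xfs rw,nosuid,nodev,noexec,relatime,seclabel 0 0
/dev/mapper/rhel-var_log /var/log xfs rw,nosuid,nodev,noexec,relatime,seclabel 0 0
/dev/mapper/rhel-home /home xfs rw,nodev,relatime,seclabel 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,seclabel 0 0'

check_mounts "$SAMPLE_MOUNTS" || echo "result: one or more items are non-compliant"
```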


Disable Automounting (Automated)

This disables the automatic mounting feature entirely.


Disable USB Storage (Automated)

This item prevents the use of external USB storage devices connected via the USB ports.


Ensure permissions on bootloader config are configured (Automated)

This statement means that the permissions of the bootloader configuration file are set to a certain security level and that this setting is automatically provided. This is important for security and system integrity, because a bootloader file with incorrect permissions can compromise system security.


Ensure authentication is required when booting into rescue mode (Automated)

This statement emphasises the need for authentication when going into recovery mode (for example, on a Linux system). That is, to gain access to the system in this mode, the user must authenticate with a username and password. This is a security measure to limit unauthorised access and increase system security.


Ensure core dump storage is disabled (Automated)

A core dump is an error report produced when a program unexpectedly crashes or misbehaves. These dumps may contain sensitive data and may pose a risk of information leakage to attackers.

The working logic of this item implies that core dumps should only be accessible to security experts and authorised users, and that general users should be restricted.


Ensure core dump backtraces are disabled (Automated)

This statement refers to an instruction not to record or report details of such crashes on a user-owned system, mostly for security or performance reasons. So, "Ensure core dump backtraces are disabled" means to ensure that core dumps and backtraces are disabled. This can be done to prevent the exposure of sensitive information or security issues in the event of a programme crash.


Ensure address space layout randomization (ASLR) is enabled (Automated)

ASLR is a computer security technique and an important security measure. It aims to make it difficult for malicious attackers to discover vulnerabilities or launch attacks by randomising the way programs and libraries are placed in computer memory (RAM).

The aim here is to make the placement of programs in memory unpredictable, making it difficult for attackers to target.


Ensure message of the day is configured properly (Automated)

Message of the day is a feature used in Linux and other Unix-like operating systems.

System users see a message, called the MOTD, each time they log in to the system or start a terminal session. This message may contain special information, warnings, announcements or other textual content from the system administrators.


Ensure local login warning banner is configured properly (Automated)

This is the item where we write the banner content that will appear on the terminal when the devices are accessed via the console.


Ensure remote login warning banner is configured properly (Automated)

This is the item where we write the banner content that will appear in the terminal when the devices are accessed via SSH.


Ensure permissions on /etc/motd are configured (Automated)

This is the item where the permissions and ownership of the /etc/motd file are set.


Ensure permissions on /etc/issue are configured (Automated)

This is the item where the permissions and ownership of the /etc/issue file are set.


Ensure permissions on /etc/issue.net are configured (Automated)

This is the item where the permissions and ownership of the /etc/issue.net file are set.


Ensure auditd is installed (Automated)

This is the item where the audit tool package (auditd) is installed on or removed from the system.


Ensure auditd service is enabled (Automated)

This is the item where the auditd service is enabled or disabled.


Ensure auditing for processes that start prior to auditd is enabled (Automated)

This item ensures that auditing is active from system start, so that processes started before the auditd service is running are also audited.

This is used to monitor potential security threats and improve system security.


Ensure audit_backlog_limit is sufficient (Automated)

This item controls the number of audit events that can wait to be processed while auditd is unable to process them for a certain period of time.

It sets a limit that allows pending events to accumulate temporarily and is large enough for them to be processed during this time.

If the "audit_backlog_limit" value is insufficient, pending events may be lost if too many audit events occur simultaneously or if auditd is not capable of processing them.


Ensure audit log storage size is configured (Automated)

The max_log_file parameter has a default value of 8. This is the item where we determine the size of the audit log files to be kept.


Ensure audit logs are not automatically deleted (Automated)

The purpose of this item is to set the "keep_logs" value so that, when a log file reaches the size we have specified, a new log file is opened and the full previous files are preserved rather than deleted.


Ensure system is disabled when audit logs are full (Automated)

This setting consists of parameters found in the auditd configuration file that are used to control the disc space usage of auditd.

We send three different settings for this item. These are:

space_left_action = email → This setting determines the action to be taken when the disc space drops to a certain level. When set to "email", it specifies that an email notification should be sent.

action_mail_acct = root → This setting specifies the account to send an email notification to. When set to "root", this alert email will be sent to the system administrator's "root" account.

admin_space_left_action → This setting is used to specify the action to be taken when disc space limits are reached or exceeded.
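As an added example (not code from the SecHard page), a POSIX shell check of the auditd.conf settings described in the audit-log items above, run against a constructed stock configuration that fails them and the corrected one. The required value for admin_space_left_action is an assumption, since the page names none.

```shell
#!/bin/sh
# Added example (not SecHard's own code): check the auditd.conf parameters that
# the audit-log items above describe. The configuration is passed as text so the
# check runs offline against a copy; on a live host pass
# "$(cat /etc/audit/auditd.conf)". The page names no value for
# admin_space_left_action, so the value required here is an assumption taken
# from a variable (site policy decides it).
ADMIN_ACTION_REQUIRED=${ADMIN_ACTION_REQUIRED:-halt}

# conf_value CONF_TEXT KEY: print the value assigned to KEY in auditd.conf-style
# text ("key = value", '#' comments). If KEY is assigned more than once, the
# last assignment is reported; nothing is printed when KEY is absent.
conf_value() {
    printf '%s\n' "$1" | awk -v key="$2" -F'=' '
        /^[[:space:]]*#/ || !/=/ { next }
        {
            k = $1; v = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }'
}

# expect CONF_TEXT KEY WANTED: print "KEY OK", "KEY MISSING" or "KEY BAD:<value>"
# and return 0 only on OK. The stock file uses upper-case keywords while the
# items above use lower-case, so the comparison is case-insensitive.
expect() {
    got=$(conf_value "$1" "$2")
    if [ -z "$got" ]; then
        printf '%s MISSING\n' "$2"
        return 1
    fi
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$3" ]; then
        printf '%s BAD:%s\n' "$2" "$got"
        return 1
    fi
    printf '%s OK\n' "$2"
}

# check_auditd_conf CONF_TEXT: evaluate the settings from the items above and
# return 0 only when all of them pass. max_log_file has no single required
# value on this page, so it is only reported for comparison with site policy.
check_auditd_conf() {
    rc=0
    expect "$1" max_log_file_action keep_logs || rc=1   # logs are never deleted
    expect "$1" space_left_action email || rc=1
    expect "$1" action_mail_acct root || rc=1
    expect "$1" admin_space_left_action "$ADMIN_ACTION_REQUIRED" || rc=1
    printf 'max_log_file = %s (default 8)\n' "$(conf_value "$1" max_log_file)"
    return $rc
}

# Constructed samples (not from a real host). The first keeps stock values that
# fail the items above; the second is the corrected configuration.
WEAK_CONF='# auditd.conf excerpt
log_file = /var/log/audit/audit.log
max_log_file = 8
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left_action = SUSPEND'

HARDENED_CONF='# auditd.conf excerpt
log_file = /var/log/audit/audit.log
max_log_file = 8
max_log_file_action = keep_logs
space_left = 75
space_left_action = email
action_mail_acct = root
admin_space_left_action = halt'

echo "--- weak configuration"
check_auditd_conf "$WEAK_CONF" || echo "result: non-compliant"
echo "--- hardened configuration"
check_auditd_conf "$HARDENED_CONF" && echo "result: compliant"
```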


Ensure changes to system administration scope (sudoers) is collected (Automated)

It aims to ensure that changes within the scope of system administration (e.g. sudoers file) are recorded on a computer system.

This type of policy is implemented to monitor the modification of system administration privileges, to assess the security status and to detect unauthorised modification attempts.


Ensure actions as another user are always logged (Automated)

It is intended to ensure that if a user does something on the system under another user ID (for example, with the sudo or su commands), these actions are automatically recorded in the log file (log). This is used for security and monitoring purposes, so that system administrators can track and monitor the actions performed.


Ensure events that modify the sudo log file are collected (Automated)

Sudo is a tool that allows a user to perform certain operations, usually with superuser (root) privileges. This statement aims to monitor and record any event that modifies the sudo log file.


Ensure events that modify date and time information are collected (Automated)

Refers to a security policy that aims to ensure that events that change the date and time information on a computer system are recorded.


Ensure events that modify the system's network environment are collected (Automated)

Refers to a security policy that aims to ensure that events that change the network environment of a computer system are recorded.


Ensure unsuccessful file access attempts are collected (Automated)

It aims to ensure that failed unauthorised file access attempts are recorded on a computer system.


Ensure events that modify user/group information are collected (Automated)

Refers to a security policy that aims to ensure that events that change user and group information on a computer system are recorded.


Ensure discretionary access control permission modification events are collected (Automated)

Such policies are implemented to monitor users changing access permissions to files and resources, to assess the security situation and to identify potential threats.


Ensure successful file system mounts are collected (Automated)

It aims to ensure that successful file system mount operations are recorded on a computer system.

Such a policy is implemented to monitor the mounting of file systems to assess the security status and detect unauthorised file system mount attempts.


Ensure session initiation information is collected (Automated)

It aims to ensure that session startup information is recorded on a computer system.


Ensure login and logout events are collected (Automated)

It is intended to record the user's login and log out actions in a computer system.


Ensure file deletion events by users are collected (Automated)

It aims to ensure that file deletion events performed by users on a computer system are recorded.

Such policies are implemented to monitor file deletions, assess security status, and detect unintentional or unauthorised file deletion attempts.


Ensure events that modify the system's Mandatory Access Controls are collected (Automated)

Refers to a security policy intended to ensure that events that change Mandatory Access Controls (MACs) on a computer system are recorded.

Mandatory Access Controls are a security mechanism that usually determines access levels to files, resources and other system components on the system.

These controls are used in systems such as SELinux, for example.


Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated)

It records successful and unsuccessful attempts to use the 'chcon' command. That is, it automatically records when and how the "chcon" command is used and whether these operations succeed or fail.


Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated)

It records successful and unsuccessful attempts to use the 'setfacl' command. That is, it automatically records when and how the "setfacl" command is used and whether these operations succeed or fail.


Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated)

It records successful and unsuccessful attempts to use the 'chacl' command. That is, it automatically records when and how the "chacl" command is used and whether these operations succeed or fail.


Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated)

It records successful and unsuccessful attempts to use the 'usermod' command. That is, it automatically records when and how the "usermod" command is used and whether these operations succeed or fail.


Ensure kernel module loading unloading and modification is collected (Automated)

It is intended to monitor and record kernel module loading, unloading and modification operations on a computer system.


Ensure the audit configuration is immutable (Automated)

It aims to ensure that the audit configuration in a computer system is immutable. It aims to prevent modification by unauthorised users and malicious software.

This policy is implemented to prevent unauthorised changes to the audit configuration and to ensure the integrity of audit logs.


Ensure rsyslog is installed (Automated)

This is the item where the rsyslog application is installed on or removed from the system.


Ensure rsyslog service is enabled (Automated)

This is the item where the rsyslog service is enabled or disabled.


Ensure journald is configured to send logs to rsyslog (Manual)

Ensures that system logs are collected by journald and routed to rsyslog.


Ensure rsyslog default file permissions are configured (Automated)

This is the item that indicates that the default file permissions of rsyslog are configured on this system and that this operation should be performed automatically.


Ensure rsyslog is configured to send logs to a remote log host (Manual)

This system requires manual configuration for rsyslog to send logs to a remote log server.


Ensure rsyslog is not configured to receive logs from a remote client (Automated)

This statement refers to making sure that rsyslog is not configured to receive logs from a remote client. That is, rsyslog should not be configured to receive logs from another system.


Ensure systemd-journal-remote is configured (Manual)

This statement indicates that systemd-journal-remote must be configured on the system. systemd-journal-remote is a tool used to forward log data collected by systemd-journald to a remote log server.


Ensure systemd-journal-remote is enabled (Manual)

This statement indicates that systemd-journal-remote must be enabled on the system.


Ensure journald is not configured to receive logs from a remote client (Automated)

This statement indicates that an automatic measure should be taken to ensure that journald is not configured on the system to receive logs from a remote client.


Ensure journald service is enabled (Automated)

This statement indicates that the journald service must be enabled on the system.


Ensure journald is configured to compress large log files (Automated)

This means that the system ensures that journald is automatically configured to compress large log files. This makes more efficient use of storage space for log files.


Ensure journald is configured to write logfiles to persistent disk (Automated)

This means that the system ensures that journald is automatically configured to write log files to a permanent disc. This ensures that the log data is permanently stored on the disc and that the log data is preserved even when the system is restarted.


Ensure journald is not configured to send logs to rsyslog (Manual)

This statement indicates that journald should not be configured on the system to send logs to rsyslog. This is generally preferred in cases where journald is designed to manage and store logs directly.


Ensure journald log rotation is configured per site policy (Manual)

This statement indicates that journald log rotation in the system should be manually configured in accordance with the organisation's policies. Journal rotation is a process for managing and storing journal files.


Ensure permissions on all logfiles are configured (Automated)

This statement implies that the permissions of all log files on the system should be automatically configured. The permissions of log files are considered an important security element that determines who can access these files and what kind of operations they can perform.


Ensure cron daemon is enabled (Automated)

Cron is a scheduling tool used to schedule and run tasks that need to be repeated in certain time periods.

Daemon refers to a system process that constantly runs in the background.


Ensure permissions on /etc/crontab are configured (Automated)

This item specifies the permissions and authorisations of the crontab file.


Ensure permissions on /etc/cron.hourly are configured (Automated)

This item specifies the permissions and ownership of the /etc/cron.hourly directory.


Ensure permissions on /etc/cron.daily are configured (Automated)

This item specifies the permissions and ownership of the /etc/cron.daily directory.


Ensure permissions on /etc/cron.weekly are configured (Automated)

This item specifies the permissions and ownership of the /etc/cron.weekly directory.


Ensure permissions on /etc/cron.monthly are configured (Automated)

This item specifies the permissions and ownership of the /etc/cron.monthly directory.


Ensure permissions on /etc/cron.d are configured (Automated)

This item specifies the permissions and ownership of the /etc/cron.d directory.


Ensure cron is restricted to authorized users (Automated)

This means that scheduled tasks can only be created and edited by authorised users.

This security measure helps to prevent unauthorised users from damaging the system or creating disorder.


Ensure sudo log file exists (Automated)

This statement means that the use of the "sudo" command should generally be monitored and audited. This monitoring and auditing is done through a log file in which the activities of the "sudo" command are recorded.


Ensure password expiration is 365 days or less (Automated)

This statement implies that a system should automatically limit the validity period of user passwords to 365 days or less.

Changing user passwords after a certain period of time is an important security practice.


Ensure minimum days between password changes is 7 or more (Automated)

This means that the system should automatically ensure that at least 7 days elapse between users changing their passwords.


Ensure password expiration warning days is 7 or more (Automated)

This is the item that causes a warning to be issued 7 days or more before the password expires.


Ensure inactive password lock is 30 days or less (Automated)

This means that if a user is inactive for a certain period of time, their password is automatically locked.

This security measure is intended to increase the security of accounts that are not used or forgotten for a long time.


Ensure default user shell timeout is 900 seconds or less (Automated)

This refers to automating a system's default user shell timeout to 900 seconds or less. A user shell timeout means that if a user does not interact for a certain period of time (in this case 900 seconds or less), their session is automatically terminated. This is an important parameter in terms of security and resource management.
