
12HP.md 2024-10-15

Hardening points of the 12th server. Compliance Assessment Summary:


IP - 172.18.13.12
HP 1,2,3: Ensure the nodev, nosuid, noexec options are set on the /tmp partition.

Precheck:
Check whether /tmp is a separate partition.
df -Th
Check whether /tmp is mounted with the nodev, nosuid and noexec options. If not, follow the steps below.
mount | grep "/tmp"
Open the file /etc/fstab and add an entry as below (replace the UUID with that of the /tmp partition).
UUID=xxxx-xxxx-xxxx /tmp ext4 defaults,nodev,noexec,nosuid 0 0
Now remount the /tmp directory.
sudo mount -o remount /tmp
After that, check whether the precheck passes.

HP 4,5,6: Ensure the nosuid, nodev, noexec options are set on the /var/tmp partition.

Precheck:
Check whether /var/tmp is a separate partition.
df -Th
Check whether /var/tmp is mounted with the nodev, nosuid and noexec options. If not, follow the steps below.
mount | grep "/var/tmp"
Open the file /etc/fstab and add an entry as below (replace the UUID with that of the /var/tmp partition).
UUID=xxxx-xxxx-xxxx /var/tmp ext4 defaults,nodev,noexec,nosuid 0 0
Now remount the /var/tmp directory.
sudo mount -o remount /var/tmp
After that, check whether the precheck passes.

HP 7: Ensure the noexec option is set on the /dev/shm partition.

Precheck:
Check whether /dev/shm is a separate partition.
df -Th
Check whether /dev/shm is mounted with the noexec option. If not, follow the steps below.
mount | grep "/dev/shm"
Open the file /etc/fstab and add an entry as below (/dev/shm is a tmpfs, so it has no UUID; the entry names the filesystem type instead).
tmpfs /dev/shm tmpfs defaults,noexec 0 0
Now remount the /dev/shm directory.
sudo mount -o remount /dev/shm
After that, check whether the precheck passes.
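The precheck for HP 1-7 as an added example (not part of the original document): a POSIX sh function that reads a /proc/mounts-style table and reports which required options are missing on a mount point, run here against a constructed sample table rather than the live host.

```shell
#!/bin/sh
# Added example (not from the original document): verify that a mount point
# carries every required option, reading /proc/mounts-style lines. Assumes POSIX sh and awk.
# Usage: check_mount_opts MOUNTPOINT "opt1,opt2" [MOUNTS_FILE]
# Returns 0 if all options are present, 1 if any is missing, 2 if not a separate mount.
check_mount_opts() {
    mp="$1"; want="$2"; table="${3:-/proc/mounts}"
    # Field 2 is the mount point, field 4 the comma-separated option list.
    opts=$(awk -v mp="$mp" '$2 == mp { print $4; exit }' "$table")
    [ -n "$opts" ] || { echo "$mp: not a separate mount"; return 2; }
    rc=0
    for o in $(printf '%s' "$want" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;
            *) echo "$mp: missing option $o"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "$mp: ok ($opts)"
    return "$rc"
}
# Constructed sample mount table standing in for /proc/mounts (not a real host).
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
# HP 1-7 checks against the sample; omit the last argument to audit the live host.
check_mount_opts /tmp     nodev,nosuid,noexec "$SAMPLE_MOUNTS" || echo "  -> remediate per HP 1-3"
check_mount_opts /var/tmp nodev,nosuid,noexec "$SAMPLE_MOUNTS" || echo "  -> remediate per HP 4-6"
check_mount_opts /dev/shm noexec              "$SAMPLE_MOUNTS" || echo "  -> remediate per HP 7"
```

Note that `mount | grep "/tmp"` also matches /var/tmp, which is why the function compares the mount point field exactly.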

HP 8,9: Disable USB storage - modprobe, blacklist.


Prior check: First check whether the module is loaded, using the command lsmod | grep usb_storage. If it is not listed, it is already disabled.
If the module is present, follow the commands below:
Edit the blacklist configuration file
vim /etc/modprobe.d/blacklist.conf
Add the following line to the end of the file. Save and exit.
blacklist usb-storage
You may need to update the initial RAM filesystem for the change to take effect, and reboot if required.
update-initramfs -u
Now verify with the prior check command.

HP 10: Ensure permissions on the bootloader config are configured.

Prior check: Run the following command and verify that Uid and Gid are both 0/root and that Access does not grant permissions to group or other:
stat /boot/grub2/grub.cfg
Output should be: Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
If not, run the following:

chown root:root /boot/grub2/grub.cfg
chmod og-rwx /boot/grub2/grub.cfg

HP 11: Ensure the local login warning banner is configured properly - banner.

Open the sshd_config file at /etc/ssh/sshd_config.
Ensure that the Banner attribute contains the banner file location. If not, add the attribute and the location.
Example:
Create the file /etc/issue if it is not present and enter the content you want to display.
Now open the sshd_config file and provide the banner file location as below:
Banner /etc/issue
Finally restart ssh.service.

HP 12,13: Ensure ntp access control is configured - restrict -4, restrict -6

Add or edit restrict lines in /etc/ntp.conf to match the following:

restrict -4 default kod nomodify notrap nopeer noquery


restrict -6 default kod nomodify notrap nopeer noquery

HP 14: Ensure audit log files are mode 0640 or less permissive

HP 15: Ensure logging is configured.


Logging is configured in the file /etc/rsyslog.d/50-default.conf.

This file maps each facility and priority to the file (or action) the messages are written to; a leading "-" before a path means rsyslog does not sync the file after every write. Configure the entries as below.

*.emerg :omusrmsg:*
auth,authpriv.* /var/log/secure
mail.* -/var/log/mail
mail.info -/var/log/mail.info
mail.warning -/var/log/mail.warn
mail.err /var/log/mail.err
cron.* /var/log/cron
*.=warning;*.=err -/var/log/warn
*.crit /var/log/warn
*.*;mail.none;news.none -/var/log/messages
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages

Finally restart the service.

systemctl restart rsyslog.service

HP 16: Ensure all logfiles have appropriate access configured.

HP 17: Ensure cron is restricted to authorized users - /etc/cron.allow.

The crontab is generally used to schedule repetitive tasks.

Step1: Check whether the file /etc/cron.allow is present. If /etc/cron.deny is present, delete it and create the cron.allow file in the /etc folder.
Step2: Verify that the owner and group are root, using the command below; if not, change them.
stat /etc/cron.allow
chown root:root /etc/cron.allow
Step3: Ensure that the permissions are 640 or more restrictive. If not, change them with the following command.
chmod g-wx,o-rwx /etc/cron.allow

HP 18: Ensure at is restricted to authorized users - /etc/at.allow.

The at command in Linux is used to schedule tasks to run at a specific time in the future. It runs a command or script once at a particular time or date.
Step1: Check whether the file /etc/at.allow is present. If /etc/at.deny is present, delete it and create the at.allow file in the /etc folder.
Step2: Verify that the owner and group are root, using the command below; if not, change them.
stat /etc/at.allow
chown root:root /etc/at.allow
Step3: Ensure that the permissions are 640 or more restrictive. If not, change them with the following command.
chmod g-wx,o-rwx /etc/at.allow


HP 19: Ensure permissions on /etc/ssh/sshd_config are configured.

Change the owner and group of the sshd_config file to root and remove all group and other access.

chown root:root /etc/ssh/sshd_config
chmod og-rwx /etc/ssh/sshd_config
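The ownership and mode check that HP 10, 17, 18 and 19 all rely on, as an added example (not part of the original document); it assumes GNU stat (-c) as on Debian/Ubuntu and demonstrates on a constructed scratch file.

```shell
#!/bin/sh
# Added example (not from the original document): the ownership and mode check
# behind HP 10, 17, 18 and 19. A file passes when it is owned by root:root and
# its mode sets no permission bit that the allowed maximum does not also set.
# Assumes GNU stat (-c), as on Debian/Ubuntu.
mode_within() {  # mode_within MODE MAX (both octal, e.g. 644 640) -> 0 if no extra bit is set
    [ $(( 0$1 & ~0$2 )) -eq 0 ]
}

check_perm() {  # check_perm FILE MAX -> 0 pass, 1 fail, 2 file missing
    f="$1"; max="$2"
    [ -e "$f" ] || { echo "$f: missing"; return 2; }
    set -- $(stat -c '%u %g %a' "$f")
    uid="$1"; gid="$2"; mode="$3"; rc=0
    [ "$uid" = 0 ] && [ "$gid" = 0 ] || { echo "$f: owner $uid:$gid, want root:root"; rc=1; }
    mode_within "$mode" "$max" || { echo "$f: mode $mode exceeds $max"; rc=1; }
    [ "$rc" -eq 0 ] && echo "$f: ok (root:root $mode)"
    return "$rc"
}

# Constructed sample: a scratch file with a too-permissive mode, then fixed as HP 17 does.
SAMPLE=$(mktemp)
chmod 644 "$SAMPLE"
check_perm "$SAMPLE" 640 || echo "  -> apply chmod g-wx,o-rwx and chown root:root"
chmod g-wx,o-rwx "$SAMPLE"
check_perm "$SAMPLE" 640 || echo "  (owner is still not root when run as a regular user)"
```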

HP 20: Ensure SSH access is limited.

HP 21: Ensure SSH LogLevel is appropriate

Open the /etc/ssh/sshd_config file and check for the following attribute.
LogLevel INFO
If this attribute is not present, add it; if it is present but commented out, uncomment it.

HP 22: Ensure SSH PAM is enabled

Open the /etc/ssh/sshd_config file.


Add the below line if not present
UsePAM yes

HP 23: Ensure SSH root login is disabled

Open the /etc/ssh/sshd_config file and check for the following attribute.
PermitRootLogin prohibit-password
Make sure this attribute is set as no as following.
PermitRootLogin no

HP 24: Ensure SSH HostbasedAuthentication is disabled

Open the /etc/ssh/sshd_config file.


Add the below line if not present
HostbasedAuthentication no

HP 25: Ensure SSH PermitEmptyPasswords is disabled

Open the /etc/ssh/sshd_config file.


Add the below line if not present
PermitEmptyPasswords no

HP 26: Ensure SSH PermitUserEnvironment is disabled.

Open the /etc/ssh/sshd_config file.


Add the below line if not present
PermitUserEnvironment no

HP 27: Ensure SSH IgnoreRhosts is enabled

Open the /etc/ssh/sshd_config file.


Add the below line if not present
IgnoreRhosts yes


HP 28: Ensure the SSH warning banner is configured.

Open the sshd_config file at /etc/ssh/sshd_config.
Ensure that the Banner attribute contains the banner file location. If not, add the attribute and the location.
Example:
Create the banner file (/etc/issue.net here) if it is not present and enter the content you want to display.
Now open the sshd_config file and provide the banner file location as below:
Banner /etc/issue.net
Finally restart ssh.service.

HP 29: Ensure SSH MaxAuthTries is set to 4 or less

Open the /etc/ssh/sshd_config file and check for the following attribute.
If the required line is not present, add it to sshd_config as below. Note: if the line is already present, uncomment and edit it.
MaxAuthTries 4

HP 30: Ensure SSH MaxStartups is configured

Open the sshd_config file at /etc/ssh/sshd_config.


Ensure that MaxStartups 10:30:60 is configured. If not then configure it as per your requirement.
10: The maximum number of unauthenticated connections allowed at once.
30: The rate at which additional connections are dropped after the maximum is reached (in
percentage).
60: The time period (in seconds) during which this limit applies.

HP 31: Ensure SSH MaxSessions is set to 10 or less.

Open the /etc/ssh/sshd_config file.


Add the below line if not present
MaxSessions 10

HP 32: Ensure SSH LoginGraceTime is set to one minute or less.

Open the sshd_config file at /etc/ssh/sshd_config.

Ensure that LoginGraceTime is set to 60 (one minute) or less; if not, add or edit the line as below.
LoginGraceTime 60
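An added example, not from the original document, that audits the sshd_config directives from HP 21-32 in one pass. It assumes POSIX sh and awk, reads a constructed sample file instead of the live /etc/ssh/sshd_config, and takes the first occurrence of each keyword because that is the one sshd applies.

```shell
#!/bin/sh
# Added example, not part of the original document: audit an sshd_config for
# the directives in HP 21-32. sshd applies the FIRST occurrence of a keyword,
# so a correct line placed after a wrong one has no effect. Assumes POSIX sh/awk.
sshd_value() {  # sshd_value KEYWORD FILE -> effective value, empty if unset
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        tolower($1) == "match" { exit }                  # stop at the first Match block
        tolower($1) == key     { print $2; exit }        # first occurrence wins
    ' "$2"
}
audit_sshd() {  # audit_sshd FILE -> prints PASS/FAIL per directive, returns failure count
    fails=0
    # Required settings; a numeric value means "this value or less".
    while read -r key want; do
        got=$(sshd_value "$key" "$1")
        case "$want" in
            [0-9]*) [ -n "$got" ] && [ "$got" -le "$want" ] 2>/dev/null && ok=1 || ok=0 ;;
            *) [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$want" | tr 'A-Z' 'a-z')" ] && ok=1 || ok=0 ;;
        esac
        if [ "$ok" -eq 1 ]; then echo "PASS $key $got"
        else echo "FAIL $key (got '${got:-unset}', want $want)"; fails=$((fails + 1)); fi
    done <<'EOF'
LogLevel INFO
UsePAM yes
PermitRootLogin no
HostbasedAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
IgnoreRhosts yes
MaxAuthTries 4
MaxSessions 10
LoginGraceTime 60
EOF
    return "$fails"
}
# Constructed sample sshd_config (not a real host's); sshd applies the first PermitRootLogin line.
SAMPLE_SSHD=$(mktemp)
cat > "$SAMPLE_SSHD" <<'EOF'
LogLevel INFO
PermitRootLogin prohibit-password
PermitRootLogin no
UsePAM yes
IgnoreRhosts yes
PermitEmptyPasswords no
MaxAuthTries 6
MaxSessions 10
LoginGraceTime 2m
EOF
audit_sshd "$SAMPLE_SSHD" || echo "$? directive(s) need remediation"
```

Directives absent from the file are reported as unset and fail, since sshd's built-in defaults (MaxAuthTries 6, LoginGraceTime 120) do not meet these points.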

HP 33: Ensure sudo log file exists.

Open the sudoers file safely by using the command below.


sudo visudo
Now enter the data as shown below.
Defaults logfile="/var/log/sudo.log"
Also make sure to make the file in /var/log/ directory with sudo.log name.

HP 34: Ensure sudo authentication timeout is configured correctly.

Step1: Open the sudoers file.



sudo visudo
Step2: Add the following attribute into the sudoers file.

Defaults timestamp_timeout=15
Defaults env_reset

HP 35: Ensure access to the su command is restricted.

HP 36,37,38,39,40: Ensure password creation requirements are configured - minlen, dcredit, ucredit, ocredit, lcredit.

Ensure that the required package is installed. If not, install it.
dpkg -l | grep libpam-pwquality
apt install libpam-pwquality
Open the file /etc/security/pwquality.conf. Uncomment or add the line below to set the minimum password length.
minlen = 14
Add the below lines for password complexity.

dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1

HP 41: Ensure password reuse is limited.

Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown (a single line):

password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt remember=5

HP 42: Ensure default user umask is 027 or more restrictive - Restrictive system umask.

Open the file /etc/bash.bashrc and /etc/profile


Add the below line in it at the end.
umask 027
Run the file using source command to apply the effect.
