Bare minimum - pyllyukko/harden.yml GitHub Wiki
# Bare minimum hardening
Just some ideas about what should be the bare minimum hardening on any given Linux installation. In addition to keeping it fully patched at all times, that is!! :)
## Network
- TCP wrappers
- IP stack hardening (`sysctl.conf`)
- Disable IPv6 if not needed
### Basic firewall
What should it do? Just some ideas...
- Set FORWARD chain's policy to DROP
- Allow loopback traffic 127.0.0.1 <-> 127.0.0.1
- Disallow ICMP timestamp requests & responses
- Some rate limiting?
- Drop INVALID packets
- The same for IPv6
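As an added example (not part of harden.yml itself), here is a small shell function that emits an nftables ruleset covering the points above: `FORWARD` policy `drop`, loopback allowed (and packets addressed to loopback from other interfaces dropped), ICMP timestamp requests and replies dropped, basic rate limiting, `INVALID` connection-tracking state dropped, and the same rules applied to IPv6 through a single `inet` table. The SSH port, the rate values and the ICMPv6 allow-list are assumptions, not the project's defaults.

```shell
#!/bin/sh
# Added example, not harden.yml's own code. Emits an nftables ruleset
# implementing the "basic firewall" checklist. Review it, then apply with:
#   gen_ruleset | nft -f -        (or check syntax first: gen_ruleset | nft -c -f -)
gen_ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback: accept traffic on lo, and drop anything addressed to the
        # loopback range that arrives on a real interface (address spoofing)
        iif "lo" accept
        iif != "lo" ip daddr 127.0.0.0/8 drop
        iif != "lo" ip6 daddr ::1 drop

        # drop INVALID state before anything else, then allow replies
        ct state invalid drop
        ct state established,related accept

        # ICMP timestamp request (13) / reply (14): not needed, used for fingerprinting
        icmp type { timestamp-request, timestamp-reply } drop

        # rate limit echo requests (values are an assumption)
        icmp type echo-request limit rate 5/second accept
        icmpv6 type echo-request limit rate 5/second accept

        # ICMPv6 types IPv6 cannot work without (neighbour discovery, PMTU)
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big, time-exceeded, parameter-problem, destination-unreachable } accept

        # new SSH connections, rate limited (port is an assumption)
        tcp dport 22 ct state new limit rate 10/minute accept
    }
    chain forward {
        # host is not a router: FORWARD policy DROP
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}
```

Because the table family is `inet`, every rule that does not name `ip` or `ip6` explicitly applies to both protocols, which is the cheapest way to keep the IPv4 and IPv6 policies from drifting apart.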
## Services
- SSH hardening
- Make sure NTP is running
- `su`/`sudo`?
### To disable
- avahi-daemon
- cups
## User accounts
- Lock down system accounts
- Create `ftpusers`
- Disable unnecessary shells
- `TMOUT`
- Configure `securetty`
- Configure `/etc/login.access` || `/etc/security/access.conf`
- Restrict at & cron
## Passwords
- Tweak password policy
- Improve password hashing & rounds
- Enable password complexity checking through passwdqc or cracklib when the distro is using PAM
## Hardware/modules
Disable stuff with `/etc/modprobe.d/`.
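Added example (not harden.yml's own code) of what that `modprobe.d` fragment looks like and of the check that goes with it. The `install <module> /bin/false` form is used rather than `blacklist` alone: `blacklist` only stops alias-based autoloading, while an explicit `modprobe` or a dependency still loads the module. The module list in the usage comment is an assumption, and a module that is already loaded is unaffected by the file until it is unloaded or the host reboots, which the second function reports.

```shell
#!/bin/sh
# Added example, not harden.yml's own code.
# gen_modprobe_conf mod...: print a modprobe.d fragment disabling each module
gen_modprobe_conf() {
    for m in "$@"; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# still_loaded <modules_file> mod...: print the listed modules that are loaded
# according to a /proc/modules-style file; return value is how many were found.
# /proc/modules spells names with '_' while modprobe.d accepts '-' or '_',
# so normalise before comparing.
still_loaded() {
    modfile="$1"; shift
    n=0
    for m in "$@"; do
        norm=$(printf '%s' "$m" | tr '-' '_')
        if awk -v m="$norm" '$1 == m { found=1 } END { exit !found }' "$modfile"; then
            echo "$m is currently loaded; unload with: modprobe -r $norm"
            n=$((n + 1))
        fi
    done
    return $n
}

# Usage (module list is an assumption, pick what the host really does not need):
#   gen_modprobe_conf cramfs freevxfs jffs2 hfs hfsplus udf dccp sctp rds tipc usb-storage \
#       > /etc/modprobe.d/hardening.conf
#   still_loaded /proc/modules cramfs freevxfs jffs2 hfs hfsplus udf dccp sctp rds tipc usb-storage
```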
## File system
- `fstab` hardening
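`fstab` hardening mostly means giving `/tmp`, `/dev/shm` and similar mounts the `nodev`, `nosuid` and `noexec` options (and making them separate mounts in the first place). As an added example, not harden.yml's own code, here is a POSIX shell audit that reads an fstab-format file and reports what is missing. The mountpoint-to-options table is an assumption (a common baseline), adjust it to the host.

```shell
#!/bin/sh
# Added example, not harden.yml's own code.
# has_opt "<comma,separated,opts>" "<opt>": succeed if opt is in the list
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_fstab <file>: print one line per finding; return value is the number
# of findings (missing option, or mount point that is not separate at all).
audit_fstab() {
    fstab="$1"
    missing=0
    while read -r mnt wanted; do
        # fstab fields: <device> <mountpoint> <type> <options> <dump> <pass>
        # skip comment lines; pick the options column for this mount point
        opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4 }' "$fstab")
        if [ -z "$opts" ]; then
            echo "$mnt: not a separate mount point in $fstab"
            missing=$((missing + 1))
            continue
        fi
        for o in $(printf '%s' "$wanted" | tr ',' ' '); do
            if ! has_opt "$opts" "$o"; then
                echo "$mnt: missing $o (has: $opts)"
                missing=$((missing + 1))
            fi
        done
    done <<'EOF'
/tmp nodev,nosuid,noexec
/dev/shm nodev,nosuid,noexec
/home nodev,nosuid
/var nodev
/boot nodev,nosuid,noexec
EOF
    return $missing
}

# Usage: audit_fstab /etc/fstab
```

The expected table is fed to the loop through a here-document on `done` rather than a pipe, so the `missing` counter survives the loop in plain `sh`; a pipe would run the loop in a subshell and the return value would always be zero.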
## System
- System accounting (sysstat)
- Auditing
- CA certs
- `ulimit`?
- Disable core dumps
- Create legal banners if needed
- Consider log retention time
- Enable YAMA
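Several items on this page are kernel parameters: the IP stack hardening under Network (`sysctl.conf`), disabling IPv6 when it is not needed, refusing core dumps from setuid binaries, and YAMA's `ptrace_scope`. As an added example, not harden.yml's own code, here is a shell audit that compares the running values under `/proc/sys` against a baseline and reports every mismatch. The baseline values are an assumption (a common conservative set), and the tree root is a parameter so the same function can be pointed at a copy of the tree.

```shell
#!/bin/sh
# Added example, not harden.yml's own code.
# key_path <root> <key>: map a dotted sysctl name to its file under <root>
# (assumes no dots inside path components, true for every key in the baseline)
key_path() {
    printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr '.' '/')"
}

# audit_sysctl [root]: compare every baseline key with the live value;
# print one line per mismatch or missing key, return value is the count.
audit_sysctl() {
    root="${1:-/proc/sys}"
    bad=0
    while read -r key want; do
        f=$(key_path "$root" "$key")
        if [ ! -r "$f" ]; then
            echo "$key: not present (feature absent or module not loaded)"
            bad=$((bad + 1))
            continue
        fi
        have=$(cat "$f")
        if [ "$have" != "$want" ]; then
            echo "$key = $have (expected $want)"
            bad=$((bad + 1))
        fi
    done <<'EOF'
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.log_martians 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.tcp_syncookies 1
net.ipv6.conf.all.accept_redirects 0
net.ipv6.conf.all.accept_ra 0
net.ipv6.conf.all.disable_ipv6 1
fs.suid_dumpable 0
kernel.yama.ptrace_scope 1
EOF
    return $bad
}

# Usage: audit_sysctl            # live system
#        audit_sysctl /tmp/tree  # a constructed tree, e.g. for testing
# The "disable_ipv6 1" line only belongs in the baseline when the host really
# does not need IPv6; drop it otherwise. Persist fixes in /etc/sysctl.d/.
```

Reading `/proc/sys` directly instead of calling `sysctl -n` is what makes the function testable offline and also avoids depending on how a given distribution's `sysctl` binary spells "key not found".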