Ubuntu Linux hardening guide
1. General description
This document was prepared as part of the work to develop regulatory documents on information security and
represents the requirements for the protection and management of Ubuntu Linux operating systems.
The purpose of developing technical requirements is to describe general security provisions for the Company's so[...]
provide information security for the Company's computer network.
This profile has been prepared using the following materials:
- PCI DSS v3.2;
- CIS Ubuntu Linux Benchmark v1.0.0.
Configuration examples serve to illustrate provisions of the technical requirements and generally do not require
correspondence on the device being configured.
The technical requirements apply to Ubuntu Linux operating systems. Any exceptions to the provisions of this document
can only be made after agreement with the information security team and with subsequent development of compensating
measures.
As per best practices, it is highly recommended to first test the given configurations on a test device, or a device in the
test infrastructure, and only after successful testing of the configurations to follow the described steps on a live/production
device.
In case of changes in the names of the Company's departments and/or positions of employees involved in the
implementation of configurations mentioned in this document, provided that they retain the functions defined for the
Company's departments and employees by this document, and in case of transfer of such functions to other departments
and employees, the work shall be carried out by the relevant departments and employees of the Company without
amendments to this document.
Employees of the IT department are responsible for the implementation of this guide.
Employees of the IT department are responsible for auditing compliance with the provisions of this guide.
2. Configuration chapters
- Security Settings
- General security considerations
- Appendix A
- Appendix B
Group of controls                | Requirement                                               | Risk
---------------------------------|-----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------
1. Configuring Security Settings | Configure password policies                               | Using weak passwords makes accounts vulnerable to brute-force attacks.
1. Configuring Security Settings | Do not sign in to an account                              | Excessive user rights and the presence of active system accounts set by default by the manufacturer increase the risk of system compromise.
1. Configuring Security Settings | Limiting the use of system accounts                       | Excessive user rights and the presence of active system accounts set by default by the manufacturer increase the risk of system compromise.
1. Configuring Security Settings | Configuring permissions for critical files (644)          | Redundant privileges increase the risk of compromise of the system.
1. Configuring Security Settings | Configuring permissions for critical files (600)          | Redundant privileges increase the risk of compromise of the system.
1. Configuring Security Settings | Configuring permissions for critical files (user inactivity) | Redundant privileges increase the risk of compromise of the system.
1. Configuring Security Settings | Securing a remote access session                          | The lack of protection of a remote access session or remote access service allows an attacker to intercept data transmitted during the session or to gain unauthorized access to the system.
1. Configuring Security Settings | Configuring SNMP                                          | An incorrectly configured Simple Network Management Protocol (SNMP) service allows an attacker to view server configurations, which can be used to plan further attacks on the server.
1. Configuring Security Settings | Configure time synchronization                            | Lack of synchronization will lead to incorrect operation of the entire system or of individual functionality, for example the event logging system.
1. Configuring Security Settings | System update and integrity monitoring                    | The lack of integrity control allows critical system settings to be changed illegally. The lack of updates allows an attack using known errors in the system.
1. Configuring Security Settings | Event logging                                             | The lack of registration of information security events makes it impossible to investigate information security incidents.
                                                                  Configuration details
1. Configuring Security Settings
Set password requirements for user accounts and technology accounts. To do this, edit the configuration files /etc/login.defs,
/etc/pam.d/common-password and /etc/pam.d/common-auth in accordance with the values of the parameters in the tables in the
annex to this document (Appendix A).
To disable login, change the user shell to /bin/false in the /etc/passwd file:
# vi /etc/passwd
<… >
tester:x:210:8::/home/ed:/bin/false
<… >
To prohibit logon to an account, add the line auth required pam_nologin.so to the /etc/pam.d/login file.
Configuration details:
# echo "auth required pam_nologin.so" >> /etc/pam.d/login
For system accounts created during installation, the steps must be taken in accordance with the table given in the annex to this
document (Appendix B).
You should perform this procedure after installing additional packages that create accounts, such as SSH, which creates an sshd
account that you want to prevent from logging in.
Critical configuration files should be set to 644 and owned by root:
/etc/passwd
/etc/resolv.conf
/etc/profile
/etc/hosts
/etc/services
Configuration details:
# chown root /etc/passwd
# chmod 644 /etc/passwd
The following files must be owned by root and have 600 permissions:
/etc/shadow
/etc/login.defs
/etc/xinetd.conf
/etc/fstab
/etc/hosts.allow
/etc/hosts.deny
/etc/securetty
/etc/crontab
/etc/ssh/sshd_config
Configuration details:
# chown root /etc/shadow
# chmod 600 /etc/shadow
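The chown/chmod pair above has to be repeated for every file in both lists, and an audit needs to re-check them. The script below is an added example, not the guide's own script: it audits the owner and mode of each listed file and, when FIX=yes is set, repairs it with the same chown/chmod the guide prescribes. The two file lists are the guide's; the function names and the FIX variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the guide's script): audit and optionally repair the owner and
# mode of the critical files listed in the guide. Run as root for a real audit.

FILES_644="/etc/passwd /etc/resolv.conf /etc/profile /etc/hosts /etc/services"
FILES_600="/etc/shadow /etc/login.defs /etc/xinetd.conf /etc/fstab /etc/hosts.allow
/etc/hosts.deny /etc/securetty /etc/crontab /etc/ssh/sshd_config"

# uid_of NAME_OR_UID -> numeric uid (accepts "root" or "0")
uid_of() {
    case $1 in
        *[!0-9]*) id -u "$1" ;;
        *) echo "$1" ;;
    esac
}

# perm_check FILE MODE OWNER -> prints OK, MISSING, or "VIOLATION <uid> <mode>"
perm_check() {
    if [ ! -e "$1" ]; then
        echo "MISSING"
        return 0
    fi
    want_uid=$(uid_of "$3")
    uid=$(stat -c '%u' "$1")
    mode=$(stat -c '%a' "$1")
    if [ "$uid" = "$want_uid" ] && [ "$mode" = "$2" ]; then
        echo "OK"
    else
        echo "VIOLATION $uid $mode"
    fi
}

# perm_fix FILE MODE OWNER -> the guide's chown + chmod; prints the resulting mode
perm_fix() {
    chown "$3" "$1"
    chmod "$2" "$1"
    stat -c '%a' "$1"
}

# audit_list MODE OWNER FILE... -> one report line per file; the last line printed is
# the number of files that were non-compliant before any fix was applied
audit_list() {
    mode=$1; owner=$2; shift 2
    bad=0
    for f in "$@"; do
        result=$(perm_check "$f" "$mode" "$owner")
        echo "$f expected $owner:$mode -> $result"
        case $result in
            VIOLATION*)
                bad=$((bad + 1))
                if [ "${FIX:-no}" = yes ]; then
                    perm_fix "$f" "$mode" "$owner" >/dev/null
                fi
                ;;
        esac
    done
    echo "$bad"
}

# audit_critical_files -> both of the guide's lists, root owner
audit_critical_files() {
    # word splitting of the lists is intentional
    audit_list 644 root $FILES_644
    audit_list 600 root $FILES_600
}

# Usage: sh perm-audit.sh run        (report only)
#        FIX=yes sh perm-audit.sh run (report and repair)
if [ "${1:-}" = run ]; then
    audit_critical_files
fi
```

Files that do not exist on a given host (for example /etc/xinetd.conf where xinetd is not installed) are reported as MISSING rather than counted as violations, so the final count only reflects files that are present and wrong.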
To set the session termination time if the user is inactive, create a script tmout.sh in the /etc/profile.d/ directory and
specify the parameters for Bash in it:
# touch /etc/profile.d/tmout.sh
<… >
TMOUT=900
readonly TMOUT
export TMOUT
<… >
Set the root user as the owner of the sshd_config and ssh_config files.
Set the sys group as the group that owns the sshd_config and ssh_config files.
Remove write permissions from the owner for the sshd_config and ssh_config files.
For remote access of administrators to the system, it is necessary to configure authentication using a public/private key pair, taking
into account the following factors:
- when creating a key pair, you must set the key length to 4096 bits;
- when transferring your public key to a remote server, you should use only secure sources to avoid key spoofing;
- when using certificate-based authentication, password authentication should be disabled: PasswordAuthentication no;
- configure the SSH connection on a port other than port 22 (Internet-facing servers only).
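The requirements above can be verified by reading sshd_config the way sshd does: the first active occurrence of a keyword wins and keyword names are case-insensitive. The script below is an added example, not the guide's or OpenSSH's code; the function names are assumptions, and it treats an absent PubkeyAuthentication or Port line as sshd's built-in defaults (yes and 22).

```shell
#!/bin/sh
# Added example (not the guide's script): check an sshd_config against the guide's
# remote-access requirements and generate the 4096-bit key pair it calls for.

# sshd_directive FILE NAME -> effective value of NAME, or "unset".
# sshd uses the first active occurrence and matches keywords case-insensitively,
# so the scan stops at the first non-comment line whose first word is NAME.
sshd_directive() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1" 2>/dev/null | grep . || echo unset
}

# sshd_audit FILE INTERNET_FACING(yes|no) -> one PASS/FAIL line per check;
# the last line printed is the number of failed checks
sshd_audit() {
    fails=0

    pw=$(sshd_directive "$1" PasswordAuthentication)
    if [ "$pw" = no ]; then
        echo "PASS PasswordAuthentication no"
    else
        echo "FAIL PasswordAuthentication is '$pw', required: no"
        fails=$((fails + 1))
    fi

    pk=$(sshd_directive "$1" PubkeyAuthentication)
    if [ "$pk" = unset ]; then pk=yes; fi        # sshd default
    if [ "$pk" = yes ]; then
        echo "PASS PubkeyAuthentication yes"
    else
        echo "FAIL PubkeyAuthentication is '$pk', required: yes"
        fails=$((fails + 1))
    fi

    port=$(sshd_directive "$1" Port)
    if [ "$port" = unset ]; then port=22; fi      # sshd default
    if [ "$2" = yes ] && [ "$port" = 22 ]; then
        echo "FAIL Port 22 on an Internet-facing server, required: a non-default port"
        fails=$((fails + 1))
    else
        echo "PASS Port $port"
    fi

    echo "$fails"
}

# admin_keygen PATH -> 4096-bit RSA key pair as the guide requires; ssh-keygen
# prompts for a passphrase, which should not be left empty for an admin key
admin_keygen() {
    ssh-keygen -t rsa -b 4096 -f "$1"
}

# Usage: sshd_audit /etc/ssh/sshd_config yes
```

Two caveats for real hosts: the scanner does not follow Include directives (Ubuntu 22.04 and later ship /etc/ssh/sshd_config.d/*.conf) and does not distinguish settings inside a Match block, so treat `sshd -T` as the authoritative view of the effective configuration and use this script as a quick pre-check on a file you are about to deploy.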
If you are using SNMP, replace the default community string set by the manufacturer.
If you are using SNMP versions 1 and 2, in the /etc/snmp/snmpd.conf file, replace the value of the community string "public"
with your own:
Configuration details:
# vi /etc/snmp/snmpd.conf
<… >
rocommunity <new community-string> <ip-address>
rwcommunity <new community-string> <ip-address>
<… >
If you are using SNMP version 3, create a user by using the net-snmp-create-v3-user command. The net-snmp-create-v3-user
command adds the user to the /var/lib/net-snmp/snmpd.conf and /etc/snmp/snmpd.conf files.
Configuration details:
# net-snmp-create-v3-user -A <mypass> <myuser>
You must configure time synchronization with trusted time sources.
To configure time synchronization using the ntpd daemon, you must modify the /etc/ntp.conf configuration file.
Security updates are installed at the request of the Information Security Service from a centralized internal repository.
The list of events to be logged is determined by the information security service in coordination with the IT service.
To log file access events and user actions, we recommend that you use the auditd daemon.
Before configuring auditd, make sure that the package is installed:
Configuration details:
# apt-get install auditd
And add the auditd daemon to the startup:
Configuration details:
# update-rc.d auditd defaults
Create audit rules using the auditctl utility:
Configuration details:
Example of logging the actions of the root user:
# auditctl -a always,exit -S all -F auid=0 -k 'root-action(1)'
Example of logging an access denied event:
# auditctl -a always,exit -S creat -S open -S openat -S truncate -S ftruncate -F exit=-13 -k Permission_denied
Add file access logging rules to the /etc/audit/audit.rules file:
Configuration details:
# vi /etc/audit/audit.rules
<… >
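The rules file content is elided above. The script below is an added example, not the guide's rules file: it generates watch rules for the critical files the guide lists, together with the two rules quoted above in the persistent syntax audit.rules accepts. The key names critical-file, root-action and Permission_denied and the -b backlog value are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the guide's rules file): emit audit.rules content for the
# guide's critical files plus its root-action and access-denied rules.

# watch_rules FILE... -> one "-w FILE -p wa -k critical-file" line per file.
# -p wa records writes and attribute (owner/mode) changes; -k tags the events
# so they can be pulled out later with: ausearch -k critical-file
watch_rules() {
    for f in "$@"; do
        echo "-w $f -p wa -k critical-file"
    done
}

# audit_rules FILE... -> a complete rules file on stdout
audit_rules() {
    echo "-D"              # drop rules loaded earlier so the file is authoritative
    echo "-b 8192"         # kernel backlog, so bursts of events are not lost
    watch_rules "$@"
    # Actions of root: auid is the login uid and survives su/sudo, so this catches
    # the real person, not just processes whose effective uid is 0.
    echo "-a always,exit -F arch=b64 -S all -F auid=0 -k root-action"
    # Access denied: EACCES (-13) returned by file open/create/truncate calls.
    echo "-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-13 -k Permission_denied"
}

# write_audit_rules DEST FILE... -> writes the file with mode 640 (contains no
# secrets, but should not be world-readable) and prints the number of rules
write_audit_rules() {
    dest=$1; shift
    audit_rules "$@" > "$dest"
    chmod 640 "$dest"
    grep -c '^-[aw] ' "$dest"
}

# Usage (the guide's 600 and 644 lists, abbreviated here):
#   write_audit_rules /etc/audit/rules.d/hardening.rules /etc/passwd /etc/shadow \
#       /etc/ssh/sshd_config /etc/crontab /etc/hosts.allow /etc/hosts.deny
```

On current Ubuntu releases auditd assembles /etc/audit/audit.rules from /etc/audit/rules.d/*.rules via augenrules at service start, so place the generated file under rules.d and restart auditd (or load it immediately with `auditctl -R`) rather than editing audit.rules by hand.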
To send all audit events at the request of the Information Security Service to a remote log server using syslog, you must add the
following line to the /etc/syslog.conf file:
Configuration details:
# echo "*.* @<log server IP address>" >> /etc/syslog.conf
General security considerations

№ | Description | Risk
--|-------------|-----
1 | It is necessary to determine the list of software necessary for the functioning of the server and the basic settings of all network services used, including: host name; IP address and network mask; DNS server address; addresses of the NTP servers used; a list of required software; addresses of the servers used to store logs. During the installation of the OS you must disconnect the resource from the network to exclude the possibility of compromising the OS during the installation process. | Lack of documented server configuration settings makes it difficult to manage and control configuration compliance with security requirements.
2 | All services used must be documented. The purpose of the services to which access is granted must be specified in the passport of the server. All unused items must be disabled or filtered by the firewall. The built-in firewall (iptables) can be used for port filtering. Access to services should be restricted to only the necessary nodes or networks. | Unused/insecure network services put the system at risk of compromise.
3 | The server should perform only its main function. For example, you cannot combine web and DNS services, FTP, firewall and so on; you can combine services that are similar in tasks and in terms of security, such as SMTP and POP3. | Additional services increase the risk of compromise of the main task.
4 | You should prevent the use of group accounts, which allow users to access resources directly. If necessary, users must log in to the system under their personal account and then use the su command. | Excessive rights increase the risk of system compromise.
5 | The developer account (if it is necessary to grant access to the developer) should be locked and enabled only for the time when the developer needs access to the system. | Excessive rights increase the risk of system compromise.
6 | After installing the software, you should verify that only the root user has access to the software settings. You should also make sure that the software service owner account is created with the password disabled and an invalid shell. | Unaccounted software puts the system at risk of compromise.
7 | When using the scheduler, you must make sure that the scripts you run do not contain usernames and passwords in clear text where possible (for example, replace them with hash values). It is necessary to set rights on the scripts so that only root or the owner has the right to access them. The cron.allow file lists the users who need access to create, delete, and view scheduled jobs. | Excessive rights increase the risk of system compromise.
8 | Disable DHCP for all network resources if you do not need it; use static addressing instead. | Unused/insecure network services put the system at risk of compromise.
Appendix A. Configuring a Password Policy

Password requirements for user accounts are listed in the table below.

Requirement | Setting | Required value
------------|---------|---------------
/etc/login.defs | |
Maximum password age | The password must be changed organizationally, at least once a year |
/etc/pam.d/common-password | |
Minimum password length | 12 characters | minlen=12
/etc/pam.d/common-auth | |
Limiting the number of incorrect input attempts allowed | 6 attempts | deny=6
The time it takes to unblock a user account after the allowed number of incorrect input attempts has been exhausted | 5 minutes | lock_time=300

Requirements for additional user accounts (users who have access to only one application):
- minimum password length 8 characters;
- personalized accounts must be registered in Active Directory;
- non-personal accounts must be created locally;
- access to the Internet should be prohibited;
- access must be allowed for only one application;
- after the application is closed, the user's session should be terminated.

Password requirements for technology accounts are listed in the table below.

Requirement | Setting | Required value
------------|---------|---------------
/etc/pam.d/common-password | |
Password must contain numbers | not less than 1 digit | dcredit=-1
Password must contain lowercase characters | at least 1 character | lcredit=-1
Minimum password length | 12 characters | minlen=12
Prevent reuse of old passwords | 4 old passwords | remember=4
/etc/pam.d/common-auth | |
Limiting the number of incorrect input attempts allowed | 6 attempts | deny=6
The time it takes to unblock a user account after the allowed number of incorrect input attempts has been exhausted | 5 minutes | lock_time=300
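The "Set password requirements" step in the configuration details points at these tables, and an auditor needs to confirm that the required values are what the PAM files actually carry. The script below is an added example, not the guide's script: it reads the option=value pairs from active (non-comment) lines of common-password and common-auth and compares them with the Required value column above. It is deliberately module-agnostic, because the guide does not say which module (pam_pwquality, pam_tally2, pam_faillock) supplies each option; the option names checked are exactly the ones in the tables, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the guide's script): compare the option values present in
# /etc/pam.d/common-password and /etc/pam.d/common-auth with Appendix A.

# option_value FILE KEY -> value of "KEY=value" on the first active (non-comment)
# line that carries it, or "unset". Only whole options are matched: the key must
# be preceded by whitespace, so "minlen" never matches inside another option name.
option_value() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
        | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" \
        | head -n 1 | grep . || echo unset
}

# check_option FILE KEY EXPECTED -> PASS/FAIL line; returns 1 on FAIL
check_option() {
    actual=$(option_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "PASS $2=$3"
    else
        echo "FAIL $2 expected=$3 actual=$actual ($1)"
        return 1
    fi
}

# policy_audit COMMON_PASSWORD COMMON_AUTH -> one line per requirement; the last
# line printed is the number of requirements not met
policy_audit() {
    fails=0
    # /etc/pam.d/common-password (technology-account table; minlen=12 is common to both)
    for pair in minlen=12 dcredit=-1 lcredit=-1 remember=4; do
        check_option "$1" "${pair%=*}" "${pair#*=}" || fails=$((fails + 1))
    done
    # /etc/pam.d/common-auth
    for pair in deny=6 lock_time=300; do
        check_option "$2" "${pair%=*}" "${pair#*=}" || fails=$((fails + 1))
    done
    echo "$fails"
}

# Usage: policy_audit /etc/pam.d/common-password /etc/pam.d/common-auth
```

The maximum password age row has no required value in the tables (it is handled organizationally), so it is not checked here. Note that the checker only proves the option is present on some active line; it does not prove that the line belongs to a module that honours that option, so read the FAIL/PASS output next to the actual file on the first run.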
Appendix B. Account Management

Account name | Required to disable | Required to ban the login
-------------|---------------------|--------------------------
root         | yes                 |
daemon       | yes                 |
bin          | yes                 |
mail         | yes                 |
news         | yes                 |
ldap         | yes                 |
man          | yes                 |
at           | yes                 |
nobody       | yes                 |
wwwrun       | yes                 |
ftp          | yes                 |
postfix      | yes                 |
sshd         |                     | yes
lp           | yes                 |
uucp         | yes                 |
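The configuration details prescribe /bin/false as the shell for accounts that must not log in, and this table names the accounts. The script below is an added example, not the guide's script: it reports which of a given list of accounts still has a login shell according to a passwd-format file, and applies the guide's fix to those that do. It also handles the edge case a naive grep misses: an empty shell field in /etc/passwd means /bin/sh, not "no shell". The function names, the use of usermod and the set of shells treated as non-login are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the guide's script): find accounts from the Appendix B list
# that can still log in and set their shell to /bin/false as the guide prescribes.

NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin /sbin/nologin"

# login_shell PASSWD_FILE ACCOUNT -> the account's shell, or "absent".
# An empty 7th field means the system default shell /bin/sh (see passwd(5)).
login_shell() {
    awk -F: -v name="$2" '
        $1 == name { print ($7 == "" ? "/bin/sh" : $7); exit }
    ' "$1" 2>/dev/null | grep . || echo absent
}

# can_login PASSWD_FILE ACCOUNT -> yes, no or absent
can_login() {
    shell=$(login_shell "$1" "$2")
    if [ "$shell" = absent ]; then
        echo absent
        return 0
    fi
    for s in $NOLOGIN_SHELLS; do
        if [ "$shell" = "$s" ]; then
            echo no
            return 0
        fi
    done
    echo yes
}

# still_enabled PASSWD_FILE ACCOUNT... -> names of the accounts that still have a login shell
still_enabled() {
    file=$1; shift
    for a in "$@"; do
        if [ "$(can_login "$file" "$a")" = yes ]; then
            echo "$a"
        fi
    done
}

# disable_login ACCOUNT... -> the guide's fix, applied with usermod (run as root)
disable_login() {
    for a in "$@"; do
        usermod -s /bin/false "$a"
    done
}

# Usage (the Appendix B "required to disable" accounts other than root, which
# needs separate handling so administrative access is not lost):
#   disable_login $(still_enabled /etc/passwd daemon bin mail news ldap man at \
#       nobody wwwrun ftp postfix lp uucp)
```

Re-running `still_enabled` after the change is the compliance check: it should print nothing for the listed accounts. Accounts reported as absent were never created on that host, which is normal for packages that are not installed.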