Sunday, July 10, 2016

Building a monitoring solution – Hardening the OS - CentOS 7 (Linux)


Having decided to build your own monitoring solution, once the OS has been installed, your next step should be to harden it. When considering the steps needed to harden your OS, it is best to take advantage of existing best practices and customize them to your specific environment and its requirements. In this post, we will take advantage of guidance from various sources such as the Center for Internet Security (CIS), Red Hat, SANS and NIST 800-123 (not necessarily in that order).



Leveraging the NIST 800-123 guidelines, let’s break this out into sections so that we can identify our areas of focus. NIST recommends we focus on the following:

- Patch and upgrade the operating system

- Ensure unwanted software is not running

- Configure operating system user authentication

- Configure resource controls

- Install and configure additional security controls, if needed

- Once the above are completed, NIST recommends that we test our operating system by looking at the output from NMAP and/or Nessus


Removing Unnecessary Software
Before we look at patching and upgrading, let’s take a look at what is currently running with our default “minimal” install of CentOS 7.
To understand what is running on our system, let’s run “netstat”... Ooooops!! When you try to run “netstat”, the command is not found. This means we have to install the package, since it is not included in the “minimal” install. The first thing you should probably do is perform a “yum search netstat” to find the related package.

Once you have found it, next perform an install using “yum install net-tools”.

Next we run “netstat -nlutp” to identify the listening UDP and TCP ports.


This is good information; from the above we see that we have services listening on port 25 (SMTP) and 22 (SSH). We will keep SSH for now but see no need for a mail server on this box. So before we upgrade, let’s remove unwanted services. In this case we will remove SMTP, shown in the netstat output as 2699/master (the Postfix master process).


“yum remove postfix” will remove Postfix from our install. That is one less piece of software for us to upgrade, manage and/or harden, as it is not needed.

Additionally, you could execute “chkconfig --list”, “systemctl list-unit-files | grep enabled” or “systemctl list-units | grep service” to see what is configured to start at boot time.
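As an added example (not from the post), here is a small POSIX shell check that parses “netstat -nlutp” output as described above and reports every listening socket whose program is not on an allow list, so the review of listeners can be repeated after each change. The sample output is constructed to match the post's description (sshd on 22, the Postfix master process on 25); the dhclient/udp line is an extra constructed entry.

```shell
#!/bin/sh
# Constructed sample of "netstat -nlutp" output, modelled on the minimal
# CentOS 7 install discussed above. The dhclient line is constructed too.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1035/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2699/master
tcp6       0      0 :::22                   :::*                    LISTEN      1035/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2699/master
udp        0      0 0.0.0.0:68              0.0.0.0:*                           877/dhclient'

# listeners: read netstat output on stdin and print "proto port program",
# one line per unique triple. tcp lines carry a State column and udp lines
# do not, but PID/Program is always the last field, so $NF works for both.
listeners() {
  awk 'NR > 2 {
         proto = $1; sub(/6$/, "", proto)           # tcp6 -> tcp, udp6 -> udp
         n = split($4, a, ":"); port = a[n]         # port follows the last colon
         split($NF, p, "/"); prog = (p[2] == "" ? "-" : p[2])
         key = proto " " port " " prog
         if (!(key in seen)) { seen[key] = 1; print key }
       }'
}

# unexpected_listeners PROGRAM...: read netstat output on stdin and print
# "proto/port program" for each listener not in the allow list given as
# arguments (programs, not ports, because that is what you remove or keep).
unexpected_listeners() {
  allow=" $* "
  out=$(listeners | while read -r proto port prog; do
          case "$allow" in
            *" $prog "*) ;;
            *) echo "$proto/$port $prog" ;;
          esac
        done)
  if [ -n "$out" ]; then printf '%s\n' "$out"; fi
}

# Only sshd is wanted on this box; everything else is reported for review.
printf '%s\n' "$NETSTAT_SAMPLE" | unexpected_listeners sshd
```

On a live host, replace the sample with `netstat -nlutp | unexpected_listeners sshd` run as root, since PID/Program names of other users' processes are otherwise shown as "-".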


Updating existing software
Ensuring that our system stays updated is an important step. Trying to manually manage your updates can become an exercise in which you lose interest. As a result, it makes sense to have a script or some other automated process check and/or update your installation at least daily. Beware that automatic updates may cause unexpected issues, as updated software may break your existing installation.
Let’s set up a cron job by editing the crontab with the command “crontab -e” and adding the entry “01 00 * * * /usr/bin/yum update -y > /tmp/yumUpdate.log 2>&1”. This entry attempts to update our system at minute 1 of hour 0 every day; basically, we are updating at 12:01 AM daily.

Configuring user authentication
The next most important step is controlling user access. For starters, when we perform a “cat /etc/passwd” we see a number of user accounts which are not needed for our install.




Now that’s a lot of users. Let’s reduce the list to something that is more reflective of what we would like to see. To remove some of these users, along with their home directory, etc., run the command “userdel --remove --force” followed by the user name. In this example, we delete ftp, postfix, operators, games and polkitd. It is important here not to delete users just for the sake of deleting them. Some of these accounts may be used by processes which you are not aware of.
To now add a user, let’s execute the command “useradd --comment "Nik Alleyne" --create-home --shell /bin/bash nik”. This creates user “nik”; we then execute “passwd nik” to set the password.


I then modified the user to add the “nik” account to the “wheel” group using the command “usermod --groups wheel nik”. This ensures that the “nik” account can perform “sudo” operations, as the “wheel” group is in the “sudoers” file and is not commented out.

Let’s also modify “/etc/login.defs” to control how passwords are used. We will set the maximum password age to 180 days, the minimum password age to 7 days and the minimum password length to 10, and give ourselves 14 days of warning before the password expires.







Let’s wrap up user access by configuring how SSH is accessed from the network. We will set the login grace time to 2 minutes while disabling root login. The maximum number of authentication attempts will be 6, and we allow up to 3 SSH sessions at once.
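The login.defs and sshd_config changes above can be applied the same way, and repeatably, with a small shell helper. This is an added example (not from the post) that rewrites a "KEY VALUE" line whether it is active or commented out and appends it otherwise; the demo at the end runs it against constructed fragments of the two files in a temporary directory, never the live /etc files, and the fragment contents are assumed, not copied from the post.

```shell
#!/bin/sh
# set_kv FILE KEY VALUE: set "KEY VALUE" in a whitespace- or '='-separated
# config file. An existing line for KEY holding a single value (active or
# commented out) is rewritten in place; otherwise the line is appended, so
# the function is safe to rerun. Values must not contain '/', the sed
# delimiter used here. Note that an sshd_config "Match" block is not special
# cased: a KEY inside one would be rewritten too.
set_kv() {
  file=$1 key=$2 value=$3
  re="^[[:space:]]*#?[[:space:]]*$key[[:space:]=]+[^[:space:]]+[[:space:]]*\$"
  if grep -Eq "$re" "$file"; then
    sed -E "s/$re/$key $value/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# harden_login_defs FILE: the password policy from the post (ages in days,
# minimum length). These are defaults for accounts created afterwards;
# existing accounts need chage(1).
harden_login_defs() {
  set_kv "$1" PASS_MAX_DAYS 180
  set_kv "$1" PASS_MIN_DAYS 7
  set_kv "$1" PASS_MIN_LEN 10
  set_kv "$1" PASS_WARN_AGE 14
}

# harden_sshd_config FILE: the SSH access settings from the post.
harden_sshd_config() {
  set_kv "$1" LoginGraceTime 2m
  set_kv "$1" PermitRootLogin no
  set_kv "$1" MaxAuthTries 6
  set_kv "$1" MaxSessions 3
}

# get_kv FILE KEY: print the first active (uncommented) value of KEY, for
# auditing a file after the fact.
get_kv() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# demo: harden constructed fragments (stock-looking defaults, commented-out
# sshd defaults) in a temp dir and print that dir so it can be inspected.
demo() {
  d=$(mktemp -d)
  printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_WARN_AGE\t7\n' > "$d/login.defs"
  printf '#LoginGraceTime 2m\n#PermitRootLogin yes\n#MaxAuthTries 6\n' > "$d/sshd_config"
  harden_login_defs "$d/login.defs"
  harden_sshd_config "$d/sshd_config"
  echo "$d"
}

d=$(demo); cat "$d/login.defs" "$d/sshd_config"
```

Before restarting sshd on a real host, validate the edited file with `sshd -t`; also note that on CentOS 7 the password length is enforced by pam_pwquality rather than PASS_MIN_LEN, so set minlen there as well.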









Another critical component is to ensure NTP is installed, configured and hardened to synchronize time.

We will leverage the following 4 servers for time synchronization in our "/etc/ntp.conf".





Now let’s verify our time is properly synchronized.

The above shows our time is synchronized, so let's move on.


Testing our OS
Now let’s assume we did all the hardening steps recommended by these documents which are applicable to our environment. The next step would be to run a VA scanner or some other utility against the server. For our purposes, let’s run NMAP to see what shows up.

Below we run an NMAP SYN scan against the host while at the same time trying to determine the services and their versions. The results show OpenSSH 6.6.1 running on port 22. This scan tests all TCP ports from 1-65535.


Additionally, you should test all the UDP ports which may be open on your system.


Obviously, there is a lot more to configure when leveraging these guides. My recommendation is that you continue going through them to get a good grasp of what is required for hardening your environment. You may not need to set every option; however, it is important that you know your environment and the options available to you.



See you in the next post, where we configure Palo Alto to forward its logs to our monitoring solution, which will be running free Splunk.


