Hardening filesystem Centos/RHEL 8

Everything Linux, A.I, IT News, DataOps, Open Source and more delivered right to you.
Subscribe
"The best Linux newsletter on the web"

Introduction

Linux has continued used for many years beyond multiple industries and offers customizable and versatile systems. It is, therefore, essential that computers, servers, and even virtual machines that run Linux have specific security measures in place. In addition, because Linux-based operating systems (Ubuntu, Debian, RedHat, etc.) are so different and widely used, it’s essential to establish robust security standards to hold each specific operating system. The Center for Internet Security (CIS) has published benchmarks as standards for securing operating systems, a process known as hardening filesystem.

Linux is not a secure operating system. These steps can be practiced and be improved. This tutorial aims to explain how to harden Linux as much as possible for security and privacy vulnerabilities. This will show you how to make distribution-agnostic and is not attached to any specific one. Also, try types of filesystem Centos/RHEL 8.

Kickstart template sample complaint setup

The most obvious way to encrypt a partition is when Kickstart installation.

Can be accomplished through combining the â€“encrypted and â€“passphrase= options to define any physical LVM volume.

#version=RHEL8
ignoredisk --only-use=sda
autopart --type=lvm
# Partition clearing information
clearpart --none --initlabel
clearpart --none --initlabel
# Use text install
text
repo --name="AppStream" --baseurl=file:///run/install/repo/AppStream
# Use CDROM installation media
cdrom

ignoredisk --only-use=sda

# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# System language
lang en_US.UTF-8
# SELinux
selinux --enforcing

# Network information
network  --bootproto=dhcp --device=ens192 --ipv6=auto --activate
network  --hostname=localhost.localdomain

# Plaintext root password: PleaseChangeMe
rootpw --iscrypted $6$g3u9VWmoMgqUdTfy$iHkfa6g.r6iNBdD6wg7NyNUfgFMTR7KIsHWT5b4imv9grznx35DUE5ubanCxV.SQ/9nwM/hrYr0Kot0mxU2hK/
# Run the Setup Agent on first boot
firstboot --enable
# Do not configure the X Window System
skipx
# System services
services --disabled="chronyd"
# System timezone
timezone America/Chicago --isUtc --nontp
# System bootloader configuration
bootloader --location=mbr --boot-drive=sda --timeout=3
# Partition clearing information
clearpart --all --drives=sda
zerombr 

part /boot --fstype="ext2" --ondisk=sda --size=1024 --label=boot --mkfsoptions="-m 0" --fsoptions="rw,nodev,noexec,nosuid"

# The line below will create a 30GB physical volume
part pv.01  --fstype="lvmpv" --ondisk=sda --size=30720 --encrypted --passphrase=PleaseChangeMeToSomethingElse
volgroup vg_crypto pv.01

# Need the ability to shrink filesystems therefore ext4 over default xfs
logvol /              --fstype="ext4" --size=6144 --vgname=vg_crypto --name=lv_root    --mkfsoptions="-m 1"
logvol /home          --fstype="ext4" --size=2048 --vgname=vg_crypto --name=lv_home    --mkfsoptions="-m 0" --fsoptions="rw,nodev,nosuid"
logvol /tmp           --fstype="ext4" --size=1024 --vgname=vg_crypto --name=lv_tmp     --mkfsoptions="-m 1" --fsoptions="rw,nodev,noexec,nosuid"
logvol /var           --fstype="ext4" --size=4096 --vgname=vg_crypto --name=lv_var     --mkfsoptions="-m 1" --fsoptions="rw,nosuid"
logvol /var/log       --fstype="ext4" --size=1024 --vgname=vg_crypto --name=lv_var-log --mkfsoptions="-m 0" --fsoptions="rw,nodev,noexec,nosuid"
logvol /var/log/audit --fstype="ext4" --size=512  --vgname=vg_crypto --name=lv_var-aud --mkfsoptions="-m 0" --fsoptions="rw,nodev,noexec,nosuid"
logvol /var/tmp       --fstype="ext4" --size=1024 --vgname=vg_crypto --name=lv_var-tmp --mkfsoptions="-m 1" --fsoptions="rw,nodev,noexec,nosuid"
logvol /var/www       --fstype="ext4" --size=1024 --vgname=vg_crypto --name=lv_var-www --mkfsoptions="-m 0" --fsoptions="rw,nodev,nosuid"
logvol swap           --fstype="swap" --size=512  --vgname=vg_crypto --name=lv_swap    --fsoptions="swap"

%packages
@core

%end

Compliant directory scheme hardening filesystem

Keep the following partitions separate:

  • /boot,
  • /home,
  • /tmp,
  • /var,
  • /var/log,
  • /var/tmp,
  • /var/log/audit,
  • /var/www
    Putting these in their partitions gives more enhanced control over mount options. However, it also guarantees that the system cannot stop any partition from running out of disk space.
    Splitting off /opt depends on service and is frequently not practical, but not harmful either.

After installation

Backup a LUKS header, where /dev/sda2 is the LUKS encrypted partition:

# cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file /root/luks-header.backup

Secure the backup file is saved off-site and then removed from the server.

Remove packages that you don’t require on a server, e.g. firmware of sound cards, the firmware of WinTV, wireless drivers, etc.

# yum remove alsa-* ivtv-* iwl*firmware aic94xx-firmware

Restrict Partition Mount Options hardening filesystem

Partitions should have hardened mount options:

/boot – rw,nodev,noexec,nosuid
/home – rw,nodev,nosuid
/tmp – rw,nodev,noexec,nosuid
/var – rw,nosuid
/var/log – rw,nodev,noexec,nosuid
/var/log/audit – rw,nodev,noexec,nosuid
/var/www – rw,nodev,nosuid

As a rule of thumb, malicious applications usually write to /tmp and then attempt to run whatever was written. A method to prevent this is to mount /tmp on a separate partition with the options noexecnodev and nosuid enabled.

That will reject binary hanging from /tmp, disable any binary to be suid root, and disable any block devices from being created.

The storage location /var/tmp should be bind-mounted to /tmp, as having many locations for temporary storage is not required:

Restrict Dynamic Mounting and Unmounting of hardening filesystem

Add the following to /etc/modprobe.d/CIS.conf to disable uncommon filesystems:

install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true

Depending on a setup (if you don’t run clusters, NFS, CIFS etc), you may consider disabling the following too:

install fat /bin/true
install vfat /bin/true
install cifs /bin/true
install nfs /bin/true
install nfsv3 /bin/true
install nfsv4 /bin/true
install gfs2 /bin/true

It is wise to leave ext4, xfs and btrfs enabled at all times.

Restrict Users Mounting USB Storage

Add the following to /etc/modprobe.d/CIS.conf to disable modprobe loading of USB and FireWire storage drivers:

blacklist usb-storage
blacklist firewire-core
install usb-storage /bin/true

Restrict Programs from Dangerous Execution Patterns

Configure /etc/sysctl.conf with the following:

# Disable core dumps
fs.suid_dumpable = 0

# Disable System Request debugging functionality
kernel.sysrq = 0

# Restrict access to kernel logs
kernel.dmesg_restrict = 1

# Enable ExecShield protection - not available on CentOS 7
# kernel.exec-shield = 1

# Randomise memory space
kernel.randomize_va_space = 2

# Hide kernel pointers
kernel.kptr_restrict = 2

Load sysctl settings:

# sysctp -p
Everything Linux, A.I, IT News, DataOps, Open Source and more delivered right to you.
Subscribe
"The best Linux newsletter on the web"
Mel
Melhttps://unixcop.com
Unix/Linux Guru and FOSS supporter

1 COMMENT

  1. Hi,

    for the file system encryption, where does the key (passphrase) store on system if I don’t want prompt for passphrase during boot time.

    Thanks!

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest articles

Join us on Facebook