[SGVLUG] Hardening RedHat
Christopher Hicks via SGVLUG
sgvlug at sgvlug.net
Fri Sep 7 10:55:12 PDT 2018
I've found https://github.com/dev-sec/ansible-os-hardening handy for
improving OS-level security and getting better results from scans. They
also have similar modules for apache, nginx, etc. https://dev-sec.io/
On Fri, Sep 7, 2018 at 9:22 AM Scott Packard via SGVLUG <sgvlug at sgvlug.net> wrote:
> I've gotten into hardening RHEL6 and RHEL7 lately.
> I've never seen that discussed on the list.
>
> It comes with a tool from www.open-scap.org; unfortunately for my work I have to put that aside and get a (download restricted) tool from iase.disa.mil.
> The tool is restricted, but the content the tool uses is not.
> To download the content, you'd select STIGs, STIGs Master List (A to Z), and look on the 2nd page for the Red Hat Benchmark .zip file appropriate for the OS version.
>
> I haven't compared content to see if they are similar; I believe they would be though.
> https://www.open-scap.org/getting-started/ has a tutorial on how to get started.
>
> You basically cycle through scanning a host, looking at the results, and follow mostly well-written steps to apply hardening, and scan again.
>
> I say mostly because there are some security features that it just wants to see on but doesn't care how badly you shoot yourself in the foot with.
>
> Those features are where the learning curve (and pain) are.
>
> - iptables (netfilter), configured as deny by default, allow by explicit rule. Having INPUT, OUTPUT, and FORWARD configured to DROP is different from most examples you can google, and where you start to realize you can't admin by cookbook.
>
> - SELinux (mandatory access control) set to enforcing
> Here I'm still learning how to look for problems, correct them, how to test if the correction is loaded, how to unload a policy, whether or not I need a reboot, etc.
> For instance, I work with Centrify tools to make a host join a Windows domain, and use their tools for centrally managing automounts. One of their perl scripts was denied access to an auto.home.lck file. I looked at their knowledgebase and found a KB with a .te file that was supposed to correct the denial, but when I compiled the file and applied the profile I still saw a denial.
> I'm not sure it was the 'exactly right' thing to do, but I changed the .te file to allow ioctl rather than just { read write }, because the error message I was seeing was ioctl was being denied, and that stopped the error messages from appearing.
>
> - aide (tool to scan a host and record a db of its config, then daily scan and report any changes)
>
> I don't think anybody gets into this area of RedHat unless they have a job requirement for it. In my case, it's gov't. contractor work. It seems the payment card industry uses this, with their own ruleset. But, the tools are all there, and it does make it easier for the security folks to push their requirements and to verify they've been met.
>
> Regards, Scott Packard
>
>
--
Christopher Hicks
http://www.chicks.net/
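The SELinux fix Scott describes in the quoted reply (a vendor .te that only granted { read write } while the audit log showed ioctl being denied) comes down to reading the AVC denial and writing the allow rule it implies. The script below is an added example, not from the list post or from Centrify; it derives a minimal .te module from a denial line and merges in any permissions a vendor .te already had, so the denied one is never dropped. audit2allow(1) does this for real on a RHEL host; the sample AVC line, its types, path and pid are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn an SELinux AVC denial into a policy-module (.te) allow
# rule. Sample line is constructed; real ones come from /var/log/audit/audit.log
# or `ausearch -m avc -ts recent`.
SAMPLE_AVC='type=AVC msg=audit(1536339312.123:456): avc:  denied  { ioctl } for  pid=4242 comm="perl" path="/etc/auto.home.lck" dev="dm-0" ino=99 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Print the value of one name=value field from an AVC line ($1=name, $2=line).
avc_field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Print the denied permissions found between the braces, one per line.
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p' | tr ' ' '\n' | sed '/^$/d'
}

# Set src/tgt/cls/perms from an AVC line ($1); $2 is an optional list of extra
# permissions (e.g. those a vendor .te already grants) merged into the rule.
avc_parse() {
  src=$(avc_field scontext "$1" | cut -d: -f3)   # source type, e.g. automount_t
  tgt=$(avc_field tcontext "$1" | cut -d: -f3)   # target type, e.g. etc_t
  cls=$(avc_field tclass "$1")                   # object class, e.g. file
  perms=$( { avc_perms "$1"; printf '%s\n' $2; } | sed '/^$/d' | sort -u | tr '\n' ' ')
}

# Emit just the allow rule:  allow <src> <tgt>:<class> { perms };
avc_to_allow() {
  avc_parse "$1" "$2"
  printf 'allow %s %s:%s { %s};\n' "$src" "$tgt" "$cls" "$perms"
}

# Emit a complete module ($1=module name) with the require block checkmodule needs.
avc_to_te() {
  avc_parse "$2" "$3"
  printf 'module %s 1.0;\n\nrequire {\n    type %s;\n    type %s;\n    class %s { %s};\n}\n\n' \
    "$1" "$src" "$tgt" "$cls" "$perms"
  avc_to_allow "$2" "$3"
}

# Write the module, merging the vendor's { read write } with the denied ioctl.
avc_to_te centrify_lck "$SAMPLE_AVC" "read write" > centrify_lck.te
cat centrify_lck.te

# On the host, build and load it as root (not executed here):
#   checkmodule -M -m -o centrify_lck.mod centrify_lck.te
#   semodule_package -o centrify_lck.pp -m centrify_lck.mod
#   semodule -i centrify_lck.pp
# Confirm it is loaded with `semodule -l | grep centrify_lck`, then re-check
# `ausearch -m avc -ts recent` for the denial; remove with `semodule -r centrify_lck`.
```

Keep the generated rule as narrow as the denial shows: if the log names a single permission on a single type pair, that is all the module should grant.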