checklist.org

Checklist

For all ‘S: ’ headings, restart the service after changing config

Resources

• https://drive.google.com/drive/folders/1MvrYeuRdYoVHumR9Dn9W6K9DGVOhSCf3
• ETA CyberPatriot Wiki
• Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
• openstack/ansible-hardening
• SCAP Workbench
• OpenVAS
• SELinux/Setup - Debian Wiki

Common

• firefox config
• check /root
• potential packages to remove:
  • exim4
• check quarantined files in $BACKUP/quarantine
• check crontabs
  • /var/spool/cron/crontabs
  • /etc/anacrontab
  • /var/spool/anacrontab
  • check /etc/cron.*

    ls -R /etc/cron.*
            

• change password (check if chpasswd in the script worked)
• when installing updates: update, restart, update, restart
• software-properties-gtk
• check ps axjf
• check /etc/passwd with vipw
• check /etc/group with vigr; sensitive groups: sudo, adm, admin, wheel
• check which DM is used

  grep '/usr/s\?bin' /etc/systemd/system/display-manager.service | cut -d= -f2 | cut -d/ -f4
      

  • LightDM: etc/lightdm and /usr/share/lightdm/lightdm.conf.d GDM: /etc/gdm/*, disable-user-list=true in greeter conf
• lock root account, passwd -l root or usermod -L root
• chsh root, chsh -s /usr/sbin/nologin root
• check /etc/sudoers.d
• password text files

  find /home -iname "*pass*"
  find /home -iname "*pw*"
  grep -r $PW /home /var /etc
      

• audit filesystem
• remove non-base packages Manually installed:

  comm -23 <(apt-mark showmanual | sort -u) <(gzip -dc /var/log/installer/initial-status.gz | sed -n 's/^Package: //p' | sort -u) | tee "$BASE/manually-installed"
      

  Non-base:

  apt list --installed | grep -vxf "$BASE/rc/pkgorig.txt"
      

Normal

• Add a /etc/motd
• Add a SSH warning banner
• check services

  service --status-all | sort
      

  [+] = running [-] = stopped [?] = an upstart service or status unsupported

• if Ubuntu: check Ubuntu Software center for installed packages that dpkg misses
• check config overrides
• audit PATH variable, or better, audit /etc/{environment,profile,...} and /home/*/.{profile,bashrc,...}
• set web root owner & permission (www-data or check image readme)
• inspect files in web root; look for sensitive data / webshells webshell in round 4 (3 for this year?) is usually hidden in wordpress files, so don’t look manually. use grep -rni ‘php system’ or grep -rni system(‘; see google classroom for list of keywords to search for
• check files in /etc not owned by root
• find world writable files (find / -perm -002)
• find backdoors
  • netstat -plunte
  • netstat -tupwn
  • lsof -i -n -P
• pgrep -a nc
• fuser $PORT/tcp
• ps aux | grep $PORT
• check start up scripts /etc/rc.local /etc/init.d
• check /etc/fstab

Rare

• check apt-cache policy
• edit/add /etc/postfix/main.cf

  inet_interfaces = loopback-only
      

  then run

  systemctl restart postfix
      

• check for files with special attrs

  getfacl -Rs /home /etc /var | less
  lsattr -R /etc 2>/dev/null | grep -v -e '--e--' | grep -v -e '/.*:$' | grep -v '^$'
  lsattr -R /home 2>/dev/null | grep -v -e '--e--' | grep -v -e '/.*:$' | grep -v '^$'
  lsattr -R /root 2>/dev/null | grep -v -e '--e--' | grep -v -e '/.*:$' | grep -v '^$'
  lsattr -R /var 2>/dev/null | grep -v -e '--e--' | grep -v -e '/.*:$' | grep -v '^$'
  find / -type f -perm -4000
      

• check user .bashrc
• check host files

  /etc/hosts
  /etc/hosts.allow
      

• /etc/hosts.deny check cron (just to make sure)
• check apt-key list
• check systemctl list-units
• check /etc/systemd and /home/USER/.config/systemd
• remove .forward, .netrc, .rhosts files from user home

When Desperate

• check /etc files or dirs not owned by root (find /etc ! -user root)
• check for *sh files in /etc or other dirs
• check apt sources.d
• check file permissions :/
• check /etc/skel
• look for disallowed media files in other directories

S: PHP

• check for additional configs & overrides in /etc/php

S: Wordpress

• figure out whether wordpress was installed by downloading from internet or installing the wordpress package, if package, check cfg-wordpress
• go to admin portal, secure everything :)
• try finding weird plugins (in admin portal)
• check /usr/share/wordpress and /var/www
• http://localhost/wp-admin/install.php

S: Bind9

• resources
  • Bind9 - Debian Wiki

config dir

/etc/bind

service name

named

package name

bind9 (do NOT remove bind9-host)

---

S: Nginx

• resources
  • Nginx server security - hardening Nginx configuration
  • How to Implement Security HTTP Headers to Prevent Vulnerabilities?
  • NGINX Docs | NGINX SSL Termination
  • Full Example Configuration | NGINX

config dir

/etc/nginx

reload config

nginx -s reload

---

S: Samba

restart

systemctl restart smbd.service nmbd.service

config file

/etc/samba/smb.conf

---

• in [global] section: restrict anonymous = 2
• replace ipc$ share with:

  [ipc$]
  hosts allow = 127.0.0.1
  hosts deny = 0.0.0.0/0
  guest ok = no
  browseable = no
      

• check admin users of samba shares

S: ProFTPd

restart

systemctl restart proftpd

---

S: MySQL

restart

systemctl restart mysql

---

• run mysql_secure_installation
• remove skip-grant-tables (to find: grep -rn "skip-grant-tables" /etc/mysql)

S: Apache

reload

systemctl reload apache2

config dir

/etc/apache2

main config

/etc/apache2/apache2.conf

---

• use tls
  • SSL/TLS Strong Encryption: How-To - Apache HTTP Server Version 2.4
  • Apache Web Server Hardening and Security Guide
  • add to main config: Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
• check if there’s anything that needs to be migrated from the old config into the new

  vim -O /etc/apache2/apache2.conf{,.bak}
      

• check config overrides
• inspect .htaccess (check under web root)
• check sites-available and sites-enabled
• check conf-available and conf-enabled

S: Postgres

service

postgresql