5 - Access, Authentication, and Authorization

5.1 - Configure time-based schedulers

5.1.1 - Enable cron

Ensure that cron is enabled by running systemctl --now enable cron.

5.1.2 - 5.1.7 - Configure Permissions on cron files

Run the following commands on /etc/crontab, /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly, and /etc/cron.d:

chown root:root FILE_PATH
chmod og-rwx FILE_PATH

5.1.8 - 5.1.9 - Restrict cron and at to authorized users

Remove /etc/cron.deny by running rm /etc/cron.deny.

Create /etc/cron.allow using touch /etc/cron.allow. Then edit its permissions and ownership by running:

chmod g-wx,o-rwx /etc/cron.allow
chown root:root /etc/cron.allow

Remove /etc/at.deny by running rm /etc/at.deny.

Create /etc/at.allow using touch /etc/at.allow. Then edit its permissions and ownership by running:

chmod g-wx,o-rwx /etc/at.allow
chown root:root /etc/at.allow

5.2 - Configure sudo

Ensure that sudo is installed by running dpkg -s sudo or dpkg -s sudo-ldap. If it is not installed, run apt install sudo or apt install sudo-ldap.

Ensure that sudo commands use a pty and are logged to a dedicated file by running sudo visudo -f /etc/sudoers and adding:

Defaults use_pty
Defaults logfile="<PATH TO CUSTOM LOG FILE>"

Replace <PATH TO CUSTOM LOG FILE> with a path to a sudo log.

5.3 - Configure SSH Server

5.3.1 - 5.3.3 - Configure permissions on ssh files

To change the permissions on /etc/ssh/sshd_config and the host key files, run:

chown root:root /etc/ssh/sshd_config
chmod og-rwx /etc/ssh/sshd_config

find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chmod u-x,go-rwx {} \;
find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chown root:root {} \;

find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod u-x,go-wx {} \;
find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \;
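The chown/chmod lines in 5.1.2 - 5.1.9 and 5.3.1 - 5.3.3 apply the required state but do not tell you what was wrong. The following helper, added here and not part of the benchmark text, reports each file whose owner or mode deviates from those requirements; it takes a root directory (/ for the live host, or a mounted image or staging tree) and an optional owner, and assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added audit helper; not part of the benchmark text. Checks ownership and
# mode of the cron, at and ssh files against the chown/chmod lines above,
# reporting each deviation instead of silently re-applying it. ROOT lets the
# same check run on a mounted image or staging tree; OWNER defaults to
# root:root. Assumes GNU coreutils stat (-c '%U:%G' and '%a').

# audit_path PATH MAXMODE [OWNER]: succeed only if PATH exists, is owned by
# OWNER and sets no permission bit that is absent from MAXMODE (octal).
audit_path() {
    path=$1 maxmode=$2 owner=${3:-root:root} rc=0
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    have_owner=$(stat -c '%U:%G' "$path")
    have_mode=$(stat -c '%a' "$path")
    if [ "$have_owner" != "$owner" ]; then
        echo "OWNER   $path is $have_owner, want $owner"; rc=1
    fi
    # bits set in have_mode but cleared in maxmode (leading 0 = octal)
    if [ $(( 0$have_mode & ~0$maxmode & 07777 )) -ne 0 ]; then
        echo "MODE    $path is $have_mode, want at most $maxmode"; rc=1
    fi
    return $rc
}

# audit_tree ROOT [OWNER]: apply 5.1.2 - 5.1.9 and 5.3.1 - 5.3.3 under ROOT;
# the return value is the number of deviations found.
audit_tree() {
    root=${1%/} owner=${2:-root:root} bad=0
    for p in etc/crontab etc/cron.hourly etc/cron.daily etc/cron.weekly \
             etc/cron.monthly etc/cron.d etc/ssh/sshd_config; do
        audit_path "$root/$p" 700 "$owner" || bad=$((bad + 1))   # og-rwx
    done
    for p in etc/cron.allow etc/at.allow; do
        audit_path "$root/$p" 740 "$owner" || bad=$((bad + 1))   # g-wx,o-rwx
    done
    for k in "$root"/etc/ssh/ssh_host_*_key; do
        [ -e "$k" ] || continue
        audit_path "$k" 600 "$owner" || bad=$((bad + 1))         # u-x,go-rwx
        audit_path "$k.pub" 644 "$owner" || bad=$((bad + 1))     # u-x,go-wx
    done
    for p in etc/cron.deny etc/at.deny; do
        [ -e "$root/$p" ] && { echo "PRESENT $root/$p, should be removed"; bad=$((bad + 1)); }
    done
    return "$bad"
}
```

Run audit_tree / as root on the live host; a non-zero return value is the count of findings, so it can gate a configuration-management run.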

5.3.4 - Limit SSH access

Edit /etc/ssh/sshd_config to contain at least one of the following parameters:

AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>

5.3.5 - 5.3.22 - Edit SSH parameters

In /etc/ssh/sshd_config, change the parameters to match:

LogLevel INFO
X11Forwarding no
MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

ClientAliveInterval 900
ClientAliveCountMax 0
LoginGraceTime 60
Banner /etc/issue.net
UsePAM yes
AllowTcpForwarding no
MaxStartups 10:30:100
MaxSessions 10
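sshd uses the first occurrence of a keyword, so a compliant line appended after an earlier setting (or after a file pulled in by Include) is silently ignored. The helper below, added here and not part of the benchmark text, reports keywords whose effective value in a given sshd_config differs from the list above; it models that first-wins rule for a single file and stops at the first Match block. On a live host, sshd -T remains the authoritative view of the effective configuration.

```shell
#!/bin/sh
# Added audit helper; not part of the benchmark text. Reports sshd_config
# keywords whose effective value differs from 5.3.5 - 5.3.22. sshd honours
# the FIRST occurrence of a keyword, so this mirrors that rule for one file
# and stops at the first Match block (Include'd files are not followed).

# effective_value FILE KEYWORD: first active value (keyword matched
# case-insensitively, '=' accepted as separator); empty output means unset.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { line = $0; sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line)
          split(line, f, /[[:space:]=]+/); k = tolower(f[1]) }
        k == "match" { exit }
        k == key { sub(/^[^[:space:]=]+[[:space:]=]+/, "", line); print line; exit }
    ' "$1"
}

# audit_sshd FILE: one line per deviation; the return value is the count.
audit_sshd() {
    bad=0
    while read -r kw want; do
        got=$(effective_value "$1" "$kw")
        [ "$got" = "$want" ] && continue
        printf '%s: effective "%s", want "%s"\n' "$kw" "${got:-<unset>}" "$want"
        bad=$((bad + 1))
    done <<'EOF'
LogLevel INFO
X11Forwarding no
MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
ClientAliveInterval 900
ClientAliveCountMax 0
LoginGraceTime 60
Banner /etc/issue.net
UsePAM yes
AllowTcpForwarding no
MaxStartups 10:30:100
MaxSessions 10
EOF
    return "$bad"
}
```

Run audit_sshd /etc/ssh/sshd_config; a keyword reported as unset is one sshd will take from its compiled-in default, which the benchmark does not accept as compliant.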

5.4 - Configure PAM

Ensure that pam_pwquality is installed by running apt-get install libpam-pwquality.

In /etc/security/pwquality.conf, ensure that minlen is set to 14 or higher and that either minclass = 4 is set or dcredit = -1, ucredit = -1, ocredit = -1, and lcredit = -1 are all set.

Then edit /etc/pam.d/common-password so that the pam_pwquality.so line includes retry=3 and the file contains:

password required pam_pwhistory.so remember=5
password [success=1 default=ignore] pam_unix.so sha512
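The minlen/minclass/credit rule above is easy to get wrong when a distribution ships a commented default and an administrator adds a second, conflicting line. The following checker, added here and not part of the benchmark text, evaluates a pwquality.conf against that rule; it assumes the last uncommented occurrence of a key wins, as with libpwquality's sequential parser, and it does not see options passed on the pam_pwquality.so line in common-password.

```shell
#!/bin/sh
# Added checker; not part of the benchmark text. Evaluates a pwquality.conf
# against 5.4: minlen >= 14 and either minclass = 4 or all four credits = -1.
# Assumption: the last uncommented "key = value" line for a key wins.
# Options given on the pam_pwquality.so line itself are not parsed here.

# pwq_get FILE KEY: value of the last uncommented "KEY = value" line, or
# nothing if the key is never set.
pwq_get() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        { k = $1; gsub(/[[:space:]]/, "", k) }
        k == key { v = $2; gsub(/[[:space:]]/, "", v); last = v }
        END { print last }' "$1"
}

# pwquality_ok FILE: return 0 when compliant; otherwise print each reason
# and return 1.
pwquality_ok() {
    f=$1 bad=0
    minlen=$(pwq_get "$f" minlen)
    if [ "${minlen:-0}" -lt 14 ]; then
        echo "minlen is ${minlen:-unset}, want 14 or higher"; bad=1
    fi
    if [ "x$(pwq_get "$f" minclass)" != "x4" ]; then
        # minclass does not satisfy the rule, so every credit must be -1
        for c in dcredit ucredit ocredit lcredit; do
            v=$(pwq_get "$f" "$c")
            [ "x$v" = "x-1" ] || { echo "$c is ${v:-unset} and minclass is not 4"; bad=1; }
        done
    fi
    return $bad
}
```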

Configure password lockouts by editing /etc/pam.d/common-auth to contain:

auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900

Then add to /etc/pam.d/common-account:

account requisite pam_deny.so
account required pam_tally2.so

5.5 - User Accounts and Environment

5.5.1 - Set Shadow Suite Parameters

In /etc/login.defs change the parameters to:

PASS_MIN_DAYS 1
PASS_MAX_DAYS 365
PASS_WARN_AGE 7

Then set the default inactivity period for new accounts, and apply it to every existing user:

useradd -D -f 30
chage --inactive 30 <user>

Make sure no user has a password change date in the future by running:

awk -F : '/^[^:]+:[^!*]/{print $1}' /etc/shadow | while read -r usr; do [ "$(date --date="$(chage --list "$usr" | grep '^Last password change' | cut -d: -f2)" +%s)" -gt "$(date "+%s")" ] && echo "user: $usr password changedate: $(chage --list "$usr" | grep '^Last password change' | cut -d: -f2)"; done

If a user has a password change date in the future, reset or expire the password.

5.5.2 - Secure system accounts

Set all system accounts to a non-login shell by running:

awk -F: '$1!~/(root|sync|shutdown|halt|^\+)/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!~/((\/usr)?\/sbin\/nologin)/ && $7!~/(\/bin)?\/false/ {print $1}' /etc/passwd | while read -r user; do usermod -s "$(which nologin)" "$user"; done

5.5.3 - Ensure default group for root is GID 0

Run usermod -g 0 root.

5.5.4 - Ensure default user umask is 027 or more restrictive

Run the following command to find any files that set a umask less restrictive than 027:

grep -RPi '(^|^[^#]*)\s*umask\s+([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b|[0-7][01][0-7]\b|[0-7][0-7][0-6]\b|(u=[rwx]{0,3},)?(g=[rwx]{0,3},)?o=[rwx]+\b|(u=[rwx]{1,3},)?g=[^rx]{1,3}(,o=[rwx]{0,3})?\b)' /etc/login.defs /etc/profile* /etc/bash.bashrc*

Edit the returned files to change the umask to 027. For example:

UMASK           027

Then, set the default umask by editing /etc/login.defs and making sure the following parameters are set:

UMASK 027

USERGROUPS_ENAB no

5.5.5 - Ensure default user shell timeout is 900 seconds or less

Make sure that TMOUT is configured by running the command:

for f in /etc/bash.bashrc /etc/profile /etc/profile.d/*.sh ; do grep -Eq '(^|^[^#]*;)\s*(readonly|export(\s+[^$#;]+\s*)*)?\s*TMOUT=(900|[1-8][0-9][0-9]|[1-9][0-9]|[1-9])\b' $f && grep -Eq '(^|^[^#]*;)\s*readonly\s+TMOUT\b' $f && grep -Eq '(^|^[^#]*;)\s*export\s+([^$#;]+\s+)*TMOUT\b' $f && echo "TMOUT correctly configured in file: $f"; done

If TMOUT is not configured correctly, open the file and ensure that it contains:

TMOUT=900
readonly TMOUT
export TMOUT

or

readonly TMOUT=900 ; export TMOUT

5.6 - Restrict root login to system console

Edit /etc/securetty to only contain authorized terminals.

If /etc/securetty does not exist, a template copy can be found at /usr/share/doc/util-linux/examples/securetty, which can be copied using:

sudo cp /usr/share/doc/util-linux/examples/securetty /etc/securetty

5.7 - Restrict access to the su command

Find the current su group by running:

grep pam_wheel.so /etc/pam.d/su

The output should be:

auth required pam_wheel.so use_uid group=GROUP_NAME

If no output is returned, run groupadd sugroup to create the group sugroup, and then add the following line to /etc/pam.d/su:

auth required pam_wheel.so use_uid group=sugroup

If output is returned, check that the group is empty by running grep GROUP_NAME /etc/group. It should return:

GROUP_NAME:x:GID:

with a number as the GID and no users listed after the last colon.