Hardening

Hi guys, this is not a complete list for hardening but compiles a set of things I usually use in my hardening exercises. 😼

Openscap guide

This exercise will cover off the basics of SCAP (Security Content Automation Protocol) and using OpenSCAP to Harden our Linux based OS. We will show you how easy it is to proactively scan and lock down our systems to ensure they are hardened to best practices using the SCAP Security Guide.

In short, SCAP standard consists of these components: XCCDF, OVAL, DataStream, ARF, CPE, CVE, CWE. In this article we will use the OVAL format for assessing our output using XCCDF as well as CPE for identifying the packages installed on the host system. A brief summary of these components are as follows:

OVAL: The Open Vulnerability and Assessment Language is declarative language for making logical assertions about the state of endpoint system.

XCCDF: The eXtensible Configuration Checklist Description Format is a language to express, organize, and manage security policies. These are the basic building block of security policy.

CPE: The Common Platform Enumeration is a structured naming scheme used to identify information technology systems, platforms, and packages. It will be used to identify uniquely identify a “platform” of software, hardware, or application.

Firstly, let’s install openscap, openscap-utils and scap-security-guide CentOS (you can be run on many variants of Linux such as RHEL, Ubuntu, Debian and so on…):

sudo yum -y install openscap openscap-utils scap-security-guide

Once installed, the SCAP Security Guide will include a set of pre-defined checklist we can make use of. available in the SCAP Security Guide content directory. Let’s list the available XCDF checklists we can take advantage of:

$  ls /usr/share/xml/scap/ssg/content/ | grep xccdf

ssg-centos6-xccdf.xml
ssg-centos7-xccdf.xml
ssg-firefox-xccdf.xml
ssg-jre-xccdf.xml
ssg-rhel6-xccdf.xml
ssg-rhel7-xccdf.xml

We will scan our system against “ssg-centos7-xccdf.xml”. We can inspect this checklist:

As you can see above, we have a set of profiles we can use when assessing our system against within the checklist. For example, if this was a host that needed to be in compliance with PCI-DSS or RHEL7 DISA STIG, we can use these profiles in our assessment and check for compliance.

Now we can run our scan. We will execute the following command:

$ sudo oscap xccdf eval --profile standard --results $(hostname)-scap-results-$(date +%Y%m%d).xml --report $(hostname)-scap-report-$(date +%Y%m%d)-after.html --oval-results --fetch-remote-resources --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml

Once run, the system will be assessed based on the options above. We defined:

• “standard” profile

• “ssg-centos7-xccdf.xml” checklist

• “ssg-rhel7-cpe-dictionary.xml” CPE dictionary which will download the OVAL tests to be run

The output is a configuration assessment report stored in a HTML file within the local directory by the value “$(hostname)-scap-report-$(date +%Y%m%d)-after.html”.

We can view this HTML file and assess the output to determine the changes we need to make on our system. It will give us a score and for each issue identified, provide an explanation as well as scripts that can be run to rectify.

Checklists

SCC NIST guide

SCAP Compliance Checker (SCC) version 5.4 is officially released, and for the first time SCC will be available to the general public, not just government employees and contractors.

Available rules

Win10 - profile

Screenshots - how to use SCC

How to create tailored profiles and import in another instance:

1. Start to edit the target profile.

2. Copy the tailored file from: C:\Program Files\SCAP Compliance Checker 5.4\Resources\Content\XCCDF_Tailoring

3. Create the dir: C:\Program Files\SCAP Compliance Checker 5.4\Resources\Content\XCCDF_Tailoring on the target instance

4. Import the tailored file

5. Export the options.xml file (FILE > Save Options as)

6. Import the options.xml file into the target instance.

My own scripts

#!/bin/sh
mkdir logs1

rpm -Va > logs1/rpm_va.log
rpm -qa > logs1/rpm_qa.log
ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null | tee logs1/etc_write_anyone.txt
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null | tee logs1/etc_write_others.txt
ls -alh /var/log > tee logs1/var.log > logs1/var.log	
cat /etc/fstab > logs1/fstab.log
find / -perm -1000 -type d 2>/dev/null | tee logs1/stick_bit.log
find / -writable -type d 2>/dev/null | tee logs1/world_writable_folders.txt
find / -perm -o x -type d 2>/dev/null | tee logs1/world_executable_folders.txt
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print | tee logs1/world_writable_files.log
cat /etc/yum.conf > logs1/yum.conf
ls -l /etc/yum.repos.d/ > logs1/repos.txt
systemctl -a | tee logs1/systemctl_a.log
iptable -S | tee logs1/iptables.log

#!/bin/bash
mkdir "logs"
uname -a > logs/uname.log
whereis strace > logs/strace.log
whereis ltrace > logs/ltrace.log
cat /etc/passwd > logs/etc_pwd.log
ifconfig -a > logs/ifconfig.log
route -n > logs/route.log
hostnamectl > logs/hostnamectl.log
awk -F: '($2 == "") {print}' > logs/empty_pwd_accounts.log
awk -F: '($3 == "0") {print}' > logs/non_root_accounts_with_suid.log
iptables -L > logs/iptables.log
/etc/sudoers > logs/etc_sudoers.log

WINDOWS SERVER 2012 R2 HARDENING CHECKLIST

RED HAT ENTERPRISE LINUX 7 HARDENING CHECKLIST

Awesome CheetSheets

Bonus

Why not using LinEnum 😎