Hardening
Hi guys, this is not a complete hardening list, but it compiles a set of things I usually use in my hardening exercises.
😼

OpenSCAP guide

This exercise covers the basics of SCAP (Security Content Automation Protocol) and of using OpenSCAP to harden a Linux-based OS. We will show how easy it is to proactively scan and lock down our systems so that they are hardened to best practice using the SCAP Security Guide.
In short, the SCAP standard consists of these components: XCCDF, OVAL, DataStream, ARF, CPE, CVE, CWE. In this article we will use the OVAL format for the actual checks, XCCDF for the checklist and results, and CPE for identifying the platform and packages installed on the host system. A brief summary of these components follows:
OVAL: The Open Vulnerability and Assessment Language is a declarative language for making logical assertions about the state of an endpoint system.
XCCDF: The eXtensible Configuration Checklist Description Format is a language to express, organize, and manage security policies. XCCDF documents are the basic building blocks of a security policy.
CPE: The Common Platform Enumeration is a structured naming scheme used to identify information technology systems, platforms, and packages. It is used to uniquely identify a "platform" of software, hardware, or application.
Firstly, let's install openscap, openscap-utils and scap-security-guide on CentOS (the same steps can be run on many Linux variants such as RHEL, Ubuntu, Debian and so on, with the distribution's own package manager):
sudo yum -y install openscap openscap-utils scap-security-guide
Once installed, the SCAP Security Guide provides a set of pre-defined checklists we can make use of, available in the SCAP Security Guide content directory. Let's list the available XCCDF checklists we can take advantage of:
$ ls /usr/share/xml/scap/ssg/content/ | grep xccdf
ssg-centos6-xccdf.xml
ssg-centos7-xccdf.xml
ssg-firefox-xccdf.xml
ssg-jre-xccdf.xml
ssg-rhel6-xccdf.xml
ssg-rhel7-xccdf.xml
We will scan our system against "ssg-centos7-xccdf.xml". We can inspect this checklist:
As you can see above, the checklist contains a set of profiles we can assess our system against. For example, if this host needed to be in compliance with PCI-DSS or the RHEL7 DISA STIG, we could use those profiles in our assessment and check for compliance.
Now we can run our scan. We will execute the following command:
$ sudo oscap xccdf eval --profile standard --results $(hostname)-scap-results-$(date +%Y%m%d).xml --report $(hostname)-scap-report-$(date +%Y%m%d)-after.html --oval-results --fetch-remote-resources --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
Once run, the system will be assessed based on the options above. We defined:
  • “standard” profile
  • “ssg-centos7-xccdf.xml” checklist
  • “ssg-rhel7-cpe-dictionary.xml” CPE dictionary which will download the OVAL tests to be run
The output is a configuration assessment report stored as an HTML file in the current directory, named by the value of "$(hostname)-scap-report-$(date +%Y%m%d)-after.html"; the machine-readable XCCDF results go to the file given by --results.
We can view this HTML file and assess the output to determine the changes we need to make on our system. It gives us a score and, for each issue identified, an explanation as well as remediation scripts that can be run to fix it.
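The --results XML from the scan above is also easy to process without opening the HTML report. The following is an added example (not part of the original page or of OpenSCAP) that parses the XCCDF TestResult, counts outcomes, and lists failed rules by severity; it reads the XCCDF namespace from the root element, so it handles the XCCDF 1.1 content used here as well as 1.2 content. The embedded results document is constructed, and its rule ids, outcomes and score are illustrative values only.

```python
"""Summarise the XCCDF results file written by `oscap xccdf eval --results`."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape oscap writes (XCCDF 1.1 namespace, as in
# ssg-centos7-xccdf.xml); rule ids, outcomes and score are illustrative only.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_standard" end-time="2019-01-01T00:00:00">
    <profile idref="standard"/>
    <rule-result idref="ensure_gpgcheck_globally_activated" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="dir_perms_world_writable_sticky_bits" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="no_empty_passwords" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="package_aide_installed" severity="low">
      <result>notselected</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">33.333333</score>
  </TestResult>
</Benchmark>
"""

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}  # unknown severities sort last

def summarise(xml_text):
    """Return (outcome counts, failed rules sorted by severity then id, score)."""
    root = ET.fromstring(xml_text)
    # Namespace prefix as ElementTree spells it: "{http://checklists.nist.gov/xccdf/1.1}" or 1.2
    ns = root.tag[:root.tag.index("}") + 1] if "}" in root.tag else ""
    test_result = root.find(f".//{ns}TestResult")
    counts = Counter()
    failed = []
    for rr in test_result.findall(f"{ns}rule-result"):
        outcome = rr.findtext(f"{ns}result")
        counts[outcome] += 1
        if outcome == "fail":
            failed.append((rr.get("severity", "unknown"), rr.get("idref")))
    failed.sort(key=lambda f: (SEVERITY_RANK.get(f[0], 3), f[1]))
    score = float(test_result.findtext(f"{ns}score"))
    return counts, failed, score

if __name__ == "__main__":
    counts, failed, score = summarise(SAMPLE_RESULTS)  # pass open(path).read() for a real results file
    print(f"score={score:.1f} outcomes={dict(counts)}")
    for severity, rule in failed:
        print(f"[{severity}] {rule}")
```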

Checklists

NCP - National Checklist Program Checklist Repository
CIS Benchmark Hardening/Vulnerability Checklists
New Net Technologies
Assessing and Hardening Linux with OpenSCAP
Bob Cromwell: Travel, Linux, Cybersecurity

SCC NIST guide

SCAP Compliance Checker (SCC) version 5.4 is officially released, and for the first time SCC will be available to the general public, not just government employees and contractors.
Security Content Automation Protocol (SCAP) – DoD Cyber Exchange
NCP - Download

Available rules

NCP - National Checklist Program Checklist Repository
Security Content Automation Protocol (SCAP) – DoD Cyber Exchange

Win10 - profile

NCP - Download

Screenshots - how to use SCC

Main panel.
Tailoring a file.
Show results.
Non-compliance report - Windows Firewall.
How to create tailored profiles and import them into another instance:
  1. Start editing the target profile.
  2. Copy the tailored file from: C:\Program Files\SCAP Compliance Checker 5.4\Resources\Content\XCCDF_Tailoring
  3. Create the dir C:\Program Files\SCAP Compliance Checker 5.4\Resources\Content\XCCDF_Tailoring on the target instance
  4. Import the tailored file
  5. Export the options.xml file (FILE > Save Options as)
  6. Import the options.xml file into the target instance.
Tailoring a profile.
Tailored file. After that, create the "XCCDF_Tailoring" dir and copy the tailored file onto the target instance.
Import/export options file.

My own scripts

#!/bin/sh
# Script 1: inventory packages, permissions, mounts, services and firewall rules (run as root)
mkdir -p logs1

rpm -Va > logs1/rpm_va.log                 # package files that differ from the RPM database
rpm -qa > logs1/rpm_qa.log                 # installed package list
# entries under /etc with any write bit set, and those writable by "others" (9th permission char)
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /w/' | tee logs1/etc_write_anyone.txt
ls -aRl /etc/ 2>/dev/null | awk 'substr($1, 9, 1) == "w"' | tee logs1/etc_write_others.txt
ls -alh /var/log > logs1/var_log.log
cat /etc/fstab > logs1/fstab.log
find / -perm -1000 -type d 2>/dev/null | tee logs1/sticky_bit.log
find / -perm -0002 -type d 2>/dev/null | tee logs1/world_writable_folders.txt
find / -perm -o=x -type d 2>/dev/null | tee logs1/world_executable_folders.txt
# world-writable directories lacking the sticky bit, and world-writable regular files (local filesystems only)
find / -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | tee logs1/world_writable_dirs_no_sticky.log
find / -xdev -type f -perm -0002 2>/dev/null | tee logs1/world_writable_files.log
cat /etc/yum.conf > logs1/yum.conf
ls -l /etc/yum.repos.d/ > logs1/repos.txt
systemctl -a | tee logs1/systemctl_a.log
iptables -S | tee logs1/iptables.log
#!/bin/bash
# Script 2: host identity, network, accounts and privilege configuration
# (run as root: /etc/shadow and /etc/sudoers are readable by root only)
mkdir -p logs

uname -a > logs/uname.log
whereis strace > logs/strace.log           # tracing tools present on a hardened host are worth noting
whereis ltrace > logs/ltrace.log
cat /etc/passwd > logs/etc_pwd.log
ifconfig -a > logs/ifconfig.log 2>/dev/null || ip addr show > logs/ifconfig.log   # net-tools may be absent
route -n > logs/route.log 2>/dev/null || ip route show > logs/route.log
hostnamectl > logs/hostnamectl.log
# empty password hashes live in /etc/shadow; field 2 of /etc/passwd is only "x"
awk -F: '($2 == "") {print $1}' /etc/shadow > logs/empty_pwd_accounts.log
# every account with UID 0; anything besides root here is a finding
awk -F: '($3 == "0") {print $1}' /etc/passwd > logs/uid_zero_accounts.log
iptables -L -n > logs/iptables.log
cat /etc/sudoers /etc/sudoers.d/* > logs/etc_sudoers.log 2>/dev/null

WINDOWS SERVER 2012 R2 HARDENING CHECKLIST

Windows Server 2012 R2 Hardening Checklist

RED HAT ENTERPRISE LINUX 7 HARDENING CHECKLIST

Red Hat Enterprise Linux 7 Hardening Checklist

Awesome Cheat Sheets

GitHub - decalage2/awesome-security-hardening: A collection of awesome security hardening guides, tools and other resources
C-Based Toolchain Hardening - OWASP Cheat Sheet Series
https://www.sans.org/score/checklists/linux
the-practical-linux-hardening-guide/README.md at master · trimstray/the-practical-linux-hardening-guide

Bonus

Why not use LinEnum?
😎
GitHub - rebootuser/LinEnum: Scripted Local Linux Enumeration & Privilege Escalation Checks