Enterprise Linux Security 2026
Linux Hardening
Server Security & CIS Benchmarks
CIS Benchmarks, SELinux, AppArmor, Kernel Hardening, Auditd & Compliance
What is Linux Hardening?
Linux hardening is the systematic securing of Linux servers through kernel security, SELinux/AppArmor and CIS Benchmarks. The goal is to reduce the attack surface.
80% of all Linux servers have insecure default configurations.
Linux Security Architecture
Linux servers are the foundation of modern infrastructure. Default installations are insecure. Hardening covers kernel security, mandatory access control, auditing and continuous compliance monitoring.
Kernel: Sysctl, Modules, ASLR
MAC: SELinux/AppArmor
Audit: Auditd, syslog
CIS: Benchmarks, SCAP
Kernel Hardening (sysctl)
# /etc/sysctl.conf - Kernel Security Hardening
# Disable IPv6 if not needed
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# IP spoofing protection (reverse path filtering)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Ignore source routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Ignore ICMP echo broadcasts (smurf attacks) and bogus error responses
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log martian packets
net.ipv4.conf.all.log_martians = 1
# SYN flood protection (the key must carry the full net.ipv4. prefix)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Memory allocation security (mmap randomisation bits)
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16
# ASLR (Address Space Layout Randomization)
kernel.randomize_va_space = 2
# Core dump restrictions
fs.suid_dumpable = 0
# ptrace scope (restrict ptrace to descendant processes)
kernel.yama.ptrace_scope = 1
# Restrict dmesg access
kernel.dmesg_restrict = 1
# Restrict kernel pointers in logs
kernel.kptr_restrict = 2
# Restrict perf events (timing attacks)
kernel.perf_event_paranoid = 2
# BPF hardening
net.core.bpf_jit_harden = 2

# Apply settings (shell command run as root, not part of the file)
sysctl -p
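Applying a baseline is only half the job; drift (a package resetting a key, a missing module such as yama) should be detected. The following added example, not code from the original page, compares each key in a sysctl.conf-style baseline with the live value via `sysctl -n` and reports mismatches. The `capture_reader` helper and the `SYSCTL_CAPTURE` variable are constructed for checking a saved "key value" dump offline.

```shell
#!/bin/sh
# Added example (not from the original page): report drift between a sysctl
# hardening baseline and the values a kernel currently has.
#
# Usage: sysctl_drift BASELINE_FILE [READER]
#   BASELINE_FILE uses sysctl.conf syntax (key = value, '#' comments).
#   READER is the command that prints the live value for one key; it defaults
#   to "sysctl -n" and can be swapped for capture_reader (below) to check a
#   saved dump offline. Output: one "key expected actual" line per mismatch,
#   "<unset>" when the key does not exist; no output means compliant.
sysctl_drift() {
    baseline=$1
    reader=${2:-"sysctl -n"}
    # strip comments and blank lines, normalise "key = value" to "key value"
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
        -e 's/[[:space:]]*=[[:space:]]*/ /' "$baseline" |
    while read -r key expected; do
        actual=$($reader "$key" 2>/dev/null) || actual='<unset>'
        # collapse tabs/multiple spaces so multi-value keys compare cleanly
        set -- $actual
        actual=$*
        [ "$actual" = "$expected" ] ||
            printf '%s %s %s\n' "$key" "$expected" "$actual"
    done
}

# Constructed offline reader: looks the key up in the file named by
# $SYSCTL_CAPTURE, whose lines have the form "key value". Exits non-zero
# when the key is absent, mirroring sysctl -n on an unknown key.
capture_reader() {
    awk -v k="$1" '$1 == k { print $2; found = 1 } END { exit !found }' \
        "$SYSCTL_CAPTURE"
}
```

Run `sysctl_drift /etc/sysctl.conf` on a host to list every hardening key that is not in effect.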
SELinux (RHEL/CentOS/Fedora)
# /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
# Check status
sestatus
getenforce
# View current context
ls -Z /var/www/html
ps auxZ | grep httpd
# Custom Policy Module
# myapp.te
module myapp 1.0;
require {
    type httpd_t;
    type fs_t;
    class file { read write execute };
    class dir { read write search };
    class filesystem associate;
}
# Private type for the application's data files, declared by this module
# (a type used in allow rules must be declared or required, or checkmodule fails)
type myapp_var_t;
# Files on ordinary filesystems (fs_t) may carry this label
allow myapp_var_t fs_t:filesystem associate;
# Allow httpd to read/write application files
allow httpd_t myapp_var_t:file { read write };
allow httpd_t myapp_var_t:dir { read search };
# Build and load policy
checkmodule -M -m -o myapp.mod myapp.te
semodule_package -o myapp.pp -m myapp.mod
semodule -i myapp.pp
# Troubleshooting (dontaudit rules hide many denials by default)
semodule -DB # Rebuild policy with dontaudit rules disabled; semodule -B re-enables them
ausearch -m AVC -ts recent # View denials
# Permissive mode for a single domain (everything else stays enforcing)
semanage permissive -a httpd_t
# File context management
semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
restorecon -Rv /web
AppArmor (Ubuntu/Debian/SUSE)
# /etc/apparmor.d/usr.sbin.nginx
#include <tunables/global>
/usr/sbin/nginx {
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/openssl>
    capability net_bind_service,
    capability setgid,
    capability setuid,
    capability dac_override,
    capability dac_read_search,
    /usr/sbin/nginx mr,
    /etc/nginx/** r,
    /var/log/nginx/** rw,
    /var/www/** r,
    /run/nginx.pid rw,
    /run/nginx.pid.lock k,
    # Deny dangerous operations
    deny /etc/shadow r,
    deny /etc/passwd w,
    deny /proc/sys/** w,
    deny /sys/** w,
    # Network
    network inet stream,
    network inet6 stream,
    network unix stream,
}
# Enable profile
aa-enforce /etc/apparmor.d/usr.sbin.nginx
# Complain mode (logging only)
aa-complain /etc/apparmor.d/usr.sbin.nginx
# Generate profile from logs
aa-genprof nginx
# Check status
aa-status
# View denied operations
dmesg | grep -i apparmor
journalctl -k | grep -i apparmor
Auditd - Comprehensive System Auditing
# /etc/audit/rules.d/audit.rules
# Delete all existing rules
-D
# Set buffer size
-b 8192
# Monitor user/group modifications
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
# Monitor sudoers
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
# Monitor SSH config
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /etc/ssh/ssh_config -p wa -k ssh_config
# Monitor PAM config
-w /etc/pam.d/ -p wa -k pam_changes
# Monitor kernel module loading/unloading
-a always,exit -F arch=b64 -S init_module -S delete_module -k kernel_modules
# Monitor mount operations
-a always,exit -F arch=b64 -S mount -S umount2 -k mount_ops
# Monitor setuid/setgid system calls
-a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -k privilege_escalation
# Monitor file permission changes
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -k permission_changes
# Monitor failed access attempts
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k access_denied
-a always,exit -F arch=b64 -S open -S openat -F exit=-EPERM -k access_denied
# Privileged commands (uid differs from euid, i.e. setuid programs running as root)
-a always,exit -F arch=b64 -C uid!=euid -F euid=0 -S execve -k privilege_cmd
-a always,exit -F arch=b64 -C gid!=egid -F egid=0 -S execve -k privilege_cmd
# Logins/Logouts
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
# Process execution tracking for logged-in users
# (-C compares two fields; a field-to-value test needs -F, and the login uid is auid)
-a always,exit -F arch=b64 -S execve -F auid!=unset -k process_exec
# Network activity (socket/connect/bind; very noisy on busy hosts)
-a always,exit -F arch=b64 -S socket -S connect -S bind -k network_changes
# Ignore noise
-a never,exit -F arch=b64 -S clock_settime -k time
-a never,exit -F arch=b64 -S adjtimex -k time
# Make rules immutable (requires a reboot to change)
-e 2
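The -k keys above are what make the resulting records useful: ausearch -k filters on them, and a SIEM rule can count them. The following added example, not code from the original page, does the same triage with awk over raw audit.log lines so the record format is visible; the sample log written by `write_sample_audit_log` is constructed and abbreviated.

```shell
#!/bin/sh
# Added example (not from the original page): triage raw /var/log/audit/audit.log
# records by the -k keys used in the rules above.
#   audit_key_summary LOG     -> "key count" per key, sorted
#   audit_key_events  LOG KEY -> "epoch auid exe success" per SYSCALL record tagged KEY
audit_key_summary() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^key="/) { k = $i; gsub(/^key="|"$/, "", k); n[k]++ }
    }
    END { for (k in n) print k, n[k] }' "$1" | sort
}

audit_key_events() {
    awk -v want="$2" '
    $1 == "type=SYSCALL" {
        for (k in f) delete f[k]
        # split every name=value token; strip the quotes around string values
        for (i = 1; i <= NF; i++)
            if (split($i, kv, "=") >= 2) { v = kv[2]; gsub(/"/, "", v); f[kv[1]] = v }
        if (f["key"] == want) {
            # msg=audit(EPOCH.MS:SERIAL): -> keep the epoch seconds only
            ts = f["msg"]; sub(/^audit\(/, "", ts); sub(/\..*/, "", ts)
            print ts, f["auid"], f["exe"], f["success"]
        }
    }' "$1"
}

# Constructed, abbreviated audit.log lines (not from a real host) for testing.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2100 pid=2101 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 comm="cat" exe="/usr/bin/cat" key="access_denied"
type=SYSCALL msg=audit(1700000002.202:502): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2100 pid=2105 auid=1000 uid=1000 gid=1000 euid=0 tty=pts0 comm="sudo" exe="/usr/bin/sudo" key="privilege_cmd"
type=PATH msg=audit(1700000002.202:502): item=0 name="/usr/bin/sudo" inode=1234 mode=0104755 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000005.303:503): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1 pid=2200 auid=0 uid=0 gid=0 euid=0 tty=pts1 comm="vi" exe="/usr/bin/vi" key="identity"
type=SYSCALL msg=audit(1700000007.404:504): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2100 pid=2210 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 comm="less" exe="/usr/bin/less" key="access_denied"
EOF
}
```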
CIS Benchmark Automation (OpenSCAP)
# Install OpenSCAP
yum install -y scap-security-guide openscap-scanner
apt-get install -y ssg-debian openscap-utils
# Run CIS Level 2 Server Benchmark
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis_level2_server \
  --results-arf /tmp/cis-results.xml \
  --report /tmp/cis-report.html \
  /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# View results
firefox /tmp/cis-report.html
# Generate remediation script (Bash) for the rules that failed
# (--result-id names the TestResult inside the results file, which OpenSCAP
# derives from the profile id; it is not the profile id itself)
oscap xccdf generate fix \
  --fix-type bash \
  --output /tmp/cis-remediation.sh \
  --result-id xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis_level2_server \
  /tmp/cis-results.xml
# Generate Ansible remediation
oscap xccdf generate fix \
  --fix-type ansible \
  --output /tmp/cis-remediation.yml \
  /tmp/cis-results.xml
# Apply remediation (review the generated script before running it)
bash /tmp/cis-remediation.sh
# Tailoring (exclude specific rules)
oscap xccdf eval \
  --tailoring-file custom-tailoring.xml \
  --profile xccdf_custom_profile \
  /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# Continuous compliance scanning via cron
# /etc/cron.daily/cis-scan
#!/bin/bash
RESULT=/var/log/cis-scan-$(date +%Y%m%d).xml
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
  --results "$RESULT" \
  /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# Alert on failures: match only rule results, and only in today's file
# (a bare "fail" would also match rule text and every older scan)
if grep -q '<result>fail</result>' "$RESULT"; then
  echo "CIS compliance failures detected" | mail -s "CIS Alert" security@company.com
fi
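For alerting and drift tracking it is better to extract which rules failed than to grep the results file for the word "fail". The following added example, not code from the original page, pulls rule id, severity and per-result counts out of an XCCDF results file as written by `oscap xccdf eval --results`; the file produced by `write_sample_results` is a constructed, abbreviated TestResult.

```shell
#!/bin/sh
# Added example (not from the original page): read per-rule outcomes from an
# XCCDF results file (oscap xccdf eval --results ...).
#   xccdf_failed_rules  FILE -> "severity rule-id" for each rule whose result is fail
#   xccdf_result_counts FILE -> "result count" lines (fail, pass, notapplicable, ...)
xccdf_failed_rules() {
    awk '
    /<rule-result / {
        # remember the idref and severity of the rule-result being read
        id = $0; sub(/.*idref="/, "", id); sub(/".*/, "", id)
        sev = "unknown"
        if ($0 ~ /severity="/) { sev = $0; sub(/.*severity="/, "", sev); sub(/".*/, "", sev) }
    }
    /<result>fail<\/result>/ && id != "" { print sev, id; id = "" }
    ' "$1"
}

xccdf_result_counts() {
    awk '
    match($0, /<result>[a-z]+<\/result>/) {
        # <result> is 8 characters, </result> is 9: keep what lies between
        r = substr($0, RSTART + 8, RLENGTH - 17); n[r]++
    }
    END { for (r in n) print r, n[r] }' "$1" | sort
}

# Constructed, abbreviated XCCDF TestResult (not output of a real scan).
write_sample_results() {
    cat > "$1" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis_level1_server">
  <rule-result idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_selinux_state" severity="high">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
EOF
}
```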
SSH Hardening
# /etc/ssh/sshd_config - Production Hardening
# Protocol: modern OpenSSH speaks SSH-2 only; the "Protocol" directive is
# deprecated and only produces a warning, so it is left out.
# Authentication
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
# Key algorithms (secure only)
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
# Connection limits
MaxAuthTries 3
MaxSessions 2
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 60
# User restrictions (evaluated in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups)
AllowUsers deploy@10.0.0.* ansible@10.0.0.*
DenyUsers root admin test guest
AllowGroups ssh-users wheel
# Security
X11Forwarding no
AllowTcpForwarding no
PermitTunnel no
GatewayPorts no
Banner /etc/ssh/banner
UseDNS no
# Logging
LogLevel VERBOSE
SyslogFacility AUTH
# SFTP only for certain users
# (the chroot directory and every component above it must be root-owned and not group/world-writable)
Match User sftpuser
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    ChrootDirectory /srv/sftp
Match Group developers
    AllowTcpForwarding yes
Linux Security Checklist
System Hardening
☐ Kernel updated to latest LTS
☐ ASLR enabled (randomize_va_space=2)
☐ Sysctl security parameters applied
☐ Unused services disabled
☐ Boot loader password set (GRUB)
☐ Single user mode password protected
Access Control
☐ SELinux/AppArmor enforcing
☐ Password policy configured (PAM)
☐ Account lockout after 5 failures
☐ Session timeout configured
☐ Sudo logging enabled
☐ SSH key-only auth (no passwords)
Auditing
☐ Auditd installed and running
☐ Custom audit rules configured
☐ Audit logs forwarded to SIEM
☐ Log rotation configured
☐ Failed login alerts enabled
☐ Privileged command auditing
Compliance
☐ CIS benchmark scan completed
☐ SCAP content installed
☐ Monthly compliance reports
☐ Vulnerability scanning (OpenVAS)
☐ Configuration drift detection
☐ Remediation automation in place