
Wednesday, April 2, 2014

Using CFEngine for Linux systems hardening

What is CFEngine? The best answer to this question is CFEngine website: https://cfengine.com/what-is-cfengine

In a nutshell, CFEngine "is a popular open source configuration management system, written by Mark Burgess. Its primary function is to provide automated configuration and maintenance of large-scale computer systems, including the unified management of servers, desktops, embedded networked devices, mobile smartphones, and tablet computers." (Wikipedia)

I'm using CFEngine for various sysadmin and infosec tasks and it has proved to be a reliable and stable configuration management system.

I would like to share with you CFEngine promises (a system configuration description written in the CFEngine language) for RH-based Linux systems. These "promises" force the system to become and stay hardened, provide centralized user management and take care of the initial system configuration.

https://github.com/IhorKravchuk/cfengine


file system_setup.cf - covers system configuration and hardening.
file users.cf - user and group management.
file site.cf - lets you describe different environments or data centers (global variables for the system configuration).
file promises.cf - the main file that links all components together.
files update.cf and failsafe.cf - responsible for updating the promises in normal operation and in case of failure.

I'll add more comments and descriptions in a subsequent code release or upon your request.
IMHO the code is self-explanatory and really easy to read as soon as you become familiar with the basic CFEngine principles.

Thursday, May 2, 2013


Adding security into Enterprise Linux system-wide authentication mechanism:

A few small modifications to the default authentication mechanism on RedHat 5/6 based systems will increase system security.

First, switch from MD5 to SHA-512 password hashes; it is as easy as executing:

authconfig --passalgo=sha512 --updateall

Then update your /etc/pam.d/system-auth with settings more adequate to current threats (note the warning in the file header: authconfig rewrites this file, so run the authconfig step above first):

#vi /etc/pam.d/system-auth
#%PAM-1.0
# User changes will be destroyed the next time authconfig is run.

auth        required      pam_env.so
auth        required      pam_unix.so nullok try_first_pass
auth        sufficient    pam_tally2.so deny=10 onerr=fail unlock_time=1200
# lock the account after 10 failed attempts; unlock automatically after 20 minutes (1200 seconds).
auth        required      pam_deny.so

account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    required      pam_passwdqc.so min=disabled,disabled,12,8,8 max=32 passphrase=2 match=4 similar=deny random=32 enforce=everyone retry=5
# instead of the default pam_cracklib.so, switch to the more advanced pam_passwdqc.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so


Brief explanation of the pam_passwdqc.so settings proposed here:
min=disabled,disabled,12,8,8 - disallows passwords of any length built from a single character class, disallows passwords of any length built from two character classes, requires a minimum length of 12 characters for a passphrase, a minimum of 8 characters for a password using three character classes, and a minimum of 8 characters for a password using four character classes. If the user fails to provide a sufficiently strong password, the module asks for a new one.
max=32 - the maximum allowed password length is 32 characters.
passphrase=2 - a passphrase must consist of at least 2 words.
match=4 - checks whether a 4-character substring of the password matches dictionary words. If so, the password complexity requirements are checked against the password with that substring removed.
similar=deny - deny a new password that is similar to the old one.
random=32 - randomly generated passphrases will be 32 bits (IMHO, bytes) long.
enforce=everyone - enforce the complexity policy for everyone.
retry=5 - the module will ask up to 5 times for a new password if the user fails to provide a sufficiently strong one.
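As an added example (not part of the original post), here is a small Python audit that parses a system-auth file in the format shown above and checks the points this post recommends: SHA-512 hashing on pam_unix, a pam_tally2 lockout present in both the auth and account phases, pam_passwdqc in place of pam_cracklib, and the min= thresholds that disable single-class passwords and require 12-character passphrases. The sample config is constructed from the post's file, and the check names are my own.

```python
import re

# Constructed sample modelled on the system-auth shown in the post (not read from disk).
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_unix.so nullok try_first_pass
auth        sufficient    pam_tally2.so deny=10 onerr=fail unlock_time=1200
auth        required      pam_deny.so
account     required      pam_tally2.so
account     required      pam_unix.so
password    required      pam_passwdqc.so min=disabled,disabled,12,8,8 max=32 passphrase=2 retry=5
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
"""

# type, control (plain word or [bracketed]), module, remaining arguments
RULE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_pam(text):
    """Return (type, control, module, {arg: value}) per rule; comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            ptype, control, module, rest = m.groups()
            args = dict(tok.partition("=")[::2] for tok in rest.split())  # flag-only args map to ""
            rules.append((ptype, control, module, args))
    return rules

def audit(text):
    """Evaluate the hardening points from the post; returns {check_name: bool}."""
    rules = parse_pam(text)
    def find(ptype, module):
        return [args for t, _, mod, args in rules if t == ptype and mod == module]
    tally = find("auth", "pam_tally2.so")
    qc = find("password", "pam_passwdqc.so")
    # min=N0,N1,N2,N3,N4: N0 one class, N1 two classes, N2 passphrase, N3/N4 three/four classes
    mins = [a.get("min", "").split(",") for a in qc]
    return {
        "sha512_hashing": any("sha512" in a for a in find("password", "pam_unix.so")),
        "lockout_deny_le_10": any(a.get("deny", "").isdigit() and int(a["deny"]) <= 10 for a in tally),
        "tally_in_account_phase": bool(find("account", "pam_tally2.so")),
        "passwdqc_replaces_cracklib": bool(qc) and not find("password", "pam_cracklib.so"),
        "single_class_disabled": any(m[0] == "disabled" for m in mins),
        "passphrase_min_ge_12": any(len(m) == 5 and m[2].isdigit() and int(m[2]) >= 12 for m in mins),
    }
```

Run `audit(open("/etc/pam.d/system-auth").read())` on a host to see which of the post's recommendations are missing; every value is True for the sample above.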