
Remediations

###### disable rsh and rlogin


The rlogin service is controlled by FMRI svc:/network/login:rlogin.

The rsh service is controlled by FMRI svc:/network/shell:default.

Disable both (they send credentials and session data in clear text and trust .rhosts / hosts.equiv):
svcadm disable svc:/network/login:rlogin
svcadm disable svc:/network/shell:default
svcs -a | grep -Ei 'rlogin|network/shell'      (both should now show "disabled")

####### cipher and mac remediation for solaris


solaris ciphers / MACs (sshd_config)
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
MACs hmac-sha2-512,hmac-sha2-256
NOTE: this list still permits CBC-mode ciphers (aes*-cbc, blowfish-cbc), which scanners report as "SSH CBC mode ciphers enabled";
use the CTR-only list given further down (ciphers aes128-ctr,aes192-ctr,aes256-ctr) unless a legacy client genuinely needs CBC.
Restart sshd after editing (svcadm restart ssh) and re-scan.

####### ntp information disclosure vulnerability - solaris #####


add the line below to /etc/inet/ntp.conf (once -- it appears twice in the file shown below; the second copy is redundant):

restrict default limited kod nomodify notrap nopeer noquery

On older ntpd builds "restrict default" covers IPv4 only, so add the IPv6 equivalent as well:
restrict -6 default limited kod nomodify notrap nopeer noquery
Note that the unflagged "restrict <server>" lines in the file below lift ALL restrictions for those hosts (they can query and
reconfigure ntpd); if that is not intended, use "restrict <server> nomodify notrap noquery" instead. Restart ntp (svcadm restart ntp)
and re-test from another host, e.g. "ntpq -c rv <host>" should be refused or time out.

-bash-4.4# cat /etc/inet/ntp.conf


server 10.199.202.10 prefer
server 10.1.224.1
server 10.1.224.2
restrict default limited kod nomodify notrap nopeer noquery
restrict default limited kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 10.199.202.10
restrict 10.1.224.1
restrict 10.1.224.2
driftfile /var/ntp/ntp.drift
statsdir /var/ntp/ntpstats
filegen peerstats file peerstats type day enable
filegen loopstats file loopstats type day enable
filegen clockstats file clockstats type day enable
-bash-4.4#

########## ServerKeyBits for short keys #####

root@ojctm04:~# grep ServerKeyBits /etc/ssh/sshd_config
ServerKeyBits 2048
-------
# Length of the server key
# Default 768, Minimum 512
ServerKeyBits 2048
NOTE: ServerKeyBits only sizes the ephemeral server key of SSH protocol 1; it has no effect on protocol 2, and OpenSSH 7.4+
accepts it only as a deprecated no-op. If the scanner finding is about a weak (short) host key, regenerate the host keys
instead, e.g. remove the old /etc/ssh/ssh_host_rsa_key* and run "ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key",
make sure "Protocol 1" is not enabled, restart sshd and re-scan (clients will see a changed host key).

none /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0

yum remove xorg-x11* ----- i didn't implement this


/etc/modprobe.d/CIS.conf
install jffs2 /bin/true      (one "install <fs> /bin/true" line per unneeded filesystem the benchmark lists -- cramfs, freevxfs,
                              jffs2, hfs, hfsplus, squashfs, udf -- then "rmmod <fs>" for any that are currently loaded)
gpgcheck=1                   (must be set in /etc/yum.conf AND in every /etc/yum.repos.d/*.repo)
chmod 644 /etc/issue         (these notes had 664; 0644 root:root is the benchmark value -- group write adds nothing)

systemctl disable snmpd


chmod 644 issue*             (run from /etc; 0644 root:root is the benchmark value, group write is unnecessary)
yum clean all
yum repolist
--- "audit=1" on the kernel command line turns the audit subsystem on from boot, so events from processes that start
--- before auditd itself are queued and written once auditd is up
cd /etc/default/
cp grub grub.bk20200206
vi /etc/default/grub
GRUB_CMDLINE_LINUX="audit=1"                      (append audit=1 to the existing value -- do not drop the other parameters)
# grub2-mkconfig -o /boot/grub2/grub.cfg           (BIOS boot; "grub2-mkconfig" with no -o only prints to stdout)
# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg  (UEFI boot -- directory name is the distro's, e.g. centos)
then reboot and verify with: grep audit /proc/cmdline

---- "-p a" records attribute changes (chmod/chown/etc.) on the sudo binary; it does NOT record uses of sudo.
---- To log executions use "-p x", or the benchmark form:
----   -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---- auditctl rules are runtime only -- put the rule in /etc/audit/rules.d/<name>.rules to survive a reboot.
---- On RHEL 7 /bin is a symlink to /usr/bin, so watch /usr/bin/sudo.
auditctl -w /bin/sudo -p a -k privileged

--- password history

password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=24
   (remember=24 keeps the last 24 hashes in /etc/security/opasswd. "nullok" lets accounts with an empty password field log in and
    should be removed. On RHEL 7 the benchmark puts history on its own line before pam_unix --
    "password required pam_pwhistory.so remember=24 use_authtok" -- and "authconfig" regenerates system-auth and discards hand
    edits, so apply the same change to password-auth and re-check after any authconfig run.)

---- loop back firewall

firewall-cmd --permanent --zone=drop --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
firewall-cmd --reload
   (without --permanent the rule exists only in the runtime configuration and "--reload" discards it, so a check made right after
    these two commands finds nothing. The rule also only applies if the lo interface is in the zone named -- the benchmark puts lo in
    the "trusted" zone and adds the rule there. Verify with: firewall-cmd --zone=<zone> --list-rich-rules)

password sufficient pam_unix.so sha512

$$$$$$$ this didn't work $$$$   (it is not clear from the notes which step failed; note that a bare pam_unix line like the one
   above drops "shadow", "use_authtok" and the history setting -- the full line under "password history" is the one to keep,
   and a second "password sufficient pam_unix.so" entry is not wanted)


----- records changes to the system clock (key: time-change) -----
auditctl -a always,exit -F arch=b64 -S stime -k time-change
$$$$ this fails on x86_64 because "stime" only exists in the 32-bit syscall table (auditctl reports it as an unknown syscall). Use:
auditctl -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
auditctl -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
auditctl -a always,exit -F arch=b64 -S clock_settime -k time-change
auditctl -a always,exit -F arch=b32 -S clock_settime -k time-change
auditctl -w /etc/localtime -p wa -k time-change
and put the same lines (without the leading "auditctl") in /etc/audit/rules.d/time-change.rules so they persist $$$$

/tmp
# systemctl unmask tmp.mount
# systemctl enable tmp.mount        (add nodev,nosuid,noexec to Options= in /etc/systemd/system/tmp.mount so they persist across reboots)
# yum install aide                  (then "aide --init", move /var/lib/aide/aide.db.new.gz to aide.db.gz, and schedule "aide --check" in cron)
# sed -i 's/gpgcheck=0/gpgcheck=1/g' /etc/yum.repos.d/dev-source.repo
# sed -i 's/SELINUX=permissive/SELINUX=enforcing/g' /etc/selinux/config
#    (this pattern does not match SELINUX=disabled -- check with "grep ^SELINUX= /etc/selinux/config". Going from disabled to
#     enforcing needs a relabel ("touch /.autorelabel") and a reboot; from permissive, "setenforce 1" applies it immediately)

# find /var/log -type f -exec chmod g-wx,o-rwx {} +

export http_proxy="http://10.1.224.244:8080";export
https_proxy="http://10.1.224.244:8080"

tcpdump.x86_64 14:4.9.2-4.0.1.el7_7.1

##### remediation ###

mount -o remount,noexec /tmp -- /tmp is only for temporary storage; binaries placed under it cannot be executed
mount -o remount,nodev /tmp -- device special files on the filesystem are not honoured
mount -o remount,nosuid /tmp -- set-user-ID / set-group-ID bits are ignored, so a setuid file dropped in /tmp gains nothing
mount -o remount,nodev /home
mount -o remount,noexec /dev/shm          (listed twice in the original notes; once is enough)
mount -o remount,noexec /var/tmp
NOTE: "mount -o remount" changes are lost at reboot -- put nodev,nosuid,noexec in /etc/fstab (or the tmp.mount unit) for /tmp,
/var/tmp and /dev/shm, and verify with: findmnt -n /tmp /var/tmp /dev/shm /home

mount -o remount,exec /tmp   -- this UNDOES the noexec set on /tmp above (usually done so an installer can run from /tmp);
                                re-apply "mount -o remount,noexec /tmp" afterwards or the next scan will flag it again

systemctl disable autofs

chown root:root /boot/grub2/grub.cfg --- together with the chmod below, stops non-root users from reading the boot
                                         configuration (kernel parameters, any GRUB password hash) or altering it
chmod og-rwx /boot/grub2/grub.cfg        (on UEFI systems the live file is /boot/efi/EFI/<distro>/grub.cfg -- apply to both)

chmod 600 /etc/group-

cp issue.net issue
chmod 644 issue          (0644 root:root; the 664 in these notes is more permissive than needed)

---- edit /etc/ntp.conf under restrict ---


restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

- to Ensure sticky bit is set on all world-writable directories:
  df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs chmod a+t
  (run the same pipeline without the final "| xargs chmod a+t" to list the directories that still lack the bit)

############# solaris ciphers / MACs (sshd_config)

ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
MACs hmac-sha2-512,hmac-sha2-256
NOTE: the CBC entries (aes*-cbc, blowfish-cbc) are what a "SSH CBC mode ciphers enabled" finding is about; drop them
(ciphers aes128-ctr,aes192-ctr,aes256-ctr) unless a legacy client is known to need CBC, then restart sshd and re-scan.

########## lockout after failed logins ("no retry") -- /etc/pam.d/system-auth AND password-auth ##### add the faillock lines around the pam_unix "auth" line

auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
   (deny=5 / unlock_time=900 = locked for 15 minutes after 5 failures. The same lines must go in password-auth or ssh logins are
    not covered. "authconfig --update" regenerates both files and discards hand edits -- prefer
    "authconfig --enablefaillock --faillockargs='deny=5 unlock_time=900' --update", or edit the *-ac files.
    Inspect / clear a locked user with "faillock --user <u>" and "faillock --user <u> --reset".)

password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=24
   (remove "nullok" -- it allows accounts with an empty password field to log in)

yum install aide

###### my qualys passwd ###

[credential removed -- the scanner account password was stored here in clear text. Rotate it, and keep it in a
 password manager / vault rather than in remediation notes that get shared or uploaded.]

tail -f /var/log/secure        (watch authentication / pam_faillock messages while testing the changes above)

Set minimum password age for root to 7 days


Install AIDE
Set gpgcheck within yum/repos.d to 1
Set crontab permissions to 600
Set cron.d permissions to 600
Remove the at.deny & cron.deny files

sed -i 's/SELINUX=permissive/SELINUX=enforcing/g' /etc/selinux/config


-----------------------------------------------
grep -v ^$ /etc/login.defs | grep -v ^# -- linux
grep -v ^$ /etc/ssh/sshd_config | grep -v ^# -- linux & solaris
grep -v ^$ /etc/default/login | grep -v ^# -- solaris
umask
retries
syslog

cat /etc/pam.d/system-auth -- RHEL/CentOS (Solaris 11 uses /etc/pam.d/other plus per-service files; Solaris 10 uses /etc/pam.conf)

cat /etc/default/passwd - Solaris: HISTORY (password history), PASSLENGTH (minimum length), MAXWEEKS / MINWEEKS (max / min age),
                          NAMECHECK (password may not match the login name)


cat /etc/passwd
passwd -s user

umask

rm -f /etc/cron.deny
rm -f /etc/at.deny
touch /etc/cron.allow
touch /etc/at.allow
chmod og-rwx /etc/cron.allow
chmod og-rwx /etc/at.allow
chown root:root /etc/cron.allow
chown root:root /etc/at.allow
(with the allow files empty only root may use cron/at -- add one username per line for any service account that owns a
 crontab, otherwise its jobs silently stop running)

--lock inactive acct ----

logins -axo -l "user" | awk -F: '{print $13}' --- solaris: shows the account's inactivity threshold (days)
useradd -D | grep INACTIVE --- linux: default for NEW accounts only; set it with "useradd -D -f 35" and check existing users with "chage -l <user>"

usermod -f 35 user    (linux and solaris: lock the account after 35 days without a login. The CIS Linux benchmarks expect 30 days
                       or less, so 35 may still be reported -- check what the scan is asking for)
rolemod -f 35 user    (solaris roles)

######### ciphers|kexalgorithms   (sshd_config; run "sshd -t" then restart sshd, and confirm with "sshd -T | grep -iE 'ciphers|macs|kex'")
MACs hmac-sha2-512,hmac-sha2-256

ciphers aes128-ctr,aes192-ctr,aes256-ctr
(if the scanner also flags weak key exchange, add a KexAlgorithms line built from "ssh -Q kex" on the host, e.g.
 KexAlgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256)

echo "ServerKeyBits 2048" >> /etc/ssh/sshd_config
(only meaningful for SSH protocol 1 -- useless on a protocol-2-only server, and OpenSSH 7.4+ merely logs it as deprecated.
 After any append, run "sshd -t" so a bad line is caught before the restart locks you out.)

##### create encrypted password ####

openssl passwd -1 -salt xyz yourpassword
   ("-1" is MD5-crypt, which scanners and most baselines now flag as weak; prefer SHA-512:
    "openssl passwd -6 yourpassword" (OpenSSL 1.1.1+) or
    python3 -c 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), crypt.mksalt(crypt.METHOD_SHA512)))'
    Let the tool generate the salt -- a fixed salt such as "xyz" reused across hosts makes equal passwords produce equal hashes --
    and do not pass the password on the command line, where it lands in shell history and "ps"; use the prompt form below.)

dragon@user123
$1$xyz$LqLzaMtt74CpnSBWR4wqz1
(worked example only -- never reuse this value on a real account)

or
openssl passwd -1 -salt xyz
>your password

##### test if a port is working ###


nc -zv 10.1.218.18 80

####### force unmount a dir #########

fuser -ck dir       (-c treats the path as a mount point; -k sends SIGKILL to EVERY process using it. Run "fuser -cv /app" first
                     to see what would be killed, then "umount /app". "umount -l /app" is the non-destructive lazy alternative.)
fuser -ck /app

cat /etc/issue --- local console banner; ssh shows the file named by "Banner" in sshd_config (normally /etc/issue.net)

if the banner is not displayed over ssh, point "Banner" in sshd_config at the correct, non-empty file (e.g. Banner /etc/issue.net)
and restart sshd. Deleting the Banner line turns the ssh banner off, which is the opposite of what a "missing banner" finding wants.

auditctl -l --- lists the audit rules currently loaded in the kernel

service auditd restart    (on RHEL/CentOS 7 "systemctl restart auditd" is refused -- the unit has RefuseManualStop=yes -- so use the
                           service script, or "augenrules --load" to load /etc/audit/rules.d/*.rules without restarting auditd)

[credential removed -- a password was written here in clear text; rotate it and store it in a vault, not in these notes]
find ./ -name syslog - arcsight

/etc/pam.d/system-auth - password history on RHEL/CentOS; on Solaris the history setting is HISTORY= in /etc/default/passwd

grep -v ^# /etc/login.defs | grep -v ^$ ---- check for password security check


grep -v ^$ /etc/login.defs | grep PASS

cat /etc/login.defs |grep -v ^$|grep -v ^#;hostname

############# audit on solaris #########

auditreduce -c lo | praudit -s      (extracts the "lo" class -- login/logout events -- from the audit trail and prints them in short form)

###### cipher remediation ####


1. to check the current status
sshd -T | egrep -iw "ciphers|kexalgorithms"     (sshd -T prints the effective configuration; run as root. SunSSH on Solaris 10
                                                  has no -T -- read sshd_config directly there)

sshd -T|grep "\(ciphers\|macs\|kexalgorithms\)"

openssl ciphers     (lists the TLS cipher suites the OpenSSL library offers -- relevant to the TLS findings below, not to SSH.
                     For SSH use "ssh -Q cipher", "ssh -Q mac" and "ssh -Q kex" to see what the binary supports.)

##### birthday vulnerability (SWEET32, CVE-2016-2183) #####

Solution: Disable use of 3DES (and any other 64-bit-block) cipher suites. For Apache add !3DES to SSLCipherSuite, e.g.
"SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!DES:!RC4", restart, and confirm with "openssl s_client -connect <host>:443 -cipher 3DES"
(the handshake should fail). The "See Securing AMD for details" in the original note appears to be a garbled fragment of the scanner's
solution text and can be ignored.

######## HTTP Security Header Not Detected ####

Apache:
add the following to httpd.conf (or apache2.conf) and restart. mod_headers must be loaded ("a2enmod headers" on Debian/Ubuntu;
LoadModule headers_module on RHEL) or the directives are rejected at start-up.
Code:
Header always set X-Frame-Options SAMEORIGIN
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
(use "set" rather than "append" -- appending to an X-Frame-Options header that already exists yields "SAMEORIGIN, SAMEORIGIN",
 which browsers treat as invalid; "always" sends the headers on error responses too. Scanners commonly also want
 Strict-Transport-Security on HTTPS vhosts: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains".
 X-XSS-Protection is ignored by current browsers; it is harmless to send, but Content-Security-Policy is the real control.)

nginx:
Add the following to nginx.conf in the http or server block. Any add_header inside a nested location block REPLACES all inherited
add_header lines, so repeat them there.
Code:
add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options nosniff always;
("always" (nginx 1.7.5+) sends them on error responses as well; apply with "nginx -t && nginx -s reload")

######## SSL/TLS Server supports TLSv1.0 ######

The default Apache configuration file can be found:
On Debian / Ubuntu based systems: /etc/apache2/apache2.conf (mod_ssl settings usually live in /etc/apache2/mods-enabled/ssl.conf and the site files under sites-enabled/)
On Red Hat / CentOS based systems: /etc/httpd/conf/httpd.conf (mod_ssl settings in /etc/httpd/conf.d/ssl.conf)

In your configuration file(s), find EVERY "SSLProtocol" entry -- a per-VirtualHost SSLProtocol overrides the global one, so check with
"grep -ri '^\s*SSLProtocol' /etc/httpd /etc/apache2" -- and modify each to look like:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

This tells Apache to enable all protocols, but disable SSLv2, SSLv3, TLS 1.0 and TLS 1.1 (leaving TLS 1.2, and TLS 1.3 where
mod_ssl/OpenSSL support it). Run "apachectl configtest" first, then restart the Apache service:

service apache2 restart

or
service httpd restart

Verify from another host: "openssl s_client -connect <host>:443 -tls1" and "... -tls1_1" should both fail to handshake.

###### linux #####

find /var/log -type f -exec chmod g-wx,o-rwx {} + ---- remove group write/execute and all "other" access on existing log files
remove version 1 snmpd ---- i.e. delete the SNMP v1/v2c community lines (rocommunity / rwcommunity / com2sec) in /etc/snmp/snmpd.conf
                            and use v3 authPriv users instead; if SNMP is not needed at all, "systemctl disable --now snmpd"

###### audit in Solaris 10 ###


1.
vi /etc/security/audit_control
dir:/net/ojsst01/audit_logs/oscar/
minfree:20
flags:aa,ad,am,as,-fa,-fc,fd,-fm,-fr,-fw,lo,na,+pm,-ps,ss,ua
naflags:lo
plugin:name=audit_syslog.so;p_flags=all
2.
restart audit
cd /etc/init.d/
root# ./audit stop
root# ./audit start
3. confirm
auditconfig -getpolicy
auditconfig -getfsize        (no space after the dash; "auditconfig -getcond" shows whether auditing is actually active --
                              it should report "audit condition = auditing")

# vi /etc/sysctl.conf
#   apply with "sysctl -p /etc/sysctl.conf" (or reboot). On RHEL 7 files under /etc/sysctl.d/ are read as well and can override
#   these, so confirm afterwards with e.g. "sysctl net.ipv4.conf.all.accept_redirects". CIS also expects reverse-path filtering
#   (net.ipv4.conf.all.rp_filter = 1 and net.ipv4.conf.default.rp_filter = 1). Disabling IPv6 below makes the other ipv6.* lines moot
#   and can break services that listen on "::" (check sshd ListenAddress / application bindings before applying).
fs.suid_dumpable = 0
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.conf.default.accept_redirects = 0

=--- rlogin Service Detection ---

/usr/sbin/svcadm disable svc:/network/login:rlogin      (also svc:/network/shell:default for rsh, and the klogin/eklogin instances if
                                                         present; confirm with "svcs -a | grep -Ei 'rlogin|network/shell'")

----- ssh protocols version 1

comment out "Protocol 2,1" / "Protocol 1" and set "Protocol 2" explicitly in sshd_config rather than relying on the build's default;
restart sshd and test with "ssh -1 <host>" (must be refused). Removing "Protocol" also makes ServerKeyBits / KeyRegenerationInterval irrelevant.

----
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
  (turns off keyboard-interactive logins. Password logins are still accepted unless "PasswordAuthentication no" is set as well.
   KbdInteractiveAuthentication is the newer name of the same option -- older OpenSSH and SunSSH builds may not recognise it, so run
   "sshd -t" before restarting; a PAM-based second factor delivered via keyboard-interactive will stop working with these set.)

/home - 200G
/usr - 100G
swap - 30G
/export/patrol - 10
/crashdump - 100
/export/home - 100
/opt - 100
/boot -2
/export/ctma - 5
/var - 100
/var/log 100
/var/log/audit - 50
/ - 100G
biosboot - 1MiB

[credential removed -- a password was written here in clear text; rotate it and keep it out of shared notes]
