# $Id: ROADMAP,v 1.7 2001/05/11 20:32:38 zyrnix Exp $
#####################################################
#
# Slackware Administration Security Tool Kit road map
#
#####################################################

NOTE:  This is a living document (i.e. nothing is set in stone).
       Some entries are followed by a '-'.  This marks the item as done or,
       for software, gives the license it is released under.

0. Hardening
   0.1  Localhost security hardening
   0.2  Network security hardening
   0.3  Application security hardening
   0.4  Monitoring tasks
   0.5  Script issues 
   0.6  Legal issues
   0.7  Other issues	


1. Local security level:
        
   1.1 Restrict access to powerful commands
       1.1.1  Chmod 750 list of files (Do we need to add/remove anything?)
              1.1.1.1  Chown user and group appropriately on these files.
       1.1.2  Remove SUID/SGID bits from selected files (or all) (more detail)
       1.1.3  Disable Ctrl-Alt-Del  -  DONE
       1.1.4  Configure sudo - BSD
              http://www.courtesan.com/sudo/

   1.2 Set correct file permissions
       1.2.1  Make sure /root and /home/* 0700
       1.2.2  Chmod -R 0744 /usr/src/linux
       1.2.3  Chmod -R 700 /etc/rc.d
       1.2.4  Chmod 600 /etc/inetd.conf, lilo.conf, ipchains/ipfwadm
              configuration files.  (more detail)
       1.2.5  Find world writable files/directories and remove the world
              write permission
              1.2.5.1  Check /home/* for SUID/SGID files
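The checks behind items 1.1.2 and 1.2.5, written out as an added example (not SAStk code): shell functions that list world-writable paths and SUID/SGID files below a directory, and one that clears the SUID/SGID bits. The sample tree built by make_sample_tree is constructed here so the functions can be tried safely; on a real system they are pointed at /home or /.

```bash
#!/bin/sh
# Added example, not SAStk code: permission audit for roadmap items 1.1.2
# and 1.2.5.  All functions take the directory to scan as $1.

# World-writable files and directories.  Sticky directories such as /tmp
# are world-writable by design, so entries with the sticky bit are skipped.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 ! -perm -1000 -print \
        2>/dev/null | sort
    return 0
}

# Files with the setuid or setgid bit set.  The two -perm tests are
# portable; GNU find's "-perm /6000" is a shorter equivalent.
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
    return 0
}

# Clear setuid/setgid bits on everything find_suid_sgid would report
# (item 1.1.2, "remove SUID/SGID bits from selected files (or all)").
strip_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod ug-s {} \; \
        2>/dev/null
    return 0
}

# Constructed sample home tree with one offender of each kind.  Modes are
# set explicitly so the result does not depend on the caller's umask.
# Prints the tree's path; the caller removes it when done.
make_sample_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/alice/bin" "$tree/bob/public"
    chmod 0755 "$tree/alice" "$tree/alice/bin" "$tree/bob"
    : > "$tree/alice/.profile";   chmod 0644 "$tree/alice/.profile"
    : > "$tree/alice/bin/helper"; chmod 4755 "$tree/alice/bin/helper"  # setuid
    : > "$tree/bob/notes.txt";    chmod 0666 "$tree/bob/notes.txt"     # o+w file
    chmod 0777 "$tree/bob/public"                                      # o+w dir
    printf '%s\n' "$tree"
}
```

The sticky-bit exclusion is what keeps /tmp and /var/tmp out of the world-writable report; everything else that shows up is something the 1.2.5 step should fix.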

   1.3 Restrict access
       1.3.1  Set a password for lilo  -  DONE
       1.3.2  Enforce strong passwords
       1.3.3  Remove unused accounts
       1.3.4  Disable login for system accounts with UID > 0 and < 100 by
              setting their shell to /bin/false.  -  DONE
       1.3.5  Enable password aging for existing accounts, UID 0 and > 1000.
              -  DONE
       1.3.6  Add security warning to /boot/boot_message.txt.
       1.3.7  Configure /etc/suauth to limit su to root to only those in
              the wheel group.  -  DONE
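Item 1.3.4 as an added example (not SAStk's own code): awk over a passwd-format file to list accounts with UID 1 to 99 that still have a login shell, and to rewrite those shells to /bin/false. The functions take the file as an argument so they can be run against a copy before touching /etc/passwd. Treating /sbin/nologin as an already-disabled shell alongside /bin/false is an assumption of this example; the sample passwd content is constructed.

```bash
#!/bin/sh
# Added example, not SAStk code: roadmap item 1.3.4, system accounts with
# 0 < UID < 100 get /bin/false as their shell.  Works on any passwd-format
# file given as an argument.

# Print "name:uid:shell" for every account in the UID range whose shell is
# not already a non-login shell.  An empty shell field means /bin/sh, so it
# is (correctly) reported too.
list_system_logins() {
    awk -F: '$3 > 0 && $3 < 100 && $7 != "/bin/false" && $7 != "/sbin/nologin" {
                 print $1 ":" $3 ":" $7 }' "$1"
}

# Copy passwd file $1 to $2 with those shells set to /bin/false.  Other
# fields and all other accounts are passed through unchanged.
disable_system_logins() {
    awk -F: -v OFS=: '$3 > 0 && $3 < 100 && $7 != "/bin/false" && $7 != "/sbin/nologin" {
                          $7 = "/bin/false" } { print }' "$1" > "$2"
}

# Constructed sample passwd file; prints its path.
make_sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/sbin:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
nobody:x:99:99:nobody:/:/bin/sh
alice:x:1000:100::/home/alice:/bin/bash
EOF
    printf '%s\n' "$f"
}
```

Run list_system_logins first and review the output; root (UID 0) and ordinary users (UID >= 100) are never touched, which is the boundary the roadmap item draws.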

   1.4 Attempt to stop exploits
       1.4.1  If /home is in /etc/fstab (its own partition), replace "defaults"
              with rw,nosuid,nodev  -  DONE
       1.4.2  If /tmp is in /etc/fstab, replace "defaults" with
              rw,nosuid,nodev,noexec  -  DONE
       1.4.3  Install LibSafe from contrib - LGPL
              http://www.research.avaya.com/project/libsafe/
       1.4.4  Install StackGuard - GPL
              http://immunix.org/stackguard.html
       1.4.5  Install Openwall kernel patch - GPL
              http://www.openwall.com/linux/
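Items 1.4.1 and 1.4.2 as an added example (not SAStk code): a check that reports which of the required mount options a /home or /tmp entry in an fstab-format file is missing, and a rewrite that puts the roadmap's option sets in place. The fstab content below is constructed; "defaults" is taken to imply rw, as mount(8) defines it.

```bash
#!/bin/sh
# Added example, not SAStk code: verify and apply the mount options from
# roadmap items 1.4.1 (/home) and 1.4.2 (/tmp) in an fstab-format file.

# Print each option from $3.. that the entry for mount point $2 in fstab
# $1 lacks.  No entry (not a separate partition) prints nothing.
missing_mount_opts() {
    fstab=$1; mp=$2; shift 2
    opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4 }' "$fstab")
    [ -n "$opts" ] || return 0
    # "defaults" expands to rw,suid,dev,exec,auto,nouser,async; only rw
    # matters for this check.
    case ",$opts," in *,defaults,*) opts="$opts,rw" ;; esac
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) printf '%s\n' "$want" ;;
        esac
    done
    return 0
}

# Copy fstab $1 to $2, replacing the option field of the /home and /tmp
# entries with the roadmap's sets.  Comments and other lines pass through.
harden_fstab() {
    awk -v OFS='\t' '
        $1 !~ /^#/ && $2 == "/home" { $4 = "rw,nosuid,nodev" }
        $1 !~ /^#/ && $2 == "/tmp"  { $4 = "rw,nosuid,nodev,noexec" }
        { print }' "$1" > "$2"
}

# Constructed sample: /home still on "defaults", /tmp only half hardened.
make_sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample fstab
/dev/hda1   /      ext2   defaults    1 1
/dev/hda2   /home  ext2   defaults    1 2
/dev/hda3   /tmp   ext2   rw,nosuid   1 2
/dev/hda4   swap   swap   defaults    0 0
none        /proc  proc   defaults    0 0
EOF
    printf '%s\n' "$f"
}
```

The check is the useful half for an audit script: it says exactly which of nosuid, nodev and noexec is absent instead of a bare pass/fail, and it stays quiet when the directory is not a mount point at all.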

   1.5  Limit user resources
       1.5.1  Configure quotas
       1.5.2  Modify /etc/profile  -  DONE
            1.5.2.1  umask 077  -  DONE
             1.5.2.6  TMOUT=3600
             1.5.2.7  HISTFILESIZE=20  -  DONE
            1.5.2.8  HISTSIZE=20  -  DONE
       1.5.3  Modify /etc/csh.login  -  DONE
            1.5.3.1  umask 077  -  DONE
       1.5.4 Modify /etc/login.defs  -  DONE
            1.5.4.1 LOG_OK_LOGINS  yes  -  DONE
            1.5.4.2 DEFAULT_HOME  no  -  DONE
            1.5.4.3 PASS_MAX_DAYS  45  -  DONE
            1.5.4.4 PASS_MIN_LEN  8  -  DONE
            1.5.4.5 CHFN_RESTRICT comment out  -  DONE
            1.5.4.6 Create /var/log/faillog  -  DONE
            1.5.4.7 Apply group and user concepts

   1.6 After install, identify programs started at boot or bound to a port
       that do not check out against our logs.


2. Network security level:

   2.1 Use secure protocols for administration
       2.1.1  Download, install, and configure OpenSSH and OpenSSL. (For < 7.2)
              http://www.OpenSSH.com - BSD
             2.1.1.1  Symlink telnet to ssh

   2.2 Disable unused network services
       2.2.1  Disable unused daemons
       2.2.2  Comment unused services in /etc/inetd.conf  -  DONE

   2.3 Limit enumeration and network reconnaissance
       2.3.1  Add security warning to /etc/issue.net  -  DONE
              2.3.1.1  Stop rc.S from overwriting them (SW 7.0 and 7.1).
       2.3.2  Disable sendmail's VRFY and EXPN commands (used for account
              reconnaissance)  -  DONE
       2.3.3  echo "255" > /proc/sys/net/ipv4/ip_default_ttl; this will
              confuse nmap OS fingerprinting.

   2.4 Restrict access
       2.4.1  Comment lines in Xaccess to disable remote login screens  -  DONE
              Currently works only for 3.3.x
       2.4.2  Add one of the following to /etc/hosts.deny:
              ALL:ALL except localhost  -  DONE
              or ALL:ALL: /bin/mail -s "%s connection attempt from %c" \
                 root@localhost
              2.4.2.1  The second alternative will be more trouble than it's
                       worth.  Need to have more intelligent logging to root.
       2.4.3  Check /etc/hosts.allow for uncommented lines.  Don't do anything
              to them other than tell the user about them.  -  DONE
              (Should this be placed in a different log?)
       2.4.4  Install and configure an IPCHAINS script
       2.4.5  Modify /etc/host.conf
              2.4.5.1  Add "nospoof on"  -  DONE
              2.4.5.2  Add "alert on"
       2.4.6  Add the following to /etc/rc.d/rc.local: echo 1 > /proc/sys/net/
              ipv4/tcp_syncookies, rp_filter, icmp_echo_ignore_broadcasts,
              log_martians, ip_always_defrag  -  DONE
       2.4.7  Add the following to /etc/rc.d/rc.local:
              echo 1 > /proc/sys/net/ipv4/tcp_syncookies  -  DONE
              echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts  -  DONE
              echo 1 > /proc/sys/net/ipv4/ip_always_defrag  -  DONE
              echo 1 > /proc/sys/net/ipv4/conf/*/rp_filter  -  DONE
              echo 0 > /proc/sys/net/ipv4/conf/*/accept_source_route  -  DONE
              echo 1 > /proc/sys/net/ipv4/conf/*/log_martians  -  DONE
              echo 255 > /proc/sys/net/ipv4/ip_default_ttl
       2.4.8  Stop sendmail from listening to port 587  -  DONE
       2.4.9  Remove default accounts in /etc/mail/aliases that are not
              needed.
       2.4.10 Modify http_access.conf to disable FollowSymLinks, SSI, CGI, and
              directory indexes
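The /proc/sys/net/ipv4 settings of items 2.3.3 and 2.4.7 as an added example (not SAStk code): an audit that reports every value that differs from the roadmap's, and an apply step usable from rc.local. The syncookies file is /proc/sys/net/ipv4/tcp_syncookies. Both functions take a root directory so the logic can be exercised against a constructed copy of the /proc tree; the sample tree and its values are made up for this example.

```bash
#!/bin/sh
# Added example, not SAStk code: audit and apply the /proc/sys/net/ipv4
# settings from roadmap items 2.3.3 and 2.4.7.  Every function takes a
# root directory as $1 so the logic can be tried against a constructed
# copy of the /proc tree; on the live system pass "" as the root.

# Desired values, one "path-below-ipv4 value" pair per line.  The conf/*
# entries expand to every interface, as the roadmap's echo lines do.
IPV4_SETTINGS='
tcp_syncookies 1
icmp_echo_ignore_broadcasts 1
ip_always_defrag 1
ip_default_ttl 255
conf/*/rp_filter 1
conf/*/accept_source_route 0
conf/*/log_martians 1
'

# Print "file current desired" for each setting that is off.  A file
# that does not exist (ip_always_defrag is gone from later kernels) is
# reported with "absent" in place of the current value.
audit_ipv4_settings() {
    root=$1
    printf '%s\n' "$IPV4_SETTINGS" | while read -r rel want; do
        [ -n "$rel" ] || continue
        for f in "$root"/proc/sys/net/ipv4/$rel; do
            if [ ! -f "$f" ]; then
                printf '%s absent %s\n' "$f" "$want"
            elif [ "$(cat "$f")" != "$want" ]; then
                printf '%s %s %s\n' "$f" "$(cat "$f")" "$want"
            fi
        done
    done
    return 0
}

# Write each desired value; files that do not exist are skipped rather
# than created, so this is safe to run from rc.local on any kernel.
apply_ipv4_settings() {
    root=$1
    printf '%s\n' "$IPV4_SETTINGS" | while read -r rel want; do
        [ -n "$rel" ] || continue
        for f in "$root"/proc/sys/net/ipv4/$rel; do
            if [ -f "$f" ]; then
                printf '%s\n' "$want" > "$f"
            fi
        done
    done
    return 0
}

# Constructed sample tree: one interface, two values off, one file absent.
make_sample_proc() {
    root=$(mktemp -d)
    d=$root/proc/sys/net/ipv4
    mkdir -p "$d/conf/eth0"
    echo 0  > "$d/tcp_syncookies"              # off: should be 1
    echo 1  > "$d/icmp_echo_ignore_broadcasts"
    echo 64 > "$d/ip_default_ttl"              # off: should be 255
    echo 1  > "$d/conf/eth0/rp_filter"
    echo 0  > "$d/conf/eth0/accept_source_route"
    echo 1  > "$d/conf/eth0/log_martians"
    printf '%s\n' "$root"                      # ip_always_defrag left absent
}
```

Keeping the desired values in one table means the same list drives both the boot-time apply step and a later audit, so the rc.local additions and the monitoring tasks of section 4 cannot drift apart.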

   2.5 Chroot jail as many services as possible - look into "subdomain"'ing
       2.5.1 Subdomaining is supposedly better than chroot jail - less exposed.


3. Application security level:

   3.1 Enable application specific security features

   3.2 Download and install security updates - TODO
       (Hit Patrick with a clue stick so that this is possible) :-)

   3.3 Remove excess packages
       3.3.1 Someone needs to decide "WHAT" is considered excess. 
             Allow the user to say Y/N for each package removed.
             3.3.1.1 Maybe make up "profiles" to determine what is excessive
                  3.3.1.1.1  Crack me
                  3.3.1.1.2  I'll put up a decent fight
                  3.3.1.1.3  Most stuff is turned off
                  3.3.1.1.4  X sucks it's an exploit waiting to happen
                  3.3.1.1.5  Anything beyond the a1 base install is excess
                             I'll code the rest myself

   3.4 Replace historically insecure programs
       3.4.1 Get rid of sendmail - OSI approved
             http://www.sendmail.org 
             3.4.1.1  qmail - "freeware" (might not be free software)
                      http://cr.yp.to/qmail.html
             3.4.1.2  postfix - IBM public license
                      http://www.postfix.org
             3.4.1.3  exim - GPL
                      http://www.exim.org
       3.4.2 Replace wu-ftpd - BSD
             http://www.wu-ftpd.org 
             3.4.2.1  pro-ftpd [ http://www.proftpd.org ] - GPL
             3.4.2.2  OpenBSD's ported ftpd 
                  3.4.2.2.1 Virtual FTPD - BSD
                            http://startuplinux.com/software.html
                  3.4.2.2.2 OpenBSD-ftp - BSD
                            http://innominate.org/~oku/rpms/OpenBSD-ftp.html
                  3.4.2.2.3 ftpd-BSD - BSD
                             http://www.eleves.ens.fr:8080/home/madore/programs/#prog_ftpd-BSD
       3.4.3 Replace NFS with AFS (Andrew File System)
             3.4.3.1  OpenAFS - IBM Public License
                      http://www.openafs.org
       3.4.4 Replace BIND
             3.4.4.1  djbdns - "freeware" (might not be free software)
                      http://cr.yp.to/djbdns.html
       3.4.5 Remove r* services
             3.4.5.1  OpenSSH should fulfill these needs - BSD

   3.5 Install GNU Privacy Guard 1.0.4-patched (free software PGP alternative).
       3.5.1 http://www.gnupg.org - GPL


4. Monitoring:

   4.1 Network
       4.1.1  Download, install, and configure snort - GPL
              http://www.snort.org 
       4.1.2  Run a port scanner and compare its results against netstat -a.
       4.1.3  Install nmap - GPL
              http://www.insecure.org/nmap/

   4.2  Local

   4.3  Logs
       4.3.1  Add additional entries to /etc/syslog.conf. (more detail)
       4.3.2  Consider using logsurfer to help make sense of logs.
       4.3.3  Install logcheck - GPL
              http://www.psionic.com

   4.4  System resources/filesystem changes
       4.4.1  Download, install, and configure tripwire
       4.4.2  Daily sha1 checksums of /etc, keeping a copy of the files for
              one day.
              4.4.2.1  On any change, send unified diffs to root.
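The daily /etc checksum job of item 4.4.2 and its sub-item, written out as an added example (not SAStk code): a snapshot keeps a sha1 manifest plus a copy of every file for one day, and the report step compares the live tree with the snapshot, printing unified diffs of modified files and lists of added and removed ones. The snapshot location /var/backups/etc.snapshot, the use of mail(1) for delivery to root, and the sample tree in the test are assumptions of this example; paths containing whitespace are not handled.

```bash
#!/bin/sh
# Added example, not SAStk code: roadmap item 4.4.2, daily sha1 manifest
# of /etc with a one-day copy of the files, and unified diffs of whatever
# changed mailed to root.

# "sha1  ./relative/path" lines for every regular file under $1, sorted so
# two manifests are directly comparable.
manifest_of() {
    (cd "$1" && find . -type f -print | sort | while read -r f; do
        sha1sum "$f"
    done)
}

# Record tree $1 into snapshot directory $2: a copy of the files under
# $2/files and the manifest in $2/MANIFEST.  Any older snapshot is replaced.
snapshot_tree() {
    rm -rf "$2"
    mkdir -p "$2/files"
    cp -pR "$1/." "$2/files"
    manifest_of "$1" > "$2/MANIFEST"
}

# Compare live tree $1 with snapshot $2.  Prints "added: p", "removed: p"
# and, for modified files, "modified: p" followed by diff -u against the
# saved copy.  Returns 1 if anything changed, 0 otherwise.
report_changes() {
    live=$1; snap=$2
    changes=$(manifest_of "$live" | awk -v oldf="$snap/MANIFEST" '
        BEGIN { while ((getline line < oldf) > 0) { split(line, a, " "); old[a[2]] = a[1] } }
        { new[$2] = $1 }
        END {
            for (p in old) if (!(p in new)) print "removed", p
            for (p in new) if (!(p in old)) print "added", p
            for (p in new) if ((p in old) && old[p] != new[p]) print "modified", p
        }' | sort)
    [ -n "$changes" ] || return 0
    printf '%s\n' "$changes" | while read -r kind path; do
        printf '%s: %s\n' "$kind" "$path"
        if [ "$kind" = modified ]; then
            diff -u "$snap/files/$path" "$live/$path" || true
        fi
    done
    return 1
}

# Daily cron job: mail the report to root only when something changed,
# then roll the snapshot forward so tomorrow's run diffs against today.
daily_etc_check() {
    snap=${1:-/var/backups/etc.snapshot}   # assumed location, not SAStk's
    report=$(report_changes /etc "$snap") || \
        printf '%s\n' "$report" | mail -s "/etc changed on $(hostname)" root
    snapshot_tree /etc "$snap"
}
```

The exit status of report_changes is what makes the job quiet on unchanged days; a first run against a missing snapshot reports every file as added, which is a reasonable baseline message.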


5. Script issues:

   5.1  User interaction
        5.1.1  Passwords not echoed to screen for LILO portion - DONE
        5.1.2  Dialog User Interface - DONE
        5.1.3  Make the scripts more modular - DONE

   5.2  Log changes
        5.2.1  Set up CVS source for all of SAStk  -  DONE
        5.2.2  MD5 all official releases - DONE

   5.3  Log errors

   5.4  Undo feature
        5.4.1  Different levels of undo, might only want to undo certain
               features

   5.5  Roles
        5.5.1  Uncomment lines in /etc/inetd.conf as needed.

   5.6  Recoverability - what happens if something unexpected happens?  How will
        the script recover?

   5.7  Signal handling - just use 'trap signal_handler SIGNAL_NUMBER'
        5.7.1  Make user hit  once if they want to exit, otherwise script
               will be left in the middle - DONE
        5.7.2  If signal caught, cleanup temporary files and try to save major
               changes that might be used on next execution of script. - DONE


6. Legal Issues

   6.1  Make certain we do not require users to install or use non-free software
        from our installation - DONE
        6.1.1 Optional non-free software can be installed but only if explicitly
              selected by the user

   6.2  Scripts under GNU General Public License (GPL) - DONE

   6.3  Documentation is under GNU Free Documentation License (FDL) - DONE
        6.3.1  Exception to this is HELP.CVS which is GPL'd since it is
               based on GPL documentation - DONE

   6.4  Use the Free Software Foundation's definitions of what is free software
        - DONE
        http://www.gnu.org/philosophy/free-sw.html
        http://www.gnu.org/philosophy/license-list.html#GPLCompatibleLicenses
        http://www.gnu.org/philosophy/license-list.html#GPLIncompatibleLicenses


7. Other things to consider/decide on:

   7.1  Modify /etc/login.access

   7.2  Modify /etc/porttime

   7.3  Configure PAM (pluggable authentication module)
        (I'd prefer not to - dentonj)

   7.4  Configure One Time Passwords (OTP)
        7.4.1  S/Key  [ http://www.faqs.org/rfcs/rfc1760.html ]
               ftp://thumper.bellcore.com/pub/nmh/ - OSI Approved

   7.5  Configure/Add IPsec support.
        7.5.1  FreeS/WAN  [ http://www.freeswan.org ] - GPL

   7.6  Modify /etc/limits.