Permissions and Limits
You can file an issue about it and ask that it be added.
Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access.
Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verified to ensure that no harmful discrepancies have arisen.
The default restrictive permissions for files which act as important security databases such as passwd, shadow, group, and gshadow files must be maintained.
chmod 0644 /etc/passwd
chown root /etc/passwd
chgrp root /etc/passwdC2S/CIS: CCE-26949-8 (Medium); C2S/CIS: CCE-26887-0 (Medium); C2S/CIS: CCE-27138-7 (Medium); C2S/CIS: CCE-26639-5 (Medium)
chown root /etc/group
chgrp root /etc/groupC2S/CIS: CCE-26933-2; C2S/CIS: CCE-27037-1 (Medium)
chmod 0640 /etc/shadow
chown root /etc/shadow
chgrp root /etc/shadowC2S/CIS: CCE-27100-7 (Medium); C2S/CIS: CCE-26795-5 (Medium); C2S/CIS: CCE-27125-4 (Medium)
chmod 0000 /etc/gshadow
chown root /etc/gshadow
chgrp root /etc/gshadowC2S/CIS: CCE-27162-7 (Medium); C2S/CIS: CCE-27161-9 (Medium); C2S/CIS: CCE-26840-9 (Medium)
For the following recommendations C2S/CIS does not provide a solution, but there are methods to verify it.
Unowned files may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account.
# To find out all files that are not owned by any user:
find / -nouser
# To find out all files that are not owned by any group:
find / -nogroupC2S/CIS: CCE-80134-0 (Medium); C2S/CIS: CCE-80135-7 (Medium)
Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.
Check with documentation for specific applications before making changes.
# To find all files that are world writable, irrespective of what other permissions they have, you can do:
find / -perm -o+wFailing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.
# To verify no world writable directories exist without the sticky bit set:
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/nullC2S/CIS: CCE-80130-8 (Unknown)
Linux includes a number of facilities for the automated addition and removal of filesystems on a running system. These facilities may be necessary in many environments, but this capability also carries some risk.
# Add to /etc/modprobe.d/fs-blacklist.conf:
install freevxfs /bin/true
install udf /bin/true
install squashfs /bin/true
install hfsplus /bin/true
install jffs2 /bin/true
install hfs /bin/true
install cramfs /bin/trueC2S/CIS: CCE-80138-1 (Low); C2S/CIS: CCE-80143-1 (Low); C2S/CIS: CCE-80142-3 (Low); C2S/CIS: CCE-80141-5 (Low); C2S/CIS: CCE-80139-9 (Low); C2S/CIS: CCE-80140-7 (Low); C2S/CIS: CCE-80137-3 (Low)
# And disable automounter:
systemctl disable autofs.serviceIt is sensible to leave only the modules you use. If you don't use nfs, cifs etc. you may also disable the following file systems:
install fat /bin/true
install vfat /bin/true
install cifs /bin/true
install nfs /bin/true
install nfsv3 /bin/true
install nfsv4 /bin/true
install gfs2 /bin/trueThe recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution are activated.
The core dump files may also contain sensitive information, or unnecessarily occupy large amounts of disk space.
You can restrict access to core dumps to certain users or groups, as described in the limits.conf(5) manual page.
# Add to /etc/sysctl.d/hardening.conf:
fs.suid_dumpable = 0
# Edit /etc/security/limits.conf:
* hard core 0C2S/CIS: CCE-26900-1 (Unknown); C2S/CIS: CCE-80169-6 (Unknown)
ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows.
Exec Shield is enabled in CentOS-6 and 7 by default. To view the list of running processes that have exec-shield enabled, you can run lsexec tool.
It's designed to limit against:
- stack
- buffer
- function pointer overflows
# Add to /etc/sysctl.d/hardening.conf:
# kernel.exec-shield = 1
kernel.randomize_va_space = 2C2S/CIS: CCE-27211-2 (Medium); C2S/CIS: CCE-27127-0 (Medium)
When you combine exec-shield, SELinux and proper patching and security best practices you can really limit the attack vectors that can be used to break into your systems.
The Practical Linux Hardening Guide provides a high-level overview of the hardening GNU/Linux systems. It is not an official standard or handbook but it touches and use industry standards.