VA Remediation


Remediations

###### disable rsh and rlogin


The rlogin service is controlled by FMRI svc:/network/login:rlogin.

The rsh service is controlled by FMRI svc:/network/shell:default.

####### cipher and mac remediation for solaris


solaris mac
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
MACS hmac-sha2-512,hmac-sha2-256

####### ntp information disclosure vulnerability - solaris #####


add the line below to /etc/inet/ntp.conf

restrict default limited kod nomodify notrap nopeer noquery


restrict default limited kod nomodify notrap nopeer noquery

-bash-4.4# cat /etc/inet/ntp.conf


server 10.199.202.10 prefer
server 10.1.224.1
server 10.1.224.2
restrict default limited kod nomodify notrap nopeer noquery
restrict default limited kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 10.199.202.10
restrict 10.1.224.1
restrict 10.1.224.2
driftfile /var/ntp/ntp.drift
statsdir /var/ntp/ntpstats
filegen peerstats file peerstats type day enable
filegen loopstats file loopstats type day enable
filegen clockstats file clockstats type day enable
-bash-4.4#

########## ServerKeyBits for short keys #####


root@ojctm04:~# grep ServerKeyBits /etc/ssh/sshd_config
ServerKeyBits 2048
-------
# Length of the server key
# Default 768, Minimum 512
ServerKeyBits 2048

none /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0

yum remove xorg-x11* ----- I didn't implement this


/etc/modprobe.d/CIS.conf
install jffs2 /bin/true
gpgcheck=1
chmod 664 /etc/issue

systemctl disable snmpd


chmod 664 issue*
yum clean all
yum repolist
--- this enables kernel processes started at boot to be recorded in the audit log
cd /etc/default/
cp grub grub.bk20200206
vi /etc/default/grub
GRUB_CMDLINE_LINUX="audit=1"
# grub2-mkconfig
# grub2-mkconfig > /boot/grub2/grub.cfg

---- it monitors unauthorised access to the file; only the owner and group can use it
---
auditctl -w /bin/sudo -p a -k privileged

--- password history


password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=24

---- loopback firewall


firewall-cmd --zone=drop --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
firewall-cmd --reload

password sufficient pam_unix.so sha512

$$$$$$$ this didn't work $$$$


----- it logs time changes on the system (stime exists only in the 32-bit syscall table, so it is not accepted with arch=b64) -----
auditctl -a always,exit -F arch=b64 -S stime -k time-change
$$$$$$$$$$$$$$$$$$

/tmp
# systemctl unmask tmp.mount
# systemctl enable tmp.mount
# yum install aide
# sed -i 's/gpgcheck=0/gpgcheck=1/g' /etc/yum.repos.d/dev-source.repo
# sed -i 's/SELINUX=permissive/SELINUX=enforcing/g' /etc/selinux/config

# find /var/log -type f -exec chmod g-wx,o-rwx {} +

export http_proxy="http://10.1.224.244:8080";export https_proxy="http://10.1.224.244:8080"

tcpdump.x86_64 14:4.9.2-4.0.1.el7_7.1

##### remediation ###


mount -o remount,noexec /tmp -- /tmp is only intended for temporary storage; users cannot run executable binaries from /tmp
mount -o remount,nodev /tmp -- means the filesystem cannot contain special devices
mount -o remount,nosuid /tmp -- means setuid/setgid bits are ignored on the filesystem, so users cannot run setuid files from /tmp
mount -o remount,nodev /home
mount -o remount,noexec /dev/shm
mount -o remount,noexec /dev/shm
mount -o remount,noexec /var/tmp

mount -o remount,exec /tmp

systemctl disable autofs

chown root:root /boot/grub2/grub.cfg --- it prevents non-root users from exploiting a weakness
chmod og-rwx /boot/grub2/grub.cfg

chmod 600 /etc/group-

cp issue.net issue
chmod 664 issue

---- edit /etc/ntp.conf under restrict ---


restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

- to ensure the sticky bit is set on all world-writable directories

############# solaris mac


ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
MACS hmac-sha2-512,hmac-sha2-256

########## no retry /etc/pam.d/system-auth ##### add before the pam_unix statement


auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900

password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=24

yum install aide

###### my qualys passwd ###


qUalysscans@123

tail -f /var/log/secure

Set minimum password age for root to 7 days


Install AIDE
Set gpgcheck within yum/repos.d to 1
Set crontab permissions to 600
Set cron.d permissions to 600
Remove the at.deny & cron.deny files

sed -i 's/SELINUX=permissive/SELINUX=enforcing/g' /etc/selinux/config


-----------------------------------------------
grep -v ^$ /etc/login.defs | grep -v ^# -- linux
grep -v ^$ /etc/ssh/sshd_config | grep -v ^# -- linux & solaris
grep -v ^$ /etc/default/login | grep -v ^# -- solaris
umask
retries
syslog

cat /etc/pam.d/system-auth -- solaris

cat /etc/default/passwd - history, length, max, min, name check


cat /etc/passwd
passwd -s user

umask

rm /etc/cron.deny
rm /etc/at.deny
touch /etc/cron.allow
touch /etc/at.allow
chmod og-rwx /etc/cron.allow
chmod og-rwx /etc/at.allow
chown root:root /etc/cron.allow
chown root:root /etc/at.allow

-- lock inactive accounts --


logins -axo -l "user" | awk -F: '{print $13}' --- solaris
useradd -D | grep INACTIVE linux

usermod -f 35 user
rolemod -f 35 user

######### ciphers|kexalgorithms
MACS hmac-sha2-512,hmac-sha2-256

ciphers aes128-ctr,aes192-ctr,aes256-ctr

echo "ServerKeyBits 2048" >> /etc/ssh/sshd_config

##### create encrypted password ####


openssl passwd -1 -salt xyz yourpassword

dragon@user123
$1$xyz$LqLzaMtt74CpnSBWR4wqz1

or
openssl passwd -1 -salt xyz
>your password

##### test if a port is working ###


nc -zv 10.1.218.18 80

####### force unmount a dir #########


fuser -ck dir
fuser -ck /app

cat /etc/issue --- banner


if it is not displayed, remove the issue.net path from the sshd_config file

auditctl -l --- this lists the audit settings


systemctl restart auditd

GR3AtY3aR$15
find ./ -name syslog - arcsight

/etc/pam.d/system-auth - password history solaris

grep -v ^# /etc/login.defs | grep -v ^$ ---- check the password security settings


grep -v ^$ /etc/login.defs | grep PASS

cat /etc/login.defs |grep -v ^$|grep -v ^#;hostname

############# audit on solaris #########

auditreduce -c lo | praudit -s

###### cipher remediation ####


1. to check the current status
sshd -T | egrep -iw "ciphers|kexalgorithms"

sshd -T|grep "\(ciphers\|macs\|kexalgorithms\)"

openssl ciphers

##### birthday vulnerability #####

Solution: Disable use of 3DES cipher suites. See Securing AMD for details.

######## HTTP Security Header Not Detected ####


Apache:
add the following to httpd.conf (or apache2.conf) and restart
Code:
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff

nginx:
Add the following to your nginx.conf
Code:
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;

######## SSL/TLS Server supports TLSv1.0 ######


The default Apache configuration file can be found at:
On Debian / Ubuntu based systems: /etc/apache2/apache2.conf
On Red Hat / CentOS based systems: /etc/httpd/conf/httpd.conf

In your configuration file(s), find the entry "SSLProtocol" and modify it to look like:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

This tells Apache to enable all protocols, but disable SSLv2, SSLv3, TLS 1.0 and TLS 1.1. The last step is to restart the Apache service:

service apache2 restart


or
service httpd restart

###### linux #####


find /var/log -type f -exec chmod g-wx,o-rwx {} + ---- to change permissions on log files
disable SNMP version 1 in snmpd

###### audit in Solaris 10 ###


1.
vi /etc/security/audit_control
dir:/net/ojsst01/audit_logs/oscar/
minfree:20
flags:aa,ad,am,as,-fa,-fc,fd,-fm,-fr,-fw,lo,na,+pm,-ps,ss,ua
naflags:lo
plugin:name=audit_syslog.so;p_flags=all
2.
restart audit
cd /etc/init.d/
root# ./audit stop
root# ./audit start
3. confirm
auditconfig -getpolicy
auditconfig -getfsize

# vi /etc/sysctl.conf
fs.suid_dumpable = 0
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.conf.default.accept_redirects=0

--- rlogin Service Detection ---


/usr/sbin/svcadm disable svc:/network/login:rlogin

----- ssh protocols version 1


comment out the Protocol line that enables version 1

----
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no

/home - 200G
/usr - 100G
swap - 30G
/export/patrol - 10
/crashdump - 100
/export/home - 100
/opt - 100
/boot -2
/export/ctma - 5
/var - 100
/var/log 100
/var/log/audit - 50
/ - 100G
biosboot - 1MiB

Welcome2december2020!
