Security Checklist

Michael Gisbers

2021-03-16

Document the host information

  • Name
  • OS type
  • IP / Subnet / Gateway
  • MAC address
  • Responsible Person
  • Date
  • Asset information

BIOS protection

  • Setup password
  • Boot features
    • Boot order
    • Boot devices
    • Network boot
  • Secure boot

BIOS settings

  • Enable NX
  • Disable unneeded virtualization extensions (VT-x)

Hard disk encryption

  • Decryption by TPM2
  • Decryption by password
  • Decryption by remote system

Disk protection

  • RAID
  • Different partitions
  • Read-only /boot
  • Password for the boot manager (GRUB)

Disable USB storage

  • Blacklist usb_storage
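
The check below is an added example (not part of the original checklist) for verifying that the usb_storage module is kept out of the kernel on a Linux host. It assumes the modprobe configuration lives in a directory of *.conf files such as /etc/modprobe.d. A "blacklist" line only stops automatic loading through the device alias; an "install usb_storage /bin/false" (or /bin/true) line also defeats an explicit modprobe, so the function reports which of the two is in place.

```shell
#!/bin/sh
# Added example, not from the checklist author: report how usb_storage is blocked
# in a modprobe.d-style directory, and whether the module is currently resident.

# usb_storage_policy MODPROBE_DIR: prints "install", "blacklist" or "none".
# "install" is the stronger setting because it also stops a manual modprobe.
usb_storage_policy() {
    dir="$1"
    if grep -qsE '^[[:space:]]*install[[:space:]]+usb_storage[[:space:]]+/bin/(false|true)' "$dir"/*.conf; then
        echo install
    elif grep -qsE '^[[:space:]]*blacklist[[:space:]]+usb_storage([[:space:]]|$)' "$dir"/*.conf; then
        echo blacklist
    else
        echo none
    fi
}

# usb_storage_loaded: exit 0 if the module is resident right now. modprobe.d
# only affects future loads, so a module loaded before the policy was written
# stays active until it is removed or the host reboots.
usb_storage_loaded() {
    grep -q '^usb_storage ' /proc/modules 2>/dev/null
}

# Live usage (as root):
#   usb_storage_policy /etc/modprobe.d
#   usb_storage_loaded && echo "usb_storage still loaded"
```

On a live host, pair the policy check with the loaded check: a correct modprobe.d entry and a still-loaded module are both worth recording in the host documentation.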

Backup

  • Backup strategy
  • Restore tests

System update

  • Update base system
  • Update additional software
  • Remove old and unused configuration files

Installed Packages

  • Check for unneeded packages
  • Remove unneeded packages
  • Remove old and unused configuration files

Check for open ports

  • from the inside (ss)
  • from the outside (nmap/nc)
  • TCP and UDP
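
The internal check with ss is more useful when its output is compared against the list of services the host is supposed to run. The script below is an added example, not part of the original checklist: it parses ss -tulnH output (TCP and UDP listeners, numeric, no header), drops every proto/port pair on an allow-list you supply, and tags the rest as EXPOSED or, when bound to a loopback address only, LOCAL. The sample ss output is constructed for the example; the external nmap/nc scan from the checklist is not replaced by it.

```shell
#!/bin/sh
# Added example, not from the checklist author: diff listening sockets against
# an allow-list of expected services.

# Constructed sample of `ss -tulnH` output (not captured from a real host).
SAMPLE_SS='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096            [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*    users:(("dhclient",pid=640,fd=6))
tcp   LISTEN 0      511        127.0.0.1:6379      0.0.0.0:*    users:(("redis-server",pid=1200,fd=6))
tcp   LISTEN 0      128          0.0.0.0:8080      0.0.0.0:*    users:(("python3",pid=1533,fd=3))'

# unexpected_listeners ALLOWED < ss-output
# ALLOWED is a space-separated list of proto/port pairs, e.g. "tcp/22 udp/68".
# Prints "SCOPE proto address port" for every socket not on the list, where
# SCOPE is LOCAL for loopback-only binds and EXPOSED for everything else.
unexpected_listeners() {
    allowed=" $1 "
    awk -v allowed="$allowed" '
        NF < 5 { next }
        {
            proto = $1; laddr = $5
            n = split(laddr, parts, ":")          # port is after the last colon
            port = parts[n]                       # works for 0.0.0.0:22 and [::]:22
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            key = proto "/" port
            if (index(allowed, " " key " ") > 0) next
            scope = (addr == "127.0.0.1" || addr == "[::1]") ? "LOCAL" : "EXPOSED"
            print scope, proto, addr, port
        }'
}

# Live usage: ss -tulnH | unexpected_listeners "tcp/22 udp/68"
```

Everything the function prints should either be added to the host documentation as an intended service (and then to the allow-list) or shut down. A LOCAL entry is not reachable from the network, but it still tells you which software is running and listening, which is the point of the inventory.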

Secure SSH

  • Change port
  • Allow access via ssh-key only
  • Allow only specific users (AllowUsers)
  • Disallow root logins
  • Disable port forwarding
  • Drop connections after too many failed logins (fail2ban)
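
The sshd_config review in the list can be scripted. The script below is an added example and not part of the original checklist: it reads a config file, takes the first top-level value of each keyword (sshd uses the first occurrence, and settings inside Match blocks apply only to matching connections, so they are skipped), fills in the OpenSSH defaults for keywords that are absent, and prints one line per item that deviates from the list. The weak sample config is constructed; the fail2ban item is outside the file and is not checked here.

```shell
#!/bin/sh
# Added example, not from the checklist author: review an sshd_config file
# against the "Secure SSH" items. This is a file review; `sshd -T` prints the
# effective configuration (including Match resolution) on a live host.

# Constructed sample with several weak settings (not from a real host).
WEAK_SSHD_CONFIG='# sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding yes
X11Forwarding no
'

# sshd_value FILE KEYWORD: print the first top-level value of KEYWORD
# (keywords are case-insensitive; everything after the first Match is ignored).
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { in_match = 1 }
        in_match { next }
        tolower($1) == key && !found { value = $2; found = 1 }
        END { print value }' "$1"
}

# sshd_findings FILE: one line per deviation; no output means all items pass.
# Defaults below are the OpenSSH defaults applied when a keyword is absent.
sshd_findings() {
    f="$1"
    port=$(sshd_value "$f" Port);                    [ -n "$port" ] || port=22
    root=$(sshd_value "$f" PermitRootLogin);         [ -n "$root" ] || root=prohibit-password
    pass=$(sshd_value "$f" PasswordAuthentication);  [ -n "$pass" ] || pass=yes
    fwd=$(sshd_value "$f" AllowTcpForwarding);       [ -n "$fwd" ] || fwd=yes
    users=$(sshd_value "$f" AllowUsers)
    [ "$port" != "22" ] || echo "Port: still on default 22"
    [ "$root" = "no" ]  || echo "PermitRootLogin: $root (want no)"
    [ "$pass" = "no" ]  || echo "PasswordAuthentication: $pass (want no, keys only)"
    [ "$fwd" = "no" ]   || echo "AllowTcpForwarding: $fwd (want no)"
    [ -n "$users" ]     || echo "AllowUsers: not set (restrict to named accounts)"
}

# Live usage: sshd_findings /etc/ssh/sshd_config
```

Run the review before restarting sshd, and keep an existing session open while you test a new configuration so a typo in AllowUsers or Port cannot lock you out.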

Enable SELinux / AppArmor

  • Check for software or settings that prevent enabling SELinux / AppArmor
  • Activate SELinux / AppArmor
  • Extend rules for 3rd party software or changed configuration (ssh)

Network settings

  • When not a router
    • Disable unneeded ip_forward
    • Disable send_redirects
    • Disable accept_redirects
    • Disable accept_source_route
    • Disable proxy_arp
    • Enable SYN-Cookie protection (tcp_syncookies=1, tcp_synack_retries=5)
  • Disable unneeded IPv6 on interfaces

Network Security

  • Add netfilter rules to protect services
    • on IPv4
    • on IPv6

User / Password

  • Disable login for system users
  • Force strong passwords
  • or lock passwords
  • Remove accounts of users who no longer exist
  • Check group memberships
  • Check access by AAA
  • Set limits to users
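
The account items can be checked from /etc/passwd and /etc/shadow. The functions below are an added example, not part of the original checklist; they work on copies of the two files (constructed samples here, the real files on a live host, read as root) and use a UID_MIN of 1000 as the system/regular boundary, which is an assumption to adjust to the value in /etc/login.defs.

```shell
#!/bin/sh
# Added example, not from the checklist author: find system accounts with a
# login shell, accounts with an empty password, and system accounts whose
# password is usable rather than locked.

# Constructed /etc/passwd and /etc/shadow excerpts (not from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
postgres:x:113:120:PostgreSQL:/var/lib/postgresql:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash'
SAMPLE_SHADOW='root:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
backup:$6$salt$hash:19000:0:99999:7:::
postgres:!:19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::
bob::19000:0:99999:7:::'

# system_users_with_shell PASSWD [UID_MIN]: non-root accounts below UID_MIN that
# still have an interactive shell ("Disable login for system users").
system_users_with_shell() {
    awk -F: -v uid_min="${2:-1000}" '
        $3 > 0 && $3 < uid_min && $7 !~ /(nologin|false)$/ { print $1, $7 }' "$1"
}

# empty_password_accounts SHADOW: accounts whose password field is empty, i.e.
# anyone can log in with no password at all.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# unlocked_system_accounts PASSWD SHADOW [UID_MIN]: system accounts whose shadow
# entry is a usable hash (or empty) instead of a locked "!" or "*" field
# ("or lock passwords").
unlocked_system_accounts() {
    awk -F: -v uid_min="${3:-1000}" '
        NR == FNR { if ($3 > 0 && $3 < uid_min) system_acct[$1] = 1; next }
        ($1 in system_acct) && $2 !~ /^[!*]/ { print $1 }' "$1" "$2"
}

# Live usage (as root):
#   system_users_with_shell /etc/passwd
#   empty_password_accounts /etc/shadow
#   unlocked_system_accounts /etc/passwd /etc/shadow
```

A service account that legitimately needs a shell for administration (the postgres account in the sample is a common case) can usually keep /usr/sbin/nologin and be reached with su -s /bin/sh instead; record the exceptions you decide to keep.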

Sudo

  • Allow access to root only by sudo
  • Restrict sudo to tasks
  • Check sudo ruleset

Check file permissions

  • Check which directories are writable/readable by ordinary users
  • Check for suid/sgid files
  • Check for device nodes outside /dev
  • Check for access to network mounts
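
The four permission items map onto a handful of find expressions. The script below is an added example, not part of the original checklist: audit_perms walks one filesystem from a given root and prints setuid/setgid files, world-writable directories without the sticky bit, world-writable files, and device nodes outside dev; network_mount_findings reads a file in /proc/mounts format and reports NFS/CIFS mounts that lack nosuid or nodev, which is the cheapest way to keep setuid binaries and device nodes on a remote share from mattering locally. The mount table sample is constructed; on a live host run as root with ROOT=/ and /proc/mounts, and repeat audit_perms for each additional filesystem, since -xdev keeps find on one of them.

```shell
#!/bin/sh
# Added example, not from the checklist author: file-permission audit helpers.

# audit_perms ROOT: one finding per line, "TAG path". Stays on ROOT's filesystem.
audit_perms() {
    root="${1%/}"                       # strip a trailing slash
    [ -n "$root" ] || root=/            # "/" itself
    # setuid/setgid binaries: each one is a privilege boundary to review
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | sed 's/^/SUID_SGID /'
    # world-writable directories without the sticky bit: any user can delete or
    # replace another user's files there (a sticky /tmp is fine and not listed)
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null \
        | sed 's/^/WORLD_WRITABLE_DIR /'
    # world-writable regular files
    find "$root" -xdev -type f -perm -0002 -print 2>/dev/null \
        | sed 's/^/WORLD_WRITABLE_FILE /'
    # device nodes anywhere except under ROOT/dev: a stray node can expose a raw
    # disk or memory to whoever can open it
    find "$root" -xdev -path "${root%/}/dev" -prune -o \( -type b -o -type c \) -print 2>/dev/null \
        | sed 's/^/DEVICE_NODE /'
}

# Constructed mount table in /proc/mounts format (not from a real host).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
fileserver:/export/home /home nfs4 rw,relatime,vers=4.2 0 0
//nas/share /mnt/share cifs rw,nosuid,nodev,relatime 0 0'

# network_mount_findings MOUNTS_FILE: NFS/CIFS mounts where setuid bits or
# device nodes from the remote side would be honoured locally.
network_mount_findings() {
    awk '$3 ~ /^(nfs|nfs4|cifs)$/ {
        split($4, o, ",")
        has_nosuid = 0; has_nodev = 0
        for (i in o) {
            if (o[i] == "nosuid") has_nosuid = 1
            if (o[i] == "nodev")  has_nodev = 1
        }
        if (!has_nosuid) print "MISSING_NOSUID", $2
        if (!has_nodev)  print "MISSING_NODEV", $2
    }' "$1"
}

# Live usage (as root):
#   audit_perms / > perms-$(date +%F).txt
#   network_mount_findings /proc/mounts
```

Keep the dated audit_perms output with the host documentation; the next run can then be diffed against it, which turns a long list into the short list of files whose permissions changed since the last review.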

Kernel hardening

  • Add kernel.exec-shield=1 to sysctl
  • Add kernel.randomize_va_space=2 to sysctl
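
The sysctl keys from the "Network settings" section (ip_forward, redirects, source routing, proxy_arp, SYN cookies) and from this section can be verified with one comparison. The script below is an added example, not part of the original checklist: EXPECTED_SYSCTL is the checklist rendered as key=value lines (the per-key choice of the all/default variants is my assumption; hosts that route or need IPv6 must drop the corresponding lines), and sysctl_findings compares it with a file in sysctl -a format, reporting MISMATCH for wrong values and MISSING for keys the running kernel does not have. kernel.exec-shield is the usual MISSING case: that key exists only on kernels carrying Red Hat's Exec Shield patch (RHEL 5/6 era); elsewhere sysctl -p reports an unknown key and the NX bit from the BIOS plus randomize_va_space cover the same ground. The sample sysctl -a output is constructed.

```shell
#!/bin/sh
# Added example, not from the checklist author: compare expected kernel
# parameters with the values a host reports.

# Expected key=value pairs. This is also valid sysctl.conf syntax, so the same
# text can be written to /etc/sysctl.d/99-hardening.conf and loaded with
# `sysctl --system` (minus the exec-shield line on kernels without that key).
EXPECTED_SYSCTL='net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.proxy_arp=0
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_synack_retries=5
kernel.randomize_va_space=2
kernel.exec-shield=1'

# Constructed sample of `sysctl -a` output with two wrong values and no
# exec-shield key (not captured from a real host).
SAMPLE_SYSCTL_A='net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 5
kernel.randomize_va_space = 2
kernel.hostname = example-host'

# sysctl_findings ACTUAL_FILE: ACTUAL_FILE holds "key = value" lines as printed
# by `sysctl -a`. Prints MISMATCH/MISSING lines; silence means all keys match.
sysctl_findings() {
    printf '%s\n' "$EXPECTED_SYSCTL" | awk -F= -v actual_file="$1" '
        BEGIN {
            # load the running values into an associative array
            while ((getline line < actual_file) > 0) {
                n = split(line, f, " *= *")
                if (n >= 2) actual[f[1]] = f[2]
            }
        }
        NF == 2 {
            key = $1; want = $2
            if (!(key in actual))          print "MISSING", key
            else if (actual[key] != want)  print "MISMATCH", key, "is", actual[key], "want", want
        }'
}

# Live usage (as root):
#   sysctl -a 2>/dev/null > /tmp/sysctl-now.txt && sysctl_findings /tmp/sysctl-now.txt
```

A MISSING line for a net.ipv6 key on a host where IPv6 is disabled, or for kernel.exec-shield on a mainline kernel, is expected and should be documented rather than "fixed" by adding the key to sysctl.conf, where it would only produce errors at boot.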