CentOS Linux 7 benchmark definition
11/29/2023

This HowTo walks you through the steps required to security harden CentOS 7. It is based on the OpenSCAP benchmark; unfortunately, the current version of OpenSCAP that ships with CentOS does not officially support CentOS CPEs. There is a “workaround” that will allow OpenSCAP + OpenSCAP Workbench to run on CentOS, which I’ll document in a separate post.

To follow this guide you will need a minimal CentOS 7 install, ideally using the Kickstart file below or copying its partition layout. Installing CentOS 7 using a minimal installation reduces the attack surface and ensures you only install software that you require.

This guide only covers the base system + SSH hardening. I will document specific service hardening separately, such as HTTPD, SFTP, LDAP, BIND etc.

In the section on removing unrequired services, if you installed a minimal CentOS 7 install, you’ll likely have nothing to remove or disable; I’ve included this section for completeness.

Why use OpenSCAP?

After a lot of research I decided to use OpenSCAP over other security hardening benchmarks / guides, here is my reasoning for doing so:

Issues with Security Hardening

After hardening a system you may run into issues: hardening makes a system more restrictive, especially SELinux or filesystem-related permission hardening. When hardening a system for a specific task, I recommend creating a duplicate virtual machine you can use for troubleshooting. Should you run into an issue that you think is related to security hardening, you’ll be able to confirm by running it on the Vanilla system. Obviously don’t expose the Vanilla (un-hardened) system to the network!
- Disable X Windows Startup By Setting Runlevel
- Prevent Log In to Accounts With Empty Password
- Check no daemons are unconfined by SELinux
- System Audit Logs Must Be Owned By Root
- Audit Processes Which Start Prior to auditd
- Disable IPv6 Support Automatically Loading
- Require Authentication for Single User Mode
- Max Password Login Attempts per Session
- Enable Secure (high quality) Password Policy