Sean "Forty-Bot" Anderson's 0x539 Linux Checklist v1.0
Notes
- If a command errors or fails, try it again with sudo (or sudo !! to save typing).
- Google anything and everything. If you don't know or understand something, google it.
- When you see the syntax $word, do not type it verbatim, but instead substitute the appropriate word (usually referenced in a previous command).
- When the order of steps does not matter, bullet points have been used instead of ordinals.
- To edit files, run gedit, a graphical editor akin to notepad; nano, a simple command-line editor; or vim, a powerful but less intuitive command-line editor. Note that vim may need to be installed with apt-get install vim.
Checklist
1. Read the readme. Note down which ports/users are allowed.
2. Do forensics questions. You may destroy the requisite information if you work on the checklist first!
3. Secure root: set
   PermitRootLogin no
   in /etc/ssh/sshd_config.
4. Secure users.
   - Disable the guest user. Open /etc/lightdm/lightdm.conf and add the line
     allow-guest=false
     Then restart your session with
     sudo restart lightdm
     This will log you out, so make sure you are not executing anything important.
   - Open /etc/passwd and check which users
     - are uid 0
     - can log in
     - are allowed in the readme
   - Delete unauthorized users:
     sudo userdel -r $user
     sudo groupdel $user
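The /etc/passwd review above, as an added example that is not part of the original checklist: it lists uid-0 accounts, accounts with an interactive shell, and login-capable accounts missing from the readme's allowed list. The passwd entries and the allowed list are constructed.

```shell
#!/bin/sh
# Added example (not the checklist author's code): audit an /etc/passwd-style
# file for uid-0 accounts and login-capable accounts, and report any login
# account that the readme does not allow. All names below are constructed.

# Constructed sample in /etc/passwd format; on a real box pass "$(cat /etc/passwd)".
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backdoor:x:0:0::/home/backdoor:/bin/sh
mallory:x:1002:1002::/home/mallory:/bin/false'

# Every account whose uid is 0 (anything besides root is suspicious).
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Accounts that can log in: login shell is neither nologin nor false.
login_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Login-capable accounts that are not in the allowed list ($2, space-separated).
unauthorized_accounts() {
    for u in $(login_accounts "$1"); do
        case " $2 " in
            *" $u "*) ;;                  # allowed by the readme
            *) printf '%s\n' "$u" ;;
        esac
    done
}

# Usage on a real system:
#   uid0_accounts "$(cat /etc/passwd)"
#   unauthorized_accounts "$(cat /etc/passwd)" "root alice bob"
```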
   - Check /etc/sudoers.d and make sure only members of group sudo can sudo.
   - Check /etc/group and remove non-admins from the sudo and admin groups.
   - Check user directories:
     cd /home
     sudo ls -Ra *
     Look in any directories which show up for media files/tools and/or "hacking tools", then
     cd
     to return home.
   - Enforce password requirements.
     1. Add or change password expiration requirements in /etc/login.defs:
        PASS_MIN_DAYS 7
        PASS_MAX_DAYS 90
        PASS_WARN_AGE 14
     2. Add a minimum password length, password history, and complexity requirements.
        - Open /etc/pam.d/common-password with sudo.
        - Add minlen=8 to the end of the line that has pam_unix.so in it.
        - Add remember=5 to the end of the line that has pam_unix.so in it.
        - Locate the line that has pam_cracklib.so in it. If you cannot find that line, install cracklib with
          sudo apt-get install libpam-cracklib
        - Add ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 to the end of that line (each -1 requires at least one upper-case, lower-case, digit and other character).
     3. Implement an account lockout policy.
        - Open /etc/pam.d/common-auth.
        - Add deny=5 unlock_time=1800 to the end of the line with pam_tally2.so in it. Ubuntu does not ship such a line by default; if it is missing, add one before the pam_unix.so line:
          auth required pam_tally2.so deny=5 unlock_time=1800
     4. Change all passwords to satisfy these requirements. chpasswd is very useful for this purpose.
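The login.defs and PAM edits in steps 1 and 2 above, as an added example that is not the checklist's own code: two small helpers apply the settings idempotently, so running the script twice does not duplicate options. It works on constructed copies of the two files so it runs offline; on a real machine point LOGIN_DEFS and COMMON_PASSWORD at /etc/login.defs and /etc/pam.d/common-password.

```shell
#!/bin/sh
# Added example (not the checklist author's code): apply the login.defs and PAM
# settings idempotently. Works on constructed copies so it runs offline; on a
# real machine point LOGIN_DEFS and COMMON_PASSWORD at the files in /etc.

# Set KEY to VALUE in a login.defs-style file, replacing the line or appending it.
set_login_def() {            # $1 = file, $2 = key, $3 = value
    if grep -q "^$2[[:space:]]" "$1"; then
        sed -i "s/^$2[[:space:]].*/$2\t$3/" "$1"
    else
        printf '%s\t%s\n' "$2" "$3" >> "$1"
    fi
}

# Append OPTION(s) to the non-comment line that loads MODULE, unless already present.
ensure_pam_opt() {           # $1 = file, $2 = module, $3 = option(s)
    grep -q "^[^#]*$2" "$1" || { echo "no $2 line in $1" >&2; return 1; }
    if ! grep "^[^#]*$2" "$1" | grep -q -- "$3"; then
        sed -i "/^[^#]*$2/ s/\$/ $3/" "$1"
    fi
}

# Constructed sample files (cut-down versions of what Ubuntu ships).
TMP=$(mktemp -d)
LOGIN_DEFS="$TMP/login.defs"
COMMON_PASSWORD="$TMP/common-password"
printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\n' > "$LOGIN_DEFS"
printf '# /etc/pam.d/common-password (constructed)\n' > "$COMMON_PASSWORD"
printf 'password\trequisite\tpam_cracklib.so retry=3\n' >> "$COMMON_PASSWORD"
printf 'password\t[success=1 default=ignore]\tpam_unix.so obscure use_authtok sha512\n' >> "$COMMON_PASSWORD"

# The checklist's settings; safe to run more than once.
harden() {
    set_login_def "$LOGIN_DEFS" PASS_MIN_DAYS 7
    set_login_def "$LOGIN_DEFS" PASS_MAX_DAYS 90
    set_login_def "$LOGIN_DEFS" PASS_WARN_AGE 14
    ensure_pam_opt "$COMMON_PASSWORD" pam_unix.so "minlen=8 remember=5"
    ensure_pam_opt "$COMMON_PASSWORD" pam_cracklib.so "ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1"
}

# Value of one login.defs key (used to verify the result).
login_def() { awk -v k="$2" '$1 == k { print $2 }' "$1"; }

harden
cat "$LOGIN_DEFS" "$COMMON_PASSWORD"
```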
5. Enable automatic updates. In the GUI set Update Manager -> Settings -> Updates -> Check for updates: -> Daily.
6. Secure ports.
   sudo ss -ln
   - If a port has 127.0.0.1:$port in its line, that means it's bound to loopback and isn't exposed. Otherwise, only ports specified in the readme should be open (but there will probably be tons more).
   - For each open port which should be closed:
     1. sudo lsof -i :$port
        Copy the program which is listening on the port.
     2. whereis $program
        Copy where the program is (if there is more than one location, just copy the first one).
     3. dpkg -S $location
        This shows which package provides the file. If there is no package, that means you can probably delete it with
        rm $location; killall -9 $program
     4. sudo apt-get purge $package
        Check to make sure you aren't accidentally removing critical packages before hitting "y".
     5. Run
        sudo ss -ln
        again to make sure the port actually closed.
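The port review above, as an added example that is not part of the original checklist: it parses ss output to separate loopback-only listeners from exposed ones, flags exposed ports the readme does not allow, and chains the lsof / whereis / dpkg -S steps for one port. SAMPLE_SS and the allowed port list are constructed; trace_port needs root and is not exercised offline.

```shell
#!/bin/sh
# Added example (not the checklist author's code): sort the listeners from
# `ss -ln` into loopback-only vs. exposed, flag exposed ports the readme does
# not allow, and trace one port back to its package with the checklist's
# lsof/whereis/dpkg steps. SAMPLE_SS is constructed; use "$(sudo ss -lnt)" live.

SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     *:80                 *:*
LISTEN  0       50      0.0.0.0:6667         0.0.0.0:*
LISTEN  0       128     [::1]:631            [::]:*
LISTEN  0       128     [::]:21              [::]:*'

# Print "port address" for every listener not bound to 127.0.0.1 or [::1].
exposed_ports() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        addr = $4; sub(/:[^:]*$/, "", addr)      # drop the :port suffix
        port = $4; sub(/.*:/, "", port)          # keep only the port
        if (addr != "127.0.0.1" && addr != "[::1]") print port, addr
    }'
}

# Exposed ports that are not in the readme's allowed list ($2, space-separated).
unexpected_ports() {
    exposed_ports "$1" | while read -r port addr; do
        case " $2 " in
            *" $port "*) ;;                      # allowed by the readme
            *) printf '%s\n' "$port" ;;
        esac
    done
}

# Listener -> binary -> package for one port (needs root; not exercised offline).
trace_port() {
    prog=$(sudo lsof -i :"$1" -sTCP:LISTEN -Fc | sed -n 's/^c//p' | head -n 1)
    [ -n "$prog" ] || { echo "nothing is listening on port $1" >&2; return 1; }
    path=$(command -v "$prog" || whereis -b "$prog" | awk '{ print $2 }')
    echo "port $1: $prog at $path"
    dpkg -S "$path" 2>/dev/null || echo "$path is not owned by any package (candidate for rm)"
}

# Usage on a real box:  unexpected_ports "$(sudo ss -lnt)" "22 80"
```

Run the same functions over "$(sudo ss -lnu)" to cover UDP listeners as well.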
7. Secure network.
   - Enable the firewall:
     sudo ufw enable
   - Enable SYN cookie protection:
     sudo sysctl -w net.ipv4.tcp_syncookies=1
     (sysctl -n net.ipv4.tcp_syncookies only prints the current value, it does not change it. To keep the setting across reboots, also add net.ipv4.tcp_syncookies = 1 to /etc/sysctl.conf.)
   - Disable IPv6 (potentially harmful):
     echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
     Run sudo sysctl -p afterwards to apply it.
   - Disable IP forwarding:
     echo 0 | sudo tee /proc/sys/net/ipv4/ip_forward
     (This takes effect immediately but does not survive a reboot; add net.ipv4.ip_forward = 0 to /etc/sysctl.conf as well.)
   - Prevent IP spoofing:
     echo "nospoof on" | sudo tee -a /etc/host.conf
8. Install updates. Start this before the half-way point.
   - Do general updates:
     sudo apt-get update
     sudo apt-get upgrade
   - Update services specified in the readme.
     1. Google to find what the latest stable version is.
     2. Google "ubuntu install $service $version".
     3. Follow the instructions.
   - Ensure that you have points for upgrading the kernel, each service specified in the readme, and bash if it is vulnerable to Shellshock.
9. Configure services.
   - Check service configuration files for required services. Usually a wrong setting in a config file for SQL, Apache, etc. will be a point.
   - Ensure all services are legitimate:
     service --status-all
10. Check the installed packages for "hacking tools," such as password crackers.
11. Run other (more comprehensive) checklists. This checklist is designed to get most of the common points, but it may not catch everything.
Tips
- Netcat is installed by default in Ubuntu. You will most likely not get points for removing this version.
- Some services (such as ssh) may be required even if they are not mentioned in the readme. Others may be points even if they are explicitly mentioned in the readme.
Acknowledgements
- Michael "MB" Bailey and Christopher "CJ" Gardner without whose checklists this would never have been possible.
- Alexander Dittman and Alistair Norton for being fellow Linux buddies.
- My 2015-16 CP team: Quiana Dang, Sieun Lee, Jasper Woolley, and David Randazzo.
- In no particular order: Marcus Phoon, Joshua Hufnagel, Patrick Hufnagel, Michael-Andrew Keays, Christopher May, Garrett Brothers, Joseph Kelley, and Julian Vallyeason.
- And the CyberPatriot program.
This checklist is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.