The Federal Service for Technical and Export Control of the Russian Federation (FSTEC) has developed and approved methodological recommendations (PDF, 7 pages) for increasing the security of systems based on the Linux kernel. The recommendations are to be applied in state information systems and at critical information infrastructure facilities of the Russian Federation that are built using Linux and are not subject to state information security requirements.
The document covers areas such as configuring authorization, restricting privilege-escalation mechanisms, setting access rights, configuring the Linux kernel's protection mechanisms, reducing the attack surface of the Linux kernel, and configuring the user-space protection mechanisms provided by the Linux kernel.
Main recommendations:
- Prohibiting user accounts with empty passwords.
- Disabling superuser login over SSH (“PermitRootLogin no” in /etc/ssh/sshd_config).
- Restricting use of the su command to members of the wheel group (“auth required pam_wheel.so use_uid” in /etc/pam.d/su).
- Restricting the list of users who are allowed to use the sudo command.
- Setting correct access rights on the files holding user parameters (chmod 644 /etc/passwd /etc/group) and password hashes (chmod go-rwx /etc/shadow).
- Setting correct access rights on the files of running processes: running “chmod go-w /path/to/file” for every executable file and library associated with the currently running processes, then verifying that the directory containing these files, as well as all of its parent directories, is not writable by unprivileged users.
- Setting correct access rights on executables invoked from cron (“chmod go-w /path/to/file”), as well as on the cron configuration files /etc/crontab and /etc/cron.* (“chmod go-wx”).
- Setting correct access rights on files executed via sudo (“chown root /path/to/file” and “chmod go-w /path/to/file”).
- Setting correct access rights on system startup scripts (“chmod o-w filename” for each file in /etc/rc#.d, as well as on .service files).
- Setting correct access rights on executables and libraries located in the standard paths (/bin, /usr/bin, /lib, /lib64, etc.), as well as on kernel modules (/lib/modules/<kernel-version>).
- Setting correct access rights on SUID/SGID applications: auditing all SUID/SGID applications and removing the SUID/SGID bits from those that do not need them.
- Setting correct access rights on the contents of user home directories (.bash_history, .history, .sh_history, .bash_profile, .bashrc, .profile, .bash_logout, etc.).
- Setting correct access rights on user home directories themselves (chmod 700 directory).
- Restricting access to the kernel log (sysctl -w kernel.dmesg_restrict=1).
- Preventing disclosure of kernel address-space information via /proc/kallsyms (sysctl -w kernel.kptr_restrict=2).
- Initializing kernel dynamic memory on allocation (init_on_alloc=1 boot parameter).
- Disabling merging of kernel slab allocator caches (slab_nomerge boot parameter).
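The following POSIX shell audit helpers are an added example, not part of the FSTEC document or any official tool: each function checks one of the settings listed above against a file passed as an argument, so the same checks can be run on the live system (the standard paths /etc/ssh/sshd_config, /etc/pam.d/su, /etc/shadow and /proc/sys/kernel are assumed) or on constructed fixtures.

```shell
# Every check returns 0 when the setting is compliant and 1 otherwise; the file
# to inspect is always an argument, never hard-coded inside the check itself.

# sshd honours the FIRST PermitRootLogin directive it finds, so only that one
# counts; both the "Key value" and "Key=value" spellings are accepted.
ssh_root_login_disabled() {
    awk '{ gsub(/=/, " ") } tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1" |
        grep -qx no
}

# /etc/pam.d/su must carry an active "auth required pam_wheel.so ..." line.
su_limited_to_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# /etc/shadow: an empty second field is an account with no password at all.
# Fails when the file is unreadable, so an unprivileged run cannot yield a false pass.
no_empty_passwords() {
    [ -r "$1" ] && ! awk -F: '$2 == "" { found = 1 } END { exit !found }' "$1"
}

# Compare a /proc/sys value with the expected one, e.g. kernel/dmesg_restrict == 1.
sysctl_equals() {
    [ -r "$1" ] && [ "$(cat "$1")" = "$2" ]
}

# True when none of the given octal permission bits are set (022 = go-w, 077 = go-rwx).
perm_bits_clear() {
    [ -e "$1" ] && [ -z "$(find "$1" -maxdepth 0 -perm /"$2")" ]
}

# The "parent directories" rule: the file and every directory up to TOP (default /)
# must be go-w, otherwise a writable parent undermines the permissions on the file.
ancestors_not_writable() {
    p=$1; top=${2:-/}
    while [ "$p" != "$top" ] && [ "$p" != / ]; do
        perm_bits_clear "$p" 022 || return 1
        p=$(dirname "$p")
    done
    perm_bits_clear "$p" 022
}

show() {  # show <label> <check> <args...>: print PASS/FAIL without aborting the script
    label=$1; shift
    if "$@" 2>/dev/null; then echo "PASS $label"; else echo "FAIL $label"; fi
}

show "PermitRootLogin no"        ssh_root_login_disabled /etc/ssh/sshd_config
show "su limited to wheel"       su_limited_to_wheel /etc/pam.d/su
show "no empty passwords"        no_empty_passwords /etc/shadow
show "/etc/shadow is go-rwx"     perm_bits_clear /etc/shadow 077
show "kernel.dmesg_restrict = 1" sysctl_equals /proc/sys/kernel/dmesg_restrict 1
show "kernel.kptr_restrict = 2"  sysctl_equals /proc/sys/kernel/kptr_restrict 2
show "/usr/bin/sudo path go-w"   ancestors_not_writable /usr/bin/sudo
```

Run it as root to audit the real files; the shadow and sysctl checks deliberately report FAIL rather than PASS when the file cannot be read.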