CentOS - SIG Hardening

Dear CentOS Development Team,

I am interested in starting a new SIG or merging with the ‘Hardening’ SIG;
I didn’t find sufficient information about the Hardening SIG. I have been
on the mailing list for some years and I have noticed a number of concerns
with regard to security, e.g. the default sshd_config, the GNOME user list and
more.

My goal is to use the base and modify the OS with these changes and make it
available to the CentOS community. I will mention this on the mailing list
to get the community's feedback so that they can have an opportunity to
contribute and, more importantly, get an OS that meets their needs with
regard to their security concerns.

I’m not too familiar with the CentOS build system; however, I have started to
read up on it and practice to get a feel for things. Some of the things that
I would like to change are as follows:

SSH:
disable root (uncomment 'PermitRootLogin' and change to no)
enable 'strictMode'
modify 'MaxAuthTries'
modify 'ClientAliveInterval'
modify 'ClientAliveCountMax'

Gnome:
disable Gnome user list

Console:
Remove reboot, halt, poweroff from /etc/security/console.app

Looking forward to your response on how I can proceed with this.
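As an added example that is not part of the original post, a small Python audit of the sshd_config directives listed above. It models how sshd reads the file (first occurrence of a keyword wins, keywords are case-insensitive, '#' starts a comment, directives inside Match blocks are conditional) so that a commented-out default such as "#PermitRootLogin yes" is reported as an unchanged default rather than a hardened setting. The numeric thresholds and the sample config are this example's assumptions.

```python
import re

# Directives from the post and the values this example treats as satisfying it.
# The numeric thresholds are assumptions for illustration, not values from the post.
CHECKS = {
    "permitrootlogin": lambda v: v.lower() == "no",
    "strictmodes": lambda v: v.lower() == "yes",
    "maxauthtries": lambda v: v.isdigit() and int(v) <= 4,
    "clientaliveinterval": lambda v: v.isdigit() and 0 < int(v) <= 300,
    "clientalivecountmax": lambda v: v.isdigit() and int(v) <= 3,
}


def parse_sshd_config(text: str) -> dict:
    """Return the effective global directives of an sshd_config.

    sshd keeps the FIRST occurrence of a keyword, ignores '#' comments and
    matches keywords case-insensitively. Everything from the first 'Match'
    block onward is conditional, so it is not counted as a global setting.
    """
    effective = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective


def audit(text: str) -> dict:
    """Map each checked directive to 'ok', 'weak' or 'default' (absent or
    commented out, so the compiled-in default applies and the change is missing)."""
    effective = parse_sshd_config(text)
    return {key: ("default" if key not in effective
                  else "ok" if ok(effective[key]) else "weak")
            for key, ok in CHECKS.items()}


# Constructed sample resembling a stock sshd_config; not a real file.
SAMPLE = """\
#PermitRootLogin yes
StrictModes yes
MaxAuthTries 6
ClientAliveInterval 300
#ClientAliveCountMax 3
Match User backup
    PermitRootLogin no
"""

if __name__ == "__main__":
    for directive, status in audit(SAMPLE).items():
        print(f"{directive:22} {status}")
```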

Comments

Re: CentOS - SIG Hardening

By Jason Pyeron at 04/13/2015 - 09:33

I have been patching/rebuilding RHEL/CentOS RPMs to comply with the STIGs. This sounds interesting.

Re: CentOS - SIG Hardening

By leam hall at 04/13/2015 - 09:37

Hey Jason! The stuff I'm working on is STIG compliance as well. I've done a
lot of RHEL 6 scripts, Vincent Passaro did a lot of RHEL 5 ones, and the
new project is pulling in those and Puppet content as well.

https://github.com/LeamHall/SecComFrame

Leam

Re: CentOS - SIG Hardening

By Earl Ramirez at 04/13/2015 - 10:10

Corey,
We will be happy to have your hat in; I think one of us can coordinate
things.

Re: CentOS - SIG Hardening

By Karanbir Singh at 04/22/2015 - 09:55

On 04/13/2015 03:10 PM, Earl A Ramirez wrote:

You will need someone to help with that process; I can do that if you
are willing to wait till the first week of May.

Another thing I want to throw in, paraphrasing another conversation:

We should consider for EL7, building everything (as far as possible) as
PIE/RELRO, swapping out dlmalloc in libc for something else (probably
jemalloc). Perhaps also use -finit-local-vars (especially in the kernel)
and -fwrapv.

Thoughts?
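As an added example, not from this thread or from the CentOS project, here is a Python check for two of the properties proposed above, PIE and RELRO, read straight from an ELF64 image. The constants are the standard ELF and glibc ABI values; the sample image is constructed inline so the check runs without a real binary. The remaining proposals (jemalloc, -finit-local-vars, -fwrapv) do not leave a marker in the ELF headers and are not checked here.

```python
import struct

# Standard ELF / glibc ABI constants used below.
ET_EXEC, ET_DYN = 2, 3
PT_NULL, PT_DYNAMIC, PT_GNU_RELRO = 0, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 0, 24, 30, 0x8


def elf_hardening(data: bytes) -> dict:
    """Report PIE and RELRO status of a little-endian ELF64 image in memory.

    PIE: e_type is ET_DYN (shared objects look the same, so feed it executables).
    RELRO: 'partial' if a PT_GNU_RELRO segment exists, 'full' if the dynamic
    section also requests immediate binding (DT_BIND_NOW, or DF_BIND_NOW in
    DT_FLAGS), which lets the loader make the GOT read-only after relocation.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro = bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            # Walk (d_tag, d_val) pairs until DT_NULL terminates the table.
            for pos in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<QQ", data, pos)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
                    bind_now = True
    return {"pie": e_type == ET_DYN,
            "relro": "full" if relro and bind_now else "partial" if relro else "none"}


def build_sample(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image (header, two program headers, a dynamic
    table). It is not a runnable binary; it only exercises the checker."""
    dyn = struct.pack("<QQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack("<QQ", DT_NULL, 0)
    dyn_off = 64 + 2 * 56  # ELF header followed by two 56-byte program headers
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                               62, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    ph_dyn = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    ph_relro = struct.pack("<IIQQQQQQ", PT_GNU_RELRO if relro else PT_NULL, 4, 0, 0, 0, 0, 0, 1)
    return ehdr + ph_dyn + ph_relro + dyn
```

To check a real file, read it in binary mode and pass the bytes to elf_hardening; a PIE executable built with full RELRO reports {"pie": True, "relro": "full"}.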

Re: CentOS - SIG Hardening

By Corey Henderson at 04/22/2015 - 10:06

Is this for stock EL7 or would there be a whole new slew of rpm packages in a separate repo with these compile options that need to be maintained?

Re: CentOS - SIG Hardening

By Karanbir Singh at 04/22/2015 - 10:30

On 04/22/2015 03:06 PM, Corey Henderson wrote:
yeah, separate repo :)

Re: CentOS - SIG Hardening

By leam hall at 04/22/2015 - 10:04

On Wed, Apr 22, 2015 at 9:55 AM, Karanbir Singh <mail- ... at karan dot org>
wrote:

I'm happy to wait, if we can move forward in decent time. What do you need
from us?

Leam

Re: CentOS - SIG Hardening

By Karanbir Singh at 04/22/2015 - 10:28

On 04/22/2015 03:04 PM, leam hall wrote:
We will need to work out a clear picture of what we intend to deliver,
what the wider goal is going to be, what resources we need and who's
going to be in and helping play the game (ideally, also a few things
around how we can promote this effort etc.).

Maybe take a look at the already onboarding/onboarded SIGs' proposals,
e.g.: http://wiki.centos.org/SpecialInterestGroup/Virtualization and
http://wiki.centos.org/SpecialInterestGroup/Cloud

http://wiki.centos.org/SpecialInterestGroup/Hardending is likely where
the proposal should end up. If you want, ask for write perms on that
URL in the centos-docs list and feel free to start working on a draft if
you like :)

Re: CentOS - SIG Hardening

By Earl Ramirez at 04/22/2015 - 12:59

On Wed, 2015-04-22 at 15:28 +0100, Karanbir Singh wrote:
I will start working on the draft in the meantime, and when the clear
picture is worked out the wiki will be updated.

Re: CentOS - SIG Hardening

By leam hall at 04/13/2015 - 07:55

On 04/13/15 07:24, Earl A Ramirez wrote:
Earl,

I'm in the same boat but different oar. I think we have a few folks
interested in SIG Hardening.

Informal poll; who all is interested in SIG-Hardening? Speak up with
your interests; let's see if there's enough to get more organized.

Leam

Re: CentOS - SIG Hardening

By Earl Ramirez at 04/13/2015 - 08:45

Leam,

Happy that we are in the same boat; hopefully we get more folks involved
and the approval of a board member so that we can make this happen. I will
shoot an email over to the general mailing list to see if anyone is
interested in getting on board.

Re: CentOS - SIG Hardening

By Corey Henderson at 04/13/2015 - 09:16

I'm happy to throw my hat in the ring to help out. I just can't be the one coordinating things.