RLC Security Guide¶
This guide covers security hardening and best practices for Rocky Linux from CIQ (RLC).
Security Baseline¶
Initial Security Assessment¶
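# Check current security status. Lynis (like rkhunter and clamav later in
# this guide) is an EPEL package on Enterprise Linux, so enable EPEL first;
# the install is a no-op when it is already present.
sudo dnf install epel-release
sudo dnf install lynis
sudo lynis audit system
# Review the resource-limit and password-quality policies currently in place
for policy in /etc/security/limits.conf /etc/security/pwquality.conf; do
  cat -- "$policy"
done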
System Hardening¶
# Bring the system fully up to date before any baseline is taken
sudo dnf update
# Install security tools (rkhunter and clamav come from EPEL on Enterprise
# Linux, aide from AppStream)
security_pkgs=(aide rkhunter clamav clamav-update)
sudo dnf install "${security_pkgs[@]}"
# Configure AIDE (file integrity monitoring): build the initial database on
# the freshly updated system and promote it to the active baseline
sudo aide --init
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
User and Access Management¶
User Account Security¶
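# Set password policies. sudoedit edits a temporary copy with the invoking
# user's editor and only the write-back runs as root; `sudo vim` runs the
# whole editor (plugins, :! shell escapes) with root privileges.
sudoedit /etc/security/pwquality.conf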
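# Recommended settings:
# Minimum length, and at least three of the four character classes
minlen = 12
minclass = 3
# No more than two identical consecutive characters
maxrepeat = 2
# A negative credit means "require at least one" digit / upper / lower / other
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
# Without this, pam_pwquality only prints the failed check when root sets a
# password (for itself or another user) and lets the weak password through
enforce_for_root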
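# Configure account lockout (sudoedit: the editor runs unprivileged, only
# the write-back is root)
sudoedit /etc/security/faillock.conf
# The settings only take effect once pam_faillock is in the PAM stack; on
# authselect-managed systems (the EL9 default) enable the feature with:
sudo authselect enable-feature with-faillock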
# Settings:
# Lock the account after 5 consecutive failures ...
deny = 5
# ... for 15 minutes (root is not locked unless even_deny_root is set) ...
unlock_time = 900
# ... counting only failures that fall within a 15-minute window
fail_interval = 900
SSH Hardening¶
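# Configure SSH security (sudoedit keeps the editor unprivileged).
# EL9's stock sshd_config includes /etc/ssh/sshd_config.d/*.conf; a drop-in
# there survives package updates, but sshd keeps the FIRST value it reads
# for each keyword, so such a file must sort before the vendor 50-redhat.conf.
sudoedit /etc/ssh/sshd_config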
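# Recommended settings:
# Non-default port; the SELinux port label must be added before restart
Port 2222
# (`Protocol 2` dropped: server-side protocol 1 was removed in OpenSSH 7.4,
# so the keyword is obsolete.)
PermitRootLogin no
PasswordAuthentication no
# PAM keyboard-interactive authentication can still accept passwords unless
# it is disabled as well (keyword: ChallengeResponseAuthentication on
# OpenSSH older than 8.7)
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
# Placeholder: replace with the real administrative account(s)
AllowUsers admin-user
MaxAuthTries 3
# Drop idle sessions after 2 missed keepalives (10 minutes)
ClientAliveInterval 300
ClientAliveCountMax 2
X11Forwarding no
# Keep PAM on: pam_faillock and account restrictions are applied through it
UsePAM yes
# Log the key fingerprint used for each login, useful for attribution
LogLevel VERBOSE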
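# Label the new port for SELinux (enforcing by default on Enterprise Linux);
# without the label sshd cannot bind to 2222. semanage is in
# policycoreutils-python-utils; use `-m` instead of `-a` if the port is
# already labelled.
sudo semanage port -a -t ssh_port_t -p tcp 2222
# Syntax-check the configuration so a typo cannot lock you out
sudo sshd -t
# Apply changes; keep this session open and confirm a NEW login works
# before closing it
sudo systemctl restart sshd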
Sudo Configuration¶
# Configure sudo securely. visudo locks the file and refuses to save a
# syntactically invalid sudoers (a broken file locks everyone out of sudo);
# `sudo visudo -f /etc/sudoers.d/<name>` edits a drop-in the same way.
sudo visudo
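# Add security settings:
# Log every sudo invocation to a dedicated file (in addition to syslog/journal)
Defaults logfile="/var/log/sudo.log"
# Reset the environment and force a fixed PATH so the caller cannot inject
# variables or look-alike binaries into commands run as root
Defaults env_reset
Defaults secure_path="/sbin:/bin:/usr/sbin:/usr/bin"
# Re-prompt for the password after 15 minutes of sudo inactivity
Defaults timestamp_timeout=15
# Run commands in a pseudo-terminal so a malicious program cannot inject
# keystrokes into the calling terminal (CIS recommendation)
Defaults use_pty
# requiretty additionally refuses sudo without a tty; note this blocks
# non-interactive callers such as cron jobs and configuration management
Defaults requiretty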
Network Security¶
Firewall Configuration¶
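# Configure firewall with strict rules. --set-default-zone applies at once
# and persistently: every interface without an explicit zone now drops
# unsolicited traffic (verify with: sudo firewall-cmd --get-active-zones).
sudo firewall-cmd --set-default-zone=drop
# Allow only necessary services, in the zone the interfaces actually sit in.
# Rules added to --zone=public would never be consulted once the interfaces
# belong to "drop". Only the rate-limited rich rule is added for SSH: a plain
# --add-port/--add-service for the same port would accept the connections the
# limit is meant to stop, whichever rule is evaluated first. Use port="22"
# (or service name="ssh") if sshd still listens on the default port.
sudo firewall-cmd --permanent --zone=drop \
  --add-rich-rule='rule port port="2222" protocol="tcp" accept limit value="3/m"'
# Apply changes
sudo firewall-cmd --reload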
Network Monitoring¶
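# Install network monitoring tools. tcpdump/wireshark-cli capture packets and
# nmap scans hosts; on a hardened server consider installing them only for
# the duration of an investigation.
sudo dnf install nmap tcpdump wireshark-cli
# Monitor listening sockets. `ss` replaces the deprecated `netstat` (net-tools
# is not part of the default EL9 install), so only one command is needed.
sudo ss -tulpn
# Check for suspicious connections; -n/-P skip DNS and service-name lookups,
# so the listing is fast and sends no reverse-DNS queries for peer addresses
sudo lsof -i -n -P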
File System Security¶
File Permissions¶
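# Set secure permissions on sensitive files. On Enterprise Linux the packaged
# mode of /etc/shadow and /etc/gshadow is 0000 (the CIS benchmark value);
# chmod 600 would loosen it. Ownership is fixed too, since a wrong owner
# defeats the mode entirely.
sudo chown root:root /etc/shadow /etc/gshadow /etc/passwd /etc/group
sudo chmod 0000 /etc/shadow /etc/gshadow
sudo chmod 644 /etc/passwd /etc/group
# Secure system directories (755 on /etc and 1777 on /tmp are the packaged
# defaults; /root ships as 550, and 700 is equally restrictive for others)
sudo chmod 700 /root
sudo chmod 755 /etc
sudo chmod 1777 /tmp
# Packaged modes/owners can be restored from the RPM database at any time,
# e.g. `sudo rpm --setperms setup` for the files in /etc above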
Mount Options¶
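# Configure secure mount options. List the filesystem UUIDs first so entries
# do not depend on /dev/sdX naming, then edit with an unprivileged editor
# session (only the write-back runs as root).
sudo blkid
sudoedit /etc/fstab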
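# Add security options. Reference filesystems by UUID (from `blkid`) rather
# than /dev/sdX, which can change between boots; the UUID values below are
# placeholders.
UUID=<root-fs-uuid>  /         ext4   defaults,noatime                 0 1
# noexec on /tmp blocks installers and dnf scriptlets that unpack and run
# there; remount with exec temporarily if a package install fails
UUID=<tmp-fs-uuid>   /tmp      ext4   defaults,nodev,nosuid,noexec     0 2
UUID=<var-fs-uuid>   /var      ext4   defaults,nodev                   0 2
UUID=<home-fs-uuid>  /home     ext4   defaults,nodev,nosuid            0 2
# Shared memory: no device nodes, setuid binaries or executables (CIS)
tmpfs                /dev/shm  tmpfs  defaults,nodev,nosuid,noexec     0 0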
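# Validate the edited fstab before touching live mounts, then remount so the
# new options take effect (a bare `remount` re-reads the options from fstab)
sudo findmnt --verify
for mnt in /tmp /var /home; do
  sudo mount -o remount "$mnt"
  # confirm the flags are actually active on the live mount
  findmnt -no TARGET,OPTIONS "$mnt"
done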
Process and Service Security¶
Service Hardening¶
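# Disable unnecessary services. --now also stops the running instance (plain
# `disable` leaves it running until reboot); the socket/path units are listed
# too because they can re-activate a disabled service on demand. Units that
# are not installed just produce an error and are skipped.
# Note: postfix is the local MTA — the `mail` command used for reports later
# in this guide needs one.
for unit in postfix cups.service cups.socket cups.path bluetooth \
            avahi-daemon.service avahi-daemon.socket; do
  sudo systemctl disable --now "$unit"
done
# Check what is still enabled / running, including sockets and timers
systemctl list-unit-files --state=enabled
systemctl --type=service --state=running
systemctl list-sockets
systemctl list-timers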
Process Monitoring¶
# Process accounting: install, then enable and start in a single step
sudo dnf install psacct
sudo systemctl enable --now psacct
# Inspect the accounting data: per-command history, then per-user summary
sudo lastcomm
sudo sa -u
Logging and Auditing¶
Audit System Configuration¶
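# Install audit system (normally already part of the base install)
sudo dnf install audit
# Configure audit rules. sudoedit keeps the editor unprivileged; augenrules
# merges every /etc/audit/rules.d/*.rules file, so a dedicated file for
# these rules works just as well.
sudoedit /etc/audit/rules.d/audit.rules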
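# Essential audit rules: record writes and attribute changes (-p wa) to the
# identity and privilege files, tagged with a key for searching (ausearch -k)
-w /etc/passwd -p wa -k passwd_changes
-w /etc/group -p wa -k group_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/gshadow -p wa -k gshadow_changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_changes
-w /etc/ssh/sshd_config -p wa -k sshd_config_changes
# On Enterprise Linux authentication messages go to /var/log/secure by
# default; /var/log/auth.log only exists if rsyslog is configured to write it
-w /var/log/secure -p wa -k auth_log_changes
# Optionally make the rule set immutable until reboot (must be the last rule):
# -e 2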
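# Apply audit rules. auditd refuses `systemctl restart` (its unit carries
# RefuseManualStop=yes); augenrules merges rules.d/*.rules into
# /etc/audit/audit.rules and loads them into the running daemon.
sudo augenrules --load
# Verify the loaded rule set
sudo auditctl -l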
Log Management¶
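# Configure secure logging (sudoedit: the editor runs unprivileged, only the
# write-back is root). The stock EL rsyslog.conf includes /etc/rsyslog.d/*.conf,
# so the additions can also go into a separate file there.
sudoedit /etc/rsyslog.conf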
# Add security logging. The Enterprise Linux defaults already send authpriv.*
# to /var/log/secure and general messages to /var/log/messages; these lines
# add Debian-style files alongside them.
auth,authpriv.* /var/log/auth.log
# "*.*" includes debug-level messages from every facility, so expect a large
# file; the auth facilities are excluded here because they are handled above
*.*;auth,authpriv.none /var/log/syslog
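# Configure log rotation (sudoedit keeps the editor unprivileged). This file is
# owned by the rsyslog package; a package update may deliver a new version as
# rsyslog.rpmnew, so re-check the entry after upgrades.
sudoedit /etc/logrotate.d/rsyslog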
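# Settings:
/var/log/auth.log {
    weekly
    rotate 52
    compress
    delaycompress
    missingok
    # Enterprise Linux has no "syslog" user (rsyslog runs as root); with an
    # unknown user logrotate rejects this entry
    create 0640 root root
    # Tell rsyslog to reopen its files, otherwise it keeps writing into the
    # renamed file (same directive the stock /etc/logrotate.d/rsyslog uses)
    sharedscripts
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}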
Malware Protection¶
ClamAV Configuration¶
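# Configure ClamAV (clamd is only needed for daemon/on-access scanning; the
# daily cron job below uses the standalone clamscan)
sudoedit /etc/clamd.d/scan.conf
# Update virus definitions now ...
sudo freshclam
# ... and keep them current: EPEL's clamav-update ships a freshclam service
# (confirm the unit exists on your release)
sudo systemctl enable --now clamav-freshclam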
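# Set up automated scanning. `sudo tee` is used because with `sudo cat > file`
# the redirection is opened by the unprivileged shell and fails with
# "Permission denied" under /etc.
sudo tee /etc/cron.daily/clamav-scan >/dev/null << 'EOF'
#!/bin/bash
# Daily on-demand scan, run by run-parts as root. clamscan exits 1 when it
# finds something, which makes cron/anacron mail the output. (--bell dropped:
# it has no meaning without a terminal.)
mkdir -p /var/log/clamav
# Low CPU/IO priority: a full pass over /home and /var is heavy
nice -n 19 ionice -c 3 clamscan --recursive --infected /home /var /etc \
  --log=/var/log/clamav/scan.log
EOF
sudo chmod +x /etc/cron.daily/clamav-scan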
Rootkit Detection¶
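# Configure rkhunter (sudoedit keeps the editor unprivileged)
sudoedit /etc/rkhunter.conf
# Update rkhunter database, then record the file-properties baseline while
# the system is in a known-good state: without --propupd the property checks
# have nothing to compare against
sudo rkhunter --update
sudo rkhunter --propupd
# Run rootkit scan
sudo rkhunter --check
# Schedule regular scans from a cron.d file (example name). The file is
# rewritten rather than appended to, so re-running this does not duplicate the
# entry the way `tee -a /etc/crontab` does. EPEL's package may already install
# /etc/cron.daily/rkhunter — check before adding a second job.
printf '%s\n' '30 2 * * * root /usr/bin/rkhunter --cronjob --report-warnings-only' \
  | sudo tee /etc/cron.d/rkhunter-check >/dev/null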
Encryption¶
Disk Encryption¶
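# Encrypt additional partitions. luksFormat destroys everything on the device;
# /dev/sdb1 is an example — identify the right device with lsblk first.
sudo cryptsetup luksFormat --type luks2 /dev/sdb1
# Keep an offline copy of the LUKS header: if the header is damaged the data
# is unrecoverable even with the passphrase (example path; move it off-host)
sudo cryptsetup luksHeaderBackup /dev/sdb1 --header-backup-file /root/sdb1-luks-header.img
sudo cryptsetup open /dev/sdb1 encrypted_partition
sudo mkfs.ext4 /dev/mapper/encrypted_partition
# Add to crypttab ("none" = prompt for the passphrase at boot; prefer
# UUID=<luks-uuid> from `blkid` over the /dev/sdb1 name). Mount the mapped
# device via /etc/fstab as /dev/mapper/encrypted_partition.
echo "encrypted_partition /dev/sdb1 none luks" | sudo tee -a /etc/crypttab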
SSL/TLS Configuration¶
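# Generate a self-signed certificate (one year, RSA-4096, unencrypted key).
# -subj/-addext avoid the interactive prompts, and a subjectAltName is
# required by current browsers and TLS libraries — the CN alone is not
# enough. Replace <server-fqdn> with the host's DNS name.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -sha256 \
  -subj "/CN=<server-fqdn>" -addext "subjectAltName=DNS:<server-fqdn>" \
  -keyout /etc/ssl/private/server.key \
  -out /etc/ssl/certs/server.crt
# Set secure permissions: the private key is root-only
sudo chown root:root /etc/ssl/private/server.key
sudo chmod 600 /etc/ssl/private/server.key
sudo chmod 644 /etc/ssl/certs/server.crt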
Kernel Security¶
Kernel Parameters¶
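# Configure kernel security parameters (sudoedit: the editor runs
# unprivileged, only the write-back is root)
sudoedit /etc/sysctl.d/99-security.conf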
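# Security settings:
# Hide the kernel log and kernel pointers from unprivileged users
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
# Only a parent process may ptrace its descendants (attaching a debugger to
# an arbitrary process then needs CAP_SYS_PTRACE)
kernel.yama.ptrace_scope = 1
# Unprivileged BPF loading has been a recurring local privilege-escalation path
kernel.unprivileged_bpf_disabled = 1
# Neither send nor accept ICMP redirects, and ignore source-routed packets.
# The IPv6 stack has its own switches — the IPv4 ones alone leave it open.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Reverse-path filtering and logging of impossible source addresses. Strict
# mode (1) breaks asymmetric routing; use 2 (loose) if that applies here.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
# Refuse to follow symlinks/hardlinks and to open FIFOs or regular files
# created by other users in world-writable sticky directories such as /tmp
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
fs.protected_fifos = 2
fs.protected_regular = 2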
# Apply settings from this file only (`sudo sysctl --system` instead reloads
# every sysctl.d file in the usual order, which shows whether a later file
# overrides any of these values)
sudo sysctl -p /etc/sysctl.d/99-security.conf
Backup Security¶
Secure Backup Strategy¶
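# Create encrypted backup script. `sudo tee` is used because with
# `sudo cat > file` the unprivileged shell opens the target and gets
# "Permission denied".
sudo tee /usr/local/bin/secure-backup >/dev/null << 'EOF'
#!/bin/bash
# Symmetric-encrypted archive of /etc, /home and /var/log.
# The passphrase is read from PASSPHRASE_FILE (root-only, mode 600) so the job
# can run non-interactively from cron; a bare `--symmetric` prompts on the
# terminal and hangs or fails without one.
set -uo pipefail
umask 077

BACKUP_DIR="/backup"
PASSPHRASE_FILE="/etc/secure-backup.passphrase"   # example path; create with mode 600
RETENTION_DAYS=30
DATE=$(date +%Y%m%d_%H%M%S)
ARCHIVE="system_backup_$DATE.tar.gz"
OUTPUT="$BACKUP_DIR/$ARCHIVE.gpg"

mkdir -p "$BACKUP_DIR" || exit 1

# tar already gzips, so gpg's own compression is turned off rather than
# compressing twice. GNU tar exits 1 (not 0) when a file changed while being
# read — routine for /var/log — so only exit codes above 1 count as failure.
tar czf - /etc /home /var/log \
  | gpg --batch --pinentry-mode loopback --passphrase-file "$PASSPHRASE_FILE" \
        --symmetric --cipher-algo AES256 --compress-algo none --output "$OUTPUT"
status=("${PIPESTATUS[@]}")
if (( status[0] > 1 || status[1] != 0 )); then
  # do not leave a truncated archive behind
  rm -f -- "$OUTPUT"
  printf 'secure-backup: backup failed (tar=%s gpg=%s)\n' "${status[0]}" "${status[1]}" >&2
  exit 1
fi
# Set secure permissions (umask 077 already yields 600; kept for clarity)
chmod 600 "$OUTPUT"

# Remove old backups (keep 30 days) — only reached after a successful run, so a
# failing backup cannot silently erode retention
find "$BACKUP_DIR" -name "system_backup_*.tar.gz.gpg" -mtime +"$RETENTION_DAYS" -delete
EOF
sudo chmod +x /usr/local/bin/secure-backup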
Incident Response¶
Security Monitoring¶
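# Set up security monitoring script. `sudo tee` is used because with
# `sudo cat > file` the unprivileged shell opens the target and gets
# "Permission denied".
sudo tee /usr/local/bin/security-check >/dev/null << 'EOF'
#!/bin/bash
# Periodic checks: failed SSH logins, local account changes, system load.
# Run as root from cron; findings are appended to LOG_FILE.
set -uo pipefail

LOG_FILE="/var/log/security-check.log"
BASELINE_DIR="/var/lib/security-baseline"
BASELINE_USERS="$BASELINE_DIR/users"
FAILED_LOGIN_THRESHOLD=10
LOAD_THRESHOLD=5.0

log() { printf '%s: %s\n' "$(date)" "$*" >> "$LOG_FILE"; }

log "Starting security check"

# Check for failed login attempts in the last hour. "Failed password" only
# covers password authentication; with PasswordAuthentication disabled the
# rejected attempts show up as the other two messages instead.
failed_logins=$(journalctl -u sshd --since "1 hour ago" -q --no-pager \
  | grep -c -E 'Failed password|Invalid user|Connection closed by authenticating user')
failed_logins=${failed_logins:-0}
if (( failed_logins > FAILED_LOGIN_THRESHOLD )); then
  log "WARNING: $failed_logins failed login attempts in last hour"
fi

# Check for account changes by comparing the sorted username list with the
# stored baseline. A plain line count (as before) cannot see one account
# removed and another added, and the baseline directory was never created.
mkdir -p "$BASELINE_DIR" && chmod 700 "$BASELINE_DIR"
current_users=$(cut -d: -f1 /etc/passwd | LC_ALL=C sort)
if [[ -f "$BASELINE_USERS" ]]; then
  changes=$(diff "$BASELINE_USERS" <(printf '%s\n' "$current_users") | grep -E '^[<>]')
  if [[ -n "$changes" ]]; then
    # "<" = present in baseline only (removed), ">" = new account
    log "WARNING: local account list changed: $(printf '%s' "$changes" | tr '\n' ' ')"
  fi
else
  log "Recording initial account baseline"
fi
printf '%s\n' "$current_users" > "$BASELINE_USERS"

# Check system load: 1-minute average straight from /proc/loadavg; awk does
# the float comparison because bc is not installed on minimal systems
read -r load _ < /proc/loadavg
if awk -v l="$load" -v t="$LOAD_THRESHOLD" 'BEGIN { exit !(l > t) }'; then
  log "WARNING: High system load: $load"
fi

log "Security check completed"
EOF
sudo chmod +x /usr/local/bin/security-check
# Schedule security checks from a cron.d file (example name). Rewriting the
# file is idempotent; appending to /etc/crontab adds a duplicate entry every
# time this step is repeated.
printf '%s\n' '*/15 * * * * root /usr/local/bin/security-check' \
  | sudo tee /etc/cron.d/security-check >/dev/null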
Compliance¶
CIS Benchmarks¶
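# Install CIS hardening tools (content plus the scanner)
sudo dnf install scap-security-guide openscap-scanner
# List the profiles this content provides before choosing one
sudo oscap info /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml
# Run CIS assessment. Results go to a root-owned directory rather than
# world-writable /tmp: the report lists the host's weaknesses, and a fixed
# /tmp path can be pre-created by any local user.
report_dir=/root/scap-reports   # example location
sudo mkdir -p "$report_dir"
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis \
  --results-arf "$report_dir/arf-$(date +%F).xml" \
  --report "$report_dir/report-$(date +%F).html" \
  /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml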
Regular Security Updates¶
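# Configure automated security updates (sudoedit: the editor runs
# unprivileged, only the write-back is root)
sudoedit /etc/dnf/automatic.conf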
# Settings for security-only updates (all in the existing [commands] section
# of automatic.conf; keys placed outside a section are ignored):
upgrade_type = security
# Install the updates, not just download them
apply_updates = yes
# reboot / reboot_command need dnf-automatic 4.14 or newer (check
# `dnf --version`); older releases do not have these keys and never reboot
reboot = when-needed
reboot_command = "shutdown -r +5 'Rebooting for security updates'"
# Enable the timer; --now also starts it immediately
sudo systemctl enable --now dnf-automatic.timer
Security Validation¶
Security Testing¶
# Run security validation with the three scanners installed earlier
sudo lynis audit system --quick
sudo aide --check
sudo rkhunter --check --quiet
# Check for security updates (exit status 100 means updates are pending)
sudo dnf check-update --security
# Verify file permissions: a line whose second verify column is "M" is a
# file whose mode differs from the package. This trusts the local RPM
# database; AIDE's independent baseline above is the stronger check.
sudo rpm -Va | awk 'substr($1, 2, 1) == "M"'
Regular Security Tasks¶
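# Create monthly security maintenance script. `sudo tee` is used because with
# `sudo cat > file` the unprivileged shell opens the target and gets
# "Permission denied".
sudo tee /etc/cron.monthly/security-maintenance >/dev/null << 'EOF'
#!/bin/bash
# Monthly security maintenance, run by run-parts as root. No `set -e`: the
# scanners exit non-zero on findings, and every step should still run.
REPORT_DIR="/var/log/security-maintenance"   # example location
REPORT_TO="admin@example.com"
mkdir -p "$REPORT_DIR"
stamp=$(date +%Y%m%d)

# Update virus definitions
freshclam
# Update rkhunter database
rkhunter --update
# Run full system scan
rkhunter --check --quiet

# Update AIDE database. The change report is kept: accepting aide.db.new.gz
# without anyone reading the differences would bake any tampering into the
# new baseline.
aide --update > "$REPORT_DIR/aide-$stamp.log" 2>&1
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

# Generate security report. `mail` needs a working local MTA — note that the
# service-hardening step of this guide disables postfix.
{
  printf 'AIDE changes since the previous baseline:\n'
  cat "$REPORT_DIR/aide-$stamp.log"
  printf '\nLynis:\n'
  lynis audit system --cronjob
} | mail -s "Monthly Security Report" "$REPORT_TO"
EOF
sudo chmod +x /etc/cron.monthly/security-maintenance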
Next Steps¶
After implementing security measures:
- Troubleshooting Guide - Security-related troubleshooting
- Backup Guide - Secure backup strategies
For ongoing security management:
- Review security logs daily
- Update systems weekly
- Perform security audits monthly
- Review and update security policies quarterly