OS Hardening Checklist

The document provides a checklist of items to harden the security of an operating system. It includes categories for configuring file systems, software updates, sudo, file integrity checks, boot settings, additional hardening techniques, access controls, banners, services, networking, firewalls, auditing, users and groups. Each category lists specific configuration tests and a status column to track completion.

General test cases

s/n | Test case | Category
(the Status column of the source sheet is blank; fill it in as each item is verified)
1 | Whitelist the IP addresses and ports for incoming data | Network
2 | Access control | Internals
3 | Open services and ports | Network
4 | Check for antivirus if the system is connected to an external network | Malware
5 | Turn on automatic software updates | Network
6 | Disable unnecessary features running on the machine | Start Up
7 | Check whether HID interfaces are protected | HID
8 | Check for a BIOS password | BIOS
9 | Check for unnecessary instances/VMs running on the machine | Network
10 | Check for services running in the VM | Network
11 | OS hardening frameworks such as SELinux or AppArmor are installed on Linux systems | Hardening
12 | Check whether the system is using the latest software updates | Hardening
13 | Check for default passwords | Hardening
14 | Remove unnecessary drivers | Hardening
15 | Check for password protection on HDDs and SSDs | Hardening
16 | Check for a secure boot mechanism | Hardening
17 | Limit or remove user accounts that are not used | Hardening
18 | Patch and upgrade the server application (e.g. Apache) | Server
19 | Check for server user authentication | Server
20 | Test the server security mechanism | Server
21 | Check that log files are configured, protected and analysed on a frequent basis | log files
22 | Test the backup duration mechanism | back up
23 | Test the timeout for automatic screen lock | Timeout
24 | Test the timeout configuration in the applications and servers used | Timeout
25 | Configure automated time synchronization | log files
26 | Check for an organization password policy (uppercase and lowercase letters, numbers, symbols, special characters and password length) | Password policy
27 | Configure computers to prevent password guessing | Password policy
28 | Check for SSL certificate expiration | SSL
29 | Check for sensitive data disclosure such as email, password, employee name, designation and employee ID | *All
30 | Remove all manufacturers' documentation from the OS | Hardening
31 | Remove all example or test files from the server, including sample content, scripts and executable code | Hardening
32 | Remove all unneeded compilers | Hardening
33 | Check for default user names and passwords | username
34 | Check for alerts on suspicious activities that require further investigation | Alerts
35 | Identify active hosts on a network | Hardening
36 | Identify active services (ports) on hosts and which of these are vulnerable | Network
37 | Identify applications and perform banner grabbing | Application
38 | Identify OSs | Application
39 | Identify vulnerabilities associated with discovered OSs, server software and other applications | Network
40 | Test compliance with host application usage/security policies | Compliance

Common services to be removed (if not required)
1 | File and printer sharing services
2 | Wireless networking services
3 | Remote control and remote access programs, particularly those that do not strongly encrypt their communications (e.g., Telnet)
4 | Directory services (e.g., Lightweight Directory Access Protocol [LDAP], Network Information System [NIS])
5 | Web servers and services
6 | Email services
7 | Language compilers and libraries
8 | System development tools
9 | System and network management tools and utilities, including Simple Network Management Protocol (SNMP)
Detailed checklist (the section layout follows the CIS Linux benchmarks linked at the end of the document; the Status column of the source sheet is blank and is filled in as each item is verified)

File System Configuration
Ensure mounting of freevxfs filesystems is disabled
Ensure mounting of jffs2 filesystems is disabled
Ensure mounting of hfs filesystems is disabled
Ensure mounting of hfsplus filesystems is disabled
Ensure mounting of squashfs filesystems is disabled
Ensure mounting of udf filesystems is disabled
Ensure mounting of FAT filesystems is limited
Ensure /tmp is configured
Ensure nodev option set on /tmp partition
Ensure nosuid option set on /tmp partition
Ensure noexec option set on /tmp partition
Ensure separate partition exists for /var
Ensure separate partition exists for /var/tmp
Ensure nodev option set on /var/tmp partition
Ensure nosuid option set on /var/tmp partition
Ensure noexec option set on /var/tmp partition
Ensure separate partition exists for /var/log
Ensure separate partition exists for /var/log/audit
Ensure separate partition exists for /home
Ensure nodev option set on /home partition
Ensure nodev option set on /dev/shm partition
Ensure nosuid option set on /dev/shm partition
Ensure noexec option set on /dev/shm partition
Ensure nodev option set on removable media partitions
Ensure nosuid option set on removable media partitions
Ensure noexec option set on removable media partitions
Ensure sticky bit is set on all world-writable directories
Disable Automounting
Disable USB Storage
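The File System Configuration items above are usually verified by hand, one mount and one module at a time. The script below is an added example (not part of the checklist or of the CIS benchmark) that runs the same checks offline: it reads a mount table in the format of /proc/mounts, a modprobe configuration in the format of /etc/modprobe.d/*.conf, and looks for world-writable directories without the sticky bit. SAMPLE_MOUNTS and SAMPLE_MODPROBE are constructed inputs; the function names are this example's own. Note the two failure modes it is built to catch: a path that is not its own mount cannot carry nodev/nosuid/noexec at all, and a module that is only blacklisted can still be loaded with an explicit modprobe, so both a blacklist and an install line are required.

```bash
#!/usr/bin/env bash
# Added example, not part of the checklist: audit the File System Configuration
# items offline. SAMPLE_MOUNTS and SAMPLE_MODPROBE are constructed inputs in the
# format of /proc/mounts and /etc/modprobe.d/*.conf; on a real host substitute
#   MOUNTS="$(cat /proc/mounts)"   MODPROBE="$(cat /etc/modprobe.d/*.conf)"

SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var/tmp ext4 rw,relatime 0 0
/dev/sda4 /home ext4 rw,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,relatime 0 0'

# freevxfs is fully disabled; squashfs is only blacklisted, which does not stop
# an explicit "modprobe squashfs"; the other modules are not mentioned at all.
SAMPLE_MODPROBE='install freevxfs /bin/false
blacklist freevxfs
blacklist squashfs'

# mount_opts MOUNTS MOUNTPOINT: print the option string of MOUNTPOINT (empty if not a mount)
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# check_mount MOUNTS MOUNTPOINT OPT...: report missing options; non-zero on any finding.
# A path that is not its own mount fails outright: nodev/nosuid/noexec can only be
# applied to a separate partition, which is why the checklist asks for one.
check_mount() {
    local mounts="$1" mp="$2" opts missing=""
    shift 2
    opts="$(mount_opts "$mounts" "$mp")"
    if [ -z "$opts" ]; then
        printf '%s: not a separate mount\n' "$mp"
        return 1
    fi
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        printf '%s: missing%s\n' "$mp" "$missing"
        return 1
    fi
    return 0
}

# module_disabled MODPROBE MODULE: 0 only when the module is both blacklisted and has an
# "install MODULE /bin/false|/bin/true" line (blacklist alone only blocks auto-loading)
module_disabled() {
    printf '%s\n' "$1" | awk -v m="$2" '
        $1 == "install" && $2 == m && ($3 == "/bin/false" || $3 == "/bin/true") { inst = 1 }
        $1 == "blacklist" && $2 == m { bl = 1 }
        END { exit !(inst && bl) }'
}

# world_writable_without_sticky DIR: world-writable directories under DIR that lack
# the sticky bit (the usual find(1) test, scoped to DIR instead of every local filesystem)
world_writable_without_sticky() {
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null
}

# demo_sticky: builds a throw-away tree with one offending directory and reports it
demo_sticky() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/ok" "$root/bad"
    chmod 1777 "$root/ok"     # world-writable with sticky bit: compliant
    chmod 0777 "$root/bad"    # world-writable without sticky bit: finding
    world_writable_without_sticky "$root" | sed "s|^$root||"
    rm -rf "$root"
}

# audit_fs MOUNTS MODPROBE: run the section's checks; exit status is the number of findings
audit_fs() {
    local fails=0 mp m
    for mp in /var /var/log /var/log/audit; do
        [ -n "$(mount_opts "$1" "$mp")" ] || { printf '%s: not a separate mount\n' "$mp"; fails=$((fails+1)); }
    done
    check_mount "$1" /tmp     nodev nosuid noexec || fails=$((fails+1))
    check_mount "$1" /var/tmp nodev nosuid noexec || fails=$((fails+1))
    check_mount "$1" /dev/shm nodev nosuid noexec || fails=$((fails+1))
    check_mount "$1" /home    nodev               || fails=$((fails+1))
    # the six filesystem modules from the checklist plus usb-storage ("Disable USB Storage")
    for m in freevxfs jffs2 hfs hfsplus squashfs udf usb-storage; do
        module_disabled "$2" "$m" || { printf 'module %s not fully disabled\n' "$m"; fails=$((fails+1)); }
    done
    return "$fails"
}

audit_fs "$SAMPLE_MOUNTS" "$SAMPLE_MODPROBE" && echo "no findings" || echo "findings: $?"
demo_sticky
```

Against the constructed inputs the audit reports eleven findings: /var, /var/log and /var/log/audit are not separate mounts, /var/tmp has none of its three options, /dev/shm lacks noexec, and every module except freevxfs is still loadable. Remember that /proc/mounts shows the running state only; the same options must also be present in /etc/fstab (or the systemd mount unit) or they are lost at the next boot, and a change to an fstab line takes effect only after `mount -o remount <mountpoint>`.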
Config Software Updates
Ensure package manager repositories are configured
Ensure GPG keys are configured
Configure Sudo
Ensure sudo is installed
Ensure sudo commands use pty
Ensure sudo log file exists
File System Integrity Check
Ensure AIDE is installed
Ensure filesystem integrity is regularly checked
Secure Boot Settings
Ensure permissions on bootloader config are configured
Ensure bootloader password is set
Ensure authentication required for single user mode
Additional Process Hardening
Ensure XD/NX support is enabled
Ensure address space layout randomization (ASLR) is enabled
Ensure prelink is disabled
Ensure core dumps are restricted
Mandatory Access Control
Ensure AppArmor is installed
Ensure AppArmor is enabled in the bootloader configuration
Ensure all AppArmor Profiles are in enforce or complain mode
Ensure all AppArmor Profiles are enforcing
Warning Banners
Ensure message of the day is configured properly
Ensure local login warning banner is configured properly
Ensure remote login warning banner is configured properly
Ensure permissions on /etc/motd are configured
Ensure permissions on /etc/issue are configured
Ensure GDM login banner is configured
Ensure updates, patches, and additional security software are installed
Services
Ensure xinetd is not installed
Ensure openbsd-inetd is not installed
Ensure only required special-purpose services are running
Time Synchronization
Ensure time synchronization is in use
Ensure systemd-timesyncd is configured
Ensure chrony is configured
Ensure ntp is configured
Special Purpose Services
Ensure X Window System is not installed
Ensure Avahi Server is not enabled
Ensure CUPS is not enabled
Ensure DHCP Server is not enabled
Ensure LDAP server is not enabled
Ensure NFS and RPC are not enabled
Ensure DNS Server is not enabled
Ensure FTP Server is not enabled
Ensure HTTP server is not enabled
Ensure email services are not enabled
Ensure Samba is not enabled
Ensure HTTP Proxy Server is not enabled
Ensure SNMP Server is not enabled
Ensure mail transfer agent is configured for local-only mode
Ensure rsync service is not enabled
Ensure NIS Server is not enabled
Service Clients
Ensure NIS Client is not installed
Ensure rsh client is not installed
Ensure talk client is not installed
Ensure telnet client is not installed
Ensure LDAP client is not installed
Network Config
Disable IPv6 if it is not in use (otherwise keep it enabled and apply the IPv6 items of this checklist)
Ensure packet redirect sending is disabled
Ensure IP forwarding is disabled
Ensure source routed packets are not accepted
Ensure ICMP redirects are not accepted
Ensure secure ICMP redirects are not accepted
Ensure suspicious packets are logged
Ensure broadcast ICMP requests are ignored
Ensure bogus ICMP responses are ignored
Ensure Reverse Path Filtering is enabled
Ensure TCP SYN Cookies is enabled
Ensure IPv6 router advertisements are not accepted
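Every item in the Network Config section maps to one kernel parameter under net.ipv4 or net.ipv6. The script below is an added example (not part of the checklist) that encodes those expected values and compares them with a `sysctl -a` listing; SAMPLE_CURRENT is a constructed excerpt and the function names are this example's own. It also prints the lines a remediation file would need, so the gap between the running kernel and the hardened state is explicit.

```bash
#!/usr/bin/env bash
# Added example, not part of the checklist: check the kernel parameters behind the
# Network Config items. SAMPLE_CURRENT is a constructed excerpt in the format of
# `sysctl -a`; on a real host use CURRENT="$(sysctl -a 2>/dev/null)". sysctl -a
# shows running values only: the persisted /etc/sysctl.d files must be checked
# too, or a compliant value is lost at the next boot.

# key=value pairs the checklist items translate to (one line per parameter)
EXPECTED='net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0'

# Constructed: forwarding left on, rp_filter in loose mode (2, which is not the
# strict mode the checklist wants), and the IPv6 all.accept_ra key absent.
SAMPLE_CURRENT='net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.default.accept_ra = 0'

# sysctl_value CURRENT KEY: print the running value of KEY, or nothing if absent
sysctl_value() {
    printf '%s\n' "$1" | awk -F' = ' -v k="$2" '$1 == k { print $2; exit }'
}

# sysctl_audit CURRENT: one line per non-compliant or absent parameter;
# exit status is the number of findings. An absent net.ipv6 key is reported too:
# it is only acceptable when IPv6 has been disabled deliberately.
sysctl_audit() {
    local fails=0 line key want have
    for line in $EXPECTED; do
        key="${line%%=*}"; want="${line#*=}"
        have="$(sysctl_value "$1" "$key")"
        if [ -z "$have" ]; then
            printf '%s: not present\n' "$key"
            fails=$((fails+1))
        elif [ "$have" != "$want" ]; then
            printf '%s = %s, want %s\n' "$key" "$have" "$want"
            fails=$((fails+1))
        fi
    done
    return "$fails"
}

# sysctl_remediation CURRENT: the lines to put in a file under /etc/sysctl.d/ for
# every parameter that is not already at its expected value
sysctl_remediation() {
    local line key want
    for line in $EXPECTED; do
        key="${line%%=*}"; want="${line#*=}"
        [ "$(sysctl_value "$1" "$key")" = "$want" ] || printf '%s = %s\n' "$key" "$want"
    done
}

sysctl_audit "$SAMPLE_CURRENT" && echo "no findings" || echo "findings: $?"
sysctl_remediation "$SAMPLE_CURRENT"
```

For the constructed listing the audit reports three findings and the remediation output is the three matching `key = value` lines. After writing them to a file under /etc/sysctl.d/ and loading it with `sysctl --system`, flush the routing cache with `sysctl -w net.ipv4.route.flush=1` (and `net.ipv6.route.flush=1`) so the redirect and reverse-path settings take effect on existing routes, then run the audit again.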
Uncommon Network Protocols
Ensure DCCP is disabled
Ensure SCTP is disabled
Ensure RDS is disabled
Ensure TIPC is disabled
Firewall config
Ensure a Firewall package is installed
Ensure ufw service is enabled
Ensure default deny firewall policy
Ensure loopback traffic is configured
Ensure outbound connections are configured
Ensure firewall rules exist for all open ports
Config nftables
Ensure iptables are flushed
Ensure a table exists
Ensure base chains exist
Ensure loopback traffic is configured
Ensure outbound and established connections are configured
Ensure default deny firewall policy
Ensure nftables service is enabled
Ensure nftables rules are permanent
Config iptables
Ensure default deny firewall policy
Ensure loopback traffic is configured
Ensure outbound and established connections are configured
Ensure firewall rules exist for all open ports
Config ip6tables
Ensure IPv6 default deny firewall policy
Ensure IPv6 loopback traffic is configured
Ensure IPv6 outbound and established connections are configured
Ensure IPv6 firewall rules exist for all open ports
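"Ensure default deny firewall policy" and "Ensure firewall rules exist for all open ports" appear in every firewall section above, and both are answered by cross-checking the listening sockets against the ruleset. The script below is an added example (not part of the checklist) that does that for nftables: it takes the output formats of `ss -H -lntu` and `nft list ruleset`, ignores sockets bound to loopback (those are covered by the loopback rule), and reports listening ports with no accept rule. SAMPLE_SS and SAMPLE_NFT are constructed; the function names are this example's own. It resolves only numeric ports written inline; named services, port ranges and named sets are not expanded, and for those `nft -j list ruleset` (JSON output) is the more reliable input.

```bash
#!/usr/bin/env bash
# Added example, not part of the checklist: confirm the input chain's policy is
# drop and that every non-loopback listening port has an accept rule.
# SAMPLE_SS and SAMPLE_NFT are constructed in the formats of "ss -H -lntu" and
# "nft list ruleset"; on a real host feed those commands' output instead.

# Constructed listeners: sshd on all addresses (v4 and v6), a web server on 443,
# something on 8080, and postgres plus a resolver bound to loopback only.
SAMPLE_SS='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:8080      0.0.0.0:*
udp   UNCONN 0      0         127.0.0.54:53        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*'

# Constructed ruleset: default deny on input, loopback and established traffic
# allowed, explicit accepts for ssh and the web ports, nothing for 8080.
SAMPLE_NFT='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
        ct state established,related accept
        tcp dport 22 accept
        tcp dport { 80, 443 } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}'

# listening_ports SS: "proto/port" for every socket not bound to a loopback address
listening_ports() {
    printf '%s\n' "$1" | awk '{
        addr = $5; n = split(addr, a, ":"); port = a[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host ~ /^127\./ || host == "[::1]") next
        print $1 "/" port }' | sort -u
}

# nft_allowed_ports RULESET: "proto/port" for each numeric dport on an accept rule;
# walks the tokens after "dport" so "counter packets N bytes M" is not mistaken for ports
nft_allowed_ports() {
    printf '%s\n' "$1" | awk '
        /(^|[[:space:]])accept[[:space:]]*$/ {
            for (i = 1; i <= NF; i++) if ($i == "dport") break
            for (j = i + 1; j <= NF; j++) {
                t = $j; gsub(/[{},]/, "", t)
                if (t == "") continue
                if (t ~ /^[0-9]+$/) print $1 "/" t; else break
            }
        }' | sort -u
}

# nft_input_policy RULESET: the policy of the chain hooked on input ("drop" is wanted)
nft_input_policy() {
    printf '%s\n' "$1" | awk '/type filter hook input/ {
        if (match($0, /policy [a-z]+/)) print substr($0, RSTART + 7, RLENGTH - 7); exit }'
}

# ports_without_rule SS RULESET: listening ports that no accept rule covers
ports_without_rule() {
    listening_ports "$1" | awk -v allowed=" $(nft_allowed_ports "$2" | tr '\n' ' ')" '
        index(allowed, " " $0 " ") == 0'
}

# firewall_audit SS RULESET: print findings; exit status is their number
firewall_audit() {
    local fails=0 pol p
    pol="$(nft_input_policy "$2")"
    [ "$pol" = drop ] || { printf 'input policy is %s, want drop\n' "${pol:-unset}"; fails=$((fails+1)); }
    for p in $(ports_without_rule "$1" "$2"); do
        printf 'no accept rule for listening %s\n' "$p"; fails=$((fails+1))
    done
    return "$fails"
}

firewall_audit "$SAMPLE_SS" "$SAMPLE_NFT" && echo "no findings" || echo "findings: $?"
```

On the constructed inputs the policy check passes and the single finding is `no accept rule for listening tcp/8080`. The right fix is usually not a new accept rule: first decide whether the service on 8080 should be listening on a public address at all (the Services section above) and bind it to loopback or remove it; only a service that must be reachable gets a rule. Since the rules live in the kernel, also check that the saved ruleset (/etc/nftables.conf or the distribution's equivalent) matches the running one, which is what "Ensure nftables rules are permanent" asks.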
System Auditing
Ensure auditd is installed
Ensure auditd service is enabled
Ensure auditing for processes that start prior to auditd is enabled
Ensure audit_backlog_limit is sufficient
Config Data Retention
Ensure audit log storage size is configured
Ensure audit logs are not automatically deleted
Ensure system is disabled when audit logs are full
Ensure events that modify date and time information are collected
Ensure events that modify user/group information are collected
Ensure events that modify the system's network environment are collected
Ensure events that modify the system's Mandatory Access Controls are collected
Ensure login and logout events are collected
Ensure session initiation information is collected
Ensure discretionary access control permission modification events are collected
Ensure unsuccessful unauthorized file access attempts are collected
Ensure use of privileged commands is collected
Ensure successful file system mounts are collected
Ensure file deletion events by users are collected
Ensure changes to system administration scope (sudoers) is collected
Ensure system administrator actions (sudolog) are collected
Ensure kernel module loading and unloading is collected
Ensure the audit configuration is immutable
Configure rsyslog
Ensure rsyslog is installed
Ensure rsyslog Service is enabled
Ensure logging is configured
Ensure rsyslog default file permissions configured
Ensure rsyslog is configured to send logs to a remote log host
Ensure remote rsyslog messages are only accepted on designated log hosts
Config journald
Ensure journald is configured to send logs to rsyslog
Ensure journald is configured to compress large log files
Ensure journald is configured to write logfiles to persistent disk
Ensure permissions on all logfiles are configured
Ensure logrotate is configured
Ensure logrotate assigns appropriate permissions
Configure Cron
Ensure cron daemon is enabled
Ensure permissions on /etc/crontab are configured
Ensure permissions on /etc/cron.hourly are configured
Ensure permissions on /etc/cron.daily are configured
Ensure permissions on /etc/cron.weekly are configured
Ensure permissions on /etc/cron.monthly are configured
Ensure permissions on /etc/cron.d are configured
Ensure at/cron is restricted to authorized users
Configure SSH
Ensure permissions on /etc/ssh/sshd_config are configured
Ensure permissions on SSH private host key files are configured
Ensure permissions on SSH public host key files are configured
Ensure SSH Protocol is not set to 1
Ensure SSH LogLevel is appropriate
Ensure SSH X11 forwarding is disabled
Ensure SSH MaxAuthTries is set to 4 or less
Ensure SSH IgnoreRhosts is enabled
Ensure SSH HostbasedAuthentication is disabled
Ensure SSH root login is disabled
Ensure SSH PermitEmptyPasswords is disabled
Ensure SSH PermitUserEnvironment is disabled
Ensure only strong Ciphers are used
Ensure only strong MAC algorithms are used
Ensure only strong Key Exchange algorithms are used
Ensure SSH Idle Timeout Interval is configured
Ensure SSH LoginGraceTime is set to one minute or less
Ensure SSH access is limited
Ensure SSH warning banner is configured
Ensure SSH PAM is enabled
Ensure SSH AllowTcpForwarding is disabled
Ensure SSH MaxStartups is configured
Ensure SSH MaxSessions is limited
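The SSH items above are all assertions about directives in sshd_config, and an audit that greps for them naively gets two things wrong: sshd keywords are case-insensitive, and for each keyword the first value in the file wins, so a `PermitRootLogin yes` appended at the end of the file changes nothing and must not be reported as a finding. The script below is an added example (not part of the checklist) that parses the file with those rules and checks the section's items; SAMPLE_SSHD is a constructed configuration, the numeric ranges (MaxAuthTries at most 4, LoginGraceTime at most 60, ClientAliveInterval 1 to 900, ClientAliveCountMax 1 to 3, MaxSessions at most 10) are the values this example checks, and the function names are its own. Directives inside a `Match` block apply only to matching connections and are deliberately not read; when `Include` files are in use, audit the effective configuration printed by `sshd -T` instead of the file.

```bash
#!/usr/bin/env bash
# Added example, not part of the checklist: audit an sshd_config against the
# Configure SSH items. SAMPLE_SSHD is constructed; on a real host use
# CONFIG="$(cat /etc/ssh/sshd_config)" or, with Include files, CONFIG="$(sshd -T)".

# Constructed: three findings (X11Forwarding, MaxAuthTries, a CBC cipher); the
# late PermitRootLogin line is ignored because the first occurrence says "no".
SAMPLE_SSHD='# sshd_config (constructed sample)
Port 22
LogLevel INFO
X11Forwarding yes
MaxAuthTries 6
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-cbc
ClientAliveInterval 300
ClientAliveCountMax 3
LoginGraceTime 60
Banner /etc/issue.net
UsePAM yes
AllowTcpForwarding no
MaxStartups 10:30:60
MaxSessions 10
# later duplicate: sshd ignores it, so the audit must not be fooled by it either
PermitRootLogin yes
Match User backup
    X11Forwarding no'

# sshd_get CONFIG KEYWORD: value of the first matching directive before any Match block
sshd_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }'
}

SSHD_FAILS=0
sshd_fail() { printf 'FAIL %s\n' "$1"; SSHD_FAILS=$((SSHD_FAILS+1)); }

# expect CONFIG KEY VALUE: directive must be exactly VALUE (case-insensitive)
expect() {
    local v; v="$(sshd_get "$1" "$2" | tr 'A-Z' 'a-z')"
    [ "$v" = "$3" ] || sshd_fail "$2 is '${v:-unset}', want $3"
}
# expect_range CONFIG KEY LO HI: directive must be a number within LO..HI
expect_range() {
    local v; v="$(sshd_get "$1" "$2")"
    case "$v" in
        ''|*[!0-9]*) sshd_fail "$2 is '${v:-unset}', want $3..$4" ;;
        *) [ "$v" -ge "$3" ] && [ "$v" -le "$4" ] || sshd_fail "$2 is $v, want $3..$4" ;;
    esac
}

# sshd_audit CONFIG: run the checklist items; exit status is the number of findings
sshd_audit() {
    local c="$1" ll p weak
    SSHD_FAILS=0
    # "Protocol" only exists on old OpenSSH; if present it must be 2
    p="$(sshd_get "$c" Protocol)"
    [ -z "$p" ] || [ "$p" = 2 ] || sshd_fail "Protocol is $p, want 2"
    ll="$(sshd_get "$c" LogLevel | tr 'a-z' 'A-Z')"
    [ "$ll" = INFO ] || [ "$ll" = VERBOSE ] || sshd_fail "LogLevel is '${ll:-unset}', want INFO or VERBOSE"
    expect "$c" X11Forwarding no
    expect_range "$c" MaxAuthTries 1 4
    expect "$c" IgnoreRhosts yes
    expect "$c" HostbasedAuthentication no
    expect "$c" PermitRootLogin no
    expect "$c" PermitEmptyPasswords no
    expect "$c" PermitUserEnvironment no
    expect_range "$c" ClientAliveInterval 1 900
    expect_range "$c" ClientAliveCountMax 1 3
    expect_range "$c" LoginGraceTime 1 60
    [ -n "$(sshd_get "$c" Banner)" ] || sshd_fail "Banner is unset"
    expect "$c" UsePAM yes
    expect "$c" AllowTcpForwarding no
    [ -n "$(sshd_get "$c" MaxStartups)" ] || sshd_fail "MaxStartups is unset"
    expect_range "$c" MaxSessions 1 10
    # any CBC, RC4 (arcfour), Blowfish, CAST or Rijndael cipher counts as weak
    weak="$(sshd_get "$c" Ciphers | tr ',' '\n' | grep -E -- '-cbc$|arcfour|blowfish|cast128|rijndael' | tr '\n' ' ' || true)"
    [ -z "$weak" ] || sshd_fail "weak ciphers: $weak"
    return "$SSHD_FAILS"
}

sshd_audit "$SAMPLE_SSHD" && echo "no findings" || echo "findings: $?"
```

The MAC and key-exchange items can be handled the same way as the cipher check, with a deny-list of the algorithms the organisation rejects (for example hmac-md5 and hmac-sha1 variants, and diffie-hellman-group1-sha1). Whatever the file says, confirm the effective values with `sshd -T | grep -iE '^(permitrootlogin|maxauthtries|ciphers)'` after a reload, because defaults and Include files can differ from what the main file shows.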
Configure PAM
Ensure password creation requirements are configured
Ensure lockout for failed password attempts is configured
Ensure password reuse is limited
Ensure password hashing algorithm is SHA-512
Set Shadow Password Suite Parameters
Ensure password expiration is 365 days or less
Ensure minimum days between password changes is configured
Ensure password expiration warning days is 7 or more
Ensure inactive password lock is 30 days or less
Ensure all users last password change date is in the past
Ensure system accounts are secured
Ensure default group for the root account is GID 0
Ensure default user shell timeout is 900 seconds or less
Ensure root login is restricted to system console
Ensure access to the su command is restricted
System File Permissions
Audit system file permissions
Ensure permissions on /etc/passwd are configured
Ensure permissions on /etc/gshadow- are configured
Ensure permissions on /etc/shadow are configured
Ensure permissions on /etc/group are configured
Ensure permissions on /etc/passwd- are configured
Ensure permissions on /etc/shadow- are configured
Ensure permissions on /etc/group- are configured
Ensure permissions on /etc/gshadow are configured
Ensure no world writable files exist
Ensure no unowned files or directories exist
Ensure no ungrouped files or directories exist
Audit SUID executables
Audit SGID executables
User and Group Settings
Ensure password fields are not empty
Ensure no legacy "+" entries exist in /etc/passwd
Ensure all users' home directories exist
Ensure no legacy "+" entries exist in /etc/shadow
Ensure no legacy "+" entries exist in /etc/group
Ensure root is the only UID 0 account
Ensure root PATH Integrity
Ensure users' home directories permissions are 750 or more restrictive
Ensure users own their home directories
Ensure users' dot files are not group or world writable
Ensure no users have .forward files
Ensure no users have .netrc files
Ensure users' .netrc Files are not group or world accessible
Ensure no users have .rhosts files
Ensure all groups in /etc/passwd exist in /etc/group
Ensure no duplicate UIDs exist
Ensure no duplicate GIDs exist
Ensure no duplicate user names exist
Ensure no duplicate group names exist
Ensure shadow group is empty
For more detailed checklists for Windows and other Linux distributions, see https://downloads.cisecurity.org/#/
