This is a script and a set of patch files to harden your Slackware Linux installation.

• No Bastille for Slackware (and it's not updated anymore anyway)
• Not a member of CIS, so no downloading of the ready made scripts
• For learning
• For minimizing the effort needed to tweak fresh installations
  • Also for consistency

The script is divided (well kinda) into dynamic and static changes. The static changes are applied with patch files and the dynamic modifications happen usually with certain commands.

The generic etc patch assumes that you have at least the following packages installed:

• network-scripts
• sysvinit-scripts
• etc
• shadow
• logrotate
• sysklogd

Then there's separate patch files for different services/daemons. See the services section for more information.

DISCLAIMER: This is not a complete list.

• Properly locks down system accounts (0 - SYS_UID_MAX && !root)
  • Lock the user's password
  • Sets shell to /sbin/nologin
  • Expire the account
  • Adds the accounts to /etc/ftpusers
• Sets restrictions for normal users
  • Sets the maximum number of processes available to a single user (ulimit -u)
  • Sets the maximum size of core files created (ulimit -c)
  • Sets a session timeout (TMOUT) in certain conditions
  • Sets a maximum number of failed login attempts (faillog)
  • Sets stricter umask in all the following locations:
    • /etc/login.defs
    • /etc/limits
    • /etc/profile
• Configures shells
  • Creates an option to use restricted shell (rbash)
    • Also sets it as default for new users
  • Restricts the number of available shells
  • Removes "unnecessary" shells
  • Creates .bash_logout to /etc/skel with few cleanups
• Restricts logins
  • /etc/login.access
  • /etc/porttime
  • /etc/limits
  • /etc/login.defs
    • Disallow logins if home dir does not exist
  • SSH AllowGroups users
• Sets useradd defaults
  • INACTIVE days to lock accounts after the password expires
  • rbash as default shell
• Configures a bit better password policy to login.defs
• Changes the hashing mechanism to SHA512 and more crypt rounds
• Disallow the use of at
• Removes user daemon from group adm (as we will take use of the adm group)
• Fix gshadow with grpck

• Makes default log files group adm readable (as in Debian)
• Users in the wheel group are able to create cronjobs (as described in /usr/doc/dcron-4.5/README)
• grsecurity related
  • GID 1001 for CONFIG_GRKERNSEC_PROC_GID
  • GID 1002 for GRKERNSEC_SOCKET_SERVER_GID
  • GID 1003 for GRKERNSEC_SOCKET_CLIENT_GID
  • GID 1004 for GRKERNSEC_SOCKET_ALL_GID
  • GID 1005 for CONFIG_GRKERNSEC_TPE_TRUSTED_GID
  • GID 1006 for CONFIG_GRKERNSEC_SYMLINKOWN_GID
  • GID 1007 for GRKERNSEC_AUDIT_GID (not in use)
• Even though we use user private groups, the users group is used to define which users are allowed to login interactively

You can also utilize the above grsec groups with sudo, so the allowed users don't have the permissions by default:

ADMINS ALL=(:grsec_tpe) NOPASSWD: /usr/bin/newgrp

• Removes unnecessary services
  • xinetd (/etc/inetd.conf)
  • Goes through /etc/rc.d/rc.* and disables plenty of those
  • atd from rc.M
• X11 -nolisten tcp

• rc.firewall
• Through rc.local:
  • logoutd
  • icmpinfo
  • mdadm --monitor (if /proc/mdstat exists)
• Process accounting (acct)
• System accounting (sysstat)
• SBo related (if installed):
  • Snort
  • arpwatch
  • Tor
  • Privoxy
  • audit
  • Nagios
  • Apcupsd
  • ClamAV
  • Mrtg
  • p0f

• SSH
• Sendmail
  • Listen only on localhost by default
  • Disable the MSA
  • Don't show the version on the banner
• sudo
  • Don't cache the password (timestamp_timeout) (should also mitigate against CVE-2013-1775)
  • Always require password with sudo -l (listpw)
  • noexec as default
  • Require root's password instead of user's
  • Send alerts on most errors
  • Additional logging to /var/log/sudo.log
• PHP
• Apache httpd

• Hardens mount options (creates /etc/fstab.new)
  • Also, mount /proc with hidepid=2
• Removes a bunch of SUID/SGID bits
  • at
  • chfn + chsh
  • uucp package
  • floppy package (/usr/bin/fdmount)
  • ssh-keysign
• Sets more strict permissions on certain files that might contain secrets or other sensitive information
  • btmp & wtmp
  • Removes world-readibility from /var/www
  • Removes world-readibility from home directories
• Enables RAID state monitoring with mdadm --monitor

TODO: Add a table about file ownership & permission changes. At least the most relevant ones.

• Creates and enables a basic firewall
• IP stack hardening through sysctl.conf
• Enables TCP wrappers
  • NOTE: OpenSSH dropped support for TCP wrappers in 6.7 (and here's a good argument why this was a bad move!)
    • Also, Slackware introduced OpenSSH 6.7 with SSA:2014-293-01
• Optional static ARP cache through /etc/rc.d/rc.static_arp

• Restrict the use of su (prefer sudo instead)
  • /etc/suauth
  • /etc/porttime
  • /etc/login.defs:SU_WHEEL_ONLY
• Modifies crontab behaviour a bit
  • Users in the wheel group are able to create cronjobs (as described in /usr/doc/dcron-4.5/README)
  • Increase cron's logging from notice to info
  • Notice that Dillon's cron does not support the /etc/cron.{allow,deny} lists
• Clear /tmp on boot (also recommended in FHS)
  • TODO: is it redundant to have it both in rc.M and rc.S?
• Removes unnecessary / potentially dangerous packages
  • netkit-rsh
  • uucp
  • floppy
• Sets dmesg_restrict
• Make installpkg store the MD5 checksums
• Reduce the amount of trusted CAs
• "Fix" the single-user mode to use su-login instead of agetty

Some things are added to cron: TODO

• rkhunter

From sysstat.crond:

# Run system activity accounting tool every 10 minutes
*/10 * * * * if [ -x /usr/lib64/sa/sa1 ]; then /usr/lib64/sa/sa1 -S DISK 1 1; elif [ -x /usr/lib/sa/sa1 ]; then /usr/lib/sa/sa1 -S DISK 1 1; fi
# 0 * * * * /usr/lib/sa/sa1 -S DISK 600 6 &
# Generate a daily summary of process accounting at 23:53
53 23 * * * if [ -x /usr/lib64/sa/sa2 ]; then /usr/lib64/sa/sa2 -A; elif [ -x /usr/lib/sa/sa2 ]; then /usr/lib/sa/sa2 -A; fi

The import_pgp_keys() function imports a bunch of PGP keys to your trustedkeys.gpg keyring, so you can verify downloaded files/packages with gpgv. The keys that are imported are listed in the PGP_URLS[] and PGP_KEYS[] arrays.

• Sets the authorized_default to USB devices
• Enables SAK and disables the other magic SysRq stuff
• Session timeout (TMOUT)
• X11:
  • DontZap
• /etc/shutdown.allow and /sbin/shutdown -a (FWIW)
• Disable Firewire

WARNING: This is a highly experimental and dangerous feature (and completely optional)! Use at your own risk!

This is something that has been cooking for a while now. It's a self-destruct sequence for your server :)

The patch creates a new runlevel (5) to your Slackware, which when activated, will remove LUKS headers from your disk and copies them inside the encrypted disk. So if anything should happen, the server is not restorable anymore, as the disk encryption keys are gone. When the runlevel is switched back (to say 3), the headers are written back to where they belong.

So to wipe LUKS headers, you just switch to runlevel 5: telinit 5 and to restore just switch back to 3: telinit 3.

There is still some issues, such as some services will be started again (such as crond) when returning to runlevel 3. This is because rc.M doesn't really consider users switching back and forth between runlevels. So this is a work-in-progress.

As a workaround, there is also a new runlevel 2 that can be used to safely return from runlevel 5. Now we don't need to care about daemons starting over and over again from rc.M (runlevel 3).

• Makes default log files group adm readable (as in Debian)
  • Notice that this takes place only after logrotate. The ownerships/permissions of the existing logs are not modified.
• Use shred to remove rotated log files
• Enable process accounting (acct)
  • Log rotation for process accounting (pacct), since these files will grow huge
• Enable system accounting (sysstat)
• Enables the use of xconsole (or makes it possible). You can use it with sudo as follows: ADMINS ALL=(:adm) NOPASSWD: /usr/bin/xconsole
• Enables bootlogd
• Makes certain log files append only
• Configures basic auditing based on stig.rules if audit is installed
  • NOTE: non-PAM systems don't set the loginuid properly, so some of the rules don't work when they have -F auid!=4294967295
• Increase the default log retention period to 26 weeks
• Increase wtmp log size through logrotate

• You can use the adm group to view log files, so you don't need to be root to do that. Just add a user to the adm group, or configure sudo as follows:
  • ADMINS ALL=(:adm) NOPASSWD: /bin/cat
  • View bad logins with: ADMINS ALL=(:adm) NOPASSWD: /usr/bin/lastb
  • Or recent logins: ADMINS ALL=(:adm) NOPASSWD: /usr/bin/lastlog ""
• Remove floppy and scanner from CONSOLE_GROUPS
• Restrict the use of at and cron from regular users

Lynis benchmarks.

The test is performed against a setup like this:

• A minimal Slackware installation with some 135 packages installed
  • No additional security related tools installed
  • Running with latest patches
• One big root partition
  • No LUKS
• The hardening is done with ./harden.sh -A
  • The system is booted after hardening
• AUTH-9262 test disabled

• Rebooting the system after running this is highly recommended, since many startup scripts are modified
• The script is quite verbose, so you might want to record it with script
• It is best to run this script on a fresh Slackware installation for best results

There is a bunch of security related software that you can find at SBo. You could consider installing these for additional security.

• HIDS:
  • Tiger
  • Aide
  • rkhunter
  • audit
  • chkrootkit
• Network related:
  • arpwatch
  • p0f
• Web server:
  • ModSecurity
  • Suhosin
• Other:
  • vlock

And from other sources than SBo:

• logwatch
• checksec.sh
• psad
• Lynis

I think it's justified and recommended to run an antivirus software on all of your Linux servers. This is because, even though the server's role would not be something like a file sharing server or a mail server, a proper antivirus is able to detect much more than these "traditional" malwares. I'm talking about rootkits, exploits, PHP shells and the like. Something that a malicious user might be holding at their home dirs or maybe some PHP shell was dropped through a vulnerable web application. If you would get an early warning from an antivirus software, it just might save you on that one occasion :)

So consider getting ClamAV from SBo.

You should also consider running grsecurity. Here's few links to get you started:

• My packaging scripts
• gradm SlackBuild
• paxctl SlackBuild

• SSA:2011-101-01
  • BID:47303
• http://www.sudo.ws/repos/sudo/rev/5b964ea43474
• http://anonscm.debian.org/viewvc/pkg-shadow?view=revision&revision=3558
• http://sourceforge.net/p/logwatch/bugs/19/
• A bug in Metasploit's installer, where it assumes that /bin/bash is the default shell for new users (bug #7666 in some hidden Metasploit Pro tracker)

After running the hardening script, the following actions still need to be performed manually:

• Set LILO/GRUB password
  • Update LILO/GRUB with lilo || update-grub
• Install at least the following additional software:
  • audit (and run harden.sh -S afterwards)
  • Aide
  • ClamAV
  • arpwatch
• Make sure NTP is running
• Configure remote log host
• Add legit users to:
  • /etc/porttime
  • To the users group

• Immutable flags with chattr on certain files
• X hardening
• Debian support
• Some chroot stuff?
• Logging of the script actions -> partly done
  • User account modifications
  • Get start/stop times and grab /var/log/secure between that range
• some kernel module configurator thingie for /etc/rc.d/rc.modules
• LUKS nuke
• Provide the trustedkeys.gpg PGP keys with this tool?
• Add some functionality, that compares your current file system against Slackware's MANIFEST (something like Alien's restore_fileperms_from_manifest.sh)
  • Some HIDS baseline generation from MANIFEST would also be really nice
• Add CCE references?
• /usr/bin/ch{mod,own} -> from PATH. since Debian has them under /bin
• Create .preharden backups (only once?)
• Java's CAs
• Some kind of make buildworld script to rebuild everything with full RELRO, stack canaries, PIE & -D_FORTIFY_SOURCE=2

• Some variables to read only?
  • From rbash: SHELL, PATH, ENV, or BASH_ENV
  • From system-hardening-10.2.txt: HISTCONTROL HISTFILE HISTFILESIZE HISTIGNORE HISTNAME HISTSIZE LESSSECURE LOGNAME USER
• faillog for new users?
• User quotas
• PAM for Slackware?
  • Two-factor authentication
• Shadow suite S/Key support (/usr/doc/shadow-4.1.4.3/README)
• How do we reset faillogs after successful login?
• Create .gnupg home directories
• USERDEL_CMD from LOGIN.DEFS(5)
• Is it possible to enforce password policy for root user also?
• Use of at when in wheel group?

• http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
• UNIX and Linux Security Checklist v3.0
• http://www.puschitz.com/SecuringLinux.shtml
• http://linuxgazette.net/issue91/kruk.html
• https://www.sans.org/score/unixchecklist.php
• Maybe some tips from http://www.debian.org/doc/user-manuals#securing
• http://www.symantec.com/connect/articles/restricting-unix-users
• https://wiki.archlinux.org/index.php/Security

Some of these documents are quite old, but most of the stuff still applies.

• CIS Slackware Linux 10.2 Benchmark v1.1.0
• Slackware System Hardening by Jeffrey Denton
• SlackDocs: Security HOWTOs
• Alien's Wiki: Security issues
• SlackWiki: Basic Security Fixes
• Wikipedia: Fork bomb Prevention

• Linux Standard Base Core Specification 4.1
  • Chapter 21. Users & Groups
• Filesystem Hierarchy Standard 2.3