
Linux Hardening With Lynis And Bastille

Assalamualaikum.

This site has gathered a lot of dust; I simply have not had time to write. A tight schedule of datacenter migration is killing me! OK, next! This time, as promised in my previous post, I am going to write about hardening a Linux server. For this tutorial I will use Lynis and Bastille to harden the server. But before we discuss these two tools, it is worth knowing first what hardening is and why it matters. So what is server hardening?

Server Hardening is the process of enhancing server security through a variety of means which results in a much more secure server operating environment. This is due to the advanced security measures that are put in place during the server hardening process.
Source: http://www.serverhardening.com/

So in essence, server hardening is one of the processes for making our server more secure before we put it into production. Why is this important? Once our server is live on the internet, anyone can potentially reach it, and the intentions of the people reaching it vary widely, from well-meaning to mischievous; we will certainly run into that once the server is live, and it is beyond our control. That's why hardening matters: through hardening we minimise the unwanted things that can happen to our live server. It's no fun staring at server monitoring every day because the server has become someone's plaything. ;)

So, now that we know what hardening is and why it matters, let's move on to the two applications I mentioned above: Lynis and Bastille. OK, to be honest, I have only used Lynis to help me harden servers and have never used Bastille. But that's fine, you know, we need to try and compare so we know the differences between these two pieces of software. I use Lynis because Lynis does not perform hardening automatically. Lynis only scans the server using the parameters and plugins it ships with, then displays a report along with reference links for hardening. For me that is fine, because I prefer to manually choose and sort out which parts I will harden. As for Bastille, I have read that Bastille performs hardening automatically. I'm not sure, since I have never tried it before, but now let's try.

Lynis
URL : https://cisofy.com/
Download URL : https://cisofy.com/download/lynis/

# wget https://cisofy.com/files/lynis-2.2.0.tar.gz
--2016-04-10 13:25:10--  https://cisofy.com/files/lynis-2.2.0.tar.gz
Resolving cisofy.com... 149.210.134.182, 2a01:7c8:aab2:209::1
Connecting to cisofy.com|149.210.134.182|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 202825 (198K) [application/octet-stream]
Saving to: `lynis-2.2.0.tar.gz'

100%[===============================>] 202,825      261K/s   in 0.8s

2016-04-10 13:25:11 (261 KB/s) - `lynis-2.2.0.tar.gz' saved [202825/202825]

# tar xzvf lynis-2.2.0.tar.gz
lynis/CHANGELOG
lynis/CONTRIBUTIONS.md
lynis/CONTRIBUTORS
lynis/FAQ
lynis/INSTALL
lynis/LICENSE
lynis/README
lynis/db/
lynis/db/integrity.db
lynis/db/sbl.db
lynis/db/fileperms.db
lynis/db/malware-susp.db
lynis/db/malware.db
lynis/db/hints.db
lynis/default.prf
lynis/extras/
lynis/extras/README
lynis/extras/files.dat
lynis/extras/lynis.spec
lynis/extras/systemd/
lynis/extras/systemd/lynis.service
lynis/extras/systemd/lynis.timer
lynis/extras/openbsd/
lynis/extras/openbsd/+CONTENTS
lynis/extras/check-lynis.sh
lynis/extras/bash_completion.d/
lynis/extras/bash_completion.d/lynis
lynis/extras/.bzrignore
lynis/extras/build-lynis.sh
lynis/include/
lynis/include/helper_audit_dockerfile
lynis/include/profiles
lynis/include/tests_malware
lynis/include/tests_containers
lynis/include/tests_accounting
lynis/include/parameters
lynis/include/tests_ssh
lynis/include/tool_tips
lynis/include/tests_time
lynis/include/tests_firewalls
lynis/include/tests_nameservices
lynis/include/binaries
lynis/include/tests_webservers
lynis/include/tests_squid
lynis/include/tests_storage_nfs
lynis/include/tests_insecure_services
lynis/include/tests_scheduling
lynis/include/tests_tooling
lynis/include/tests_hardening
lynis/include/tests_networking
lynis/include/tests_custom.template
lynis/include/report
lynis/include/tests_boot_services
lynis/include/functions
lynis/include/tests_memory_processes
lynis/include/tests_file_permissions
lynis/include/helper_update
lynis/include/tests_file_integrity
lynis/include/tests_shells
lynis/include/tests_databases
lynis/include/tests_homedirs
lynis/include/osdetection
lynis/include/tests_ldap
lynis/include/tests_ports_packages
lynis/include/tests_logging
lynis/include/tests_mail_messaging
lynis/include/tests_banners
lynis/include/tests_crypto
lynis/include/tests_kernel
lynis/include/tests_mac_frameworks
lynis/include/tests_solaris
lynis/include/tests_virtualization
lynis/include/tests_kernel_hardening
lynis/include/tests_snmp
lynis/include/tests_authentication
lynis/include/tests_filesystems
lynis/include/tests_storage
lynis/include/data_upload
lynis/include/tests_printers_spools
lynis/include/tests_php
lynis/include/consts
lynis/lynis
lynis/lynis.8
lynis/plugins/
lynis/plugins/README
lynis/plugins/custom_plugin.template

# cd lynis
# ./lynis --help

[ Lynis 2.2.0 ]

##############################################################
comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.

Copyright 2007-2016 - CISOfy, https://cisofy.com/lynis/
Enterprise support and plugins available via CISOfy
##############################################################

[+] Initializing program
------------------------------------

Usage: lynis [options] mode

Mode:

audit
audit system                  : Perform security scan
audit dockerfile <file>       : Analyze Dockerfile

update
update info                   : Show update details
update release                : Update Lynis release

Scan options:
--auditor "<name>"            : Auditor name
--dump-options                : See all available options
--no-log                      : Don't create a log file
--pentest                     : Non-privileged scan (useful for pentest)
--profile <profile>           : Scan the system with the given profile file
--quick (-Q)                  : Quick mode, don't wait for user input
--tests "<tests>"             : Run only tests defined by <tests>
--tests-category "<category>" : Run only tests defined by <category>

Layout options:
--no-colors                   : Don't use colors in output
--quiet (-q)                  : No output, except warnings
--reverse-colors              : Optimize color display for light backgrounds

Misc options:
--debug                       : Debug logging to screen
--view-manpage (--man)        : View man page
--version (-V)                : Display version number and quit

Enterprise options:
--plugin-dir "<path>"         : Define path of available plugins
--upload                      : Upload data to central node

More scan options are available. See man page and online documentation for details.

Exiting..

# ./lynis audit system --auditor "Lupin"

[ Lynis 2.2.0 ]

##############################################################
comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.

Copyright 2007-2016 - CISOfy, https://cisofy.com/lynis/
Enterprise support and plugins available via CISOfy
##############################################################

[+] Initializing program
------------------------------------
- Detecting OS...                                            [ DONE ]

---------------------------------------------------
Program version:           2.2.0
Operating system:          Linux
Operating system name:     CentOS
Operating system version:  CentOS release 6.7 (Final)
Kernel version:            2.6.32
Hardware platform:         x86_64
Hostname:                  test
Auditor:                   Lupin
Profile:                   ./default.prf
Log file:                  /var/log/lynis.log
Report file:               /var/log/lynis-report.dat
Report version:            1.0
Plugin directory:          ./plugins
---------------------------------------------------
- Checking profile file (./default.prf)...
- Program update status...                                   [ SKIPPED ]

……

— We skip to report —

…..

-[ Lynis 2.2.0 Results ]-

Warnings (1):
----------------------------
- No password set for single mode [AUTH-9308]
https://cisofy.com/controls/AUTH-9308/

Suggestions (29):
----------------------------
- Run chkconfig --list to see all services and disable unneeded services
- Details: [14:26:52] Suggestion: Run chkconfig --list to see all services and disable unneeded services
https://cisofy.com/controls/[14:26:52] Suggestion: Run chkconfig --list to see all services and disable unneeded services/
- Configure minimum password age in /etc/login.defs [AUTH-9286]
https://cisofy.com/controls/AUTH-9286/
- Configure maximum password age in /etc/login.defs [AUTH-9286]
https://cisofy.com/controls/AUTH-9286/
- Set password for single user mode to minimize physical access attack surface [AUTH-9308]
https://cisofy.com/controls/AUTH-9308/
- Default umask in /etc/profile could be more strict like 027 [AUTH-9328]
https://cisofy.com/controls/AUTH-9328/
- To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310]
https://cisofy.com/controls/FILE-6310/
- To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310]
https://cisofy.com/controls/FILE-6310/
- To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310]
https://cisofy.com/controls/FILE-6310/
- Check your /etc/fstab file for swap partition mount options [FILE-6336]
https://cisofy.com/controls/FILE-6336/
- Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
https://cisofy.com/controls/STRG-1840/
- Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]
https://cisofy.com/controls/STRG-1846/
- Install package 'yum-utils' for better consistency checking of the package database [PKGS-7384]
https://cisofy.com/controls/PKGS-7384/
- Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security) [PKGS-7386]
https://cisofy.com/controls/PKGS-7386/
- Install a package audit tool to determine vulnerable packages [PKGS-7398]
https://cisofy.com/controls/PKGS-7398/
- Install ARP monitoring software like arpwatch [NETW-3032]
https://cisofy.com/controls/NETW-3032/
- Configure a firewall/packet filter to filter incoming and outgoing traffic [FIRE-4590]
https://cisofy.com/controls/FIRE-4590/
- Consider hardening SSH configuration [SSH-7408]
- Details: PermitRootLogin (YES --> NO)
https://cisofy.com/controls/SSH-7408/
- Add legal banner to /etc/motd, to warn unauthorized users [BANN-7122]
https://cisofy.com/controls/BANN-7122/
- Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
https://cisofy.com/controls/BANN-7126/
- Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
https://cisofy.com/controls/BANN-7130/
- Enable process accounting [ACCT-9622]
https://cisofy.com/controls/ACCT-9622/
- Enable sysstat to collect accounting (no results) [ACCT-9626]
https://cisofy.com/controls/ACCT-9626/
- Enable auditd to collect audit information [ACCT-9628]
https://cisofy.com/controls/ACCT-9628/
- Use NTP daemon or NTP client to prevent time issues. [TIME-3104]
https://cisofy.com/controls/TIME-3104/
- Check available certificates for expiration [CRYP-7902]
https://cisofy.com/controls/CRYP-7902/
- Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
https://cisofy.com/controls/FINT-4350/
- Determine if automation tools are present for system management [TOOL-5002]
https://cisofy.com/controls/TOOL-5002/
- One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
https://cisofy.com/controls/KRNL-6000/
- Harden compilers like restricting access to root user only [HRDN-7222]
https://cisofy.com/controls/HRDN-7222/
- Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230]
https://cisofy.com/controls/HRDN-7230/

Follow-up:
----------------------------
- Check the logfile for more details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data (Lynis Enterprise users)

===========================================================

Lynis security scan details:

Hardening index : 61 [############        ]
Tests performed : 176
Plugins enabled : 0

Quick overview:
- Firewall [X] - Malware scanner [X]

Lynis Modules:
- Compliance Status   [NA]
- Security Audit      [V]
- Vulnerability Scan  [V]

Files:
- Test and debug information      : /var/log/lynis.log
- Report data                     : /var/log/lynis-report.dat
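Besides the screen output above, Lynis writes a machine-readable report to /var/log/lynis-report.dat, which is the file to read when you want the scan to drive an automated check rather than a manual read-through. The script below is an added example of mine, not code from the post and not part of Lynis: it assumes the report is a list of key=value lines in which findings appear as warning[]= and suggestion[]= entries with pipe-separated fields (test id, text, details, solution), falls back to a sample report constructed from the findings shown above when no path is given, and uses an arbitrary hardening-index threshold of 70 for its gate.

```shell
#!/bin/sh
# Added example (not from the post, not Lynis's own code): read a Lynis
# report file and decide whether the host passes a hardening gate.
# Assumed report format: key=value lines, list keys as "warning[]=" and
# "suggestion[]=" with fields "TEST-ID|text|details|solution|".
set -e

# CONSTRUCTED sample report, built from the findings shown in the post,
# so the script runs offline. Pass a real report path as $1 instead.
make_sample_report() {
  cat > "$1" <<'EOF'
lynis_version=2.2.0
hostname=test
os_name=CentOS
hardening_index=61
tests_executed=176
warning[]=AUTH-9308|No password set for single mode|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9328|Default umask in /etc/profile could be more strict like 027|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
suggestion[]=FIRE-4590|Configure a firewall/packet filter to filter incoming and outgoing traffic|-|-|
EOF
}

# Value of a scalar key such as hardening_index (first occurrence).
report_value() {   # $1=report file, $2=key
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Number of entries under a list key (warning or suggestion).
count_entries() {  # $1=report file, $2=key without []
  grep -c "^$2\[]=" "$1" || true   # grep -c exits 1 on zero matches
}

# "TEST-ID<TAB>text" for every entry under a list key.
list_entries() {   # $1=report file, $2=key without []
  sed -n "s/^$2\[]=//p" "$1" | awk -F'|' '{ printf "%s\t%s\n", $1, $2 }'
}

# Gate: succeeds only when there are no warnings and the index >= threshold.
hardening_gate() { # $1=report file, $2=minimum hardening index
  warnings=$(count_entries "$1" warning)
  index=$(report_value "$1" hardening_index)
  [ "$warnings" -eq 0 ] && [ "$index" -ge "$2" ]
}

report="${1:-}"
if [ -z "$report" ]; then
  report=$(mktemp)
  make_sample_report "$report"
fi
echo "Hardening index: $(report_value "$report" hardening_index)"
echo "Warnings ($(count_entries "$report" warning)):"
list_entries "$report" warning
echo "Suggestions ($(count_entries "$report" suggestion)):"
list_entries "$report" suggestion
if hardening_gate "$report" 70; then
  echo "PASS"
else
  echo "FAIL: clear the warnings and raise the hardening index"
fi
```

Run it as `sh lynis-gate.sh /var/log/lynis-report.dat` after a scan, or with no argument to see it on the sample. The gate keeps failing while any warning remains, which matches the order of work in the post: the single-user-mode warning is the item to fix first, the suggestions are picked through by hand afterwards.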

Bastille
URL : http://bastille-linux.sourceforge.net/
Download URL : http://netassist.dl.sourceforge.net/project/bastille-linux/bastille-linux/3.2.1/Bastille-3.2.1-0.1.noarch.rpm
Requirement : perl

For installing Bastille I initially used the RPM from the official website, but a lot of problems came up during installation because many libraries are not pulled in by default. So instead I used a Bastille fork that I found on GitHub:

# git clone https://github.com/Nanolx/bastille-nano.git
# cd bastille-nano
# chmod 755 Install.sh
# ./Install.sh
# bastille --help
Usage: bastille [ -b  | -c | -x ] [ --os <version>] [ -f <alternate config> ]
bastille [-r | -l | -h | --assess | --assessnobrowser ]
-b : use a saved config file to apply changes
directly to system
-c : use the Curses (non-X11) GUI, not available on HP-UX
-h : this help
-f : populate answers with alternate configuration file
-r : revert Bastille changes to original file versions (pre-Bastille)
-l : list the standard config file(s) (if any) that matches the last
run config
--os version : ask all questions for the given operating system
version.  e.g. --os HP-UX11.11
-x : use the Perl/Tk (X11) GUI
--assess / -a : run Bastille in assessment mode, generating a report and displaying it in a browser
--assessnobrowser : run Bastille in assessment mode, generating a report with no browser

# bastille --assessnobrowser
NOTE:    Using audit user interface module.
NOTE:    Bastille is scanning the system configuration...
NOTE:    Weights file present at:  /usr/share/Bastille/Weights.txt, so Bastille
will score system
NOTE:    Bastille Hardening Assessment Completed.
You can find a report in HTML format at:
.  /var/log/Assesment/assessment-report.html

You can find a report in text format at:
.  /var/log/Assesment/assessment-report.txt

You can find a "config" file that will, on the same HP-UX version,
similar installed-application set, and configuration, lock-down the
Bastille-relevant items that Bastille had completely locked-down on
this system below (see html or text report for full detail).  In cases
where the systems differ, the config file may be either a) contain
extra questions not relevant to the destination system, or b), be
missing questions needed on the remote system.  Bastille will inform
you in the first case, and in the second case error.  It will then
give you an opportunity to answer the missing questions or remove the
extra ones in the graphical interface:
.  /var/log/Assesment/assessment-log.txt

# cat /var/log/Assesment/assessment-report.txt
Bastille Hardening Assessment Report
+---------------------------------+------------------------------------------+----------------+--------+-------+
| Item                            | Question                                 | Result(Detail) | Weight | Score |
+---------------------------------+------------------------------------------+----------------+--------+-------+
| generalperms_1_1                | Are more restrictive permissions on the  | No             | 0.00   | 0.00  |
| suidmount                       | Is SUID status for mount/umount disabled | No             | 1.00   | 0.00  |
| suidping                        | Is SUID status for ping disabled?        | No             | 1.00   | 0.00  |
| suiddump                        | Is SUID status for dump and restore disa | Yes*           | 1.00   | 1.00  |
| suidcard                        | Is SUID status for cardctl disabled?     | Yes*           | 1.00   | 1.00  |
| suidat                          | Is SUID status for at disabled?          | Yes*           | 1.00   | 1.00  |
| suiddos                         | Is SUID status for DOSEMU disabled?      | Yes*           | 1.00   | 1.00  |
| suidnews                        | Is SUID status for news server tools dis | Yes*           | 1.00   | 1.00  |
| suidprint                       | Is SUID status for printing utilities di | Yes*           | 1.00   | 1.00  |
| suidrtool                       | Are the r-tools disabled?                | Yes*           | 1.00   | 1.00  |
| suidusernetctl                  | Is SUID status for usernetctl disabled?  | No             | 1.00   | 0.00  |
| suidtrace                       | Is SUID status for traceroute disabled?  | Yes*           | 1.00   | 1.00  |
| suidXwrapper                    | Is SUID status for Xwrapper disabled?    | Yes*           | 1.00   | 1.00  |
| suidXFree86                     | Is SUID status for XFree86 disabled?     | Yes*           | 1.00   | 1.00  |
| protectrhost                    | Are clear-text r-protocols that use IP-b | No             | 0.00   | 0.00  |
| passwdage                       | Is password aging enforced?              | No             | 1.00   | 0.00  |
| rootttylogins                   | Are root logins on tty's 1-6 prohibited? | No             | 1.00   | 0.00  |
| removeaccounts                  | Have extraneous accounts been deleted?   | No             | 0.00   | 0.00  |
| removegroups                    | Have extraneous groups been deleted?     | Yes*           | 0.00   | 0.00  |
| protectgrub                     | Is the GRUB prompt password-protected?   | Yes*           | 1.00   | 1.00  |
| protectlilo                     | Is the LILO prompt password-protected?   | Yes*           | 1.00   | 1.00  |
| lilodelay                       | Is the LILO delay time zero?             | Yes*           | 0.00   | 0.00  |
| secureinittab                   | Is CTRL-ALT-DELETE rebooting disabled?   | Yes*           | 0.00   | 0.00  |
| passsum                         | Is single-user mode password-protected?  | No             | 1.00   | 0.00  |
| tcpd_default_deny               | Is a default-deny on TCP Wrappers and xi | No             | 1.00   | 0.00  |
| deactivate_telnet               | Is the telnet service disabled on this s | N/A: S/W Not Installed | 1.00   | 1.00  |
| deactivate_ftp                  | Is inetd's FTP service disabled on this  | No             | 1.00   | 0.00  |
| banners                         | Are "Authorized Use" messages displayed  | No             | 1.00   | 0.00  |
| owner                           | Who is the system owner in the "Authoriz | Not Defined    | 0.00   | 0.00  |
| compiler                        | Are the gcc and/or g++ compiler disabled | Yes*           | 1.00   | 1.00  |
| apmd                            | Are acpid and apmd disabled?             | Yes*           | 1.00   | 1.00  |
| remotefs                        | Are NFS and Samba deactivated?           | Yes*           | 1.00   | 1.00  |
| pcmcia                          | Are PCMCIA services disabled?            | N/A: S/W Not Installed | 1.00   | 1.00  |
| dhcpd                           | Is the DHCP daemon disabled?             | N/A: S/W Not Installed | 1.00   | 1.00  |
| gpm                             | Is GPM disabled?                         | N/A: S/W Not Installed | 1.00   | 1.00  |
| innd                            | Is the news server daemon disabled?      | N/A: S/W Not Installed | 1.00   | 1.00  |
| disable_routed                  | Is routed deactivated?                   | N/A: S/W Not Installed | 1.00   | 1.00  |
| disable_gated                   | Is gated deactivated?                    | N/A: S/W Not Installed | 1.00   | 1.00  |
| nis_server                      | Are NIS server programs deactivated?     | N/A: S/W Not Installed | 1.00   | 1.00  |
| nis_client                      | Are NIS client programs deactivated?     | N/A: S/W Not Installed | 1.00   | 1.00  |
| snmpd                           | Is SNMPD disabled?                       |                | 1.00   | 0.00  |
| disable_kudzu                   | Is kudzu's run at boot deactivated?      | N/A: S/W Not Installed | 1.00   | 1.00  |
| sendmaildaemon                  | Is sendmail's daemon mode disabled?      | N/A: S/W Not Installed | 1.00   | 1.00  |
| sendmailcron                    | Does sendmail process the queue via cron | N/A: S/W Not Installed | 0.00   | 0.00  |
| vrfyexpn                        | Are the VRFY and EXPN sendmail commands  | N/A: S/W Not Installed | 1.00   | 1.00  |
| chrootbind                      | Is named in a chroot jail and is it set  | N/A: S/W Not Installed | 0.00   | 0.00  |
| namedoff                        | Is named deactivated?                    | Yes*           | 1.00   | 1.00  |
| apacheoff                       | Is the Apache Web server deactivated?    | N/A: S/W Not Installed | 1.00   | 1.00  |
| bindapachelocal                 | Is the Web server bound to listen only t | N/A: S/W Not Installed | 0.00   | 0.00  |
| bindapachenic                   | Is the Web server bound to a particular  | N/A: S/W Not Installed | 0.00   | 0.00  |
| symlink                         | Is the following of symbolic links deact | N/A: S/W Not Installed | 1.00   | 1.00  |
| ssi                             | Are server-side includes deactivated?    | N/A: S/W Not Installed | 1.00   | 1.00  |
| cgi                             | Are CGI scripts disabled?                | N/A: S/W Not Installed | 1.00   | 1.00  |
| apacheindex                     | Are indexes disabled?                    | N/A: S/W Not Installed | 1.00   | 1.00  |
| printing_cups                   | Is printing disabled?                    | N/A: S/W Not Installed | 1.00   | 1.00  |
| printing_cups_lpd_legacy        | Is CUPS' legacy LPD support disabled?    | N/A: S/W Not Installed | 1.00   | 1.00  |
| userftp                         | Are user privileges on the FTP daemon di | Yes*           | 1.00   | 1.00  |
| anonftp                         | Is anonymous download disabled?          | Yes*           | 1.00   | 1.00  |
+---------------------------------+------------------------------------------+----------------+--------+-------+
Score: 78.72% (100% possible)

* Yes generally means Bastille determined that the described action was taken
to make the system more secure.
– Note also that the formatted-text and HTML reports do not include items for which
status cannot be automatically determined.
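Bastille's text report is a fixed-width table, so the percentage it prints can be checked and the weighted items that actually cost points listed with a short script. The following is an added example of mine, not part of the post and not Bastille's own code: it parses the table layout shown above with awk, takes a report path as its first argument, and otherwise falls back to a constructed sample of eight rows copied from the table above. Applied to the full table, the same arithmetic gives 37 points scored out of 47 weighted items, which is the 78.72% Bastille reports.

```shell
#!/bin/sh
# Added example (not from the post, not Bastille's own code): read the text
# report from "bastille --assessnobrowser", list weighted items that scored 0
# and recompute the percentage. Assumed layout (from the post):
#   | Item | Question | Result(Detail) | Weight | Score |
set -e

# CONSTRUCTED sample: eight rows taken from the post's table, so the script
# runs offline. Pass a real report path as $1 to analyse it instead.
make_sample_report() {
  cat > "$1" <<'EOF'
Bastille Hardening Assessment Report
+--------------------+------------------------------------------+----------------+--------+-------+
| Item               | Question                                 | Result(Detail) | Weight | Score |
+--------------------+------------------------------------------+----------------+--------+-------+
| generalperms_1_1   | Are more restrictive permissions on the  | No             | 0.00   | 0.00  |
| suidmount          | Is SUID status for mount/umount disabled | No             | 1.00   | 0.00  |
| suidping           | Is SUID status for ping disabled?        | No             | 1.00   | 0.00  |
| suiddump           | Is SUID status for dump and restore disa | Yes*           | 1.00   | 1.00  |
| passwdage          | Is password aging enforced?              | No             | 1.00   | 0.00  |
| protectgrub        | Is the GRUB prompt password-protected?   | Yes*           | 1.00   | 1.00  |
| deactivate_telnet  | Is the telnet service disabled on this s | N/A: S/W Not Installed | 1.00   | 1.00  |
| snmpd              | Is SNMPD disabled?                       |                | 1.00   | 0.00  |
+--------------------+------------------------------------------+----------------+--------+-------+
Score: 42.86% (100% possible)
EOF
}

# "item<TAB>result" for every row whose weight is > 0 but whose score is 0;
# these are the findings worth reading the HTML report for.
failed_items() {     # $1=report file
  awk -F'|' '
    $5 ~ /^[ ]*[0-9]/ {                       # data rows only (numeric weight)
      gsub(/^ +| +$/, "", $2); gsub(/^ +| +$/, "", $4)
      if ($5 + 0 > 0 && $6 + 0 == 0)
        printf "%s\t%s\n", $2, ($4 == "" ? "(blank)" : $4)
    }' "$1"
}

# Recompute the percentage as sum(score) / sum(weight) * 100, two decimals.
recompute_score() {  # $1=report file
  awk -F'|' '
    $5 ~ /^[ ]*[0-9]/ { w += $5; s += $6 }
    END { if (w > 0) printf "%.2f\n", 100 * s / w; else print "0.00" }' "$1"
}

# The percentage Bastille itself printed at the bottom of the report.
reported_score() {   # $1=report file
  sed -n 's/^Score: \([0-9.]*\)%.*/\1/p' "$1"
}

report="${1:-}"
if [ -z "$report" ]; then
  report=$(mktemp)
  make_sample_report "$report"
fi
echo "Weighted items that scored 0:"
failed_items "$report"
echo "Recomputed: $(recompute_score "$report")%  Bastille reported: $(reported_score "$report")%"
```

Rows with a blank result, such as snmpd above, still count against the score, so the list is a better to-do list than the percentage alone: a zero-weight item like generalperms_1_1 never appears, while a blank weighted one does.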

To run Bastille's hardening setup interactively, we can use the command

# bastille -c

Once you are in Bastille's interactive screen, you will be presented with a number of questions about the setup for hardening the server. As a guide to that setup, I recommend visiting the URL https://www.digitalocean.com/community/tutorials/how-to-install-and-use-bastille-to-harden-an-ubuntu-12-04 as one reading and reference for answering Bastille's questions.

So we have now tried both pieces of software that can help us harden a server. Frankly, I have also only just tried Bastille, and it turns out to offer an assessment-only mode without having to do the setup directly from Bastille.

If asked which one is better, I don't really know either, because each piece of software has its own weaknesses and strengths. But I will still keep using Lynis as my guide for hardening servers.

That's all from me for this early morning. If anything is lacking, I apologise.

Wassalamualaikum wr. wb.

- N.A -

nash-notes | Linux, Practice, Security | April 11, 2016 | Tags: centos 6, hardening, linux, linux hardening, server
