Perfect OpSEC - Become Invisible Online
This series is for educational purposes only.
Linux OS Hardening - Basics
This list covers the basic checklist to perform when you're securing your OS. If you didn't choose a Linux OS, then I can't help you, sorry. I'm sure Windows/Mac can be configured to be privacy-focused, but I'm not interested in learning how and therefore won't be teaching you.
- All sensitive data kept on an external encrypted USB
- Set up a non-root account with a strong password
- Ensure the disk is encrypted (FDE)
- Enable the screen lock with an idle timer
- Secure SSH settings (at least: no remote root login, no password authentication, non-default port; confirm the effective values with sshd -T rather than by eyeballing the config file)
- Check what is listening with netstat -lt (or ss -ltunp, which also shows UDP and the owning process) and disable anything you don't need
- Firewall is at least enabled. In another guide we'll get hardcore here. (e.g. ufw's defaults: deny incoming, deny routed/forwarded, allow outgoing; sudo ufw status verbose shows what is active.)
- Check for rootkits -> chkrootkit
- Keep the machine up to date, always
- Disable Bluetooth
- Remove packages that phone home
- Disable shell history (bash, and zsh on Kali)
- Install AV
- BIOS/UEFI password and disable booting from USB (and other external media)
- Disable mic/webcam
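A worked check for the SSH item in the list above, added here as an example (it is not code from the original page): it audits an sshd_config the way sshd itself reads it, on a constructed sample file. The function names, the sample config and the "explicit setting required" policy are my choices; run it against /etc/ssh/sshd_config and compare with sshd -T.

```sh
#!/bin/sh
# Added example, not from the original page: audit an sshd_config the way sshd reads it.
# Two things trip up a naive "grep PermitRootLogin | tail -1":
#   1. sshd uses the FIRST value it sees for a keyword; later duplicates are ignored.
#   2. Everything after a "Match" line is conditional and does not set the global value.
# Keywords are case-insensitive. "Include" directives are not followed here (see the note below).

# sshd_value FILE KEYWORD: print the effective global value, or nothing if the file never sets it.
sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }    # comments and blank lines
        tolower($1) == "match" { in_match = 1 }          # a Match block runs to the next Match or EOF
        in_match { next }
        tolower($1) == want { print $2; exit }           # first occurrence wins
    ' "$1"
}

# sshd_audit FILE: one FAIL line per weak or missing setting; returns 0 only when all pass.
# "Missing" counts as a failure on purpose: the compiled-in default depends on the OpenSSH
# version (PermitRootLogin changed from yes to prohibit-password in 7.0), so a hardened
# config should state the value explicitly.
sshd_audit() {
    f=$1; rc=0
    v=$(sshd_value "$f" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "$v" = "no" ] || { echo "FAIL PermitRootLogin=${v:-unset} (want no)"; rc=1; }
    v=$(sshd_value "$f" PasswordAuthentication | tr 'A-Z' 'a-z')
    [ "$v" = "no" ] || { echo "FAIL PasswordAuthentication=${v:-unset} (want no)"; rc=1; }
    v=$(sshd_value "$f" Port)
    if [ -z "$v" ] || [ "$v" = "22" ]; then echo "FAIL Port=${v:-unset} (want non-default)"; rc=1; fi
    [ "$rc" -eq 0 ] && echo "PASS $f"
    return $rc
}

# Constructed sample: looks hardened at a glance, but the first PermitRootLogin line wins and
# the "PasswordAuthentication no" sits inside a Match block, so only the port check passes.
demo_config() {
    cat <<'EOF'
# constructed sshd_config for the demo
PermitRootLogin yes
Port 2222
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
EOF
}

tmp=$(mktemp); demo_config > "$tmp"
sshd_audit "$tmp"
# -> FAIL PermitRootLogin=yes (want no)
# -> FAIL PasswordAuthentication=unset (want no)
rm -f "$tmp"
```

The parser ignores Include directives, and that matters: Ubuntu 22.04 and later put "Include /etc/ssh/sshd_config.d/*.conf" at the top of sshd_config, so a drop-in file there wins over anything you set lower down (first match again). sudo sshd -T resolves includes and defaults and is the final word; sudo sshd -t checks the syntax before you restart the service.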
Disable Bash history
# SAVEFILE is not a bash variable; the ones that matter are HISTFILE, HISTSIZE and HISTFILESIZE.
# These lines only affect the current shell: put them in ~/.bashrc to make them stick.
unset HISTFILE
export HISTSIZE=0 HISTFILESIZE=0
set +o history
history -c                        # drop what this session already recorded
rm -f ~/.bash_history
ln -s /dev/null ~/.bash_history   # anything that still writes there goes to /dev/null
# Kali (zsh by default): same idea, zsh's size variable is SAVEHIST; put these in ~/.zshrc
unset HISTFILE
export HISTSIZE=0 SAVEHIST=0
rm -f ~/.zsh_history
ln -s /dev/null ~/.zsh_history
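Added example, not part of the original page: the exports above only last until you close the terminal, so this small function writes the equivalent lines into an rc file once (safe to re-run) and checks that they are there. The marker comment and the function names are my choice; the demo writes into a temp directory, not your real rc files.

```sh
#!/bin/sh
# Added example, not from the original page: persistent, idempotent "no shell history".
# Assumes bash or zsh; the caller passes the rc file path (~/.bashrc, or ~/.zshrc on Kali).

MARK='# opsec: shell history disabled'

# history_block RCFILE: print the lines to add, chosen by the rc file's name (zsh vs bash)
history_block() {
    case "$1" in
    *zshrc)
        printf '%s\nunset HISTFILE\nexport HISTSIZE=0 SAVEHIST=0\n' "$MARK" ;;
    *)
        printf '%s\nunset HISTFILE\nexport HISTSIZE=0 HISTFILESIZE=0\nset +o history\n' "$MARK" ;;
    esac
}

# history_disabled RCFILE: succeeds if the marker line is already present
history_disabled() {
    [ -f "$1" ] && grep -qxF "$MARK" "$1"
}

# history_off RCFILE: append the block exactly once; prints "added" or "already present"
history_off() {
    if history_disabled "$1"; then
        echo "already present"
    else
        history_block "$1" >> "$1" && echo "added"
    fi
}

# demo on constructed rc files in a temp dir (does not touch your real ~/.bashrc)
d=$(mktemp -d)
history_off "$d/.bashrc"     # -> added
history_off "$d/.bashrc"     # -> already present
history_off "$d/.zshrc"      # -> added
rm -rf "$d"
```

Run history_off ~/.bashrc (or ~/.zshrc) and then remove the existing history file as shown above; the settings take effect in the next shell you open. Other tools keep their own history files (for example ~/.python_history, ~/.lesshst, ~/.viminfo), so check your home directory for those too.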
Remove packages that phone home
# Ubuntu: apport and whoopsie collect and upload crash reports, popularity-contest reports your installed packages.
# Silence the services first, then purge, so nothing is left half-configured.
sudo systemctl stop apport.service whoopsie.service
sudo systemctl disable apport.service whoopsie.service
sudo systemctl mask apport.service whoopsie.service
sudo apt purge apport whoopsie popularity-contest -y
sudo apt autoremove
Settings (GNOME):
- Launch "Settings" from the Application Menu
- Click on "Privacy"
- Set "Connectivity Checking" to OFF
- Set "Location Services" to OFF
- Click on "Usage & History", turn OFF "Recently Used" and set "Retain History" to "1 day"
- Click on "Problem Reporting" and set it to OFF / Never
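The same switches from the command line, as an added example that is not from the original page, plus a drift check so you can verify them (for instance after an upgrade) instead of re-clicking through Settings. The gsettings keys are the ones behind the GNOME Privacy panel; the function names and the sample list-recursively output are my constructions.

```sh
#!/bin/sh
# Added example, not from the original page: GNOME privacy settings via gsettings, with a drift check.
# "Connectivity Checking" is a NetworkManager setting, not a gsettings key (see the note after the code).

# desired "schema key value" triples, in the format gsettings list-recursively prints
privacy_desired() {
    cat <<'EOF'
org.gnome.desktop.privacy remember-recent-files false
org.gnome.desktop.privacy recent-files-max-age 1
org.gnome.desktop.privacy report-technical-problems false
org.gnome.system.location enabled false
EOF
}

# privacy_apply: set every desired key (needs a GNOME session; refuses to run elsewhere)
privacy_apply() {
    command -v gsettings >/dev/null || { echo "gsettings not found"; return 1; }
    privacy_desired | while read -r schema key value; do
        gsettings set "$schema" "$key" "$value"
    done
}

# privacy_drift: read current "schema key value" lines on stdin, print each desired key whose
# value differs, exit 0 when nothing drifted. On a real system feed it:
#   { gsettings list-recursively org.gnome.desktop.privacy; gsettings list-recursively org.gnome.system.location; } | privacy_drift
privacy_drift() {
    want=$(mktemp)
    privacy_desired > "$want"
    awk 'NR == FNR { want[$1 " " $2] = $3; next }            # first file: desired values
         ($1 " " $2) in want && $3 != want[$1 " " $2] {      # stdin: current values
             print "DRIFT " $1 " " $2 " is " $3 " (want " want[$1 " " $2] ")"; bad = 1
         }
         END { exit bad }' "$want" -
    rc=$?
    rm -f "$want"
    return $rc
}

# constructed sample of gsettings list-recursively output, with one key still at its default
demo_current() {
    cat <<'EOF'
org.gnome.desktop.privacy remember-recent-files false
org.gnome.desktop.privacy recent-files-max-age 1
org.gnome.desktop.privacy report-technical-problems true
org.gnome.desktop.privacy disable-camera false
org.gnome.system.location enabled false
EOF
}

demo_current | privacy_drift
# -> DRIFT org.gnome.desktop.privacy report-technical-problems is true (want false)
```

To turn off Connectivity Checking from the shell, add a drop-in such as /etc/NetworkManager/conf.d/90-no-connectivity-check.conf (the file name is my choice) containing a [connectivity] section with enabled=false, then restart NetworkManager.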
Patch some dir permissions
# Nothing legitimate needs to write to /var/crash once apport is gone
sudo chmod o-w /var/crash
[ -d /var/metrics ] && sudo chmod o-w /var/metrics
# Do NOT take other-write off /var/tmp: like /tmp it must be world-writable with the sticky bit
# (mode 1777) or programs that keep state there start failing. Verify the sticky bit instead:
ls -ld /tmp /var/tmp        # both should show drwxrwxrwt
Randomize MAC for any Wifi connection
Create /etc/NetworkManager/conf.d/00-macrandomize.conf with:
[device]
wifi.scan-rand-mac-address=yes
[connection]
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random
connection.stable-id=${CONNECTION}/${BOOT}
"random" picks a fresh MAC every time the connection activates. If a network keeps kicking you off (captive portals, MAC-allowlisted Wi-Fi), use "stable" instead: it derives a fixed per-network MAC from connection.stable-id, which only affects the MAC in that mode (with ${BOOT} in it the address still changes on every reboot).
Restart NetworkManager and check that the address in use differs from the burned-in one (ethtool -P <iface> shows the permanent MAC):
sudo systemctl restart NetworkManager
ip link show
AppArmor
Install:
sudo apt install -y apparmor-profiles apparmor-utils
Put some basic profiles into enforce mode (many of the extra profiles ship in complain mode; aa-enforce only works for a profile that exists under /etc/apparmor.d, and on Ubuntu releases where Firefox is a snap there is no usr.bin.firefox profile):
sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
sudo aa-enforce /etc/apparmor.d/usr.sbin.avahi-daemon
sudo aa-enforce /etc/apparmor.d/usr.sbin.dnsmasq
sudo aa-enforce /etc/apparmor.d/bin.ping
sudo aa-enforce /etc/apparmor.d/usr.sbin.rsyslogd
Check what is enforced, and watch for denials before trusting a newly enforced profile:
sudo aa-status
sudo dmesg | grep 'apparmor="DENIED"'
Auditing
# the rules need the audit daemon installed
sudo apt install -y auditd
# Monitor changes and executions within /tmp
sudo tee /etc/audit/rules.d/tmp-monitor.rules <<'EOF'
-w /tmp/ -p wa -k tmp_write
-w /tmp/ -p x -k tmp_exec
EOF
# Monitor administrator access to /home directories (root touching a home that is not its own)
sudo tee /etc/audit/rules.d/admin-home-watch.rules <<'EOF'
-a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid -k admin_home_user
EOF
# merge rules.d into /etc/audit/audit.rules and load them, no daemon restart needed
sudo augenrules --load
sudo auditctl -l          # confirm the rules are active
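A first-pass triage over the records that the AppArmor profiles and the audit rules above produce, added here as an example for both sections (it is not code from the original page). ausearch -k KEY is the proper tool on a live box; this shows what the records look like and how to count them when all you have is a copied audit.log. The log lines are constructed samples and the function names are mine.

```sh
#!/bin/sh
# Added example, not from the original page: triage of /var/log/audit/audit.log lines tagged by
# the -k keys above (tmp_write, tmp_exec, admin_home_user) and of AppArmor DENIED records.

# audit_key_counts FILE: "count key" per -k key, most frequent first
audit_key_counts() {
    awk 'match($0, /key="[^"]*"/) { k = substr($0, RSTART + 5, RLENGTH - 6); n[k]++ }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# audit_key_execs FILE KEY: distinct executables (exe="...") in SYSCALL records tagged with KEY
audit_key_execs() {
    awk -v want="key=\"$2\"" '
        $1 == "type=SYSCALL" && index($0, want) && match($0, /exe="[^"]*"/) {
            print substr($0, RSTART + 5, RLENGTH - 6)
        }' "$1" | sort -u
}

# apparmor_denials FILE: "count profile operation" for apparmor="DENIED" records
apparmor_denials() {
    awk '/apparmor="DENIED"/ {
             p = o = "?"
             if (match($0, /profile="[^"]*"/))   p = substr($0, RSTART + 9, RLENGTH - 10)
             if (match($0, /operation="[^"]*"/)) o = substr($0, RSTART + 11, RLENGTH - 12)
             n[p " " o]++
         }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# constructed sample log: a binary run twice from /tmp, one write into /tmp, root reading a
# user's home, two Firefox denials, and one complain-mode (ALLOWED) record that must not count
demo_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1001 auid=1000 uid=1000 gid=1000 comm="dropper" exe="/tmp/dropper" key="tmp_exec"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=yes exit=3 ppid=1000 pid=1002 auid=1000 uid=1000 gid=1000 comm="curl" exe="/usr/bin/curl" key="tmp_write"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1003 auid=1000 uid=1000 gid=1000 comm="dropper" exe="/tmp/dropper" key="tmp_exec"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=257 success=yes exit=4 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 comm="cat" exe="/usr/bin/cat" key="admin_home_user"
type=AVC msg=audit(1700000000.105:205): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/etc/shadow" pid=3001 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.106:206): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/etc/shadow" pid=3001 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.107:207): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dnsmasq" name="/etc/hosts" pid=400 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

log=$(mktemp); demo_log > "$log"
echo "== hits per rule key";   audit_key_counts "$log"        # -> 2 tmp_exec, then the two singles
echo "== executed from /tmp";  audit_key_execs "$log" tmp_exec # -> /tmp/dropper
echo "== AppArmor denials";    apparmor_denials "$log"         # -> 2 /usr/bin/firefox open
rm -f "$log"
```

On a live system the same questions are answered by sudo ausearch -k tmp_exec -i (resolves uids and syscall numbers) and sudo aa-status; an ALLOWED record means the profile is still in complain mode, so it tells you what enforce mode would have blocked.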
chkrootkit
# Install
sudo apt install -y chkrootkit
# Run all checks (-q prints only the findings); the sniffer test is the one that reports
# interfaces in promiscuous mode, which they shouldn't be: sudo chkrootkit sniffer
sudo chkrootkit -q