OS Security

22K

Solutions

23K

Contributors

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.


Picking your brain about password policy.

I was checking a few password management best practices, and some of them discourage the "forcing users to change the password" policy; they advise that users change their passwords if they suspect they've been compromised. I still believe that forcing users to change their password, coupled with other password policies, can really make a password more secure. I was wondering if anyone out there gave up on forcing users to change the password and what the reason for that was.

Thanks as always...
0

I've added the following settings in /etc/sysctl.conf as well as
issued 'sysctl -w ...' to make them effective as part of hardening.

My apps colleague rebooted the RHEL 7 VMs & now
Docker gives the error '503 Service Unavailable'.

How should I reverse them: just by removing
those lines from sysctl.conf & rebooting (sysctl.conf was
quite empty initially)
OR
re-issuing "sysctl -w ..." with the alternate value (i.e. if
it's 0, set it to 1 & if it's 1, set it to 0)? But this doesn't
seem right, as we don't know what the default
value was initially. So how do we know what the
initial default value was before the change?


sysctl -w fs.suid_dumpable=0
sysctl -w kernel.randomize_va_space=2
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.log_martians=1
sysctl -w net.ipv4.conf.default.log_martians=1
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w …
0
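A defender's habit that answers the "what was the initial value" question is to snapshot the current value of every key the hardening script is about to touch, before applying it. The script below is an added example, not code from the post: it reads the keys' live values straight from /proc/sys (no root needed), records keys the running kernel does not have, and can turn a saved snapshot back into the sysctl -w commands that reinstate it. The key list is taken from the hardening list above; everything else is constructed. Two related facts: with an initially empty /etc/sysctl.conf, removing the added lines and rebooting returns the keys to the kernel's built-in defaults plus whatever /usr/lib/sysctl.d and /etc/sysctl.d supply; and Docker's bridge networking depends on net.ipv4.ip_forward=1, so a list that forces it to 0 is the first entry to compare against the snapshot when containers stop answering.

```shell
#!/bin/sh
# Added example (not from the post): snapshot the current value of every
# sysctl key a hardening script is about to change, so the pre-change state
# is recorded and can be restored later. Reads /proc/sys directly, so it
# needs no root and does not depend on the sysctl binary's output format.

# Keys copied from the hardening list in the post above (the list is
# truncated on the page, so this is the visible subset).
HARDENING_KEYS="fs.suid_dumpable kernel.randomize_va_space net.ipv4.ip_forward
net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter
net.ipv4.conf.all.accept_redirects net.ipv4.conf.default.accept_redirects
net.ipv4.conf.all.send_redirects net.ipv4.conf.default.send_redirects
net.ipv4.conf.all.log_martians net.ipv4.conf.default.log_martians
net.ipv4.tcp_syncookies"

# key_to_path: net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward
key_to_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr '.' '/')"
}

# extract_keys: pull the key names out of "sysctl -w key=value" lines on
# stdin, so the list to snapshot can be generated from the hardening script
# itself instead of being maintained by hand.
extract_keys() {
    sed -n 's/^[[:space:]]*sysctl[[:space:]]\{1,\}-w[[:space:]]\{1,\}\([^=[:space:]]*\)=.*/\1/p'
}

# snapshot: print "key=value" for each key in the space-separated list $1.
# Keys absent from this kernel are recorded as comments so the gap is visible
# rather than silently skipped.
snapshot() {
    for k in $1; do
        p=$(key_to_path "$k")
        if [ -r "$p" ]; then
            # multi-value keys separate values with tabs; normalise to spaces
            printf '%s=%s\n' "$k" "$(tr -s '\t' ' ' < "$p")"
        else
            printf '# %s: not present on this kernel\n' "$k"
        fi
    done
    return 0
}

# restore_cmds: turn a snapshot (stdin) back into the sysctl -w commands
# that would reinstate it; blank and comment lines pass through unchanged.
# Output is printed for review, not executed.
restore_cmds() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line" ;;
            *)       printf 'sysctl -w %s\n' "$line" ;;
        esac
    done
    return 0
}

# Stand-alone usage: print the pre-hardening state of the listed keys.
# Redirect to a file (e.g. sysctl-before-hardening.txt) to keep it, then
# later: restore_cmds < sysctl-before-hardening.txt
snapshot "$HARDENING_KEYS"
```

Keep the snapshot with the change ticket: a later "was this value ours or the kernel's" question is then a diff rather than a guess.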
Refer to the attached list of group/world-writable folders:
many of them are under the docker dir & some are owned by ftp.

Q1:
Is it OK to remove the group-writable permission?

Q2:
Those files owned by ftp: can we amend them to be owned by root?
gwrifold.zip
0
During hardening, I found the following group- or world-writable files.
Any harm if I do 'chmod g-w or o-w' on them:

rw-rw-r--. 1 root utmp 1920 Nov 15 15:26 /run/utmp
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/member
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/user
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/relabel
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/create
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/access
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/context
--w--w--w-. 1 root root 0 Nov 12 22:18 /sys/fs/cgroup/blkio/docker/09445bf1ebac906fb92c97d9140a42710796b2dd34bb3474c71794b131f4741b/cgroup.event_control
--w--w--w-. 1 root root 0 Nov 11 18:29 /sys/fs/cgroup/blkio/docker/e760f8367ab29e50ea04629d2d1466013a0d19510052470e0617bb169993e652/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/5370fc625a376632a22e470e0d490e11a1e10ce7b142d87f5854ea258a2a5567/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/cadac22712699622cc1554a6ced7f662fdc8dd62b5793516096dea0f9d268548/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/ffd11120a3e494232e67bb4517bcf358c5d2e1690935455b37db9bcd169e9320/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/0d93b13bbc417a4d59cc89c5e28160217c844d702f80ea29bb7740df86e1ef3d/cgroup.event_control
--w--w--w-. 1 root root 0…
0
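The paths in the listing sit on kernel-managed pseudo-filesystems (selinuxfs under /sys/fs/selinux, cgroup under /sys/fs/cgroup) or on the tmpfs at /run, where the modes are set by the kernel or at boot: a chmod there does not survive a reboot, and /run/utmp being group-writable by the utmp group is the stock layout. The CIS audit for these items therefore restricts find to local, on-disk filesystems and uses -xdev so it never descends into /sys, /proc or network mounts. The script below is an added example, not code from the post, showing that filter; the mount table it parses by default is constructed to mirror the host layout visible on this page.

```shell
#!/bin/sh
# Added example (not from the post): choose the mount points a world/group-
# writable audit should actually scan, leaving out kernel-managed pseudo-
# filesystems (sysfs, selinuxfs, cgroup, proc, devtmpfs, tmpfs) and network
# mounts, then run the audit with -xdev so find never crosses into them.

# Filesystem types that hold real on-disk files; extend for your site.
REAL_FS_TYPES="xfs ext2 ext3 ext4 btrfs"

# Constructed sample in /proc/mounts format, mirroring the layout shown in
# the posts on this page (xfs root and /tmp, selinuxfs, cgroup, tmpfs, nfs).
SAMPLE_MOUNTS='/dev/mapper/rhel-root / xfs rw,seclabel,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/mapper/rhel-tmp /tmp xfs rw,nosuid,nodev,noexec,relatime 0 0
10.121.0.43:/JPOM/efs /efs nfs rw,relatime 0 0'

# is_real_fs: succeed if the filesystem type $1 is in REAL_FS_TYPES
is_real_fs() {
    for t in $REAL_FS_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# local_mountpoints: read /proc/mounts-format lines ("src mnt fstype opts 0 0")
# on stdin and print the mount points worth auditing, one per line.
local_mountpoints() {
    while read -r src mnt fstype rest; do
        is_real_fs "$fstype" && printf '%s\n' "$mnt"
    done
    return 0
}

# audit_writable: run the CIS-style find over the given mount points.
# -xdev keeps find on each filesystem; -perm -0002 matches world-writable
# and -perm -0020 group-writable regular files. The output is a list of
# paths for review, not a chmod: decide per file whether the mode is a
# defect or the service's documented layout.
audit_writable() {
    for m in "$@"; do
        find "$m" -xdev -type f \( -perm -0002 -o -perm -0020 \) 2>/dev/null
    done
    return 0
}

# Stand-alone usage: on a real host read /proc/self/mounts; otherwise show
# the selection on the constructed sample. The find itself is left to the
# operator: audit_writable $(printf '%s\n' "$table" | local_mountpoints)
if [ -r /proc/self/mounts ]; then
    table=$(cat /proc/self/mounts)
else
    table=$SAMPLE_MOUNTS
fi
printf '%s\n' "$table" | local_mountpoints
```

The selection step is what removes /sys/fs/selinux, /sys/fs/cgroup and /run from the result; anything that still appears afterwards is on a persistent filesystem, which is where a chmod both matters and sticks.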
CIS RHEL7 doc item 1.2.3 recommends "GPG keys are configured according to site policy".

What's the best practice?

On my RHEL7 I got the following; is it best-practice/compliant?
$ rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
gpg-pubkey-fd431d51-4ae0493b --> gpg(Red Hat, Inc. (release key 2) <security@redhat.com>)
gpg-pubkey-2fa658e0-45700c69 --> gpg(Red Hat, Inc. (auxiliary key) <security@redhat.com>)
gpg-pubkey-7668xxxx-58axxxxx --> gpg(Docker Release (EE rpm) <docker@docker.com>)
0
When verifying RHEL7 CIS benchmark compliance item 1.2.1,
"Ensure package manager repositories are configured", I got the
message below: is this an NC & what should be done to rectify it?

All the CIS doc says is "Configure your package manager repositories
according to site policy", but currently we don't have one:

$ yum repolist
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
repo id                                                     repo name                                         status
!docker-ee-stable-17.06/x86_64         Docker EE Stable 17.06 - x86_64     19
repolist: 19
0
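Both items (1.2.1 and 1.2.3) are "per site policy" checks, so the practical audit is to enumerate what is configured and compare it with an explicit allow-list: which signing keys are imported into the rpm database, and whether each configured repository has gpgcheck enabled (CIS 1.2.2) so those keys are actually used when packages install. The script below is an added example, not code from the posts; the expected-key list uses the two Red Hat key packages shown in the rpm output above, with a placeholder where the page masks the Docker key id, and the .repo file content is constructed.

```shell
#!/bin/sh
# Added example (not from the posts): compare the GPG keys imported into the
# rpm database against an explicit allow-list, and report the gpgcheck
# setting of every repository defined in yum .repo files.

# Expected key packages. The two Red Hat ids come from the rpm output in the
# post; the Docker id is masked on the page, so a placeholder stands in.
EXPECTED_KEYS="gpg-pubkey-fd431d51-4ae0493b gpg-pubkey-2fa658e0-45700c69 gpg-pubkey-DOCKERKEYID-PLACEHOLDER"

# Constructed .repo content: one repo with gpgcheck set, one without, so the
# "missing" case (falls back to the global setting in /etc/yum.conf) shows.
SAMPLE_REPO='[docker-ee-stable-17.06]
name=Docker EE Stable 17.06 - x86_64
baseurl=https://repo.example.invalid/docker-ee-stable-17.06/x86_64
enabled=1
gpgcheck=1
[local-mirror]
name=Constructed local mirror without gpgcheck
baseurl=file:///srv/mirror
enabled=1'

# check_keys: read "gpg-pubkey-<id>-<ts> --> <summary>" lines on stdin (the
# format produced by the rpm -q query in the post) and print one verdict per
# key: OK when the package name is in EXPECTED_KEYS, UNEXPECTED otherwise.
check_keys() {
    while read -r pkg arrow summary; do
        verdict=UNEXPECTED
        for e in $EXPECTED_KEYS; do
            [ "$pkg" = "$e" ] && verdict=OK
        done
        printf '%s %s %s\n' "$verdict" "$pkg" "$summary"
    done
    return 0
}

# repo_gpgcheck: read .repo file content on stdin and print
# "<repoid> gpgcheck=<value>" per [section], with "missing" when the section
# has no gpgcheck line of its own.
repo_gpgcheck() {
    awk '
        /^\[/ {
            if (id != "") print id, "gpgcheck=" val
            id = substr($0, 2, length($0) - 2); val = "missing"; next
        }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); val = $0 }
        END { if (id != "") print id, "gpgcheck=" val }
    '
}

# Stand-alone usage: on a real host feed the live data; here the sample.
#   rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' | check_keys
#   cat /etc/yum.repos.d/*.repo | repo_gpgcheck
printf '%s\n' "$SAMPLE_REPO" | repo_gpgcheck
```

A key marked UNEXPECTED is not automatically malicious, but it is exactly the thing site policy should name; likewise a repo with gpgcheck missing or 0 means packages from it install without a signature check regardless of which keys are imported.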
I performed one of the CIS RHEL 7 hardening remediations.
I got the message marked with <== shown below; can someone advise?

$ cat  /etc/systemd/system/local-fs.target.wants/tmp.mount
[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,noexec,nodev,nosuid

[root@mesopv1]:/etc/modprobe.d
$ systemctl unmask tmp.mount

[root@mesopv1]:/etc/modprobe.d
$ systemctl enable tmp.mount
Failed to execute operation: Invalid argument <==

[root@mesopv1]:/etc/modprobe.d
$
0
Hi expert,

I need help; I am not strong in PowerShell.

I was tasked with automating the manual Windows Server patching using a PowerShell script.

For your information, we don't have an SCCM environment. Let me share the use case in the following:

Not sure if it is possible to achieve the following:

1: A PowerShell script will get the file from SFTP and deploy the patch to Windows Server 2016.
1
I wanted to set 'nosuid,noexec,nodev' on the /dev/shm partition
so that the settings stay across reboots. However, I can't see
this partition listed in my fstab, as shown below:

What should I add to fstab? Or is this done in another file?

$ cat fstab
# /etc/fstab
# Created by anaconda on Thu Nov  1 22:13:57 2018
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/rhel-root   /                       xfs     defaults        0 0
UUID=023c84eb-dcc5-4ea9-9841-fc936246dd98 /boot                   xfs     defaults        0 0
/dev/mapper/rhel-home   /home                   xfs     defaults,nodev,relatime        0 0
/dev/mapper/rhel-tmp    /tmp                    xfs     defaults,nodev,nosuid,noexec        0 0
/dev/mapper/rhel-var    /var                    xfs     defaults        0 0
/dev/mapper/rhel-swap   swap                    swap    defaults        0 0
# NFS Shared drive from Bootstrap node
10.121.0.43:/JPOM/efs    /efs   nfs    defaults 0 0

$ df
Filesystem            1K-blocks    Used Available Use% Mounted on
/dev/mapper/rhel-root  30254660 3818732  26435928  13% /
devtmpfs                8121512       0   8121512   0% /dev
tmpfs                   8133368       0   8133368   0% /dev/shm         <==
tmpfs                   8133368  786484   7346884  10% /run
tmpfs                   8133368       0   8133368   0% /sys/fs/cgroup
0
I followed the CIS RHEL 7 benchmark hardening instructions to edit the file below so as to make the
various settings (i.e. nosuid, noexec, nodev) permanent; I guess these should stay across reboots.

However, after a reboot last Fri evening, those 'nosuid, noexec, nodev' settings are gone again:

[root@mesosph01]:/etc/systemd/system/local-fs.target.wants   <== this is the dir
$ more tmp.mount
[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,noexec,nodev,nosuid

$ ls -lad tmp.mount
-rw-------. 1 root root 91 Nov  8 17:23 tmp.mount

I tried to start a certain service mentioned in the CIS doc as root; there's an error:
$ systemctl unmask tmp.mount

[root@mesopubp01]:/root
$ systemctl enable tmp.mount
Failed to execute operation: Invalid argument  <==


The following command was done last week Thu & it worked but after
reboot, the settings are lost:
$ mount -o remount,rw,nodev,nosuid,noexec,relatime /tmp
$ mount | grep /tmp
/dev/mapper/rhel-tmp on /tmp type xfs (rw,nosuid,nodev,noexec,relatime,seclabel,attr2,inode64,noquota)
0
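A mount -o remount changes only the live mount table, so options set that way are gone at the next boot; what persists is the entry in /etc/fstab or a systemd mount unit. For /dev/shm, which has no fstab line by default, the CIS entry is tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. On the tmp.mount side, the file shown has only a [Mount] section and is a plain file inside a .wants directory: systemctl enable needs an [Install] section (the stock tmp.mount uses WantedBy=local-fs.target) to have something to link, unit files belong under /etc/systemd/system while .wants directories hold the symlinks that enable creates, and since that unit declares a tmpfs it competes with a /tmp that is already a separate xfs filesystem in fstab, as in the fstab post above, where the options can live instead. The script below is an added example, not code from the posts: it compares the options a mount point is running with, and the options recorded in fstab, against the set CIS expects, so drift after a reboot shows up as a specific missing option. Its live-mount and fstab tables are constructed from the output on this page.

```shell
#!/bin/sh
# Added example (not from the posts): check each mount point's live options
# and its fstab options against a required set, so "hardening lost after
# reboot" shows up as a named missing option on a named mount.

# Constructed live table in /proc/mounts format; the /tmp line mirrors the
# mount output in the post above, /dev/shm is the default unhardened tmpfs.
SAMPLE_LIVE='/dev/mapper/rhel-root / xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0
/dev/mapper/rhel-tmp /tmp xfs rw,nosuid,nodev,noexec,relatime,seclabel,attr2,inode64,noquota 0 0
tmpfs /dev/shm tmpfs rw,seclabel 0 0'

# Constructed fstab sample (comments already stripped). /dev/shm has no
# entry, so any remount on it would not survive a reboot; the persistent
# CIS entry is:  tmpfs  /dev/shm  tmpfs  defaults,nodev,nosuid,noexec  0 0
SAMPLE_FSTAB='/dev/mapper/rhel-root / xfs defaults 0 0
/dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0'

# mount_opts: print the option field for mount point $1 from the table on
# stdin, or "absent" when there is no line for it. Works for /proc/mounts
# and fstab alike, since both use "src mountpoint type options ...".
mount_opts() {
    awk -v mnt="$1" '$2 == mnt { print $4; found = 1 } END { if (!found) print "absent" }'
}

# missing_opts: given an option string ($1, comma-separated, or "absent")
# and the required options ($2, space-separated), print the required ones
# that are not present, space-separated; print nothing when all are there.
missing_opts() {
    missing=""
    for want in $2; do
        case ",$1," in
            *",$want,"*) ;;
            *) missing="$missing${missing:+ }$want" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# audit_mount: report live and fstab status of mount point $1 against the
# required options $2. Tables come from LIVE_TABLE and FSTAB_TABLE so the
# same function runs on real or constructed input.
audit_mount() {
    live=$(printf '%s\n' "$LIVE_TABLE" | mount_opts "$1")
    fstab=$(printf '%s\n' "$FSTAB_TABLE" | mount_opts "$1")
    lm=$(missing_opts "$live" "$2")
    fm=$(missing_opts "$fstab" "$2")
    if [ -z "$lm" ] && [ -z "$fm" ]; then
        printf '%s OK\n' "$1"
    else
        printf '%s live-missing:[%s] fstab-missing:[%s]\n' "$1" "$lm" "$fm"
    fi
}

# Stand-alone usage on the constructed tables. On a real host:
#   LIVE_TABLE=$(cat /proc/self/mounts); FSTAB_TABLE=$(grep -v '^#' /etc/fstab)
LIVE_TABLE=$SAMPLE_LIVE
FSTAB_TABLE=$SAMPLE_FSTAB
for mp in /tmp /dev/shm; do
    audit_mount "$mp" "nodev nosuid noexec"
done
```

Reading both columns side by side is the point: a mount that is OK live but missing in fstab is exactly the "worked last Thursday, gone after reboot" case, while one missing live but present in fstab has not been remounted since the fstab edit.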

We've got a handful of servers that have to remain on 2008R2 for another year or so, for one reason or another. Migrating those servers to Azure doesn't work as they have to be on-prem. I'm reading that you can get security updates if you have an Enterprise Agreement, but that gets complicated & expensive. Most of the servers in question are for smaller networks with 20-70 people. They have one or two Server Standard 2008 R2 VMs running some legacy application that needs to remain onsite and has to be on 2008.

I've read several articles about Microsoft offering a ~$300/year option to keep security updates going.  However, I'm not finding anything official.

Anyone got any advice on this?

Thank you!
0
I need to send a company-wide notification that we'll be doing some vulnerability testing in our environment, and I have never done one before or have a template on which to create one. I need assistance with a template for this type of notification. Is there a location where I can retrieve this information?
0
Hello,
We are having random account lockouts, and a few accounts persistently appear among the lockouts. Using Netwrix Account Lockout Examiner, it indicates the PDC from which the account is locked, and the workstation as our Exchange front end (2010). The details for event ID 4625 on the Exchange server do not have any information as to where the lockout is coming from, so Source Network Address is blank. Has anyone encountered this before? Attached are some of the details.
0
Hello

I need to block regular users, using GP, from viewing (not just clearing) the event logs for domain-connected secure Win10 desktops due to NIST STIG requirements.

You would think this was a common and easy thing to do. You do not want non-admins in a secure environment looking at the security log.

I have followed the instructions from the link below, with limited success. It's blocking admins also. The SDDL I am using is O:BAG:BAD:(A;;RC;;;BA)

https://support.microsoft.com/en-us/help/323076/how-to-set-event-log-security-locally-or-by-using-group-policy



I have also tried this approach

https://social.technet.microsoft.com/Forums/en-US/1c4e9583-2c71-4d05-bbc1-d7fd214b9e57/block-event-viewer-access-to-users?forum=winserverDS

Win 10 desktops and 2016 server DC


Does anyone know of a better approach?
0
I was asked in an interview where I get info regarding IT security. I drew a blank, since I only know a couple of CVE websites. What would be a proper answer, and where should I be looking?
0
Can anyone share sample full contents of recommended/hardened settings
for postgresql.conf?

What's indicated in the CIS benchmark for PostgreSQL 10 is unclear & in bits & pieces;
some of the extracts from the benchmark are posted below:

- configuration file enumerates all tunable parameters and even though most of them are
commented out it is understood that they are in fact active and at those very same
documented values.

- shared_preload_libraries = 'pgaudit'
OR
shared_preload_libraries = 'pgaudit,somethingelse'

- $ vi ~postgres/10/data/postgresql.conf
# load set_user libs before anything else
shared_preload_libraries = 'set_user, other_libs'
0
As part of bundled O365, we get ActiveSync MDM that can do a remote
wipe of our corporate phones. However, we found that this remote
wipe for 'full wipe' (i.e. mailbox plus the phone OS) doesn't wipe
the OS of certain Android phones but only the mailbox, for which Audit
gave a finding: it's desired to wipe the entire phone.

We logged a case through the reseller (we understand the reseller further logged it with
MS) but did not get any reply, thus enquiring here:

Q1:
Is there a list of published phone models that MS ActiveSync
supports for 'full remote wipe'?

Q2:
Is this specific to a particular Android version, or does it sound more
hardware-specific/dependent?

Q3:
Any other workarounds other than training staff not to export
their emails out of the phone or take screenshots to save on
the phone?
0
I have the following network and wanted to get your opinion, from a security/network point of view, as to what is wrong and what to do about it.
1
What are some services or applications that would be recommended to MSSPs so that they can have 2FA on their Windows logins and their domains? That way we can provide an extra level of security to ourselves and our clients.
0

We've started doing some pentesting in our environment with Kali Linux and utilizing Metasploit as well. Since this is an internal test, we are going with a segmentation approach, but I wanted to know what else would be recommended for our small company. We have less than 1k users and smaller sites. We're also planning on visiting the sites and doing site surveys in the near future.

Thanks for your thoughts and suggestions.
0
What are some security protocols that a company should adopt as far as daily checks related to security? I'm trying to create a template for my company and was curious what the suggested protocols would be to run every day, weekly, monthly, bi-monthly?
0
We presently have a small SOC group, a total of 4 people, and we run various security tools to both monitor and react, as well as for PCI compliance. Some of the tools we utilize are Palo Alto, ADAudit Plus, Cisco AMP machines and SCEP for servers, SCCM, Sourcefire, Tripwire, and we use SecureWorks for alerting us on potential threats. We do run some things in the cloud and are looking to move more apps to the cloud in the near future.

I wanted to ask, if money were not an object, what we could utilize to maybe be more secure while at the same time saving money. I was informed that AlienVault is now a big player in this arena. I wanted to hear the pros/cons of selecting AlienVault, as well as what my other options are. I've also been told that AI can now do much of the security stuff and that Palo Alto has this feature as well.
In general, again: if money were no object, what design would you suggest from a security point of view?
0
I need a tool for PII and DLP where the software will scan a FILE and verify whether it contains PII. Back in the day, we used a tool that would do this, but I don't recall the name. The software would scan a document, and someone would need to allow/deny the request to send the email. Also, there was a shortcut to send the email encrypted to the receiver.

On the same note, we also need to enable DLP in our OFFICE365 environment, but presently we only have it set for the Patriot Act and only for the US. We need to enable PII for every country in the world. We understand we'll need to tweak it a bit, but for now we just need to enable it globally.
0
Hello,

I am reading this Qualys vulnerability report, which says a server has this IE vulnerability. Please see the attached. The server already has the latest Windows Updates.

I have applied the latest Windows updates to the server. There are three links under the Exploitability section in the report, where the download link to fix the vulnerability is supposed to be available. But it happens that the download link only downloads a txt file.

Someone who has an idea please advise.  

Many thanks.
qualys-report.docx
0
Hi I get this error:

Bios update error - phoenix technologies SCT flash ERROR 216 status = 1501

Can't find what the status description is.

James
0
