Security Parameters

Complete reference for all 121 security parameters covered by HardenSys.

Note: All parameters are based on CIS benchmarks and security best practices for Windows systems.

Overview

HardenSys covers 121 security parameters across 7 main categories, providing comprehensive coverage of Windows security hardening requirements. Each parameter includes detailed configuration instructions and compliance checking.

Parameter Structure

Each security parameter includes:

Title: Descriptive name of the security setting
Details: Detailed description and recommended configuration
Script Key: Internal function identifier for automation
Category: Security category classification
Subcategory: Specific subcategory within the main category

Windows-Specific Parameters

Windows systems include additional security parameters such as:

User Account Control (UAC) settings
Windows Defender configurations
Registry-based security policies
Active Directory integration

Security Categories

Account Policies

9 parameters covering password policies, account lockout settings, and Kerberos authentication.

Subcategories:

Password Policy (6 parameters)
Account Lockout Policy (3 parameters)

User Rights Assignment

7 parameters covering administrative privileges, system access controls, and security permissions.

Subcategories:

User Rights Assignment (7 parameters)

Security Options

24 parameters covering network security, User Account Control, and system cryptography.

Subcategories:

Accounts (1 parameter)
Interactive logon (1 parameter)
Microsoft network server (1 parameter)
Network security (1 parameter)

System Settings

32 parameters covering User Account Control, system services, and critical service configurations.

Subcategories:

User Account Control (32 parameters)
System Services (32 parameters)

Windows Defender Firewall

18 parameters covering firewall profiles, connection security, and rule management.

Subcategories:

Private Profile (9 parameters)
Public Profile (9 parameters)

Advanced Audit Policy

20 parameters covering account logon, object access, and system events.

Subcategories:

Account Logon (20 parameters)

Microsoft Defender Application Guard

11 parameters covering Application Guard settings and configuration.

Subcategories:

Application Guard Settings (11 parameters)

Complete Parameter List

Below is the comprehensive list of all 121 security parameters organized by category.

Parameters Manual Setup

Note: This section provides detailed manual setup instructions for all Windows security parameters. Each parameter includes registry paths, manual setup steps, and configuration details.

Search Parameters

Account Policies

Password Policy

Enforce password history

Ensure 'Enforce password history' is set to '24 or more password(s)'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Manual Setup: Use net accounts /uniquepw:24 or Local Security Policy → Account Policies → Password Policy

Password Policy

Maximum password age

Ensure 'Maximum password age' is set to '90 days, but not 0'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Manual Setup: Use net accounts /maxpwage:90 or Local Security Policy → Account Policies → Password Policy

Password Policy

Minimum password age

Ensure 'Minimum password age' is set to '1 day'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Manual Setup: Use net accounts /minpwage:1 or Local Security Policy → Account Policies → Password Policy

Password Policy

Minimum password length

Ensure 'Minimum password length' is set to '12 or more character(s)'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Manual Setup: Use net accounts /minpwlen:12 or Local Security Policy → Account Policies → Password Policy

Password Policy

Password must meet complexity requirements

Ensure 'Password must meet complexity requirements' is set to 'Enabled'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Manual Setup: Use net accounts /domain or Local Security Policy → Account Policies → Password Policy

Password Policy

Store passwords using reversible encryption

Ensure 'Store passwords using reversible encryption' is set to 'Disabled'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Manual Setup: Local Security Policy → Account Policies → Password Policy → Store passwords using reversible encryption

Account Lockout Policy

Account lockout duration

Ensure 'Account lockout duration' is set to '15 or more minute(s)'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Manual Setup: Local Security Policy → Account Policies → Account Lockout Policy

Account Lockout Policy

Account lockout threshold

Ensure 'Account lockout threshold' is set to '5 or fewer attempt(s), but not 0'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Manual Setup: Local Security Policy → Account Policies → Account Lockout Policy

Account Lockout Policy

Allow Administrator account lockout

Ensure 'Allow Administrator account lockout' is set to 'Enabled'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Manual Setup: Local Security Policy → Account Policies → Account Lockout Policy

Local Policies

User Rights Assignment

Access Credential Manager as a trusted caller

Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → User Rights Assignment

User Rights Assignment

Access this computer from the network

Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → User Rights Assignment

User Rights Assignment

Adjust memory quotas for a process

Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → User Rights Assignment

User Rights Assignment

Allow log on locally

Ensure 'Allow log on locally' is set to 'Administrators, Users'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → User Rights Assignment

User Rights Assignment

Back up files and directories

Ensure 'Back up files and directories' is set to 'Administrators'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → User Rights Assignment

User Rights Assignment

Change the system time

Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → User Rights Assignment

User Rights Assignment

Change the time zone

Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → User Rights Assignment

Security Options

Accounts

Security Options - Accounts

Block Microsoft accounts

Ensure 'Block Microsoft accounts' is set to 'Users cannot add or log on with Microsoft accounts'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → Security Options → Accounts

Security Options - Accounts

Guest account status

Ensure 'Guest account status' is set to 'Disabled'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → Security Options → Accounts

Security Options - Accounts

Limit local account use of blank passwords

Ensure 'Limit local account use of blank passwords' is set to 'Enabled'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → Security Options → Accounts

Security Options - Accounts

Rename administrator account

Ensure 'Rename administrator account' is set to 'Administrator'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → Security Options → Accounts

Security Options - Accounts

Rename guest account

Ensure 'Rename guest account' is set to 'Guest'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → Security Options → Accounts

Interactive logon

Security Options - Interactive logon

Do not require CTRL+ALT+DEL

Ensure 'Do not require CTRL+ALT+DEL' is set to 'Disabled'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → Security Options → Interactive logon

Security Options - Interactive logon

Don't display last signed in

Ensure 'Don't display last signed in' is set to 'Enabled'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → Security Options → Interactive logon

Security Options - Interactive logon

Machine account lockout threshold

Ensure 'Machine account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → Security Options → Interactive logon

Security Options - Interactive logon

Machine inactivity limit

Ensure 'Machine inactivity limit' is set to '900 or fewer second(s), but not 0'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → Security Options → Interactive logon

Security Options - Interactive logon

Message text for users attempting to log on

Ensure 'Message text for users attempting to log on' is set to 'This system is restricted to authorized users'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → Security Options → Interactive logon

Security Options - Interactive logon

Message title for users attempting to log on

Ensure 'Message title for users attempting to log on' is set to 'Legal Notice'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → Security Options → Interactive logon

Security Options - Interactive logon

Prompt user to change password before expiration

Ensure 'Prompt user to change password before expiration' is set to '14 or more day(s)'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → Security Options → Interactive logon

System Settings

User Account Control

System Settings - UAC

Admin Approval Mode for Built-in Administrator

Ensure 'Admin Approval Mode for Built-in Administrator' is set to 'Enabled'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → Security Options → User Account Control

System Settings - UAC

Elevation prompt for administrators

Ensure 'Elevation prompt for administrators' is set to 'Prompt for consent for non-Windows binaries'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → Security Options → User Account Control

System Settings - UAC

Elevation prompt for standard users

Ensure 'Elevation prompt for standard users' is set to 'Automatically deny elevation requests'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → Security Options → User Account Control

System Settings - UAC

Detect application installations

Ensure 'Detect application installations' is set to 'Enabled'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → Security Options → User Account Control

System Settings - UAC

Run all administrators in Admin Approval Mode

Ensure 'Run all administrators in Admin Approval Mode' is set to 'Enabled'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → Security Options → User Account Control

System Settings - UAC

Switch to secure desktop on elevation prompt

Ensure 'Switch to secure desktop on elevation prompt' is set to 'Enabled'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Local Policies → Security Options → User Account Control

Advanced Audit Policy Configuration

Advanced Audit Policy

Audit Credential Validation

Ensure 'Audit Credential Validation' is set to 'Success and Failure'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Advanced Audit Policy Configuration → Account Logon

Advanced Audit Policy

Audit Application Group Management

Ensure 'Audit Application Group Management' is set to 'Success and Failure'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Advanced Audit Policy Configuration → Account Management

Advanced Audit Policy

Audit Security Group Management

Ensure 'Audit Security Group Management' is set to 'Success and Failure'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Advanced Audit Policy Configuration → Account Management

Advanced Audit Policy

Audit User Account Management

Ensure 'Audit User Account Management' is set to 'Success and Failure'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Manual Setup: Local Security Policy → Advanced Audit Policy Configuration → Account Management

Microsoft Defender Application Guard

Application Guard

Allow auditing events

Ensure 'Allow auditing events' is set to 'Disabled'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppHVSI

Manual Setup: Group Policy → Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Application Guard

Application Guard

Allow camera and microphone access

Ensure 'Allow camera and microphone access' is set to 'Disabled'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppHVSI

Manual Setup: Group Policy → Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Application Guard

Application Guard

Allow data persistence

Ensure 'Allow data persistence' is set to 'Disabled'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppHVSI

Manual Setup: Group Policy → Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Application Guard

Application Guard

Allow file download to host

Ensure 'Allow file download to host' is set to 'Disabled'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppHVSI

Manual Setup: Group Policy → Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Application Guard

Application Guard

Configure clipboard settings

Ensure 'Configure clipboard settings' is set to 'Disabled'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppHVSI

Manual Setup: Group Policy → Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Application Guard

Application Guard

Allow virtual GPU

Ensure 'Allow virtual GPU' is set to 'Disabled'

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppHVSI

Manual Setup: Group Policy → Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Application Guard

Parameter Categories Summary

Category	Subcategory	Parameters	Description
Account Policies	Password Policy	6	Password complexity, age, and history requirements
Account Policies	Account Lockout Policy	3	Account lockout threshold and duration settings
Local Policies	User Rights Assignment	7	User rights and privilege assignments
Security Options	Accounts	5	Account security settings and restrictions
Security Options	Interactive logon	7	Interactive logon security settings
System Settings	User Account Control	6	UAC settings and elevation prompts
Advanced Audit Policy	Account Logon	4	Account logon audit settings
Microsoft Defender Application Guard	Application Guard Settings	6	Application Guard configuration and policies

Linux Security Parameters

Complete reference for all 89 Linux security parameters covered by HardenSys.

Note: All parameters are based on CIS benchmarks and security best practices for Linux systems.

Overview

HardenSys covers 89 security parameters across 6 main categories, providing comprehensive coverage of Linux security hardening requirements. Each parameter includes detailed configuration instructions and compliance checking.

Parameter Structure

Each Linux security parameter includes:

Title: Descriptive name of the security setting
Details: Detailed description and recommended configuration
Script Key: Internal function identifier for automation
Category: Security category classification
Subcategory: Specific subcategory within the main category

Linux-Specific Parameters

Linux systems include additional security parameters such as:

Kernel parameter configurations
Systemd service hardening
File system permissions
Network security configurations
SSH configuration hardening
PAM authentication security

Linux Security Categories

Filesystem Configuration

16 parameters covering kernel modules and partition settings.

Subcategories:

Filesystem Kernel Modules (9 parameters)
Filesystem Partitions (7 parameters)

Package Management

7 parameters covering bootloader and process hardening.

Subcategories:

Bootloader Configuration (2 parameters)
Process Hardening (5 parameters)

Services Configuration

21 parameters covering server and client service management.

Subcategories:

Server Services (12 parameters)
Client Services (6 parameters)
Time Synchronization (3 parameters)

Network Configuration

12 parameters covering network parameters and firewall settings.

Subcategories:

Network Parameters (7 parameters)
Firewall Configuration (5 parameters)

Access Control

21 parameters covering SSH, PAM, and user account controls.

Subcategories:

SSH Configuration (6 parameters)
PAM Configuration (5 parameters)
User Account Controls (5 parameters)

System Hardening

12 parameters covering additional system security measures.

Subcategories:

System Hardening (12 parameters)

Complete Linux Parameter List

Below is the comprehensive list of all 89 Linux security parameters organized by category.

Linux Parameters Manual Setup

Note: This section provides detailed manual setup instructions for all Linux security parameters. Each parameter includes configuration files, command-line instructions, and system-specific setup steps.

Search Parameters

Filesystem Configuration

Filesystem Kernel Modules

Ensure cramfs kernel module is not available

Disable the cramfs kernel module to prevent mounting of cramfs filesystems

File: /etc/modprobe.d/cramfs.conf

Manual Setup: Create file with content: install cramfs /bin/true

Filesystem Kernel Modules

Ensure freevxfs kernel module is not available

Disable the freevxfs kernel module to prevent mounting of freevxfs filesystems

File: /etc/modprobe.d/freevxfs.conf

Manual Setup: Create file with content: install freevxfs /bin/true

Filesystem Kernel Modules

Ensure hfs kernel module is not available

Disable the hfs kernel module to prevent mounting of hfs filesystems

File: /etc/modprobe.d/hfs.conf

Manual Setup: Create file with content: install hfs /bin/true

Filesystem Kernel Modules

Ensure hfsplus kernel module is not available

Disable the hfsplus kernel module to prevent mounting of hfsplus filesystems

File: /etc/modprobe.d/hfsplus.conf

Manual Setup: Create file with content: install hfsplus /bin/true

Filesystem Kernel Modules

Ensure jffs2 kernel module is not available

Disable the jffs2 kernel module to prevent mounting of jffs2 filesystems

File: /etc/modprobe.d/jffs2.conf

Manual Setup: Create file with content: install jffs2 /bin/true

Filesystem Kernel Modules

Ensure overlayfs kernel module is not available

Disable the overlayfs kernel module to prevent mounting of overlayfs filesystems

File: /etc/modprobe.d/overlayfs.conf

Manual Setup: Create file with content: install overlayfs /bin/true

Filesystem Kernel Modules

Ensure squashfs kernel module is not available

Disable the squashfs kernel module to prevent mounting of squashfs filesystems

File: /etc/modprobe.d/squashfs.conf

Manual Setup: Create file with content: install squashfs /bin/true

Filesystem Kernel Modules

Ensure udf kernel module is not available

Disable the udf kernel module to prevent mounting of udf filesystems

File: /etc/modprobe.d/udf.conf

Manual Setup: Create file with content: install udf /bin/true

Filesystem Kernel Modules

Ensure usb-storage kernel module is not available

Disable the usb-storage kernel module to prevent mounting of USB storage devices

File: /etc/modprobe.d/usb-storage.conf

Manual Setup: Create file with content: install usb-storage /bin/true

Filesystem Partitions

Configure /tmp partition

Ensure /tmp is configured as a separate partition with appropriate mount options

File: /etc/fstab

Manual Setup: Add entry: /tmp /tmp ext4 defaults,rw,nosuid,nodev,noexec,relatime 0 0

Filesystem Partitions

Configure /dev/shm partition

Ensure /dev/shm is configured with appropriate mount options

File: /etc/fstab

Manual Setup: Add entry: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0

Filesystem Partitions

Configure /home partition

Ensure /home is configured as a separate partition

File: /etc/fstab

Manual Setup: Add entry: /home /home ext4 defaults,rw,nodev,relatime 0 2

Filesystem Partitions

Configure /var partition

Ensure /var is configured as a separate partition

File: /etc/fstab

Manual Setup: Add entry: /var /var ext4 defaults,rw,nodev,nosuid,relatime 0 2

Filesystem Partitions

Configure /var/tmp partition

Ensure /var/tmp is configured with appropriate mount options

File: /etc/fstab

Manual Setup: Add entry: /var/tmp /var/tmp ext4 defaults,rw,nosuid,nodev,noexec,relatime 0 0

Filesystem Partitions

Configure /var/log partition

Ensure /var/log is configured as a separate partition

File: /etc/fstab

Manual Setup: Add entry: /var/log /var/log ext4 defaults,rw,nodev,nosuid,noexec,relatime 0 2

Filesystem Partitions

Configure /var/log/audit partition

Ensure /var/log/audit is configured as a separate partition

File: /etc/fstab

Manual Setup: Add entry: /var/log/audit /var/log/audit ext4 defaults,rw,nodev,nosuid,noexec,relatime 0 2

Package Management

Bootloader Configuration

Ensure bootloader password is set

Set a password for the bootloader to prevent unauthorized access

File: /etc/grub.d/40_custom

Manual Setup: Add password configuration and run update-grub

Bootloader Configuration

Ensure access to bootloader config is configured

Restrict access to bootloader configuration files

File: /etc/grub.d/

Manual Setup: Set permissions: chmod 600 /etc/grub.d/*

Process Hardening

Ensure address space layout randomization is enabled

Enable ASLR to randomize memory layout and prevent buffer overflow attacks

File: /proc/sys/kernel/randomize_va_space

Manual Setup: Set value to 2: echo 2 > /proc/sys/kernel/randomize_va_space

Process Hardening

Ensure ptrace_scope is restricted

Restrict ptrace to prevent debugging of processes by non-privileged users

File: /proc/sys/kernel/yama/ptrace_scope

Manual Setup: Set value to 1: echo 1 > /proc/sys/kernel/yama/ptrace_scope

Process Hardening

Ensure core dumps are restricted

Restrict core dumps to prevent sensitive information leakage

File: /etc/security/limits.conf

Manual Setup: Add line: * hard core 0

Process Hardening

Ensure prelink is not installed

Remove prelink package to prevent security bypasses

Package: prelink

Manual Setup: Remove package: apt remove prelink

Process Hardening

Ensure Automatic Error Reporting is not enabled

Disable automatic error reporting to prevent information leakage

File: /etc/default/apport

Manual Setup: Set enabled=0: echo 'enabled=0' > /etc/default/apport

Services Configuration

Server Services

Ensure autofs services are not in use

Disable autofs service to prevent automatic mounting of filesystems

Service: autofs

Manual Setup: Disable service: systemctl disable autofs

Server Services

Ensure avahi daemon services are not in use

Disable avahi daemon to prevent service discovery

Service: avahi-daemon

Manual Setup: Disable service: systemctl disable avahi-daemon

Server Services

Ensure dhcp server services are not in use

Disable DHCP server services to prevent unauthorized network configuration

Service: isc-dhcp-server

Manual Setup: Disable service: systemctl disable isc-dhcp-server

Server Services

Ensure dns server services are not in use

Disable DNS server services to prevent DNS attacks

Service: bind9

Manual Setup: Disable service: systemctl disable bind9

Server Services

Ensure ftp server services are not in use

Disable FTP server services to prevent insecure file transfers

Service: vsftpd

Manual Setup: Disable service: systemctl disable vsftpd

Server Services

Ensure ldap server services are not in use

Disable LDAP server services to prevent directory service attacks

Service: slapd

Manual Setup: Disable service: systemctl disable slapd

Network Configuration

Network Parameters

Ensure IPv6 status is identified

Identify IPv6 configuration status and disable if not needed

File: /etc/sysctl.conf

Manual Setup: Add IPv6 disable entries to sysctl.conf

Network Parameters

Ensure wireless interfaces are disabled

Disable wireless interfaces to prevent unauthorized network access

File: /etc/modprobe.d/blacklist.conf

Manual Setup: Add blacklist entries for wireless modules

Network Parameters

Ensure bluetooth services are not in use

Disable Bluetooth services to prevent unauthorized device connections

Service: bluetooth

Manual Setup: Disable service: systemctl disable bluetooth

Network Parameters

Ensure ip forwarding is disabled

Disable IP forwarding to prevent routing attacks

File: /proc/sys/net/ipv4/ip_forward

Manual Setup: Set value to 0: echo 0 > /proc/sys/net/ipv4/ip_forward

Network Parameters

Ensure packet redirect sending is disabled

Disable packet redirect sending to prevent ICMP redirect attacks

File: /proc/sys/net/ipv4/conf/all/send_redirects

Manual Setup: Set value to 0: echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

Network Parameters

Ensure source routed packets are not accepted

Disable source routed packets to prevent routing attacks

File: /proc/sys/net/ipv4/conf/all/accept_source_route

Manual Setup: Set value to 0: echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

Network Parameters

Ensure tcp syn cookies is enabled

Enable TCP SYN cookies to prevent SYN flood attacks

File: /proc/sys/net/ipv4/tcp_syncookies

Manual Setup: Set value to 1: echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Firewall Configuration

Ensure ufw is installed

Install UFW firewall to provide network security

Package: ufw

Manual Setup: Install package: apt install ufw

Firewall Configuration

Ensure ufw service is enabled

Enable UFW firewall service

Service: ufw

Manual Setup: Enable service: systemctl enable ufw

Firewall Configuration

Ensure ufw loopback traffic is configured

Configure UFW to allow loopback traffic

UFW Rules

Manual Setup: Add rule: ufw allow in on lo

Firewall Configuration

Ensure ufw default deny firewall policy

Set UFW default policy to deny all traffic

UFW Policy

Manual Setup: Set policy: ufw default deny incoming

Firewall Configuration

Ensure ufw firewall rules exist for all open ports

Configure UFW rules for all necessary open ports

UFW Rules

Manual Setup: Add specific rules for required services

Access Control

SSH Configuration

Ensure permissions on /etc/ssh/sshd_config are configured

Set proper permissions on SSH configuration file

File: /etc/ssh/sshd_config

Manual Setup: Set permissions: chmod 600 /etc/ssh/sshd_config

SSH Configuration

Ensure SSH private/public host key files permissions are configured

Set proper permissions on SSH host key files

Directory: /etc/ssh/

Manual Setup: Set permissions: chmod 600 /etc/ssh/ssh_host_*_key

SSH Configuration

Ensure sshd Ciphers are configured securely

Configure secure SSH ciphers in sshd_config

File: /etc/ssh/sshd_config

Manual Setup: Add line: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com

SSH Configuration

Ensure sshd PermitRootLogin is disabled

Disable root login via SSH

File: /etc/ssh/sshd_config

Manual Setup: Set: PermitRootLogin no

SSH Configuration

Ensure sshd MaxAuthTries is configured

Limit SSH authentication attempts

File: /etc/ssh/sshd_config

Manual Setup: Set: MaxAuthTries 3

SSH Configuration

Ensure sshd PermitEmptyPasswords is disabled

Disable empty password authentication

File: /etc/ssh/sshd_config

Manual Setup: Set: PermitEmptyPasswords no

PAM Configuration

Ensure password quality requirements are configured

Configure password quality requirements using libpam-pwquality

File: /etc/security/pwquality.conf

Manual Setup: Configure password complexity requirements

PAM Configuration

Ensure password hashing algorithm is SHA-512

Configure system to use SHA-512 for password hashing

File: /etc/pam.d/common-password

Manual Setup: Configure: password [success=1 default=ignore] pam_unix.so sha512

PAM Configuration

Ensure password reuse is limited

Configure password reuse restrictions

File: /etc/pam.d/common-password

Manual Setup: Add: password required pam_pwhistory.so remember=5

PAM Configuration

Ensure password expiration is configured

Configure password expiration policies

File: /etc/login.defs

Manual Setup: Set: PASS_MAX_DAYS 90 and PASS_MIN_DAYS 7

PAM Configuration

Ensure failed password attempts are logged

Configure logging of failed password attempts

File: /etc/pam.d/common-auth

Manual Setup: Add: auth required pam_tally2.so deny=5 onerr=fail unlock_time=1800

User Account Controls

Ensure root is the only UID 0 account

Verify that only root has UID 0

File: /etc/passwd

Manual Setup: Check: awk -F: '($3 == 0) { print $1 }' /etc/passwd

User Account Controls

Ensure system accounts are non-login

Ensure system accounts cannot be used for login

File: /etc/passwd

Manual Setup: Set shell to /usr/sbin/nologin for system accounts

User Account Controls

Ensure default user shell timeout is configured

Configure shell timeout for inactive sessions

File: /etc/bash.bashrc

Manual Setup: Add: TMOUT=600

User Account Controls

Ensure default user umask is configured

Configure default umask for file permissions

File: /etc/bash.bashrc

Manual Setup: Add: umask 027

User Account Controls

Ensure sudo is configured properly

Configure sudo with proper security settings

File: /etc/sudoers

Manual Setup: Configure sudo timeout and logging

System Hardening

Ensure systemd-timesyncd is configured with authorized timeserver

Configure time synchronization with authorized NTP servers

File: /etc/systemd/timesyncd.conf

Manual Setup: Configure NTP servers: NTP=time.nist.gov

System Hardening

Ensure chrony is configured with authorized timeserver

Configure chrony with authorized NTP servers

File: /etc/chrony/chrony.conf

Manual Setup: Configure server entries with trusted NTP servers

System Hardening

Ensure time synchronization is in use

Enable time synchronization service

Service: systemd-timesyncd

Manual Setup: Enable service: systemctl enable systemd-timesyncd

Linux Parameter Categories Summary

Category	Subcategory	Parameters	Description
Filesystem Configuration	Filesystem Kernel Modules	9	Disable unnecessary filesystem kernel modules
Filesystem Configuration	Filesystem Partitions	7	Configure secure filesystem partitions
Package Management	Bootloader Configuration	2	Secure bootloader configuration
Package Management	Process Hardening	5	Process security hardening measures
Services Configuration	Server Services	12	Disable unnecessary server services
Services Configuration	Client Services	6	Remove unnecessary client services
Services Configuration	Time Synchronization	3	Configure time synchronization services
Network Configuration	Network Parameters	7	Configure secure network parameters
Network Configuration	Firewall Configuration	5	Configure firewall settings
Access Control	SSH Configuration	6	Secure SSH configuration
Access Control	PAM Configuration	5	Configure PAM authentication security
Access Control	User Account Controls	5	Configure user account security
System Hardening	System Hardening	3	Additional system security measures