Original URL: https://trevorsmale.github.io/techblog/post/psc2/
Intro π
This week covers more implementation of Secure Technical Implementation Guidelines and we look at LDAP (Light Directory Access Protocol) Installation and Setup. This unit also introduces foundational knowledge on analyzing, configuring, and hardening networking components using tools and frameworks like STIGs, OpenSCAP, and DNS configurations.
Discussion Post 1
Preface
There are 401 stigs for RHEL 9. If you filter in your stig viewer for sysctl there are 33 (mostly network focused), ssh - 39, and network - 58. Now there are some overlaps between those, but review them and answer these questions
Question 1. As systems engineers why are we focused on protecting the network portion of our
server builds?
Answer
- Most attacks come through the network
- Misconfigured services can expose critical ports.
- Data in transit is vulnerable without proper encryption and access control.
- External exposure often increases the attack surface for things like brute-force attempts, malware injection, or unauthorized access.
Question 2. Why is it important to understand all the possible ingress points to our servers that
exist?
Answer
- Ingress points = potential paths of attack. Unexpected ingress can be exploited.
- Zero-trust environments rely on strict control and observability of ingress.
- Compliance and auditing require accurate records of whatβs accessible.
Question 3. Why is it so important to understand the behaviors of processes that are
connecting on those ingress points?
Answer
- Security posture depends on visibility
- Attackers scan for overlooked vulnerabilities
- Automation tools (e.g., Ansible, Terraform) can introduce new ingress points unknowingly during updates.
- Incident response is much faster and more effective when engineers understand the network surface.
Discussion Post 2
Intro to the scenario[^3]
Read this: https://ciq.com/blog/demystifying-and- troubleshooting-name-resolution-in-rocky-linux/ or similar blogs on DNS and host file configurations.
Question
- What is the significance of the nsswitch.conf file?
Answer
The /etc/nsswitch.conf file controls the order in which name resolution methods are use
Question
- What are security problems associated with DNS and common exploits? (May have to look into some more blogs or posts for this)
Answer
Core issues with DNS:
Traditional DNS can be spoofed due to a lack of built in verification., Queries and Responses are sent in plaintext making confidentiality an issue., No way to validate the source of the DNS data., Centralized, single point of failure.,
Common Exploits:
Spoofing (False record injection), Flooding (Overwhelming the resolver), Tunneling (Query based Exfiltration), Hijacking (Modifying domain registration data), Typosquatting (Registering similar domains) New phrase for me
Definitions
sysctlLinux interface to modify kernel parameters at runtime for system performance and security.nsswitch.confConfiguration file controlling the order of name service lookups (e.g., DNS, files, LDAP).DNS: Domain Name Systemtranslates human-readable domain names into IP addresses.OpenscapOpen-source framework for automated vulnerability scanning, compliance checking, and security auditing.CIS BenchmarksPrescriptive security configuration guidelines provided by the Center for Internet Security.ss/netstatCommand-line tools to display network sockets, connections, and statistics on Unix-like systems.tcpdumpCommand-line packet analyzer for capturing and inspecting network traffic in real-time.ngrepNetwork packet analyzer like grep, allowing pattern matching on network traffic payloads.
Lab π§ͺ
IP Forwarding
Question
- Does this system appear to be set to forward? Why or why not?
Answer
- No. All relevant
net.ipv4.conf.*.forwardingandnet.ipv4.ip_forwardvalues are set to0.
Martians
Question
- What are martians and is this system allowing them?
Answer
- Martians are packets with invalid or bogus source/destination addresses. This system is not logging them (
log_martians = 0), but whether theyβre allowed depends on other rules. Logging is disabled.
Kernel Panic Behavior
Question
- How does this system handle kernel panics?
Answer
kernel.panic = 0means the system wonβt auto-reboot on panic.panic_on_oops = 1indicates it will panic on kernel oops errors. Other panic triggers are mostly disabled.
FIPS Mode
Question
- Is FIPS mode enabled?
Answer
- No.
crypto.fips_enabled = 0.
Question
- What should be read about to better understand FIPS?
Answer
- TODO
Kernel Command Line
Question
- What are the active boot parameters from
/proc/cmdline?
Answer
- TODO (values include initrd paths, UUIDs, FIPS status not explicitly shown).
Security Settings & STIGs
V-257957 β TCP Syncookies
Question
- Is the system using TCP syncookies?
Answer
- Yes.
net.ipv4.tcp_syncookies = 1.
Question
- How to make this setting persistent?
Answer
- Add
net.ipv4.tcp_syncookies = 1to a file in/etc/sysctl.d/, then runsysctl --system.
V-257958 β ICMP Redirects
Question
- Is the system accepting ICMP redirect messages?
Answer
- No.
net.ipv4.conf.all.accept_redirects = 0
Question
- How to harden this?
Answer
- Add
net.ipv4.conf.all.accept_redirects = 0to/etc/sysctl.d/, then reload settings withsysctl --system.
Question
- Did you fully understand all parameter meanings?
Answer
- No. Some were clarified using ChatGPT.
ProLUG Links βοΈ
Discord: https://discord.com/invite/m6VPPD9usw Youtube: https://www.youtube.com/@het_tanis8213 Twitch: https://www.twitch.tv/het_tanis ProLUG PSC Repo: https://github.com/ProfessionalLinuxUsersGroup/psc ProLUG PSC Book: https://professionallinuxusersgroup.github.io/psc/ ProLUG Book of Labs: https://leanpub.com/theprolugbigbookoflabs KillerCoda: https://killercoda.com/het-tanis