IT audit server Security Checklist

How to perform IT audit checklist for server security?

IT audit checklist for server security for the auditor of information security.

Sometimes some it auditor fetch the difficulties of server security checklist. Either they miss some important point or they can not remember the bullet points for server security main checklists. For that i have posted here the security checklist for the it auditor in case of linux based operating system specially on NGINX web server. So if you follow the lists and maintain the check points i hope this will fulfill your requirements. Specially for the information security auditor. So hope for the best and i think this will help them a lot.

NGINX Server on Linux OS Security Checklist.

Physical Security:

  1. If machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened.**
  2. Set a BIOS/firmware password. (Maintain String Password PolicyConfigure the device boot order to prevent unauthorized booting from alternate media.) **
  3. Use the latest version of RHEL possible. **

File System Configuration:

  1. Create a separate partition with the nodev, nosuid, and noexec options set for /tmp. **
  2. Create separate partitions for /var, /var/log, /var/log/audit, and /home. **
  3. Bind mount /var/tmp to /tmp.**
  4. Set nodev option to /home.**
  5. Set nodev, nosuid, and noexec options on /dev/shm.**
  6. Set sticky bit on all world-writable directories.**
  7. Encrypted Partition for more data security.**

System Updates:

  1. Register with Red Hat Satellite Server so that the system can receive patch updates. **
  2. Install the Red Hat GPG key and enable gpgcheck.**

Secure Boot Settings:

  1. Set user/group owner to root, and permissions to read and write for root only, on /boot/grub2/grub.cfg. **
  2. Set boot loader password.(Maintain String Password Policy). **
  3. Remove the X Window system. **
  4. Disable X Font Server. **
  5. Check Special Permission and change the Default Permission. **

Process Hardening:

  1. Restrict core dumps. **
  2. Enable Randomized Virtual Memory Region Placement. **

OS Hardening:

  1. Remove legacy services (e.g., telnet-server; rsh, rlogin, rcp; ypserv, ypbind; tftp, tftp-server; talk, talk-server) **
  2. Disable any services and applications started by xinetd or inetd that are not being utilized.
  3. Remove xinetd, if possible. **
  4. Disable legacy services (e.g., chargen-dgram, chargen-stream, daytime-dgram, daytime-stream, echo-dgram, echo-stream, tcpmux-server). **
  5. Disable or remove server services that are not going to be utilized (e.g., FTP, DNS, LDAP, SMB, DHCP, NFS, SNMP, etc.). **
  6. Set Daemon umask. **

Network Security and Firewall Configuration:

  1. Limit connections to services running on the host to authorized users of the service via firewalls and other access control technologies. **
  2. Disable IP forwarding. **
  3. Disable send packet redirects. **
  4. Disable source routed packet acceptance. **
  5. Disable ICMP redirect acceptance. **
  6. Enable Ignore Broadcast Requests. **
  7. Enable Bad Error Message Protection. **
  8. Enable TCP/SYN cookies. **
  9. Configure Iptables and TCPWrappers. **
  10. Turn Off IPv6. **

Remote Administration via SSH:

  1. Set SSH protocol to 2. **
  2. Set SSH LogLevel to INFO. **
  3. Disable SSH Root login. **
  4. Set SSH PermitEmptyPasswords to No. **

System Integrity and Intrusion Detection:

  1. Install and configure AIDE. **
  2. Configure SELinux. **
  3. Install and configure OSSec HIDS. **

Logging:

  1. Configure Network Time Protocol (NTP). **
  2. Enable system accounting (auditd). **
  3. Install and configure rsyslog. **
  4. All administrator or root access must be logged. **
  5. Configure log shipping to separate device/service (e.g. Splunk). **
  6. Configure faillog command to display logging attempt failure. **
  7. Do not allow account with empty password. **
  8. Make Sure No Non-Root Accounts Have UID Set To 0. **
  9. Monitor Suspicious Log Messages WithLogwatch / Logcheck. **

Files/Directory Permissions/Access:

  1. Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested. **

PAM Configuration:

  1. Ensure that the configuration files for PAM, /etc/pam.d/* are secure. **
  2. Upgrade password hashing algorithm to SHA-512. **
  3. Set password creation requirements.**
  4. Restrict root login to system console. **

Port Configuration:

  1. Find Listening Network Ports. **
  2. Disable unnecessary ports. **

Warning Banners:

  1. If network or physical access services are running, ensure the domain warning banner is displayed. **
  2. If the system allows logins via a graphical user interface, ensure the domain warning banner is displayed prior to login. **

Anti-Virus Considerations:

  1. Install and enable anti-virus software. **
  2. Configure to update signature daily on AV. **

Password Policy:

  1. Combination of Alphabet Numeric and Special Character. **
  2. Minimum digit of password length of 12. With minimum 2 character Upper Case. Letter and Two character Lower Case, Two character Numeric value and Two character Special Character. **
  3. Force to change password after a certain period. **
  4. Restrict use the previous password. **

Additional Security Notes:

  1. Systems will provide secure storage for Category-I data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate.
  2. Disable Ctrl+Alt+Delete in Inittab.**

NGINX Hardening:

  1. Nginx shows its name and version in the HTTP headers disable it. **
  2. Configure SSL.
  3. Performing a Security Audit using wapiti
  4. Remove All Unwanted Nginx Modules
  5. Use mod_security
  6. Install SELinux Policy To Harden The Nginx Webserver
  7. Controlling Buffer Overflow Attacks
  8. Stop Image Hotlinking
  9. Directory Restrictions
  10. Password Protect The Directory
  11. Watching Your Logs & Auditing
  12. Disable nginx server_tokens

N.B: ** means If not VPS or if you own the server physically.