|
9 | 9 | ## Reporting a Vulnerability |
10 | 10 |
|
11 | 11 | Please do not report a vulnerability via Github issues. Any vulnerability shall be reported by emailing to Pana.Yang@hotmail.com or via our official website security reporting section (under construction). |
| 12 | + |
| 13 | +## Developer Security Standards (Mandatory for Organization Members and Recommended for Contributors) |
| 14 | + |
| 15 | +### **I. Authorized Operating Environment** |
| 16 | + |
| 17 | +* **Recommended OS:** Fedora KDE Plasma Desktop |
| 18 | +* **Disk Encryption:** LUKS (Linux Unified Key Setup) **must** be enabled by default during installation. |
| 19 | + |
| 20 | +### **II. Mandatory Security Suite** |
| 21 | + |
| 22 | +To ensure system integrity and real-time threat detection, the following tools must be installed and configured: |
| 23 | + |
| 24 | +* **Endpoint Monitoring:** Wazuh-agent |
| 25 | +* **Hardening & Auditing:** SELinux (set to `Enforcing`), firewalld, Lynis |
| 26 | +* **Threat Scanning:** ClamAV, rkhunter, chkrootkit |
| 27 | +* **System Integrity:** AIDE (Advanced Intrusion Detection Environment), unhide |
| 28 | +* **Network Scanning:** Daily Nmap scan of the local network (e.g., `192.168.1.0/24`) |
| 29 | +* **Security Server:** Wazuh-server (includes Wazuh-dashboard, Wazuh-manager and Wazuh-indexer), Greenbone Community Edition |
| 30 | + |
| 31 | +### **III. Identity & Access Management** |
| 32 | + |
| 33 | +* **2FA Requirement:** Hardware-based authentication via **YubiKey** is mandatory for all organizational accounts and SSH access. |
| 34 | + |
| 35 | +--- |
| 36 | + |
| 37 | +### Appendix |
| 38 | + |
| 39 | +```text |
| 40 | +# sysctl settings are defined through files in |
| 41 | +# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/. |
| 42 | +# |
| 43 | +# Vendors settings live in /usr/lib/sysctl.d/. |
| 44 | +# To override a whole file, create a new file with the same in |
| 45 | +# /etc/sysctl.d/ and put new settings there. To override |
| 46 | +# only specific settings, add a file with a lexically later |
| 47 | +# name in /etc/sysctl.d/ and put new settings there. |
| 48 | +# |
| 49 | +# For more information, see sysctl.conf(5) and sysctl.d(5). |
| 50 | +
|
| 51 | +# --- A. Network Hardening --- |
| 52 | +
|
| 53 | +# Protect against IP spoofing (source validation) |
| 54 | +net.ipv4.conf.all.rp_filter = 1 |
| 55 | +net.ipv4.conf.default.rp_filter = 1 |
| 56 | +
|
| 57 | +# Ignore ICMP broadcast requests to avoid being part of Smurf attacks |
| 58 | +net.ipv4.icmp_echo_ignore_broadcasts = 1 |
| 59 | +
|
| 60 | +# Ignore bad ICMP errors (prevents some types of attacks) |
| 61 | +net.ipv4.icmp_ignore_bogus_error_responses = 1 |
| 62 | +
|
| 63 | +# Disable IP source routing (usually unnecessary and exploitable) |
| 64 | +net.ipv4.conf.all.accept_source_route = 0 |
| 65 | +net.ipv4.conf.default.accept_source_route = 0 |
| 66 | +
|
| 67 | +# Disable secure ICMP redirects |
| 68 | +net.ipv4.conf.all.secure_redirects = 0 |
| 69 | +net.ipv4.conf.default.secure_redirects = 0 |
| 70 | +
|
| 71 | +# Log spoofed packets, source routed packets, and redirects |
| 72 | +net.ipv4.conf.all.log_martians = 1 |
| 73 | +
|
| 74 | +# Protection against SYN flood attacks (enables SYN cookies) |
| 75 | +net.ipv4.tcp_syncookies = 1 |
| 76 | +
|
| 77 | +# Increase the maximum number of connections waiting for acceptance |
| 78 | +net.core.somaxconn = 4096 |
| 79 | +net.core.netdev_max_backlog = 5000 |
| 80 | +
|
| 81 | +# --- B. Filesystem / Permission Hardening --- |
| 82 | +
|
| 83 | +# Disable magic SysRq key (unless you need it for emergency debugging) |
| 84 | +kernel.sysrq = 0 |
| 85 | +
|
| 86 | +# Enable restriction of link/symlink traversal (to prevent user links in world-writable dirs) |
| 87 | +fs.protected_hardlinks = 1 |
| 88 | +fs.protected_symlinks = 1 |
| 89 | +
|
| 90 | +# Restrict the permissions of dmesg to non-root users (hiding kernel messages from attackers) |
| 91 | +kernel.dmesg_restrict = 1 |
| 92 | +
|
| 93 | +# Restrict unprivileged users from using the bpf() system call |
| 94 | +kernel.unprivileged_bpf_disabled = 1 |
| 95 | +
|
| 96 | +# Randomize the virtual address space layout (ASLR) - Default is usually 2, ensure it's on |
| 97 | +kernel.randomize_va_space = 2 |
| 98 | +
|
| 99 | +# --- C. Resource and Memory Hardening --- |
| 100 | +
|
| 101 | +# Prevent non-root users from writing to /proc/sys/vm/* |
| 102 | +kernel.yama.protected_sysctl = 1 |
| 103 | +
|
| 104 | +# Restrict the dumping of memory (core dumps) |
| 105 | +fs.suid_dumpable = 0 |
| 106 | +
|
| 107 | +# Controls memory allocation behavior - often set to 1 or 2. |
| 108 | +# A value of 2 ensures no overcommit, helping prevent stability issues when memory runs out. |
| 109 | +vm.overcommit_memory = 1 |
| 110 | +vm.max_map_count=262144 |
| 111 | +
|
| 112 | +# Restrict non-root user create too many User Namespace |
| 113 | +user.max_user_namespaces = 10000 |
| 114 | +
|
| 115 | +# ---D. Yama Settings --- |
| 116 | +
|
| 117 | +# Restrict ptrace to only ancestor processes (prevents snooping) |
| 118 | +kernel.yama.ptrace_scope = 1 |
| 119 | +``` |
| 120 | + |
| 121 | +```text |
| 122 | +0 2 * * * /usr/bin/freshclam --quiet |
| 123 | +5 2 * * * /usr/bin/flock -n /tmp/clamscan.lock /usr/bin/nice -n 19 /usr/bin/ionice -c 3 /usr/bin/clamdscan --multiscan --fdpass --quiet / >> /var/log/clamav-scan-$(date +\%Y\%m\%d).log |
| 124 | +10 2 * * * /usr/sbin/chkrootkit >> /var/log/chkrootkit-scan-$(date +\%Y\%m\%d).log |
| 125 | +15 2 * * * /usr/bin/aide --check |
| 126 | +0 3 1 * * /usr/bin/logger "REMINDER: Run 'aide --update' after a system upgrade to maintain database integrity." |
| 127 | +20 2 * * * /usr/sbin/unhide proc tcp udp sys >> /var/log/unhide-scan-$(date +\%Y\%m\%d).log 2>&1 |
| 128 | +40 2 * * * /usr/bin/lynis --cronjob --quiet >> /var/log/lynis-report-$(date +\%Y\%m\%d).log |
| 129 | +50 2 * * * /usr/bin/rkhunter --cronjob --rwo >> /var/log/rkhunter-scan-$(date +\%Y\%m\%d).log |
| 130 | +0 4 * * * /usr/local/bin/daily_nmap_scan.sh >/dev/null 2>&1 |
| 131 | +``` |
| 132 | + |
| 133 | +```shell |
| 134 | +#!/bin/bash |
| 135 | + |
| 136 | +# Define variables |
| 137 | +TIMESTAMP=$(date +"%Y-%m-%d") |
| 138 | +SCAN_DIR="/var/log/nmap_scans" |
| 139 | +TARGET_SPEC="192.168.1.0/24" |
| 140 | + |
| 141 | +# Create the log directory if it doesn't exist |
| 142 | +mkdir -p $SCAN_DIR |
| 143 | + |
| 144 | +# Run the Nmap scan |
| 145 | +/usr/bin/nmap -A -T4 $TARGET_SPEC -oN $SCAN_DIR/nmap_scan_$TIMESTAMP.txt |
| 146 | +``` |
0 commit comments