CKS Exam Book - System Hardening - Chapter 4
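######################################
######### DISABLING SERVICES #########
######################################
# Notes for the CKS "System Hardening" chapter. These are interactive commands
# meant to be run one at a time on a node, not as a script: several of them
# (su, ufw enable, apt purge) prompt, or change the current login session.

# view running services (filtering on the unit state, not on free text)
systemctl list-units --type=service --state=running
# view state of snapd service
systemctl status snapd
# stop the snapd service
sudo systemctl stop snapd
# disable the service so it does not start again at boot
sudo systemctl disable snapd
# view the status - should be disabled now
systemctl status snapd
# purge the package, as it is no longer needed (smaller attack surface)
sudo apt purge --auto-remove snapd
# check that the package was purged
systemctl status snapd
########################################
########### USER MANAGEMENT ############
########################################
# list users on system
cat /etc/passwd
# shells started by each user; the [b] pattern keeps grep from matching itself
ps aux | grep '[b]ash'
# add user (prompts for a password and account details)
sudo adduser ben
# list user entry ben
grep '^ben:' /etc/passwd
# switch to user ben (keeps the current environment)
su ben
# login shell for ben: loads ben's own environment and home directory
su - ben
# run a single command as user ben (sudo -u targets that user, not root)
sudo -u ben pwd
# list groups
cat /etc/group
# add group
sudo groupadd kube-developers
# see new group added
cat /etc/group
# make kube-developers the primary group of ben
# (-g replaces the primary group; use -aG to append a supplementary group instead)
sudo usermod -g kube-developers ben
# view group identifier (GID field of the passwd entry; `id ben` shows it by name)
grep '^ben:' /etc/passwd
# reassign ben's primary group before deleting kube-developers: groupdel refuses
# to remove a group that is still some user's primary group, so the target
# group has to exist first
sudo groupadd kube-admins
sudo usermod -g kube-admins ben
# delete group
sudo groupdel kube-developers
########################################
########### FILE MANAGEMENT ############
########################################
# create a file
touch my-file
# view the file permissions
ls -l my-file
# change ownership of file (only root may give a file away to another user)
sudo chown ben my-file
# remove write permission from the file
chmod -w my-file
# clean up: delete user ben (-r also removes the home directory and mail spool);
# done after the group and file steps so ben still exists for them. Files
# outside the home directory stay owned by the now-unused UID (my-file above);
# `find / -nouser` lists such orphaned files
sudo userdel -r ben
#####################################
######## NETWORK MANAGEMENT #########
#####################################
# install package
sudo apt update && sudo apt install apache2
# list listening TCP ports with the owning process
sudo ss -ltpn
# apache status
sudo systemctl status apache2
# stop the apache service
sudo systemctl stop apache2
# disable the apache service
sudo systemctl disable apache2
# uninstall the service
sudo apt purge --auto-remove apache2
# check port 80 not in use (trailing space so :8080 etc. do not match)
sudo ss -ltpn | grep ':80 '
# enable firewall: allow ssh BEFORE enabling, or the remote session is cut off
sudo ufw allow ssh
# deny-by-default in both directions; denying outgoing also blocks DNS and apt,
# so add the outgoing rules the node needs before relying on package installs
sudo ufw default deny outgoing
sudo ufw default deny incoming
sudo ufw enable
# allow 6443 for the K8s API server (TCP only)
sudo ufw allow 6443/tcp
# repeat the same process to open up other ports on control plane and worker nodes
##################################
####### KERNEL HARDENING #########
##################################
# install the apparmor userspace tools (aa-status, aa-complain, ...)
sudo apt-get update && sudo apt-get install apparmor-utils
# summary of apparmor profiles: mode (enforce/complain) and confined processes
sudo aa-status
# load a profile on the worker node (the profile file must exist there;
# add -r to replace a profile that is already loaded)
sudo apparmor_parser /etc/apparmor.d/k8s-deny-write
# check that profile was loaded
sudo aa-status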