This repository was archived by the owner on Oct 1, 2022. It is now read-only.

hardening security

Craig-M edited this page Aug 5, 2018 · 1 revision

hardening

Hide other users' processes

$ sudo mount -o remount,rw,hidepid=2 /proc

To make it permanent, add this to /etc/fstab (gid= names a group whose members can still see all processes):

proc  /proc proc  defaults,hidepid=2,gid=1001  0 0

Notes: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0499680a42141d86417a8fbaa8c8db806bea1201

Set immutable files:

$ sudo chattr +i /etc/services

setuid files?

$ sudo find / -user root -perm -4000 -exec ls -ldb {} \;

Fix homedir perms

$ chmod 700 /home/pi/

Most files on Raspbian by default are world readable.
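
To confirm that the settings above are actually in effect after a reboot, a small audit script can check them. This is an added example, not part of the original wiki; the function names and the `audit` argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit helpers for the hardening steps on this page.

# Print the hidepid value of the proc entry in a mounts-format file
# (/proc/mounts or /etc/fstab); print nothing when the option is absent.
proc_hidepid() {
    awk '$1 !~ /^#/ && $2 == "/proc" && $3 == "proc" {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++)
                 if (opt[i] ~ /^hidepid=/) v = substr(opt[i], 9)
         }
         END { if (v != "") print v }' "$1"
}

# Succeed when hidepid is 2; newer kernels report the same level as "invisible".
hidepid_ok() {
    case "$(proc_hidepid "$1" 2>/dev/null)" in
        2|invisible) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when the directory grants nothing to group or other (e.g. mode 700).
private_dir() {
    [ -d "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeed when the immutable (i) attribute is set; needs lsattr from e2fsprogs.
is_immutable() {
    lsattr -d "$1" 2>/dev/null | awk '{ print $1 }' | grep -q i
}

# Print PASS or FAIL for one named check.
report() {
    name=$1; shift
    if "$@"; then echo "PASS  $name"; else echo "FAIL  $name"; fi
}

# Full report only when called with the argument "audit".
if [ "${1:-}" = "audit" ]; then
    report "hidepid=2 active on /proc"    hidepid_ok /proc/mounts
    report "hidepid=2 persisted in fstab" hidepid_ok /etc/fstab
    report "/etc/services is immutable"   is_immutable /etc/services
    report "/home/pi is mode 700 or less" private_dir /home/pi
fi
```

Checking both /proc/mounts and /etc/fstab catches the case where the remount was done by hand but never persisted.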

services

The dhcp-client daemon runs as root. Could move to static configs in /etc/network/interfaces.d/

to do

  • remove the 'pi' user account - currently expect this user to exist.
  • add passwords to sudo on all systems (or enable login as root from deployer only).