Quote - The SELinux policy defines various rules which determine how each domain may access each type. Only what is specifically allowed by the rules is permitted. By default, every operation is denied and audited, meaning it is logged in the $AUDIT_LOG file. In Red Hat Enterprise Linux, this is set to /var/log/messages. The policy is compiled into binary format for loading into the kernel security server, and each time the security server makes a decision, it is cached in the AVC to optimize performance.

More often then not, I notice that organizations are wrapped up in patching for vulnerabilities but not so adamant about system hardening. Items relating to locking down applications through GPO. This would definitely fall under that category.

• Sample code written using PowerShell/Json to address some of the security issues associated with Windows (this is an example that can be pushed out to machines as well, GPOs are more efficient, this will help with one offs)
  

  Write-Host " "
  Write-Host "LSA Registry Entries"
  Write-Host "--------------------"
  Write-Host " "
  
  $lsa = '{"registry":[
      {"Entry":"auditbaseobjects", "Value":"1", "Type":"Dword"},
      {"Entry":"auditbasedirectories", "Value":"1", "Type":"Dword"},
      {"Entry":"LmCompatibilityLevel", "Value":"4", "Type":"Dword"},
      {"Entry":"restrictanonymous", "Value":"1", "Type":"Dword"},
      {"Entry":"restrictanonymoussam", "Value":"1", "Type":"Dword"},
      {"Entry":"LimitBlankPasswordUse", "Value":"1", "Type":"Dword"},
      {"Entry":"SecureBoot", "Value":"1", "Type":"Dword"}
  ]}'
  
  $path = "HKLM:\System\CurrentControlSet\Control\Lsa"
  $regobj = ConvertFrom-Json -InputObject $lsa
  $regobjects = $regobj.registry
  
  foreach ( $i in $regobjects ) {
      $val = Get-ItemPropertyValue -Path $path -Name $i.Entry -ErrorAction SilentlyContinue
      if ( (Test-Path $path) -and ($i.Value -eq $val ) ) {
          Write-Host $i.Entry "registry value - ok"
      } else {
          #New-Item -path $path -Name $i.Entry -Value $i.Value -Type Dword
          $chg = Set-ItemProperty -Path $path -Name $i.Entry -Value $i.Value -Type $i.Type -Force
          $names = Get-ItemPropertyValue -Path $path -Name $i.Entry
          Write-Host $i.Entry "modified registry entry: " $names
      }
  }

• Libre Office needs to be reviewed to see if the same vulnerabilities exist (when editing an excel spreadsheet)
• Remove unused accounts (Windows & Linux)
• Configure SELinux policies to check filesystem and executables (binaries)
• Configure iptables and chains, ufw helps with this process
• Encrypt /home/* folders and other necessary files
• Enable IPv6 to be the primary protocol used over the Internet (IPSec VPN AES256)
• Use logwatch to view the logs on the system and send notifications daily or weekly
• Email - use pgp as part of the email security solution - https://bit.ly/2LoOxta
• Create PEM keys to allow for secured access to ssh with authorized _keys file
• Reduce the number of running applications, uninstall unnecessary applications
• Create a gold-standard of the OS where Puppet/Chef/Satellite Server can help with the updates
• Configure crontab to schedule updates to the system
• Implement NMS & Security system to monitor the internal workings and log files
• Install chkrootkit & rkhunter trojan tools
• Ensure continuous monitoring tools are running to address any cyber-shortcomings
• Enable SIEM, ML, AV, and training to thwart potential threats or vulnerabilities