Hardening Tips for the Red Hat Enterprise Linux 5
NSA brochure with tips for enhancing security in Red Hat Enterprise Linux 5.
Published by: Capital City Goofball on Apr 30, 2009
Copyright: Attribution Non-commercial

Te ollowing tips assume that the reader is starting witha deault installation o Red Hat Enterprise Linux 5. Tishigh-impact guidance can be applied quickly, but is by nomeans complete. For more complete guidance, please seeour other publication, “Guide to the Secure Congurationo Red Hat Enterprise Linux 5,” which can be oundonline athttp://www.nsa.gov . Tese tips may or may nottranslate graceully or other Linux distributions or modiedinstallations o RHEL.
General Principles
Encrypting authentication information (such as passwords) is particularly important.
Use security-enhancing software and tools whenever available (e.g., SELinux and Iptables).
one service could lead to a compromise of others.
and enforce its use. Delete unused user accounts.
Send logs to a dedicated log server. This prevents intruders from easily avoiding detection by modifying the local logs.
Never log in directly as root, unless absolutely necessary. Administrators should use sudo to execute commands as root when required. The accounts capable of using sudo are specified in the sudoers file, which is edited with a dedicated utility rather than directly. By default, the relevant log entries are written to the system log files.
Disk Partitions and Mounting
During initial installation, ensure that filesystems with user-writeable directories such as the following are mounted on separate partitions:
. During system configuration, change mount options in the filesystem mount table to limit user access on appropriate filesystems. The defaults option is equal to rw,suid,dev,exec,auto,nouser,async. Using noexec instead prevents execution of binaries on a file system (though it will not prevent scripts from running). Using nosuid will prevent the setuid bit from having effect. The nodev option prevents use of device files on the filesystem.
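To check that the options just described are actually present on a mount point, here is an added shell example that is not part of the NSA brochure. It reads text in the standard /etc/fstab layout (an assumption) and reports which of the wanted options an entry lacks; the fstab content and the function name are constructed for this example.

```shell
#!/bin/sh
# Added example: audit fstab entries for the noexec/nosuid/nodev options discussed above.
# Constructed sample in /etc/fstab layout (device, mountpoint, type, options, dump, pass).
SAMPLE_FSTAB='LABEL=/      /         ext3  defaults                       1 1
LABEL=/home  /home     ext3  defaults                       1 2
LABEL=/tmp   /tmp      ext3  defaults,nodev,nosuid,noexec   1 2
LABEL=/var   /var      ext3  defaults,nodev                 1 2'

# missing_opts "<fstab text>" <mountpoint> <wanted options, comma separated>
# Prints the wanted options the entry lacks (space separated, empty when compliant).
# Returns 0 when compliant, 1 when options are missing, 2 when there is no entry.
missing_opts() {
  fstab=$1; mnt=$2; want=$3
  entry=$(printf '%s\n' "$fstab" | awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print; exit }')
  if [ -z "$entry" ]; then
    echo "no fstab entry for $mnt"
    return 2
  fi
  opts=$(printf '%s\n' "$entry" | awk '{ print $4 }')
  missing=""
  for o in $(printf '%s\n' "$want" | tr ',' ' '); do
    # Match the option as a whole item of the comma separated list, so that
    # "dev" does not match "nodev" and "exec" does not match "noexec".
    case ",$opts," in
      *,"$o",*) ;;
      *) missing="$missing $o" ;;
    esac
  done
  printf '%s\n' "${missing# }"
  [ -z "$missing" ]
}

# Example run on the constructed table: /tmp is compliant, /home lacks all three.
for m in /home /tmp /var; do
  printf '%s: %s\n' "$m" "$(missing_opts "$SAMPLE_FSTAB" "$m" nodev,nosuid,noexec)"
done
```

On a live system, pass the contents of /etc/fstab as the first argument instead of the constructed table.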
Physical Security
Congure the BIOS to disable booting rom CDs/DVDs,foppies, and external devices, and set a password to protectthese settings.Next, set a password or the GRUB bootloader. Generate apassword hash using the command
. Add the hash to the rst line o 
as ollows:
password --md5
Tis prevents users rom entering single user mode orchanging settings at boot time.
Keep Software Up to Date
Either download updates manually through the Red Hat Network (http://rhn.redhat.com) or register each system with RHN to apply updates automatically. Security updates should be applied as soon as possible.
The default version of yum-updatesd does not function reliably. A better solution is to apply updates through a cron job. First, disable the service with:
/sbin/chkconfig yum-updatesd off
Second, create a short shell script, make it executable, place it in a cron directory, and ensure that it reads as follows:
#!/bin/sh
# Update yum itself first, then everything else. -R waits a random number of
# minutes (up to the value given) before starting, so that many systems do not
# contact RHN at once; -e 0 and -d 0 silence error and debug output; -y answers
# yes to prompts so the job runs unattended.
/usr/bin/yum -R 120 -e 0 -d 0 -y update yum
/usr/bin/yum -R 10 -e 0 -d 0 -y update
Disable Unnecessary Services
To list the services configured to start at boot, run the following command:
/sbin/chkconfig --list
Find the column for the current run level to see which services are enabled. The default run level is 5. To disable a service, run /sbin/chkconfig with the service name followed by off, as shown above for yum-updatesd.
Unless they are required, disable the following:
anacron          haldaemon        messagebus
apmd             hidd             microcode_ctl
autofs           hplip*           pcscd
avahi-daemon*    isdn             readahead_early
bluetooth        kdump            readahead_later
cups*            kudzu            rhnsd*
                 mcstrans         setroubleshoot
gpm              mdmonitor        xfs
Items marked with a * are network services. It is particularly important to disable these. Additionally, the NFS client services can be safely disabled if NFS is not in use. Some software relies on those services, so care should be taken when disabling them. Changes will take effect after a reboot.
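Checking the list above against a running system by eye is error-prone, so here is an added shell example (not from the brochure) that parses /sbin/chkconfig --list output and prints the services from that list which are still enabled at a given run level. The listing below is constructed, and the function and variable names are mine.

```shell
#!/bin/sh
# Added example: find services from the brochure's disable list that are still on at a run level.
# DISABLE_LIST is the brochure's table (network services that the text marks with * included).
DISABLE_LIST='anacron apmd autofs avahi-daemon bluetooth cups gpm haldaemon hidd hplip isdn
kdump kudzu mcstrans mdmonitor messagebus microcode_ctl pcscd readahead_early readahead_later
rhnsd setroubleshoot xfs'

# Constructed sample of /sbin/chkconfig --list output (sshd is not in the list and is ignored).
SAMPLE_CHKCONFIG='anacron         0:off 1:off 2:on  3:on  4:on  5:on  6:off
avahi-daemon    0:off 1:off 2:off 3:on  4:on  5:on  6:off
bluetooth       0:off 1:off 2:off 3:off 4:off 5:off 6:off
cups            0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off'

# enabled_from_list "<chkconfig --list text>" <runlevel>
# Prints, one per line, the listed services whose "<runlevel>:on" field is set.
enabled_from_list() {
  printf '%s\n' "$1" | awk -v lvl="$2" -v names="$DISABLE_LIST" '
    # split on whitespace (a single-space separator also splits on newlines)
    BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    ($1 in want) {
      for (i = 2; i <= NF; i++)
        if ($i == lvl ":on") { print $1; break }
    }'
}

# Example run on the constructed listing at the default run level 5.
enabled_from_list "$SAMPLE_CHKCONFIG" 5
# On a live RHEL 5 system: enabled_from_list "$(/sbin/chkconfig --list)" 5
```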
Disable SUID and SGID Binaries
o nd SUID and SGID les on the system, use the ollowingcommand:
find / \( -perm -4000 -o -perm -2000 \) -print
Te ollowing les can have their SUID or SGID bits saely disabled (using
chmod -s
) unless required or thepurpose listed in the second column:
File: Required For:/bin/ping6 IPv6/sbin/mount.nfs NFS/sbin/mount.nfs4 NFS/sbin/netreport network control/sbin/umount.nfs NFS/sbin/umount.nfs4 NFS/usr/bin/chage passwd/usr/bin/chfn account info/usr/bin/chsh account info/usr/bin/crontab cron
Procmail/usr/bin/rcp rsh/usr/bin/rlogin rsh/usr/bin/rsh rsh/usr/bin/wall console messaging/usr/bin/write console messaging/usr/bin/Xorg Xorg/usr/kerberos/bin/ksu Kerberos/usr/libexec/openssh/ssh-keysignSSH host-basedauthentication/usr/lib/vte/gnome-pty-helper Gnome, Xorg/usr/sbin/ccreds_validate Pam auth caching/usr/sbin/suexec Apache, CGI/usr/sbin/userisdnctl ISDN/usr/sbin/usernetctl network control
rpm -qf
. I the package is not necessary, removeit with
rpm -e
. Precise control over thepackages installed during initial system installation can beachieved using a Kickstart le.
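Here is an added shell example (not from the brochure) that takes the output of the find command above and splits it into files that appear in the table (candidates for chmod -s) and files that do not (which need their own justification for carrying a setid bit). The find output below is constructed, and the function and variable names are mine.

```shell
#!/bin/sh
# Added example: classify find output against the brochure's SUID/SGID table.
# KNOWN_SETID is the File column of the table above.
KNOWN_SETID='/bin/ping6 /sbin/mount.nfs /sbin/mount.nfs4 /sbin/netreport /sbin/umount.nfs
/sbin/umount.nfs4 /usr/bin/chage /usr/bin/chfn /usr/bin/chsh /usr/bin/crontab /usr/bin/rcp
/usr/bin/rlogin /usr/bin/rsh /usr/bin/wall /usr/bin/write /usr/bin/Xorg /usr/kerberos/bin/ksu
/usr/libexec/openssh/ssh-keysign /usr/lib/vte/gnome-pty-helper /usr/sbin/ccreds_validate
/usr/sbin/suexec /usr/sbin/userisdnctl /usr/sbin/usernetctl'

# Constructed sample of: find / \( -perm -4000 -o -perm -2000 \) -print
SAMPLE_FIND='/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/rsh
/opt/vendor/bin/helper'

# classify_setid "<find output>"
# Prints "candidate: <path>" for files in the table (chmod -s unless the listed purpose
# is needed) and "review: <path>" for every other setid file found.
classify_setid() {
  printf '%s\n' "$1" | awk -v names="$KNOWN_SETID" '
    BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
    NF {
      tag = ($0 in known) ? "candidate" : "review"
      print tag ": " $0
    }'
}

classify_setid "$SAMPLE_FIND"
# On a live system, feed real find output and look up each candidate with rpm -qf <path>
# before choosing between chmod -s and removing the owning package with rpm -e.
```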
