Hardening Tips for the Red Hat Enterprise Linux 5
NSA brochure with tips for enhancing security in Red Hat Enterprise Linux 5.
Published by: Capital City Goofball on Apr 30, 2009
Copyright: Attribution Non-commercial

Te ollowing tips assume that the reader is starting witha deault installation o Red Hat Enterprise Linux 5. Tishigh-impact guidance can be applied quickly, but is by nomeans complete. For more complete guidance, please seeour other publication, “Guide to the Secure Congurationo Red Hat Enterprise Linux 5,” which can be oundonline athttp://www.nsa.gov . Tese tips may or may nottranslate graceully or other Linux distributions or modiedinstallations o RHEL.
General Principles
•Encryptalldatatransmittedoverthenetwork.
Encrypting authentication inormation (such aspasswords) is particularly important.
•Minimizetheamountofsoftwareinstalledandrunninginordertominimizevulnerability.
Use security-enhancing sotware and tools whenever
•
available (e.g., SELinux and Iptables).
•Runeachnetworkserviceonaseparateserverwheneverpossible.isminimizestheriskthatacompromiseof
one service could lead to a compromise o others.
•Maintainuseraccounts.Createagoodpasswordpolicy
and enorce its use. Delete unused user accounts.
•Reviewsystemandapplicationlogsonaroutinebasis.
Send logs to a dedicated log server. Tis preventsintruders rom easily avoiding detection by modiyingthe local logs.Never log in directly as root, unless absolutely necessary.
•
 Administrators should use
sudo
to execute commands asroot when required. Te accounts capable o using sudoare specied in
/etc/sudoers
, which is edited with the
visudo
utility. By deault, relevant logs are written to
/var/log/secure
.
Disk Partitions and Mounting
During initial installation, ensure that filesystems with user-writeable directories such as the following are mounted on separate partitions: /home, /tmp, /var/tmp. During system configuration, change mount options in /etc/fstab to limit user access on appropriate filesystems. The defaults option is equal to
rw,suid,dev,exec,auto,nouser,async
Using noexec instead prevents execution of binaries on a file system (though it will not prevent scripts from running). Using nosuid will prevent the setuid bit from having effect. The nodev option prevents use of device files on the filesystem.
Physical Security
Congure the BIOS to disable booting rom CDs/DVDs,foppies, and external devices, and set a password to protectthese settings.Next, set a password or the GRUB bootloader. Generate apassword hash using the command
/sbin/grub-md5-crypt
. Add the hash to the rst line o 
/etc/grub.conf
as ollows:
password --md5
 passwordhash
Tis prevents users rom entering single user mode orchanging settings at boot time.
Keep Software Up to Date
Either download updates manually through the Red Hat Network (http://rhn.redhat.com) or register each system with RHN to apply updates automatically. Security updates should be applied as soon as possible. The default version of yum-updatesd does not function reliably. A better solution is to apply updates through a cron job. First, disable the service with:
/sbin/chkconfig yum-updatesd off
Second, create the file yum.cron, make it executable, place it in /etc/cron.daily or /etc/cron.weekly, and ensure that it reads as follows:
#!/bin/sh
# Update yum itself first, after a random delay of up to 120 minutes,
# then everything else (-e 0 -d 0: quiet; -y: do not prompt).
/usr/bin/yum -R 120 -e 0 -d 0 -y update yum
/usr/bin/yum -R 10 -e 0 -d 0 -y update
Disable Unnecessary Services
To list the services configured to start at boot, run the following command:
/sbin/chkconfig --list
Find the column for the current run level to see which services are enabled. The default run level is 5. To disable a service, run the following command:
/sbin/chkconfig servicename off
Unless they are required, disable the following:
anacron        haldaemon      messagebus
apmd           hidd           microcode_ctl
autofs         hplip*         pcscd
avahi-daemon*  isdn           readahead_early
bluetooth      kdump          readahead_later
cups*          kudzu          rhnsd*
firstboot      mcstrans       setroubleshoot
gpm            mdmonitor      xfs
Items marked with a * are network services. It is particularly important to disable these. Additionally, the following services can be safely disabled if NFS is not in use: netfs, nfslock, portmap, rpcgssd, and rpcidmapd. Some software relies on haldaemon and messagebus, so care should be taken when disabling them. Changes will take effect after a reboot.
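As an added example that is not part of the brochure, the following script reads saved chkconfig --list output and reports which of the services in the list above are still enabled in a given run level, marking the network services. The sample output is constructed; on a real system, save /sbin/chkconfig --list to a file and pass that file instead.

```shell
#!/bin/sh
# Added example, not from the brochure: parse "chkconfig --list" output and
# report which of the services the brochure names are still enabled in a
# given run level, so they can be worked through with "chkconfig NAME off".

# The brochure's list; "*" marks network services (the priority ones).
LISTED="anacron apmd autofs avahi-daemon* bluetooth cups* firstboot gpm
haldaemon hidd hplip* isdn kdump kudzu mcstrans mdmonitor messagebus
microcode_ctl pcscd readahead_early readahead_later rhnsd* setroubleshoot xfs"

# enabled_listed_services FILE RUNLEVEL
# Prints one line per listed service that is "<RUNLEVEL>:on" in FILE, with a
# " (network)" suffix for the starred ones. Only SysV lines are checked; the
# "xinetd based services:" section has a different format and is skipped.
enabled_listed_services() {
    file=$1; rl=$2
    for entry in $LISTED; do
        name=${entry%\*}                      # drop the trailing "*" marker
        on=$(awk -v n="$name" -v rl="$rl" \
            '$1 == n { for (i = 2; i <= NF; i++) if ($i == (rl ":on")) print "on" }' "$file")
        [ "$on" = on ] || continue
        case $entry in
            *\*) echo "$name (network)" ;;
            *)   echo "$name" ;;
        esac
    done
}

# Constructed sample of "chkconfig --list" output (not from a real system).
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
anacron        0:off 1:off 2:on  3:on  4:on  5:on  6:off
avahi-daemon   0:off 1:off 2:off 3:on  4:on  5:on  6:off
cups           0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
xfs            0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd based services:
        rsync:         off
EOF

# Run level 5 is the default on RHEL 5.
enabled_listed_services "$SAMPLE" 5
```

sshd is not reported because it is not in the brochure's list, and xfs is not reported because it is already off in run level 5.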
Disable SUID and SGID Binaries
o nd SUID and SGID les on the system, use the ollowingcommand:
find / \( -perm -4000 -o -perm -2000 \) -print
Te ollowing les can have their SUID or SGID bits saely disabled (using
chmod -s
filename
) unless required or thepurpose listed in the second column:
File: Required For:/bin/ping6 IPv6/sbin/mount.nfs NFS/sbin/mount.nfs4 NFS/sbin/netreport network control/sbin/umount.nfs NFS/sbin/umount.nfs4 NFS/usr/bin/chage passwd/usr/bin/chfn account info/usr/bin/chsh account info/usr/bin/crontab cron
/usr/bin/lockfle
Procmail/usr/bin/rcp rsh/usr/bin/rlogin rsh/usr/bin/rsh rsh/usr/bin/wall console messaging/usr/bin/write console messaging/usr/bin/Xorg Xorg/usr/kerberos/bin/ksu Kerberos/usr/libexec/openssh/ssh-keysignSSH host-basedauthentication/usr/lib/vte/gnome-pty-helper Gnome, Xorg/usr/sbin/ccreds_validate Pam auth caching/usr/sbin/suexec Apache, CGI/usr/sbin/userisdnctl ISDN/usr/sbin/usernetctl network control
ToseewhichRPMpackageeachlebelongsto,run
rpm -qf
filename
. I the package is not necessary, removeit with
rpm -e
 packagename
. Precise control over thepackages installed during initial system installation can beachieved using a Kickstart le.
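As an added example that is not part of the brochure, the following script triages the output of the find command above against the table: listed files are candidates for chmod -s, files an administrator has decided to keep (the KEEP list is a constructed assumption that NFS is in use) are left alone, and anything outside the table is queued for review with rpm -qf. The find output is constructed; the script prints the follow-up commands rather than running them.

```shell
#!/bin/sh
# Added example, not from the brochure: triage SUID/SGID files found by the
# find command above against the brochure's table. Files in the table can be
# stripped with "chmod -s" unless needed; anything else needs review, starting
# with "rpm -qf" to see what package (if any) owns it.

# Files the brochure lists as safe to strip unless required.
BROCHURE_FILES="/bin/ping6 /sbin/mount.nfs /sbin/mount.nfs4 /sbin/netreport
/sbin/umount.nfs /sbin/umount.nfs4 /usr/bin/chage /usr/bin/chfn /usr/bin/chsh
/usr/bin/crontab /usr/bin/lockfile /usr/bin/rcp /usr/bin/rlogin /usr/bin/rsh
/usr/bin/wall /usr/bin/write /usr/bin/Xorg /usr/kerberos/bin/ksu
/usr/libexec/openssh/ssh-keysign /usr/lib/vte/gnome-pty-helper
/usr/sbin/ccreds_validate /usr/sbin/suexec /usr/sbin/userisdnctl
/usr/sbin/usernetctl"

# Files that must keep their bits on this host (constructed: assumes NFS
# is in use, per the table's "Required For" column).
KEEP="/sbin/mount.nfs /sbin/umount.nfs"

in_list() { for x in $2; do [ "$x" = "$1" ] && return 0; done; return 1; }

# classify_suid PATH -> keep | strip | review
classify_suid() {
    if in_list "$1" "$KEEP"; then echo keep
    elif in_list "$1" "$BROCHURE_FILES"; then echo strip
    else echo review; fi
}

# report_suid FILE: FILE holds one path per line, as printed by find.
report_suid() {
    while IFS= read -r f; do
        case $(classify_suid "$f") in
            keep)   echo "keep   $f" ;;
            strip)  echo "strip  $f    # chmod -s '$f' unless required" ;;
            review) echo "review $f    # rpm -qf '$f'" ;;
        esac
    done <"$1"
}

# Constructed sample of find output (not from a real system). /usr/bin/passwd
# is SUID by design and not in the table, so it is reported for review rather
# than stripped; the /opt entry stands for a file no package is known to own.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
printf '%s\n' /bin/ping6 /sbin/mount.nfs /usr/bin/passwd /usr/bin/rsh \
    /opt/app/bin/helper >"$SAMPLE"

report_suid "$SAMPLE"
```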
