Rhel5 Guide i731
Published by: Korben on May 06, 2011
Guide to the Secure Configuration of Red Hat Enterprise Linux 5
Revision 4.1, February 28, 2011
Operating Systems Division Unix Team
of the Systems and Network Analysis Center
National Security Agency
9800 Savage Rd. Suite 6704
Ft. Meade, MD 20755-6704
Warnings
- Do not attempt to implement any of the recommendations in this guide without first testing in a non-production environment.
- This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration concerns. Care must be taken when implementing this guide to address local operational and policy concerns.
- The security changes described in this document apply only to Red Hat Enterprise Linux 5. They may not translate gracefully to other operating systems.
- Internet addresses referenced were valid as of 1 Dec 2009.
Trademark Information
Red Hat is a registered trademark of Red Hat, Inc. Any other trademarks referenced herein are the property of their respective owners.
Change Log
Revision 4.1 is an update of Revision 4 dated September 14, 2010.
- Added section 2.2.2.6, Disable All GNOME Thumbnailers if Possible.
- Added Common Configuration Enumeration (CCE) identifiers to associated sections within the guide, and a note about CCE in section 1.2.4, Formatting Conventions.
- Updated section 2.3.3.2, Set Lockouts for Failed Password Attempts. There is no longer the need to add the pam_tally2 module into each program's PAM configuration file, or to comment out some lines from /etc/pam.d/system-auth. The pam_tally2 module can now be referenced directly from /etc/pam.d/system-auth.
- Corrected section 2.6.2.4.5 title from Ensure auditd Collects Logon and Logout Events to Record Attempts to Alter Logon and Logout Event Information.
- Corrected section 2.6.2.4.6 title from Ensure auditd Collects Process and Session Initiation Information to Record Attempts to Alter Process and Session Initiation Information.

Note: The above changes did not affect any of the section numbering.
Table of Contents
1.1 General Principles . . . . 13
1.1.1 Encrypt Transmitted Data Whenever Possible . . . . 13
1.1.2 Minimize Software to Minimize Vulnerability . . . . 13
1.1.3 Run Different Network Services on Separate Systems . . . . 13
1.1.4 Configure Security Tools to Improve System Robustness . . . . 14
1.1.5 Least Privilege . . . . 14
1.2 How to Use This Guide . . . . 14
1.2.1 Read Sections Completely and in Order . . . . 14
1.2.2 Test in Non-Production Environment . . . . 14
1.2.3 Root Shell Environment Assumed . . . . 14
1.2.4 Formatting Conventions . . . . 15
1.2.5 Reboot Required . . . . 15

2.1 Installing and Maintaining Software . . . . 17
2.1.1 Initial Installation Recommendations . . . . 17
2.1.1.1 Disk Partitioning . . . . 17
2.1.1.2 Boot Loader Configuration . . . . 18
2.1.1.3 Network Devices . . . . 19
2.1.1.4 Root Password . . . . 19
2.1.1.5 Software Packages . . . . 19
2.1.1.6 First-boot Configuration . . . . 19
2.1.2 Updating Software . . . . 20
2.1.2.1 Configure Connection to the RHN RPM Repositories . . . . 20
2.1.2.2 Disable the … Daemon . . . . 21
2.1.2.3 Obtain Software Package Updates with … . . . . 21
2.1.3 Software Integrity Checking . . . . 22
2.1.3.1 Configure AIDE . . . . 23
2.1.3.2 Verify Package Integrity Using RPM . . . . 24
2.2 File Permissions and Masks . . . . 25
2.2.1 Restrict Partition Mount Options . . . . 25
2.2.1.1 Add … Option to Non-Root Local Partitions . . . . 25
2.2.1.2 Add …, …, … . . . . 26
2.2.2 Restrict Dynamic Mounting and Unmounting of Filesystems . . . . 27
2.2.2.1 Restrict Console Device Access . . . . 27
2.2.2.2 Disable USB Device Support . . . . 27