FedoraCore3 Hardened
From Rivalug Wiki
Notes for Hardening a Fedora Core 3 installation.
Back to HowToList Also see FedoraCore3_Hardened_Evaluation and FedoraCore3_Appendix
--Carlisle 06:35, 26 Feb 2005 (EST)
This document
This document is being modified from an earlier document and is currently unfinished.
Disclaimer
Please don't try any of these suggestions on important systems without researching and understanding what they do first.
History
started on 22 Nov 2004
Reporting errors
Fedora Core 3
Why Use Fedora Core 3?
Probably if one wanted to choose the best operating system to run on a hardened system, one would go with something like OpenBSD. But the goal with this document is to show how to harden a linux system. So I take some hints from the OpenBSD project and reduce the size of the packages used to the minimum they need to be to do the job. I didn't want to go so far as to recompile the kernel.
Features
Fedora Core 3 was released in November of 2004. It is expected to reach end-of-life in January of 2006 and will then be updated by the Fedora Legacy Project.
Release Notes:
http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/RELEASE-NOTES-en.html
http://www.redhat.com/magazine/001nov04/features/fedoracore3/
Selected Features:
kernel 2.6.9 (2.6.12 after updating)
gcc 3.4.2 (3.4.4 after updating)
glibc 2.3.3 (2.3.6 after updating)
gnome 2.8
kde 3.3 (3.4.2 after updating)
x.org x11 6.8.1 (6.8.2 after updating)
perl 5.8.5
openssh 3.9p1
mozilla 1.7.3 (1.7.12 after updating)
firefox 1.0 (1.0.7 after updating)
thunderbird 1.0 (1.0.7 after updating)
openoffice 1.1.2 (1.1.3 after updating)
gaim 1.0.1 (1.5 after updating)
gimp 2.0.5 (2.2.8 after updating)
HelixPlayer 1.0.1.gold
References for Hardening
CIS Red Hat Enterprise Linux Benchmark 1.0.3 (CIS)
Center for Internet Security:
http://www.cisecurity.org/
Linux Benchmark 1.0.3:
http://www.cisecurity.org/bench_linux.html
SANS Securing Linux version 2.0 (SL)
Oct 2003 ISBN 0-9743727-7-3 $39 https://store.sans.org/store_item.php?item=83
Bastille Linux 3.0.8 (BL)
SANS Track 506: Securing Unix/Linux Track (SU)
Simpaticus Bare-Bones Server HOWTO
http://www.simpaticus.com/linux/barebones-server-howto.php by Rodolfo J. Paiz
Installation
Download
Official Site: http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/iso/
Local Mirror: http://mirror.vcu.edu/pub/linux/fedora/3/iso/
Bittorrent: http://torrent.dulug.duke.edu/
If you intend to download the Fedora Core 3 DVD ISO image, keep in mind that not all file downloading tools can accommodate files larger than 2GB in size. For example, wget will exit with a File size limit exceeded error.
The curl and ncftpget file downloading tools do not have this limitation, and can successfully download files larger than 2GB.
How to download ISOs
FTP (the wildcard URL is quoted so that the shell does not expand it; wget expands it on the FTP server):
wget -c 'ftp://mirror.vcu.edu/pub/linux/fedora/3/iso/FC3-i386-disc*.iso'
wget ftp://mirror.vcu.edu/pub/linux/fedora/3/iso/MD5SUM
HTTP:
wget -c http://mirror.vcu.edu/pub/linux/fedora/3/iso/FC3-i386-disc1.iso
wget -c http://mirror.vcu.edu/pub/linux/fedora/3/iso/FC3-i386-disc2.iso
wget -c http://mirror.vcu.edu/pub/linux/fedora/3/iso/FC3-i386-disc3.iso
wget -c http://mirror.vcu.edu/pub/linux/fedora/3/iso/FC3-i386-disc4.iso
wget http://mirror.vcu.edu/pub/linux/fedora/3/iso/MD5SUM
How to verify ISOs
md5sum -c MD5SUM
Support
Sites:
http://fedora.redhat.com/
http://fedoranews.org/
http://www.fedorafaq.org/
http://www.fedoraforum.org/
http://www.tldp.org/
http://fcp.homelinux.org/
http://fcp.homelinux.org/modules/wffaq/
For Laptops:
http://www.linux-laptop.net/
Mailing Lists with archives:
http://www.redhat.com/mailman/listinfo/fedora-list
http://www.redhat.com/mailman/listinfo/fedora-test-list
IRC:
http://fedora.redhat.com/participate/communicate/
Installing a Minimum System
The test system I'm using has a Pentium II 233 Mhz cpu with 128 Mb RAM, a 6Gb hard drive, and a scsi cdrom drive.
Once the CD boots, press enter for the default boot parameter of "linux" and this will boot into the graphical interface. The graphical installation is needed to get to the option to choose a minimum installation.
Since we are doing a minimal installation, we will only need the first of the three CDs for Fedora Core 3. If this is a newly burned CD, do media check, else skip it, unless you had problems installing from the disk.
Choose Language (defaults: English), Keyboard (default: U.S. English), Mouse.
If there has been a previous Linux distribution installed, choose Install Fedora Core to get a fresh install, then Choose Custom Installation so that you can manually create your partitions and choose a minimal install.
Choose Manually Partition with Disk Druid. For this hardened system, we will choose several partitions so that different security settings can be applied to each partition. If you choose to keep preexisting partitions, make sure they are formatted. Some recommendations:
swap of at least twice physical RAM.
/ of at least 300 Mb, more if you don't have a separate /home or /tmp.
/boot at least 75 Mb.
/usr at least 500 Mb, more if you don't have a separate /usr/local.
/var of at least 384 Mb, but since we will be saving a lot of log files a size of at least 600 Mb will be better.
Note: if you expect to install any chroot-ed services, like bind, you may want to make a separate partition for those services.
possibly a /usr/local partition, particularly if you install any software from source.
possibly a /tmp partition, particularly if a server.
possibly a /home partition, particularly if a server.
Select a network setting appropriate to your situation, Enable firewall, but allow remote login with ssh, Enable SELinux: Warn, Choose Additional Language Support (default: English), select Time Zone, and enable System Clock to UTC (in general, you can select this unless you dual boot with Windows).
Enter root password.
Choose Package Group Selection -> Miscellaneous (scroll to the bottom) -> Minimal. It will show the total installation size as 591 Mb.
Installation will now begin. Once it is finished, create a boot disk.
After the new system has booted, log in as root and create a user account for yourself.
Kickstart File
When Fedora is installed, a kickstart file is written at /root/anaconda-ks.cfg that contains the selections of that installation. This file can then be referenced for future installations to get the exact same install. It can also be used as the starting point for a customized kickstart installation.
The kickstart file for this installation is here: FedoraCore3_Appendix#original_kickstart_file
Tuning IDE Harddrive performance
This change will speed up disk speeds for any IDE drives.
edit /etc/sysconfig/harddisks
FedoraCore3_Appendix#harddisks
Reference: http://support.pa.msu.edu/help/faqs/linux/harddisks.html
Updating
Fedora can use yum to update the distribution. Yum is a package updater that was originally created for Yellow Dog Linux. It is now used by many systems to download packages and resolve package dependencies. The following will show how to update yum and the yum repositories, but we won't actually update the system until after we take some baseline benchmarks.
References: http://fedoralegacy.org/docs/yum-fc3.php
Updating Yum and Yum repositories
In past distributions, one had to manually load GPG keys via the "rpm --import <key>" command; these keys were used to authenticate that downloaded packages were identical to the ones released by the vendor.
That is no longer necessary, once you install the most up to date version of yum.
Backup the /etc/yum.repos.d directory
So the first thing to do is to manually import the key for the source of our updates, the fedoralegacy repository:
rpm --import http://www.fedoralegacy.org/FEDORA-LEGACY-GPG-KEY
Then we update yum. We will do this using rpm as follows:
rpm -Uvh http://download.fedoralegacy.org/fedora/3/updates/i386/yum-2.2.2-0.fc3.noarch.rpm
We can now embed the location of the GPG keys, either local files or URLs, into the yum.conf file and the keys will be installed before the packages.
To get the configuration files for the fedoralegacy repository, install:
rpm -Uvh http://download.fedoralegacy.org/fedora/3/legacy-utils/i386/legacy-yumconf-3-4.fc3.noarch.rpm
Yum Repositories
| Label | Primary Repository Location | Description |
|---|---|---|
| base | http://download.fedoralegacy.org/fedora/3/os/i386/ | These are the official packages that exist at release time. |
| updates-released | http://download.fedoralegacy.org/fedora/3/updates/i386/ | These are the official updates. The ones developed after RedHat support ended have the word legacy in the package name. |
| fedora-extras-stable | http://download.fedora.redhat.com/pub/fedora/linux/extras/3/i386/ | 3rd party packages created by the Fedora Extras Project |
yum.conf
see FedoraCore3_Appendix#yum.conf
Using Yum Commands
| Action | Command | Example |
|---|---|---|
| apply all updates | yum update | |
| apply all updates with exclusions | yum --exclude=<package> update | yum --exclude='kernel*' update (quoted so the shell does not expand the wildcard) |
| show all packages available | yum list | |
| install package | yum install <package name> | |
| remove package | yum remove <package name> | |
| get information on a package | yum info <package name> | |
| which package provides a feature or file | yum provides <feature> | yum provides /usr/bin/uudecode |
| search packages containing this word | yum search <string> | |
Hardening
Backup original files
Some form of file backup needs to be used while editing these important operating system configurations to ensure that changes which cause OS failure can be rolled back.
I usually try to create a directory called /root/BACKUPS to store these backup files which makes sure they are kept away from non-root users.
Notes for future script:
pwd <file> = $BACKUPPATH
mkdir -p /root/BACKUPS/$BACKUPPATH
cp -Ripd <file> /root/BACKUPS/$BACKUPPATH/<file>-DATE
ln -s /root/BACKUPS/$BACKUPPATH/<file>-DATE
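A working version of that script, added here as an example and not the wiki's own code: it assumes a BACKUP_ROOT (default /root/BACKUPS), mirrors the original's directory under it, and keeps a <name>-latest symlink beside each timestamped copy so that restore_file can roll a bad edit back.

```shell
#!/bin/sh
# Back up a configuration file (or directory) before editing it, keeping the
# original's path under a root-only backup tree:
#   $BACKUP_ROOT/<absolute dir of original>/<name>-<YYYYMMDD-HHMMSS>
# BACKUP_ROOT defaults to /root/BACKUPS; override it to try this as a normal user.
BACKUP_ROOT="${BACKUP_ROOT:-/root/BACKUPS}"

# backup_file <path>: copy <path> into the backup tree and print the copy's path.
backup_file() {
    src="$1"
    [ -e "$src" ] || { echo "backup_file: $src does not exist" >&2; return 1; }
    dir=$(cd "$(dirname "$src")" && pwd)   # absolute directory of the original
    name=$(basename "$src")
    stamp=$(date +%Y%m%d-%H%M%S)
    dest_dir="$BACKUP_ROOT$dir"
    dest="$dest_dir/$name-$stamp"
    mkdir -p "$dest_dir" || return 1
    chmod 700 "$BACKUP_ROOT"               # keep the whole tree away from non-root users
    # -R also handles directories such as /etc/cron.d; -p keeps mode, owner and times
    cp -Rp "$src" "$dest" || return 1
    # <name>-latest always points at the newest copy; restore_file follows it
    ln -sfn "$dest" "$dest_dir/$name-latest"
    echo "$dest"
}

# restore_file <path>: copy the newest backup of a regular file back over <path>.
restore_file() {
    src="$1"
    dir=$(cd "$(dirname "$src")" && pwd)
    latest="$BACKUP_ROOT$dir/$(basename "$src")-latest"
    [ -L "$latest" ] || { echo "restore_file: no backup for $src" >&2; return 1; }
    copy=$(readlink "$latest")
    [ -f "$copy" ] || { echo "restore_file: $copy is not a regular file" >&2; return 1; }
    cp -p "$copy" "$src"
}

# Typical use on the hardened host, as root:
#   backup_file /etc/ssh/sshd_config    # then edit the live file
#   restore_file /etc/ssh/sshd_config   # if the edit breaks sshd or locks you out
```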
Installing the CIS Benchmark Tool v 1.0.3
In order to install the CIS Benchmark Tool, the uudecode command, part of the sharutils package needs to be installed. This is not installed by default in the minimum installation, so install it now with this command:
yum install sharutils
go to this page:
http://www.cisecurity.org/bench_linux.html
click the download link
select your user classification
enter your name, organization, email address
check Linux level-1
read License Agreement, check I Accept
click on link: Download the Linux Tool archive
you then download the file: cis_score_tool_linux_v1.6.8.sh.bz2
bunzip2 cis_score_tool_linux_v1.6.8.sh.bz2
chmod 700 ./cis_score_tool_linux_v1.6.8.sh
./cis_score_tool_linux_v1.6.8.sh
To use:
run ./cis-scan
to see changes that need to be made to get a better score:
egrep "^Negative" ./cis-most-recent-log
Installing Bastille-Linux 3.0.8
download from sourceforge: http://prdownloads.sourceforge.net/bastille-linux/Bastille-3.0.8-1.0.noarch.rpm?download
download perl-Curses from Dag Wieers repository: http://dag.wieers.com/packages/perl-Curses/perl-Curses-1.06-1.1.fc3.rf.i386.rpm
Install those two packages.
To run in assessment mode:
bastille --report
To read report:
more /var/log/Bastille/Assessment/assessment-report.txt
Bastille assessment of the default minimal install: FedoraCore3_Hardened_Evaluation#Bastille_Assessment_1
Evaluating the Unhardened System
CIS Benchmark Scoring Tool
See full results here: FedoraCore3_Hardened_Evaluation#CIS_Benchmark_Score_1
Preliminary rating = 5.69 / 10.00
Default services installed for a Minimal Install
Full List here: FedoraCore3_Hardened_Evaluation#Services_1
Services configured to run at boot ( chkconfig --list | grep :on | sort ):
acpid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
apmd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irqbalance 0:off 1:off 2:off 3:on 4:on 5:on 6:off
isdn 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off
mdmonitor 0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:off 3:on 4:on 5:on 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
pcmcia 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
readahead 0:off 1:off 2:off 3:off 4:off 5:on 6:off
readahead_early 0:off 1:off 2:off 3:off 4:off 5:on 6:off
rhnsd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcidmapd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcsvcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
smartd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
Process List
All processes list here: FedoraCore3_Hardened_Evaluation#Processes_1
All non-kernel processes: ps faux | grep -v ]
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.4 2364 596 ? S 16:04 0:01 init [3]
root 693 0.0 0.4 2252 532 ? S<s 14:53 0:00 udevd
root 1776 0.0 0.4 2192 616 ? Ss 14:54 0:00 syslogd -m 0
root 1780 0.0 0.3 2516 468 ? Ss 14:54 0:00 klogd -x
rpc 1806 0.0 0.4 2528 592 ? Ss 14:54 0:00 portmap
rpcuser 1826 0.0 0.6 2648 760 ? Ss 14:54 0:00 rpc.statd
root 1856 0.0 0.4 2228 600 ? Ss 14:54 0:00 rpc.idmapd
root 1886 0.0 0.4 2564 512 ? Ss 14:54 0:00 /usr/sbin/apmd -p 10 -w 5 -W -P /etc/sysconfig/apm-scripts/apmscript
root 1924 0.0 0.6 3496 816 ? S 14:54 0:00 /usr/sbin/smartd
root 1937 0.0 1.6 9000 2028 ? Ss 14:54 0:00 cupsd
root 1997 0.0 1.2 5040 1632 ? Ss 14:54 0:00 /usr/sbin/sshd
root 2538 0.1 1.7 7692 2172 ? Ss 14:59 0:06 \_ sshd: root@pts/0
root 2540 0.0 1.1 5508 1424 pts/0 Ss 14:59 0:01 \_ -bash
root 3251 0.0 0.6 2840 772 pts/0 R+ 15:59 0:00 \_ ps faux
root 2007 0.0 0.6 3484 824 ? Ss 14:54 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root 2026 0.0 2.3 8468 2996 ? Ss 14:54 0:00 sendmail: accepting connections
smmsp 2036 0.0 2.0 7760 2592 ? Ss 14:54 0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root 2046 0.0 0.4 2760 564 ? Ss 14:54 0:00 gpm -m /dev/input/mice -t imps2
root 2055 0.0 0.6 3900 836 ? Ss 14:54 0:00 crond
root 2064 0.0 0.5 2040 632 ? SNs 14:54 0:00 anacron -s
daemon 2072 0.0 0.5 2736 640 ? Ss 14:54 0:00 /usr/sbin/atd
dbus 2081 0.0 0.9 3984 1196 ? Ss 14:54 0:00 dbus-daemon-1 --system
root 2092 0.0 3.7 6724 4780 ? Ss 14:54 0:03 hald
root 2099 0.0 0.3 3164 440 tty1 Ss+ 14:54 0:00 /sbin/mingetty tty1
root 2100 0.0 0.3 2732 440 tty2 Ss+ 14:54 0:00 /sbin/mingetty tty2
root 2101 0.0 0.3 1772 440 tty3 Ss+ 14:54 0:00 /sbin/mingetty tty3
root 2102 0.0 0.3 2844 440 tty4 Ss+ 14:54 0:00 /sbin/mingetty tty4
root 2103 0.0 0.3 3212 440 tty5 Ss+ 14:54 0:00 /sbin/mingetty tty5
root 2104 0.0 0.3 2860 440 tty6 Ss+ 14:54 0:00 /sbin/mingetty tty6
Disk Usage
/bin/df -h
Filesystem Size Used Avail Use% Mounted on
/dev/hda2 494M 104M 366M 23% /
/dev/hda1 76M 8.4M 64M 12% /boot
none 62M 0 62M 0% /dev/shm
/dev/hda9 2.7G 37M 2.6G 2% /home
/dev/hda7 251M 11M 228M 5% /tmp
/dev/hda6 981M 434M 497M 47% /usr
/dev/hda8 251M 11M 228M 5% /usr/local
/dev/hda5 981M 44M 887M 5% /var
Open Network Connections
netstat -a
see FedoraCore3_Hardened_Evaluation#Network_Connections_1
Active Internet connections (minus unix sockets):
netstat -a | grep -v unix
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:ipp *:* LISTEN
tcp 0 0 fc3-hardened:smtp *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 ::ffff:192.168.5.252:ssh ::ffff:192.168.5.197:54692 ESTABLISHED
udp 0 0 *:1024 *:*
udp 0 0 *:730 *:*
udp 0 0 *:sunrpc *:*
udp 0 0 *:ipp *:*
Open Files
Full list of open files here: FedoraCore3_Hardened_Evaluation#Open_Files_1
lsof | wc -l
593
nessus
Making the Minimum System even smaller
Following suggestions found here: http://www.simpaticus.com/linux/small-netserver-fc3-howto.php
I was able to remove the following packages without affecting normal operations:
yum remove acl ash aspell at authconfig autofs bc bluez-libs bluez-utils comps diskdumputils dos2unix dosfstools dump ed file finger gpm irda-utils isdn4k-utils jwhois krb5-workstation lftp lha libjpeg libpng libtiff libwvstreams lrzsz mailcap minicom mkbootdisk mtr mt-st nfs-utils nscd nss_ldap pam_krb5 parted pax pcmcia-cs pinfo portmap ppp quota rdist redhat-config-mouse redhat-config-network-tui rmt rp-pppoe rsh setuptool specspo stunnel syslinux tcsh telnet unix2dos unzip up2date vconfig wireless-tools wvdial xinetd ypbind yp-tools zip
Because of a bug in the listed dependencies of the rhpl package, we can not remove some packages until rhpl has been updated, so we will do that now manually:
rpm -Uvh http://download.fedoralegacy.org/fedora/3/updates/i386/rhpl-0.148.1-2.i386.rpm
Now we can remove these packages:
yum remove fontconfig freetype synaptics xorg-x11-libs xorg-x11-Mesa-libGL
Finally now that we have minimized the system, we can do a complete update:
yum update
Reference: Simpaticus http://www.simpaticus.com/linux/barebones-server-howto.php#trimfat1
kickstart file
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/ch-kickstart2.html
The kickstart file created by your initial install is located in /root/anaconda-ks.cfg. An example of the original kickstart file is here: HardeningRedHat9_Appendix#original_kickstart_file
updating with yum
yum list updates
yum update
CIS Benchmark after removing packages and updating the system: 6.88
df -h
Filesystem Size Used Avail Use% Mounted on
/dev/hda2 494M 147M 322M 32% /
/dev/hda1 76M 12M 61M 16% /boot
none 62M 0 62M 0% /dev/shm
/dev/hda9 2.7G 37M 2.6G 2% /home
/dev/hda7 251M 11M 228M 5% /tmp
/dev/hda6 981M 354M 578M 38% /usr
/dev/hda8 251M 11M 228M 5% /usr/local
/dev/hda5 981M 143M 789M 16% /var
Bastille Linux Script
Installation
http://www.bastille-linux.org/perl-rpm-chart.html
http://www.bastille-linux.org/perl-Curses-1.06-219.i586.rpm (perl-Curses-1.06-219.i586.rpm)
http://www.bastille-linux.org
http://aleron.dl.sourceforge.net/sourceforge/bastille-linux/Bastille-2.1.7-1.0.noarch.rpm (Bastille-2.1.6-1.0.noarch.rpm)
Running
This runs Bastille Linux in command line/curses mode:
/usr/sbin/bastille -c
What it does
File Permissions
mount/umount
ping
at
usernetctl
traceroute
Account Security
password aging - 180 days
restrict cron
set default umask
Boot Security
disallow root login on tty's 1-6
password protect grub
disable Ctrl-Alt-Del
password protect single user mode
Secure Inetd
set default deny on tcp wrappers and xinetd
disable telnet
disable ftp
display Authorized Use message
Disable User Tools
disable gcc - root access to gcc only
Configure Misc PAM
limit core dumps, processes
restrict console
Logging
additional logging
Miscellaneous Daemons
stop sendmail running in daemon mode
Tmp directory
install tmpdir/tmp scripts
Firewall
turns on and configures iptables
Turning off or removing unused services
apmd (CIS 3.6)
atd - removed with at
autofs - removed (CIS 3.9)
gpm - removed (CIS 3.6)
irda - removed (CIS 3.6)
isdn - removed (CIS 3.6)
kudzu (CIS 3.21)
netfs (CIS 3.8)
nfs - removed (CIS 3.8)
nfslock - removed (CIS 3.9)
pcmcia - removed (CIS 3.6)
portmap - removed (CIS 3.12)
rhnsd - removed
sendmail (CIS 3.3)
References: CIS 2 & 3
chkconfig --level 12345 acpid off
chkconfig --level 12345 apmd off
chkconfig --level 12345 cpuspeed off
chkconfig --level 12345 irqbalance off
chkconfig --level 12345 kudzu off
chkconfig --level 12345 mdmonitor off
chkconfig --level 12345 netfs off
chkconfig --level 12345 readahead off
chkconfig --level 12345 readahead_early off
reboot
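An added audit for this step (example code, not from the wiki): it reads a saved chkconfig --list, compares the services that are on in runlevel 3 or 5 with an allowlist (assumed here to be the set this page leaves running after hardening), and prints the chkconfig commands to review; nothing on the host is changed.

```shell
#!/bin/sh
# Compare a "chkconfig --list" listing with an allowlist of services that are
# meant to stay enabled and emit the chkconfig command for each other service
# that is on in runlevel 3 or 5. Works on a saved listing, so a host can be
# audited from a copy of its output. Nothing here changes the system.

# Services this page leaves running after hardening; edit for your own policy.
ALLOWED="anacron crond haldaemon iptables messagebus network sendmail smartd sshd syslog"

# unexpected_services [listing-file] [allowlist]: one service name per line for
# every SysV service that is "3:on" or "5:on" and not in the allowlist.
# Reads standard input when no file is given.
unexpected_services() {
    listing="${1:--}"
    allow="${2:-$ALLOWED}"
    awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # SysV lines: name 0:off 1:off 2:on 3:on 4:on 5:on 6:off
        # the "xinetd based services:" block has a different shape and is skipped
        $2 ~ /^0:/ {
            on = 0
            for (i = 2; i <= NF; i++) if ($i == "3:on" || $i == "5:on") on = 1
            if (on && !($1 in ok)) print $1
        }' "$listing"
}

# disable_commands [listing-file] [allowlist]: the commands to run as root once
# each service has been reviewed against the CIS references above.
disable_commands() {
    unexpected_services "$1" "$2" | while read -r svc; do
        echo "chkconfig --level 12345 $svc off"
    done
}

# Constructed excerpt of the default-install listing shown earlier on this page.
sample_listing() {
    cat <<'EOF'
acpid           0:off   1:off   2:off   3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
readahead       0:off   1:off   2:off   3:off   4:off   5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        rsync:  off
EOF
}

# Demo: prints the three chkconfig commands for acpid, cups and readahead.
# On a live host: chkconfig --list | disable_commands
sample_listing | disable_commands
```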
Evaluation
CIS Benchmarking Tool
See full results here: FedoraCore3_Hardened_Evaluation#CIS_Benchmark_Score_2
Rating = 7.22 / 10.00
Bastille-Linux Assessment
Score: 7.36 / 10.00
See full report here: FedoraCore3_Hardened_Evaluation#Bastille_Assessment_2
Services
Running services has been reduced to just:
chkconfig --list | grep :on | sort
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
smartd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
The full list of services is here: FedoraCore3_Hardened_Evaluation#Services_2
Processes
ps faux | grep -v ]
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.4 2396 588 ? S 22:39 0:01 init [3]
root 691 0.0 0.3 2512 480 ? S<s 21:28 0:00 udevd
root 1585 0.0 0.4 2076 628 ? Ss 21:29 0:00 syslogd -m 0
root 1589 0.0 0.3 2144 472 ? Ss 21:29 0:00 klogd -x
root 1600 0.0 0.6 3332 816 ? S 21:29 0:00 /usr/sbin/smartd
root 1636 0.0 1.3 4500 1660 ? Ss 21:29 0:00 /usr/sbin/sshd
root 2059 0.0 1.7 6968 2192 ? Ss 21:29 0:00 \_ sshd: root@pts/0
root 2190 0.0 1.1 5388 1440 pts/0 Ss 21:29 0:00 \_ -bash
root 2295 0.0 0.5 2660 744 pts/0 R+ 21:57 0:00 \_ ps faux
root 1654 0.0 2.3 8900 3004 ? Ss 21:29 0:00 sendmail: accepting connections
smmsp 1662 0.0 2.0 6472 2568 ? Ss 21:29 0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root 1672 0.0 0.8 5436 1112 ? Ss 21:29 0:00 crond
dbus 1689 0.0 0.9 3204 1208 ? Ss 21:29 0:00 dbus-daemon-1 --system
root 1698 0.1 4.4 7572 5620 ? Ss 21:29 0:02 hald
root 1727 0.0 0.3 2444 452 tty1 Ss+ 21:29 0:00 /sbin/mingetty tty1
root 1732 0.0 0.3 2200 448 tty2 Ss+ 21:29 0:00 /sbin/mingetty tty2
root 1733 0.0 0.3 3036 448 tty3 Ss+ 21:29 0:00 /sbin/mingetty tty3
root 1734 0.0 0.3 1636 452 tty4 Ss+ 21:29 0:00 /sbin/mingetty tty4
root 1735 0.0 0.3 2788 452 tty5 Ss+ 21:29 0:00 /sbin/mingetty tty5
root 1736 0.0 0.3 1616 448 tty6 Ss+ 21:29 0:00 /sbin/mingetty tty6
The full list of processes is here: FedoraCore3_Hardened_Evaluation#Processes_2
Reducing remote access
Physical Access
Computer security starts with physical security. If a hacker can physically reach your computer then they will be able to break in or steal data.
Banners
http://ciac.llnl.gov/ciac/bulletins/j-043.shtml
Banner recommended by Bastille Linux script. Replace $owner with your name if you wish. If you have a company that specifies a banner, use that banner instead:
***************************************************************************
NOTICE TO USERS
This computer system is the private property of $owner, whether individual, corporate or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.
Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials. Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
****************************************************************************
rewrite /etc/rc.d/rc.local with this file: FedoraCore3_Appendix#rc.local to have the above banner written to /etc/issue and /etc/issue.net. In /etc/motd the above banner will be displayed again along with system information once someone logs in.
execute /etc/rc.d/rc.local so that /etc/motd, /etc/issue, and /etc/issue.net get written correctly.
chown root:root /etc/motd /etc/issue /etc/issue.net
chmod 644 /etc/motd /etc/issue /etc/issue.net
References: CIS 9.1
TCP Wrappers
Setting up the TCP Wrappers banner:
mkdir /etc/banners
write your banner message in /etc/banners/prototype, for example:
Authorized Users Only. All activity may be monitored and reported.
cd /etc/banners
/usr/bin/make -f /usr/share/doc/tcp_wrappers-7.6/Banners.Makefile
To do the above you need to have make and gcc installed. After it has been done on one computer, it could be transported to other installations with the same operating system by creating a tar file of /etc/banners.
Setting up warning message for /sbin/nologin:
cp /etc/banners/prototype /etc/nologin.txt
chown root:root /etc/nologin.txt
chmod 644 /etc/nologin.txt
Add these lines to /etc/hosts.allow
ALL: LOCAL : banners /etc/banners
ALL: 127.0.0.1 : banners /etc/banners
sshd: ALL
Other services that use tcp wrappers can be allowed with:
<additional services>: <ip ranges allowed>
FedoraCore3_Appendix#hosts.allow
Add this line to /etc/hosts.deny. Make sure hosts.allow as described above has been created first, else you may lock yourself out of this computer.
ALL: ALL : spawn (/bin/echo -e `/bin/date` "\n%c attempted connection to %s and was denied" \
  | /bin/mail -s "Connection attempt to %s" root) &
FedoraCore3_Appendix#hosts.deny
References: SL 2.5.6.1, CIS 2.2
Secure Shell
before you proceed with this configuration, verify that you have a non-root login created.
The following changes will need to be made: /etc/ssh/sshd_config
Protocol 2
PermitRootLogin no
ChallengeResponseAuthentication no
X11Forwarding no
Banner /etc/issue.net
AllowUsers joeuser
(add other users to the AllowUsers line as needed)
X11Forwarding is turned off because X is not installed on this system. For systems with X installed you will want this on. The AllowUsers option should probably only be used on systems with small numbers of users due to the amount of administration involved -- every time you add a user you want to be able to log in remotely they will need to be added here.
restart sshd
service sshd restart
/etc/ssh/ssh_config
Host *
ForwardX11 no
Protocol 2
Again, ForwardX11 is set to no only because there is no X installed on this system.
The complete files are found here: FedoraCore3_Appendix#sshd_config and FedoraCore3_Appendix#ssh_config
also see chroot-ing ssh http://chrootssh.sourceforge.net/index.php
References: CIS 1.3, SL 3.3.4, Simpaticus http://www.simpaticus.com/linux/barebones-server-howto.php#opensshserver
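A small audit for the sshd_config settings listed above, added here as example code rather than anything from the wiki or OpenSSH: it follows sshd's own parsing rules (the first occurrence of a keyword wins, keywords are case-insensitive, # starts a comment), so a commented-out PermitRootLogin that a plain grep would count as set is reported as missing. The sample configs are constructed; the directive list is taken from this page.

```shell
#!/bin/sh
# Audit an sshd_config against the directives this page requires. sshd takes
# the first occurrence of a keyword, compares keywords case-insensitively and
# treats "#" as a comment, so the check follows those rules rather than grep.

# keyword=value pairs that must be present with exactly this value.
REQUIRED="Protocol=2 PermitRootLogin=no ChallengeResponseAuthentication=no X11Forwarding=no Banner=/etc/issue.net"

# sshd_value <config-file> <keyword>: print the effective value (first match) or nothing.
sshd_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                          # drop comments
        NF >= 2 && tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, "")             # keep the argument(s) after the keyword
            print; exit                             # first occurrence wins
        }' "$1"
}

# audit_sshd_config <config-file>: one finding per line; prints nothing when compliant.
audit_sshd_config() {
    cfg="$1"
    for pair in $REQUIRED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sshd_value "$cfg" "$key")
        if [ -z "$have" ]; then
            echo "$key: not set (required: $want)"
        elif [ "$have" != "$want" ]; then
            echo "$key: is '$have', required '$want'"
        fi
    done
    # AllowUsers is site-specific, so only its presence is checked.
    [ -n "$(sshd_value "$cfg" AllowUsers)" ] || \
        echo "AllowUsers: not set (remote logins are not limited to named users)"
}

# Constructed excerpt of a stock FC3-era sshd_config (commented lines show defaults).
sample_default() {
    cat <<'EOF'
Port 22
Protocol 2,1
#PermitRootLogin yes
ChallengeResponseAuthentication yes
#X11Forwarding no
#Banner /some/path
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# The same file after the edits described above (constructed).
sample_hardened() {
    cat <<'EOF'
Protocol 2
PermitRootLogin no
ChallengeResponseAuthentication no
X11Forwarding no
Banner /etc/issue.net   # shown before authentication
AllowUsers joeuser
EOF
}

# Demo: six findings for the stock file, none for the hardened one.
# On a live host: audit_sshd_config /etc/ssh/sshd_config
f=$(mktemp); sample_default > "$f"; audit_sshd_config "$f"; rm -f "$f"
```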
Network Kernel Parameters
edit /etc/sysctl.conf FedoraCore3_Appendix#sysctl.conf
chown root:root /etc/sysctl.conf
chmod 0600 /etc/sysctl.conf
service network restart
References: CIS 4.1, CIS 4.2, SL 2.2.1
inittab
If X is installed, disable GUI login change:
id:5:initdefault:
to:
id:3:initdefault:
Reference: CIS 3.4
Require root to log into single user mode:
add
~~:S:wait:/sbin/sulogin
Reference: CIS 7.9
Disable Ctrl-Alt-Del for automatic reboot:
comment out
##ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Reference: SL 2.3.2
Remove unused login daemons
comment out
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
# Disable gettys not being used
##2:2345:respawn:/sbin/mingetty tty2
##3:2345:respawn:/sbin/mingetty tty3
##4:2345:respawn:/sbin/mingetty tty4
##5:2345:respawn:/sbin/mingetty tty5
##6:2345:respawn:/sbin/mingetty tty6
SU recommends the use of the GNU Screen command to run multiple shell sessions instead of multiple gettys. This can be installed with: yum install screen
The complete inittab file is here: FedoraCore3_Appendix#inittab
Reference: SU 506.2 2-16
chown root:root /etc/inittab
chmod 644 /etc/inittab
securetty
Edit /etc/securetty so that it looks like this
console
tty1
chown root:root /etc/securetty
chmod 400 /etc/securetty
Reference: CIS 7.7, SL 2.3.1
grub.conf
/boot/grub/grub.conf
Disable hiddenmenu and splashimage if they exist, to give full grub info at boot time.
To force a grub password, add this line before the first uncommented line in /etc/grub.conf:
password <clear-text password>
GRUB Legacy also accepts the hashed form password --md5 <hash>, with the hash generated by grub-md5-crypt, which keeps the password out of the file in clear text.
The complete grub file is here: FedoraCore3_Appendix#grub.conf
References: CIS 7.8, SL 2.1.3
scponly
Use the scponly shell to allow file transfers without a command line. http://www.sublimation.org/scponly/
Evaluation
CIS Benchmarking Tool
Rating = 8.19 / 10.00
FedoraCore3_Hardened_Evaluation#CIS_Benchmark_Score_3
Bastille Linux Assessment
| Item | Question | Answer | Weight | Score |
|---|---|---|---|---|
| generalperms_1_1 | Are more restrictive permissions on the | No | 0.00 | 0.00 |
| suidmount | Is SUID status for mount/umount disabled | No | 1.00 | 0.00 |
| suidping | Is SUID status for ping disabled? | No | 1.00 | 0.00 |
| suidusernetctl | Is SUID status for usernetctl disabled? | No | 1.00 | 0.00 |
| suidtrace | Is SUID status for traceroute disabled? | No | 1.00 | 0.00 |
| protectrhost | Are clear-text r-protocols that use IP-b | No | 0.00 | 0.00 |
| passwdage | Is password aging enforced? | No | 1.00 | 0.00 |
| umaskyn | Is the default umask set to a minimal va | No | 1.00 | 0.00 |
| rootttylogins | Are root logins on tty's 1-6 prohibited? | No | 1.00 | 0.00 |
| tcpd_default_deny | Is a default-deny on TCP Wrappers and xi | No | 1.00 | 0.00 |
| pacct | Is process accounting set up? | No | 1.00 | 0.00 |
| remotefs | Are NFS and Samba deactivated? | No | 1.00 | 0.00 |
| sendmaildaemon | Is sendmail's daemon mode disabled? | No | 1.00 | 0.00 |
Score: 7.92 / 10.00
FedoraCore3_Hardened_Evaluation#Bastille_Assessment_3
Services
Processes
[root@hard9 ssh]# ps faux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 1380 480 ? S 05:00 0:03 init
root 2 0.0 0.0 0 0 ? SW 05:00 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SW 05:00 0:00 [kapmd]
root 4 0.0 0.0 0 0 ? SWN 05:00 0:00 [ksoftirqd_CPU0]
root 9 0.0 0.0 0 0 ? SW 05:00 0:00 [bdflush]
root 5 0.0 0.0 0 0 ? SW 05:00 0:00 [kswapd]
root 6 0.0 0.0 0 0 ? SW 05:00 0:00 [kscand/DMA]
root 7 0.0 0.0 0 0 ? SW 05:00 0:00 [kscand/Normal]
root 8 0.0 0.0 0 0 ? SW 05:00 0:00 [kscand/HighMem]
root 10 0.0 0.0 0 0 ? SW 05:00 0:00 [kupdated]
root 11 0.0 0.0 0 0 ? SW 05:00 0:00 [mdrecoveryd]
root 17 0.0 0.0 0 0 ? SW 05:00 0:00 [scsi_eh_0]
root 20 0.0 0.0 0 0 ? SW 05:00 0:00 [kjournald]
root 89 0.0 0.0 0 0 ? SW 05:00 0:00 [khubd]
root 163 0.0 0.0 0 0 ? SW 05:00 0:00 [kjournald]
root 164 0.0 0.0 0 0 ? SW 05:00 0:00 [kjournald]
root 165 0.0 0.0 0 0 ? SW 05:00 0:00 [kjournald]
root 166 0.0 0.0 0 0 ? SW 05:00 0:00 [kjournald]
root 497 0.0 1.1 3516 1452 ? S 05:01 0:00 /usr/sbin/sshd
root 535 0.0 1.5 6768 1988 ? S 05:01 0:00 \_ /usr/sbin/sshd
joeuser 537 0.0 1.7 6808 2244 ? S 05:01 0:01 \_ /usr/sbin/sshd
joeuser 538 0.0 1.1 4312 1392 pts/0 S 05:01 0:00 \_ -bash
root 574 0.0 0.7 4104 976 pts/0 S 05:09 0:00 \_ su -
root 575 0.0 1.1 4348 1452 pts/0 S 05:09 0:00 \_ -bash
root 741 0.0 0.5 2620 676 pts/0 R 06:04 0:00 \_ ps faux
root 510 0.0 0.4 1432 592 ? S 05:01 0:00 crond
root 534 0.0 0.3 1356 380 tty1 S 05:01 0:00 /sbin/mingetty tty1
root 678 0.0 0.4 1448 604 ? S 05:27 0:00 syslogd -m 0
root 682 0.0 0.3 1376 456 ? S 05:27 0:00 klogd -x
Open Files
307 Open files
netstat
nessus
Reducing local access
fstab
Following the principle of least privilege, the partitions are adjusted to restrict access.
before:
LABEL=/ / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
LABEL=/usr /usr ext3 defaults 1 2
LABEL=/var /var ext3 defaults 1 2
/dev/hda7 swap swap defaults 0 0
/dev/cdrom /mnt/cdrom udf,iso9660 noauto,owner,kudzu,ro 0 0
/dev/fd0 /mnt/floppy auto noauto,owner,kudzu 0 0
edit /etc/fstab
after:
LABEL=/ / ext3 defaults 1 1
LABEL=/boot /boot ext3 nodev 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
LABEL=/usr /usr ext3 ro,nodev 1 2
LABEL=/var /var ext3 defaults 1 2
/dev/hda7 swap swap defaults 0 0
/dev/cdrom /mnt/cdrom udf,iso9660 noauto,nosuid,nodev,ro 0 0
/dev/fd0 /mnt/floppy auto noauto,nosuid,nodev 0 0
Because /usr is now mounted as read-only, it will need to be remounted as read-write anytime updates or new applications are installed. Use the command:
mount -o remount,rw /usr
to do this, install binaries, then use:
mount -o remount,ro /usr
to return it to read-only.
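A check that the fstab actually carries the options this step sets (added example, not part of the wiki page; the expected options per mount point are those of the "after" fstab above and are assumed as the target):

```shell
#!/bin/sh
# Added example, not from the wiki page: audit an fstab for the mount options
# the hardening step expects (assumed targets: /boot nodev; /usr ro,nodev;
# /mnt/cdrom and /mnt/floppy nosuid,nodev). Prints one "MISSING <mountpoint> <option>"
# line per gap and returns the number of gaps, so 0 means the file matches.

# expected options per mount point, written as mountpoint:opt1,opt2
FSTAB_EXPECTED="/boot:nodev /usr:ro,nodev /mnt/cdrom:nosuid,nodev /mnt/floppy:nosuid,nodev"

fstab_has_opt() {
    # $1 = comma-separated option field, $2 = option to look for
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

check_fstab_opts() {
    # $1 = fstab to audit (defaults to /etc/fstab)
    fstab="${1:-/etc/fstab}"
    missing=0
    for entry in $FSTAB_EXPECTED; do
        mnt="${entry%%:*}"
        wanted="${entry#*:}"
        # fstab fields: device mountpoint fstype options dump pass
        opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4 }' "$fstab")
        if [ -z "$opts" ]; then
            echo "MISSING $mnt (no entry in $fstab)"
            missing=$((missing + 1))
            continue
        fi
        for opt in $(printf '%s' "$wanted" | tr ',' ' '); do
            if ! fstab_has_opt "$opts" "$opt"; then
                echo "MISSING $mnt $opt"
                missing=$((missing + 1))
            fi
        done
    done
    return "$missing"
}

# usage (exit status = number of gaps):  check_fstab_opts /etc/fstab
```

Run against the "before" fstab it reports seven gaps; against the "after" fstab it is silent and exits 0, which makes it usable from cron as a drift check.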
removable media
Make it so that only root can mount removable media
edit /etc/security/console.perms
comment out the following lines:
##<console> 0660 <floppy> 0660 root.floppy
##<console> 0600 <cdrom> 0660 root.disk
##<console> 0600 <pilot> 0660 root.uucp
##<console> 0600 <jaz> 0660 root.disk
##<console> 0600 <zip> 0660 root.disk
##<console> 0600 <ls120> 0660 root.disk
##<console> 0600 <camera> 0600 root
##<console> 0600 <memstick> 0600 root
##<console> 0600 <flash> 0600 root
##<console> 0600 <diskonkey> 0660 root.disk
##<console> 0600 <rem_ide> 0660 root.disk
##<console> 0600 <rio500> 0600 root
chmod 600 /etc/security/console.perms
References: CIS 6.3
cron & at
Restrict the adding of cron and at jobs to root only. Jobs can still run as other users, but only root can install them.
remove /etc/cron.deny if it exists
edit /etc/cron.allow and /etc/at.allow so that root is the only authorized user
chown root:root /etc/cron.allow /etc/at.allow
chmod 400 /etc/cron.allow /etc/at.allow
Reference: CIS 7.4
chmod 400 /etc/crontab
chmod -R go-rwx /etc/cron.*
Reference: CIS 7.5
remove unused accounts
backup /etc/passwd /etc/group /etc/shadow
remove accounts: uucp games gopher operator
userdel uucp
userdel operator
userdel games
userdel gopher
userdel adm
userdel news
userdel ftp
userdel pcap
remove groups: uucp games gopher dip
groupdel uucp
groupdel dip
groupdel games
groupdel gopher (may be gone already because the gopher account was removed)
search for accounts from uninstalled packages (SL 2.4.2)
verify passwd & group
/usr/sbin/pwck
/usr/sbin/grpck
find files that are owned by deleted users or groups
find / -nouser -exec /bin/chown root {} \;
find / -nogroup -exec /bin/chgrp root {} \;
change shell on rpm to /dev/null or /sbin/nologin
CIS recommends changing /sbin/nologin to /dev/null on accounts:
bin daemon lp mail nobody vcsa sshd rpc mailnull smmsp ntp rpm
use usermod -L -s /dev/null <account>
SL uses /sbin/nologin instead, which prints a banner when an account with that shell is reached; edit /etc/nologin.txt to set the banner text.
Reference: CIS 8.1, SL 2.4.2
passwords
Setting values
Default values:
Maximum password age: 99999 days = never
Minimum password age between changes: 0 days
Maximum warning period: 7 days before maximum password age
Minimum password length: 5 characters
Recommended values by CIS:
Maximum password age: 90 days
Minimum password age between changes: 7 days
Maximum warning period: 28 days before maximum password age
Minimum password length: 6 characters
Recommended values by SL:
Maximum password age: 180 days
Minimum password age between changes: 2 days
Maximum warning period: 7 days before maximum password age
Minimum password length: 5 characters
edit /etc/login.defs FedoraCore3_Appendix#login.defs
##PASS_MAX_DAYS 99999
PASS_MAX_DAYS 90
##PASS_MIN_DAYS 0
PASS_MIN_DAYS 7
##PASS_MIN_LEN 5
PASS_MIN_LEN 6
##PASS_WARN_AGE 7
PASS_WARN_AGE 28
for existing accounts:
chage -M 90 -m 7 -W 28 <account>
apply this to all accounts with uid >= 500:
awk -F: '$3 >= 500 { system ("chage -M 90 -m 7 -W 28 " $1) }' /etc/passwd
Reference: CIS 8.3, SL 2.4.1
using pam
determining quality of passwords
johntheripper
umask
services: edit /etc/rc.d/init.d/functions and change
umask 022
to
umask 027
Reference: CIS 8.13
edit /etc/profile and /etc/csh.login
append to <file>: umask 077
chmod 444 <file>
/etc/csh.cshrc
##if $status then
##  umask 022
##else
##  umask 002
##endif
umask 077
chmod 444 /etc/csh.cshrc
/etc/bashrc
change in <file>: umask 022 to 077 and umask 002 to 007
chmod 444 <file>
/root/.bash_profile /root/.bashrc /root/.cshrc
tcsh has been removed, but if it existed do the following:
/root/.tcshrc
append to <file>: umask 077
SL notes that this may result in a warning message during the upgrade of some packages.
References: CIS 8.10, SL 2.4.5
logout of inactive sessions
for bash, edit /etc/profile
# logout after 15 minutes
TMOUT=900
for csh, edit /etc/csh.cshrc
# logout after 15 minutes
set autologout=15
Reference: SL 2.4.5.1
limits.conf
prevent core dumps: edit /etc/security/limits.conf
#* soft core 0
* soft core 0
#* hard rss 10000
* hard core 0
limit users to 150 concurrent processes
* hard nproc 150
Not necessary, but this file can also limit the maximum file size: limit file sizes to 100 MB (the value is in KB)
* hard fsize 102400
Reference: CIS 8.11, SL 2.4.6.1
suid audit
Determine list of suid programs:
find <partition> \( -perm -04000 -o -perm -02000 \) -type f -xdev -print
Removing suid privileges:
chmod u-s <program>
Adding suid privileges:
chmod u+s <program>
Recommendations:
mount/umount, ping, at, usernetctl
References: BL - FilePermissions, CIS 6.7
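The find above gives a one-off list; what an administrator wants afterwards is to know when that list changes. The following is an added example (not the wiki's own code) that stores the audit result as a baseline and reports drift against it; the baseline path /var/lib/suid.baseline in the usage comment is assumed:

```shell
#!/bin/sh
# Added example, not from the wiki page: record a baseline of setuid/setgid
# files and report drift against it, so a binary that gained (or lost) the
# bit since the audit shows up at the next check.

suid_list() {
    # $1 = directory to scan; -xdev stays on that filesystem, like the find above
    find "$1" \( -perm -4000 -o -perm -2000 \) -type f -xdev -print | sort
}

suid_baseline() {
    # $1 = directory, $2 = baseline file to write (keep a copy off the box or on
    # read-only media; a baseline writable by the same root that runs the
    # binaries can be edited along with them)
    suid_list "$1" > "$2"
}

suid_diff() {
    # $1 = baseline file, $2 = directory; prints "NEW  <path>" for files that
    # are suid/sgid now but not in the baseline and "GONE <path>" for the reverse.
    # Returns the number of differences (0 = no drift).
    current=$(mktemp)
    suid_list "$2" > "$current"
    # comm needs sorted input (suid_list sorts); -13 keeps lines only in the
    # second file, -23 lines only in the first
    comm -13 "$1" "$current" | sed 's/^/NEW  /'
    comm -23 "$1" "$current" | sed 's/^/GONE /'
    changes=$(comm -3 "$1" "$current" | wc -l | tr -d ' ')
    rm -f "$current"
    return "$changes"
}

# usage: suid_baseline / /var/lib/suid.baseline   (once, after the audit)
#        suid_diff /var/lib/suid.baseline /        (from cron; nonzero = drift)
```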
su and sudo
Important note about "su" and "su -"
su - <account> starts a login shell, so the target account's own environment variables are applied; plain su keeps the caller's environment.
UPDATE: see new CIS Benchmark 8.13
edit /etc/pam.d/su enable this line:
# Uncomment the following line to require a user to be in the "wheel" group.
auth required /lib/security/$ISA/pam_wheel.so use_uid
add users to wheel group with:
gpasswd -a <account> wheel
sudo
use visudo to give everyone in the wheel group sudo privileges
Evaluation
CIS Score: 10.0
Enhancing Logging
time
In order to get logs with accurate times, one needs to have an accurate clock.
If not installed, install ntp, this also requires libcap.
edit /etc/ntp.conf
edit /etc/ntp/
create a hole in the firewall for each ntp time server:
-A RH-Firewall-1-INPUT -m udp -p udp -s $server/32 --sport 123 -d 0/0 --dport 123 -j ACCEPT
Sidenote: one can use a GPS unit as a time source for ntp (researching); see http://www.boulder.nist.gov/timefreq/service/gpscal.htm
References: CIS 5
http://www.ntp.org/
http://www.ntp.org/ntpfaq/NTP-a-faq.htm
http://www.sun.com/blueprints/0701/NTP.pdf
http://www.sun.com/blueprints/0801/NTPpt2.pdf
Logs are frequently reported to administrators by email. Unlike previous versions of sendmail, version 8.12 requires the daemon to be running to send outgoing mail, unless a specific mail relay has been designated.
edit /etc/mail/submit.cf
find: D{MTAHost} [127.0.0.1]
replace 127.0.0.1 with ip address of mail relay.
to turn off MTA daemon edit /etc/sysconfig/sendmail
set DAEMON=no
If the mail daemon needs to run, make sure that /etc/hosts.allow is configured to allow local connections, else the mail won't reach the sendmail daemon on the same computer.
sendmail: 127.0.0.1
Reference: SU 506.2 2-18
sysstat
yum install sysstat
Documentation for sysstat
http://perso.wanadoo.fr/sebastien.godard/
Reference: CIS 1.5
syslog
edit /etc/syslog.conf
FedoraCore3_Appendix#syslog.conf
Create file for kernel log, and set to proper permissions
touch /var/log/kernel
chmod 400 /var/log/kernel
Note: logrotate and logwatch need to be changed to be aware of this new log file (see below).
References: CIS 5.2, SL 2.8.1.1, SL Appendix B
logrotate
edit /etc/logrotate.conf and /etc/logrotate.d/syslog
FedoraCore3_Appendix#logrotate.conf
Restart syslogd
/sbin/service syslog restart
Force log rotation to verify all is correct.
/usr/sbin/logrotate -f /etc/logrotate.conf
Reference: SL 2.8.2.1, SL 2.8.2.2
logwatch
Configuring logwatch: vi /etc/log.d/logwatch.conf and change MailTo = to an address of your choice. You will be emailed nightly.
To allow for logwatch to continue to monitor the new kernel log, do the following:
Create new log group called kernel:
cd /etc/log.d/conf/logfiles/
cp messages.conf kernel.conf
search & replace "messages" with "kernel"
Edit kernel script to examine kernel log:
cd /etc/log.d/conf/services/kernel
change Logfile=messages to Logfile=kernel
References: http://www.logwatch.org
logcheck
installing logcheck (must have gcc installed) see http://sourceforge.net/projects/sentrytools/
download logcheck-1.1.1.tar.gz
tar -xvzf logcheck-1.1.1.tar.gz
cd logcheck-1.1.1
make linux
set address to mail logs to
vi /usr/local/etc/logcheck.sh
add to crontab
00 * * * * /usr/local/etc/logcheck.sh
verify only root can use directory /usr/local/etc/tmp
note: this location will need to be changed if /usr/local is made read-only
process accounting
Install and start process accounting. Warning: this can be very system intensive.
yum install psacct
service psacct start
Associated commands:
ac - displays statistics about how long users have been logged on
lastcomm - displays information about previously executed commands
sa - summarizes information about previously executed commands
Firewall
system-config-securitylevel
/usr/bin/system-config-securitylevel
Easy Firewall Generator
http://easyfwgen.morizot.net/gen/
Shorewall
http://www.shorewall.net/
Installation
Download rpm package
wget http://www.invoca.ch/pub/packages/shorewall/3.0/shorewall-3.0.5/shorewall-3.0.5-2.noarch.rpm
Unstated dependency on which
yum install which
rpm -ivh shorewall-3.0.5-2.noarch.rpm
Read Quickguides
http://www.shorewall.net/shorewall_quickstart_guide.htm
Modify files
Edit /etc/shorewall/shorewall.conf
Templates for one, two, or three interface rules are found here:
/usr/share/doc/shorewall-3.0.5/Samples
copy one-interface to /etc/shorewall
Edit /etc/shorewall/rules to allow SSH
SSH/ACCEPT net $FW
Allow for logging of dropped packets
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT
##net all DROP info
net all DROP warning
# The FOLLOWING POLICY MUST BE LAST
##all all REJECT info
all all REJECT warning
Copy these files into /etc/shorewall
chown root:root /etc/shorewall/*
chmod 600 /etc/shorewall/*
replace iptables with shorewall
Remove iptables from chkconfig, stop iptables and start shorewall
chkconfig --level 12345 iptables off
service iptables stop
service shorewall start
To restart shorewall always
service shorewall stop
service shorewall start
Blacklists: http://www.shorewall.net/blacklisting_support.htm
Applications
compilers
Sometimes binaries are not available and you need to compile one yourself. This configuration does not contain compilers. It would be best to have a separate machine for development, but that is not always possible.
researching: determining what to install
yum install make
Gathering header information file(s) from server(s)
Server: Fedora Core 9 - i386 - Base
Server: Fedora Core 9 - i386 - Released Updates
Finding updated packages
Downloading needed headers
Resolving dependencies
Dependencies resolved
I will do the following:
[install: make 1:3.79.1-17.i386]
Is this ok [y/N]: y
Getting make-3.79.1-17.i386.rpm
Calculating available disk space - this could take a bit
make 100 % done 1/1
Installed: make 1:3.79.1-17.i386
Transaction(s) Complete
yum install gcc
Gathering header information file(s) from server(s)
Server: Fedora Linux / stable for Red Hat Linux 9 (i386)
Server: Red Hat Linux 9 (i386)
Server: Red Hat Linux 9 (i386) updates
Finding updated packages
Downloading needed headers
Resolving dependencies
..Dependencies resolved
I will do the following:
[install: gcc 3.2.2-5.i386]
I will install/upgrade these to satisfy the dependencies:
[deps: binutils 2.13.90.0.18-9.i386]
[deps: glibc-kernheaders 2.4-8.10.i386]
[deps: glibc-devel 2.3.2-27.9.7.i386]
[deps: cpp 3.2.2-5.i386]
removing the compiler afterwards:
yum remove gcc gcc3 gcc3-c++ gcc3-g77 gcc3-java gcc3-objc gcc-c++ gcc-chill gcc-g77 gcc-java gcc-objc bin86 dev86 nasm
Reference: CIS 8.12
sendmail
http://www.deer-run.com/~hal/dns-sendmail/
http://www.deer-run.com/~hal/sysadmin/sendmail.html
http://www.deer-run.com/~hal/sysadmin/sendmail2.html
syslog-ng
http://www.balabit.com/products/syslog_ng/
aide
http://www.cs.tut.fi/~rammer/aide.html
http://sourceforge.net/projects/aide
http://www.deer-run.com/~hal/aide/
bind
apache
vsftp
vpn
http://www.openswan.org/
intrusion detection
psad
http://www.cipherdyne.com/psad/
snort
http://www.snort.org/
Administering the Hardened System
Adding Users
useradd <account>
To allow user to use su and sudo, add them to the wheel group
gpasswd -a <account> wheel
To allow a user to log in with ssh, add <account> to the AllowUsers line in /etc/ssh/sshd_config:
AllowUsers <account>
then restart sshd:
service sshd restart
Install/Updating Software
Because /usr is now mounted as read-only, it will need to be remounted as read-write anytime updates or new applications are installed. Use the command:
mount -o remount,rw /usr
to do this, install binaries, then use:
mount -o remount,ro /usr
to return it to read-only.
Installing new hardware
before shutting down the machine
chkconfig kudzu on
halt
install hardware, then boot after kudzu detects the hardware
service kudzu stop
chkconfig kudzu off
Security Checks
These conditions exist if one followed the steps above; they are listed here for the purpose of doing security checks.
system utilities
ps
netstat
lsof
CIS Benchmarking Tool
confirm that password-less accounts do not exist
awk -F: '($2 == "") {print $1}' /etc/shadow
should return empty.
Reference: SL 2.4.4
Bastille Linux assessment mode
bastille --report
more /var/
chkrootkit
http://www.chkrootkit.org/
aide
nessus
Other References
O'Reilly Book: Building Secure Servers with Linux
http://www.oreilly.com/catalog/bssrvrlnx/
http://www.fedorafaq.org/
http://www.fedoraforum.org/
http://www.mjmwired.net/resources/mjm-fedora-fc3.html
http://www.stud.uni-karlsruhe.de/~usge/fc2_install_notes.html
http://fedoranews.org/colin/fnu/issue12.shtml
http://fedoranews.org/colin/fnu/issue13.shtml
http://fedoranews.org/colin/fnu/issue14.shtml
http://users.netwit.net.au/~pursang/game.html
This page has been accessed 11134 times. This page was last modified 18:09, 2 Oct 2007.

