FedoraCore5 Hardened
From Rivalug Wiki
Notes for Hardening a Fedora Core 5 installation.
Back to HowToList Also see FedoraCore5_Hardened_Evaluation and FedoraCore5_Appendix
WARNING: This document is unfinished
--Carlisle 12:04, 31 Jan 2007 (PST)
This document
This document is being modified from an earlier document and is currently unfinished.
Disclaimer
Please don't try any of these suggestions on important systems without first researching and understanding what they do.
History
started on 25 Feb 2006
Reporting errors
Fedora Core 5
Why Use Fedora Core 5?
Features
Fedora Core 5 was released on March 20, 2006.
Release Notes: http://fedora.redhat.com/docs/release-notes/fc5/test2-latest-en/
Selected Features:
- kernel 2.6.15
- gcc 4.1
- glibc 2.4
- gnome 2.14
- kde 3.5.1
- x.org x11
- perl 5.8
- openssh 4.3
- firefox 1.5
- thunderbird 1.5
- openoffice 2.0.2
- gaim 1.5
- gimp 2.2.10
- HelixPlayer 1.0.6
References for Hardening
CIS Red Hat Enterprise Linux Benchmark 1.0.5 (CIS)
Center for Internet Security:
http://www.cisecurity.org/
Linux Benchmark:
http://www.cisecurity.org/bench_linux.html
SANS Securing Linux version 2.0 (SL)
Oct 2003 ISBN 0-9743727-7-3 $39 https://store.sans.org/store_item.php?item=83
Bastille Linux 3.0.9 (BL)
http://www.bastille-linux.org/
SANS Track 506: Securing Unix/Linux Track (SU)
Simpaticus Bare-Bones Server HOWTO
http://www.simpaticus.com/linux/barebones-server-howto.php by Rodolfo J. Paiz
NIST Recommended Security Controls for Federal Information Systems
http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf
Installation
Download
Official Site: http://download.fedora.redhat.com/pub/fedora/linux/core/5/i386/iso/
Local Mirror: http://mirror.vcu.edu/pub/linux/fedora/5/i386/iso/
Bittorrent: http://torrent.fedoraproject.org/
If you intend to download the Fedora Core 5 DVD ISO image, keep in mind that not all downloading tools can accommodate files larger than 2GB in size. For example, wget will exit with a File size limit exceeded error.
The curl and ncftpget file downloading tools do not have this limitation, and can successfully download files larger than 2GB.
How to download ISOs
FTP:

```sh
wget -c ftp://mirror.vcu.edu/pub/linux/fedora/5/i386/iso/FC-5-i386-disc*.iso
wget ftp://mirror.vcu.edu/pub/linux/fedora/5/i386/iso/SHA1SUM
```

HTTP:

```sh
wget -c http://mirror.vcu.edu/pub/linux/fedora/5/i386/iso/FC-5-i386-disc1.iso
wget -c http://mirror.vcu.edu/pub/linux/fedora/5/i386/iso/FC-5-i386-disc2.iso
wget -c http://mirror.vcu.edu/pub/linux/fedora/5/i386/iso/FC-5-i386-disc3.iso
wget -c http://mirror.vcu.edu/pub/linux/fedora/5/i386/iso/FC-5-i386-disc4.iso
wget http://mirror.vcu.edu/pub/linux/fedora/5/i386/iso/SHA1SUM
```
How to verify ISOs
```sh
sha1sum -c SHA1SUM
```
Support
Sites:
http://fedora.redhat.com/
http://fedoranews.org/
http://www.fedorafaq.org/
http://www.fedoraforum.org/
http://www.tldp.org/
http://fcp.homelinux.org/
http://fcp.homelinux.org/modules/wffaq/
For Laptops:
http://www.linux-laptop.net/
Mailing Lists with archives:
http://www.redhat.com/mailman/listinfo/fedora-list
http://www.redhat.com/mailman/listinfo/fedora-test-list
IRC:
http://fedora.redhat.com/participate/communicate/
Installing a Minimum System
The test system I'm using has a Pentium II 333 MHz CPU with 128 MB RAM.
You will need to do a graphical installation to get to the option to choose a minimum installation.
If this is a newly burned CD, do media check, else skip it.
Choose Language (defaults: English), Keyboard (default: U.S. English), Mouse.
Choose Custom Installation.
Partition with Disk Druid. For this hardened system we will create several partitions so that different security settings (mount options) can be applied to each partition. Some recommendations:
- swap of at least twice physical RAM
- / of at least 200 MB, more if you don't have a separate /home or /tmp
- /boot of at least 60 MB
- /usr of at least 600 MB, more if you don't have a separate /usr/local
- /var of at least 384 MB
- possibly a /usr/local partition of at least 100 MB
- possibly a /tmp partition
- possibly a /home partition
Select a network setting appropriate to your situation. Choose Firewall Security: High, but allow incoming ssh. Choose Additional Language Support (default: English), select the Time Zone, use of Daylight Saving Time, and whether the System Clock uses UTC (in general you can select this unless you dual boot with Windows).
Enter root password, and select MD5 and shadow passwords.
Choose Package Group Selection -> Miscellaneous -> Minimal.
Installation will now begin, once it is finished create a boot disk.
After the new system has booted, log in as root and create a user account for yourself.
Tuning IDE Harddrive performance
(this appears not to be needed under fc5 - researching)
edit /etc/sysconfig/harddrive
FedoraCore3_Appendix#harddisks
Reference: http://support.pa.msu.edu/help/faqs/linux/harddisks.html
FC5 Issues with Binary Video Drivers (nVidia & ATI)
see http://www.mjmwired.net/resources/mjm-fedora-fc5.html#nvidia
This issue has now been fixed with the release of the 2.6.16-1.2080 kernel
If you install the drivers manually, the packages binutils, gcc and kernel-[smp-]devel need to be installed; otherwise use the livna repository to install their kernel modules.
Updating with Yum
Yum is a package updater that was originally created for Yellow Dog Linux. It now is used by many systems to download and resolve package dependencies.
Installing GPG Keys
In past distributions, one had to manually load the GPG keys used to authenticate that downloaded packages were identical to the ones released by the vendor.
That is no longer necessary, once you update to beyond yum version XX.
So the first thing to do is update yum. We will do this using rpm as follows:
```sh
rpm -Uvh http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/i386/yum-2.2.2-0.fc3.noarch.rpm
```
We can now embed the GPG Keys into the yum.conf file and the keys will be installed before the packages.
Yum Repositories
| Label | Primary Repository Location | Description |
|---|---|---|
| base | http://download.fedora.redhat.com/pub/fedora/linux/core/5/i386/os/Fedora/RPMS/ | These are the official packages that exist at release time. |
| updates-released | http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/i386/ | These are the official updates. The ones developed after RedHat support ended have the word legacy in the package name. |
| fedora-extras | http://download.fedora.redhat.com/pub/fedora/linux/extras/5/i386/ | 3rd party packages created by the Fedora Extras Project |
| livna | http://rpm.livna.org/fedora/5/i386/ | 3rd party packages created by the Livna Project To use read the Configuration Page |
yum.conf
see FedoraCore3_Appendix#yum.conf
Using Yum Commands
| Action | Command | Example |
|---|---|---|
| apply all updates | yum update | |
| apply all updates with exclusions | yum --exclude <package> update | yum --exclude kernel* update |
| show all packages available | yum list | |
| install package | yum install <package name> | |
| remove package | yum remove <package name> | |
| get information on a package | yum info <package name> | |
| which package provides a feature or file | yum provides <feature> | |
| search packages containing this word | yum search <string> | |
Hardening
Backup original files
Installing the CIS Benchmark Tool
Installing Java
The latest CIS Benchmarking Tool is java based, requiring us to install jre 1.5.x
```sh
bunzip2 ng_scoring_tool-1.0-linux-nojvm.tar.bz2
tar -xvf ng_scoring_tool-1.0-linux-nojvm.tar
/usr/local/jre1.5.0_10/bin/java -jar ng_scoring_tool-1.0-linux.jar -console
```
```
-------------------------------------------------------------------------------
Next Generation Scoring Tool - InstallShield Wizard

Welcome to the InstallShield Wizard for Next Generation Scoring Tool

The InstallShield Wizard will install Next Generation Scoring Tool on your computer.
To continue, choose Next.

Next Generation Scoring Tool
The Center for internet Security
http://www.cisecurity.org

Press 1 for Next, 3 to Cancel or 5 to Redisplay [1] 1

-------------------------------------------------------------------------------
Next Generation Scoring Tool - InstallShield Wizard

Please read the following license agreement carefully.

Untitled

TERMS OF USE AGREEMENT
Background.
<LICENSE FOO>

Press ENTER to read the text [Type q to quit]
WE ACKNOWLEDGE THAT WE HAVE READ THESE AGREED TERMS OF USE IN THEIR ENTIRETY, UNDERSTAND THEM, AND WE AGREE TO BE BOUND BY THEM IN ALL RESPECTS.

Terms of Use Agreement Version 2.1 - 02/20/04

Please choose from the following options:
[ ] 1 - I accept the terms of the license agreement.
[X] 2 - I do not accept the terms of the license agreement.

To select an item enter its number, or 0 when you are finished: [0] 1

[X] 1 - I accept the terms of the license agreement.
[ ] 2 - I do not accept the terms of the license agreement.

To select an item enter its number, or 0 when you are finished: [0]

Press 1 for Next, 2 for Previous, 3 to Cancel or 5 to Redisplay [1] 1

-------------------------------------------------------------------------------
Next Generation Scoring Tool - InstallShield Wizard

Next Generation Scoring Tool Install Location

Please specify a directory or press Enter to accept the default directory.

Destination Directory [/opt/CISngtool] /usr/local/CISngtool

Press 1 for Next, 2 for Previous, 3 to Cancel or 5 to Redisplay [1]

-------------------------------------------------------------------------------
Next Generation Scoring Tool - InstallShield Wizard

Choose the installation type that best suits your needs.

[X] 1 - Typical
    The program will be installed with the suggested configuration.
    Recommended for most users.

[ ] 2 - Custom
    The program will be installed with the features you choose.
    Recommended for advanced users.

Select the number corresponding to the type of install you would like: [0]

Press 1 for Next, 2 for Previous, 3 to Cancel or 5 to Redisplay [1] 1

-------------------------------------------------------------------------------
Next Generation Scoring Tool - InstallShield Wizard

Next Generation Scoring Tool will be installed in the following location:

/usr/local/CISngtool

with the following features:

Documentation
  Users Manual
Benchmarks
  Linux Benchmarks
    Suse 9.0 Benchmark
    RedHat Benchmark

for a total size:

19.7 MB

Press 1 for Next, 2 for Previous, 3 to Cancel or 5 to Redisplay [1]

-------------------------------------------------------------------------------
Next Generation Scoring Tool - InstallShield Wizard

Installing Next Generation Scoring Tool. Please wait...

|-----------|-----------|-----------|------------|
0%         25%         50%         75%        100%
||||||||||||||||||||||||||||||||||||||||||||||||||

Creating uninstaller...

Finalizing the Vital Product Data Registry. Please wait...

-------------------------------------------------------------------------------
Next Generation Scoring Tool - InstallShield Wizard

The InstallShield Wizard has successfully installed Next Generation Scoring Tool.
Choose Finish to exit the wizard.

Press 3 to Finish or 5 to Redisplay [3]
```
```sh
cd /usr/local/CISngtool
/usr/local/CISngtool/ng.sh -h
```

```
[root@localhost CISngtool]# ./ng.sh --version
NG Scoring Tool 1.0 build 137
```
go to this page:
http://www.cisecurity.org/bench_linux.html
- click the download link
- select your user classification: Public, Government, Education
- enter your name, organization, email address
- check Linux level-1
- read the License Agreement, check I Accept
- click on the link: Download the Linux Tool archive

You then download the file cis_score_tool_linux_v1.6.4.sh.bz2 and run:

```sh
bunzip2 cis_score_tool_linux_v1.6.4.sh.bz2
./cis_score_tool_linux_v1.6.4.sh
```

To use:

```sh
./cis-scan
```

To see the changes that need to be made to get a better score:

```sh
egrep "^Negative" ./cis-most-recent-log
```
Bastille Linux Script
Installation
Install the perl-Tk and perl-Curses packages, then get Bastille-3.0.9-1.0.noarch.rpm from http://www.bastille-unix.org/running_bastille_on.htm#top and install it:

```sh
yum install perl-Tk
yum install perl-Curses
rpm -Uvh Bastille-3.0.9-1.0.noarch.rpm
```
Running
This runs Bastille Linux in command line/curses mode:

```sh
/usr/sbin/bastille -c
```

Assessment mode

```
# /usr/sbin/bastille --assessnobrowser
NOTE: Using audit user interface module.
NOTE: Bastille is scanning the system configuration...
==============================================================================
| Bastille Hardening Assessment Completed                                    |
|                                                                            |
| You can find a report in HTML format at:                                   |
|   file:///var/log/Bastille/Assessment/assessment-report.html               |
|                                                                            |
| You can find a report in text format at:                                   |
|   /var/log/Bastille/Assessment/assessment-report.txt                       |
|                                                                            |
| You can find a more machine-parseable report at:                           |
|   /var/log/Bastille/Assessment/assessment-log.txt                          |
==============================================================================
```

using cis configuration

Run the CIS-supplied Bastille configuration:

```sh
cd /etc/Bastille
cp /path/to/bastille.CIS.conf config
bastille -b
```

revert

```sh
bastille -r
```
What it does
File Permissions
- mount/umount
- ping
- at
- usernetctl
- traceroute
Account Security
- password aging: 180 days
- restrict cron
- set default umask
Boot Security
- disallow root login on ttys 1-6
- password protect grub
- disable Ctrl-Alt-Del
- password protect single user mode
Secure Inetd
- set default deny on tcp wrappers and xinetd
- disable telnet
- disable ftp
- display Authorized Use message
Disable User Tools
disable gcc - root access to gcc only
Configure Misc PAM
- limit core dumps and processes
- restrict console
Logging
additional logging
Miscellaneous Daemons
stop sendmail running in daemon mode
Tmp directory
install tmpdir/tmp scripts
Firewall
turns on and configures iptables
Evaluating the Unhardened System
CIS Benchmark Scoring Tool
FedoraCore5_Hardened_Evaluation#CIS_Benchmark_Score_1
Chkconfig List of a Minimal Install
FedoraCore5_Hardened_Evaluation#Services_1
Process List
FedoraCore5_Hardened_Evaluation#Processes_1
Disk Usage
FedoraCore5_Hardened_Evaluation#Disk_Usage_1
Open Network Connections
FedoraCore5_Hardened_Evaluation#Network_Connections_1
Open Files
FedoraCore5_Hardened_Evaluation#Open_Files_1
nessus
FedoraCore5_Hardened_Evaluation#Vulnerability_Scan_1
Bastille Assessment
FedoraCore5_Hardened_Evaluation#Bastille_Assessment_1
Making the Minimum System even smaller
Following suggestions found here: http://www.simpaticus.com/linux/small-netserver-fc3-howto.php and my own experiments, I was able to remove the following packages without affecting normal operations:
I always update yum first
```sh
yum update yum
```

```sh
yum remove acl aspell aspell-en authconfig autofs bind bluez-utils bluez-libs \
  caching-nameserver cpuspeed crash desktop-file-utils dhcdbd dhcpv6_client \
  diskdumputils dos2unix dosfstools dump finger firstboot-tui gpm htmlview \
  irda-utils jwhois krb5-workstation ksh libevent libgssapi libnl lftp longrun \
  mailcap mgetty mkbootdisk mtools mtr NetworkManager nano netdump nc nfs-utils \
  nfs-utils-lib nscd nss_db nss_ldap pam_ccreds pam_krb5 pam_smb pcmciautils \
  perl-String-CRC32-1.3-3.FC5.2 pinfo portmap ppp quota rdate rdist readahead \
  redhat-menus rhpl rmt rp-pppoe rsh setuptool specspo stunnel syslinux \
  system-config-network-tui tcsh telnet traceroute unix2dos unzip vconfig wget \
  which wireless-tools wpa_supplicant ypbind yp-tools zip
```

Finally, now that we have minimized the system, we can do a complete update:

```sh
yum update
```
Reference: Simpaticus http://www.simpaticus.com/linux/barebones-server-howto.php#trimfat1
remove lingering files and accounts
```sh
find / -nouser
find / -nogroup
```
rm -rf /var/lib/nfs
( CIS 6.8 )
Change the shell on the rpm account to /dev/null or /sbin/nologin. CIS recommends changing /sbin/nologin to /dev/null on these accounts:

bin daemon lp mail nobody vcsa sshd rpc mailnull smmsp ntp
rpcuser apache http httpd named dns mysql postgres squid

using:

```sh
usermod -L -s /dev/null <account>
```

SL instead uses /sbin/nologin, which displays a banner when someone reaches an account with the nologin shell; edit /etc/nologin.txt to set that banner.
Reference: CIS 3.6
kickstart file
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/ch-kickstart2.html
The kickstart file created by your initial install is located in /root/anaconda-ks.cfg An example of the original kickstart file is here: HardeningRedHat9_Appendix#original_kickstart_file
```
# Kickstart file automatically generated by anaconda.

install
text
cdrom
lang en_US.UTF-8
keyboard us
skipx
monitor --hsync 30-70 --vsync 50-120
network --device eth0 --bootproto static --ip 192.168.1.2 --netmask 255.255.255.0 --gateway 192.168.1.1 --nameserver 192.168.1.1 --hostname example.host
network --device eth1 --onboot no --bootproto dhcp --hostname example.host
rootpw --iscrypted $1$blah
firewall --enabled --port=22:tcp
authconfig --enableshadow --enablemd5
selinux --enforcing
timezone --utc America/New_York
#zerombr yes
bootloader --location=mbr --driveorder=sda
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
clearpart --linux
part /boot --fstype ext3 --ondisk=sda --size=200 --asprimary
part /usr/local --fstype ext3 --ondisk=sda --size=3000
part /home --fstype ext3 --ondisk=sda --size=3000
part /var --fstype ext3 --ondisk=sda --size=3000
part /usr --fstype ext3 --ondisk=sda --size=3000
part / --fstype ext3 --ondisk=sda --size=3000 --asprimary
part swap --size=512 --ondisk=sda
part /tmp --fstype ext3 --ondisk=sda --size=100 --grow

%packages
@base
-acl
-aspell
-aspell-en
-authconfig
-autofs
-bind
-bluez-libs
-bluez-utils
-caching-nameserver
-cpuspeed
-crash
-desktop-file-utils
-dhcdbd
-dhcpv6_client
-diskdumputils
-dos2unix
-dosfstools
-dump
-finger
-firstboot-tui
-gpm
-htmlview
-irda-utils
-jwhois
-krb5-workstation
-ksh
-libevent
-libgssapi
-libnl
-lftp
-longrun
-mailcap
-mgetty
-mkbootdisk
-mtools
-mtr
-NetworkManager
-nano
-netdump
-nc
-nfs-utils
-nfs-utils-lib
-nscd
-nss_db
-nss_ldap
-pam_ccreds
-pam_krb5
-pam_smb
-parted
-pcmciautils
-perl-String-CRC32-1.3-3.FC5.2
-pinfo
-portmap
-ppp
-quota
-rdate
-rdist
-readahead
-redhat-menus
-rhpl
-rmt
-rp-pppoe
-rsh
-setuptool
-specspo
-stunnel
-syslinux
-system-config-network-tui
-tcsh
-telnet
-traceroute
-unix2dos
-unzip
-vconfig
-which
-wireless-tools
-wpa_supplicant
-ypbind
-yp-tools
-zip

%post
```
updating with yum
```sh
yum list updates
yum update
```
CIS Benchmark after removing packages and updating the system: 6.88
```
# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/hda3             981M  116M  816M  13% /
/dev/hda2              99M   15M   79M  16% /boot
/dev/hda8             3.7G  241M  3.3G   7% /home
none                   62M     0   62M   0% /dev/shm
/dev/hda5             587M  274M  284M  50% /usr
/dev/hda6             373M  106M  248M  30% /var
```
Turning off or removing unused services
- apmd (CIS 3.6)
- atd - removed with
- autofs - removed (CIS 3.9)
- gpm - removed (CIS 3.6)
- irda - removed (CIS 3.6)
- isdn - removed (CIS 3.6)
- kudzu (CIS 3.21)
- netfs (CIS 3.8)
- nfs - removed (CIS 3.8)
- nfslock - removed (CIS 3.9)
- pcmcia - removed (CIS 3.6)
- portmap - removed (CIS 3.12)
- sendmail (CIS 3.3)

```sh
chkconfig --level 12345 acpid off
chkconfig --level 12345 apmd off
chkconfig --level 12345 atd off
chkconfig --level 12345 irqbalance off
chkconfig --level 12345 kudzu off
chkconfig --level 12345 mdmonitor off
chkconfig --level 12345 messagebus off
chkconfig --level 12345 netfs off
chkconfig --level 12345 smartd off
```
References: CIS 2 & 3
Evaluation
CIS Benchmark Scoring Tool
FedoraCore5_Hardened_Evaluation#CIS_Benchmark_Score_2
Chkconfig List of a Minimal Install
FedoraCore5_Hardened_Evaluation#Services_2
Process List
FedoraCore5_Hardened_Evaluation#Processes_2
Disk Usage
FedoraCore5_Hardened_Evaluation#Disk_Usage_2
Open Network Connections
FedoraCore5_Hardened_Evaluation#Network_Connections_2
Open Files
FedoraCore5_Hardened_Evaluation#Open_Files_2
nessus
FedoraCore5_Hardened_Evaluation#Vulnerability_Scan_2
Bastille Assessment
FedoraCore5_Hardened_Evaluation#Bastille_Assessment_2
Reducing remote access
Physical Access
Computer security starts with physical security. If a hacker can physically reach your computer then they will be able to break in or steal data.
Banners
http://ciac.llnl.gov/ciac/bulletins/j-043.shtml
Banner recommended by Bastille Linux script. Replace $owner with your name if you wish. If you have a company that specifies a banner, use that banner instead:
```
***************************************************************************
                              NOTICE TO USERS

This computer system is the private property of $owner, whether
individual, corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.

Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.

By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials. Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.
****************************************************************************
```
rewrite /etc/rc.d/rc.local with this file: HardeningRedHat9_Appendix#rc.local to have the above banner written to /etc/issue and /etc/issue.net. In /etc/motd the above banner will be displayed again along with system information once someone logs in.
Execute /etc/rc.d/rc.local so that /etc/motd, /etc/issue and /etc/issue.net get written correctly, then set ownership and permissions:

```sh
chown root:root /etc/motd /etc/issue /etc/issue.net
chmod 644 /etc/motd /etc/issue /etc/issue.net
```
References: CIS 9.1
TCP Wrappers
Setting up the TCP Wrappers banner:
```sh
mkdir /etc/banners
echo "Authorized Users Only. All activity may be monitored and reported." > /etc/banners/prototype
cd /etc/banners
/usr/bin/make -f /usr/share/doc/tcp_wrappers-7.6/Banners.Makefile
ls /etc/banners
in.ftpd  in.rlogind  in.telnetd  nul  prototype
```

To do the above you need to have make and gcc installed. After it has been done on one computer, it can be transported to other installations with the same operating system by creating a tar file of /etc/banners.
Setting up warning message for /sbin/nologin:
```sh
cp /etc/banners/prototype /etc/nologin.txt
chown root:root /etc/nologin.txt
chmod 644 /etc/nologin.txt
```
/etc/hosts.allow
```
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
ALL: LOCAL : banners /etc/banners
sshd: ALL
```
/etc/hosts.deny
```
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
ALL: ALL : spawn (/bin/echo -e `/bin/date` "\n%c attempted connection to %s and was denied"\
  | /bin/mail -s "Connection attempt to %s" root) &
```
References: SL 2.5.6.1, CIS 2.2
Secure Shell
Before you proceed with this configuration, verify that you have a non-root login created.

The following changes will need to be made in /etc/ssh/sshd_config:

```
Protocol 2
X11Forwarding yes
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
Banner /etc/issue.net

# for added security, restrict ssh to listed users (add others as needed)
AllowUsers joeuser
```

The AllowUsers option should probably only be used on systems with small numbers of users, due to the amount of administration involved: every time you add a user who needs to log in remotely, they will have to be added here as well.

Restart sshd:

```sh
service sshd restart
```

/etc/ssh/ssh_config

```
Host *
    Protocol 2
```

The complete files are found here: FedoraCore5_Appendix#sshd_config and FedoraCore5_Appendix#ssh_config
also see chroot-ing ssh http://chrootssh.sourceforge.net/index.php
References: CIS 1.3, SL 3.3.4, Simpaticus http://www.simpaticus.com/linux/barebones-server-howto.php#opensshserver
Network Kernel Parameters
Note: these are the defaults in sysctl.conf:

```
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
```

/etc/sysctl.conf

```
# Following 11 lines added by CISecurity Benchmark sec 4.1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Following 3 lines added by CISecurity Benchmark sec 4.2
# do not perform below if system is firewall or gateway.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
```

```sh
chown root:root /etc/sysctl.conf
chmod 0600 /etc/sysctl.conf
service network restart
```
The complete sysctl.conf file is here: FedoraCore5_Appendix#sysctl.conf
References: CIS 4.1, CIS 4.2, SL 2.2.1
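Settings like the sshd_config directives and the sysctl values above tend to drift back after package updates, so here is an added example (written for this page; it is not part of the wiki, of the CIS benchmark or of the SL material) of a small POSIX shell audit. It normalises a "Key value" or "key = value" style file and reports every directive from an expected list that is missing or carries a different value. The function names, the two expected lists and the sample files are my own; the samples are constructed and deliberately contain deviations.

```sh
#!/bin/sh
# Added example, not from the wiki page: check an sshd_config or sysctl.conf
# style file ("Key value" or "key = value" lines) against a list of expected
# settings and report every directive that is missing or has another value.

# Strip comments and blank lines, and rewrite "key = value" / "key   value"
# as "key value" so both file styles can be compared the same way.
normalize_config() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*=[[:space:]]*/ /' -e 's/[[:space:]]\{1,\}/ /g' "$1"
}

# audit_config FILE EXPECTED
#   EXPECTED holds one "key value" pair per line. Prints "MISSING key want"
#   or "WRONG key got want" per deviation; prints nothing when all match.
#   The last occurrence of a key wins (the way sysctl applies duplicates).
audit_config() {
    normalized=$(normalize_config "$1")
    printf '%s\n' "$2" | while read -r key want; do
        [ -n "$key" ] || continue
        got=$(printf '%s\n' "$normalized" | awk -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ -z "$got" ]; then
            echo "MISSING $key $want"
        elif [ "$got" != "$want" ]; then
            echo "WRONG $key $got $want"
        fi
    done
}

# Directives taken from the Secure Shell and Network Kernel Parameters sections.
SSHD_EXPECTED='Protocol 2
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
Banner /etc/issue.net'

SYSCTL_EXPECTED='net.ipv4.ip_forward 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.tcp_syncookies 1
net.ipv4.icmp_echo_ignore_broadcasts 1'

# Constructed sample files for a dry run (not copied from any real host);
# prints the directory they were written to.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/sshd_config" <<'EOF'
# constructed: root login still allowed, two directives absent
Protocol 2
X11Forwarding yes
PermitRootLogin yes
PermitEmptyPasswords no
Banner /etc/issue.net
EOF
    cat > "$dir/sysctl.conf" <<'EOF'
# constructed: send_redirects missing, broadcast pings still answered
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 0
EOF
    echo "$dir"
}

# Stand-alone run: "sh audit.sh --demo" audits the constructed files. On a
# real host pass /etc/ssh/sshd_config and /etc/sysctl.conf to audit_config.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    audit_config "$d/sshd_config" "$SSHD_EXPECTED"
    audit_config "$d/sysctl.conf" "$SYSCTL_EXPECTED"
fi
```

The sample sshd_config yields three findings (PermitRootLogin wrong, IgnoreRhosts and HostbasedAuthentication missing) and the sample sysctl.conf two. Note that sshd itself honours the first occurrence of a directive while sysctl applies the last, so a file that produces different results under the two rules has duplicate keys worth cleaning up by hand.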
inittab
If X is installed, disable GUI login change:
id:5:initdefault
to:
id:3:initdefault
Reference: CIS 3.4
Require root to log into single user mode:
add
~~:S:wait:/sbin/sulogin
Reference: CIS 7.9
Disable Ctrl-Alt-Del for automatic reboot:
comment out
##ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Reference: SL 2.3.2
Remove unused login daemons
comment out
```
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
# Disable gettys not being used
##2:2345:respawn:/sbin/mingetty tty2
##3:2345:respawn:/sbin/mingetty tty3
##4:2345:respawn:/sbin/mingetty tty4
##5:2345:respawn:/sbin/mingetty tty5
##6:2345:respawn:/sbin/mingetty tty6
```
SU recommends the use of the GNU Screen command to run multiple shell sessions instead of multiple gettys. This can be installed with: yum install screen.
The complete inittab file is here: FedoraCore5_Appendix#inittab
Reference: SU 506.2 2-16
```sh
chown root:root /etc/inittab
chmod 644 /etc/inittab
```
securetty
Edit /etc/securetty so that it looks like this
```
console
tty1
```

```sh
chown root:root /etc/securetty
chmod 400 /etc/securetty
```
Reference: CIS 7.7, SL 2.3.1
grub.conf
To force a grub password, add the following line before the first uncommented line in /boot/grub/grub.conf (also reachable as /etc/grub.conf):

```
password <clear-text password>
```
If you are planning on limiting USB access, you can do that now since it requires changes to grub.conf
In addition, I prefer to not use the splashimage and hiddenmenu options and I comment them out.
The complete grub file is here: FedoraCore5_Appendix#grub.conf
References: CIS 7.8, SL 2.1.3
Evaluation
CIS Benchmark Scoring Tool
FedoraCore5_Hardened_Evaluation#CIS_Benchmark_Score_3
Chkconfig List of a Minimal Install
FedoraCore5_Hardened_Evaluation#Services_3
Process List
FedoraCore5_Hardened_Evaluation#Processes_3
Disk Usage
FedoraCore5_Hardened_Evaluation#Disk_Usage_3
Open Network Connections
FedoraCore5_Hardened_Evaluation#Network_Connections_3
Open Files
FedoraCore5_Hardened_Evaluation#Open_Files_3
nessus
FedoraCore5_Hardened_Evaluation#Vulnerability_Scan_3
Bastille Assessment
FedoraCore5_Hardened_Evaluation#Bastille_Assessment_3
Reducing local access
fstab
Following the principle of least privilege, the partitions are adjusted to restrict access.

before:

```
LABEL=/      /            ext3         defaults                1 1
LABEL=/boot  /boot        ext3         defaults                1 2
none         /dev/pts     devpts       gid=5,mode=620          0 0
none         /proc        proc         defaults                0 0
none         /dev/shm     tmpfs        defaults                0 0
LABEL=/usr   /usr         ext3         defaults                1 2
LABEL=/var   /var         ext3         defaults                1 2
/dev/hda7    swap         swap         defaults                0 0
/dev/cdrom   /mnt/cdrom   udf,iso9660  noauto,owner,kudzu,ro   0 0
/dev/fd0     /mnt/floppy  auto         noauto,owner,kudzu      0 0
```

edit /etc/fstab

after:

```
LABEL=/      /            ext3         defaults                1 1
LABEL=/boot  /boot        ext3         nodev                   1 2
none         /dev/pts     devpts       gid=5,mode=620          0 0
none         /proc        proc         defaults                0 0
none         /dev/shm     tmpfs        defaults                0 0
LABEL=/usr   /usr         ext3         ro,nodev                1 2
# the options of the /var line are unreadable in the source of this page
LABEL=/var   /var         ext3         ...                     1 2
/dev/hda7    swap         swap         defaults                0 0
/dev/cdrom   /mnt/cdrom   udf,iso9660  noauto,nosuid,nodev,ro  0 0
/dev/fd0     /mnt/floppy  auto         noauto,nosuid,nodev     0 0
```
Because /usr is now mounted as read-only, it will need to be remounted as read-write anytime updates or new applications are installed. Use the command:
mount -o remount,rw /usr
to do this, install binaries, then use:
mount -o remount,ro /usr
to return it to read-only.
From CIS Benchmark: "Additional actions are required for RHEL3 and later and Fedora Core 3 and later. These operating systems use the Hardware Abstraction Layer (HAL) Daemon software to update the filesystem description table (/etc/fstab) based on a series of SGML policies located in /usr/share/hal/fdi/ using the program fstab-sync. Experience has shown HAL is still maturing and there is a lack of tools available to configure the SGML configuration files. Editing these SGML files manually is beyond the scope of this Benchmark. Therefore, once the desired changes are made to /etc/fstab, set it to be immutable (as discussed in the fstab-sync man page)."
chattr +i /etc/fstab
References: CIS 6.1 & 6.2
removable media
Note: there are changes from previous versions of cis and fedora
Make it so that only root can mount removable media
edit /etc/security/console.perms.d/50-default.perms
comment out the following lines:
```
#<console> 0660 <floppy>      0660 root.floppy
#<console> 0600 <cdrom>       0660 root.disk
#<console> 0600 <pilot>       0660 root.uucp
#<console> 0600 <jaz>         0660 root.disk
#<console> 0600 <zip>         0660 root.disk
#<console> 0600 <ls120>       0660 root.disk
#<console> 0600 <camera>      0600 root
#<console> 0600 <memstick>    0600 root
#<console> 0600 <flash>       0600 root
#<console> 0600 <diskonkey>   0660 root.disk
#<console> 0600 <rem_ide>     0660 root.disk
#<console> 0600 <rio500>      0600 root
#<console> 0600 <pmu>         0600 root
#<console> 0600 <bluetooth>   0600 root
#<console> 0600 <raw1394>     0600 root
#<console> 0600 <irda>        0600 root
#<console> 0600 <dvb>         0600 root
#<console> 0600 <dri>         0600 root
```
chmod 600 /etc/security/console.perms.d/50-default.perms
References: CIS 6.3
cron & at
Restrict the adding of cron and at jobs to root only. Jobs can still run as other users, but only root can install them.

Remove /etc/cron.deny and /etc/at.deny if they exist, and edit /etc/cron.allow and /etc/at.allow so that root is the only authorized user:

```sh
echo root > /etc/cron.allow
echo root > /etc/at.allow
chown root:root /etc/cron.allow /etc/at.allow
chmod 400 /etc/cron.allow /etc/at.allow
```
Reference: CIS 7.4
```sh
chmod 400 /etc/crontab
cd /etc    # the listing below is relative to /etc
ls | grep cron | grep -v preCIS | xargs chmod -R go-rwx
```

Result:

```
# ls -al at.*
-r--------  1 root root    5 Feb  1 12:49 at.allow
-rw-------  1 root root    1 Nov  6 09:11 at.deny-preCIS
# ls -al | grep cron
-rw-------  1 root root  298 Oct 11 08:19 anacrontab
-r--------  1 root root    5 Feb  1 12:44 cron.allow
drwx------  2 root root 4096 Jan 30 13:25 cron.d
drwx------  2 root root 4096 Jan 26 11:58 cron.daily
drwxr-xr-x  2 root root 4096 Jan 26 11:58 cron.daily-preCIS
-rw-r--r--  1 root root    0 Jan 18 07:34 cron.deny-preCIS
drwx------  2 root root 4096 Sep  8 07:49 cron.d-preCIS
drwx------  2 root root 4096 Dec 10  2005 cron.hourly
drwxr-xr-x  2 root root 4096 Dec 10  2005 cron.hourly-preCIS
drwx------  2 root root 4096 Jan 26 11:56 cron.monthly
drwxr-xr-x  2 root root 4096 Jan 26 11:56 cron.monthly-preCIS
-r--------  1 root root  255 Dec 10  2005 crontab
-rw-r--r--  1 root root  255 Dec 10  2005 crontab-preCIS
drwx------  2 root root 4096 Jan 26 11:58 cron.weekly
drwxr-xr-x  2 root root 4096 Jan 26 11:58 cron.weekly-preCIS
```
Reference: CIS 7.5
remove unused accounts
backup /etc/passwd /etc/group /etc/shadow
remove accounts: uucp games gopher operator
userdel uucp userdel operator userdel games userdel gopher
userdel adm userdel news userdel ftp userdel pcap
remove groups: uucp games gopher dip
groupdel uucp
groupdel dip
groupdel games
groupdel gopher
(the gopher group may already be gone, because removing the gopher account removed its private group)
search for accounts from uninstalled packages (SL 2.4.2)
verify passwd & group
/usr/sbin/pwck
/usr/sbin/grpck
find files that are owned by deleted users or groups
find / -nouser -exec /bin/chown root {} \;
find / -nogroup -exec /bin/chgrp root {} \;
change the shell on system accounts such as rpm to /dev/null or /sbin/nologin
CIS recommends changing /sbin/nologin to /dev/null on accounts:
bin daemon lp mail nobody vcsa sshd rpc mailnull smmsp ntp rpm
use usermod -L -s /dev/null <account>
SL uses /sbin/nologin instead, so that a banner is shown when someone reaches an account with the nologin shell; the banner text is read from /etc/nologin.txt, so edit that file.
Reference: CIS 8.1, SL 2.4.2
passwords
Setting values
Default values:
Maximum password age: 99999 days = never
Minimum password age between changes: 0 days
Warning period: 7 days before maximum password age
Minimum password length: 5 characters
Recommended values by CIS:
Maximum password age: 90 days
Minimum password age between changes: 7 days
Warning period: 28 days before maximum password age
Minimum password length: 6 characters
Recommended values by SL:
Maximum password age: 180 days
Minimum password age between changes: 2 days
Warning period: 7 days before maximum password age
Minimum password length: 5 characters
edit /etc/login.defs
##PASS_MAX_DAYS 99999
PASS_MAX_DAYS 90
##PASS_MIN_DAYS 0
PASS_MIN_DAYS 7
##PASS_MIN_LEN 5
PASS_MIN_LEN 6
##PASS_WARN_AGE 7
PASS_WARN_AGE 28
for existing accounts:
chage -M 90 -m 7 -W 28 <account>
apply to all accounts with uid 500 or higher:
awk -F: '$3 >= 500 { system ("chage -M 90 -m 7 -W 28 " $1) }' /etc/passwd
Reference: CIS 8.3, SL 2.4.1
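An added audit (not from the wiki) that reports ordinary accounts, selected by uid >= 500 as the awk one-liner above does, whose ageing fields in /etc/shadow fall outside the CIS values set above, and prints the matching chage commands; the passwd and shadow samples are constructed.

```bash
#!/bin/sh
# Added example (not the wiki's own script): audit password ageing for UID >= 500
# accounts against the CIS values the page applies, and emit chage commands for
# any account that does not comply. File paths are parameters so copies can be checked.
MAX_DAYS=90; MIN_DAYS=7; WARN_DAYS=28; MIN_UID=500

# Print one line per violation: "<user> <field>=<value>"   ($1 = passwd, $2 = shadow)
audit_password_aging() {
    awk -F: -v max="$MAX_DAYS" -v min="$MIN_DAYS" -v warn="$WARN_DAYS" -v minuid="$MIN_UID" '
        # first file (passwd): remember the ordinary accounts by UID
        FNR == NR { if ($3 + 0 >= minuid + 0) user[$1] = 1; next }
        # second file (shadow): name:hash:lastchg:min:max:warn:inactive:expire:flag
        ($1 in user) {
            if ($5 == "" || $5 + 0 > max + 0)  printf "%s max=%s\n",  $1, ($5 == "" ? "unset" : $5)
            if ($4 == "" || $4 + 0 < min + 0)  printf "%s min=%s\n",  $1, ($4 == "" ? "unset" : $4)
            if ($6 == "" || $6 + 0 < warn + 0) printf "%s warn=%s\n", $1, ($6 == "" ? "unset" : $6)
        }' "$1" "$2"
}

# Turn the audit into the chage invocations the page applies by hand (one per account).
remediation_commands() {
    audit_password_aging "$1" "$2" | awk '{ print $1 }' | sort -u |
        sed "s/^/chage -M $MAX_DAYS -m $MIN_DAYS -W $WARN_DAYS /"
}

# --- constructed sample files (hashes and change dates are placeholders) ---
SAMPLE=$(mktemp -d)
PASSWD_SAMPLE="$SAMPLE/passwd"; SHADOW_SAMPLE="$SAMPLE/shadow"
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
EOF
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$1$placeholder:13500:0:99999:7:::
bin:*:13500:0:99999:7:::
alice:$1$placeholder:13500:7:90:28:::
bob:$1$placeholder:13500:0:99999:7:::
EOF
audit_password_aging "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"
remediation_commands "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"
```

System accounts such as root and bin are deliberately skipped, matching the uid filter of the one-liner above; alice already complies and produces no output.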
using pam
determining quality of passwords
johntheripper
umask
services: edit /etc/rc.d/init.d/functions and change
umask 022
to
umask 027
Reference: CIS 8.13
edit
/etc/profile /etc/csh.login
append to each file:
umask 077
then run chmod 444 <file>
/etc/csh.cshrc
##if $status then
## umask 022
##else
## umask 002
##endif
umask 077
chmod 444 /etc/csh.cshrc
/etc/bashrc
in this file change umask 022 to 077 and umask 002 to 007, then run chmod 444 <file>
/root/.bash_profile /root/.bashrc /root/.cshrc
tcsh has been removed, but if it existed do the following:
/root/.tcshrc
append to each file:
umask 077
SL notes that this may result in a warning message during the upgrade of some packages.
References: CIS 8.10, SL 2.4.5
logout of inactive sessions
for bash, edit /etc/profile
# logout after 15 minutes
TMOUT=900
for csh, edit /etc/csh.cshrc
# logout after 15 minutes
set autologout=15
Reference: SL 2.4.5.1
limits.conf
prevent core dumps: edit /etc/security/limits.conf
#* soft core 0
* soft core 0
#* hard rss 10000
* hard core 0
limit users to 150 concurrent processes
* hard nproc 150
Not necessary, but this file can also limit the maximum file size; to limit files to 100 MB (the fsize value is in KB):
* hard fsize 102400
Reference: CIS 8.11, SL 2.4.6.1
suid audit
Determine list of suid programs:
find <partition> \( -perm -04000 -o -perm -02000 \) -type f -xdev -print
Removing suid privileges:
chmod u-s <program>
Adding suid privileges:
chmod u+s <program>
Recommendations:
candidates to review (BL): mount/umount, ping, at, usernetctl
References: BL - FilePermissions, CIS 6.7
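An added example, not the wiki's own script, that turns the suid listing above into a baseline check: save the list once after hardening and report any file that later gains the setuid or setgid bit. The scan root is a parameter (pass / on a real system) and the scratch tree is constructed.

```bash
#!/bin/sh
# Added example (not the wiki's own script): record a baseline of setuid/setgid files
# and report anything that gains those bits later. $1 is the tree to scan; -xdev keeps
# the scan on one filesystem, as the page's find does.

# Print setuid/setgid regular files under $1, relative to $1, sorted for comm(1).
list_setuid() {
    ( cd "$1" && find . \( -perm -04000 -o -perm -02000 \) -type f -xdev -print ) | sort
}

# Save the current list as the baseline file $2 (take it right after hardening).
save_baseline() {
    list_setuid "$1" > "$2"
}

# Print files that carry the bits now but are absent from the baseline.
new_since_baseline() {
    list_setuid "$1" | comm -13 "$2" -
}

# --- constructed scratch tree standing in for a hardened root filesystem ---
SCRATCH=$(mktemp -d)
mkdir -p "$SCRATCH/bin" "$SCRATCH/sbin"
for f in bin/mount bin/umount bin/ping; do
    : > "$SCRATCH/$f"
    chmod u+s "$SCRATCH/$f"          # programs the page lists as suid candidates
done
: > "$SCRATCH/bin/ls"                # an ordinary binary, no special bits
BASELINE="$SCRATCH/suid.baseline"
save_baseline "$SCRATCH" "$BASELINE"

# Later a package update or a mistake grants setuid and setgid to two more files.
: > "$SCRATCH/sbin/usernetctl"; chmod u+s "$SCRATCH/sbin/usernetctl"
: > "$SCRATCH/bin/wall";        chmod g+s "$SCRATCH/bin/wall"

echo "new setuid/setgid files since baseline:"
new_since_baseline "$SCRATCH" "$BASELINE"
```

Run the baseline save from cron or after each update and mail the diff with the rest of the logs; an empty diff is the expected result.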
su and sudo
Important note about "su" and "su -"
su - <account> starts a login shell, so the target account's own environment variables are applied; plain su keeps the caller's environment
UPDATE: see new CIS Benchmark 8.13
edit /etc/pam.d/su enable this line:
# Uncomment the following line to require a user to be in the "wheel" group.
auth required /lib/security/$ISA/pam_wheel.so use_uid
add users to the wheel group with (usermod -G replaces the whole supplementary group list, so include the groups the user already has):
usermod -G joeuser,wheel joeuser
sudo
visudo
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
Evaluation
Enhancing Logging
time
In order to get logs with accurate times, one needs to have an accurate clock.
If not installed, install ntp; this also requires libcap.
edit /etc/ntp.conf and the files under /etc/ntp/
Sidenote: one can use a gps unit as a time source for ntp. (researching) see http://www.boulder.nist.gov/timefreq/service/gpscal.htm
References: CIS 5
http://www.ntp.org/
http://www.ntp.org/ntpfaq/NTP-a-faq.htm
http://www.sun.com/blueprints/0701/NTP.pdf
http://www.sun.com/blueprints/0801/NTPpt2.pdf
Logs are frequently reported to administrators by email. Unlike previous versions of sendmail, version 8.12 requires the daemon to be running to send outgoing mail, unless a specific mail relay has been specified.
edit /etc/mail/submit.cf
find: D{MTAHost} [127.0.0.1]
replace 127.0.0.1 with ip address of mail relay.
to turn off MTA daemon edit /etc/sysconfig/sendmail
set DAEMON=no
If the mail daemon needs to run, make sure that /etc/hosts.allow is configured to allow connections; otherwise mail won't reach the sendmail daemon on the same computer.
sendmail: 127.0.0.1
Reference: SU 506.2 2-18
sysstat
yum install sysstat
Documentation for sysstat
http://perso.wanadoo.fr/sebastien.godard/
Reference: CIS 1.5
syslog
Add the following to /etc/syslog.conf
#If you have a remote logging host, uncomment the lines corresponding to
#the types of messages you want to forward to it. Replace this string
#loghost with the IP address of your central logging server.
#kern.* @loghost
#authpriv,auth.* @loghost
#mail.* @loghost
# or to send everything
#*.* @loghost
################
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
kern.* /dev/console
#Send kernel messages to a separate file. Note this will
#include messages generated by iptables about blocked
#network traffic.
kern.* /var/log/kernel
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
##*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;authpriv,auth,mail,cron,kern,local7.none /var/log/messages
# The authpriv file has restricted access.
##authpriv.* /var/log/secure
# capture auth messages also
auth,authpriv.* /var/log/secure
Create file for kernel log, and set to proper permissions
touch /var/log/kernel
chmod 400 /var/log/kernel
References: CIS 5.2, SL 2.8.1.1, SL Appendix B
logrotate
edit /etc/logrotate.conf
# rotate log files weekly
##weekly
monthly
# keep 4 weeks worth of backlogs
#rotate 4
rotate 12
# uncomment this if you want your log files compressed
#compress
compress
edit /etc/logrotate.d/syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/kernel {
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
Restart syslogd
/sbin/service syslog restart
Force log rotation to verify all is correct.
/usr/sbin/logrotate -f /etc/logrotate.conf
Reference: SL 2.8.2.1, SL 2.8.2.2
logwatch
Configuring logwatch: edit /etc/logwatch/conf/logwatch.conf and add this line:
MailTo = <address>
You will be emailed nightly.
References: http://www.logwatch.org
logcheck
installing logcheck (must have gcc installed) see http://sourceforge.net/projects/sentrytools/
download logcheck-1.1.1.tar.gz
tar -xvzf logcheck-1.1.1.tar.gz
cd logcheck-1.1.1
make linux
set address to mail logs to
vi /usr/local/etc/logcheck.sh
add to crontab
00 * * * * /usr/local/etc/logcheck.sh
verify only root can use directory /usr/local/etc/tmp
note: this location will need to be changed if /usr is made read-only
process accounting
Install and start process accounting. Warning: this can be very system intensive.
yum install psacct
service psacct start
Associated commands:
ac - displays statistics about how long users have been logged on
lastcomm - displays information about previously executed commands
sa - summarizes information about previously executed commands
Firewall
note on enabling iptables logging: http://www.redhatmagazine.com/2007/01/18/how-do-i-add-logging-for-iptables-using-the-etcsysconfigiptables-file-for-red-hat-enterprise-linux-4/
system-config-securitylevel
/usr/bin/system-config-securitylevel
creates file at /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Shorewall
http://www.shorewall.net/
Installation - 3.0.5 is in Extras
yum install shorewall
Modify files
Edit /etc/shorewall/shorewall.conf. Templates for one-, two- or three-interface rules are found here:
/usr/share/doc/shorewall-3.0.5/Samples
copy the one-interface sample to /etc/shorewall, then edit /etc/shorewall/rules to allow SSH:
SSH/ACCEPT net $FW
To allow for logging of dropped packets
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT
##net all DROP info
net all DROP warning
# The FOLLOWING POLICY MUST BE LAST
##all all REJECT info
all all REJECT warning
replace iptables with shorewall
remove iptables from chkconfig
chkconfig --level 12345 iptables off
stop iptables
service shorewall start
To restart shorewall always
service shorewall stop
service shorewall start
Blacklists: http://www.shorewall.net/blacklisting_support.htm
Firestarter
http://www.fs-security.com/ Firestarter 1.0.3 is in Extras
SELinux
FC5 Release Notes
The new SELinux project pages have troubleshooting tips, explanations, and pointers to documentation and references. Some useful links include the following:
- New SELinux project pages: http://fedoraproject.org/wiki/SELinux
- Troubleshooting tips: http://fedoraproject.org/wiki/SELinux/Troubleshooting
- Frequently Asked Questions: http://fedora.redhat.com/docs/selinux-faq/
- Listing of SELinux commands: http://fedoraproject.org/wiki/SELinux/Commands
- Details of confined domains: http://fedoraproject.org/wiki/SELinux/Domains
Multi Category Security (MCS)
MCS is a general-use implementation of the more stringent Multilevel Security (MLS). MCS is an enhancement to SELinux to allow users to label files with categories. Categories might include Company_Confidential, CEO_EYES_ONLY, or Sysadmin_Passwords. For more information about MCS, refer to http://james-morris.livejournal.com/5583.html, an article by the author.
Multilevel Security (MLS)
MLS is a specific Mandatory Access Control (MAC) scheme that labels processes and objects with special security levels. For example, an object such as a document file can have the security level of { Secret, ProjectMeta }, where Secret is the sensitivity level, and ProjectMeta is the category. For more information about MLS, refer to http://james-morris.livejournal.com/5020.html.
Applications
java
Problems have been reported when installing the Sun Java rpm package on Fedora Core 4 and above. The release notes for Fedora Core 4 recommend either installing the Sun Java binary or creating a Sun Java rpm using the jpackage repository.
The easiest way to get sun java installed on linux is described here: http://fedorasolved.org/browser-solutions/java-i386/
The link describes how to install Java 1.6, but Java 1.5 is needed for compatibility with the CIS NG Scoring tool.
The following instructions apply to Java 1.5.0.10
* Go to Java SE Downloads - Previous Release - JDK 5: http://java.sun.com/javase/downloads/index_jdk5.jsp
* Find Java Runtime Environment (JRE) 5.0 Update 10, press Download
* Select Accept License Agreement
* Select Linux self-extracting file jre-1_5_0_10-linux-i586.bin (16.28 Mb)
Note for how one would use the jpackage repository are here: http://www.city-fan.org/tips/JpackageJava
compilers
Sometimes binaries are not available and you need to compile one yourself. This configuration does not contain compilers. It would be best to have a separate machine to do development on, but that is not always possible.
researching: determining what to install
yum install gcc
Removing compilers
yum remove gcc gcc3 gcc3-c++ gcc3-g77 gcc3-java gcc3-objc gcc-c++ gcc-chill gcc-g77 gcc-java gcc-objc bin86 dev86 nasm
Reference: CIS 8.12
sendmail
http://www.deer-run.com/~hal/dns-sendmail/ http://www.deer-run.com/~hal/sysadmin/sendmail.html http://www.deer-run.com/~hal/sysadmin/sendmail2.html
syslog-ng
http://www.balabit.com/products/syslog_ng/
aide
http://www.cs.tut.fi/~rammer/aide.html http://sourceforge.net/projects/aide
bind
web servers
apache
tux
lighttpd
ftp servers
wu-ftp
vsftp
vpn
http://www.openswan.org/
intrusion detection
psad
http://www.cipherdyne.com/psad/
snort
http://www.snort.org/
VmWare
possible issues with fc5 http://www.vmware.com/community/thread.jspa?threadID=31877
Disk Encryption
http://www.sdc.org/~leila/usb-dongle/readme.html
http://www.redhatmagazine.com/2007/01/18/disk-encryption-in-fedora-past-present-and-future/
http://fedoraproject.org/wiki/Releases/FeatureEncryptedFilesystems
Administering the Hardened System
Adding Users
useradd <account>
To allow the user to log in with ssh, add <account> to the AllowUsers line in /etc/ssh/sshd_config (append the line if it is not there yet):
AllowUsers <account>
service sshd restart
To allow user to use su
gpasswd -a <account> wheel
Install/Updating Software
Because /usr is now mounted as read-only, it will need to be remounted as read-write anytime updates or new applications are installed. Use the command:
mount -o remount,rw /usr
to do this, install binaries, then use:
mount -o remount,ro /usr
to return it to read-only.
Installing new hardware
before shutting down the machine
chkconfig kudzu on
halt
install hardware, then boot after kudzu detects the hardware
service kudzu stop
chkconfig kudzu off
Security Checks
These checks assume the steps above were followed; they are listed here for the purpose of verifying the hardened state.
system utilities
ps
netstat
lsof
CIS Benchmarking Tool
confirm that password-less accounts do not exist
awk -F: '($2 == "") {print $1}' /etc/shadow
should return empty.
Reference: SL 2.4.4
chkrootkit
http://www.chkrootkit.org/
aide
nessus
Other References
O'Reilly Book: Building Secure Servers with Linux
http://www.oreilly.com/catalog/bssrvrlnx/
http://www.fedorafaq.org/
http://www.fedoraforum.org/
http://fedorasolved.org/
http://www.mjmwired.net/resources/mjm-fedora-fc5.html
http://www.stanton-finley.net/fedora_core_5_installation_notes.html
http://www.stud.uni-karlsruhe.de/~usge/fc2_install_notes.html
http://fedoranews.org/colin/fnu/issue12.shtml
http://fedoranews.org/colin/fnu/issue13.shtml
http://fedoranews.org/colin/fnu/issue14.shtml
http://users.netwit.net.au/~pursang/game.html
This page was last modified 18:08, 2 Oct 2007.

