HardeningRedHat9 Appendix


This document is used in conjunction with HardeningRedHat9
Also see HardeningRedHat9_Evaluation


harddisks

/etc/sysconfig/harddisks

# /etc/sysconfig/harddisks: hdparm tuning values. These are performance
# settings rather than hardening controls; the text below itself warns that
# DMA and multiple-sector I/O can corrupt data on some hardware, so test on
# the actual drive before relying on them.
# These options are used to tune the hard drives -
# read the hdparm man page for more information
# Set this to 1 to enable DMA. This might cause some
# data corruption on certain chipset / hard drive
# combinations. This is used with the "-d" option
 USE_DMA=1
# Multiple sector I/O. a feature of most modern IDE hard drives,
# permitting the transfer of multiple sectors per I/O interrupt,
# rather than the usual one sector per interrupt.  When this feature
# is enabled, it typically reduces operating system overhead for disk
# I/O by 30-50%.  On many systems, it also provides increased data
# throughput of anywhere from 5% to 50%.  Some drives, however (most
# notably the WD Caviar series), seem to run slower with multiple mode
# enabled. Under rare circumstances, such failures can result in
# massive filesystem corruption. USE WITH CAUTION AND BACKUP.
# This is the sector count for multiple sector I/O - the "-m" option
#
 MULTIPLE_IO=16
# (E)IDE 32-bit I/O support (to interface card)
# NOTE(review): presumably passed to hdparm's -c option, where 3 selects
# 32-bit transfers with a sync sequence -- confirm against the hdparm man page.
#
 EIDE_32BIT=3
# Enable drive read-lookahead
# (left commented out, so this listing does not set it)
#
# LOOKAHEAD=1
# Add extra parameters here if wanted
# On reasonably new hardware, you may want to try -X66, -X67 or -X68
# Other flags you might want to experiment with are -u1, -a and -m
# See the hdparm manpage (man hdparm) for details and more options.
#
# Empty: no additional hdparm flags are passed.
EXTRA_PARAMS=

yum.conf

Note: because of the way this wiki is formatted, the first character of each line of the file below appears to be a space, but is not. If you cut and paste this text from the wiki, remove that character from each line to avoid yum errors.

# yum.conf for Red Hat Linux 9 pointing at the Fedora Legacy mirrors.
# NOTE(review): every baseurl below is plain http://, so the transport gives
# no integrity or authenticity guarantee. gpgcheck=1 in each repository
# section is the control that rejects unsigned or altered packages, and it
# only helps if the repository signing keys were imported into the RPM
# keyring from a source you trust.
[main]
cachedir=/var/cache/yum
debuglevel=2
logfile=/var/log/yum.log
pkgpolicy=newest
distroverpkg=redhat-release
tolerant=1
exactarch=1
retries=20
# Base OS packages. Two mirrors; failovermethod=priority tries them in the
# order listed.
[base]
name=RedHat $releasever - $basearch - Base
baseurl=http://mirror.vcu.edu/pub/linux/fedoralegacy/redhat/$releasever/os/$basearch/
    http://download.fedoralegacy.org/redhat/$releasever/os/$basearch
failovermethod=priority
gpgcheck=1
# Released updates, same mirror pair and ordering as [base].
[updates-released]
name=RedHat $releasever - $basearch - Released Updates
baseurl=http://mirror.vcu.edu/pub/linux/fedoralegacy/redhat/$releasever/updates/$basearch/
     http://download.fedoralegacy.org/redhat/$releasever/updates/$basearch
failovermethod=priority
gpgcheck=1 
# Fedora Legacy's own utilities; single mirror.
[legacy-utils]
name=Fedora Legacy utilities for Red Hat Linux $releasever
baseurl=http://download.fedoralegacy.org/redhat/$releasever/legacy-utils/$basearch
gpgcheck=1
# Third-party repository. The first mirror and failovermethod are commented
# out, which leaves one baseurl on the indented continuation line. Packages
# from here are signed with a different key than the base OS, so that key has
# to be verified and imported separately for gpgcheck=1 to pass.
[fedora-us-stable]
name=Fedora Project RedHat $releasever - $basearch - Fedora Extras
baseurl= 
#http://mirror.vcu.edu/pub/linux/fedora.us/redhat/$releasever/$basearch/RPMS.stable
    http://download.fedora.us/fedora/redhat/$releasever/$basearch/RPMS.stable
#failovermethod=priority
gpgcheck=1

kickstart

original kickstart file

/root/anaconda-ks.cfg
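# Kickstart file automatically generated by anaconda.
# This copy lives at /root/anaconda-ks.cfg. It carries the root password
# hash, so keep it readable by root only and strip the hash before sharing.
install
lang en_US.UTF-8
langsupport --default en_US.UTF-8 en_US.UTF-8
keyboard us
mouse generic3ps/2 --device psaux
# No X configuration: the host is installed as a text-mode server.
skipx
# Static addressing for eth0. A kickstart command must stay on one line; the
# wiki listing had wrapped this one after --nameserver.
network --device eth0 --bootproto static --ip 192.168.0.1 --netmask  255.255.255.0 --gateway 192.168.0.254 --nameserver 192.168.0.254 --hostname hard9
# "$1$" marks an MD5-crypt hash. "$1$blah" is presumably a redacted
# placeholder -- substitute the real hash locally.
rootpw --iscrypted $1$blah
# Firewall level "high", with inbound ssh over tcp as the only opening.
firewall --high --port=ssh:tcp
# Shadow passwords with MD5 hashing.
authconfig --enableshadow --enablemd5
timezone --utc America/New_York
bootloader --location=partition
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
#clearpart --linux
#part /boot --fstype ext3 --onpart hda2
#part /var --fstype ext3 --onpart hda6
#part /home --fstype ext3 --noformat --onpart hda8
#part / --fstype ext3 --onpart hda3
#part /usr --fstype ext3 --onpart hda5
#part swap --onpart hda7
# Only the SMP kernel is listed here; the %post section is empty.
%packages
kernel-smp
%post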

banners

rc.local

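#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
#
# Rebuilds the login banners on every boot:
#   /etc/issue, /etc/issue.net  - the legal notice only, so the text shown
#                                 before login reveals no OS or kernel version
#   /etc/motd                   - the notice plus hostname, release and kernel
#                                 details, shown after login

# Start from known values so that nothing inherited from the environment, and
# no unset variable, ends up in /etc/motd when /etc/redhat-release is missing.
R=""
SMP=""
a="a"

# Write issue and motd
if [ -f /etc/redhat-release ]; then
    R=$(cat /etc/redhat-release)
    arch=$(uname -m)
    # "an" in front of architecture names that start with a or i ("an i686")
    case "_$arch" in
        _a*|_i*) a="an" ;;
    esac
    # /proc/stat carries one cpuN line per processor
    NUMPROC=$(egrep -c "^cpu[0-9]+" /proc/stat)
    if [ "${NUMPROC:-0}" -gt 1 ]; then
        SMP="$NUMPROC-processor "
        # With a count in front, the article follows the number instead of
        # the architecture: "an 8-processor", "an 11-processor", "an 18-...".
        case "$NUMPROC" in
            8|11|18|8[0-9]) a="an" ;;
            *)              a="a" ;;
        esac
    fi
fi
# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
# The delimiter is quoted so the notice is written literally even if a later
# edit adds a $ or a backquote to the text.
/bin/cat >/etc/issue <<'ISSUE'
***************************************************************************
                           NOTICE TO USERS


This computer system is the private property of its owner, whether
individual, corporate or government.  It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.
Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials.  Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.
****************************************************************************
ISSUE
# This will overwrite /etc/motd at every boot.  So, make any changes you
# want to make to /etc/motd here or you will lose them when you reboot.
/bin/cp -f /etc/issue /etc/motd
/bin/cp -f /etc/issue /etc/issue.net
# Host and version details go to motd only (post-login), never to issue.net.
echo "$(hostname)" >> /etc/motd
echo "$R" >> /etc/motd
echo "Kernel $(uname -r) on $a $SMP$(uname -m)" >> /etc/motd
echo " " >> /etc/motd
echo " " >> /etc/motd
touch /var/lock/subsys/local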

nologin.txt

/etc/nologin.txt

Authorized Users Only.  All activity may be monitored and reported.

prototype

/etc/banners/prototype

Authorized Users Only.  All activity may be monitored and reported.

tcpwrappers

hosts.allow

/etc/hosts.allow

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# Rules here are consulted before hosts.deny. LOCAL (per hosts_access(5): host
# names that contain no dot) and loopback clients may reach every wrapped
# service and are shown the banner files kept under /etc/banners.
ALL: LOCAL : banners /etc/banners
ALL: 127.0.0.1 : banners /etc/banners
# NOTE(review): as far as TCP wrappers is concerned sshd accepts connections
# from any address. Who may actually log in is then decided only by
# sshd_config (AllowUsers, PermitRootLogin) and the packet filter; list the
# management networks here instead of ALL if they are known.
sshd: ALL

hosts.deny

/etc/hosts.deny

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
# NOTE(review): no portmap line is present in this listing; the paragraph
# above is carried over from the stock file.
#
# Default deny: anything not allowed by hosts.allow is refused, and each
# refusal runs the spawn command in the background ("&"), mailing root the
# date, the client (%c) and the service (%s).
# hosts_access(5) states that characters in % expansions that could confuse
# the shell are replaced by underscores, which is what keeps client-supplied
# text from being interpreted by the spawned shell.
# NOTE(review): one mail per refused connection means a port scan or a
# connection flood becomes a mail flood to root and a process per attempt.
# Sending the event to syslog and alerting from there avoids that.
ALL: ALL : spawn (/bin/echo -e `/bin/date` "\n%c attempted connection to %s and  was denied"\ | /bin/mail -s "Connection attempt to %s" root) &

secure shell

sshd_config

/etc/ssh/sshd_config

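#       $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.
#
# Hardening changes relative to the commented defaults: protocol 2 only,
# AUTHPRIV logging, no root login, no rhosts or host-based trust, no empty
# passwords, no challenge-response, no X11 forwarding, a pre-login banner and
# an explicit user allow-list.
#Port 22
#Protocol 2,1
# Protocol 1 is refused outright.
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
# AUTHPRIV is the facility the syslog.conf on this page routes to
# /var/log/secure.
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 120
#PermitRootLogin yes
# Administrators log in under their own account and escalate from there.
PermitRootLogin no
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys
# rhosts authentication should not be used
#RhostsAuthentication no
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# Set to "no" so it agrees with RhostsAuthentication and
# HostbasedAuthentication: authentication that trusts the identity of the
# client host is not wanted here. This is a protocol 1 option, so it is
# inactive under "Protocol 2"; leaving it at "yes" would quietly bring host
# trust back if protocol 1 were ever re-enabled.
RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# To disable tunneled clear text passwords, change to no here!
# NOTE(review): left at the default, so password logins stay enabled and the
# service is exposed to password guessing. Key-only access needs
# "PasswordAuthentication no" once keys are deployed.
#PasswordAuthentication yes
#PermitEmptyPasswords no
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no
#X11Forwarding no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#MaxStartups 10
# no default banner path
#Banner /some/path
# Shown before authentication; rc.local on this page regenerates the file
# with the legal notice only.
Banner /etc/issue.net
#VerifyReverseMapping no
# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server
# Allow-list: accounts not named here are refused. "joeuser" is presumably an
# example name -- replace it with the real administrative accounts.
AllowUsers joeuser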

ssh_config

/etc/ssh/ssh_config

#       $OpenBSD: ssh_config,v 1.16 2002/07/03 14:21:05 markus Exp $
# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for various options
# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP yes
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
# Client defaults for every destination: no X11 forwarding to remote hosts
# and protocol 2 only. Per the parsing order described above, a user's own
# configuration file or the command line is read first and can set
# different values, so these are defaults rather than enforced policy.
Host *
       ForwardX11 no
       Protocol 2

inittab

/etc/inittab

#
# inittab       This file describes how the INIT process should set up
#               the system in a certain run-level.
#
# Author:       Miquel van Smoorenburg, <miquels@drinkel.nl.mugnet.org>
#               Modified for RHS Linux by Marc Ewing and Donnie Barnes
#
# Default runlevel. The runlevels used by RHS are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
#
# Boots to runlevel 3 (multiuser, no X).
id:3:initdefault:

# CIS Benchmark 7.9 - require root password for single user mode
# Without this entry, single user mode hands out a root shell with no
# authentication to anyone who can reach the console or the boot prompt.
~~:S:wait:/sbin/sulogin
# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
# Trap CTRL-ALT-DELETE
# Securing Linux 2.3.2 - disable Ctrl-Alt-Del
# Commented out so the key combination at the console no longer runs
# shutdown.
##ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# When our UPS tells us power has failed, assume we have a few minutes
# of power left.  Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down" 
# If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"
# Run gettys in standard runlevels
# Only tty1 keeps a login prompt, matching the /etc/securetty on this page
# (console and tty1).
1:2345:respawn:/sbin/mingetty tty1
## Disable gettys not being used
##2:2345:respawn:/sbin/mingetty tty2
##3:2345:respawn:/sbin/mingetty tty3
##4:2345:respawn:/sbin/mingetty tty4
##5:2345:respawn:/sbin/mingetty tty5
##6:2345:respawn:/sbin/mingetty tty6
# Run xdm in runlevel 5
# Not reached with the default runlevel of 3 set above.
x:5:respawn:/etc/X11/prefdm -nodaemon

sysctl.conf

/etc/sysctl.conf

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
# (commented out here; set explicitly in the CIS 4.2 section below)
##net.ipv4.ip_forward = 0
# Controls source route verification
# (commented out here; set explicitly in the CIS 4.1 section below)
##net.ipv4.conf.default.rp_filter = 1
# Controls the System Request debugging functionality of the kernel
# 0 turns the magic SysRq key off, so console keyboard access alone cannot
# trigger kernel debugging actions.
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# the following section added due to CIS Benchmark 4.1
# SYN flood resistance: larger backlog of half-open connections, plus SYN
# cookies once the backlog is full.
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
# "all" applies to existing interfaces, "default" to interfaces created later.
# rp_filter: reverse-path check that drops packets with implausible source
#   addresses (spoofing).
# accept_source_route: 0 drops packets that dictate their own route.
# accept_redirects / secure_redirects: 0 ignores ICMP redirects, including
#   those claiming to come from a known gateway, so routes cannot be changed
#   from the network.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Do not answer pings sent to a broadcast address (prevents use of this host
# as an amplifier).
net.ipv4.icmp_echo_ignore_broadcasts = 1
# the following section added due to CIS Benchmark 4.2
#do not perform below if system is firewall or gateway.
# An end host neither forwards packets nor sends ICMP redirects.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

securetty

/etc/securetty

console
tty1

grub.conf

/boot/grub/grub.conf

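# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,1)
#          kernel /vmlinuz-version ro root=/dev/hda3
#          initrd /initrd-version.img
#boot=/dev/hda2
# Boot-loader password. It stops console users from editing boot entries or
# opening the GRUB command line (for example to append "single" or
# init=/bin/sh). Store an MD5-crypt hash, never the cleartext: generate one
# with grub-md5-crypt and paste it in place of the placeholder below. Keep
# this file owned by root with mode 600 so the hash is not readable by
# ordinary users.
password --md5 <MD5_CRYPT_HASH_PLACEHOLDER>
default=0
timeout=10
splashimage=(hd0,1)/grub/splash.xpm.gz
title Red Hat Linux (2.4.20-42.9.legacy)
       root (hd0,1)
       kernel /vmlinuz-2.4.20-42.9.legacy ro root=LABEL=/
       initrd /initrd-2.4.20-42.9.legacy.img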

fstab

/etc/fstab

# Mount options used for hardening in this table:
#   nodev   device nodes on the filesystem are not honoured
#   nosuid  set-uid / set-gid bits are ignored
#   ro      read-only
# NOTE(review): / and /dev/shm are mounted with "defaults", /var and /boot
# carry nodev only, and no separate /tmp filesystem is listed, so nosuid is
# in force only on /home and the removable media.
LABEL=/                 /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    nodev           1 2
none                    /dev/pts                devpts  gid=5,mode=620  0 0
LABEL=/home             /home                   ext3    nosuid,nodev    1 2
none                    /proc                   proc    defaults        0 0
none                    /dev/shm                tmpfs   defaults        0 0
# /usr is read-only; presumably it has to be remounted read-write before
# packages are installed or updated.
LABEL=/usr              /usr                    ext3    ro,nodev        1 2
LABEL=/var              /var                    ext3    nodev           1 2
/dev/hda7               swap                    swap    defaults        0 0
# Removable media: never mounted automatically, no set-uid programs, no
# device nodes.
/dev/cdrom              /mnt/cdrom              udf,iso9660 noauto,nosuid,nodev,ro 0 0
/dev/fd0                /mnt/floppy             auto    noauto,nosuid,nodev 0 0

console.perms

/etc/security/console.perms

# /etc/security/console.perms
#
# This file determines the permissions that will be given to privileged
# users of the console at login time, and the permissions to which to
# revert when the users log out.
# format is:
#   <class>=list of regexps specifying consoles or globs specifying files
#   file-glob|<class> perm dev-regex|<dev-class> \
#     revert-mode revert-owner[.revert-group]
# the revert-mode, revert-owner, and revert-group are optional, and default
# to 0600, root, and root, respectively.
#
# For more information:
# man 5 console.perms
# file classes -- these are regular expressions
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
<xconsole>=:[0-9]\.[0-9] :[0-9]
# device classes -- these are shell-style globs
<floppy>=/dev/fd[0-1]* \
        /dev/floppy/* /mnt/floppy*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
       /dev/mixer* /dev/sequencer \
       /dev/sound/* /dev/beep
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
<pilot>=/dev/pilot
 <jaz>=/mnt/jaz*
<zip>=/mnt/pocketzip* /mnt/zip*
<ls120>=/dev/ls120 /mnt/ls120*
<scanner>=/dev/scanner /dev/usb/scanner*
<rio500>=/dev/usb/rio500
<camera>=/mnt/camera* /dev/usb/dc2xx* /dev/usb/mdc800*
<memstick>=/mnt/memstick*
<flash>=/mnt/flash*
<diskonkey>=/mnt/diskonkey*
<rem_ide>=/mnt/microdrive*
<fb>=/dev/fb /dev/fb[0-9]* \
    /dev/fb/*
<kbd>=/dev/kbd
<joystick>=/dev/js[0-9]*
<v4l>=/dev/video* /dev/radio* /dev/winradio* /dev/vtx* /dev/vbi* \
     /dev/video/*
<gpm>=/dev/gpmctl
<dri>=/dev/nvidia* /dev/3dfx*
<mainboard>=/dev/apm_bios
# permission definitions
# Lines starting with ## are disabled. Every disabled entry below concerns
# removable storage or an attached device (floppy, cdrom, pilot, jaz, zip,
# ls120, camera, memstick, flash, diskonkey, rem_ide, rio500), so a user
# logging in at the console is no longer handed ownership of those devices.
# The class definitions above are left in place; only the grants are removed.
##<console>  0660 <floppy>     0660 root.floppy
<console>  0600 <sound>      0600 root
##<console>  0600 <cdrom>      0660 root.disk
##<console>  0600 <pilot>      0660 root.uucp
##<console>  0600 <jaz>        0660 root.disk
##<console>  0600 <zip>        0660 root.disk
##<console>  0600 <ls120>      0660 root.disk
<console>  0600 <scanner>    0600 root
##<console>  0600 <camera>     0600 root
##<console>  0600 <memstick>   0600 root
##<console>  0600 <flash>      0600 root
##<console>  0600 <diskonkey>  0660 root.disk
##<console>  0600 <rem_ide>    0660 root.disk
<console>  0600 <fb>         0600 root
<console>  0600 <kbd>        0600 root
<console>  0600 <joystick>   0600 root
<console>  0600 <v4l>        0600 root
<console>  0700 <gpm>        0700 root
<console>  0600 <mainboard>  0600 root
##<console>  0600 <rio500>     0600 root
<xconsole> 0600 /dev/console 0600 root.root
<xconsole> 0600 <dri>        0600 root

login.defs

/etc/login.defs

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail
#MAIL_FILE      .mail
# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
# The ## lines are the stock values; the uncommented line under each is the
# hardened value.
# NOTE(review): these aging values are presumably applied when an account is
# created; accounts that already exist keep their old settings until they are
# changed per user (chage) -- confirm on the target system.
##PASS_MAX_DAYS 99999
PASS_MAX_DAYS  90
##PASS_MIN_DAYS 0
PASS_MIN_DAYS   7
# NOTE(review): 6 characters is a low minimum, and on a PAM-based system the
# length actually enforced at password change is likely the PAM password
# module's setting rather than this one -- verify where the limit is applied.
##PASS_MIN_LEN  5
PASS_MIN_LEN    6
##PASS_WARN_AGE 7
PASS_WARN_AGE  28
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                   500
UID_MAX                 60000
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                   500
GID_MAX                 60000
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is ORed with the -m flag on
# useradd command line.
#
CREATE_HOME     yes

functions

head /etc/rc.d/init.d/functions

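  # -*-Shell-script-*-
  # functions This file contains functions to be used by most or all
  # shell scripts in the /etc/init.d directory.
  #
  # (The wiki had rendered the leading "#" of these comment lines as list
  # numbers; they are restored here so the excerpt is valid shell again.)

TEXTDOMAIN=initscripts

  # Make sure umask is sane
  # 027 is the hardening change shown by this excerpt: files created by
  # scripts that source this file get no write access for group and no
  # access at all for other.

umask 027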

limits.conf

/etc/security/limits.conf

# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - an user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open files
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit
#        - maxlogins - max number of logins for this user
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#
#<domain>      <type>  <item>         <value>
#
# Core dumps are disabled for every user, soft and hard, so a crashing
# process does not leave its memory contents (which can include passwords or
# keys) on disk. With the hard limit at 0 a user cannot raise it again.
#*               soft    core            0
*                soft    core            0
#*               hard    rss             10000
*                hard    core            0
# NOTE(review): no nproc or maxlogins limit is active in this listing; the
# examples below remain commented out.
#@student        hard    nproc           20
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
#@student        -       maxlogins       4
# End of file

syslog.conf

/etc/syslog.conf

#If you have a remote logging host, uncomment the lines corresponding to
#the types of messages you want to forward to it.  Replace this string
#loghost with the IP address of your central logging server.
# NOTE(review): all forwarding lines are commented out, so in this listing
# logs exist only on the local disk, where an intruder with root can alter
# them. Forwarding at least auth/authpriv to a separate host preserves a copy.
# Classic syslogd forwarding is presumably unauthenticated and unencrypted,
# so keep it on a trusted network segment.
#kern.*                 @loghost
#authpriv,auth.*        @loghost
#mail.*                 @loghost
# or to send everything
#*.*                    @loghost
################
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
kern.*                                                  /dev/console
#Send kernel messages to a separate file.  Note this will
#include messages generated by iptables about blocked
#network traffic.
kern.*                                                  /var/log/kernel
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# The replacement line also keeps auth, cron, kern and local7 out of
# /var/log/messages; each of those has its own file below.
##*.info;mail.none;authpriv.none;cron.none              /var/log/messages
*.info;authpriv,auth,mail,cron,kern,local7.none         /var/log/messages
# The authpriv file has restricted access.
##authpriv.*                                            /var/log/secure
# capture auth messages also
auth,authpriv.*                                         /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  /var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron
# Everybody gets emergency messages
*.emerg                                                 *
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

logrotate

logrotate.conf

/etc/logrotate.conf

# rotate log files monthly (the stock setting, weekly, is commented out)
##weekly
monthly
# keep 12 rotations -- twelve months of logs at the monthly schedule above
# (the stock setting kept 4)
#rotate 4
rotate 12
# rotated logs are compressed (the stock file left this commented out)
#compress
compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp -- we'll rotate them here
# NOTE(review): "rotate 1" keeps a single old wtmp, so login history covers
# roughly the current and the previous month only, far less than the twelve
# months kept for the other logs. Raise it if login records are needed for
# investigations.
/var/log/wtmp {
   monthly
   create 0664 root utmp
   rotate 1
}
# system-specific logs may be also be configured here.

syslog

/etc/logrotate.d/syslog

# Rotation for the files written by syslogd. /var/log/kernel is included in
# the list because the syslog.conf on this page sends kernel messages there.
# sharedscripts runs the postrotate command once for the whole set rather
# than once per file; the HUP makes syslogd reopen its log files, and the
# trailing "|| true" keeps a missing pid file from failing the rotation.
# No frequency, count or create mode is set here, so those come from
# /etc/logrotate.conf.
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler   /var/log/boot.log /var/log/cron /var/log/kernel {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null ||  true
    endscript
}
