...

1


If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall in between the network and the host to be protected.

5
Since /tmp is intended to be world writable, creating a separate partition for it can prevent resource exhaustion. Setting nodev prevents users from creating or using block or special character devices. Setting noexec prevents users from running binary executables from /tmp. Setting nosuid prevents users from creating set userid files in /tmp.
6
Multiple partitions are recommended to protect against resource exhaustion conditions if a partition fills up, as well as to allow for the setting of various options on individual partitions to support increased security (e.g. nodev, nosuid, noexec).
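
As an added example that is not part of this checklist, the POSIX shell function below checks whether a mount point is a separate filesystem and whether it carries the options named above (nodev, nosuid, noexec). It reads lines in /proc/mounts format from standard input, so it is shown against a constructed sample and can equally be pointed at the live /proc/mounts; the device names in the sample and in the fstab comment are placeholders.

```shell
#!/bin/sh
# Added example: audit the mount options of a separate /tmp (or any mount point).
# Input format is that of /proc/mounts: device mountpoint fstype options dump pass

# Recommended /etc/fstab entry for a dedicated /tmp (device name is a placeholder):
#   /dev/mapper/vg-tmp  /tmp  ext4  defaults,nodev,nosuid,noexec  0 2

# Constructed sample: /tmp is its own partition but lacks noexec; /home lacks nosuid.
SAMPLE_MOUNTS='/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/mapper/vg-tmp /tmp ext4 rw,nosuid,nodev,relatime 0 0
/dev/mapper/vg-home /home ext4 rw,nodev,relatime 0 0'

# missing_mount_opts MOUNTPOINT OPTION...   (mount table on stdin)
# Prints OK, MISSING:<options>, or NOT_SEPARATE; exit status 0, 1 or 2 respectively.
missing_mount_opts() {
    mp=$1; shift
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }')
    if [ -z "$opts" ]; then
        echo "NOT_SEPARATE"      # not its own mount: filling it fills the parent filesystem
        return 2
    fi
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;                        # option present
            *) missing="$missing $want" ;;         # option absent
        esac
    done
    if [ -n "$missing" ]; then
        echo "MISSING:${missing# }"
        return 1
    fi
    echo "OK"
}

# Demonstration against the constructed sample (on a live host: < /proc/mounts)
printf '%s\n' "$SAMPLE_MOUNTS" | missing_mount_opts /tmp nodev nosuid noexec || :
printf '%s\n' "$SAMPLE_MOUNTS" | missing_mount_opts /var nodev || :
```

After editing /etc/fstab, `mount -o remount /tmp` applies the new options without a reboot; rerun the check afterwards, since the options only protect the filesystem while it is mounted with them.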

11


Install and use the yum-security plugin.
To install the plugin run:

Code Block
yum install yum-security


To list all updates that are security relevant, and get a return code indicating whether there are security updates, use:

Code Block
yum --security check-update


To apply updates that are security relevant use:

Code Block
yum --security update
13
Setting user/group ownership to root and file permissions to read and write only for root is recommended to prevent non-root users from viewing or changing the boot parameters.

15


A simple way to disable the GUI is to change the default run level. Edit the file /etc/inittab. Look for the line that contains the following:

Code Block
id:5:initdefault: 

 

Replace the "5" with "3". The line will then read:

Code Block
id:3:initdefault: 
17
Core dumps are intended to help determine why a program aborted. They may contain sensitive or confidential data from memory. It is recommended that core dumps be disabled or restricted. The system should be configured to prevent setuid programs from creating core dumps.
18

Add the following line to the /etc/sysctl.conf file:

Code Block
kernel.randomize_va_space = 2

20


Disable any xinetd services you do not absolutely require by setting "disable=yes" in /etc/xinetd.d/*.

Configure TCP wrappers for access control.
Edit /etc/hosts.deny to include this entry as the first uncommented line in the file: ALL:ALL
Ensure /etc/hosts.allow is edited appropriately to allow the administrator(s) to connect.
Verify that you have disabled any unnecessary startup scripts under /etc, /etc/rc*.d, or /etc/init.d (or startup script directory for your system) and disabled any unneeded services from starting in these scripts.

Unnecessary services can be disabled with:

Code Block
$ sudo chkconfig <service> off


To check what services are listening use: 

Code Block
$ lsof | grep '*:'

or:

Code Block
$ sudo netstat -tulp


Much more detailed information regarding services is available in the CIS benchmark documents.


Red Hat also provides a text-based interface for changing startup services: ntsysv

For example, the command

Code Block
ntsysv --level 345

configures runlevels 3, 4, and 5.
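
Listing the listening sockets is only useful if something compares the list with what the host is supposed to run. The shell function below is an added example (not the ISO's or CIS's code): it reads `netstat -tulpn` output (the -n flag keeps addresses numeric; -p needs root), ignores sockets bound only to loopback, and reports every other listener whose program is not on an allowlist you pass as arguments. The netstat output it runs on here is a constructed sample.

```shell
#!/bin/sh
# Added example: flag network-reachable listening sockets whose program is not expected.

# Constructed sample of `sudo netstat -tulpn` output
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1300/master
tcp6       0      0 :::80                   :::*                    LISTEN      1400/httpd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      800/rpcbind
udp        0      0 0.0.0.0:68              0.0.0.0:*                           900/dhclient'

# unexpected_listeners PROGRAM...   (netstat output on stdin)
# Prints "proto local-address program" for each non-loopback listener not in the list.
unexpected_listeners() {
    awk -v allow=" $* " '
        $1 !~ /^(tcp|udp)/ { next }                  # skip banner and header lines
        {
            addr = $4                                # local address:port
            prog = $NF                               # "1234/sshd"; udp rows have no State column
            sub(/^[0-9]+\//, "", prog)               # drop the PID, keep the program name
            if (addr ~ /^127\./ || addr ~ /^::1:/) next   # loopback only: not reachable remotely
            if (index(allow, " " prog " ") == 0) print $1, addr, prog
        }'
}

# Demonstration: only sshd and httpd are expected on this host.
# Live host: sudo netstat -tulpn | unexpected_listeners sshd httpd
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners sshd httpd
```

On the sample this reports rpcbind and dhclient, the two services a review would then either add to the allowlist or disable with chkconfig. Newer systems ship `ss -tulpn` instead of netstat; its columns differ, so the field positions above would need adjusting.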

 

21

If no xinetd services are required, disable xinetd altogether:

Code Block
sudo service xinetd stop; sudo chkconfig xinetd off

25


Red Hat comes with iptables. Below is a list of some iptables resources:
http://firehol.sourceforge.net
http://sourceforge.net/projects/fwbuilder
http://www.simonzone.com/software/guarddog

33

If you decide to utilize SSH, the ISO highly recommends the following:

  • Change the port from port 22 to something/anything else. There are scripts online that malicious hackers can use against an SSH server. These scripts almost always only attack port 22 since most people do not change the default port.
  • Use SSH2 (by setting Protocol 2 in the sshd_config file) as it remediates many vulnerabilities from SSH1.
  • Restrict access to the SSH port using a hardware or software firewall.
  • Do not allow root logins via SSH.
  • If possible, use keys with a passphrase instead of just passwords. To create RSA keys, follow these commands:

    Code Block
    ssh-keygen -t rsa
    ssh server "mkdir .ssh; chmod 0700 .ssh"
    scp ~/.ssh/id_rsa.pub server:.ssh/authorized_keys2
  • The CIS Solaris Benchmark covers some suggested basic settings to place in the configuration file.
    You may also want to visit the SSL Web site.
34
INFO is a basic logging level that will capture user login and logout activity. Other logging levels may be used, but may generate more noise. The DEBUG logging level is not recommended for production servers.

35
Do not permit root logins via SSH. If root access over SSH is absolutely necessary, require administrators to authenticate with an individual account first and then use su or sudo. This is to prevent remote brute force attacks against the root user account as well as to create an audit trail of administrative activity in the event of a compromise.
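
Items 33 through 35 can all be verified against sshd_config. The shell below is an added example, not code from the ISO, and runs against a constructed sshd_config: it reports settings that contradict the recommendations (default port, Protocol not pinned to 2, root login allowed, password-only authentication, LogLevel other than INFO). It honours three sshd parsing rules that simple greps miss: the first occurrence of a keyword wins, keyword matching is case-insensitive, and lines after a Match block apply only conditionally, so scanning stops there.

```shell
#!/bin/sh
# Added example: report sshd_config settings that contradict items 33-35.

# Constructed sample /etc/ssh/sshd_config
SAMPLE_SSHD='# sshd_config (constructed sample)
Port 2222
Protocol 2
permitrootlogin yes
PasswordAuthentication no
LogLevel DEBUG
Match User backup
    PermitRootLogin no'

# sshd_value KEYWORD   (sshd_config on stdin)
# sshd takes the FIRST value it sees for a keyword, matches keywords case-insensitively,
# and applies lines after a Match block only conditionally, so scanning stops there.
sshd_value() {
    awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key    { print $2; exit }'
}

# sshd_config_issues   (sshd_config on stdin): one line per finding, nothing when clean
sshd_config_issues() {
    conf=$(cat)
    port=$(printf '%s\n' "$conf" | sshd_value Port)
    proto=$(printf '%s\n' "$conf" | sshd_value Protocol)
    root=$(printf '%s\n' "$conf" | sshd_value PermitRootLogin)
    pass=$(printf '%s\n' "$conf" | sshd_value PasswordAuthentication)
    level=$(printf '%s\n' "$conf" | sshd_value LogLevel)
    # Unset keywords fall back to the historical sshd defaults (22, yes, yes, INFO);
    # Protocol is only accepted when it is set explicitly to 2.
    [ "${port:-22}" != "22" ]     || echo "Port: still listening on the default port 22"
    [ "$proto" = "2" ]            || echo "Protocol: not pinned to 2 (value '${proto:-unset}')"
    [ "${root:-yes}" = "no" ]     || echo "PermitRootLogin: direct root login allowed (value '${root:-unset}')"
    [ "${pass:-yes}" = "no" ]     || echo "PasswordAuthentication: passwords accepted; prefer keys with a passphrase"
    [ "${level:-INFO}" = "INFO" ] || echo "LogLevel: '$level' (INFO records logins/logouts; DEBUG is not for production)"
}

# Demonstration on the constructed sample (live host: sshd_config_issues < /etc/ssh/sshd_config)
printf '%s\n' "$SAMPLE_SSHD" | sshd_config_issues
```

On the sample the lowercase `permitrootlogin yes` is still found (and the `PermitRootLogin no` inside the Match block is correctly ignored), and the DEBUG log level is reported; the other three settings pass.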

37


There is a license fee for Tripwire. The Tripwire management console can be very helpful for managing more complex installations.
AIDE is a free tool available from SourceForge.
SamHain is another free tool, as is OSSEC HIDS.

 

38

SELinux is enabled by default on RHEL systems and should not be disabled unless absolutely necessary. Many resources exist for understanding and configuring SELinux.
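
Items 17, 18 and 38 all come down to a key=value line in a configuration file. The shell below is an added example (not from the checklist) that audits constructed copies of /etc/sysctl.conf and /etc/selinux/config for ASLR, setuid core dumps and the SELinux mode. The fs.suid_dumpable sysctl and the limits.conf `hard core 0` line are not on the checklist; they are the standard kernel and PAM settings for restricting core dumps and are included here from general knowledge.

```shell
#!/bin/sh
# Added example: audit key=value hardening settings.
# sysctl.conf uses "key = value"; /etc/selinux/config uses "KEY=value". In both files
# the last uncommented assignment wins, which is what kv_value returns.

# Constructed sample files
SAMPLE_SYSCTL='# Kernel hardening (constructed sample)
#kernel.randomize_va_space = 0
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 0'

SAMPLE_SELINUX='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=permissive
SELINUXTYPE=targeted'

# kv_value KEY   (file text on stdin): value of the last uncommented KEY assignment, or nothing
kv_value() {
    awk -v key="$1" -F= '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            k = $1; sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            if (k == key) { v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v); val = v }
        }
        END { print val }'
}

# check_setting LABEL KEY WANTED   (file text on stdin): prints one PASS/FAIL line
check_setting() {
    got=$(kv_value "$2")
    if [ "$got" = "$3" ]; then
        echo "PASS $1 ($2=$got)"
    else
        echo "FAIL $1 ($2=${got:-unset}, want $3)"
    fi
}

# audit_hardening SYSCTL_TEXT SELINUX_TEXT
audit_hardening() {
    printf '%s\n' "$1" | check_setting "ASLR (item 18)" kernel.randomize_va_space 2
    printf '%s\n' "$1" | check_setting "setuid core dumps (item 17)" fs.suid_dumpable 0
    printf '%s\n' "$2" | check_setting "SELinux mode (item 38)" SELINUX enforcing
}

# Demonstration on the constructed samples.
# Live host: audit_hardening "$(cat /etc/sysctl.conf)" "$(cat /etc/selinux/config)"
# Core dumps for all users are disabled separately with "* hard core 0" in /etc/security/limits.conf.
audit_hardening "$SAMPLE_SYSCTL" "$SAMPLE_SELINUX"
```

The sample passes ASLR and fails the other two checks: fs.suid_dumpable is not set at all and SELinux is permissive. A file check only covers what takes effect at boot; `sysctl -n kernel.randomize_va_space` and `getenforce` report the running state.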

39
OSSEC is a free, open-source host-based intrusion detection system, which performs log analysis, file integrity checking, and rootkit detection, with real-time alerting, in an effort to identify malicious activity. It is available at http://www.ossec.net/.

40


ITS Networking operates two stratum 2 NTPv4 (NTP version 4) servers for network time synchronization services for university network administrators.

41
Auditd monitors various system activity, such as system logins, authentications, account modifications, and SELinux denials. These records may help administrators identify malicious activity or unauthorized access.
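
Two of the record types named above, login attempts and SELinux denials, are easy to summarise directly from /var/log/audit/audit.log. The shell below is an added example (not the ISO's code) that runs over constructed audit.log lines: pids, timestamps and addresses are placeholders (RFC 5737 test addresses). The watch rules in the comment use standard auditctl syntax and are also an addition.

```shell
#!/bin/sh
# Added example: summarise auditd records for failed logins and SELinux denials.
# Watch rules (auditctl syntax, e.g. in /etc/audit/rules.d/) that record the account
# modifications item 41 mentions:
#   -w /etc/passwd  -p wa -k identity
#   -w /etc/sudoers -p wa -k privileged

# Constructed sample audit.log lines
SAMPLE_AUDIT=$(cat <<'EOF'
type=USER_LOGIN msg=audit(1700000000.100:401): pid=1201 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000003.200:402): pid=1203 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000009.300:403): pid=1205 uid=0 auid=1001 ses=3 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1700000020.400:404): pid=1210 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=failed'
type=AVC msg=audit(1700000030.500:405): avc:  denied  { read } for  pid=2000 comm="httpd" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
EOF
)

# failed_logins   (audit.log on stdin): "count account source-address", most frequent first
failed_logins() {
    awk '
        $1 == "type=USER_LOGIN" {
            acct = "?"; addr = "?"; failed = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^acct=/)      { acct = $i; sub(/^acct="?/, "", acct); sub(/"$/, "", acct) }
                if ($i ~ /^addr=/)      { addr = $i; sub(/^addr=/, "", addr) }
                if ($i ~ /^res=failed/) failed = 1
            }
            if (failed) count[acct " " addr]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# avc_denials   (audit.log on stdin): "process object class" for each SELinux denial
avc_denials() {
    awk '
        $1 == "type=AVC" && /denied/ {
            comm = "?"; name = "?"; tclass = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)   { comm = $i;   sub(/^comm="?/, "", comm);   sub(/"$/, "", comm) }
                if ($i ~ /^name=/)   { name = $i;   sub(/^name="?/, "", name);   sub(/"$/, "", name) }
                if ($i ~ /^tclass=/) { tclass = $i; sub(/^tclass=/, "", tclass) }
            }
            print comm, name, tclass
        }'
}

# Demonstration on the sample (live host, as root: failed_logins < /var/log/audit/audit.log)
printf '%s\n' "$SAMPLE_AUDIT" | failed_logins
printf '%s\n' "$SAMPLE_AUDIT" | avc_denials
```

The same questions can be put to the audit subsystem's own tools (`ausearch -m USER_LOGIN`, `aureport -au`); the awk above is useful where logs have been shipped off the host as plain text and those tools are not at hand.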
42
 
Rsyslog is a third-party package which is intended to replace the standard syslog daemon. The CIS benchmark has several recommendations for configuring rsyslog. Some benefits of rsyslog include transmission of logs over TCP and support for encryption of log data when transmitting over a network.
44
It is highly recommended that logs are shipped from any Category I devices to a service like Splunk, which provides log aggregation, processing, and real-time monitoring of events among many other things. This helps to ensure that logs are preserved and unaltered in the event of a compromise, in addition to allowing proactive log analysis of multiple devices.

Splunk licenses are available through ITS at no charge. ITS also maintains a centrally-managed Splunk service that may be leveraged.

45


  • Check in /etc/sudoers to see who has sudo rights
  • Check in /etc/group to see what groups your users belong to
  • Check in /etc/passwd and/or /etc/shadow for blank passwords
  • Check the strength of users' passwords with tools such as John the Ripper
  • Seek approval from IT Owner. Consider using a simple dictionary for easily guessed passwords.
  • Develop a procedure to report and remediate easily guessed passwords.
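
The first three checks in the list above are simple field tests on colon-separated files. The shell below is an added example (not part of the checklist) that runs them over constructed copies of /etc/passwd, /etc/shadow and /etc/sudoers; all names and hash values in the samples are placeholders.

```shell
#!/bin/sh
# Added example: the account checks from item 45 as awk filters.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc:x:1003:1003:service:/var/lib/svc:/sbin/nologin'

# shadow field 2: "" = no password required, "!!" or "*" = locked, otherwise a hash
SAMPLE_SHADOW='root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
toor:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
bob::19000:0:99999:7:::
svc:!!:19000:0:99999:7:::'

SAMPLE_SUDOERS='# constructed sudoers
Defaults    requiretty
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
alice   ALL=(ALL)       NOPASSWD: ALL'

# Accounts whose shadow password field is empty: anyone can log in without a password
blank_password_accounts() { awk -F: '$2 == "" { print $1 }'; }

# Accounts with UID 0 other than root: each one is a second root account
extra_uid0_accounts() { awk -F: '$3 == 0 && $1 != "root" { print $1 }'; }

# Effective sudo grants (comments, Defaults and blank lines dropped), marking rules
# that need no password
sudo_grants() {
    awk '/^[[:space:]]*(#|Defaults)/ || NF == 0 { next }
         { flag = ($0 ~ /NOPASSWD/) ? " [no password required]" : ""; print $1 flag }'
}

# Demonstration on the samples (live host, as root: blank_password_accounts < /etc/shadow, etc.)
printf '%s\n' "$SAMPLE_SHADOW" | blank_password_accounts
printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts
printf '%s\n' "$SAMPLE_SUDOERS" | sudo_grants
```

Locked accounts (`!!`, `*`) are deliberately not reported: they cannot authenticate with a password, which is the point of the check. Group membership (item 45's second bullet) is read the same way from /etc/group, field 4 being the comma-separated member list.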
46

Ensure the following are set in /etc/pam.d/other:

pam_warn.so will report alerts to syslog.

48


To require strong passwords, in compliance with section 5.18 of the Information Resources Use and Security Policy:

For RHEL 6:

In /etc/pam.d/system-auth, add or change the file as required to read:

Code Block
password   required     pam_cracklib.so retry=3 difok=5 minlen=8 lcredit=-1 dcredit=-1 ocredit=-1
password   sufficient   pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=10
password   required     pam_deny.so
password   required     pam_warn.so

 

For RHEL 7:

In /etc/security/pwquality.conf, add:

Code Block
difok = 5
minlen = 8
minclass = 1
maxrepeat = 0
maxclassrepeat = 0
lcredit = -1
ucredit = 0
dcredit = -1
ocredit = -1
gecoscheck = 1

In /etc/pam.d/system-auth, add or change the file as required to read:

Code Block
password    required    pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient  pam_unix.so sha512 shadow try_first_pass use_authtok remember=10
password    required    pam_deny.so
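The credit values above are easy to misread: a negative credit means "at least that many characters of that class are required", so lcredit=-1, dcredit=-1 and ocredit=-1 demand a lowercase letter, a digit and a non-alphanumeric character, while ucredit=0 neither requires nor credits uppercase, and maxrepeat=0 / maxclassrepeat=0 disable those limits. The shell below is an added example (not the ISO's code and not pam_pwquality itself) that applies those rules plus difok=5 to constructed passwords; it is an approximation, since pam_pwquality also runs dictionary, palindrome and similarity tests that are not reproduced here.

```shell
#!/bin/sh
# Added example: check a candidate password against the item 48 settings
#   minlen=8  lcredit=-1  dcredit=-1  ocredit=-1  ucredit=0  difok=5
# Approximation of pam_pwquality's checks, not the library itself.
# Note: awk -v processes backslash escapes, so a password containing "\" is mangled here.

# password_policy_issues NEW_PASSWORD [OLD_PASSWORD]: one line per violated setting
password_policy_issues() {
    awk -v pw="$1" -v old="$2" 'BEGIN {
        if (length(pw) < 8)        print "minlen=8: shorter than 8 characters"
        if (pw !~ /[a-z]/)         print "lcredit=-1: needs a lowercase letter"
        if (pw !~ /[0-9]/)         print "dcredit=-1: needs a digit"
        if (pw !~ /[^A-Za-z0-9]/)  print "ocredit=-1: needs a non-alphanumeric character"
        if (old != "") {
            # difok: number of characters in the new password that do not occur in the old one
            n = 0
            for (i = 1; i <= length(pw); i++)
                if (index(old, substr(pw, i, 1)) == 0) n++
            if (n < 5) print "difok=5: only " n " new character(s) compared with the old password"
        }
    }'
}

# Demonstration with constructed passwords (not real credentials)
password_policy_issues 'correct horse 7!'            # passes: prints nothing
password_policy_issues 'password'                    # needs a digit and a symbol
password_policy_issues 'Ab1!'                        # too short
password_policy_issues 'Tr0ub4dor&4' 'Tr0ub4dor&3'   # too similar to the old password
```

Because the function takes the password on the command line, it is meant for reasoning about the policy with constructed values, as above, not for testing real passwords (command-line arguments are visible to other users of the host via the process list).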

49


Ensure that the terminal security file (for example, /etc/securetty or /etc/ttys) is configured to deny privileged (root) access. On a Red Hat box, this means that no virtual devices (such as /dev/pty*) appear in this file.

50


The text of the university's official warning banner can be found on the ITS Web site. You may add localized information to the banner as long as the university banner is included.

51


The text of the university's official warning banner can be found on the ITS Web site. You may add localized information to the banner as long as the university banner is included.

52


There are few viruses that infect Linux computers; therefore, it is understandable for most Linux servers to have an exception to this rule. See the Operations Manual for information on the exception process.

You may choose any proven anti-virus product. One option is ClamAV.

53


There are few viruses that infect Linux computers; therefore, it is understandable for most Linux servers to have an exception to this rule. See the Operations Manual for information on the exception process.

54


There are a variety of methods available to provide encrypted storage. Two good candidates are LUKS and GnuPG (free).

...