Guide to the Secure Configuration of Red Hat Enterprise Linux 5
Revision 4.2
August 26, 2011

Operating Systems Division
Unix Team of the Systems and Network Analysis Center
National Security Agency
9800 Savage Rd. Suite 6704
Ft. Meade, MD 20755-6704

Warnings

Do not attempt to implement any of the recommendations in this guide without first testing in a non-production environment.

This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore this guide does not address site-specific configuration concerns. Care must be taken when implementing this guide to address local operational and policy concerns.

The security changes described in this document apply only to Red Hat Enterprise Linux 5. They may not translate gracefully to other operating systems.

Internet addresses referenced were valid as of 1 Dec 2009.

Trademark Information

Red Hat is a registered trademark of Red Hat, Inc. Any other trademarks referenced herein are the property of their respective owners.

Change Log

Revision 4.2 is an update of Revision 4.1 dated February 28, 2011.
- Added section 2.5.3.1.3, Disable Functionality of IPv6 Kernel Module Through Option.
- Added discussion to section 2.5.3.1.1, Disable Automatic Loading of IPv6 Kernel Module, indicating that this is no longer the preferred method for disabling IPv6.
- Added section 2.3.1.9, Set Accounts to Disable After Password Expiration.

Revision 4.1 is an update of Revision 4 dated September 14, 2010.
- Added section 2.2.2.6, Disable All GNOME Thumbnailers if Possible.
- Added Common Configuration Enumeration (CCE) identifiers to associated sections within the guide, and a note about CCE in section 1.2.4, Formatting Conventions.
- Updated section 2.3.3.2, Set Lockouts for Failed Password Attempts. There is no longer the need to add the pam_tally2 module into each program's PAM configuration file, or to comment out some lines from /etc/pam.d/system-auth.
  The pam_tally2 module can now be referenced directly from /etc/pam.d/system-auth.
- Corrected section 2.6.2.4.5 title from Ensure auditd Collects Logon and Logout Events to Record Attempts to Alter Logon and Logout Event Information.
- Corrected section 2.6.2.4.6 title from Ensure auditd Collects Process and Session Initiation Information to Record Attempts to Alter Process and Session Initiation Information.

Note: The above changes did not affect any of the existing section numbering.

Table of Contents

1  Introduction  13
  1.1  General Principles  13
    1.1.1  Encrypt Transmitted Data Whenever Possible  13
    1.1.2  Minimize Software to Minimize Vulnerability  13
    1.1.3  Run Different Network Services on Separate Systems  13
    1.1.4  Configure Security Tools to Improve System Robustness  14
    1.1.5  Least Privilege  14
  1.2  How to Use This Guide  14
    1.2.1  Read Sections Completely and in Order  14
    1.2.2  Test in Non-Production Environment  14
    1.2.3  Root Shell Environment Assumed  14
    1.2.4  Formatting Conventions  15
    1.2.5  Reboot Required  15
2  System-wide Configuration  17
  2.1  Installing and Maintaining Software  17
    2.1.1  Initial Installation Recommendations  17
      2.1.1.1  Disk Partitioning  17
      2.1.1.2  Boot Loader Configuration  18
      2.1.1.3  Network Devices  19
      2.1.1.4  Root Password  19
      2.1.1.5  Software Packages  19
      2.1.1.6  First-boot Configuration  19
    2.1.2  Updating Software  20
      2.1.2.1  Configure Connection to the RHN RPM Repositories  20
      2.1.2.2  Disable the rhnsd Daemon  21
      2.1.2.3  Obtain Software Package Updates with yum  21
    2.1.3  Software Integrity Checking  22
      2.1.3.1  Configure AIDE  23
      2.1.3.2  Verify Package Integrity Using RPM  24
  2.2  File Permissions and Masks  25
    2.2.1  Restrict Partition Mount Options  25
      2.2.1.1  Add nodev Option to Non-Root Local Partitions  25
      2.2.1.2  Add nodev, nosuid, and noexec Options to Removable Storage Partitions  26
      2.2.1.3  Add nodev, nosuid, and noexec Options to Temporary Storage Partitions  26
      2.2.1.4  Bind-mount /var/tmp to /tmp  26
    2.2.2  Restrict Dynamic Mounting and Unmounting of Filesystems  27
      2.2.2.1  Restrict Console Device Access  27
      2.2.2.2  Disable USB Device Support  27
      2.2.2.3  Disable the Automounter if Possible  28
      2.2.2.4  Disable GNOME Automounting if Possible  29
      2.2.2.5  Disable Mounting of Uncommon Filesystem Types  29
      2.2.2.6  Disable All GNOME Thumbnailers if Possible  30
    2.2.3  Verify Permissions on Important Files and Directories  30
      2.2.3.1  Verify Permissions on passwd, shadow, group and gshadow Files  30
      2.2.3.2  Verify that All World-Writable Directories Have Sticky Bits Set  31
      2.2.3.3  Find Unauthorized World-Writable Files  31
      2.2.3.4  Find Unauthorized SUID/SGID System Executables  31
      2.2.3.5  Find and Repair Unowned Files  33
      2.2.3.6  Verify that All World-Writable Directories Have Proper Ownership  33
    2.2.4  Restrict Programs from Dangerous Execution Patterns  33
      2.2.4.1  Set Daemon umask  33
      2.2.4.2  Disable Core Dumps  34
      2.2.4.3  Enable ExecShield  35
      2.2.4.4  Enable Execute Disable (XD) or No Execute (NX) Support on 32-bit x86 Systems  35
      2.2.4.5  Configure Prelink  36
  2.3  Account and Access Control  37
    2.3.1  Protect Accounts by Restricting Password-Based Login  37
      2.3.1.1  Restrict Root Logins to System Console  37
      2.3.1.2  Limit su Access to the Root Account  38
      2.3.1.3  Configure sudo to Improve Auditing of Root Access  39
      2.3.1.4  Block Shell and Login Access for Non-Root System Accounts  39
      2.3.1.5  Verify Proper Storage and Existence of Password Hashes  40
      2.3.1.6  Verify that No Non-Root Accounts Have UID 0  40
      2.3.1.7  Set Password Expiration Parameters  41
      2.3.1.8  Remove Legacy '+' Entries from Password Files  42
      2.3.1.9  Set Accounts to Disable After Password Expiration  42
    2.3.2  Use Unix Groups to Enhance Security  42
      2.3.2.1  Create a Unique Default Group for Each User  42
      2.3.2.2  Create and Maintain a Group Containing All Human Users  43
    2.3.3  Protect Accounts by Configuring PAM  43
      2.3.3.1  Set Password Quality Requirements  44
      2.3.3.2  Set Lockouts for Failed Password Attempts  45
      2.3.3.3  Use pam_deny.so to Quickly Deny Access to a Service  45
      2.3.3.4  Restrict Execution of userhelper to Console Users  46
      2.3.3.5  Upgrade Password Hashing Algorithm to SHA-512  46
      2.3.3.6  Limit Password Reuse  47
      2.3.3.7  Remove the pam_ccreds Package if Possible  47
    2.3.4  Secure Session Configuration Files for Login Accounts  47
      2.3.4.1  Ensure that No Dangerous Directories Exist in Root's Path  47
      2.3.4.2  Ensure that User Home Directories are not Group-Writable or World-Readable  48
      2.3.4.3  Ensure that User Dot-Files are not World-writable  49
      2.3.4.4  Ensure that Users Have Sensible Umask Values  49
      2.3.4.5  Ensure that Users do not Have .netrc Files  50
    2.3.5  Protect Physical Console Access  50
      2.3.5.1  Set BIOS Password  50
      2.3.5.2  Set Boot Loader Password  50
      2.3.5.3  Require Authentication for Single-User Mode  51
      2.3.5.4  Disable Interactive Boot  51
      2.3.5.5  Implement Inactivity Time-out for Login Shells  51
      2.3.5.6  Configure Screen Locking  52
      2.3.5.7  Disable Unnecessary Ports  53
    2.3.6  Use a Centralized Authentication Service  54
    2.3.7  Warning Banners for System Accesses  54
      2.3.7.1  Modify the System Login Banner  54
      2.3.7.2  Implement a GUI Warning Banner  55
  2.4  SELinux  55
    2.4.1  How SELinux Works  56
    2.4.2  Enable SELinux  56
      2.4.2.1