Hardening Tips for Default Installation of Red Hat Enterprise Linux 5

Systems and Network Analysis Center
National Security Agency
9800 Savage Rd.
Ft. Meade, MD 20755
http://www.nsa.gov

The following tips assume that the reader is starting with a default installation of Red Hat Enterprise Linux 5. This high-impact guidance can be applied quickly, but is by no means complete. For complete guidance, please see our other publication, “Guide to the Secure Configuration of Red Hat Enterprise Linux 5,” which can be found online at http://www.nsa.gov. These tips may or may not translate gracefully for other Linux distributions or modified installations of RHEL.

General Principles

• Encrypt all data transmitted over the network. Encrypting authentication information (such as passwords) is particularly important.
• Minimize the amount of software installed and running in order to minimize vulnerability.
• Use security-enhancing software and tools whenever available (e.g., SELinux and Iptables).
• Run each network service on a separate server whenever possible. This minimizes the risk that a compromise of one service could lead to a compromise of others.
• Maintain user accounts. Create a good password policy and enforce its use. Delete unused user accounts.
• Review system and application logs on a routine basis. Send logs to a dedicated log server. This prevents intruders from easily avoiding detection by modifying the local logs.
• Never log in directly as root, unless absolutely necessary. Administrators should use sudo to execute commands as root when required. The accounts capable of using sudo are specified in /etc/sudoers, which is edited with the visudo utility. By default, relevant logs are written to /var/log/secure.

Disk Partitions and Mounting

During initial installation, ensure that filesystems with user-writeable directories such as the following are mounted on separate partitions: /home, /tmp, /var/tmp.

During system configuration, change mount options in /etc/fstab to limit user access on appropriate filesystems. The defaults option is equal to rw,suid,dev,exec,auto,nouser,async. Using noexec instead prevents execution of binaries on a file system (though it will not prevent scripts from running). Using nosuid will prevent the SUID bit from having effect. The nodev option prevents use of device files on the filesystem.

Physical Security

Configure the BIOS to disable booting from CDs/DVDs, floppies, and external devices, and set a password to protect these settings.

Next, set a password for the GRUB bootloader. Generate a password hash using /sbin/grub-md5-crypt. Add the hash to the first line of /etc/grub.conf as follows:

    password --md5 passwordhash

This prevents users from entering single user mode or changing settings at boot.

Keep Software Up to Date

Either download updates manually through the Red Hat Network (http://rhn.redhat.com) or register each system with RHN to apply updates automatically. Security updates should be applied as soon as possible.

The default version of yum-updatesd does not function reliably. A better solution is to apply updates through a cron job. First, disable the service with:

    /sbin/chkconfig yum-updatesd off

Second, create the file yum.cron, make it executable, place it in /etc/cron.daily or /etc/cron.weekly, and ensure that it reads as follows:

    #!/bin/sh
    /usr/bin/yum -R 120 -e 0 -d 0 -y update yum
    /usr/bin/yum -R 10 -e 0 -d 0 -y update

Disable Unnecessary Services

To list the services configured to start at boot, run the following command:

    /sbin/chkconfig --list

Find the column for the current run level to see which services are enabled. The default run level is 5. To disable a service, run the following command:

    /sbin/chkconfig servicename off

Unless they are required, disable the following:

    anacron         haldaemon       messagebus
    apmd            hidd            microcode_ctl
    autofs          hplip*          pcscd
    avahi-daemon*   isdn            readahead_early
    bluetooth       kdump           readahead_later
    cups*           kudzu           rhnsd*
    firstboot       mcstrans        setroubleshoot
    gpm             mdmonitor       xfs

Items marked with a * are network services. It is particularly important to disable these. Additionally, the following services can be safely disabled if NFS is not in use: netfs, nfslock, portmap, rpcgssd, and rpcidmapd. Some software relies on haldaemon and messagebus, so care should be taken when disabling them. Changes will take effect after a reboot.

Disable SUID and SGID Binaries

To find SUID and SGID files on the system, use the following command:

    find / \( -perm -4000 -o -perm -2000 \) -print

The following files can have their SUID or SGID bits safely disabled (using chmod -s filename) unless required for the purpose listed in the second column:

    File                                Required For
    /bin/ping6                          IPv6
    /sbin/mount.nfs                     NFS
    /sbin/mount.nfs4                    NFS
    /sbin/netreport                     network control
    /sbin/umount.nfs                    NFS
    /sbin/umount.nfs4                   NFS
    /usr/bin/chage
    /usr/bin/chfn                       account info
    /usr/bin/chsh                       account info
    /usr/bin/crontab                    cron
    /usr/bin/lockfile                   Procmail
    /usr/bin/rcp                        rsh
    /usr/bin/rlogin                     rsh
    /usr/bin/rsh                        rsh
    /usr/bin/wall                       console messaging
    /usr/bin/                           console messaging
    /usr/bin/Xorg                       Xorg
    /usr/kerberos/bin/ksu               Kerberos
    /usr/libexec/openssh/ssh-keysign    SSH host-based authentication
    /usr/lib/vte/gnome-pty-helper       Gnome, Xorg
    /usr/sbin/ccreds_validate           Pam auth caching
    /usr/sbin/suexec                    Apache, CGI
    /usr/sbin/userisdnctl               ISDN
    /usr/sbin/usernetctl                network control

To see which RPM package each file belongs to, run rpm -qf filename. If the package is not necessary, remove it with rpm -e packagename. Precise control over the packages installed during initial system installation can be achieved using a Kickstart file.

Remove X Windows

A server will not typically need X Windows to provide its services, so remove it if possible:

    yum groupremove "X Window System"

Installation of X Windows can also be completely prevented during initial system installation.

Configure and Use Iptables and TCP Wrapper

The Iptables firewall should be configured to allow only necessary network communications. For workstations, this may entail blocking all incoming communications, except for those related to connections the system initiated. If Iptables is currently running, view the current firewall policy with the following command:

    /sbin/iptables -L

By default, the output should correspond to rules stored in the file /etc/sysconfig/iptables. Understand and edit these rules, removing any lines that allow unnecessary communications. To activate the updated rules, restart the service.

Also configure the TCP Wrapper library to protect network daemons that support its use by adding appropriate rules to /etc/hosts.allow and /etc/hosts.deny.

Configure and Use SELinux

The default SELinux policy, called targeted, provides protection against compromised or misconfigured system services. This policy should not interfere with normal system operation. Ensure that /etc/selinux/config includes the following lines:

    SELINUX=enforcing
    SELINUXTYPE=targeted

Stronger policies such as strict and mls can be used if appropriate. However, these require customization to operate successfully for many general-purpose usage scenarios.

Set Kernel Parameters

At boot, the system reads and applies a set of kernel parameters from /etc/sysctl.conf. Add the following lines to that file to prevent certain kinds of attacks:

    net.ipv4.conf.all.rp_filter=1
    net.ipv4.conf.all.accept_source_route=0
    net.ipv4.icmp_echo_ignore_broadcasts=1
    net.ipv4.icmp_ignore_bogus_error_messages=1
    kernel.exec-shield=1
    kernel.randomize_va_space=1

For more possible parameters, including settings for IPv6, please see our complete guide.

NTP

For most systems, the ntpd service introduces unnecessary overhead. Instead, call its update utility, ntpdate, directly through a cron job. Create the file /etc/cron.d/ntpdate with the following line:

    15 * * * * root /usr/sbin/ntpdate server

Substitute an appropriate NTP server for server. Hosts on a network should synchronize their time from a local NTP server, and then only this local NTP server should acquire the time from an external, trusted source.

Configure or Disable SSH

SSH is often required, but if it is not, disable it:

    /sbin/chkconfig sshd off

If SSH is required, ensure the SSH configuration file /etc/ssh/sshd_config includes the following lines:

    PermitRootLogin no
    Protocol 2

If possible, limit SSH access to a subset of users. Create a group called sshusers and only add the users that need remote access. Then, add the following line to /etc/ssh/sshd_config:

    AllowGroups sshusers

Restart the service so that these changes take effect.

Disable IPv6

Unless your policy or network configuration requires it, disable IPv6. To do so, prevent the kernel module from loading by adding the following line to /etc/modprobe.conf:

    install ipv6 /bin/true

Next, add or change the following lines in /etc/sysconfig/network:

    NETWORKING_IPV6=no
    IPV6INIT=no
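Worked example for the "Disk Partitions and Mounting" section above. This script is added here and is not part of the NSA pamphlet; it audits an fstab for the user-writeable mount points the pamphlet names (/home, /tmp, /var/tmp) and reports which of the nosuid, nodev and noexec options are missing. The fstab text is constructed for the demonstration, and the choice to require noexec only on /tmp and /var/tmp (users still need to run their own binaries under /home) is an assumption of this example, not a statement from the pamphlet.

```shell
#!/bin/sh
# Added example (not from the NSA pamphlet): audit an fstab for the
# user-writeable filesystems that should sit on their own partitions and
# report the hardening mount options each one lacks.
# The fstab content below is constructed for the demonstration.

SAMPLE_FSTAB='LABEL=/        /         ext3  defaults            1 1
LABEL=/home    /home     ext3  defaults            1 2
LABEL=/tmp     /tmp      ext3  nosuid,nodev,noexec 1 2
LABEL=/vartmp  /var/tmp  ext3  rw,nosuid           1 2
tmpfs          /dev/shm  tmpfs defaults            0 0
# comment line
'

# has_opt OPT "opt1,opt2,..." -> true if OPT is in the comma-separated list.
# Note that "defaults" expands to rw,suid,dev,exec,auto,nouser,async, so a
# "defaults" entry never contains nosuid, nodev or noexec.
has_opt() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab < fstab-text
# Prints "<mountpoint> missing <option>" for every wanted option that is
# absent. /home gets nosuid and nodev; /tmp and /var/tmp also get noexec
# (assumption of this example).
audit_fstab() {
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac      # blanks and comments
        case "$mnt" in
            /home)         wanted="nosuid nodev" ;;
            /tmp|/var/tmp) wanted="nosuid nodev noexec" ;;
            *)             continue ;;
        esac
        for o in $wanted; do
            has_opt "$o" "$opts" || echo "$mnt missing $o"
        done
    done
}

# count_findings -> number of missing options in the constructed sample
count_findings() {
    printf '%s' "$SAMPLE_FSTAB" | audit_fstab | wc -l | tr -d ' '
}

printf '%s' "$SAMPLE_FSTAB" | audit_fstab
```

Run against a real host with `audit_fstab < /etc/fstab`. The sample shows the common mistake the pamphlet warns about: /home mounted with plain `defaults`, which silently keeps suid and dev enabled, and /var/tmp carrying nosuid but not nodev or noexec.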
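Worked example for the "Disable Unnecessary Services" section above. This script is added here and is not from the NSA pamphlet; it parses the output format of `chkconfig --list`, picks out the services that are on at a given run level, and reports those that appear on the pamphlet's disable list, flagging the ones the pamphlet marks as network services. The chkconfig output embedded below is constructed to match the tool's format and is not from a real host.

```shell
#!/bin/sh
# Added example (not from the NSA pamphlet): parse `chkconfig --list` output
# and report which of the pamphlet's "disable unless required" services are
# still enabled at the default run level (5).
# The chkconfig output below is constructed for the demonstration.

SAMPLE_CHKCONFIG='anacron        0:off 1:off 2:on  3:on  4:on  5:on  6:off
avahi-daemon   0:off 1:off 2:off 3:on  4:on  5:on  6:off
bluetooth      0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups           0:off 1:off 2:on  3:on  4:on  5:on  6:off
haldaemon      0:off 1:off 2:off 3:on  4:on  5:on  6:off
kudzu          0:off 1:off 2:off 3:on  4:on  5:on  6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
xfs            0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd based services:
        rsync:          off
'

# The pamphlet's list of services to disable unless required, and the subset
# it marks with * as network services.
DISABLE_LIST='anacron apmd autofs avahi-daemon bluetooth cups firstboot gpm
haldaemon hidd hplip isdn kdump kudzu mcstrans mdmonitor messagebus
microcode_ctl pcscd readahead_early readahead_later rhnsd setroubleshoot xfs'
NETWORK_SERVICES='avahi-daemon cups hplip rhnsd'

# in_list NAME "a b c" -> true if NAME is one of the words
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# enabled_at_level LEVEL < chkconfig-output -> names of services "on" at LEVEL.
# SysV lines have 8 fields (name plus 0..6); the xinetd section at the bottom
# has a different shape and is skipped.
enabled_at_level() {
    awk -v lvl="$1" '
        NF >= 8 && $1 !~ /:$/ {
            for (i = 2; i <= NF; i++)
                if ($i == (lvl ":on")) print $1
        }'
}

# report_enabled LEVEL < chkconfig-output
# Prints "<service>" or "<service> (network service)" for each listed service
# still enabled; services not on the list (e.g. sshd) are ignored.
report_enabled() {
    enabled_at_level "$1" | while read -r svc; do
        in_list "$svc" "$DISABLE_LIST" || continue
        if in_list "$svc" "$NETWORK_SERVICES"; then
            echo "$svc (network service)"
        else
            echo "$svc"
        fi
    done
}

# count_to_disable -> number of findings for the constructed sample at level 5
count_to_disable() {
    printf '%s' "$SAMPLE_CHKCONFIG" | report_enabled 5 | wc -l | tr -d ' '
}

printf '%s' "$SAMPLE_CHKCONFIG" | report_enabled 5
```

On a real host the same functions run as `/sbin/chkconfig --list | report_enabled 5`; the report is a worklist for `chkconfig servicename off`, with the network services the first to deal with, rather than something that changes state by itself.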
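Worked example for the "Disable SUID and SGID Binaries" section above. This script is added here and is not from the NSA pamphlet; it builds a throwaway directory tree of empty files carrying SUID or SGID bits, runs the pamphlet's find expression rooted at that tree (with `-type f` added so that directories are not reported), and strips the bits with `chmod -s` from every file that is not on a keep list, the way the pamphlet's "Required For" table would be applied. The tree, the file names and the keep list are all constructed for the demonstration; nothing touches the real system.

```shell
#!/bin/sh
# Added example (not from the NSA pamphlet): exercise the pamphlet's find
# expression on a constructed directory tree, then remove the SUID/SGID bit
# from every privileged file not on a keep list using chmod -s.

# Paths (relative to the tree root) whose bit we keep, standing in for the
# pamphlet's "Required For" table (constructed choice for this demo).
KEEP_LIST='usr/bin/crontab usr/bin/chage'

# make_tree DIR: populate DIR with empty sample files and set their bits
make_tree() {
    mkdir -p "$1/bin" "$1/usr/bin" "$1/usr/sbin"
    for f in bin/ping6 usr/bin/crontab usr/bin/chage usr/bin/rsh \
             usr/sbin/usernetctl usr/bin/ls; do
        : > "$1/$f"
    done
    chmod 4755 "$1/bin/ping6" "$1/usr/bin/rsh" "$1/usr/bin/chage"   # SUID
    chmod 2755 "$1/usr/bin/crontab" "$1/usr/sbin/usernetctl"        # SGID
    chmod 0755 "$1/usr/bin/ls"                                       # neither
}

# list_privileged DIR: the pamphlet's find expression, rooted at DIR
# (-type f added so SGID directories are not counted as binaries)
list_privileged() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -type f -print
}

# strip_unlisted DIR: chmod -s every privileged file not in KEEP_LIST and
# print the relative path of each file changed
strip_unlisted() {
    root=$1
    list_privileged "$root" | while read -r path; do
        rel=${path#"$root"/}
        keep=0
        for k in $KEEP_LIST; do
            if [ "$k" = "$rel" ]; then keep=1; fi
        done
        if [ "$keep" -eq 0 ]; then
            chmod -s "$path"
            echo "$rel"
        fi
    done
}

# run_demo -> "<privileged before> <privileged after> <files stripped>"
run_demo() {
    d=$(mktemp -d)
    make_tree "$d"
    before=$(list_privileged "$d" | wc -l | tr -d ' ')
    stripped=$(strip_unlisted "$d" | wc -l | tr -d ' ')
    after=$(list_privileged "$d" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$before $after $stripped"
}

run_demo
```

The same two functions work on a real root (`list_privileged /` is exactly the pamphlet's command plus `-type f`), but there the keep list must be the pamphlet's table filtered by the features the host actually uses, and the output of `list_privileged` should be reviewed, and each file checked with `rpm -qf`, before anything is changed.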
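Worked example for the "Configure or Disable SSH" section above. This script is added here and is not from the NSA pamphlet; it checks an sshd_config for the three directives the pamphlet requires (PermitRootLogin no, Protocol 2, AllowGroups sshusers). The check it adds beyond a plain grep is that sshd uses the first value it reads for each keyword, so a hardening line appended at the end of the file has no effect if a weaker setting for the same keyword appears earlier. The configuration text is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the NSA pamphlet): audit sshd_config for the
# pamphlet's three directives, honouring sshd's first-occurrence-wins rule.
# The configuration below is constructed for the demonstration: the
# hardened lines are present but come after weaker ones.

SAMPLE_SSHD_CONFIG='# constructed sshd_config for the demo
Port 22
PermitRootLogin yes
#Protocol 2,1
AllowGroups sshusers
Protocol 2
PermitRootLogin no
'

# effective_value KEYWORD < config -> the value sshd will use: the first
# non-comment line whose keyword matches (keywords are case-insensitive);
# prints nothing if the keyword is absent
effective_value() {
    awk -v key="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# audit_sshd < config
# Prints "<keyword> expected <want> got <have>" for each directive whose
# effective value is not the hardened one.
audit_sshd() {
    cfg=$(cat)
    for pair in PermitRootLogin=no Protocol=2 AllowGroups=sshusers; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(printf '%s\n' "$cfg" | effective_value "$key")
        [ "$have" = "$want" ] || echo "$key expected $want got ${have:-<unset>}"
    done
}

# count_sshd_findings -> number of failing directives in the sample
count_sshd_findings() {
    printf '%s' "$SAMPLE_SSHD_CONFIG" | audit_sshd | wc -l | tr -d ' '
}

printf '%s' "$SAMPLE_SSHD_CONFIG" | audit_sshd
```

In the sample only PermitRootLogin fails: the later `PermitRootLogin no` is dead text because `PermitRootLogin yes` precedes it, while `Protocol 2` is effective because the earlier `Protocol 2,1` is commented out. On a real host run `audit_sshd < /etc/ssh/sshd_config`, fix the first occurrence rather than appending, and restart sshd as the pamphlet says.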