Tuesday, June 14, 2011

Linux security checklist

The Anonymous is announcing an attack on www.malaysia.gov.my, which is a central portal to reach all other Malaysian Government portals. This is reported by F-Secure Corporation and theStar, 14 Jun 2011. Makes you wonder why Anonymous would want to do that.

Follow up from my previous post, I realise that many Linux Admins out there do not have a Security Checklist for their web application. I am sharing the following checklist here as it provides a standard security consideration for almost all web application on Linux or LAMP stack. It is by no means the only security guide, please apply all other security concerns specific to your needs and you can then sleep better at night.

Check List for Web Application (deployment)

Category

Item

Notes

Logins

A.1

Operating system

-Administrator password is secured and recorded as only accessible by ONE administrator

-All login's are done as normal user

-Normal users with access to Administrator priviledges are recorded. Access should be via SUDO.

-All logins are recorded



A.2

Application

-All users to have secured logins

-Administrator logins are assigned to specific individuals and listed

-Web based self registered user must have email and spam prevention facilities

-Lock down on Web server's user/application access

-Default access and password for all administrator applications must be secured. This includes the main application, phpmyadmin, firewall.


A.3

Database

-Each application to have a specific user and password access. This user cannot access other databases.

-Administrator access is with secured password. Assignment to specific individuals must be recorded.



Services

B.1

Disable unnecassary services

-Firewalls must be enabled to restrict external access to only the approved application (via port numbers).

-Identify every services running. Disable those not in use.

-Remote access must be via encrypted protocols

-Disable local email server (e.g. sendmail) from runnin/listening continuously. Or use external email server.

-Email servers controlled to allow access to specific application and directories.

-Anti-virus if implemented, must have patches and pattern updates kept to the most recent.




B.2

Create a base point of security

-A penetration test must be carried out. The type and complexity is based on the specific application.

-Establish an integrity check point


B.3

Tell them you do not allow access

-Place warning messages to all points of access. E.g. motd and issue.net



B.4

Logging

-Log activities to separate files for operating system and application.

-Make logs available to a centralised log server.



B.5

Backup

-Establish a backup plan.

-Implement a backup process



B.6

Create a boot disk and rescue of the Linux



B.7

System updates

-Disable the automatic system updates. Updates should be installed only after it is verfied working with the application.

-Periodically check with security issues, respective application security notices and update as needed.



Physical

C.1

Physical Access

-Ensure only authorised personel can access to the server.

-A record of physical access is maintained.



C.2

Storage Media

-All storage media is tagged.

-Storage location and transportation is secure and recorded.



C.3

Security Policy

-Ensure the document is readily available to authorised users.





Creative Commons License

Checklist for Web Application (Deployment) by Nicholas A. Suppiah is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
Permissions beyond the scope of this license may be available at http://www.blogger.com/profile/06749525177696246387.

1 comment:

The Geeks said...


Thanks for review, it was excellent and very informative.
thank you :)

Blog Archive