CentOS 6 Checklist on Systems Security

Following is a template checklist of general security tasks to ensure a Linux server is secured. The examples provided are for CentOS Linux 6.

A. Details of the system

Capture a baseline of the system as installed:
  • Hostname: superlinuxhosting.localhost
  • Operating System (/etc/redhat-release): CentOS 6.5
  • Linux kernel and architecture (uname -a): Linux LBServer2 2.6.32-431.11.2.el6.x86_64 #1 SMP Tue Mar 25 19:59:55 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

  • Security reference sites:
  • SELinux mode: Permissive
  • Boot runlevel (/etc/inittab): 3
  • Fixed mounts (/etc/fstab):
List the separate mount for each of the following directories and its size:
    /boot
    /home
    /tmp
    /opt
  • Network Interface (ifconfig): 
  • Network route (route -n):
  • Resolver (/etc/resolv.conf):

B. Services

  1. Enable only essential services to run at startup (chkconfig --list)
  2. Remove unused packages
  3. Remove unused running applications. Check for them via open listening ports (netstat -tulpn)
  4. Use sudo to manage access to administrative commands (visudo)
  5. Secure SSH connections: block access from all hosts and allow only a whitelist
  6. Enable only essential jobs in cron (crontab)
  7. Disable automatic mounting of USB storage
  8. SELinux should be turned on
  9. Enable iptables
  10. Display a legal banner at SSH login

C. Essential files

1. Back up essential logs. Complete the Frequency and Destination columns for each file:

   Filename             Frequency   Destination
   -------------------  ----------  -----------
   /var/log/messages
   /var/log/auth.log
   /var/log/cron.log
   /var/log/boot.log
   /var/log/secure
   /var/log/yum.log
   /var/log/pgsql
   /var/log/mysql

2. Make /boot read-only

Secure /boot by mounting it read-only (ro) in /etc/fstab. Change this back when you need to update the kernel.

3. Apply the latest security patches
Check for security advisories with yum-plugin-security:
# yum updateinfo list available
# yum updateinfo list security installed
# yum updateinfo list security all
# yum info-sec
E.g. to update only a specific advisory number:
# yum update --advisory=RHSA-2014:0159
# yum update --advisory=FEDORA-EPEL-2015-8144

4. Backup essential configuration files

5. Files and directories have the minimum permissions needed

6. Import GPG keys to verify installed packages (check that gpgcheck is enabled in the /etc/yum.repos.d files)

D. Examples

B.1 Ignore ping and broadcast requests
Edit /etc/sysctl.conf:

Ignore ICMP request:
net.ipv4.icmp_echo_ignore_all = 1

Ignore Broadcast request:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Reboot, or apply the settings immediately with:
# sysctl -p

B.2 Remove unused packages
Remove the GNOME desktop:
# yum groupremove "X Window System"

Clear the yum cache:
# yum clean all

B.7 Create a file no-usb.conf in /etc/modprobe.d (modprobe only honours files ending in .conf) and add the following line:
install usb-storage /bin/true

B.8 Set SELinux to permissive mode
# setenforce permissive

Check the status of SELinux:
# sestatus

C.6 GPG keys
Install keys from a CD-ROM:
# rpm --import /mnt/cdrom/RPM-GPG-KEY

Verify packages against the installed keys:
# rpm -K /tmp/updates/*.rpm

Check the installed keys:
# rpm -qa gpg-pubkey*
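The following audit script is an added example, not part of the original checklist: it checks items B.1, B.7, C.2 and C.6 against the configuration files the examples above edit, using only POSIX sh, sed, awk and grep. The write_sample function builds a constructed sample tree (an assumption for offline use) so the checks can be exercised without touching a real /etc.

```shell
#!/bin/sh
# Added audit helper, not part of the original checklist. Each check reads a
# config file (or a copy of one) and returns 0 on pass, 1 on fail.
# B.1: both ICMP keys must be set to 1 in sysctl.conf (last value wins).
check_icmp_sysctl() {   # $1 = path to sysctl.conf
    for key in net.ipv4.icmp_echo_ignore_all net.ipv4.icmp_echo_ignore_broadcasts; do
        val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p" "$1" 2>/dev/null | tail -n 1)
        [ "$val" = "1" ] || { echo "FAIL: $key is '${val:-unset}'"; return 1; }
    done
    echo "PASS: ICMP echo and broadcast requests ignored"
}

# C.2: the /boot line in fstab must carry the ro mount option.
check_boot_ro() {       # $1 = path to fstab
    opts=$(awk '$1 !~ /^#/ && $2 == "/boot" { print $4 }' "$1" 2>/dev/null)
    case ",$opts," in
        *,ro,*) echo "PASS: /boot mounted read-only" ;;
        *)      echo "FAIL: /boot options '${opts:-none}' lack ro"; return 1 ;;
    esac
}

# B.7: a modprobe.d/*.conf file must map usb-storage to /bin/true.
check_usb_storage() {   # $1 = modprobe.d directory
    grep -qs '^[[:space:]]*install[[:space:]][[:space:]]*usb-storage[[:space:]][[:space:]]*/bin/true' "$1"/*.conf \
        && { echo "PASS: usb-storage disabled"; return 0; }
    echo "FAIL: no 'install usb-storage /bin/true' under $1"; return 1
}

# C.6: every [section] of every .repo file must set gpgcheck=1.
check_gpgcheck() {      # $1 = yum.repos.d directory
    ls "$1"/*.repo >/dev/null 2>&1 || { echo "FAIL: no .repo files under $1"; return 1; }
    bad=$(awk 'function report() { if (sec != "" && ok != 1) print fn ":" sec }
        FNR == 1 { report(); sec = "" }
        /^[[:space:]]*\[/ { report(); sec = $0; sub(/^[[:space:]]*\[/, "", sec)
                            sub(/].*$/, "", sec); fn = FILENAME; ok = 0; next }
        /^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*1[[:space:]]*$/ { ok = 1 }
        END { report() }' "$1"/*.repo)
    [ -z "$bad" ] && { echo "PASS: gpgcheck=1 in every repo section"; return 0; }
    echo "FAIL: gpgcheck not enabled in: $bad"; return 1
}

# Constructed sample tree that passes every check, so the script runs offline; point the checks at / for a real host.
write_sample() {        # $1 = directory to populate
    mkdir -p "$1/etc/modprobe.d" "$1/etc/yum.repos.d"
    printf 'net.ipv4.icmp_echo_ignore_all = 1\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n' > "$1/etc/sysctl.conf"
    printf '/dev/sda1 /boot ext4 defaults,ro 1 2\n' > "$1/etc/fstab"
    echo 'install usb-storage /bin/true' > "$1/etc/modprobe.d/no-usb.conf"
    printf '[base]\nname=Base\ngpgcheck=1\n[updates]\nname=Updates\ngpgcheck=1\n' > "$1/etc/yum.repos.d/CentOS-Base.repo"
}
```

To audit a live host, call each check with the real path (for example check_gpgcheck /etc/yum.repos.d) and act on any FAIL line.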

Creative Commons License

Checklist for Systems Security by Nicholas A. Suppiah is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
Permissions beyond the scope of this license may be available at http://www.blogger.com/profile/06749525177696246387.
