A. Detail of system
Capture a baseline of the installed system:
- Hostname: superlinuxhosting.localhost
- Operating System(/etc/redhat-release): Centos 6.5
- Security reference sites:
- SELinux mode: Permissive
- Boot runlevel (/etc/inittab): 3
- Fixed mounts (/etc/fstab):
/boot
/home
/tmp
/opt
- Network Interface (ifconfig):
- Network route (route -n):
- Resolver (/etc/resolv.conf):
B. Services
- Enable only essential services to run at startup (chkconfig --list)
- Remove unused packages
- Remove unused running applications. Check this via open ports (netstat -tulpn)
- Use of sudo to manage access to administrative commands (visudo)
- Secure SSH: deny access from all hosts and allow only a whitelist.
- Enable only essential jobs in cron (crontab).
- Disable auto mount of usb storage.
- SELinux should be turned on.
- Enable iptables
- Display legal banner at SSH login
C. Essential files
1. Backup essential logs. Complete the following columns for each file: Filename, Frequency and Destination.
/var/log/messages
/var/log/auth.log
/var/log/cron.log
/var/log/boot.log
/var/log/secure
/var/log/yum.log
/var/log/pgsql
/var/log/mysql
2. Make /boot read-only
Secure /boot by mounting it read-only (ro) in /etc/fstab. Change it back to read-write when the kernel needs to be updated.
3. Apply the latest security patches
Check for security information with yum-plugin-security:
# yum updateinfo list available
# yum updateinfo list security installed
# yum updateinfo list security all
# yum info-sec
For example, to apply only a specific advisory:
# yum update --advisory=RHSA-2014:0159
# yum update --advisory=FEDORA-EPEL-2015-8144
4. Backup essential configuration files
5. Files and directories have minimum permissions
6. Import GPG keys to verify installed packages (check that GPG checking is enabled in the yum.repos.d files)
D. Examples
B.1 Ignore ping and broadcast requests
Edit /etc/sysctl.conf:
Ignore ICMP request:
net.ipv4.icmp_echo_ignore_all = 1
Ignore Broadcast request:
net.ipv4.icmp_echo_ignore_broadcasts = 1
Reboot, or reload the settings without rebooting:
# sysctl -p
B.2 Remove unused packages
Remove the Gnome desktop
# yum groupremove "X Window System"
Clear Yum
# yum clean all
B.7 Disable auto mount of USB storage
Create a file named no-usb in /etc/modprobe.d and add the following line:
install usb-storage /bin/true
B.8 Enable SELinux (permissive mode)
# setenforce permissive
Check the status of SELinux:
# sestatus
C.6 GPG keys
Import a key from the CD-ROM:
# rpm --import /mnt/cdrom/RPM-GPG-KEY
Verify packages against the imported key:
# rpm -K /tmp/updates/*.rpm
List the installed keys:
# rpm -qa gpg-pubkey*
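Added example (not part of the original checklist): a small audit script that checks items B.1, B.7, B.8 and C.2 by reading the configuration files rather than the live kernel state, so it can be run against a backed-up copy of /etc as well as the host. The sample files it creates are constructed for the demonstration; point the check functions at /etc/fstab, /etc/modprobe.d, /etc/selinux/config and /etc/sysctl.conf to audit a real host.

```shell
#!/bin/sh
# Added example: audits checklist items B.1, B.7, B.8 and C.2 by reading
# configuration files. Each check takes the file/directory to inspect as an
# argument, so it works on the live /etc or on a backed-up copy, and returns
# 0 (pass) or 1 (fail).

# C.2: every /boot entry in fstab must carry the "ro" mount option (field 4)
boot_is_ro() {
  awk '$1 !~ /^#/ && $2 == "/boot" { n++; if ($4 !~ /(^|,)ro(,|$)/) bad = 1 }
       END { if (n && !bad) exit 0; exit 1 }' "$1"
}

# B.7: some file under modprobe.d must map usb-storage to /bin/true
usb_storage_disabled() {
  grep -Eqs '^[[:space:]]*install[[:space:]]+usb-storage[[:space:]]+/bin/true' "$1"/*
}

# B.8: the persistent SELinux mode in /etc/selinux/config must be enforcing
selinux_enforcing() {
  grep -Eqs '^SELINUX=enforcing[[:space:]]*$' "$1"
}

# B.1: both ICMP ignore keys must be set to 1 in sysctl.conf
icmp_hardened() {
  grep -Eqs '^net\.ipv4\.icmp_echo_ignore_all[[:space:]]*=[[:space:]]*1' "$1" &&
    grep -Eqs '^net\.ipv4\.icmp_echo_ignore_broadcasts[[:space:]]*=[[:space:]]*1' "$1"
}

# Constructed sample configuration (not from a real host) so the script runs offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/fstab" <<'EOF'
# constructed sample fstab
UUID=0000-BOOT /boot ext4 defaults,ro 1 2
UUID=0000-ROOT /     ext4 defaults    1 1
EOF
mkdir "$tmp/modprobe.d"   # modprobe on CentOS 6 only reads *.conf files in this directory
printf 'install usb-storage /bin/true\n' > "$tmp/modprobe.d/no-usb.conf"
printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$tmp/selinux-config"
printf 'net.ipv4.icmp_echo_ignore_all = 1\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n' \
  > "$tmp/sysctl.conf"

# Run every check and print a one-line verdict; the FAIL lines are the work list.
report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fi; }
report boot_is_ro           "$tmp/fstab"
report usb_storage_disabled "$tmp/modprobe.d"
report selinux_enforcing    "$tmp/selinux-config"   # FAIL: the sample is permissive, as in section A
report icmp_hardened        "$tmp/sysctl.conf"
```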
Checklist for Systems Security by Nicholas A. Suppiah is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
Permissions beyond the scope of this license may be available at http://www.blogger.com/profile/06749525177696246387.