40 likes | 189 Views
CIS 290 LINUX Security. Basic OS Hardening Procedures. Physical security . Lock it up! BIOS Password Disable BIOS alternate boot devices Disable interactive boot: vi /etc/sysconfig/init PROMPT=no Password protected GRUB boot Console locking: yum install vlock, xlock
E N D
CIS 290LINUX Security Basic OS Hardening Procedures
Physical security • Lock it up! • BIOS Password • Disable BIOS alternate boot devices • Disable interactive boot: vi /etc/sysconfig/init PROMPT=no • Password protected GRUB boot • Console locking: yum install vlock, xlock • Lock desktop GUI, or no Xwindows at all. • Disable Ctrl/Alt/Del (procedure varies)
Software maintenance • Install Red Hat GPG key from installation CD-ROM or DVD. rpm --import /mnt/cdrom/RPM-GPG-KEY • Display a list of all keys installed for RPM verification: rpm -qagpg-pubkey* • Display specific key: rpm -qi gpg-pubkey-db4 2a60e-37ea5438 • Verify package keys: rpm -K /root/updates/*.rpm • Automatic GPG signature verification enabled: under the [main] section of your /etc/yum.conf: gpgcheck=1 • Cleanup Yum Repositories. Only what you need. • Remove unneeded software. • Keep the OS up to date. NO AUTO UPDATES!! • Kernel compile options – tricky, hard work to get it right
Filesystem security • Mount options (-o ): noexec (especially /tmp), nosetuid, nosuid, ro (!) • Encrypted File System (Dangerous), TruCrypt containers , encrypted hardrive (hardware, software) • Noowner Files find /dir -xdev \( -nouser -o -nogroup \) –print • World-Writable Files find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print • Disable Unwanted SUID and SGID Binaries #See all set user id files:find / -perm +4000# See all group id filesfind / -perm +2000# Or combine both in a single commandfind / \( -perm -4000 -o -perm -2000 \) -printfind / -path -prune -o -type f -perm +6000 –ls