CIS 290 LINUX Security Basic OS Hardening Procedures


Physical security
  • Lock it up!
  • BIOS password
  • Disable BIOS alternate boot devices
  • Disable interactive boot: vi /etc/sysconfig/init, set PROMPT=no
  • Password-protected GRUB boot
  • Console locking: yum install vlock, xlock
  • Lock the desktop GUI, or run no X Windows at all.
  • Disable Ctrl/Alt/Del (procedure varies)


Software maintenance
  • Install the Red Hat GPG key from the installation CD-ROM or DVD:
      rpm --import /mnt/cdrom/RPM-GPG-KEY
  • Display a list of all keys installed for RPM verification:
      rpm -qa gpg-pubkey*
  • Display a specific key:
      rpm -qi gpg-pubkey-db42a60e-37ea5438
  • Verify package keys:
      rpm -K /root/updates/*.rpm
  • Enable automatic GPG signature verification under the [main] section of /etc/yum.conf:
      gpgcheck=1
  • Clean up Yum repositories. Keep only what you need.
  • Remove unneeded software.
  • Keep the OS up to date. NO AUTO UPDATES!!
  • Kernel compile options – tricky, hard work to get it right


Filesystem security
  • Mount options (-o): noexec (especially /tmp), nosetuid, nosuid, ro (!)
  • Encrypted file system (dangerous), TrueCrypt containers, encrypted hard drive (hardware, software)
  • Unowned files (no matching user or group):
      find /dir -xdev \( -nouser -o -nogroup \) -print
  • World-writable files (this command lists world-writable directories that lack the sticky bit):
      find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
  • Disable unwanted SUID and SGID binaries:
      # See all set-user-ID files:
      find / -perm /4000
      # See all set-group-ID files:
      find / -perm /2000
      # Or combine both in a single command:
      find / \( -perm -4000 -o -perm -2000 \) -print
      find / -path -prune -o -type f -perm /6000 -ls
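
The filesystem checks above can be combined into a repeatable audit. The script below is an added example, not part of the course slides: the function names, report tags and sample mount table are assumptions made for illustration.

```bash
#!/bin/bash
# Added example, not from the course slides. Function names and report tags
# are hypothetical. Sourcing the file only defines the functions.

# missing_mount_opts MOUNTPOINT "opt1 opt2" [MOUNTS_FILE]
# Prints each required option absent from the mount point's entry in a
# /proc/mounts-format table, or NOT_MOUNTED if it is not a separate mount.
missing_mount_opts() {
    local mp="$1" required="$2" table="${3:-/proc/mounts}" opts opt
    # Field 2 is the mount point, field 4 the options; the last entry wins.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$table")
    if [ -z "$opts" ]; then echo "NOT_MOUNTED"; return 1; fi
    for opt in $required; do
        case ",$opts," in
            *",$opt,"*) ;;
            *) echo "$opt" ;;
        esac
    done
}

# audit_tree DIR
# Runs the slide's three find checks within one filesystem (-xdev) and
# prefixes every hit with a tag so the report can be grepped or diffed.
audit_tree() {
    local dir="$1"
    find "$dir" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null |
        sed 's/^/UNOWNED /'
    find "$dir" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null |
        sed 's/^/WORLD_WRITABLE_DIR /'
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        sed 's/^/SUID_SGID /'
}

# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE_MOUNTS='/dev/sda3 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda2 /boot ext4 ro,nosuid,nodev,noexec,relatime 0 0'

# Run as "bash fs_audit.sh /some/dir" to report on the live system.
if [ -n "${1:-}" ]; then
    missing_mount_opts /tmp "noexec nosuid" | sed 's/^/TMP_MISSING_OPT /'
    audit_tree "$1"
fi
```

Saving the tagged output after each patch cycle and diffing it against the previous run shows newly introduced SUID/SGID binaries or world-writable directories.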