CIS 290 LINUX Security: Basic OS Hardening Procedures

Upload: feng

Post on 06-Jan-2016


TRANSCRIPT

Page 1: CIS 290 LINUX Security

Basic OS Hardening Procedures

Page 2

Physical security

• Lock it up!

• BIOS Password

• Disable BIOS alternate boot devices

• Disable interactive boot: edit /etc/sysconfig/init and set PROMPT=no

• Password protected GRUB boot

• Console locking: yum install vlock, xlock

• Lock the desktop GUI, or run no X Window System at all.

• Disable Ctrl/Alt/Del (procedure varies)

Page 3

Software maintenance

• Install the Red Hat GPG key from the installation CD-ROM or DVD:

rpm --import /mnt/cdrom/RPM-GPG-KEY

• Display a list of all keys installed for RPM verification: rpm -qa gpg-pubkey*

• Display a specific key: rpm -qi gpg-pubkey-db42a60e-37ea5438

• Verify package signatures: rpm -K /root/updates/*.rpm

• Enable automatic GPG signature verification: under the [main] section of /etc/yum.conf, set gpgcheck=1

• Clean up Yum repositories: keep only the ones you need.

• Remove unneeded software.

• Keep the OS up to date. NO AUTO UPDATES!!

• Kernel compile options – tricky, hard work to get it right

Page 4

Filesystem security

• Mount options (-o): noexec (especially /tmp), nosetuid, nosuid, ro (!)

• Encrypted file system (dangerous), TrueCrypt containers, encrypted hard drive (hardware, software)

• No-owner files (owner or group no longer exists): find /dir -xdev \( -nouser -o -nogroup \) -print

• World-writable directories without the sticky bit: find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

• Disable unwanted SUID and SGID binaries. Find them with:

# See all set-user-ID files (older find used -perm +4000):
find / -perm /4000
# See all set-group-ID files:
find / -perm /2000
# Or combine both in a single command:
find / \( -perm -4000 -o -perm -2000 \) -print
find / -path -prune -o -type f -perm /6000 -ls
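An added example, not from the slides: the three filesystem checks above packaged as shell functions and exercised on a constructed sample tree, so the predicates can be tried without scanning the live system. It assumes GNU find (for the -perm /mode syntax); every path and file name in the sample tree is made up for the demonstration.

```shell
#!/bin/sh
# Added example: audit a directory tree for the findings the slides list.
# Assumes GNU findutils; each function scans the tree given as its first argument.

# World-writable directories without the sticky bit: any user can delete or
# rename other users' files inside them (the sticky bit on /tmp prevents this).
audit_world_writable_dirs() {
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
}

# Regular files carrying the set-user-ID or set-group-ID bit.
audit_setid_files() {
    find "$1" -xdev -type f -perm /6000 -print
}

# Files whose owner or group no longer exists in /etc/passwd or /etc/group
# (typically left behind when an account is removed).
audit_unowned_files() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print
}

# Build a constructed sample tree (hypothetical names) and print its path,
# so the audits can be demonstrated on known input.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/drop" "$t/shared" "$t/private"
    chmod 0777 "$t/drop"       # world-writable, no sticky bit -> finding
    chmod 1777 "$t/shared"     # world-writable but sticky, like /tmp -> fine
    chmod 0755 "$t/private"
    : > "$t/private/helper"; chmod 4755 "$t/private/helper"   # SUID -> finding
    : > "$t/private/report"; chmod 2755 "$t/private/report"   # SGID -> finding
    : > "$t/private/notes";  chmod 0644 "$t/private/notes"    # plain -> fine
    printf '%s\n' "$t"
}

# Run all three audits over a tree and print a labelled report.
audit_report() {
    printf '== world-writable dirs without sticky bit ==\n'; audit_world_writable_dirs "$1"
    printf '== set-UID / set-GID files ==\n';                audit_setid_files "$1"
    printf '== unowned files ==\n';                          audit_unowned_files "$1"
}
```

On a real host, run `audit_report /` as root; unowned files need root-readable directories to be found reliably.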