cis 290 linux security
CIS 290 LINUX Security
Basic OS Hardening Procedures
Physical security
• Lock it up!
• BIOS Password
• Disable BIOS alternate boot devices
• Disable interactive boot: vi /etc/sysconfig/init
    PROMPT=no
• Password protected GRUB boot
• Console locking: yum install vlock, xlock
• Lock desktop GUI, or no Xwindows at all.
• Disable Ctrl/Alt/Del (procedure varies)
Software maintenance
• Install Red Hat GPG key from installation CD-ROM or DVD:
    rpm --import /mnt/cdrom/RPM-GPG-KEY
• Display a list of all keys installed for RPM verification:
    rpm -qa 'gpg-pubkey*'
• Display specific key:
    rpm -qi gpg-pubkey-db42a60e-37ea5438
• Verify package keys:
    rpm -K /root/updates/*.rpm
• Enable automatic GPG signature verification under the [main] section of your /etc/yum.conf:
    gpgcheck=1
• Cleanup Yum Repositories. Only what you need.
• Remove unneeded software.
• Keep the OS up to date. NO AUTO UPDATES!!
• Kernel compile options – tricky, hard work to get it right
Filesystem security
• Mount options (-o): noexec (especially /tmp), nosetuid, nosuid, ro (!)
• Encrypted File System (Dangerous), TrueCrypt containers, encrypted hard drive (hardware, software)
• No-owner Files
    find /dir -xdev \( -nouser -o -nogroup \) -print
• World-Writable Files
    find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
• Disable Unwanted SUID and SGID Binaries
    # GNU find: -perm /MODE matches any of the bits (older releases wrote +MODE)
    # See all set-user-ID files:
    find / -perm /4000
    # See all set-group-ID files:
    find / -perm /2000
    # Or combine both in a single command:
    find / \( -perm -4000 -o -perm -2000 \) -print
    # The path to prune is missing on the slide; /proc is assumed here:
    find / -path /proc -prune -o -type f -perm /6000 -ls
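
An added example (not from the original slides) that combines the three find checks above into one audit function and compares SUID/SGID files against an approved list. The function names, the allowlist file format, the output labels and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# audit_tree DIR [ALLOWLIST]
#   DIR        tree to scan (-xdev keeps find on one filesystem, as on the slide)
#   ALLOWLIST  optional file, one approved SUID/SGID path per line (assumed format)
audit_tree() {
    dir=$1
    allow=${2:-/dev/null}

    # SUID or SGID regular files; -perm -4000 / -2000 means "this bit is set".
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # Report only files that are not on the approved list.
        grep -Fxq -- "$f" "$allow" || printf 'UNAPPROVED-SETID %s\n' "$f"
    done

    # World-writable directories that lack the sticky bit.
    find "$dir" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null |
    while IFS= read -r d; do
        printf 'WORLD-WRITABLE-NOSTICKY %s\n' "$d"
    done

    # Files whose owner or group has no passwd/group entry.
    find "$dir" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null |
    while IFS= read -r o; do
        printf 'UNOWNED %s\n' "$o"
    done
}

# Constructed sample tree, so the audit can be tried without scanning real system paths.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/bin" "$t/drop" "$t/tmp"
    : > "$t/bin/approved"; : > "$t/bin/stray"; : > "$t/bin/plain"
    chmod 4755 "$t/bin/approved" "$t/bin/stray"   # SUID bit set
    chmod 0755 "$t/bin/plain"                     # ordinary file
    chmod 0777 "$t/drop"                          # world-writable, no sticky bit
    chmod 1777 "$t/tmp"                           # world-writable with sticky bit
    printf '%s\n' "$t/bin/approved" > "$t/allow.list"
    printf '%s\n' "$t"
}
```

On a real host, generate the allowlist once from a known-good install and rerun the audit after each update to catch newly introduced SUID/SGID binaries.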