Linux OS Security Features Implementation

Upload: shiva-kumar

Post on 08-Mar-2016


  • Sr.No.  Security Feature

    1   SU
    2   SUDO
    3   Disable services
    4   Key-based authentication
    5   Password security
    6   BIOS and boot loader security
    7   Disabling interactive startup
    8   Password ageing
    9   Limiting root access
    10  Disallowing root access
    11  Enabling automatic logouts
    12

  • How to implement

  • Disable services

    chkconfig telnet off
    chkconfig rsh off
    chkconfig rlogin off
    chkconfig vsftpd off

  • SU

    1. Add the username as a member of the wheel group in the /etc/group file for each user who is to be allowed su access.
    2. Remove the hash from the line "#auth required pam_wheel.so use_uid" in the /etc/pam.d/su file.

  • SUDO

    1. Edit the /etc/sudoers file with the visudo command.
    2. By default, sudo caches the sudoer's password for a five-minute timeout period. Any subsequent uses of the command during this period will not prompt the user for a password. This could be exploited by an attacker if the user leaves the workstation unattended and unlocked while still logged in. This behaviour can be changed by adding the following line to the /etc/sudoers file:

         Defaults timestamp_timeout=<value>

       where <value> is the desired timeout length in minutes. Setting the value to 0 causes sudo to require a password every time.
    3. Each successful authentication using sudo is logged to the file /var/log/messages, and the command issued along with the issuer's username is logged to the file /var/log/secure. Should you require additional logging, use the pam_tty_audit module to enable TTY auditing for specified users by adding the following line to your /etc/pam.d/system-auth file:

         session required pam_tty_audit.so disable=<pattern> enable=<pattern>

       where pattern represents a comma-separated list of users with an optional use of globs. For example, the following configuration enables TTY auditing for the root user and disables it for all other users:

         session required pam_tty_audit.so disable=* enable=root

    4. To give someone full administrative privileges, type visudo and add a line similar to the following in the user privilege specification section:

         juan ALL=(ALL) ALL

       This example states that the user juan can use sudo from any host and execute any command.
    5. The example below illustrates the granularity possible when configuring sudo:

         %users localhost=/sbin/shutdown -h now

       This example states that any user can issue the command /sbin/shutdown -h now as long as it is issued from the console.

  • Key-based authentication

    Open the /etc/ssh/sshd_config configuration file in a text editor such as vi or nano, and change the PasswordAuthentication option as follows:

      PasswordAuthentication no

  • BIOS and boot loader security

    To protect GRUB with a password, first choose a strong password, open a shell, log in as root, and then type the following command:

      /sbin/grub-md5-crypt

    When prompted, type the GRUB password and press Enter. This returns an MD5 hash of the password. Next, edit the GRUB configuration file /boot/grub/grub.conf. Open the file and, below the timeout line in the main section of the document, add the following line:

      password --md5 <password-hash>

    Replace <password-hash> with the value returned by /sbin/grub-md5-crypt.

    Unfortunately, this solution does not prevent an attacker from booting into an insecure operating system in a dual-boot environment. For this, a different part of the /boot/grub/grub.conf file must be edited. Look for the title line of the operating system that you want to secure, and add a line with the lock directive immediately beneath it. For a DOS system, the stanza should begin similar to the following:

      title DOS
      lock

    A password line must be present in the main section of the /boot/grub/grub.conf file for this method to work properly. Otherwise, an attacker can access the GRUB editor interface and remove the lock line.

    To create a different password for a particular kernel or operating system, add a lock line to the stanza, followed by a password line. Each stanza protected with a unique password should begin with lines similar to the following example:

      title DOS
      lock
      password --md5 <password-hash>

  • Disabling interactive startup

    To prevent users from starting up the system interactively, as root, disable the PROMPT parameter in the /etc/sysconfig/init file:

      PROMPT=no

  • Password ageing

    There are two primary programs used to specify password ageing under Red Hat Enterprise Linux: the chage command or the graphical User Manager (system-config-users) application. Shadow passwords must be enabled to use the chage command.

    The -M option of the chage command specifies the maximum number of days the password is valid. For example, to set a user's password to expire in 90 days, use the following command:

      chage -M 90 <username>

    (To disable password expiration, it is traditional to use a value of 99999 after the -M option; this equates to a little over 273 years.)

    Use the following command to enter interactive mode:

      chage <username>

    Force immediate password expiration by running the following command as root:

      chage -d 0 <username>

    Option    Description
    -d days   Specifies the number of days since January 1, 1970 the password was changed.
    -E date   Specifies the date on which the account is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used.
    -I days   Specifies the number of inactive days after the password expiration before locking the account. If the value is 0, the account is not locked after the password expires.
    -l        Lists current account ageing settings.
    -m days   Specifies the minimum number of days after which the user must change passwords. If the value is 0, the password does not expire.
    -M days   Specifies the maximum number of days for which the password is valid. When the number of days specified by this option plus the number of days specified with the -d option is less than the current day, the user must change passwords before using the account.
    -W days   Specifies the number of days before the password expiration date to warn the user.

    You can also use the graphical User Manager application to create password ageing policies, as follows. Note: you need Administrator privileges to perform this procedure.

    1. Click the System menu on the Panel, point to Administration and then click Users and Groups to display the User Manager. Alternatively, type the command system-config-users at a shell prompt.
    2. Click the Users tab, and select the required user in the list of users.
    3. Click Properties on the toolbar to display the User Properties dialog box (or choose Properties on the File menu).
    4. Click the Password Info tab, and select the check box for Enable password expiration.
    5. Enter the required value in the Days before change required field, and click OK.
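The chage options above operate on the ageing fields of /etc/shadow, where dates are stored as whole days since January 1, 1970. The following shell script is an added example (it is not part of the original document) that audits an /etc/shadow-style file against the 90-day policy: it reports accounts with no expiry (max 99999), a maximum above the policy, a forced change pending (last change 0), or an already expired password. The shadow lines and hashes are constructed for the example; the function names are the example's own.

```shell
# Added example, not part of the original document: audit password ageing in an
# /etc/shadow-style file against the 90-day policy set with "chage -M 90" above.
# Shadow fields (colon separated): name, hash, lastchg, min, max, warn, inactive,
# expire. lastchg and expire are days since 1 January 1970, exactly the unit the
# chage -d and -E options use. Locked accounts (hash starting with '!' or '*')
# are skipped. The shadow lines below are constructed for this example.

today_in_days() {
    # Today expressed the way chage stores dates: whole days since the epoch.
    echo $(( $(date +%s) / 86400 ))
}

# shadow_age_audit <shadow-file> <today-in-days> <policy-max-days>
# Prints "user<TAB>finding" for every active account that violates the policy.
shadow_age_audit() {
    awk -F: -v today="$2" -v policy="$3" '
        $2 ~ /^[!*]/ { next }                            # locked / no-password account
        {
            user = $1; last = $3; max = $5
            if (max == "" || max + 0 == 99999)
                print user "\tno expiry set (max=" max "); policy is " policy " days"
            else if (max + 0 > policy + 0)
                print user "\tmax " max " days exceeds policy of " policy
            else if (last == "0")
                print user "\tforced change pending (chage -d 0)"
            else if (last != "" && last + max < today + 0)
                print user "\tpassword expired " (today - last - max) " day(s) ago"
        }' "$1"
}

# Number of findings; 0 means every active account complies.
shadow_age_findings() {
    shadow_age_audit "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Constructed sample. 16800 days after the epoch is 31 December 2015; the hashes
# are placeholders, not real password hashes.
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$constructed$hash:16800:0:99999:7:::
alice:$6$constructed$hash:16700:0:90:7:::
bob:$6$constructed$hash:16790:0:90:7:::
carol:$6$constructed$hash:16700:0:180:7:::
dave:!!:16000:0:99999:7:::
eve:$6$constructed$hash:0:0:90:7:::
EOF

# Stand-alone run against the constructed sample with a 90-day policy.
shadow_age_audit "$SAMPLE_SHADOW" 16800 90
```

On a real host the call would be `shadow_age_audit /etc/shadow "$(today_in_days)" 90` as root. The locked-account skip matters: accounts disabled with `passwd -l` or `usermod -L` show up with `!` in the hash field and would otherwise flood the report with stale ageing data.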

  • Limiting root access

    Via su or sudo configuration (see SU and SUDO above).

  • Disallowing root access

    To prevent users from logging in directly as root, the system administrator can set the root account's shell to /sbin/nologin in the /etc/passwd file. To prevent root logins via the SSH protocol, edit the SSH daemon's configuration file, /etc/ssh/sshd_config, and change the PermitRootLogin line so that it reads:

      PermitRootLogin no
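Both the PasswordAuthentication setting (key-based authentication above) and the PermitRootLogin setting here are read by sshd with "first occurrence wins" semantics, so a hardening line appended to the end of a file that already sets the keyword earlier has no effect. The following shell functions are an added example, not part of the original document, that report the value sshd will actually honour and check both keywords; the sample sshd_config files are constructed, and the check only audits the global section (lines after a Match block are ignored, an assumption of the example).

```shell
# Added example, not part of the original document: show which value sshd will
# actually honour for a keyword. In sshd_config the FIRST occurrence of a keyword
# wins, keyword matching is case-insensitive, and '#' starts a comment. So a
# "PasswordAuthentication no" or "PermitRootLogin no" appended below an earlier
# "yes" line changes nothing. Lines from the first "Match" block onward are ignored
# here (assumption: this check only audits the global section).
# The sshd_config files below are constructed samples, not copied from any host.

sshd_effective() {
    # $1 = keyword, $2 = path to an sshd_config-style file; prints the effective value
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                    # comment
        /^[[:space:]]*$/ { next }                    # blank line
        tolower($1) == "match" { exit }              # conditional section: out of scope
        tolower($1) == key { print $2; exit }        # first occurrence wins
    ' "$2"
}

# check_sshd_hardening <file>: returns 0 when both PermitRootLogin and
# PasswordAuthentication are "no" in effect, 1 otherwise (printing what was found).
check_sshd_hardening() {
    cfg="$1"
    status=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_effective "$kw" "$cfg")
        if [ "$val" != "no" ]; then
            echo "$kw in effect: ${val:-<unset, sshd default applies>}"
            status=1
        fi
    done
    return $status
}

# Constructed sample 1: the hardening line was appended, but the earlier
# "PasswordAuthentication yes" is the one sshd honours.
SSHD_SAMPLE_BAD=$(mktemp)
cat > "$SSHD_SAMPLE_BAD" <<'EOF'
# constructed sshd_config (sample 1)
Port 22
PasswordAuthentication yes
permitrootlogin no
# appended later; ineffective because of the line above
PasswordAuthentication no
EOF

# Constructed sample 2: each keyword set once, as a hardened file should have it.
SSHD_SAMPLE_GOOD=$(mktemp)
cat > "$SSHD_SAMPLE_GOOD" <<'EOF'
# constructed sshd_config (sample 2)
Port 22
PermitRootLogin no
PasswordAuthentication no
EOF

# Stand-alone run: report on both samples.
for f in "$SSHD_SAMPLE_BAD" "$SSHD_SAMPLE_GOOD"; do
    if check_sshd_hardening "$f"; then echo "$f: hardened"; else echo "$f: NOT hardened"; fi
done
```

On a live host `sshd -T` prints the effective configuration and is the authoritative check; the function above is useful when auditing files copied from many hosts, or files that sshd cannot parse yet. The trap it catches (an ignored duplicate keyword) is exactly what an "append to the end of the file" change leaves behind.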

  • Enabling automatic logouts

    Make sure the screen package is installed. You can do so by running the following command as root:

      yum install screen

    or check whether it is already present with:

      rpm -qa | grep -i screen

    As root, add the following line at the beginning of the /etc/profile file to make sure the processing of this file cannot be interrupted:

      trap "" 1 2 3 15

    Add the following lines at the end of the /etc/profile file to start a screen session each time a user logs in to a virtual console or remotely:

      SCREENEXEC="screen"
      if [ -w $(tty) ]; then
        trap "exec $SCREENEXEC" 1 2 3 15
        echo -n 'Starting session in 10 seconds'
        sleep 10
        exec $SCREENEXEC
      fi

    Note that each time a new session starts, a message will be displayed and the user will have to wait ten seconds. To adjust the time to wait before starting a session, change the value after the sleep command.

    Add the following lines to the /etc/screenrc configuration file to close the screen session after a given period of inactivity:

      idle 120 quit
      autodetach off

    Alternatively, you can configure the system to only lock the session by using the following lines instead:

      idle 120 lockscreen
      autodetach off

    This way, a password will be required to unlock the session. The changes take effect the next time a user logs in to the system.

  • # Turn on tcp_sack
    net.ipv4.tcp_sack = 1
    # tcp_fack should be on because of sack
    net.ipv4.tcp_fack = 1
    # Turn on tcp_timestamps
    net.ipv4.tcp_timestamps = 1
    # Enable TCP SYN cookie protection
    net.ipv4.tcp_syncookies = 1
    # Enable ignoring broadcast requests
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    # Disable ICMP redirect acceptance
    net.ipv4.conf.all.accept_redirects = 0
    # Enable bad error message protection
    net.ipv4.icmp_ignore_bogus_error_responses = 1
    # Don't log spoofed packets, source routed packets, redirect packets
    net.ipv4.conf.all.log_martians = 0

    # If you are feeling daring, you can also use the settings below; otherwise just remove them. (Should increase performance)
    # Make more local ports available
    net.ipv4.ip_local_port_range = 1024 65000
    # Increase maximum amount of memory allocated to shm
    kernel.shmmax = 1073741824
    # Improve file system performance
    vm.bdflush = 100 1200 128 512 15 5000 500 1884 2
    # This will increase the amount of memory available for socket input/output queues
    net.ipv4.tcp_rmem = 4096 25165824 25165824
    net.core.rmem_max = 25165824
    net.core.rmem_default = 25165824
    net.ipv4.tcp_wmem = 4096 65536 25165824
    net.core.wmem_max = 25165824
    net.core.wmem_default = 65536
    net.core.optmem_max = 25165824
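Settings like the ones above only help while the running kernel actually has them, and a later package, a manual `sysctl -w`, or a second file in /etc/sysctl.d can silently revert one. The following shell script is an added example, not part of the original document: it normalises a desired sysctl.conf-style file and a snapshot of running values (on a real host, the output of `sysctl -a`) into a common form and reports every parameter that drifted or is missing. Both input files are constructed here so the check runs offline; the function names are the example's own.

```shell
# Added example, not part of the original document: compare the desired kernel
# parameters (a sysctl.conf-style file such as the block above) against a snapshot
# of the running values. On a real host the snapshot would be `sysctl -a > snapshot`;
# here both files are constructed so the check runs offline. Assumptions: keys may
# be written with '.' or '/' separators, values may be separated by tabs (as sysctl
# prints multi-value keys), and '#' starts a comment.

sysctl_normalize() {
    # Emit "key<TAB>value" per setting with dotted keys and single-space-separated values.
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    awk '{
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key); gsub("/", ".", key)
        gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
        print key "\t" val
    }'
}

# sysctl_drift <desired-file> <snapshot-file>: one line per parameter whose running
# value differs from the desired one or which is missing from the snapshot.
sysctl_drift() {
    want=$(mktemp); have=$(mktemp)
    sysctl_normalize "$1" > "$want"
    sysctl_normalize "$2" > "$have"
    awk '
        BEGIN { FS = "\t" }
        FILENAME == ARGV[1] { cur[$1] = $2; next }           # first file: snapshot
        !($1 in cur) { print $1 ": desired " $2 ", not present in snapshot"; next }
        cur[$1] != $2 { print $1 ": desired " $2 ", running " cur[$1] }
    ' "$have" "$want"
    rm -f "$want" "$have"
}

# Number of drifted parameters (0 means the snapshot matches the desired settings).
sysctl_drift_count() {
    sysctl_drift "$1" "$2" | wc -l | tr -d ' '
}

# Constructed desired settings: the security-relevant keys from the block above.
SYSCTL_DESIRED=$(mktemp)
cat > "$SYSCTL_DESIRED" <<'EOF'
# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1
# Ignore broadcast ICMP echo requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Do not accept ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_local_port_range = 1024 65000
EOF

# Constructed snapshot in `sysctl -a` style (tab-separated multi-value, one slash key).
SYSCTL_SNAPSHOT=$(mktemp)
printf 'net.ipv4.tcp_syncookies = 1\n'                >  "$SYSCTL_SNAPSHOT"
printf 'net.ipv4.icmp_echo_ignore_broadcasts = 0\n'   >> "$SYSCTL_SNAPSHOT"
printf 'net/ipv4/conf/all/accept_redirects = 1\n'     >> "$SYSCTL_SNAPSHOT"
printf 'net.ipv4.ip_local_port_range = 1024\t65000\n' >> "$SYSCTL_SNAPSHOT"

# Stand-alone run: three of the five desired parameters have drifted or are missing.
sysctl_drift "$SYSCTL_DESIRED" "$SYSCTL_SNAPSHOT"
```

The example deliberately leaves net.ipv4.conf.all.log_martians out of the desired set: the block above sets it to 0, whereas common hardening guidance (CIS benchmarks, the Red Hat security guides) asks for 1 so that spoofed and source-routed packets are logged and can be picked up by detection tooling. Whichever value a site chooses, the drift check is the same.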

  • Linux commands

    Sr.No.  Command: Use

    1   dmidecode: To show system information
    2   rhn_register: To register the system to the RHN
    3   yum update package_name: To update a specific package
    4   yum update: To update all packages
    5   yum list installed: To list all installed packages on the system
    6   yum list all: To list all installed and available packages
    7   yum install package_name: To install a specific package
    8   yum groupinstall groupname (or groupid) / yum install @group: To install a package group by passing its full group name or group id
    9   yum remove package_name: To remove a specific package
    10  yum groupremove groupname: To remove a package group
    11  yum grouplist: To list all package groups
    12  yum repolist: To list the repository ID, name, and number of packages it provides for each enabled repository
    13  yum info package_name: To display information about one or more packages
    14  yum history or yum history list: To display a list of the twenty most recent transactions, as root
    15  yum history list all: To display all transactions
    16  yum history summary: To display a summary of all past transactions
    17  yum history info id: To examine a particular transaction or transactions in more detail
    18  yum history addon-info id: To display additional information for a certain transaction
    19  yum -q history addon-info id saved_tx > file_name: To store the transaction details to a file, type this at a shell prompt as root
    20  yum load-transaction file_name: Once you copy this file to the target system, you can repeat the transaction by using this command.
        yum history: To check the last updated/installed history with time stamp and ID.
        yum history rollback/undo/redo: Rolls back the previously installed or updated rpms by using the ID.
    21  yum history new: To start a new transaction history. This creates a new, empty database file in the /var/lib/yum/history/ directory. The old transaction history is kept, but will not be accessible as long as a newer database file is present in the directory.
    22  /var/log/yum.log: yum log file
    23  ntsysv: To configure which services are to be started in selected runlevels
    24  chkconfig: To specify in which runlevel to start a selected service, as well as to list all available services along with their current setting
    25  ip route add X.X.X.X: To add a host-specific static route
    26  ip route add X.X.X.X/Y: To add a static route to a network, where X.X.X.X is the IP address of the network in dotted decimal notation and Y is the network prefix. The network prefix is the number of enabled bits in the subnet mask.
    27  /etc/sysconfig/network-scripts/route-interface: Static route configuration is stored per interface in a /etc/sysconfig/network-scripts/route-interface file. For example, static routes for the eth0 interface would be stored in the /etc/sysconfig/network-scripts/route-eth0 file. The route-interface file has two formats: IP command arguments and network/netmask directives. Global default gateway configuration is stored in the /etc/sysconfig/network file. This file specifies gateway and host information for all network interfaces.

        This is a sample route-eth0 file using the IP command arguments format. The default gateway is 192.168.0.1, interface eth0. The two static routes are for the 10.10.10.0/24 and 172.16.1.0/24 networks:

          default via 192.168.0.1 dev eth0
          10.10.10.0/24 via 192.168.0.1 dev eth0
          172.16.1.0/24 via 192.168.0.1 dev eth0

    28  This is a sample route-eth0 file using the network/netmask directives format for permanent route entries:

          ADDRESS0=10.10.10.0
          NETMASK0=255.255.255.0
          GATEWAY0=192.168.0.1
          ADDRESS1=172.16.1.0
          NETMASK1=255.255.255.0
          GATEWAY1=192.168.0.1

    29  ifup / ifdown: To bring an interface up / down
    30  runlevel: To check in which runlevel you are operating
    31  pvs, pvdisplay, pvscan: To display properties of LVM physical volumes
    32  lvmdiskscan: Scan for block devices that may be used as physical volumes
    33  pvchange -x n /dev/sdk1: Disallows the allocation of physical extents on /dev/sdk1
    34  pvchange -x y /dev/sdk1: Allows the allocation of physical extents on /dev/sdk1 that has previously been disallowed
    35  pvresize: To update LVM with the new size after the size of an underlying block device has been changed for any reason
    36  pvremove: If a device is no longer required for use by LVM, you can remove the LVM label
    37  vgs: Check whether an existing volume group is a clustered volume group
    38  vgchange -l 128 vg00: Changes the maximum number of logical volumes of volume group vg00 to 128
    39  lvchange: You can deactivate individual logical volumes
    40  vgsplit: To split the physical volumes of a volume group and create a new volume group, use the vgsplit command
    41  vgsplit bigvg smallvg /dev/ram15: The example splits off the new volume group smallvg from the original volume group bigvg
    42  vgmerge -v databases my_vg: To combine two volume groups into a single volume group, use the vgmerge command. You can merge an inactive "source" volume with an active or an inactive "destination" volume if the physical extent sizes of the volumes are equal and the physical and logical volume summaries of both volume groups fit into the destination volume group's limits. This command merges the inactive volume group my_vg into the active or inactive volume group databases, giving verbose runtime information.
    43  vgcfgbackup: By default, the metadata backup is stored in the /etc/lvm/backup file and the metadata archives are stored in the /etc/lvm/archives file. You can manually back up the metadata to the /etc/lvm/backup file with the vgcfgbackup command.
    44  vgcfgrestore: Restores the metadata of a volume group from the archive to all the physical volumes in the volume group
    45  vgrename: To rename an existing volume group
    46  vgrename /dev/vg02 /dev/my_volume_group OR vgrename vg02 my_volume_group: Either of the commands renames the existing volume group vg02 to my_volume_group
    47  lvcreate -L 10G vg1: Creates a logical volume 10 gigabytes in size in the volume group vg1
    48  lvcreate -l 60%VG -n mylv testvg: Creates a logical volume called mylv that uses 60% of the total space in volume group testvg
    49  lvcreate -l 100%FREE -n yourlv testvg: You can also use the -l argument of the lvcreate command to specify the percentage of the remaining free space in a volume group as the size of the logical volume. This command creates a logical volume called yourlv that uses all of the unallocated space in the volume group testvg.
    50  lvconvert -m1 vg00/lvol1: Converts the linear logical volume vg00/lvol1 to a mirrored logical volume
    51  lvconvert -m0 vg00/lvol1: Converts the mirrored logical volume vg00/lvol1 to a linear logical volume, removing the mirror leg
    52  iptables -L: To see what is configured
    53  Examples of iptables:
        1. iptables -A INPUT -s 192.168.75.0/24 -j REJECT: Rejects all traffic from the 192.168.75.0 subnet, and sends a "destination unreachable" error message back to any client that tried to connect.
        2. iptables -A INPUT -s 192.168.25.200 -p icmp -j DROP: Stops users of the computer with the IP address 192.168.25.200 from "pinging" your system.
    54  service iptables save: Saves the firewall configuration to a file
    55  chkconfig --list iptables: To check the iptables service status
    56  chkconfig iptables on: To activate the iptables service
    57  date +%D -s YYYY-MM-DD: To set the date
    58  date +%T -s HH:MM:SS: To set the time
    59  date +%T -s HH:MM:SS -u: To set the clock to use UTC
    60  ntpdate -q server-address: To check whether the selected NTP server is available
    61  ntpdate server-address: To sync the date with the NTP server
    63  ethtool em1: To check the physical connectivity of the LAN card
    64  lsblk: To list disk devices
    65  ethtool -s eth0 speed 100 duplex full: To change the network interface card speed and set full duplex
    66  ethtool -s eth0 speed 100 duplex half: To change the network interface card speed and set half duplex
    67  mii-tool eth0: To check the interface card speed and health
    68  fsck -N /dev/sdb1 or file -sL /dev/sdb1: To check the file system type

  • Linux commands (YUM)

    Sr.No.  Command: Use

    1   yum check-update: To see which installed packages on your system have updates available
    2   yum update package_name: To update a single package, run this command as root
    3   yum history: To view the yum transaction history
    4   yum update: To update all packages and their dependencies, simply enter yum update (without any arguments)
    5   yum search term: To search all RPM package names, descriptions and summaries
    6   yum list (and related commands): Provides information about packages, package groups, and repositories
    7   yum list all: Lists all installed and available packages
    8   yum list installed (e.g. yum list installed "krb?-*"): Lists all packages installed on your system. The rightmost column in the output lists the repository from which the package was retrieved.
    9   yum list available: Lists all available packages in all enabled repositories
    10  yum grouplist: Lists all package groups
    11  yum repolist: Lists the repository ID, name, and number of packages it provides for each enabled repository
    12  yum info package-name: To display information about a package
    13  yumdb info package-name: Alternative and useful information about the package. This command provides additional information about a package, including the checksum of the package (and the algorithm used to produce it, such as SHA-256), the command given on the command line that was invoked to install the package (if any), and the reason that the package is installed on the system (where user indicates it was installed by the user, and dep means it was brought in as a dependency). For example, to display additional information about the yum package, type yumdb info yum.
    14  yum install package-name: To install a single package and all of its non-installed dependencies
    15  yum install package-name package-name: To install multiple packages simultaneously, append their names as arguments
    16  yum install sqlite2.i586: If you are installing packages on a multilib system, such as an AMD64 or Intel64 machine, you can specify the architecture of the package (as long as it is available in an enabled repository) by appending .arch to the package name
    17  yum install audacious-plugins-\*: Using glob expressions
    18  yum install /usr/sbin/named: If you know the name of the binary you want to install, but not its package name, you can give yum install the path name
    19  yum install @group: Install a package group
    20  yum groupinstall group-name: Install a package group
    21  yum groupinstall groupid: Install by group ID
    22  yum provides "*/file_name": A common and useful trick to find the package(s) that contain file_name
    23  yum remove package-name: To uninstall a particular package, as well as any packages that depend on it
    24  yum remove package-name package-name: To uninstall multiple packages at a time. Similar to install, yum remove takes arguments: package names, glob expressions, package files, package provides
    25  yum groupremove package-group: To remove a package group
    26  yum remove @group: To remove a package group
    27  yum history list: To display a list of the twenty most recent transactions, as root, either run yum history with no additional arguments or yum history list
    28  yum history list all: To display all transactions, add the all keyword
    29  yum history list start_id..end_id: To display only transactions in a given range
    30  yum history list glob_expression: To list only transactions regarding a particular package or packages
    31  yum history list 1..5: List of the first five transactions
    32  yum history summary: To display a summary of all past transactions
    33  yum history summary id: To display a summary of a single transaction
    34  yum history info id: To examine a particular transaction in more detail (if id is omitted, the last transaction is examined by default)
    35  yum history addon-info id: For additional info
    36  yum history undo id: To revert a transaction
    37  yum history redo id: To repeat a particular transaction
    38  yum -q history addon-info id saved-tx > file_name: To store the transaction details to a file
    39  yum load-transaction file_name: After copying the above file to the target system, the transaction can be repeated by executing this command (for this the rpmdb version should be the same on the source and target system)
    40  yum version nogroups: To verify the rpmdb version
    41  yum history new: This command creates a new empty database under the /var/lib/yum/history directory. The old transaction history is kept but will not be accessible as long as a newer database file is present in the directory.
    42  /etc/yum.conf: Yum configuration file location
    43  /etc/yum.repos.d: Individual repositories are located under this directory
    44  Sample yum.conf configuration file:

          [main]
          cachedir=/var/cache/yum/$basearch/$releasever
          keepcache=0
          debuglevel=2
          logfile=/var/log/yum.log
          exactarch=1
          obsoletes=1
          gpgcheck=1
          plugins=1
          installonly_limit=3

        cachedir: the value shown is the default. debuglevel: a value between 1 and 10; a higher value gives more detailed information, and 0 disables debug output.

    45  Creating a yum repository: yum install createrepo (install the createrepo package), then copy all the packages that you want in your repository under one folder, e.g. /mnt/local_repo
    46  createrepo --database /mnt/local_repo: This creates the necessary metadata for your yum repository, as well as the sqlite database for speeding up yum operations
    47  yum check-update --security: To check security-related updates
    48  yum update --security: To update those packages which are affected by security advisories; updates all packages affected by a security advisory to the latest version of that package available
    49  yum update-minimal --security: Updates them to the latest packages which were released as part of a security advisory
    50  yum install httpd --downloadonly: To download the latest version of the httpd package without installing it. By default, packages downloaded using the --downloadonly option are saved in one of the subdirectories of the /var/cache/yum directory, depending on the Red Hat Enterprise Linux variant and architecture.
    51  yum install --downloadonly --downloaddir=/patches --security: To specify an alternate directory to save the packages
    52  yum update --security --skip -y --downloadonly --downloaddir=/packages/security-updates/: To download only the security updates without installing them
    53  To enable the plugin for the downloadonly option:

          # cat /etc/yum/pluginconf.d/downloadonly.conf
          [main]
          enabled=1

    54  yum-plugin-security, yum security: Plugin to download security patches
    55  yum updateinfo list available: To list all available errata without installing them
    56  yum updateinfo list sec: To list all available security updates without installing them
    57  yum updateinfo list security all: To get a list of the currently installed security updates
    58  yum update --cve <CVE-id>: To apply the update for a given CVE, e.g. yum update --cve CVE-2008-0947

  • Linux commands (Zypper)

    Sr.No.  Command: Use

    1   zypper se: To check the available packages
    2   zypper info: To check whether a package is installed or not
    3   zypper in: To install a package
    4   zypper remove: Remove a package
    5   zypper se -t pattern: Check the available group (bundle) packages
    6   zypper in -t pattern: To install a bundle of packages
    7   zypper lr: To list the available repos
    8   zypper -v in --from <repo> <package>: Install a package from a particular repo
    9   zypper in <package> -<package>: To install and remove packages simultaneously
    10  zypper mr --enable <repo> / zypper mr --disable <repo> / zypper ref -s (refresh all repos): Enable/disable/refresh the repos
    11  zypper repos -E: List only enabled repos
    12  zypper patch: Install the patches
    13  zypper list-patches: Check available patches