...
1
| If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall in between the network and the host to be protected. | ||||||||||||||
5
| Since /tmp is intended to be world writable, creating a separate partition for it can prevent resource exhaustion. Setting nodev prevents users from creating or using block or special character devices. Setting noexec prevents users from running binary executables from /tmp. Setting nosuid prevents users from creating set userid files in /tmp. | ||||||||||||||
6
| Multiple partitions are recommended to protect against resource exhaustion conditions if a partition fills up, as well as to allow for the setting of various options on individual partitions to support increased security (e.g. nodev, nosuid, noexec). | ||||||||||||||
11
| Install and use the yum-security plugin.
| ||||||||||||||
13
| Setting user/group ownership to root and file permissions to read and write only for root is recommended to prevent non-root users from viewing or changing the boot parameters. | ||||||||||||||
15
| A simple way to disable the GUI is to change the default run level. Edit the file /etc/inittab. Look for the line that contains the following:
Replace the "5" with "3". The line will then read:
| ||||||||||||||
17
| Core dumps are intended to help determine why a program aborted. They may contain sensitive or confidential data from memory. It is recommended that core dumps be disabled or restricted. The system should be configured to prevent setuid programs from creating core dumps. | ||||||||||||||
18
| Add the following line to the /etc/sysctl.conf file:
| ||||||||||||||
20
| Disable any xinetd services you do not absolutely require by setting "disable=yes" in /etc/xinetd.d/*. Configure TCP wrappers for access control. Unnecessary services can be disabled with:
or:
For example, the command
configures runlevels 3, 4, and 5.
| ||||||||||||||
21
| If no xinetd services are required, disable xinetd altogether:
| ||||||||||||||
25
| Red Hat RHEL7 comes with firewalld, however iptables may be installed and used instead.This is documented at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html Below is a list of some iptables resources: | ||||||||||||||
33
| If you decide to utilize SSH, the ISO highly recommends the following:
| ||||||||||||||
34
| INFO is a basic logging level that will capture user login and logout activity. Other logging levels may be used, but may generate more noise. The DEBUG logging level is not recommended for production servers. | ||||||||||||||
35
| Do not permit root logins via SSH. If root access over SSH is absolutely necessary, require administrators to authenticate with an individual account first and then use su or sudo. This is to prevent remote brute force attacks against the root user account as well as to create an audit trail of administrative activity in the event of a compromise. | ||||||||||||||
37
| There is a license fee for Tripwire. The Tripwire management console can be very helpful for managing more complex installations.
| ||||||||||||||
38
| Many resources exist for understanding and configuring SELinux:
SELinux is enabled by default with RHEL systems and should not be disabled unless absolutely necessary. | ||||||||||||||
39
| OSSEC is a free, open-source host-based intrusion detection system, which performs log analysis, file integrity checking, and rootkit detection, with real time alerting, in an effort to identify malicious activity. It is available at http://www.ossec.net/. | ||||||||||||||
40
| ITS Networking operates two stratum 2 NTPv4 (NTP version 4) servers for network time synchronization services for university network administrators. | ||||||||||||||
41
| Auditd monitors various system activity, such as system logins, authentications, account modifications, and SELinux denials. These records may help administrators identify malicious activity or unauthorized access. | ||||||||||||||
42
| Rsyslog is a third-party package which is intended to replace the standard syslog daemon. The CIS benchmark has several recommendations for configuring rsyslog. Some benefits of rsyslog include transmission of logs over TCP and support for encryption of log data when transmitting over a network. | ||||||||||||||
44
| It is highly recommended that logs are shipped from any Category I devices to a service like Splunk, which provides log aggregation, processing, and real-time monitoring of events among many other things. This helps to ensure that logs are preserved and unaltered in the event of a compromise, in addition to allowing proactive log analysis of multiple devices. Splunk licenses are available through ITS at no charge. ITS also maintains a centrally-managed Splunk service that may be leveraged. | ||||||||||||||
45
|
| ||||||||||||||
46
| Ensure the following are set in /etc/pam.d/other:
Warn will report alerts to syslog. | ||||||||||||||
48
| To require strong passwords, in compliance with section 5.18 of the Information Resources Use and Security Policy: For RHEL 6: In /etc/pam.d/system-auth, add or change the file as required to read:
For RHEL 7: In /etc/security/pwquality.conf, add:
In /etc/pam.d/system-auth, add or change the file as required to read:
| ||||||||||||||
49
| Ensure that the terminal security file (for example, /etc/securetty or /etc/ttys) is configured to deny privileged (root) access. On a Red Hat box, this means that no virtual devices (such as /dev/pty*) appear in this file. | ||||||||||||||
50
| The text of the university's official warning banner can be found on the ITS Web site. You may add localized information to the banner as long as the university banner is included. | ||||||||||||||
51
| The text of the university's official warning banner can be found on the ITS Web site. You may add localized information to the banner as long as the university banner is included. | ||||||||||||||
52
| There are few viruses that infect Linux computers; therefore, it is understandable for most Linux servers to have an exception to this rule. See the Operations Manual for information on the exception process. You may choose any proven anti-virus product. One option is ClamAV. | ||||||||||||||
53
| There are few viruses that infect Linux computers; therefore, it is understandable for most Linux servers to have an exception to this rule. See the Operations Manual for information on the exception process. | ||||||||||||||
54
| There are a variety of methods available to provide encrypted storage. Two good candidates are LUKS and GNUPG (free). |
...