Red Hat Linux 5 Hardening Tips

The following tips assume that the reader is starting with a default installation of Red Hat Enterprise Linux 5. This high-impact guidance can be applied quickly, but is by no means complete. For more complete guidance, please see our other publication, "Guide to the Secure Configuration of Red Hat Enterprise Linux 5," which can be found online at http://www.nsa.gov. These tips may or may not translate gracefully for other Linux distributions or modified installations of RHEL.

General Principles

• Encrypt all data transmitted over the network. Encrypting authentication information (such as passwords) is particularly important.
• Minimize the amount of software installed and running in order to minimize vulnerability.
• Use security-enhancing software and tools whenever available (e.g., SELinux and Iptables).
• Run each network service on a separate server whenever possible. This minimizes the risk that a compromise of one service could lead to a compromise of others.
• Maintain user accounts. Create a good password policy and enforce its use. Delete unused user accounts.
• Review system and application logs on a routine basis. Send logs to a dedicated log server. This prevents intruders from easily avoiding detection by modifying the local logs.
• Never log in directly as root, unless absolutely necessary. Administrators should use sudo to execute commands as root when required. The accounts capable of using sudo are specified in /etc/sudoers, which is edited with the visudo utility. By default, relevant logs are written to /var/log/secure.

Disk Partitions and Mounting

During initial installation, ensure that filesystems with user-writeable directories such as the following are mounted on separate partitions: /home, /tmp, /var/tmp.

During system configuration, change mount options in /etc/fstab to limit user access on appropriate filesystems. The defaults option is equal to rw,suid,dev,exec,auto,nouser,async. Using noexec instead prevents execution of binaries on a file system (though it will not prevent scripts from running). Using nosuid will prevent the setuid bit from having effect. The nodev option prevents use of device files on the filesystem.

Physical Security

Configure the BIOS to disable booting from CDs/DVDs, floppies, and external devices, and set a password to protect these settings.

Next, set a password for the GRUB bootloader. Generate a password hash using the command /sbin/grub-md5-crypt. Add the hash to the first line of /etc/grub.conf as follows:

password --md5 passwordhash

This prevents users from entering single user mode or changing settings at boot time.

Keep Software Up to Date

Either download updates manually through the Red Hat Network (http://rhn.redhat.com) or register each system with RHN to apply updates automatically. Security updates should be applied as soon as possible.

The default version of yum-updatesd does not function reliably. A better solution is to apply updates through a cron job. First, disable the service with:

/sbin/chkconfig yum-updatesd off

Second, create the file yum.cron, make it executable, place it in /etc/cron.daily or /etc/cron.weekly, and ensure that it reads as follows:

#!/bin/sh
/usr/bin/yum -R 120 -e 0 -d 0 -y update yum
/usr/bin/yum -R 10 -e 0 -d 0 -y update

Disable Unnecessary Services

To list the services configured to start at boot, run the following command:

/sbin/chkconfig --list

Find the column for the current run level to see which services are enabled. The default run level is 5. To disable a service, run the following command:

/sbin/chkconfig servicename off

Unless they are required, disable the following:

anacron        haldaemon    messagebus
apmd           hidd         microcode_ctl
autofs         hplip*       pcscd
avahi-daemon*  isdn         readahead_early
bluetooth      kdump        readahead_later
cups*          kudzu        rhnsd*
firstboot      mcstrans     setroubleshoot
gpm            mdmonitor    xfs

Items marked with a * are network services. It is particularly important to disable these. Additionally, the following services can be safely disabled if NFS is not in use: netfs, nfslock, portmap, rpcgssd, and rpcidmapd. Some software relies on haldaemon and messagebus, so care should be taken when disabling them. Changes will take effect after a reboot.

Disable SUID and SGID Binaries

To find SUID and SGID files on the system, use the following command:

find / \( -perm -4000 -o -perm -2000 \) -print

The following files can have their SUID or SGID bits safely disabled (using chmod -s filename) unless required for the purpose listed in the second column:

File                              Required For
/bin/ping6                        IPv6
/sbin/mount.nfs                   NFS
/sbin/mount.nfs4                  NFS
/sbin/netreport                   network control
/sbin/umount.nfs                  NFS
/sbin/umount.nfs4                 NFS
/usr/bin/chage                    passwd
/usr/bin/chfn                     account info
/usr/bin/chsh                     account info
/usr/bin/crontab                  cron
/usr/bin/lockfile                 Procmail
/usr/bin/rcp                      rsh
/usr/bin/rlogin                   rsh
/usr/bin/rsh                      rsh
/usr/bin/wall                     console messaging
/usr/bin/write                    console messaging
/usr/bin/Xorg                     Xorg
/usr/kerberos/bin/ksu             Kerberos
/usr/libexec/openssh/ssh-keysign  SSH host-based authentication
/usr/lib/vte/gnome-pty-helper     Gnome, Xorg
/usr/sbin/ccreds_validate         PAM auth caching
/usr/sbin/suexec                  Apache, CGI
/usr/sbin/userisdnctl             ISDN
/usr/sbin/usernetctl              network control

To see which RPM package each file belongs to, run rpm -qf filename. If the package is not necessary, remove it with rpm -e packagename. Precise control over the packages installed during initial system installation can be achieved using a Kickstart file.
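As an added check for the Disk Partitions and Mounting section (this script is not part of the original document), the function below reads an fstab-format listing and reports whether /home, /tmp and /var/tmp are on their own partitions and which of nodev, nosuid and noexec each still lacks; the sample fstab is constructed for illustration.

```shell
# Constructed sample /etc/fstab (not from a real system): /home is on its own
# partition but still has the default options, /tmp is hardened, and /var/tmp
# has no partition of its own.
FSTAB_SAMPLE='LABEL=/      /         ext3   defaults             1 1
LABEL=/home  /home     ext3   defaults             1 2
LABEL=/tmp   /tmp      ext3   nodev,nosuid,noexec  1 2
tmpfs        /dev/shm  tmpfs  defaults             0 0'

# check_fstab: read fstab lines on stdin and report, for each directory the
# text says belongs on its own partition, whether it is mounted separately and
# which of the nodev/nosuid/noexec options it still lacks.
check_fstab() {
  awk '
    $1 ~ /^#/ || NF < 4 { next }
    { opts[$2] = $4 }                     # mount point -> option list
    END {
      n = split("/home /tmp /var/tmp", want, " ")
      m = split("nodev nosuid noexec", need, " ")
      for (i = 1; i <= n; i++) {
        d = want[i]
        if (!(d in opts)) { print d ": not on its own partition"; continue }
        missing = ""
        for (j = 1; j <= m; j++)
          if (("," opts[d] ",") !~ ("," need[j] ",")) missing = missing " " need[j]
        if (missing == "") print d ": ok"
        else print d ": missing" missing
      }
    }'
}

# Number of directories that are not fully hardened; always exits 0 so the
# function is safe to call under set -e.
fstab_issue_count() {
  check_fstab | grep -vc ': ok$' || true
}

printf '%s\n' "$FSTAB_SAMPLE" | check_fstab
```

Run it against the real file with check_fstab < /etc/fstab; treat a missing noexec on /tmp as something to evaluate rather than apply blindly, since some software expects to execute from /tmp.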
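An added helper for the Disable SUID and SGID Binaries section (not from the original document): it embeds the page's table and classifies a find listing into files the table says may be stripped and files that need review first. The find output below is constructed, not taken from a real host.

```shell
# Table from the page: files whose SUID/SGID bit can be cleared with chmod -s
# unless the feature in the second column is needed (path, then purpose).
SUID_TABLE='/bin/ping6 IPv6
/sbin/mount.nfs NFS
/sbin/mount.nfs4 NFS
/sbin/netreport network control
/sbin/umount.nfs NFS
/sbin/umount.nfs4 NFS
/usr/bin/chage passwd
/usr/bin/chfn account info
/usr/bin/chsh account info
/usr/bin/crontab cron
/usr/bin/lockfile Procmail
/usr/bin/rcp rsh
/usr/bin/rlogin rsh
/usr/bin/rsh rsh
/usr/bin/wall console messaging
/usr/bin/write console messaging
/usr/bin/Xorg Xorg
/usr/kerberos/bin/ksu Kerberos
/usr/libexec/openssh/ssh-keysign SSH host-based authentication
/usr/lib/vte/gnome-pty-helper Gnome, Xorg
/usr/sbin/ccreds_validate PAM auth caching
/usr/sbin/suexec Apache, CGI
/usr/sbin/userisdnctl ISDN
/usr/sbin/usernetctl network control'
# Constructed sample output of the page's find command (not from a real system).
FIND_SAMPLE='/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/rsh
/usr/bin/wall
/usr/local/bin/helper'
# suid_audit: classify each path read on stdin. Files in the table are strip
# candidates; anything else (su, passwd, a local binary) is flagged for review
# rather than touched, e.g. by checking rpm -qf first.
suid_audit() {
  while IFS= read -r f; do
    purpose=$(printf '%s\n' "$SUID_TABLE" |
      awk -v p="$f" '$1 == p { $1 = ""; sub(/^ /, ""); print; exit }')
    if [ -n "$purpose" ]; then
      printf 'strip unless needed for %s: %s\n' "$purpose" "$f"
    else
      printf 'review: %s\n' "$f"
    fi
  done
}
printf '%s\n' "$FIND_SAMPLE" | suid_audit
```

On a real host, pipe the page's find command into suid_audit instead of the sample listing.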
Remove X Windows

A server will not typically need X Windows to provide its services, so remove it if possible:

yum groupremove "X Window System"

Installation of X Windows can also be completely prevented during initial system installation.

Configure and Use Iptables and TCP Wrapper

The Iptables firewall should be configured to allow only necessary network communications. For workstations, this may entail blocking all incoming communications, except for those related to connections the system initiated. If Iptables is currently running, view the current firewall policy with the following command:

/sbin/iptables -L

By default, the output should correspond to rules stored in the file /etc/sysconfig/iptables. Understand and edit these rules, removing any lines that allow unnecessary communications. To activate the updated rules, restart the service.

Also configure the TCP Wrapper library to protect network daemons that support its use by adding appropriate rules to /etc/hosts.allow and /etc/hosts.deny.

Configure and Use SELinux

The default SELinux policy, called targeted, provides protection against compromised or misconfigured system services. This policy should not interfere with normal system operation. Ensure that /etc/selinux/config includes the following lines:

SELINUX=enforcing
SELINUXTYPE=targeted

Stronger policies such as strict and mls can be used if appropriate. However, these require customization to operate successfully for many general-purpose usage scenarios.

Set Kernel Parameters

At boot, the system reads and applies a set of kernel parameters from /etc/sysctl.conf. Add the following lines to that file to prevent certain kinds of attacks:

net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
kernel.exec-shield=1
kernel.randomize_va_space=1

For more possible parameters, including settings for IPv6, please see our complete guide.

NTP

For most systems, the ntpd service introduces unnecessary overhead. Instead, call its update utility, ntpdate, directly through a cron job. Create the file /etc/cron.d/ntpdate with the following line:

15 * * * * root /usr/sbin/ntpdate server

Substitute an appropriate NTP server for server. Hosts on a network should synchronize their time from a local NTP server, and then only this local NTP server should acquire the time from an external, trusted source.

Configure or Disable SSH

SSH is often required, but if it is not, disable it:

/sbin/chkconfig sshd off

If SSH is required, ensure the SSH configuration file /etc/ssh/sshd_config includes the following lines:

PermitRootLogin no
Protocol 2

If possible, limit SSH access to a subset of users. Create a group called sshusers and only add the users that need remote access. Then, add the following line to /etc/ssh/sshd_config:

AllowGroups sshusers

Restart the service so that these changes take effect.

Disable IPv6

Unless your policy or network configuration requires it, disable IPv6. To do so, prevent the kernel module from loading by adding the following line to /etc/modprobe.conf:

install ipv6 /bin/true

Next, add or change the following lines in /etc/sysconfig/network:

NETWORKING_IPV6=no
IPV6INIT=no

Hardening Tips For Default Installation of Red Hat Enterprise Linux 5
Systems and Network Analysis Center
National Security Agency
9800 Savage Rd.
Ft. Meade, MD 20755
http://www.nsa.gov
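An added verification script (not part of the original document) for the Set Kernel Parameters, Configure or Disable SSH and Disable IPv6 sections: it checks a configuration file for the settings those sections require, honouring that a duplicated sysctl key is overridden by the later line while sshd keeps the first value it reads for a keyword. The sample files are constructed to show both failure modes.

```shell
# check_settings MODE EXPECTED   (configuration text on stdin)
#   MODE "eq":   key=value files (/etc/sysctl.conf, /etc/sysconfig/network);
#                a later line for the same key overrides an earlier one.
#   MODE "sshd": sshd_config "Keyword value" lines; sshd uses the FIRST value
#                it sees for a keyword, and keywords are case-insensitive.
#   EXPECTED:    one "key value" pair per line. Prints ok/missing/mismatch per key.
check_settings() {
  awk -v mode="$1" -v expected="$2" '
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
    $0 == "" { next }
    mode == "eq" {
      i = index($0, "="); if (i == 0) next
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      got[k] = v; next
    }
    { k = tolower($1); if (!(k in got)) got[k] = $2 }
    END {
      n = split(expected, want, "\n")
      for (i = 1; i <= n; i++) {
        if (want[i] == "") continue
        split(want[i], kv, " "); k = kv[1]; key = (mode == "eq") ? k : tolower(k)
        if (!(key in got)) print "missing " k
        else if (got[key] != kv[2]) print "mismatch " k ": got " got[key]
        else print "ok " k
      }
    }'
}
# Settings the page asks for, plus constructed sample files that get some wrong.
SYSCTL_WANT='net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_messages 1
kernel.exec-shield 1
kernel.randomize_va_space 1'
SYSCTL_SAMPLE='net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1
kernel.exec-shield = 1
kernel.randomize_va_space = 1
kernel.randomize_va_space = 0   # silently overrides the line above'
SSHD_WANT='PermitRootLogin no
Protocol 2
AllowGroups sshusers'
SSHD_SAMPLE='Protocol 2
PermitRootLogin yes
PermitRootLogin no   # no effect: the first PermitRootLogin line wins'
printf '%s\n' "$SYSCTL_SAMPLE" | check_settings eq "$SYSCTL_WANT"
printf '%s\n' "$SSHD_SAMPLE" | check_settings sshd "$SSHD_WANT"
```

The same eq mode checks /etc/sysconfig/network for NETWORKING_IPV6 no and IPV6INIT no.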