Guide to the Secure Configuration of
Red Hat Enterprise Linux 5
Revision 4.1
February 28, 2011
Operating Systems Division Unix Team
of the
Systems and Network Analysis Center
National Security Agency
9800 Savage Rd. Suite 6704
Ft. Meade, MD 20755-6704
Warnings

- Do not attempt to implement any of the recommendations in this guide without first testing in a non-production environment.
- This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore this guide does not address site-specific configuration concerns. Care must be taken when implementing this guide to address local operational and policy concerns.
- The security changes described in this document apply only to Red Hat Enterprise Linux 5. They may not translate gracefully to other operating systems.
- Internet addresses referenced were valid as of 1 Dec 2009.

Trademark Information

Red Hat is a registered trademark of Red Hat, Inc. Any other trademarks referenced herein are the property of their respective owners.

Change Log
Revision 4.1 is an update of Revision 4 dated September 14, 2010.

- Added section 2.2.2.6, Disable All GNOME Thumbnailers if Possible.
- Added Common Configuration Enumeration (CCE) identifiers
to associated sections within the guide, and a note about CCE in section 1.2.4, Formatting Conventions.
- Updated section 2.3.3.2, Set Lockouts for Failed Password Attempts. There is no longer the need to add the pam_tally2 module into each program's PAM configuration file, or to comment out some lines from /etc/pam.d/system-auth. The pam_tally2 module can now be referenced directly from /etc/pam.d/system-auth.
- Corrected section 2.6.2.4.5 title from Ensure auditd Collects Logon and Logout Events to Record Attempts to Alter Logon and Logout Event Information.
- Corrected section 2.6.2.4.6 title from Ensure auditd Collects Process and Session Initiation Information to Record Attempts to Alter Process and Session Initiation Information.

Note: The above changes did not affect any of the section numbering.

Table of Contents

1 Introduction ... 13
1.1 General Principles ... 13
1.1.1 Encrypt Transmitted Data Whenever Possible ... 13
1.1.2 Minimize Software to Minimize Vulnerability ... 13
1.1.3 Run Different Network Services on Separate Systems ... 13
1.1.4 Configure Security Tools to Improve System Robustness ... 14
1.1.5 Least Privilege ... 14
1.2 How to Use This Guide ... 14
1.2.1 Read Sections Completely and in Order ... 14
1.2.2 Test in Non-Production Environment ... 14
1.2.3 Root Shell Environment Assumed ... 14
1.2.4 Formatting Conventions ... 15
1.2.5 Reboot Required ... 15
2 System-wide Configuration ... 17
2.1 Installing and Maintaining Software ... 17
2.1.1 Initial Installation Recommendations ... 17
2.1.1.1 Disk Partitioning ... 17
2.1.1.2 Boot Loader Configuration ... 18
2.1.1.3 Network Devices ... 19
2.1.1.4 Root Password ... 19
2.1.1.5 Software Packages ... 19
2.1.1.6 First-boot Configuration ... 19
2.1.2 Updating Software ... 20
2.1.2.1 Configure Connection to the RHN RPM Repositories ... 20
2.1.2.2 Disable the rhnsd Daemon ... 21
2.1.2.3 Obtain Software Package Updates with yum ... 21
2.1.3 Software Integrity Checking ... 22
2.1.3.1 Configure AIDE ... 23
2.1.3.2 Verify Package Integrity Using RPM ... 24
2.2 File Permissions and Masks ... 25
2.2.1 Restrict Partition Mount Options ... 25
2.2.1.1 Add nodev Option to Non-Root Local Partitions ... 25
2.2.1.2 Add nodev, nosuid, and noexec Options to Removable Storage Partitions ... 26
2.2.1.3 Add nodev, nosuid, and noexec Options to Temporary Storage Partitions ... 26
2.2.1.4 Bind-mount /var/tmp to /tmp ... 26
2.2.2 Restrict Dynamic Mounting and Unmounting of Filesystems ... 27
2.2.2.1 Restrict Console Device Access ... 27
2.2.2.2 Disable USB Device Support ... 27
2.2.2.3 Disable the Automounter if Possible ... 28
2.2.2.4 Disable GNOME Automounting if Possible ... 29
2.2.2.5 Disable Mounting of Uncommon Filesystem Types ... 29
2.2.2.6 Disable All GNOME Thumbnailers if Possible ... 30
2.2.3 Verify Permissions on Important Files and Directories ... 30
2.2.3.1 Verify Permissions on passwd, shadow, group and gshadow Files ... 30
2.2.3.2 Verify that All World-Writable Directories Have Sticky Bits Set ... 31
2.2.3.3 Find Unauthorized World-Writable Files ... 31
2.2.3.4 Find Unauthorized SUID/SGID System Executables ... 31
2.2.3.5 Find and Repair Unowned Files ... 33
2.2.3.6 Verify that All World-Writable Directories Have Proper Ownership ... 33
2.2.4 Restrict Programs from Dangerous Execution Patterns ... 33
2.2.4.1 Set Daemon umask ... 33
2.2.4.2 Disable Core Dumps ... 34
2.2.4.3 Enable ExecShield ... 35
2.2.4.4 Enable Execute Disable (XD) or No Execute (NX) Support on 32-bit x86 Systems ... 35
2.2.4.5 Configure Prelink ... 36
2.3 Account and Access Control ... 37
2.3.1 Protect Accounts by Restricting Password-Based Login ... 37
2.3.1.1 Restrict Root Logins to System Console ... 37
2.3.1.2 Limit su Access to the Root Account ... 38
2.3.1.3 Configure sudo to Improve Auditing of Root Access ... 39
2.3.1.4 Block Shell and Login Access for Non-Root System Accounts ... 39
2.3.1.5 Verify Proper Storage and Existence of Password Hashes ... 40
2.3.1.6 Verify that No Non-Root Accounts Have UID 0 ... 40
2.3.1.7 Set Password Expiration Parameters ... 41
2.3.1.8 Remove Legacy '+' Entries from Password Files ... 42
2.3.2 Use Unix Groups to Enhance Security ... 42
2.3.2.1 Create a Unique Default Group for Each User ... 42
2.3.2.2 Create and Maintain a Group Containing All Human Users ... 42
2.3.3 Protect Accounts by Configuring PAM ... 43
2.3.3.1 Set Password Quality Requirements ... 43
2.3.3.2 Set Lockouts for Failed Password Attempts ... 44
2.3.3.3 Use pam_deny.so to Quickly Deny Access to a Service ... 45
2.3.3.4 Restrict Execution of userhelper to Console Users ... 45
2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512 ... 46
2.3.3.6 Limit Password Reuse ... 46
2.3.3.7 Remove the pam_ccreds Package if Possible ... 47
2.3.4 Secure Session Configuration Files for Login Accounts ... 47
2.3.4.1 Ensure that No Dangerous Directories Exist in Root's Path ... 47
2.3.4.2 Ensure that User Home Directories are not Group-Writable or World-Readable ... 48
2.3.4.3 Ensure that User Dot-Files are not World-writable ... 48
2.3.4.4 Ensure that Users Have Sensible Umask Values ... 49
2.3.4.5 Ensure that Users do not Have .netrc Files ... 49
2.3.5 Protect Physical Console Access ... 49
2.3.5.1 Set BIOS Password ... 50
2.3.5.2 Set Boot Loader Password ... 50
2.3.5.3 Require Authentication for Single-User Mode ... 50
2.3.5.4 Disable Interactive Boot ... 51
2.3.5.5 Implement Inactivity Time-out for Login Shells ... 51
2.3.5.6 Configure Screen Locking ... 52
2.3.5.7 Disable Unnecessary Ports ... 53
2.3.6 Use a Centralized Authentication Service ... 53
2.3.7 Warning Banners for System Accesses ... 54
2.3.7.1 Modify the System Login Banner ... 54
2.3.7.2 Implement a GUI Warning Banner ... 54
2.4 SELinux ... 55
2.4.1 How SELinux Works ... 55
2.4.2 Enable SELinux ... 56
2.4.2.1 Ensure SELinux is Properly Enabled ... 56
2.4.3 Disable Unnecessary SELinux Daemons ... 57
2.4.3.1 Disable and Remove SETroubleshoot if Possible ... 57
2.4.3.2 Disable MCS Translation Service (mcstrans) if Possible ... 57
2.4.3.3 Restorecon Service (restorecond) ... 58
2.4.4 Check for Unconfined Daemons ... 58
2.4.5 Check for Unlabeled Device Files ... 58
2.4.6 Debugging SELinux Policy Errors ... 58
2.4.7 Further Strengthening ... 60
2.4.7.1 Strengthen the Default SELinux Boolean Configuration ... 61
2.4.7.2 Use a Stronger Policy ... 61
2.4.8 SELinux References ... 62
2.5 Network Configuration and Firewalls ... 62
2.5.1 Kernel Parameters which Affect Networking ... 62
2.5.1.1 Network Parameters for Hosts Only ... 62
2.5.1.2 Network Parameters for Hosts and Routers ... 63
2.5.1.3 Ensure System is Not Acting as a Network Sniffer ... 63
2.5.2 Wireless Networking ... 64
2.5.2.1 Remove Wireless Hardware if Possible ... 64
2.5.2.2 Disable Wireless Through Software Configuration ... 64
2.5.3 IPv6 ... 65
2.5.3.1 Disable Support for IPv6 unless Needed ... 65
2.5.3.2 Configure IPv6 Settings if Necessary ... 66
2.5.4 TCP Wrapper ... 68
2.5.4.1 How TCP Wrapper Protects Services ... 68
2.5.4.2 Reject All Connections From Other Hosts if Appropriate ... 69
2.5.4.3 Allow Connections Only From Hosts in This Domain if Appropriate ... 69
2.5.4.4 Monitor Syslog for Relevant Connections and Failures ... 69
2.5.4.5 Further Resources ... 70
2.5.5 Iptables and Ip6tables ... 70
2.5.5.1 Inspect and Activate Default Rules ... 70
2.5.5.2 Understand the Default Ruleset ... 71
2.5.5.3 Strengthen the Default Ruleset ... 72
2.5.5.4 Further Strengthening ... 75
2.5.5.5 Further Resources ... 75
2.5.6 Secure Sockets Layer Support ... 76
2.5.6.1 Create a CA to Sign Certificates ... 76
2.5.6.2 Create SSL Certificates for Servers ... 77
2.5.6.3 Enable Client Support ... 78
2.5.6.4 Further Resources ... 79
2.5.7 Uncommon Network Protocols ... 79
2.5.7.1 Disable Support for DCCP ... 79
2.5.7.2 Disable Support for SCTP ... 80
2.5.7.3 Disable Support for RDS ... 80
2.5.7.4 Disable Support for TIPC ... 80
2.5.8 IPsec ... 80
2.5.8.1 Using Openswan for IPsec ... 81
2.6 Logging and Auditing ... 81
2.6.1 Configure Logging ... 81
2.6.1.1 Configure Syslog ... 82
2.6.1.2 Configure Rsyslog ... 84
2.6.1.3 Logrotate ... 85
2.6.1.4 Logwatch ... 86
2.6.2 System Accounting with auditd ... 87
2.6.2.1 Enable the auditd Service ... 88
2.6.2.2 Configure auditd Data Retention ... 88
2.6.2.3 Enable Auditing for Processes Which Start Prior to the Audit Daemon ... 89
2.6.2.4 Configure auditd Rules for Comprehensive Auditing ... 89
2.6.2.5 Summarize and Review Audit Logs using aureport ... 93
3 Services ... 95
3.1 Disable All Unneeded Services at Boot Time ... 95
3.1.1 Determine which Services are Enabled at Boot ... 95
3.1.2 Guidance on Default Services ... 95
3.1.3 Guidance for Unfamiliar Services ... 96
3.2 Obsolete Services ... 97
3.2.1 Inetd and Xinetd ... 97
3.2.2 Telnet ... 97
3.2.2.1 Remove Telnet Clients ... 97
3.2.3 Rlogin, Rsh, and Rcp ... 98
3.2.3.1 Remove the Rsh Server Commands from the System ... 98
3.2.3.2 Remove .rhosts Support from PAM Configuration Files ... 98
3.2.3.3 Remove the Rsh Client Commands from the System ... 98
3.2.4 NIS ... 99
3.2.5 TFTP Server ... 99
3.2.6 Talk ... 99
3.2.6.1 Remove talk-server Package ... 99
3.2.6.2 Remove talk Package ... 100
3.3 Base Services ... 100
3.3.1 Installation Helper Service (firstboot) ... 100
3.3.2 Console Mouse Service (gpm) ... 100
3.3.3 Interrupt Distribution on Multiprocessor Systems (irqbalance) ... 100
3.3.4 ISDN Support (isdn) ... 101
3.3.4.1 Remove the isdn4k-utils Package if Possible ... 101
3.3.5 Kdump Kernel Crash Analyzer (kdump) ... 101
3.3.6 Kudzu Hardware Probing Utility (kudzu) ... 101
3.3.7 Software RAID Monitor (mdmonitor) ... 102
3.3.8 IA32 Microcode Utility (microcode_ctl) ... 102
3.3.9 Network Service (network) ... 102
3.3.9.1 Disable All Networking if Not Needed ... 102
3.3.9.2 Disable All External Network Interfaces if Not Needed ... 102
3.3.9.3 Disable Zeroconf Networking ... 103
3.3.10 Smart Card Support (pcscd) ... 103
3.3.11 SMART Disk Monitoring Support (smartd) ... 103
3.3.12 Boot Caching (readahead_early/readahead_later) ... 103
3.3.13 Application Support Services ... 104
3.3.13.1 D-Bus IPC Service (messagebus) ... 104
3.3.13.2 HAL Daemon (haldaemon) ... 104
3.3.14 Bluetooth Support ... 105
3.3.14.1 Bluetooth Host Controller Interface Daemon (bluetooth) ... 105
3.3.14.2 Bluetooth Input Devices (hidd) ... 105
3.3.14.3 Disable Bluetooth Kernel Modules ... 106
3.3.15 Power Management Support ... 106
3.3.15.1 Advanced Power Management Subsystem (apmd) ... 106
3.3.15.2 Advanced Configuration and Power Interface (acpid) ... 106
3.3.15.3 CPU Throttling (cpuspeed) ... 107
3.3.16 Infrared Communications (irda) ... 107
3.3.16.1 Disable the irda Service if Possible ... 107
3.3.16.2 Remove the irda-utils Package if Possible ...
.<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 107 3.3.17 Raw Devices ( rawdevices ) .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 107 3.3.17.1 Disable the Raw Devices Daemon if Possible . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 107 3.4 Cron and At Daemons . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 107 3.4.1 Disable anacron if Possible . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 108 3.4.2 Restrict Permissions on Files Used by cron .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 108 3.4.3 Disable at if Possible . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 109 3.4.4 Restrict at and cron to Authorized Users . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 109 3.5 SSH Server . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 109 3.5.1 Disable OpenSSH Server if Possible . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 109 3.5.1.1 Disable and Remove OpenSSH Software . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 
110 3.5.1.2 Remove SSH Server iptables Firewall Exception .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 110 3.5.2 Con gure OpenSSH Server if Necessary . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 110 3.5.2.1 Ensure Only Protocol 2 Connections Allowed .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 110 3.5.2.2 Limit Users 9 SSH Access . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 110 3.5.2.3 Set Idle Timeout Interval for User Logins .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 111 3.5.2.4 Disable .rhosts Files . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 111 3.5.2.5 Disable Host-Based Authentication . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 111 3.5.2.6 Disable root Login via SSH . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 111 3.5.2.7 Disable Empty Passwords . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 112 3.5.2.8 Enable a Warning Banner . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 112 3.5.2.9 Do Not Allow Users to Set Environment Options .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 112 3.5.2.10 Use Only Approved Ciphers in Counter Mode .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 
.<br><br> 112 3.5.2.11 Strengthen Firewall Con guration if Possible . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 113 3.6 X Window System .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 113 3.6.1 Disable X Windows if Possible . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 113 3.6.1.1 Disable X Windows at System Boot . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 113 3.6.1.2 Remove X Windows from the System if Possible .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 113 3.6.1.3 Lock Down X Windows startx Con guration if Necessary .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 114 3.6.2 Con gure X Windows if Necessary .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 114 3.6.2.1 Create Warning Banners for GUI Login Users . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 115 3.7 Avahi Server . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 115 3.7.1 Disable Avahi Server if Possible . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 115 3.7.1.1 Disable Avahi Server Software . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 
115 3.7.1.2 Remove Avahi Server iptables Firewall Exception . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 115 3.7.2 Con gure Avahi if Necessary .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 116 3.7.2.1 Serve Only via Required Protocol . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 116 3.7.2.2 Check Responses 9 TTL Field .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 116 3.7.2.3 Prevent Other Programs from Using Avahi 9s Port . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 116 3.7.2.4 Disable Publishing if Possible . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 117 3.7.2.5 Restrict Published Information .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 117 8 TABLE OF CONTENTS 3.8 Print Support . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 117 3.8.1 Disable the CUPS Service if Possible .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 118 3.8.2 Disable Firewall Access to Printing Service if Possible .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 118 3.8.3 Con gure the CUPS Service if Necessary . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 118 3.8.3.1 Limit Printer Browsing . .<br><br> . . 
.<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 118 3.8.3.2 Disable Print Server Capabilities if Possible . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 119 3.8.3.3 Limit Access to the Web Administration Interface . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 120 3.8.3.4 Take Further Security Measures When Appropriate .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 120 3.8.4 The HP Linux Imaging and Printing (HPLIP) Toolkit . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 120 3.8.4.1 Disable HPLIP Service if Possible .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 121 3.9 DHCP . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 121 3.9.1 Disable DHCP Client if Possible . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 121 3.9.2 Con gure DHCP Client if Necessary . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 122 3.9.2.1 Minimize the DHCP-Con gured Options . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 122 3.9.3 Disable DHCP Server if Possible . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 123 3.9.4 Con gure the DHCP Server if Necessary . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 
.<br><br> . . .<br><br> . . .<br><br> . 123 3.9.4.1 Do Not Use Dynamic DNS . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 123 3.9.4.2 Deny Decline Messages . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 124 3.9.4.3 Deny BOOTP Queries . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 124 3.9.4.4 Minimize Served Information . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 124 3.9.4.5 Con gure Logging .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 125 3.9.4.6 Further Resources . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 125 3.10 Network Time Protocol . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 125 3.10.1 Select NTP Software .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 125 3.10.2 Con gure Reference NTP if Appropriate .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 126 3.10.2.1 Con gure an NTP Client . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 126 3.10.2.2 Con gure an NTP Server . .<br><br> . . 
.<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 127 3.10.3 Con gure OpenNTPD if Appropriate .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 128 3.10.3.1 Obtain NTP Software . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 128 3.10.3.2 Con gure an SNTP Client . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 129 3.10.3.3 Con gure an SNTP Server . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 129 3.11 Mail Transfer Agent . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 130 3.11.1 Select Mail Server Software and Con guration .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 130 3.11.1.1 Select Post x as Mail Server Software .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 131 3.11.1.2 Select Sendmail as Mail Server Software .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 131 3.11.2 Con gure SMTP For Mail Clients . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 132 3.11.2.1 Con gure Post x for Submission-Only Mode .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 132 3.11.2.2 Con gure Sendmail for Submission-Only Mode . .<br><br> . . .<br><br> . . 
.<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 132 3.11.3 Strategies for MTA Security .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 133 3.11.3.1 Use Resource Limits to Mitigate Denial of Service . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 133 3.11.3.2 Con gure SMTP Greeting Banner . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 133 3.11.3.3 Control Mail Relaying .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 133 3.11.4 Con gure Operating System to Protect Mail Server .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 134 3.11.4.1 Use Separate Hosts for External and Internal Mail if Possible .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 134 3.11.4.2 Protect the MTA Host from User Access . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 134 3.11.4.3 Restrict Remote Access to the Mail Spool .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 134 3.11.4.4 Con gure iptables to Allow Access to the Mail Server . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 135 3.11.4.5 Verify System Logging and Log Permissions for Mail .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 135 3.11.4.6 Con gure SSL Certi cates for Use with SMTP AUTH . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 135 3.11.5 Con gure Sendmail Server if Necessary . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 136 3.11.5.1 Limit Denial of Service Attacks . .<br><br> . . 
.<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 137 3.11.5.2 Con gure SMTP Greeting Banner .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 137 TABLE OF CONTENTS 9 3.11.5.3 Control Mail Relaying . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 137 3.11.6 Con gure Post x if Necessary . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 139 3.11.6.1 Limit Denial of Service Attacks .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 139 3.11.6.2 Con gure SMTP Greeting Banner . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 140 3.11.6.3 Control Mail Relaying .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 140 3.11.6.4 Require TLS for SMTP AUTH .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 142 3.12 LDAP . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 142 3.12.1 Use OpenLDAP to Provide LDAP Service if Possible . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 143 3.12.2 Con gure OpenLDAP Clients . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 
143 3.12.2.1 Con gure the Appropriate LDAP Parameters for the Domain . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 143 3.12.2.2 Con gure LDAP to Use TLS for All Transactions . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 143 3.12.2.3 Con gure Authentication Services to Use OpenLDAP .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 144 3.12.3 Con gure OpenLDAP Server .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 145 3.12.3.1 Install OpenLDAP Server RPM . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 145 3.12.3.2 Con gure Domain-Speci c Parameters . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 145 3.12.3.3 Con gure an LDAP Root Password .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 145 3.12.3.4 Con gure the LDAP Server to Require TLS for All Transactions . . .<br><br> . . .<br><br> . . .<br><br> 146 3.12.3.5 Install Account Information into the LDAP Database . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 148 3.12.3.6 Con gure slapd to Protect Authentication Information . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 150 3.12.3.7 Correct Permissions on LDAP Server Files .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 151 3.12.3.8 Con gure iptables to Allow Access to the LDAP Server .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 151 3.12.3.9 Con gure Logging for LDAP . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 151 3.13 NFS and RPC .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 
.<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 152 3.13.1 Disable All NFS Services if Possible . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 152 3.13.1.1 Disable Services Used Only by NFS . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 152 3.13.1.2 Disable netfs if Possible . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 153 3.13.1.3 Disable RPC Portmapper if Possible .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 153 3.13.2 Con gure All Machines which Use NFS . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 154 3.13.2.1 Make Each Machine a Client or a Server, not Both . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 154 3.13.2.2 Restrict Access to the Portmapper . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 154 3.13.2.3 Con gure NFS Services to Use Fixed Ports .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 154 3.13.3 Con gure NFS Clients .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 155 3.13.3.1 Disable NFS Server Daemons . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 155 3.13.3.2 Mount Remote Filesystems with Restrictive Options . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 
.<br><br> . 155 3.13.4 Con gure NFS Servers . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 155 3.13.4.1 Con gure the Exports File Restrictively . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 156 3.13.4.2 Allow Legitimate NFS Clients to Access the Server .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 157 3.14 DNS Server . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 157 3.14.1 Disable DNS Server if Possible . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 157 3.14.2 Run the BIND9 Software if DNS Service is Needed . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 158 3.14.3 Isolate DNS from Other Services . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 158 3.14.3.1 Run DNS Software on Dedicated Servers if Possible . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 158 3.14.3.2 Run DNS Software in a chroot Jail . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 158 3.14.3.3 Con gure Firewalls to Protect the DNS Server .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 159 3.14.4 Protect DNS Data from Tampering or Attack . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 
159 3.14.4.1 Run Separate DNS Servers for External and Internal Queries if Possible . .<br><br> . . .<br><br> 159 3.14.4.2 Use Views to Partition External and Internal Information if Necessary . . .<br><br> . . .<br><br> 160 3.14.4.3 Disable Zone Transfers from the Nameserver if Possible . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 161 3.14.4.4 Authenticate Zone Transfers if Necessary .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 162 3.14.4.5 Disable Dynamic Updates if Possible . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 163 3.15 FTP Server . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 163 3.15.1 Disable vsftpd if Possible . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> 163 10 TABLE OF CONTENTS 3.15.2 Use vsftpd to Provide FTP Service if Necessary . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 163 3.15.3 Con gure vsftpd Securely .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . 164 3.15.3.1 Enable Logging of All FTP Transactions . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 164 3.15.3.2 Create Warning Banners for All FTP Users .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 164 3.15.3.3 Restrict the Set of Users Allowed to Access FTP .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . .<br><br> . . 
3.15.3.4 Disable FTP Uploads if Possible, p. 165
3.15.3.5 Place the FTP Home Directory on its Own Partition, p. 166
3.15.3.6 Configure Firewalls to Protect the FTP Server, p. 166
3.16 Web Server, p. 166
3.16.1 Disable Apache if Possible, p. 166
3.16.2 Install Apache if Necessary, p. 167
3.16.2.1 Install Apache Software Safely, p. 167
3.16.2.2 Confirm Minimal Built-in Modules, p. 167
3.16.3 Secure the Apache Configuration, p. 167
3.16.3.1 Restrict Information Leakage, p. 167
3.16.3.2 Minimize Loadable Modules, p. 168
3.16.3.3 Minimize Configuration Files Included, p. 173
3.16.3.4 Directory Restrictions, p. 173
3.16.3.5 Configure Authentication if Applicable, p. 174
3.16.3.6 Limit Available Methods, p. 176
3.16.4 Use Appropriate Modules to Improve Apache's Security, p. 176
3.16.4.1 Deploy mod_ssl, p. 176
3.16.4.2 Deploy mod_security, p. 178
3.16.4.3 Use Denial-of-Service Protection Modules, p. 179
3.16.4.4 Configure Supplemental Modules Appropriately, p. 179
3.16.5 Configure Operating System to Protect Web Server, p. 180
3.16.5.1 Restrict File and Directory Access, p. 180
3.16.5.2 Configure iptables to Allow Access to the Web Server, p. 181
3.16.5.3 Run Apache in a chroot Jail if Possible, p. 181
3.16.6 Additional Resources, p. 181
3.17 IMAP and POP3 Server, p. 181
3.17.1 Disable Dovecot if Possible, p. 181
3.17.2 Configure Dovecot if Necessary, p. 182
3.17.2.1 Support Only the Necessary Protocols, p. 182
3.17.2.2 Enable SSL Support, p. 182
3.17.2.3 Enable Dovecot Options to Protect Against Code Flaws, p. 184
3.17.2.4 Allow IMAP Clients to Access the Server, p. 184
3.18 Samba (SMB) Microsoft Windows File Sharing Server, p. 184
3.18.1 Disable Samba if Possible, p. 185
3.18.2 Configure Samba if Necessary, p. 185
3.18.2.1 Testing the Samba Configuration File, p. 185
3.18.2.2 Choosing the Appropriate security Parameter, p. 185
3.18.2.3 Disable Guest Access and Local Login Support, p. 187
3.18.2.4 Disable Root Access, p. 187
3.18.2.5 Set the Allowed Authentication Negotiation Levels, p. 187
3.18.2.6 Let Domain Controllers Create Machine Trust Accounts On-the-Fly, p. 188
3.18.2.7 Restrict Access to the [IPC$] Share, p. 188
3.18.2.8 Restrict File Sharing, p. 188
3.18.2.9 Require Server SMB Packet Signing, p. 189
3.18.2.10 Require Client SMB Packet Signing, if using smbclient, p. 189
3.18.2.11 Require Client SMB Packet Signing, if using mount.cifs, p. 189
3.18.2.12 Restrict Printer Sharing, p. 189
3.18.2.13 Configure iptables to Allow Access to the Samba Server, p. 190
3.18.3 Avoid the Samba Web Administration Tool (SWAT), p. 190
3.19 Proxy Server, p. 191
3.19.1 Disable Squid if Possible, p. 191
3.19.2 Configure Squid if Necessary, p. 191
3.19.2.1 Listen on Uncommon Port, p. 191
3.19.2.2 Verify Default Secure Settings, p. 191
3.19.2.3 Change Default Insecure Settings, p. 192
3.19.2.4 Configure Authentication if Applicable, p. 193
3.19.2.5 Access Control Lists (ACL), p. 193
3.19.2.6 Configure Internet Cache Protocol (ICP) if Necessary, p. 195
3.19.2.7 Configure iptables to Allow Access to the Proxy Server, p. 195
3.19.2.8 Forward Log Messages to Syslog Daemon, p. 195
3.19.2.9 Do Not Run as Root, p. 196
3.20 SNMP Server, p. 197
3.20.1 Disable SNMP Server if Possible, p. 197
3.20.2 Configure SNMP Server if Necessary, p. 197
3.20.2.1 Further Resources, p. 197

1. Introduction

The purpose of this guide is to provide security configuration recommendations for the Red Hat Enterprise Linux (RHEL) 5 operating system. The guidance provided here should be applicable to all variants (Desktop, Server, Advanced Platform) of the product. Recommended settings for the basic operating system are provided, as well as for many commonly-used services that the system can host in a network environment.
The guide is intended for system administrators. Readers are assumed to possess basic system administration skills for Unix-like systems, as well as some familiarity with Red Hat's documentation and administration conventions. Some instructions within this guide are complex. All directions should be followed completely and with understanding of their effects in order to avoid serious adverse effects on the system and its security.

1.1 General Principles

The following general principles motivate much of the advice in this guide and should also influence any configuration decisions that are not explicitly covered.

1.1.1 Encrypt Transmitted Data Whenever Possible

Data transmitted over a network, whether wired or wireless, is susceptible to passive monitoring. Whenever practical solutions for encrypting such data exist, they should be applied. Even if data is expected to be transmitted only over a local network, it should still be encrypted. Encrypting authentication data, such as passwords, is particularly important. Networks of RHEL5 machines can and should be configured so that no unencrypted authentication data is ever transmitted between machines.

1.1.2 Minimize Software to Minimize Vulnerability

The simplest way to avoid vulnerabilities in software is to avoid installing that software. On RHEL, the RPM Package Manager (originally Red Hat Package Manager, abbreviated RPM) allows for careful management of the set of software packages installed on a system. Installed software contributes to system vulnerability in several ways. Packages that include setuid programs may provide local attackers a potential path to privilege escalation. Packages that include network services may give this opportunity to network-based attackers. Packages that include programs which are predictably executed by local users (e.g. after graphical login) may provide opportunities for trojan horses or other attack code to be run undetected.

The number of software packages installed on a system can almost always be significantly pruned to include only the software for which there is an environmental or operational need.

1.1.3 Run Different Network Services on Separate Systems

Whenever possible, a server should be dedicated to serving exactly one network service. This limits the number of other services that can be compromised in the event that an attacker is able to successfully exploit a software flaw in one network service.

1.1.4 Configure Security Tools to Improve System Robustness

Several tools exist which can be effectively used to improve a system's resistance to and detection of unknown attacks. These tools can improve robustness against attack at the cost of relatively little configuration effort. In particular, this guide recommends and discusses the use of Iptables for host-based firewalling, SELinux for protection against vulnerable services, and a logging and auditing infrastructure for detection of problems.

1.1.5 Least Privilege

Grant the least privilege necessary for user accounts and software to perform tasks. For example, do not allow users except those that need administrator access to use sudo. Another example is to limit logins on server systems to only those administrators who need to log into them in order to perform administration tasks. Using SELinux also follows the principle of least privilege: SELinux policy can confine software to perform only actions on the system that are specifically allowed. This can be far more restrictive than the actions permissible by the traditional Unix permissions model.

1.2 How to Use This Guide

Readers should heed the following points when using the guide.

1.2.1 Read Sections Completely and in Order

Each section may build on information and recommendations discussed in prior sections. Each section should be read and understood completely; instructions should never be blindly applied. Relevant discussion will occur after instructions for an action. The system-level configuration guidance in Chapter 2 must be applied to all machines. The guidance for individual services in Chapter 3 must be considered for all machines as well: apply the guidance if the machine is either a server or a client for that service, and ensure that the service is disabled according to the instructions provided if the machine is neither a server nor a client.

1.2.2 Test in Non-Production Environment

This guidance should always be tested in a non-production environment before deployment. This test environment should simulate the setup in which the system will be deployed as closely as possible.

1.2.3 Root Shell Environment Assumed

Most of the actions listed in this document are written with the assumption that they will be executed by the root user running the /bin/bash shell. Commands preceded with a hash mark (#) assume that the administrator will execute the commands as root, i.e. apply the command via sudo whenever possible, or use su to gain root privileges if sudo cannot be used. Commands which can be executed as a non-root user are preceded by a dollar sign ($) prompt.

1.2.4 Formatting Conventions

Commands intended for shell execution, as well as configuration file text, are featured in a monospace font. Italics are used to indicate instances where the system administrator must substitute the appropriate information into a command or configuration file. Common Configuration Enumeration (CCE) identifiers are presented at the lower right corner of those sections for which an associated identifier exists. More information about CCE is available at http://cce.mitre.org.

1.2.5 Reboot Required

A system reboot is implicitly required after some actions in order to complete the reconfiguration of the system. In many cases, the changes will not take effect until a reboot is performed. In order to ensure that changes are applied properly and to test functionality, always reboot the system after applying a set of recommendations from this guide.

2. System-wide Configuration

2.1 Installing and Maintaining Software

The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.

2.1.1 Initial Installation Recommendations

The recommendations here apply to a clean installation of the system, where any previous installations are wiped out. The sections presented here are in the same order that the installer presents, but only installation choices with security implications are covered. Many of the configuration choices presented here can also be applied after the system is installed. The choices can also be automatically applied via Kickstart files, as covered in [8].

2.1.1.1 Disk Partitioning

Some system directories should be placed on their own partitions (or logical volumes). This allows for better separation and protection of data. The installer's default partitioning scheme creates separate partitions (or logical volumes) for /, /boot, and swap.

- If starting with any of the default layouts, check the box to "Review and modify partitioning." This allows for the easy creation of additional logical volumes inside the volume group already created, though it may require making /'s logical volume smaller to create space. In general, using logical volumes is preferable to using partitions because they can be more easily adjusted later.
- If creating a custom layout, create the partitions mentioned in the previous paragraph (which the installer will require anyway), as well as separate ones described in the following sections.

If a system has already been installed, and the default partitioning scheme was used, it is possible but nontrivial to modify it to create separate logical volumes for the directories listed above. The Logical Volume Manager (LVM) makes this possible. See the LVM HOWTO at http://tldp.org/HOWTO/LVM-HOWTO/ for more detailed information on LVM.

2.1.1.1.1 Create Separate Partition or Logical Volume for /tmp

The /tmp directory is a world-writable directory used for temporary file storage. Ensure that it has its own partition or logical volume.

Because software may need to use /tmp to temporarily store large files, ensure that it is of adequate size. For a modern, general-purpose system, 10GB should be adequate. Smaller or larger sizes could be used, depending on the availability of space on the drive and the system's operating requirements.
CCE 14161-4

2.1.1.1.2 Create Separate Partition or Logical Volume for /var

The /var directory is used by daemons and other system services to store frequently-changing data. It is not uncommon for the /var directory to contain world-writable directories, installed by other software packages. Ensure that /var has its own partition or logical volume.

Because the yum package manager and other software uses /var to temporarily store large files, ensure that it is of adequate size. For a modern, general-purpose system, 10GB should be adequate.
CCE 14777-7

2.1.1.1.3 Create Separate Partition or Logical Volume for /var/log

System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume. Make certain that it is large enough to store all the logs that will be written there. See Section 2.6 for more information about logging and auditing.
CCE 14011-1
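As an added example that is not part of the guide, the following POSIX shell functions check a mount table in /proc/mounts format for the directories this section and the following subsections want on their own partition or logical volume (/tmp, /var, /var/log, /var/log/audit and /home). The sample mount table is constructed; on a live system the real table would be passed in from /proc/mounts.

```shell
#!/bin/sh
# Added example: report which of the directories the guide wants on their own
# partition or logical volume are NOT separate mount points. Input is text in
# /proc/mounts format (device mountpoint fstype options dump pass).

REQUIRED_MOUNTS="/tmp /var /var/log /var/log/audit /home"

# Constructed sample mount table: the installer default (/ and /boot) plus LVM
# volumes for /var and /home, but nothing separate for /tmp, /var/log or
# /var/log/audit.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/mapper/VolGroup00-LogVol00 / ext3 rw 0 0
/dev/sda1 /boot ext3 rw 0 0
/dev/mapper/VolGroup00-LogVol02 /var ext3 rw 0 0
/dev/mapper/VolGroup00-LogVol03 /home ext3 rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# is_mounted TABLE DIR: succeed if DIR appears as a mount point in TABLE.
# Field 2 of /proc/mounts is the mount point; an exact match is required, so
# a separate /var volume does not count as a separate volume for /var/log.
is_mounted() {
    printf '%s\n' "$1" | awk -v dir="$2" '$2 == dir { found = 1 } END { exit !found }'
}

# missing_mounts TABLE: print each required directory that is not its own
# mount point, one per line; exit 1 if any were printed, 0 otherwise.
missing_mounts() {
    rc=0
    for dir in $REQUIRED_MOUNTS; do
        if ! is_mounted "$1" "$dir"; then
            printf '%s\n' "$dir"
            rc=1
        fi
    done
    return $rc
}

# Run against the constructed sample. On a live RHEL 5 system, substitute
#   missing_mounts "$(cat /proc/mounts)"
if missing=$(missing_mounts "$SAMPLE_MOUNTS"); then
    echo "All required directories are separate mount points."
else
    echo "Not on their own partition or logical volume:"
    for dir in $missing; do
        echo "  $dir"
    done
fi
```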
2.1.1.1.4 Create Separate Partition or Logical Volume for /var/log/audit

Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon. See 2.6.2.2 for discussion on deciding on an appropriate size for the volume.
CCE 14171-3

2.1.1.1.5 Create Separate Partition or Logical Volume for /home if Using Local Home Directories

If user home directories will be stored locally, create a separate partition for /home. If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later.
CCE 14559-9

2.1.1.2 Boot Loader Configuration

Check the box to "Use a boot loader password" and create a password. Once this password is set, anyone who wishes to change the boot loader configuration will need to enter it. More information is available in Section 2.3.5.2.

Assigning a boot loader password prevents a local user with physical access from altering the boot loader configuration at system startup.

2.1.1.3 Network Devices

The default network device configuration uses DHCP, which is not recommended. Unless use of DHCP is absolutely necessary, click the "Edit" button and:

- Uncheck "Use Dynamic IP configuration (DHCP)."
- Uncheck "Enable IPv4 Support" if the system does not require IPv4. (This is uncommon.)
- Uncheck "Enable IPv6 Support" if the system does not require IPv6.
- Enter appropriate IPv4 and IPv6 addresses and prefixes as required.

With the DHCP setting disabled, the hostname, gateway, and DNS servers should then be assigned on the main screen. Sections 3.9.1 and 3.9.2 contain more information on network configuration and the use of DHCP.

2.1.1.4 Root Password

The security of the entire system depends on the strength of the root password. The password should be at least 12 characters long, and should include a mix of capitalized and lowercase letters, special characters, and numbers. It should also not be based on any dictionary word.

2.1.1.5 Software Packages

Uncheck all package groups, including the package groups "Software Development" and "Web Server," unless there is a specific requirement to install software using the system installer. If the machine will be used as a web server, it is preferable to manually install the necessary RPMs instead of installing the full "Web Server" package group. See Section 3.16 for installation and configuration details.

Use the "Customize now" radio box to prune package groups as much as possible. This brings up a two-column view of categories and package groups. If appropriate, uncheck "X Window System" in the "Base System" category to avoid installing X entirely. Any other package groups not necessary for system operation should also be unchecked. Much finer-grained package selection is possible via Kickstart as described in [8].

2.1.1.6 First-boot Configuration

The system presents more configuration options during the first boot after installation. For the screens listed, implement the security-related recommendations:

Screen                    Recommendation
Firewall                  Leave set to "Enabled." Only check the "Trusted Services" that this system needs to serve. Uncheck the default selection of SSH if the system does not need to serve SSH.
SELinux                   Leave SELinux set to "Enforcing" mode.
Kdump                     Leave Kdump off unless the feature is required, such as for kernel development and testing.
Set Up Software Updates   If the system is connected to the Internet now, click "Yes, I'd like to register now." This will require a connection to either the Red Hat Network servers or their proxies or satellites. This can also be configured later as described in Section 2.1.2.1.
Create User               If the system will require a local user account, it can be created here. Even if the system will be using a network-wide authentication system as described in Section 2.3.6, do not click on the "Use Network Login..." button. Manually applying configuration later is preferable.

2.1.2 Updating Software

The yum command line tool is used to install and update software packages. Yum replaces the up2date utility used in previous system releases. The system also provides two graphical package managers, pirut and pup. The pirut tool is a graphical front-end for yum that allows users to install and update packages while pup is a simple update tool for packages that are already installed. In the Applications menu, pirut is labeled Add/Remove Software and pup is labeled Software Updater. It is recommended that these tools be used to keep systems up to date with the latest security patches.

2.1.2.1 Configure Connection to the RHN RPM Repositories

The first step in configuring a system for updates is to register with the Red Hat Network (RHN). For most systems, this is done during the initial installation. Successfully registered systems will appear on the RHN web site. If the system is not listed, run the Red Hat Network Registration tool, which can be found in the Applications menu under System Tools or on the command line:

    # rhn_register

Follow the prompts on the screen. If successful, the system will appear on the RHN web site and be subscribed to one or more software update channels. Additionally, a new daemon, rhnsd, will be enabled.

If the system will not have access to the Internet, it will not be able to directly subscribe to the RHN update repository. Updates will have to be downloaded from the RHN web site manually. The command line tool yum and the graphical front-ends pirut and pup can be configured to handle this situation.

2.1.2.1.1 Ensure Red Hat GPG Key is Installed

To ensure that the system can cryptographically verify update packages (and also connect to the Red Hat Network to receive them if desired), run the following command to ensure that the system has the Red Hat GPG key properly installed:

    $ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey

The command should return the string:

    gpg(Red Hat, Inc. (release key) <security@redhat.com>)

To verify that the Red Hat GPG key itself has not been tampered with, its fingerprint can be compared to the one from Red Hat's web site at http://www.redhat.com/security/team/key. The following command can be used to print the installed release key's fingerprint, which is actually contained in the file referenced below:

    $ gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

More information on package signing is also available at https://fedoraproject.org/keys.
CCE 14440-2

2.1.2.2 Disable the rhnsd Daemon

The rhnsd daemon polls the Red Hat Network web site for scheduled actions. Unless it is actually necessary to schedule updates remotely through the RHN website, it is recommended that the service be disabled.

    # chkconfig rhnsd off

The rhnsd daemon is enabled by default, but until the system has been registered with the Red Hat Network, it will not run. However, once the registration process is complete, the rhnsd daemon will run in the background and periodically call the rhn_check utility. It is the rhn_check utility that communicates with the Red Hat Network web site. This utility is not required for the system to be able to access and install system updates. Once the system has been registered, either use the provided yum-updatesd service or create a cron job to automatically apply updates.
CCE 3416-5

2.1.2.3 Obtain Software Package Updates with yum

The yum update utility can be run by hand from the command line, called through one of the provided front-end tools, or configured to run automatically at specified intervals.

2.1.2.3.1 Manually Check for Package Updates

The following command prints a list of packages that need to be updated:

    # yum check-update

To actually install these updates, run:

    # yum update

2.1.2.3.2 Configure Automatic Update Retrieval and Installation with Cron

The yum-updatesd service is not mature enough for an enterprise environment, and the service may introduce unnecessary overhead. When possible, replace this service with a cron job that calls yum directly.

Disable the yum-updatesd service:

    # chkconfig yum-updatesd off

Create the file yum.cron, make it executable, and place it in /etc/cron.daily:

    #!/bin/sh
    /usr/bin/yum -R 120 -e 0 -d 0 -y update yum
    /usr/bin/yum -R 10 -e 0 -d 0 -y update

This particular script instructs yum to update any packages it finds. Placing the script in /etc/cron.daily ensures its daily execution. To only apply updates once a week, place the script in /etc/cron.weekly instead.
CCE 4218-4

2.1.2.3.3 Ensure Package Signature Checking is Globally Activated

The gpgcheck option should be used to ensure that checking of an RPM package's signature always occurs prior to its installation. To force yum to check package signatures before installing them, ensure that the following line appears in /etc/yum.conf in the [main] section:

    gpgcheck=1
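To audit the gpgcheck setting rather than only set it, here is an added example in POSIX shell that is not part of the guide: it parses yum configuration text and reports the [main] section when gpgcheck is missing or not 1 there, and any repository section that sets gpgcheck=0, because a per-repository value overrides the global one. Both configuration samples are constructed.

```shell
#!/bin/sh
# Added example: verify that yum signature checking is on globally and is not
# switched off again for an individual repository. Input is the text of
# /etc/yum.conf (optionally followed by /etc/yum.repos.d/*.repo) in INI form.

# check_gpgcheck CONFIG_TEXT: print the name of every offending section
# ("main" when gpgcheck is absent or not 1 there, a repository id when it
# sets gpgcheck=0); exit 0 only when nothing is printed.
check_gpgcheck() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*[#;]/ { next }                    # comment line
        /^[ \t]*\[/ {                             # [section] header
            sec = $0
            sub(/^[ \t]*[[]/, "", sec)            # drop leading "["
            sub(/[]].*$/, "", sec)                # drop "]" and the rest
            next
        }
        /^[ \t]*gpgcheck[ \t]*=/ {                # gpgcheck = VALUE
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)         # drop "gpgcheck ="
            sub(/[ \t]+$/, "", val)               # drop trailing blanks
            seen[sec] = val
        }
        END {
            rc = 0
            if (!("main" in seen) || seen["main"] != "1") { print "main"; rc = 1 }
            for (s in seen)
                if (s != "main" && seen[s] == "0") { print s; rc = 1 }
            exit rc
        }'
}

# Constructed sample resembling a RHEL 5 /etc/yum.conf with checking enabled.
GOOD_CONF='[main]
cachedir=/var/cache/yum
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
distroverpkg=redhat-release
tolerant=1
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1'

# Constructed sample with two problems: gpgcheck commented out in [main], and
# a local mirror repository that disables checking for itself.
BAD_CONF='[main]
cachedir=/var/cache/yum
# gpgcheck=1
plugins=1

[local-mirror]
name=Local mirror (constructed example)
baseurl=file:///srv/mirror/rhel5
enabled=1
gpgcheck = 0'

# report LABEL CONFIG_TEXT: human-readable summary of check_gpgcheck.
report() {
    if offenders=$(check_gpgcheck "$2"); then
        echo "$1: gpgcheck enforced in every section"
    else
        echo "$1: gpgcheck not enforced in section(s):" $offenders
    fi
}

report "good yum.conf" "$GOOD_CONF"
report "bad yum.conf" "$BAD_CONF"
# On a live system: check_gpgcheck "$(cat /etc/yum.conf /etc/yum.repos.d/*.repo)"
```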