Re: System Hardening > Unix, Linux and NT

From: Ed Turner (netguru1001@yahoo.com)
Date: 12/30/01


From: Ed Turner <netguru1001@yahoo.com>
Date: Sun, 30 Dec 2001 04:20:38 GMT

I have some input that may help a little (if you aren't using this method
already).

I have been a Linux user for about 8 years now, and I have been through most of the
mainstream distributions. I was asked to design some systems and make them as
bulletproof as possible using RedHat Linux 6.2 on Sun and Intel. Anyway, here is
what I did:

I installed only the base OS without all of the packages (approx. 228M). Then I
went through the RedHat package manager and looked through each one of them.
Since a few of these systems were to be accessed by multiple users, I then
proceeded to use the 'chattr' command to lock down all critical binary and
configuration files (i.e. login, ls, and other common system files).

You can use the 'chattr' command to change attributes of files. You can hide
them, make them unerasable, unmodifiable, and other cool things (see 'man
chattr'). This helps if the system is compromised and someone wants to try and
install a trojan horse.

I then installed the rest of the packages and tested all of the binaries after
making modifications to the attributes for the most likely not-to-change
system access and administration files (i.e. login, in.telnetd, etc.). Then I hid
the chattr command (you can also choose to remove it, but do so after you are
sure you are done).

As you know, the /etc directory contains most of the configuration files for the
system. I locked all of those down, and made select files -rw------- for root
only (you can't do this with every file, but I do have a list for RH 6.x through
7.x if you are interested).
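As an added example (my own, not part of Ed's post or any RedHat tooling), here is a small POSIX sh script that applies the immutable attribute the post describes and, more usefully for day-to-day operation, audits which files from a lock-down list still carry it. The file list is a constructed illustration drawn from the files the post names; adjust it to your system. Two caveats a practitioner should keep in mind: 'chattr +i' blocks writes and unlinks even for root until the flag is cleared, so package upgrades of those files will fail until you run 'chattr -i' first; and the flag only raises the bar, because any process holding CAP_LINUX_IMMUTABLE (i.e. root) can clear it again, so the audit function is what tells you whether your lock-down is still in place.

```shell
#!/bin/sh
# Added example, not from the original post: lock down a list of files with
# the ext2/3/4 immutable attribute and audit whether the flag is still set.
# LOCKDOWN_LIST is a constructed sample; replace it with your own list.

LOCKDOWN_LIST="/bin/login /bin/ls /usr/sbin/in.telnetd /etc/passwd /etc/shadow"

# has_immutable LINE
#   Given one line of 'lsattr' output ("<flags> <path>"), succeed (exit 0)
#   if the flag field contains the lowercase 'i' (immutable) attribute.
#   Note: the uppercase 'I' flag means something else (indexed directory),
#   and 'case' patterns are case-sensitive, so it is not confused with 'i'.
has_immutable() {
    flags=${1%% *}              # everything before the first space
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# missing_immutable
#   Read 'lsattr' output on stdin and print, one per line, the paths whose
#   flags lack 'i'. Returns 1 if anything is missing, 0 if all are locked.
missing_immutable() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! has_immutable "$line"; then
            printf '%s\n' "${line#* }"   # path is everything after the flags
            rc=1
        fi
    done
    return $rc
}

# lock_down
#   Apply 'chattr +i' to every existing file in LOCKDOWN_LIST. Requires root
#   (CAP_LINUX_IMMUTABLE) and an ext2/3/4 filesystem; refuses otherwise.
lock_down() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "lock_down: must run as root" >&2
        return 2
    fi
    for f in $LOCKDOWN_LIST; do
        [ -e "$f" ] && chattr +i "$f"
    done
}

# audit
#   Compare the current attributes of LOCKDOWN_LIST against expectations and
#   print any file that has lost its immutable flag. Exit status 1 means at
#   least one file is no longer locked (suitable for a cron job or monitor).
audit() {
    lsattr -d $LOCKDOWN_LIST 2>/dev/null | missing_immutable
}
```

Usage: run 'lock_down' once as root after the system is configured, then schedule 'audit' (for example from cron) and alert on a non-zero exit. Before a package upgrade that touches a locked file, clear the flag with 'chattr -i', upgrade, then run 'lock_down' again.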

That's a trick that I have been using for a while. It works well. I also don't
install any unnecessary packages. I try to run with only what's necessary. For
instance, I usually won't install X11R6 on a dedicated mailserver unless I am
running a server in which the administration is done via GUI.

Also, keep up with the advisories! There are many good sites out there that
have mailing lists that notify you when a bug or a hole has been found. Find
them and join them, because they usually carry some good tips and practices.

Anyway, that's only a very small fraction of the steps that can be taken to HELP
secure a system. It goes hand in hand with a good permissions scheme.

As for the networking side, that's another book. Anyway, I have been around for a
while, and if you need a list of steps you can take to secure a Linux system, I
would be glad to share brains with you. That's a small tip, but it helps (and not
only on Linux!).

Ed Turner
Chicago, IL

Casey Schaufler wrote:

> clarke wrote:
> >
> > I'm doing some research on system hardening for both NT, Linux and Unix. If
> > you don't mind please share experiences, any books you recommend, papers or
> > websites.
>
> If you really want to get down and dirty, there's the NSA's
> secure systems site:
>
> http://www.radium.ncsc.mil/tpep
>
> --
>
> Casey Schaufler Manager, Trust Technology, SGI
> casey@sgi.com voice: 650.933.1634
> casey_p@pager.sgi.com Pager: 888.220.0607