Re: System Hardening > Unix, Linux and NT

From: Ed Turner (netguru1001@yahoo.com)
Date: 12/30/01


From: Ed Turner <netguru1001@yahoo.com>
Date: Sun, 30 Dec 2001 04:20:38 GMT

I have some input that may help a little (if you aren't using this method
already).

I have been a Linux user for about 8 years now, and I have been through most of
the mainstream distributions. I was asked to design some systems and make them
as bullet proof as possible using RedHat Linux 6.2 on Sun and Intel. Anyway,
here is what I did..

I installed only the base OS without all of the packages (approx. 228M). Then I
went through the redhat package manager and looked through each one of them.
Since a few of these systems were to be accessed by multiple users, I then
proceeded to use the 'chattr' command to lock down all critical binary and
configuration files (i.e. login, ls, and other common system files).

You can use the 'chattr' command to change attributes of files. You can hide
them, make them unerasable, unmodifiable, and other cool things (see 'man
chattr'). This helps if the system is compromised and someone wants to try and
install a trojan horse.

I then installed the rest of the packages, and tested all of the binaries after
making modifications to the attributes of the system access and administration
files most likely not to change (i.e. login, in.telnetd, etc). Then I hid the
chattr command (you can also choose to remove it, but do so after you are sure
you are done).

As you know, the /etc directory contains most of the configuration files for the
system. I locked all of those down, and made select files -rw------- for root
only (you can't do this with every file, but I do have a list for RH 6.x through
7.x if you are interested).

That's a trick that I have been using for a while. It works well. I also don't
install any unnecessary packages. I try to run with only what is necessary. For
instance, I usually won't install X11R6 on a dedicated mailserver unless I am
running a server in which the administration is done via GUI.

Also, keep up with the advisories! There are many good sites out there that
have mailing lists that notify you when a bug or a hole has been found. Find
them and join them, because they usually carry some good tips and practices.

Anyway, that's only a very small fraction of the steps that can be taken to HELP
secure a system. It goes hand in hand with a good permissions scheme.

As for the networking side, that's another book. Anyway, I have been around for
a while, and if you need a list of steps you can take to secure a Linux system,
I would be glad to share brains with you. That's a small tip, but it helps (and
not only on Linux!).

Ed Turner
Chicago, IL

Casey Schaufler wrote:

> clarke wrote:
> >
> > I'm doing some research on system hardening for both NT, Linux and Unix. If
> > you don't mind please share experiences, any books you recommend, papers or
> > websites.
>
> If you really want to get down and dirty, there's the NSA's
> secure systems site:
>
> http://www.radium.ncsc.mil/tpep
>
> --
>
> Casey Schaufler Manager, Trust Technology, SGI
> casey@sgi.com voice: 650.933.1634
> casey_p@pager.sgi.com Pager: 888.220.0607
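The chattr lock-down and the root-only /etc permission rule from Ed's post, as an added example script (not Ed Turner's own script and not part of the original thread). The file list is illustrative (the post names login, ls, in.telnetd and the /etc configuration files; /etc/inetd.conf is an assumed example), and DRY_RUN=1, the default, only prints the chattr commands instead of running them. The audit helpers parse lsattr and stat-style output so they can be checked against constructed sample lines without root.

```shell
#!/bin/sh
# Added example (not Ed Turner's own script): lock the binaries and
# configuration files the post names with chattr +i, then audit the result
# with lsattr and with the root-only permission rule the post describes.
# Assumptions: the file list below is illustrative, and DRY_RUN=1 (the
# default) only prints the chattr commands instead of running them.

# Constructed list of files to make immutable (post names login, ls, in.telnetd
# and the /etc configuration files; /etc/inetd.conf is an assumed example).
CRITICAL_FILES="/bin/login /bin/ls /usr/sbin/in.telnetd /etc/inetd.conf"

# Emit (or, with DRY_RUN=0 as root, run) the chattr command for one file.
lock_immutable() {
    f="$1"
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'chattr +i %s\n' "$f"
    else
        chattr +i "$f"
    fi
}

# Given one line of lsattr output (e.g. "----i--------e-- /bin/login"),
# succeed if the immutable flag 'i' is present in the flag field.
has_immutable() {
    flags="${1%% *}"
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read lsattr output on stdin and print the paths that are NOT immutable,
# so a post-lockdown audit shows exactly what still needs chattr +i.
find_unlocked() {
    while read -r line; do
        has_immutable "$line" || printf '%s\n' "${line#* }"
    done
}

# Read "mode owner path" lines (as from: stat -c '%a %U %n' FILE...) on stdin
# and print entries that are not root-owned with mode 600 or 400, i.e. the
# files that break the -rw------- root-only rule for selected /etc files.
root_only_violations() {
    while read -r mode owner path; do
        if [ "$owner" != "root" ]; then
            printf '%s %s %s\n' "$mode" "$owner" "$path"
            continue
        fi
        case "$mode" in
            600|400) ;;
            *) printf '%s %s %s\n' "$mode" "$owner" "$path" ;;
        esac
    done
}

# Lock (or, in dry-run mode, show how to lock) the critical files.
for f in $CRITICAL_FILES; do
    lock_immutable "$f"
done

# When actually applied as root, audit with the real lsattr output.
if [ "${DRY_RUN:-1}" != "1" ] && command -v lsattr >/dev/null 2>&1; then
    lsattr $CRITICAL_FILES 2>/dev/null | find_unlocked
fi
```

Run it as-is to see the commands it would issue; run it with DRY_RUN=0 as root on an ext2/ext3 filesystem to apply them. After that, `lsattr` piped through find_unlocked should print nothing, and `stat -c '%a %U %n'` on the files you chose to make root-only, piped through root_only_violations, should print nothing either. Remember that once a file is immutable, package upgrades that touch it will fail until the flag is cleared, which is why the post keeps chattr available until the installation is finished.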
