Red Hat Linux Server Hardening Checklist

The hardening checklists are based on the comprehensive checklists produced by CIS. The Information Security Office (http://security.utexas.edu) has distilled the CIS lists down to the most critical steps for your systems, with a particular focus on configuration issues that are unique to the computing environment.

How to use the checklist

Print the checklist and check off each item you complete to ensure that you cover the critical steps for securing your server. The Information Security Office uses this checklist during risk assessments as part of the process to verify that servers are secure.

How to read the checklist

Step - The step number in the procedure. If there is a UT Note for this step, the note number corresponds to the step number (see "UT Note: Addendum" at the bottom of the page, http://security.utexas.edu/admin/redhat-linux.html#note).
Check - A checkbox for administrators to check off when they complete this portion.
To Do - Basic instructions on what to do to harden the respective system.
CIS - Reference number in the Center for Internet Security Red Hat Linux Benchmark (https://security.utexas.edu/admin/cis/CIS_RHEL5_Benchmark_v1.1.pdf; PDF, requires UT EID login). The CIS document outlines in much greater detail how to complete each step.
UT Note - The UT Note at the bottom of the page provides additional detail about the step for the university computing environment.
Cat I - For systems that include Category-I data (http://www.utexas.edu/its/policies/opsmanual/dataclassification.php), required steps are denoted with the ! symbol. All steps are recommended.
Cat II/III - For systems that include Category-II or -III data, all steps are recommended, and some are required (denoted by the !).
Min Std - This column links to the specific requirement for the university in the Minimum Security Standards for Systems document (http://www.utexas.edu/its/policies/opsmanual/secstd.php).

Server Information

MAC Address: ____________________
IP Address: ____________________
Machine Name: ____________________
Asset Tag: ____________________
Administrator Name: ____________________
Date: ____________________

Checklist

Each step is listed as: step number, To Do, then in parentheses the CIS reference, UT Note number, Cat I, Cat II/III and Min Std columns. A dash means the column is empty for that step.

Preparation and Installation

1. If the machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened. (CIS -; UT Note 1; Cat I !; Cat II/III -; Min Std 5.1)
2. Set a BIOS/firmware password and/or configure the device boot order to prevent unauthorized booting from alternate media. (CIS 8.8; UT Note -; Cat I !; Cat II/III -; Min Std 4.1)

Patches, Packages and Initial Lockdown

3. Operating system and application services security patches should be installed expediently and in a manner consistent with change management procedures. (CIS 2.1; UT Note -; Cat I !; Cat II/III -; Min Std 5.2)
4. Configure SSH. Note: Services used to transfer Category-I data shall be encrypted. (CIS 2.3; UT Note 4; Cat I !; Cat II/III -; Min Std 5.6)
5. Enable system accounting (install package sysstat). (CIS 2.4; UT Note 5; Cat I !; Cat II/III -; Min Std 6.1)
6. Enable and test OS and application logging. (CIS n/a; UT Note 6; Cat I !; Cat II/III -; Min Std 6.1)

Minimize xinetd network services

7. Disable any services and/or applications started by xinetd or inetd that are not being utilized. (CIS 3.1; UT Note 7; Cat I !; Cat II/III -; Min Std 5.4)
8. Limit connections to services running on the host to authorized users of the service (utilize firewall and other access control technology). (CIS 3.2; UT Note 8; Cat I !; Cat II/III -; Min Std 5.5)

Minimize boot services

9. Disable GUI login if possible. (CIS 4.4; UT Note 9; Cat I !; Cat II/III -; Min Std -)
10. Disable unused standard boot services. (CIS 4.6; UT Note -; Cat I !; Cat II/III -; Min Std -)

Logging

11. Configure an NTP server. (CIS -; UT Note 11; Cat I !; Cat II/III -; Min Std -)
12. All administrator or root access must be logged. (CIS 6; UT Note 12; Cat I !; Cat II/III -; Min Std 6.4)

Files/Directory Permissions/Access

13. Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested. (CIS SN.7, 6.4; UT Note 13; Cat I !; Cat II/III -; Min Std 5.9)

System Access, Authentication, and Authorization

14. Ensure that the configuration files for PAM, /etc/pam.d/*, are secure. (CIS 7.1, 8.2; UT Note 14; Cat I !; Cat II/III !; Min Std 5.12)
15. Enable the terminal security file / restrict root logins to the system console. (CIS 8.6; UT Note 15; Cat I !; Cat II/III !; Min Std 4.1)

Warning Banners

16. If network or physical access services are running, ensure the university warning banner is displayed. (CIS 10.1; UT Note 16; Cat I !; Cat II/III !; Min Std 5.10)
17. If the system allows logins via a graphical user interface, create a warning banner for it. (CIS 10.2; UT Note -; Cat I -; Cat II/III -; Min Std -)

Anti-Virus Considerations

18. Install and enable anti-virus software. (CIS 12; UT Note 18; Cat I !; Cat II/III !; Min Std 3.1)
19. Configure the anti-virus software to update its signatures daily. (CIS 12; UT Note 19; Cat I !; Cat II/III !; Min Std 3.3)

Additional Security Notes

20. Systems will provide secure storage for Category-I data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate. (CIS -; UT Note 20; Cat I !; Cat II/III !; Min Std 5.7)
21. Integrity checking of critical operating system files should be enabled and tested. Third-party tools may also be used to implement this. (CIS -; UT Note 21; Cat I !; Cat II/III !; Min Std 5.8)

UT Note: Addendum

This list provides specific tasks related to the computing environment at The University of Texas at Austin.
1. If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall between the network and the host to be protected.

4. If you decide to utilize SSH (http://www.openssh.com), the ISO highly recommends the following:

   - Change the port from port 22 to something/anything else. There are scripts online that malicious hackers can use against an SSH server. These scripts always attack port 22 since most people do not change the default port.
   - Do not allow root logins via SSH.
   - If possible, use keys with a passphrase instead of just passwords. To create an RSA key pair and install the public key on the server, run these commands (the mkdir and chmod are quoted so that both run on the server rather than locally):

     ssh-keygen -t rsa
     ssh server 'mkdir .ssh; chmod 0700 .ssh'
     scp ~/.ssh/id_rsa.pub server:.ssh/authorized_keys2

   The CIS Solaris Benchmark covers some suggested basic settings to place in the configuration file. You may also want to visit the SSL Web site (http://www.openssl.org/).

5. System accounting gathers baseline system data (CPU utilization, disk I/O, etc.) every 10 minutes. The data may be accessed with the sar command, or by reviewing the nightly report files named /var/log/sa/sar*. Once a normal baseline for the system has been established, unauthorized activity (password crackers and other CPU-intensive jobs, and activity outside of normal usage hours) may be detected through departures from the normal system performance curve.

6. The psacct package contains several utilities for monitoring process activities, including ac, lastcomm, accton, and sa. ac displays statistics about how long users have been logged on. lastcomm displays information about previously executed commands. accton turns process accounting on or off. sa summarizes information about previously executed commands.

7. Disable any xinetd services you do not absolutely require by setting disable = yes in the service's file under /etc/xinetd.d/. If no xinetd services are required, disable xinetd altogether:

     sudo service xinetd stop; sudo chkconfig xinetd off

   Configure TCP wrappers for access control. Edit /etc/hosts.deny to include this entry as the first uncommented line in the file:

     ALL:ALL

   Ensure /etc/hosts.allow is edited appropriately to allow the administrator(s) to connect. Unless r commands (i.e., rsh, rlogin) are required, remove or empty the file /etc/hosts.equiv. If r commands are required, consider replacing them with a secure alternative such as SSH.

   Verify that you have disabled any unnecessary startup scripts under /etc, /etc/rc*.d, or /etc/init.d (or the startup script directory for your system) and disabled any unneeded services from starting in these scripts. Unnecessary services can be disabled with:

     $ sudo chkconfig <service> off

   To check what services are listening, use:

     $ lsof | grep '*:'

   or

     $ sudo netstat -tulp

   Much more detailed information regarding services is available in the CIS benchmark documents. Red Hat also provides a text-based interface for changing startup services: ntsysv. For example, the command ntsysv --level 345 configures runlevels 3, 4, and 5.

8. Red Hat comes with iptables. Below is a list of some iptables resources:

     http://firehol.sourceforge.net/
     http://sourceforge.net/projects/fwbuilder
     http://www.simonzone.com/software/guarddog/

9. A simple way to disable the GUI is to change the default run level. Edit the file /etc/inittab. Look for the line that contains the following:

     id:5:initdefault:

   Replace the 5 with 3. The line will then read:

     id:3:initdefault:

11. ITS Networking operates two stratum 2 NTPv4 (NTP version 4) servers for network time synchronization services (http://www.utexas.edu/its/ntp/) for university network administrators.

12. Examples: syslog. Red Hat: http://www.redhat.com/docs/manuals/enterprise/RHEL-AS-2.1-Manual/cluster-manager/s1-software-syslog.html

13. Check /etc/sudoers to see who has sudo rights. Check /etc/group to see what groups your users belong to. Check /etc/passwd and/or /etc/shadow for blank passwords. Check the strength of users' passwords with tools such as John the Ripper (http://www.openwall.com/john/); seek approval from the IT Owner (http://www.utexas.edu/its/glossary/iso#GL_Owner) first. Consider using a simple dictionary for easily guessed passwords. Develop a procedure to report and remediate easily guessed passwords.

14. Ensure the following are set in /etc/pam.d/other:

     auth     required pam_deny.so
     auth     required pam_warn.so
     account  required pam_deny.so
     account  required pam_warn.so
     password required pam_deny.so
     password required pam_warn.so
     session  required pam_deny.so
     session  required pam_warn.so

   pam_warn will report alerts to syslog.

15. Ensure that the terminal security file (for example, /etc/securetty or /etc/ttys) is configured to deny privileged (root) access. On a Red Hat box, this means that no virtual devices (such as /dev/pty*) appear in this file.

16. The text of the university's official warning banner can be found on the ITS Web site (http://www.utexas.edu/its/policies/banner.php). You may add localized information to the banner as long as the university banner is included.

18. There are few viruses that infect Linux computers; therefore, it is understandable for most Linux servers to have an exception to this rule. See the Operations Manual for information on the exception process (http://www.utexas.edu/vp/it/policies/uts165/index.php). You may choose any proven anti-virus product. One option is ClamAV (http://www.clamav.net).

19. There are few viruses that infect Linux computers; therefore, it is understandable for most Linux servers to have an exception to this rule. See the Operations Manual for information on the exception process (http://www.utexas.edu/vp/it/policies/uts165/index.php).

20. There are a variety of methods available to accomplish this goal. Two good candidates are PGP (http://www.pgp.com; cost) and GnuPG (http://www.gnupg.org; free).

21. [The text of this note is not present in the source.]
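The UT Notes above describe what to set by hand; the script below is an added example (not part of the UT checklist or the CIS benchmark) that audits the same files read-only and reports PASS/FAIL per item: sshd_config for Note 4, hosts.deny for Note 7, inittab for Note 9, shadow for Note 13, pam.d/other for Note 14 and securetty for Note 15. The function names and the --live switch are this example's own; the file paths are the ones the notes name.

```shell
#!/bin/sh
# Added example, not from the UT checklist or the CIS benchmark: a read-only audit
# of the files the UT Notes ask you to edit. Each check takes the path of the file
# to inspect, prints PASS/FAIL/WARN and returns 0 only when that note is satisfied.
# sshd_config applies the first occurrence of a keyword; print it, or "" if unset.
sshd_val() { awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"; }

# Note 4: off port 22, no root logins, keys preferred over passwords.
audit_sshd() {
    rc=0
    port=$(sshd_val "$1" Port)
    if [ -n "$port" ] && [ "$port" != 22 ]; then echo "PASS sshd Port $port"
    else echo "FAIL sshd listens on port 22 (an unset Port also means 22)"; rc=1; fi
    if [ "$(sshd_val "$1" PermitRootLogin)" = no ]; then echo "PASS PermitRootLogin no"
    else echo "FAIL PermitRootLogin is not 'no'"; rc=1; fi
    if [ "$(sshd_val "$1" PasswordAuthentication)" = no ]; then echo "PASS keys only"
    else echo "WARN password logins still allowed; prefer keys with a passphrase"; fi
    return $rc
}

# Note 7: the first uncommented, non-blank line of hosts.deny must be ALL:ALL.
audit_hosts_deny() {
    first=$(awk '$0 !~ /^[[:space:]]*#/ && $0 ~ /[^[:space:]]/ {
                    gsub(/[[:space:]]/, ""); print; exit }' "$1")
    if [ "$first" = "ALL:ALL" ]; then echo "PASS hosts.deny defaults to ALL:ALL"
    else echo "FAIL hosts.deny first rule is '${first:-(none)}'"; return 1; fi
}

# Note 9: the default runlevel in inittab must not be 5 (graphical login).
audit_inittab() {
    lvl=$(sed -n 's/^id:\([0-9]\):initdefault:.*/\1/p' "$1" | head -n 1)
    if [ -n "$lvl" ] && [ "$lvl" != 5 ]; then echo "PASS initdefault runlevel $lvl"
    else echo "FAIL initdefault is 5 or missing"; return 1; fi
}

# Note 13: no account may have an empty password field in shadow.
audit_shadow() {
    blank=$(awk -F: '$2 == "" { print $1 }' "$1" | tr '\n' ' ')
    if [ -z "$blank" ]; then echo "PASS no blank passwords"
    else echo "FAIL blank password for: $blank"; return 1; fi
}

# Note 14: all four module types in pam.d/other must fall through to pam_deny.so.
audit_pam_other() {
    n=$(awk '$1 ~ /^(auth|account|password|session)$/ && $2 == "required" &&
             $3 == "pam_deny.so" && !seen[$1]++ { n++ } END { print n + 0 }' "$1")
    if [ "$n" -eq 4 ]; then echo "PASS pam.d/other denies all four module types"
    else echo "FAIL pam.d/other: only $n of 4 module types reach pam_deny.so"; return 1; fi
}

# Note 15: securetty must list consoles only, never virtual terminals (pty/pts).
audit_securetty() {
    if grep -Eq '^(/dev/)?(pts/|pty)' "$1"; then
        echo "FAIL securetty permits root on virtual terminals"; return 1
    else echo "PASS securetty has no pty/pts entries"; fi
}
if [ "${1:-}" = "--live" ]; then   # run as root so /etc/shadow is readable
    audit_sshd /etc/ssh/sshd_config; audit_hosts_deny /etc/hosts.deny; audit_inittab /etc/inittab
    audit_shadow /etc/shadow; audit_pam_other /etc/pam.d/other; audit_securetty /etc/securetty
fi
```

Run it as `sh hardening_audit.sh --live` on the server itself, or call the individual functions against copied-off files when reviewing a system remotely.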