CIS 290 LINUX Security

1
CIS 290LINUX Security

• Basic OS Hardening Procedures

2
Physical security

• Lock it up!
• BIOS Password
• Disable BIOS alternate boot devices
• Disable interactive boot
• vi /etc/sysconfig/init
• PROMPTno
• Password protected GRUB boot
• Console locking yum install vlock, xlock
• Lock desktop GUI, or no Xwindows at all.
• Disable Ctrl/Alt/Del (procedure varies)

3
Software maintenance

• Install Red Hat GPG key from installation CD-ROM
  or DVD.
• rpm --import /mnt/cdrom/RPM-GPG-KEY
• Display a list of all keys installed for RPM
  verification
• rpm -qa gpg-pubkey
• Display specific key
• rpm -qi gpg-pubkey-db4 2a60e-37ea5438
• Verify package keys
• rpm -K /root/updates/.rpm
• Automatic GPG signature verification enabled
  under the main section of your /etc/yum.conf
• gpgcheck1
• Cleanup Yum Repositories. Only what you need.
• Remove unneeded software.

4
Filesystem security

• Mount options (-o ) noexec (especially /tmp),
  nosetuid, nosuid, ro (!)
• Encrypted File System (Dangerous), TruCrypt
  containers , encrypted hardrive (hardware,
  software)
• Noowner Files
• find /dir -xdev \( -nouser -o -nogroup \) print
• World-Writable Files
• find /dir -xdev -type d \( -perm -0002 -a !
  -perm -1000 \) -print
• Disable Unwanted SUID and SGID Binaries
• See all set user id filesfind / -perm 4000
  See all group id filesfind / -perm 2000 Or
  combine both in a single commandfind / \( -perm
  -4000 -o -perm -2000 \) -printfind / -path
  -prune -o -type f -perm 6000 ls