##### Security stuff

### NSA PDF

* bookmarks: page 63; 90

# General

* Use the idea of "least privilege": limit sudo and logins to administrators only
* BIOS and bootloader passwords are a must for systems an attacker can reach physically

# OS stuff

* consider requiring authentication for single-user mode
* disable interactive boot (/etc/sysconfig/init: PROMPT=no)
* lock system accounts and give them an invalid shell (e.g. /sbin/nologin)
* disable the rhnsd service unless updates must be pulled on the Red Hat Network's schedule; use cron and yum instead
* autofs can be disabled even when network file systems are in use, provided they have entries in fstab
* consider bind mounting other temporary directories onto /tmp, e.g. /var/tmp to /tmp, so the mount options applied to /tmp (noexec, nosuid, nodev) cover them as well
* prevent uncommon file systems from being loaded via /etc/modprobe.conf (or a file under /etc/modprobe.d/), one line per module, where FS is the module name: install FS /bin/true
* restrict the terminals root may log in from via the system console list (/etc/securetty)
* disclose the least amount of OS details in the login banner (/etc/issue)
* world-writable directories should always have the sticky bit set
* check for unauthorized suid/sgid binaries

# authentication (local accounts)

* set password requirements (maximum age, minimum change interval, complexity)
* use pam_tally2 (pam_tally on older releases, pam_faillock on RHEL 7 and later) to lock out accounts after n password failures
* use sha512 password hashing
* limit password reuse

# networking

* disable IP forwarding and ICMP redirects (sending and accepting) on machines not acting as gateways or firewall hosts
* consider using hosts.{allow,deny}

# Software

* always use gpgcheck=1 with yum repositories
* use rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey to list the RPM signing keys that have been imported
* use gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release to check the key fingerprint against the one Red Hat publishes

#### auditing

* audisp = audit dispatcher daemon
* auditctl = audit control utility
* aureport = get an entire report
* ausearch = search for specific events
** There are three kinds of audit rules: control rules, file system rules (watches), system call rules
** Rules are configured in /etc/audit/audit.rules (survive reboots) or loaded at runtime via auditctl
** Default rule sets are available in /usr/share/doc/audit-version/*.rules
** -F filters can be used on file watches too

# example usage with auditctl

* auditctl -l = list all rules currently loaded
* auditctl -w path/to/file -p permissions(r,w,x,a) -k key_name(string value) ; set a watch on a file
* auditctl -a action(always|never),filter(task,exit,user,exclude) -S syscall -F field=value -k key_name(string) ; set auditing on a syscall
* see auditctl(8) for all field types and values

# example searching with ausearch

** -ts,-te fields can use: now, recent, today, yesterday, this-week, this-month, this-year or a timestamp in the locale's LC_TIME format
** -a (event id), -c (command name), -e (syscall exit code), -f (file name), -hn (host name), -i (human readable)
** -if (input log), -k (key field), -m (message type), -p/-pp (pid/parent pid), -sc (syscall name), -sv (yes/no success)
** -ui (uid) / -ul (login uid, the auid fixed at login and kept across su/sudo; both take a number or a name), -x (executable name)

ausearch -ul tgreen -ts this-month -m USER_CMD
ausearch -ul desantis -i -ts this-month -m USER_CMD,USER_START

# consider using pam_tty_audit (passwords are not logged by default) to log keystrokes # after security incidents?

session required pam_tty_audit.so disable= enable= (password-auth & system-auth)