Here’s a couple of things to get you started.
# Setup the sysctl.conf file
cat <<SYSCTL > /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) for
# more details.
#
# Disables packet forwarding
net.ipv4.ip_forward = 0
# Enables source route verification
net.ipv4.conf.all.rp_filter = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Disables the magic-sysrq key
kernel.sysrq = 0
# Disable response to ping.
net.ipv4.icmp_echo_ignore_all = 1
# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Don't accept source routed packets. Attackers use source routing to generate
# traffic pretending to be from inside your network, but is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
net.ipv4.conf.all.accept_source_route = 0
# Disable ICMP redirect acceptance. ICMP redirects are used to alter routing
# tables, possibly to a bad end.
net.ipv4.conf.all.accept_redirects = 0
# Enable bad error message protection.
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log spoofed packets, source routed packets, redirect packets.
net.ipv4.conf.all.log_martians = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
SYSCTL
#
# Add to allow serial console access
cat <<TTY >> /etc/securetty
ttyS0
TTY
cat <<INIT >> /etc/inittab
# Listen on the serial console port
s0:12345:respawn:/sbin/mgetty -x 0 -s 9600 -r /dev/ttyS0
INIT
-----Original Message-----
Does anyone have a kickstart and/or %post they are willing to share which builds a hardened OS (using general best practices for securing linux)? I'm looking mostly at RH7.3 or AS2.1 or 3.0.

Thanks in advance.

Eric Lambert
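
A check for the sysctl settings in the reply above, as an added example that is not part of either message: it audits a sysctl.conf for drift from those values, honouring the rule that a later assignment of the same key overrides an earlier one. The function names and the DRIFT output format are hypothetical.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf against the values set in the %post above.
# EXPECTED mirrors the keys/values from that heredoc; function names are hypothetical.

EXPECTED='net.ipv4.ip_forward=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
kernel.sysrq=0
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians=1
net.ipv4.tcp_syncookies=1'

# Print the effective value of key $2 in file $1 (last assignment wins,
# comment lines and surrounding whitespace ignored); print nothing if unset.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# Report every expected key that is missing or different in file $1.
# Returns 0 when the file matches, 1 otherwise.
audit_sysctl_conf() {
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(conf_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "DRIFT $key: want=$want got=${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}
```

Calling `audit_sysctl_conf /etc/sysctl.conf` as the last step of %post, or later from cron, catches a package or admin edit that appended an overriding line after the hardened block.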