On Thu, 6 Nov 2003, Lambert, Eric wrote: >Does anyone have a kickstart and/or %post they are willing to share >which builds a hardened OS (using general best practices for securing >linux)? I'm looking mostly at RH7.3 or AS2.1 or 3.0. Thanks in >advance. It really does depend on your setup. Looking at my standard %post, I'd suggest covering at least the following: - Review entire installed RPM list (rpm -qa) and cut out any you don't need. Pay particular attention to "rpm -qf /etc/*" and "rpm -qf /etc/init.d/*" packages. - Add an alias for root's mail so you see errors, rather than let them store up. - Consider setting TMOUT and/or autologout shell variables in /etc/profile.d, to timeout shell logins after a period of inactivity. - Remove SUID/SGID bits from files which don't absolutely need them. For the ones which are left, consider using the wheel group to restrict execution to specific accounts. - Turn off services you don't absolutely need. Check "chkconfig --list | grep on" Cheers, Phil
