Re: hardening script?

On Thu, 6 Nov 2003, Lambert, Eric wrote:

>Does anyone have a kickstart and/or %post they are willing to share
>which builds a hardened OS (using general best practices for securing
>linux)?  I'm looking mostly at RH7.3 or AS2.1 or 3.0.  Thanks in
>advance.

It really does depend on your setup. Looking at my standard %post, I'd
suggest covering at least the following:

- Review entire installed RPM list (rpm -qa) and cut out any you don't
need. Pay particular attention to "rpm -qf /etc/*" and
"rpm -qf /etc/init.d/*" packages.

- Add an alias for root's mail so you see errors, rather than let them
store up.

- Consider setting TMOUT and/or autologout shell variables in
/etc/profile.d, to time out shell logins after a period of inactivity.

- Remove SUID/SGID bits from files which don't absolutely need them. For
the ones which are left, consider using the wheel group to restrict
execution to specific accounts.

- Turn off services you don't absolutely need.
Check "chkconfig --list | grep on"


Cheers,
Phil
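
The SUID/SGID item from the list above, as an added example that is not part of the original message: a %post-style shell fragment that finds SUID/SGID files, compares them with an allowlist, and strips the bits from everything else. The function names, the allowlist format (one absolute path per line) and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit SUID/SGID files against an allowlist, strip the rest.
# Function names and allowlist format (one absolute path per line) are assumed.
# Paths containing newlines are not handled.

# List regular files under $1 carrying the SUID or SGID bit.
# -xdev keeps find on a single filesystem (skips /proc, network mounts).
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print SUID/SGID files under $1 that are NOT named in allowlist file $2.
# -x and -F make grep compare whole lines literally, so "/bin/su" does not
# also allow "/bin/sudo".
unexpected_suid_sgid() {
    list_suid_sgid "$1" | grep -vxF -f "$2" || true
}

# Remove both bits from every unexpected file and print each affected path.
# With DRY_RUN=1 the paths are reported but nothing is changed.
strip_unexpected() {
    unexpected_suid_sgid "$1" "$2" | while IFS= read -r f; do
        [ "${DRY_RUN:-0}" = 1 ] || chmod ug-s "$f"
        printf '%s\n' "$f"
    done
}

# Constructed sample tree for trying the functions without touching the
# real system: two SUID files, one plain file, and an allowlist naming one.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin"
    for f in passwd rcp ls; do : > "$d/bin/$f"; chmod 755 "$d/bin/$f"; done
    chmod u+s "$d/bin/passwd" "$d/bin/rcp"
    printf '%s\n' "$d/bin/passwd" > "$d/allow"
    printf '%s\n' "$d"
}

# Try it on the constructed tree: sh thisfile demo
if [ "${1:-}" = demo ]; then
    t=$(make_sample_tree)
    echo "would strip:"; DRY_RUN=1 strip_unexpected "$t" "$t/allow"
    rm -rf "$t"
fi
```

In a real %post, run `strip_unexpected / /path/to/allowlist` with `DRY_RUN=1` first and review the output before letting it change modes.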



