Re: SIG - Hardening


On 04/22/15 01:13, Earl A Ramirez wrote:
> Dear All,
> 
> About a week ago I posted a proposal over on the centos-devel mailing
> list. The proposal is for a SIG, 'CentOS hardening', and there were a few
> members of the community who are also interested in this. Therefore,
> I am extending that email to this list, where there is a larger
> community.
> 
> Some things that we would like to achieve are as follows:
> SSH:
> disable root (uncomment 'PermitRootLogin' and change to no)
> enable 'strictMode'
> modify 'MaxAuthTries'
> modify 'ClientAliveInterval'
> modify 'ClientAliveCountMax'
> 
> Gnome:
> disable Gnome user list
> 
> Console:
> Remove reboot, halt, poweroff from /etc/security/console.app
> 
> Applying security best practices from various compliance perspectives,
> e.g. STIG, SOX, PCI etc... We may also use NSA RHEL 5 secure
> configuration guide to get some insight or use it as a baseline. The
> members of the community who are interested in this SIG or are willing
> to contribute are:
> Leam Hall
> Corey Henderson
> Jason Pyeron
> 
> You can find the post here [0]
> 
> We would really like to get the SIG approved by the CentOS board, so if anyone
> is interested or willing to contribute we will be happy to have you
> onboard.
> 
> [0]
> http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html
> 

These are all wicked good ideas for machines connected to the internet.
I hope you also plan on making it easy to turn off these otherwise
useful "features" for systems with no exposure to the internet. Don't
make it difficult/impossible to use rsync to back up between machines on
the local intranet.  Rsync has to run as root to access and maintain
correct file ownership and permissions.

-- 
    _
   °v°
  /(_)\
   ^ ^  Mark LaPierre
Registered Linux user No #267004
https://linuxcounter.net/
****
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
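
One way to check an sshd_config against the SSH items in the proposal while still permitting the root rsync case raised in the reply, written as an added example (not code from the thread or from the CentOS project). The threshold values, the idea of allowing root only key-based inside a `Match Address` block, and the sample config with its addresses are assumptions constructed for illustration.

```python
import re

# Target values are assumed for this example; the thread only fixes PermitRootLogin.
BASELINE = {
    "permitrootlogin": lambda v: v == "no",
    "strictmodes": lambda v: v == "yes",
    "maxauthtries": lambda v: v.isdigit() and int(v) <= 4,
    "clientaliveinterval": lambda v: v.isdigit() and 0 < int(v) <= 300,
    "clientalivecountmax": lambda v: v.isdigit() and int(v) <= 3,
}
KEY_ONLY_ROOT = {"without-password", "prohibit-password", "forced-commands-only"}

def parse(text):
    sections = [("", {})]           # first entry holds the global settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = re.sub(r"\s*=\s*|\s+", " ", line, count=1).partition(" ")
        if key.lower() == "match":  # a Match block runs to the next Match or EOF
            sections.append((value.strip().lower(), {}))
        else:                       # sshd uses the first value it reads for a keyword
            sections[-1][1].setdefault(key.lower(), value.strip().lower())
    return sections

def audit(text):
    (_, glob), *blocks = parse(text)
    findings = []
    for key, ok in BASELINE.items():
        if not ok(glob.get(key, "")):
            findings.append(f"{key}: {glob.get(key, 'unset')!r} is outside the baseline")
    for criteria, settings in blocks:
        root = settings.get("permitrootlogin", "no")
        # Root for intranet rsync is accepted only key-based and address-scoped.
        if root != "no" and not ("address" in criteria.split() and root in KEY_ONLY_ROOT):
            findings.append(f"match {criteria}: root login {root!r} is too broad")
    return findings

SAMPLE = """\
# constructed sshd_config, not taken from the thread
PermitRootLogin no
#StrictModes yes
MaxAuthTries 6
ClientAliveInterval=300
ClientAliveCountMax 3
Match Address 192.168.10.0/24
    PermitRootLogin without-password
Match User backup
    PermitRootLogin yes
"""
```

Calling `audit(SAMPLE)` reports the commented-out StrictModes line, the MaxAuthTries value and the `Match User backup` block, and accepts the address-scoped key-only root exception.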
