On 23.04.2015 at 02:49, Mark LaPierre <marklapier@xxxxxxxxx> wrote:
> On 04/22/15 01:13, Earl A Ramirez wrote:
>> Dear All,
>>
>> About a week ago, I posted a proposal over on the centos-devel mailing
>> list, the proposal is for a SIG 'CentOS hardening', there were a few of
>> the members of the community who are also interested in this. Therefore,
>> I am extending that email to this community; where there is a larger
>> community.
>>
>> Some things that we will like to achieve are as follows:
>> SSH:
>> disable root (uncomment 'PermitRootLogin' and change to no)
>> enable 'strictMode'
>> modify 'MaxAuthTries'
>> modify 'ClientAliveInterval'
>> modify 'ClientAliveCountMax'
>>
>> Gnome:
>> disable Gnome user list
>>
>> Console:
>> Remove reboot, halt poweroff from /etc/security/console.app
>>
>> Applying security best practices from various compliance perspective,
>> e.g. STIG, SOX, PCI etc... We may also use NSA RHEL 5 secure
>> configuration guide to get some insight or use it as a baseline. The
>> members of the community who are interested in this SIG or are willing
>> to contribute are:
>> Leam Hall
>> Corey Henderson
>> Jason Pyeron
>>
>> You can find the post here [0]
>>
>> We will really like to get SIG approved by the CentOS board so if anyone
>> is interested or willing to contribute we will be happy to have you
>> onboard.
>>
>> [0]
>> http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html
>>
>
> These are all wicked good ideas for machines connected to the internet.
> I hope you also plan on making it easy to turn off these otherwise
> useful "features" for systems with no exposure to the internet. Don't
> make it difficult/impossible to use rsync to back up between machines on
> the local intranet. Rsync has to run as root to access and maintain
> correct file ownership and permissions.

grep OPTIONS /etc/sysconfig/sshd
OPTIONS="-o PermitRootLogin=without-password"

--
LF
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
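
Added example (not part of the thread, and not code from any poster or from CentOS): a Python check of the five sshd settings named in the proposal that also honours -o options passed through /etc/sysconfig/sshd, which sshd applies before sshd_config and which therefore win. The thresholds, the assumed pre-7.0 OpenSSH defaults and the sample config are constructed for illustration.

```python
import re
import shlex

# Assumed review thresholds (the thread only says "modify"; numbers are illustrative).
CHECKS = {
    "permitrootlogin": lambda v: v in ("no", "without-password", "prohibit-password"),
    "strictmodes": lambda v: v == "yes",
    "maxauthtries": lambda v: v.isdigit() and int(v) <= 4,
    "clientaliveinterval": lambda v: v.isdigit() and 0 < int(v) <= 300,
    "clientalivecountmax": lambda v: v.isdigit() and int(v) <= 3,
}
# Assumed built-in defaults of OpenSSH releases before 7.0, used when a directive is absent.
DEFAULTS = {"permitrootlogin": "yes", "strictmodes": "yes", "maxauthtries": "6",
            "clientaliveinterval": "0", "clientalivecountmax": "3"}

def parse_line(line):
    """Return (keyword, value) from 'Keyword value' or 'Keyword=value', else None."""
    line = line.split("#", 1)[0].strip()
    m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", line)
    return (m.group(1).lower(), m.group(2).strip().strip('"').lower()) if m else None

def effective(config_text, options=""):
    """Global settings sshd would use: first value obtained wins, -o options come first."""
    seen = {}
    args = shlex.split(options)
    for i, arg in enumerate(args):
        kv = parse_line(args[i + 1]) if arg == "-o" and i + 1 < len(args) else None
        if kv:
            seen.setdefault(*kv)
    for line in config_text.splitlines():
        kv = parse_line(line)
        if kv and kv[0] == "match":  # Match blocks are conditional, not global
            break
        if kv:
            seen.setdefault(*kv)
    return {k: seen.get(k, DEFAULTS[k]) for k in CHECKS}

def audit(config_text, options=""):
    """Map each reviewed directive to (effective value, passes assumed threshold)."""
    return {k: (v, CHECKS[k](v)) for k, v in effective(config_text, options).items()}

# Constructed sample sshd_config; OPTS is the OPTIONS value shown in the reply above.
SAMPLE = """#PermitRootLogin yes
PermitRootLogin no
StrictModes yes
MaxAuthTries 4
ClientAliveInterval 300
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""
OPTS = "-o PermitRootLogin=without-password"

if __name__ == "__main__":
    for key, (value, ok) in audit(SAMPLE, OPTS).items():
        print(f"{key:22} {value:18} {'ok' if ok else 'REVIEW'}")
```

Reviewing sshd_config alone would report root login as disabled here; the sysconfig override is what actually takes effect.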