#;
#; Quick and Dirty Guide to Hardening Redhat 8
#; -------------------------------------------
#;
#; The following guide should be used to configure basic host-level
#; security on a Redhat Linux 8.0 host. These configuration
#; recommendations meet our red, yellow, orange and green level
#; security classification requirements, and have been tested to work
#; with Redhat Linux on x86 for deployment on the DePaul network.
#; Other deployments may require modifications to this template.
#;
#; If you have any questions regarding this template, please feel free
#; to contact the DePaul University Information Security Team via
#; email at .
#;
#; The Information Security Team
#;

 1. Restrict administrative access to the machine to hosts on the
    DePaul network.

 2. Replace TELNET and FTP with SSH version 2.

 3. Change the shells of the following users to /sbin/nologin:

        sync, shutdown, news, rpm

 4. Where possible, disable portmap.

 5. Install qmail/postfix as a replacement for sendmail. Configure the
    MTA as a local forwarder only.

 6. Where possible, log syslog messages to a network log server.

 7. Remove the SUID bit from the following binaries:

        /usr/bin/chage
        /usr/bin/gpasswd
        /usr/bin/chfn
        /usr/bin/chsh
        /usr/bin/newgrp
        /usr/bin/at
        /usr/bin/rcp
        /usr/bin/rlogin
        /usr/bin/rsh
        /usr/libexec/openssh/ssh-keysign
        /usr/libexec/pt_chown
        /usr/sbin/ping6
        /usr/sbin/traceroute6
        /usr/sbin/usernetctl
        /usr/sbin/userhelper
        /usr/sbin/userisdnctl
        /usr/sbin/traceroute
        /bin/ping
        /bin/mount
        /bin/umount

 8. Remove the SGID bit from the following binaries:

        /usr/bin/wall
        /usr/bin/write
        /usr/bin/lockfile
        /usr/bin/slocate
        /usr/sbin/utempter
        /usr/sbin/gnome-pty-helper
        /usr/sbin/lockdev
        /usr/sbin/sendmail.sendmail
        /sbin/netreport

    Clearing these bits means unprivileged users can no longer run the
    affected programs (ping, mount/umount, chsh, chfn, at, and so on);
    on a server that is the intent. Package updates reinstall the
    vendor modes (rpm -V reports the difference as "M"), so repeat
    this step after patching (step 19).

 9. Where possible, remove the following packages (versions as shipped
    with Redhat Linux 8.0):
        yp-tools-2.7-3            aspell-0.33.7.1-16        finger-0.17-14
        fontconfig-2.0-3          wireless-tools-25-1       net-snmp-5.0.1-6
        ppp-2.4.1-7               mtr-0.49-7                kernel-pcmcia-cs-3.1.31-9
        audiofile-0.2.3-3         cyrus-sasl-md5-2.1.7-2    python-2.2.1-17
        libpng10-1.0.13-5         man-1.5j-11               vim-common-6.1-14
        redhat-menus-0.26-1       mouseconfig-4.26-1        tcpdump-3.6.3-3
        gmp-4.1-4                 dosfstools-2.8-3          htmlview-2.0.0-6
        minicom-2.00.0-6          stunnel-3.22-4            apmd-3.0.2-12
        ethtool-1.6-2             whois-1.0.10-4            pine-4.44-13
        eject-2.0.12-7            isdn4k-utils-3.1-58       mt-st-0.7-6
        wget-1.8.2-3              esound-0.2.28-1           openldap-2.0.25-1
        kbdconfig-1.9.16-1        at-3.1.8-31               procmail-3.22-7
        make-3.79.1-14            wvdial-1.53-7             timeconfig-3.2.9-1
        rdist-6.1.5-24            nfs-utils-1.0.1-2         dos2unix-3.1-12
        statserial-1.1-30         vim-minimal-6.1-14        freetype-2.1.2-7
        krbafs-1.1.1-6            lrzsz-0.12.20-14          nscd-2.2.93-5
        pspell-0.12.2-14          ypbind-1.11-2             gtk+-1.2.10-22
        gnupg-1.0.7-6             rsync-2.5.5-1             gpg-pubkey-db42a60e-37ea5438
        rdate-1.2-5

    Two entries deserve a second look before removal: gpg-pubkey-db42a60e-37ea5438
    is not a package but the Red Hat release signing key held in the RPM
    database, and without it rpm can no longer verify the signatures on
    vendor updates (step 19); python is needed by up2date and the
    redhat-config-* tools.

10. Disable the console mouse daemon (the gpm service).

11. Disable atd.

12. Remove the kerberos packages if not using kerberized authentication.

13. Add the following users to /etc/cron.deny and /etc/ftpusers, one
    per line:

        bin, daemon, adm, lp, sync, shutdown, halt, mail, news,
        uucp, operator, games, gopher, ftp, nobody, rpc, vcsa, nscd,
        sshd, rpm, mailnull, smmsp, rpcuser, nfsnobody, pcap

14. Configure syslog to keep all failed authentication messages (the
    authpriv facility) and all critical daemon messages (*.crit)
    locally for 12 months.

15. Add the logon banner found at the following URL to /etc/issue and
    /etc/issue.net. Remove the vendor/version strings from these files.
    Ensure SSH is configured to use /etc/issue.net as its logon banner
    (Banner /etc/issue.net in /etc/ssh/sshd_config). Note that
    /etc/rc.d/rc.local on Redhat Linux 8.0 rewrites /etc/issue and
    /etc/issue.net with the release and kernel version at every boot;
    comment out that block or the banner is lost on the next reboot.

16. chgrp wheel /usr/bin/sudo ; chmod 4110 /usr/bin/sudo

    Mode 4110 keeps sudo SUID root but lets only root and members of
    the group execute it. *OR* add a "sudo" group and substitute that
    group name for "wheel".

17. Use the following configuration in /etc/ntp.conf:

        server ntp1.depaul.edu
        server ntp2.depaul.edu
        server time.nist.gov
        server tick.usnogps.navy.mil
        authenticate no

18. Configure and install AIDE or Samhain for baseline file integrity
    checking.
    Ensure that the configuration file is on read-only media (floppy,
    CDROM, etc.). Give the baseline database the same protection: a
    database kept writable on the host it checks can be brought up to
    date by an intruder along with the files it describes.

19. Keep the host up-to-date by installing the latest patches. For
    automatic security alerts, join the INFOSEC Alerts mailing list by
    emailing .

#;
#; $Id: rhl8-hardening.txt,v 1.1.1.1 2003/09/25 19:23:57 epancer Exp $
#;
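Worked example, added here and not part of the DePaul template or the team's own tooling: a shell script that carries out the account and permission steps (items 3, 7, 8, 13 and 16 above) and checks the result. It defaults to a constructed scratch tree under TARGET_ROOT so it can be rehearsed without privileges; the passwd entries it creates there are constructed stand-ins for the RHL8 defaults. Setting TARGET_ROOT to the empty string runs it, as root, against the live /etc, /bin and /usr of the host.

```shell
#!/bin/bash
# Added example (not part of the DePaul template): applies the account and
# permission steps of items 3, 7, 8, 13 and 16 and verifies them. It rehearses
# against a constructed scratch tree by default so it can run unprivileged;
# run with TARGET_ROOT="" as root to apply it to a live RHL8 host.
set -u
TARGET_ROOT="${TARGET_ROOT-$(mktemp -d)}"

# Item 7 (SUID) and item 8 (SGID) lists, exactly as given in the template.
SUID_BINS="/usr/bin/chage /usr/bin/gpasswd /usr/bin/chfn /usr/bin/chsh
/usr/bin/newgrp /usr/bin/at /usr/bin/rcp /usr/bin/rlogin /usr/bin/rsh
/usr/libexec/openssh/ssh-keysign /usr/libexec/pt_chown /usr/sbin/ping6
/usr/sbin/traceroute6 /usr/sbin/usernetctl /usr/sbin/userhelper
/usr/sbin/userisdnctl /usr/sbin/traceroute /bin/ping /bin/mount /bin/umount"
SGID_BINS="/usr/bin/wall /usr/bin/write /usr/bin/lockfile /usr/bin/slocate
/usr/sbin/utempter /usr/sbin/gnome-pty-helper /usr/sbin/lockdev
/usr/sbin/sendmail.sendmail /sbin/netreport"
NOLOGIN_USERS="sync shutdown news rpm"                                  # item 3
DENY_USERS="bin daemon adm lp sync shutdown halt mail news uucp operator games
gopher ftp nobody rpc vcsa nscd sshd rpm mailnull smmsp rpcuser nfsnobody pcap"  # item 13

# Clear one set-id bit ("u-s" or "g-s") on every listed path that exists.
# Missing paths are skipped: the owning package may already be removed (item 9).
strip_bits() {
    local bit="$1" f
    shift
    for f in "$@"; do
        if [ -e "$TARGET_ROOT$f" ]; then chmod "$bit" "$TARGET_ROOT$f"; fi
    done
}

# Number of listed paths still carrying their bit; 0 means items 7 and 8 hold.
# Re-run after every package update: rpm reinstalls the vendor modes.
remaining_setid() {
    local n=0 f
    for f in $SUID_BINS; do if [ -u "$TARGET_ROOT$f" ]; then n=$((n + 1)); fi; done
    for f in $SGID_BINS; do if [ -g "$TARGET_ROOT$f" ]; then n=$((n + 1)); fi; done
    echo "$n"
}

# Item 3: point the listed accounts at /sbin/nologin by rewriting the shell
# field in place (same effect as "usermod -s /sbin/nologin USER" on a live host).
set_nologin_shells() {
    local passwd="$TARGET_ROOT/etc/passwd" tmp
    tmp=$(mktemp)
    awk -F: -v OFS=: -v users="$NOLOGIN_USERS" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        ($1 in want) { $7 = "/sbin/nologin" }
        { print }' "$passwd" > "$tmp" && cat "$tmp" > "$passwd"
    rm -f "$tmp"
}

# Item 13: one account per line in cron.deny and ftpusers.
write_deny_lists() {
    local f
    for f in /etc/cron.deny /etc/ftpusers; do
        printf '%s\n' $DENY_USERS > "$TARGET_ROOT$f"
    done
}

# Item 16: mode 4110 keeps sudo SUID root but lets only root and the named
# group execute it (no read or execute bit for "other").
restrict_sudo() {
    local group="${1:-wheel}" sudo="$TARGET_ROOT/usr/bin/sudo"
    chgrp "$group" "$sudo" 2>/dev/null || echo "warning: chgrp $group failed; run as root" >&2
    chmod 4110 "$sudo"
}

# Constructed stand-in for a fresh RHL8 install (scratch mode only).
build_scratch_tree() {
    local f
    for f in $SUID_BINS; do mkdir -p "$TARGET_ROOT${f%/*}"; : > "$TARGET_ROOT$f"; chmod 4755 "$TARGET_ROOT$f"; done
    for f in $SGID_BINS; do mkdir -p "$TARGET_ROOT${f%/*}"; : > "$TARGET_ROOT$f"; chmod 2755 "$TARGET_ROOT$f"; done
    mkdir -p "$TARGET_ROOT/etc" "$TARGET_ROOT/usr/bin"
    : > "$TARGET_ROOT/usr/bin/sudo"; chmod 4111 "$TARGET_ROOT/usr/bin/sudo"
    cat > "$TARGET_ROOT/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
news:x:9:13:news:/etc/news:
rpm:x:37:37::/var/lib/rpm:/bin/bash
EOF
}

if [ -n "$TARGET_ROOT" ]; then build_scratch_tree; echo "rehearsing under $TARGET_ROOT"; fi
strip_bits u-s $SUID_BINS
strip_bits g-s $SGID_BINS
set_nologin_shells
write_deny_lists
restrict_sudo wheel
echo "set-id bits remaining: $(remaining_setid)"
```

remaining_setid is the check to put in cron or to run after each round of patching (step 19): an update of util-linux, iputils or shadow-utils silently restores the SUID bits it ships, and rpm -V on those packages will then show them as unmodified.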
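Second worked example, again added here and not the DePaul team's code: the logging and banner steps (items 2, 6, 14 and 15 above) as a script, including a check that reads sshd_config the way sshd does. The log server name LOGHOST and the banner text BANNER_TEXT are assumptions (the template's URL for the banner is not on this page), and the sshd_config it creates in scratch mode is a constructed excerpt, not the vendor file. As before, TARGET_ROOT="" runs it against the live system as root.

```shell
#!/bin/bash
# Added example (not part of the DePaul template): applies the sshd, syslog
# and banner settings behind items 2, 6, 14 and 15, and checks sshd_config
# the way sshd itself reads it. Rehearses under a scratch tree by default;
# run with TARGET_ROOT="" as root to edit the live /etc of an RHL8 host.
set -u
TARGET_ROOT="${TARGET_ROOT-$(mktemp -d)}"
LOGHOST="${LOGHOST:-loghost.example.edu}"   # assumed name of the network log server
SSHD_CFG="$TARGET_ROOT/etc/ssh/sshd_config"
# Stand-in for the banner text at the (omitted) DePaul URL: no vendor or version.
BANNER_TEXT="${BANNER_TEXT:-Authorized use only. Activity may be monitored and reported.}"

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Effective value of an sshd_config keyword. sshd honours the FIRST occurrence
# of a keyword (case-insensitive), so a hardening line appended to the end of
# the file is silently ignored whenever the vendor file already sets it.
sshd_effective() {
    awk -v key="$(lc "$1")" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$SSHD_CFG"
}

# Set a keyword by rewriting the first line that carries it, commented
# ("#Protocol 2,1") or not, and appending only when it is absent, so the
# value written is the one sshd will use.
sshd_set() {
    local tmp
    tmp=$(mktemp)
    awk -v key="$(lc "$1")" -v line="$1 $2" '
        { k = tolower($1); sub(/^#+/, "", k) }
        !done && k == key { print line; done = 1; next }
        { print }
        END { if (!done) print line }' "$SSHD_CFG" > "$tmp" && cat "$tmp" > "$SSHD_CFG"
    rm -f "$tmp"
}

# Items 6 and 14: /var/log/secure already receives authpriv.* on RHL8; add a
# file for critical daemon messages, mirror both to the log server, and keep
# twelve monthly rotations locally.
write_logging() {
    mkdir -p "$TARGET_ROOT/etc/logrotate.d"
    cat >> "$TARGET_ROOT/etc/syslog.conf" <<EOF
# hardening: critical daemon messages locally, auth failures + crit to loghost
*.crit                                          /var/log/critical
authpriv.*;*.crit                               @$LOGHOST
EOF
    # /etc/logrotate.d/syslog already lists /var/log/secure (weekly, rotate 4);
    # remove it from there first, or logrotate rejects the duplicate entry.
    cat > "$TARGET_ROOT/etc/logrotate.d/hardening" <<'EOF'
/var/log/secure /var/log/critical {
    monthly
    rotate 12
    compress
    missingok
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
EOF
}

# Item 15: same banner for getty (/etc/issue) and sshd (/etc/issue.net).
write_banner() {
    printf '%s\n' "$BANNER_TEXT" > "$TARGET_ROOT/etc/issue"
    printf '%s\n' "$BANNER_TEXT" > "$TARGET_ROOT/etc/issue.net"
}

# Constructed stand-in for the vendor files (scratch mode only). The explicit
# "Protocol 2,1" line is there to show why appending "Protocol 2" would fail.
build_scratch_tree() {
    mkdir -p "$TARGET_ROOT/etc/ssh"
    cat > "$SSHD_CFG" <<'EOF'
# constructed sshd_config excerpt
Port 22
Protocol 2,1
#Banner /some/path
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
    printf 'Red Hat Linux release 8.0 (Psyche)\nKernel \\r on an \\m\n' > "$TARGET_ROOT/etc/issue"
    : > "$TARGET_ROOT/etc/syslog.conf"
}

if [ -n "$TARGET_ROOT" ]; then build_scratch_tree; echo "rehearsing under $TARGET_ROOT"; fi
sshd_set Protocol 2
sshd_set Banner /etc/issue.net
write_logging
write_banner
echo "sshd: Protocol=$(sshd_effective Protocol) Banner=$(sshd_effective Banner)"
```

The banner written here will not survive a reboot on an unmodified RHL8 host: /etc/rc.d/rc.local regenerates /etc/issue and /etc/issue.net from /etc/redhat-release and uname at every boot, so comment out that block of rc.local as part of step 15. Restart syslogd and sshd (service syslog restart; service sshd restart) after running the script on a live system.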