Security Basics mailing list archives

RHEL 5: security of a default install and hardening


From: "Erling Ringen Elvsrud" <erlingre () gmail com>
Date: Wed, 6 Feb 2008 10:00:01 +0100

Hello,

I have recently started to work with RHEL 5 and administration of RHEL
in general. At my current workplace they have used Bastille earlier to
harden RHEL 4 machines, but Bastille does not work properly on RHEL 5
(when run, it gives error messages about not being able to detect
which version of RH is installed; a new version was announced to be
released by the 14th of January, but is not published yet).

The servers I work with are not very accessible from the Internet, and
behind one or several firewalls.

I also have an internal hardening document to work from that describes
standard steps in the organization for hardening Linux and Unix
machines. Some of these steps are confusing and/or I doubt how much
impact they will have in terms of increasing the security.
For instance:

- "netstat and uucpd must be deactivated unless really needed". I can
understand that uucpd should be deactivated (where is it activated
anyway?), but netstat? It is really useful for debugging problems, and
if an intruder has a local shell available it should not be that
difficult to get a working netstat from outside anyway. Do you think
removing netstat, or removing its execute permissions for all users
(using a special group like wheel), will notably increase the security
of a system?

- "verify that the permissions of /etc/services are 600". Unless
customized, this file is public information available from IANA. Is it
really worth breaking standard Unix/Linux behaviour to alter the
permissions of this file?

Do you think a default install of RHEL 5 needs much customization to
be sufficiently secure for fairly normal tasks like application
servers as long as it is placed behind firewalls and the services
available from the internet are sufficiently.

Do you know any alternatives to Bastille that work with RHEL 5, or
what is happening with the Bastille project? It seems fairly slow
moving...

Thanks,

Erling

