Security Basics mailing list archives
RHEL 5: security of a default install and hardening
From: "Erling Ringen Elvsrud" <erlingre () gmail com>
Date: Wed, 6 Feb 2008 10:00:01 +0100
Hello,

I have recently started to work with RHEL 5 and administration of RHEL in general. At my current workplace they have used Bastille earlier to harden RHEL 4 machines, but Bastille does not work properly on RHEL 5 (when run, it gives error messages about not being able to detect which version of RH is installed; a new version was announced to be released by the 14th of January, but is not published yet).

The servers I work with are not very accessible from the Internet, and are behind one or several firewalls. I also have an internal hardening document to work from that describes standard steps in the organization for hardening Linux and Unix machines. Some of these steps are confusing and/or I doubt how much impact they will have in terms of increasing the security. For instance:

- "netstat and uucpd must be deactivated unless really needed". I can understand that uucpd should be deactivated (where is it activated anyway?), but netstat? It is really useful for debugging problems, and if an intruder has a local shell available it should not be that difficult to get a working netstat from outside anyway. Do you think removing netstat, or removing execute permissions on it for all users (using a special group like wheel), will increase the security of a system notably?

- "verify that the permissions of /etc/services are 600". Unless customized, this file is public information available from IANA. Is it really worth breaking standard Unix/Linux behaviour to alter the permissions of this file?

Do you think a default install of RHEL 5 needs much customization to be sufficiently secure for fairly normal tasks like application servers as long as it is placed behind firewalls and the services available from the internet are sufficiently.

Do you know any alternatives to Bastille that work with RHEL 5, or what is happening with the Bastille project? It seems fairly slow moving...

Thanks,
Erling