Firewall Wizards mailing list archives
Hardening a UNIX box HOWTO (Was Re: Hardening RH 7.2)
From: Carson Gaspar <carson () taltos org>
Date: Tue, 16 Jul 2002 17:26:09 -0400
--On Tuesday, July 16, 2002 2:26 PM -0400 Jon Czerwinski <joncz () mindspring com> wrote:

> Any recommended websites or documents detailing hardening a RedHat 7.2 server?
I've seen various forms of this question for a while. Here's the approach I take (and have some scripts that automate the process). It seems a lot more straightforward (and more draconian) than a lot of the docs I've read, and is much shorter ;-)
To harden a UNIX box:
- Install the OS (full install if you feel like it)
- Remove the setuid bit from all files
- Remove the setgid bit from all files
- Remove group writability from all files and directories
- Remove world writability from all files and directories
- Make all files and directories owned by root

Now this is where it starts to vary by platform:
- Disable all non-essential start scripts (or portions thereof, for the rc.local folks out there)
- Re-add permissions to the small number of files/dirs that actually need them. A good starting list (from Solaris - YMMV):

  World writable directories (all should be mode 1777):
    /tmp
    /var/tmp
    /var/preserve (if you use vi, and care)

  SetUID binaries (mode 4111 through 4755, depending on paranoia):
    su
    passwd
    pt_chmod (or equivalent helper binary, if your platform needs it)
    utmp_update (as above)

  Group writable directories (mostly mode 660, or 2660):
    /tmp/ps_data

  You also may want to create an "operator" group, to allow non-root users to run diagnostic tools. If so, you probably want to make the following setuid root (mode 4110 - mode 4750), group operator. If you have file system ACLs, you can make some of them setgid sys/mem/whatever instead, with an ACL enabling the operator group to execute them.
    netstat
    ping
    traceroute
    tcpdump
    prtconf
    top
    ps
    sysdef

- Reboot your machine
- You should now have a minimally functional system (console text login as root or as a non-root user)
- Run "netstat -na". You should see nothing listening (unless you left something enabled on purpose, such as sshd)

Now this part _really_ requires expertise:
- Enable each service you require, understanding the security requirements of each. E-mail can be particularly tricky, requiring world and/or group writable directories, and setuid and/or setgid binaries.
--
Carson
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
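The strip-everything steps and the re-add of the short allowlist from the post above, as an added shell example (this is not Carson's script). It takes the root of the tree to process as an argument; make_scratch_tree builds a constructed tree with paths modelled on the post's list so the functions can be exercised unprivileged, and the chown step only runs when you are root.

```shell
#!/bin/sh
# Added example, not Carson's script: the strip-everything steps from the post,
# then the re-add of the short allowlist, as functions taking the tree root.
# make_scratch_tree builds a constructed tree (paths modelled on the post) so
# the functions can be exercised unprivileged; on a real box the argument
# would be / and the chown step would run as root, right after a full install.

make_scratch_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/tmp" "$t/var/tmp" "$t/usr/bin" "$t/usr/sbin" "$t/etc"
    for f in usr/bin/su usr/bin/passwd usr/bin/ps usr/sbin/netstat etc/motd; do
        printf 'constructed stand-in for %s\n' "$f" > "$t/$f"
    done
    chmod 1777 "$t/tmp" "$t/var/tmp"                   # as a fresh install leaves them
    chmod 4755 "$t/usr/bin/su" "$t/usr/bin/passwd"      # setuid root binaries
    chmod 2755 "$t/usr/bin/ps"                          # setgid, as on many platforms
    chmod 777 "$t/usr/sbin/netstat"                     # deliberately sloppy
    chmod 664 "$t/etc/motd"                             # group writable
    printf '%s\n' "$t"
}

# Steps 2-6: drop setuid and setgid, then group and world write, then chown.
# -xdev keeps find on one filesystem; -type f skips symlinks and devices.
strip_perms() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} +
    find "$1" -xdev \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
        -exec chmod go-w {} +
    if [ "$(id -u)" -eq 0 ]; then
        find "$1" -xdev -exec chown root {} +
    else
        echo "strip_perms: not root, skipping chown to root" >&2
    fi
}

# Re-add only the post's allowlist: sticky 1777 on the scratch dirs and
# setuid su/passwd at 4111 (anyone may execute, only root may read).
readd_perms() {
    for d in tmp var/tmp; do
        if [ -d "$1/$d" ]; then chmod 1777 "$1/$d"; fi
    done
    for f in usr/bin/su usr/bin/passwd; do
        if [ -f "$1/$f" ]; then chmod 4111 "$1/$f"; fi
    done
}

# Audit helpers printing tree-relative paths, for the post-reboot check.
list_setuid()         { find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) | sed "s|^$1/||" | sort; }
list_world_writable() { find "$1" -xdev \( -type f -o -type d \) -perm -002 | sed "s|^$1/||" | sort; }
```

Run it on a live system only from the console as root, straight after the install: su and passwd lose their setuid bit in strip_perms and only get it back in readd_perms.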
Current thread:
- Hardening RH 7.2 Jon Czerwinski (Jul 16)
- Re: Hardening RH 7.2 Patrick Darden (Jul 16)
- Hardening a UNIX box HOWTO (Was Re: Hardening RH 7.2) Carson Gaspar (Jul 16)
- Re: Hardening a UNIX box HOWTO (Was Re: Hardening RH 7.2) Jason Guidry (Jul 19)