1 / 4

CIS 290 LINUX Security

CIS 290 LINUX Security. Basic OS Hardening Procedures. Physical security . Lock it up! BIOS Password Disable BIOS alternate boot devices Disable interactive boot: vi /etc/sysconfig/init PROMPT=no Password protected GRUB boot Console locking: yum install vlock, xlock

feng
Télécharger la présentation

CIS 290 LINUX Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CIS 290LINUX Security Basic OS Hardening Procedures

  2. Physical security • Lock it up! • BIOS Password • Disable BIOS alternate boot devices • Disable interactive boot: vi /etc/sysconfig/init PROMPT=no • Password protected GRUB boot • Console locking: yum install vlock, xlock • Lock desktop GUI, or no Xwindows at all. • Disable Ctrl/Alt/Del (procedure varies)

  3. Software maintenance • Install Red Hat GPG key from installation CD-ROM or DVD. rpm --import /mnt/cdrom/RPM-GPG-KEY • Display a list of all keys installed for RPM verification: rpm -qagpg-pubkey* • Display specific key: rpm -qi gpg-pubkey-db4 2a60e-37ea5438 • Verify package keys: rpm -K /root/updates/*.rpm • Automatic GPG signature verification enabled: under the [main] section of your /etc/yum.conf: gpgcheck=1 • Cleanup Yum Repositories. Only what you need. • Remove unneeded software. • Keep the OS up to date. NO AUTO UPDATES!! • Kernel compile options – tricky, hard work to get it right

  4. Filesystem security • Mount options (-o ): noexec (especially /tmp), nosetuid, nosuid, ro (!) • Encrypted File System (Dangerous), TruCrypt containers , encrypted hardrive (hardware, software) • Noowner Files find /dir -xdev \( -nouser -o -nogroup \) –print • World-Writable Files find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print • Disable Unwanted SUID and SGID Binaries #See all set user id files:find / -perm +4000# See all group id filesfind / -perm +2000# Or combine both in a single commandfind / \( -perm -4000 -o -perm -2000 \) -printfind / -path -prune -o -type f -perm +6000 –ls

More Related