Continuing along, following our first 3 posts on basic Linux and Unix installation security, even more security measures and user, group and account-based security, we're ready to move on to the next section. Today, we'll be focusing more specifically on locking down and/or removing existing software on your newly-installed system.
Again, I hope this series of posts is able to help out, if just a little bit, and I welcome any suggestions for improvement or expansion to include other OS's :)
See you tomorrow for the wrap-up!
OS Installation Guidelines, Part 3: Existing Software Modifications
1. chmod o-w /var/adm/utmp, /var/adm/wtmp, /var/adm/wtmpx, /var/adm/utmpx - any and/or all on Solaris. On RedHat, these files should be in /var/log. If only one of the four files exists, you're okay.
2. touch /var/adm/loginlog.
3. Add “/usr/lib/acct/accton /var/adm/pacct” to /etc/init.d/syslog, if possible considering the caveats in our previous posts. Again, this is only necessary on Solaris. The psacct RPM for RedHat should take care of this for you.
4. chmod 0 /usr/bin/at or /usr/sbin/at.
5. chmod 0 /usr/bin/finger or /usr/sbin/finger.
6. rm /etc/acct/holidays (If this generates errors, just create a file with one line, indicating what year it is).
7. chmod o-rwx /etc/security. On RedHat, or Solaris with PAM enabled, limit access to /etc/pam.d, as well, if possible.
IMPORTANT NOTE: For points 8 through 15, the file locations are general and your particular release of either Solaris or RedHat may place the binaries elsewhere, but you can generally find them in one of the directories we go through in these steps. It should also be noted that removing the pkg's or RPM's associated with these files should have, theoretically, removed them already, but I don't believe in things working the way they should (a hazard of my profession ;) Obviously, if you're using lp or CUPS, you won't want to delete any of the print commands. For all of these steps, my recommendation is to always ask if you're unsure. If I started a new job and removed all the NIS commands on a box and then found out that's what they used for their directory service... ouch!
8. In /usr/bin, rm if necessary and possible (ask first, if unsure):
rsh <--- The remote shell as opposed to restricted sh!
9. In /etc, rm if possible (ask first, if unsure):
10. In /usr/lib, rm if possible (ask first, if unsure):
11. In /usr/sbin, rm if possible (ask first, if unsure):
12. For /usr/sbin/in.*, remove all except the following files, if possible (ask first, if unsure):
13. In /usr/sbin/static (on Solaris only), rm if possible (ask first, if unsure):
14. In /usr/ucb (also only on Solaris), rm if possible (ask first, if unsure):
15. In /var, rm if possible (ask first, if unsure):
16. Comment out all of /etc/rpc except the rpcbind line. NOTE: If using Solstice Disk Suite (Volume Manager) software, do not comment out the following lines (on Solaris 9 leave all lines uncommented near the bottom of the file, beginning with the line for metad and ending with the last line of the file). As always, be sure not to comment out any services you really need:
17. chmod -R 0, if possible, /usr/openwin/bin/* on Solaris and /usr/X11R6 on RedHat.
18. chmod -R 0, if possible, /usr/dt/bin/* on Solaris. On RedHat, X-Windows binaries may live in many additional locations. Check out the man pages for your system and for Gnome, KDE, etc., to be sure that you're disabling all access to the GUI.
19. All device files should have good permissions at first. Do not change them unless it's really necessary or you're looking to do enhanced network security of the order we went over in an older post on securing all network programs at once using extended ACL's. That goes a bit beyond the scope of this series ;)
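As an added example (not from the original post), here is a small sh helper that audits and applies the permission steps from items 1, 4 and 5 above. It assumes a root prefix argument ("/" on a live box, a scratch directory for a dry run) so the logic can be tried safely before it touches real accounting logs or binaries.

```shell
#!/bin/sh
# Added example, not from the original post. ROOT is an assumed prefix
# ("/" on a live system, a scratch directory for a dry run).

# Item 1: strip world-write from whichever of the login accounting files
# exist under /var/adm (Solaris) or /var/log (RedHat). Prints each file changed.
fix_accounting_logs() {
    root=${1%/}
    for dir in /var/adm /var/log; do
        for name in utmp wtmp utmpx wtmpx; do
            f="$root$dir/$name"
            [ -f "$f" ] || continue
            # find on a single regular file tests only that file;
            # -perm -002 matches when the other-write bit is set
            if [ -n "$(find "$f" -perm -002)" ]; then
                chmod o-w "$f" && printf '%s\n' "$f"
            fi
        done
    done
}

# Items 4 and 5: list any at/finger binary whose mode is not yet 0,
# i.e. one the "chmod 0" step has not been applied to. Reports only.
list_unlocked_bins() {
    root=${1%/}
    for dir in /usr/bin /usr/sbin; do
        for name in at finger; do
            f="$root$dir/$name"
            [ -f "$f" ] || continue
            # "! -perm 0" is true unless the mode is exactly 000
            if [ -n "$(find "$f" ! -perm 0)" ]; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# Stand-alone use: AUDIT_ROOT=/ sh audit_perms.sh (run as root to make changes)
if [ -n "${AUDIT_ROOT:-}" ]; then
    fix_accounting_logs "$AUDIT_ROOT"
    list_unlocked_bins "$AUDIT_ROOT"
fi
```

Point AUDIT_ROOT at a copy of the directory tree first; the second function only reports, so it is safe to run repeatedly to confirm the lockdown held after package updates.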
to be continued...
Sunday, June 22, 2008