
The following tips assume that the reader is starting with a default installation of Red Hat Enterprise Linux 5. This high-impact guidance can be applied quickly, but is by no means complete. For more complete guidance, please see our other publication, “Guide to the Secure Configuration of Red Hat Enterprise Linux 5,” which can be found online at http://www.nsa.gov. These tips may or may not translate gracefully for other Linux distributions or modified installations of RHEL.

General Principles

• Encrypt all data transmitted over the network. Encrypting authentication information (such as passwords) is particularly important.
• Minimize the amount of software installed and running in order to minimize vulnerability.
• Use security-enhancing software and tools whenever available (e.g., SELinux and Iptables).
• Run each network service on a separate server whenever possible. This minimizes the risk that a compromise of one service could lead to a compromise of others.
• Maintain user accounts. Create a good password policy and enforce its use. Delete unused user accounts.
• Review system and application logs on a routine basis. Send logs to a dedicated log server. This prevents intruders from easily avoiding detection by modifying the local logs.
• Never log in directly as root, unless absolutely necessary. Administrators should use sudo to execute commands as root when required. The accounts capable of using sudo are specified in /etc/sudoers, which is edited with the visudo utility. By default, relevant logs are written to /var/log/secure.

Disk Partitions and Mounting

During initial installation, ensure that filesystems with user-writeable directories such as the following are mounted on separate partitions: /home, /tmp, /var/tmp.

During system configuration, change mount options in /etc/fstab to limit user access on appropriate filesystems. The defaults option is equal to rw,suid,dev,exec,auto,nouser,async. Using noexec instead prevents execution of binaries on a file system (though it will not prevent scripts from running). Using nosuid will prevent the setuid bit from having effect. The nodev option prevents use of device files on the filesystem.

Physical Security

Configure the BIOS to disable booting from CDs/DVDs, floppies, and external devices, and set a password to protect these settings.

Next, set a password for the GRUB bootloader. Generate a password hash using the command /sbin/grub-md5-crypt. Add the hash to the first line of /etc/grub.conf as follows:

password --md5 passwordhash

This prevents users from entering single user mode or changing settings at boot time.

Keep Software Up to Date

Either download updates manually through the Red Hat Network (http://rhn.redhat.com) or register each system with RHN to apply updates automatically. Security updates should be applied as soon as possible.

The default version of yum-updatesd does not function reliably. A better solution is to apply updates through a cron job. First, disable the service with:

/sbin/chkconfig yum-updatesd off

Second, create the file yum.cron, make it executable, place it in /etc/cron.daily or /etc/cron.weekly, and ensure that it reads as follows:

#!/bin/sh
/usr/bin/yum -R 120 -e 0 -d 0 -y update yum
/usr/bin/yum -R 10 -e 0 -d 0 -y update

Disable Unnecessary Services

To list the services configured to start at boot, run the following command:

/sbin/chkconfig --list

Find the column for the current run level to see which services are enabled. The default run level is 5. To disable a service, run the following command:

/sbin/chkconfig servicename off

Unless they are required, disable the following:

anacron        haldaemon      messagebus
apmd           hidd           microcode_ctl
autofs*        hplip*         pcscd
avahi-daemon*  isdn           readahead_early
bluetooth      kdump          readahead_later
cups*          kudzu          rhnsd*
firstboot      mcstrans       setroubleshoot
gpm            mdmonitor      xfs

Items marked with a * are network services. It is particularly important to disable these. Additionally, the following services can be safely disabled if NFS is not in use: netfs, nfslock, portmap, rpcgssd, and rpcidmapd. Some software relies on haldaemon and messagebus, so care should be taken when disabling them. Changes will take effect after a reboot.

Disable SUID and SGID Binaries

To find SUID and SGID files on the system, use the following command:

find / \( -perm -4000 -o -perm -2000 \) -print

The following files can have their SUID or SGID bits safely disabled (using chmod -s filename) unless required for the purpose listed in the second column:

File:                              Required For:
/bin/ping6                         IPv6
/sbin/mount.nfs                    NFS
/sbin/mount.nfs4                   NFS
/sbin/netreport                    network control
/sbin/umount.nfs                   NFS
/sbin/umount.nfs4                  NFS
/usr/bin/chage                     passwd
/usr/bin/chfn                      account info
/usr/bin/chsh                      account info
/usr/bin/crontab                   cron
/usr/bin/lockfile                  Procmail
/usr/bin/rcp                       rsh
/usr/bin/rlogin                    rsh
/usr/bin/rsh                       rsh
/usr/bin/wall                      console messaging
/usr/bin/write                     console messaging
/usr/bin/Xorg                      Xorg
/usr/kerberos/bin/ksu              Kerberos
/usr/libexec/openssh/ssh-keysign   SSH host-based authentication
/usr/lib/vte/gnome-pty-helper      Gnome, Xorg
/usr/sbin/ccreds_validate          Pam auth caching
/usr/sbin/suexec                   Apache, CGI
/usr/sbin/userisdnctl              ISDN
/usr/sbin/usernetctl               network control

To see which RPM package each file belongs to, run rpm -qf filename. If the package is not necessary, remove it with rpm -e packagename. Precise control over the packages installed during initial system installation can be achieved using a Kickstart file.
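As an added example (not part of the NSA pamphlet), the shell script below checks an /etc/fstab against the mount-option guidance in "Disk Partitions and Mounting" above: it expands defaults exactly as the pamphlet defines it and reports, for /home, /tmp and /var/tmp, whether each is a separate filesystem and which of nodev, nosuid and noexec it lacks. The fstab contents are constructed sample data.

```shell
# Added example, not part of the NSA pamphlet: audit an fstab for the mount
# options recommended under "Disk Partitions and Mounting". The fstab below
# is constructed for this demonstration.
SAMPLE_FSTAB='
# device        mountpoint  type  options                dump pass
LABEL=/         /           ext3  defaults               1 1
LABEL=/home     /home       ext3  defaults,nosuid,nodev  1 2
LABEL=/tmp      /tmp        ext3  defaults               1 2
LABEL=/var/tmp  /var/tmp    ext3  nodev,nosuid,noexec    1 2
'

# expand_options LIST: spell out "defaults" as the options the pamphlet says it
# stands for (rw,suid,dev,exec,auto,nouser,async), so a line that relies on
# defaults is visibly carrying suid, dev and exec.
expand_options() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^defaults$/rw,suid,dev,exec,auto,nouser,async/' \
        | paste -s -d ',' -
}

# has_option LIST OPTION: succeeds when OPTION is in the comma-separated LIST.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab FSTAB_CONTENTS: for each user-writeable directory the pamphlet
# names, report whether it is a separate filesystem and which of nodev,
# nosuid and noexec its mount options lack. One finding per line.
audit_fstab() {
    for mp in /home /tmp /var/tmp; do
        # fstab fields: device, mountpoint, type, options, dump, pass
        opts=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
            | awk -v mp="$mp" '$2 == mp { print $4 }')
        if [ -z "$opts" ]; then
            echo "$mp: not a separate filesystem"
            continue
        fi
        opts=$(expand_options "$opts")
        missing=""
        for want in nodev nosuid noexec; do
            has_option "$opts" "$want" || missing="$missing $want"
        done
        [ -n "$missing" ] && echo "$mp: missing$missing" || echo "$mp: ok"
    done
}

audit_fstab "$SAMPLE_FSTAB"
```

Point audit_fstab at "$(cat /etc/fstab)" to check a real system; a mountpoint that appears only through defaults is reported with all three options missing.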
Remove X Windows

A server will not typically need X Windows to provide its services, so remove it if possible:

yum groupremove "X Window System"

Installation of X Windows can also be completely prevented during initial system installation.

Configure and Use Iptables and TCP Wrapper

The Iptables firewall should be configured to allow only necessary network communications. For workstations, this may entail blocking all incoming communications, except for those related to connections the system initiated. If Iptables is currently running, view the current firewall policy with the following command:

/sbin/iptables -L

By default, the output should correspond to rules stored in the file /etc/sysconfig/iptables. Understand and edit these rules, removing any lines that allow unnecessary communications. To activate the updated rules, restart the service.

Also configure the TCP Wrapper library to protect network daemons that support its use by adding appropriate rules to /etc/hosts.allow and /etc/hosts.deny.

Configure and Use SELinux

The default SELinux policy, called targeted, provides protection against compromised or misconfigured system services. This policy should not interfere with normal system operation. Ensure that /etc/selinux/config includes the following lines:

SELINUX=enforcing
SELINUXTYPE=targeted

Stronger policies such as strict and mls can be used if appropriate. However, these require customization to operate successfully for many general-purpose usage scenarios.

Set Kernel Parameters

At boot, the system reads and applies a set of kernel parameters from /etc/sysctl.conf. Add the following lines to that file to prevent certain kinds of attacks:

net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
kernel.exec-shield=1
kernel.randomize_va_space=1

For more possible parameters, including settings for IPv6, please see our complete guide.

NTP

For most systems, the ntpd service introduces unnecessary overhead. Instead, call its update utility, ntpdate, directly through a cron job. Create the file /etc/cron.d/ntpdate with the following line:

15 * * * * root /usr/sbin/ntpdate server

Substitute an appropriate NTP server for server. Hosts on a network should synchronize their time from a local NTP server, and then only this local NTP server should acquire the time from an external, trusted source.

Configure or Disable SSH

SSH is often required, but if it is not, disable it:

/sbin/chkconfig sshd off

If SSH is required, ensure the SSH configuration file /etc/ssh/sshd_config includes the following lines:

PermitRootLogin no
Protocol 2

If possible, limit SSH access to a subset of users. Create a group called sshusers and only add the users that need remote access. Then, add the following line to /etc/ssh/sshd_config:

AllowGroups sshusers

Restart the service so that these changes take effect.

Disable IPv6

Unless your policy or network configuration requires it, disable IPv6. To do so, prevent the kernel module from loading by adding the following line to /etc/modprobe.conf:

install ipv6 /bin/true

Next, add or change the following lines in /etc/sysconfig/network:

NETWORKING_IPV6=no
IPV6INIT=no

Hardening Tips for Default Installation of Red Hat Enterprise Linux 5
Systems and Network Analysis Center
National Security Agency
9800 Savage Rd.
Ft. Meade, MD 20755
http://www.nsa.gov
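Added example, not part of the pamphlet: a shell checker for the directive requirements in the SELinux, Set Kernel Parameters, Configure or Disable SSH and Disable IPv6 sections above. It takes file contents plus an expected key/value list, understands both the KEY=value syntax of /etc/selinux/config, /etc/sysctl.conf and /etc/sysconfig/network and the "Key value" syntax of /etc/ssh/sshd_config, and flags keys that are missing, set to a different value, or set to conflicting values; the sshd_config and sysctl.conf contents are constructed samples.

```shell
# Added example, not part of the NSA pamphlet: verify that a configuration
# file sets the directives the pamphlet requires, in either "KEY=value" or
# "Key value" syntax. The sample file contents below are constructed.
SAMPLE_SSHD_CONFIG='
#PermitRootLogin yes
PermitRootLogin no
Protocol 2,1
'
SSHD_EXPECTED='PermitRootLogin no
Protocol 2
AllowGroups sshusers'
SAMPLE_SYSCTL_CONF='
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.exec-shield = 1
kernel.randomize_va_space = 0
kernel.randomize_va_space = 1
'
SYSCTL_EXPECTED='net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_messages 1
kernel.exec-shield 1
kernel.randomize_va_space 1'
# check_directives FILE_CONTENTS EXPECTED: EXPECTED holds "key value" pairs,
# one per line. Prints one sorted finding per key: ok, missing, wrong (only a
# different value is set) or conflict (the expected value and a different one
# both appear; which wins depends on the parser, so report it as a finding).
check_directives() {
    printf '%s\n' "$1" | awk -v expected="$2" '
    BEGIN { n = split(expected, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] } }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }         # skip comments and blank lines
    {
        sub(/^[[:space:]]+/, ""); gsub(/[[:space:]]*=[[:space:]]*/, " ")   # KEY = value -> KEY value
        split($0, f, /[[:space:]]+/); k = f[1]; v = f[2]
        if (!(k in want)) next
        if (v == want[k]) ok[k] = 1; else other[k] = v
    }
    END {
        for (k in want) {
            if ((k in ok) && (k in other)) printf "conflict %s (also set to %s)\n", k, other[k]
            else if (k in ok)              printf "ok %s\n", k
            else if (k in other)           printf "wrong %s=%s (want %s)\n", k, other[k], want[k]
            else                           printf "missing %s (want %s)\n", k, want[k]
        }
    }' | LC_ALL=C sort
}
```

Run it as check_directives "$(cat /etc/sysctl.conf)" "$SYSCTL_EXPECTED" on a real system; the sample sshd_config yields a missing AllowGroups and a wrong Protocol, and the sample sysctl.conf a conflict on kernel.randomize_va_space.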
