Sr.No. | Security Feature | How to implement

1. SU
   1. Add the username as a member of the wheel group in the /etc/group file for each user to whom su access is to be allowed.
   2. Remove the hash from the line "#auth required pam_wheel.so use_uid" in the /etc/pam.d/su file.

2. SUDO
   1. Edit the /etc/sudoers file with the visudo command.
   2. By default, sudo stores the sudoer's password for a five minute timeout period. Any subsequent uses of the command during this period will not prompt the user for a password. This could be exploited by an attacker if the user leaves his workstation unattended and unlocked while still being logged in. This behavior can be changed by adding the following line to the /etc/sudoers file:
      Defaults timestamp_timeout=<value>
      where <value> is the desired timeout length in minutes. Setting the <value> to 0 causes sudo to require a password every time.
   3. Each successful authentication using sudo is logged to the file /var/log/messages, and the command issued along with the issuer's username is logged to the file /var/log/secure. Should you require additional logging, use the pam_tty_audit module to enable TTY auditing for specified users by adding the following line to the relevant file under /etc/pam.d/:
      session required pam_tty_audit.so disable=<pattern> enable=<pattern>
      where pattern represents a comma-separated listing of users with an optional use of globs. For example, the following configuration will enable TTY auditing for the root user and disable it for all other users:
      session required pam_tty_audit.so disable=* enable=root
   4. To give someone full administrative privileges, type visudo and add a line similar to the following in the user privilege specification section:
      juan ALL=(ALL) ALL
      This example states that the user juan can use sudo from any host and execute any command.
   5. The example below illustrates the granularity possible when configuring sudo:
      %users localhost=/sbin/shutdown -h now
      This example states that any user can issue the command /sbin/shutdown -h now as long as it is issued from the console.

3. Disable services
   chkconfig telnet off / chkconfig rsh off / chkconfig rlogin off / chkconfig vsftpd off

4. Key-based authentication
   Open the /etc/ssh/sshd_config configuration file in a text editor such as vi or nano, and change the PasswordAuthentication option as follows:
   PasswordAuthentication no

5. BIOS and Boot loader security
   To do this, first choose a strong password, open a shell, log in as root, and then type the following command:
   /sbin/grub-md5-crypt
   When prompted, type the GRUB password and press Enter. This returns an MD5 hash of the password.
   Next, edit the GRUB configuration file /boot/grub/grub.conf. Open the file and, below the timeout line in the main section of the document, add the following line:
   password --md5 <password-hash>
   Replace <password-hash> with the value returned by /sbin/grub-md5-crypt.
   Unfortunately, this solution does not prevent an attacker from booting into an insecure operating system in a dual-boot environment. For this, a different part of the /boot/grub/grub.conf file must be edited. Look for the title line of the operating system that you want to secure, and add a line with the lock directive immediately beneath it.
   For a DOS system, the stanza should begin similar to the following:
   title DOS
   lock
   A password line must be present in the main section of the /boot/grub/grub.conf file for this method to work properly. Otherwise, an attacker can access the GRUB editor interface and remove the lock line.
   To create a different password for a particular kernel or operating system, add a lock line to the stanza, followed by a password line. Each stanza protected with a unique password should begin with lines similar to the following example:
   title DOS
   lock
   password --md5 <password-hash>

6. Disabling Interactive Startup
   To prevent users from starting up the system interactively, as root, disable the PROMPT parameter in the /etc/sysconfig/init file:
   PROMPT=no

7. Password security / 8. Password ageing
   There are two primary programs used to specify password aging under Red Hat Enterprise Linux: the chage command or the graphical User Manager. Shadow passwords must be enabled to use the chage command.
   The -M option of the chage command specifies the maximum number of days the password is valid. For example, to set a user's password to expire in 90 days:
   chage -M 90 <username>
   (To disable password expiration, it is traditional to use a value of 99999 after the -M option; this equates to a little over 273 years.)
   Use the following command to enter interactive mode:
   chage <username>
   Force immediate password expiration by running the following command as root:
   chage -d 0 <username>

   Option   Description
   -d days  Specifies the number of days since January 1, 1970 the password was changed.
   -E date  Specifies the date on which the account is locked, in the format YYYYMMDD. Instead of the date, the number of days since January 1, 1970 can also be used.
   -I days  Specifies the number of inactive days after the password expiration before locking the account. If the value is 0, the account is not locked after the password expires.
   -l       Lists current account aging settings.
   -m days  Specifies the minimum number of days after which the user must change passwords. If the value is 0, the password does not expire.
   -M days  Specifies the maximum number of days for which the password is valid. When the number of days specified by this option plus the number of days specified with the -d option is less than the current day, the user must change passwords before using the account.
   -W days  Specifies the number of days before the password expiration date to warn the user.

   You can also use the graphical User Manager application to create password aging policies, as follows. Note: you need Administrator privileges to perform these steps.
   1. Click the System menu on the Panel, point to Administration and then click Users and Groups to display the User Manager. Alternatively, type the command system-config-users at a shell prompt.
   2. Click the Users tab, and select the required user in the list of users.
   3. Click Properties on the toolbar to display the User Properties dialog box (or choose Properties on the File menu).
   4. Click the Password Info tab, and select the check box for Enable password expiration.
   5. Enter the required value in the Days before change required field, and click OK.

9. Disallowing Root Access
   To prevent users from logging in directly as root, the system administrator can set the root account's shell to /sbin/nologin in the /etc/passwd file.
   To prevent root logins via the SSH protocol, edit the SSH daemon's configuration file, /etc/ssh/sshd_config, and change the line that reads PermitRootLogin.

10. Enabling automatic logouts
   Make sure the screen package is installed. You can do so by running the following command as root: yum install screen, or check with rpm -qa | grep -i screen.
   As root, add the following line at the beginning of the /etc/profile file to make sure the processing of this file cannot be interrupted: trap "" 1 2 3 15
   Add the following lines at the end of the /etc/profile file to start a screen session each time a user logs in to a virtual console or remotely:
   SCREENEXEC="screen"
   if [ -w $(tty) ]; then
   trap "exec $SCREENEXEC" 1 2 3 15
   echo -n 'Starting session in 10 seconds'
   sleep 10
   exec $SCREENEXEC
   fi

   Note that each time a new session starts, a message will be displayed and the user will have to wait ten seconds. To adjust the time to wait before starting the session, change the value after the sleep command.

   Add the following lines to the /etc/screenrc configuration file to close the screen session after a given period of inactivity:
   idle 120 quit
   autodetach off
   Alternatively, you can configure the system to only lock the session by using the following lines instead:
   idle 120 lockscreen
   autodetach off
   This way, a password will be required to unlock the session. The changes take effect the next time a user logs in to the system.

11. Limiting Root Access
   Via SU or SUDO configuration (see 1 and 2 above).

12.
   # Turn on the tcp_sack
   net.ipv4.tcp_sack = 1
   # tcp_fack should be on because of sack
   net.ipv4.tcp_fack = 1
   # Turn on the tcp_timestamps
   net.ipv4.tcp_timestamps = 1
   # Enable TCP SYN Cookie Protection
   net.ipv4.tcp_syncookies = 1
   # Enable ignoring broadcasts request
   net.ipv4.icmp_echo_ignore_broadcasts = 1
   # Disable ICMP Redirect Acceptance
   net.ipv4.conf.all.accept_redirects = 0
   # Enable bad error message Protection
   net.ipv4.icmp_ignore_bogus_error_responses = 1
   # Don't Log Spoofed Packets, Source Routed Packets, Redirect Packets
   net.ipv4.conf.all.log_martians = 0
   # Make more local ports available
   net.ipv4.ip_local_port_range = 1024 65000
   # Increase maximum amount of memory allocated to shm
   kernel.shmmax = 1073741824
   # Improve file system performance
   vm.bdflush = 100 1200 128 512 15 5000 500 1884 2
   # This will increase the amount of memory available for socket input/output queues
   net.ipv4.tcp_rmem = 4096 25165824 25165824
   net.core.rmem_max = 25165824
   net.core.rmem_default = 25165824
   net.ipv4.tcp_wmem = 4096 65536 25165824
   net.core.wmem_max = 25165824
   net.core.wmem_default = 65536
   net.core.optmem_max = 25165824
   # If you are feeling daring, you can also use these settings below, otherwise just remove them. (Should increase performance)
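An added audit script, not part of the original sheet, that checks four of the settings above (PasswordAuthentication and PermitRootLogin in sshd_config, Defaults timestamp_timeout in sudoers, PROMPT in /etc/sysconfig/init, and root's shell in /etc/passwd) against config files passed in by path, so it can be pointed at a live host or at copies. It assumes PermitRootLogin no as the hardened value (the sheet's line is truncated), the function names are its own, and the sample files it creates are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: audits some of the settings
# above against config files passed in by path (sshd_config, sudoers,
# /etc/sysconfig/init, passwd). Sample files from make_samples are constructed.

# First uncommented occurrence wins, matching sshd's own rule (keywords are
# case-insensitive); prints nothing when the keyword is absent.
sshd_value() {  # $1=file $2=keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Assumed hardened values: PasswordAuthentication no and PermitRootLogin no
# (the sheet truncates that line). An absent keyword means sshd's default, yes.
check_sshd() {  # $1=sshd_config
    [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ]
}

# Last "Defaults ... timestamp_timeout=N" wins; unset means sudo's default of 5.
sudo_timeout() {  # $1=sudoers
    awk '$1 ~ /^Defaults/ && match($0, /timestamp_timeout=-?[0-9]+/) {
             v = substr($0, RSTART + 18, RLENGTH - 18) }
         END { print (v == "" ? 5 : v) }' "$1"
}

# 0 makes sudo ask for a password on every use, as the sheet recommends.
check_sudo() {  # $1=sudoers
    [ "$(sudo_timeout "$1")" -eq 0 ]
}

# Interactive startup is disabled only when PROMPT=no is set.
check_init_prompt() {  # $1=/etc/sysconfig/init
    grep -q '^[[:space:]]*PROMPT=no[[:space:]]*$' "$1"
}

# Direct root logins are blocked when root's shell is /sbin/nologin.
root_shell() {  # $1=passwd
    awk -F: '$1 == "root" { print $7; exit }' "$1"
}
check_root_shell() {  # $1=passwd
    [ "$(root_shell "$1")" = "/sbin/nologin" ]
}

# Runs all four checks on files named sshd_config, sudoers, init and passwd in
# one directory; prints PASS/FAIL per check and returns the failure count.
audit_dir() {  # $1=directory
    dir=$1; fails=0
    for c in "check_sshd sshd_config" "check_sudo sudoers" \
             "check_init_prompt init" "check_root_shell passwd"; do
        set -- $c
        if "$1" "$dir/$2"; then echo "PASS $1 ($2)"
        else echo "FAIL $1 ($2)"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Constructed sample files (not copied from any real host) for an offline run.
make_samples() {  # $1=target directory
    mkdir -p "$1/weak" "$1/hardened"
    printf '#PermitRootLogin yes\nPasswordAuthentication yes\n' > "$1/weak/sshd_config"
    printf 'PasswordAuthentication no\nPermitRootLogin no\n' > "$1/hardened/sshd_config"
    printf 'root ALL=(ALL) ALL\n' > "$1/weak/sudoers"
    printf 'Defaults timestamp_timeout=0\nroot ALL=(ALL) ALL\n' > "$1/hardened/sudoers"
    printf 'PROMPT=yes\n' > "$1/weak/init"
    printf 'PROMPT=no\n' > "$1/hardened/init"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$1/weak/passwd"
    printf 'root:x:0:0:root:/root:/sbin/nologin\n' > "$1/hardened/passwd"
}

tmp=$(mktemp -d) && make_samples "$tmp"
for s in weak hardened; do
    echo "== $s sample =="; audit_dir "$tmp/$s" || echo "failed checks: $?"
done
rm -rf "$tmp"
```

On a real host, copy the four files into one directory under the names the script expects and run audit_dir on it; the exit status is the number of weak settings found.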

Linux commands

Command | Use

dmidecode
   To show system information.
rhn_register
   To register the system to the RHN.
yum update package_name
   To update a specific package.
yum update
   To update all packages.
yum list installed
   To list all installed packages on the system.
yum list all
   To list all installed and available packages.
yum install package_name
   To install a specific package.
yum groupinstall groupname or groupid / yum install @group
   To install a package group by passing its full group name or groupid.
yum remove package_name
   To remove a specific package.
yum groupremove groupname
   To remove a package group.
yum grouplist
   To list all package groups.
yum repolist
   To list the repository ID, name, and number of packages it provides for each enabled repository.
yum info package_name
   To display information about one or more packages.
yum history or yum history list
   To display a list of the twenty most recent transactions, as root.
yum history list all
   To display all transactions.
yum history summary
   To display a summary of all past transactions.
yum history info id
   To examine a particular transaction or transactions in more detail.
yum history addon-info id
   To display additional information for a certain transaction.
yum -q history addon-info id saved_tx > file_name
   To store the transaction details to a file, type this at a shell prompt as root.
yum load-transaction file_name
   Once you copy this file to the target system, you can repeat the transaction by using this command.
yum history
   To check the last updated/installed history with time stamp and ID.
yum history rollback/undo/redo <ID>
   Rolls back the previously installed or updated rpms by using the ID.
yum history new
   To start a new transaction history. This will create a new, empty database file in the /var/lib/yum/history directory. The old transaction history will be kept, but will not be accessible as long as a newer database file is present in the directory.
/var/log/yum.log
   Yum log file.
ntsysv
   To configure which services are to be started in selected runlevels.
chkconfig
   To specify in which runlevel to start a selected service, as well as to list all available services along with their settings.
ip route add X.X.X.X
   To add a static route (host specific).
ip route add X.X.X.X/Y
   To add a static route to a network, where X.X.X.X is the IP address of the network in dotted decimal notation and Y is the network prefix. The network prefix is the number of enabled bits in the subnet mask.
Entries in the route-eth0 file
   Static route configuration is stored per-interface in a /etc/sysconfig/network-scripts/route-interface file. For example, static routes for the eth0 interface would be stored in the /etc/sysconfig/network-scripts/route-eth0 file. The route-interface file has two formats: IP command arguments and network/netmask directives.
   Global default gateway configuration is stored in the /etc/sysconfig/network file. This file specifies gateway information for all network interfaces.
   This is a sample route-eth0 file using the IP command arguments format. The default gateway is 192.168.0.1 on interface eth0. The two static routes are for the 10.10.10.0/24 and 172.16.1.0/24 networks:
   default via 192.168.0.1 dev eth0
   10.10.10.0/24 via 192.168.0.1 dev eth0
   172.16.1.0/24 via 192.168.0.1 dev eth0
   This is a sample route-eth0 file using the Network/Netmask Directives format for permanent route entries in the route-interface file:
   ADDRESS0=10.10.10.0
   NETMASK0=255.255.255.0
   GATEWAY0=192.168.0.1
   ADDRESS1=172.16.1.0
   NETMASK1=255.255.255.0
   GATEWAY1=192.168.0.1
ifup / ifdown
   To bring an interface up / down.
runlevel
   To check in which runlevel you are operating.
pvs, pvdisplay, pvscan
   To display properties of LVM physical volumes.
lvmdiskscan
   To scan for block devices that may be used as physical volumes.
pvchange -x n /dev/sdk1
   This command disallows the allocation of physical extents on /dev/sdk1.
pvchange -x y /dev/sdk1
   This command allows the allocation of physical extents on /dev/sdk1 which has been previously disallowed.
pvresize
   To update LVM with the new size after the size of an underlying block device has been changed for any reason.
pvremove
   If a device is no longer required for use by LVM, you can remove the LVM label.
vgs
   To check whether an existing volume group is a clustered volume group.
vgchange -l 128 vg00
   Changes the maximum number of logical volumes of volume group vg00 to 128.
lvchange
   You can deactivate individual logical volumes.
vgsplit
   To split the physical volumes of a volume group and create a new volume group, use the vgsplit command.
vgsplit bigvg smallvg /dev/ram15
   The example splits off the new volume group smallvg from the original volume group bigvg.
vgmerge -v databases my_vg
   To combine two volume groups into a single volume group, use the vgmerge command. You can merge an inactive "source" volume with an active or an inactive "destination" volume if the physical extent sizes of the volumes are equal and the physical and logical volume summaries of both volume groups fit into the destination volume group's limits. This command merges the inactive volume group my_vg into the active or inactive volume group databases, giving verbose runtime information.
vgcfgbackup
   By default, the metadata backup is stored in the /etc/lvm/backup file and the metadata archives are stored in the /etc/lvm/archives file. You can manually back up the metadata to the /etc/lvm/backup file with the vgcfgbackup command.
vgcfgrestore
   The vgcfgrestore command restores the metadata of a volume group from the archive to all the physical volumes in the volume group.
vgrename
   To rename an existing volume group.
vgrename /dev/vg02 /dev/my_volume_group OR vgrename vg02 my_volume_group
   Either of the commands renames the existing volume group vg02 to my_volume_group.
lvcreate -L 10G vg1
   Creates a logical volume 10 gigabytes in size in the volume group vg1.
lvcreate -l 60%VG -n mylv testvg
   Creates a logical volume called mylv that uses 60% of the total space in volume group testvg.
lvcreate -l 100%FREE -n yourlv testvg
   You can also use the -l argument of the lvcreate command to specify the percentage of the remaining free space in a volume group as the size of the logical volume. This command creates a logical volume called yourlv that uses all of the unallocated space in the volume group testvg.
lvconvert -m1 vg00/lvol1
   Converts the linear logical volume vg00/lvol1 to a mirrored logical volume.
lvconvert -m0 vg00/lvol1
   Converts the mirrored logical volume vg00/lvol1 to a linear logical volume, removing the mirror leg.
iptables -L
   To see what is configured.
Examples of iptables:
   1. iptables -A INPUT -s 192.168.75.0/24 -j REJECT
      Rejects all traffic from the 192.168.75.0 subnet, and sends a "destination unreachable" error message to the client that tried to connect.
   2. iptables -A INPUT -s 192.168.25.200 -p icmp -j DROP
      Stops users from the computer with an IP address of 192.168.25.200 from "pinging" your system.
service iptables save
   Saves the firewall configuration to a file.
chkconfig --list iptables
   To check the iptables service status.
chkconfig iptables on
   To activate the iptables service.
date +%D -s YYYY-MM-DD
   To set the date.
date +%T -s HH:MM:SS
   To set the time.
date +%T -s HH:MM:SS -u
   To set the clock to use UTC.
ntpdate -q server-address
   To check whether the selected ntp server is available.
ntpdate server-address
   To sync the date with the ntp server.
ethtool em1
   To check the physical connectivity of the LAN card.
lsblk
   To list disk devices.
ethtool -s eth0 speed 100 duplex full
   To change the network interface card speed, full duplex.
ethtool -s eth0 speed 100 duplex half
   To change the network interface card speed, half duplex.
mii-tool eth0
   To check the interface card speed and health.
fsck -N /dev/sdb1 or file -sL /dev/sdb1
   To check the file system type.

Yum commands

Command | Use

yum check-update
   To see which installed packages on your system have updates available.
yum update package_name
   To update a single package, run this command as root.
yum history
   To view the yum transaction history.
yum update
   To update all packages and their dependencies, simply enter yum update (without any arguments).
yum search term
   To search all RPM package names, descriptions and summaries.
yum list (and related commands)
   Provides information about packages, package groups, and repositories.
yum list all
   Lists all installed and available packages.
yum list installed (e.g. yum list installed "krb?-*")
   Lists all packages installed on your system. The rightmost column in the output lists the repository from which the package was retrieved.
yum list available
   Lists all available packages in all enabled repositories.
yum grouplist
   Lists all package groups.
yum repolist
   Lists the repository ID, name, and number of packages it provides for each enabled repository.
yum info package-name
   To display information about a package.
yumdb info package-name
   For alternative and useful information about the package. This command provides additional information about a package, including the checksum of the package (and the algorithm used to produce it, such as SHA-256), the command given on the command line that was invoked to install the package (if any), and the reason that the package is installed on the system (where user indicates it was installed by the user, and dep means it was brought in as a dependency). For example, to display additional information about the yum package, type yumdb info yum.
yum install package-name
   To install a single package and all of its non-installed dependencies.
yum install package-name package-name
   To install multiple packages simultaneously, append their names as arguments.
yum install package-name.arch (e.g. yum install sqlite2.i586)
   If you are installing packages on a multilib system, such as an AMD64 or Intel64 machine, you can specify the architecture of the package (as long as it is available in an enabled repository) by appending .arch to the package name.
yum install audacious-plugins-\*
   Using glob expressions.
yum install /usr/sbin/named
   If you know the name of the binary you want to install, but not its package name, you can give yum install the path name.
yum install @group
   Install a package group.
yum groupinstall group-name
   Install a package group.
yum groupinstall groupid
   Install by group ID.
yum provides "*/file_name"
   A common and useful trick to find the package(s) that contain file_name.
yum remove package-name
   To uninstall a particular package, as well as any packages that depend on it.
yum remove package-name package-name
   To uninstall multiple packages at a time. Similar to install, yum remove takes arguments: package names, glob expressions, package files, package provides.
yum groupremove package-group
   To remove a package group.
yum remove @group
   To remove a package group.
yum history list
   To display a list of the twenty most recent transactions, as root, either run yum history with no additional arguments or yum history list.
yum history list all
   To display all transactions, add the all keyword.
yum history list start_id..end_id
   To display only transactions in a given range.
yum history list glob_expression
   To list only transactions regarding a particular package or packages.
yum history list 1..5
   Lists the first five transactions.
yum history summary
   To display a summary of all past transactions.
yum history summary id
   To display a summary of a single transaction.
yum history info id
   To examine a particular transaction in more detail (if id is omitted, the last transaction is examined by default).
yum history addon-info id
   For additional info.
yum history undo id
   To revert a transaction.
yum history redo id
   To repeat a particular transaction.
yum -q history addon-info id saved-tx > file_name
   To store the transaction details to a file.
yum load-transaction file_name
   After copying the above file to the target system, the transaction can be repeated by executing this command (the rpmdb version should be the same on the source and target system).
yum version nogroups
   To verify the rpmdb version.
yum history new
   This command will create a new empty database under the /var/lib/yum/history directory. The old transaction history will be kept, but will not be accessible as long as a newer database file is present in the directory.
/etc/yum.conf
   Yum configuration file location.
/etc/yum.repos.d
   Individual repositories are located under this directory.

Sample yum.conf configuration file:
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=3
(The cachedir shown is the default. debuglevel takes a value between 1 and 10; a higher value gives more detailed information, and setting 0 disables debugging.)

Creating a yum repository
yum install createrepo
   Install the createrepo package.
/mnt/local_repo
   Copy all the packages that you want to have in your repository under one folder.
createrepo --database /mnt/local_repo
   This creates the necessary metadata for your yum repository, as well as the sqlite database for speeding up yum operations.

Security updates
yum check-update --security
   To check security related updates.
yum update --security
   To update those packages which are affected by security advisories. This will update all packages affected by a security advisory to the latest version of that package available.
yum update-minimal --security
   Updates them to the latest packages which were released as part of a security advisory.
yum install httpd --downloadonly
   To download the latest version of the httpd package without installing it. By default, packages downloaded using the --downloadonly option are saved in one of the subdirectories of the /var/cache/yum directory, depending on the Red Hat Enterprise Linux variant and architecture.
yum install --downloadonly --downloaddir=/patches --security
   To specify an alternate directory to save the packages.
yum update --security --skip -y --downloadonly --downloaddir=/packages/security-updates/
   To download only the security updates without installing them.
# cat /etc/yum/pluginconf.d/downloadonly.conf
[main]
enabled=1
   To enable the downloadonly plugin.
yum-plugin-security, yum security
   Plugin to download security patches.
yum updateinfo list available
   To list all available errata without installing them.
yum updateinfo list sec
   To list all available security updates without installing them.
yum updateinfo list security all
   To get a list of the currently installed security updates.
yum update --cve <CVE>
   e.g. yum update --cve CVE-2008-0947

Zypper commands

Command | Use

zypper se <pkgname>
   To check the available packages.
zypper info <pkgname>
   To check whether a package is installed or not.
zypper in <pkgname>
   To install the package.
zypper remove <pkgname>
   To remove the package.
zypper se -t pattern
   To check the available group (bundle) packages.
zypper in -t pattern <bundle>
   To install a bundle of packages.
zypper lr
   To list the available repos.
zypper -v in --from <reponame> <pkgname>
   To install a package from a particular repo.
zypper in <pkgname> -<pkgname>
   To install and remove packages simultaneously.
zypper mr --enable <reponame> / zypper mr --disable <reponame> / zypper ref -s
   To enable / disable / refresh the repos (ref -s refreshes all repos).
zypper repos -E
   To list only enabled repos.
zypper patch
   To install the patches.
zypper list-patches
   To check the available patches.
