I. Disable Unnecessary Services
Disabling or removing unused programs and services from your host is the most
effective way to limit threats originating from a remote host. Use your distribution's
package management tools to scan the list of installed packages, then remove
those that are unnecessary.
• Many of the services running from inetd are legacy programs, which are hardly
ever required, yet typically enabled by default. The file /etc/inetd.conf is
used to specify which services are offered. Disable all services that you do not
want to provide by commenting them out using the # character in the first column
of the line.
• The /etc/rc*.d or /etc/rc.d/rc* directories contain shell scripts that
control the execution of network and system services during runlevels. Rename or
otherwise disable any that are not required, or remove the package entirely. Red
Hat users can use /sbin/chkconfig --list to list which services run in which
runlevel, and /sbin/chkconfig --del <name> to disable a service.
• If you don't understand what a particular service does, disable it until you find out.
Use netstat and ps to confirm that disabled services have not been started again after a reboot.
Use /bin/netstat -a -p --inet to determine which network services are available and the
process ID associated with each of them.
• A port scanner should also be used to get a view of what remote hosts see.
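The inetd step above, as an added example that is not part of the original checklist: comment out unwanted services with a # in the first column and list what is still offered. The inetd.conf content is a constructed sample written to a temporary directory; on a real host the file is /etc/inetd.conf, and the service names (telnet, finger) are only illustrative.

```shell
# Added example, not from the original checklist. Works with POSIX sh + awk.

# Constructed sample in the real inetd.conf layout (written to the path in $1).
make_sample_inetd_conf() {
    cat >"$1" <<'EOF'
# <service> <socket type> <proto> <flags> <user> <server path> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
#daytime stream tcp  nowait  root    internal
EOF
}

# Names of services that are still offered: the first field of every line
# that is neither blank nor commented out.
list_enabled_inetd() {
    awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

# disable_inetd_services FILE SERVICE... : put '#' in column one of each
# matching line. The file is rewritten through a temporary copy; lines that
# are already commented out are skipped, so running it twice is harmless.
disable_inetd_services() {
    conf="$1"; shift
    tmp="$conf.tmp.$$"
    for svc in "$@"; do
        awk -v svc="$svc" '
            !/^[[:space:]]*#/ && $1 == svc { print "#" $0; next }
            { print }
        ' "$conf" >"$tmp" && mv "$tmp" "$conf"
    done
}

# Demonstration on the constructed sample; prints the one remaining service.
demo_disable_inetd() {
    d=$(mktemp -d)
    make_sample_inetd_conf "$d/inetd.conf"
    disable_inetd_services "$d/inetd.conf" telnet finger
    list_enabled_inetd "$d/inetd.conf"
    rm -rf "$d"
}
demo_disable_inetd
```

After editing the real file, inetd must be told to reread it (a HUP signal) and the checklist's netstat check confirms the ports are closed.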
II. Using RPM and dpkg
The /bin/rpm program on Red Hat and derivatives and the /usr/bin/dpkg on
Debian and derivatives are used to control the management of packages.
• Remove a package
# rpm -e <package-name>
# dpkg -r <package-name>
• List contents of an installed package
# rpm -qvl <package-name>
# dpkg -L <package-name>
• List all installed packages with info about each
# rpm -qvia
# dpkg -l
• List contents of a package file
# rpm -qvpl <package-name.rpm>
# dpkg -c <package-name.deb>
• Print information about a package
# rpm -qpi <package-name.rpm>
# dpkg -I <package-name.deb>
• Verify package characteristics (basic integrity check)
# rpm -Va
# debsums -a
• Determine to which package a file belongs
# rpm -qf </path/to/file>
# dpkg -S </path/to/file>
• Install new package
# rpm -Uvh <package-name.rpm>
# dpkg -i <package-name.deb>
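The integrity check above (rpm -Va, debsums -a) produces one line per file, and the useful part is deciding which lines matter. As an added example that is not part of the original checklist, the block below classifies that output. The line formats are the tools' real ones; the sample lines are constructed here rather than captured from a host, so the block runs without rpm or dpkg installed.

```shell
# Added example, not from the original checklist. POSIX sh + awk.

# rpm -Va prints a nine-character attribute string (S size, M mode,
# 5 digest, D device, L link, U user, G group, T mtime, P capabilities;
# "." means unchanged), an optional type column ("c" = config file) and
# the path. A packaged file that no longer exists shows as "missing".
# Constructed sample lines:
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/lib/libexample.so.1
S.5....T.    /usr/bin/ps
missing     /usr/sbin/example-helper
.M.......    /var/log/example'

# debsums -a prints one "path  OK|FAILED" line per file. Constructed sample:
SAMPLE_DEBSUMS='/usr/bin/ls                     OK
/usr/bin/ps                     FAILED
/etc/ssh/sshd_config            FAILED'

# Classify rpm -Va lines read from stdin. A changed digest on a file that
# is not a config file is the strongest tamper indicator; config files are
# edited legitimately, so they are listed separately for review. A line
# with only a changed mtime is not reported.
triage_rpm_va() {
    awk '
        $1 == "missing"        { print "MISSING  " $NF; next }
        $1 ~ /5/ && $2 == "c"  { print "CFGEDIT  " $NF; next }
        $1 ~ /5/               { print "TAMPERED " $NF; next }
        $1 ~ /M/               { print "MODE     " $NF; next }
    '
}

# Classify debsums -a lines read from stdin: anything not OK is reported.
triage_debsums() {
    awk '$2 != "OK" { print "TAMPERED " $1 }'
}

# Demonstration on the constructed samples. On a real host, pipe the live
# output instead:  rpm -Va | triage_rpm_va   or   debsums -a | triage_debsums
printf '%s\n' "$SAMPLE_RPM_VA" | triage_rpm_va
printf '%s\n' "$SAMPLE_DEBSUMS" | triage_debsums
```

Either check only compares against the package database on the same host, so a compromise that also rewrote that database would pass; Tripwire's offline baseline (section IV) is the stronger control.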
III. Configuring Syslog
• The syslogd is responsible for capturing logging information generated by
system processes. The klogd is responsible for capturing logging information
generated by the kernel. System logs provide the primary indication of a potential
problem.
• Fine-tune the default /etc/syslog.conf to send log information to specific
files for easier analysis.
# Monitor authentication attempts
auth.*;authpriv.* /var/log/authlog
# Monitor all kernel messages
kern.* /var/log/kernlog
# Monitor all warning and error messages
*.warn;*.err /var/log/syslog
# Send a copy to remote loghost. Configure syslogd init
# script to run with -r -s domain.com options on log
# server. Ensure a high level of security on the log
# server!
*.info @loghost
auth.*;authpriv.* @loghost
• Restrict normal users' access to the log directory and syslog files with:
# chmod 751 /var/log /etc/logrotate.d
# chmod 640 /etc/syslog.conf /etc/logrotate.conf
# chmod 640 /var/log/*log
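The authentication log that the auth.*;authpriv.* rule above creates is only useful if something reads it. As an added example that is not part of the original checklist, the block below summarises failed password attempts per source address from /var/log/authlog-style lines. The log lines are constructed in the classic syslog format; the 203.0.113.0/24 addresses are documentation addresses, not real hosts, and the threshold of three failures is an illustrative choice.

```shell
# Added example, not from the original checklist. POSIX sh + awk + sort.

# Constructed sample of what sshd writes through auth/authpriv.
SAMPLE_AUTHLOG='Mar  3 02:11:07 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  3 02:11:09 gw sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Mar  3 02:11:12 gw sshd[2205]: Failed password for root from 203.0.113.5 port 40141 ssh2
Mar  3 02:15:44 gw sshd[2290]: Accepted publickey for ops from 203.0.113.20 port 51000 ssh2
Mar  3 02:20:01 gw sshd[2301]: Failed password for ops from 203.0.113.20 port 51010 ssh2
Mar  3 02:20:05 gw sshd[2303]: Accepted password for ops from 203.0.113.20 port 51011 ssh2'

# Read log lines on stdin; print "count address", most failures first.
# The address is the field after "from", which is stable across the
# "invalid user" and normal-user variants of the message.
count_failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (a in n) printf "%d %s\n", n[a], a }' | sort -rn
}

# flag_sources THRESHOLD : print only addresses with at least THRESHOLD failures.
flag_sources() {
    count_failed_logins | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demonstration on the constructed sample; a real run would be
#   flag_sources 3 </var/log/authlog
printf '%s\n' "$SAMPLE_AUTHLOG" | count_failed_logins
printf '%s\n' "$SAMPLE_AUTHLOG" | flag_sources 3
```

Run from cron against the file on the loghost rather than on the monitored machine, so that an intruder who edits the local log cannot also erase the evidence of the attempts.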
IV. Install and Configure Tripwire
• Tripwire is a program that monitors file integrity by maintaining a database of
cryptographic signatures for programs and configuration files installed on the
system, and reports changes in any of these files.
• A database of checksums and other characteristics for the files listed in the
configuration file is created. Each subsequent run compares any differences to
the reference database, and the administrator is notified.
• The greatest level of assurance that can be provided occurs if Tripwire is run
immediately after Linux has been installed and security updates applied, and
before it is connected to a network.
• A text configuration file, called a policy file, is used to define which characteristics
are tracked for each file. Your level of paranoia determines how often the integrity
of the files is checked. Administration requires constant attention to system
changes, and can be time-consuming if used for many systems. Available as an
unsupported commercial binary for Red Hat and similar.
# Create policy file from text file
/usr/TSS/bin/twadmin -m P policy.txt
# Initialize database according to policy file
/usr/TSS/bin/tripwire --init
# Print database
/usr/TSS/bin/twprint -m d
# Generate daily report file
/usr/TSS/bin/tripwire -m c -t 1 -M
# Update database according to policy file and report file
/usr/TSS/bin/tripwire --update --polfile policy/tw.pol \
    --twrfile report/<hostname>-<date>.twr
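To show what the init/check/update cycle above does underneath, here is an added example that is not part of the original checklist and not Tripwire's code: a minimal file-integrity baseline. It hashes every file under a directory into a reference file, then reports files that were added, removed or changed since. Only content hashes are recorded, whereas Tripwire also tracks owner, mode, inode and timestamps and signs its database. The tree it runs on is constructed in a temporary directory.

```shell
# Added example, not from the original checklist. POSIX sh + awk + find.

# sha256sum is GNU coreutils; shasum -a 256 is the fallback on BSD/macOS.
# Both print "hash  path".
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# make_baseline DIR : write "hash  ./relative/path" lines to stdout.
# Assumes file names contain no newlines.
make_baseline() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do hash_file "$f"; done )
}

# compare_baseline BASELINE DIR : print ADDED / REMOVED / CHANGED lines,
# one per file, sorted; prints nothing when the tree matches the baseline.
compare_baseline() {
    current=$(mktemp)
    make_baseline "$2" >"$current"
    awk '
        NR == FNR { base[$2] = $1; next }   # first file: reference database
        { cur[$2] = $1 }                     # second file: current state
        END {
            for (f in base) if (!(f in cur)) print "REMOVED " f
            for (f in cur) {
                if (!(f in base))           print "ADDED " f
                else if (cur[f] != base[f]) print "CHANGED " f
            }
        }' "$1" "$current" | sort
    rm -f "$current"
}

# Demonstration: baseline a constructed tree, alter it, compare.
demo_integrity() {
    d=$(mktemp -d)
    mkdir -p "$d/tree/bin"
    printf 'original\n' >"$d/tree/bin/ps"
    printf 'config\n'   >"$d/tree/inetd.conf"
    make_baseline "$d/tree" >"$d/baseline.txt"
    printf 'replaced\n' >"$d/tree/bin/ps"       # content changed
    rm "$d/tree/inetd.conf"                     # file removed
    printf 'new\n'      >"$d/tree/bin/extra"    # file added
    compare_baseline "$d/baseline.txt" "$d/tree"
    rm -rf "$d"
}
demo_integrity
```

As with Tripwire, the baseline is only trustworthy if it is taken before the host is networked and stored where the host cannot rewrite it (read-only media or the loghost), and it must be regenerated after every legitimate package update.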
V. Critical System Files
File/Directory         Perms  Description
/var/log               751    Directory containing all log files
/var/log/messages      644    System messages
/etc/crontab           600    System-wide crontab file
/etc/syslog.conf       640    Syslog daemon configuration file
/etc/logrotate.conf    640    Controls rotating of system log files
/var/log/wtmp          660    Who is logged in now. Use who to view
/var/log/lastlog       640    Who has logged in before. Use last to view
/etc/ftpusers          600    List of users that cannot FTP
/etc/passwd            644    List of the system's user accounts
/etc/shadow            600    Contains encrypted account passwords
/etc/pam.d             750    PAM configuration files
/etc/hosts.allow       600    Access control file
/etc/hosts.deny        600    Access control file
/etc/lilo.conf         600    Boot loader configuration file
/etc/securetty         600    TTY interfaces that allow root logins
/etc/shutdown.allow    400    Users permitted to ctrl-alt-del
/etc/security          700    System access security policy files
/etc/rc.d/init.d       750    Program start-up files on Red Hat systems
/etc/init.d            750    Program start-up files on Debian systems
/etc/sysconfig         751    System and network config files on Red Hat
/etc/inetd.conf        600    Internet SuperServer configuration file
/etc/cron.allow        400    List of users permitted to use cron
/etc/cron.deny         400    List of users denied access to cron
/etc/ssh               750    Secure Shell configuration files
/etc/sysctl.conf       400    Contains kernel tunable options on recent Red Hat
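A table of expected modes is most useful as something that can be re-checked. As an added example that is not part of the original checklist, the block below audits paths against the modes in the table above. The CRITICAL_FILES list carries a subset of the table's entries; file_mode uses GNU stat (-c %a) with a BSD stat fallback; and the demonstration runs against a constructed staging tree under a temporary directory rather than the live root.

```shell
# Added example, not from the original checklist. POSIX sh + stat.

# "path mode" pairs taken from the table above (subset).
CRITICAL_FILES='/etc/crontab 600
/etc/syslog.conf 640
/etc/shadow 600
/etc/passwd 644
/etc/inetd.conf 600
/etc/cron.allow 400
/var/log 751'

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_perms [ROOT] : read "path mode" lines on stdin and report each path
# under ROOT (default: the live filesystem) that is missing or whose mode
# differs. Matching paths produce no output, so the output is the findings.
audit_perms() {
    root="${1:-}"
    while read -r path want; do
        if [ -z "$path" ]; then continue; fi
        f="$root$path"
        if [ ! -e "$f" ]; then
            echo "MISSING  $path"
        else
            have=$(file_mode "$f")
            if [ "$have" != "$want" ]; then
                echo "MISMATCH $path have=$have want=$want"
            fi
        fi
    done
}

# Demonstration on a constructed tree: crontab and /var/log correct,
# syslog.conf too permissive, the remaining entries absent.
demo_audit() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/var/log"
    touch "$d/etc/crontab" "$d/etc/syslog.conf"
    chmod 600 "$d/etc/crontab"
    chmod 644 "$d/etc/syslog.conf"
    chmod 751 "$d/var/log"
    printf '%s\n' "$CRITICAL_FILES" | audit_perms "$d"
    rm -rf "$d"
}
demo_audit
```

On a live host, run printf '%s\n' "$CRITICAL_FILES" | audit_perms with no root argument; a MISMATCH on /etc/shadow or /etc/crontab after a package upgrade is worth the same attention as a Tripwire change report.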