Baseline Configuration Standard (Linux)

PATCHES, PACKAGES AND INITIAL LOCKDOWN   Action
If this is a new system protect it from the network until the OS is hardened and patches are installed.   Required
Apply latest OS Patches   Required
Install and Configure SSH   Required
Install Zabbix Install and Configure Zabbix on system Required
Install and Run Bastille Bastille is a system hardening tool for Red Hat and many other Unix and Linux systems. Bastille hardens the operating system based on the answers to a series of scripted questions. Remove from list
MINIMIZE XINETD NETWORK SERVICES Description Action
Disable Standard Services Xinetd has superseded inetd as the default network superserver. The stock configuration of both xinetd and inetd contain a number of standard services that are not necessary if the use of SSH as a secure login mechanism is present in the environment. Recommended "Minimal" Installation | Other installation type: Required
Configure iptables Configure iptables for minimum required access to ports. Required
Only Enable telnet If Absolutely Necessary Telnet uses an unencrypted network protocol, which means data from the login session (such as passwords and all other data transmitted during the session) can be stolen by eavesdroppers on the network, and also that the session can be hijacked by outsiders to gain access to the remote system. Required
Only Enable ftp If Absolutely Necessary Like telnet, the FTP protocol is unencrypted, which means passwords and other data transmitted during the session can be captured by sniffing the network, and that the FTP session itself can be hijacked by an external attacker. Required
Only Enable rlogin/rsh/rcp If Absolutely Necessary The r-commands suffer from the same hijacking and sniffing issues as telnet and ftp, and in addition have a number of well-known weaknesses in their authentication scheme. Required
Only Enable TFTP Server if Absolutely Necessary TFTP is typically used for network booting of diskless workstations, X-terminals, and other similar devices. It is also used if a Kickstart server is present in the environment. Required
Only Enable IMAP if Absolutely Necessary Remote mail clients (like Eudora, Netscape Mail and Kmail) may retrieve mail from remote mail servers using IMAP, the Internet Message Access Protocol, or POP, the Post Office Protocol. Required
Only Enable POP if Absolutely Necessary Remote mail clients (like Eudora, Netscape Mail and Kmail) may retrieve mail from remote mail servers using IMAP, the Internet Message Access Protocol, or POP, the Post Office Protocol. Required
MINIMIZE BOOT SERVICES Description Action
Set Daemon umask The system default umask should be set to at least 027 in order to prevent daemon processes (such as the syslog daemon) from creating world-writable files by default. Optional
Disable xinetd, If Possible If possible completely disable the xinetd service on the system. Required
Disable sendmail Server, If Possible If a server is not acting as a mail server the sendmail daemon can be disabled. Required
Disable GUI Login Disable X Windows and GUI-based logins Required
Disable X Font Server If the X Windows Server is not being used you should also disable the X Font Server. Required
Disable Standard Boot Services Each system daemon that does not have a clear and necessary purpose on the host should be deactivated. Optional
Only Enable SMB (Windows File Sharing) Processes If Absolutely Necessary Red Hat Linux includes the popular Open Source Samba server for providing file and print services to Windows-based systems. This allows a Unix system to act as a file or print server in on a Windows network, and even act as a Domain Controller (authentication server) to older Windows operating systems. However, if this functionality is not required by the site, the service should be disabled. Required
Only Enable NFS Server Processes If Absolutely Necessary NFS is frequently exploited to gain unauthorized access to files and systems. Required
Only Enable NFS Client Processes If Absolutely Necessary NFS is frequently exploited to gain unauthorized access to files and systems. Required
Only Enable NIS Client Processes If Absolutely Necessary Unless this site must use NIS, it should really be avoided. While it can be very useful for transparently scaling the number of workstations, it's not well designed for security. Required
Only Enable NIS Server Processes If Absolutely Necessary Unless this site must use NIS, it should be avoided. While it can be very useful for transparently scaling the number of workstations, it is not well designed for security. Required
Only Enable RPC Portmap Processes If Absolutely Necessary RPC-based services typically use very weak or non-existent authentication and yet may share very sensitive information. Required
Only Enable netfs Script If Absolutely Necessary If there are no network file sharing protocols being used, one can deactivate the netfs script. This script mounts network drives on the client. Required
Only Enable Printer Daemon Processes If Absolutely Necessary If users will never print files from this machine and the system will never be used as a print server by other hosts on the network, then it is safe to disable the print daemon, lpd or cupsd. Required
Only Enable Web Server Processes If Absolutely Necessary Unfortunately web servers tend to be enabled on many systems that don’t need the web service, and are often not properly secured and administered. Required
Only Enable SNMP Processes If Absolutely Necessary If SNMP is used to monitor the hosts on this network, experts recommend changing the default community string used to access data via SNMP. Required
Only Enable DNS Processes If Absolutely Necessary BIND DNS has been widely implemented but has also had a history of security flaws. Required
Only Enable SQL Server Processes If Absolutely Necessary If your server does not need to run the mainstream database (SQL) servers Postgres or MySQL, it is safe to deactivate them. Required
Only Enable Webmin Processes If Absolutely Necessary One can remotely administer a system through the relatively safe SSH remote shell system. Webmin, and other tools like it, can be dangerous as they have a history of bad authentication or session management. Required
Only Enable SQUID Caching Server if Absolutely Necessary Squid can actually be beneficial to security, as it imposes a proxy between the client and server. On the other hand, if it is not being used, it should be deactivated and removed. Required
Only Enable Kudzu Hardware Detection if Absolutely Necessary Kudzu is Red Hat's hardware detection program, which is normally set to run during system startup. It detects changes in hardware and, without demanding authentication of any sort, allows the user at the console to configure that hardware. This lack of authentication presents the primary danger – any user sitting at the console during a reboot can configure any new devices added to the system. Required
KERNEL TUNING Description Action
Network Parameter Modifications Modification of configuration file that sets network parameters at boot time. Required
Additional Network Parameter Modifications Further modification of configuration file that sets network parameters at boot time. Required
LOGGING Description Action
Capture Messages Sent To Syslog AUTHPRIV Facility The default installation of Red Hat Enterprise Linux already has this enabled. It is included in case it had been previously disabled. Required
Turn On Additional Logging For FTP Daemon Whereas FTP is a more vulnerable protocol in a security sense, additional logging for the ftp daeamon should be configured. Required
Confirm Permissions On System Log Files Protect system log files from being modified by unauthorized individuals by confirming log file permissions on a regular basis. Required
Install Splunk Install and configure Splunk Required
FILE/DIRECTORY PERMISSIONS/ACCESS Description Action
Add 'nodev' Option To Appropriate Partitions In /etc/fstab Placing "nodev" on these partitions prevents users from mounting unauthorized devices on any partitions that we know should not contain devices. There should be little need to mount devices on any partitions other than /dev. Optional
Add 'nosuid' and 'nodev' Option For Removable Media In /etc/fstab Removable media is one vector by which malicious software can be introduced onto the system. By forcing these file systems to be mounted with the nosuid option, the administrator prevents users from bringing set-UID programs onto the system via CDROMs and floppy disks. Required on Physical Hardware
Disable User-Mounted Removable File Systems Disable the ability of regular users to mount removable file systems. Required
Verify passwd, shadow, and group File Permissions The file permissions for passwd, shadow, and group should be periodically checked. Required
World-Writable Directories Should Have Their Sticky Bit Set When the sticky-bit is set on a directory, only the owner of a file can remove that file from the directory, preventing users from overwriting each other’s files. Required
Find Unauthorized World-Writable Files Data in world-writable files can be modified and compromised by any user on the system. Required
Find Unauthorized SUID/SGID System Executables Administrators should ensure no rogue set-UID programs are introduced into systems. Required
Find All Unowned Files Unowned files should not be allowed and, if present, may be an indication an intruder has accessed the system. Required
Disable USB Devices PCMCIA cards, USB drives and memory devices represent another attack vector against your systems. The prices for a 512MB or even 1GB USB memory device have become very affordable, and is enough storage to transport vast quantities of data off a system. Optional
SYSTEM ACCESS, AUTHENTICATION, AND AUTHORIZATION Setting Adjustment
Remove .rhosts Support In PAM Configuration Files Used in conjunction with the BSD-style "r-commands" (rlogin, rsh, rcp), the .rhosts files implement a weak form of authentication based on the network address or host name of the remote computer (which can be spoofed by a potential attacker to exploit the local system).
s and other network security elements should actually block rlogin/rsh/rcp access from external hosts.
Required
Create ftpusers Files /etc/ftpusers and /etc/vsftp.ftpusers contain a list of users who are not allowed to access the system via FTP—there should be no reason for “system” type accounts to be transferring information via FTP and certainly root should not be used to transfer files via ftp. Don't enable FTP
Prevent X Server From Listening on Port 6000/tcp X servers listen on port 6000/tcp for messages from remote clients running on other systems. X Windows users a relatively insecure authentication protocol and an attacker who is able to gain authorized access to the local X server can easily compromise the system. Don't enable X
Restrict at/cron To Authorized Users The cron.allow and at.allow files are a list of users who are allowed to run the crontab and at commands to submit jobs to be run at scheduled intervals. Required
Restrict Permissions On crontab files The system crontab files are accessed only by the cron daemon (which runs with superuser priveleges) and the crontab command (which is set-UID to root). Allowing unprivileged users to read or (even worse) modify system crontab files can create the potential for a local user on the system to gain elevated priveleges. Required
Configure xinetd Access Control Configure xinetd to use simple IP-based access control and log connections. Required if xinetd is installed
Restrict Root Logins to System Console Anonymous root logins should never be allowed, except on the system console in emergency situations. Required
Set LILO/GRUB Password By default on most Linux systems, the boot loader prompt allows an attacker to subvert the normal boot process very easily. Adding a boot loader password adds and extra layer of security. Optional
Require Authentication for Single-User Mode By default on Red Hat Linux, you can enter single user mode simply by typing “linux single” at the LILO prompt or in the GRUB boot-editing menu. Optional - Suggested
Restrict NFS Client Requests to Privileged Ports Setting the secure parameter causes the NFS server process on the local system to ignore NFS client requests that do not originate from the privileged port range (ports less than 1024). Required
Only enable syslog to Accept Messages If Absolutely Necessary By default the system logging daemon, syslogd, does not listen for log messages from other systems on the network port 514/udp. It is a considered a “good practice” to setup a central log server but if a server is not a central log server, it should not be listening on port 514/udp. Remove from list
USER ACCOUNTS AND ENVIRONMENT    
Block System Accounts Non-human system accounts should be made less useful to an attacker by locking them and setting the shell to a shell not in /etc/shells. Required
Verify That There are No accounts with Empty Password Fields An account with an empty password field means that anybody may log in as that user without providing a password at all. All account should have strong passwords. Required
Set Account Expiration Parameters On Active Accounts Force users to change passwords every 90 days, prevent password changes for seven days thereafter. Required -Kerberos should enforce account expiration
Verify No Legacy ‘+’ Entries Exist In passwd, shadow, And group Files ‘+’ entries in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries may provide an avenue for attackers to gain privileged access on the system, and should be deleted if they exist. Optional
No ‘.’ Or Group/World-Writable Directory in Root’s $PATH Including the current working directory (‘.’) or other writable directory in root’s executable path makes it likely that an attacker can gain superuser access by forcing an administrator operating as root to execute a Trojan Horse program. Required
User Home Directories Should Be Mode 750 or More Restrictive Group or World-Writable user home directories may enable malicious users to steal or modify other users’ data or to gain another user’s system privileges. Required
No User Dot-Files Should Be World-Writable World-writable user configuration files may enable malicious users to steal or modify other users’ data or to gain another users’ system privileges. Required
Remove User .netrc Files .netrc files may contain unencrypted passwords which may be used to attack other  systems. Required
Set Default umask For Users A default umask setting of 077—files and directories created by users will not be readable by any other system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system. Required
Disable core dumps Core dumps can consume large amounts of disk space and may contain sensitive data. Required
Limit Access To The Root Account From su Limit the amount of people who can access the root account via ‘su’. Required - su or ksu