
Guide to the Secure Configuration of Red Hat Enterprise Linux 5
Revision 4.1
February 28, 2011

Operating Systems Division
Unix Team of the Systems and Network Analysis Center
National Security Agency
9800 Savage Rd. Suite 6704
Ft. Meade, MD 20755-6704


Warnings

Do not attempt to implement any of the recommendations in this guide without first testing in a non-production environment. This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration concerns. Care must be taken when implementing this guide to address local operational and policy concerns. The security changes described in this document apply only to Red Hat Enterprise Linux 5. They may not translate gracefully to other operating systems. Internet addresses referenced were valid as of 1 Dec 2009.

Trademark Information

Red Hat is a registered trademark of Red Hat, Inc. Any other trademarks referenced herein are the property of their respective owners.

Change Log

Revision 4.1 is an update of Revision 4 dated September 14, 2010.

Added section 2.2.2.6, Disable All GNOME Thumbnailers if Possible.

Added Common Configuration Enumeration (CCE) identifiers to associated sections within the guide, and a note about CCE in section 1.2.4, Formatting Conventions.

Updated section 2.3.3.2, Set Lockouts for Failed Password Attempts. There is no longer the need to add the pam_tally2 module into each program's PAM configuration file, or to comment out some lines from /etc/pam.d/system-auth. The pam_tally2 module can now be referenced directly from /etc/pam.d/system-auth.

Corrected section 2.6.2.4.5 title from Ensure auditd Collects Logon and Logout Events to Record Attempts to Alter Logon and Logout Event Information.

Corrected section 2.6.2.4.6 title from Ensure auditd Collects Process and Session Initiation Information to Record Attempts to Alter Process and Session Initiation Information.

Note: The above changes did not affect any of the section numbering.

Table of Contents

1 Introduction
  1.1 General Principles
    1.1.1 Encrypt Transmitted Data Whenever Possible
    1.1.2 Minimize Software to Minimize Vulnerability
    1.1.3 Run Different Network Services on Separate Systems
    1.1.4 Configure Security Tools to Improve System Robustness
    1.1.5 Least Privilege
  1.2 How to Use This Guide
    1.2.1 Read Sections Completely and in Order
    1.2.2 Test in Non-Production Environment
    1.2.3 Root Shell Environment Assumed
    1.2.4 Formatting Conventions
    1.2.5 Reboot Required

2 System-wide Configuration
  2.1 Installing and Maintaining Software
    2.1.1 Initial Installation Recommendations
      2.1.1.1 Disk Partitioning
      2.1.1.2 Boot Loader Configuration
      2.1.1.3 Network Devices
      2.1.1.4 Root Password
      2.1.1.5 Software Packages
      2.1.1.6 First-boot Configuration
    2.1.2 Updating Software
      2.1.2.1 Configure Connection to the RHN RPM Repositories
      2.1.2.2 Disable the rhnsd Daemon
      2.1.2.3 Obtain Software Package Updates with yum
    2.1.3 Software Integrity Checking
      2.1.3.1 Configure AIDE
      2.1.3.2 Verify Package Integrity Using RPM
  2.2 File Permissions and Masks
    2.2.1 Restrict Partition Mount Options
      2.2.1.1 Add nodev Option to Non-Root Local Partitions
      2.2.1.2 Add nodev, nosuid, and noexec Options to Removable Storage Partitions
      2.2.1.3 Add nodev, nosuid, and noexec Options to Temporary Storage Partitions
      2.2.1.4 Bind-mount /var/tmp to /tmp
    2.2.2 Restrict Dynamic Mounting and Unmounting of Filesystems
      2.2.2.1 Restrict Console Device Access
      2.2.2.2 Disable USB Device Support
      2.2.2.3 Disable the Automounter if Possible
      2.2.2.4 Disable GNOME Automounting if Possible
      2.2.2.5 Disable Mounting of Uncommon Filesystem Types
      2.2.2.6 Disable All GNOME Thumbnailers if Possible
    2.2.3 Verify Permissions on Important Files and Directories
      2.2.3.1 Verify Permissions on passwd, shadow, group and gshadow Files
      2.2.3.2 Verify that All World-Writable Directories Have Sticky Bits Set
      2.2.3.3 Find Unauthorized World-Writable Files
      2.2.3.4 Find Unauthorized SUID/SGID System Executables
      2.2.3.5 Find and Repair Unowned Files
      2.2.3.6 Verify that All World-Writable Directories Have Proper Ownership
    2.2.4 Restrict Programs from Dangerous Execution Patterns
      2.2.4.1 Set Daemon umask
      2.2.4.2 Disable Core Dumps
      2.2.4.3 Enable ExecShield
      2.2.4.4 Enable Execute Disable (XD) or No Execute (NX) Support on 32-bit x86 Systems
      2.2.4.5 Configure Prelink
  2.3 Account and Access Control
    2.3.1 Protect Accounts by Restricting Password-Based Login
      2.3.1.1 Restrict Root Logins to System Console
      2.3.1.2 Limit su Access to the Root Account
      2.3.1.3 Configure sudo to Improve Auditing of Root Access
      2.3.1.4 Block Shell and Login Access for Non-Root System Accounts
      2.3.1.5 Verify Proper Storage and Existence of Password Hashes
      2.3.1.6 Verify that No Non-Root Accounts Have UID 0
      2.3.1.7 Set Password Expiration Parameters
      2.3.1.8 Remove Legacy + Entries from Password Files
    2.3.2 Use Unix Groups to Enhance Security
      2.3.2.1 Create a Unique Default Group for Each User
      2.3.2.2 Create and Maintain a Group Containing All Human Users
    2.3.3 Protect Accounts by Configuring PAM
      2.3.3.1 Set Password Quality Requirements
      2.3.3.2 Set Lockouts for Failed Password Attempts
      2.3.3.3 Use pam_deny.so to Quickly Deny Access to a Service
      2.3.3.4 Restrict Execution of userhelper to Console Users
      2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
      2.3.3.6 Limit Password Reuse
      2.3.3.7 Remove the pam_ccreds Package if Possible
    2.3.4 Secure Session Configuration Files for Login Accounts
      2.3.4.1 Ensure that No Dangerous Directories Exist in Root's Path
      2.3.4.2 Ensure that User Home Directories are not Group-Writable or World-Readable
      2.3.4.3 Ensure that User Dot-Files are not World-writable
      2.3.4.4 Ensure that Users Have Sensible Umask Values