Red Hat Bugzilla – Attachment 600217 Details for Bug 842936: Empty sections in Security Guide
Full chapter: Basic_Hardening.xml (text/xml), 9.31 KB, created by eric on 2012-07-25 03:03:56 UTC
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
]>

<chapter id="chap-Security_Guide-Basic_Hardening">
<title>Basic Hardening Guide</title>
    <para>
        The <ulink url="http://www.nsa.gov">US National Security Agency</ulink> (NSA) has developed two guides for hardening a default installation of Red Hat Enterprise Linux 5. Many of the tips provided in these guides are also valid for installations of Fedora. This Basic Hardening Guide covers portions of the NSA's Hardening Tips and explains why implementing these tips is important. This document does not represent the full NSA Hardening Guide.
    </para>
    <para>
        As with any change to a system, these changes could cause unintended results. Evaluate each change for appropriateness on your system before implementing it.
    </para>
    <section id="sect-Security_Guide-Basic_Hardening-General_Principles">
        <title>General Principles</title>
        <para><simplelist>
            <member>Encrypt all data transmitted over the network. Encrypting authentication information (such as passwords) is particularly important.</member>
            <member>Minimize the amount of software installed and running in order to minimize vulnerability.</member>
            <member>Use security-enhancing software and tools whenever available (e.g., SELinux and iptables).</member>
            <member>Run each network service on a separate server whenever possible. This minimizes the risk that a compromise of one service could lead to a compromise of others.</member>
            <member>Maintain user accounts. Create a good password policy and enforce its use. Delete unused user accounts.</member>
            <member>Review system and application logs on a routine basis. Send logs to a dedicated log server. This prevents intruders from easily avoiding detection by modifying the local logs.</member>
            <member>Never log in directly as root, unless absolutely necessary. Administrators should use <command>sudo</command> to execute commands as root when required. The accounts capable of using sudo are specified in <filename>/etc/sudoers</filename>, which is edited with the <command>visudo</command> utility. By default, relevant logs are written to <filename>/var/log/secure</filename>.</member>
        </simplelist></para>
    </section>
    <section id="sect-Security_Guide-Basic_Hardening-General_Principles-Why_is_this_important">
        <title>Why is this important?</title>
        <para>The general principles from the NSA represent a best practices overview of security. There are items in the above list that probably won't be used by everyone, and there are items missing that should be stressed as a best practice. Additional information on these ideas and others is given below.</para>
    </section>
    <section id="sect-Security_Guide-Basic_Hardening-Physical_Security">
        <title>Physical Security</title>
        <para>Physical security of the system is of utmost importance. Many of the suggestions given here won't protect your system if the attacker has physical access to the system.</para>
        <important><para>This section contains information regarding GRUB Legacy and not the current release of GRUB (also known as GRUB2). Fedora 16 does not use GRUB Legacy, so many of the commands below will not function in Fedora 16 or later versions.</para></important>
        <para>Configure the BIOS to disable booting from CDs/DVDs, floppies, and external devices, and set a password to protect these settings. Next, set a password for the GRUB bootloader. Generate a password hash using the command <command>/sbin/grub-md5-crypt</command>. Add the hash to the first line of <filename>/etc/grub.conf</filename> using <command>password --md5 <replaceable>passwordhash</replaceable></command>. This prevents users from entering single user mode or changing settings at boot time.</para>
    </section>
    <section id="sect-Security_Guide-Basic_Hardening-Physical_Security-Why_is_this_important">
        <title>Why this is important</title>
        <para>An attacker could take complete control of your system by booting from an external source. By booting from an external source (e.g., a live Linux CD) many of the security settings are bypassed. If the attacker can modify the GRUB settings, they can boot into single user mode, which allows admin access to the system.</para>
    </section>
    <section id="sect-Security_Guide-Basic_Hardening-Physical_Security-What_else_can_I_do">
        <title>What else can I do?</title>
        <para>Ever since Fedora 9, LUKS encryption has been natively supported to protect data stored in a LUKS encrypted partition. When you install Fedora 9 or later, check the box to encrypt your file system when you set up your file system. By encrypting your root partition and your <filename>/home</filename> partition (or the single / partition if you accept the default file system), you keep your data out of reach of attackers booting from an external source or into single user mode. Of course, you must use a strong passphrase to protect your data.</para>
    </section>
    <section id="sect-Security_Guide-Basic_Hardening-Networking">
        <title>Networking</title>
        <para>The computer's network connection is the gateway to your system. Your files and processor time could be available to anyone who successfully connects to your system via this network connection if other safeguards have not been implemented. One of the primary ways to keep you in control of your system is to prevent attackers from gaining access to your system in the first place.</para>
        <section id="sect-Security_Guide-Basic_Hardening-Networking-iptables">
            <title>iptables</title>
            <para><application>iptables</application> is the most widely used firewall software on Linux systems today. This program intercepts packets coming into your computer via the network connection and filters them according to rules you have specified. Additional information can be found in <xref linkend="sect-Security_Guide-IPTables" />.</para>
        </section>
        <section id="sect-Security_Guide-Basic_Hardening-Networking-IPv6">
            <title>IPv6</title>
            <para>IPv6 is the latest Internet protocol, which aims to solve the address quantity shortfall inherent to IPv4. While there are no security risks directly associated with the new protocol, there are a few things to understand before utilizing this new technology.</para>
            <para>Most system administrators are familiar with IPv4 and the work-arounds that were put in place to make IPv4 work. One of these work-arounds is network address translation, or <firstterm>NAT</firstterm>. NAT is traditionally used to keep the number of needed public IP addresses to a minimum when setting up a local area network. Systems on these networks do not all require public IP addresses, and valuable address space can be saved by implementing this technology. There are some security features that were side effects of NAT, the biggest being that outside traffic cannot make it inside the network unless a port is forwarded across the router. Because IPv6 solves the addressing problem, there is no longer a need to use NAT. Everything can have a public IP address and, by extension, everything is now publicly routable across the Internet once physical and logical connections are made.</para>
            <para>Another thing to worry about is how security software deals with this new protocol. <application>iptables</application> does not know or understand IPv6, and so it ignores those packets altogether. That means if your network is utilizing IPv6 and you have not activated <application>ip6tables</application>, then you have just left the door to your system open to the world.</para>
            <para>Using IPv6 is not dangerous as long as you know and understand the changes that your system's software went through to make it possible to use this new network protocol.</para>
        </section>
    </section>
    <section id="sect-Security_Guide-Basic_Hardening-Up_to_date">
        <title>Keeping software up to date</title>
        <para>Software gets patched every day. Some of these updates fix security problems that were identified by the developers. When these patches become available, it is important that they are applied to your system as soon as possible. One of the easier ways to manage updates for your system is using <application>yum</application>. A special plugin is available to allow only security updates to be installed while ignoring bugfixes and enhancements. This plugin is explained in more detail in <xref linkend="sect-Security_Guide-CVE-yum_plugin" />.</para>
    </section>
    <section id="sect-Security_Guide-Basic_Hardening-Services">
        <title>Services</title>
        <para>Services in Linux are programs that run as daemons in the background. It is important to audit these programs regularly to determine if they need to be running. Many daemons open network ports in order to listen for connections. Having unnecessary ports open can harm the overall security of the system. An unknown security flaw in a piece of software can allow an attacker into a system through a service that did not need to be running.</para>
    </section>
    <section id="sect-Security_Guide-Basic_Hardening-NTP">
        <title>NTP</title>
        <para>Network Time Protocol, or <firstterm>NTP</firstterm>, keeps the time on your systems accurate. Time is a very important piece of the security puzzle and should be maintained as precisely as possible. Time is used in log files, timestamps, and in encryption. If someone is able to control the time settings on one of your systems, then they are able to make reconstructing a break-in that much more difficult.</para>
    </section>
</chapter>
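As an added example (not part of the attached chapter, and not Fedora or NSA tooling), the POSIX shell script below turns two of the chapter's recommendations into checks a practitioner can run offline: it reports whether a GRUB Legacy grub.conf carries a hashed `password --md5` line in its global section, as the Physical Security section instructs, and whether `ip6tables-save` output shows a DROP policy on INPUT, the condition the IPv6 section warns is absent when ip6tables has not been activated. It also emits a small ip6tables-restore ruleset that satisfies the second check. All function names, the sample grub.conf bodies and the placeholder hash are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the attached chapter or of the Fedora Security Guide.
# It turns two of the chapter's recommendations into offline checks: a hashed
# GRUB Legacy boot password in grub.conf, and ip6tables loaded with a DROP policy
# on INPUT (the "door left open" failure mode in the IPv6 section). Function names
# are hypothetical; input comes from a file argument or stdin, so the checks run
# without root against the constructed samples at the bottom.

# grub_legacy_password_state [FILE]
# Exit status: 0 = "password --md5 <hash>" in the global section (before the first
# "title" stanza), 2 = a plaintext "password" line, 1 = no boot password at all.
grub_legacy_password_state() {
    awk '
        BEGIN { state = 1 }
        /^[ \t]*title/ { exit }                          # global section is over
        /^[ \t]*password[ \t]+--md5[ \t]/ { state = 0; exit }
        /^[ \t]*password[ \t]/ { state = 2; exit }
        END { exit state }
    ' "$@"
}

# ip6_input_policy [FILE]
# Print the default policy of the filter table INPUT chain from ip6tables-save
# output. "NONE" means no filter table was present, which is what an unconfigured
# ip6tables looks like: as with an ACCEPT policy, every IPv6 packet gets in.
ip6_input_policy() {
    awk '
        BEGIN { policy = "NONE" }
        /^\*/ { table = substr($1, 2) }
        table == "filter" && $1 == ":INPUT" { policy = $2; exit }
        END { print policy }
    ' "$@"
}

# ip6_input_filtered [FILE]: exit 0 only when the INPUT policy is DROP.
ip6_input_filtered() {
    [ "$(ip6_input_policy "$@")" = "DROP" ]
}

# ip6tables_baseline
# Emit an ip6tables-restore ruleset that drops unsolicited inbound IPv6 but keeps
# loopback, replies to established flows, ICMPv6 (IPv6 neighbour discovery needs
# it) and SSH. Load it as root with:  ip6tables_baseline | ip6tables-restore
ip6tables_baseline() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Constructed samples, not taken from any real host. The hash is a placeholder in
# the $1$salt$digest shape that /sbin/grub-md5-crypt produces.
GRUB_HARDENED='default=0
timeout=5
password --md5 $1$EXAMPLE$placeholder.hash.value.not.real
title Fedora
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda2
        initrd /initrd.img'
GRUB_PLAINTEXT='default=0
password notsecret
title Fedora
        root (hd0,0)'
GRUB_OPEN='default=0
timeout=5
title Fedora
        root (hd0,0)'
IP6_OPEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# grub_report LABEL CONFIG-TEXT: one line of findings for a grub.conf body.
grub_report() {
    state=0
    printf '%s\n' "$2" | grub_legacy_password_state || state=$?
    case $state in
        0) echo "$1: hashed GRUB boot password present" ;;
        2) echo "$1: WARNING plaintext GRUB password, replace it with a --md5 hash" ;;
        *) echo "$1: WARNING no GRUB boot password, single user mode is unprotected" ;;
    esac
}

grub_report hardened  "$GRUB_HARDENED"
grub_report plaintext "$GRUB_PLAINTEXT"
grub_report open      "$GRUB_OPEN"
echo "baseline ruleset INPUT policy: $(ip6tables_baseline | ip6_input_policy)"
echo "open ruleset INPUT policy:     $(printf '%s\n' "$IP6_OPEN" | ip6_input_policy)"
echo "no ruleset INPUT policy:       $(printf '' | ip6_input_policy)"
```

Run it as-is to see the report over the constructed samples; on a real host, point the functions at live data with `grub_legacy_password_state /etc/grub.conf` or `ip6tables-save | ip6_input_policy`. The baseline ruleset keeps ICMPv6 open on purpose: IPv6 neighbour discovery runs over it, so a DROP policy that also dropped ICMPv6 would break connectivity rather than harden it.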