The Internet has become a far more dangerous place than it was 20 years ago. Nowadays, operating system and application security is an integral part of a server configuration and, while firewalls are very important, they are not a panacea. This list of steps is intended as a guideline with a practical approach. We’ll try to provide a complete picture without getting into unnecessary details. This list won’t replace a good book on secure systems administration, but it will be useful as a quick guide.
Before we get started it’s worth mentioning that security is not a status: it’s a process. The correct initial setup of the server only provides a good start and gets you halfway there. You still need to walk the other half of the road yourself, by providing proper security vigilance, monitoring and updating.
I wonder why he/she is suggesting a 2-year-old system?
Is it still so good?
It is just an example of a file integrity verification system.
Other alternatives are Tripwire (TM) (http://www.tripwire.com), Integrit (http://integrit.sourceforge.net), etc.
Flavio
Mount /tmp, /home and /var with, at least, the following options: noexec, nodev and nosuid (why would anybody need to create a device, an executable or, even worse, a setuid executable in these three directories anyway?).
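A small audit script, added here as an example (it is not part of the article or of any comment), that checks a mount table in /proc/mounts format against the option policy from this step; the SAMPLE_MOUNTS table and the POLICY lines are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (device, mount point, fstype,
# options, dump, pass); not taken from a real host.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /boot ext4 ro,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda4 /var ext4 rw,noexec,relatime 0 0'

# Policy: "mountpoint required,options" per line, following the step above
# (noexec,nodev,nosuid on /tmp, /home, /var) plus a read-only /boot.
POLICY='/tmp noexec,nodev,nosuid
/home noexec,nodev,nosuid
/var noexec,nodev,nosuid
/boot ro'

# missing_opts MOUNTPOINT REQUIRED [TABLE]
# Prints the required options absent from MOUNTPOINT, or "not-mounted" if the
# path is not its own mount point. Returns 0 when nothing is missing, else 1.
# Without TABLE it reads the live /proc/mounts.
missing_opts() {
    _mp=$1; _req=$2; _table=${3:-$(cat /proc/mounts)}
    # Last matching entry wins, matching the kernel's mount stacking order.
    _opts=$(printf '%s\n' "$_table" | awk -v mp="$_mp" '$2 == mp { print $4 }' | tail -n 1)
    if [ -z "$_opts" ]; then
        echo "not-mounted"
        return 1
    fi
    _missing=""
    for _o in $(printf '%s' "$_req" | tr ',' ' '); do
        case ",$_opts," in
            *,"$_o",*) ;;                     # option present
            *) _missing="$_missing $_o" ;;    # option absent
        esac
    done
    _missing=${_missing# }
    if [ -z "$_missing" ]; then return 0; fi
    echo "$_missing"
    return 1
}

# audit_mounts POLICY TABLE: prints one line per non-compliant policy entry.
audit_mounts() {
    printf '%s\n' "$1" | while read -r mp req; do
        if ! miss=$(missing_opts "$mp" "$req" "$2"); then
            if [ "$miss" = "not-mounted" ]; then
                echo "$mp: not a separate mount point, options cannot apply"
            else
                echo "$mp: missing $miss"
            fi
        fi
    done
}

audit_mounts "$POLICY" "$SAMPLE_MOUNTS"
```

On the sample table this reports /home and /var as non-compliant; calling missing_opts without the table argument audits the running system instead.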
Next step: be surprised about how many things don’t work anymore.
Good article for new sysadmins.
> Next step: be surprised about how many things don’t work anymore.
Sometimes, yes, that’s true. But I think it’s better to sacrifice comfort sometimes when the overall system security can be meaningfully improved. Although I have the experience that problems with restrictive mount options vary between the distros.
On my SuSE 9.3 the following works well and everything works except the install of software outside a user’s home directory. For me that isn’t a problem when I have everything installed that I need on my workstation.
/boot acl,xattr,ro
/home acl,xattr,nosuid
/opt acl,xattr,ro
/tmp acl,xattr,noexec
/usr acl,xattr,ro
/var acl,xattr,noexec
For example, OpenOffice 2.0 wouldn’t run with the above settings on some other distro, which I won’t name because I don’t want to provoke anything but a constructive debate.
Why does such a secure OS need to be hardened?
> Why does such a secure OS need to be hardened?
Recall, Unix was created back when security wasn’t much of an issue. Back then, the only folks connecting to the box were you and your trusted colleagues. The net was a very small place back then.
Oh, I see your point! When Microsoft created its first OS, computers were to be used by a single person, so …
Seriously, nothing that is created by man (or woman, maybe) is perfect, and many times we have to trade something for security.
See http://www.quepublishing.com/articles/article.asp?p=376256&seqNum=1…
Any OS is only as secure as you want it to be. A poorly configured Unix box is just as bad as a poorly configured Windows box.
> On my SuSE 9.3 the following works well and everything works except the install of software outside a user’s home directory. For me that isn’t a problem when I have everything installed that I need on my workstation.
> /boot acl,xattr,ro
> /home acl,xattr,nosuid
> /opt acl,xattr,ro
> /tmp acl,xattr,noexec
> /usr acl,xattr,ro
> /var acl,xattr,noexec
Tell me, how does this improve security on your machine?
> Tell me, how does this improve security on your machine?
For example, the kernel source is in /usr/src/.., important libraries are in /usr/lib or /usr/lib64, and the binaries within /usr/(s)bin should all be read-only too and executable once you have a system that satisfies your needs. So putting “ro” in “/etc/fstab”, as shown in that part of the fstab, makes sure that the whole /usr directory is mounted read-only at boot time, and everything has a better chance this way of staying the way it is once everything is according to your needs. Obviously, everything that doesn’t interfere with you being productive and can be limited is a good thing.
The line “/boot acl,xattr,ro” would mean:
acl (access control lists) applied
xattr (extended file attributes)
ro (as said, read-only)
Specifics can be easily googled though.
There is no need for the /boot directory to be rw (read-write) for the overall system to function properly. Setting a boot password is good practice to ensure nobody but you has easy access and can pass boot parameters.
Setting a boot password and also making the whole /boot directory read-only is even better.
As said, the goal is disabling everything you don’t need that thus doesn’t interfere with you being productive with whatever role the box may have. Setting restrictive mount options is just a small part of it. Disabling unnecessary services is another one (what doesn’t run can’t be an attack vector).
> For example, the kernel source is in /usr/src/.., important libraries are in /usr/lib or /usr/lib64, and the binaries within /usr/(s)bin should all be read-only too and executable once you have a system that satisfies your needs. So putting “ro” in “/etc/fstab”, as shown in that part of the fstab, makes sure that the whole /usr directory is mounted read-only at boot time, and everything has a better chance this way of staying the way it is once everything is according to your needs. Obviously, everything that doesn’t interfere with you being productive and can be limited is a good thing.
Humbug. These files should be at most 755 anyway, so only root can write there. And you’re not protecting yourself against an attacker with root access either, because he can remount the filesystem rw anyway. Same for /boot. So again, you’re not securing anything.