Linux Security Check List

Linux Security Checklist

Hey people stop reading…if the box ya want to make secure is not getting powered ON… ya got it…!!


Introduction

I gotta an assaignment to prepare a securitY check-list and here I make it general for anybodY who wanna have a look…I spent quite some time over the jungle…..
This crap maY provide ya some of the keY concepts that can go a long way in keeping a Linux system in secure[/insecure :-P].

General
0.Hardware
1.OS Distribution
2. File System Allocation( Disk Partitions)
3.OS Installation / Package Selection
4.Physical Security
5.Back-Ups
6.Expired Systems
7.Make a Boot and Rescue Media
8.Remove Unnecessary Software Package
9.Keep the System Patched and Up-to-Date
10.Set Off the Unnecessary Services
11.Disable the Unused Ports
12.Cross Check for Xinetd Services
13.Check Security on Key Files
14.User Account Management
15.Remove Unwanted/Zombie Files
16.Customized Banners
17.Harden the Services/Applications which are Required
0.nfs
1.ssh
2.ftp
3.xinetd
4.sendmail
5.apache (httpd)

18.Kernel Tunable Security Parameters
19.iptables
20.TCP Wrappers
21.Pluggable Authentication Module (PAM)
22.Proper System Logging
23.SELinux
24.Tripwire

General
To say ideally, the check list start right from the Hardware, OS Distribution, File System Allocation( Disk Partitions), OS Installation, Physical Security, Back-Ups and finally dump the system by ensuring that data can not be recovered from the Hard disk(s).

Hardware

Is that an OS distro certified hardware vendor?
Choose the hardware vendor who are good at customer support.
Choose the hardware, which meet our requirements (do we need a dual CPU, what is going to be its future role)
Have a plan for Annual Maintenance Contract (AMC) and how long we need it.

OS Distribution
This is all about our choice but must consider the facts, getting security updates, bug-fixes, enhancements and patch management within a short time-frame and in priority wise is an important step to be pro-actively secure the Linux System.

File System Allocation (Disk Partitions)
The system should have separate partitions to avoid “panics�?. This is just a DIVIDE & RULE Policy for better management and for recovery when we had troubles. Make separate partitions and allocate required space for /boot, /, /usr, /home, /var, /tmp and /opt for your optional and third party applications. This step is very important for both Production Servers, Workstations and Desktops (I mean to say, when you do a Linux installation)

OS Installation (Package Selection)

Do you need an Office Suite or xpdf to run your Database Server ? NO. So smart package selection avoid unwanted services and reduce the Risk Factor. May be the vulnerability is more for a package that you really never use.

Physical Security
The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards (Gene Spafford)
The systems should be in locked Server-Rack and locked room/datacenter. Physical access to the systems are restricted to authorized users. Set BIOS and Grub password (These days KVM switches can handle from BIOS level to avoid remote reboot chaos).
I am not saying anything hereabout Disaster Recovery Management and room Air Conditioning.

Back-Ups

Data are important for any level of organizations, so the back-up.
Simple back-up utilities are tar, gzip, bzip2, dump – for multiple level of back-up for the entire file-system, rsync – for transfer data between servers and keep in sync, amanda – for a client-server environment.

Expired Systems

Make sure the data can not be recovered from the hard-disks of the systems which is expired and not in use anymore. Disksanitizer is a tool to remove from all traces of data from the storage media according to the U.S. DoD standards.

Make a Boot and Rescue Media
…I just gotta finger pain…but to be continued…. (…where is the vicks bottle…hmm..)

Leave a Reply