Top 10 Red Hat Enterprise Linux 5 Security Checks

Despite crossing over the half-decade mark since its release, Red Hat Enterprise Linux (RHEL) 5 continues to be in widespread use, and will continue to be supported by Red Hat through November 30th 2020. Security enhancements in later versions of RHEL like improved Security Enhanced Linux (SELinux) and virtual machine security (i.e., Svirt) warrant a timely upgrade, but organizations unable to do so can still bolster RHEL 5 for a strong security posture.

The following are 10 vital security checks for ensuring that your RHEL 5 deployment is sufficiently hardened against cyber attacks.

Top 10 Important Security Checks for RHEL 5

1. Mount Filesystems With User-Writable Directories on Separate Partitions.

Ensure that filesystems with user-writable directories are mounted on separate partitions during initial installation. The following are examples of such directories:

2. Use nosuid, nodev, and noexec.

In many cases hackers will use temporary storage directories such as /tmp to store and execute malicious programs. Changing mount options in /etc/fstab to restrict user access on appropriate filesystems during system configuration can prevent this:

noexec prevents execution of binaries on a filesystem
nosuid prevents the setuid bit from taking effect
nodev prevents use of device files on the filesystem

3. Disable Booting from Removable Media.

Configuring your system's BIOS to disable booting from CDs/DVDs/USB drives prevents malicious software from being surreptitiously loaded. Additionally, access to BIOS settings should be password-protected.

4. Set a Password For the GRUB Bootloader.

The GRUB bootloader should be password protected, as would-be attackers can use it to boot into single user mode to gain root access.

Generate a password hash by using /sbin/grub-md5-crypt
Add the hash to the first line of /etc/grub.conf: password --md5 passwordhash

This effectively prevents users from entering single user mode.

5. Don't Use Default yum-updatesd.

Updates are vital to keeping your system secure, but default versions of yum-updatesd are faulty; instead, apply updates by setting up a cron job. This can be achieved through the following steps:

1. Disable the yum-updatesd service: /sbin/chkconfig yum-updatesd off
2. Create the yum.cron file:

#!/bin/sh
/usr/bin/yum -R 120 -e 0 -d 0 -y update yum
/usr/bin/yum -R 10 -e 0 -d 0 -y update

This file should be executable and placed in /etc/cron.daily or /etc/cron.weekly.

6. Remove X Windows From the System.

Chances are you will not be needing a GUI for common server administration tasks. It's therefore best to remove X Windows to eliminate the possibility of it being exploited:

yum groupremove "X Window System"

7. Make Sure /boot is Read-Only.

This folder is set to RW mode by default, despite only being used for reading/loading modules and the kernel. It should therefore be set to read-only in /etc/fstab:

/dev/sda1 /boot ext2 defaults,ro 1 2

8. Restrict SSH Access.

SSH should be both restricted from root access and limited to a subset of users. This can be accomplished by adding the following to /etc/ssh/sshd_config:

PermitRootLogin no
Protocol 2

The sshusers group should then be added to /etc/ssh/sshd_config:

AllowGroups sshusers

9. Ensure that Unnecessary Services are Disabled.

Use the following command to disable superfluous services:

/sbin/chkconfig servicename off

The following services can safely be disabled if not in use:

anacron
apmd
autofs
avahi-daemon
bluetooth
cups
firstboot
gpm
haldaemon
hidd
hplip
isdn
kdump
kudzu
mcstrans
mdmonitor
messagebus
microcode_ctl
pcscd
readahead_early
readahead_later
rhnsd
setroubleshoot

10. Configure Your System to Prompt for the Root Password Before Entering Single User Mode.

Your system should be configured to prompt for the root password before entering single user mode to prevent potential exploitation (e.g., dumping password hashes). This can be accomplished by adding the following line to /etc/inittab:

Looking for a way to verify that these security checks are in place automatically, with just a few mouse clicks? ScriptRock’s policy-driven testing suite can validate that these security checks are in place and consistent across all your RHEL 5 server nodes. Give it a test drive today on us.
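
A few of these checks can also be scripted by hand. The following is an added audit sketch, not part of the original article or of any vendor tool: it tests the /etc/fstab mount options from steps 2 and 7 and the sshd_config settings from step 8. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added audit sketch, not from the original article. Paths are arguments so
# the checks can be run against copies of /etc/fstab and /etc/ssh/sshd_config.

# fstab_has_opts FSTAB MOUNTPOINT OPT...
# Succeeds only if MOUNTPOINT has its own entry whose 4th field lists every OPT.
fstab_has_opts() {
    fstab=$1; mp=$2; shift 2
    while read -r dev dir fstype opts rest; do
        case $dev in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$dir" = "$mp" ] || continue
        for want in "$@"; do
            case ",$opts," in *",$want,"*) ;; *) return 1 ;; esac
        done
        return 0
    done < "$fstab"
    return 1   # no separate entry for this mount point
}

# sshd_value FILE KEYWORD: print the first value set for KEYWORD.
# sshd keywords are case-insensitive and the first occurrence wins.
sshd_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while read -r k v; do
        [ "$(printf '%s' "$k" | tr 'A-Z' 'a-z')" = "$key" ] || continue
        printf '%s\n' "$v"; return 0
    done < "$1"
    return 0
}

# sshd_restricted FILE GROUP: the three settings from step 8 are all in effect.
sshd_restricted() {
    [ "$(sshd_value "$1" PermitRootLogin)" = no ] || return 1
    [ "$(sshd_value "$1" Protocol)" = 2 ] || return 1
    case " $(sshd_value "$1" AllowGroups) " in *" $2 "*) return 0 ;; esac
    return 1
}

# Constructed sample files (not taken from a real host). In the /boot line
# "ro" follows a space, so it is not part of the options field.
demo=$(mktemp -d)
printf '%s\n' '/dev/sda1 /boot ext2 defaults ro 1 2' \
    '/dev/sda5 /tmp ext3 defaults,nosuid,nodev,noexec 1 2' > "$demo/fstab"
printf '%s\n' 'PermitRootLogin no' 'Protocol 2' \
    'AllowGroups sshusers' > "$demo/sshd_config"
fstab_has_opts "$demo/fstab" /tmp nosuid nodev noexec && echo "PASS /tmp options"
fstab_has_opts "$demo/fstab" /boot ro || echo "FAIL /boot: ro not in options field"
sshd_restricted "$demo/sshd_config" sshusers && echo "PASS sshd_config"
rm -rf "$demo"
```

Run it against copies of the real files; a mount point with no entry of its own is reported as a failure, which also flags directories that were never given a separate partition.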

