Red Hat has announced the release of Red Hat Enterprise Linux (RHEL) 7.1, the first point update in the distribution's latest stable branch: 'Red Hat, Inc. Today announced the general availability of Red Hat Enterprise Linux 7.1, the first minor release of Red Hat Enterprise Linux 7, which launched in June 2014. Red Hat Enterprise Linux 7.1 offers improved development and deployment tools, enhanced.
The hardening checklists are based on the comprehensive checklists produced by CIS. The has distilled the CIS lists down to the most critical steps for your systems, with a particular focus on configuration issues that are unique to the computing environment at The University of Texas at Austin. How to use the checklist Print the checklist and check off each item you complete to ensure that you cover the critical steps for securing your server. The Information Security Office uses this checklist during risk assessments as part of the process to verify that servers are secure.
How to read the checklist Step - The step number in the procedure. If there is a for this step, the note # corresponds to the step #. Check √ - This is for administrators to check off when she/he completes this portion. To Do - Basic instructions on what to do to harden the respective system CIS - Reference number in the Center for Internet Security. The CIS document outlines in much greater detail how to complete each step. UT Note - The at the bottom of the page provides additional detail about the step for the university computing environment.
Cat I - For systems that include, required steps are denoted with the! All steps are recommended.
Cat II/III - For systems that include, all steps are recommended, and some are required (denoted by the!). Min Std - This column links to the specific requirement for the university in the document. Server Information. 1 If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall in between the network and the host to be protected. 5 Since /tmp is intended to be world writable, creating a separate partition for it can prevent resource exhaustion. Setting nodev prevents users from creating or using block or special character devices.
Setting noexec prevents users from running binary executables from /tmp. Setting nosuid prevents users from creating set userid files in /tmp. 6 Multiple partitions are recommended to protect against resource exhaustion conditions if a partition fills up, as well as to allow for the setting of various options on individual partitions to support increased security (e.g.
Nodev, nosuid, noexec). 11 Install and use the yum-security plugin. To install the plugin run. Kernel.randomizevaspace = 2 20 Disable any xinetd services you do not absolutely require by setting 'disable=yes' in /etc/xinetd.d/. Configure TCP wrappers for access control. Edit /etc/hosts.deny to include this entry as the first uncommented line in the file: ALL:ALL Ensure /etc/hosts.allow is edited appropriately to allow the administrator(s) to connect.
Verify that you have disabled any unnecessary startup scripts under /etc, /etc/rc.d, or /etc/init.d (or startup script directory for your system) and disabled any unneeded services from starting in these scripts. Unnecessary services can be disabled with. Sudo service xinetd stop; sudo chkconfig xinetd off 25 RHEL7 comes with firewalld, however iptables may be installed and used instead.
This is documented at: Below is a list of some iptables resources: 33 If you decide to utilize, the ISO highly recommends the following:. Change the port from port 22 to something/anything else. There are scripts online that malicious hackers can use against an SSH server. These scripts almost always only attack port 22 since most people do not change the default port.
Use SSH2 (by setting Protocol 2 in the sshdconfig file) as it remediates many vulnerabilities from SSH1. Restrict access to the SSH port using a hardware or software firewall.
If possible, use keys with passphrase instead of just passwords. To create rsa keys, follow these commands. Ssh-keygen -t rsa ssh server 'mkdir.ssh; chmod 0700.ssh' scp./ssh/idarsa.pub server.ssh/authorizedkeys2. The CIS Solaris Benchmark covers some suggested basic settings to place in the configuration file.
You may also want to visit the. 34 INFO is a basic logging level that will capture user login and logout activity. Other logging levels may be used, but may generate more noise. The DEBUG logging level is not recommended for production servers. 35 Do not permit root logins via SSH.
If root access over SSH is absolutely necessary, require administrators to authenticate with an individual account first and then use su or sudo. This is to prevent remote brute force attacks against the root user account as well as to create an audit trail of administrative activity in the event of a compromise. 37 There is a license fee for Tripwire. The Tripwire management console can be very helpful for managing more complex installations. AIDE is a free tool.
Is another free tool, as is. 38 Many resources exist for understanding and configuring SELinux:. SELinux is enabled by default with RHEL systems and should not be disabled unless absolutely necessary.
39 OSSEC is a free, open-source host-based intrusion detection system, which performs log analysis, file integrity checking, and rootkit detection, with real time alerting, in an effort to identify malicious activity. It is available at. 40 ITS Networking operates two stratum 2 NTPv4 (NTP version 4) servers for.
41 Auditd monitors various system activity, such as system logins, authentications, account modifications, and SELinux denials. These records may help administrators identify malicious activity or unauthorized access. 42 Rsyslog is a third-party package which is intended to replace the standard syslog daemon. The CIS benchmark has several recommendations for configuring rsyslog. Some benefits of rsyslog include transmission of logs over TCP and support for encryption of log data when transmitting over a network. 44 It is highly recommended that logs are shipped from any Category I devices to a service like Splunk, which provides log aggregation, processing, and real-time monitoring of events among many other things. This helps to ensure that logs are preserved and unaltered in the event of a compromise, in addition to allowing proactive log analysis of multiple devices.
Splunk licenses are available through ITS at no charge. ITS also maintains a centrally-managed Splunk service that may be leveraged. 45. Check in /etc/sudoers to see who has sudo rights. Check in /etc/groups to see what groups your users belong to. Check in /etc/passwd and/or /etc/shadow for blank passwords.
Check the strength of users' passwords with tools such as. Seek approval from. Consider using a simple dictionary for easily guessed passwords.
Develop a procedure to report and remediate easily guessed passwords. 46 Ensure the following are set in /etc/pam.d/other:. auth required. auth required. account required. account required. password required.
password required. session required. session required.
session required Warn will report alerts to syslog. 48 To require strong passwords, in compliance with section 5.18 of the Information Resources Use and Security Policy: For RHEL 6: In /etc/pam.d/system-auth, add or change the file as required to read. Password required pampwquality.so tryfirstpass localusersonly retry=3 authtoktype= password sufficient pamunix.so sha512 shadow tryfirstpass useauthtok remember=10 password required pamdeny.so 49 Ensure that the terminal security file (for example, /etc/securetty or /etc/ttys) is configured to deny privileged (root) access. On a Red Hat box, this means that no virtual devices (such as /dev/pty.) appear in this file. 50 The text of the can be found on the ITS Web site.
You may add localized information to the banner as long as the university banner is included. 51 The text of the can be found on the ITS Web site.
You may add localized information to the banner as long as the university banner is included. 52 There are few viruses that infect Linux computers; therefore, it is understandable for most Linux servers to have an exception to this rule. See the Operations Manual for information on the.
You may choose any proven anti-virus product. One option is. 53 There are few viruses that infect Linux computers; therefore, it is understandable for most Linux servers to have an exception to this rule. See the Operations Manual for information on the. 54 There are a variety of methods available to provide encrypted storage. Two good candidates are and (free).