Identify all hardware
Note - hardware identification is not always necessary; however, Linux may not install or work properly with all configurations, especially if it is an older version of Linux on newer hardware. If Linux installs but some things do not work properly (video, network, sound), you may need to upgrade to a later Linux version or to different hardware. For instance, installing RedHat 6.2 on some PCs with a newer AGP video card will not work in graphics (X11) mode, but will work if an ISA video card is installed or if RedHat 7.0 is installed.
Check for BIOS and chipset updates
Check the web site of the hardware manufacturer(s) for updates.
IP Address and Host Name
Contact the CNE to register the host name and obtain an IP address. The host name should describe what the server is doing but should not contain the type of operating system, nor should it tell the user its primary application. For example, linuxfinance or oraclegsfc are not good names. Orion and Sunspot are good names. If you are re-using an IP address, confirm that the IP address, subnet mask, default gateway, and DNS settings are correct for the machine. If you are uncertain how to check, contact your system administrator. Incorrect settings can be a risk. If the system has been compromised, do not use the IP address again and do not connect the machine to the LAN until it has passed a security scan. Typically the hacker or hackers will post the IP address of the compromised machine on their web site. Approval from the CSO must be obtained if you wish to reuse a compromised IP address.
Acquire Linux Updates
System administrators for Code 580 regularly create new CDs with the recent patches and updates for RedHat and Mandrake Linux systems. Please contact your system administrator or CSO for a copy of the CD. In addition to patches, the CD also has the latest version of this document as well as additional s/w packages and files for setting up and securing your Linux system. You should get a copy of this CD prior to starting the Linux installation. The following sites have the very latest s/w updates and patches:
Install Linux Operating System
Installing Linux using one of the major distributions (RedHat, Mandrake,
SuSE, etc.) is usually very straightforward. Consult the vendor documentation for details.
Before installation, at a minimum you should have the following in your possession:
During installation, you should do the following:
After installation, if you didn't already, you should make a boot floppy:
Use rpm to manually remove packages which will not be used
Turn off unused network services
Some of the above services can be disabled by removing the associated rpm package (see previous step). Others can be disabled by running the 'chkconfig' command and turning them off at all run levels (example: 'chkconfig --level 123456 sendmail off'). Still others can be disabled by removing entries from the /etc/inetd.conf file or by modifying the appropriate file in the /etc/xinetd.d directory (later versions of chkconfig will modify the xinetd entries for you).
Install Additional Packages from Update CD-ROM
Install patches from the Update CD-ROM
Note: -F is used in the 'rpm' command to freshen the operating system; it will not install the packages that were removed.
Sometimes, package dependencies change from one version to the next. This is common with RedHat, so it is very likely that rpm -Fvh will fail the first time around. If it does, manually resolve those dependencies with 'rpm -Uvh <needed packages>' and then attempt the rpm -Fvh again. Continue to resolve any dependencies. When all dependencies have been resolved, rpm -Fvh will update all remaining packages without complaint. If you have difficulty determining which package will resolve a needed dependency, point your web browser to www.rpmfind.net and it will help. Experience has shown that all dependencies can be resolved with the packages contained in the update directory on the CD-ROM, but it is not always obvious which package to load.
Check the LILO boot path to the kernel
If the kernel was updated but the boot record doesn't point to the new
kernel file then the system will become unbootable (except via floppy)! If there is a problem, the lilo command above will complain. If lilo does complain, check the /etc/lilo.conf configuration file and fix whatever problems might exist, such as an incorrect kernel entry or an initrd (see below) that was not updated properly.
Check Initial Root Disk (only if booting with SCSI disk)
Most vendor default kernels do not have SCSI support built in. Instead, an initial root disk (initrd) containing the SCSI modules is loaded into RAM at boot. On a SCSI system, that initrd might not be updated, both in /etc/lilo.conf and in the image file itself. BEFORE updating the kernel, the quickest way to determine whether you will need to rebuild the initrd is to check /etc/lilo.conf: if there is a line such as 'initrd=/boot/initrd.img' then you should run mkinitrd after updating the kernel to be safe.
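Added here as an example, not part of the original checklist: a small Python pre-reboot check that parses a lilo.conf, verifies that every image= and initrd= file exists, and flags an initrd whose version (read from the RedHat-style file name, an assumption) differs from its kernel's, which is the case that calls for mkinitrd. The lilo.conf and the /boot listing are constructed.

```python
import re

# Constructed /etc/lilo.conf sample, not from the original page: the 'linux'
# entry was pointed at the new kernel but its initrd= line was left alone.
SAMPLE_LILO_CONF = """boot=/dev/sda
default=linux
image=/boot/vmlinuz-2.2.19-7
        label=linux
        initrd=/boot/initrd-2.2.17-14.img
image=/boot/vmlinuz-2.2.17-14
        label=old
        initrd=/boot/initrd-2.2.17-14.img
"""
# Constructed view of /boot after the update removed the old kernel package.
SAMPLE_BOOT_FILES = {"/boot/vmlinuz-2.2.19-7", "/boot/initrd-2.2.17-14.img"}

def parse_lilo_conf(text):
    """Return one {image, label, initrd} dict per image= stanza."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "image":
            current = {"image": value, "label": None, "initrd": None}
            entries.append(current)
        elif current is not None and key in ("label", "initrd"):
            current[key] = value
    return entries

def version_of(path):
    """Version from RedHat-style names such as vmlinuz-2.2.19-7 or initrd-2.2.19-7.img (an assumption)."""
    m = re.search(r"-(\d[^/]*?)(?:\.img)?$", path)
    return m.group(1) if m else None

def check_lilo(text, exists):
    """Return problems per boot entry: missing kernel, missing initrd, or an initrd
    built for a different kernel. `exists` is a callable path -> bool."""
    problems = []
    for e in parse_lilo_conf(text):
        label, kern, rd = e["label"] or e["image"], e["image"], e["initrd"]
        if not exists(kern):
            problems.append(f"{label}: kernel {kern} does not exist")
        if rd and not exists(rd):
            problems.append(f"{label}: initrd {rd} does not exist")
        elif rd and version_of(rd) != version_of(kern):
            problems.append(f"{label}: initrd {rd} was built for a different kernel; run mkinitrd")
    return problems
```

On a real system call check_lilo(open("/etc/lilo.conf").read(), os.path.exists) before running lilo and rebooting.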
You might need the floppy if you run into problems with the Updates later on.
It's a good idea to have one anyway.
If you want details on an installed package type:
Remove all program packages (one at a time) that you will not be using:
Change all vendor default passwords.
Rules of Thumb for Strong Passwords
Don't use a common word that can be identified in a password, such as your name, the names of family members, or any dictionary words including foreign words. These are the kinds of password features that thieves and hackers first try, so don't make it easy for someone to break into your account. Use upper and lower case letters if the system requesting a password can distinguish between them. It makes your passwords that much stronger because you now have, effectively, 52 letters to work with.
Use passwords with a minimum of 8 characters made up of letters and symbols based upon the other recommendations in this list. Use a different password for each site or service that requires one. Otherwise, a security flaw or irresponsible operator of a favorite Web site could expose the password that you use to protect your brokerage account. The best rule is to use a unique, long, strong password for each site and purpose.
A final consideration: How do you keep track of all these strong passwords? Posting them on a sticky note on the side of your monitor is a very bad idea because they become public knowledge. One option is to keep your list of passwords in a safe place away from your computer. Another way to keep track of passwords is with a tool such as PGP (Pretty Good Privacy), GPG (Gnu Privacy Guard), or Password Safe, each of which allows you to keep all of your passwords in a restricted file that is encrypted and protected by a password. You only need to remember that one password to get into the safe.
Make a strong root password
Root Password: This is the most critical password. Of all of the passwords, this is the one that has to be strong. Strong means a minimum of 8 characters, of which at least two should be numbers or special characters.
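Added example, not from the checklist: a Python function that encodes the root-password rule (8 characters, at least two digits or special characters) together with the rules of thumb above. The word list is a constructed stand-in for a real dictionary and name list.

```python
# Constructed word list standing in for a dictionary; a real check would load
# /usr/share/dict/words plus the account holder's own and family names.
WORDLIST = {"orion", "sunspot", "password", "linux", "finance", "smith"}

def password_problems(pw, wordlist=WORDLIST, min_len=8, min_nonalpha=2):
    """Apply the root-password rule (>= 8 characters, at least two digits or
    special characters) and the rules of thumb (mixed case, no dictionary
    words). Returns the list of rules the password fails; empty means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    nonalpha = sum(1 for c in pw if not c.isalpha())
    if nonalpha < min_nonalpha:
        problems.append(f"fewer than {min_nonalpha} digits or special characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("does not mix upper and lower case")
    # Words are matched case-insensitively as substrings, so appending digits
    # to a name ('Orion2001!') does not hide it.
    low = pw.lower()
    hits = sorted(w for w in wordlist if len(w) >= 4 and w in low)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems
```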
Disable all unused accounts
Run linuxconf and modify the user accounts to disable the ones that you don't need. Don't delete the accounts until you've confirmed that they are not needed; some services require special accounts.
Install an Access Warning Banner
The Access Warning Banner you should use is located on the Update CDROM you obtained from the CSO. The banner needs to be installed for each of the appropriate network services which you are offering. Usually updating /etc/issue and /etc/issue.net is sufficient. Note - on Redhat systems the /etc/issue and /etc/issue.net files are overwritten at each boot. To avoid this, modify the file /etc/rc.local to leave your changes intact.
Configure Bastille-Linux
Bastille-Linux was installed in an earlier step. "The Bastille Hardening System attempts to 'harden' or 'tighten' the Linux operating system. It currently supports Red Hat and Mandrake systems."
Run the following command:
Use the following as a basic guide for the Bastille settings:
Configure TCP/IP wrappers
Configure TCP-wrappers after you have run the Bastille setup.
Ensure that all possible TCP and UDP services that allow external connections that can be protected by TCP-wrappers are indeed wrapped. Ensure that the allowed external connections to the machine are the minimum possible and that the system "trusts" the fewest number of other systems that it can and still perform its required function.
If you are running an earlier version of Linux (1 year or more older) then your system is probably using inetd. Check the documentation (readme file) that is with the software in TCP-wrappers directory on the update CD-ROM. For a quick installation, it is recommended you follow the instructions in section '7.2 - Advanced configuration and installation'. This method requires you to update the /etc/inetd.conf file and leave your executables in place.
If you are running a later version of Linux that uses xinetd then you do not need to configure TCP-wrappers; xinetd has the wrappering capability built in. Here are some tips on configuring xinetd (do this after Bastille setup since it makes some changes also):
First check the /etc/xinetd.conf file. It contains default values for the services xinetd runs. It may also contain specific settings for the individual services or a reference (includedir) to a directory where the individual services are configured. In the 'defaults' section ensure the following are set:
no_access = 0.0.0.0
    This denies all connections by default; access must then be enabled on a per-service basis. Bastille setup should have made this setting for you already.
log_type = SYSLOG authpriv
    This causes the log messages to go through the syslog facility. /etc/syslog.conf will tell you where the 'authpriv' messages are sent.
log_on_success = HOST PID
log_on_failure = HOST
    These indicate what information to log for each connection attempt.
Next, ensure that only the services you need are turned on. 'chkconfig --list' will show you the status of the xinetd services. Turn on only the ones you need; all others should be off. For instance, to turn off telnet and turn on wu-ftpd, do this:
chkconfig --list
chkconfig telnet off
chkconfig wu-ftpd on
For each service that you enable, make the following entry in the corresponding service file in the /etc/xinetd.d directory (or in /etc/xinetd.conf if the services are defined there).
only_from = 128.183.0.0
    This permits connections only from the 128.183 (gsfc) network; all others are denied. If you need global access, use 0.0.0.0, which permits connections from anywhere on the Internet. Be sure to check the logfile for reports.
no_access = 205.105.0.0
    This example denies connections from any machine in the 205.105 network. By combining 'only_from' and 'no_access' values you can tweak who can and cannot access your services. Be sure to check the logfile for failed connections.
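Added here as an example, not from the checklist or from xinetd itself: a small Python audit that parses an xinetd-style configuration (defaults plus service blocks, as they would appear in /etc/xinetd.conf or concatenated from /etc/xinetd.d) and reports the settings above that are missing or wide open. The sample configuration is constructed.

```python
import re

# Constructed sample, not from the page: wu-ftpd restricted, telnet world-open, finger has no only_from.
SAMPLE_CONF = """defaults
{
    no_access = 0.0.0.0
    log_type  = SYSLOG authpriv
}
service wu-ftpd
{
    disable   = no
    only_from = 128.183.0.0
    no_access = 205.105.0.0
}
service telnet
{
    disable   = no
    only_from = 0.0.0.0
}
service finger
{
    disable = no
}
"""

def parse_xinetd(text):
    """Return {block: {attr: value}} for 'defaults' and each service; plain 'name = value' lines only."""
    blocks = {}
    for _, name, body in re.findall(r"(defaults|service\s+(\S+))\s*\{(.*?)\}", text, re.S):
        pairs = [l.split("#", 1)[0].split("=", 1) for l in body.splitlines()]
        blocks[name or "defaults"] = {p[0].strip(): p[1].strip() for p in pairs if len(p) == 2}
    return blocks

def audit_xinetd(text):
    """Check a config against the checklist rules above; return a list of findings."""
    blocks = parse_xinetd(text)
    defaults = blocks.pop("defaults", {})
    findings = []
    if defaults.get("no_access") != "0.0.0.0":
        findings.append("defaults: no_access must be 0.0.0.0 (deny unless a service allows)")
    if not defaults.get("log_type", "").startswith("SYSLOG"):
        findings.append("defaults: log_type should send messages to syslog")
    for name, attrs in sorted(blocks.items()):
        if attrs.get("disable", "no").lower() == "yes":
            continue  # disabled services need no per-service restriction
        if "only_from" not in attrs:
            findings.append(f"{name}: enabled but has no only_from line")
        elif attrs["only_from"].startswith("0.0.0.0"):
            findings.append(f"{name}: only_from = 0.0.0.0 opens it to the whole Internet")
    return findings
```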
Configure SSH
You should have installed the SSH rpm from the update cdrom in an earlier step. This should have enabled the service for you. To confirm, type 'chkconfig --list' and look for the sshd entry; it should be on for at least the default run level (the default run level is listed in /etc/inittab). The default settings for sshd are usually pretty good; if you need to change any, they are located in the /etc/ssh/sshd_config file.
Configure Tripwire
You should have installed the tripwire rpm from the update cdrom in an earlier step. To configure it for your system do the following:
Check for running Network Services
Type the following two commands to check for running network services:
Check the output - does it seem reasonable? Do you know what it means? Are these the network services you expect to be offering with this machine? Do you need all of them? Do you know what they are? If no to any of these questions then please identify what the services are and disable the ones you do not need. For instance, if you will not be using nfs, then you probably don't need portmap either. If you need it later it can always be enabled. If this machine is strictly a workstation you can probably get by with only sshd, X related services, and lpd for printing. Remember, YOU are responsible for this machine and the services it offers.