Some time ago, the NSA released an excellent guide on how to harden RHEL5 systems.
Despite being written for RHEL5, much of it also applies to RHEL6 and newer versions of Fedora, and it is worth a look for users of non-Red-Hat distributions as well. One thing to keep in mind: it is clearly focused on server systems, not desktops.
Some of the topics are really basic stuff that is already in place as industry best practice; other methods are not that well known.
Most of the items can be implemented very easily; others should be reviewed to decide whether the added complexity is worth the security gain.
Minimize Software to Minimize Vulnerability is a good starting point. RHEL5 is quite bad on this point: a default installation comes with a complete desktop environment. RHEL6 has made a lot of progress on this issue, as I wrote about in an earlier post.
The default file system layout of most Linux distributions is suboptimal. At least /var, /tmp and /home should be on separate file systems. Separate file systems also let you enhance the system's security by setting mount options such as noexec, nodev and nosuid where appropriate (for example noexec on /tmp, and nosuid on /home, where no setuid binaries belong).
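As an added example (not code from the original post or the NSA guide), here is a small POSIX sh audit of the mount options discussed above. The mount table is a constructed sample in /proc/mounts format, and the table of which options each mount point must carry is an assumed policy chosen for this example; on a real host you would feed it /proc/mounts and your own policy.

```shell
#!/bin/sh
# Added example: check that /var, /tmp and /home are separate file systems
# and carry the expected nodev/nosuid/noexec options. Sample input and the
# per-mount-point policy below are constructed assumptions for this example.

# Constructed sample in /proc/mounts format:
#   device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/mapper/vg-var /var ext4 rw,relatime,nodev 0 0
/dev/mapper/vg-tmp /tmp ext4 rw,relatime,nodev,nosuid,noexec 0 0
/dev/mapper/vg-home /home ext4 rw,relatime,nodev,nosuid 0 0'

# required_opts MOUNTPOINT -> the options that mount point must have
# (assumed policy: nothing in /tmp may be executed, and neither /home nor
# /var needs setuid binaries or device nodes).
required_opts() {
    case "$1" in
        /tmp)  echo "nodev nosuid noexec" ;;
        /home) echo "nodev nosuid" ;;
        /var)  echo "nodev nosuid" ;;
        *)     echo "" ;;
    esac
}

# has_opt OPTLIST OPT -> true if OPT appears as a whole item in the
# comma-separated list (so "noexec" does not match inside other words).
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_opts MOUNTPOINT MOUNTTABLE -> prints the required options that are
# not set (empty when compliant) and returns 0 only when compliant. Prints
# NOTMOUNTED when the path is not a separate file system at all.
missing_opts() {
    mp="$1"
    table="$2"
    opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { print $4 }')
    if [ -z "$opts" ]; then
        echo "NOTMOUNTED"
        return 1
    fi
    missing=""
    for o in $(required_opts "$mp"); do
        has_opt "$opts" "$o" || missing="$missing $o"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# audit_mounts MOUNTTABLE -> one report line per mount point, exit 1 if any
# mount point is missing or misconfigured.
audit_mounts() {
    rc=0
    for mp in /var /tmp /home; do
        m=$(missing_opts "$mp" "$1") || rc=1
        if [ -z "$m" ]; then
            echo "$mp: ok"
        else
            echo "$mp: missing $m"
        fi
    done
    return $rc
}

# Run against the constructed sample; /var lacks nosuid and is reported.
audit_mounts "$SAMPLE_MOUNTS" || echo "some mount points need attention"
```

One caveat a practitioner should know before putting noexec on /tmp: some RPM scriptlets and third-party installers unpack and execute helpers from /tmp and will fail with "Permission denied". For those runs, `mount -o remount,exec /tmp` temporarily lifts the restriction, and `mount -o remount,noexec /tmp` restores it afterwards.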
Always set SELinux to Enforcing mode where possible. Since tools like audit2allow and selinux-polgengui enable users to create basic policies easily, it is no longer rocket science. For further reading and hints about SELinux, have a look at Dan Walsh's blog.
Check that only the daemons you actually need are running; i.e. if you are not using NFS, disable portmap (rpcbind on RHEL6) and friends.
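The following added example (not code from the original post or the NSA guide) covers the two previous points in one small baseline check: it reads the configured SELinux mode from an /etc/selinux/config-style file and rewrites it to enforcing, and it compares the services enabled at boot against an allow list. Both inputs are constructed samples, and the allow list is an assumption for the example; on a real host you would read /etc/selinux/config and the output of `chkconfig --list` instead.

```shell
#!/bin/sh
# Added example: baseline check of the SELinux mode in the config file and of
# the daemons enabled at boot. The config text, the chkconfig listing and the
# allow list below are constructed assumptions for this example.

# Constructed /etc/selinux/config contents showing the weak setting.
SAMPLE_SELINUX_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted'

# Constructed `chkconfig --list` output with RHEL5 service names.
SAMPLE_CHKCONFIG='portmap         0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
rhnsd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# Services this (assumed) server role is allowed to start at boot.
ALLOWED_SERVICES="sshd auditd rhnsd"

# selinux_config_mode CONFIG_TEXT -> the SELINUX= value (enforcing,
# permissive or disabled). The SELINUXTYPE= line is deliberately not matched.
selinux_config_mode() {
    printf '%s\n' "$1" | sed -n 's/^SELINUX=\([a-z]*\).*/\1/p'
}

# enforce_in_config CONFIG_TEXT -> the same config with SELINUX=enforcing.
# On a live host `setenforce 1` switches the running mode immediately and
# this edit of /etc/selinux/config makes the setting survive a reboot.
enforce_in_config() {
    printf '%s\n' "$1" | sed 's/^SELINUX=.*/SELINUX=enforcing/'
}

# enabled_in_runlevel LISTING RUNLEVEL -> services that are "on" in that
# runlevel, one per line, in listing order.
enabled_in_runlevel() {
    printf '%s\n' "$1" | awk -v rl="$2:on" '{ for (i = 2; i <= NF; i++) if ($i == rl) print $1 }'
}

# unexpected_services LISTING RUNLEVEL ALLOWLIST -> enabled services that are
# not on the allow list, one per line. Returns 1 if any were found.
unexpected_services() {
    found=0
    for svc in $(enabled_in_runlevel "$1" "$2"); do
        case " $3 " in
            *" $svc "*) ;;
            *) echo "$svc"; found=1 ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Report on the constructed samples; runlevel 3 is the usual server runlevel.
echo "SELinux mode in config: $(selinux_config_mode "$SAMPLE_SELINUX_CONFIG")"
for svc in $(unexpected_services "$SAMPLE_CHKCONFIG" 3 "$ALLOWED_SERVICES"); do
    # The commands you would run on the real host to turn the daemon off.
    echo "unexpected: $svc  ->  service $svc stop; chkconfig $svc off"
done
```

Going from permissive to enforcing needs no relabel, but if the host was running with SELINUX=disabled, files created in the meantime carry no labels: create /.autorelabel before the reboot so the file system is relabelled before enforcing takes effect.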
Other recommendations, such as disabling rhnsd, are IMHO not a good idea. Enabling a warning banner for pre-login text is just clueless.
The NSA provides a nice guide that is really worth reading for server administrators. Some topics described in the guide may be overkill and complex, while others are easy to implement and maintain. Hopefully the NSA will soon update its paper for RHEL6.
It also shows that Linux distributors have room for improvement in providing better security defaults.
One thought on “How to harden RHEL systems”
I agree, the NSA guide is very good. It tries to find a good balance between functionality and security. I learned a lot just reading through it.
The warning banner is a requirement for most (if not all) government systems. If I understand the reasoning correctly, the idea is to eliminate any possibility that someone could gain access to the system and still claim that they didn't know they were accessing a government system and were subject to monitoring. I don't recall if the NSA guide gives exact wordings for the banner, but the required Dept of Defense statement is a couple of hundred words long and leaves no doubt that the system is not to be used by unauthorized personnel.