nsa-rhel5-guide-i731.pdf

Guide to the Secure Configuration of
Red Hat Enterprise Linux 5
Revision 4.1
February 28, 2011
Operating Systems Division Unix Team
of the
Systems and Network Analysis Center
National Security Agency
9800 Savage Rd. Suite 6704
Ft. Meade, MD 20755-6704
Warnings
• Do not attempt to implement any of the recommendations in this guide without first testing in a non-production environment.
• This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore this guide does not address site-specific configuration concerns. Care must be taken when implementing this guide to address local operational and policy concerns.
• The security changes described in this document apply only to Red Hat Enterprise Linux 5. They may not translate gracefully to other operating systems.
• Internet addresses referenced were valid as of 1 Dec 2009.
Trademark Information
Red Hat is a registered trademark of Red Hat, Inc. Any other trademarks referenced herein are the property of their respective owners.
Change Log
Revision 4.1 is an update of Revision 4 dated September 14, 2010.
• Added section 2.2.2.6, Disable All GNOME Thumbnailers if Possible.
• Added Common Configuration Enumeration (CCE) identifiers to associated sections within the guide, and a note about CCE in section 1.2.4, Formatting Conventions.
• Updated section 2.3.3.2, Set Lockouts for Failed Password Attempts. There is no longer the need to add the pam_tally2 module into each program's PAM configuration file, or to comment out some lines from /etc/pam.d/system-auth. The pam_tally2 module can now be referenced directly from /etc/pam.d/system-auth.
• Corrected section 2.6.2.4.5 title from "Ensure auditd Collects Logon and Logout Events" to "Record Attempts to Alter Logon and Logout Event Information".
• Corrected section 2.6.2.4.6 title from "Ensure auditd Collects Process and Session Initiation Information" to "Record Attempts to Alter Process and Session Initiation Information".
Note: The above changes did not affect any of the section numbering.
Table of Contents
1 Introduction
1.1 General Principles
1.1.1 Encrypt Transmitted Data Whenever Possible
1.1.2 Minimize Software to Minimize Vulnerability
1.1.3 Run Different Network Services on Separate Systems
1.1.4 Configure Security Tools to Improve System Robustness
1.1.5 Least Privilege
1.2 How to Use This Guide
1.2.1 Read Sections Completely and in Order
1.2.2 Test in Non-Production Environment
1.2.3 Root Shell Environment Assumed
1.2.4 Formatting Conventions
1.2.5 Reboot Required
2 System-wide Configuration
2.1 Installing and Maintaining Software
2.1.1 Initial Installation Recommendations
2.1.1.1 Disk Partitioning
2.1.1.2 Boot Loader Configuration
2.1.1.3 Network Devices
2.1.1.4 Root Password
2.1.1.5 Software Packages
2.1.1.6 First-boot Configuration
2.1.2 Updating Software
2.1.2.1 Configure Connection to the RHN RPM Repositories
2.1.2.2 Disable the rhnsd Daemon
2.1.2.3 Obtain Software Package Updates with yum
2.1.3 Software Integrity Checking
2.1.3.1 Configure AIDE
2.1.3.2 Verify Package Integrity Using RPM
2.2 File Permissions and Masks
2.2.1 Restrict Partition Mount Options
2.2.1.1 Add nodev Option to Non-Root Local Partitions
2.2.1.2 Add nodev, nosuid, and noexec Options to Removable Storage Partitions
2.2.1.3 Add nodev, nosuid, and noexec Options to Temporary Storage Partitions
2.2.1.4 Bind-mount /var/tmp to /tmp
2.2.2 Restrict Dynamic Mounting and Unmounting of Filesystems
2.2.2.1 Restrict Console Device Access
2.2.2.2 Disable USB Device Support
2.2.2.3 Disable the Automounter if Possible
2.2.2.4 Disable GNOME Automounting if Possible
2.2.2.5 Disable Mounting of Uncommon Filesystem Types
2.2.2.6 Disable All GNOME Thumbnailers if Possible
2.2.3 Verify Permissions on Important Files and Directories
2.2.3.1 Verify Permissions on passwd, shadow, group and gshadow Files
2.2.3.2 Verify that All World-Writable Directories Have Sticky Bits Set
2.2.3.3 Find Unauthorized World-Writable Files
2.2.3.4 Find Unauthorized SUID/SGID System Executables
2.2.3.5 Find and Repair Unowned Files
2.2.3.6 Verify that All World-Writable Directories Have Proper Ownership
2.2.4 Restrict Programs from Dangerous Execution Patterns
2.2.4.1 Set Daemon umask
2.2.4.2 Disable Core Dumps
2.2.4.3 Enable ExecShield
2.2.4.4 Enable Execute Disable (XD) or No Execute (NX) Support on 32-bit x86 Systems
2.2.4.5 Configure Prelink
2.3 Account and Access Control
2.3.1 Protect Accounts by Restricting Password-Based Login
2.3.1.1 Restrict Root Logins to System Console
2.3.1.2 Limit su Access to the Root Account
2.3.1.3 Configure sudo to Improve Auditing of Root Access
2.3.1.4 Block Shell and Login Access for Non-Root System Accounts
2.3.1.5 Verify Proper Storage and Existence of Password Hashes
2.3.1.6 Verify that No Non-Root Accounts Have UID 0
2.3.1.7 Set Password Expiration Parameters
2.3.1.8 Remove Legacy '+' Entries from Password Files
2.3.2 Use Unix Groups to Enhance Security
2.3.2.1 Create a Unique Default Group for Each User
2.3.2.2 Create and Maintain a Group Containing All Human Users
2.3.3 Protect Accounts by Configuring PAM
2.3.3.1 Set Password Quality Requirements
2.3.3.2 Set Lockouts for Failed Password Attempts
2.3.3.3 Use pam_deny.so to Quickly Deny Access to a Service
2.3.3.4 Restrict Execution of userhelper to Console Users
2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
2.3.3.6 Limit Password Reuse
2.3.3.7 Remove the pam_ccreds Package if Possible
2.3.4 Secure Session Configuration Files for Login Accounts
2.3.4.1 Ensure that No Dangerous Directories Exist in Root's Path
2.3.4.2 Ensure that User Home Directories are not Group-Writable or World-Readable
2.3.4.3 Ensure that User Dot-Files are not World-writable
2.3.4.4 Ensure that Users Have Sensible Umask Values
2.3.4.5 Ensure that Users do not Have .netrc Files
2.3.5 Protect Physical Console Access
2.3.5.1 Set BIOS Password
2.3.5.2 Set Boot Loader Password
2.3.5.3 Require Authentication for Single-User Mode
2.3.5.4 Disable Interactive Boot
2.3.5.5 Implement Inactivity Time-out for Login Shells
2.3.5.6 Configure Screen Locking
2.3.5.7 Disable Unnecessary Ports
2.3.6 Use a Centralized Authentication Service
2.3.7 Warning Banners for System Accesses
2.3.7.1 Modify the System Login Banner
2.3.7.2 Implement a GUI Warning Banner
2.4 SELinux
2.4.1 How SELinux Works
2.4.2 Enable SELinux
2.4.2.1 Ensure SELinux is Properly Enabled
2.4.3 Disable Unnecessary SELinux Daemons
2.4.3.1 Disable and Remove SETroubleshoot if Possible
2.4.3.2 Disable MCS Translation Service (mcstrans) if Possible
2.4.3.3 Restorecon Service (restorecond)
2.4.4 Check for Unconfined Daemons
2.4.5 Check for Unlabeled Device Files
2.4.6 Debugging SELinux Policy Errors
2.4.7 Further Strengthening
2.4.7.1 Strengthen the Default SELinux Boolean Configuration
2.4.7.2 Use a Stronger Policy
2.4.8 SELinux References
2.5 Network Configuration and Firewalls
2.5.1 Kernel Parameters which Affect Networking
2.5.1.1 Network Parameters for Hosts Only
2.5.1.2 Network Parameters for Hosts and Routers
2.5.1.3 Ensure System is Not Acting as a Network Sniffer
2.5.2 Wireless Networking
2.5.2.1 Remove Wireless Hardware if Possible
2.5.2.2 Disable Wireless Through Software Configuration
2.5.3 IPv6
2.5.3.1 Disable Support for IPv6 unless Needed
2.5.3.2 Configure IPv6 Settings if Necessary
2.5.4 TCP Wrapper
2.5.4.1 How TCP Wrapper Protects Services
2.5.4.2 Reject All Connections From Other Hosts if Appropriate
2.5.4.3 Allow Connections Only From Hosts in This Domain if Appropriate
2.5.4.4 Monitor Syslog for Relevant Connections and Failures
2.5.4.5 Further Resources
2.5.5 Iptables and Ip6tables
2.5.5.1 Inspect and Activate Default Rules
2.5.5.2 Understand the Default Ruleset
2.5.5.3 Strengthen the Default Ruleset
2.5.5.4 Further Strengthening
2.5.5.5 Further Resources
2.5.6 Secure Sockets Layer Support
2.5.6.1 Create a CA to Sign Certificates
2.5.6.2 Create SSL Certificates for Servers
2.5.6.3 Enable Client Support
2.5.6.4 Further Resources
2.5.7 Uncommon Network Protocols
2.5.7.1 Disable Support for DCCP
2.5.7.2 Disable Support for SCTP
2.5.7.3 Disable Support for RDS
2.5.7.4 Disable Support for TIPC