RHEL 6 OS Hardening procedure
Hi
I am new to the Linux environment. We have started setting up RHEL servers and, as part of going forward, we are looking for ways to harden the RHEL 6 OS that we are going to use. We are not going to use these servers in a domain environment. These servers will be standalone.
Could some experts from the Linux community let me know the simple and best procedure to get the OS hardened?
Looking forward to some assistance from the community.
Regards
Jo
Responses
Depends on the application...but some basic things you can do...
1) Enable IPTables
2) Leave SELinux in enforcing mode
3) Make use of /etc/security/access.conf
4) Use TCPWrappers when you can
Rule of thumb is, the more layers, the better.
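As an added example (not code from the thread or from any of the posters), here is a read-only shell audit of the four layers listed above, written against the RHEL 6 file locations (/etc/selinux/config, /etc/sysconfig/iptables, /etc/security/access.conf, /etc/hosts.deny). The check names, the `--live` flag and the pass criteria are my own choices, not anything the thread prescribes.

```shell
#!/bin/sh
# Added audit for the four layers above (example code, not from the thread).
# Each check takes the file to inspect as $1, so it can be run against a copy
# or a test fixture, and returns 0 only when the hardened setting is present.

# SELinux boot-time mode is set in /etc/selinux/config
check_selinux_enforcing() {
    grep -Eq '^[[:space:]]*SELINUX=enforcing[[:space:]]*$' "$1" 2>/dev/null
}

# Saved ruleset in /etc/sysconfig/iptables: look for a default-deny policy
# line ":INPUT DROP [0:0]" (a trailing REJECT rule instead would not pass)
check_iptables_input_drop() {
    grep -Eq '^:INPUT DROP ' "$1" 2>/dev/null
}

# pam_access rules in /etc/security/access.conf: the last non-comment line
# should be the catch-all "- : ALL : ALL" so unlisted logins are refused
check_access_conf_default_deny() {
    last=$(grep -Ev '^[[:space:]]*(#|$)' "$1" 2>/dev/null | tail -n 1 | tr -d '[:space:]')
    [ "$last" = "-:ALL:ALL" ]
}

# TCP wrappers: "ALL: ALL" in /etc/hosts.deny closes every wrapped service
# to clients not named in /etc/hosts.allow
check_hosts_deny_all() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1" 2>/dev/null
}

# Run one check by name against one file, print PASS/FAIL, pass on its status
report() {
    if "$1" "$2"; then echo "PASS $1 $2"; return 0; fi
    echo "FAIL $1 $2"; return 1
}

# Audit the live host; the return value is the number of failed checks
audit_host() {
    fails=0
    report check_selinux_enforcing /etc/selinux/config || fails=$((fails + 1))
    report check_iptables_input_drop /etc/sysconfig/iptables || fails=$((fails + 1))
    report check_access_conf_default_deny /etc/security/access.conf || fails=$((fails + 1))
    report check_hosts_deny_all /etc/hosts.deny || fails=$((fails + 1))
    return "$fails"
}

# Only touch the real files when asked to: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then audit_host; fi
```

The checks read configuration files only; they do not report the running state (`getenforce`, `iptables -L`), so a host that was switched to permissive at runtime will still pass the SELinux check.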
Check this CIS benchmark: http://benchmarks.cisecurity.org/downloads/show-single/?file=rhel6.120 for hardening guide.
Also install OSSEC HIDS and SNORT
br,
Eero
I follow the CIS benchmarks, but there are also other good standards out there.
Have a look at: https://fedorahosted.org/aqueduct/ to see links to other hardening guidelines. The Aqueduct project aims to script the necessary changes to allow automated builds to be hardened without (too much) Sys Admin intervention.
There's also a good kickstart project on github: https://github.com/major/securekickstarts to give as much of the CIS guidelines straight from a kickstart.
Cheers
Duncan
how about: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/pdf/Security_Guide/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf
Eero
Hardening your system is a skill that will hopefully get better over time. The basic problem facing you is that you need to balance the security of the system with usability. For example, the easiest and most effective way to secure your system would be to disconnect it from the internet, or any other network. Now you're 100% secure from outside attackers ... but your users are most likely very disappointed with this solution :)
The point is that you need to have patience with yourself and get comfortable with the idea that you're not going to become an expert by next week. I would start with the Benchmarks for Internet Security - they publish "Benchmarks" which are guides detailing how you can secure your system. Also, the OpenSCAP Fedora project provides a useful tool for auditing your system for compliance.
In general, your basic philosophy is like this:
- Disable unneeded services
- Ensure logging is configured correctly - if you can't get information on system activity then it probably isn't set up correctly
- Outline user roles which will inform the type of access controls you use
And please, for the love of god, when you see some error about "sealert" don't just run 'setenforce 0' since that's the first solution you saw on a forum. You're making somebody cry, and SELinux is a very useful tool to know.
nice response!
Jo - everyone else has already mentioned a number of resources (and I will do the same ;-)
Red Hat Enterprise Security Network Services (RHS333)
http://www.redhat.com/training/courses/rhs333/
I believe if you ask most folks which was the most challenging course on their way to an RHCA, they will tell you the security portion ;-) So, prepare to feel challenged.
Also - and I will WARN you... these products can impact your remote systems... you can look into independent tools to analyze your systems. Nessus, TripWire, etc. Most of them have (or had) free versions but I have not worked directly with those products in a while. Search for "pentest" as in Penetration Test and I'm sure a few products will catch your eye.
The RHS333 course was discontinued. (I think the last public run is this week in DC.)
333 was replaced by the RH413 Server Hardening course.
Hi,
Take also look at http://www.redhat.com/training/courses/rh413/ (server hardening course).
From a remote point of view you can use nmap and openvas (or nessus) to evaluate the security status of your server.
Eero
Hello Jo, I am also quite new to RHEL. As such I remember stumbling and fumbling with Windows. So when I started with Red Hat I purchased the three year support (premium level); yes, it's a bit pricey. But it gives you access to an engineer who looks the situation over and walks you through the process, explains everything and answers questions. My best to you, let me know how it goes -Sam
Also http://www.bastille-linux.org (bastille linux) might be the easiest way for a newbie, but be careful with it.
For the benefit of the thread (and likely not the OP due to my late arrival), can I suggest the following guide:
http://iase.disa.mil/stigs/os/unix/red_hat.html (Red Hat 6 STIG - Version 1 Release 2)
This is a great guide to use as it explains why configuration changes should be made when a lot of the automated tools people use just tell you to change the config without any additional information.
I would suggest the SCAP-SECURITY-GUIDE group. It is for RHEL6, and has a lot of effort behind it. Works great with openscap.
https://fedorahosted.org/scap-security-guide/
For those dealing with IAVAs, there is a 'magic decoder ring' to translate CVEs to IAVAs (that is updated too) at http://iase.disa.mil/stigs/iavm-cve.html
