Are you a spammer

Please note, that the first 3 posts you make, will need to be approved by a forum Administrator or Moderator before they are publicly viewable.
Each application to join this forum is checked at the Stop Forum Spam website. If the email or IP address appears there when checked, you will not be allowed to join this forum.
If you get past this check and post spam on this forum, your posts will be immediately deleted and your account inactivated.You will then be banned and your IP will be submitted to your ISP, notifying them of your spamming. So your spam links will only be seen for an hour or two at most. In other words, don't waste your time and ours.

This forum is for the use and enjoyment of the members and visitors looking to learn about and share information regarding the topics listed. It is not a free-for-all advertising venue. Your time would be better spent pursuing legitimate avenues of promoting your websites.

Securing your RPM Based Distro's

Build it and learn to secure your system/server.

Securing your RPM Based Distro's

Postby Micro » Wed Apr 17, 2013 3:41 pm

I was recently asked by a friend on how to secure data and ensure network integrity for a new department he was adding to his small business. He is currently running CentOS Boxes. So I thought I'd share a piece of my instructions and hope that someone may have some interest in them. ;) Although I've implemented much much more, here are just a few Security Measures and Instructions for your RPM Based Distro's. Keep in mind that these may not translate to all Linux based OS's:


***Encrypt your swap space. When memory is low, the kernel will swap the contents of the page to the swap space. The contents of this page can include such sensitive contents as your bank PIN, your passwords or GPG passphrase. This information is in cleartext which means an attacker can read the contents at their leisure. Encrypting your swap space protects its contents against unauthorized reading and various forensic attacks should your machine be removed from your possession and/or compromised.

***Be sure to set a boot loader passwords prevent local users with direct physical access from changing system startup configurations. From the boot menu, any user can easily login into a single user mode without the password which might result into compromise system security.

Certain system directories need to be put on their own partition to protect data.

/tmp is world -writable directory that is used by software to temporary store large files. If parted be sure to give it adequate space or atleast 5GB

/var is a directory stores frequently changing data and is used by services and daemons and may contain world-writable directories. (Yum uses /var to store data) If parted be sure to give it adequate space or atleast 5GB

***To be even more precise you can part /var/log and /var/log/audit also.

/home contains a a subdirectory for each user's settings and files which contain all the data & settings of that user. It should be parted enless your /home will be mounted from nfs server or other external mountpoint. This will allow for ease of future system upgrades.

Verify Package Integrity Using RPM

The RPM package management system includes the ability to verify the integrity of installed packages by com-
paring the installed files with information about the files taken from the package metadata stored in the RPM
database. To determine which files on the system differ from what is expected by the RPM database:

Code: Select all
# rpm -qVa

A “c” in the second column indicates that a file is a configuration file (and may be expected to change). In
order to exclude configuration files from this list, run:

Code: Select all
# rpm -qVa | awk '$2!="c" {print $0}'

File Permissions and Masks

Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from
reading or modifying files to which they should not have access. Adhere to the principle of least privilege —
configure each file, directory, and filesystem to allow only the access needed in order for that file to serve its
purpose. However, Linux systems contain a large number of files, so it is often prohibitively time-consuming to ensure that
every file on a machine has exactly the permissions needed.

The following command prints a list of ext2,ext3 and ext4 partitions on a given machine:

Code: Select all
# mount -t ext2,ext3,ext4 | awk '{print $3}'

If your local filesystem uses file types other than ext2,ext3, or ext4 you will need to modify this command.

Restrict Partition Mount Options

System partitions can be mounted with certain options which limit what files on those partitions can do. These
options are set in the file /etc/fstab, and can be used to make certain types of malicious behavior more difficult.

Add nodev Option to Non-Root Local Partitions

Edit the file /etc/fstab. The important columns are column 2 (mount point),
column 3 (filesystem type), and column 4 (mount options). For any line which satisfies all of the conditions:
The filesystem type is ext2, ext3, or ext4
The mount point is not /
add the text “,nodev” to the list of mount options in column 4.

The nodev option prevents users from mounting unauthorized devices on any partition which is known not to
contain any authorized devices. The root partition typically contains the /dev directory, which is the primary
location for authorized devices, so this option should not be set on /. However, if system programs are being
run in chroot jails, this advice may need to be modified further, since it is often necessary to create device
files inside the chroot directory for use by the restricted program.

Add nodev, nosuid, and noexec Options to Removable Storage Partitions

Edit the file /etc/fstab. Filesystems which represent removable media can be located by finding lines whose
mount points contain strings like floppy or cdrom. For each line representing a removable media mountpoint, add
the text noexec,nodev,nosuid to the list of
mount options in column 4.

Filesystems mounted on removable media also provide a way for malicious executables to potentially enter the
system, and should be mounted with options which grant least privilege. Users should not be allowed to introduce
arbitrary devices or setuid programs to a system. In addition, while users are usually allowed to add executable
programs to a system, the noexec option prevents code from being executed directly from the media itself, and
may therefore provide a line of defense against certain types of worms or malicious code.
Mount points in /etc/fstab may not exist on a modern system with typical hardware. The dynamic mounting
mechanism may be controlled through other means (which may or may not allow control of the mount options).
Adding noexec will cause problems if it is necessary in your environment to execute code from removable media,
though that behavior carries risks as well.

Add nodev, nosuid, and noexec Options to Temporary Storage Partitions

Temporary storage directories such as /tmp and /dev/shm potentially provide storage space for malicious exe-
cutables. Although mount options options cannot prevent interpreted code stored there from getting executed
by a program in another partition, using certain mount options can be disruptive to malicious code.

Add nodev, nosuid, and noexec Options to /tmp

Edit the file /etc/fstab. Add the text ,nodev,nosuid,noexec to the list of mount options in column 4.

Add nodev, nosuid, and noexec Options to /dev/shm

Edit the file /etc/fstab. Add the text ,nodev,nosuid,noexec to the list of mount options in column 4.

Code: Select all
Bind-mount /var/tmp to /tmp

Edit the file /etc/fstab. Add the following line:

0 0

This line will bind-mount the world-writeable /var/tmp directory onto /tmp, using the restrictive mount options
Thermaltake Series Core X9 SPCC E-ATX Cube Case
CORSAIR Vengeance LPX 64GB Quad Channel DDR4
EVGA 120-G1-0750-XR 80 PLUS GOLD 750W PSU
APC BR1300G Back-UPS Pro 780W/1300VA UPS
ASRock X99 Extreme4 LGA X99 Motherboard
OC-Intel Core i7-5820K @ 4.1GHz × 12
Corsair H100i V2 CPU Cooler. 240mm
Kernel Linux 4.6.4-1-ARCH x86_64
MATE Desktop Environment 1.12.1
OS - SAMSUNG 950 PRO M.2 512GB
NVIDIA GeForce GTX750 Ti
ViewSonic PJD7820HD
OS - Filesystem F2FS
Arch Linux
User avatar
Site Admin
Posts: 485
Joined: Tue Apr 24, 2012 1:16 pm
Age: 40
Operating System: Other Linux

Re: Securing your RPM Based Distro's Part 1

Postby Ironmahn » Wed Apr 17, 2013 8:29 pm

I can see this also helping to protect some users from making mistakes with limiting permissions. Nice write up on plugging some security holes indeed.

CPU: AMD FX-8320 Vishera w/ COOLER MASTER Hyper 212 EVO
MEM: G.SKILL Ares Series 16GB (2x 8GB) 1866 MHz
VID: XFX Radeon HD 7850 PCI Express 3.0
HDD: Mushkin Enhanced Chronos Deluxe 240GB (SSD)
OS: Ultimate Edition 3.4 Lite 64-bit
User avatar
Site Admin
Posts: 62
Joined: Sun Oct 28, 2007 9:22 pm
Location: U.S.A.
Operating System: Ultimate Edition Developer

Return to Server and Security

Who is online

Users browsing this forum: No registered users and 1 guest