Archive:Docs/Drafts/CryptoGuide/BasicHardeningGuide
From FedoraProject
Documentation Summary
Purpose:
Audience:
Approach:
Assumptions:
Related Documents:
Lead Writer: EricChristensen
Basic Hardening Guide
Introduction
The National Security Agency (NSA) has developed two guides for hardening a default installation of Red Hat Enterprise Linux 5. Many of the tips provided in these guides are also valid for installations of Fedora. This Basic Hardening Guide will cover portions of the NSA's Hardening Tips and will explain why implementing these tips is important. This document does not represent the full NSA Hardening Guide.
As with any change to a system, these changes could cause unintended results. Changes should be evaluated for appropriateness on your system before implementing.
General Principles
From the NSA
- Encrypt all data transmitted over the network. Encrypting authentication information (such as passwords) is particularly important.
- Minimize the amount of software installed and running in order to minimize vulnerability.
- Use security-enhancing software and tools whenever available (e.g. SELinux and IPTables).
- Run each network service on a separate server whenever possible. This minimizes the risk that a compromise of one service could lead to a compromise of others.
- Maintain user accounts. Create a good password policy and enforce its use. Delete unused user accounts.
- Review system and application logs on a routine basis. Send logs to a dedicated log server. This prevents intruders from easily avoiding detection by modifying the local logs.
- Never log in directly as root, unless absolutely necessary. Administrators should use sudo to execute commands as root when required. The accounts capable of using sudo are specified in /etc/sudoers, which is edited with the visudo utility. By default, relevant logs are written to /var/log/secure.
Why is this important?
The General Principles from the NSA represent a best practices overview of security. There are items in the above list that probably won't be used by everyone and there are items missing that should be stressed as a best practice. Additional information on these ideas and others will be explained below.
Physical Security
Physical security of the system is of utmost importance. Many of the suggestions given here won't protect your system if the attacker has physical access to the system.
From the NSA
Configure the BIOS to disable booting from CDs/DVDs, floppies, and external devices, and set a password to protect these settings. Next, set a password for the GRUB bootloader. Generate a password hash using the command /sbin/grub-md5-crypt. Add the hash to the first line of /etc/grub.conf using password --md5 passwordhash. This prevents users from entering single user mode or changing settings at boot time.
Why this is important
An attacker could take complete control of your system by booting from an external source. By booting from an external source (e.g. a live Linux CD), many of the security settings are bypassed. If the attacker can modify the GRUB settings, they can boot into single user mode, which allows admin access to the system.
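As an added example (not from the NSA guide or the Fedora project), the following shell function audits a GRUB legacy configuration file for the password directive described above. The function names are hypothetical, and the sample files and the hash in them are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit a grub.conf-style file for the boot password directive.

# Print "ok", "unhashed" or "missing" for the file in $1. Only the global
# section (before the first "title" line) counts, since that is where the
# guide places the directive.
check_grub_password() {
    awk '
        /^[ \t]*#/          { next }   # ignore comments
        /^[ \t]*title[ \t]/ { exit }   # first menu entry ends the global section
        $1 == "password" {
            # MD5-crypt hashes from grub-md5-crypt start with "$1$"
            state = ($2 == "--md5" && $3 ~ /^\$1\$/) ? "ok" : "unhashed"
            exit
        }
        END { print (state == "" ? "missing" : state) }
    ' "$1"
}

# Constructed sample configs; the hash is a placeholder, not a real one.
write_samples() {
    cat > "$1/hardened.conf" <<'EOF'
password --md5 $1$CONSTRUCTED$PLACEHOLDERHASHVALUE000
default=0
timeout=5
title Fedora
    root (hd0,0)
EOF
    cat > "$1/plaintext.conf" <<'EOF'
default=0
password constructed-cleartext
title Fedora
    root (hd0,0)
EOF
    cat > "$1/missing.conf" <<'EOF'
default=0
# password --md5 commented out
title Fedora
    password --md5 $1$CONSTRUCTED$PLACEHOLDERHASHVALUE000
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in hardened plaintext missing; do
    printf '%s: %s\n' "$f" "$(check_grub_password "$tmp/$f.conf")"
done
rm -rf "$tmp"
```

On a real system the function would be pointed at /etc/grub.conf; anything other than "ok" means the directive from the guide is not in effect as described.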
What else can I do?
Fedora 9 supports LUKS encryption to protect data stored in a LUKS-encrypted partition. When you install Fedora 9, check the box to encrypt your file system when you set up your file system. Encrypting your root partition and your /home partition (or the single / partition if you accept the default file system) protects your data from attackers using an external source or booting into single user mode. Of course, you should use a strong passphrase to protect your data.

