
Securing Red Hat Linux (Step-by-Step Security Guide/HOWTO), http://www.blacksheepnetworks.com/security/resources/redhat-7.3-securi...

Werner Puschitz
Last fiddled: July 7, 2002.
For information on Red Hat Linux, Installation, Documentation, Kernel, Oracle, and Linux in general,
see www.puschitz.com.

Securing Red Hat Linux 7.3


This is a work in progress and is NOT completed! Actually, I started to write this article only a few days ago.
This article will become a step-by-step procedure for securing a Red Hat Linux server.
If you are interested in Oracle9i on Red Hat Linux 7.x, check my other article.

General
Log Files

Errors and system messages:

/var/log/dmesg (kernel boot messages)
/var/log/boot.log (boot-time messages from the init scripts, syslog facility local7)
/var/log/messages (system messages)
...

Authentication Files:

/var/run/utmp (currently logged-in users; binary, read by who and w)
/var/log/wtmp (login and logout history; binary, read by last and ac)
/var/log/btmp (failed login attempts; binary, read by lastb)
/var/log/secure (authentication messages from syslog facility authpriv: login, su, sshd, PAM)
/var/log/lastlog (time of each user's last login; binary, read by lastlog)

Server-specific Logs:

/var/log/xferlog (wu-ftpd file transfer log)
/var/log/maillog (sendmail log)
/var/log/pacct (process accounting records, written by the psacct package)
...

Connect Accounting Utilities

Here is a list of commands you can use to get data about user logins:

who       Shows a listing of currently logged-in users. This command reads /var/run/utmp.
w         Shows who is logged on and what they are doing.
last      Shows a list of the last logged-in users, including login time, logout time, etc. This command
          reads /var/log/wtmp.
lastb     Same as last, except that by default it shows the contents of /var/log/btmp, which records all
          the bad login attempts. Note that btmp is only written if the file already exists; create it with
          "touch /var/log/btmp" and "chmod 600 /var/log/btmp" if it is missing (it must not be world-readable,
          because passwords mistyped into the login prompt end up in it as user names).
lastlog   Reports the data maintained in /var/log/lastlog, which is a record of the last time each user
          logged in.
ac        Prints out the connect time in hours on a per-user basis, per-day basis, etc. This command reads
          /var/log/wtmp.
dump-utmp Converts the raw data from /var/run/utmp or /var/log/wtmp into an ASCII-parsable format.
ftpwho    Displays all active wu-ftpd users and their current process information on the system. The output
          is in the format of the "/bin/ps" command.
ftpcount  A simplified version of ftpwho; shows only the current number of ftp users logged in to the system
          and the maximum number of users allowed.
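The commands above are interactive. On a server you also want to scan /var/log/secure, the text log where sshd and login record the same failures that lastb reads from /var/log/btmp, and summarize them by source. The following is an added example, not code from the original article: it runs awk over constructed sample lines written in the format sshd and the PAM-enabled login used on Red Hat Linux 7.3. The host name srv1, the addresses, the user names and the threshold are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: summarize failed logins in /var/log/secure.
# SAMPLE_SECURE is constructed test data (host srv1, addresses from the
# documentation ranges); on a real server read /var/log/secure instead.
SAMPLE_SECURE='Jul  7 10:15:01 srv1 sshd[1201]: Failed password for root from 192.0.2.10 port 4711 ssh2
Jul  7 10:15:03 srv1 sshd[1201]: Failed password for root from 192.0.2.10 port 4712 ssh2
Jul  7 10:15:05 srv1 sshd[1203]: Failed password for illegal user admin from 192.0.2.10 port 4713 ssh2
Jul  7 10:16:40 srv1 sshd[1210]: Accepted password for wernerp from 198.51.100.7 port 2200 ssh2
Jul  7 10:17:02 srv1 sshd[1215]: Failed password for wernerp from 198.51.100.7 port 2201 ssh2
Jul  7 10:20:11 srv1 login(pam_unix)[1300]: authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=  user=root
Jul  7 10:21:00 srv1 su(pam_unix)[1320]: session opened for user root by wernerp(uid=500)'

# Failed sshd password attempts per source address, most frequent first.
# Output lines: "<count> <address>".
failed_ssh_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            # the address is the word after "from"; this also covers
            # "Failed password for illegal user NAME from ADDR"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (a in fails) printf "%d %s\n", fails[a], a }
    ' | sort -rn
}

# Source addresses with at least $1 failed sshd attempts (brute-force candidates).
sources_over_threshold() {
    failed_ssh_by_source | awk -v min="$1" '$1 >= min { print $2 }'
}

# Number of failed sshd password attempts against root, the account that
# should never be reachable over the network with a password anyway.
root_password_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for root from / { n++ } END { print n + 0 }'
}

# Console (login) authentication failures, which an sshd-only check would miss.
console_auth_failures() {
    awk '/ login\(pam_unix\)\[[0-9]+\]: authentication failure;/ { n++ } END { print n + 0 }'
}

# Usage on a real system:  sources_over_threshold 5 < /var/log/secure
printf '%s\n' "$SAMPLE_SECURE" | failed_ssh_by_source
```

The threshold is a policy choice; three failures from one address in a few seconds is already a scan, but a legitimate user fumbling a password can produce the same pattern, so treat the output as a list to investigate rather than to block blindly.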

RedHat Package Manager (RPM)

You should make sure that you remove all packages you don't need on a production server (e.g. compilers,
development packages, X, etc.). Every package you remove is code an attacker cannot use once on the box, and
one less thing to keep patched.

Here are some basic RPM options for maintaining packages. Note that installing takes the .rpm file name,
while removing and querying take the name of the installed package (e.g. "sendmail", not
"sendmail-<version>.i386.rpm"); use -qip and -qlp to query a .rpm file that is not installed.

To install an RPM package:
rpm -ivh package_name.rpm
To delete an installed RPM package:
rpm -e package_name
To check what would happen if a package were deleted (dependency checks etc.) without deleting it:
rpm -e --test package_name
To install an RPM package, or upgrade it to a newer version if it is already installed:
rpm -Uvh package_name.rpm
To upgrade an RPM package only if an earlier version is currently installed:
rpm -Fvh package_name.rpm
To query for all installed packages:
rpm -qa
To get package information about a specific installed package:
rpm -qi package_name
To list all files and directories that belong to an installed RPM package:
rpm -ql package_name
To query for the package that owns a specific file on your server:
rpm -qf /bin/ls
To verify that the files of an installed package are unchanged (size, MD5 checksum, permissions, owner, etc.)
against the RPM database:
rpm -V package_name
To verify every installed package (useful after a suspected compromise, keeping in mind that an attacker with
root can also modify the RPM database itself):
rpm -Va
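To act on the advice above you need the installed package list reduced to bare names, so it can be matched against what a production server should not carry and handed to rpm -e --test before anything is removed. The following is an added example, not code from the original article: it works over a constructed rpm -qa listing. The package names, the version strings (chosen to look like 7.3-era packages, not copied from a real system) and the pattern set are assumptions; adjust the patterns to the server's role.

```shell
#!/bin/sh
# Added example: find installed packages that do not belong on a production
# server. SAMPLE_RPM_QA is constructed "rpm -qa" output (name-version-release);
# on a real server use the output of "rpm -qa" itself.
SAMPLE_RPM_QA='gcc-2.96-110
glibc-2.2.5-34
glibc-devel-2.2.5-34
make-3.79.1-8
XFree86-4.2.0-8
XFree86-libs-4.2.0-8
openssh-server-3.1p1-3
sendmail-8.11.6-15
kernel-headers-2.4.18-3
binutils-2.11.93.0.2-11
cpp-2.96-110
bash-2.05a-13'

# Patterns for packages to remove (assumed policy: compilers, development
# headers and libraries, the X Window System). Adjust to the server's role.
UNWANTED_PATTERNS='^gcc$ ^gcc- ^cpp$ ^make$ ^binutils$ -devel$ -headers$ ^XFree86'

# "name-version-release" -> "name": drop the last two dash-separated fields.
# RPM forbids dashes in version and release, so dashes only occur inside
# the name part and stripping the last two fields is safe.
rpm_names() {
    sed 's/-[^-]*-[^-]*$//'
}

# Reads "rpm -qa" output on stdin, prints the names matching UNWANTED_PATTERNS.
unwanted_packages() {
    rpm_names | while IFS= read -r name; do
        for pat in $UNWANTED_PATTERNS; do
            if printf '%s\n' "$name" | grep -q -- "$pat"; then
                printf '%s\n' "$name"
                break
            fi
        done
    done
}

# Builds the dry-run command to check dependencies before removing anything,
# so a careless pattern cannot pull out a library the server still needs.
removal_test_command() {
    names=$(unwanted_packages | tr '\n' ' ')
    printf 'rpm -e --test %s\n' "$names"
}

# Usage on a real server:
#   rpm -qa | removal_test_command        # review, then run the printed line
#   rpm -qa | unwanted_packages | xargs rpm -e
printf '%s\n' "$SAMPLE_RPM_QA" | removal_test_command
```

Always run the printed rpm -e --test line first and read its dependency complaints; a pattern like -devel$ is safe, but ^make$ can break locally built software that a cron job still relies on.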

The /etc/inittab File


"Control-Alt-Del"

You might want to disable the "Control-Alt-Del" key sequence, so that anyone with access to the console
cannot simply reboot the server. To do that, make sure the following line in /etc/inittab is commented out:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Make sure that the change becomes effective immediately by invoking the following command:
init q

"Single User Mode Password"

Some recommend adding, for example, the following line to the /etc/inittab file to ensure that the root
password is required for a Single User Mode logon:
~~:S:wait:/sbin/sulogin
But on its own this gives a false sense of security. When you boot into Single User Mode, it will certainly
ask for the root password, but it is too easy to get around: instead of "linux single", anyone at the console
can boot with "linux init=/bin/bash", which runs a shell as PID 1 instead of init and never asks for a
password. The line does no harm, but it only closes the door if the boot loader is also locked down so that
kernel parameters cannot be changed without a password (LILO: "restricted" and "password=" in
/etc/lilo.conf, then chmod 600 the file because the password is stored in clear text; GRUB: a "password"
line in /boot/grub/grub.conf, which can hold an MD5 hash).
Your server should be physically secured anyway.

Services
To get a list of all services known to chkconfig, with their on/off state in each runlevel, followed by the
services managed by xinetd, execute the following command:
chkconfig --list
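chkconfig --list prints every service with its state per runlevel and then the xinetd-managed services, and the check you actually want is which of them are on that you did not intend. The following is an added example, not code from the original article: it parses constructed chkconfig --list output and reports the services enabled at runlevel 3 or under xinetd that are missing from an allowlist passed as arguments. The sample services and the allowlist are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit "chkconfig --list" output against an allowlist.
# SAMPLE_CHKCONFIG is constructed; on a real server pipe "chkconfig --list"
# into the functions below. Columns are separated by tabs or spaces.
SAMPLE_CHKCONFIG='anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
xfs             0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        telnet: on
        wu-ftpd:        on
        rsync:  off'

# SysV services that are "on" in the runlevel given as $1 (3 = multi-user
# without X, the usual server runlevel). Lines look like
# "name  0:off 1:off 2:on 3:on 4:on 5:on 6:off".
sysv_enabled_at() {
    awk -v rl="$1" '
        /^[[:alnum:]_.-]+[[:space:]]+0:/ {
            for (i = 2; i <= NF; i++) if ($i == (rl ":on")) print $1
        }'
}

# xinetd-managed services that are "on"; they follow the
# "xinetd based services:" marker as "name: on|off".
xinetd_enabled() {
    awk '
        /^xinetd based services:/ { inx = 1; next }
        inx && $2 == "on" { sub(/:$/, "", $1); print $1 }'
}

# Everything enabled (runlevel 3 or xinetd) that is not in the allowlist
# given as arguments. Reads chkconfig output on stdin, prints sorted names.
unexpected_services() {
    input=$(cat)
    allow=" $* "
    {
        printf '%s\n' "$input" | sysv_enabled_at 3
        printf '%s\n' "$input" | xinetd_enabled
    } | while IFS= read -r svc; do
        case "$allow" in
            *" $svc "*) ;;                  # explicitly allowed
            *) printf '%s\n' "$svc" ;;
        esac
    done | sort
}

# Usage on a real server (the allowlist is an assumption; fit it to the machine):
#   chkconfig --list | unexpected_services sshd syslog anacron crond
# then for each reported service:  chkconfig NAME off ; service NAME stop
printf '%s\n' "$SAMPLE_CHKCONFIG" | unexpected_services sshd syslog anacron
```

Note that "chkconfig NAME off" only changes what starts at the next boot; the running daemon must be stopped separately, and for xinetd services xinetd has to be reloaded.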

TO BE CONTINUED... :-)

TCP Wrapper
TO BE CONTINUED... :-)

Settings for /etc/passwd and /etc/shadow


The following files and parameters are used when a new account is created with the Linux command
'useradd'. The settings are recorded for each user account in the files /etc/passwd and /etc/shadow, and they
are applied only at account creation time, so it is important to have the following changes in place before
adding any user accounts on the server (existing accounts have to be adjusted afterwards with chage or
usermod). Here is an example:

File                  Parameter      Value      Description
/etc/login.defs       PASS_MAX_DAYS  58         Maximum number of days a password is valid
/etc/login.defs       PASS_MIN_DAYS  7          Minimum number of days allowed between password changes
/etc/login.defs       PASS_WARN_AGE  7          Number of days of warning given before a password expires
/etc/login.defs       UID_MIN        500        Min value for automatic UID selection
/etc/login.defs       GID_MIN        500        Min value for automatic GID selection
/etc/login.defs       PASS_MIN_LEN   n/a        Minimum acceptable password length. This does NOT work on a
                                                PAM system; it is superseded by the "minlen" parameter of the
                                                PAM module pam_cracklib in /etc/pam.d/system-auth.
/etc/default/useradd  GROUP          100        Default primary group, used when no user private group is
                                                created (useradd -n, see below)
/etc/default/useradd  HOME           /home      Default user home location
/etc/default/useradd  INACTIVE       14         Number of days after a password has expired during which the
                                                user can still log in and change it; after that the account
                                                is locked
/etc/default/useradd  EXPIRE                    Expiration date of an account in the format YYYY-MM-DD
                                                (empty = never)
/etc/default/useradd  SHELL          /bin/bash  Default shell
/etc/default/useradd  SKEL           /etc/skel  Default profile (skeleton) directory

When a new user account is created with useradd, some of these settings are recorded in the /etc/passwd
and /etc/shadow files as follows:

/etc/passwd:
<username>:x:UID_MIN+:GROUP:<GECOS>:HOME/<username>:SHELL

/etc/shadow:
<username>:<password>:<date>:PASS_MIN_DAYS:PASS_MAX_DAYS:PASS_WARN_AGE:INACTIVE:EXPIRE:

The "x" in /etc/passwd means the password hash lives in /etc/shadow, which must stay readable by root only
(mode 0400 or 0600). <date> is the day of the last password change and EXPIRE the expiration day, both
counted in days since 1970-01-01; the trailing empty field is reserved.
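The shadow fields above only mean something together with today's date, so here is an added example, not code from the original article, that reads entries in exactly that format and tells, for a given day number, whether each password is fine, inside its warning window, overdue, locked by INACTIVE, or whether the account has passed EXPIRE. The entries are constructed with the values from the table above; the user names and hashes are made up, and the day numbers are chosen for the illustration.

```shell
#!/bin/sh
# Added example: evaluate /etc/shadow aging fields for a given day.
# SAMPLE_SHADOW is constructed (fake hashes, aging values from the table above).
# Field order: name:password:lastchg:min:max:warn:inactive:expire:reserved,
# with lastchg and expire counted in days since 1970-01-01.
SAMPLE_SHADOW='root:$1$rootsalt$0123456789abcdefghijk.:11875:0:99999:7:::
wernerp:$1$saltsalt$abcdefghijklmnopqrstu.:11875:7:58:7:14::
contractor:$1$xyzxyzxy$zyxwvutsrqponmlkjihgf.:11875:7:58:7:14:11900:
ftp:*:11875:0:99999:7:::'

# shadow_state ENTRY TODAY prints one word:
#   locked           password field starts with "*" or "!" (no password login)
#   account-expired  TODAY >= EXPIRE
#   locked-inactive  password overdue for more than INACTIVE days
#   must-change      password older than PASS_MAX_DAYS
#   warn             within PASS_WARN_AGE days of the deadline
#   never-expires    no max or max >= 99999, the value on stock accounts
#   ok               otherwise
# (min is read for completeness; it only limits how soon a user may change
# the password again and does not affect the state.)
shadow_state() {
    entry=$1 today=$2
    IFS=: read -r name pw lastchg min max warn inactive expire _ <<EOF
$entry
EOF
    case $pw in
        '*'*|'!'*) echo locked; return ;;
    esac
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        echo account-expired; return
    fi
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo never-expires; return
    fi
    days_left=$(( lastchg + max - today ))        # negative once overdue
    if [ -n "$inactive" ] && [ "$days_left" -lt $(( -inactive )) ]; then
        echo locked-inactive
    elif [ "$days_left" -lt 0 ]; then
        echo must-change
    elif [ -n "$warn" ] && [ "$days_left" -le "$warn" ]; then
        echo warn
    else
        echo ok
    fi
}

# shadow_aging_report TODAY reads shadow entries on stdin and prints
# "name state" per account. Today's day number on a live system is
# $(( $(date +%s) / 86400 )).
shadow_aging_report() {
    today=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s %s\n' "${line%%:*}" "$(shadow_state "$line" "$today")"
    done
}

# Usage on a real server (as root):
#   shadow_aging_report $(( $(date +%s) / 86400 )) < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | shadow_aging_report 11930
```

The "never-expires" result is the one to look for: accounts created before PASS_MAX_DAYS was lowered keep the stock 99999 and need "chage -M 58 user" (or the value you chose) by hand, since login.defs is consulted only by useradd.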

Here is an example how to add a user with the useradd command:

useradd -n -c "Werner Puschitz" -G wheel wernerp

-n specifies that no user private group (a group with the same name as the user) should be created; the
user's primary group will instead be the default GROUP from /etc/default/useradd, i.e. "users" (GID 100).
-c specifies the full name of the user (the GECOS field).
-G wheel specifies that the user will be added to the supplementary group "wheel". Once pam_wheel is enabled
in /etc/pam.d/su (it is commented out by default), only members of the "wheel" group will be able to switch
to the user root with the "su" command; without it, group membership changes nothing and anyone who knows
the root password can su. See the PAM section below for the pam_wheel setting that enforces this restriction.

Pluggable Authentication Modules (PAM)


/etc/pam.d/su: /lib/security/pam_wheel.so parameters

This PAM module permits authentication as root via su to members of the wheel group only. Ensure that the
following line is present in /etc/pam.d/su and not commented out (in the stock file it is preceded by a "#"):

auth       required     /lib/security/pam_wheel.so use_uid

The "use_uid" parameter makes the module check the real UID of the process calling su instead of the user
name returned by getlogin(3), which comes from utmp and can be stale or spoofed. Do not confuse this line
with the "sufficient ... trust" variant in the same file, which lets wheel members su without a password and
restricts nobody.
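In the stock /etc/pam.d/su the pam_wheel line is present but commented out, so membership in wheel enforces nothing until it is uncommented. The following is an added example, not code from the original article: it checks a su PAM file for an active pam_wheel line, distinguishes the "required" form above from the weaker "sufficient ... trust" form, and shows the one-line sed edit that turns the stock file into the enforcing one. The sample file is constructed, modeled on the Red Hat Linux 7.3 default.

```shell
#!/bin/sh
# Added example: check and enable pam_wheel in /etc/pam.d/su.
# SAMPLE_PAM_SU is a constructed copy modeled on the stock Red Hat Linux 7.3
# file, where both pam_wheel lines ship commented out.
SAMPLE_PAM_SU='#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/pam_wheel.so use_uid
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_xauth.so'

# pam_wheel_status reads a su PAM file on stdin and prints one of:
#   enforced                  active "auth required pam_wheel.so use_uid"
#   enforced-without-use_uid  required, but the caller is identified via
#                             getlogin(3) instead of the real uid
#   trust-only                only "sufficient ... trust" active: wheel members
#                             su without a password, everyone else may still
#                             su with the root password, nothing is restricted
#   not-enforced              no active pam_wheel line at all
pam_wheel_status() {
    awk '
        /^[[:space:]]*#/ { next }                     # skip comments
        $1 == "auth" && $3 ~ /pam_wheel\.so$/ {
            if ($2 == "required") {
                req = 1
                for (i = 4; i <= NF; i++) if ($i == "use_uid") uid = 1
            }
            if ($2 == "sufficient") {
                for (i = 4; i <= NF; i++) if ($i == "trust") trust = 1
            }
        }
        END {
            if (req && uid) print "enforced"
            else if (req) print "enforced-without-use_uid"
            else if (trust) print "trust-only"
            else print "not-enforced"
        }'
}

# enable_pam_wheel uncomments the "auth required ... pam_wheel.so" line and
# leaves everything else untouched. On a live system:
#   enable_pam_wheel < /etc/pam.d/su > /etc/pam.d/su.new
# then diff the two files and move the new one into place; PAM reads the
# file on the next su, no daemon has to be restarted.
enable_pam_wheel() {
    sed 's|^#[[:space:]]*\(auth[[:space:]][[:space:]]*required[[:space:]][[:space:]]*/lib/security/pam_wheel\.so\)|\1|'
}

printf '%s\n' "$SAMPLE_PAM_SU" | pam_wheel_status
printf '%s\n' "$SAMPLE_PAM_SU" | enable_pam_wheel | pam_wheel_status
```

Keep a root shell open while testing the edited file; a typo in /etc/pam.d/su locks every administrator out of su until it is repaired from that shell or from the console.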

TO BE CONTINUED... :-)

Linux Security Books


If you want to read a very good book on Linux security, then you should check out Gerhard Mourani's
security book, which covers security very thoroughly and is intended for a technical audience and
Linux administrators, but it also covers material for home users and others as well. I had the opportunity to
contribute to the development of the second edition. The edition "Securing & Optimizing Linux: The
Ultimate Solution" is now the successor of the very popular book "Securing and Optimizing Linux: Red Hat
Edition".

Securing and Optimizing Linux: Red Hat Edition (First Edition)

This edition can be downloaded for free in PDF format at
http://www.linuxsecurity.com/docs/Securing-Optimizing-Linux-RH-Edition-1_3.pdf , or
you can browse through the book in HTML format at
http://www.linuxdoc.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3 .

Securing & Optimizing Linux: The Ultimate Solution (Second Edition)

You can buy this 850-page book in print or in PDF format at www.openna.com.

If you find any errors or mistakes, please let me know at comments@puschitz.com !

Warning and Disclaimer: Every effort has been made to provide information that is as accurate as possible, but no warranty or
fitness is implied. The author shall have no liability or responsibility for any loss or damages arising from the information
contained on this web site.

Comments? comments@puschitz.com
