Securing and Hardening Red Hat Linux Production Systems


Securing and Hardening Red Hat Linux Production Systems
A Practical Guide to Basic Linux Security in Production Enterprise Environments

Written by Werner Puschitz

www.puschitz.com

This article is a practical step-by-step guide for securing Linux production systems. It discusses basic Linux Security requirements for systems that need to pass various audits in an enterprise environment. If you work on a corporate Linux Security Standard or if you do Sarbanes-Oxley Act (SOX) or Statement on Auditing Standards No. 70 (SAS 70) related work, then you will find useful and practical information here.

Focus of this Article

This Linux Security HOWTO is intended for a technical audience: Linux system administrators and security people in corporations and organizations that have to use commercial Linux distributions for their production environment. If you are a Linux expert, you may find known material here, but you will have difficulty finding documentation on various topics like restricting su access to system and shared accounts, which is covered in this article (see Restricting su Access to System and Shared Accounts). If you need to make Linux production systems compliant with various audit requirements, then this article should be a good starting point. The main objective of this Linux Security guide is to discuss basic Linux security requirements, including account policies, for production systems that are being audited. This document covers various system services like SSH which are usually enabled and required on all Linux production servers. It does not cover services or applications like Apache, Samba, etc., since these applications/services are usually not needed across all Linux servers and should therefore not be installed on all systems. In fact, these applications warrant their own security HOWTO. Also, this article does not cover security features that require kernel patching. This is not an option for most companies due to vendor support issues.

This Linux Security Cookbook has been tested on Red Hat Linux but should also be applicable to many other Linux distributions like Novell SUSE.

Feedback

This document comes without warranty of any kind. But every effort has been made to provide the information as accurate as possible. I welcome emails from any readers with comments, suggestions, and corrections at webmaster_at_puschitz.com. If you believe that I did not address a basic and important Linux security topic, please drop me an email.

Contents

- General
- Removing Unnecessary Software Packages (RPMs)
- Patching Linux Systems
- Detecting Listening Network Ports
- Closing Network Ports and Disabling Runlevel System Services
- Closing Network Ports and Disabling Xinetd Services
- Reviewing Inittab and Boot Scripts
- Restricting System Access from Servers and Networks
- Securing SSH
- Securing Postfix
- Securing Sendmail
- Securing NFS
- Copying Files Using SSH Without Providing Login Prompts
- Kernel Tunable Security Parameters
- Checking File Permissions and Ownership
- Checking Accounts
- Enabling Password Aging
- Enforcing Stronger Passwords
- Restricting Use of Previous Passwords
- Locking User Accounts After Too Many Login Failures
- Restricting Direct Login Access for System and Shared Accounts
- Restricting su Access to System and Shared Accounts
- Preventing Accidental Denial of Service
- Displaying Login Banners
- Miscellaneous
- Bibliography and References

General

Physical Security

Physical security should be of the utmost concern. Linux production servers should be in locked datacenters where only people with passed security checks have access. But physical security is out of scope for this article. Depending on the environment and circumstances, you may want to consider boot loader passwords.

Verifying Security Action Items

It is strongly recommended to have scripts available which verify that all security action items have been executed. Even the best sysadmins can make mistakes and miss steps. If you have a larger Linux environment, it would be a good investment to write scripts for checking Linux security action items.

Retiring Linux Servers with Sensitive Data

To retire servers with sensitive data, it is important to ensure that data cannot be recovered from the hard disks. To ensure that all traces of data are removed, the DiskSanitizer tool can be used. This tool can be operated from a floppy disk and it removes data according to the U.S. Department of Defense (DoD) standards. DiskSanitizer is available at http://freshmeat.net/projects/disksanitizer.

Backups

If your system gets compromised, your backups become invaluable. But also in cases like bugs, accidents, etc., backups can be used to compare your current system against your backed-up system. For production systems it is very important to take some backups offsite for cases like disasters.

For legal reasons some firms and organizations must be careful about backing up too much information and holding it too long. If your environment has a policy regarding the destruction of old paper files, you might have to extend this policy to Linux backup tapes as well.

Disk Partitions

Servers should have separate partitions for at least /, /boot, /usr, /var, /tmp, and /home. You don't want, for example, logging and temporary space under /var and /tmp to fill up the root partition. Third party applications should be on separate filesystems as well, e.g. under /opt.

Firewall (iptables)

I will not cover iptables in this paper. Most companies use hardware based firewalls to protect their servers in a production network, which is strongly recommended for such environments. If you are interested in a Linux Stateful Firewall using iptables, check out my HOWTO for Stateful Firewall and Masquerading on Linux. For lots of iptables tutorials and examples, see http://www.linuxguruz.com/iptables/.

Kernel Security Features

Kernel Tunable Security Parameters: For more information, see Kernel Tunable Security Parameters.

SELinux

SELinux is an advanced technology for securing Linux systems. Hardening Linux using SELinux technology, on its own, warrants its own security HOWTO and is out of scope for this guide. I highly recommend the book SELinux: NSA's Open Source Security Enhanced Linux.

FTP, telnet, and rlogin (rsh)

FTP, telnet, and rlogin (rsh) are vulnerable to eavesdropping, which is one of the reasons why SSH/SCP/SFTP should be used instead. It is highly recommended not to run these services. Due to the high risk, this guide does not cover these services. It would also be a good idea not to have FTP and Telnet server RPMs installed on the system.

Removing Unnecessary Software Packages (RPMs)

A very important step in securing a Linux system is to determine the primary function or role of the Linux server. You should have a detailed knowledge of what is on your system. Otherwise you will have a difficult time understanding what needs to be secured, and hence securing your Linux systems proactively won't be that effective. Therefore it is very critical to look at the default list of software packages and remove unneeded packages or packages that don't comply with your security policy. If you do that, you will have fewer packages to update and to maintain when security alerts and patches are released. For example, you should not have Apache or Samba installed on your system if you don't use them. Also, it is a good practice not to have development packages, desktop software packages (e.g. X Server), etc. installed on production servers. Other packages like FTP and Telnet daemons should not be installed either unless there is a justified business reason for it (SSH/SCP/SFTP should be used instead).

One of the first action items should be to create a Linux image that only contains RPMs needed by the applications, and needed for maintenance and troubleshooting purposes. A good approach is to start with a minimum list of RPMs and then add packages as needed. It may be time-consuming but worth the effort.

To get a list of all installed RPMs, you can use the following command:

    rpm -qa

If you want to know more about a particular RPM, run:

    rpm -qi <package_name>

To check for and report potential conflicts and dependencies for deleting an RPM, run:

    rpm -e --test <package_name>

For information on performing Kickstart installations and how to build an image, see Kickstart Installations.
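The three rpm commands above list, describe and test-remove packages one at a time. The following script, added here as an example and not part of the original guide, turns the rpm -qa listing into an audit against an approved package baseline of the kind the minimal-image approach produces: it reports packages that are installed but not approved, and approved packages that have gone missing. It assumes both lists hold one package name per line; the two lists in the script are constructed sample data, not output from a real server.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the installed RPMs
# against an approved baseline. Assumptions: both lists hold one package
# name per line (as produced by "rpm -qa --qf '%{NAME}\n' | sort -u"), and
# the two lists below are constructed sample data, not real server output.
export LC_ALL=C   # comm and sort must agree on collation

# unapproved_packages BASELINE INSTALLED
# prints packages that are installed but not in the baseline; run
# "rpm -e --test <name>" on each before removing it to see what would break
unapproved_packages() {
    comm -13 "$1" "$2"
}

# missing_packages BASELINE INSTALLED
# prints baseline packages that are not installed (e.g. an audit tool that
# someone removed)
missing_packages() {
    comm -23 "$1" "$2"
}

# Constructed sample lists standing in for a real baseline and a real server.
tmpdir=$(mktemp -d)
printf '%s\n' audit bash coreutils openssh-server sudo \
    | sort -u > "$tmpdir/baseline"
printf '%s\n' bash coreutils openssh-server sudo telnet-server xorg-x11-server-Xorg \
    | sort -u > "$tmpdir/installed"
# On a live server the second list would come from:
#   rpm -qa --qf '%{NAME}\n' | sort -u > installed

echo "Installed but not in the baseline:"
unapproved_packages "$tmpdir/baseline" "$tmpdir/installed"
echo "In the baseline but not installed:"
missing_packages "$tmpdir/baseline" "$tmpdir/installed"
```

Because comm compares sorted lists, the same script works unchanged for the full rpm -qa output (name-version-release) when the baseline is kept at that granularity, which also catches packages that were downgraded.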

Patching Linux Systems

Building an infrastructure for patch management is another very important step to proactively secure Linux production environments. It is recommended to have a written security policy and procedure to handle Linux security updates and issues.

For example, a security policy should detail the timeframe for assessment, testing, and rollout of patches. Network related security vulnerabilities should get the highest priority and should be addressed immediately within a short timeframe.

For example, a security procedure should detail the process for assessment, testing, and rollout of patches. The assessment phase should occur within a testing lab, and initial rollout should occur on development systems first.

A separate security log should detail what Linux security notices have been received, when patches have been researched and assessed, when patches have been applied, etc.

For Red Hat systems I recommend Red Hat Network (RHN) for patch management. In fact, for secure environments you may have to consider Red Hat's Satellite solution. For more information, see Red Hat Network Architectural Overview.

Detecting Listening Network Ports

One of the most important tasks is to detect and close network ports that are not needed.

To get a list of listening network ports (TCP and UDP sockets), you can run the following command:

    # netstat -tulp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address              Foreign Address  State   PID/Program name
    tcp        0      0 *:auth                     *:*              LISTEN  1328/xinetd
    tcp        0      0 localhost.localdomain:smtp *:*              LISTEN  1360/sendmail: acce
    tcp        0      0 *:ssh                      *:*              LISTEN  1317/sshd

From the output you can see that xinetd, sendmail, and sshd are listening.

On all newer Red Hat Linux distributions sendmail is configured to listen for local connections only. Sendmail should not listen for incoming network connections unless the server is a mail or relay server. Running a port scan from another server will confirm that (make sure that you have permission to probe a machine):

    # nmap -sTU <remote_host>

    Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-12-10 22:51 CST
    Interesting ports on jupitor (172.16.0.1):
    (The 3131 ports scanned but not shown below are in state: closed)
    PORT STATE SER[...]
    [...] 69 seconds

Note that the above nmap command can take a while. If you remove the UDP port scan (without the option "-U"), then nmap will finish the port scan immediately. If you run it on the local machine, it will also complete very fast. Also note that nmap might not show all listening network sockets if a firewall is being used to block ports.

From the output above you can see that the xinetd daemon is listening on port auth (port 113) for IDENT (for more information on this service, see below). You can also see that sendmail is not listening for remote incoming network connections; see also Securing Sendmail.

Another method to list all of the TCP and UDP sockets to which programs are listening is lsof:

    # lsof -i -n | egrep 'COMMAND|LISTEN|UDP'
    COMMAND  PID  USER  FD  TYPE  DE[...]
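Reading the netstat listing by eye works for three sockets; on a server with a dozen daemons it is easy to miss one. The script below is an added example (not part of the original guide) that reads "netstat -tulp" output and reports every listening socket bound to anything other than the loopback address, which is exactly the distinction drawn above between sendmail on localhost and xinetd/sshd on *. The listing it parses is constructed from the netstat output shown above plus one made-up UDP row.

```shell
#!/bin/sh
# Added example, not part of the original guide: read "netstat -tulp" output
# and report every listening socket that is bound to something other than the
# loopback address, i.e. reachable from the network. The listing below is
# constructed from the netstat output shown above plus one made-up UDP line;
# on a real server run:  netstat -tulp | network_listeners

# network_listeners  (reads netstat output on stdin)
# prints "proto local-address program" for each non-loopback listener
network_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            # tcp rows have a State column, udp rows do not
            prog = ($1 ~ /^tcp/) ? $7 : $6
            # bound to loopback only: localhost*, 127.x.x.x or ::1
            if (addr ~ /^(localhost|127\.|::1:)/) next
            print $1, addr, prog
        }'
}

# count_network_listeners  (reads netstat output on stdin)
# number of sockets reachable from the network
count_network_listeners() {
    network_listeners | wc -l | tr -d ' '
}

# Constructed sample in the format of "netstat -tulp" on Red Hat.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address              Foreign Address  State   PID/Program name
tcp        0      0 *:auth                     *:*              LISTEN  1328/xinetd
tcp        0      0 localhost.localdomain:smtp *:*              LISTEN  1360/sendmail: acce
tcp        0      0 *:ssh                      *:*              LISTEN  1317/sshd
udp        0      0 *:syslog                   *:*                      1203/syslogd'

echo "Listening sockets reachable from the network:"
printf '%s\n' "$SAMPLE" | network_listeners
```

Anything the script prints that is not on the server's approved list of network services is a candidate for the chkconfig and xinetd steps in the following sections. Run it on the server itself, not from a remote scan, so that a firewall in between cannot hide a listener.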

Closing Network Ports and Disabling Runlevel System Services

    sshd        important for logins via SSH
    portmap     needed if e.g. NFS is being used
    nfslock     needed if NFS shares are mounted
    nfs         needed if server runs the NFS server
    mdmonitor   needed only if software RAID is being used
    crond       important for running cron jobs
    xinetd      needed if xinetd services are being used, see /etc/xinetd.d/ for list of services
    cups        needed if CUPS is used for the printing system
    rhnsd       needed if server should connect to RHN to check for software updates etc.
    sysstat     needed to reset system statistics logs
    audit       needed only if Linux Audit Subsystem (LAuS) should run for collecting system call audit records
    psacct      needed only if kernel process accounting information is needed
    smartd      important for monitoring disk problems if hard disks support SMART technology
    netdump     important if kernel oops data and memory dumps should be sent to a Netdump server for server crashes

The start/stop scripts of all runlevel services can be found in the /etc/init.d directory. For example, if you don't know what the atd service does, go to /etc/init.d and open the file atd, and in the script look for lines that start programs. In the atd script the "daemon /usr/sbin/atd" line starts the binary atd. Now having the name of the program that is started by this service, you can check the online pages of atd by running man atd. This will help you to find out more about a system service.

To permanently disable e.g. the runlevel service nfs, run:

    chkconfig nfs off

To immediately disable the runlevel service nfs, run:

    /etc/init.d/nfs stop

Closing Network Ports and Disabling Xinetd Services

The xinetd daemon is a replacement for inetd, the internet services daemon. It monitors the ports for all network services configured in /etc/xinetd.d, and starts the services in response to incoming connections.

To check if xinetd is enabled and running, execute:

    # chkconfig --list xinetd
    xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    # /etc/init.d/xinetd status
    xinetd (pid 2619) is running...

If xinetd is active, it is important to check which Unix services are active and controlled by xinetd. The following command shows all services configured in /etc/xinetd.d and whether xinetd monitors the ports for these services:

    # chkconfig --list | awk '/xinetd based services/,/""/'
    xinetd based services:
            krb5-telnet:    off
            rsync:          off
            eklogin:        off
            gssftp:         off
            klogin:         off
            chargen-udp:    off
            kshell:         off
            auth:           on
            chargen:        off
            daytime-udp:    off
            daytime:        off
            echo-udp:       off
            echo:           off
            services:       off
            time:           off
            time-udp:       off
            cups-lpd:       off

To get a list of only active services for which xinetd monitors the ports, you could run:

    # chkconfig --list | awk '/xinetd based services/,/""/' | grep -v off
    xinetd based services:
            auth:           on

In the above example you can see that the telnet-server RPM is not installed on the system. If the Telnet Server package telnet-server were installed, it would show up on the list whether it's active or not.

Here is an example of how to disable a service. Assuming the telnet service is active, run the following commands to disable it and to see how the telnet service entries are being updated:

    # chkconfig --list telnet
    telnet  on
    # cat /etc/xinetd.d/telnet | grep disable
            disable = no
    # chkconfig telnet off
    # chkconfig --list telnet
    telnet  off
    # cat /etc/xinetd.d/telnet | grep disable
            disable = yes

For the telnet service it would be better to remove the package from the system since SSH should be used instead:

    # rpm -e telnet-server

It is important to investigate all active xinetd services and to disable them if they are not needed.

Here is an example of how to find out what a service does. Assuming you don't know what the auth service does, which is listed as active in the list above, run the following commands:

    # grep " server" /etc/xinetd.d/auth
            server          = /usr/sbin/in.authd
            server_args     = -t60 --xerror --os -E
    # man in.auth
    No manual entry for in.auth
    # rpm -qf /usr/sbin/in.authd
    authd-1.4.1-1.rhel3
    # rpm -qi authd-1.4.1-1.rhel3 | awk '/Description/,/""/'
    Description :
    authd is a small and fast RFC 1413 ident protocol daemon
    with both xinetd server and interactive modes that
    supports IPv6 and IPv4 as well as the more popular features
    of pidentd.
    # rpm -ql authd-1.4.1-1.rhel3
    /etc/ident.key
    /etc/xinetd.d/auth
    /usr/sbin/in.authd
    /usr/share/doc/authd-1.4.1
    /usr/share/doc/authd-1.4.1/COPYING
    /usr/share/doc/authd-1.4.1/README.html
    /usr/share/doc/authd-1.4.1/rfc1413.txt
    /usr/share/locale/ja/LC_MESSAGES/authd.mo

This example shows what can be done if there is no manual page for the binary in.authd that is started by xinetd. The steps above should be helpful for finding out more about services.

The auth service (aka IDENT, see RFC 1413) allows remote daemons to query information about users establishing TCP connections on the local server. In a trusted environment it helps a server to identify who is trying to use it. For example, it can provide vital information for troubleshooting and who has done what. IDENT requests are needed by some applications like IRC. However, IDENT can be a security risk.

To disable the auth service, run the following command:

    # chkconfig auth off

The xinetd daemon is quite flexible and has many features. Here are just a few functionalities of Xinetd:
- Access control for TCP, UDP, and RPC services
- Access limitations based on time
- Provides mechanisms to prevent DoS attacks

For more information on Xinetd, see http://www.xinetd.org and http://www.macsecurity.org/resources/xinetd/tutorial.shtml.

Reviewing Inittab and Boot Scripts

The inittab file /etc/inittab also describes which processes are started at bootup and during normal operation. For example, Oracle uses it to start cluster services at bootup. Therefore, it is recommended to ensure that all entries in /etc/inittab are legitimate in your environment.

I would at least remove the CTRL-ALT-DELETE trap entry to prevent accidental reboots:

    # sed -i 's/ca::ctrlaltdel:/#ca::ctrlaltdel:/g' /etc/inittab

The default runlevel should be set to 3 since in my opinion X11 (X Window System) should not be running on a production server. In fact, it shouldn't even be installed.

    # grep ':initdefault' /etc/inittab
    id:3:initdefault:

And depending on your environment, you might want to comment out the UPS entries as well.

To have changes in /etc/inittab become effective immediately, you can run:

    # init q

The /etc/rc.local script is used for commands or startup scripts which are pertinent only to a specific server (/etc/rc.local is a link to /etc/rc.d/rc.local). Ensure that all startup scripts in /etc/rc.d/rc.local are legitimate.
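The section Verifying Security Action Items recommends keeping scripts that confirm each hardening step was actually carried out. The script below is an added example of such a check for the two inittab items of this section (default runlevel 3, CTRL-ALT-DEL trap commented out); it is not from the original guide. The file to check is a parameter, so it can run against a copy or a backup as well as against /etc/inittab; the inittab contents it checks here are constructed and written to a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original guide: a verification script of
# the kind recommended under "Verifying Security Action Items", covering the
# inittab items of this section. Checks that the default runlevel is 3 and
# that the ca::ctrlaltdel entry is commented out. The inittab contents below
# are constructed; pass /etc/inittab to check a live server.

# check_inittab FILE : prints one "FAIL: ..." line per problem and returns 1,
# or prints "OK: FILE" and returns 0
check_inittab() {
    file=$1
    rc=0
    # runlevel is field 2 of the active (uncommented) initdefault entry
    level=$(grep '^[^#]*:initdefault:' "$file" | head -n 1 | cut -d: -f2)
    if [ "$level" != "3" ]; then
        echo "FAIL: default runlevel is '${level:-unset}', expected 3"
        rc=1
    fi
    # an uncommented ctrlaltdel line means CTRL-ALT-DEL still reboots the box
    if grep -q '^[^#]*:ctrlaltdel:' "$file"; then
        echo "FAIL: ctrlaltdel trap is still active"
        rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: $file"
    return $rc
}

tmpdir=$(mktemp -d)
# Constructed inittab that still has both problems
cat > "$tmpdir/inittab.before" <<'EOF'
id:5:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
EOF
# The same file after applying the two fixes from this section
sed -e 's/^id:5:initdefault:/id:3:initdefault:/' \
    -e 's/^ca::ctrlaltdel:/#ca::ctrlaltdel:/' \
    "$tmpdir/inittab.before" > "$tmpdir/inittab.after"

check_inittab "$tmpdir/inittab.before" || true
check_inittab "$tmpdir/inittab.after" || true
```

Each further action item in this guide (telnet-server removed, sendmail bound to localhost, ALL: ALL in hosts.deny) can be added as another function of the same shape, and the script's exit status then tells an audit run whether the server still matches the standard.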

Restricting System Access from Servers and Networks

Usually a firewall is used to protect a server from other servers and networks. However, in some cases you may also want to protect a server within a network by using a TCP Wrapper.

The Xinetd super server that comes with most Linux distributions includes a built-in TCP wrapper. It can be used to explicitly define network services to accept incoming connections from specified servers and networks. The TCP wrapper implements access control through the use of two files, /etc/hosts.allow and /etc/hosts.deny. Note that the hosts.allow file takes precedence over the hosts.deny file. And you may want to change the permissions on the two configuration files since they are both world readable.

A recommended security strategy is to block all incoming requests by default, but allow specific hosts or networks to connect. This is the strategy I will describe here.

To deny everything by default, add the following line to /etc/hosts.deny:

    ALL: ALL

To accept incoming SSH connections from e.g. nodes rac1cluster, rac2cluster, and rac3cluster, add the following line to /etc/hosts.allow:

    sshd: rac1cluster rac2cluster rac3cluster

Securing Postfix

    # alternatives --set mta /usr/sbin/sendmail.postfix

The following parameters in /etc/postfix/main.cf should be set to ensure that Postfix accepts only local emails for delivery:

    mydestination = $myhostname, localhost.$mydomain, localhost
    inet_interfaces = localhost

The parameter mydestination lists all domains to receive emails for. The parameter inet_interfaces specifies the network to listen on.

Once you've configured Postfix, restart the mail system with the following command:

    # /etc/init.d/postfix restart

To verify whether Postfix is still listening for incoming network requests, you can run one of the following commands from another node:

    # nmap -sT -p 25 <remote_node>
    # telnet <remote_node> 25

Don't run these commands on the local host since Postfix is supposed to accept connections from the local node.

If you believe that I should cover other parameter(s), or if you think that other parameter(s) should explicitly be set/changed for local mail delivery, please drop me an email.

Securing Sendmail

This article focuses on security issues that pertain to most Linux servers in a production environment. Therefore securing a mail or relay server is out of scope for this article since not all Linux servers in a production environment are mail or relay servers. However, Sendmail or Postfix is usually required for local mail delivery. Note that it is recommended to use Postfix over Sendmail for various security reasons; see Securing Postfix for more information.

On newer Linux systems Sendmail is configured to run in the background for local mail delivery and not to accept incoming network connections. If your server is not a mail or relay server, then it is important that Sendmail is not accepting incoming network connections from any host other than the local server.

The default sendmail.cf configuration file on Red Hat does not allow Sendmail to accept incoming network connections. The following setting in /etc/mail/sendmail.cf tells Sendmail not to accept incoming network connections from servers other than the local node:

    O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA

If that's not the case on your system, you can change it by setting or uncommenting the DAEMON_OPTIONS parameter in the /etc/mail/sendmail.mc file. Uncomment the DAEMON_OPTIONS line in /etc/mail/sendmail.mc to read:

    DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Then run:

    # mv /etc/m
    ail/sendmail.cf /etc/mail/sendmail.cf.old
    # m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
    # /etc/init.d/sendmail restart

To verify whether Sendmail is still listening for incoming network requests, you can run one of the following commands from another node (make sure that you have permission to probe a machine):

    # nmap -sT -p 25 <remote_node>
    # telnet <remote_node> 25

Don't run these commands on the local host since Sendmail is supposed to accept connections from the local node.
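The nmap and telnet probes above confirm the result from outside. The script below, an added example that is not part of the original guide, checks the same thing from the configuration files themselves, for both the Postfix settings (inet_interfaces in main.cf) and the Sendmail setting (DaemonPortOptions in sendmail.cf) discussed in the two sections above, so it can run on the server before the daemon is restarted. It assumes the Postfix default of inet_interfaces = all when the parameter is absent, and that a sendmail.cf without any DaemonPortOptions line binds all interfaces; the configuration fragments it checks are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: check from the configuration
# files whether Postfix and Sendmail are limited to local delivery, as the
# two sections above require. Postfix: inet_interfaces must be localhost (the
# Postfix default is "all"). Sendmail: every active "O DaemonPortOptions"
# line in sendmail.cf must carry Addr=127.0.0.1, and a sendmail.cf without any
# such line binds all interfaces. The config fragments below are constructed.

# postfix_local_only MAIN_CF : returns 0 when Postfix only listens on loopback
postfix_local_only() {
    # take the last uncommented assignment, which is the one Postfix uses
    value=$(sed -n 's/^[[:space:]]*inet_interfaces[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    case "$value" in
        localhost|loopback-only|127.0.0.1) return 0 ;;
        *) echo "Postfix listens on: ${value:-all (default)}"; return 1 ;;
    esac
}

# sendmail_local_only SENDMAIL_CF : returns 0 when every daemon binds loopback
sendmail_local_only() {
    if ! grep -q '^O DaemonPortOptions=' "$1"; then
        echo "Sendmail: no DaemonPortOptions line, daemon binds all interfaces"
        return 1
    fi
    bad=$(grep '^O DaemonPortOptions=' "$1" | grep -v 'Addr=127\.0\.0\.1' || true)
    if [ -n "$bad" ]; then
        echo "Sendmail daemon not bound to loopback: $bad"
        return 1
    fi
    return 0
}

tmpdir=$(mktemp -d)
# Constructed main.cf that still accepts mail from the network
cat > "$tmpdir/main.cf.open" <<'EOF'
myhostname = host1.example.com
inet_interfaces = all
EOF
# Constructed main.cf with the settings from the Postfix section
cat > "$tmpdir/main.cf.local" <<'EOF'
mydestination = $myhostname, localhost.$mydomain, localhost
inet_interfaces = localhost
EOF
# Constructed sendmail.cf fragments, before and after restricting the daemon
cat > "$tmpdir/sendmail.cf.open" <<'EOF'
O DaemonPortOptions=Port=smtp, Name=MTA
EOF
cat > "$tmpdir/sendmail.cf.local" <<'EOF'
O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA
EOF

for f in main.cf.open main.cf.local; do
    postfix_local_only "$tmpdir/$f" && echo "$f: local delivery only" || echo "$f: FAIL"
done
for f in sendmail.cf.open sendmail.cf.local; do
    sendmail_local_only "$tmpdir/$f" && echo "$f: local delivery only" || echo "$f: FAIL"
done
```

The configuration check and the remote probe complement each other: the file check catches a setting that was never applied, the probe catches a daemon that was configured correctly but not restarted.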

Securing NFS

General

NFS (Network File System) allows servers to share files over a network. But like all network services, using NFS involves risks.

Here are some basic rules:
- NFS should not be enabled if not needed.
- If you must use NFS, use TCP wrapper to restrict remote access.
- Make sure you export to only those machines that you really need to.
- Use fully qualified domain names to diminish spoofing attempts.
- Export only directories you need to export.
- Export read-only wherever possible.
- Use NFS over TCP.
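Several of these rules can be checked mechanically against /etc/exports. The script below is an added example, not part of the original guide: it reads an exports file and warns about exports that are open to every client, client names that are not fully qualified (no dot, so neither an FQDN nor a .domain suffix), read-write exports, and the no_root_squash option. The exports file it audits is constructed; on a server, pass /etc/exports.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an /etc/exports file
# against the rules listed above. It warns about exports open to every
# client, client names that are not fully qualified (no dot, so neither an
# FQDN nor a .domain suffix), read-write exports and no_root_squash. The
# exports file below is constructed; on a server pass /etc/exports.

# audit_exports FILE : prints one "WARN <dir> <client>: <reason>" per finding
audit_exports() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }        # comments and blank lines
        {
            dir = $1
            if (NF == 1) {
                # a directory without a client list is exported to everyone
                print "WARN " dir " *: exported to everyone (no client list)"
                next
            }
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                # split "client(options)" into its two parts
                if (match($i, /\(.*\)$/)) {
                    client = substr($i, 1, RSTART - 1)
                    opts   = substr($i, RSTART + 1, RLENGTH - 2)
                }
                if (client == "*" || client == "")
                    print "WARN " dir " " client ": exported to everyone"
                else if (client !~ /\./)
                    print "WARN " dir " " client ": not a fully qualified name"
                if (opts ~ /(^|,)rw(,|$)/)
                    print "WARN " dir " " client ": read-write export"
                if (opts ~ /no_root_squash/)
                    print "WARN " dir " " client ": no_root_squash set"
            }
        }' "$1"
}

# count_export_warnings FILE : number of findings
count_export_warnings() {
    audit_exports "$1" | wc -l | tr -d ' '
}

tmpdir=$(mktemp -d)
# Constructed /etc/exports mixing good and bad entries
cat > "$tmpdir/exports" <<'EOF'
# /etc/exports (constructed sample)
/export/data    rac1pub.example.com(ro,sync) rac2pub(ro,sync)
/export/scratch *(rw,no_root_squash)
/export/logs    .subnet.example.com(ro,sync)
/export/all
EOF

audit_exports "$tmpdir/exports"
echo "findings: $(count_export_warnings "$tmpdir/exports")"
```

The first two rules (NFS disabled when not needed, TCP wrappers for the rest) are covered by the chkconfig checks and the hosts.allow configuration later in this section; the exports audit covers the other five.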

If you don't have shared directories to export, ensure that the NFS service is NOT enabled and running:

    # service nfs status
    rpc.mountd is stopped
    nfsd is stopped
    rpc.rquotad is stopped
    # chkconfig --list nfs
    nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off

You probably don't need the portmap service either, which is used by NFS (the portmap daemon registers rpc-based services for services like NFS, NIS, etc.):

    # service portmap status
    portmap is stopped
    # chkconfig --list portmap
    portmap 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Enabling and Starting NFS Server

If you must use NFS, it can be activated using the following commands on Red Hat Linux:

    chkconfig portmap on
    chkconfig nfs on
    service portmap start
    service nfs start

The "portmap" service starts the portmap daemon. Depending on the Linux OS distribution and version, the "nfs" service starts the rpc.rquotad, nfsd, lockd, rpciod, rpc.mountd, and rpc.idmapd daemons on Red Hat Fedora Core 3, which is the OS that Red Hat Advanced Server 4 is based on. On Red Hat Advanced Server 3 the NFS service starts rpc.mountd, nfsd, and rpc.rquotad.

To probe the portmapper for all registered NFS related RPC programs, you can run rpcinfo. On Red Hat Advanced Server 3 the output will look like this:

    # rpcinfo -p <server>
       program vers proto   port
        100000    2   tcp    111  portmapper
        100000    2   udp    111  portmapper
        100011    1   udp    607  rquotad
        100011    2   udp    607  rquotad
        100011    1   tcp    610  rquotad
        100011    2   tcp    610  rquotad
        100003    2   udp   2049  nfs
        100003    3   udp   2049  nfs
        100003    2   tcp   2049  nfs
        100003    3   tcp   2049  nfs
        100005    1   udp    623  mountd
        100005    1   tcp    626  mountd
        100005    2   udp    623  mountd
        100005    2   tcp    626  mountd
        100005    3   udp    623  mountd
        100005    3   tcp    626  mountd

Restricting Incoming NFS Requests

As I showed in Restricting System Access from Servers and Networks, a recommended security strategy is to block all incoming requests by default, but allow specific hosts or networks to connect. This is the strategy I will use here.

The portmap program and some of the NFS programs include a built-in TCP wrapper. To verify if a program includes a TCP wrapper, you can run the following commands:

    # strings /sbin/portmap | egrep "hosts.deny|hosts.allow|libwrap"
    hosts_allow_table
    hosts_deny_table
    /etc/hosts.allow
    /etc/hosts.deny

    http://www.puschitz.com/SecuringLinux.shtml#RestrictingSystemAccessFromServersAndNetworkshttp://www.puschitz.com/SecuringLinux.shtml#RestrictingSystemAccessFromServersAndNetworkshttp://www.puschitz.com/SecuringLinux.shtml#RestrictingSystemAccessFromServersAndNetworks
  • 7/25/2019 Securing+and+Hardening+Red+Hat+Linux+Production+Systems

    16/39

    strings usr sbin rpc.rquotad K egrep Jhosts.denyKhosts.allowKlibwrapJli#wrap.so.9

    ldd usr sbin rpc.rquotad K grep libwrap li#wrap.so.9 M@ usr lib libwrap.so.( #(x((D'F(((%

    If hosts deny and hosts allow are displayed or if libwrap is displayed then the programincludes a built-in T/4 wrapper. If none of these strings are displayed then adding the programname to /etc/hosts deny and /etc/hosts allow will most probably have no effect.

    To block all incoming requests by default add the following line to etc hosts.deny if you have notdone so yet6

    "LL6 "LL

    hosts allow>libwrap? J command I described above.

    !n ,ed )at "dvanced Server C the /usr/sbin/rpc r uotad program includes a built-in T/4wrapper. !n ,ed )at 7edora /ore C /usr/sbin/rpc mountd now also includes a built-in T/4wrapper.

    To allow &7S requests from e.g. servers racEpub.example.com rac=pub.example.comracCpub.example.com and from the .subnet.puschit+.com network the configuration inetc hosts.allow would look like as follows6 portmap6 racEpub.example.com rac=pub.example.com racCpub.example.com .subnet.puschit+.com

    rpc.mountd6 racEpub.example.com rac=pub.example.com racCpub.example.com .subnet.puschit+.com rpc.rquotad6 racEpub.example.com rac=pub.example.com racCpub.example.com .subnet.puschit+.com

    :ake sure to test &7S access thoroughly when using T/4 wrappers. If a T/4 wrapper has beenadded to another &7S related program please drop me a note.

For portmapper you can now test access from trusted servers or networks using the rpcinfo command:
# rpcinfo -p <server>
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    607  rquotad
    100011    2   udp    607  rquotad
    100011    1   tcp    610  rquotad
    100011    2   tcp    610  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp    623  mountd
    100005    1   tcp    626  mountd
    100005    2   udp    623  mountd
    100005    2   tcp    626  mountd
    100005    3   udp    623  mountd
    100005    3   tcp    626  mountd

If you run it from an "untrusted" server or network, you should get the following output:
# rpcinfo -p <server>
No remote programs registered.

Exporting NFS File Systems

To allow a client access to a filesystem or directory, the /etc/exports file serves as the access control list.

To give the network "subnet.example.com" read-only access to /pub, the entry in /etc/exports would look like as follows:
/pub    *.subnet.example.com(ro,sync)

It is very important NOT to give write access to NFS clients if not absolutely needed! Entries in /etc/exports are exported read-only ("ro" option) by default.

To allow the servers rac1pub, rac2pub and rac3pub read-write access to the /data/OracleArch directory, the entry in /etc/exports would look like as follows:
/data/OracleArch    rac1pub.example.com(rw,sync) rac2pub.example.com(rw,sync) rac3pub.example.com(rw,sync)

Note that options MUST NOT be separated from hostnames or networks with whitespace(s)! And use fully qualified domain names to diminish spoofing attempts.

All entries in /etc/exports are exported with the root_squash option ('root squashing') by default. This means that a root user on a client machine does not have root privileges (root access) to root-owned files on exported NFS filesystems/directories. It is not recommended to turn 'root squashing' off using the no_root_squash option!

After you've made all your entries in /etc/exports, you can export all filesystems/directories using the following command:
# exportfs -a

To unexport all shared filesystems/directories, run:
# exportfs -ua

To see all shared filesystems/directories, run:
# showmount -e localhost
Export list for localhost:
/pub             *.subnet.example.com
/data/OracleArch rac3pub.example.com,rac2pub.example.com,rac1pub.example.com
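A check for the /etc/exports pitfalls described above (exports to every host, read-write exports, no_root_squash, and options detached from the host by whitespace), written as an added example for this guide and not taken from it. The function name check_exports and the exports file content are constructed for the demonstration.

```shell
#!/bin/sh
# check_exports FILE: report risky entries in an /etc/exports file.
# Flags: exports to every host, read-write exports, no_root_squash, and
# options separated from the host by whitespace, which makes the options
# apply to ALL hosts while the named host silently gets default options.
check_exports() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            tok = $i; host = tok; opts = ""
            if (match(tok, /\(.*\)$/)) {
                host = substr(tok, 1, RSTART - 1)
                opts = substr(tok, RSTART + 1, RLENGTH - 2)
            }
            if (host == "") {
                printf("%s: options (%s) detached from host by whitespace: they apply to ALL hosts\n", path, opts)
                host = "*"
            }
            if (host == "*")
                printf("%s: exported to every host\n", path)
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw")
                    printf("%s: %s has read-write access\n", path, host)
                if (o[j] == "no_root_squash")
                    printf("%s: %s has root squashing disabled\n", path, host)
            }
        }
    }' "$1"
}

# Constructed sample exports file (not from a real system) for a stand-alone run
EXPORTS_SAMPLE=$(mktemp)
cat > "$EXPORTS_SAMPLE" <<'EOF'
# /pub is read-only for the subnet, as in the text above
/pub *.subnet.example.com(ro,sync)
/data/OracleArch rac1pub.example.com(rw,sync) rac2pub.example.com(rw,sync)
/home/ftp *(rw,no_root_squash)
/scratch rac3pub.example.com (rw,sync)
EOF
check_exports "$EXPORTS_SAMPLE"
```

The /scratch line shows the whitespace mistake: rac3pub gets the default options and "(rw,sync)" is exported to everyone.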

Using NFS over TCP

If you need NFS, it is recommended to use NFS over TCP since NFS over UDP is not very secure. All 2.4 and 2.6 kernels support NFS over TCP on the client side. Server support for TCP appears in later 2.4 kernels and in all 2.6 kernels.

To verify whether your server supports NFS over TCP, use the wire-test command (/usr/sbin/wire-test is part of the am-utils package). If your server supports NFS over TCP, the output looks like this:
# wire-test localhost
Network 1: wire="172.16.1.0" (netnumber=172.16.1).
Network 2: wire="172.16.1.1" (netnumber=172.16.1).
My IP address is 0xac100101.
NFS

To mount a shared directory using NFS over TCP, use the "proto=tcp" mount option:
# mount -o proto=tcp <nfs_server_name>:/pub /usr/local/pub

Make sure the target directory, in this example /usr/local/pub, exists on the client.

You can verify the NFS over TCP mount using the mount command:
# mount
...
nfsserver:/pub on /usr/local/pub type nfs (rw,proto=tcp,addr=172.16.10.8)
...

To have the shared directory mounted on the client at boot time, use the /etc/fstab file. For the above example, the /etc/fstab entry could look like this:
nfsserver:/pub    /usr/local/pub    nfs    rsize=8192,wsize=8192,timeo=14,intr,tcp    0 0

Copying Files Using SSH Without Providing Login Prompts

The following example is a suggestion you may want to use in some cases. It shows how files can be copied over the network using ssh without providing an interactive login prompt.

SSH allows you to do a forced command using the "command" option. When you use this option, you can disable scp and enforce every passed ssh command to be ignored. On the server side where you want to retrieve the file from, add the following entry to the beginning of the SSH key in the ~/.ssh/authorized_keys2 file:
command="/bin/cat <file_name>" ssh-dss AAAAB3Nza...OpenSSH key

To copy now the file from the remote server, you can run the following command:
ssh <user>@<server> > <local_file>

Since /bin/cat is executed on the server side, the output has to be redirected to the local file.

Another approach is to replace /bin/cat with your own script that checks the passed SSH command by reading the environment variable $SSH_ORIGINAL_COMMAND. For example:
#!/bin/ksh
# sshd sets SSH_ORIGINAL_COMMAND to the command the client asked for;
# only the two known file names are served, everything else is rejected
if [[ $SSH_ORIGINAL_COMMAND = "File1" || $SSH_ORIGINAL_COMMAND = "File2" ]]
then
   /bin/cat "$SSH_ORIGINAL_COMMAND"
else
   echo "Invalid file name!"
   exit 1
fi

So you replace /bin/cat with the script name in ~/.ssh/authorized_keys2 and run the following command to copy "File1":

ssh <user>@<server> File1 > <local_file>

To copy "File2", run:
ssh <user>@<server> File2 > <local_file>

Every other passed parameter will return an error.

Kernel Tunable Security Parameters

The following list shows tunable kernel parameters you can use to secure your Linux server against attacks.

For each tunable kernel parameter I will show the entry that needs to be added to the /etc/sysctl.conf configuration file to make the change permanent after reboots. To activate the configured kernel parameters immediately at runtime, use:
# sysctl -p

Enable TCP SYN Cookie Protection

A "SYN Attack" is a denial of service attack that consumes all the resources on a machine. Any server that is connected to a network is potentially subject to this attack.

To enable TCP SYN Cookie Protection, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.tcp_syncookies = 1

Disable IP Source Routing

Source Routing is used to specify a path or route through the network from source to destination. This feature can be used by network people for diagnosing problems. However, if an intruder was able to send a source routed packet into the network,  then he could intercept the replies and your server might not know that it's not communicating with a trusted server.

To enable Source Route

If you want or need Linux to ignore broadcast requests, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.icmp_echo_ignore_broadcasts = 1

Enable Bad Error Message Protection

To alert you about bad error messages in the network, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.icmp_ignore_bogus_error_responses = 1

Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets

To turn on logging for Spoofed Packets, Source Routed Packets, and Redirect Packets, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.log_martians = 1

References for Kernel Tunable Parameters

Network Security with /proc/sys/net/ipv4: http://www.linuxsecurity.com/content/view/111337/65/
IP Spoofing: Understanding the basics: http://www.linuxexposed.com/internal.php?op=modload&name=News&file=article&sid=550

Checking File Permissions and Ownership

Default umask

The umask (user file-creation mode mask) command is a shell built-in command which determines the default file permissions for newly created files. This can be overwritten by system calls, but many programs and utilities make use of umask.

By default, Red Hat sets umask to 022 or 002, which is fine. If the name of the user account and the group account is the same and the UID is 100 or larger, then umask is set to 002, otherwise it's set to 022; see /etc/bashrc for bash shells.
$ id
uid=509(test) gid=510(test) groups=100(users),510(test) context=user_u:system_r:unconfined_t
$ umask
0002

# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t
# umask
0022

Here is an example how umask works:

$ umask 000
$ touch file1
$ ls -l file1
-rw-rw-rw-  1 oracle oinstall 0 Dec 26 19:24 file1
$ umask 002
$ touch file2
$ ls -l file2
-rw-rw-r--  1 oracle oinstall 0 Dec 26 19:24 file2
$ umask 022
$ touch file3
$ ls -l file3
-rw-r--r--  1 oracle oinstall 0 Dec 26 19:25 file3
$

For the bash shell you can find the setting of umask in /etc/bashrc. The /etc/bashrc file is for system-wide aliases and functions and is invoked by ~/.bashrc.

SUID/SGID Files

When the SUID (set user ID) or SGID (set group ID) bit is set on an executable, it executes with the UID or GID of the owner of the executable rather than that of the person executing it. This means that e.g. all executables that have the SUID bit set and are owned by root are executed with the UID of root. A good example is the passwd command that allows ordinary users to update the password field in the /etc/shadow file which is owned by root.

But SUID/SGID bits can be misused when the SUID/SGID executable has a security hole. Therefore, you might want to search the entire system for SUID/SGID executables and document them. For example, ensure that code developers don't set SUID/SGID bits on their programs if it's not an absolute requirement. To search the entire system for SUID/SGID executables, run:
# find / -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) -ls

The -prune option in this example is used to skip the /proc filesystem.

World-Writable Files

World-writable files are a security risk since they allow anyone to modify them. Additionally, world-writable directories allow anyone to add or delete files.

To locate world-writable files and directories, you can use the following command:
# find / -path /proc -prune -o -perm -2 ! -type l -ls

The "! -type l" parameter skips all symbolic links since symbolic links are always world-writable. However, this is not a problem as long as the target of the link is not world-writable, which is checked by the above find command.

World-writable directories with sticky bit, such as the /tmp directory, do not allow anyone except the owner of a file to delete or modify it in this directory. The sticky bit makes files stick to the user who created them and it prevents other users from deleting and renaming the files. Therefore, depending on the purpose of the directory, world-writable directories with sticky bit are usually not an issue. An example is the /tmp directory:

$ ls -ld /tmp
drwxrwxrwt  18 root root 16384 Dec 23 22:20 /tmp

The "t" mode, which denotes the sticky bit, allows files to be deleted and renamed only if the user is the owner of this file or the owner of the directory.

Unowned Files

Files not owned by any user or group might not necessarily be a security problem in itself. However, unowned files could pose a security problem in the future. For example, if a new user is created and the new user happens to get the same UID as the unowned files have, then this new user will automatically become the owner of these files.

To locate files not owned by any user or group, use the following command:
# find / -path /proc -prune -o -nouser -o -nogroup
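The find checks of this chapter combined into one report, as an added example that is not part of the original guide: it refines the world-writable check so that sticky directories like /tmp are not reported, and it skips symbolic links. The function name audit_perms and the demonstration tree are constructed; running it on a real system means calling audit_perms / as root.

```shell
#!/bin/sh
# audit_perms ROOT: report SUID/SGID executables, world-writable files and
# world-writable directories that lack the sticky bit below ROOT.
# Symbolic links are not matched by -type f/-type d, so they are skipped
# (they are always 0777); ROOT/proc is pruned as in the commands above.
audit_perms() {
    root=$1
    # SUID/SGID executables: document them and review any not shipped by the vendor
    find "$root" -path "$root/proc" -prune -o -type f \( -perm -4000 -o -perm -2000 \) -print \
        | sed 's/$/: SUID or SGID executable/'
    # world-writable regular files
    find "$root" -path "$root/proc" -prune -o -type f -perm -0002 -print \
        | sed 's/$/: world-writable file/'
    # world-writable directories without the sticky bit (1000); /tmp-style
    # directories with the sticky bit are accepted, as explained above
    find "$root" -path "$root/proc" -prune -o -type d -perm -0002 ! -perm -1000 -print \
        | sed 's/$/: world-writable directory without sticky bit/'
}

# Constructed demonstration tree (not a real system); remove it afterwards
DEMO_ROOT=$(mktemp -d)
touch "$DEMO_ROOT/setuid-tool" && chmod 4755 "$DEMO_ROOT/setuid-tool"   # reported
touch "$DEMO_ROOT/open.txt"    && chmod 0666 "$DEMO_ROOT/open.txt"      # reported
mkdir "$DEMO_ROOT/tmp-like"    && chmod 1777 "$DEMO_ROOT/tmp-like"      # sticky: not reported
mkdir "$DEMO_ROOT/dropbox"     && chmod 0777 "$DEMO_ROOT/dropbox"       # reported
ln -s "$DEMO_ROOT/open.txt" "$DEMO_ROOT/open.lnk"                       # link: skipped
audit_perms "$DEMO_ROOT"
```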

Checking Accounts

Checking for Unlocked Accounts

It is important that all system and vendor accounts that are not used for logins are locked.

To get a list of unlocked accounts on your system, you can check for accounts that do NOT have an encrypted password string starting with "!" or "*" in the /etc/shadow file. If you lock an account using passwd -l, it will put a '!!' in front of the encrypted password, effectively disabling the password. If you lock an account using usermod -L, it will put a '!' in front of the encrypted password. Many system and shared accounts are usually locked by default by having a '*' or '!!' in the password field which renders the encrypted password into an invalid string.

Hence, to get a list of all unlocked (encryptable) accounts, run:
# egrep -v '.*:\*|:\!' /etc/shadow | awk -F: '{print $1}'

Also make sure all accounts have a 'x' in the password field in /etc/passwd. The following command lists all accounts that do not have a 'x' in the password field:
# grep -v ':x:' /etc/passwd

A 'x' in the password field means that the password has been shadowed, i.e. the encrypted password has to be looked up in the /etc/shadow file. If the password field in /etc/passwd is empty, then the system will not look up the shadow file and it will not prompt the user for a password at the login prompt.
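The two checks above as one report, added here as an example that is not part of the original guide: each account is classified from its /etc/shadow password field (locked, unlocked, or no password at all), the maximum password age from field 5 is shown beside it, and /etc/passwd entries without the 'x' placeholder are listed. The function names and the sample files are constructed; the hashes are dummies.

```shell
#!/bin/sh
# shadow_report SHADOW_FILE: one line per account with the lock state derived
# from the password field (as the egrep above does) plus the aging state from
# field 5, so unlocked accounts without password aging stand out.
shadow_report() {
    awk -F: '
    {
        if ($2 == "")          status = "NO-PASSWORD"   # login without any password
        else if ($2 ~ /^[*!]/) status = "locked"        # "*", "!" or "!!" prefix
        else                   status = "unlocked"
        # field 5 is the maximum password age in days; empty or 99999 means no aging
        aging = ($5 == "" || $5 >= 99999) ? "no-aging" : "max=" $5 "d"
        print $1, status, aging
    }' "$1"
}

# unshadowed_accounts PASSWD_FILE: accounts whose /etc/passwd password field is not "x"
unshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# Constructed sample files (not copied from a real system); hashes are dummies
SHADOW_SAMPLE=$(mktemp)
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$1$dummyhash$dummyhashdummyhashdummy:12800:0:99999:7:::
bin:*:12800:0:99999:7:::
daemon:!!:12800:0:99999:7:::
oracle:!$1$dummyhash$dummyhashdummyhashdummy:12800:7:60:7:14::
test:$1$dummyhash$dummyhashdummyhashdummy:12800:7:60:7:14::
guest::12800:0:99999:7:::
EOF
PASSWD_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
test:x:509:510::/home/test:/bin/bash
guest::511:100::/home/guest:/bin/bash
EOF
shadow_report "$SHADOW_SAMPLE"
unshadowed_accounts "$PASSWD_SAMPLE"
```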

Checking for Unused Accounts

All system or vendor accounts that are not being used by users, applications, by the system or by daemons should be removed from the system. You can use the following command to find out if there are any files owned by a specific account:
# find / -path /proc -prune -o -user <account> -ls

The -prune option in this example is used to skip the /proc filesystem.

If you are sure that an account can be deleted, you can remove the account using the following command:
# userdel -r <account>

Without the "-r" option, userdel will not delete the user's home directory and mail spool (/var/spool/mail/

/etc/login.defs       PASS_MIN_DAYS          ... the last change.
/etc/login.defs       PASS_MIN_LEN     n/a   This parameter does not work. It is superseded by the PAM module "pam_cracklib". See Enforcing Stronger Passwords for more information.
/etc/login.defs       PASS_WARN_AGE    7     Number of days when the password change reminder starts.
/etc/default/useradd  INACTIVE         14

You can change the password aging any time using the chage command.

To disable password aging for system and shared accounts, you can run the following chage command:
# chage -M 99999 <system_account_name>

To get password expiration information:
# chage -l <system_account_name>

For example:
# chage -l test
Minimum:        7
Maximum:        60
Warning:        7
Inactive:       14
Last Change:            Jan 11, 2005
Password Expires:       Mar 12, 2005
Password Inactive:      Mar 26, 2005
Account Expires:        Never

Enforcing Stronger Passwords

Practical Considerations

On an audited system it is important to restrict people from using simple passwords that can be cracked too easily. However, if the passwords being enforced are too strong, people will write them down. Strong passwords that are written down are not much safer than weak passwords. Some will argue that strong passwords protect you against e.g. Dictionary Attacks, and you can defeat it by locking the accounts after a few failed attempts. However, this is not always an option. As I will show at Locking User Accounts After Too Many Login Failures, locked system accounts could bring down your applications and systems, which would be nothing short of a denial of service attack.

Undoubtedly, it is important to practise safe password management. In my opinion, a password should have at least one digit number, one other character, and one upper case letter. But keep in mind not to make it overly complicated.

How to Enforce Stronger Passwords

The pam_cracklib module checks the password against dictionary words and other constraints. Unfortunately, however, the original Linux PAM module pam_cracklib uses a credit mechanism. E.g. if you define password length minlen=10, then you will get 1 credit for e.g. using a single digit number in your password if you defined dcredit=1. This means that pam_cracklib will accept a password of the length of minlen-credit. If you don't use a digit number, then the minimum length of the password would be minlen. There was no way to tell the module that a password *must* include a digit number.

Back in 2000 I wrote a patch for the pam_cracklib module where you can assign negative values to the pam_cracklib parameters lcredit, ucredit, dcredit, and ocredit. Using negative values will disable the credit mechanism. For example, if you define dcredit=-1, then the module will only accept a password if it includes at least one digit number and if the password has a length of at least minlen.

Red Hat has finally applied my pam_cracklib patch and you don't have to patch the pam_cracklib module any more. The new pam_cracklib feature works in Red Hat Enterprise Linux 4 and Red Hat Fedora Core 3. This feature is now also included with the Red Hat Enterprise Linux 3 Update 4 and Red Hat Enterprise Linux 2.1 Update 6 releases. If the Linux distribution you are using does not use the patched pam_cracklib module yet, you can find the procedure for patching pam_cracklib at http://www.puschitz.com/pam_cracklib_patch.shtml.

In the following example I'll assume that you are using the new pam_cracklib module or that you patched the module if your Linux distribution doesn't include the patched version yet.

The following example shows how to enforce the following password rules:
- Minimum length of password must be 8
- Minimum number of lower case letters must be 1
- Minimum number of upper case letters must be 1
- Minimum number of digits must be 1
- Minimum number of other characters must be 1

pam_cracklib.so minlen=8        Minimum length of password is 8
pam_cracklib.so lcredit=-1      Minimum number of lower case letters is 1
pam_cracklib.so ucredit=-1      Minimum number of upper case letters is 1
pam_cracklib.so dcredit=-1      Minimum number of digits is 1
pam_cracklib.so ocredit=-1      Minimum number of other characters is 1

To set up these password restrictions, edit the /etc/pam.d/system-auth file and add/change the following pam_cracklib arguments (the minlen and credit options on the pam_cracklib line):
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

Now verify that the new password restrictions work for new passwords. Simply login to a non-root account and change the password using the passwd command. Note that the above requirements are not enforced if you run the passwd command under root.

NOTE: The /etc/pam.d/system-auth PAM configuration file is auto-generated and contains records which dictate a generic authentication scheme. Keep in mind that authconfig might clobber some changes you made. Since I never run authconfig, I usually make changes to this file because it's used by many PAM aware applications. Otherwise I'd have to make changes to many configuration files. Changing system-auth is usually the preferred method. You might even want to disable all execution bits from the /usr/bin/authconfig binary to prevent authconfig from clobbering your changes.
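To make the credit mechanism described above concrete, here is an added model of it (not the pam_cracklib module itself, and not part of the original guide): it simulates only minlen and the four credit parameters, with the module's documented defaults of minlen=9 and one credit per class, and ignores the dictionary check. The function names are constructed.

```shell
#!/bin/sh
# Added model of the pam_cracklib credit mechanism (not the module itself):
# only minlen/lcredit/ucredit/dcredit/ocredit are simulated; the dictionary
# check and cracklib's own limits are ignored. Defaults follow the module
# documentation: minlen=9 and one credit per character class.

# count_class PASSWORD SET: number of PASSWORD characters in tr-style SET
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# cracklib_accepts "ARGS" PASSWORD
# ARGS is the argument string from the pam_cracklib line, e.g.
#   "minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1"
# Returns 0 when the password would pass the length/class checks, 1 otherwise.
cracklib_accepts() {
    args=$1 pw=$2
    minlen=9 lcredit=1 ucredit=1 dcredit=1 ocredit=1
    for kv in $args; do
        case $kv in
            minlen=*)  minlen=${kv#*=} ;;
            lcredit=*) lcredit=${kv#*=} ;;
            ucredit=*) ucredit=${kv#*=} ;;
            dcredit=*) dcredit=${kv#*=} ;;
            ocredit=*) ocredit=${kv#*=} ;;
        esac
    done
    lower=$(count_class "$pw" 'a-z')
    upper=$(count_class "$pw" 'A-Z')
    digit=$(count_class "$pw" '0-9')
    other=$(( ${#pw} - lower - upper - digit ))
    size=${#pw}
    # A non-negative credit N adds min(count, N) to the effective length, so
    # minlen=8 with the default credits accepts a 4-character password that
    # uses all four classes. A negative credit -N instead demands N characters
    # of that class and adds nothing to the length.
    for spec in "lower-case $lower $lcredit" "upper-case $upper $ucredit" \
                "digit $digit $dcredit" "other $other $ocredit"; do
        set -- $spec
        if [ "$3" -ge 0 ]; then
            if [ "$2" -lt "$3" ]; then size=$((size + $2)); else size=$((size + $3)); fi
        elif [ "$2" -lt $((0 - $3)) ]; then
            echo "rejected: needs at least $((0 - $3)) $1 character(s)"
            return 1
        fi
    done
    if [ "$size" -lt "$minlen" ]; then
        echo "rejected: effective length $size is below minlen=$minlen"
        return 1
    fi
    echo "accepted: effective length $size"
}

# Demonstration: the same 4-character password under the default credits and
# under the negative credits configured in the system-auth file above.
cracklib_accepts "minlen=8" "Ab1!"
cracklib_accepts "minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1" "Ab1!"
cracklib_accepts "minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1" "abcdefg1!"
cracklib_accepts "minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1" "Abcdefg1!"
```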

Restricting Use of Previous Passwords

The pam_unix module parameter remember can be used to configure the number of previous passwords that cannot be reused. And the pam_cracklib module parameter difok can be used to specify the number of characters that must be different between the old and the new password.

In the following example I will show how to tell the system that a password cannot be reused for at least 6 months and that at least 3 characters must be different between the old and new password.

Remember that in the chapter Enabling Password Aging we set PASS_MIN_DAYS to 7, which specifies the minimum number of days allowed between password changes. Hence, if we tell pam_unix to remember 26 passwords, then the previously used passwords cannot be reused for at least 6 months (26*7 days).

Here is an example. Edit the /etc/pam.d/system-auth file and add/change the following pam_cracklib and pam_unix arguments:
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=26
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

NOTE: If /etc/security/opasswd doesn't exist, create the file.
# ls -l /etc/security/opasswd
-rw-------  1 root root 0 Dec  8 09:47 /etc/security/opasswd

Locking User Accounts After Too Many Login Failures

I do not recommend that the system automatically locks system and shared accounts after too many failed login or su attempts. This could lead to outages if the application's account gets locked due to too many login failures, like in this example:

# su oracle -c id
su: incorrect password

This could be an easy target for a denial of service attack. At Restricting Direct Login Access for System and Shared Accounts I will show how to disable direct logins for system or shared accounts.

In the following example I will show how to lock only individual user accounts after too many failed su or login attempts.

Add the following two lines (the pam_tally lines) to the /etc/pam.d/system-auth file as shown below:

auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_tally.so per_user deny=5 no_magic_root reset
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

The first added line counts failed login and failed su attempts for each user. By default the attempted accesses are recorded in /var/log/faillog.

The second added line specifies to lock accounts automatically after 5 failed login or su attempts (deny=5). The counter will be reset to 0 (reset) on successful entry if deny=n was not exceeded. But you don't want system or shared accounts to be locked after too many login failures (denial of service attack). To exempt system and shared accounts from the deny=n parameter, I added the per_user parameter to the module. The per_user parameter instructs the module NOT to use the deny=n limit for accounts where the maximum number of login failures is set explicitly. For example:
# faillog -u oracle -m -1

# faillog -u oracle
Username   Failures  Maximum  Latest
oracle        0        -1     Fri Dec 10 23:57:55 -0600 2005 on unknown

The faillog command with the option "-m -1" has the effect of not placing a limit on the number of failed logins. To instruct the module to activate the deny=n limit for this account again, run:

# faillog -u oracle -m 0

By default, the maximum number of login failures for each account is set to 0, which instructs pam_tally to use the deny=n parameter. The faillog manual page on my Red Hat system says that selecting a maximum number of login failures of 0 will deactivate deny=n for the account. The PAM documentation, however, says that per_user will only work if the fail_max field contains a non-zero value. After testing both values, setting it to -1 worked. Maybe because it's read as a high unsigned value?

To see failed login attempts, run:
# faillog

To unlock an account after too many login failures, run:
# faillog -u <user> -r

Make sure to test these changes thoroughly on your system using e.g. ssh and su, and make sure root does not get locked!

To lock/unlock accounts manually, you can run one of the following commands:
# passwd -l <user>
# usermod -L <user>
# passwd -u <user>
# usermod -U <user>

NOTE:

Since /var/log/faillog is owned by root and only root can write to the /var/log/faillog file, xscreensaver and vlock won't work correctly. Each time xscreensaver or vlock is executed as a non-root user, you won't be able to do an unlock since these programs can't write to /var/log/faillog. I don't have a good solution for that. I can only think of setting the SUID bit on these programs.

Restricting Direct Login Access for System and Shared Accounts

On an audited production system it is very important to know who switched to which system or shared account. Therefore it is prudent to restrict direct logins for all system and shared accounts where more than one individual knows the password. All users should do a direct login using their own account and then switch to the system or shared account. (If you are just interested in restricting direct root SSH logins, see Securing SSH.)

However, there are situations where you have to allow direct logins for system or shared accounts. For example, within an Oracle RAC cluster you have to enable direct ssh logins for oracle. But in such an environment you have to protect the whole cluster as a single entity against incoming ssh connections, i.e. direct oracle logins should not work if you come from a node that is not part of the cluster. In the following example I will show how to achieve this goal as well.

Usually all system and shared accounts have one thing in common, that is they are not in the "users" group. The following example assumes that all individual user accounts are in the "users" group but system and shared accounts like root and oracle are not. If you want to go a step further, a good solution would be to implement a new 'logingroup' users group, which would require users to be given explicit access.

    In this example I will show how to restrict direct logins for6- SS "/etc/pam d/sshd'- .onsole 2ogin "/etc/pam d/login'- Craphical Cnome 2ogin "/etc/pam d/gdm- or for all logins "/etc/pam d/system-auth'

    To accomplish this goal I will add the pam3access module to the 4": configuration files listedabove. This module provides logdaemon-style login access control based on login names hostnames I4 addresses etc. The 4": module type that has to be used in the configuration files isaccount . This module type does the authori+ation i.e. is the user allowed to login #e.g. time day%Z5on9t confuse the 4": module type account with auth which does the authentication forexample checking the password. "nd the control flag I will use is required . It specifies thatSuccess is required 7ailure means that it will still call the remaining modules but the result isalready determined.

For SSH Logins, add the pam_access module to /etc/pam.d/sshd as follows:

    auth       required     pam_stack.so service=system-auth
    auth       required     pam_nologin.so
    account    required     pam_access.so
    account    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth

For Console Logins, add the pam_access module to /etc/pam.d/login as follows:

    auth       required     pam_securetty.so
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_nologin.so
    account    required     pam_access.so
    account    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    session    required     pam_selinux.so close
    session    required     pam_stack.so service=system-auth
    session    optional     pam_console.so
    session    required     pam_selinux.so multiple open

For Graphical Gnome Logins, add the pam_access module to /etc/pam.d/gdm as follows:

    auth       required     pam_env.so
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_nologin.so
    account    required     pam_access.so
    account    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    session    optional     pam_console.so

Now add the following line to the /etc/security/access.conf configuration file:

    -:ALL EXCEPT users:ALL

The /etc/security/access.conf configuration file is read by the pam_access module. This entry specifies that no users are accepted except users that are in the "users" group. Since the pam_access module has been configured for "Authorization" (account) in the above PAM configuration files, it denies direct logins for all accounts except the ones that are in the "users" group.

Now on some systems like Oracle RAC clusters you have to enable direct ssh logins for oracle within the cluster. On such systems you can enable direct ssh logins for oracle within the cluster by adding/changing the following lines in /etc/security/access.conf:

    -:ALL EXCEPT users oracle:ALL
    -:oracle:ALL EXCEPT rac1cluster.example.com rac2cluster.example.com rac3cluster.example.com

The first line has been edited to include the oracle account, which will allow general direct logins. However, the second line specifies that direct logins for oracle are only allowed from Oracle RAC nodes (rac1cluster, rac2cluster and rac3cluster) that are part of the cluster.

NOTE:

In RHEL4 pam_access is already configured for crond:

    # grep pam_access /etc/pam.d/*
    /etc/pam.d/crond:account    required    pam_access.so

This means that the above entries in /etc/security/access.conf will stop cron from working. Note that it is very prudent to always check whether pam_access is configured for any other service on the system!

To ensure that all users on the system can still run cron jobs, you can add the following argument to pam_access in /etc/pam.d/crond:

    account    required    pam_access.so accessfile=/etc/security/access-cron.conf

This ensures that the /etc/security/access.conf configuration file is not consulted by crond. Since pam_access does not grant permissions if the configuration file does not exist, execute the following command to create an empty file:

    # touch /etc/security/access-cron.conf

Now verify that cron jobs can be launched by any user on the system.

NOTE:

The above example will only work if there exists no "users" account in the /etc/passwd file on the system, which is usually the case. Otherwise you have to either delete the "users" account or you have to designate or create another group name.
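To make the first-match behaviour of access.conf concrete, here is an added example (not code from the article or from Linux-PAM) that evaluates the two lines from the Oracle RAC case above against a constructed set of accounts and groups, and also reproduces the "users" account pitfall from the note. Only plain host names are matched in the origins field; netgroups and the LOCAL keyword are left out.

```python
"""Evaluate /etc/security/access.conf lines the way pam_access does.

Added example for this section; it is not code from the article or from
Linux-PAM. The account and group tables are constructed stand-ins for
/etc/passwd and /etc/group, and the host names are taken from the text.
"""

# Constructed account and group databases.
ACCOUNTS = {"root", "oracle", "alice", "bob"}
GROUPS = {
    "users": {"alice", "bob"},   # individual user accounts
    "dba": {"alice"},
}

# The two lines from the Oracle RAC example in the text.
ACCESS_CONF = """
# deny everybody except members of "users" and the oracle account ...
-:ALL EXCEPT users oracle:ALL
# ... and deny oracle unless the connection comes from a cluster node
-:oracle:ALL EXCEPT rac1cluster.example.com rac2cluster.example.com rac3cluster.example.com
"""


def user_token_matches(token, user):
    """A token in the users field names an account if such an account
    exists, otherwise a group; this is why the text requires that no
    account called "users" exists."""
    if token in ACCOUNTS:
        return token == user
    return user in GROUPS.get(token, ())


def origin_token_matches(token, origin):
    """Origins are compared as plain host names here (no netgroups, no LOCAL)."""
    return token == origin


def field_matches(field, value, token_matches):
    """Evaluate 'ALL', 'ALL EXCEPT a b ...' or a plain list of tokens."""
    tokens = field.split()
    if not tokens:
        return False
    if tokens[0] == "ALL":
        if len(tokens) > 2 and tokens[1] == "EXCEPT":
            return not any(token_matches(t, value) for t in tokens[2:])
        return True
    return any(token_matches(t, value) for t in tokens)


def parse_access_conf(text):
    """Return a list of (permit, users_field, origins_field) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users, origins))
    return rules


def login_allowed(rules, user, origin):
    """The first matching line decides; with no match pam_access permits."""
    for permit, users, origins in rules:
        if field_matches(users, user, user_token_matches) and \
                field_matches(origins, origin, origin_token_matches):
            return permit
    return True


def users_account_pitfall(rules):
    """Re-run the alice check with an account named "users" present: the
    token then names that account instead of the group, and alice is denied."""
    ACCOUNTS.add("users")
    try:
        return login_allowed(rules, "alice", "laptop.example.com")
    finally:
        ACCOUNTS.discard("users")


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    for user, origin in [("alice", "laptop.example.com"),
                         ("root", "laptop.example.com"),
                         ("oracle", "rac1cluster.example.com"),
                         ("oracle", "laptop.example.com")]:
        verdict = "permit" if login_allowed(rules, user, origin) else "deny"
        print(f"{user:7} from {origin:25} -> {verdict}")
    print("alice with a 'users' account present ->", users_account_pitfall(rules))
```

Running the script shows alice permitted from anywhere, root denied everywhere, oracle permitted only from the three cluster nodes, and alice denied as soon as an account named "users" exists.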

Restricting su Access to System and Shared Accounts

This chapter shows how to restrict people from su-ing to system and shared accounts even if they know the passwords.

Users usually don't share the passwords of their own accounts but are less hesitant to share them for shared accounts. This chapter helps to mitigate this problem.

The following example shows how to restrict su access to the root, oracle and postgres accounts to a specific set of users.

NOTE: The documentation about the pam_wheel module included in many Linux distributions is wrong. For instance, in Red Hat Advanced Server 2.1 the pam_wheel module does not only restrict people from su-ing to the root account like it used to be. It restricts people from su-ing to any account.

Example for Restricting su Access to root, oracle, and postgres Accounts

Create a new group for each set of users that are allowed to su to the root, oracle and postgres account:

    # groupadd rootmembers
    # groupadd oraclemembers
    # groupadd postgresmembers

Add all users who are allowed to su to the root, oracle and postgres account to the new member groups created above. The following requirement will be configured:
- Only adminuser1 should be able to su to root, oracle and postgres.
- Only oracleuser1 should be able to su to oracle.
- Only postgresuser1 should be able to su to postgres.
- No one else on the system should be able to su to any account.

    # usermod -G rootmembers adminuser1
    # usermod -G oraclemembers oracleuser1
    # usermod -G postgresmembers postgresuser1

As you probably noted, I did not add adminuser1 to the other member groups. Instead I will show how to give people in the rootmembers group su access to the oracle and postgres account automatically, without adding them to the oraclemembers and postgresmembers groups. I consider root admins an exception. They should not be added to all member groups on the system.

Next, add the three authentication lines (the two pam_stack lines for the su-root-members and su-other-members services and the pam_deny line) to the /etc/pam.d/su file as shown below:

    auth       sufficient   /lib/security/$ISA/pam_rootok.so
    auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
    auth       sufficient   /lib/security/$ISA/pam_stack.so service=su-root-members
    auth       sufficient   /lib/security/$ISA/pam_stack.so service=su-other-members
    auth       required     /lib/security/$ISA/pam_deny.so
    account    required     /lib/security/$ISA/pam_stack.so service=system-auth
    password   required     /lib/security/$ISA/pam_stack.so service=system-auth
    session    required     /lib/security/$ISA/pam_selinux.so close
    session    required     /lib/security/$ISA/pam_stack.so service=system-auth
    session    required     /lib/security/$ISA/pam_selinux.so open multiple
    session    optional     /lib/security/$ISA/pam_xauth.so

These additional authentication lines specify that nobody should be able to su to any account unless at least one of the PAM services su-root-members or su-other-members returns Success. The control flag sufficient means that a Success will bypass the remaining authentication modules and overall Success is returned for the authentication part. Failure means that the failed authentication PAM service is ignored. If both authentication PAM services fail, then the last authentication module pam_deny is invoked, which will deny all requests for any available authentication module. This will cause the authentication part to fail for the su command.

Next, the new authentication PAM service configuration files /etc/pam.d/su-root-members and /etc/pam.d/su-other-members need to be created.

The file /etc/pam.d/su-root-members referenced in /etc/pam.d/su should read like:

    auth  required  /lib/security/pam_wheel.so use_uid group=rootmembers
    auth  required  /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-rootmembers-access

The file /etc/security/su-rootmembers-access referenced in /etc/pam.d/su-root-members should read like:

    root
    oracle
    postgres

The control flag required, which is specified for both modules, means that both modules have to return Success. Otherwise this PAM service will return Failure to the "su" PAM service configured in /etc/pam.d/su. The first line returns Success only if the user is in the rootmembers group. The second line allows access (sense=allow) only to those users specified in /etc/security/su-rootmembers-access, which are root, oracle and postgres; these are the only users that will be accepted as a user argument to su. The item=user argument instructs pam_listfile that the entries in /etc/security/su-rootmembers-access are usernames. If an error occurs, such as an unreadable configuration file, access is denied (onerr=fail).

NOTE: Once su access to root is working for users in the rootmembers group, I recommend avoiding any changes to the /etc/pam.d/su-root-members file in the future. Making a mistake in this file could revoke access to root for all users on the system. That's the reason why I created two PAM service files: /etc/pam.d/su-root-members for people in the rootmembers group and /etc/pam.d/su-other-members (see below) for all other member groups, since you will most probably add more member groups to this file in the future.

Next, the file /etc/pam.d/su-other-members referenced in /etc/pam.d/su should be created and read like:

    auth       sufficient   /lib/security/pam_stack.so service=su-oracle-members
    auth       sufficient   /lib/security/pam_stack.so service=su-postgres-members
    auth       required     /lib/security/pam_deny.so

If one of the two PAM services returns Success, it will return Success to the "su" PAM service configured in /etc/pam.d/su. Otherwise the last module will be invoked, which will deny all further requests, and the authentication fails.

Next, the PAM services "su-oracle-members" and "su-postgres-members" have to be created.

The file /etc/pam.d/su-oracle-members referenced in /etc/pam.d/su-other-members should read like:

    auth  required  /lib/security/pam_wheel.so use_uid group=oraclemembers
    auth  required  /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-oraclemembers-access

The file /etc/security/su-oraclemembers-access referenced in /etc/pam.d/su-oracle-members should read like:

    oracle

The file /etc/pam.d/su-postgres-members referenced in /etc/pam.d/su-other-members should read like:

    auth  required  /lib/security/pam_wheel.so use_uid group=postgresmembers
    auth  required  /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-postgresmembers-access

The file /etc/security/su-postgresmembers-access referenced in /etc/pam.d/su-postgres-members should read like:

    postgres

Now verify that adminuser1 can su to root, oracle and postgres. No one else should be able to su to root. oracleuser1 should be able to su to oracle only, and postgresuser1 should be able to su to postgres only. No one else on the system should be able to su to any of these accounts, even if they know the password.
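The verification above can be worked through offline with the following added example (not code from the article or from Linux-PAM). It models the required and sufficient control flags and the modules used in this chapter, with the group membership from the usermod commands and the three listfile contents as constructed data; the password_ok argument stands for a caller who knows the target account's password.

```python
"""Simulate the su PAM auth stack from this chapter.

Added example, not code from the article or from Linux-PAM. It models the
control flags "required" and "sufficient" and the modules the text uses
(pam_rootok, pam_wheel, pam_listfile, pam_deny, pam_stack), so the access
matrix at the end of the chapter can be checked offline. Group membership,
the listfile contents and the password check are constructed stand-ins.
"""

# Constructed supplementary group membership (from the usermod commands).
GROUPS = {
    "rootmembers": {"adminuser1"},
    "oraclemembers": {"oracleuser1"},
    "postgresmembers": {"postgresuser1"},
}

# Constructed contents of the pam_listfile files from the text.
LISTFILES = {
    "/etc/security/su-rootmembers-access": {"root", "oracle", "postgres"},
    "/etc/security/su-oraclemembers-access": {"oracle"},
    "/etc/security/su-postgresmembers-access": {"postgres"},
}

# auth stacks as (control flag, module, arguments); module paths omitted.
SERVICES = {
    "su": [
        ("sufficient", "pam_rootok", {}),
        ("required", "pam_stack", {"service": "system-auth"}),
        ("sufficient", "pam_stack", {"service": "su-root-members"}),
        ("sufficient", "pam_stack", {"service": "su-other-members"}),
        ("required", "pam_deny", {}),
    ],
    "system-auth": [("required", "pam_unix", {})],   # the password check
    "su-root-members": [
        ("required", "pam_wheel", {"group": "rootmembers"}),
        ("required", "pam_listfile", {"file": "/etc/security/su-rootmembers-access"}),
    ],
    "su-other-members": [
        ("sufficient", "pam_stack", {"service": "su-oracle-members"}),
        ("sufficient", "pam_stack", {"service": "su-postgres-members"}),
        ("required", "pam_deny", {}),
    ],
    "su-oracle-members": [
        ("required", "pam_wheel", {"group": "oraclemembers"}),
        ("required", "pam_listfile", {"file": "/etc/security/su-oraclemembers-access"}),
    ],
    "su-postgres-members": [
        ("required", "pam_wheel", {"group": "postgresmembers"}),
        ("required", "pam_listfile", {"file": "/etc/security/su-postgresmembers-access"}),
    ],
}


def run_module(module, args, caller, target, password_ok):
    """Return True for PAM_SUCCESS, False for any failure."""
    if module == "pam_rootok":
        return caller == "root"
    if module == "pam_unix":
        return password_ok
    if module == "pam_wheel":          # use_uid: check the calling user's groups
        return caller in GROUPS.get(args["group"], ())
    if module == "pam_listfile":       # item=user sense=allow onerr=fail
        allowed = LISTFILES.get(args["file"])
        return allowed is not None and target in allowed
    if module == "pam_deny":
        return False
    if module == "pam_stack":
        return authenticate(args["service"], caller, target, password_ok)
    raise ValueError(f"unknown module {module}")


def authenticate(service, caller, target, password_ok=True):
    """Walk one auth stack with Linux-PAM's required/sufficient semantics."""
    required_failed = False
    for flag, module, args in SERVICES[service]:
        ok = run_module(module, args, caller, target, password_ok)
        if flag == "required":
            # keep walking the stack, but the result is already determined
            required_failed = required_failed or not ok
        elif flag == "sufficient":
            # success ends the stack unless an earlier "required" failed;
            # failure of a sufficient module is simply ignored
            if ok and not required_failed:
                return True
        else:
            raise ValueError(f"unsupported control flag {flag}")
    return not required_failed


def access_matrix(callers, targets):
    """Which caller may su to which target, everyone knowing the password."""
    return {(c, t): authenticate("su", c, t) for c in callers for t in targets}


if __name__ == "__main__":
    matrix = access_matrix(["adminuser1", "oracleuser1", "postgresuser1", "bob"],
                           ["root", "oracle", "postgres"])
    for (caller, target), ok in sorted(matrix.items()):
        print(f"{caller:14} su {target:9} -> {'allowed' if ok else 'denied'}")
```

The model deliberately stops at the auth stack; the account, password and session stacks from /etc/pam.d/su are not needed to reproduce the access decisions the text asks you to verify.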

Preventing Accidental Denial of Service

General

Linux allows you to set limits on the amount of system resources that users and groups can use. This is also very handy if bugs in programs accidentally use up too many resources, slow down the machine or even render the system unusable. I've seen systems where incorrect settings have allowed programs to use up too many resources, which made the server unresponsive for new connections or local logins (e.g. a program uses up all file handles on the system). This could become a security issue if someone is allowed to use up all resources and causes a denial of service attack. Depending on your environment you may want to review resource limits for user accounts and groups.

Example for Restricting System Resources

The following example shows a practical use of setting or restricting system resources for an Oracle user account. For a list of system resource settings see /etc/security/limits.conf. It would be a good idea to review the default settings of system resources.

Most shells like Bash provide control over various resources like the maximum allowable number of open file descriptors or the maximum number of processes available to a user. To see all shell limits, run:

    ulimit -a

For more information on ulimit for the Bash shell, see man bash and search for ulimit.

Important Note:
Setting "hard" and "soft" limits in the following examples might not work properly when you log in to oracle using a SSH session. It should work if you log in as root and su to oracle. Resource limits should also work if the application is started automatically during the boot process. But if you experience the problem that the changed resource limits in /etc/security/limits.conf are not applied when logging in through SSH, then you may have to try to set UsePrivilegeSeparation in /etc/ssh/sshd_config to "no" and restart the SSH daemon by executing /etc/init.d/sshd restart. Unfortunately privilege separation does not work properly with PAM on some Linux distributions. But also note that turning off privilege separation is not really recommended, since it's a valuable security feature that has already prevented exploitation of SSH vulnerabilities.

For example, to change the number of file handles or open files that the Oracle user can use, you have to edit the file /etc/security/limits.conf as root and make the following changes or add the following lines, respectively:

    oracle  soft  nofile  4096
    oracle  hard  nofile  63536

The "soft limit" in the first line defines the number of file handles or open files that the Oracle user will have after login. If the Oracle user gets error messages about running out of file handles, then the Oracle user can increase the number of file handles, like in this example up to 63536 ("hard limit"), by running the following command:

    ulimit -n 63536

You can set the "soft" and "hard" limits higher if necessary. Note that I do not recommend setting the hard limit for nofile for the oracle user equal to /proc/sys/fs/file-max. If you do that and the oracle user uses up all the file handles, then the whole system will be out of file handles. This could mean that you won't be able to initiate new remote logins any more, since the system won't be able to open any PAM modules, which are required for performing a login.

You also need to ensure that pam_limits is configured in the file /etc/pam.d/system-auth, or in /etc/pam.d/sshd (for SSH), /etc/pam.d/su (for su) or /etc/pam.d/login (local logins and telnet) if you don't want to enable it for all logins or if /etc/pam.d/system-auth does not exist, like on SUSE. This is the PAM module that will read the /etc/security/limits.conf file. The entry should read like:

    session    required    /lib/security/pam_limits.so

Here are the two "session" entries I have in my /etc/pam.d/system-auth file:

    session    required    /lib/security/pam_limits.so
    session    required    /lib/security/pam_unix.so

Now log in to the oracle account again, since the changes will become effective for new login sessions only.

    # su - oracle
    $ ulimit -n
    4096
    $

Note that the ulimit options are different for other shells.

The default limit for oracle is now 4096 and the oracle user can increase the number of file handles up to 63536:

    # su - oracle
    $ ulimit -n
    4096
    $ ulimit -n 63536
    $ ulimit -n
    63536
    $

To make this change permanent, add "ulimit -n 63536" (for Bash) to the ~oracle/.bash_profile file, which is the user startup file for the Bash shell on Red Hat Linux (to verify your shell run: echo $SHELL). To do this you could simply copy/paste the following commands for oracle's Bash shell:

    su - oracle
    cat >> ~oracle/.bash_profile << EOF
    ulimit -n 63536
    EOF
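As an added example (not code from the article), the following Python script parses the two limits.conf lines from above, models what ulimit -n may do for oracle versus root, and asks the running kernel via the resource module to confirm that the soft nofile limit can be raised up to the hard limit but not past it. The limits.conf excerpt is a constructed sample, and the kernel check needs Linux.

```python
"""Soft and hard limits for open files (RLIMIT_NOFILE).

Added example, not code from the article. It does three things the text
describes in words: parses the two limits.conf lines, models what
"ulimit -n N" may do for an unprivileged user versus root, and asks the
kernel (via the resource module, Linux only) to confirm that the soft limit
can be moved up to, but never past, the hard limit. LIMITS_CONF is a
constructed sample.
"""
import resource

LIMITS_CONF = """
# constructed excerpt of /etc/security/limits.conf
oracle  soft  nofile  4096
oracle  hard  nofile  63536
"""


def parse_limits_conf(text):
    """Return {(domain, item): {"soft": n, "hard": n}}; type '-' sets both."""
    limits = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        domain, kind, item, value = line.split()
        entry = limits.setdefault((domain, item), {})
        for k in (("soft", "hard") if kind == "-" else (kind,)):
            entry[k] = int(value)
    return limits


def model_ulimit_n(soft, hard, requested, is_root=False):
    """bash 'ulimit -n N' sets soft and hard together. Return the new
    (soft, hard) pair, or None when the kernel would refuse: only root may
    raise the hard limit above its current value."""
    if requested > hard and not is_root:
        return None
    return requested, requested


def set_soft_nofile(soft):
    """'ulimit -S -n soft' for this process; False if the kernel refuses."""
    _, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    try:
        resource.setrlimit(resource.RLIMIT_NOFILE, (soft, hard))
        return True
    except ValueError:          # soft > hard is EINVAL, surfaced as ValueError
        return False


def soft_can_reach_hard():
    """Raise soft to hard, then try one past it; restore the original soft.
    Returns (reached_hard, exceeded_hard); exceeded_hard is None when the
    hard limit is unlimited and the overshoot cannot be attempted."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    try:
        reached = set_soft_nofile(hard)
        exceeded = None if hard == resource.RLIM_INFINITY else set_soft_nofile(hard + 1)
    finally:
        set_soft_nofile(soft)
    return reached, exceeded


if __name__ == "__main__":
    limits = parse_limits_conf(LIMITS_CONF)
    o = limits[("oracle", "nofile")]
    print("oracle after login:", o)
    print("ulimit -n 63536 as oracle:", model_ulimit_n(o["soft"], o["hard"], 63536))
    print("ulimit -n 63537 as oracle:", model_ulimit_n(o["soft"], o["hard"], 63537))
    print("this process (reached hard, exceeded hard):", soft_can_reach_hard())
```

The kernel check only moves the soft limit of the running interpreter and puts it back afterwards; the hard limit is never lowered, because for an unprivileged process that change cannot be undone.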

Displaying Login Banners

It is prudent to place a legal banner on login screens on all servers, for legal reasons and to potentially deter intruders, among other things. Consult legal counsel for the content of the banner.

If you want to print a legal banner after a user logs in using ssh, local console, etc., you can use the /etc/motd file. Create the file if it doesn't exist and type in the banner that applies to your organization.

    # cat /etc/motd
    This system is classified...
    Use of this system constitutes consent to official monitoring.

For SSH you can edit the Banner parameter in the /etc/ssh/sshd_config file, which will display the banner before the login prompt.

For local console logins you can edit the /etc/issue file, which will display the banner before the login prompt.

For GDM you could make the following changes to require a user to acknowledge the legal banner by selecting "Yes" or "No". Edit the /etc/X11/gdm/PreSession/Default file and add the following lines at the beginning of the script:

    if ! gdialog --yesno '\nThis system is classified...\n' 10 10; then
        # the user did not accept the banner: end the session
        sleep 10
        exit 1
    fi

You have to add a sleep of 10 seconds, otherwise GDM will believe that X crashed if the session lasted less than 10 seconds. Unfortunately, at the time of this writing the 10 seconds timeout is hardcoded and there is no configuration parameter to change it. I checked the source code myself.

Miscellaneous

Host-Based Linux Monitoring and Intrusion Detection

Before you put a server into production, or better, before you put a server on the network, you should have an integrity checker installed on your system that lets you check if unauthorized changes have been made. In this way, if an intruder compromises your system, you will know what changed on your server. You should also have an Intrusion Detection Software (IDS) solution in place that alarms you about intrusions, as well as Intrusion Prevention software.

It is outside the scope of this article to cover Linux Monitoring and Intrusion Detection solutions. There are lots of interesting articles out there to read and there are several good products available on the market, including open source solutions. For a powerful open source network intrusion prevention and detection system see Securing your system with Snort (http://www.redhat.com/magazine/013nov05/features/snort/).

Connect Accounting Utilities

Here is a list of commands you can use to get data about user logins:

- who: Shows a listing of currently logged-in users.
- w: Shows who is logged on and what they are doing.
- last: Shows a list of last logged-in users, including login time, logout time, login IP address, etc.
- lastb: Same as last, except that by default it shows a log of the file /var/log/btmp, which contains all the bad login attempts.
- lastlog: This command reports data maintained in /var/log/lastlog, which is a record of the last time a user logged in.
- ac: Prints out the connect time in hours on a per-user basis or daily basis, etc. This command reads /var/log/wtmp.
- dump-utmp: Converts raw data from /var/run/utmp or /var/log/wtmp into ASCII-parsable format.

Also check the /var/log/messages file.

Other

The following items may not necessarily be Linux security related but should be configured correctly on all audited Linux systems:

- Resolver (/etc/hosts, /etc/resolv.conf, /etc/nsswitch.conf)
- NTP (/etc/ntp.conf)

Bibliography and References

- Linux PAM Documentation: http://cvs.sourceforge.net/viewcvs.py/pam/Linux-PAM/doc/
- Linux System Security: http://search.barnesandnoble.com/booksearch/isbnInquiry.asp?userid=aF8DrMPAIW&isbn=0130470112&TXT=Y&itm=1
- Nine principles of security architecture: http://software.newsforge.com/software/05/11/14/2115222.shtml?tid=78
- Securing & Optimizing Linux: http://www.openna.com/products/books.php
- Smarter Password Management: http://www.freesoftwaremagazine.com/free_issues/issue_01/passwd_management/
- Network Intrusion Detection: http://www.bookpool.com/.x/6fim6431ii/sm/0735712654
- SELinux - NSA's Open Source Security Enhanced Linux: http://www.bookpool.com/.x/6fim64ts50/ss?qs=selinux&x=0&y=0

DISCLAIMER: The information provided on this website comes without warranty of any kind and is distributed AS IS. Every effort has been made to provide the information as accurately as possible, but no warranty or fitness is implied. The information may be incomplete, may contain errors or may have become out of date. The use of the information described herein is your responsibility, and if you use it in your own environments you do so at your own risk.

Copyright =99C PUSCHITZ.COM