Australia's Leading Computer Emergency Response Team

AusCERT - UNIX Security Checklist v2.0 - The Essentials
Date: 08 October 2001
Original URL: http://www.auscert.org.au/render.html?cid=1937&it=1968

Disclaimer

AusCERT and CERT/CC advise that this information is provided without warranty - sites should ensure that actions and procedures taken from information in this document are verified and in accordance with security policies that are in place within their organisation. Listing of an application program or tool within this document does not constitute endorsement by AusCERT, The University of Queensland, or CERT/CC.


Before You Begin


Before the System is "Live"

Step One - Patches

  • Check for last-minute updates for your system that need to be performed subsequent to installation.

  • Install security patches retrieved before installation.

  • Check for the availability of a hardening script package for your particular system. Information on hardening scripts is available in the USC at Section IV - Specific Operating Systems.


Step Two - System Configuration

  • For more detailed information, refer to the USC at 2.0 Network Services.

  • Disable any services which you do not absolutely require, by commenting out individual lines in /etc/inetd.conf with a "#" character, then re-enabling essential services only. See 2.1 /etc/inetd.conf.

  • Unless "r" commands (i.e. rsh, rlogin) are required, remove or empty the file /etc/hosts.equiv.

  • If "r" commands are required, consider replacing them with secure alternatives, such as ssh. See A.2.13 ssh in the USC for more information.

  • Configure tcp_wrappers in /etc/inetd.conf to provide greater access control and logging on enabled services if using the inetd daemon. See 2.2 tcp_wrapper. If using xinetd, ensure that it is correctly configured in /etc/xinetd.conf. See 2.1 /etc/inetd.conf.

  • Edit /etc/hosts.allow to include this entry as the first uncommented line AFTER any configuration lines allowing connections for any specific services required:
    ALL:ALL:deny

  • Edit /etc/hosts.deny to include this entry as the first uncommented line in the file:
    ALL:ALL

  • Verify that you have disabled any unnecessary startup scripts under /etc, /etc/rc.d or /etc/init.d (or startup script directory for your system) and disabled any unneeded services from starting in these scripts.

  • Remove unneeded accounts/groups and disable interactive login access to system accounts.

  • After restarting the machine, check for running network services by issuing the command netstat -a. Ensure that only required services are running and listening for connections. This helps in preventing security compromises on possibly unknown and unpatched services.

  • On systems that implement the /etc/login.access file, consider modifying this file to disallow remote access to privileged accounts. An example to disallow non-local logins to privileged accounts (group wheel):
    -:wheel:ALL EXCEPT LOCAL

    See also 2.10 /etc/login.access

  • Ensure that the terminal security file (for example, /etc/securetty or /etc/ttys) is configured to deny privileged (root) access from any external connections. See 2.15 Secure Terminals.

  • Check that the configuration files for PAM (/etc/pam.conf, /etc/pam.d/*) are secure. See 2.13 PAM (Pluggable Authentication Modules).

  • Ensure that the file /etc/ftpusers contains the names of all system accounts, as well as root. See 5.3 Special accounts.

  • Prevent lpd and syslogd from listening for network connections if possible. Caution should be exercised to ensure outbound connections are still allowed if required for your system configuration. This may be accomplished with command-line arguments and/or tcp_wrappers - refer to your system's info or man pages.

  • Clear /etc/hosts.lpd if not required. If the host is a print server, ensure that only fully qualified domain names are specified, i.e. hostname.domainname. See 2.9 /etc/hosts.lpd.
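
  The following script is an added example and is not part of the AusCERT checklist. It audits the Step Two files the checklist names (inetd.conf, hosts.equiv, hosts.allow, hosts.deny, ftpusers against passwd) and reports each deviation as a finding. The directory to audit is a parameter so the checks can be run against the constructed sample files that make_sample_etc creates; on a real host pass /etc. The allowed-services list and the "UID below 100 is a system account" cut-off are assumptions chosen for the example and should be adjusted to the site's policy.

```sh
#!/bin/sh
# Added example, not from the AusCERT checklist: audit the Step Two
# configuration files.  The directory is a parameter so the checks can be
# exercised against constructed sample files; pass /etc on a real host.
# Each finding is printed on its own line; the function succeeds only
# when nothing was found.

# inetd services the site has decided to keep (assumption for the example).
ALLOWED_INETD_SERVICES="ftp"

# Print the service name of every uncommented entry in an inetd.conf.
# Field layout: service socket proto flags user program [args]
inetd_enabled() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1 }' "$1"
}

# First or last uncommented, non-blank line of a file, whitespace removed.
active_line() {   # active_line head|tail FILE
    grep -v '^[[:space:]]*#' "$2" | grep -v '^[[:space:]]*$' | "$1" -n 1 | tr -d ' \t'
}

audit_step_two() {   # audit_step_two ETC_DIR
    etc="$1"
    findings=0

    for svc in $(inetd_enabled "$etc/inetd.conf"); do
        case " $ALLOWED_INETD_SERVICES " in
            *" $svc "*) ;;
            *) echo "FINDING: inetd.conf enables unneeded service '$svc'"
               findings=$((findings + 1)) ;;
        esac
    done

    # hosts.equiv should be absent or empty unless r-commands are required.
    if [ -s "$etc/hosts.equiv" ]; then
        echo "FINDING: hosts.equiv is non-empty (r-command trust)"
        findings=$((findings + 1))
    fi

    # tcp_wrappers: hosts.allow must end in the catch-all deny and
    # hosts.deny must open with ALL:ALL, as the checklist specifies.
    if [ "$(active_line tail "$etc/hosts.allow")" != "ALL:ALL:deny" ]; then
        echo "FINDING: hosts.allow does not end with ALL:ALL:deny"
        findings=$((findings + 1))
    fi
    if [ "$(active_line head "$etc/hosts.deny")" != "ALL:ALL" ]; then
        echo "FINDING: hosts.deny does not begin with ALL:ALL"
        findings=$((findings + 1))
    fi

    # Every system account (UID below 100 here, an assumption) including
    # root must be listed in ftpusers.
    for acct in $(awk -F: '$3 < 100 { print $1 }' "$etc/passwd"); do
        if ! grep -qx "$acct" "$etc/ftpusers"; then
            echo "FINDING: system account '$acct' missing from ftpusers"
            findings=$((findings + 1))
        fi
    done

    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

# Build a constructed /etc stand-in with three deliberate problems:
# finger enabled, a populated hosts.equiv, and 'bin' absent from ftpusers.
make_sample_etc() {
    d=$(mktemp -d)
    printf '%s\n' '#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd' \
        'ftp    stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l' \
        'finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd' > "$d/inetd.conf"
    printf 'trusted.example.com\n' > "$d/hosts.equiv"
    printf '%s\n' 'sshd: 192.0.2.' 'ALL:ALL:deny' > "$d/hosts.allow"
    printf 'ALL:ALL\n' > "$d/hosts.deny"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin' \
        'bin:x:2:2:bin:/bin:/sbin/nologin' \
        'alice:x:1001:1001:Alice:/home/alice:/bin/sh' > "$d/passwd"
    printf '%s\n' root daemon > "$d/ftpusers"
    echo "$d"
}

# Usage: audit_step_two "$(make_sample_etc)"    (or: audit_step_two /etc)
```

  Run against the sample directory the script reports three findings and exits non-zero; run against a real /etc it is a quick regression check to repeat after every patch or package installation, since upgrades sometimes re-enable inetd entries or recreate accounts.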


Step Three - Network Options

  • At a minimum, make use of any built-in firewalling utility that the operating system provides. For example: Linux has ipchains and iptables (See A.4.2.4 and A.4.2.5), BSD has ipfw (See A.4.2.1), Sun Solaris includes a "light" version of their SunScreen product with Solaris 8 (See A.4.2.6).

  • Ensure that the host is configured against IP spoofing and attacks with kernel and firewall rules. See 3.1 Packet Filtering and 3.2 Denial of Service Attacks.

  • If you wish to remotely administer your host, don't use unencrypted channels to do so (like telnet). Configure your host to use encrypted communications with a utility like SSH. See 3.3 Encryption and Strong Authentication.
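
  As an added illustration of the "kernel and firewall rules" against IP spoofing (this is example code, not part of the checklist or of any vendor package), the script below generates a minimal anti-spoofing rule set for Linux iptables together with the reverse-path-filter sysctl. It prints the commands instead of running them so the output can be reviewed, tested and only then fed to a root shell. The interface name and network prefix are placeholders supplied by the caller; the bogon list is the usual set of address blocks that can never be a legitimate source on an external interface.

```sh
#!/bin/sh
# Added example, not from the AusCERT checklist: generate Linux iptables
# rules that drop obviously spoofed packets arriving on the external
# interface, plus the kernel reverse-path-filter sysctl.  The rules are
# printed rather than executed so they can be reviewed and tested; EXT_IF
# and MY_NET are placeholders for the site's own interface and prefix.
# The "! -i" placement is current iptables syntax; old releases wrote "-i ! lo".

# Address blocks that can never be a legitimate source on the outside.
BOGON_NETS="0.0.0.0/8 10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

antispoof_rules() {   # antispoof_rules EXT_IF MY_NET
    ext_if="$1"; my_net="$2"
    # Kernel side: discard packets whose source address would not be
    # routed back out of the interface they arrived on.
    echo "sysctl -w net.ipv4.conf.all.rp_filter=1"
    echo "sysctl -w net.ipv4.conf.$ext_if.rp_filter=1"
    # Loopback sources must only ever appear on lo.
    echo "iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP"
    # Our own prefix cannot legitimately arrive from the outside.
    echo "iptables -A INPUT -i $ext_if -s $my_net -j DROP"
    for net in $BOGON_NETS; do
        echo "iptables -A INPUT -i $ext_if -s $net -j DROP"
    done
}

# Apply after review (root required):  antispoof_rules eth0 192.0.2.0/24 | sh -e
```

  The rules belong at the top of the INPUT chain, before any ACCEPT rules for the services kept in Step Two, and they complement rather than replace the site's stateful filtering policy.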


Step Four - System Monitoring and Additional Tools

  • Implement and maintain utilities for intrusion detection. At a minimum, implement a file integrity checker to monitor file-system changes. More information is available in the USC at 4.0 File System Security.

  • Additional information on security and monitoring tools is available in the USC at Appendix A.
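
  To show what the file integrity checker called for in Step Four actually does, here is an added example (not from the checklist, and not one of the tools listed in the USC appendix): a baseline of file hashes is recorded once, and a later verification pass reports every file that changed, appeared or disappeared. The demo function builds a constructed directory tree, baselines it, tampers with it in the three typical ways and runs the verification. The hash tool is chosen at run time; the fallback to cksum exists only so the script runs on a minimal system.

```sh
#!/bin/sh
# Added example, not part of the AusCERT checklist: a minimal file
# integrity checker of the kind Step Four asks for.  "baseline" records a
# hash of every regular file under a directory; "verify" reports files
# that changed, appeared or vanished since then.  Keep the baseline on
# read-only or off-host media; a baseline an intruder can rewrite proves
# nothing.

# Prefer a cryptographic hash.  cksum (CRC-32) is the last resort so the
# script still runs on a minimal system, but collisions are trivial there.
if command -v sha256sum >/dev/null 2>&1; then
    HASH="sha256sum"
elif command -v shasum >/dev/null 2>&1; then
    HASH="shasum -a 256"
else
    HASH="cksum"
fi

# Print "hash  path" (two-space separator) for every regular file under
# $1, sorted by path.  Paths containing two consecutive spaces are not
# handled by this example.
hash_tree() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        h=$($HASH "$f" | awk '{ print $1 }')
        printf '%s  %s\n' "$h" "$f"
    done
}

baseline() {   # baseline DIR BASELINE_FILE
    hash_tree "$1" > "$2"
}

# verify DIR BASELINE_FILE: prints one ADDED/CHANGED/REMOVED line per
# difference and returns 1 if there was any, 0 if the tree is unchanged.
verify() {
    current=$(mktemp)
    hash_tree "$1" > "$current"
    report=$(awk -F '  ' '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        {
            seen[$2] = 1
            if (!($2 in base))       print "ADDED   " $2
            else if (base[$2] != $1) print "CHANGED " $2
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed demonstration: baseline a small tree, then tamper with it
# in the three ways an intrusion typically shows up.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/bin"
    printf 'original\n' > "$work/tree/bin/ls"
    printf 'hello\n'    > "$work/tree/motd"
    baseline "$work/tree" "$work/baseline.db"
    printf 'trojaned\n' > "$work/tree/bin/ls"      # modified binary
    printf 'x\n'        > "$work/tree/bin/.hidden" # dropped file
    rm -f "$work/tree/motd"                        # deleted file
    verify "$work/tree" "$work/baseline.db"
}
```

  In production the baseline would cover at least the system binaries, libraries and the configuration files from Step Two, be taken immediately after the backup in Step Five, and be compared on a schedule whose report feeds the log review procedure; a real tool such as those in the USC appendix also records ownership, permissions and inode data, which this example omits.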


Step Five - Final Updates

  • Ensure you implement a procedure to regularly parse and check system log outputs for unusual activity.

  • Make a backup of the completed system before putting it on a production network. This allows you a clear path to restore the system to an operational state. You should also implement a continuing backup policy.

  • Create and maintain a logbook for each system. This allows you to document any changes made to system configurations.
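
  The log review procedure in Step Five is easiest to maintain when it is a script that runs from cron and mails only the alerts. The following added example (not from the checklist) shows the shape of such a script: an awk pass over syslog lines that flags repeated failed logins per source address, any su to root, and an interface entering promiscuous mode. The log lines embedded in SAMPLE_LOG are constructed for the example; on a real host the scan_log function would read /var/log/messages, /var/log/auth.log or wherever syslog.conf sends auth and kernel messages. The default threshold of three failures is an assumption.

```sh
#!/bin/sh
# Added example, not from the AusCERT checklist: a small syslog scanner of
# the kind Step Five asks for.  It flags repeated failed logins per source
# address, su to root, and an interface entering promiscuous mode.  The
# log lines below are constructed; on a real host feed the syslog file to
# scan_log instead.
SAMPLE_LOG=$(cat <<'EOF'
Oct  8 09:01:02 host sshd[812]: Failed password for root from 198.51.100.7 port 40212 ssh2
Oct  8 09:01:05 host sshd[812]: Failed password for root from 198.51.100.7 port 40213 ssh2
Oct  8 09:01:08 host sshd[812]: Failed password for invalid user admin from 198.51.100.7 port 40214 ssh2
Oct  8 09:02:11 host sshd[830]: Accepted publickey for alice from 192.0.2.10 port 50001 ssh2
Oct  8 09:03:40 host su: alice to root on /dev/pts/1
Oct  8 09:04:01 host kernel: device eth0 entered promiscuous mode
Oct  8 09:05:00 host cron[900]: (root) CMD (run-parts /etc/cron.hourly)
EOF
)

# scan_log [THRESHOLD] < logfile : prints one ALERT line per finding.
# Failed-login alerts are aggregated per source and emitted at the end.
scan_log() {
    awk -v thr="${1:-3}" '
        /Failed password/ {
            # the source address is the token following "from"
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        / su: .* to root / { print "ALERT su-to-root: " $0 }
        /promiscuous mode/ { print "ALERT promiscuous: " $0 }
        END {
            for (ip in fails)
                if (fails[ip] >= thr)
                    print "ALERT " fails[ip] " failed logins from " ip
        }'
}

# Number of alerts the constructed sample produces at a given threshold.
count_alerts() {   # count_alerts THRESHOLD
    printf '%s\n' "$SAMPLE_LOG" | scan_log "$1" | grep -c '^ALERT'
}

# Usage on a live system:  scan_log 5 < /var/log/messages | mail -s "log alerts" root
```

  Two points matter more than the patterns themselves: the script must run from a host or account that the monitored system cannot alter (central syslog is the usual answer), and every alert category should be noted in the system logbook with the decision taken, so that the same noise is not re-investigated every week.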


Revision History
Oct 8, 2001
Initial Release