For Debian systems, refer to the "Securing Debian Manual", available at http://www.debian.org/doc/user-manuals#securing
For Red Hat systems, refer to the "Red Hat Enterprise Linux Security Guide", available at http://www.redhat.com/docs/manuals/enterprise/
Another useful online resource is the "Linux Administrator's Security Guide", available at http://www.seifried.org/lasg/
Red Hat / Fedora:
- The signatures on Red Hat RPM packages can be verified using the command
rpm -K packagename.rpm
- If the Red Hat public key is not yet known by rpm, the key is available on the installation CDs or in /usr/share/rhn and can be provided to rpm using the command
rpm --import RPM_GPG_KEY
On Debian systems:
- The checksecurity(8) script, run daily from cron, will alert on any changes to the list of SetUID programs.
- After manually removing SetUID/SetGID permissions from a program, the dpkg-statoverride command can be used to make sure that these permissions are not automatically re-added when dpkg updates the package.
Debian's checksecurity(8) script will alert daily if any accounts have blank passwords.
Full information about configuring PAM on Linux is available from: http://www.kernel.org/pub/linux/libs/pam/
Under Linux the chattr(1) command can be used to set file attributes including "i" for immutable and "a" for append only.
Several different RBAC implementations are available for Linux.
- SE Linux (described below) uses roles to restrict which security domains a particular user can enter, thus determining their access on the system.
- The GRsecurity project provides multiple security enhancements for Linux systems, including role based access control as one aspect. http://www.grsecurity.net/
- The RSBAC project implements role based access control among its other models (see E.4.5 below).
SE Linux provides fine grained mandatory access control for all resources on the system, using a Type Enforcement access model. It can also optionally be configured to enforce the standard Bell La Padula mandatory access control model. http://www.nsa.gov/selinux/
SE Linux may be active by default on some Linux distributions, such as Red Hat Enterprise Linux and Fedora Core. On other Linux systems including Gentoo and Debian it can be optionally installed.
For information on using SE Linux on specific systems, see:
An alternative implementation of mandatory access control for Linux that uses the Bell La Padula model integrated with Role Based Access Control is the RSBAC project: http://www.rsbac.org/
SE Linux (see E.4.5 above) allows highly configurable confinement of processes that is stronger than the confinement provided by chroot as it covers access to all resources. It is also more convenient than chroot in that it does not require an alternate filesystem to be set up.
Similarly, GRsecurity (http://www.grsecurity.net/) allows highly configurable confinement of processes. It also provides patches to strengthen chroot itself, removing many of the loopholes that attackers use to escape a chroot jail.
As of Linux kernel version 2.6.6, Linux has its own audit subsystem, controlled by the auditctl(8) utility. This can be configured with audit rules to monitor events of interest, including specific system calls or access to specific files.
Alternatively, SNARE for Linux is a third party audit subsystem that includes graphical reporting and configuration. It is available for download at http://www.intersectalliance.com/projects/Snare/
The "netfilter" host firewall packet filter is part of the Linux kernel. It is controlled using the iptables(8) command. Further details and the iptables HOWTO document are available at http://www.netfilter.org/
IP forwarding is controlled by the sysctl parameters
The forwarding may already be off by default, and otherwise can be disabled in /etc/sysctl.conf or by using the commands
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
The use of SYN cookies is controlled by the sysctl parameter net.ipv4.tcp_syncookies. This may already be on by default, and otherwise can be set in /etc/sysctl.conf or using the command
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
A further sysctl, net.ipv4.conf.all.rp_filter, can be used to reject some kinds of spoofed packets. This feature compares the source address of a received packet against the current route to that IP address to verify that the packet arrived through the right interface.
Note that rp_filter does not address the weak end system issue, which involves the destination IP rather than the source IP. Therefore, for systems with more than one network interface it is best to explicitly add iptables rules to block packets received on one interface but addressed to the IP of another interface.
These and other Linux network sysctls are documented in the Linux source in the file Documentation/networking/ip-sysctl.txt
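The following shell functions are an added example, not part of the original checklist. They audit the runtime values of the sysctls discussed above (forwarding off, SYN cookies on, rp_filter on). The function names and the PROC_SYS_ROOT override are assumptions of this example, as is treating rp_filter value 1 (strict mode) as the expected setting.

```shell
#!/bin/sh
# Added example: audit the network sysctls named in this section.
# PROC_SYS_ROOT is an assumption of this example; it lets the check be
# pointed at a constructed directory tree. It defaults to /proc/sys.

# check_sysctl KEY EXPECTED
# Prints one status line. Returns 0 on match, 1 on mismatch, 2 if the
# parameter does not exist (for example, IPv6 not enabled in the kernel).
check_sysctl() {
    key=$1
    expected=$2
    # Dots map to directory separators; safe here because none of the
    # audited keys contain an interface name with a dot in it.
    path="${PROC_SYS_ROOT:-/proc/sys}/$(printf '%s' "$key" | tr . /)"
    if [ ! -r "$path" ]; then
        echo "SKIP $key (not present)"
        return 2
    fi
    actual=$(cat "$path")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $key = $actual"
        return 0
    fi
    echo "FAIL $key = $actual (expected $expected)"
    return 1
}

# audit_network_sysctls
# Returns 0 only if no audited parameter has an unexpected value.
# Absent parameters are reported but not counted as failures.
audit_network_sysctls() {
    failures=0
    while read -r name want; do
        rc=0
        check_sysctl "$name" "$want" || rc=$?
        if [ "$rc" -eq 1 ]; then
            failures=$((failures + 1))
        fi
    done <<EOF
net.ipv4.ip_forward 0
net.ipv6.conf.all.forwarding 0
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.rp_filter 1
EOF
    [ "$failures" -eq 0 ]
}
```

Calling audit_network_sysctls from a daily cron job reports drift in the running values; settings made only with echo are lost at reboot unless they are also placed in /etc/sysctl.conf.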