Australia's Leading Computer Emergency Response Team

UNIX and Linux Security Checklist v3.0 Notes - Linux
Date: 13 February 2007
Original URL:

OS Specific footnotes - Linux
OS Specific Footnotes - Linux

For Debian systems, refer to the "Securing Debian Manual", available at

For Red Hat systems, refer to the "Red Hat Enterprise Linux Security Guide" available at

Another useful online resource is the "Linux Administrator's Security Guide", available at

C.2 Verify integrity of all patches and updates

Red Hat / Fedora:

  • The signatures on Red Hat RPM packages can be verified using the command
    rpm -K packagename.rpm
  • If the Red Hat public key is not yet known by rpm, the key is available on the installation CDs or in /usr/share/rhn and can be provided to rpm using the command
    rpm --import RPM_GPG_KEY

D.3 Minimize SetUID/SetGID programs

On Debian systems:

  • The checksecurity(8) script, run daily from cron, will alert any changes to the list of SetUID programs.
  • After manually removing SetUID/SetGID permissions from a program, the dpkg-statoverride command can be used to make sure that these permissions are not automatically re-added when dpkg updates the package.

E. Secure Base OS
E.3.1.3 Ensure all accounts have passwords or are disabled

Debian's checksecurity(8) script will alert daily if any accounts have blank passwords.

E.3.3 PAM Pluggable Authentication Modules

Full information about configuring PAM on Linux is available from:

E.4.2 Filesystem attributes

Under Linux the chattr(1) command can be used to set file attributes including "i" for immutable and "a" for append only.

E.4.3 Role Based Access Control

Several different RBAC implementations are available for Linux.

  • SE Linux (described below) uses roles to restrict which security domains a particular user can enter, thus determining their access on the system.
  • The GRsecurity project provides multiple security enhancements for Linux systems, including role based access control as one aspect.
  • The RSBAC project implements role based access control among its other models (see E.4.5 below).

E.4.5 Consider mandatory access control features

SE Linux provides fine grained mandatory access control for all resources on the system, using a Type Enforcement access model. It can also optionally be configured to enforce the standard Bell La Padula mandatory access control model.

SE Linux may be active by default on some Linux distributions, such as Red Hat Enterprise Linux and Fedora Core. On other Linux systems including Gentoo and Debian it can be optionally installed.

For information on using SE Linux on specific systems, see:

An alternative implementation of mandatory access control for Linux that uses the Bell La Padula model integrated with Role Based Access Control is the RSBAC project:

F.1.3 Other confinement mechanisms

SE Linux (see E.4.5 above) allows highly configurable confinement of processes that is stronger than the confinement provided by chroot as it covers access to all resources. It is also more convenient than chroot in that it does not require an alternate filesystem to be set up.

Similarly, GRsecurity ( allows highly configurable confinement of processes. It also provides patches to strengthen chroot itself, removing many of the loopholes that attackers use to escape a chroot jail.

G.3 Enable trusted audit subsystem

As of Linux kernel versions 2.6.6 and later, Linux now has its own audit subsystem controlled by the auditctl(8) utility. This can be configured with audit rules to monitor events of interest including specific system calls or access to specific files.

Alternatively, SNARE for Linux is a third party audit subsystem that includes graphical reporting and configuration. It is available for download at

H.1.1 Identify host firewall software

The "netfilter" host firewall packet filter is part of the Linux kernel. It is controlled using the iptables(8) command. Further details and the iptables HOWTO document are available at

H.3 Network stack hardening / sysctls

IP forwarding is controlled by the sysctl parameters net.ipv4.ip_forward and net.ipv6.conf.all.forwarding The forwarding may already be off by default, and otherwise can be disabled in /etc/sysctl.conf or by using the commands echo 0 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv6/conf/all/forwarding

The use of SYN cookies is controlled by the sysctl parameter net.ipv4.tcp_syncookies This may already be on by default, and otherwise can be set in /etc/sysctl.conf or using the command echo 1 > /proc/sys/net/ipv4/tcp_syncookies

A further sysctl net.ipv4.conf.all.rp_filter can be used to reject some kinds of spoofed packets. This feature checks the source address of a received packet to check it is coming in through the right interface, by comparing to the current route to that IP address.

Note that rp_filter does not address the weak end system issue, which involves the destination IP rather than the source IP. Therefore, for systems with more than one network interface it is best to explicitly add iptables rules to block packets received on one interface but addressed to the IP of another interface.

These and other Linux network sysctls are documented in the Linux source in the file Documentation/networking/ip-sysctl.txt