OS Specific Footnotes - Linux
C.2 Verify integrity of all patches and updates
D.3 Minimize SetUID/SetGID programs
Red Hat / Fedora:
- The signatures on Red Hat RPM packages can be verified using the command
rpm -K packagename.rpm
- If the Red Hat public key is not yet known by rpm, the key is available on
the installation CDs or in /usr/share/rhn and can
be provided to rpm using the command
rpm --import RPM_GPG_KEY
E. Secure Base OS
E.3.1.3 Ensure all accounts have passwords or are disabled
On Debian systems:
- The checksecurity(8) script, run daily from cron,
will alert any changes to the list of SetUID programs.
- After manually removing SetUID/SetGID permissions from a program, the
dpkg-statoverride command can be used to make sure that these permissions
are not automatically re-added when dpkg updates the package.
E.3.3 PAM Pluggable Authentication Modules
E.4.2 Filesystem attributes
Debian's checksecurity(8) script will alert daily if any accounts
have blank passwords.
E.4.3 Role Based Access Control
Under Linux the chattr(1) command can be
used to set file attributes including "i" for immutable and "a" for append only.
E.4.5 Consider mandatory access control features
Several different RBAC implementations are available for Linux.
- SE Linux (described below) uses roles to restrict which security domains
a particular user can enter, thus determining their access on the
- The GRsecurity project provides multiple security enhancements for Linux
systems, including role based access control as one aspect.
- The RSBAC project implements role based access control among its
other models (see E.4.5 below).
F.1.3 Other confinement mechanisms
SE Linux provides fine grained mandatory access control for all resources on
the system, using a Type Enforcement access model. It can also optionally
be configured to enforce the standard Bell La Padula mandatory access
control model. http://www.nsa.gov/selinux/
SE Linux may be active by default on some Linux distributions, such as
Red Hat Enterprise Linux and Fedora Core. On other Linux systems including
Gentoo and Debian it can be optionally installed.
For information on using SE Linux on specific systems, see:
An alternative implementation of mandatory access control for Linux
that uses the Bell La Padula model integrated with Role Based Access Control
is the RSBAC project:
G.3 Enable trusted audit subsystem
SE Linux (see E.4.5 above) allows highly configurable confinement
of processes that is stronger than the confinement provided by chroot
as it covers access to all resources. It is also more convenient than
chroot in that it does not require an alternate filesystem to be set up.
Similarly, GRsecurity (http://www.grsecurity.net/)
allows highly configurable confinement of processes. It also provides
patches to strengthen chroot itself, removing many of the loopholes that attackers use to escape a chroot jail.
H.1.1 Identify host firewall software
As of Linux kernel versions 2.6.6 and later, Linux now has its own audit
subsystem controlled by the auditctl(8) utility.
This can be configured with audit rules to monitor events of interest
including specific system calls or access to specific files.
Alternatively, SNARE for Linux is a third party audit subsystem that
includes graphical reporting and configuration. It is available for download at
H.3 Network stack hardening / sysctls
The "netfilter" host firewall packet filter is part of the Linux
kernel. It is controlled using the iptables(8) command.
Further details and the iptables HOWTO document are available at
IP forwarding is controlled by the sysctl parameters
The forwarding may already be off by default, and otherwise can
be disabled in /etc/sysctl.conf or by using the commands
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
The use of SYN cookies is controlled by the sysctl parameter
This may already be on by default, and otherwise can be set in
/etc/sysctl.conf or using the command
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
A further sysctl net.ipv4.conf.all.rp_filter
can be used to reject some kinds of spoofed packets. This feature checks
the source address of a received packet to check it is coming in through
the right interface, by comparing to the current route to that IP address.
Note that rp_filter does not address the weak end system issue, which
involves the destination IP rather than the source IP.
Therefore, for systems with more than one network interface it is
best to explicitly add iptables rules to block packets received on
one interface but addressed to the IP of another interface.
These and other Linux network sysctls are documented in the Linux
source in the file Documentation/networking/ip-sysctl.txt