Best Practices of Linux Security

  • User Security
  • Password Security
  • Securing the root account
  • File Security
  • System Security
  • Auditing
  • Network Security

User Security

  • Avoid shared accounts
  • Ensure each user is assigned a unique account name and a unique UID
  • Ensure a logon-warning banner is displayed on all devices and sessions at the initial logon
  • Enable account locking after three consecutive failed logon attempts
  • Lock accounts after 30 days of inactivity or during employee vacations
  • Configure systems to lock out interactive processes (i.e., terminal sessions, SSH sessions, etc.) after 15 minutes of inactivity, or ensure a password-protected screen lock mechanism is used and is set to lock the screen after 15 minutes of inactivity
  • Assign every user a home directory in the /etc/passwd file
  • Ensure all home directories defined in the /etc/passwd file exist
  • Configure user home directories to have initial permissions of 700, and never more permissive than 750
  • Ensure the user’s home directory is owned by the user

Password Security

  • Ensure easily guessed passwords are not used
  • Ensure passwords are not reused within the last ten changes
  • Ensure the system global password configuration files are configured per password requirements
  • Change the root password whenever an individual with access to the root password is reassigned
  • Ensure passwords are not changed more than once a day
  • Ensure passwords meet complexity and length requirements
  • Ensure passwords do not contain personal information
  • Ensure passwords are changed at least every 90 days, including the root password

Securing the root account

  • Ensure only root has a UID of 0
  • Limit access to the root account to security and administrative users who require such access and document this access
  • Ensure root is assigned a home directory other than '/' (e.g. /roothome)
  • Permit root to only log on as root from the system console, and then only when necessary to perform system maintenance
  • Don’t define any remote consoles
  • Enforce users requiring root privileges to log on to their personal account and use the su or sudo command to switch to root

File Security

  • Ensure all files have a valid owner and group
  • Ensure all daemons have permissions of 755, or more restrictive
  • Ensure all system commands have permissions of 755, or more restrictive
  • Ensure the owner of all system files, programs, and directories is a system account
  • Ensure the group owner of all system files, programs, and directories is a system group
  • Ensure all system log files have permissions of 640, or more restrictive
  • Ensure all system library files have permissions of 755, or more restrictive
  • Ensure the /etc/passwd file has permissions of 644, or more restrictive
  • Ensure the owner of the /etc/passwd and /etc/shadow files (or equivalent) is root
  • Ensure the /etc/shadow file (or equivalent) has permissions of 400
  • Configure the default umask to be 037
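The "permissions of N, or more restrictive" and "owner is root" items in this section can be verified against a baseline list with the shell functions below. This is an added example, not from the original page; it assumes GNU coreutils `stat -c` (Linux), BASELINE is a constructed list in the form "path max_mode owner_uid", and the ROOT argument is an assumed helper so a copied tree can be checked.

```shell
# Added example: verify files are no more permissive than a maximum octal mode
# and are owned by the expected UID. Assumes GNU coreutils `stat -c` (Linux).

# mode_within MODE MAX: succeed if MODE sets no permission bit that MAX lacks
# (octal strings as printed by stat; setuid/setgid/sticky bits count too).
mode_within() {
    [ $(( 0$1 & ~0$2 )) -eq 0 ]
}

# check_file PATH MAX_MODE OWNER_UID: print OK/FAIL lines, return 1 on failure.
check_file() {
    _path=$1 _max=$2 _uid=$3 _rc=0
    if [ ! -e "$_path" ]; then
        echo "FAIL $_path: missing"
        return 1
    fi
    _mode=$(stat -c '%a' "$_path")
    _owner=$(stat -c '%u' "$_path")
    if ! mode_within "$_mode" "$_max"; then
        echo "FAIL $_path: mode $_mode is more permissive than $_max"; _rc=1
    fi
    if [ "$_owner" != "$_uid" ]; then
        echo "FAIL $_path: owner uid $_owner, expected $_uid"; _rc=1
    fi
    [ "$_rc" -eq 0 ] && echo "OK $_path"
    return "$_rc"
}

# check_baseline ROOT < LIST: LIST lines are "path max_mode owner_uid";
# ROOT (assumed helper argument, "" for the live system) is prefixed to path.
check_baseline() {
    _fail=0
    while read -r _p _m _u; do
        [ -n "$_p" ] || continue
        check_file "$1$_p" "$_m" "$_u" || _fail=1
    done
    return "$_fail"
}

# Constructed baseline following the checklist items (owner uid 0 = root):
BASELINE='/etc/passwd 644 0
/etc/shadow 400 0
/var/log/messages 640 0'
# Usage on the live system: printf '%s\n' "$BASELINE" | check_baseline ""
```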

System Security

  • Ensure the host is configured to require a password for access to single-user and maintenance modes
  • Keep track of and install vendor recommended and required security patches
  • Create and maintain a system baseline (all device files, all sgid and suid files, and system libraries and binaries), including cryptographic hashes of the files in the baseline
  • Ensure run control scripts have permissions of 755, or more restrictive
  • Ensure global initialization files have permissions of 644, or more restrictive
  • Ensure the owner of global initialization files is root, and that the group owner of global initialization files is root, sys, bin, other, or the system default
  • Ensure .rhosts is not supported in the pluggable authentication module (PAM)
  • Don’t configure any shells to have the suid or the sgid bit set
  • Configure the system and user umask to at least 037, and no more permissive than 022
  • Ensure logon capability for default system accounts (e.g., bin, lib, uucp, news, sys, guest, daemon, and any default account not normally logged onto) is disabled by setting the default shell to /bin/false, /usr/bin/false, /sbin/false, /sbin/nologin, or /dev/null, and by locking the password
  • Control access to the cron utilities via the cron.allow and/or cron.deny file(s)
  • Ensure the cron.allow file has permissions of 600, or more restrictive
  • Configure separate filesystem partitions for /home, /export/home, and /var

Auditing

  • Configure and implement auditing
  • Ensure audit data files and directories are readable only by authorized personnel
  • Ensure audit data files have permissions of 640, or more restrictive
  • Configure the auditing system to audit the following events for all users and root:
      • Logon (unsuccessful and successful) and logout (successful)
      • Process and session initiation (unsuccessful and successful)
      • Discretionary access control permission modification (unsuccessful and successful use of chown/chmod)
      • Use of privileged commands (unsuccessful and successful)
      • Use of print command (unsuccessful and successful)
      • Export to media (successful)
      • System startup and shutdown (unsuccessful and successful)
      • Files and programs deleted by the user (successful and unsuccessful)
      • All system administration actions
      • All security personnel actions
  • On a daily basis, review the audit trails and/or system logs for:
      • Excessive logon attempt failures by single or multiple users
      • Logons at unusual/non-work hours
      • Failed attempts to access restricted system or data files indicating unauthorized browsing
      • Unusual or unauthorized activity by System Administrators
      • Command-line activity by a user that should not have that capability

Network Security

  • Basic network security practices include:
      • Disable source routed packets
      • Disable, for IPv6, source routed packets
      • Disable source routed return packets
      • Ensure all network services not required for operations are disabled
      • Ensure xinetd is disabled if all xinetd based services are disabled
      • Ensure the owner of the xinetd.conf file and the xinetd.d directory is root or bin
      • Ensure NFS client requests are restricted
      • Ensure the owner of the services file is root or bin
      • Ensure the services file has permissions of 644, or more restrictive
      • Ensure remote login and remote shell are not enabled
      • Ensure rexec is not enabled
      • Ensure finger is not enabled
      • Avoid using telnet and FTP – Use SSH instead

Rajesh Kumar