This is a follow-on post to my guide to installing CentOS 6.2. We will go through some of the steps required to secure your server and get it ready for production use. These steps will outline how to record what is installed on your system and how to detect whether files on it have been changed, which is the first thing you want to know if you suspect a compromise.
- Log in as root and grab a current software list (check out my previous blog post on this topic).
#Using RPM
rpm -qa
#Using yum
yum list installed
- Check that yum is forced to verify the GPG signature of every package it installs. This is the default in CentOS 6.2, but for the sake of completeness I have included this step. Check /etc/yum.conf and every file in /etc/yum.repos.d/ for the following line. A repository stanza that sets gpgcheck=0 overrides the [main] setting for that repository, and a stanza without the line inherits whatever [main] says, so both files matter:
gpgcheck=1
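As an added example that is not part of the original post, the following script performs this check over the whole yum configuration at once rather than by eye. It assumes the stock layout (a [main] section in the first argument, one or more .repo files in the second); the function name audit_gpgcheck and the output format are my own.

```shell
#!/bin/sh
# audit_gpgcheck CONF REPODIR
# Added example (not from the original post): report every yum repository whose
# effective gpgcheck setting is not 1. A stanza without its own gpgcheck line
# inherits the [main] value from CONF, so a missing line in /etc/yum.conf turns
# signature checking off for every repository that does not set it explicitly.
# Disabled repositories are reported too, because --enablerepo can turn them on.
# Returns 0 when every repository is checked, 1 otherwise.
audit_gpgcheck() {
    conf="$1"      # normally /etc/yum.conf
    repodir="$2"   # normally /etc/yum.repos.d
    bad=0
    if grep -qs '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$conf"; then
        global=1
    else
        global=0
        echo "$conf: [main] does not set gpgcheck=1 (repositories inherit gpgcheck=0)"
        bad=1
    fi
    for f in "$repodir"/*.repo; do
        [ -e "$f" ] || continue
        # one line per offending stanza: "file: [repo] gpgcheck=value"
        out=$(awk -v global="$global" '
            function report() {
                eff = (val == "inherit") ? global : val
                if (eff != "1") printf "%s: [%s] gpgcheck=%s\n", FILENAME, name, val
            }
            /^\[/ {
                if (name != "") report()
                name = $0; sub(/^\[/, "", name); sub(/\].*$/, "", name)
                val = "inherit"
            }
            /^[ \t]*gpgcheck[ \t]*=/ {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
                val = v
            }
            END { if (name != "") report() }
        ' "$f")
        if [ -n "$out" ]; then
            echo "$out"
            bad=1
        fi
    done
    return $bad
}

# Usage on a live system (as root):
#   audit_gpgcheck /etc/yum.conf /etc/yum.repos.d
```

The script only looks at the gpgcheck key; it does not verify that the gpgkey each repository points at is actually imported (rpm -q gpg-pubkey lists the imported keys), so treat a clean run as necessary rather than sufficient.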
- AIDE (Advanced Intrusion Detection Environment) is a file integrity checker: it records the attributes and checksums of the files you tell it to watch in a database and reports what has changed since that database was built. Install it using yum:
yum install aide
- Before you go further, read /etc/aide.conf and tailor it to your system. The defaults should be adequate for most installations, but you should know which directories AIDE watches, which it ignores, and which attributes it records; a check is only as good as its rules.
- Generate the initial AIDE database (by default it will be stored as /var/lib/aide/aide.db.new.gz):
/usr/sbin/aide --init
- Back up the database (in this example we are copying it to root's home directory). A copy on the same host only guards against accidental loss: anyone who gains root can rebuild the database to match their changes, so also keep a copy of the database (or at least its checksum) somewhere the server cannot write to, such as another host or read-only media:
cp /var/lib/aide/aide.db.new.gz ~/
- Install the AIDE database:
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
- Run a manual check:
/usr/sbin/aide --check
- Stop the yum update daemon (we are going to write our own update job). If you followed the above guide the service won't even be installed, but again I am including it here for completeness. CentOS 6 replaced yum-updatesd with the yum-cron package; if you have installed that instead, disable it the same way.
chkconfig yum-updatesd off
- Edit /etc/crontab by adding the following line (this will do a daily check of the system with AIDE). Cron mails the job's output to root, so make sure root's mail is actually read or forwarded to someone, otherwise the report goes nowhere:
50 4 * * * root /usr/sbin/aide --check
- Add a file called update.cron in /etc/cron.weekly/ with the following contents (NOTE: cron.weekly is run by the anacron service. Keep this in mind when you are disabling services later on in this guide).
#!/bin/sh
#
# Update yum itself first, then the rest of the system
/usr/bin/yum -R 120 -e 0 -d 0 -y update yum
/usr/bin/yum -R 10 -e 0 -d 0 -y update
#
# Save a list of software currently installed on the system
/bin/rpm -qa > /root/`/bin/hostname -s`_software_`/bin/date +%Y%m%d`.txt
#
# OPTIONAL: Fix all the prelinks (otherwise you may get a lot of prelink messages)
/usr/sbin/prelink --all
#
# Check the system against the current AIDE database and build a new one.
# --update reports the differences (cron mails the output to root) and writes
# the new database to /var/lib/aide/aide.db.new.gz; it does NOT replace
# aide.db.gz, so the new database has to be moved into place by hand.
/usr/sbin/aide --update
/bin/mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
#
# Make a back-up of the new database
/bin/cp /var/lib/aide/aide.db.gz /root/aide.db.`/bin/date +%Y%m%d`.gz
- Make /etc/cron.weekly/update.cron executable:
chmod 755 /etc/cron.weekly/update.cron
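As an added example that is not part of the original post, here are helpers the weekly script above could call instead of moving and copying the database blindly. decode_aide_status turns the exit status of aide into a message and a pass/fail result (cron runs the next command regardless of the exit status, so without this the status is simply lost), while rotate_aide_db installs the aide.db.new.gz written by aide --update as the live database and keeps dated, checksummed copies of both the old and new database, and verify_aide_db confirms the live database still matches the last copy. The function names and the backup directory /root/aide-backups are my assumptions; the exit-code meanings are those documented in the aide(1) man page for AIDE 0.14 and later.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the weekly AIDE job.

# decode_aide_status STATUS
# AIDE ORs 1 (new files), 2 (removed files) and 4 (changed files) into its exit
# status; 14 and above are errors (bad config, I/O error, version mismatch).
# Prints a one-line summary. Returns 0 for no changes, 1 for changes, 2 for errors.
decode_aide_status() {
    st="$1"
    if [ "$st" -eq 0 ]; then
        echo "no changes"
        return 0
    elif [ "$st" -ge 14 ]; then
        echo "aide error (exit $st)"
        return 2
    fi
    msg=""
    [ $((st & 1)) -ne 0 ] && msg="$msg new-files"
    [ $((st & 2)) -ne 0 ] && msg="$msg removed-files"
    [ $((st & 4)) -ne 0 ] && msg="$msg changed-files"
    echo "changes:$msg"
    return 1
}

# rotate_aide_db DBDIR BACKUPDIR
# Install DBDIR/aide.db.new.gz (written by "aide --update") as DBDIR/aide.db.gz.
# The database being replaced is kept as BACKUPDIR/aide.db.<stamp>.old.gz, the
# new one as BACKUPDIR/aide.db.<stamp>.gz, and its SHA-256 sum is appended to
# BACKUPDIR/SHA256SUMS so a later tampered baseline can be spotted. Prints the
# path of the new backup; returns 1 if there is no new database or a copy fails.
rotate_aide_db() {
    dbdir="$1"; bakdir="$2"
    stamp=$(date +%Y%m%d%H%M%S)
    if [ ! -s "$dbdir/aide.db.new.gz" ]; then
        echo "no new database in $dbdir; nothing rotated" >&2
        return 1
    fi
    mkdir -p "$bakdir" || return 1
    if [ -f "$dbdir/aide.db.gz" ]; then
        cp -p "$dbdir/aide.db.gz" "$bakdir/aide.db.$stamp.old.gz" || return 1
    fi
    mv "$dbdir/aide.db.new.gz" "$dbdir/aide.db.gz" || return 1
    cp -p "$dbdir/aide.db.gz" "$bakdir/aide.db.$stamp.gz" || return 1
    ( cd "$bakdir" && sha256sum "aide.db.$stamp.gz" >> SHA256SUMS ) || return 1
    echo "$bakdir/aide.db.$stamp.gz"
}

# verify_aide_db DBDIR BACKUPDIR
# Returns 0 if the live database is byte-identical to the most recent backup,
# 1 if it differs or no backup exists. Run this before "aide --check" so a
# swapped baseline is noticed before it is trusted.
verify_aide_db() {
    dbdir="$1"; bakdir="$2"
    latest=$(ls -1 "$bakdir"/aide.db.*[0-9].gz 2>/dev/null | sort | tail -n 1)
    [ -n "$latest" ] || return 1
    cmp -s "$dbdir/aide.db.gz" "$latest"
}

# Usage from the weekly script (backup directory is an assumption):
#   verify_aide_db /var/lib/aide /root/aide-backups || echo "AIDE database differs from last backup"
#   /usr/sbin/aide --update; decode_aide_status $?
#   rotate_aide_db /var/lib/aide /root/aide-backups
```

Because the backups still live on the same disk, the SHA256SUMS file is only useful if you also copy it off the host; compare the checksums there against what the server reports, not the other way round.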