This section will outline how to lock down your partitions and file system. We will assume that you went for a file system structure similar to the one outlined in the above blog post.
Since the filesystem flags will be the most foreign concept in this guide, I will give a quick outline of the three mount flags used below. However, I strongly suggest you follow the links provided in the references for more in-depth detail on any topic covered in this guide.
- nosuid makes the kernel ignore the set-user-ID and set-group-ID bits on files in that filesystem, so no program stored there can run with the temporary elevated privileges of its owner or group.
- noexec disallows running any executable (binary or script launched by path) stored in that filesystem.
- nodev disallows the filesystem from interpreting special files as block or character devices (i.e. treating the file as a direct I/O source or sink).
- Secure your partitions by editing /etc/fstab as follows:
  - Add nosuid, noexec, and nodev to partitions like /dev/shm, /var/log, /tmp, and /var/log/audit. Basically any partition where you only expect to read and write data files and never to run programs from.
  - Add nodev to all non-root file systems like /home and /var/www. You can add the noexec flag if you want, but note that CGI scripts stored in /var/www will break (as well as any scripts stored in a user's home directory).
  - Add nosuid only to file systems like /var.
  - DO NOT ADD ANY OF THESE FLAGS TO /!!!!!
- Add the following line to /etc/fstab to bind-mount /var/tmp onto /tmp, so that both paths share the same storage and the same restrictive flags:
  /tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0
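The following script is an added example and is not part of the original post: it audits an fstab-style table against the recommendations above (nosuid/noexec/nodev on the scratch and log partitions, nodev on /home and /var/www, nosuid on /var) and reports which flags each mount point is missing. The fstab contents embedded in SAMPLE_FSTAB are constructed for the example; the function names (has_opt, fstab_line, missing_flags, audit_fstab) are my own.

```shell
#!/bin/sh
# Audit /etc/fstab entries for the mount flags recommended in the post.
# Added example, not code from the original post. The sample table below
# is constructed: /tmp is deliberately absent and /var/log lacks noexec.

SAMPLE_FSTAB='UUID=aaaa-1111 /          ext4  defaults                       1 1
UUID=bbbb-2222 /home      ext4  defaults,nodev                 1 2
UUID=cccc-3333 /var       ext4  defaults,nosuid                1 2
UUID=dddd-4444 /var/log   ext4  defaults,nosuid,nodev          1 2
UUID=eeee-5555 /var/www   ext4  defaults,nodev                 1 2
tmpfs          /dev/shm   tmpfs defaults,nosuid,noexec,nodev   0 0
/tmp           /var/tmp   none  rw,noexec,nosuid,nodev,bind    0 0'

# has_opt LINE OPTION: succeeds if the 4th (options) field of LINE contains OPTION
has_opt() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    case ",$opts," in
        *,"$2",*) return 0 ;;
        *)        return 1 ;;
    esac
}

# fstab_line FSTAB MOUNTPOINT: prints the first non-comment line mounted at MOUNTPOINT
fstab_line() {
    printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print; exit }'
}

# missing_flags FSTAB MOUNTPOINT FLAG...: prints the flags MOUNTPOINT lacks
# (empty output = all present); prints NOT_IN_FSTAB if the mount point is absent.
# Exit status is 0 only when nothing is missing.
missing_flags() {
    fstab=$1; mp=$2; shift 2
    line=$(fstab_line "$fstab" "$mp")
    [ -n "$line" ] || { printf 'NOT_IN_FSTAB\n'; return 1; }
    missing=""
    for f in "$@"; do
        has_opt "$line" "$f" || missing="$missing $f"
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    if [ -z "$missing" ]; then return 0; else return 1; fi
}

# audit_fstab FSTAB: applies the post's per-partition recommendations and
# prints one line per mount point; exit status 1 if anything needs attention.
audit_fstab() {
    fstab=$1
    rc=0
    for mp in /dev/shm /tmp /var/tmp /var/log /var/log/audit; do
        m=$(missing_flags "$fstab" "$mp" nosuid noexec nodev) || rc=1
        printf '%-16s %s\n' "$mp" "${m:-ok}"
    done
    for mp in /home /var/www; do
        m=$(missing_flags "$fstab" "$mp" nodev) || rc=1
        printf '%-16s %s\n' "$mp" "${m:-ok}"
    done
    m=$(missing_flags "$fstab" /var nosuid) || rc=1
    printf '%-16s %s\n' /var "${m:-ok}"
    return $rc
}

# Run against the constructed table; on a real host use: audit_fstab "$(cat /etc/fstab)"
if audit_fstab "$SAMPLE_FSTAB"; then
    echo "all recommended flags present"
else
    echo "some mount points need attention (see above)"
fi
```

Note that this only checks what /etc/fstab declares; the flags in effect on a running system can differ if a filesystem was remounted by hand, so compare the result against the options column of /proc/mounts or the output of mount as well.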
- Disable the autofs service if you do not need NFS (unless you have already uninstalled the service):
chkconfig autofs off
References
- Howto Forge's guide: 'The Perfect Server - CentOS 6.2 x86_64 with Apache2'
- Howto Forge's guide: 'Installing Apache2 with PHP5 and MySQL support on CentOS 6.2'
- Red Hat Linux 5 Hardening Tips - National Security Agency
- Guide to the secure configuration of Red Hat Linux 5 - National Security Agency
- CentOS wiki on hardening the OS