Quote:
Originally Posted by mrBlik
Is there a way to verify the packages using RPM (or similar) before placing them on the RKH white-list? I would like to make sure they are in fact 'user-modified' by the WHM instead of malicious files / modifications.
Apart from the suggestion of running AIDE, Samhain or even Tripwire, running 'rpm -Vv [packagename]|grep -v "^\.\{8\}";' gets you the modification alerts, if any. To investigate changes you would need to compare with 0) the yum log if changes due to package ops seem plausible, 1) a "known good" copy in your backup if item #0 is not, or 2) a "known good" copy from a trusted repo if the above doesn't apply.
Quote:
Originally Posted by mrBlik
Is there a tutorial you can point me to that explains proper hardening of a server? The items I put in place were mostly from this and similar forums
Red Hat, Fedora and any RHEL derivatives, due to their Red Hat legacy, come with extensive documentation. If you use RHEL or a derivative then you should read the Red Hat Enterprise Linux 5 Installation Guide and the Red Hat Enterprise Linux 5 Deployment Guide to get acquainted with your distribution (also see: Rute Tutorial & Exposition, Linux Documentation Project, LinuxSelfHelp, Linux Newbie Admin Guide), because the installation defaults and suggestions provided are sane operational and security defaults.
* You see there's not one single manual as there is no single fix, and security does not equal applying any single fix either: security is a perpetual process.
I suggest reading the NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5 (PDF), the NIST SCAP Guide To The Secure Configuration of RHEL5 and, when you start to grok the playing field with respect to vulnerabilities and attacks, the Hardening Red Hat Enterprise Linux 5 presentation (PDF) by Steve Grubb of Red Hat. I'm deliberately placing the NSA Hardening Tips For Default Installation of Red Hat Enterprise Linux 5 (PDF) cheat sheet here since you should not be looking for quick fixes and leave the rest for later: security is not to be bolted on as an afterthought. For Fedora you'll find documentation at their site, and the Securing Debian manual is one of the oldest and most all-encompassing ones. I still use it as "meditation". Also there are whole sections of the SANS Reading Room, or you could also try the first part of the first post and the sixth post of the LQ FAQ: Security references.
* Do pace yourself and realize half of knowledge is not in knowing but knowing where to find sources of knowledge.
What does this all lead to? First and foremost: reading. Secondly: thinking before you act, because creating baseline data (a mix of "known good" distribution packages, off-site backups, system configuration placed under version control) should be done right after OS installation (and before alterations), after which you would perform local tests with tools like GNU Tiger or the SCAP tools or using the Center for Internet Security benchmarks, and an assessment from a networked point of view (use a remote host) using say OpenVAS or Nessus. Depending on machine purpose this should give you a better view of what is in need of hardening as opposed to just installing some tool like RKH and just running it. There are many roads leading to Rome (or Wome as MPFC fans would have it) so alternative paths to hardening are possible; however, the documents and sites mentioned above are about propagating and applying security standards. Adherence requires you to invest time and effort. The end result, your ROI, will be running GNU/Linux protecting assets and providing services in a continuous, stable and secure way.
* Use what you learn well: Linux may be free to use but using it is not free of responsibilities.
HTH & GL
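Worked example, added here as an illustration and not part of the reply above: a small POSIX sh triage of 'rpm -Vv' output along the lines the reply suggests. The grep in the reply drops the unchanged files; this script does the same and then sorts the remaining lines into categories so you know which ones need the yum log / backup / trusted-repo comparison and which are plausibly just an admin (or WHM) editing a %config file. The sample lines are constructed for illustration, not taken from a real host. The column layout assumed (nine flag columns, two spaces, one attribute column, one space, the path; the word "missing" in place of the flags for a file that is gone) is what rpm 4.x prints; the category names and the function names classify_line, triage and verify_package are this example's own choice, not rpm's.

```shell
#!/bin/sh
# Triage of `rpm -V` / `rpm -Vv` output. Added example, not from the original post.
# rpm -V prints one line per file (with -v, unchanged files as well):
#   9 flag columns, 2 spaces, 1 attribute column, 1 space, path
#   flags: S size  M mode  5 digest  D device  L symlink  U user  G group  T mtime  P caps
#          '.' = test passed, '?' = test could not be run (e.g. file unreadable)
#   attribute: c = %config, d = %doc, g = %ghost, l = %license, r = %readme, ' ' = none
#   a file that no longer exists is printed with "missing" in place of the flags
# The category names below are this example's own choice, not rpm's.

# classify_line LINE  ->  prints "CATEGORY /path"
classify_line() {
    line=$1
    case $line in
        missing*)
            path=${line#missing}
            path=${path#"${path%%[! ]*}"}                    # drop the padding spaces
            case $path in /*) ;; *) path=${path#? } ;; esac  # skip attribute column if present
            echo "MISSING $path"; return ;;
        [.SM5DLUGTP?]*) ;;                                   # a normal verify line, parsed below
        *)  echo "OTHER $line"; return ;;                    # e.g. "Unsatisfied dependencies ..."
    esac
    flags=$(printf '%.9s' "$line")
    rest=${line#?????????}
    rest=${rest#"  "}
    attr=$(printf '%.1s' "$rest")
    path=${rest#? }
    case $flags in
        *\?*)       echo "UNREADABLE $path" ;;   # could not be verified at all: find out why
        .........)  echo "ok $path" ;;
        *[MUGDP]*)  echo "HIGH-META $path" ;;    # mode/owner/group/device/capabilities changed
        *[S5L]*)
            # Content changed. For a %config file this is plausibly the admin (or WHM) editing
            # it; still diff it. For anything else, compare against a known-good copy
            # (yum log -> backup -> trusted repo, as in the reply above).
            if [ "$attr" = c ]; then echo "CONFIG-MODIFIED $path"
            else echo "HIGH-CONTENT $path"; fi ;;
        *)          echo "LOW-MTIME $path" ;;    # only T left: timestamp touched, content intact
    esac
}

# triage  <  rpm-V-output  ->  one classified line per input line, blank lines skipped
triage() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        classify_line "$line"
    done
}

# verify_package NAME  ->  live use against the local rpm database (needs rpm; not run here)
verify_package() {
    rpm -Vv "$1" | triage
}

# Constructed sample output (not from a real system), in the layout rpm 4.x prints:
SAMPLE='.........    /usr/bin/ls
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/sbin/sshd
.......T.    /usr/share/doc/bash/README
.M.......    /usr/bin/passwd
missing     /usr/lib64/libfoo.so.1
?????????    /root/.secret'

printf '%s\n' "$SAMPLE" | triage
```

On the sample this prints one "ok", one CONFIG-MODIFIED (sshd_config: likely an admin edit, diff it against the pristine copy anyway), two HIGH lines (the sshd binary with a changed digest and a mode change on passwd, both of which want a known-good comparison), a LOW-MTIME, a MISSING and an UNREADABLE. Note that the grep pattern in the reply (eight leading dots) also hides a line whose only change is the ninth flag, P (capabilities), on rpm versions that print nine columns; the classifier above treats a P change as HIGH-META instead.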