Old 03-09-2005, 02:52 PM   #1
tangle
Senior Member
 
Registered: Apr 2002
Location: Smithville, TN
Distribution: Slackware
Posts: 1,745

Rep: Reputation: 71
Slackware hardening guide


I found this guide quite a while ago.
http://www.cochiselinux.org/files/sy...dening-0.4.txt

It is a couple years old and some things have changed. I have used it as a guide to harden a few servers.

I have been thinking about upgrading it for Slackware 10.0 and/or 10.1. There are some things in it that I do not understand. So, when I get a rough draft done, is there anyone here willing to look it over and give me feedback or make corrections?

I have a real rough draft right now and I just need to clean it up. So I can post it on the web by the weekend.
 
Old 03-09-2005, 03:24 PM   #2
jxi
Member
 
Registered: Feb 2003
Location: Richmond VA
Distribution: Slackware 11 -- CentOS 4.4
Posts: 115

Rep: Reputation: 15
I'll be glad to review it as I'm currently working on a slack equivalent of the CIS RH9 system hardening document (found at
http://www.cisecurity.org/bench_linux.html)
 
Old 03-09-2005, 04:46 PM   #3
Genesee
Member
 
Registered: Dec 2002
Distribution: Slackware
Posts: 927

Rep: Reputation: 30
you can post it here, and then as a linux answer when it's done. or you can do it as a wiki article (http://wiki.linuxquestions.org/wiki/Main_Page), and post a link to it here - there are lots of people here to help edit.
 
Old 03-11-2005, 09:55 PM   #4
tangle
Senior Member
 
Registered: Apr 2002
Location: Smithville, TN
Distribution: Slackware
Posts: 1,745

Original Poster
Rep: Reputation: 71
I threw together the rough draft. It is here:
http://www.hclg.org/slack_sec.html
 
Old 03-14-2005, 10:47 PM   #5
jxi
Member
 
Registered: Feb 2003
Location: Richmond VA
Distribution: Slackware 11 -- CentOS 4.4
Posts: 115

Rep: Reputation: 15
first, my disclaimer: I'm not a sysadmin or by any means an expert. I'm learning linux (like a lot of us here at LQ)

regarding the changes to /etc/rc.d startup scripts: in most cases the lines targeted for commenting out aren't going to do anything if the specified service doesn't have an executable /etc/rc.d/rc.SOMESERVICE. E.g., in /etc/rc.d/rc.S the reference to isapnp (mine starts on line 192 btw) needs (line 193) a /etc/rc.d/rc.isapnp with the execute bit(s) set. Could you accomplish a lot of these changes by simply chmod -x rc.SOMESERVICE? Wouldn't that be like chkconfig in redhattish distros?

viz: in rh i might say `chkconfig --level 35 xinetd off` which would simply remove the links with names like /etc/rc3.d/S56xinetd /etc/rc5.....

that way you minimize the chance of some typo in your init scripts: leave them as close to the original as possible.

exceptions to this : rc.S - continue to comment out writing over motd (line 283 in my 10.1 install)
rc.M - apm (it looks for [ -x /usr/sbin/apmd ])
rc.M - atd ( [ -x /usr/sbin/atd ] )
...(you could also chmod -x those binaries but it would be a pain to keep track of)

the cis benchmark guide mentioned above recommends also disabling gpm. i'm not sure why it's a risk.

rc.inet2: (reference to line 20) instead of commenting out mounting of nfs (and samba at line 49) you can just ensure that the nfs (and smbfs) mounts in /etc/fstab are commented out (or don't exist at all).

all these are just suggestions. if the proper permissions / immutable attributes are set in /etc/rc.d I don't think the above is necessarily insecure (if someone can get in and change the permissions back to executable they could do a lot more besides...)

Just one more thought here (perhaps along the line of making it more n00b friendly):
even though at the beginning of the original document there is sufficient warning and a reminder to 'make a backup of anything ...important' chances are some will launch right in without doing a backup. you might have a script at the beginning that would explicitly reference all possibly targeted files
e.g. `for F in /etc/passwd /etc/shadow /etc/hosts.allow ....... ; do cp -v "$F" "$F-preHardN"; done`
I can post the ones I used with slack 10.1 recently but they won't contain everything referenced here.
(that's straight from the CIS benchmark document. Bastille, as another example, does it automatically, saving the original of each changed file in /var/log/Bastillerevert/backup/...)

finally, I wish you all success in completing your document

John
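
The two suggestions in the post above (back up every targeted file with a -preHardN suffix, and disable services with chmod -x on rc.SOMESERVICE instead of editing the init scripts), as an added example that is not part of any post in this thread. The function names, the ROOT prefix argument and the disabled-preHardN.list record file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT is a path prefix ("" for the live
# system), so the run can be rehearsed on a scratch copy of /etc first.
SUFFIX="-preHardN"                              # suffix used in the post
DISABLED_LIST="etc/rc.d/disabled$SUFFIX.list"   # hypothetical record file

# backup_files ROOT FILE...: copy each file to FILE-preHardN with cp -p. An
# existing backup is never overwritten, so a second run cannot replace the
# pristine copy with an already-edited one.
backup_files() {
    root=$1; shift
    for f in "$@"; do
        src="$root$f"
        if [ ! -f "$src" ]; then echo "skip (missing): $src" >&2; continue; fi
        if [ ! -e "$src$SUFFIX" ]; then cp -p "$src" "$src$SUFFIX" || return 1; fi
    done
    return 0
}

# disable_rc ROOT NAME...: clear the execute bits on /etc/rc.d/rc.NAME and
# record the name so the change can be undone later.
disable_rc() {
    root=$1; shift
    for name in "$@"; do
        script="$root/etc/rc.d/rc.$name"
        if [ -f "$script" ] && [ -x "$script" ]; then
            chmod a-x "$script" || return 1
            echo "rc.$name" >> "$root/$DISABLED_LIST"
        fi
    done
    return 0
}

# list_enabled ROOT: print the rc scripts whose execute bit is still set.
list_enabled() {
    for script in "$1"/etc/rc.d/rc.*; do
        if [ -f "$script" ] && [ -x "$script" ]; then basename "$script"; fi
    done
}

# revert_rc ROOT: give back the owner execute bit to every recorded script.
revert_rc() {
    list="$1/$DISABLED_LIST"
    [ -f "$list" ] || return 0
    while IFS= read -r name; do
        chmod u+x "$1/etc/rc.d/$name" || return 1
    done < "$list"
    rm -f "$list"
}
```

Running list_enabled before and after gives a quick audit of what will still start at boot; cp -p keeps the mode on copies such as the backup of /etc/shadow.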
 
  

