Scientific Linux 6 security package
 

hey there,

i wanted to ask you if anyone could recommend a scientific linux security package.
i know there is a default security package in linux
but i want anyone has experience in this topic to recommend any other packages to me.
and if i can activate this default package and the
non-default package together.

i have a cluster and i want to protect my network
and my machines from catching any outside world bugs.

so anyone can help me on this?? :)
thanks

Scientific Linux comes with SELinux enabled if I'm not mistaken. As far as security concerns in a clustered environment there aren't any special security applications that I'm aware of. There are always host based security packages that check for rootkits like chkrootkit and rkhunter, as well as general configuration helps.. I still use the bastille linux script sometimes , its older but it still helps to automate a lot of the tasks I am too lazy to do. What type of "outside world bugs" are you concerned about? If your concerned about network worms and other types of trojans , they don't officially exist on linux.. there are root-kits and exploits, which you can mitigate the risks of those by always using signed packages from a trusted repository, keeping your machine up to date and disabled un needed services. If your concerned about firewalls which block network attacks Scientific Linux should have a config tool to set the security level, try running this as a Root user from the terminal "system-config-securitylevel-tui" this should start the firewall config tool. Other than that just be vigilant with your logs and if possible have the logging send via syslog to another machine.

In other words (loosely speaking), on MS it wasn't really originally designed with security in mind; more an ease of use, so they started trying to bolt on security afterwards. Not the best approach.
Unix was more designed to have security built-in, so most security is just a matter of tweaking the settings of what you've got.


As above, SELinux should already be there. You can add chkrootkit, rkhunter.
Read the stickies at the top of this Security forum and apply the advice.

Do ask if you have more specific qns.

Unless you have some custom built program that might be busted by an update ,install the normal updates - there are not many .
Just read the list to make 100% sure that they will not be in conflict with any custom software

as to security set SELinux to enforcing and targeted - the install DEFAULT
make sure that SELinuxTroubleShooter is running and solve any warnings .

that is the normal everyday things
now if you where a tin foil hat there are other things but unless you are the CIA or NSA ( FBI is using windows) that is mostly it .

...not directly, but...

I don't know exactly what you mean by this (the idea that Linux is more secure than some other systems by default, something in particular, like iptables, SELinux...); please try to give more detail.

The important thing with 'hardening' scripts or procedures like this is knowing what that is relevant to your situation that they don't do. Yes, they do a lot of useful stuff and with close to zero effort they may well do 80% of what you want in some particular situation, but if that then gives you a false sense security that leads you to ignore the other 20%, then it is not such a good deal.

So you still have to understand the threats and take measures to cope with each of them and if you think that you can 'lazy' your way out of that with a script, then that is self-deception. (And, by the way, I used to like Bastille, too. Not sure what the recent state of development of Bastille is, though. Next time, I intend to look at GNU Tiger, to see what that does, but haven't yet had the excuse.)


For that, we'd have to know exactly what you mean by the default. But these things tend to be modular, and there shouldn't really be any problem using more than one security package, provided that they don't run two programs for the exact same thing. You wouldn't want to run two (real) firewalls on one box, for example (but, then you wouldn't even try to run iptables twice, would you?). But running iptables and SELinux - good, even if you take the step of describing SELinux as an application firewall.

It sounds as though this is something like a compute cluster, and you could firewall off your cluster from the outside world (ie, allow the outside world to start no connections to the cluster, and only allow the cluster to get anything from the outside world under the tightest of restrictions). If that's the case, the concern about nasty people in the outside world doing nasty things go down considerably.

Note that no hardening script will know whether it is appropriate to your circumstances and architecture to wall off the cluster from the outside world, so, ultimately, you have to sort that out yourself, rather than the script sorting it out for you.

Contrariwise, if that is the case, you can't ignore the inside (ie, your users dragging in bad stuff and putting it on to your cluster), and you may be being too casual about that aspect. Or not. Just don't say 'My users are infinitely trustworthy (both failures of competence and active malevolence), I don't ever have to worry about that' because, at least some of the time, that won't actually be true.