7.7 Hardening Unix Systems


Throughout this chapter, I've been suggesting that systems ought to provide only the minimum set of services and access that is actually needed. This is especially true for important servers, above all (but not only) those at site boundaries. The process of making a system more secure than the default installed operating system provides is known as hardening the system.

In this section, we'll look at the general principles of system hardening. Naturally, the actual process is very operating system-specific. Some vendors provide information and/or tools for automating some of the process. There are also some open source and commercial tools related to this topic. Here is a list of helpful websites related to system hardening that are available at this writing (July 2002):

AIX

http://biss.beckman.uiuc.edu/security/workshops/1999-10/

FreeBSD

http://www.trustedbsd.org

http://draenor.org/securebsd/

HP-UX

http://www.interex.org/conference/iworks2001/proceedings/5103/5103.pdf

http://www.bastille-linux.org (This tool works under HP-UX as well.)

Linux

http://www.linux-sec.net/Distro/distro.gwif.html

http://www.bastille-linux.org

Solaris

http://wwws.sun.com/software/security/blueprints/

http://www.yassp.org

Tru64

http://www.maths.usyd.edu.au/u/psz/securedu.html

Many operating systems are available in an enhanced security or "trusted" version. This is true of AIX, HP-UX, Solaris, and Tru64. There are several heightened-security Linux distributions and BSD projects with the same goal.

What follows is a discussion of the most important concepts and tasks related to system hardening. Be aware that the order of activities in this discussion is not rigorous; the actual task ordering needs to be considered carefully before any changes are made to a system.

Hardening activities must be completed before the system is placed on the network for the first time.

7.7.1 Plan Before Acting

Before you begin the hardening process, it's only common sense to plan the steps you will take. It is also a good idea to perform the process on a practice system before doing so on a production system. Other important preliminary activities include:

  • Plan the filesystem and disk partition layout with security in mind (see below).

  • Familiarize yourself with recent security bulletins.

  • Sign up for security mailing lists if you have not already done so.

  • Download any software packages you will need.

Finally, as you go through the hardening process, take notes to document what you did.

7.7.2 Secure the Physical System

One of the first decisions to make is where to physically locate the server. Important servers should not be in public areas. In addition, consider these other items:

  • Secure the physical location with locks and the like.

  • Assign a firmware (BIOS/PROM/EEPROM) password to prevent unauthorized users from modifying setup settings or performing unauthorized boots (for example, from removable media or into single-user mode). Keep in mind that this protects only against people who cannot open the case.

  • Attach any equipment identification tags/stickers used by your organization to the computer and its components.

7.7.3 Install the Operating System

It is much easier to harden a system whose operating system you've installed yourself, because you know what it includes. You might want to install only the minimum bootable configuration and then add the additional packages that you need in a separate step. Once you've done the latter, there are some additional tasks:

  • Set up disk partitioning (or logical volumes), taking into account any security considerations (see below).

  • Apply any operating system patches that have been released since the installation media was created.

  • Enable the high-security/trusted operating system version if appropriate.

  • Build a custom kernel that supports only the features you need. Remove support for ones you don't need. For systems that are not operating as routers, you should remove the IP forwarding capabilities. Intruders can't exploit features that aren't there.

  • Configure automatic (unattended) booting so that administrator intervention during the boot sequence is not possible (if appropriate).

7.7.4 Secure Local Filesystems

You'll also need to secure the filesystem. This task includes:

  • Looking for inappropriate file and directory permissions and correcting any problems that are found. To review, the most important of these are:

    • Group and/or world writable system executables and directories

    • Setuid and setgid commands

  • Decide on mount options for local filesystems. Take advantage of any security features provided by the operating system. For example, Solaris (like most Unix versions) allows you to mount a filesystem with the option nosuid, which makes the kernel ignore the setuid and setgid bits on every file within it. Isolating nonsystem files into a separate filesystem allows you to apply this option to those files (and, where supported, nodev, so that device files placed there are not honored).

  • On some systems under some conditions, if /usr is a separate filesystem, it can be mounted read-only.

  • Encrypt sensitive data present on the system.
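
As an added example (it is not from the book), here is a POSIX shell script that performs the permission audit described in the list above and then strips the stray group/world write bits it finds. It builds a small constructed directory tree under a temporary directory so that it runs stand-alone; on a real host you would point find_writable and find_suid at / (or at each local filesystem in turn) and review the setuid list by hand rather than changing it blindly. The function names and the sample tree are this example's own.

```sh
#!/bin/sh
# Added example (not from the book): audit a tree for group/world-writable
# entries and setuid/setgid programs, then strip the stray write bits.
# make_sample_tree builds a constructed tree so the script runs stand-alone.
set -u

# Group- or world-writable files and directories under $1.
# Symlinks are skipped: their mode bits mean nothing.
find_writable() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}

# Setuid or setgid regular files under $1. Review this list by hand;
# a few (su, passwd) are required, most others are candidates for chmod u-s.
find_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Remove group/world write from everything find_writable reports.
# Setuid bits are deliberately left alone: removing them must be a decision.
fix_writable() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
}

# Counts, for scripting and for the self-check below.
count_writable() { find_writable "$1" | wc -l | tr -d ' '; }
count_suid()     { find_suid "$1"     | wc -l | tr -d ' '; }

# Constructed sample tree: one clean program, one group-writable program,
# one world-writable directory, one setuid and one setgid file.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir "$dir/bin" "$dir/tmp"
    chmod 755 "$dir" "$dir/bin"
    chmod 777 "$dir/tmp"
    printf 'echo ok\n'   > "$dir/bin/ok";   chmod 755  "$dir/bin/ok"
    printf 'echo bad\n'  > "$dir/bin/grpw"; chmod 775  "$dir/bin/grpw"
    printf 'echo suid\n' > "$dir/bin/su";   chmod 4755 "$dir/bin/su"
    printf 'echo sgid\n' > "$dir/bin/sgid"; chmod 2755 "$dir/bin/sgid"
    printf '%s\n' "$dir"
}

# Stand-alone run: sh audit.sh --demo audits the sample tree and fixes it.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_tree)
    echo "writable before: $(count_writable "$d")  setuid/setgid: $(count_suid "$d")"
    fix_writable "$d"
    echo "writable after:  $(count_writable "$d")"
    rm -rf "$d"
fi
```

The mount options from the previous item complement this: a filesystem mounted nosuid makes the find_suid results on it moot, which is exactly why nonsystem files belong on their own filesystem. Run the audit again after every package installation and patch, since both routinely add setuid programs.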

7.7.5 Securing Services

Securing the system's services represents a large part of the hardening task. In this area, the guiding principle should be to install or enable only the ones the system actually needs.

  • Disable all unneeded services. Keep in mind that services are started in several different ways: from /etc/inittab, from the system boot scripts, and by inetd (or xinetd). Alternatively, when possible, remove the software for an unneeded service from the system completely, so that it cannot be re-enabled by accident or by an intruder.

  • Use secure versions of daemons when they are available.

  • If at all possible, run server processes as a special user created for that purpose and not as root.

  • Specify the maximum number of instances to run, for each server that lets you specify a maximum, or use xinetd. Doing so can help prevent some denial-of-service attacks.

  • Specify access control and logging for all services. Install TCP Wrappers if necessary. Allow only the minimum access necessary. Include an entry in /etc/hosts.deny that denies access to everyone (so only access allowed in /etc/hosts.allow will be permitted).

  • Use any per-service user level access control that is provided. For example, the cron and at subsystems allow you to restrict which users can use them at all. Some people recommend limiting at and cron to administrators.

  • Secure all services, whether they seem security-related or not (e.g., printing).
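
The following added example (it is not part of the book) shows one way to carry out the first and fifth items above on a BSD-style inetd.conf with TCP Wrappers: every active entry not on an explicit allowlist is commented out, and a default-deny hosts.deny is written alongside a minimal hosts.allow. The inetd.conf shown is constructed for the example; the service names, the #hardened# marker and the function names are this example's choices. The script writes only to the paths you hand it, so run it on copies and diff the result before installing it. xinetd uses a different configuration layout and is not covered here.

```sh
#!/bin/sh
# Added example (not from the book): comment out every inetd service not on
# an allowlist and install a default-deny TCP Wrappers policy. Works on
# whatever files you pass in, so run it on copies and diff first.
set -u

# Constructed inetd.conf excerpt (BSD/Linux layout), not from a real host.
# Each server is started through tcpd so hosts.allow/hosts.deny apply to it.
sample_inetd_conf() {
    cat <<'EOF'
# Internet server configuration database
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
#tftp   dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

# harden_inetd "svc1 svc2 ..." < inetd.conf > inetd.conf.new
# Keeps the named services; every other active entry is commented out with
# a marker so the change is easy to review and to reverse.
harden_inetd() {
    allowed=" $1 "
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line"; continue ;;
        esac
        svc=${line%%[[:space:]]*}
        case "$allowed" in
            *" $svc "*) printf '%s\n' "$line" ;;
            *)          printf '#hardened# %s\n' "$line" ;;
        esac
    done
}

# Number of active (uncommented) entries in the inetd.conf on stdin.
active_services() {
    awk '!/^[#[:space:]]/ && NF { n++ } END { print n + 0 }'
}

# write_wrappers_policy DIR "allow rules": default-deny in hosts.deny, and
# only the rules you pass in hosts.allow. Wrappers consult hosts.allow first,
# so anything not matched there falls through to ALL: ALL and is refused.
# Rules name the server program (in.ftpd), not the inetd service name.
write_wrappers_policy() {
    printf '%s\n' "$2"  > "$1/hosts.allow"
    printf 'ALL: ALL\n' > "$1/hosts.deny"
}

# Stand-alone run: sh services.sh --demo shows the diff and the policy files.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    sample_inetd_conf > "$tmp/inetd.conf"
    harden_inetd "ftp" < "$tmp/inetd.conf" > "$tmp/inetd.conf.new"
    write_wrappers_policy "$tmp" "in.ftpd: 192.168.1.0/255.255.255.0"
    diff "$tmp/inetd.conf" "$tmp/inetd.conf.new" || true
    cat "$tmp/hosts.allow" "$tmp/hosts.deny"
    rm -rf "$tmp"
fi
```

After installing the new inetd.conf, send inetd a HUP signal so it rereads the file, then confirm from another host that the commented-out ports really refuse connections; a service that is still listening because a second copy is started from a boot script is exactly the case the first item in the list warns about.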

7.7.6 Restrict root Access

Make sure that only authorized people can use root privileges:

  • Select a secure root password, and plan a schedule for changing it regularly.

  • Use sudo or system roles to grant ordinary users limited root privilege.

  • Prevent root logins except on the system console.

7.7.7 Configure User Authentication and Account Defaults

Decide on and implement user account controls, setting up the default before adding users if possible. Related activities include:

  • Set up the shadow password file if necessary.

  • Configure PAM as appropriate for the relevant commands.

  • Define user account password selection and aging settings.

  • Set up other default user account restrictions as appropriate (e.g., resource limits).

  • Plan the system's group structure if necessary, as well as other similar items, such as projects.

  • Set up default user initialization files in /etc/skel or elsewhere.

  • Ensure that administrative and other accounts to which no one should ever log in have a disabled password and /bin/false or another nonlogin shell.

  • Remove unneeded predefined accounts.
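
As an added example rather than anything from the book, this script audits a passwd file for the last two items in the list: system accounts that still have a login shell, and accounts with an empty password field (which permits login without a password on systems that do not use a shadow file). The passwd excerpt is constructed for the example; the UID cutoff, the list of nonlogin shells and the function names are this example's assumptions, so adjust them to your system's conventions.

```sh
#!/bin/sh
# Added example (not from the book): audit a passwd file for system
# accounts that can still log in and for empty password fields, then
# rewrite the shell of the accounts you decide to disable. Works on the
# file you name, so run it on a copy of /etc/passwd and diff the result.
set -u

# Constructed /etc/passwd excerpt, not taken from a real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
bin:x:2:2:bin:/bin:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
guest::1001:1001:Guest:/home/guest:/bin/sh
chavez:x:1000:1000:R. Chavez:/home/chavez:/bin/bash
EOF
}

# Shells that refuse an interactive login. An empty shell field is NOT
# safe: login falls back to /bin/sh in that case.
is_nologin_shell() {
    case "$1" in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin|/bin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# system_accounts_with_shell FILE [MAXUID]: print "user shell" for every
# account with UID below MAXUID (default 100, root excluded) that can log in.
system_accounts_with_shell() {
    maxuid=${2:-100}
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ "$uid" -lt "$maxuid" ] || continue
        [ "$user" != root ] || continue
        is_nologin_shell "$shell" || printf '%s %s\n' "$user" "$shell"
    done < "$1"
}

# Accounts whose password field is empty. "x" or "*" means look in the
# shadow file; a truly disabled account has "*" or "!" there, which this
# script does not check.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# disable_logins FILE user... : copy of FILE with those accounts' shell set
# to /bin/false, written to stdout.
disable_logins() {
    file=$1; shift
    names=" $* "
    awk -F: -v OFS=: -v names="$names" '
        index(names, " " $1 " ") { $7 = "/bin/false" } { print }
    ' "$file"
}

# Stand-alone run: sh accounts.sh --demo audits the constructed file.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); sample_passwd > "$tmp/passwd"
    echo "system accounts that can log in:"; system_accounts_with_shell "$tmp/passwd"
    echo "empty passwords:"; empty_password_accounts "$tmp/passwd"
    disable_logins "$tmp/passwd" bin lp | diff "$tmp/passwd" - || true
    rm -rf "$tmp"
fi
```

Use the vendor's own tools (vipw, passwd -l, usermod) to apply the changes on a live system rather than copying the rewritten file over /etc/passwd, since they take the lock and keep the shadow file consistent; the script's value is in producing a reviewable list and diff first.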

7.7.8 Set up Remote Authentication

  • Disable hosts.equiv and .rhosts passwordless authentication.

  • Use ssh for remote user access.

  • Configure PAM as appropriate for the relevant commands.
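
Added example, not from the book: a checker for the OpenSSH sshd_config settings that implement the three points above (no rhosts-style trust, root kept off the network, no empty passwords). It reproduces sshd's own rule that the first uncommented occurrence of a keyword wins and that settings under a Match block are conditional, so a weak PermitRootLogin yes early in the file is reported even if a later line says no. The keyword list reflects OpenSSH of roughly the book's era (Protocol 2 is unnecessary on OpenSSH 7.6 and later, which is SSH-2 only and treats the keyword as deprecated); both sample configs are constructed, and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the book): check an OpenSSH sshd_config for the
# settings that keep rhosts trust off and root off the network, honoring
# sshd's first-occurrence-wins rule. Keyword list and samples are ours.
set -u

# Keyword/value pairs required to be set explicitly (OpenSSH keywords).
# Protocol 2 matters for the SSH-1-capable servers of the book's era; drop it
# on OpenSSH 7.6+, which is SSH-2 only and treats the keyword as deprecated.
REQUIRED='
PermitRootLogin no
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
Protocol 2
'

# Effective global value of keyword $1 in file $2, lower-cased; empty if unset.
# Keywords are case-insensitive; the first occurrence wins; scanning stops at
# the first Match block because everything after it is conditional.
sshd_effective() {
    awk -v key="$1" '
        /^[[:space:]]*[Mm]atch([[:space:]]|$)/ { exit }
        tolower($1) == tolower(key)            { print tolower($2); exit }
    ' "$2"
}

# check_sshd_config FILE: one line per finding (keyword, found, required).
check_sshd_config() {
    printf '%s\n' "$REQUIRED" | while read -r key want; do
        [ -n "$key" ] || continue
        have=$(sshd_effective "$key" "$1")
        [ "$have" = "$want" ] ||
            printf '%s: have "%s", want "%s"\n' "$key" "${have:-unset}" "$want"
    done
}

count_sshd_findings() { check_sshd_config "$1" | wc -l | tr -d ' '; }

# Constructed weak config: root over the network, rhosts trust, empty passwords.
sample_weak_config() {
    cat <<'EOF'
Port 22
PermitRootLogin yes
#IgnoreRhosts yes
RhostsAuthentication yes
PermitEmptyPasswords yes
EOF
}

# Constructed hardened config satisfying every REQUIRED entry.
sample_hardened_config() {
    cat <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
EOF
}

# Stand-alone run: sh sshcheck.sh /etc/ssh/sshd_config, or --demo for samples.
case "${1:-}" in
    --demo) tmp=$(mktemp -d); sample_weak_config > "$tmp/weak"
            echo "findings for the weak config:"; check_sshd_config "$tmp/weak"
            rm -rf "$tmp" ;;
    '')     ;;
    *)      check_sshd_config "$1" ;;
esac
```

A finding of "unset" is reported deliberately: relying on compiled-in defaults is fragile, because they differ between versions (PermitRootLogin in particular defaulted to yes for years), so a hardened file states each of these values explicitly. Run sshd -t after editing to catch syntax errors before restarting the daemon.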

7.7.9 Install and Configure Ongoing Monitoring

Set up ongoing monitoring and auditing, including procedures for checking their results over time.

  • Configure the syslog facility. Send or copy syslog messages to a central syslog server as well; besides redundancy, this preserves a record that an intruder who gains root on the host cannot edit.

  • Enable process accounting.

  • Install and configure any necessary software (e.g., swatch) and write any necessary scripts.

  • Install Tripwire, configure it, and record system baseline data. Write the data to removable media and then remove it from the system.

7.7.10 Backup

Creating and implementing a backup schedule is an important part of securing a system. In addition, performing a full backup of the system once it is set up is essential:

  • Perform the backup and verify the data.

  • Creating two copies of the media is a good idea.

7.7.11 Other Activities

Add the new host to the security configuration on other systems, to router access control lists, and so on, as necessary.



Essential System Administration, Third Edition
ISBN: 0596003439
Year: 2002