NSA Hardening Tips for Red Hat Enterprise Linux 5 (RHEL5)
The NSA publishes guidelines for securing various operating systems - most interestingly, RHEL5.
NSA has developed and distributed configuration guidance for Red Hat Enterprise Linux 5 that is currently being used throughout the government and by numerous entities as a security baseline for their Red Hat Enterprise Linux 5 systems.
The introductory points:
- Encrypt all data transmitted over the network. Encrypting authentication information (such as passwords) is particularly important.
- Minimize the amount of software installed and running in order to minimize vulnerability.
- Use security-enhancing software and tools whenever available (e.g., SELinux and Iptables).
- Run each network service on a separate server whenever possible. This minimizes the risk that a compromise of one service could lead to a compromise of others.
- Maintain user accounts. Create a good password policy and enforce its use. Delete unused user accounts.
- Review system and application logs on a routine basis. Send logs to a dedicated log server. This prevents intruders from easily avoiding detection by modifying the local logs.
- Never log in directly as root, unless absolutely necessary. Administrators should use `sudo` to execute commands as root when required. The accounts capable of using `sudo` are specified in `/etc/sudoers`, which is edited with the `visudo` utility. By default, relevant logs are written to `/var/log/secure`.
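
The log review and `sudo` points above can be checked together by reading `/var/log/secure` for direct root SSH logins and for `sudo` activity. The script below is an added example, not part of the NSA guide or of this post; the function names are hypothetical and the embedded log lines are constructed samples in the usual sshd and sudo syslog layout.

```shell
#!/bin/bash
# Review /var/log/secure for direct root logins and sudo use.
# Usage: ./secure_review.sh [/var/log/secure]   (no argument: constructed sample)

# Constructed sample lines (not real log data).
sample_secure_log() {
cat <<'EOF'
Jan 12 10:15:01 web01 sshd[1234]: Accepted password for root from 192.0.2.10 port 51234 ssh2
Jan 12 10:16:40 web01 sshd[1250]: Accepted publickey for alice from 192.0.2.11 port 40022 ssh2
Jan 12 10:20:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service httpd restart
Jan 12 10:21:00 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Jan 12 10:30:45 web01 sshd[1302]: Failed password for root from 192.0.2.99 port 50111 ssh2
EOF
}

# Successful SSH logins as root: prints "Mon DD HH:MM:SS source-ip".
direct_root_logins() {
  awk '$5 ~ /^sshd\[/ && $6 == "Accepted" && $8 == "for" && $9 == "root" {
         print $1, $2, $3, $11 }'
}

# sudo events: prints "OK|DENIED user command".
# DENIED covers users missing from /etc/sudoers and failed password prompts.
sudo_activity() {
  awk '$5 == "sudo:" && $0 ~ /COMMAND=/ {
         status = "OK"
         if ($0 ~ /NOT in sudoers/ || $0 ~ /incorrect password/) status = "DENIED"
         cmd = $0
         sub(/.*COMMAND=/, "", cmd)
         print status, $6, cmd }'
}

# Read the given log if it is readable, otherwise the constructed sample.
read_log() {
  if [ -n "${1:-}" ] && [ -r "$1" ]; then cat "$1"; else sample_secure_log; fi
}

report() {
  echo "== Direct root SSH logins =="
  read_log "${1:-}" | direct_root_logins
  echo "== sudo activity =="
  read_log "${1:-}" | sudo_activity
}

report "${1:-}"
```

Reading the real `/var/log/secure` normally requires root, so running this on the dedicated log server against the forwarded copy fits the guidance above.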
There are security guides on the same page for OS X (Leopard, Snow Leopard), Windows (various versions) and Sun Solaris (9, 10).