Securing Box: impacts?

Hello,

I’m securing my box. I plan to do some tasks and I’d like to be sure there are no InterWorx impacts.

Here is the full list of tasks:

Securing transversal path : Only root

I will secure some paths.

Action

chmod the directories to 711

List of directories chmoded

/
/home
/etc
/var
/usr/etc
/usr/local/etc
/var/log
/sbin
/usr/sbin
/usr/local/sbin

Securing BIN : Only root

I will secure some bin.

Action

chmod the bin to 700

List of BIN chmoded


/bin/df /bin/dmesg /bin/mount /bin/rpm /usr/bin/write /usr/bin/talk /usr/bin/ipcrm /usr/bin/ipcs /usr/bin/free /usr/bin/locate /usr/bin/wall /usr/bin/finger /sbin/arp /sbin/ifconfig /usr/sbin/repquota /usr/sbin/tcpdump /usr/bin/nmap /usr/bin/wget /usr/bin/lynx /usr/lib/bcc /usr/lib/bcc/bcc-cc1 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1 /usr/bin/perlcc /usr/bin/byacc /usr/bin/yacc /usr/bin/bcc /usr/bin/kgcc /usr/bin/cc /usr/bin/gcc /usr/bin/who /usr/bin/w

Securing RPM PACKAGES : Immutable

I will secure some rpm packages.

Action

chattr +i

List of rpm packages


modutils diffutils jfsutils findutils glibc-utils elfutils krbafs-utils elfutils patchutils psutils bind-utils irda-utils iputils db4-utils sharutils rhdb-utils rpm shadow-utils crypto-utils shedutils fileutils binutils sh-utils textutils initscripts mkinitrd

(maybe all utils*)

Securing PROFILE : Immutable

I will secure interactive user profile.

Action

chmod 644
chattr +i

List

/etc/profile /etc/bashrc /etc/csh.login /etc/csh.cshrc /etc/tcshrc /etc/zprofile /etc/zlogin /etc/zlogout /etc/zshrc /etc/zshenv

And in every $userprofil
.bash_profile .bashrc .bash_logout .cshrc .tcshrc .zshrc .zlogin .zlogout .zprofile .zshenv

I’ll also be optimizing some network kernel sysctl settings:

#====================================
# PASCAL adds
#====================================

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0

# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 30

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

I also set up software RAID1. As I’m not so good with this, I have only set up RAID on 3 partitions: /, /boot and /swap (next time I’ll partition my box differently, like: / /var /home /usr /tmp /swap).

I don’t think doing this will have any impact on the InterWorx box, but I prefer to ask before doing it.

Is it OK?

Pascal

A few things may cause problems.

The ‘chattr +i’ on the RPMs will break updating if any of the listed packages have updates available. Most likely this will stop updating 100% if any of those packages are in the update list, due to YUM errors.

The rest look fine but you may still find small problems Pascal.

Chris
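A pre-update check for the problem described in the reply above, as an added example that is not part of the original thread: it lists package-owned files that carry the immutable flag so they can be cleared with `chattr -i` before `yum update` runs. The function names and the sample `lsattr` output are constructed for illustration; `rpm -ql` and `lsattr -d` are the standard tools assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): find RPM-owned files that are
# immutable, since those are the files a package update cannot replace.

# Constructed lsattr output for a dry run of the parser (not real host data).
SAMPLE_LSATTR='----i---------e------- /bin/rpm
--------------e------- /usr/bin/rpmbuild
----i---------e------- /usr/share/doc/my notes'

# Read `lsattr -d` output on stdin and print only the paths whose flag
# field contains 'i' (immutable). Paths containing spaces are preserved.
immutable_from_lsattr() {
    awk '$1 ~ /i/ { sub(/^[^ ]+ +/, ""); print }'
}

# Print "package: path" for every immutable file owned by the named
# packages. Returns 1 if at least one was found, 0 if none were.
update_blockers() {
    found=0
    for pkg in "$@"; do
        hits=$(rpm -ql "$pkg" 2>/dev/null | while IFS= read -r f; do
                   # rpm -ql can list files that are not installed; skip them.
                   [ -e "$f" ] && lsattr -d "$f" 2>/dev/null
               done | immutable_from_lsattr)
        [ -z "$hits" ] && continue
        found=1
        printf '%s\n' "$hits" | while IFS= read -r p; do
            printf '%s: %s\n' "$pkg" "$p"
        done
    done
    return "$found"
}

# Typical use before an update run (package names taken from the list above):
#   update_blockers rpm shadow-utils binutils || echo "clear flags first"
```

A non-zero return means at least one listed file has to have its flag cleared, or its package excluded from the update, for the transaction to complete.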

I knew about the chattr and the impossibility to update these rpms, but I didn’t know it would cause yum update to stop; I thought it would ignore the errors. No problem, it is not so important to secure them. At least I’d like to secure the BIN and the PATHS.

Thanks Chris

Pascal