Hello,
I'm securing my box. I plan to do some tasks and I'd like to be sure there aren't any InterWorx impacts.
Below is the full list of the tasks.
Securing traversal paths: only root
I will secure some paths.
Action
chmod the directories to 711
List of directories to chmod
/
/home
/etc
/var
/usr/etc
/usr/local/etc
/var/log
/sbin
/usr/sbin
/usr/local/sbin
Securing binaries: only root
I will secure some binaries.
Action
chmod the binaries to 700
List of binaries to chmod
/bin/df /bin/dmesg /bin/mount /bin/rpm /usr/bin/write /usr/bin/talk /usr/bin/ipcrm /usr/bin/ipcs /usr/bin/free /usr/bin/locate /usr/bin/wall /usr/bin/finger
/sbin/arp /sbin/ifconfig /usr/sbin/repquota /usr/sbin/tcpdump /usr/bin/nmap /usr/bin/wget /usr/bin/lynx
/usr/lib/bcc /usr/lib/bcc/bcc-cc1 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1 /usr/bin/perlcc /usr/bin/byacc /usr/bin/yacc /usr/bin/bcc /usr/bin/kgcc /usr/bin/cc /usr/bin/gcc
/usr/bin/who /usr/bin/w
Securing RPM packages: immutable
I will secure some RPM packages.
Action
chattr +i
List of RPM packages
modutils diffutils jfsutils findutils glibc-utils elfutils krbafs-utils elfutils patchutils psutils bind-utils irda-utils iputils db4-utils sharutils rhdb-utils rpm shadow-utils crypto-utils shedutils fileutils binutils sh-utils textutils initscripts mkinitrd
(maybe all utils*)
Securing profiles: immutable
I will secure the interactive user profiles.
Action
chmod 644
chattr +i
List
/etc/profile /etc/bashrc /etc/csh.login /etc/csh.cshrc /etc/tcshrc /etc/zprofile /etc/zlogin /etc/zlogout /etc/zshrc /etc/zshenv
And in every user's profile directory:
.bash_profile .bashrc .bash_logout .cshrc .tcshrc .zshrc .zlogin .zlogout .zprofile .zshenv
I'll also be optimizing some network kernel sysctl settings:
#====================================
PASCAL adds
#====================================
# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
# Enable ignoring of broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1
# Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
# Enable IP spoofing protection (turn on source address verification)
net.ipv4.conf.all.rp_filter = 1
# Decrease the default value of tcp_fin_timeout
net.ipv4.tcp_fin_timeout = 30
# Decrease the default value of tcp_keepalive_time
net.ipv4.tcp_keepalive_time = 1800
# Turn off tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off tcp_sack
net.ipv4.tcp_sack = 0
# Turn off tcp_timestamps
net.ipv4.tcp_timestamps = 0
I also set up software RAID1. As I'm not so good with this I have only set up RAID on 3 partitions: / /boot and /swap (next time I'll partition my box differently, like: / /var /home /usr /tmp /swap).
I don't think doing this will have an impact on the InterWorx box, but I prefer to ask before doing it.
Is it OK?
Pascal