[SGVLUG] Hardening RedHat

Scott Packard via SGVLUG sgvlug at sgvlug.net
Fri Sep 7 09:21:11 PDT 2018


I've gotten into hardening RHEL6 and RHEL7 lately.
I've never seen that discussed on the list.

It comes with a tool from www.open-scap.org; unfortunately for my work
I have to put that aside and get a (download restricted) tool from
iase.disa.mil.
The tool is restricted, but the content the tool uses is not.
To download the content, you'd select STIGs, STIGs Master List (A to Z), and
look on the 2nd page for the Red Hat Benchmark .zip file appropriate for the
OS version.

I haven't compared content to see if they are similar; I believe they would
be though.
https://www.open-scap.org/getting-started/ has a tutorial on how to get
started.

You basically cycle through scanning a host, looking at the results, and
follow mostly well-written steps to apply hardening, and scan again.

I say mostly because there are some security features that it just wants to
see on but doesn't care how badly you shoot yourself in the foot with.

Those features are where the learning curve (and pain) are.

- iptables (netfilter), configured as deny by default, allow by explicit
rule.  Having INPUT, OUTPUT, and FORWARD configured to DROP is different
from most examples you can google, and where you start to realize you can't
admin by cookbook.

- SELinux (mandatory access control) set to enforcing
Here I'm still learning how to look for problems, correct them, how to test
if the correction is loaded, how to unload a policy, whether or not I need a
reboot, etc.
For instance, I work with Centrify tools to make a host join a Windows
domain, and use their tools for centrally managing automounts.  One of their
perl scripts was denied access to an auto.home.lck file.  I looked at their
knowledgebase and found a KB with a .te file that was supposed to correct the
denial, but when I compiled the file and applied the profile I still saw a
denial.
I'm not sure it was the 'exactly right' thing to do, but I changed the .te
file to allow ioctl rather than just { read write }, because the error
message I was seeing was ioctl was being denied, and that stopped the error
messages from appearing.

- aide (tool to scan a host and record a db of its config, then daily scan
and report any changes)

I don't think anybody gets into this area of RedHat unless they have a job
requirement for it.  In my case, it's gov't. contractor work.  It seems the
payment card industry uses this, with their own ruleset.  But, the tools are
all there, and it does make it easier for the security folks to push their
requirements and to verify they've been met.

Regards, Scott Packard
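
Added example, not part of the original post and not Centrify or Red Hat code: a Python script that compares the permissions denied in AVC audit records with the allow rules in a .te module and reports what the module would still not grant, which is the situation described above where a { read write } rule left ioctl denied. The audit records, the module text, the path and the type names example_script_t and example_lock_t are constructed placeholders; the .te parser handles only plain allow rules (no macros or attributes).

```python
import re
from collections import defaultdict

# Constructed audit.log records; type names and path are placeholders, not from the post.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1536337271.101:411): avc:  denied  { read write } for  pid=2210 comm="perl" name="auto.home.lck" dev="dm-0" ino=9001 scontext=system_u:system_r:example_script_t:s0 tcontext=system_u:object_r:example_lock_t:s0 tclass=file
type=AVC msg=audit(1536337271.102:412): avc:  denied  { ioctl } for  pid=2210 comm="perl" path="/constructed/auto.home.lck" dev="dm-0" ino=9001 scontext=system_u:system_r:example_script_t:s0 tcontext=system_u:object_r:example_lock_t:s0 tclass=file
"""

# Constructed module in the shape of a supplied .te that grants only read and write.
SAMPLE_TE = """\
module example_fix 1.0;
require {
    type example_script_t;
    type example_lock_t;
    class file { read write };
}
allow example_script_t example_lock_t:file { read write };
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\w+))\s*;", re.M)

def denied(audit_text):
    """Map (source type, target type, class) -> set of permissions seen denied."""
    out = defaultdict(set)
    for perms, scon, tcon, tclass in AVC_RE.findall(audit_text):
        # The type is the third field of user:role:type:level.
        out[(scon.split(":")[2], tcon.split(":")[2], tclass)].update(perms.split())
    return out

def allowed(te_text):
    """Map (source type, target type, class) -> set of permissions the module grants."""
    out = defaultdict(set)
    for src, tgt, tclass, braced, single in ALLOW_RE.findall(te_text):
        out[(src, tgt, tclass)].update((braced or single).split())
    return out

def uncovered(audit_text, te_text):
    """Denied permissions that would remain denied after loading the module."""
    grants = allowed(te_text)
    gaps = {}
    for key, perms in denied(audit_text).items():
        missing = perms - grants.get(key, set())
        if missing:
            gaps[key] = sorted(missing)
    return gaps

if __name__ == "__main__":
    print(uncovered(SAMPLE_AUDIT, SAMPLE_TE))
```

On a host, `semodule -l` lists the loaded policy modules and `semodule -r NAME` removes one, so the same comparison can be repeated after each change.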