-
-
Notifications
You must be signed in to change notification settings - Fork 618
Maintaining Software
You can file an issue about it and ask that it be added.
Software mintenance is extremely important to maintaining a secure system. It is vital to patch software as soon as it becomes available in order to prevent attackers from using known holes to infiltrate your system.
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
gpgcheck=1
- Configuring Yum and Yum Repositories [Official]
Software updates offer plenty of benefits. It’s all about revisions. These might include repairing security holes that have been discovered and fixing or removing bugs.
U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.
Some benefits:
- close up problems of security that has been discovered
- it can improve the stability of the system
- improvements the system stacks or network stacks
yum update
Before updating the system, I do it in the console:
# This one-liner save the update process session:
script -t 2>~/upgrade.time -a ~/upgrade.script
Also these one-liners are important:
yum check-update
yum --security upgrade
yum history undo <id>
- Yum [Official]
- How to use yum history to roll back an update in Red Hat Enterprise Linux 6 , 7? [Official]
- In CentOS, what is the difference between yum update and yum upgrade?
The best protection against vulnerable software is running less software.
From C2S/CIS: These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Removing the rsh package removes the clients for rsh,rcp, and rlogin.
yum remove rsh
C2S/CIS: CCE-27274-0 (unknown)
From C2S/CIS: The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
systemctl disable rlogin.socket
From C2S/CIS: The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
systemctl disable rexec.socket
From C2S/CIS: The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
systemctl disable rsh.socket
From C2S/CIS: Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.
rm /etc/hosts.equiv
rm ~/.rhosts
From C2S/CIS: The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
# Edit /etc/xinetd.d/telnet:
disable = yes
From C2S/CIS: The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session.
yum erase ypserv
From C2S/CIS: Disabling the tftp service ensures the system is not acting as a TFTP server, which does not provide encryption or authentication.
systemctl disable tftp.service
From C2S/CIS: The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services.
systemctl disable xinetd.service
From C2S/CIS: The talk software presents a security risk as it uses unencrypted protocols for communications.
yum erase talk
From C2S/CIS: The talk software presents a security risk as it uses unencrypted protocols for communications.
yum erase talk-server
From C2S/CIS: Running FTP server software provides a network-based avenue of attack, and should be disabled if not needed. Furthermore, the FTP protocol is unencrypted and creates a risk of compromising sensitive information.
systemctl disable vsftpd.service
C2S/CIS: CCE-80244-7 (Unknown)
From C2S/CIS: X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.
yum groupremove "X Window System"
yum remove xorg-x11-server-common
From C2S/CIS: Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.
systemctl disable avahi-daemon.service
C2S/CIS: CCE-80338-7 (Unknown)
The C2S/CIS standard also explains the following services. You should consider which ones are use. If they are not use on the local system then this service should be disabled.
From C2S/CIS: Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed.
systemctl disable snmpd.service
C2S/CIS: CCE-80274-4 (Unknown)
From C2S/CIS: All network services involve some risk of compromise due to implementation flaws and should be disabled if possible.
systemctl disable named.service
C2S/CIS: CCE-80325-4 (Unknown)
From C2S/CIS: Unnecessary packages should not be installed to decrease the attack surface of the system.
yum erase openldap-servers
C2S/CIS: CCE-80293-4 (Unknown)
From C2S/CIS: Running a Samba server provides a network-based avenue of attack, and should be disabled if not needed.
systemctl disable smb.service
C2S/CIS: CCE-80277-7 (Unknown)
From C2S/CIS: Running web server software provides a network-based avenue of attack, and should be disabled if not needed.
systemctl disable httpd.service
C2S/CIS: CCE-80300-7 (Unknown)
From C2S/CIS: Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments.
systemctl disable rhnsd.service
C2S/CIS: CCE-80269-4 (Unknown)
From C2S/CIS: Running proxy server software provides a network-based avenue of attack, and should be removed if not needed.
systemctl disable squid.service
C2S/CIS: CCE-80285-0 (Unknown)
From C2S/CIS: Unmanaged or unintentionally activated DHCP servers may provide faulty information to clients, interfering with the operation of a legitimate site DHCP server if there is one.
systemctl disable dhcpd.service
From C2S/CIS: Running an IMAP or POP3 server provides a network-based avenue of attack, and should be disabled if not needed.
systemctl disable dovecot.service
C2S/CIS: CCE-80294-2 (Unknown)
From C2S/CIS: All of these daemons (nfslock, rpcgssd, and rpcidmapd) run with elevated privileges, and many listen for network connections.
systemctl disable rpcbind.service
From C2S/CIS: Unnecessary services should be disabled to decrease the attack surface of the system.
systemctl disable nfs.service
C2S/CIS: CCE-80237-1 (Unknown)
From C2S/CIS: Turn off unneeded services to reduce attack surface.
systemctl disable cups.service
C2S/CIS: CCE-80282-7 (Unknown)
The best protection against vulnerable software is running less software.
From C2S/CIS: Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.
systemctl enable crond.service
From C2S/CIS: Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges.
yum install tcp_wrappers
From C2S/CIS: Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches. The chronyd and ntpd NTP daemons offer all of the functionality of ntpdate, which is now deprecated.
systemctl enable chronyd
# or
systemctl enable ntpd
The Practical Linux Hardening Guide provides a high-level overview of the hardening GNU/Linux systems. It is not an official standard or handbook but it touches and use industry standards.