-
-
Notifications
You must be signed in to change notification settings - Fork 629
Maintaining Software
You can file an issue about it and ask that it be added.
Software mintenance is extremely important to maintaining a secure system. It is vital to patch software as soon as it becomes available in order to prevent attackers from using known holes to infiltrate your system.
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
gpgcheck=1- Configuring Yum and Yum Repositories [Official]
Software updates offer plenty of benefits. It’s all about revisions. These might include repairing security holes that have been discovered and fixing or removing bugs.
U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.
Some benefits:
- close up problems of security that has been discovered
- it can improve the stability of the system
- improvements the system stacks or network stacks
yum updateBefore updating the system, I do it in the console:
# This one-liner save the update process session:
script -t 2>~/upgrade.time -a ~/upgrade.scriptAlso these one-liners are important:
yum check-updateyum --security upgradeyum history undo <id>- Yum [Official]
- How to use yum history to roll back an update in Red Hat Enterprise Linux 6 , 7? [Official]
- In CentOS, what is the difference between yum update and yum upgrade?
The best protection against vulnerable software is running less software.
From C2S/CIS: These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Removing the rsh package removes the clients for rsh,rcp, and rlogin.
yum remove rshC2S/CIS: CCE-27274-0 (unknown)
From C2S/CIS: The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
systemctl disable rlogin.socketFrom C2S/CIS: The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
systemctl disable rexec.socketFrom C2S/CIS: The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
systemctl disable rsh.socketFrom C2S/CIS: Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.
rm /etc/hosts.equiv
rm ~/.rhostsFrom C2S/CIS: The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
# Edit /etc/xinetd.d/telnet:
disable = yesFrom C2S/CIS: The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session.
yum erase ypservFrom C2S/CIS: Disabling the tftp service ensures the system is not acting as a TFTP server, which does not provide encryption or authentication.
systemctl disable tftp.serviceThe Practical Linux Hardening Guide provides a high-level overview of the hardening GNU/Linux systems. It is not an official standard or handbook but it touches and use industry standards.