Securing and Hardening Red Hat Linux Production Systems

A Practical Guide to Basic Linux Security in Production Enterprise Environments

This article is a practical step-by-step guide for securing Linux production systems. It discusses basic Linux Security requirements for systems that need to pass various audits in an enterprise environment. If you work on a corporate Linux Security Standard, or if you do Sarbanes-Oxley Act (SOX) or Statement on Auditing Standards No. 70 (SAS 70) related work, then this article should provide you with a good baseline.

su

DiskSanitizer

DiskSanitizer

/

/boot

/usr

/var

/tmp

/home

/var

/tmp

/opt

iptables

iptables

iptables

rpm -qa

rpm -qi <package_name>

rpm -e --test <package_name>

# netstat -tulp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 *:auth *:* LISTEN 2328/xinetd tcp 0 0 localhost.localdomain:smtp *:* LISTEN 2360/sendmail: acce tcp 0 0 *:ssh *:* LISTEN 2317/sshd

xinetd

sendmail

sshd

sendmail

# nmap -sTU <remote_host> Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-12-10 22:51 CST Interesting ports on jupitor (172.16.0.1): (The 3131 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 22/tcp open ssh 113/tcp open auth Nmap run completed -- 1 IP address (1 host up) scanned in 221.669 seconds #

nmap

-U

nmap

nmap

xinetd

auth

sendmail

lsof

# lsof -i -n | egrep 'COMMAND|LISTEN|UDP' COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME sshd 2317 root 3u IPv6 6579 TCP *:ssh (LISTEN) xinetd 2328 root 5u IPv4 6698 TCP *:auth (LISTEN) sendmail 2360 root 3u IPv4 6729 TCP 127.0.0.1:smtp (LISTEN) #

chkconfig --list |grep on

kudzu

gpm needed if you want to use the mouse at the console kudzu important for detecting new hardware syslog important for syslog services netfs needed only if there are NFS shares that should be mounted at boot time network important for starting network interfaces (e.g. eth0, eth1, bonding,...) random used for the system entropy pool atd needed if the at(1) service is used instead of cron apmd Advanced Power Management (APM) daemon is used for laptops and some desktops isdn needed if ISDN is being used iptables needed if Netfilter (iptables) Firewall is being used ip6tables needed if ip6tables Firewall is being used pcmcia not needed on servers - needed for laptops irqbalance important for distributing interrupts across all CPUs sendmail needed if Sendmail is used - Postfix should be used instead, which is more secure (see the Postfix section below) autofs needed if automounter is used - production applications should not be dependent on automounter sshd important for logins via SSH portmap needed if e.g. NFS is being used nfslock needed if NFS shares are mounted nfs needed if server runs the NFS server mdmonitor needed only if software RAID is being used crond important for running cron jobs xinetd needed if xinetd services are being used, see /etc/xinetd.d/ for list of services cups needed if CUPS is used for the printing system rhnsd needed if server should connect to RHN to check for software updates etc. sysstat needed to reset system statistics logs audit needed only if Linux Audit Subsystem (LAuS) should run for collecting system call audit records psacct needed only if kernel process accounting information is needed smartd important for monitoring disk problems if hard disks support SMART technology netdump important if kernel oops data and memory dumps should be sent to a Netdump server for server crashes

/etc/init.d

atd

/etc/init.d

atd

atd

daemon /usr/sbin/atd

atd

atd

man atd

nfs

chkconfig nfs off

nfs

/etc/init.d/nfs stop

xinetd

inetd

/etc/xinetd.d

xinetd

# chkconfig --list xinetd xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off # /etc/init.d/xinetd status xinetd (pid 2619) is running... #

xinetd

xinetd

/etc/xinetd.d

xinetd

# chkconfig --list | awk '/xinetd based services/,/^$/' xinetd based services: krb5-telnet: off rsync: off eklogin: off gssftp: off klogin: off chargen-udp: off kshell: off auth: on chargen: off daytime-udp: off daytime: off echo-udp: off echo: off services: off time: off time-udp: off cups-lpd: off #

xinetd

# chkconfig --list | awk '/xinetd based services/,/^$/' | grep -v off xinetd based services: auth: on #

telnet-server

telnet-server

telnet

telnet

# chkconfig --list telnet telnet on # cat /etc/xinetd.d/telnet | grep disable disable = no # chkconfig telnet off # chkconfig --list telnet telnet off # cat /etc/xinetd.d/telnet | grep disable disable = yes #

telnet

# rpm -e telnet-server

xinetd

auth

# grep " server" /etc/xinetd.d/auth server = /usr/sbin/in.authd server_args = -t60 --xerror --os -E # man in.auth No manual entry for in.auth # rpm -qf /usr/sbin/in.authd authd-1.4.1-1.rhel3 # rpm -qi authd-1.4.1-1.rhel3 | awk '/Description/,/^$/' Description : authd is a small and fast RFC 1413 ident protocol daemon with both xinetd server and interactive modes that supports IPv6 and IPv4 as well as the more popular features of pidentd. # rpm -ql authd-1.4.1-1.rhel3 /etc/ident.key /etc/xinetd.d/auth /usr/sbin/in.authd /usr/share/doc/authd-1.4.1 /usr/share/doc/authd-1.4.1/COPYING /usr/share/doc/authd-1.4.1/README.html /usr/share/doc/authd-1.4.1/rfc1413.txt /usr/share/locale/ja/LC_MESSAGES/authd.mo #

in.authd

xinetd

auth

auth

# chkconfig auth off

xinetd

/etc/inittab

/etc/inittab

# sed -i 's/^ca::ctrlaltdel:/#ca::ctrlaltdel:/' /etc/inittab

# grep ':initdefault' /etc/inittab id:3:initdefault: #

/etc/inittab

# init q

/etc/rc.local

/etc/rc.local

/etc/rc.d/rc.local

/etc/rc.d/rc.local

/etc/hosts.allow

/etc/hosts.deny

hosts.allow

hosts.deny

/etc/hosts.deny

ALL: ALL

/etc/hosts.allow

sshd: rac1cluster rac2cluster rac3cluster

/etc/hosts.allow

sshd: rac1cluster rac2cluster rac3cluster .subnet.example.com

/etc/hosts.allow

portmap: 192.168.0.1 192.168.5.

.subnet.example.com

cracker.subnet.example.com

/etc/hosts.allow

ALL: .subnet.example.com EXCEPT cracker.subnet.example.com

/etc/hosts.deny

/etc/hosts.allow

sshd: rac1cluster rac2cluster rac3cluster sshd: ALL: DENY

/etc/hosts.allow

sshd: ALL : spawn echo "Login from %c to %s" | mail -s "Login Info for %s" log@loghost

man 5 hosts_access

xinetd

xinetd

telnet

rlogin

rsh

/etc/ssh/sshd_config

root

PermitRootLogin no

UsePrivilegeSeparation yes

Protocol 2

AllowTcpForwarding no X11Forwarding no

StrictModes

~/.ssh

~/.ssh/authorized_keys

StrictModes yes

IgnoreRhosts yes HostbasedAuthentication no RhostsRSAAuthentication no

sftp

#Subsystem sftp /usr/lib/misc/sftp-server

sshd

/etc/init.d/sshd restart

# alternatives --set mta /usr/sbin/sendmail.postfix

/etc/postfix/main.cf

mydestination = $myhostname, localhost.$mydomain, localhost inet_interfaces = localhost

mydestination

inet_interfaces

# /etc/init.d/postfix restart

# nmap -sT -p 25 <remote_node> # telnet <remote_node> 25

sendmail.cf

/etc/mail/sendmail.cf

O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA

DAEMON_OPTIONS

/etc/mail/sendmail.mc

DAEMON_OPTIONS

/etc/mail/sendmail.mc

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

# mv /etc/mail/sendmail.cf /etc/mail/sendmail.cf.old # m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf # /etc/init.d/sendmail restart

# nmap -sT -p 25 <remote_node> # telnet <remote_node> 25

# service nfs status rpc.mountd is stopped nfsd is stopped rpc.rquotad is stopped # chkconfig --list nfs nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off #

portmap

# service portmap status portmap is stopped # chkconfig --list portmap portmap 0:off 1:off 2:off 3:off 4:off 5:off 6:off #

chkconfig portmap on chkconfig nfs on service portmap start service nfs start

portmap

portmap

nfs

rpc.rquotad

nfsd

lockd

rpciod

rpc.mountd

rpc.idmapd

rpc.mountd

nfsd

rpc.rquotad

rpcinfo

# rpcinfo -p <server> program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100011 1 udp 607 rquotad 100011 2 udp 607 rquotad 100011 1 tcp 610 rquotad 100011 2 tcp 610 rquotad 100003 2 udp 2049 nfs 100003 3 udp 2049 nfs 100003 2 tcp 2049 nfs 100003 3 tcp 2049 nfs 100005 1 udp 623 mountd 100005 1 tcp 626 mountd 100005 2 udp 623 mountd 100005 2 tcp 626 mountd 100005 3 udp 623 mountd 100005 3 tcp 626 mountd #

portmap

# strings /sbin/portmap | egrep "hosts.deny|hosts.allow|libwrap" hosts_allow_table hosts_deny_table /etc/hosts.allow /etc/hosts.deny # strings /usr/sbin/rpc.rquotad | egrep "hosts.deny|hosts.allow|libwrap" libwrap.so.0 # ldd /usr/sbin/rpc.rquotad | grep libwrap libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00874000) #

hosts.deny

hosts.allow

libwrap

/etc/hosts.deny

/etc/hosts.allow

/etc/hosts.deny

ALL: ALL

# rpcinfo -p <server> No remote programs registered. #

/etc/hosts.allow

/etc/init.d/nfs

strings <program> | egrep "hosts.deny|hosts.allow|libwrap"

/usr/sbin/rpc.rquotad

/usr/sbin/rpc.mountd

/etc/hosts.allow

portmap: rac1pub.example.com rac2pub.example.com rac3pub.example.com .subnet.puschitz.com rpc.mountd: rac1pub.example.com rac2pub.example.com rac3pub.example.com .subnet.puschitz.com rpc.rquotad: rac1pub.example.com rac2pub.example.com rac3pub.example.com .subnet.puschitz.com

rpcinfo

# rpcinfo -p <server> program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100011 1 udp 607 rquotad 100011 2 udp 607 rquotad 100011 1 tcp 610 rquotad 100011 2 tcp 610 rquotad 100003 2 udp 2049 nfs 100003 3 udp 2049 nfs 100003 2 tcp 2049 nfs 100003 3 tcp 2049 nfs 100005 1 udp 623 mountd 100005 1 tcp 626 mountd 100005 2 udp 623 mountd 100005 2 tcp 626 mountd 100005 3 udp 623 mountd 100005 3 tcp 626 mountd #

# rpcinfo -p <server> No remote programs registered. #

/etc/exports

/etc/exports

/pub *.subnet.example.com(ro,sync)

/etc/exports

ro

/etc/exports

/data/OracleArch rac1pub.example.com(rw,sync) rac2pub.example.com(rw,sync) rac3pub.example.com(rw,sync)

/etc/exports

root_squash

no_root_squash

/etc/exports

# exportfs -a

# exportfs -ua

# showmount -e localhost Export list for localhost: /pub *.subnet.example.com /data/OracleArch rac3pub.example.com,rac2pub.example.com,rac1pub.example.com

wire-test

/usr/sbin/wire-test

am-utils

# wire-test localhost Network 1: wire="172.16.1.0" (netnumber=172.16.1). Network 2: wire="172.16.1.1" (netnumber=172.16.1). My IP address is 0xac100101. NFS Version and protocol tests to host "localhost"... testing vers=2, proto="udp" -> found version 2. testing vers=3, proto="udp" -> found version 3. testing vers=2, proto="tcp" -> found version 2. testing vers=3, proto="tcp" -> found version 3. #

# wire-test localhost Network 1: wire="172.16.1.0" (netnumber=172.16.1). Network 2: wire="172.16.1.1" (netnumber=172.16.1). My IP address is 0xac100101. NFS Version and protocol tests to host "localhost"... testing vers=2, proto="udp" -> found version 2. testing vers=3, proto="udp" -> found version 3. testing vers=2, proto="tcp" -> failed! testing vers=3, proto="tcp" -> failed! #

proto=tcp

# mount -o proto=tcp <nfs_server_name>:/pub /usr/local/pub

mount

# mount ... nfsserver:/pub on /usr/local/pub type nfs (rw,proto=tcp,addr=172.16.10.8) ...

/etc/fstab

/etc/fstab

nfsserver:/pub /usr/local/pub nfs rsize=8192,wsize=8192,timeo=14,intr,tcp 0 0

ssh

scp

ssh

~/.ssh/authorized_keys2

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/bin/cat ~/<file_name>" ssh-dss AAABB33Nza...OpenSSH key

ssh <user>@<server> > <local_file>

/bin/cat

/bin/cat

$SSH_ORIGINAL_COMMAND

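#!/bin/ksh
# Forced command for a restricted SSH key: referenced from the command="..."
# option of the key's entry in ~/.ssh/authorized_keys2. sshd places whatever the
# client asked to run in SSH_ORIGINAL_COMMAND; only the two exact names below are
# accepted, so the key holder can neither read arbitrary files nor pass options
# to cat. The file names are resolved relative to the account's home directory.
case "${SSH_ORIGINAL_COMMAND:-}" in
  File1|File2)
    exec /bin/cat -- "$SSH_ORIGINAL_COMMAND"
    ;;
  *)
    # The error goes to stderr so it never ends up in the caller's redirected
    # output (ssh <user>@<server> File1 > <local_file>).
    echo "Invalid file name!" >&2
    exit 1
    ;;
esac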

/bin/cat

~/.ssh/authorized_keys2

ssh <user>@<server> File1 > <local_file>

ssh <user>@<server> File2 > <local_file>

/etc/sysctl.conf

# sysctl -p

/etc/sysctl.conf

net.ipv4.tcp_syncookies = 1

/etc/sysctl.conf

net.ipv4.conf.all.accept_source_route = 0

/etc/sysctl.conf

net.ipv4.conf.all.accept_redirects = 0

/etc/sysctl.conf

net.ipv4.conf.all.rp_filter = 1

/etc/sysctl.conf

net.ipv4.icmp_echo_ignore_all = 1

/etc/sysctl.conf

net.ipv4.icmp_echo_ignore_broadcasts = 1

/etc/sysctl.conf

net.ipv4.conf.all.log_martians = 1

umask

default

umask

/etc/bashrc

bash

$ id uid=509(test) gid=510(test) groups=100(users),510(test) context=user_u:system_r:unconfined_t $ umask 0002 $ # id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t # umask 0022 #

umask

$ umask 000 $ touch file1 $ ls -l file1 -rw-rw-rw- 1 oracle oinstall 0 Dec 26 19:24 file1 $ umask 002 $ touch file2 $ ls -l file2 -rw-rw-r-- 1 oracle oinstall 0 Dec 26 19:24 file2 $ umask 022 $ touch file3 $ ls -l file3 -rw-r--r-- 1 oracle oinstall 0 Dec 26 19:25 file3 $

bash

umask

/etc/bashrc

/etc/bashrc

~/.bashrc

passwd

/etc/shadow

find / -path /proc -prune -o -type f -perm /6000 -ls (GNU findutils 4.2 and later; the older spelling -perm +6000 is rejected by current findutils)

-prune

/proc

find / -path /proc -prune -o -perm -2 ! -type l -ls

! -type l

find

/tmp

/tmp

$ ls -ld /tmp drwxrwxrwt 18 root root 16384 Dec 23 22:20 /tmp

t

find / -path /proc -prune -o \( -nouser -o -nogroup \) -ls (the explicit -ls matters: without an action, find wraps the whole expression in an implicit -print and lists the pruned /proc entry as well)

/etc/shadow

passwd -l

usermod -L

# egrep -v '.*:\*|:\!' /etc/shadow | awk -F: '{print $1}'

/etc/passwd

# grep -v ':x:' /etc/passwd

/etc/shadow

/etc/passwd

# find / -path /proc -prune -o -user <account> -ls

# userdel -r <account>

-r

userdel

/var/spool/mail/<user>

/etc/inittab

~~:S:wait:/sbin/sulogin

init=/bin/bash

# su oracle -c id You are required to change your password immediately (password aged) Changing password for oracle (current) UNIX password:

useradd

/etc/shadow

useradd

/etc/login.defs PASS_MAX_DAYS 60 Maximum number of days a password is valid. /etc/login.defs PASS_MIN_DAYS 7 Minimum number of days before a user can change the password since the last change. /etc/login.defs PASS_MIN_LEN n/a This parameter does not work. It is superseded by the PAM module "pam_cracklib". See Enforcing Stronger Passwords for more information. /etc/login.defs PASS_WARN_AGE 7 Number of days when the password change reminder starts. /etc/default/useradd INACTIVE 14 Number of days after password expiration that account is disabled. /etc/default/useradd EXPIRE Account expiration date in the format YYYY-MM-DD.

/etc/login.defs

/etc/default/useradd

useradd

/etc/shadow

<username>:<password>:<date>: PASS_MIN_DAYS : PASS_MAX_DAYS : PASS_WARN_AGE : INACTIVE : EXPIRE :

useradd -c "Test User" -g users test

-g

# id test uid=509(test) gid=100(users) groups=100(users)

/etc/login.defs

/etc/default/useradd

/etc/shadow

# grep test /etc/shadow test:!!:12742:7:60:7:14::

chage

chage

# chage -M 99999 <system_account_name>

# chage -l <system_account_name>

# chage -l test Minimum: 7 Maximum: 60 Warning: 7 Inactive: 14 Last Change: Jan 11, 2005 Password Expires: Mar 12, 2005 Password Inactive: Mar 26, 2005 Account Expires: Never

pam_cracklib

pam_cracklib

minlen=10

dcredit=1

pam_cracklib

minlen-credit

minlen

pam_cracklib

pam_cracklib

lcredit, ucredit, dcredit, and ocredit

dcredit=-1

minlen

pam_cracklib

pam_cracklib

pam_cracklib

pam_cracklib

pam_cracklib

pam_cracklib

pam_cracklib.so

minlen=8

Minimum length of password is 8

pam_cracklib.so

lcredit=-1

Minimum number of lower case letters is 1

pam_cracklib.so

ucredit=-1

Minimum number of upper case letters is 1

pam_cracklib.so

dcredit=-1

Minimum number of digits is 1

pam_cracklib.so

ocredit=-1

Minimum number of other characters is 1



/etc/pam.d/system-auth

pam_cracklib

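# /etc/pam.d/system-auth -- password quality enforced with pam_cracklib.
# pam_cracklib requires at least 8 characters (minlen=8) and, because the credit
# values are negative, at least one lower-case letter, one upper-case letter,
# one digit and one other character; retry=3 gives the user three attempts.
# "nullok" has been removed from the pam_unix lines: with nullok, an account
# whose password field in /etc/shadow is empty can log in without any password,
# which defeats the policy enforced here.
# NOTE(review): md5 was the hashing default on the releases this guide targets;
# where pam_unix supports it, prefer sha512. authconfig regenerates this file,
# so re-apply these edits after running it.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password    sufficient    /lib/security/$ISA/pam_unix.so use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so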

passwd

passwd

/etc/pam.d/system-auth

authconfig

authconfig

system-auth

/usr/sbin/authconfig

pam_unix

remember

pam_cracklib

difok

PASS_MIN_DAYS

7

pam_unix

/etc/pam.d/system-auth

pam_cracklib

pam_unix

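# /etc/pam.d/system-auth -- password quality plus password history.
# pam_cracklib: minimum 8 characters with at least one lower-case, one
# upper-case, one digit and one other character; difok=3 requires at least three
# characters to differ from the previous password. pam_unix remember=26 keeps
# the last 26 password hashes in /etc/security/opasswd, which must exist and be
# readable by root only (-rw------- root root) before this takes effect.
# "nullok" has been removed from the pam_unix lines: with nullok, an account
# whose password field in /etc/shadow is empty can log in without any password,
# which defeats the policy enforced here.
# NOTE(review): md5 was the hashing default on the releases this guide targets;
# where pam_unix supports it, prefer sha512. authconfig regenerates this file,
# so re-apply these edits after running it.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3
password    sufficient    /lib/security/$ISA/pam_unix.so use_authtok md5 shadow remember=26
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so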

/etc/security/opasswd

# ls -l /etc/security/opasswd -rw------- 1 root root 0 Dec 8 06:54 /etc/security/opasswd

# su oracle -c id su: incorrect password #

/etc/pam.d/system-auth

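# /etc/pam.d/system-auth -- lock an account after repeated failed logins.
# pam_tally keeps the failure count in /var/log/faillog. In the auth stack it
# records every attempt (onerr=fail: refuse the login if the tally file cannot
# be accessed; no_magic_root: count root as well). In the account stack it
# denies the login once the count reaches deny=5 and, with reset, clears the
# counter after a successful login; per_user lets a per-account maximum set
# with faillog -m override deny=5 (a maximum of -1 disables the limit).
# NOTE(review): anyone who can reach a login service can lock an account on
# purpose by failing five times; restrict who can reach those services
# (tcp_wrappers, iptables) and keep a console path to unlock with
# faillog -u <user> -r.
# "nullok" has been removed from the pam_unix lines: with nullok, an account
# whose password field in /etc/shadow is empty can log in without any password,
# which bypasses the lockout policy entirely. authconfig regenerates this file,
# so re-apply these edits after running it.
auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_tally.so per_user deny=5 no_magic_root reset
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so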

/var/log/faillog

deny=n

deny=n

per_user

per_user

deny=n

# faillog -u oracle -m -1 # faillog -u oracle Username Failures Maximum Latest oracle 0 -1 Fri Dec 10 23:57:55 -0600 2005 on unknown

faillog

-m -1

deny=n

# faillog -u oracle -m 0

pam_tally

deny=n

faillog

deny=n

per_user

.fail_max

-1

# faillog

# faillog -u <user> -r

ssh

su

root

# passwd -l <user> # usermod -L <user> # passwd -u <user> # usermod -U <user>

NOTE:

/var/log/faillog

/var/log/faillog

xscreensaver

vlock

xscreensaver

vlock

/var/log/faillog

root

oracle

oracle

users

users

root

oracle

- SSH (/etc/pam.d/sshd) - Console Login (/etc/pam.d/login) - Graphical Gnome Login (/etc/pam.d/gdm) - or for all logins (/etc/pam.d/system-auth)

pam_access

account

account

auth

required

pam_access

/etc/pam.d/sshd

auth required pam_stack.so service=system-auth auth required pam_nologin.so account required pam_access.so account required pam_stack.so service=system-auth password required pam_stack.so service=system-auth session required pam_stack.so service=system-auth

pam_access

/etc/pam.d/login

auth required pam_securetty.so auth required pam_stack.so service=system-auth auth required pam_nologin.so account required pam_access.so account required pam_stack.so service=system-auth password required pam_stack.so service=system-auth session required pam_selinux.so close session required pam_stack.so service=system-auth session optional pam_console.so session required pam_selinux.so multiple open

pam_access

/etc/pam.d/gdm

auth required pam_env.so auth required pam_stack.so service=system-auth auth required pam_nologin.so account required pam_access.so account required pam_stack.so service=system-auth password required pam_stack.so service=system-auth session required pam_stack.so service=system-auth session optional pam_console.so

/etc/security/access.conf

-:ALL EXCEPT users :ALL

/etc/security/access.conf

pam_access

users

pam_access

account

users

oracle

oracle

/etc/security/access.conf

-:ALL EXCEPT users oracle:ALL -:oracle:ALL EXCEPT rac1cluster.example.com rac2cluster.example.com rac3cluster.example.com

oracle

oracle

NOTE:

pam_access

crond

# grep pam_access /etc/pam.d/* /etc/pam.d/crond:account required pam_access.so accessfile=/etc/security/access-cron.conf #

/etc/security/access.conf

pam_access

pam_access

/etc/pam.d/crond

account required pam_access.so accessfile=/etc/security/access-cron.conf

/etc/security/access.conf

crond

pam_cracklib

# touch /etc/security/access-cron.conf

NOTE:

/etc/passwd

This chapter shows how to restrict people from su-ing to system and shared accounts even if they know the passwords

su

root

oracle

postgres

pam_wheel

pam_wheel

root

any

su

root

oracle

postgres

# groupadd rootmembers # groupadd oraclemembers # groupadd postgresmembers

su

root

oracle

postgres

admin1

su

root

oracle

postgres

oracledba1

su

oracle

postgresdba1

su

postgres

su

# usermod -a -G rootmembers adminuser1 # usermod -a -G oraclemembers oracleuser1 # usermod -a -G postgresmembers postgresuser1 (the -a flag appends; without it, -G replaces the user's existing supplementary groups. On old shadow-utils releases that lack -a, list every group the user must keep in the -G argument.)

adminuser1

rootmembers

su

oracle

postgres

oraclemembers

postgresmembers

/etc/pam.d/su

auth sufficient /lib/security/$ISA/pam_rootok.so auth required /lib/security/$ISA/pam_stack.so service=system-auth auth sufficient /lib/security/$ISA/pam_stack.so service=su-root-members auth sufficient /lib/security/$ISA/pam_stack.so service=su-other-members auth required /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_stack.so service=system-auth password required /lib/security/$ISA/pam_stack.so service=system-auth session required /lib/security/$ISA/pam_selinux.so close session required /lib/security/$ISA/pam_stack.so service=system-auth session required /lib/security/$ISA/pam_selinux.so open multiple session optional /lib/security/$ISA/pam_xauth.so

nobody

su

any

su-root-members

su-other-members

sufficient

pam_deny

su

/etc/pam.d/su-root-members

/etc/pam.d/su-other-members

/etc/pam.d/su-root-members

/etc/pam.d/su

auth required /lib/security/pam_wheel.so use_uid group=rootmembers auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-rootmembers-access

/etc/security/su-rootmembers-access

/etc/pam.d/su-root-members

root oracle postgres

required

/etc/pam.d/su

rootmembers

/etc/security/su-rootmembers-access

su

item=user

pam_listfile

/etc/security/su-rootmembers-access

su

rootmembers

/etc/pam.d/su-root-members

/etc/pam.d/su-root-members

rootmembers

/etc/pam.d/su-other-members

/etc/pam.d/su-other-members

/etc/pam.d/su

auth sufficient /lib/security/pam_stack.so service=su-oracle-members auth sufficient /lib/security/pam_stack.so service=su-postgres-members auth required /lib/security/pam_deny.so

/etc/pam.d/su

/etc/pam.d/su-oracle-members

/etc/pam.d/su-other-members

auth required /lib/security/pam_wheel.so use_uid group=oraclemembers auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-oraclemembers-access

/etc/security/su-oraclemembers-access

oracle

/etc/pam.d/su-postgres-members

/etc/pam.d/su-other-members

auth required /lib/security/pam_wheel.so use_uid group=postgresmembers auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-postgresmembers-access

/etc/security/su-postgresmembers-access

/etc/pam.d/su-postgres-members

postgres

adminuser1

root

oracle

postgres

su

root

oracleuser1

oracle

postgresuser1

postgres

su

/etc/security/limits.conf

ulimit -a

ulimit

man bash

ulimit

Important Note:

oracle

root

su

oracle

/etc/security/limits.conf

UsePrivilegeSeparation (NOTE: setting this to no contradicts the SSH hardening above, where UsePrivilegeSeparation yes is recommended, and removes sshd's containment of the network-facing code in an unprivileged process. Treat it only as a workaround for old sshd/pam_limits builds: first check with ulimit -n in an SSH session whether the limits are actually missing, and re-enable privilege separation wherever they are applied correctly. Recent OpenSSH releases enforce privilege separation unconditionally and ignore this option.)

/etc/ssh/sshd_config

no

/etc/init.d/sshd restart

/etc/security/limits.conf

oracle soft nofile 4096 oracle hard nofile 63536

ulimit -n 63536

nofile

oracle

/proc/sys/fs/file-max

oracle

pam_limits

/etc/pam.d/system-auth

/etc/pam.d/sshd

/etc/pam.d/su

/etc/pam.d/login

/etc/pam.d/system-auth

/etc/security/limits.conf

session required /lib/security/pam_limits.so

/etc/pam.d/system-auth

session required /lib/security/pam_limits.so session required /lib/security/pam_unix.so

$ su - oracle $ ulimit -n 4096 $

ulimit

$ su - oracle $ ulimit -n 4096 $ ulimit -n 63536 $ ulimit -n 63536 $

ulimit -n 63536

~oracle/.bash_profile

echo $SHELL

oracle

su - oracle cat >> ~oracle/.bash_profile << EOF ulimit -n 63536 EOF

after

/etc/motd

# cat /etc/motd This system is classified... Use of this system constitutes consent to official monitoring. #

Banner

/etc/ssh/sshd_config

/etc/issue

/etc/X11/gdm/PreSession/Default

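# Login banner for graphical (gdm) logins, added to /etc/X11/gdm/PreSession/Default:
# the user must acknowledge the notice before the session starts. gdialog exits
# non-zero when the notice is declined, and also when it cannot run at all (e.g.
# gdialog not installed), so in that case every graphical login is refused -- a
# fail-closed behaviour worth knowing before deploying. A non-zero exit from a
# PreSession script makes gdm abandon the login; confirm this for your gdm version.
if ! gdialog --yesno '

This system is classified...

' 10 10; then
  sleep 10
  exit 1
fi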

who

w

last

lastb

/var/log/btmp

lastlog

/var/log/lastlog

ac

/var/log/wtmp

dump-utmp

/var/run/utmp

/var/log/wtmp

/var/log/messages

Resolver ( /etc/hosts , /etc/resolv.conf , /etc/nsswitch.conf )

NTP ( /etc/ntp.conf )

DISCLAIMER: The information provided on this website comes without warranty of any kind and is distributed AS IS. Every effort has been made to provide the information as accurate as possible, but no warranty or fitness is implied. The information may be incomplete, may contain errors or may have become out of date. The use of this information described herein is your responsibility, and to use it in your own environments do so at your own risk.

Copyright © 2007 PUSCHITZ.COM