Securing-Optimizing-RH-Linux-1_2_41
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
In a safe environment where you are sure the console is secured, because passwords for the BIOS
and LILO are set and all physical power and reset switches on the system are disabled, it may be
advantageous to entirely disable console-equivalent access to programs like shutdown,
reboot, and halt for regular users on your server.
To do this, run the following command:
[root@deep /]# rm -f /etc/security/console.apps/<servicename>
Where <servicename> is the name of the program to which you wish to disable console-
equivalent access. Unless you use xdm, however, be careful not to remove the xserver file or no
one but root will be able to start the X server. (If you always use xdm to start the X server, root is
the only user that needs to start X, in which case you might actually want to remove the xserver
file).
As an example:
[root@deep /]# rm -f /etc/security/console.apps/halt
[root@deep /]# rm -f /etc/security/console.apps/poweroff
[root@deep /]# rm -f /etc/security/console.apps/reboot
[root@deep /]# rm -f /etc/security/console.apps/shutdown
[root@deep /]# rm -f /etc/security/console.apps/xserver
(If the xserver file is removed, root will be the only user able to start X.)
These commands disable console-equivalent access to the programs halt, poweroff, reboot, and
shutdown. Once again, the xserver file applies only if you have installed the X Window interface on
your system.
NOTE: If you are following our setup installation, the X Window interface is not installed on your
server and none of the files described above will appear in the /etc/security directory, so you
can skip the steps above.
9. Disabling all console access
The Linux-PAM library installed by default on your system allows the system administrator to
choose how applications authenticate users, for example for console access, program access and
file access. To disable all of these accesses for regular users, you must comment out every line
that refers to pam_console.so in the files of the /etc/pam.d/ directory. This step continues hack 8
above, Disabling console program access.
The following script will do the trick automatically for you. As root, create the disabling.sh
script file (touch disabling.sh) and add the following lines to it:
#!/bin/sh
# Comment out every line that references pam_console.so and is not already
# a comment, in each PAM service file under /etc/pam.d.
cd /etc/pam.d || exit 1
for i in * ; do
    sed '/^[^#].*pam_console.so/s/^/#/' < "$i" > foo && mv foo "$i"
done
Make this script executable with the following command and execute it:
[root@deep /]# chmod 700 disabling.sh
[root@deep /]# ./disabling.sh
This will comment out all lines that refer to pam_console.so in every file located under the
/etc/pam.d directory. Once the script has been executed, you can remove it from your system.
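To confirm that hack 9 actually took effect, the following added example (not the book's own script) counts PAM service files that still contain an uncommented pam_console.so line and applies the same commenting step to an arbitrary directory. It runs against constructed sample files in a scratch directory that stands in for /etc/pam.d; the module paths and service names in those samples are made up for the example.

```sh
#!/bin/sh
# Added example, not the book's own script. Checks how many PAM service
# files still carry an uncommented pam_console.so line, so the state can be
# compared before and after the commenting step of hack 9.

# $1: directory of PAM service files (normally /etc/pam.d); prints a count
active_console_refs() {
    grep -l '^[^#].*pam_console\.so' "$1"/* 2>/dev/null | wc -l | tr -d ' '
}

# Same commenting step as the book's disabling.sh, for an arbitrary directory
disable_console_refs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        sed '/^[^#].*pam_console\.so/s/^/#/' < "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Constructed sample PAM files in a scratch directory standing in for
# /etc/pam.d: two services use pam_console.so, one already has it commented.
make_sample_pamd() {
    dir=$(mktemp -d)
    printf '%s\n' 'auth     sufficient /lib/security/pam_rootok.so' \
                  'auth     required   /lib/security/pam_console.so' \
                  'account  required   /lib/security/pam_permit.so' > "$dir/halt"
    printf '%s\n' 'auth     required   /lib/security/pam_pwdb.so shadow nullok' \
                  'session  optional   /lib/security/pam_console.so' > "$dir/login"
    printf '%s\n' '#session optional   /lib/security/pam_console.so' \
                  'auth     required   /lib/security/pam_pwdb.so' > "$dir/su"
    echo "$dir"
}

# Stand-alone run: show the count before and after, then clean up
sample=$(make_sample_pamd)
echo "before: $(active_console_refs "$sample") file(s) with active pam_console.so"
disable_console_refs "$sample"
echo "after:  $(active_console_refs "$sample") file(s) with active pam_console.so"
rm -rf "$sample"
```

Pointing active_console_refs at the real /etc/pam.d after running disabling.sh should print 0; any other count names files that still grant console-equivalent access.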
10. The /etc/inetd.conf file