
Securing-Optimizing-RH-Linux-1_2_53
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®

[root@deep /]# mount /dev/fd0 /mnt/floppy/
[root@deep /]# mv /bin/rpm /mnt/floppy/
[root@deep /]# umount /mnt/floppy

NOTE: Never uninstall the RPM program completely from your system, or you will be unable to reinstall it later: installing RPM or any other software requires the RPM commands to be available.

One more thing you can do is to change the default permission of the “rpm” command from 755 to 700. With this modification, non-root users cannot use the “rpm” program to query, install, and so on, in case you forget to move it to a safe place after installing new programs.

· To change the default permission of “/bin/rpm”, use the command:

[root@deep /]# chmod 700 /bin/rpm

26. Shell logging

To make it easy for you to repeat long commands, the bash shell stores up to 500 old commands in the “~/.bash_history” file (where “~/” is your home directory). Each user that has an account on the system will have this “.bash_history” file in their home directory. Reducing the number of old commands the “.bash_history” files can hold protects users of the server who type their password on the screen by mistake, in plain text, from having that password stored for a long time in the “.bash_history” file.

The HISTFILESIZE and HISTSIZE lines in the “/etc/profile” file determine how many old commands the “.bash_history” file can hold for all users on your system. For all accounts I would highly recommend setting HISTFILESIZE and HISTSIZE in the “/etc/profile” file to a low value such as 20. Edit the profile file (vi /etc/profile) and change the lines to:

HISTFILESIZE=20
HISTSIZE=20

This means the “.bash_history” file in each user's home directory can store 20 old commands and no more.

Now, if a cracker tries to read the “~/.bash_history” file of users on your server to find a password typed by mistake in plain text, he has less chance of finding one.

27. The “/etc/lilo.conf” file

LILO is the most commonly used boot loader for Linux. It manages the boot process and can boot Linux kernel images from floppy disks or hard disks, or can even act as a "boot manager" for other operating systems. LILO is very important in the Linux system and for this reason we must protect it the best we can. The most important configuration file of LILO is the “lilo.conf” file, which resides under the “/etc” directory. It is with this file that we can configure and improve the security of our LILO program and Linux system. Following are three important options that will improve the security of our valuable LILO program.

· Adding: timeout=00

This option controls how long (in seconds) LILO waits for user input before booting to the default selection. One of the requirements of C2 security is that this interval be set to 0 unless the system dual boots something else.

· Adding: restricted
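A small audit script for the two settings discussed above, the history limits of section 26 and the LILO timeout of section 27. It is added here as an example and is not code from the book; the function names are mine, and the config files it reads are constructed samples written to a temporary directory rather than the live /etc/profile and /etc/lilo.conf.

```shell
#!/bin/sh
# Added audit helper (example, not from the book). It reads the last effective
# KEY=VALUE assignment in a config file and checks the two recommendations:
#   /etc/profile  : HISTFILESIZE and HISTSIZE no larger than 20 (section 26)
#   /etc/lilo.conf: timeout equal to 0, written "timeout=00" in the book (section 27)
# Assumes POSIX sh with grep, sed and mktemp. Sample files are constructed below.

MAX_HIST=20

# conf_value FILE KEY -> prints the value of the last uncommented KEY= line;
# an optional leading "export", surrounding quotes and a trailing comment are stripped
conf_value() {
    grep -E "^[[:space:]]*(export[[:space:]]+)?$2[[:space:]]*=" "$1" | tail -n 1 \
      | sed -E "s/^[[:space:]]*(export[[:space:]]+)?$2[[:space:]]*=[[:space:]]*//; s/[[:space:]]*#.*$//; s/[\"']//g; s/[[:space:]]*$//"
}

# is_number VALUE -> 0 if VALUE is a non-empty string of digits
is_number() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# check_history_limits PROFILE -> 0 only if both history variables are numbers <= MAX_HIST
check_history_limits() {
    for key in HISTFILESIZE HISTSIZE; do
        val=$(conf_value "$1" "$key")
        if ! is_number "$val" || [ "$val" -gt "$MAX_HIST" ]; then
            echo "$1: $key='$val' (want a number <= $MAX_HIST)"; return 1
        fi
    done
    echo "$1: history limits OK"
}

# check_lilo_timeout LILOCONF -> 0 only if timeout is present and equals 0
check_lilo_timeout() {
    val=$(conf_value "$1" timeout)
    if ! is_number "$val" || [ "$val" -ne 0 ]; then
        echo "$1: timeout='$val' (want 0)"; return 1
    fi
    echo "$1: lilo timeout OK"
}

tmp=$(mktemp -d)
# Constructed samples: a stock configuration next to the hardened one the book describes
printf 'HISTFILESIZE=1000\nHISTSIZE=1000\n' > "$tmp/profile.default"
printf 'export HISTFILESIZE=20\nHISTSIZE=20   # per section 26\n' > "$tmp/profile.hardened"
printf 'boot=/dev/hda\ntimeout=50\n' > "$tmp/lilo.default"
printf 'boot=/dev/hda\ntimeout=00\nrestricted\n' > "$tmp/lilo.hardened"

for f in profile.default profile.hardened; do check_history_limits "$tmp/$f" || :; done
for f in lilo.default lilo.hardened; do check_lilo_timeout "$tmp/$f" || :; done
```

Point the two check functions at the real /etc/profile and /etc/lilo.conf to audit a system; a non-zero return from either means the setting is missing or looser than the book recommends.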