Securing-Optimizing-RH-Linux-1_2_53
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
[root@deep /]# mount /dev/fd0 /mnt/floppy/
[root@deep /]# mv /bin/rpm /mnt/floppy/
[root@deep /]# umount /mnt/floppy
NOTE: Never uninstall the RPM program completely from your system, or you will be unable to reinstall
it later, since installing RPM or any other software requires the RPM commands to be available.
One more thing you can do is change the default permission of the rpm command from 755 to
700. With this modification, non-root users can't use the rpm program to query, install, etc., in
case you forget to move it to a safe place after installing new programs.
· To change the default permission of /bin/rpm, use the command:
[root@deep /]# chmod 700 /bin/rpm
26. Shell logging
To make it easy for you to repeat long commands, the bash shell stores up to 500 old commands
in the ~/.bash_history file (where ~/ is your home directory). Each user that has an account on
the system will have this .bash_history file in their home directory. Reducing the number of old
commands the .bash_history files can hold protects users on the server who by mistake type
their password on the screen in plain text, since the password is then no longer kept for a long
time in the .bash_history file.
The HISTFILESIZE and HISTSIZE lines in the /etc/profile file determine how many old
commands the .bash_history file can hold for all users on your system. For all accounts I would
highly recommend setting HISTFILESIZE and HISTSIZE in the /etc/profile file to a low value
such as 20.
Edit the profile file (vi /etc/profile) and change the lines to:
HISTFILESIZE=20
HISTSIZE=20
This means the .bash_history file in each user's home directory can store 20 old commands
and no more. Now, if a cracker tries to read the ~/.bash_history files of users on your server to find
a password typed by mistake in plain text, he has less chance of finding one.
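As an added example, not from the book, the following POSIX shell helpers audit the two settings recommended above: that HISTFILESIZE and HISTSIZE in a profile file are set to at most a given limit, and that the rpm binary has mode 700 as in section 25. The sample profile contents, the temporary directory and the empty rpm stand-in are constructed for the stand-alone run; point the functions at /etc/profile and /bin/rpm to check a real system.

```shell
#!/bin/sh
# Added audit helpers (not from the book). They check the two settings the
# text recommends: HISTFILESIZE/HISTSIZE in a profile file, and a 700 mode
# on the rpm binary. Paths are parameters so the checks run against any file.

# hist_value FILE VAR -> prints the last numeric value assigned to VAR in FILE
# (lines such as "HISTSIZE=20" or "export HISTSIZE=20"); prints nothing if unset.
hist_value() {
    sed -n "s/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}$2=\([0-9]\{1,\}\).*/\2/p" "$1" | tail -n 1
}

# check_hist_limits FILE MAX -> returns 0 if both HISTFILESIZE and HISTSIZE
# are set in FILE and are not larger than MAX, 1 otherwise.
check_hist_limits() {
    f="$1"; max="$2"; rc=0
    for var in HISTFILESIZE HISTSIZE; do
        v=$(hist_value "$f" "$var")
        if [ -z "$v" ]; then
            echo "$var: not set in $f"; rc=1
        elif [ "$v" -gt "$max" ]; then
            echo "$var=$v exceeds $max"; rc=1
        else
            echo "$var=$v ok"
        fi
    done
    return $rc
}

# check_mode FILE -> returns 0 if FILE is mode 700 (owner rwx, nothing for
# group or others), 1 otherwise. Uses ls -ld so it needs no GNU stat.
check_mode() {
    perms=$(ls -ld "$1" | cut -c2-10)
    [ "$perms" = "rwx------" ]
}

# Constructed sample profiles and rpm stand-in for a stand-alone run.
tmp=$(mktemp -d)
cat > "$tmp/profile.bad" <<'EOF'
HISTFILESIZE=1000
HISTSIZE=1000
EOF
cat > "$tmp/profile.good" <<'EOF'
export HISTFILESIZE=20
HISTSIZE=20
EOF
: > "$tmp/rpm"; chmod 755 "$tmp/rpm"

check_hist_limits "$tmp/profile.bad" 20 || echo "profile.bad: FAIL"
check_hist_limits "$tmp/profile.good" 20 && echo "profile.good: PASS"
check_mode "$tmp/rpm" || echo "rpm mode too open; fix with: chmod 700 $tmp/rpm"
chmod 700 "$tmp/rpm"
check_mode "$tmp/rpm" && echo "rpm mode ok"
```

The last assignment in the file wins, matching how the shell reads /etc/profile, so a later line that raises the limit again is caught.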
27. The /etc/lilo.conf file
LILO is the most commonly used boot loader for Linux. It manages the boot process and can boot
Linux kernel images from floppy disks or hard disks, or can even act as a "boot manager" for other
operating systems. LILO is very important in the Linux system and for this reason we must
protect it the best we can. The most important configuration file of LILO is the lilo.conf file, which
resides under the /etc directory. It is with this file that we can configure and improve the security of
our LILO program and Linux system. Following are three important options that will improve the
security of our valuable LILO program.
· Adding: timeout=00
This option controls how long (in seconds) LILO waits for user input before booting to the default
selection. One of the requirements of C2 security is that this interval be set to 0 unless the system
dual boots something else.
· Adding: restricted