23.9 Security Guidelines

23.9.1 Minimizing the Software Footprint
23.9.2 Configuring System Logging
23.9.3 Disabling Core Dumps
23.9.4 Minimizing Active Services
23.9.5 Locking Down Network Services
23.9.6 Configuring a Packet-filtering Firewall
23.9.7 Configuring TCP Wrappers
23.9.8 Configuring Kernel Parameters
23.9.9 Restricting Access to SSH Connections
23.9.10 Configuring File System Mounts, File Permissions, and File Ownerships
23.9.11 Checking User Accounts and Privileges

The following sections provide guidelines that help secure your Oracle Linux system.

23.9.1 Minimizing the Software Footprint

On systems on which Oracle Linux has been installed, remove unneeded RPMs to minimize the software footprint. For example, you could uninstall the X Windows package (xorg-x11-server-Xorg) if it is not required on a server system.

To discover which package provides a given command or file, use the yum provides command as shown in the following example:

# yum provides /usr/sbin/sestatus
...
policycoreutils-2.0.83-19.24.0.1.el6.x86_64 : SELinux policy core utilities
Repo        : installed
Matched from: 
Other       : Provides-match: /usr/sbin/sestatus

To display the files that a package provides, use the repoquery utility, which is included in the yum-utils package. For example, the following command lists the files that the btrfs-progs package provides.

# repoquery -l btrfs-progs
/sbin/btrfs
/sbin/btrfs-convert
/sbin/btrfs-debug-tree
...

To uninstall a package, use the yum remove command, as shown in this example:

# yum remove xinetd
Loaded plugins: refresh-packagekit, security
Setting up Remove Process
Resolving Dependencies
--> Running transaction check
---> Package xinetd.x86_64 2:2.3.14-35.el6_3 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch          Version                   Repository          Size
================================================================================
Removing:
 xinetd        x86_64        2:2.3.14-35.el6_3         @ol6_latest        259 k

Transaction Summary
================================================================================
Remove        1 Package(s)

Installed size: 259 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Erasing    : 2:xinetd-2.3.14-35.el6_3.x86_64                              1/1 
  Verifying  : 2:xinetd-2.3.14-35.el6_3.x86_64                              1/1 

Removed:
  xinetd.x86_64 2:2.3.14-35.el6_3                                               

Complete!

The following table lists packages that you should not install or that you should remove using yum remove if they are already installed.

Package / Description

krb5-appl-clients

Kerberos versions of ftp, rcp, rlogin, rsh and telnet. If possible, use SSH instead.

rsh, rsh-server

rcp, rlogin, and rsh use unencrypted communication that can be snooped. Use SSH instead.

samba

Network services used by Samba. Remove this package if the system is not acting as an Active Directory server, a domain controller, or as a domain member, and it does not provide Microsoft Windows file and print sharing functionality.

talk, talk-server

talk is considered obsolete.

telnet, telnet-server

telnet uses unencrypted communication that can be snooped. Use SSH instead.

tftp, tftp-server

TFTP uses unencrypted communication that can be snooped. Use only if required to support legacy hardware. If possible, use SSH or other secure protocol instead.

xinetd

The security model used by the Internet listener daemon is deprecated.

ypbind, ypserv

The security model used by NIS is inherently flawed. Use an alternative such as LDAP or Kerberos instead.

23.9.2 Configuring System Logging

Verify that the system logging service rsyslog is running:

# service rsyslog status
rsyslogd (pid  1632) is running...

If the service is not running, start it and enable it to start when the system is rebooted:

# service rsyslog start
# chkconfig rsyslog on

Ensure that each log file referenced in /etc/rsyslog.conf exists and is owned and only readable by root:

# touch logfile
# chown root:root logfile
# chmod 0600 logfile

It is also recommended that you use a central log server and that you configure Logwatch on that server. See Section 23.7, “About System Logging”.
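As an added example (not part of the Oracle Linux guide), the following shell functions pull the file targets out of an rsyslog.conf and report any that are missing or that are not root-owned with mode 0600, which is the state the touch/chown/chmod commands above establish. It assumes a Linux system with awk and a stat that accepts -c (GNU coreutils or BusyBox); the sample configuration at the end is constructed in the Oracle Linux 6 default layout.

```shell
# rsyslog_logfiles: reads rsyslog.conf on stdin and prints the file targets
# of its selector lines. A target is the second field when it starts with
# / or -/ (the leading - tells rsyslog not to sync after every write);
# targets that are user lists (*), remote hosts (@host) or pipes (|) are
# skipped, as are comments, blank lines and $Directives.
rsyslog_logfiles() {
    awk '
        /^[[:space:]]*(#|\$|$)/ { next }
        $2 ~ /^-?\// { sub(/^-/, "", $2); print $2 }
    '
}

# check_rsyslog_logfiles: reads rsyslog.conf on stdin and prints
#   PATH MISSING        for a target that does not exist, or
#   PATH OWNER MODE     for one that is not owned by root with mode 600.
# Nothing is printed for files that already match the recommendation.
check_rsyslog_logfiles() {
    rsyslog_logfiles | while IFS= read -r path; do
        if [ ! -e "$path" ]; then
            printf '%s MISSING\n' "$path"
            continue
        fi
        owner=$(stat -c '%U' "$path")
        mode=$(stat -c '%a' "$path")
        if [ "$owner" != root ] || [ "$mode" != 600 ]; then
            printf '%s %s %s\n' "$path" "$owner" "$mode"
        fi
    done
}

# fix_rsyslog_logfile PATH: the three commands from the text (needs root), e.g.
#   check_rsyslog_logfiles < /etc/rsyslog.conf |
#       while read -r p rest; do fix_rsyslog_logfile "$p"; done
fix_rsyslog_logfile() {
    touch "$1" && chown root:root "$1" && chmod 0600 "$1"
}

# Constructed sample configuration (not a real system's file).
SAMPLE_RSYSLOG_CONF='$ModLoad imuxsock
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              -/var/log/secure
*.emerg                                                 *'
```

Run `check_rsyslog_logfiles < /etc/rsyslog.conf` as root; an empty result means every target exists with the recommended ownership and mode.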

23.9.3 Disabling Core Dumps

Core dumps can contain information that an attacker might be able to exploit and they take up a large amount of disk space. To prevent the system creating core dumps when the operating system terminates a program due to a segment violation or other unexpected error, add the following line to /etc/security/limits.conf:

*  hard  core  0

You can restrict access to core dumps to certain users or groups, as described in the limits.conf(5) manual page.

By default, the system prevents setuid and setgid programs, programs that have changed credentials, and programs whose binaries do not have read permission from dumping core. To ensure that the setting is permanently recorded, add the following lines to /etc/sysctl.conf:

# Disallow core dumping by setuid and setgid programs
fs.suid_dumpable = 0

and then run the sysctl -p command.

Note

A value of 1 permits core dumps that are readable by the owner of the dumping process. A value of 2 permits core dumps that are readable only by root for debugging purposes.

23.9.4 Minimizing Active Services

Restrict services to only those that a server requires. The default installation for an Oracle Linux server configures a minimal set of services:

cupsd and lpd (print services)

sendmail (email delivery service)

sshd (OpenSSH service)

If possible, configure one type of service per physical machine, virtual machine, or Linux Container. This technique limits exposure if a system is compromised.

If a service is not used, remove the software packages that are associated with the service. If it is not possible to remove a service because of software dependencies, use the chkconfig and service commands to disable the service.

For services that are in use, apply the latest Oracle support patches and security updates to keep software packages up to date. To protect against unauthorized changes, ensure that the /etc/services file is owned by root and writable only by root.

# ls -Z /etc/services
-rw-r--r--. root root system_u:object_r:etc_t:SystemLow /etc/services

Unless specifically stated otherwise, consider disabling the services in the following table if they are not used on your system:

Service / Description

anacron

Executes commands periodically. Primarily intended for use on laptop and user desktop machines that do not run continuously.

apmd

(Advanced Power Management Daemon) Provides information on power management and battery status, and allows programmed response to power management events. Primarily intended for use on laptop machines.

automount

Manages mount points for the automatic file-system mounter. Disable this service on servers that do not require automounter functionality.

bluetooth

Supports the connections of Bluetooth devices. Primarily intended for use on laptop and user desktop machines. Bluetooth provides an additional potential attack surface. Disable this service on servers that do not require Bluetooth functionality.

firstboot

Configures a system when you first log in after installation. Controlled by the /etc/rc.d/init.d/firstboot script. firstboot does not run unless RUN_FIRSTBOOT=YES is set in /etc/sysconfig/firstboot. If /etc/reconfigSys exists or if you specify reconfig in the kernel boot arguments, firstboot runs in reconfiguration mode. Disable this service on servers following successful installation.

gpm

(General Purpose Mouse) Provides support for the mouse pointer in a text console.

haldaemon

(Hardware Abstraction Layer Daemon) Maintains a real-time database of the devices that are connected to a system. Applications can use the HAL API to discover and interact with newly attached devices. Primarily intended for use on laptop and user desktop machines to support hot-plug devices.

Caution

Do not disable this service. Many applications rely on this functionality.

hidd

(Bluetooth Human Interface Device daemon) Provides support for Bluetooth input devices such as a keyboard or mouse. Primarily intended for use on laptop and user desktop machines. Bluetooth provides an additional potential attack surface. Disable this service on servers that do not require Bluetooth functionality.

irqbalance

Distributes hardware interrupts across processors on a multiprocessor system. Disable this service on servers that do not require this functionality.

iscsi

Controls logging in to iSCSI targets and scanning of iSCSI devices. Disable this service on servers that do not access iSCSI devices.

iscsid

Implements control and management for the iSCSI protocol. Disable this service on servers that do not access iSCSI devices.

kdump

Allows a kdump kernel to be loaded into memory at boot time or a kernel dump to be saved if the system panics. Disable this service on servers that you do not use for debugging or testing.

mcstrans

Controls the SELinux Context Translation System service.

mdmonitor

Checks the status of all software RAID arrays on the system. Disable this service on servers that do not use software RAID.

messagebus

Broadcasts notifications of system events and other messages relating to hardware events via the system-wide D-BUS message bus.

Caution

Do not disable this service. Many applications rely on this functionality.

microcode_ctl

Runs microcode that is required for IA32 processors only. Disable this service on servers that do not have such processors.

pcscd

(PC/SC Smart Card Daemon) Supports communication with smart-card readers. Primarily intended for use on laptop and user desktop machines to support smart-card authentication. Disable this service on servers that do not use smart-card authentication.

sandbox

Sets up /tmp, /var/tmp, and home directories to be used with the pam_namespace, sandbox, and xguest application confinement utilities. Disable this service if you do not use these programs.

setroubleshoot

Controls the SELinux Troubleshooting service, which provides information about SELinux Access Vector Cache (AVC) denials to the sealert tool.

smartd

Communicates with the Self-Monitoring, Analysis and Reporting Technology (SMART) systems that are integrated into many ATA-3 and later, and SCSI-3 disk drives. SMART systems monitor disk drives to measure reliability, predict disk degradation and failure, and perform drive testing.

xfs

Caches fonts in memory to improve the performance of X Window System applications.

You should consider disabling the following network services if they are not used on your system:

Service / Description

avahi-daemon

Implements Apple's Zero Configuration Networking (also known as Rendezvous or Bonjour). Primarily intended for use on laptop and user desktop machines to support music and file sharing. Disable this service on servers that do not require this functionality.

cups

Implements the Common UNIX Printing System. Disable this service on servers that do not need to provide this functionality.

hplip

Implements HP Linux Imaging and Printing to support faxing, printing, and scanning operations on HP inkjet and laser printers. Disable this service on servers that do not require this functionality.

isdn

(Integrated Services Digital Network) Provides support for network connections over ISDN devices. Disable this service on servers that do not directly control ISDN devices.

netfs

Mounts and unmounts network file systems, including NCP, NFS, and SMB. Disable this service on servers that do not require this functionality.

network

Activates all network interfaces that are configured to start at boot time.

NetworkManager

Switches network connections automatically to use the best connection that is available.

nfslock

Implements the Network Status Monitor (NSM) used by NFS. Disable this service on servers that do not require this functionality.

nmb

Provides NetBIOS name services used by Samba. Disable this service and remove the samba package if the system is not acting as an Active Directory server, a domain controller, or as a domain member, and it does not provide Microsoft Windows file and print sharing functionality.

portmap

Implements Remote Procedure Call (RPC) support for NFS. Disable this service on servers that do not require this functionality.

rhnsd

Queries the Unbreakable Linux Network (ULN) for updates and information.

rpcgssd

Used by NFS. Disable this service on servers that do not require this functionality.

rpcidmapd

Used by NFS. Disable this service on servers that do not require this functionality.

smb

Provides SMB network services used by Samba. Disable this service and remove the samba package if the system is not acting as an Active Directory server, a domain controller, or as a domain member, and it does not provide Microsoft Windows file and print sharing functionality.

To stop a service and prevent it from starting when you reboot the system, use the following commands:

# service service_name stop
# chkconfig service_name off

Alternatively, use the Service Configuration GUI (system-config-services) to configure services.
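As an added example (not from the guide), the functions below take the output of chkconfig --list, pick out the services from the two tables above that are enabled in runlevel 3 or 5, and turn them into the service/chkconfig commands just shown, printed for review rather than executed. The candidate list is assembled here from the tables (haldaemon, messagebus and network are left out because the tables say to keep them), and the listing at the end is a constructed sample.

```shell
# Candidates from the two tables above; haldaemon, messagebus and network are
# left out because the tables say to keep them. The list is assembled here
# from the tables, it is not something the guide ships.
DISABLE_CANDIDATES='anacron apmd automount bluetooth firstboot gpm hidd irqbalance
iscsi iscsid kdump mcstrans mdmonitor microcode_ctl pcscd sandbox setroubleshoot
smartd xfs avahi-daemon cups hplip isdn netfs NetworkManager nfslock nmb portmap
rhnsd rpcgssd rpcidmapd smb'

# enabled_candidates: reads "chkconfig --list" output on stdin and prints each
# candidate that is on in runlevel 3 or 5 (the multi-user runlevels a server
# boots into). xinetd-based entries ("  rsync:  off") have too few fields
# and are ignored.
enabled_candidates() {
    awk -v list="$DISABLE_CANDIDATES" '
        BEGIN { n = split(list, a); for (i = 1; i <= n; i++) cand[a[i]] = 1 }
        NF >= 8 && ($1 in cand) && ($5 == "3:on" || $7 == "5:on") { print $1 }
    '
}

# disable_commands: turns a list of service names (stdin) into the stop and
# chkconfig commands from the text. They are printed for review; pipe the
# output to sh only once you agree with every line.
disable_commands() {
    while IFS= read -r svc; do
        printf 'service %s stop\nchkconfig %s off\n' "$svc" "$svc"
    done
}

# Constructed sample listing (tabs replaced by spaces).
SAMPLE_CHKCONFIG_LIST='anacron        0:off 1:off 2:on  3:off 4:off 5:off 6:off
bluetooth      0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups           0:off 1:off 2:on  3:on  4:on  5:on  6:off
xinetd based services:
        rsync:  off'
```

On a live system: `chkconfig --list | enabled_candidates | disable_commands`, then run the printed commands once you have confirmed none of the services is needed.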

23.9.5 Locking Down Network Services

Note

It is recommended that you do not install the xinetd Internet listener daemon. If you do not need this service, remove the package altogether by using the yum remove xinetd command.

If you must enable xinetd on your system, minimize the network services that xinetd can launch by disabling those services that are defined in the configuration files in /etc/xinetd.d and which are not needed.

To counter potential Denial of Service (DoS) attacks, you can configure the resource limits for such services by editing /etc/xinetd.conf and related configuration files. For example, you can set limits for the connection rate, the number of connection instances to a service, and the number of connections from an IP address:

# Maximum number of connections per second and
# number of seconds for which a service is disabled
# if the maximum number of connections is exceeded
cps             = 50 10

# Maximum number of connections to a service
instances       = 50

# Maximum number of connections from an IP address
per_source      = 10

For more information, see the xinetd(8) and /etc/xinetd.conf(5) manual pages.

23.9.6 Configuring a Packet-filtering Firewall

You can configure the Netfilter feature to act as a packet-filtering firewall that uses rules to determine whether network packets are received, dropped, or forwarded.

The primary interfaces for configuring the packet-filter rules are the iptables and ip6tables utilities and the Firewall Configuration Tool GUI (system-config-firewall). By default, the rules should drop any packets that are not destined for a service that the server hosts or that originate from networks other than those to which you want to allow access.

In addition, Netfilter provides Network Address Translation (NAT) to hide IP addresses behind a public IP address, and IP masquerading to alter IP header information for routed packets. You can also set rule-based packet logging and define a dedicated log file in /etc/syslog.conf.

For more information, see Section 23.3, “About Packet-filtering Firewalls”.
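As an added example (not from the guide), the function below writes an iptables-restore ruleset that implements the default-drop policy described above: INPUT and FORWARD default to DROP, SSH is accepted only from an administrative network, the TCP ports the server hosts are accepted from anywhere, and whatever the policy is about to discard is logged with a rate limit. The ruleset is printed for review, not applied; 192.0.2.0/24 (an RFC 5737 documentation range) stands in for the administrative network.

```shell
# default_drop_ruleset ADMIN_CIDR [PORT...]
# Prints an iptables-restore ruleset to stdout: INPUT and FORWARD default to
# DROP, SSH is accepted only from ADMIN_CIDR, each PORT (TCP) is accepted
# from anywhere, everything else is logged (rate-limited) and then dropped
# by the chain policy.
default_drop_ruleset() {
    admin=$1
    shift
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH only from the administrative network
-A INPUT -s $admin -p tcp --dport 22 -m state --state NEW -j ACCEPT
EOF
    for port in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$port"
    done
    cat <<'EOF'
# log what the DROP policy is about to discard, at most 5 lines a minute
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 4
COMMIT
EOF
}
```

Save the output to a file, load it with `iptables-restore < file`, and run `service iptables save` so it is written to /etc/sysconfig/iptables for the next boot. The LOG lines arrive via the kernel facility; an rsyslog filter such as `:msg, contains, "iptables denied: " /var/log/iptables.log` sends them to a dedicated file.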

23.9.7 Configuring TCP Wrappers

The TCP wrappers feature mediates requests from clients to services, and controls access based on rules that you define in the /etc/hosts.deny and /etc/hosts.allow files. You can restrict and permit service access for specific hosts or whole networks. A common way of using TCP wrappers is to detect intrusion attempts. For example, if a known malicious host or network attempts to access a service, you can deny access and send a warning message about the event to a log file or to the system console.

For more information, see Section 23.4, “About TCP Wrappers”.
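As an added example (not from the guide), the following evaluator applies the decision order tcpd uses (a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted) to a daemon name and client address, so a rule set can be checked before it is deployed. It understands only ALL, exact addresses and dotted network prefixes such as 192.0.2. (no EXCEPT, netmasks or host names); the sample rules are constructed, use RFC 5737 addresses, and show the spawn option recording refused requests through syslog.

```shell
# tcpwrap_matches RULES DAEMON CLIENT
# RULES is the text of a hosts.allow or hosts.deny file. Prints the first
# rule ("daemon_list : client_list [: option ...]") matching DAEMON and
# CLIENT and exits 0; exits 1 when none matches. Lists are separated by
# commas or blanks; ALL matches anything; a client pattern ending in a dot,
# such as 192.0.2., matches every address starting with that prefix.
tcpwrap_matches() {
    printf '%s\n' "$1" | awk -v d="$2" -v c="$3" '
        function in_list(list, item, allow_prefix,    n, i, p) {
            n = split(list, p, "[ \t,]+")
            for (i = 1; i <= n; i++) {
                if (p[i] == "ALL" || p[i] == item) return 1
                if (allow_prefix && p[i] ~ /\.$/ && index(item, p[i]) == 1) return 1
            }
            return 0
        }
        /^[[:space:]]*(#|$)/ { next }
        {
            n = split($0, f, ":")
            if (n >= 2 && in_list(f[1], d, 0) && in_list(f[2], c, 1)) { print; found = 1; exit }
        }
        END { exit !found }
    '
}

# tcpwrap_decision ALLOW_RULES DENY_RULES DAEMON CLIENT -> ALLOW or DENY,
# in tcpd order: hosts.allow match grants, else hosts.deny match refuses,
# else access is granted. On a live system:
#   tcpwrap_decision "$(cat /etc/hosts.allow)" "$(cat /etc/hosts.deny)" sshd 192.0.2.10
tcpwrap_decision() {
    if tcpwrap_matches "$1" "$3" "$4" >/dev/null; then
        echo ALLOW
    elif tcpwrap_matches "$2" "$3" "$4" >/dev/null; then
        echo DENY
    else
        echo ALLOW
    fi
}

# Constructed sample rules (RFC 5737 addresses): only the 192.0.2.0/24
# administrative network may reach sshd; every other request is refused and
# recorded through syslog by the spawn option, as the text suggests.
SAMPLE_HOSTS_ALLOW='# administrators
sshd : 192.0.2.'
SAMPLE_HOSTS_DENY='ALL : ALL : spawn (/bin/echo "%d refused from %c" | /usr/bin/logger -p authpriv.warning -t tcpwrappers) &'
```

Because hosts.allow is consulted first, the deny-everything rule only affects requests that no allow rule matched; the evaluator prints the rule that fired so you can see which one decided a case.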

23.9.8 Configuring Kernel Parameters

You can use several kernel parameters to counteract various kinds of attack.

kernel.randomize_va_space controls Address Space Layout Randomization (ASLR), which can help defeat certain types of buffer overflow attacks. A value of 0 disables ASLR, 1 randomizes the positions of the stack, virtual dynamic shared object (VDSO) page, and shared memory regions, and 2 randomizes the positions of the stack, VDSO page, shared memory regions, and the data segment. The default and recommended setting is 2.

net.ipv4.conf.all.accept_source_route controls the handling of source-routed packets, which might have been generated outside the local network. A value of 0 rejects such packets, and 1 accepts them. The default and recommended setting is 0.

net.ipv4.conf.all.rp_filter controls reverse-path filtering of received packets to counter IP address spoofing. A value of 0 disables source validation, 1 causes packets to be dropped if the routing table entry for their source address does not match the network interface on which they arrive, and 2 causes packets to be dropped if source validation by reverse path fails (see RFC 1812). The default setting is 0. A value of 2 can cause otherwise valid packets to be dropped if the local network topology is complex and RIP or static routes are used.

net.ipv4.icmp_echo_ignore_broadcasts controls whether ICMP broadcasts are ignored to protect against Smurf DoS attacks. A value of 1 ignores such broadcasts, and 0 accepts them. The default and recommended setting is 1.

net.ipv4.icmp_ignore_bogus_error_responses controls whether bogus ICMP error responses are ignored. A value of 1 ignores such messages, and 0 accepts them. The default and recommended setting is 1.

To change the value of a kernel parameter, add the setting to /etc/sysctl.conf, for example:

kernel.randomize_va_space = 1

and then run the sysctl -p command.
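As an added example (not from the guide), the following audits a sysctl.conf and a limits.conf against the values recommended in this section and in Section 23.9.3 (core dumps). It reads the files on standard input rather than querying the running kernel, so it can be run against a configuration before sysctl -p applies it. The SYSCTL_EXPECTED table is assembled here from the text above (rp_filter is omitted because the text gives no single recommended value for it), and the sample configuration is constructed.

```shell
# Recommended values from this section and 23.9.3, as key=value lines.
# rp_filter is left out because the text gives no single recommended value.
SYSCTL_EXPECTED='fs.suid_dumpable=0
kernel.randomize_va_space=2
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1'

# sysctl_conf_value KEY: reads a sysctl.conf on stdin and prints the value it
# assigns to KEY (nothing if unset). As with sysctl -p, the last assignment
# wins; blanks around "=" and lines starting with # or ; are ignored.
sysctl_conf_value() {
    awk -F= -v k="$1" '
        /^[[:space:]]*(#|;|$)/ { next }
        { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
        $1 == k { v = $2 }
        END { print v }
    '
}

# audit_sysctl_conf: reads a sysctl.conf on stdin and prints one line
# "KEY EXPECTED ACTUAL" per recommended key whose value differs, with
# ACTUAL = UNSET when the file does not set the key. Silent when it all matches.
audit_sysctl_conf() {
    conf=$(cat)
    printf '%s\n' "$SYSCTL_EXPECTED" | while IFS='=' read -r key want; do
        have=$(printf '%s\n' "$conf" | sysctl_conf_value "$key")
        if [ -z "$have" ]; then
            printf '%s %s UNSET\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$key" "$want" "$have"
        fi
    done
}

# limits_core_disabled: reads limits.conf on stdin; succeeds if it holds the
# "*  hard  core  0" line from 23.9.3 (any amount of whitespace).
limits_core_disabled() {
    grep -Eq '^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0[[:space:]]*$'
}

# Constructed sample: ASLR weakened and the bogus-error setting missing.
SAMPLE_SYSCTL_CONF='# Disallow core dumping by setuid and setgid programs
fs.suid_dumpable = 0
kernel.randomize_va_space = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts=1'
```

On a live system run `audit_sysctl_conf < /etc/sysctl.conf` and `limits_core_disabled < /etc/security/limits.conf`; to compare against what the kernel is using right now rather than the file, `sysctl -n key` prints the current value of a key.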

23.9.9 Restricting Access to SSH Connections

The Secure Shell (SSH) allows protected, encrypted communication with other systems. As SSH is an entry point into the system, disable it if it is not required, or alternatively, edit the /etc/ssh/sshd_config file to restrict its use.

For example, the following setting does not allow root to log in using SSH:

PermitRootLogin no

You can restrict remote access to certain users and groups by specifying the AllowUsers, AllowGroups, DenyUsers, and DenyGroups settings, for example:

DenyUsers carol dan
AllowUsers alice bob

The ClientAliveInterval and ClientAliveCountMax settings cause sshd to disconnect a client automatically after a period of inactivity, for example:

# Disconnect client after 300 seconds of inactivity
ClientAliveCountMax 0
ClientAliveInterval 300

After making changes to the configuration file, restart the sshd service for your changes to take effect.

For more information, see the sshd_config(5) manual page.
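As an added example (not from the guide), the following reports the values sshd will actually use for the settings discussed above. The point it demonstrates is that sshd takes the first non-comment occurrence of a keyword and ignores later ones, so a hardening line appended to the end of the file may have no effect. Defaults are those of the OpenSSH 5.3 shipped with Oracle Linux 6; Match blocks are not modelled; both sample configurations are constructed.

```shell
# sshd_effective KEYWORD: reads sshd_config on stdin and prints the value that
# sshd will use for KEYWORD, i.e. the first non-comment occurrence (later
# duplicates are ignored), or nothing when the keyword is not set. Keywords
# are case-insensitive; settings inside Match blocks are not modelled here.
sshd_effective() {
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == k { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    '
}

# sshd_audit: reads sshd_config on stdin and prints one finding per line for
# the settings discussed above; prints nothing when they are all in place.
# Defaults are those of the OpenSSH 5.3 shipped with Oracle Linux 6.
sshd_audit() {
    cfg=$(cat)
    root=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin)
    [ "${root:-yes}" = no ] ||
        printf 'PermitRootLogin is "%s" (default yes); set it to no\n' "${root:-unset}"
    users=$(printf '%s\n' "$cfg" | sshd_effective AllowUsers)
    groups=$(printf '%s\n' "$cfg" | sshd_effective AllowGroups)
    [ -n "$users$groups" ] ||
        printf 'neither AllowUsers nor AllowGroups is set; every account with a password may log in\n'
    interval=$(printf '%s\n' "$cfg" | sshd_effective ClientAliveInterval)
    [ "${interval:-0}" -gt 0 ] ||
        printf 'ClientAliveInterval is "%s" (default 0); idle sessions never time out\n' "${interval:-unset}"
}

# Constructed samples: the first has the secure values commented out or
# shadowed by an earlier line, the second applies the settings from the text.
SAMPLE_SSHD_CONFIG='#PermitRootLogin no
PermitRootLogin yes
#AllowUsers alice bob
ClientAliveInterval 0
ClientAliveInterval 300'
HARDENED_SSHD_CONFIG='PermitRootLogin no
DenyUsers carol dan
AllowUsers alice bob
ClientAliveCountMax 0
ClientAliveInterval 300'
```

Run `sshd_audit < /etc/ssh/sshd_config` after editing; `sshd -t` checks the file for syntax errors before `service sshd restart`, which avoids locking yourself out with a daemon that refuses to start.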

23.9.10 Configuring File System Mounts, File Permissions, and File Ownerships

Use separate disk partitions for operating system and user data to prevent a full file system from impacting the operation of a server. For example, you might create separate partitions for /home, /tmp, /oracle, and so on.

Establish disk quotas to prevent a user from accidentally or intentionally filling up a file system and denying access to other users.

To prevent the operating system files and utilities from being altered during an attack, mount the /usr file system read-only. If you need to update any RPMs on the file system, use the -o remount,rw option with the mount command to remount /usr for both read and write access. After performing the update, use the -o remount,ro option to return the /usr file system to read-only mode.

To limit user access to non-root local file systems such as /tmp or removable storage partitions, specify the -o noexec,nosuid,nodev options to mount. These options prevent the execution of binaries (but not scripts), prevent the setuid bit from having any effect, and prevent the use of device files.

Use the find command to check for unowned files and directories on each file system, for example:

# find mount_point -mount -type f \( -nouser -o -nogroup \) -exec ls -l {} \;
# find mount_point -mount -type d \( -nouser -o -nogroup \) -exec ls -ld {} \;

Unowned files and directories might be associated with a deleted user account, they might indicate an error during software installation or removal, or they might be a sign of an intrusion on the system. Correct the permissions and ownership of the files and directories that you find, or remove them. If possible, investigate and correct the problem that led to their creation.

Use the find command to check for world-writable directories on each file system, for example:

# find mount_point -mount -type d -perm /o+w -exec ls -l {} \;

Investigate any world-writable directory that is owned by a user other than a system user. The user can remove or change any file that other users write to the directory. Correct the permissions and ownership of the directories that you find, or remove them.

You can also use find to check for setuid and setgid executables.

# find path -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;

If the setuid and setgid bits are set, an executable can perform a task that requires other rights, such as root privileges. However, buffer overrun attacks can exploit such executables to run unauthorized code with the rights of the exploited process.

If you want to stop a setuid or setgid executable from being used by non-root users, you can use the following commands to unset the setuid or setgid bit:

# chmod u-s file
# chmod g-s file

For example, you could use the chmod command to unset the setuid bit for the /bin/ping6 command:

# ls -al /bin/ping6
-rwsr-xr-x. 1 root root 36488 May 20  2011 /bin/ping6
# chmod u-s /bin/ping6
# ls -al /bin/ping6
-rwxr-xr-x. 1 root root 36488 May 20  2011 /bin/ping6
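As an added example (not from the guide), the following packages the checks in this section as shell functions: one reports which of noexec, nosuid and nodev an fstab entry lacks, and three wrap the find commands above with the -o alternatives grouped in parentheses so that -type applies to both branches and with -xdev (the POSIX spelling of -mount) to stay on one file system. The sample fstab is constructed.

```shell
# fstab_missing_options MOUNTPOINT...: reads fstab on stdin and prints
# "MOUNTPOINT OPTION" for each of noexec, nosuid and nodev that the entry
# lacks, or "MOUNTPOINT NOT-IN-FSTAB" when there is no entry at all.
fstab_missing_options() {
    fstab=$(cat)
    for mp in "$@"; do
        opts=$(printf '%s\n' "$fstab" | awk -v m="$mp" '!/^[[:space:]]*(#|$)/ && $2 == m { print $4 }')
        if [ -z "$opts" ]; then
            printf '%s NOT-IN-FSTAB\n' "$mp"
            continue
        fi
        for want in noexec nosuid nodev; do
            case ",$opts," in
                *",$want,"*) ;;
                *) printf '%s %s\n' "$mp" "$want" ;;
            esac
        done
    done
}

# The three find checks from the text, each confined to one file system
# (-xdev is the POSIX spelling of -mount) and with the -o alternatives
# grouped so that -type applies to both of them.
find_unowned() {
    find "$1" -xdev \( -type f -o -type d \) \( -nouser -o -nogroup \) -print
}
find_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -print
}
find_setxid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Constructed sample fstab: /tmp mounted with bare defaults, /home hardened.
SAMPLE_FSTAB='# <device>            <mount>   <type>  <options>                    <dump> <pass>
/dev/mapper/vg-root    /         ext4    defaults                     1 1
/dev/mapper/vg-tmp     /tmp      ext4    defaults                     1 2
/dev/mapper/vg-home    /home     ext4    defaults,nodev,nosuid,noexec 1 2'
```

After adding the options to /etc/fstab, `mount -o remount /tmp` applies them without a reboot, in the same way the text remounts /usr. Pipe the find output through `xargs ls -ld` when you want the ownership and mode of each hit.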

The following table lists programs for which you might want to consider unsetting setuid and setgid:

Program File / Bit Set / Description of Usage

/bin/ping

setuid

Sends an ICMP ECHO_REQUEST to a network host.

/bin/ping6

setuid

Sends an ICMPv6 ECHO_REQUEST to a network host.

/bin/cgexec

setgid

Runs a task in a control group.

/sbin/mount.nfs

setuid

Mounts an NFS file system.

Note

/sbin/mount.nfs4, /sbin/umount.nfs, and /sbin/umount.nfs4 are symbolic links to this file.

/sbin/netreport

setgid

Requests notification of changes to network interfaces.

/usr/bin/chage

setuid

Finds out password aging information (via the -l option).

/usr/bin/chfn

setuid

Changes finger information.

/usr/bin/chsh

setuid

Changes the login shell.

/usr/bin/crontab

setuid

Edits, lists, or removes a crontab file.

/usr/bin/wall

setgid

Sends a system-wide message.

/usr/bin/write

setgid

Sends a message to another user.

/usr/bin/Xorg

setuid

Invokes the X Windows server.

/usr/libexec/openssh/ssh-keysign

setuid

Runs the SSH helper program for host-based authentication.

/usr/sbin/suexec

setuid

Switches user before executing external CGI and SSI programs. This program is intended to be used by the Apache HTTP server. For more information, see http://httpd.apache.org/docs/2.2/suexec.html.

/usr/sbin/usernetctl

setuid

Controls network interfaces. Permission for a user to alter the state of a network interface also requires USERCTL=yes to be set in the interface file. You can also grant users and groups the privilege to run the ip command by creating a suitable entry in the /etc/sudoers file.

Note

This list is not exhaustive as many optional packages contain setuid and setgid programs.

23.9.11 Checking User Accounts and Privileges

Check the system for unlocked user accounts on a regular basis, for example using a command such as the following:

# for u in $(cut -d: -f1 /etc/passwd | sort); do passwd -S "$u"; done
abrt LK 2012-06-28 0 99999 7 -1 (Password locked.)
adm LK 2011-10-13 0 99999 7 -1 (Alternate authentication scheme in use.)
apache LK 2012-06-28 0 99999 7 -1 (Password locked.)
avahi LK 2012-06-28 0 99999 7 -1 (Password locked.)
avahi-autoipd LK 2012-06-28 0 99999 7 -1 (Password locked.)
bin LK 2011-10-13 0 99999 7 -1 (Alternate authentication scheme in use.)
...

In the output from this command, the second field shows if a user account is locked (LK), does not have a password (NP), or has a valid password (PS). The third field shows the date on which the user last changed their password. The remaining fields show the minimum age, maximum age, warning period, and inactivity period for the password and additional information about the password's status. The unit of time is days.

Use the passwd command to set passwords on any accounts that are not protected.

Use passwd -l to lock unused accounts. Alternatively, use userdel to remove the accounts entirely.

For more information, see the passwd(1) and userdel(8) manual pages.

To specify how users' passwords are aged, edit the following settings in the /etc/login.defs file:

Setting / Description

PASS_MAX_DAYS

Maximum number of days for which a password can be used before it must be changed. The default value is 99,999 days.

PASS_MIN_DAYS

Minimum number of days that is allowed between password changes. The default value is 0 days.

PASS_WARN_AGE

Number of days warning that is given before a password expires. The default value is 7 days.

For more information, see the login.defs(5) manual page.

To change how long a user's account can be inactive before it is locked, use the usermod command. For example, to set the inactivity period to 30 days:

# usermod -f 30 username

To change the default inactivity period for new user accounts, use the useradd command:

# useradd -D -f 30

A value of -1 specifies that user accounts are not locked due to inactivity.

For more information, see the useradd(8) and usermod(8) manual pages.

Verify that no user accounts other than root have a user ID of 0.

# awk -F":" '$3 == 0 { print $1 }' /etc/passwd
root
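As an added example (not from the guide), the following filters reduce the checks above to the lines that need attention: accounts that are not locked (NP or PS in the passwd -S output), PS accounts with no inactivity lock (candidates for usermod -f 30), and every account with UID 0. They read the listing or passwd file on standard input, so they work on a saved copy as well as on the live system; both samples are constructed.

```shell
# unprotected_accounts: reads "passwd -S" output on stdin and prints the name
# and status of accounts that are not locked: NP (no password) or PS
# (usable password). LK service accounts are filtered out.
unprotected_accounts() {
    awk '$2 == "NP" || $2 == "PS" { print $1, $2 }'
}

# never_inactivity_locked: reads "passwd -S" output on stdin and prints PS
# accounts whose inactivity period (seventh field) is -1, i.e. that will
# never be locked for inactivity; candidates for "usermod -f 30".
never_inactivity_locked() {
    awk '$2 == "PS" && $7 == -1 { print $1 }'
}

# uid0_accounts: reads /etc/passwd on stdin and prints every name with UID 0;
# anything other than root is suspect.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# Constructed sample output of the passwd -S loop above, and a constructed
# passwd file with a second UID-0 account.
SAMPLE_PASSWD_S='abrt LK 2012-06-28 0 99999 7 -1 (Password locked.)
alice PS 2012-06-28 0 90 7 30 (Password set, SHA512 crypt.)
apache LK 2012-06-28 0 99999 7 -1 (Password locked.)
guest NP 2012-06-28 0 99999 7 -1 (Empty password.)
root PS 2012-06-28 0 99999 7 -1 (Password set, SHA512 crypt.)'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second uid 0 account:/:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash'
```

On a live system: `for u in $(cut -d: -f1 /etc/passwd | sort); do passwd -S "$u"; done | unprotected_accounts` and `uid0_accounts < /etc/passwd`; an NP account needs a password set with passwd or locking with passwd -l before anything else.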

If you install software that creates a default user account and password, change the vendor's default password immediately. Centralized user authentication using an LDAP implementation such as OpenLDAP can help to simplify user authentication and management tasks, and also reduces the risk arising from unused accounts or accounts without a password.

By default, an Oracle Linux system is configured so that you cannot log in directly as root. You must log in as a named user before using either su or sudo to perform tasks as root. This configuration allows system accounting to trace the original login name of any user who performs a privileged administrative action. If you want to grant certain users authority to be able to perform specific administrative tasks via sudo, use the visudo command to modify the /etc/sudoers file. For example, the following entry grants the user erin the same privileges as root when using sudo, but defines a limited set of privileges to frank so that he can run commands such as chkconfig, service, rpm, and yum:

erin           ALL=(ALL)       ALL
frank          ALL= SERVICES, SOFTWARE

23.9.11.1 Configuring User Authentication and Password Policies

The Pluggable Authentication Modules (PAM) feature allows you to enforce strong user authentication and password policies, including rules for password complexity, length, age, expiration and the reuse of previous passwords. You can configure PAM to block user access after too many failed login attempts, after normal working hours, or if too many concurrent sessions are opened.

PAM is highly customizable by its use of different modules with customizable parameters. For example, the default password integrity checking module pam_cracklib.so tests password strength. The PAM configuration file (/etc/pam.d/system-auth) contains the following default entries for testing a password's strength:

password  requisite   pam_cracklib.so try_first_pass retry=3 type=
password  sufficient  pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password  required    pam_deny.so

The line for pam_cracklib.so defines that a user gets three attempts to choose a good password. From the module's default settings, the password length must be a minimum of six characters, of which three characters must be different from the previous password.

The line for pam_unix.so specifies that the module is not to perform password checking (pam_cracklib will already have performed such checks), to use SHA-512 password hashing, to allow access if the existing password is null, and to use the /etc/shadow file.

You can modify the control flags and module parameters to change the checking that is performed when a user changes his or her password, for example:

password  required  pam_cracklib.so retry=3 minlen=8 difok=5 minclass=-1
password  required  pam_unix.so use_authtok sha512 shadow remember=5
password  required  pam_deny.so

The line for pam_cracklib.so defines that a user gets three attempts to choose a good password with a minimum of eight characters, of which five characters must be different from the previous password, and which must contain at least one upper case letter, one lower case letter, one numeric digit, and one non-alphanumeric character.

The line for pam_unix.so specifies that the module is not to perform password checking, to use SHA-512 password hashing, to use the /etc/shadow file, and to save information about the previous five passwords for each user in the /etc/security/opasswd file. As nullok is not specified, a user cannot change his or her password if the existing password is null.

The omission of the try_first_pass keyword means that the user is always asked for their existing password, even if he or she entered it for the same module or for a previous module in the stack.

Alternative modules are available for password checking, such as pam_passwdqc.so.
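As an added example (not from the guide and not pam_cracklib's own algorithm), the function below is a simplified stand-in for the checks that the second configuration above turns on (minlen=8, difok=5, minclass=-1), so you can see which candidate passwords such a policy rejects before rolling it out. pam_cracklib's real minlen check includes class credits and its difok measure is a distance between the two passwords; this version applies plain length, class-count and "characters not present in the old password" rules instead. Because the values are passed to awk with -v, backslashes in a password are interpreted as escapes.

```shell
# password_check NEW OLD [MINLEN] [DIFOK] [MINCLASS]
# Simplified stand-in for the pam_cracklib checks enabled above: defaults are
# minlen=8, difok=5, minclass=-1 (all four classes). Prints one REJECT line
# per failed rule and returns 1; returns 0 when NEW passes.
password_check() {
    new=$1; old=$2; minlen=${3:-8}; difok=${4:-5}; minclass=${5:-"-1"}
    if [ "$minclass" -eq -1 ]; then
        minclass=4
    fi
    fail=0
    if [ ${#new} -lt "$minlen" ]; then
        printf 'REJECT shorter than %s characters\n' "$minlen"
        fail=1
    fi
    # count the character classes present: upper, lower, digit, other
    classes=0
    case $new in *[[:upper:]]*) classes=$((classes + 1)) ;; esac
    case $new in *[[:lower:]]*) classes=$((classes + 1)) ;; esac
    case $new in *[[:digit:]]*) classes=$((classes + 1)) ;; esac
    case $new in *[![:alnum:]]*) classes=$((classes + 1)) ;; esac
    if [ "$classes" -lt "$minclass" ]; then
        printf 'REJECT only %s of %s character classes\n' "$classes" "$minclass"
        fail=1
    fi
    # characters of NEW that do not occur anywhere in OLD
    changed=$(awk -v n="$new" -v o="$old" 'BEGIN {
        for (i = 1; i <= length(n); i++) if (index(o, substr(n, i, 1)) == 0) c++
        print c + 0 }')
    if [ "$changed" -lt "$difok" ]; then
        printf 'REJECT only %s characters differ from the old password (need %s)\n' "$changed" "$difok"
        fail=1
    fi
    return $fail
}
```

For example, `password_check 'password1' 'password'` is rejected twice (only two character classes, and only one character that the old password did not contain), while a password with all four classes and at least eight characters passes.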

For more information, see Section 21.7, “About Pluggable Authentication Modules” and the pam_cracklib(8), pam_deny(8), pam_passwdqc(8), and pam_unix(8) manual pages.