Chapter 2 - General Principles of Information Security
The United States' National Security Agency (NSA) provides hardening guides and hardening tips for many different operating systems to help government agencies, businesses, and individuals secure their systems against attacks. In addition to specific settings to change, a set of general principles has been developed to give you a high-level view of information security.
- Encrypt all data transmitted over the network. Encrypting authentication information (such as passwords) is particularly important.
- Minimize the amount of software installed and running in order to minimize vulnerability.
- Use security-enhancing software and tools whenever available (e.g. SELinux and IPTables).
- Run each network service on a separate server whenever possible. This minimizes the risk that a compromise of one service could lead to a compromise of others.
- Maintain user accounts. Create a good password policy and enforce its use. Delete unused user accounts.
- Review system and application logs on a routine basis. Send logs to a dedicated log server. This prevents intruders from easily avoiding detection by modifying the local logs.
- Never log in directly as root, unless absolutely necessary. Administrators should use sudo to execute commands as root when required. The accounts capable of using sudo are specified in /etc/sudoers, which is edited with the visudo utility. By default, relevant logs are written to /var/log/secure.
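The log-review and sudo principles above can be checked together. The following shell function is an added example, not part of the original guide: it scans text in the usual /var/log/secure format for direct root logins over SSH and for sudo activity. The sample lines, host name, user names, and addresses are constructed.

```shell
#!/bin/sh
# Added example: summarise root-related events from /var/log/secure-style text.

# Constructed sample lines in the common sshd/sudo syslog format (not real data).
sample_log() {
cat <<'EOF'
Mar  3 10:15:01 web01 sshd[1234]: Accepted password for root from 192.0.2.10 port 51234 ssh2
Mar  3 10:16:22 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/messages
Mar  3 10:18:02 web01 sshd[1300]: Failed password for root from 192.0.2.55 port 40022 ssh2
Mar  3 10:20:11 web01 sudo:  mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash
Mar  3 10:21:40 web01 sshd[1310]: Accepted publickey for alice from 192.0.2.20 port 40100 ssh2
EOF
}

# Reads log text on stdin and prints one "CATEGORY detail" line per finding:
#   DIRECT_ROOT_LOGIN <source>   root logged in directly over SSH
#   FAILED_ROOT_LOGIN <source>   failed SSH authentication attempt as root
#   SUDO_DENIED <user>           account tried sudo but is not in /etc/sudoers
#   SUDO_COMMAND <user> <cmd>    command run through sudo
audit_root_access() {
  awk '
    # Return the field that follows the first field matching the regex "word".
    function after(word,   i) {
      for (i = 1; i < NF; i++) if ($i ~ word) return $(i + 1)
      return "?"
    }
    / sshd\[[0-9]+\]: Accepted [^ ]+ for root from / {
      print "DIRECT_ROOT_LOGIN", after("^from$"); next
    }
    / sshd\[[0-9]+\]: Failed [^ ]+ for root from / {
      print "FAILED_ROOT_LOGIN", after("^from$"); next
    }
    # Denials are matched before the generic COMMAND rule, since both contain COMMAND=.
    / sudo(\[[0-9]+\])?: .* user NOT in sudoers / {
      print "SUDO_DENIED", after("^sudo(\\[[0-9]+\\])?:$"); next
    }
    / sudo(\[[0-9]+\])?: .*COMMAND=/ {
      cmd = $0; sub(/.*COMMAND=/, "", cmd)
      print "SUDO_COMMAND", after("^sudo(\\[[0-9]+\\])?:$"), cmd
    }
  '
}

# Demonstration on the constructed sample; on a real host, run as root:
#   audit_root_access < /var/log/secure
sample_log | audit_root_access
```

Running the same function on the dedicated log server rather than on the host itself keeps the result independent of any local log tampering.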
Tips, Guides, and Tools
Most of the above tips are very basic. Depending on your knowledge of Linux and how comfortable you are with modifying your system, some changes could be made to help make your installation more secure.
As mentioned above, the NSA has hardening guides and tips for securing Red Hat Enterprise Linux 5. Likewise, the Defense Information Systems Agency (DISA) has an Information Assurance Support Environment in which they publish checklists and tests for verifying the security of your system. The documents from the NSA are a good read for anyone familiar with Linux, while the information from DISA is extremely specific, and advanced knowledge of Unix/Linux would be a great benefit.
Links to these documents are listed below. We will try to pull some of the larger items out of these documents and explain how to implement them in Fedora and why they are important.
In addition to documentation, DISA has made available SRR scripts that allow an administrator to check specific settings on a system quickly. The SRR scripts will provide an XML-formatted report listing any known vulnerable settings that you have on your system.
- Hardening Tips for the Red Hat Enterprise Linux 5 (PDF)
- Guide to the Secure Configuration of Red Hat Enterprise Linux 5 (PDF)