As a follow-up on changing the default password, I was running an overall security audit on a number of systems I manage, as part of a monthly administrative routine.
As many readers know, I try to inject security-consciousness into many of my columns and blog posts, referencing authentication, intrusion detection, spam prevention and other factors/products for securing your open source system. Thus, I decided to explore the Center for Internet Security’s benchmark tool for Linux. Currently it supports only Red Hat platforms (Enterprise Linux and the Fedora Cores).
Installation is as simple as untarring the download and switching to the root user. The tool is read-only, so there is no risk in executing the script. I ran the tool on my own dedicated web server as a test prior to shifting to any customer hardware. This particular server runs Fedora Core 3, uses iptables for firewalling, and allows ssh and sftp only for remote access. It also contains the usual LAMP-platform daemons, Tripwire for Linux for intrusion detection and change control on configuration files, and QMail as an MTA (running vpopmail, qmailadmin, tcpserver and spamassassin).
This box runs a tight ship and little is left to chance as far as possible cracks through which an intruder can slip. However, the CIS tool revealed an eye-opening number of details for tweaking the system to tighten it to an almost completely hardened level (short of turning off Apache, Qmail and MySQL), beyond the tuning I had carried out when building it.
In particular, I like that the tool takes note of services not necessary to starting or running the OS which can be disabled for the next reboot (e.g. Kudzu for hardware discovery, handy for a desktop scenario but not necessary for a server; CUPS for printing if no printing is needed; etc.).
Ideally, this benchmark would be run after a clean build of a Red Hat flavored box, tuning it prior to placing it into production. Since we do not live in a perfect world, I will simply build this tool into my process of checking and re-checking servers on a regular basis. I would encourage the same for all reading this.
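As an added example (my own illustration, not code from the post or from the CIS benchmark), the small POSIX shell script below does the kind of check the tool reports: it parses `chkconfig --list` output from a Red Hat/Fedora host, finds services switched on at the multi-user runlevels 3 or 5, and prints the `chkconfig <service> off` command for each one that appears on a list of services typically not needed on a headless server. The sample chkconfig output is constructed for offline use, and the list of service names beyond kudzu and cups is an assumption to adjust for each server's role. It only prints commands for review; it changes nothing.

```shell
#!/bin/sh
# Added example: review init-script services that chkconfig reports as enabled
# at the multi-user runlevels and flag the ones on a "not needed on a server"
# list. Output is a list of suggested `chkconfig <svc> off` commands to review;
# nothing is changed on the host.

# Services the post names as dispensable on a server (kudzu, cups) plus a few
# other desktop/hardware helpers (assumed list; tailor it to the server's role).
UNNEEDED="kudzu cups pcmcia isdn bluetooth"

# CONSTRUCTED sample of `chkconfig --list` output, used so the script runs
# offline. On a real host, feed it `chkconfig --list` instead.
SAMPLE_CHKCONFIG='kudzu           0:off 1:off 2:off 3:on  4:on  5:on  6:off
cups            0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
httpd           0:off 1:off 2:off 3:on  4:off 5:on  6:off
iptables        0:off 1:off 2:on  3:on  4:on  5:on  6:off
pcmcia          0:off 1:off 2:off 3:off 4:off 5:off 6:off'

# enabled_services: read chkconfig --list format on stdin and print the name of
# every service that is "on" at runlevel 3 or 5 (each name printed once).
enabled_services() {
    awk '{
        for (i = 2; i <= NF; i++)
            if ($i == "3:on" || $i == "5:on") { print $1; break }
    }'
}

# flag_unneeded: read chkconfig --list format on stdin and, for each enabled
# service found in $UNNEEDED, print the command that would disable it at the
# next reboot. Uses if/then rather than && so the loop always exits 0.
flag_unneeded() {
    enabled_services | while read -r svc; do
        for u in $UNNEEDED; do
            if [ "$svc" = "$u" ]; then
                echo "chkconfig $svc off"
            fi
        done
    done
}

# Run against the constructed sample when executed directly; on a real host use:
#   chkconfig --list | flag_unneeded
printf '%s\n' "$SAMPLE_CHKCONFIG" | flag_unneeded
```

With the constructed sample the script prints two lines, for kudzu and cups; sshd, httpd and iptables are enabled but left alone because they are not on the list, and pcmcia is already off everywhere.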
If you are running BSD, Solaris or Windows, see the CIS home page as there are benchmark tools for multiple platforms.