
EL6 PCI Hardening Guide

OpenSSH server config


#Edit /etc/ssh/sshd_config so that the following directives are set. sshd uses the first uncommented occurrence of a directive, so remove or comment out any duplicate further down the file:
Protocol 2 (already set in the EL6 default file)
PasswordAuthentication yes (the EL6 default; where users can be issued SSH keys, set this to no and use public-key authentication instead, which removes password guessing from the attack surface)
PermitEmptyPasswords no (uncomment)
PermitRootLogin no (change from yes to no; administrators log in as themselves and use sudo, which keeps the audit trail per person)
StrictModes yes (uncomment)
Banner /etc/message (the location does not matter, as long as the file exists and is referenced here; a sample banner is at the end of this guide)
Optional: Port 3404 (uncomment and change from 22 to a port of your liking; this only cuts scanner noise and is not a security control by itself)
If you change the port on a host with SELinux enforcing, also allow sshd to bind to it with semanage port -a -t ssh_port_t -p tcp 3404 (semanage is in the policycoreutils-python package); otherwise sshd will fail to start on the new port.
Open the new port in the firewall (next step) before restarting sshd, check the file parses with sshd -t, and then restart the daemon:
service sshd restart
Keep your current session open and confirm a fresh login on the new port works before you log out.
Edit /etc/sysconfig/iptables and add a rule like the following above the final "-A INPUT -j REJECT" line (rules are matched top-down, so anything placed after the REJECT is never reached):
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3404 -j ACCEPT
Restart the iptables service after making the changes:
service iptables restart
Once the new port is confirmed working, remove the existing "--dport 22" ACCEPT rule so the old port is closed.
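The ordering above (firewall rule first, then sshd) is easy to get wrong on a remote box, and a duplicate directive left lower in sshd_config silently wins. The script below is an added example, not part of the original guide: it sets the directives from this section on whatever sshd_config you point it at, reads back the value sshd would actually use, and inserts the iptables ACCEPT ahead of the catch-all REJECT. It assumes an sshd_config without Match blocks and the EL6 default layout of /etc/sysconfig/iptables; the banner path /etc/message and the port are the guide's own values.

```shell
#!/bin/sh
# Added example, not part of the original guide: apply the sshd_config
# settings above idempotently, read back what sshd would actually use, and
# place the firewall rule ahead of the catch-all REJECT. Every function takes
# a file path, so try it on copies first. Assumptions: no "Match" blocks in
# sshd_config (sshd honours the FIRST active occurrence of a keyword, so old
# lines are removed rather than added to) and an EL6-style
# /etc/sysconfig/iptables whose INPUT chain ends in "-A INPUT ... -j REJECT".

# Print the value sshd would use for KEY in FILE: the first uncommented line.
# Keywords are case-insensitive, so both sides are lowercased.
effective_sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Replace every line for KEY (active, "#Key", or "# Key") with "KEY VALUE",
# appending the directive if the file never mentioned it. The rewrite goes
# through cat so the original file keeps its owner and mode.
set_sshd_directive() {
    sd_file=$1 sd_key=$2 sd_value=$3
    sd_tmp=$(mktemp) || return 1
    awk -v k="$sd_key" -v v="$sd_value" '
        tolower($1) == tolower(k)                 { next }
        tolower($1) == ("#" tolower(k))           { next }
        $1 == "#" && tolower($2) == tolower(k)    { next }
        { print }
        END { print k " " v }' "$sd_file" > "$sd_tmp" && cat "$sd_tmp" > "$sd_file"
    rm -f "$sd_tmp"
}

# Apply the directives from the section above; the banner path matches the
# guide, the port defaults to 22 unless a second argument is given.
harden_sshd_config() {
    hs_file=$1 hs_port=${2:-22}
    set_sshd_directive "$hs_file" Protocol 2
    set_sshd_directive "$hs_file" PermitRootLogin no
    set_sshd_directive "$hs_file" PermitEmptyPasswords no
    set_sshd_directive "$hs_file" StrictModes yes
    set_sshd_directive "$hs_file" Banner /etc/message
    set_sshd_directive "$hs_file" Port "$hs_port"
}

# Return 0 when every hardened directive reads back as intended; otherwise
# report each mismatch on stderr and return 1. Run this before "service sshd
# restart", together with "sshd -t" for a syntax check.
verify_sshd_hardening() {
    vs_file=$1 vs_port=${2:-22} vs_rc=0
    for vs_pair in Protocol=2 PermitRootLogin=no PermitEmptyPasswords=no \
                   StrictModes=yes "Port=$vs_port"; do
        vs_key=${vs_pair%%=*} vs_want=${vs_pair#*=}
        vs_got=$(effective_sshd_value "$vs_file" "$vs_key")
        if [ "$vs_got" != "$vs_want" ]; then
            echo "MISMATCH $vs_key is '${vs_got:-unset}', want '$vs_want'" >&2
            vs_rc=1
        fi
    done
    [ -n "$(effective_sshd_value "$vs_file" Banner)" ] ||
        { echo "MISMATCH Banner is unset" >&2; vs_rc=1; }
    return $vs_rc
}

# Insert the NEW-connection ACCEPT for PORT immediately before the first
# "-A INPUT ... -j REJECT" line. iptables evaluates rules top-down, so a rule
# placed after the REJECT is never reached. A second run is a no-op.
insert_iptables_accept() {
    ia_file=$1 ia_port=$2
    ia_rule="-A INPUT -m state --state NEW -m tcp -p tcp --dport $ia_port -j ACCEPT"
    grep -qF -e "$ia_rule" "$ia_file" && return 0
    ia_tmp=$(mktemp) || return 1
    awk -v r="$ia_rule" '
        !done && /^-A INPUT .*-j REJECT/ { print r; done = 1 }
        { print }' "$ia_file" > "$ia_tmp" && cat "$ia_tmp" > "$ia_file"
    rm -f "$ia_tmp"
}
```

On a live host the order is: insert_iptables_accept on /etc/sysconfig/iptables and restart iptables, then harden_sshd_config and verify_sshd_hardening on /etc/ssh/sshd_config, then sshd -t and the sshd restart, keeping the existing session open until a new login on the new port succeeds.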
Limit history size
#Edit /etc/bashrc and append the following lines at the end of the file:
export HISTSIZE=10
export HISTFILESIZE=10
A user can override these in their own ~/.bashrc, so mark both variables readonly in the same file if the limit must be enforced.
Idle logout timeout
#Edit /etc/profile and append the following line at the end of the file (TMOUT is in seconds, so an idle shell is logged out after six minutes):
export TMOUT=360
As with the history variables, mark TMOUT readonly on the next line so users cannot unset it.
Disable physical restart by keyboard shortcut
#Disable the CTRL+ALT+DELETE keyboard shortcut by editing /etc/init/control-alt-delete.conf and commenting out both lines in the file, then run initctl reload-configuration so Upstart picks up the change:
#start on control-alt-delete
#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

Lock out unneeded accounts


#Lock all accounts that are not needed, such as games, operator, gopher, ftp, lp, uucp and news:
List every account with its UID and login shell:
awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
Identify the unneeded ones. They usually have a UID below 500 (system accounts on EL6), but there are exceptions, so check each entry rather than relying on the UID alone. For any of them whose shell is not already /sbin/nologin, set it:
usermod -s /sbin/nologin username
Then lock the password of each identified account:
usermod -L username
A locked account shows LK in the output of passwd -S username.
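The awk one-liner above lists everything; the work is deciding which entries still need action and confirming afterwards that the lock took. The script below is an added example, not part of the original guide: it takes passwd and shadow files as arguments (so it can be run on copies, or on /etc/passwd and /etc/shadow as root), lists system accounts that still have a login shell, checks the shadow entry for the "!" prefix that usermod -L writes, and prints the usermod commands still needed without running them. The 499 cut-off is EL6's UID_MIN of 500; the keep list exists for the exceptions the guide mentions. The sample passwd and shadow content in the test is constructed and deliberately mixes shells and lock states.

```shell
#!/bin/sh
# Added example, not part of the original guide: find system accounts that
# can still log in and work out which usermod commands are still needed.
# Works on the passwd/shadow files you name, so it can be pointed at copies
# or at /etc/passwd and /etc/shadow (the latter needs root to read).

# EL6 allocates UIDs from 500 upward to people (UID_MIN in login.defs), so
# anything at or below 499 is a system account. The guide notes exceptions
# exist, hence the explicit keep list in each function.
SYSTEM_UID_MAX=499

# Print "user:uid:shell" for system accounts whose shell still permits a
# login. root and any names given after the file are skipped.
list_shell_system_accounts() {
    la_file=$1; shift
    awk -F: -v max="$SYSTEM_UID_MAX" -v keep=" root $* " '
        $3 > max                                     { next }   # ordinary users
        index(keep, " " $1 " ")                      { next }   # on the keep list
        $7 == "/sbin/nologin" || $7 == "/bin/false"  { next }   # already harmless
        { print $1 ":" $3 ":" $7 }' "$la_file"
}

# Return 0 if USER's password field in SHADOW_FILE is locked, 1 if not, 2 if
# the user is missing. usermod -L prefixes the hash with "!"; "*" and "!!"
# are the no-valid-password markers EL6 ships for system accounts, and none
# of them can ever match a typed password.
account_is_locked() {
    al_status=$(awk -F: -v u="$2" '
        $1 == u {
            c = substr($2, 1, 1)
            rc = (c == "!" || c == "*") ? 0 : 1
            print rc; found = 1; exit
        }
        END { if (!found) print 2 }' "$1")
    return "$al_status"
}

# Print, without running them, the usermod commands that would bring every
# system account (except root and the keep list) to nologin shell + locked
# password. Review the output, then pipe it to sh to apply.
plan_account_lockdown() {
    pl_passwd=$1 pl_shadow=$2; shift 2
    awk -F: -v max="$SYSTEM_UID_MAX" -v keep=" root $* " '
        $3 > max || index(keep, " " $1 " ") { next }
        { print $1 ":" $7 }' "$pl_passwd" |
    while IFS=: read -r pl_user pl_shell; do
        [ "$pl_shell" = /sbin/nologin ] || echo "usermod -s /sbin/nologin $pl_user"
        account_is_locked "$pl_shadow" "$pl_user" || echo "usermod -L $pl_user"
    done
}
```

Running plan_account_lockdown /etc/passwd /etc/shadow on a host prints only the commands that are still missing, so a second run after applying them prints nothing, which doubles as the verification step.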
Remove unneeded packages
#List the installed packages first, then remove anything the server does not need:
rpm -qa | less
yum remove package-name
Setup password policy
#Edit /etc/login.defs and set the following values (they apply to accounts created from now on):
PASS_MAX_DAYS 45
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7
PASS_MIN_LEN is ignored on PAM-based systems such as EL6; the minimum length that is actually enforced is the pam_cracklib minlen setting below.
For existing users, run the following commands:
chage -M 45 username
chage -W 7 username
Verify that the changes were made successfully:
chage -l username
#Optional: Set the immutable bit on the following files:
chattr +i /etc/passwd*
chattr +i /etc/group*
chattr +i /etc/gshadow*

Warning: with the immutable bit set, every user or group change fails until you clear it with chattr -i, so each time you create a new user you will get an error such as "adduser: cannot open /etc/passwd". Note that the list above leaves /etc/shadow writable.

#Edit /etc/pam.d/password-auth and add the following line at the top of the auth section, before the pam_unix.so line:
auth required pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=900

Add the following line to the top of the account section:

account required pam_tally2.so

This locks an account for 900 seconds after three consecutive failed logins, root included; the account line resets the counter after a successful login. sshd on EL6 authenticates through password-auth, while console, su and sudo go through system-auth, so add the same two lines there if those paths must lock as well. A locked-out user is reset with pam_tally2 --user username --reset.

#Edit /etc/pam.d/system-auth and edit the pam_cracklib.so line to look like the following:
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1
The credit values must be negative: ucredit=-1 requires at least one upper-case character, whereas a positive ucredit=1 only awards a length credit for one and requires nothing. The same holds for dcredit (digits), ocredit (other characters) and lcredit (lower case).
PAM re-reads its configuration on every authentication, so nothing needs restarting. Do not run authconfig --updateall afterwards: on EL6 system-auth and password-auth are symlinks to the -ac files that authconfig regenerates from its own settings, and running it discards hand edits. If you need to keep using authconfig, replace the symlinks with regular copies of the files before editing them.
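Two mistakes in this section are silent: a positive pam_cracklib credit looks like a requirement but is only a length bonus, and a pam_tally2 line placed after pam_unix.so never counts a failed password. The script below is an added example, not part of the original guide: an audit of login.defs and the two PAM files against the policy above. Each function takes a file path, so it can be run on copies or on /etc/login.defs, /etc/pam.d/system-auth and /etc/pam.d/password-auth directly; it assumes the simple PAM control keywords EL6 ships (required, requisite, sufficient) rather than the bracketed form. The sample files in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the password-policy
# files from this section. Each function takes a file path so it can be run
# against copies or against /etc/login.defs, /etc/pam.d/system-auth and
# /etc/pam.d/password-auth directly. One "FAIL ..." line is printed per
# problem and the return status is non-zero if anything failed. Assumes the
# simple PAM control keywords EL6 ships (required, requisite, sufficient),
# not the bracketed "[success=1 ...]" form.

# First active value of KEY in a login.defs-style file (comments start with #).
login_defs_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Ageing and length thresholds from the guide: 45-day maximum, 7-day warning,
# 8-character minimum. PASS_MIN_LEN is checked for consistency only; on EL6
# the length that is actually enforced is pam_cracklib's minlen.
audit_login_defs() {
    ld_file=$1 ld_rc=0
    for ld_spec in PASS_MAX_DAYS:le:45 PASS_WARN_AGE:ge:7 PASS_MIN_LEN:ge:8; do
        ld_key=${ld_spec%%:*}; ld_rest=${ld_spec#*:}
        ld_op=${ld_rest%%:*}; ld_bound=${ld_rest#*:}
        ld_val=$(login_defs_value "$ld_file" "$ld_key")
        if [ -z "$ld_val" ]; then
            echo "FAIL $ld_key is not set"; ld_rc=1
        elif ! [ "$ld_val" -$ld_op "$ld_bound" ]; then
            echo "FAIL $ld_key=$ld_val (want -$ld_op $ld_bound)"; ld_rc=1
        fi
    done
    return $ld_rc
}

# Value of option NAME on a PAM module line, or empty if absent.
pam_opt() {
    printf '%s\n' "$1" | awk -v n="$2" '{
        for (i = 1; i <= NF; i++)
            if (split($i, kv, "=") == 2 && kv[1] == n) { print kv[2]; exit }
    }'
}

# pam_cracklib: minlen at least 8 and every *credit negative. A negative
# credit is a requirement ("at least one of this class"); a positive one is
# only a length bonus, so ucredit=1 requires nothing.
audit_pam_cracklib() {
    pc_file=$1 pc_rc=0
    pc_line=$(grep -E '^[[:space:]]*password[[:space:]]+[a-z]+[[:space:]]+pam_cracklib\.so' "$pc_file" | head -n 1)
    if [ -z "$pc_line" ]; then
        echo "FAIL no pam_cracklib.so password line"; return 1
    fi
    pc_minlen=$(pam_opt "$pc_line" minlen)
    if [ -z "$pc_minlen" ] || [ "$pc_minlen" -lt 8 ]; then
        echo "FAIL minlen=${pc_minlen:-unset} (want >= 8)"; pc_rc=1
    fi
    for pc_credit in ucredit lcredit dcredit ocredit; do
        pc_val=$(pam_opt "$pc_line" "$pc_credit")
        case $pc_val in
            -[1-9]*) ;;
            *) echo "FAIL $pc_credit=${pc_val:-unset} (must be negative to require the class)"; pc_rc=1 ;;
        esac
    done
    return $pc_rc
}

# pam_tally2: an auth line with a deny= threshold placed before pam_unix.so
# (so failures are counted before the password is checked), and an account
# line so the counter is reset on success.
audit_pam_tally2() {
    awk '
        $1 == "auth" && $3 ~ /pam_tally2\.so$/ && !ta {
            ta = NR
            for (i = 4; i <= NF; i++) if ($i ~ /^deny=[0-9]+$/) deny = 1
        }
        $1 == "auth" && $3 ~ /pam_unix\.so$/ && !ua { ua = NR }
        $1 == "account" && $3 ~ /pam_tally2\.so$/ && !tc { tc = NR }
        END {
            rc = 0
            if (!ta) { print "FAIL no auth pam_tally2.so line"; rc = 1 }
            else if (!deny) { print "FAIL auth pam_tally2.so has no deny= threshold"; rc = 1 }
            if (ta && ua && ta > ua) { print "FAIL auth pam_tally2.so must precede pam_unix.so"; rc = 1 }
            if (!tc) { print "FAIL no account pam_tally2.so line"; rc = 1 }
            exit rc
        }' "$1"
}

# Whole policy: login.defs, the file holding pam_cracklib (system-auth in the
# guide) and the file holding pam_tally2 (password-auth in the guide).
audit_password_policy() {
    ap_rc=0
    audit_login_defs "$1"   || ap_rc=1
    audit_pam_cracklib "$2" || ap_rc=1
    audit_pam_tally2 "$3"   || ap_rc=1
    return $ap_rc
}
```

On a host, audit_password_policy /etc/login.defs /etc/pam.d/system-auth /etc/pam.d/password-auth prints nothing and returns 0 when the section has been applied correctly; the existing-user ageing set with chage is a per-account property and still has to be checked with chage -l.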
Install HIDS
#Install Tripwire (available from EPEL) and set it up according to your requirements:
yum install tripwire
tripwire-setup-keyfiles
tripwire --init
The init step records the baseline, so run it only after the rest of this hardening is complete, and schedule tripwire --check from cron afterwards.
Install Antivirus
#Install ClamAV (RPMforge, Atomic or EPEL repos required):
yum install clamav clamd
Setup NTP
#Install ntp if not already installed (yum install ntp), then in /etc/ntp.conf comment out all the existing time servers and add your own:
server serverip/domain iburst
Enable the service with chkconfig ntpd on and start it with service ntpd start so it survives a reboot; accurate time matters here because the central log timestamps are what an investigation correlates on.

Setup centralized logging


#Edit /etc/rsyslog.conf and append the following line at the bottom (the existing local rules stay in place, so a copy of every message remains on the host):
*.* @logserverip/domain
A single @ sends over UDP, which is unreliable and unauthenticated; use @@ for TCP where the log server accepts it, and make sure the server's syslog port (514 by default) is open on the path to it.
Restart the daemon after making the changes:
service rsyslog restart
Disable ipv6 if not in use
#Optional: Edit /etc/sysctl.conf and append the following lines at the bottom to disable ipv6 on all adapters:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

After saving the file, run sysctl -p to apply the config.
Note: You may want the Tripwire and ClamAV reports mailed to you, which means setting up cron jobs for both. Make sure only server administrators have sudo rights on your servers, and that anyone else who does is limited to a few specific commands.
A sample banner:
*****************************************************************************
***                            !!! WARNING !!!                            ***
*** THIS IS A PRIVATE AND PROPRIETARY SYSTEM. ANY UNAUTHORIZED ACCESS     ***
*** TO OR MISUSE OF SYSTEMS OR DATA MAY RESULT IN CIVIL AND/OR CRIMINAL   ***
*** PROSECUTION, EMPLOYEE DISCIPLINE UP TO AND INCLUDING DISCHARGE, OR    ***
*** THE TERMINATION OF VENDOR/SERVICE CONTRACTS.                          ***
*****************************************************************************
***        !-!-! ACCESS AND USE OF THIS SYSTEM IS MONITORED !-!-!         ***
*****************************************************************************
