[unisog] Linux OS Hardening Guidelines

Bill Martin bmartin at luc.edu
Tue Oct 17 01:42:10 GMT 2006


"Best practices" is a good place to start (disable unneeded daemons,
remove unneeded accounts, users to groups, enable host-based firewall
opening only ports that are required, etc). Use SELinux or CHROOT
applications when/where you can and as needed. Remove setuid for
binaries, disable root logins (enable wheel group as needed and SU up to
root).  Google for "hardening Linux".  There are a number of docs out
there including the NSA checklist. 

Additionally, if you are looking for a tool that will tighten the server
up a bit, look into Bastille and the NSA checklist and baselines.

Now, be aware, as is the case w/ any O/S, what you do is going to depend
on your policy (if you have one), the daemons that you intend on
running, the actual distro of Linux (RedHat, SuSE, etc), and the manner
you are running it (workstation/server, public access, shell accounts
available, etc), where on the network it sits, etc.

Hope this helps.
-bill martin-
bmartin [ @ ] luc [ dot ] edu
Sr Server Administrator
Information Technology Services
Loyola University Chicago




>>> Tim Lane <tlane at scu.edu.au> 10/11/06 6:55 PM >>>

> Hi,
>
> I am looking for relatively high level 'checklist' style guidelines
> for Linux (and variants) OS hardening.  I envisage a 1-2 page checklist
> of principles plus some specific more technical recommendations.
>
> Would anyone have this sort of guideline documented that they would be
> able to forward to me?
>
> Much appreciated if anyone can help.
>
> Thanks,
>
> Tim

Tim Lane
Information Security Program Manager
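
An added example, not part of either poster's message: shell helpers that audit two items from the reply above (setuid binaries and root logins over SSH) so the results can be recorded against a checklist. The function names and the one-path-per-line allowlist file are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit helpers for a hardening checklist.
# Every path is passed in as an argument, so the functions can be
# pointed at a test tree as well as at / and /etc/ssh/sshd_config.

# Print every regular file under directory $1 that has the setuid or
# setgid bit set, sorted, without crossing into other filesystems.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print set-id files under $1 that are NOT listed in allowlist file $2
# (hypothetical format: one absolute path per line). Any output is a
# binary to review: strip the bit or add it to the allowlist.
unexpected_setid() {
    # grep exits 1 when nothing is left to print; that is not an error here.
    find_setid "$1" | grep -Fxv -f "$2" || [ $? -eq 1 ]
}

# Print the PermitRootLogin value from the sshd_config-style file $1.
# sshd uses the first value it obtains for a keyword and treats keyword
# names case-insensitively, so the first uncommented match wins.
# Prints "unset" when the directive is absent (compiled-in default applies).
# Limitation: Include files, Match blocks and "keyword=value" are not handled.
root_login_setting() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Typical use on a live host (run as root so find can read every directory):
#   unexpected_setid / /root/setid.allow
#   root_login_setting /etc/ssh/sshd_config
```

Keeping the allowlist under version control turns the setuid check into a drift detector: a package update that installs a new set-id binary shows up as new output.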

