Dear All, About a week ago; I posted a proposal over on the centos-devel mailing list, the proposal is for a SIG 'CentOS hardening', there were a few of the members of the community who are also interested in this. Therefore, I am extending that email to this community; where there is a larger community. Some things that we will like to achieve are as follows: SSH: disable root (uncomment 'PermitRootLogin' and change to no) enable 'strictMode' modify 'MaxAuthTries' modify 'ClientAliveInterval' modify 'ClientAliveCountMax' Gnome: disable Gnome user list Console: Remove reboot, halt poweroff from /etc/security/console.app Applying security best practises from various compliance perspective, e.g. STIG, SOX, PCI etc... We may also use NSA RHEL 5 secure configuration guide to get some insight or use it as a baseline. The members of the community who are interested in this SIG or are willing to contribute are: Leam Hall Corey Henderson Jason Pyeron You can find the post here [0] We will really like to get SIG approved by the CentOS board so if anyone is interested or willing to contribute we will be happy to have you onboard. [0] http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html -- Earl A Ramirez <earlaramirez at gmail.com>
I am very interested. One of my suggestions: Firewall: Network based firewall zone assignment (possibly disabling interface based assignment) Regards Tim Am 22. April 2015 07:13:52 MESZ, schrieb Earl A Ramirez <earlaramirez at gmail.com>:>Dear All, > >About a week ago; I posted a proposal over on the centos-devel mailing >list, the proposal is for a SIG 'CentOS hardening', there were a few of >the members of the community who are also interested in this. >Therefore, >I am extending that email to this community; where there is a larger >community. > >Some things that we will like to achieve are as follows: >SSH: >disable root (uncomment 'PermitRootLogin' and change to no) >enable 'strictMode' >modify 'MaxAuthTries' >modify 'ClientAliveInterval' >modify 'ClientAliveCountMax' > >Gnome: >disable Gnome user list > >Console: >Remove reboot, halt poweroff from /etc/security/console.app > >Applying security best practises from various compliance perspective, >e.g. STIG, SOX, PCI etc... We may also use NSA RHEL 5 secure >configuration guide to get some insight or use it as a baseline. The >members of the community who are interested in this SIG or are willing >to contribute are: >Leam Hall >Corey Henderson >Jason Pyeron > >You can find the post here [0] > >We will really like to get SIG approved by the CentOS board so if >anyone >is interested or willing to contribute we will be happy to have you >onboard. > >[0] >http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html > >-- >Earl A Ramirez <earlaramirez at gmail.com> > >_______________________________________________ >CentOS mailing list >CentOS at centos.org >http://lists.centos.org/mailman/listinfo/centos
apply also ideas from this document: https://benchmarks.cisecurity.org/downloads/show-single/?file=rhel6.130 -- Eero 2015-04-22 9:30 GMT+03:00 Tim <lists at kiuni.de>:> I am very interested. > > One of my suggestions: > > Firewall: > Network based firewall zone assignment (possibly disabling interface based > assignment) > > Regards > Tim > > Am 22. April 2015 07:13:52 MESZ, schrieb Earl A Ramirez < > earlaramirez at gmail.com>: > >Dear All, > > > >About a week ago; I posted a proposal over on the centos-devel mailing > >list, the proposal is for a SIG 'CentOS hardening', there were a few of > >the members of the community who are also interested in this. > >Therefore, > >I am extending that email to this community; where there is a larger > >community. > > > >Some things that we will like to achieve are as follows: > >SSH: > >disable root (uncomment 'PermitRootLogin' and change to no) > >enable 'strictMode' > >modify 'MaxAuthTries' > >modify 'ClientAliveInterval' > >modify 'ClientAliveCountMax' > > > >Gnome: > >disable Gnome user list > > > >Console: > >Remove reboot, halt poweroff from /etc/security/console.app > > > >Applying security best practises from various compliance perspective, > >e.g. STIG, SOX, PCI etc... We may also use NSA RHEL 5 secure > >configuration guide to get some insight or use it as a baseline. The > >members of the community who are interested in this SIG or are willing > >to contribute are: > >Leam Hall > >Corey Henderson > >Jason Pyeron > > > >You can find the post here [0] > > > >We will really like to get SIG approved by the CentOS board so if > >anyone > >is interested or willing to contribute we will be happy to have you > >onboard. > > > >[0] > >http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html > > > >-- > >Earl A Ramirez <earlaramirez at gmail.com> > > > >_______________________________________________ > >CentOS mailing list > >CentOS at centos.org > >http://lists.centos.org/mailman/listinfo/centos > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos >
On 04/22/15 01:13, Earl A Ramirez wrote:> Dear All, > > About a week ago; I posted a proposal over on the centos-devel mailing > list, the proposal is for a SIG 'CentOS hardening', there were a few of > the members of the community who are also interested in this. Therefore, > I am extending that email to this community; where there is a larger > community. > > Some things that we will like to achieve are as follows: > SSH: > disable root (uncomment 'PermitRootLogin' and change to no) > enable 'strictMode' > modify 'MaxAuthTries' > modify 'ClientAliveInterval' > modify 'ClientAliveCountMax' > > Gnome: > disable Gnome user list > > Console: > Remove reboot, halt poweroff from /etc/security/console.app > > Applying security best practises from various compliance perspective, > e.g. STIG, SOX, PCI etc... We may also use NSA RHEL 5 secure > configuration guide to get some insight or use it as a baseline. The > members of the community who are interested in this SIG or are willing > to contribute are: > Leam Hall > Corey Henderson > Jason Pyeron > > You can find the post here [0] > > We will really like to get SIG approved by the CentOS board so if anyone > is interested or willing to contribute we will be happy to have you > onboard. > > [0] > http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html >These are all wicked good ideas for machines connected to the internet. I hope you also plan on making it easy to turn off these otherwise useful "features" for systems with no exposure to the internet. Don't make it difficult/impossible to use rsync to back up between machines on the local intranet. Rsync has to run as root to access and maintain correct file ownership and permissions. -- _ ?v? /(_)\ ^ ^ Mark LaPierre Registered Linux user No #267004 https://linuxcounter.net/ ****
Am 23.04.2015 um 02:49 schrieb Mark LaPierre <marklapier at gmail.com>:> On 04/22/15 01:13, Earl A Ramirez wrote: >> Dear All, >> >> About a week ago; I posted a proposal over on the centos-devel mailing >> list, the proposal is for a SIG 'CentOS hardening', there were a few of >> the members of the community who are also interested in this. Therefore, >> I am extending that email to this community; where there is a larger >> community. >> >> Some things that we will like to achieve are as follows: >> SSH: >> disable root (uncomment 'PermitRootLogin' and change to no) >> enable 'strictMode' >> modify 'MaxAuthTries' >> modify 'ClientAliveInterval' >> modify 'ClientAliveCountMax' >> >> Gnome: >> disable Gnome user list >> >> Console: >> Remove reboot, halt poweroff from /etc/security/console.app >> >> Applying security best practises from various compliance perspective, >> e.g. STIG, SOX, PCI etc... We may also use NSA RHEL 5 secure >> configuration guide to get some insight or use it as a baseline. The >> members of the community who are interested in this SIG or are willing >> to contribute are: >> Leam Hall >> Corey Henderson >> Jason Pyeron >> >> You can find the post here [0] >> >> We will really like to get SIG approved by the CentOS board so if anyone >> is interested or willing to contribute we will be happy to have you >> onboard. >> >> [0] >> http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html >> > > These are all wicked good ideas for machines connected to the internet. > I hope you also plan on making it easy to turn off these otherwise > useful "features" for systems with no exposure to the internet. Don't > make it difficult/impossible to use rsync to back up between machines on > the local intranet. Rsync has to run as root to access and maintain > correct file ownership and permissions.grep OPTIONS /etc/sysconfig/sshd OPTIONS="-o PermitRootLogin=without-password" -- LF
On 22 April 2015 at 20:49, Mark LaPierre <marklapier at gmail.com> wrote:> On 04/22/15 01:13, Earl A Ramirez wrote: > > Dear All, > > > > About a week ago; I posted a proposal over on the centos-devel mailing > > list, the proposal is for a SIG 'CentOS hardening', there were a few of > > the members of the community who are also interested in this. Therefore, > > I am extending that email to this community; where there is a larger > > community. > > > > Some things that we will like to achieve are as follows: > > SSH: > > disable root (uncomment 'PermitRootLogin' and change to no) > > enable 'strictMode' > > modify 'MaxAuthTries' > > modify 'ClientAliveInterval' > > modify 'ClientAliveCountMax' > > > > Gnome: > > disable Gnome user list > > > > Console: > > Remove reboot, halt poweroff from /etc/security/console.app > > > > Applying security best practises from various compliance perspective, > > e.g. STIG, SOX, PCI etc... We may also use NSA RHEL 5 secure > > configuration guide to get some insight or use it as a baseline. The > > members of the community who are interested in this SIG or are willing > > to contribute are: > > Leam Hall > > Corey Henderson > > Jason Pyeron > > > > You can find the post here [0] > > > > We will really like to get SIG approved by the CentOS board so if anyone > > is interested or willing to contribute we will be happy to have you > > onboard. > > > > [0] > > http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html > > > > These are all wicked good ideas for machines connected to the internet. > I hope you also plan on making it easy to turn off these otherwise > useful "features" for systems with no exposure to the internet. Don't > make it difficult/impossible to use rsync to back up between machines on > the local intranet. Rsync has to run as root to access and maintain > correct file ownership and permissions. > > -- > _ > ?v? > /(_)\ > ^ ^ Mark LaPierre > Registered Linux user No #267004 > https://linuxcounter.net/ > **** > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos >Hello Mark, We understand and recognise that security should not affect the function of a business in our case the operating system, I "believe" that the goal of the hardening SIG will be to mitigate potential risks that can have significant consequences. Over on the centos-devel list it was mentioned that there will be a separate repo, therefore this means that packages will be created to meet the objectives of the hardening SIG. Currently we are trying to get the SIG approved, therefore, no clear picture has been worked out at this moment; however within a month or so it will be available. -- Kind Regards Earl Ramirez
On 22 April 2015 at 20:49, Mark LaPierre <marklapier at gmail.com> wrote:> On 04/22/15 01:13, Earl A Ramirez wrote: > > Dear All, > > > > About a week ago; I posted a proposal over on the centos-devel mailing > > list, the proposal is for a SIG 'CentOS hardening', there were a few of > > the members of the community who are also interested in this. Therefore, > > I am extending that email to this community; where there is a larger > > community. > > > > Some things that we will like to achieve are as follows: > > SSH: > > disable root (uncomment 'PermitRootLogin' and change to no) > > enable 'strictMode' > > modify 'MaxAuthTries' > > modify 'ClientAliveInterval' > > modify 'ClientAliveCountMax' > > > > Gnome: > > disable Gnome user list > > > > Console: > > Remove reboot, halt poweroff from /etc/security/console.app > > > > Applying security best practises from various compliance perspective, > > e.g. STIG, SOX, PCI etc... We may also use NSA RHEL 5 secure > > configuration guide to get some insight or use it as a baseline. The > > members of the community who are interested in this SIG or are willing > > to contribute are: > > Leam Hall > > Corey Henderson > > Jason Pyeron > > > > You can find the post here [0] > > > > We will really like to get SIG approved by the CentOS board so if anyone > > is interested or willing to contribute we will be happy to have you > > onboard. > > > > [0] > > http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html > > > > These are all wicked good ideas for machines connected to the internet. > I hope you also plan on making it easy to turn off these otherwise > useful "features" for systems with no exposure to the internet. Don't > make it difficult/impossible to use rsync to back up between machines on > the local intranet. Rsync has to run as root to access and maintain > correct file ownership and permissions. > > -- > _ > ?v? > /(_)\ > ^ ^ Mark LaPierre > Registered Linux user No #267004 > https://linuxcounter.net/ > **** > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos >Hello Mark, We understand and recognise that security should not affect the function of a business in our case the operating system, I "believe" that the goal of the hardening SIG will be to mitigate potential risks that can have significant consequences. Over on the centos-devel list it was mentioned that there will be a separate repo, therefore this means that packages will be created to meet the objectives of the hardening SIG. Currently we are trying to get the SIG approved, therefore, no clear picture has been worked out at this moment; however within a month or so it will be available. -- Kind Regards Earl Ramirez