similar to: freebsd kernel hardening tools

Hi, My boss asked me to harden a CentOS box by removing "hacker" tools, such as nmap, tcpdump, nc (netcat), telnet, etc. I would like to know which list of packages would you remove from a base install. I would appreciate if someone could point me to a "standard" way of doing this. I know there are procedures for hardening a machine (I remember reading about Bastille Linux)

Hi All:) I would like to start using a tool for automating of os hardening. I found some informations about Bastille. One things which attracted my attention is that in http://bastille-linux.sourceforge.net/news_updates.htm the last post is from January 29th, 2012 :D Is the tool ready to use at the moment with CentOS 6/7? Are there any alternatives which you can recommend? Thanks for all info

Has anyone got Bastille-linux running on Centos-5.6? http://bastille-linux.sourceforge.net claims RHEL5 support but I ran into problems running it on a Centos 5.6 test system. First I had to "ln -s /usr/lib64/Bastille /usr/lib" just to get it to run at all. Then I tried faking /etc/redhat-release with Red Hat Enterprise Linux Server release 5.6 ... but I get this (why would it want

Hello everybody, I'm a newbie in this list, so I don't know if it's the appropriate place for my question. Anyway, I'd be happy to find out the solution. Please, has anyone simple answer for: I'm looking for an exact list of files, which: 1. MUST have... 2. HAVE FROM BSD INSTALLATION... 3. DO NOT NEED... 4. NEVER MAY... ...the suid-bit set. Of course, it's no problem to

I have a client project to implement PCI/DSS compliance. The PCI/DSS auditor has stipulated that the web server, application middleware (tomcat), the db server have to be on different systems. In addition the auditor has also stipulated that there be a NTP server, a "patch" server, The Host OS on all of the above nodes will be CentOS 6.2. Below is a list of things that would be

Hi Guys, I would like advice for best practices to secure my linux boxes. Know if I have been hacked, know of security breaches, etc. Can anyone provide advice? -Jason

Hi, Some time ago one of my public servers (running Slackware64 14.0) got attacked and was misused to send phishing emails. This misadventure made me more concerned about security, so I spent the last few weeks catching up on security, reading docs about SELinux and how to use it, etc. I have a public sandbox server running CentOS 7, and I'm currently experimenting quite a lot with Apache

Has anyone also run Bastille on the Asterisk pbx? Here's the link: http://www.bastille-linux.org/ It's a Linux hardening add-on. I was wondering if it'd mess up my Asterisk installation if I also installed Bastille, if it was a good idea to install it and work through the problems that may arise - or if it's not necessary. Makarios Communications, LLC Network Monitoring,

Greetings, Apologies if this is not the appropriate list, but my questions are about best practices in maintaining production servers (so I believe I can justify a post in -stable, short of a -release list :) I maintain a modest installation of 6 FreeBSD servers. They're CVSUP'd to RELENG_4_8 (I make buildworld on each individually) and I portupgrade ports as necessary. In an attempt to

Hi All, I noticed that a few years back, someone from Puppet Labs (well Reductive Labs at that time) reached out to the openscap list in an attempt to collaborate on puppet modules: https://www.redhat.com/archives/open-scap-list/2010-March/msg00000.html it seems like the aqueduct project is/was working on a similar ''harden through puppet modules'' approach:

I'm finally biting the bullet, and replacing the 12-yr-old box that's been my firewall/router with an appliance. First, does anyone have any idea whether the WRT160 nl can use tomato? Second, is there any way, or any reason, I could/would want to run bastille against the firmware? mark

Hello all, I've been working for the last month or so on a comprehensive mitigation approach to variant #1 of Spectre. There are a bunch of reasons why this is desirable: - Critical software that is unlikely to be easily hand-mitigated (or where the performance tradeoff isn't worth it) will have a compelling option. - It gives us a baseline on performance for hand-mitigation. - Combined

Dear all, i Just finished setting up an apache service on a centos 5.2 VM machine. i need to secure this machine as i'm soon to be setting a public IP over it where i'd be opening up the following services: 1. http 2. https 3. ssh Things i've done so far: 1. stopped root ssh access in sshd.conf 2. tried configuring PAM so i get a more secure ssh passwords (dictionary wise) as

WE have a centos 5.3 install, and our server is keep getting hacked. We see load averages of 500+ and see people from all over the world logging into our server (used last). Is there a good place to start to avoid these kinds of things? For example, here is what I already did. Open up sshd port only setup iptables to only accept port 80 and 22 No FTP No other ports are allowed according to IP

We're running Fedora Core and Samba-3.0.8-0.pre1.3 and we're authenticating our Windows XP users against Active Directory running on Windows 2003. Everything works fine! But now we're trying to secure and harden our WinXP machines and now when any user logged into a secured WinXP they get the errormessage "The account is not authorized to log in from this station". I browsed

> On 30 March 2018 at 15:08 "A. Schulze" <sca at andreasschulze.de> wrote: > > > Hello, > > to build + packages dovecot I use the usual Debian tool chain. That includes build with selected GCC options and running lintian. > > I notice since a long time (read: many earlier versions, up to 2.2.35) this lintian warnings: > > I: dovecot-core:

Hi all, I have just started using shorewall. So far so good. I have two questions which I cant find an answer to either on the website or googling. They may be stupid so please forgive my ignorance. 1) What is shorewalls preferred operating status, running or stopped? What I mean is, some firewalls start-up and run, and they do their thing, then they stop. But the firewall is still really

Hi list Several people have physical access to my FreeBSD box and I have the feeling that somebody try to get access with boot -s options . Can I log activity after boot -s option (change user password, install software and etc.). I use boot -s and change user password, but after reboot i can't find this atcivity in log files. The BSD box is shutdown and run again many time at day. Best

Hello, to build + packages dovecot I use the usual Debian tool chain. That includes build with selected GCC options and running lintian. I notice since a long time (read: many earlier versions, up to 2.2.35) this lintian warnings: I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/auth N: N: This package provides an ELF binary that lacks the use of fortified libc N:

Hi Folks! I''m new to shorewall (in the process of switching from Bastille), and I have a question as to how to address using Bluetooth enabled Palms with a BT dongle on a linux box protected by shorewall. Basically I followed the directions located at http://www.metacon.ca/bcs/view.php?page=bluetooth to get things working strictly with iptables, specifically: echo