Maintaining Software
You can file an issue about it and ask that it be added.
Software mintenance is extremely important to maintaining a secure system. It is vital to patch software as soon as it becomes available in order to prevent attackers from using known holes to infiltrate your system.
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
gpgcheck=1- Configuring Yum and Yum Repositories [Official]
Software updates offer plenty of benefits. It’s all about revisions. These might include repairing security holes that have been discovered and fixing or removing bugs.
U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.
Some benefits:
- close up problems of security that has been discovered
- it can improve the stability of the system
- improvements the system stacks or network stacks
yum updateBefore updating the system, I do it in the console:
# This one-liner save the update process session:
script -t 2>~/upgrade.time -a ~/upgrade.scriptAlso these one-liners are important:
yum check-updateyum --security upgradeyum history undo <id>- Yum [Official]
- How to use yum history to roll back an update in Red Hat Enterprise Linux 6 , 7? [Official]
- In CentOS, what is the difference between yum update and yum upgrade?
The best protection against vulnerable software is running less software.
From C2S/CIS: These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Removing the rsh package removes the clients for rsh,rcp, and rlogin.
yum remove rshC2S/CIS: CCE-27274-0 (unknown)
From C2S/CIS: The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
systemctl disable rlogin.socketFrom C2S/CIS: The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
systemctl disable rexec.socketFrom C2S/CIS: The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
systemctl disable rsh.socketFrom C2S/CIS: Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.
rm /etc/hosts.equiv
rm ~/.rhostsFrom C2S/CIS: The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
# Edit /etc/xinetd.d/telnet:
disable = yesFrom C2S/CIS: The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session.
yum erase ypservFrom C2S/CIS: Disabling the tftp service ensures the system is not acting as a TFTP server, which does not provide encryption or authentication.
systemctl disable tftp.serviceFrom C2S/CIS: The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services.
systemctl disable xinetd.serviceFrom C2S/CIS: The talk software presents a security risk as it uses unencrypted protocols for communications.
yum erase talkFrom C2S/CIS: The talk software presents a security risk as it uses unencrypted protocols for communications.
yum erase talk-serverFrom C2S/CIS: Running FTP server software provides a network-based avenue of attack, and should be disabled if not needed. Furthermore, the FTP protocol is unencrypted and creates a risk of compromising sensitive information.
systemctl disable vsftpd.serviceC2S/CIS: CCE-80244-7 (Unknown)
From C2S/CIS: X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.
yum groupremove "X Window System"
yum remove xorg-x11-server-commonFrom C2S/CIS: Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.
systemctl disable avahi-daemon.serviceC2S/CIS: CCE-80338-7 (Unknown)
The C2S/CIS standard also explains the following services. You should consider which ones are use. If they are not use on the local system then this service should be disabled.
Only reason to have some of these services might be some kind of dependency issue.
From C2S/CIS: Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed.
systemctl disable snmpd.serviceC2S/CIS: CCE-80274-4 (Unknown)
From C2S/CIS: All network services involve some risk of compromise due to implementation flaws and should be disabled if possible.
systemctl disable named.serviceC2S/CIS: CCE-80325-4 (Unknown)
From C2S/CIS: Unnecessary packages should not be installed to decrease the attack surface of the system.
yum erase openldap-serversC2S/CIS: CCE-80293-4 (Unknown)
From C2S/CIS: Running a Samba server provides a network-based avenue of attack, and should be disabled if not needed.
systemctl disable smb.serviceC2S/CIS: CCE-80277-7 (Unknown)
From C2S/CIS: Running web server software provides a network-based avenue of attack, and should be disabled if not needed.
systemctl disable httpd.serviceC2S/CIS: CCE-80300-7 (Unknown)
From C2S/CIS: Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments.
systemctl disable rhnsd.serviceC2S/CIS: CCE-80269-4 (Unknown)
From C2S/CIS: Running proxy server software provides a network-based avenue of attack, and should be removed if not needed.
systemctl disable squid.serviceC2S/CIS: CCE-80285-0 (Unknown)
From C2S/CIS: Unmanaged or unintentionally activated DHCP servers may provide faulty information to clients, interfering with the operation of a legitimate site DHCP server if there is one.
systemctl disable dhcpd.serviceFrom C2S/CIS: Running an IMAP or POP3 server provides a network-based avenue of attack, and should be disabled if not needed.
systemctl disable dovecot.serviceC2S/CIS: CCE-80294-2 (Unknown)
From C2S/CIS: All of these daemons (nfslock, rpcgssd, and rpcidmapd) run with elevated privileges, and many listen for network connections.
systemctl disable rpcbind.serviceFrom C2S/CIS: Unnecessary services should be disabled to decrease the attack surface of the system.
systemctl disable nfs.serviceC2S/CIS: CCE-80237-1 (Unknown)
From C2S/CIS: Turn off unneeded services to reduce attack surface.
systemctl disable cups.serviceC2S/CIS: CCE-80282-7 (Unknown)
The best protection against vulnerable software is running less software.
From C2S/CIS: Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.
systemctl enable crond.serviceFrom C2S/CIS: Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges.
yum install tcp_wrappersFrom C2S/CIS: Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches. The chronyd and ntpd NTP daemons offer all of the functionality of ntpdate, which is now deprecated.
systemctl enable chronyd
# or
systemctl enable ntpdThe Practical Linux Hardening Guide provides a high-level overview of the hardening GNU/Linux systems. It is not an official standard or handbook but it touches and use industry standards.