- Remove un-needed users from /etc/passwd ( change shells )
- cp -p /etc/passwd /etc/passwd.original
- cp -p /etc/shadow /etc/shadow.original
- Remove the account from the /etc/passwd and /etc/shadow files
- Put a * in the second field ( no login permitted )
- Use /bin/false for the shell -- something NOT listed in /etc/shells
- chmod 1777 /tmp /usr/tmp
- chmod 554 /sbin /usr/sbin /usr/local/sbin -- don't allow world execute
- Remove setuid on some ( almost all ) of the apps
- See the list of files to check
- find / \( -perm -2000 -o -perm -4000 \) -ls
- find / -user root -perm "-u+s"
- chmod -s program_name
- Turn off world-writable files
- To See it...
- find / -perm -2 -type f -ls
- To Change it...
- find / -perm -2 -type f -exec chmod o-w {} \; -- untested
- Add missing (empty) user files: .rhosts .forward .plan
- Mail Server Fixes
- chmod 775 /var/spool/mail /var/spool/mqueue
- chown root.mail /var/spool/mail /var/spool/mqueue
- chmod 6755 /usr/sbin/sendmail
- chgrp mail /usr/sbin/sendmail
- FileSystem Hierarchy
- Keep all system and user config files in /etc
- Keep all user changes in their home dir
- Keep all run time log files and info in /var
- Install all user changes in /usr/local/{src,etc,bin,sbin,man}
- Root Privileges
- Document all changes, no matter how small, in the files themselves
- NEVER share root passwds - use sudo instead
- NEVER write down passwds
- NEVER use the same passwd on multiple machines
- and if you do write it down on one of the servers, at least encrypt the file
- Enable Shadow passwd if not already used
- Scripts to Check filesystem
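The setuid and world-writable checks from the list above, written as a small audit script. This is an added example, not part of the original checklist; the allow-list format, the function names and the scratch tree it builds (passwd_clone, rogue, sg_tool, motd) are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original checklist): audit a tree for
# setuid/setgid binaries and world-writable regular files, compare the
# setuid list against an allow-list, and strip o+w the way the checklist's
# "find ... -exec chmod o-w" does. POSIX find(1)/chmod(1) only; run as root for "/".

nlines() { wc -l | tr -d ' \t'; }

# list_setuid DIR: regular files with the setuid or setgid bit set
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# list_world_writable DIR: regular files writable by "other"
list_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# count_unexpected_setuid DIR ALLOWFILE: setuid/setgid files whose full
# path is not listed (one per line) in ALLOWFILE
count_unexpected_setuid() {
    list_setuid "$1" | grep -v -x -F -f "$2" | nlines
}

# fix_world_writable DIR: remove o+w from regular files; prints how many changed
fix_world_writable() {
    before=$(list_world_writable "$1" | nlines)
    find "$1" -type f -perm -0002 -exec chmod o-w {} \;
    after=$(list_world_writable "$1" | nlines)
    echo $((before - after))
}

# make_demo_tree: constructed scratch tree (hypothetical file names) so the
# checks can be exercised without touching the real filesystem; prints its path
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/etc"
    : > "$d/bin/passwd_clone"; chmod 4755 "$d/bin/passwd_clone"  # setuid, allowed
    : > "$d/bin/rogue";        chmod 4755 "$d/bin/rogue"         # setuid, unexpected
    : > "$d/bin/sg_tool";      chmod 2755 "$d/bin/sg_tool"       # setgid, unexpected
    : > "$d/etc/motd";         chmod 666  "$d/etc/motd"          # world-writable
    : > "$d/etc/hosts";        chmod 644  "$d/etc/hosts"         # fine
    printf '%s\n' "$d/bin/passwd_clone" > "$d/allow.txt"; chmod 644 "$d/allow.txt"
    echo "$d"
}
# e.g.: D=$(make_demo_tree); count_unexpected_setuid "$D" "$D/allow.txt"; fix_world_writable "$D"
```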