
Add noexec Option to /tmp
The 'noexec' mount option can be used to prevent binaries from being executed out of '/tmp'.

Enable Auditing for Processes Which Start Prior to the Audit Daemon
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument 'audit=1' to the kernel line in '/etc/grub.conf', in the manner below: 'kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1'

Add nodev Option to /tmp
The 'nodev' mount option can be used to prevent device files from being created in '/tmp'. Legitimate character and block devices should not exist within temporary directories like '/tmp'.

Ensure System Log Files Have Correct Permissions
The file permissions for all log files written by 'rsyslog' should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in '/etc/rsyslog.conf' and typically all appear in '/var/log'. For each log file

Add nosuid Option to Removable Media Partitions
The 'nosuid' mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted ...

Ensure Log Files Are Owned By Appropriate Group
The group-owner of all log files written by 'rsyslog' should be root. These log files are determined by the second part of each Rule line in '/etc/rsyslog.conf' and typically all appear in '/var/log'. For each log file

Add noexec Option to Removable Media Partitions
The 'noexec' mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media.

Verify ip6tables Enabled if Using IPv6
The 'ip6tables' service can be enabled with the following command: '$ sudo systemctl enable ip6tables'

Add nodev Option to Removable Media Partitions
The 'nodev' mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the '/dev' directory on the root partition or within chroot jails built for system services.

Ensure /home Located On Separate Partition
If user home directories will be stored locally, create a separate partition for '/home' at installation time (or migrate it later using LVM). If '/home' will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.



© SecPod Technologies