[CentOS] Hardening CentOS by removing "hacker" tools

Jim Wildman jim at rossberry.com
Sat Jun 7 02:09:59 UTC 2008 

On Fri, 6 Jun 2008, Filipe Brandenburger wrote:

> Hi,
>
> My boss asked me to harden a CentOS box by removing "hacker" tools,
> such as nmap, tcpdump, nc (netcat), telnet, etc.
>
> I would like to know which list of packages would you remove from a
> base install. I would appreciate if someone could point me to a
> "standard" way of doing this. I know there are procedures for
> hardening a machine (I remember reading about Bastille Linux) but I
> don't know how effective they are and if they include the removal of
> such tools in their procedures.
>
> Any advice would be very appreciated!
>
> Thanks,
> Filipe

Assuming from the question that a) the box is already installed and b)
the application for which it exists is installed via a well formed
rpm...

(Tell your boss the box or the app may go down unexpectedly while
you're doing this.  This will almost certainly happen if condition b) is
not met.  And the app may not come back up right when you reboot the box
or restart the app.  Definitely schedule a power cycle or two for after
you think you're done.  Maybe freshen up your resume too.  Probably
should mention to the boss that if the app has gone through any internal
certification process, you are probably going to invalidate it and he
needs to talk to the development/enduser folks to schedule a recert.)

rpm -qa | sort > rpm.lst

look at the list, anything you don't know what it is, rpm -qi.  Season
with a liberal dose of "man -k package;man <something" and 
"less /usr/share/doc/<package>" If you think you probably don't need it
yum erase.  If it doesn't try to erase the application or
something else necessary (like ssh or the kernel), say yes.  Use yum not
rpm so you have a record in /var/log/yum.log of what you did.  Maybe
start a screen session with history or a typescript session.  Read
everything c.a.r.e.f.u.l.l.y and slowly.  Don't multitask.  If you're
really paranoid (twitch, twitch), run your application test suite after
each deletion (you do have a test suite, right???).

Better, google for "tiny centos" and build a new box with the minimum on
it.  Then get the well formed application rpm from the vendor (evil laughter), 
put it in a local repository and use yum to install it and it's
dependencies.

And do all the firewall, selinux, hosts.{allow,deny} and NSA stuff too.

------------------------------------------------------------------------
Jim Wildman, CISSP, RHCE       jim at rossberry.com http://www.rossberry.com
"Society in every state is a blessing, but Government, even in its best
state, is a necessary evil; in its worst state, an intolerable one."
Thomas Paine

More information about the CentOS mailing list