On Fri, 6 Jun 2008, Filipe Brandenburger wrote:
Hi,
My boss asked me to harden a CentOS box by removing "hacker" tools, such as nmap, tcpdump, nc (netcat), telnet, etc.
I would like to know which list of packages would you remove from a base install. I would appreciate if someone could point me to a "standard" way of doing this. I know there are procedures for hardening a machine (I remember reading about Bastille Linux) but I don't know how effective they are and if they include the removal of such tools in their procedures.
Any advice would be very appreciated!
Thanks, Filipe
Assuming from the question that a) the box is already installed and b) the application for which it exists is installed via a well formed rpm...
(Tell your boss the box or the app may go down unexpectedly while you're doing this. This will almost certainly happen if condition b) is not met. And the app may not come back up right when you reboot the box or restart the app. Definitely schedule a power cycle or two for after you think you're done. Maybe freshen up your resume too. Probably should mention to the boss that if the app has gone through any internal certification process, you are probably going to invalidate it and he needs to talk to the development/end-user folks to schedule a recert.)
rpm -qa | sort > rpm.lst
look at the list, anything you don't know what it is, rpm -qi. Season with a liberal dose of "man -k package; man <something>" and "less /usr/share/doc/<package>". If you think you probably don't need it, yum erase. If it doesn't try to erase the application or something else necessary (like ssh or the kernel), say yes. Use yum not rpm so you have a record in /var/log/yum.log of what you did. Maybe start a screen session with history or a typescript session. Read everything c.a.r.e.f.u.l.l.y and slowly. Don't multitask. If you're really paranoid (twitch, twitch), run your application test suite after each deletion (you do have a test suite, right???).
Better, google for "tiny centos" and build a new box with the minimum on it. Then get the well formed application rpm from the vendor (evil laughter), put it in a local repository and use yum to install it and its dependencies.
And do all the firewall, selinux, hosts.{allow,deny} and NSA stuff too.
------------------------------------------------------------------------
Jim Wildman, CISSP, RHCE jim@rossberry.com http://www.rossberry.com
"Society in every state is a blessing, but Government, even in its best state, is a necessary evil; in its worst state, an intolerable one." Thomas Paine
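The package-audit step in the reply above (inventory with rpm -qa, decide what is unneeded, remove through yum so /var/log/yum.log keeps a record) can be made repeatable and reviewable before anything is touched. The script below is an added example for this thread, not code from either poster. The function names (audit_pkgs, removal_plan), the UNWANTED_PKGS and PROTECTED_PKGS lists, and the sample inventory are all constructed for illustration; the unwanted names are simply the tools the original question lists, and the protected names follow the reply's warning about ssh and the kernel. It only prints the yum command it would run.

```shell
#!/bin/sh
# Added example (not from the thread): audit an installed-package inventory
# against a list of tools slated for removal and print a dry-run removal plan.
# Nothing is removed; the operator copies the printed yum command if they agree.

# Tools named in the original question (constructed list; edit to taste).
UNWANTED_PKGS="nmap tcpdump nc telnet"

# Packages that must never be removed, per the reply's warning (constructed list).
PROTECTED_PKGS="openssh-server kernel"

# audit_pkgs: read "name version" lines on stdin, the shape produced by
#   rpm -qa --qf '%{NAME} %{VERSION}\n'
# and print, one per line, the names that are in UNWANTED_PKGS and not in
# PROTECTED_PKGS. Order follows the inventory order.
audit_pkgs() {
    while read -r name _rest; do
        [ -z "$name" ] && continue
        for u in $UNWANTED_PKGS; do
            if [ "$name" = "$u" ]; then
                protected=0
                for p in $PROTECTED_PKGS; do
                    [ "$name" = "$p" ] && protected=1
                done
                [ "$protected" -eq 0 ] && printf '%s\n' "$name"
            fi
        done
    done
    return 0
}

# removal_plan: read candidate names on stdin and print the single yum command
# that would remove them. yum (not rpm -e) is used so /var/log/yum.log records
# the change, as the reply recommends. The command is printed, never executed.
removal_plan() {
    pkgs=""
    while read -r name; do
        [ -n "$name" ] && pkgs="${pkgs:+$pkgs }$name"
    done
    if [ -z "$pkgs" ]; then
        echo "nothing to remove"
    else
        printf 'yum erase %s\n' "$pkgs"
    fi
    return 0
}

# Constructed sample inventory standing in for real rpm -qa output.
SAMPLE_INVENTORY='bash 3.2
nmap 4.11
openssh-server 4.3p2
tcpdump 3.9.4
kernel 2.6.18
telnet 0.17'

# Stand-alone run. Pass --live on a real RPM-based box to audit the actual
# inventory; otherwise the constructed sample is used.
if [ "${1:-}" = "--live" ] && command -v rpm >/dev/null 2>&1; then
    rpm -qa --qf '%{NAME} %{VERSION}\n' | audit_pkgs | removal_plan
else
    printf '%s\n' "$SAMPLE_INVENTORY" | audit_pkgs | removal_plan
fi
```

Run with `sh audit.sh` to see the plan for the sample inventory, or `sh audit.sh --live` on a CentOS box to audit what is really installed. Keeping the audit and the removal as two separate steps is the point: the printed list can go into the change record, or be reviewed by whoever owns the application, before yum erase is typed.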