Dear All,
About a week ago; I posted a proposal over on the centos-devel mailing list, the proposal is for a SIG 'CentOS hardening', there were a few of the members of the community who are also interested in this. Therefore, I am extending that email to this community; where there is a larger community.
Some things that we will like to achieve are as follows: SSH: disable root (uncomment 'PermitRootLogin' and change to no) enable 'strictMode' modify 'MaxAuthTries' modify 'ClientAliveInterval' modify 'ClientAliveCountMax'
Gnome: disable Gnome user list
Console: Remove reboot, halt poweroff from /etc/security/console.app
Applying security best practises from various compliance perspective, e.g. STIG, SOX, PCI etc... We may also use NSA RHEL 5 secure configuration guide to get some insight or use it as a baseline. The members of the community who are interested in this SIG or are willing to contribute are: Leam Hall Corey Henderson Jason Pyeron
You can find the post here [0]
We will really like to get SIG approved by the CentOS board so if anyone is interested or willing to contribute we will be happy to have you onboard.
[0] http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html
I am very interested.
One of my suggestions:
Firewall: Network based firewall zone assignment (possibly disabling interface based assignment)
Regards Tim
Am 22. April 2015 07:13:52 MESZ, schrieb Earl A Ramirez earlaramirez@gmail.com:
Dear All,
About a week ago; I posted a proposal over on the centos-devel mailing list, the proposal is for a SIG 'CentOS hardening', there were a few of the members of the community who are also interested in this. Therefore, I am extending that email to this community; where there is a larger community.
Some things that we will like to achieve are as follows: SSH: disable root (uncomment 'PermitRootLogin' and change to no) enable 'strictMode' modify 'MaxAuthTries' modify 'ClientAliveInterval' modify 'ClientAliveCountMax'
Gnome: disable Gnome user list
Console: Remove reboot, halt poweroff from /etc/security/console.app
Applying security best practises from various compliance perspective, e.g. STIG, SOX, PCI etc... We may also use NSA RHEL 5 secure configuration guide to get some insight or use it as a baseline. The members of the community who are interested in this SIG or are willing to contribute are: Leam Hall Corey Henderson Jason Pyeron
You can find the post here [0]
We will really like to get SIG approved by the CentOS board so if anyone is interested or willing to contribute we will be happy to have you onboard.
[0] http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html
-- Earl A Ramirez earlaramirez@gmail.com
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
apply also ideas from this document: https://benchmarks.cisecurity.org/downloads/show-single/?file=rhel6.130
-- Eero
2015-04-22 9:30 GMT+03:00 Tim lists@kiuni.de:
I am very interested.
One of my suggestions:
Firewall: Network based firewall zone assignment (possibly disabling interface based assignment)
Regards Tim
Am 22. April 2015 07:13:52 MESZ, schrieb Earl A Ramirez < earlaramirez@gmail.com>:
Dear All,
About a week ago; I posted a proposal over on the centos-devel mailing list, the proposal is for a SIG 'CentOS hardening', there were a few of the members of the community who are also interested in this. Therefore, I am extending that email to this community; where there is a larger community.
Some things that we will like to achieve are as follows: SSH: disable root (uncomment 'PermitRootLogin' and change to no) enable 'strictMode' modify 'MaxAuthTries' modify 'ClientAliveInterval' modify 'ClientAliveCountMax'
Gnome: disable Gnome user list
Console: Remove reboot, halt poweroff from /etc/security/console.app
Applying security best practises from various compliance perspective, e.g. STIG, SOX, PCI etc... We may also use NSA RHEL 5 secure configuration guide to get some insight or use it as a baseline. The members of the community who are interested in this SIG or are willing to contribute are: Leam Hall Corey Henderson Jason Pyeron
You can find the post here [0]
We will really like to get SIG approved by the CentOS board so if anyone is interested or willing to contribute we will be happy to have you onboard.
[0] http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html
-- Earl A Ramirez earlaramirez@gmail.com
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On 4/21/2015 11:34 PM, Eero Volotinen wrote:
apply also ideas from this document: https://benchmarks.cisecurity.org/downloads/show-single/?file=rhel6.130
that should be your baseline. I suspect you'll find all the things you mentioned are discussed in the CIS benchmarks.
SELinux?
On 22 April 2015 at 09:11, John R Pierce pierce@hogranch.com wrote:
On 4/21/2015 11:34 PM, Eero Volotinen wrote:
apply also ideas from this document: https://benchmarks.cisecurity.org/downloads/show-single/?file=rhel6.130
that should be your baseline. I suspect you'll find all the things you mentioned are discussed in the CIS benchmarks.
-- john r pierce, recycling bits in santa cruz
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Sounds like a bit basic stuff? How about hardening ciphers, two factor authentication, snort, web application firewall and scap scanning?
Eero 22.4.2015 10.14 ap. "Andrew Holway" andrew.holway@gmail.com kirjoitti:
SELinux?
On 22 April 2015 at 09:11, John R Pierce pierce@hogranch.com wrote:
On 4/21/2015 11:34 PM, Eero Volotinen wrote:
apply also ideas from this document: https://benchmarks.cisecurity.org/downloads/show-single/?file=rhel6.130
that should be your baseline. I suspect you'll find all the things you mentioned are discussed in the CIS benchmarks.
-- john r pierce, recycling bits in santa cruz
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
I think, this SIG would/should care about hardening CentOS itself as a system not a complete environment (proxies, firewalls, etc.) The examples of the opener show this.
Something else could be integrity checking possibly.
I imagine a tool/script that could apply hardening stuff.
Regards Tim
Am 22. April 2015 09:23:52 MESZ, schrieb Eero Volotinen eero.volotinen@iki.fi:
Sounds like a bit basic stuff? How about hardening ciphers, two factor authentication, snort, web application firewall and scap scanning?
Eero 22.4.2015 10.14 ap. "Andrew Holway" andrew.holway@gmail.com kirjoitti:
SELinux?
On 22 April 2015 at 09:11, John R Pierce pierce@hogranch.com wrote:
On 4/21/2015 11:34 PM, Eero Volotinen wrote:
apply also ideas from this document:
https://benchmarks.cisecurity.org/downloads/show-single/?file=rhel6.130
that should be your baseline. I suspect you'll find all the
things you
mentioned are discussed in the CIS benchmarks.
-- john r pierce, recycling bits in santa cruz
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Wed, 2015-04-22 at 10:16 +0200, Tim wrote:
I think, this SIG would/should care about hardening CentOS itself as a system not a complete environment (proxies, firewalls, etc.) The examples of the opener show this.
Something else could be integrity checking possibly.
I imagine a tool/script that could apply hardening stuff.
Regards Tim
Am 22. April 2015 09:23:52 MESZ, schrieb Eero Volotinen eero.volotinen@iki.fi:
Sounds like a bit basic stuff? How about hardening ciphers, two factor authentication, snort, web application firewall and scap scanning?
Eero 22.4.2015 10.14 ap. "Andrew Holway" andrew.holway@gmail.com kirjoitti:
SELinux?
On 22 April 2015 at 09:11, John R Pierce pierce@hogranch.com wrote:
On 4/21/2015 11:34 PM, Eero Volotinen wrote:
apply also ideas from this document:
https://benchmarks.cisecurity.org/downloads/show-single/?file=rhel6.130
that should be your baseline. I suspect you'll find all the
things you
mentioned are discussed in the CIS benchmarks.
-- john r pierce, recycling bits in santa cruz
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Thanks for all of your input guys, there were some discussion on the centos-devel list [0], which will give you a better idea of what this SIG will aim to accomplish.
We will be happy to see you guys over on the centos-devel list and if possible chip in to make this SIG a success.
[0] http://lists.centos.org/pipermail/centos-devel/2015-April/013280.html
On 04/22/15 01:13, Earl A Ramirez wrote:
Dear All,
About a week ago; I posted a proposal over on the centos-devel mailing list, the proposal is for a SIG 'CentOS hardening', there were a few of the members of the community who are also interested in this. Therefore, I am extending that email to this community; where there is a larger community.
Some things that we will like to achieve are as follows: SSH: disable root (uncomment 'PermitRootLogin' and change to no) enable 'strictMode' modify 'MaxAuthTries' modify 'ClientAliveInterval' modify 'ClientAliveCountMax'
Gnome: disable Gnome user list
Console: Remove reboot, halt poweroff from /etc/security/console.app
Applying security best practises from various compliance perspective, e.g. STIG, SOX, PCI etc... We may also use NSA RHEL 5 secure configuration guide to get some insight or use it as a baseline. The members of the community who are interested in this SIG or are willing to contribute are: Leam Hall Corey Henderson Jason Pyeron
You can find the post here [0]
We will really like to get SIG approved by the CentOS board so if anyone is interested or willing to contribute we will be happy to have you onboard.
[0] http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html
These are all wicked good ideas for machines connected to the internet. I hope you also plan on making it easy to turn off these otherwise useful "features" for systems with no exposure to the internet. Don't make it difficult/impossible to use rsync to back up between machines on the local intranet. Rsync has to run as root to access and maintain correct file ownership and permissions.
Am 23.04.2015 um 02:49 schrieb Mark LaPierre marklapier@gmail.com:
On 04/22/15 01:13, Earl A Ramirez wrote:
Dear All,
About a week ago; I posted a proposal over on the centos-devel mailing list, the proposal is for a SIG 'CentOS hardening', there were a few of the members of the community who are also interested in this. Therefore, I am extending that email to this community; where there is a larger community.
Some things that we will like to achieve are as follows: SSH: disable root (uncomment 'PermitRootLogin' and change to no) enable 'strictMode' modify 'MaxAuthTries' modify 'ClientAliveInterval' modify 'ClientAliveCountMax'
Gnome: disable Gnome user list
Console: Remove reboot, halt poweroff from /etc/security/console.app
Applying security best practises from various compliance perspective, e.g. STIG, SOX, PCI etc... We may also use NSA RHEL 5 secure configuration guide to get some insight or use it as a baseline. The members of the community who are interested in this SIG or are willing to contribute are: Leam Hall Corey Henderson Jason Pyeron
You can find the post here [0]
We will really like to get SIG approved by the CentOS board so if anyone is interested or willing to contribute we will be happy to have you onboard.
[0] http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html
These are all wicked good ideas for machines connected to the internet. I hope you also plan on making it easy to turn off these otherwise useful "features" for systems with no exposure to the internet. Don't make it difficult/impossible to use rsync to back up between machines on the local intranet. Rsync has to run as root to access and maintain correct file ownership and permissions.
grep OPTIONS /etc/sysconfig/sshd OPTIONS="-o PermitRootLogin=without-password"
-- LF
On 22 April 2015 at 20:49, Mark LaPierre marklapier@gmail.com wrote:
On 04/22/15 01:13, Earl A Ramirez wrote:
Dear All,
About a week ago; I posted a proposal over on the centos-devel mailing list, the proposal is for a SIG 'CentOS hardening', there were a few of the members of the community who are also interested in this. Therefore, I am extending that email to this community; where there is a larger community.
Some things that we will like to achieve are as follows: SSH: disable root (uncomment 'PermitRootLogin' and change to no) enable 'strictMode' modify 'MaxAuthTries' modify 'ClientAliveInterval' modify 'ClientAliveCountMax'
Gnome: disable Gnome user list
Console: Remove reboot, halt poweroff from /etc/security/console.app
Applying security best practises from various compliance perspective, e.g. STIG, SOX, PCI etc... We may also use NSA RHEL 5 secure configuration guide to get some insight or use it as a baseline. The members of the community who are interested in this SIG or are willing to contribute are: Leam Hall Corey Henderson Jason Pyeron
You can find the post here [0]
We will really like to get SIG approved by the CentOS board so if anyone is interested or willing to contribute we will be happy to have you onboard.
[0] http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html
These are all wicked good ideas for machines connected to the internet. I hope you also plan on making it easy to turn off these otherwise useful "features" for systems with no exposure to the internet. Don't make it difficult/impossible to use rsync to back up between machines on the local intranet. Rsync has to run as root to access and maintain correct file ownership and permissions.
-- _ °v° /(_)\ ^ ^ Mark LaPierre Registered Linux user No #267004 https://linuxcounter.net/
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Hello Mark,
We understand and recognise that security should not affect the function of a business in our case the operating system, I "believe" that the goal of the hardening SIG will be to mitigate potential risks that can have significant consequences.
Over on the centos-devel list it was mentioned that there will be a separate repo, therefore this means that packages will be created to meet the objectives of the hardening SIG. Currently we are trying to get the SIG approved, therefore, no clear picture has been worked out at this moment; however within a month or so it will be available.
On 22 April 2015 at 20:49, Mark LaPierre marklapier@gmail.com wrote:
On 04/22/15 01:13, Earl A Ramirez wrote:
Dear All,
About a week ago; I posted a proposal over on the centos-devel mailing list, the proposal is for a SIG 'CentOS hardening', there were a few of the members of the community who are also interested in this. Therefore, I am extending that email to this community; where there is a larger community.
Some things that we will like to achieve are as follows: SSH: disable root (uncomment 'PermitRootLogin' and change to no) enable 'strictMode' modify 'MaxAuthTries' modify 'ClientAliveInterval' modify 'ClientAliveCountMax'
Gnome: disable Gnome user list
Console: Remove reboot, halt poweroff from /etc/security/console.app
Applying security best practises from various compliance perspective, e.g. STIG, SOX, PCI etc... We may also use NSA RHEL 5 secure configuration guide to get some insight or use it as a baseline. The members of the community who are interested in this SIG or are willing to contribute are: Leam Hall Corey Henderson Jason Pyeron
You can find the post here [0]
We will really like to get SIG approved by the CentOS board so if anyone is interested or willing to contribute we will be happy to have you onboard.
[0] http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html
These are all wicked good ideas for machines connected to the internet. I hope you also plan on making it easy to turn off these otherwise useful "features" for systems with no exposure to the internet. Don't make it difficult/impossible to use rsync to back up between machines on the local intranet. Rsync has to run as root to access and maintain correct file ownership and permissions.
-- _ °v° /(_)\ ^ ^ Mark LaPierre Registered Linux user No #267004 https://linuxcounter.net/
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Hello Mark,
We understand and recognise that security should not affect the function of a business in our case the operating system, I "believe" that the goal of the hardening SIG will be to mitigate potential risks that can have significant consequences.
Over on the centos-devel list it was mentioned that there will be a separate repo, therefore this means that packages will be created to meet the objectives of the hardening SIG. Currently we are trying to get the SIG approved, therefore, no clear picture has been worked out at this moment; however within a month or so it will be available.
The most common way to get root on any box is through the web browser and web browser plugins. sandboxing firefox, acrobat reader, flash-plugin by default has gotta be a priority. Was brought up before.
i use a ffSandbox.sh that launches FF in a sandbox, but no longer sandboxes PDFs. Not production ready.
Might want to look at porting Qubes-OS to CentOS from Fedora. https://en.wikipedia.org/wiki/Qubes_OS
On Thu, Apr 23, 2015 at 12:58 PM, Earl A Ramirez earlaramirez@gmail.com wrote:
On 22 April 2015 at 20:49, Mark LaPierre marklapier@gmail.com wrote:
On 04/22/15 01:13, Earl A Ramirez wrote:
Dear All,
About a week ago; I posted a proposal over on the centos-devel mailing list, the proposal is for a SIG 'CentOS hardening', there were a few of the members of the community who are also interested in this.
Therefore,
I am extending that email to this community; where there is a larger community.
Some things that we will like to achieve are as follows: SSH: disable root (uncomment 'PermitRootLogin' and change to no) enable 'strictMode' modify 'MaxAuthTries' modify 'ClientAliveInterval' modify 'ClientAliveCountMax'
Gnome: disable Gnome user list
Console: Remove reboot, halt poweroff from /etc/security/console.app
Applying security best practises from various compliance perspective, e.g. STIG, SOX, PCI etc... We may also use NSA RHEL 5 secure configuration guide to get some insight or use it as a baseline. The members of the community who are interested in this SIG or are willing to contribute are: Leam Hall Corey Henderson Jason Pyeron
You can find the post here [0]
We will really like to get SIG approved by the CentOS board so if
anyone
is interested or willing to contribute we will be happy to have you onboard.
[0] http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html
These are all wicked good ideas for machines connected to the internet. I hope you also plan on making it easy to turn off these otherwise useful "features" for systems with no exposure to the internet. Don't make it difficult/impossible to use rsync to back up between machines on the local intranet. Rsync has to run as root to access and maintain correct file ownership and permissions.
-- _ °v° /(_)\ ^ ^ Mark LaPierre Registered Linux user No #267004 https://linuxcounter.net/
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Hello Mark,
We understand and recognise that security should not affect the function of a business in our case the operating system, I "believe" that the goal of the hardening SIG will be to mitigate potential risks that can have significant consequences.
Over on the centos-devel list it was mentioned that there will be a separate repo, therefore this means that packages will be created to meet the objectives of the hardening SIG. Currently we are trying to get the SIG approved, therefore, no clear picture has been worked out at this moment; however within a month or so it will be available.
-- Kind Regards Earl Ramirez _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
-
Andrew Holway -
Earl A Ramirez -
Eero Volotinen -
John R Pierce -
Leon Fauster -
Mark LaPierre -
Rob Townley -
Tim