On 04/22/15 01:13, Earl A Ramirez wrote:
> Dear All,
>
> About a week ago I posted a proposal over on the centos-devel mailing list; the proposal is for a SIG 'CentOS hardening', and there were a few members of the community who are also interested in this. Therefore, I am extending that email to this community, where there is a larger community.
>
> Some things that we would like to achieve are as follows:
>
> SSH:
> - disable root (uncomment 'PermitRootLogin' and change to no)
> - enable 'strictMode'
> - modify 'MaxAuthTries'
> - modify 'ClientAliveInterval'
> - modify 'ClientAliveCountMax'
>
> Gnome:
> - disable Gnome user list
>
> Console:
> - Remove reboot, halt, poweroff from /etc/security/console.app
>
> Applying security best practices from various compliance perspectives, e.g. STIG, SOX, PCI etc... We may also use the NSA RHEL 5 secure configuration guide to get some insight or use it as a baseline. The members of the community who are interested in this SIG or are willing to contribute are:
> - Leam Hall
> - Corey Henderson
> - Jason Pyeron
>
> You can find the post here [0]
>
> We would really like to get the SIG approved by the CentOS board, so if anyone is interested or willing to contribute we will be happy to have you onboard.
>
> [0] http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html

These are all wicked good ideas for machines connected to the internet. I hope you also plan on making it easy to turn off these otherwise useful "features" for systems with no exposure to the internet. Don't make it difficult/impossible to use rsync to back up between machines on the local intranet. Rsync has to run as root to access and maintain correct file ownership and permissions.

--
  _
 °v°
/(_)\
 ^ ^
Mark LaPierre
Registered Linux user No #267004
https://linuxcounter.net/
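An sshd_config fragment, added here as an example and not taken from the thread or from the SIG, that applies the five SSH settings in the proposal while keeping key-only root logins from an assumed intranet range (10.0.0.0/8 is a placeholder) so root rsync between local machines keeps working:

```conf
# Global baseline: applies to every connection unless a Match block below overrides it.

# No direct root logins by default (password or key).
PermitRootLogin no

# Refuse authorized_keys files whose home or ~/.ssh directory is group/world-writable.
StrictModes yes

# Drop the connection after three failed authentication attempts.
MaxAuthTries 3

# Probe an idle session every 5 minutes and close it after two unanswered probes
# (about 10 minutes). A count of 0 changed meaning in OpenSSH 8.2, so avoid it.
ClientAliveInterval 300
ClientAliveCountMax 2

# Exception for hosts on the local intranet (10.0.0.0/8 is an assumed placeholder):
# root may log in with a key only, never a password, so rsync over ssh can still
# run as root and preserve file ownership and permissions. StrictModes, MaxAuthTries
# and the ClientAlive settings above still apply here. On OpenSSH 7.0 and later the
# value is spelled prohibit-password; without-password remains an accepted alias.
Match Address 10.0.0.0/8
    PermitRootLogin without-password
```

Validate the file with `sshd -t` before reloading, and confirm the effective values for an intranet client with `sshd -T -C addr=10.0.0.5,user=root`.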