[CentOS] SIG - Hardening

Rob Townley rob.townley at gmail.com
Thu Apr 23 19:09:43 UTC 2015


The most common way to get root on any box is through the web browser and
web browser plugins.
Sandboxing Firefox, Acrobat Reader, flash-plugin by default has gotta be a
priority. Was brought up before.

I use a ffSandbox.sh that launches FF in a sandbox, but it no longer sandboxes
PDFs. Not production ready.

Might want to look at porting Qubes-OS to CentOS from Fedora.
https://en.wikipedia.org/wiki/Qubes_OS


On Thu, Apr 23, 2015 at 12:58 PM, Earl A Ramirez <earlaramirez at gmail.com>
wrote:

> On 22 April 2015 at 20:49, Mark LaPierre <marklapier at gmail.com> wrote:
>
> > On 04/22/15 01:13, Earl A Ramirez wrote:
> > > Dear All,
> > >
> > > About a week ago, I posted a proposal over on the centos-devel mailing
> > > list; the proposal is for a SIG 'CentOS hardening'. There were a few
> > > members of the community who are also interested in this. Therefore,
> > > I am extending that email to this community, where there is a larger
> > > community.
> > >
> > > Some things that we will like to achieve are as follows:
> > > SSH:
> > > disable root (uncomment 'PermitRootLogin' and change to no)
> > > enable 'strictMode'
> > > modify 'MaxAuthTries'
> > > modify 'ClientAliveInterval'
> > > modify 'ClientAliveCountMax'
> > >
> > > Gnome:
> > > disable Gnome user list
> > >
> > > Console:
> > > Remove reboot, halt, poweroff from /etc/security/console.app
> > >
> > > Applying security best practices from various compliance perspectives,
> > > e.g. STIG, SOX, PCI etc. We may also use the NSA RHEL 5 secure
> > > configuration guide to get some insight or use it as a baseline. The
> > > members of the community who are interested in this SIG or are willing
> > > to contribute are:
> > > Leam Hall
> > > Corey Henderson
> > > Jason Pyeron
> > >
> > > You can find the post here [0]
> > >
> > > We would really like to get the SIG approved by the CentOS board, so if
> > > anyone is interested or willing to contribute we will be happy to have
> > > you onboard.
> > >
> > > [0]
> > > http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html
> > >
> >
> > These are all wicked good ideas for machines connected to the internet.
> > I hope you also plan on making it easy to turn off these otherwise
> > useful "features" for systems with no exposure to the internet.  Don't
> > make it difficult/impossible to use rsync to back up between machines on
> > the local intranet.  Rsync has to run as root to access and maintain
> > correct file ownership and permissions.
> >
> > --
> >     _
> >    °v°
> >   /(_)\
> >    ^ ^  Mark LaPierre
> > Registered Linux user No #267004
> > https://linuxcounter.net/
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> >
>
> Hello Mark,
>
> We understand and recognise that security should not affect the function of
> a business, in our case the operating system. I "believe" that the goal of
> the hardening SIG will be to mitigate potential risks that can have
> significant consequences.
>
> Over on the centos-devel list it was mentioned that there will be a
> separate repo, which means that packages will be created to meet the
> objectives of the hardening SIG. Currently we are trying to get the SIG
> approved, so no clear picture has been worked out at this moment;
> however, within a month or so it will be available.
>
>
>
> --
> Kind Regards
> Earl Ramirez
>
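The SSH settings in the quoted proposal (PermitRootLogin, StrictModes, MaxAuthTries, ClientAliveInterval, ClientAliveCountMax), as an added audit script that is not part of this thread or of any SIG package. It assumes a config file path as argument and, for MaxAuthTries, a threshold below the sshd default of 6, since the post names no number; the sample config it writes is constructed.

```shell
# Audit an sshd_config for the SSH settings the hardening SIG proposed.
# sshd_config(5): the FIRST uncommented occurrence of a keyword wins, and
# keywords after a "Match" line are conditional, so the scan stops there.

# Print the effective global value of keyword $2 in file $1 (empty if unset).
sshd_effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key    { print $2; exit }
    ' "$1"
}
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }   # lower-case helper

# Return 0 if file $1 passes all five checks, 1 otherwise (one line per finding).
audit_sshd_config() {
    cfg=$1; rc=0
    v=$(sshd_effective_value "$cfg" PermitRootLogin)
    [ "$(lc "$v")" = "no" ] || { echo "FAIL PermitRootLogin=${v:-unset} (want no)"; rc=1; }
    # StrictModes defaults to yes, so only an explicit "no" is a finding.
    v=$(sshd_effective_value "$cfg" StrictModes)
    [ "$(lc "$v")" != "no" ] || { echo "FAIL StrictModes=no (want yes)"; rc=1; }
    # Assumed threshold: below the sshd default of 6 (the post gives no number).
    v=$(sshd_effective_value "$cfg" MaxAuthTries)
    { [ -n "$v" ] && [ "$v" -lt 6 ]; } 2>/dev/null \
        || { echo "FAIL MaxAuthTries=${v:-unset} (want < 6)"; rc=1; }
    # The default of 0 disables keepalive probes; require a positive interval.
    v=$(sshd_effective_value "$cfg" ClientAliveInterval)
    { [ -n "$v" ] && [ "$v" -gt 0 ]; } 2>/dev/null \
        || { echo "FAIL ClientAliveInterval=${v:-unset} (want > 0)"; rc=1; }
    v=$(sshd_effective_value "$cfg" ClientAliveCountMax)
    [ -n "$v" ] || { echo "FAIL ClientAliveCountMax unset"; rc=1; }
    return $rc
}

# Constructed sample: hardening lines appended to a stock-looking config, which
# is exactly the case the first-occurrence and Match rules silently defeat.
write_sample_config() {
    cat > "$1" <<'EOF'
#PermitRootLogin yes
PermitRootLogin yes
StrictModes no
Match User backup
    PermitRootLogin no
PermitRootLogin no
MaxAuthTries 4
ClientAliveInterval 300
ClientAliveCountMax 2
EOF
}
```

Source the file and run `audit_sshd_config /etc/ssh/sshd_config`; on the constructed sample every check fails, because the appended lines never become the effective global values.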