[CentOS] SIG - Hardening

Thu Apr 23 09:22:48 UTC 2015
Leon Fauster <leonfauster at googlemail.com>

Am 23.04.2015 um 02:49 schrieb Mark LaPierre <marklapier at gmail.com>:
> On 04/22/15 01:13, Earl A Ramirez wrote:
>> Dear All,
>> 
>> About a week ago, I posted a proposal over on the centos-devel mailing
>> list; the proposal is for a SIG 'CentOS hardening', and a few of the
>> members of the community are also interested in this. Therefore,
>> I am extending that email to this community, where there is a larger
>> community.
>> 
>> Some things that we would like to achieve are as follows:
>> SSH:
>> disable root (uncomment 'PermitRootLogin' and change to no)
>> enable 'strictMode'
>> modify 'MaxAuthTries'
>> modify 'ClientAliveInterval'
>> modify 'ClientAliveCountMax'
>> 
>> Gnome:
>> disable Gnome user list
>> 
>> Console:
>> Remove reboot, halt poweroff from /etc/security/console.app
>> 
>> Applying security best practices from various compliance perspectives,
>> e.g. STIG, SOX, PCI etc... We may also use NSA RHEL 5 secure
>> configuration guide to get some insight or use it as a baseline. The
>> members of the community who are interested in this SIG or are willing
>> to contribute are:
>> Leam Hall
>> Corey Henderson
>> Jason Pyeron
>> 
>> You can find the post here [0]
>> 
>> We would really like to get the SIG approved by the CentOS board, so if anyone
>> is interested or willing to contribute we will be happy to have you
>> onboard.
>> 
>> [0]
>> http://lists.centos.org/pipermail/centos-devel/2015-April/013197.html
>> 
> 
> These are all wicked good ideas for machines connected to the internet.
> I hope you also plan on making it easy to turn off these otherwise
> useful "features" for systems with no exposure to the internet.  Don't
> make it difficult/impossible to use rsync to back up between machines on
> the local intranet.  Rsync has to run as root to access and maintain
> correct file ownership and permissions.



grep OPTIONS /etc/sysconfig/sshd 
OPTIONS="-o PermitRootLogin=without-password"

--
LF
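The proposal's SSH list and Leon's /etc/sysconfig/sshd line make a point worth seeing in working code: the setting sshd actually uses is not always the one you appended to sshd_config. The script below is an added example and is not code from Earl, Mark or Leon; it reconstructs two documented sshd rules (the first value obtained for a directive wins, and "-o Key=Value" options given on the sshd command line are read before the file and so override it) on a constructed sample sshd_config, and reuses the OPTIONS value from the grep above. The function names, the sample config and the OPTIONS variable are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread above. Computes the value sshd
# would actually use for a directive, honouring two rules that matter when
# hardening sshd_config:
#   1. sshd keeps the FIRST value it obtains for a directive, so appending
#      "PermitRootLogin no" below an earlier "PermitRootLogin yes" changes
#      nothing.
#   2. "-o Key=Value" options on the sshd command line (on CentOS, the
#      OPTIONS= line in /etc/sysconfig/sshd) are processed before the file is
#      read, so they take precedence over sshd_config.
# Only the global section is considered: parsing stops at the first Match
# block. Values are taken as a single token, which covers every directive in
# the proposal.

# sshd_effective KEY CONFIG_FILE [OPTIONS_STRING]
#   Print the effective global value of KEY, or nothing if it is unset.
sshd_effective() {
    key=$1; cfg=$2; opts=${3:-}
    # Rule 2: command-line "-o Key=Value" pairs win outright.
    val=$(printf '%s\n' "$opts" | awk -v k="$key" '
        { for (i = 1; i < NF; i++)
              if ($i == "-o" && split($(i + 1), kv, "=") >= 2 &&
                  tolower(kv[1]) == tolower(k)) { print kv[2]; exit } }')
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
        return 0
    fi
    # Rule 1: first occurrence in the file wins; "Key value" and "Key=value"
    # are both accepted, and keywords are case-insensitive.
    awk -v k="$key" '
        { sub(/^[ \t]+/, "") }
        /^(#|$)/ { next }
        { split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == tolower(k) { print f[2]; exit }
    ' "$cfg"
}

# root_login_hardened CONFIG_FILE [OPTIONS_STRING]
#   Succeed when a root password login is impossible: either "no", or the
#   key-only setting "without-password" (spelled "prohibit-password" from
#   OpenSSH 7.0 on; newer releases accept both). The key-only form is what
#   keeps root rsync over ssh working. An unset value counts as not hardened,
#   since OpenSSH before 7.0 defaulted to "yes".
root_login_hardened() {
    v=$(sshd_effective PermitRootLogin "$1" "${2:-}")
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        no|without-password|prohibit-password) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample sshd_config (not any real host's file). It carries the
# settings from the proposal, with the classic mistake on root login.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample
Port 22
PermitRootLogin yes
StrictModes yes
MaxAuthTries 3
ClientAliveInterval=300
ClientAliveCountMax 2
# Added later, but ignored: the first PermitRootLogin above wins.
PermitRootLogin no
Match User backup
    PermitRootLogin no
EOF

# The OPTIONS value from the grep above, as it appears in /etc/sysconfig/sshd.
SYSCONFIG_OPTIONS="-o PermitRootLogin=without-password"

printf 'sshd_config alone:        PermitRootLogin=%s\n' \
    "$(sshd_effective PermitRootLogin "$SAMPLE_CFG")"
printf 'with /etc/sysconfig/sshd: PermitRootLogin=%s\n' \
    "$(sshd_effective PermitRootLogin "$SAMPLE_CFG" "$SYSCONFIG_OPTIONS")"
root_login_hardened "$SAMPLE_CFG" || echo 'file alone: root password login still allowed'
root_login_hardened "$SAMPLE_CFG" "$SYSCONFIG_OPTIONS" && echo 'with OPTIONS: root is key-only'
```

On a real host the equivalent check is "sshd -T", which prints the global configuration sshd will use; pass the sysconfig options to it as well (sshd -T -o PermitRootLogin=without-password | grep -i permitrootlogin), otherwise the output reflects only the file. That is the combination Mark asked for: the file can say PermitRootLogin no for the general case while the key-only override keeps root rsync over ssh working on the intranet.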