• About Us/Policies
• Accounts
• Cable TV/Video
• Computing Services
• Computing Sites
• E-Mail
• Enterprise Apps
• Hardware
• Help
• Hosting/File Storage
• ID Cards
• IT Security
• IT Training
• Media Services
• Network Services
• New to MU?
• Printing
• Research Computing
• Software
• Student Phones
• Telecom Services

Best Practices: Red Hat Linux OS

1. Subscribe to redhat-announce-list

   • This list is Red-Hat's security and patch announcements list as well as list archives.

2. Read Securing and Optimizing Red Hat Linux

   • Available from The Linux Doc Project: Introduction to security and optimization for Red Hat (and other flavors) of Linux.
   • The Linux Doc Project site.

3. When possible, always do a custom installation

   • This will help to ensure that you have total control over how the disk and partitions are laid out and which packages are installed. Performing an automated installation tends to install software that you don't need. Be aware of what you are installing. You should carefully document the configuration in case the box needs to be rebuilt from scratch.

4. Disable all services at first

   • When you first reboot after installation, drop into single user mode and disable all services that would be started with the chkconfig command (it's easier then removing symlinks from /etc/rc.d/rcX.d individually.) Then re-enable services that you need one by one when you are sure of what they are intended for.

5. Verify RPM integrity before installation

   • RPM is a very powerful tool despite some of its shortcomings. Issuing "rpm -K package.rpm" will check the packages signature to make sure it hasn't been tampered with before installation. To verify the system after installation, you can issue "rpm -Va" to verify all installed packages.
   • The Red-Hat Package Manager: http://www.rpm.org/

6. Read the RPM man page

   • Man pages are your friend, especially in the case of RPM. There are numerous options to help keep your system healthy.

7. Consider using libsafe

   • Install libsafe to aid in preventing stack smashing attacks and common buffer overflow exploits. It is only usable on systems that don't require the installation of Java, Netscape, and other "badly" coded programs. Make sure that libsafe is in /etc/ld.so.preload so that all users are affected.

8. Consider using grsecurity

   • If you are using Linux 2.4 (the kernel version, not Red-Hat), consider using the grsecurity module. It enables several security features to aid in the protection of a system. Some features include stack-protection, execution logging, process hiding, fork-bomb protection, and many more. Be sure to read the manual page and the kernel patch to understand the implications of using the patch.
   • Grsecuity home page: http://www.grsecurity.net/

9. Periodically review and harden security settings

   • Consider using Bastille to check your system on a regular basis.

Additional services running on your system may require special attention. If you have questions or concerns about specific security issues, contact isam@missouri.edu for assistance.