
**************************
SECTION A   : SOFT CHANGES
**************************

A.1. BIOS Security
   Secure the BIOS by establishing a BIOS password.

A.2. LILO Security

   If your /etc/lilo.conf file looks like this one
   #lilo.conf starts here
   boot=/dev/hda
   map=/boot/map
   install=/boot/boot.b
   prompt
   timeout=50
   linear
   default=dos

   image=/boot/vmlinuz-2.2.14-5.0
        label=linux
        initrd=/boot/initrd-2.2.14-5.0.img
        read-only
        root=/dev/hda3

   other=/dev/hda1
        label=dos
   #lilo.conf ends here


  Modify it as follows.

  Step 2.1
  --------
#lilo.conf starts here
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
linear
default=dos

restricted
password=mypassword
image=/boot/vmlinuz-2.2.14-5.0
        label=linux
        initrd=/boot/initrd-2.2.14-5.0.img
        read-only
        root=/dev/hda3

other=/dev/hda1
        label=dos
#lilo.conf ends here


  Step 2.2
  --------
  Restrict the file's permissions, since the password (mypassword) is stored in plaintext.
    % chmod 600 /etc/lilo.conf

  See  root.run script.

  Step 2.3
  --------
   Run lilo again
    % /sbin/lilo    
       (or /sbin/lilo -v )

  Step 2.4 (paranoid)
  -------------------
   Make lilo.conf immutable as follows (chattr -i removes the flag again
   when you need to edit the file):
    % chattr +i /etc/lilo.conf
   See  root.run script.
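  The following shell functions are an added example, not the checklist's own
  root.run script: they apply steps 2.1 and 2.2 to a lilo.conf path given as
  the first argument (assumed to have the layout above) and check the result.
  Running /sbin/lilo (step 2.3) and chattr +i (step 2.4) are still done by hand.

```shell
#!/bin/sh
# Added example (not the original root.run): harden a lilo.conf copy.
# $1 = path to the lilo.conf to modify, $2 = the boot password to set.
# Assumes the file has global options first, then image=/other= stanzas.
harden_lilo_conf() {
    conf="$1"
    pw="$2"
    # Do not add the options twice if the file is already restricted.
    if grep -q '^restricted$' "$conf"; then
        return 0
    fi
    # Step 2.1: put "restricted" and "password=" in the global section,
    # i.e. just before the first image= stanza, so they cover every entry.
    awk -v pw="$pw" '
        !added && /^[ \t]*image=/ { print "restricted"; print "password=" pw; added = 1 }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    # Step 2.2: the password is stored in clear text, so root-only access.
    chmod 600 "$conf"
}

# Check: returns 0 when both options are present and the mode is rw for
# root only (the first ten characters of "ls -l" read "-rw-------").
lilo_conf_ok() {
    conf="$1"
    grep -q '^restricted$' "$conf" || return 1
    grep -q '^password=' "$conf" || return 1
    [ "$(ls -l "$conf" | cut -c1-10)" = "-rw-------" ]
}
```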

A.3. Eliminate unnecessary user accounts

   Such accounts are listed in /etc/passwd (or /etc/shadow):
   % cat /etc/passwd
    or
   % cat /etc/shadow
   Typical candidates: games, lp, news, uucp, gopher,
   sync, shutdown, halt, operator,
   ftp, gdm, piranha, postgres, squid, pvm

   You delete an account by typing
   % userdel games

   You can do the same for groups
   % cat /etc/group
   % groupdel news


A.4. Password aging etc.
   Consider changing the following values in /etc/login.defs:
   % more /etc/login.defs

   PASS_MAX_DAYS   30
   PASS_MIN_DAYS   0
   PASS_MIN_LEN    7  
   #               ^^^ make it at least seven, if not 8
   PASS_WARN_AGE   7

A.5. Add a timeout mechanism in 
   /etc/profile
   like
  HOSTNAME=`/bin/hostname`
  HISTSIZE=1000
  TMOUT=1800
  #      ^^ in seconds; half an hour in this example


A.6. Delete services in /etc/security/console.apps

   Services listed there, such as
   gnorpm-auth  isdn-config  kpackage  poweroff  rp3-config  up2date
   halt         kbdrate      kppp      reboot    shutdown    xserver

   should not be available to regular users. Remove the corresponding
   file from that directory, for example
   % rm -f  halt


A.7 Secure root login

    Comment out entries in /etc/securetty as needed to limit the terminals
    on which root may log in; a typical file looks like this:

tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8

A.8  Secure su

     a. Edit /etc/group and create a new group sugroup

     (fragment of group)

     b. Add the following two lines to /etc/pam.d/su

auth       sufficient   /lib/security/pam_rootok.so debug
auth       required     /lib/security/pam_wheel.so group=sugroup

***********************************
SECTION B:  NETWORKING AND SERVICES
***********************************


1. inetd.conf

   Permissions: 600
   Owner:  root
   Disable: shell, login, exec, comsat, talk, ntalk, dtalk, pop-2, uucp,
            pop-3, imap, tftp, bootps, finger, cfinger, systat, netstat,
            auth, linuxconf, time, and also ftp and telnet

2. host.conf

order hosts,bind
multi on
nospoof on

3. hosts

127.0.0.1		localhost.localdomain localhost
128.235.32.100		pcc01.njit.edu pcc01

4. hosts.allow

#
# hosts.allow	This file describes the names of the hosts which are
#		allowed to use the local INET services, as decided
#		by the '/usr/sbin/tcpd' server.
#  eg  ftp: foobar.com 1.1.1.1
ALL:128.235.32.100
ALL:128.235.32.101

5. hosts.deny

#
# hosts.deny	This file describes the names of the hosts which are
#		*not* allowed to use the local INET services, as decided
#		by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
ALL:ALL@ALL,PARANOID

6. hosts.equiv  (DISABLE IT UNLESS you REALLY WANT it; if disabled, make
                 sure it is empty and do
        % chmod 000 /etc/hosts.equiv
                 )

pcc01.njit.edu
pcc02.njit.edu

7. resolv.conf

search njit.edu
nameserver 128.235.251.10

8. sysconfig/network

NETWORKING=yes
HOSTNAME=above.njit.edu
GATEWAY=128.235.32.1

9. sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
BOOTPROTO=static
BROADCAST=128.235.35.255
IPADDR=128.235.33.121
NETMASK=255.255.252.0
NETWORK=128.235.32.0
ONBOOT=yes

10. /etc/services  : information provider


   % chattr +i /etc/services   # prevent services from being added


11. Stop/Restart inetd.conf services

    % killall -HUP inetd         # make inetd re-read inetd.conf
    % chattr +i /etc/inetd.conf  # prevent changes; chattr -i restores
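    As an added example for items 1 and 11 (not part of the original
    checklist), the functions below comment out the inetd.conf entries named
    in item 1 and list what is still enabled. They take the file path as an
    argument, so the change can be tried on a copy before /etc/inetd.conf
    (assumed path) is edited and inetd is sent a HUP.

```shell
#!/bin/sh
# Added example: disable inetd.conf services by commenting them out.
# An active inetd.conf line starts with the service name as its first
# field, e.g. "ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a".
# Service list taken from item 1 of this section.
DISABLE_LIST="shell login exec comsat talk ntalk dtalk pop-2 uucp pop-3 \
imap tftp bootps finger cfinger systat netstat auth linuxconf time ftp telnet"

# $1 = inetd.conf path, remaining args = service names to disable.
disable_inetd_services() {
    conf="$1"
    shift
    for svc in "$@"; do
        # Match the name as a whole first field (awk, not a loose sed
        # pattern) so e.g. "pop-3" cannot also hit "pop-2" or vice versa.
        awk -v svc="$svc" '$1 == svc { print "#" $0; next } { print }' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    done
    # On the real file, follow with: killall -HUP inetd (item 11).
}

# Print the names of services still active (non-comment, non-empty lines).
inetd_enabled_services() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next } { print $1 }' "$1"
}
```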

12. Check hosts.* file

    % tcpdchk

13. 
    
       


SECTION C.

1. Disable scripts

  % cp S80sendmail alex.S80sendmail   # keep a copy of the rc.d start link
  % chkconfig sendmail off

2. Services to disable

   recommended: S16apmd, S45pcmcia, S99linuxconf, S80sendmail, S85httpd
   optional:    S40atd, S85gpm, S25netfs
   required:    S05kudzu, S99local, S50inet, S30syslog, S40crond, S10network,
                S20random
