| Name | Red Hat Enterprise Linux Benchmark Version 1.0.5 |
| Version | v1.0.5 |
| Status | Final |
| Creation Date | Not available |
| Revision Date | 2006-11-02 |
| Product Category | Operating System |
| Vendor | Red Hat |
| Product | Red Hat Enterprise Linux 2.1 and 3.0; Fedora Core 1, 2, and 3 |
| Product Version | RHEL 2.1, 3.0 and Fedora 1, 2, 3 |
| Product Role | Server operating system, desktop operating system |
| Checklist Summary | The Benchmark is a compilation of security configuration actions and settings that "harden" Red Hat Linux operating systems. It is a CIS Level-I benchmark: the prudent level of minimum due care for operating system security. This benchmark was developed and tested on Red Hat Enterprise Linux (RHEL) including RHEL 2.1, RHEL 3.0, and Fedora Core 1, 2, & 3. It is likely to work for other Linux distributions - especially Red Hat and Fedora derivatives - as well. |
| Known Issues | The actions listed in this document are written with the assumption that they will be executed in the order presented here. Some actions may need to be modified if the order is changed. Actions are written so that they may be copied directly from this document into a root shell window with a "cut-and-paste" operation. You may find that many of the "chkconfig" actions, which activate or deactivate services, produce the message "error reading information on service : No such file or directory." These messages are quite normal and should not cause alarm - they simply indicate that the program being referenced was not installed on your machine. As Red Hat Enterprise Linux installs allow a great deal of flexibility in what software you choose to install, these messages are unavoidable. The actions listed in this document are written with the assumption that they will be executed by the root user running the bash shell and without noclobber set. Also, the following directories are assumed to be in root's path: /bin:/sbin:/usr/bin:/usr/sbin. Before performing the steps of this benchmark, it is strongly recommended that administrators make backup copies of critical configuration files that may get modified by various benchmark items. If this step is not performed, then the site may have no reasonable back-out strategy for reversing system modifications made as a result of this document. The script provided in Appendix B of this document will automatically back up all files that may be modified by the actions below. |
| Target Audience | System and network administrators |
| Target Operational Environment | Enterprise |
| Checklist Installation Tools | Not Available. |
| Rollback Capability | Not Available. |
| Testing Information | Not Available. |
| NIAP/CMVP Status | |
| Regulatory Compliance | |
| Comments, Warnings, Disclaimer, Miscellaneous | Refer to Known Issues. |
| Disclaimer | Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a "quick fix" for anyone's information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any product or recommendation. CIS is providing the products and the recommendations "as is" and "as available" without representations, warranties or covenants of any kind. |
| Product Support | |
| Submitting Organization/Authors | The Center for Internet Security (CIS) |
| Point of Contact | linux-bench@cisecurity.org |
| Sponsor | |
| Licensing | Commercial use license; EDUCAUSE Member license; US Federal, state and local government agency license |
| Checklist Homepage | http://www.cisecurity.org/ |
| Download Package | http://www.cisecurity.org/sub_form.html |
| Integrity | sha1 (CIS_RHLinux_Benchmark_v1.0.5.zip) = 49643dd0fdf9a82b755dc4135a3b2efdf3e52afe; sha256 (CIS_RHLinux_Benchmark_v1.0.5.zip) = 1e50943ab106f3b1029ccc0d6c871f52416adfb2838fc3678c97453072173f33 |
| Change History | Version 1.0.1: 2005-02-17; Version 1.0.3: 2005-04-27; Version 1.0.5: 2006-11-02 |
| Dependency/Requirement | |
| References |
Free benchmark documents and security tools for various OS platforms and applications:
http://www.cisecurity.org/
Patches and related documentation:
https://www.redhat.com/security/
Red Hat Update Manager tools:
https://rhn.redhat.com/help/latest-up2date.pxt
https://rhn.redhat.com/
Various documentation on Linux security issues:
https://www.redhat.com/security/
Primary source for information on NTP:
http://www.ntp.org/
Information on MIT Kerberos:
http://web.mit.edu/kerberos/www/
Apache "Security Tips" document:
http://httpd.apache.org/docs-2.0/misc/security_tips.html
Information on Sendmail and DNS:
http://www.sendmail.org/
http://www.deer-run.com/~hal/dns-sendmail/DNSandSendmail.pdf
OpenSSH (secure encrypted network logins):
http://www.openssh.org
TCP Wrappers source distribution:
ftp.porcupine.org
PortSentry and Logcheck (port and log monitoring tools):
http://sourceforge.net/projects/sentrytools/
Swatch (log monitoring tool):
http://www.oit.ucsb.edu/~eta/swatch/
Open Source Sendmail (email server) distributions:
ftp://ftp.sendmail.org/
LPRng (Open Source replacement printing system for Unix):
http://www.lprng.org/
sudo (provides fine-grained access controls for superuser activity):
http://www.courtesan.com/sudo/
CIS Red Hat Enterprise Linux Benchmark Tripwire - file modification utility
http://www.tripwire.org
|
| NIST Identifier | 1050 |