Secured CentOS 4.x i386

Created at the Lawrence Berkeley National Laboratory, in conjunction with the FaST program and Contra Costa's HPC Program.

Rev  Date      Author                                        Revisions
1    08/12/05  Tjioman, Gani, gtjioman@sbcglobal.net, 510-685-3654

Abstract:
With the increase in hacker activity, software updates and security patches have become essential to protecting network systems and workstations. This document describes one proposed method to create a Secured CentOS 4.x Operating System Workstation and an Archive NFS Server, with an automated package / patch management solution based on YUM.
1.0 INTRODUCTION
  1.1 PURPOSE
  1.2 SCOPE
  1.3 RESPONSIBILITIES / REASONS FOR CHANGES
2.0 PROCEDURES
  2.1 REQUIRED EQUIPMENT
  2.2 CREATE A SECURED WORKSTATION
    2.2.0 STEP-BY-STEP PROCEDURES
    2.2.1 STEPS TO CREATE A SECURED WORKSTATION
    2.2.2 EXTRA CONFIGURATIONS
    2.2.3 METHODS TO TEST RESULT
  2.3 AUTOMATING CRON FOR SOFTWARE UPDATES
    2.3.1 CREATE AN NFS ARCHIVE SERVER TO COLLECT CLIENT YUM SOFTWARE UPDATE RESULTS
    2.3.2 USING CROND TO AUTOMATE YUM SOFTWARE UPGRADES
  2.4 ALTERNATIVE CONFIGURATION METHOD
    2.4.1 OPEN PORTS TO SELECTIVE HOST SYSTEM CONFIGURATION
  2.5 DATA COMPARISONS
    2.5.1 COMPARISON OF ACTIVE SYSTEM SERVICES
    2.5.2 COMPARISON RESULT OF NMAP
    2.5.3 COMPARISON RESULT OF NETSTAT
    2.5.4 DEFAULT WORKSTATION PACKAGE SELECTION
1.0 INTRODUCTION

1.1 PURPOSE
The purpose of this document is to describe one method to create a Secured CentOS 4.x Operating System Workstation and an Archive NFS Server, with an automated package / patch management solution based on YUM.

1.2 SCOPE
The procedure in this document was written with the aim of implementing a secured Linux configuration for basic everyday research and document use. It should be noted that an individual who requires a more complex workstation will need additional configuration, which will increase the system's exposure to vulnerabilities.

1.3 RESPONSIBILITIES / REASONS FOR CHANGES
It is the responsibility of the Unix Group to maintain this document. Reasons for subsequent changes after its release are described in this section.
2.0 PROCEDURES

2.1 REQUIRED EQUIPMENT
- CentOS 4.x (or more current) i386 installation disk
- PC with the following minimum specification:
  - Intel / AMD x86 or x86_64 processor, 2.0 GHz and above
  - Western Digital 120 GB WD1200JB drive
  - DVD / DVD-RW drive
  - 512 MB / 1 GB PC2700 or PC3200 DDR RAM

2.2 CREATE A SECURED WORKSTATION
The following are the steps to create a Secured Workstation:

Steps to install and secure a Workstation (2.2.1)
1. Install Linux Workstation using the CentOS installation disks
2. CentOS 4.x i386 software update
3. Install necessary tools for debugging purposes
4. Disable unnecessary ports and processes that may cause security vulnerabilities
5. Configure permissions on directories and files
6. Disable unnecessary default accounts
7. Deny all hosts the use of the local INET services
8. Configure "HOSTNAME" to specify the user
9. Configure "syslog.conf" to send logs to the central syslog server

Extra configurations (2.2.2)
1. Prepare, download and install the "LBL" version of Mozilla
2. Create a desktop launcher for root to add a user

Methods of testing the difference between a standard default and a stripped-down workstation (2.2.3)
1. Use "nmap" to compare the open ports
2. Use "netstat" to compare the processes that are listening

2.2.0 STEP-BY-STEP PROCEDURES
Use the following steps to create an image of a CentOS 4.1 Workstation:

2.2.1 STEPS TO CREATE A SECURED WORKSTATION

1. Install Linux Workstation using the CentOS installation disks
To install CentOS on a new computer, do the following:
  1. Insert the CentOS 4.1 i386 installation disk
  2. Press "Enter" to install in "graphical mode"
  3. Click the "Skip" button to skip the CD/DVD test
  4. Highlight "English" and click "Next" to use English during installation
  5. Highlight "U.S. English" for the keyboard configuration
  6. Click on the "Workstation" configuration and click "Next" to install the basic Workstation software packages
  7. Click on "Manually Partition with Disk Druid" and press "Next" to partition the hard disk manually
  8. Configure the partitions as follows:
     1. /boot   100 MBytes, ext3 partition
     2. /swap   2 x (size of memory), swap partition
     3. /       3 GBytes, ext3 partition
     4. /var    2.5 GBytes, ext3 partition
     5. /usr    30 GBytes, ext3 partition
     6. /home   the rest of the hard drive, ext3 partition
  9. Click "Next" to format the hard drive
  10. Accept the default values on the boot loader configuration screen and click "Next"
  11. On the "Network Devices" configuration screen, leave the default values and click "Next" to continue
  12. For the firewall configuration, click "No Firewall", and leave "Enable SELinux" set to "Active"
  13. Leave "English (USA)" as the default language for the system, and click "Next"
  14. On the Time Zone Selection screen, highlight the location closest to where the Workstation will be used, for example "America/Los_Angeles" for Pacific Time. Click "Next" to move to the next screen
  15. Enter and confirm the root password
  16. On the "Package Installation Defaults" screen, click "Install default software packages" and click "Next" to continue
  17. CentOS will now format the hard drive and install the Operating System

2. CentOS 4.1 i386 software update
To update the Operating System, follow these instructions:
  1. Log in as root
  2. Install the CentOS RPM signing key by typing:
     # rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-4
  3. Once the signing key is installed, type the following:
     # yes | /usr/bin/yum update

3. Install necessary tools for debugging purposes
Install "nmap" using yum:
  1. Log in as root
  2. Type the following:
     # yes | /usr/bin/yum install nmap

4. Disable unnecessary ports and processes that may cause security vulnerabilities
Turn on only the necessary ports and processes to secure the Workstation:
  1. Log in as root
  2. Type setup at the command prompt; a setup menu should appear
  3. Using the arrow keys, highlight the "System services" menu
  4. Using the space bar, check only the services that are to remain active; the full list of services offered by the menu follows, and the services that this procedure turns off are the ones marked "deactivate" in the comparison table of section 2.5.1
  5. Click on the "OK" button and exit the "setup" menu

Active Services
NetworkManager      acpid           anacron         apmd
atd                 autofs          bluetooth       chargen
chargen-udp         cpuspeed        crond           cups
cups-config-daemon  cups-lpd        daytime         daytime-udp
diskdump            echo            echo-udp        eklogin
gpm                 gssftp          haldaemon       iptables
irda                irqbalance      isdn            klogin
krb5-telnet         kshell          kudzu           mdmonitor
mdmpd               messagebus      microcode_ctl   netdump
netfs               netplugd        network         nfs
nfslock             nscd            ntpd            pcmcia
portmap             psacct          rawdevices      readahead
readahead_early     rhnsd           rpcgssd         rpcidmapd
rpcsvcgssd          rsync           saslauthd       sendmail
smartd              spamassassin    sshd            syslog
time                time-udp        vncserver       winbind
xfs                 xinetd          ypbind          yum

5. Configure permissions on directories and files
The following table lists the configuration recommended to further secure the Workstation. Set the proper permissions on the files and directories listed in the table:
  1. Log in as root
  2. On the command line, use the chmod command on each file and directory listed in the table. For example, for the /etc directory, type:
     # chmod -R 755 /etc
     to remove write permission for everyone except root. Note that "-R" applies the mode to every file under /etc, including files that must stay readable only by root, such as /etc/shadow; check the modes of those files afterwards.

File / Directory     Recommended Permission
/etc                 755
/bin                 755
/sbin                755
/var                 755
/dev/mem             640
/etc/init.d          755
/etc/xinetd.conf     644
6. Disable unnecessary default accounts
The following table lists the unnecessary default accounts that can safely be disabled in the /etc/passwd file. To disable an account, set its login shell in /etc/passwd to /sbin/nologin or /dev/null. For example, to disable the default account bin, edit its /etc/passwd entry as follows:
     bin:x:1:1:bin:/bin:/dev/null
or
     bin:x:1:1:bin:/bin:/sbin/nologin

Login         Recommended Passwd Configuration
bin           login shell set to /sbin/nologin or /dev/null, as shown above
daemon        (same)
adm           (same)
lp            (same)
mail          (same)
news          (same)
uucp          (same)
operator      (same)
games         (same)
gopher        (same)
ftp           (same)
nobody        (same)
dbus          (same)
vcsa          (same)
rpm           (same)
haldaemon     (same)
nscd          (same)
sshd          (same)
rpc           (same)
rpcuser       (same)
nfsnobody     (same)
mailnull      (same)
smmsp         (same)
pcap          (same)
xfs           (same)
ntp           (same)
gdm           (same)

7. Deny all hosts the use of the local INET services
Although services that accept connections to the system should be turned off at this point, to make sure that other possibilities are eliminated, use the following steps to deny all hosts the use of the local INET services:
  1. Log in as root
  2. On the command line, type:
     # vi /etc/hosts.deny
  3. Append the following line to the file:
     all:all
  4. Save and exit the file

8. Configure "HOSTNAME" to specify the user
To identify the Workstation with a specific user, add the "HOSTNAME" as follows:
  1. Log in as root
  2. On the command line, type:
     # vi /etc/sysconfig/network
  3. Append the following line to the file:
     HOSTNAME=<user login>
  4. On the command line, type:
     # vi /etc/hosts
  5. Append the following line to the file:
     <ip address of computer> <user login>
  6. Save and exit the file
9. Configure "syslog.conf" to send logs to the central syslog server
To configure the Workstation to send all syslog information to the LBL central syslog server named syslog.lbl.gov, do the following:
  1. Log in as root
  2. On the command line, type:
     # vi /etc/syslog.conf
  3. Append the following lines to the file:
     # Send copy of logs to central syslog server
     *.* @syslog.lbl.gov
  4. Save and exit the file

2.2.2 EXTRA CONFIGURATIONS

1. Prepare, download and install the "LBL" version of Mozilla
- Remove the current version of Mozilla from the computer:
  1. Log in as root
  2. On the command line, type:
     # yum remove mozilla
- Download the program:
  3. Go to the URL: http://www.lbl.gov/download
  4. In the "Category Index", click on the "Web/E-mail Software" link
  5. Click on "Mozilla 1.4 for Linux" to download the archive LBNL-Mozilla-linux.tar.gz
- Install the program:
  7. Move the downloaded file from the /root/desktop directory to the /usr/local/src/ directory by typing the following at the command prompt:
     # mv /root/desktop/LBNL-Mozilla-linux.tar.gz /usr/local/src/
  8. Go to the /usr/local/src/ directory by typing:
     # cd /usr/local/src/
  9. Decompress the downloaded archive by typing:
     # gunzip LBNL-Mozilla-linux.tar.gz
  10. Untar the file by typing:
     # tar -xvf LBNL-Mozilla-linux.tar
     to create a directory called LBNL-Mozilla-linux
  11. Go into the LBNL-Mozilla-linux directory by typing:
     # cd mozilla-installer
  12. At the command prompt, type:
     # ./mozilla-installer
     to install Mozilla
  13. A "Berkeley Lab Mozilla Installer" menu should appear
  14. Follow the directions to install all the components
  15. When asked to create the /usr/local/mozilla/ directory, click "Yes"
  16. Continue the installation
  17. Once completed, create a soft link to the Mozilla executable by typing:
     # ln -s /usr/local/mozilla/mozilla /usr/bin/mozilla
  18. To run LBL Mozilla Mail, at the command line type:
     # mozilla -mail &
- Create a Mozilla Mail "launcher" icon:
  19. Right-click on the e-mail launcher icon
  20. Click on "Properties"; a launcher properties dialog should appear
  21. On the "Command" line, delete the existing launcher command and replace it with the following:
     /usr/bin/mozilla -mail &
  22. Click "Close" to close the launcher properties

2. Create a desktop launcher for root to add a user
  1. Log in as root
  2. Right-click on the desktop
  3. Highlight "Create Launcher"
  4. In the "Name" field, type "Add User"
  5. In the "Command" field, type "/usr/bin/system-config-users"
  6. Click the "OK" button to complete

2.2.3 METHODS TO TEST RESULT

1. Use "nmap" to compare the open ports
Make sure that all ports are closed, except for port 631 (IPP service) for
network printing capability, by typing:
     # nmap -sS -p 1-65535 -T insane localhost

2. Use "netstat" to compare the processes that are listening
To use "netstat", type the following at the command prompt:
     # netstat -a | grep LISTEN
After a reboot, to see what is still listening, iterate: disable unnecessary programs until the "netstat" list is as clean as possible.

2.3 AUTOMATING CRON FOR SOFTWARE UPDATES
The following is one method of writing a "cron" script to run an automated "yum" package / patch management solution. An output report is appended to a file called "yumresult", located in the "/home/sysadmin/archivedir" directory of the Archive Server machine. This directory is mounted automatically on the "/archivedir/" directory of each Secured Workstation.

2.3.1 CREATE AN NFS ARCHIVE SERVER TO COLLECT CLIENT YUM SOFTWARE UPDATE RESULTS
To create the NFS Archive Server, use an image of the Secured Workstation created above, with the following changes:
  1. Log in as root
  2. Type setup at the command prompt; a setup menu should appear
  3. Highlight the "System services" menu using the arrow keys and press Enter
  4. Using the space bar, un-check the selections for "nfs", "nfslock" and "portmap"
  5. Click on the "OK" button and exit the "setup" menu
  6. Configure the system's hostname to "yumarchiveserver" by typing:
     # hostname yumarchiveserver
  7. Configure the system's domain name to "yumarchiveserver.lbl.gov" by typing:
     # domainname yumarchiveserver.lbl.gov
  8. Reboot the system
  9. Log back in as root
  10. Click on the desktop "Add User" launcher created earlier to add a user
  11. Add "sysadmin" as a user
  12. Log out root, and log back in as "sysadmin"
  13. Create a directory called "archivedir" in the "/home/sysadmin/" directory by typing:
     # mkdir /home/sysadmin/archivedir
  14. Change the permissions of the "archivedir" directory to "777" by typing:
     # chmod 777 /home/sysadmin/archivedir
  15. Add the following line to the "/etc/exports" file:
     /home/sysadmin/archivedir *(rw)
  16. Save and exit the file
Note that the "*" in the exports entry lets every host mount the directory read-write; a host name, IP address or network prefix can be written in its place to limit the export to the Secured Workstations.

2.3.2 USING CROND TO AUTOMATE YUM SOFTWARE UPGRADES
The following steps automate yum software upgrades on a Client Workstation.

- Uninstall the up2date application
  1. Log in as root
  2. At the command prompt, type:
     # yes | yum remove up2date

- Create a script file for "cron" to run "yum" updates
  1. Log in as root
  2. Create an NFS archive mount point "archivedir" in the root directory by typing:
     # mkdir /archivedir
  3. Create a new file in the "/etc/" directory by typing the following at the command prompt:
     # vi /etc/cronyum
  4. Enter the following into the file:

     #!/bin/bash
     # This script mounts an NFS directory located on the archive system onto a
     # temporary directory on the local client machine, runs a yum update, and
     # appends the result to the files "yumresult" and "yumresult_userlist" in
     # the "archivedir" directory on the archive system.

     # mount NFS
     mount -t nfs <ip address of archive server>:/home/sysadmin/archivedir/ /archivedir/
     # sleep 4 minutes (240 seconds)
     sleep 240
     echo " " >> /archivedir/yumresult
     echo "Yum output from host: `hostname`" >> /archivedir/yumresult
     # execute an automatic yum update
     (yes | /usr/bin/yum update) >> /archivedir/yumresult
     # append a line to the server file for acknowledgment
     echo "cron completed at " `date` >> /archivedir/yumresult
     # write a list of hosts that have completed the yum update script
     echo `hostname` " " `date` >> /archivedir/yumresult_userlist
     # unmount the NFS directory from the local client machine
     umount /archivedir

  5. Save the file and exit
  6. Change the permissions of /etc/cronyum to 755 by typing:
     # chmod 755 /etc/cronyum
  7. To activate "cron", type the following at the command prompt:
     # crontab -e
  8. An empty "vi" editor should open
  9. To have yum install updates automatically at 1:30 am every Monday morning, add the following line to the file:
     30 1 * * mon /etc/cronyum
  10. Save and close the file
  11. To start the "cron" service, type the following at the command prompt:
     # service crond start
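The cronyum script leaves two files on the archive server, but nothing in the procedure reads them back. The following added check (not part of the LBL document) does that: it finds runs in "yumresult" that have no "cron completed at" trailer (the yum update or script aborted) and hosts from an administrator-supplied list that never wrote a line to "yumresult_userlist". The file contents and host names are constructed samples, and the expected-host list is an assumption of this script.

```shell
#!/bin/sh
# Added example, not part of the LBL document. Reads the files that
# /etc/cronyum appends to on the archive server. Assumes the formats the
# script writes: a "Yum output from host: <name>" header per run, a
# "cron completed at <date>" trailer on success, and a "<host> <date>"
# line per completed run in yumresult_userlist.

# Constructed sample of yumresult as three workstations would leave it.
# ws-bob's run stopped on a yum error, so it has no "cron completed" line.
SAMPLE_RESULT='
Yum output from host: ws-alice
Setting up Update Process
No Packages marked for Update/Obsoletion
cron completed at  Mon Aug  8 01:30:40 PDT 2005

Yum output from host: ws-bob
Setting up Update Process
Error: Cannot find a valid baseurl for repo: base

Yum output from host: ws-carol
Setting up Update Process
Updated: openssh.i386
cron completed at  Mon Aug  8 01:31:12 PDT 2005'

# Constructed sample of yumresult_userlist (one line per completed run).
SAMPLE_USERLIST='ws-alice   Mon Aug  8 01:30:40 PDT 2005
ws-carol   Mon Aug  8 01:31:12 PDT 2005'

# Hosts the administrator expects to report (assumed list, constructed).
SAMPLE_EXPECTED='ws-alice
ws-bob
ws-carol
ws-dave'

# Print the host of every run block in a yumresult file (stdin) that has no
# "cron completed at" trailer, i.e. whose yum update or script aborted.
incomplete_hosts() {
    awk '
        function flush() { if (host != "" && !done) print host }
        /^Yum output from host: / { flush(); host = $5; done = 0; next }
        /^cron completed at/      { done = 1 }
        END                       { flush() }
    '
}

# Print every host in the expected list ($1) with no line in the
# yumresult_userlist file ($2): it never completed a run, whether the run
# aborted or never started (for example because the NFS mount failed).
missing_hosts() {
    while read -r host; do
        [ -n "$host" ] || continue
        awk -v h="$host" '$1 == h { found = 1 } END { exit !found }' "$2" \
            || echo "$host"
    done < "$1"
}

# Stage the constructed samples in a scratch directory and run both checks.
ARCHIVE=$(mktemp -d)
printf '%s\n' "$SAMPLE_RESULT"   > "$ARCHIVE/yumresult"
printf '%s\n' "$SAMPLE_USERLIST" > "$ARCHIVE/yumresult_userlist"
printf '%s\n' "$SAMPLE_EXPECTED" > "$ARCHIVE/expected_hosts"

echo "Runs without a completion trailer:"
incomplete_hosts < "$ARCHIVE/yumresult"
echo "Expected hosts that never completed a run:"
missing_hosts "$ARCHIVE/expected_hosts" "$ARCHIVE/yumresult_userlist"
```

On the real archive server, point the two functions at /home/sysadmin/archivedir/yumresult and yumresult_userlist and keep the expected-host list under the sysadmin account.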
2.4 ALTERNATIVE CONFIGURATION METHOD

2.4.1 OPEN PORTS TO SELECTIVE HOST SYSTEM CONFIGURATION
If a user requests that port 22 (SSH) be enabled, make sure to configure the hosts.allow and hosts.deny files properly, so that only certain hosts are allowed into the system.

- Turn on sshd (SSH) to open port 22
  1. Log in as root
  2. Type setup at the command prompt; a setup menu should appear
  3. Highlight the "System services" menu using the arrow keys and press Enter
  4. Using the space bar, check the selection for sshd
  5. Click on the "OK" button and exit the "setup" menu
  6. At the command prompt, type:
     # /etc/init.d/sshd start

- Edit the "hosts.allow" and "hosts.deny" files to restrict connections
  1. At the command prompt, type:
     # vi /etc/hosts.allow
  2. Go to the bottom of the file and use the following syntax to restrict access:
     <the service(s) to enable>: <host ip address>
     For example, to enable the "sshd" service for host 192.168.1.3, add the line:
     sshd: 192.168.1.3
     Or, to enable all ports / services for that host, type:
     all: 192.168.1.3
  3. Save the file and exit the editor
  4. Type the following at the command prompt:
     # vi /etc/hosts.deny
  5. At the bottom of the file, add the following line to block all connection requests from unlisted hosts:
     all:all
  6. Save the file and exit the editor
  7. Reboot the system
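The permission table, the account list and the hosts.deny rule above are applied by hand, so drift is easy to miss. The following audit script is an added example, not part of the LBL document: it reports each file whose mode differs from the table in 2.2.1 step 5, each listed account whose login shell is not /sbin/nologin or /dev/null (step 6), and whether hosts.deny carries the all:all rule (step 7 and 2.4.1). It assumes GNU stat, as shipped with CentOS, and a ROOT variable (this script's own convention) that may point at a staged copy of a filesystem.

```shell
#!/bin/sh
# Added audit script, not part of the LBL document. ROOT is an assumption of
# this script: empty means the live system, otherwise a staged copy of the
# filesystem (used for testing without root privileges). Uses GNU stat.
ROOT="${ROOT:-}"

# Recommended permissions, copied from the table in 2.2.1 step 5.
PERM_TABLE='/etc 755
/bin 755
/sbin 755
/var 755
/dev/mem 640
/etc/init.d 755
/etc/xinetd.conf 644'

# Default accounts the document disables in 2.2.1 step 6.
DISABLED_ACCOUNTS='bin daemon adm lp mail news uucp operator games gopher ftp
nobody dbus vcsa rpm haldaemon nscd sshd rpc rpcuser nfsnobody mailnull smmsp
pcap xfs ntp gdm'

# Print "<path> <expected> <actual>" for each entry whose mode differs
# from the table ("missing" when the path does not exist).
check_perms() {
    echo "$PERM_TABLE" | while read -r path mode; do
        if [ ! -e "$ROOT$path" ]; then
            echo "$path $mode missing"
        else
            actual=$(stat -c '%a' "$ROOT$path")
            [ "$actual" = "$mode" ] || echo "$path $mode $actual"
        fi
    done
}

# Print "<login> <shell>" for each listed account whose login shell is
# still something other than /sbin/nologin or /dev/null.
check_accounts() {
    for user in $DISABLED_ACCOUNTS; do
        shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$ROOT/etc/passwd")
        case "$shell" in
            ''|/sbin/nologin|/dev/null) ;;   # absent or already disabled
            *) echo "$user $shell" ;;
        esac
    done
}

# Print "ok" if hosts.deny carries the catch-all rule, otherwise say so.
# tcp_wrappers matches its keywords case-insensitively, hence grep -i.
check_hosts_deny() {
    if grep -Eiq '^[[:space:]]*all[[:space:]]*:[[:space:]]*all' \
            "$ROOT/etc/hosts.deny" 2>/dev/null; then
        echo ok
    else
        echo "hosts.deny lacks all:all"
    fi
}

echo "Permission deviations:";  check_perms
echo "Accounts still enabled:"; check_accounts
echo "hosts.deny:";             check_hosts_deny
```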
2.5 DATA COMPARISONS
The data below are comparisons between a default installed Workstation and the Secured Workstation.

2.5.1 COMPARISON OF ACTIVE SYSTEM SERVICES
The following table compares the system services of a default Workstation with those of a Secured Workstation. "Active Default" shows whether the service is active after a default installation and "Action Taken" the change made by the procedure in 2.2.1 step 4; a dash means not active by default, or no change.

Service              Active Default   Action Taken
NetworkManager       -                -
acpid                activated        -
anacron              activated        deactivate
apmd                 activated        deactivate
atd                  activated        deactivate
autofs               activated        -
bluetooth            -                -
chargen              -                -
chargen-udp          -                -
cpuspeed             activated        deactivate
crond                activated        -
cups                 activated        -
cups-config-daemon   activated        deactivate
cups-lpd             -                -
daytime              -                -
daytime-udp          -                -
diskdump             -                -
echo                 -                -
echo-udp             -                -
eklogin              -                -
gpm                  activated        deactivate
gssftp               -                -
haldaemon            activated        -
iptables             activated        -
irda                 -                -
irqbalance           activated        -
isdn                 activated        deactivate
klogin               -                -
krb5-telnet          -                -
kshell               -                -
kudzu                activated        -
mdmonitor            activated        deactivate
mdmpd                -                -
messagebus           activated        -
microcode_ctl        activated        -
netdump              -                -
netfs                activated        deactivate
netplugd             -                -
network              activated        -
nfs                  -                -
nfslock              activated        deactivate
nscd                 -                -
ntpd                 -                -
pcmcia               activated        deactivate
portmap              activated        deactivate
psacct               -                -
rawdevices           activated        deactivate
readahead            activated        deactivate
readahead_early      activated        deactivate
rhnsd                -                -
rpcgssd              activated        deactivate
rpcidmapd            activated        deactivate
rpcsvcgssd           activated        deactivate
rsync                -                -
saslauthd            -                -
sendmail             activated        -
smartd               activated        -
spamassassin         -                -
sshd                 activated        deactivate
syslog               activated        deactivate
time                 -                -
time-udp             -                -
vncserver            -                -
winbind              -                -
xfs                  activated        -
xinetd               activated        deactivate
ypbind               -                -
yum                  -                -

2.5.2 COMPARISON RESULT OF NMAP
There are several methods to test the result of the Secured Workstation. One is to use NMAP, a free port scanner designed to detect open ports on a target computer; here it determines which service ports are open on the localhost. The NMAP results for the default Workstation and the Secured Workstation, run as follows, are shown below:
     # nmap -sS -p 1-65535 -T insane localhost
[Figure: nmap output. Left panel: Default CentOS Workstation. Right panel: Secured CentOS Workstation.]
Note that all service ports except port 631, the Internet Printing Protocol (IPP) service, are closed on the Secured Workstation image. This compares with the default Workstation, where port 22 (SSH), port 25 (SMTP), port 111 (rpcbind), port 631 (IPP) and port 32769 (status) are open. The result shows that the Secured Workstation, with fewer ports open, has a much smaller exposure to security vulnerabilities.

2.5.3 COMPARISON RESULT OF NETSTAT
Using NETSTAT in the following form:
     # netstat -a | grep LISTEN
shows what is still listening after a reboot. Below is a comparison of the listening services after reboot on the default and the Secured Workstation:
[Figure: netstat output, Default CentOS Workstation.]
[Figure: netstat output, Secured CentOS Workstation.]

2.5.4 DEFAULT WORKSTATION PACKAGE SELECTION
Below is a list of the package groups installed for the default Workstation setup.

Package Group                       Installed    # of Packages Installed
Desktops
  X Window System                   Installed    38 out of 42
  GNOME Desktop Environment         Installed    41 out of 42
  KDE (K Desktop Environment)                    0 out of 14
Applications
  Editors                           Installed    2 out of 5
  Engineering and Scientific                     0 out of 7
  Graphical Internet                Installed    6 out of 10
  Text-based Internet               Installed    4 out of 4
  Office/Productivity               Installed    6 out of 9
  Sound and Video                   Installed    12 out of 16
  Authoring and Publishing                       0 out of 12
  Graphics                          Installed    11 out of 13
  Games and Entertainment                        0 out of 1
Servers
  Server Configuration Tools                     0 out of 12
  Web Server                                     0 out of 20
  Mail Server                                    0 out of 12
  Windows File Server                            0 out of 3
  DNS Name Server                                0 out of 3
  FTP Server                                     0 out of 1
  PostgreSQL Database                            0 out of 16
  MySQL Database                                 0 out of 14
  News Server                                    0 out of 1
  Network Servers                                0 out of 13
  Legacy Network Server                          0 out of 9
Development
  Development Tools                 Installed    55 out of 71
  X Software Development            Installed    16 out of 18
  GNOME Software Development        Installed    30 out of 30
  KDE Software Development                       0 out of 20
  Legacy Software Development                    0 out of 5
System
  Administration Tools              Installed    11 out of 12
  System Tools                                   0 out of 33
  Printing Support                  Installed    11 out of 12
Miscellaneous
  Everything
  Minimal