Fix the permissions under “/etc/rc.d/init.d” directory for script files
Fix the permissions of the script files that are responsible for starting and stopping all your normal processes that need to run at boot time.
[root@deep /]# chmod -R 700 /etc/rc.d/init.d/*
This means that only root is allowed to read, write, and execute the script files in this directory. I don’t think regular users need to know what’s inside those script files.
NOTE: If you install a new program or update a program that uses a System V init script located under the “/etc/rc.d/init.d/” directory, don’t forget to change or verify the permissions of this script file again.
The “/etc/rc.d/rc.local” file
By default, when you log in to a Linux box, it tells you the Linux distribution name, version, kernel version, and the name of the server. This is giving away too much info. We’d rather just prompt users with a “Login:” prompt.
Step 1
To do this, edit the “/etc/rc.d/rc.local” file and place “#” in front of the following lines as shown:
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
Step 2
Then, remove the following files: “issue.net” and “issue” under “/etc” directory:
[root@deep /]# rm -f /etc/issue
[root@deep /]# rm -f /etc/issue.net
NOTE: The “/etc/issue.net” file is the login banner that users will see when they make a networked (i.e. telnet, SSH) connection to your machine. You will find it in the “/etc” directory, along with a similar file called “issue”, which is the login banner that gets displayed to local users. It is simply a text file and can be customized to your own tastes, but be aware that as noted above, if you do change it or remove it like we do, you’ll also need to modify the “/etc/rc.d/rc.local” shell script, which re-creates both the “issue” and “issue.net” files every time the system boots.
Bits from root-owned programs
A regular user will be able to run a program as root if it is set to SUID root. All programs and files on your computer with the ’s’ bit appearing in their mode have the SUID (-rwsr-xr-x) or SGID (-r-xr-sr-x) bit enabled. Because these programs grant special privileges to the user who is executing them, it is important to remove the ’s’ bits from root-owned programs that do not absolutely require such privilege. This can be accomplished by executing the command “chmod a-s” with the name(s) of the SUID/SGID files as its arguments.
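An audit along the lines of the paragraph above, as an added example that is not part of the original page: it lists SUID/SGID files under a directory, compares them with an allow-list, and runs “chmod a-s” on the rest. The function names, the allow-list file format and the scratch tree it builds are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit SUID/SGID files against
# an allow-list and strip the 's' bits from everything else with "chmod a-s".
# Paths containing newlines are not supported by this line-based version.

# list_suid_sgid DIR: print regular files under DIR with SUID or SGID set.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# unexpected_suid_sgid DIR ALLOWLIST: print the files that are not listed in
# ALLOWLIST (one absolute path per line; '#' comment lines never match a path).
unexpected_suid_sgid() {
    list_suid_sgid "$1" | while IFS= read -r f; do
        grep -Fxq -- "$f" "$2" || printf '%s\n' "$f"
    done
}

# strip_unexpected DIR ALLOWLIST: remove the bits from unexpected files only.
strip_unexpected() {
    unexpected_suid_sgid "$1" "$2" | while IFS= read -r f; do
        chmod a-s -- "$f" && printf 'removed s bits: %s\n' "$f"
    done
}

# make_sample_tree: build a constructed scratch tree (no real system files)
# with two SUID files, one SGID file and one plain file; print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin"
    for n in passwd ping wall ls; do : > "$d/bin/$n"; chmod 755 "$d/bin/$n"; done
    chmod u+s "$d/bin/passwd" "$d/bin/ping"
    chmod g+s "$d/bin/wall"
    # Constructed allow-list: only "passwd" is judged to need its privilege.
    printf '# keep these\n%s\n' "$d/bin/passwd" > "$d/allow.txt"
    printf '%s\n' "$d"
}

# Demo: run as "sh suid_audit.sh demo" to exercise the functions on the tree.
if [ "${1:-}" = "demo" ]; then
    tree=$(make_sample_tree)
    unexpected_suid_sgid "$tree/bin" "$tree/allow.txt"
    strip_unexpected "$tree/bin" "$tree/allow.txt"
    rm -rf "$tree"
fi
```

On a real system, review the output of unexpected_suid_sgid before running strip_unexpected, since the allow-list decides which programs keep their privilege.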