General System Security
The value we enter for the variable “TMOUT=” is in seconds and represents 2 hours (60 * 60 = 3600 * 2 = 7200 seconds). It is important to note that if you decide to put the above line in your “/etc/profile” file, then the automatic logout after two hours of inactivity will apply to all users on the system. So, instead, if you prefer to control which users will be automatically logged out and which ones will not, you can set this variable in their individual “.bashrc” file.
After this parameter has been set on your system, you must log out and log in again (as root) for the change to take effect.
The “/etc/exports” file
If you are exporting file systems using the NFS service, be sure to configure the “/etc/exports” file with the most restrictive access possible. This means not using wildcards, not allowing root write access, and mounting read-only wherever possible.
Edit the exports file (vi /etc/exports) and add:
As an example:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
Where “/dir/to/export” is the directory you want to export, host#.mydomain.com is the machine allowed to log in to this directory, the <ro> option means mounting read-only, and the <root_squash> option disallows root write access in this directory.
For this change to take effect you will need to run the following command on your terminal:
[root@deep]# /usr/sbin/exportfs -a
NOTE: Please be aware that having an NFS service available on your system can be a security risk. Personally, I don’t recommend using it.
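To check an existing exports file against the restrictions described above (no wildcards, no root write access, read-only mounts), a small audit function can flag the entries that break them. This is an added example, not part of the original text; the function name audit_exports, the finding labels, and the /srv paths in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an exports file for wildcard hosts, rw and no_root_squash.
# Limitation: backslash-continued lines are not joined before parsing.

audit_exports() {
    _file=$1; _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}                  # strip comments
        set -f; set -- $_line; set +f       # split on whitespace; keep * and ? literal
        [ $# -gt 0 ] || continue            # blank line
        _path=$1; shift
        [ $# -gt 0 ] || set -- "()"         # no client listed: treated as unrestricted
        for _e in "$@"; do
            _client=${_e%%"("*}             # text before the option list
            case $_e in
                *"("*) _opts=${_e#*"("}; _opts=${_opts%")"} ;;
                *)     _opts= ;;
            esac
            _why=
            case $_client in
                "")     _why="$_why no-host-restriction" ;;
                *[*?]*) _why="$_why wildcard-host" ;;
            esac
            case ",$_opts," in *,rw,*)             _why="$_why rw" ;; esac
            case ",$_opts," in *,no_root_squash,*) _why="$_why no_root_squash" ;; esac
            if [ -n "$_why" ]; then
                printf '%s %s:%s\n' "$_path" "${_client:-<any>}" "$_why"
                _bad=1
            fi
        done
    done < "$_file"
    return "$_bad"                          # 0 = clean, 1 = findings printed
}

# Constructed sample: the first two lines follow the text's example, the rest are bad.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
/srv/scratch   *.mydomain.com(rw,no_root_squash)   # constructed bad entry
/srv/pub       (ro)
EOF
audit_exports "$sample" || echo "review the entries listed above"
rm -f "$sample"
```

Run it against the real file with audit_exports /etc/exports; only options written explicitly in an entry are checked.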
Disabling console program access
In a safe environment where we are sure that the console is secured, because passwords for BIOS and LILO are set and all physical power and reset switches on the system are disabled, it may be advantageous to entirely disable all console-equivalent access to programs like shutdown, reboot, and halt for regular users on your server.
To do this, run the following command:
[root@deep /]# rm -f /etc/security/console.apps/<servicename>
Where <servicename> is the name of the program to which you wish to disable console-equivalent access. Unless you use xdm, however, be careful not to remove the xserver file or no one but root will be able to start the X server. (If you always use xdm to start the X server, root is the only user that needs to start X, in which case you might actually want to remove the xserver file).
As an example:
[root@deep /]# rm -f /etc/security/console.apps/halt
[root@deep /]# rm -f /etc/security/console.apps/poweroff
[root@deep /]# rm -f /etc/security/console.apps/reboot
[root@deep /]# rm -f /etc/security/console.apps/shutdown
[root@deep /]# rm -f /etc/security/console.apps/xserver (if removed, root will be the only user able to start X).
This will disable console-equivalent access to the programs halt, poweroff, reboot, and shutdown. Once again, the xserver program applies only if you have installed the Xwindow interface on your system.