Security review checklist
The baseline for the notes below is a default Scientific Linux 3.04 installation.
See also: LinuxSecurityNotes.
1. General
Secure root password selected
Shadow passwords enabled (on debian: shadowconfig on)
Firewall activated, with incoming access for required services only
Check running services (chkconfig --list)
No unsecured Telnet or FTP access
Security updates automatically checked and applied
All accounts with non-trivial passwords (how to check?)
Restrict remote access to selected accounts (use AllowGroups in sshd.conf)
Install SshBlack: see
![[WWW]](/wiki/modern/img/moin-www.png)
http://wiki.oss-watch.ac.uk/InstallingSshblack [[[TODO: Disable login to root account]]]
[[[TODO: Enable SELinux controls for external services]]]
2. Apache httpd
httpd installed to run using a non-root account (apache)
CGI processes run in separate non-apache accounts (via suexec)
/var/www/html/... files ownership apache:apache.
3. Restricting SSH access
add the following directive to /etc/ssh/sshd_config:
AllowGroups remote
Create a new group called remote, it it doesn't already exist:
groupadd -r remote
The -r flag here is optional, and creates a "system" group (gid less than 1024).
edit the file /etc/group, locate the entry for group remote, and add the accounts for which remote access is to be permited as members; e.g.
remote:x:555:tom,dick,harry,bioimage
Check that file /etc/group is writeable only by the root user; e.g.
# ls -al /etc/group -rw-r--r-- 1 root root 779 Jan 4 10:48 /etc/group
-- GrahamKlyne 2005-05-12 14:19:59