RedHat 7.3 security tweaks


chkconfig --del <service> for each of: kudzu, identd, isdn, lpd, xfs, rhnsd, ipchains

/etc/fstab:

	comment out /dev/shm entry, unmount /dev/shm if mounted

/etc/X11/XF86Config-4:

	comment out FontPath entry if it contains port 7100 reference

/etc/mail/sendmail.mc:

	comment out accept_unresolvable_domains, then regenerate the config:
	m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
	On non-servers, put the two lines "DAEMON=no" and "QUEUE=15m" into /etc/sysconfig/sendmail

/etc/ntp.conf:

	add all CIS and SEAS ntp servers, comment out server, fudge, broadcastdelay
	add server lines: ntp-server-{1,2}.cis.upenn.edu, ntp-server-{1,2,3}.upenn.edu
	set date manually first, then start ntpd
	for each server, look up its IP address and add a restrict line for it:
		restrict <server IP> mask 255.255.255.255 nomodify notrap noquery

/etc/sysconfig/iptables:

	make config for SSH from specific servers, NTP, DNS,
	internal interfaces (if not set on initial installation), default DENY,
	allow clients outgoing and ESTABLISHED incoming (allow NEW identd for
	access to servers where tcp_wrappers is so configured)
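	The ruleset described above, as an added example that is not part of the
	original checklist: it emits /etc/sysconfig/iptables in iptables-restore
	format (default DROP, SSH only from listed admin hosts, NTP from listed
	servers, replies back in via the state match, NEW identd). It assumes the
	ip_conntrack state match is available (it is on the RedHat 7.3 2.4 kernel);
	all hosts and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original checklist): generate the ruleset described
# above in the iptables-restore format that /etc/sysconfig/iptables uses.
# Policy: default DROP on INPUT/FORWARD, everything out, replies back in via the
# state match (needs ip_conntrack, present on the RedHat 7.3 2.4 kernel), SSH only
# from the listed admin hosts, NTP from the listed servers, NEW identd for
# tcp_wrappers-protected servers. All addresses below are constructed placeholders.

# gen_iptables_rules "<admin ssh hosts>" "<internal iface or empty>" "<ntp servers>"
gen_iptables_rules() {
    admin_hosts=$1
    internal_if=$2
    ntp_servers=$3
    echo '*filter'
    echo ':INPUT DROP [0:0]'          # default DENY
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'       # clients may go out freely
    echo '-A INPUT -i lo -j ACCEPT'
    # replies to our own connections (DNS, NTP, outgoing TCP) come back in here
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    if [ -n "$internal_if" ]; then
        echo "-A INPUT -i $internal_if -j ACCEPT"      # trusted internal interface
    fi
    for h in $admin_hosts; do                           # SSH only from admin hosts
        echo "-A INPUT -p tcp -s $h --dport 22 -m state --state NEW -j ACCEPT"
    done
    for s in $ntp_servers; do                           # ntpd peers: udp/123 both ways
        echo "-A INPUT -p udp -s $s --sport 123 --dport 123 -j ACCEPT"
    done
    # identd lookups from servers running tcp_wrappers with ident checks
    echo '-A INPUT -p tcp --dport 113 -m state --state NEW -j ACCEPT'
    echo 'COMMIT'
}

# Usage on the host (constructed addresses):
#   gen_iptables_rules "192.0.2.10 192.0.2.11" eth1 "198.51.100.5" > /etc/sysconfig/iptables
#   service iptables restart
```

	Review the generated file before loading it, and keep a console session open
	when restarting iptables so a wrong rule does not lock you out over SSH.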

/etc/sysconfig/network-scripts/ifcfg-*:

	make sure these are all good, confirm labeling on interfaces (PLEASE)

/etc/nsswitch.conf:

	sed -e 's/ nisplus//g' (drop nisplus from every line), change publickey to files only,
	remove lingering "[NOTFOUND=return]" from bootparams

/etc/hosts:

	update all internally significant entries (e.g. admin subnet)

security patches (!):

	ftp://redhat.seas.upenn.edu:/pub/mirrors/redhat-updates/7.3/en/os/*

	[NB: For those reaching this page from outside of Penn, please be
	 aware that the above site has flow control for non-Penn clients.
	 You would be better off using RedHat's Site --widyono]

/etc/inittab:

	add this line (/dev/console might not work -- need to confirm; this is
	probably necessary due to console redirection in BIOS)

	~:S:wait:/sbin/sulogin /dev/console

/etc/sysconfig/init:

	change PROMPT=yes to PROMPT=no (if physical access is public)

Download, Install, and Configure Tripwire

logging:
	add /var/log/auth to list in /etc/logrotate.d/syslog
	add "auth.*   /var/log/auth" to /etc/syslog.conf
	add "auth.none;" to the /var/log/messages selector in /etc/syslog.conf
	add "*.*   @management_node" to /etc/syslog.conf
	killall -HUP syslogd

/etc/logrotate.d/syslog on management node:
	notifempty
	sharedscripts
	postrotate
		/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
	endscript
	/var/log/messages {
		compress
	}
	/var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
		nocompress
	}

REBOOT