A virtual file can present information from the kernel to the user and also serve as a means of sending information from the user to the kernel. Note the series of numbered files on the left. Each of these is a directory representing a process in the system. Running ls on one of those directories lists the files it contains.
For more information, see Kernel Tunable Security Parameters.
Virtual Address Space Randomization:
I highly recommend the book SELinux:
It is highly recommended not to run these services.
Due to the high risk, this guide does not cover these services. You should have detailed knowledge of what is on your system. If you do, you will have fewer packages to update and maintain when security alerts and patches are released.
Also, it is good practice not to have development packages, desktop software packages e. One of the first action items should be to create a Linux image that contains only the RPMs needed by the applications and for maintenance and troubleshooting purposes.
A good approach is to start with a minimum list of RPMs and then add packages as needed. It may be time-consuming but is worth the effort. To get a list of all installed RPMs you can use the following command:
Patching Linux Systems
Building an infrastructure for patch management is another very important step in proactively securing Linux production environments.
It is recommended to have a written security policy and procedure to handle Linux security updates and issues. For example, a security policy should detail the timeframe for assessment, testing, and rollout of patches. Network related security vulnerabilities should get the highest priority and should be addressed immediately within a short timeframe.
For example, a security procedure should detail the process for assessment, testing, and rollout of patches. The assessment phase should occur within a testing lab, and the initial rollout should occur on development systems first. A separate security log should detail which Linux security notices have been received, when patches have been researched and assessed, when patches have been applied, etc.
Detecting Listening Network Ports
One of the most important tasks is to detect and close network ports that are not needed. On all newer Red Hat Linux distributions sendmail is configured to listen for local connections only. Sendmail should not listen for incoming network connections unless the server is a mail or relay server.
Running a port scan from another server will confirm that (make sure that you have permission to probe the machine): The ports scanned but not shown below are in state: If you omit the UDP port scan (the "-U" option), nmap will finish the port scan much faster.
If you run it on the local machine it will also complete very fast. Also note that nmap might not show all listening network sockets if a firewall is being used to block ports.
From the output above you can see that the xinetd daemon is listening on the auth port (IDENT); for more information on this service, see below. You can also see that sendmail is not listening for remote incoming network connections; see also Securing Sendmail.
On Red Hat systems you can list all services which are started at bootup using the following command: This service is only run during the boot process. Ensure that you do not disable runlevel services that are needed for the system to run smoothly.
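Added example, not from the original guide: a small shell/awk filter in the spirit of the listening-ports check above, which reports sockets that listen on a non-loopback address and are not on an allowlist. The netstat-style sample output and the allowlist containing only port 22 are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): flag listening sockets that are
# reachable from the network and not on an allowlist, from netstat-style output.

# Constructed sample in the layout of `netstat -tulpn`; not captured from a real host.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/sendmail
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      877/xinetd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      877/xinetd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           655/portmap'

# Ports this server is meant to expose (assumption: a host that only needs ssh).
ALLOWED_PORTS="22"

# unexpected_listeners NETSTAT_OUTPUT ALLOWED_PORTS
# Prints "proto port program" for each socket bound to a non-loopback address
# whose port is not in the allowlist. Loopback-only sockets (e.g. sendmail on
# 127.0.0.1:25) are skipped because they cannot be reached from the network.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            # local address is field 4; the port is the text after the last colon
            n = split($4, addr, ":"); port = addr[n]
            if ($4 ~ /^(127\.[0-9.]+|::1):/) next
            if (port in ok) next
            prog = $NF; sub(/^[0-9]+\//, "", prog)
            print $1, port, prog
        }'
}

unexpected_listeners "$SAMPLE_NETSTAT" "$ALLOWED_PORTS"
```

Each reported line is a service to either disable, bind to 127.0.0.1, or add to the allowlist after confirming that the server really needs it.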
And in the script look for lines that start programs. Now that you have the name of the program started by this service, you can check its manual page by running man atd. This will help you find out more about a system service. To permanently disable e.
To check if xinetd is enabled and running, execute: If xinetd is active, it is important to check which Unix services are active and controlled by xinetd. Here is an example of how to disable a service. Assuming the telnet service is active, run the following commands to disable it and to see how the telnet service entries are being updated: Here is an example of how to find out what a service does.
The steps above should be helpful for finding out more about services.
Securing and Hardening Red Hat Linux Production Systems: A Practical Guide to Basic Linux Security in Production Enterprise Environments (rutadeltambor.com)
Managing Group Access. Linux groups are a mechanism for managing a collection of computer system users. Every Linux user has a unique numerical user ID (UID) and a group ID (GID). The /proc filesystem is a virtual filesystem that permits a novel approach to communication between the Linux kernel and user space. In the /proc filesystem, virtual files can be read from or written to as a means of communicating with entities in the kernel, but unlike regular files, the content of these virtual files is created dynamically.
In a trusted environment it helps a server to identify who is trying to use it. The use of groups in Linux forms the basis of access control on local systems and networks.
If you aren't in the group that controls a specific file, you might not have read or write access to that file. Here we will discuss the handful of ways in which you can add users to groups and grant them access to files.

I know I can assign the permission to write to an owner\group\others like this: chmod u+w myfolder. Can I specify the specific user here? Something like this: chmod username u+w myfolder.

Umask Settings
The umask command can be used to determine the default file creation mode on your system. It is the octal complement of the desired file mode. If files are created without any regard to their permission settings, the user could inadvertently give read or write permission to someone who should not have it.
Give user read/write access to only one directory.
I'm running a server, and I need to give read/write access to a particular directory to a single user. I've tried the following: