Stripping CentOS 5.5


Intro

The default CentOS 5.5 install is meant to serve a broad range of purposes. It therefore not only leaves you with a bloated system, it also widens the attack surface: every unneeded package and daemon is one more place where a security weakness can turn up.

This guide is a copy-and-paste walk-through for hardening and stripping CentOS 5.5. It is not complete, but it will get you started. It assumes a freshly installed machine with no optional packages added during installation.

Cut out the fat

Groups

The basic install contains a number of generic package groups that are useless on an internet server. (Remove the -y if you want to give some of them a second thought before they go.)

yum -y groupremove "Dialup Networking Support"
yum -y groupremove "Network Servers"
yum -y groupremove "Text-based Internet"
yum -y groupremove "System Tools"

Now you can (should) install screen:

yum install screen

If you're happy enough with nano, and don't need vi:

yum groupremove Editors

 Joy Division is just fine! :)

 

Individual RPMs

The following kicks out a big list of more or less useless RPMs. Skip the first line if you need ecryptfs-utils (which pulls in a set of X11-related RPMs) or rely on the text-mode configuration tools (system-config-network-tui or firstboot-tui).

rpm -ev --allmatches  libSM libpng wireless-tools talk unix2dos libjpeg libtiff xorg-x11-filesystem libXi  libXrandr libXt libX11 libXfixes libXxf86vm cairo nfs-utils-lib hicolor-icon-theme poppler-utils trousers ifd-egate oddjob-libs nfs-utils rmt desktop-file-utils jwhois dos2unix libaio   pam_smb libICE  libSM gpm  wireless-tools libX11 libXrender libXfixes libXcursor libXres libXxf86vm libXext libXi libXcursor libXinerama libXt mesa-libGL fontconfig cups-libs libXft gtk2  poppler libwnck notification-daemon libnotify GConf2 pango paps cups startup-notification  redhat-menus-6.7.8-3.el5.noarch oddjob coolkey rhpl ecryptfs-utils dump htmlview  system-config-network-tui firstboot-tui pinfo
rpm -ev libXau-1.0.1-3.1.x86_64 libXdmcp-1.0.1-2.1.x86_64 libevent-1.4.13-1.x86_64 libdrm-2.0.2-1.1.x86_64 libdrm-2.0.2-1.1.i386 libpcap-0.9.4-15.el5.x86_64 libwvstreams-4.2.2-2.1.x86_64 bluez-libs-3.7-1.1.x86_64 libXau-1.0.1-3.1.i386 libXdmcp-1.0.1-2.1.i386 libgssapi-0.10-2.x86_64 
rpm -ev --allmatches  freetype
rpm -ev wpa_supplicant kudzu avahi avahi-compat-libdns_sd irda-utils
rpm -ev portmap ypbind yp-tools autofs

If it turns out that some RPMs you needed were removed in the process (e.g. you want to be an NFS client), just reinstall them (you know what you are doing, right?). Better that than carrying on with unneeded stuff...

Now is a good time to reboot your system to see what happens...

 

Disabling services

Daemons

Check what daemons will be started by default:

chkconfig  --list | grep :on

Depending on your taste, kick out what you don't need. I usually go for:

chkconfig pcscd off 
chkconfig rawdevices off
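The grep :on check above reports a service that is on in any runlevel, and it misses xinetd-based services, whose lines in chkconfig --list have no runlevel columns (they read "rsync:<tab>on"). Here is an added example, not from the original page, that narrows the check to one runlevel and lists xinetd-based services only when xinetd itself is on; the chkconfig output it parses is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original page): list the services chkconfig
# starts in one runlevel, from `chkconfig --list` output on stdin. A plain
# `grep :on` reports a service if it is on in ANY runlevel and misses the
# xinetd-based services, whose lines read "<tab>rsync:<tab>on" and have no
# runlevel columns. Those are listed here only when xinetd itself is on.
#
# Usage: enabled_services RUNLEVEL < chkconfig_output
enabled_services() {
    awk -v rl="$1" '
        /^xinetd based services:/ { in_xinetd = 1; next }
        in_xinetd {
            # line format: "<tab>name:<tab>on|off"
            sub(/^[ \t]+/, "")
            split($0, f, ":")
            state = f[2]; gsub(/[ \t]/, "", state)
            if (xinetd_on && state == "on") print f[1] " (xinetd)"
            next
        }
        NF >= 8 {
            # line format: name 0:off 1:off 2:on 3:on 4:on 5:on 6:off
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[1] == rl && kv[2] == "on") {
                    print $1
                    if ($1 == "xinetd") xinetd_on = 1
                }
            }
        }
    '
}

# Constructed sample of `chkconfig --list` output (not from a real system).
SAMPLE_CHKCONFIG='acpid        0:off 1:off 2:on  3:on  4:on  5:on  6:off
ip6tables    0:off 1:off 2:on  3:on  4:on  5:on  6:off
pcscd        0:off 1:off 2:on  3:on  4:on  5:on  6:off
rawdevices   0:off 1:off 2:off 3:on  4:on  5:on  6:off
restorecond  0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd       0:off 1:off 2:off 3:on  4:on  5:on  6:off
yum-updatesd 0:off 1:off 2:on  3:on  4:on  5:on  6:off
xinetd based services:
	rsync:	on
	tftp:	off'

printf '%s\n' "$SAMPLE_CHKCONFIG" | enabled_services 3
```

On a real box, run chkconfig --list | enabled_services 3 (or 5) and compare the result with the list of daemons you actually want.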

 

yum-updatesd

Disabling yum-updatesd and replacing it with a simple cron job is simply a good idea: you save a bunch of resident memory and still get what you really need, a daily update:

chkconfig yum-updatesd off

Create a file /etc/cron.daily/yum.cron with:

#!/bin/sh
# Wait a random time (up to 120 minutes) so that all your servers do not hit
# the mirrors at once, then quietly (error and debug level 0) update yum itself...
/usr/bin/yum -R 120 -e 0 -d 0 -y update yum
# ...and then, after a short random wait, the rest of the system.
/usr/bin/yum -R 10 -e 0 -d 0 -y update

Followed by:

chmod +x /etc/cron.daily/yum.cron

 

Remove SELinux stuff (optional)

You weren't going to maintain that SELinux policy for the rest of your server's lifetime, were you?

In /etc/selinux/config, change the SELINUX= line to:

SELINUX=disabled

After a reboot the memory-consuming restorecond daemon will no longer be started.

 

Network : IPv6

Disable IPv6 while you still can: create a file /etc/modprobe.d/ipv6 containing:

install ipv6 /bin/true

With IPv6 gone, the ip6tables service is no longer needed either:

chkconfig ip6tables off

 

Filesystem

It's a good idea to use restrictive mount flags on your partitions wherever possible. For example, /var can be mounted with the nosuid flag, whereas /tmp and /var/tmp can be mounted with nosuid,noexec,nodev (worth the occasional nuisance, really!).

Your /etc/fstab might look like:

/dev/VolGroup00/root    /            ext3    defaults                                              1 1
/dev/VolGroup00/usr     /usr         ext3    defaults                                              1 2
/dev/VolGroup00/var     /var         ext4    defaults,nosuid                                       1 2
LABEL=/boot             /boot        ext3    defaults,nosuid,noexec,nodev                          1 2
tmpfs                   /tmp         tmpfs   defaults,nosuid,noexec,nodev,size=2500m,nr_inodes=1m  1 2
/tmp                    /var/tmp     tmpfs   defaults,nosuid,noexec,nodev,bind                     1 2
tmpfs                   /dev/shm     tmpfs   defaults,nosuid,noexec,nodev                          0 0
devpts                  /dev/pts     devpts  gid=5,mode=620                                        0 0
sysfs                   /sys         sysfs   defaults                                              0 0
proc                    /proc        proc    defaults                                              0 0
/dev/VolGroup00/swap    swap         swap    defaults                                              0 0
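To check that an fstab actually carries the flags discussed above (and keeps them after someone edits the file later), here is an added example, not from the original page: a small audit script whose policy (mount point plus required options) is an assumption of the example, run over two constructed fstab samples.

```shell
#!/bin/sh
# Added example (not from the original page): audit an fstab against the
# restrictive mount options recommended above. The policy below is an
# assumption of this example: mount point, then the options it must carry.
FSTAB_POLICY='/var nosuid
/boot nosuid,noexec,nodev
/tmp nosuid,noexec,nodev
/var/tmp nosuid,noexec,nodev
/dev/shm nosuid,noexec,nodev'

# Usage: audit_fstab < /etc/fstab
# Prints one line per missing option or mount point; returns 1 if any, else 0.
audit_fstab() {
    awk -v policy="$FSTAB_POLICY" '
        BEGIN {
            np = split(policy, lines, "\n")
            for (i = 1; i <= np; i++) { split(lines[i], p, " "); mp[i] = p[1]; want[p[1]] = p[2] }
        }
        /^[ \t]*#/ || NF < 4 { next }        # skip comments and blank lines
        ($2 in want) {                       # field 2 = mount point, field 4 = options
            seen[$2] = 1
            nr = split(want[$2], req, ",")
            nh = split($4, have, ",")
            for (i = 1; i <= nr; i++) {
                found = 0
                for (j = 1; j <= nh; j++) if (have[j] == req[i]) found = 1
                if (!found) { print $2 " missing: " req[i]; bad = 1 }
            }
        }
        END {
            for (i = 1; i <= np; i++) if (!(mp[i] in seen)) { print mp[i] " not in fstab"; bad = 1 }
            exit bad
        }
    '
}

# Constructed samples: one laid out like the fstab above, one with /var, /boot
# and /tmp left at defaults and no separate /var/tmp entry.
HARDENED_FSTAB='/dev/VolGroup00/var /var ext3 defaults,nosuid 1 2
LABEL=/boot /boot ext3 defaults,nosuid,noexec,nodev 1 2
tmpfs /tmp tmpfs defaults,nosuid,noexec,nodev,size=2500m 1 2
/tmp /var/tmp tmpfs defaults,nosuid,noexec,nodev,bind 1 2
tmpfs /dev/shm tmpfs defaults,nosuid,noexec,nodev 0 0'
WEAK_FSTAB='/dev/VolGroup00/var /var ext3 defaults 1 2
LABEL=/boot /boot ext3 defaults 1 2
tmpfs /tmp tmpfs defaults 1 2
tmpfs /dev/shm tmpfs defaults,nosuid,noexec,nodev 0 0'

printf '%s\n' "$WEAK_FSTAB" | audit_fstab || echo "fstab needs attention"
```

Running audit_fstab < /etc/fstab from cron gives you a cheap drift check; the non-zero exit status makes it easy to alert on.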

Please leave your feedback or suggestions in the comments.
