Stripping CentOS 5.6
Intro
The default CentOS 5.6 install is intended to serve a broad general purpose. Hence it not only leaves you with a bloated system, it also increases the chance of security weaknesses: every package and daemon you never use is still attack surface that has to be patched.
This guide provides a copy-and-paste hardening and stripping walk-through for CentOS 5.6, so you'll end up with something usable as a general purpose server. It will cut out fancy stuff like smart-card readers, graphical (X) things, support for the OpenMP framework, printing and so on...
It assumes a freshly installed machine without any packages added during install (so deselect the Gnome package group).
Cut out the fat
Groups
The basic install contains a number of generic package groups that are useless on an internet server (remove the -y if you want to give some of them a second thought):
yum -y groupremove "Dialup Networking Support"
yum -y groupremove "Network Servers"
yum -y groupremove "Text-based Internet"
yum -y groupremove "System Tools"
Now you can (should) install screen:
yum -y install screen
If you're happy enough with nano, and don't need vi:
yum -y groupremove Editors
Individual RPMs
The following kicks out a big list of more or less useless RPMs.
rpm -ev libpng cairo cups-libs gtk2 pango GConf2 trousers libwnck notification-daemon libnotify ecryptfs-utils
rpm -ev libXau libXext libX11 libXrender libXrandr libXi libXinerama libXres libXfixes libXcursor startup-notification libXft
rpm -ev libSM rmt pcsc-lite pcsc-lite-libs bluez-libs dump ccid ifd-egate coolkey
rpm -ev jwhois udftools talk rdate unix2dos mtools hicolor-icon-theme syslinux mkbootdisk
rpm -ev pam_pkcs11 irda-utils freetype dosfstools wireless-tools ibmasm finger dos2unix wpa_supplicant ypbind pcmciautils fontconfig yp-tools rhpl
rpm -ev nfs-utils nfs-utils-lib portmap autofs
If it turns out some needed RPMs (NFS client, autofs, ...) were removed in this process, just reinstall them (you know what you are doing, right?). Better that than to carry on with unneeded stuff...
Now is a good time to reboot your system to see what happens...
Disabling services
Daemons
Check what daemons will be started by default:
chkconfig --list | grep :on
Depending on your taste, kick out what you don't need. I usually go for:
chkconfig rawdevices off
chkconfig iscsi off
chkconfig iscsid off
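The grep above shows everything that starts at boot; what you really want to know is which services are on in the runlevels you boot into that you did not explicitly decide to keep. The following shell functions, an added example and not part of the original guide, parse `chkconfig --list` output and print the services enabled in a given runlevel that are not on an allow list. The sample output is constructed for the example; on a real host you would feed the functions the output of `chkconfig --list` instead.

```shell
#!/bin/sh
# Added example: audit chkconfig output for services enabled in a runlevel
# that are not on an explicit allow list. Not part of the original guide.

# Constructed sample of `chkconfig --list` output (not captured from a real host).
# Field 1 is the service name, fields 2..8 are "N:on"/"N:off" for runlevels 0..6.
SAMPLE_CHKCONFIG='crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
iscsi           0:off   1:off   2:off   3:on    4:on    5:on    6:off
iscsid          0:off   1:off   2:off   3:on    4:on    5:on    6:off
rawdevices      0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
yum-updatesd    0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        rsync:  off'

# enabled_services RUNLEVEL
# Reads chkconfig output on stdin and prints the services that are "on" in
# RUNLEVEL. Runlevel N lives in field N+2; the xinetd section has fewer
# fields and is skipped.
enabled_services() {
    awk -v rl="$1" 'NF >= 8 && $(rl + 2) == rl ":on" { print $1 }'
}

# unexpected_services CHKCONFIG_TEXT RUNLEVEL ALLOWED...
# Prints, one per line, every service enabled in RUNLEVEL whose name is not
# among the ALLOWED names. Exits 0 when nothing unexpected is enabled.
unexpected_services() {
    text="$1"; rl="$2"; shift 2
    allowed=" $* "
    found=0
    for svc in $(printf '%s\n' "$text" | enabled_services "$rl"); do
        case "$allowed" in
            *" $svc "*) ;;            # explicitly allowed, keep quiet
            *) echo "$svc"; found=1 ;;
        esac
    done
    return $found
}

# Stand-alone usage against the constructed sample: what is on in runlevel 3
# besides crond and sshd? On a live box use: unexpected_services "$(chkconfig --list)" 3 crond sshd
unexpected_services "$SAMPLE_CHKCONFIG" 3 crond sshd
```

Keep the allow list short and deliberate: anything the audit prints is either a service to switch off with `chkconfig <name> off`, or a service you consciously add to the list.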
yum-updatesd
Disabling yum-updatesd and replacing it with a simple cron job is simply a good idea. You save a bunch of resident memory and you get what you really need:
chkconfig yum-updatesd off
/etc/init.d/yum-updatesd stop
Create a file /etc/cron.daily/yum.cron with:
#!/bin/sh
/usr/bin/yum -R 120 -e 0 -d 0 -y update yum
/usr/bin/yum -R 10 -e 0 -d 0 -y update
Followed by:
chmod +x /etc/cron.daily/yum.cron
At this point you might also want to do an upgrade manually:
yum -y update
Remove SELinux stuff (optional)
You weren't going to maintain that SELinux policy for the rest of your server's lifetime, were you?
In the file /etc/selinux/config, change the SELINUX= line to:
SELINUX=disabled
A reboot now will disable that memory-consuming restorecond daemon.
Network: IPv6
Disable IPv6 while you still can. Create a file /etc/modprobe.d/ipv6 containing:
install ipv6 /bin/true
The ip6tables are also no longer needed:
chkconfig ip6tables off
Filesystem
It's a good idea to use restrictive mount flags on your partitions where possible. For example /var can be mounted with the nosuid flag, whereas /tmp and /var/tmp can be mounted with nosuid,noexec,nodev (worth the nuisance, really!): world-writable directories are where dropped files tend to end up, and these flags stop them from being executed or used as device nodes.
Your /etc/fstab might look like:
/dev/VolGroup00/root    /           ext3    defaults                                               1 1
/dev/VolGroup00/usr     /usr        ext3    defaults                                               1 2
/dev/VolGroup00/var     /var        ext4    defaults,nosuid                                        1 2
LABEL=/boot             /boot       ext3    defaults,nosuid,noexec,nodev                           1 2
tmpfs                   /tmp        tmpfs   defaults,nosuid,noexec,nodev,size=2500m,nr_inodes=1m   1 2
tmpfs                   /var/tmp    tmpfs   defaults,nosuid,noexec,nodev,bind                      1 2
tmpfs                   /dev/shm    tmpfs   defaults,nosuid,noexec,nodev                           0 0
devpts                  /dev/pts    devpts  gid=5,mode=620                                         0 0
sysfs                   /sys        sysfs   defaults                                               0 0
proc                    /proc       proc    defaults                                               0 0
/dev/VolGroup00/swap    swap        swap    defaults                                               0 0
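An fstab is easy to get subtly wrong (one option missing on one line), and a mount can also be remounted later without the flags, so it pays to check both the file and what is actually mounted. The following shell functions are an added example, not part of the original guide: they parse fstab-style lines (the same four-column layout that /proc/mounts uses) and report every nosuid/noexec/nodev option missing from /tmp, /var/tmp and /dev/shm. The sample fstab is constructed for the example, with /var/tmp deliberately lacking noexec so the audit has something to report.

```shell
#!/bin/sh
# Added example: audit fstab (or /proc/mounts) for the restrictive mount
# options the guide recommends on world-writable filesystems.
# Not part of the original guide.

# Constructed sample fstab, modelled on the guide's layout; the /var/tmp
# entry is missing noexec on purpose.
SAMPLE_FSTAB='/dev/VolGroup00/root / ext3 defaults 1 1
/dev/VolGroup00/var /var ext3 defaults,nosuid 1 2
tmpfs /tmp tmpfs defaults,nosuid,noexec,nodev,size=2500m 0 0
tmpfs /var/tmp tmpfs defaults,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs defaults,nosuid,noexec,nodev 0 0
proc /proc proc defaults 0 0'

# has_opt MOUNTPOINT OPTION
# Reads fstab/mounts text on stdin; exits 0 if the entry for MOUNTPOINT lists
# OPTION in its comma-separated option field, 1 otherwise (including when
# there is no entry at all, which is itself a finding: nothing restricts it).
has_opt() {
    awk -v mp="$1" -v opt="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }      # skip comments and junk
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# missing_opts TEXT
# Prints "mountpoint option" for each required option absent from TEXT,
# one per line; exits 0 when nothing is missing.
missing_opts() {
    text="$1"
    rc=0
    for mp in /tmp /var/tmp /dev/shm; do
        for opt in nosuid noexec nodev; do
            if ! printf '%s\n' "$text" | has_opt "$mp" "$opt"; then
                echo "$mp $opt"
                rc=1
            fi
        done
    done
    return $rc
}

# audit_live: same check against what is mounted right now, so a remount
# without the flags (or /tmp never having been split off the root fs) shows up.
audit_live() {
    missing_opts "$(cat /proc/mounts)"
}

# Stand-alone usage against the constructed sample.
missing_opts "$SAMPLE_FSTAB"
```

Run `audit_live` after every reboot or fstab edit; an empty result means every one of the three directories is mounted with all three flags, and any line it prints names exactly which flag to add back.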
Please do comment your feedback or suggestions.
