Linux Server Build Checklist
From Federal Burro of Information
- The purpose of the server is clear
- Who will use the server / via what ports? What services?
- What software will be installed
- interface configuration is correct
- routing table is correct
- minimal software stack is installed; unneeded packages removed (Bluetooth, GNOME)
- Time services (NTP | PTP)
- Logging services: kern.* to /var/log/kernel.log, plus logrotate
- ssh updated and locked down (no remote root login, no protocol version 1, keys only)
- OpenSSL updated
- kernel updated
- Password policy updated.
- update system working: yum, checking in, registered.
- users defined and locked down.
- service list defined and locked down.
- selinux setup as needed
- iptables / firewall.
Basic default allow + logging iptables (new connections in either direction are logged, rate-limited to 6 per minute):
# Inbound: accept packets belonging to known connections, log anything else
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -m limit --limit 6/min -j LOG --log-prefix "INPUT "
# Outbound: same pattern for traffic leaving the host
/sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "OUTPUT "
- server is monitored properly.
- timestamp in bash history: "export HISTTIMEFORMAT='%F %T '"
- Hardened ( http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf )
- check list: ( http://security.utexas.edu/admin/redhat-linux.html )
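Added audit helper for the "ssh locked down" item above (this is example code written for this page, not part of the original checklist): it reads an sshd_config and reports whether PermitRootLogin, Protocol and PasswordAuthentication carry the values the checklist asks for. It assumes the standard sshd_config keyword/value syntax and does not evaluate Match blocks, so scanning stops at the first Match line; the sample config files are constructed inline.

```shell
#!/bin/sh
# sshd_setting FILE KEYWORD -> prints the effective global value of KEYWORD
sshd_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        { sub(/=/, " ") }                               # accept the "Keyword=value" form
        tolower($1) == "match" { exit }                 # conditional blocks are not evaluated
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins, as in sshd
    ' "$1"
}

# check_sshd_config FILE -> 0 if the three checklist settings are locked down, 1 otherwise
check_sshd_config() {
    rc=0
    root=$(sshd_setting "$1" PermitRootLogin)
    proto=$(sshd_setting "$1" Protocol)
    pw=$(sshd_setting "$1" PasswordAuthentication)
    # An absent directive is reported as well, so a compiled-in default never passes silently
    [ "$root" = "no" ] || { echo "FAIL $1: PermitRootLogin='${root:-unset}' (want no)"; rc=1; }
    [ "$proto" = "2" ] || { echo "FAIL $1: Protocol='${proto:-unset}' (want 2)"; rc=1; }
    [ "$pw" = "no" ]   || { echo "FAIL $1: PasswordAuthentication='${pw:-unset}' (want no)"; rc=1; }
    return "$rc"
}

# Constructed sample configs for a stand-alone run
tmp=$(mktemp -d)
printf 'Protocol 2\nPermitRootLogin no\nPasswordAuthentication = no\n' > "$tmp/good"
printf '# PermitRootLogin no\nProtocol 2,1\nMatch User backup\n PasswordAuthentication no\n' > "$tmp/bad"
if check_sshd_config "$tmp/good"; then echo "PASS $tmp/good"; fi
check_sshd_config "$tmp/bad" || echo "$tmp/bad needs attention"
rm -rf "$tmp"
```

Run it against /etc/ssh/sshd_config on the new box; a commented-out directive or one placed under a Match block is reported as unset rather than trusted.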