15.3. Security Levels in Details

Here we review the details of the three security levels: Lax, Moderate and Paranoid used in the security level settings either during the install or afterwards using BastilleChooser.

15.3.1. Workstation Configuration

15.3.1.1. Lax Security Level

  • No firewalling

  • Disables SUID status to the news server tools and DOSEMU

  • Setup password aging -- old unused accounts will be disabled, though the owners will be warned

  • Password protects single-user mode

  • Applies limits to any one program/user's resource usage, to block Denial of Service attacks.

  • Configures additional logging

  • Deactivate the DHCP Server daemon

  • Disable the SNMP daemons

  • Disable the VRFY/EXPN data mining commands in Sendmail

  • Deactivate the DNS server

  • Deactivate the Apache server

  • Deactivate Apache Server Side Includes (SSI)

  • Set umask to 022

  • Set security level to 2

  • Apply file permission level 2

  • Restrict "." from the PATH variable

  • Deactivate telnet

  • Deactivate ftp

  • Activate security checks

15.3.1.2. Moderate Security Level

  • Moderate firewalling

  • Disables SUID status to dump, restore, cardctl, rsh, rlogin and rcp

  • Disables SUID status to the news server tools and DOSEMU

  • Disables rsh/rlogin access to this machine

  • Sets up password aging -- old unused accounts will be disabled, though the owners will be warned

  • Password protects single-user mode

  • Applies limits to any one program/user's resource usage, to block Denial of Service attacks.

  • Configures additional logging

  • Deactivates the APMd daemon

  • Disables NFS and Samba

  • Disables GPM

  • Deactivates the DHCP Server daemon

  • Disables the SNMP daemons

  • Deactivates Sendmail's network listening mode, so this WORKSTATION doesn't operate as a mail server

  • Disables the VRFY/EXPN data mining commands in Sendmail

  • Deactivates the DNS server

  • Deactivates the Apache server

  • Deactivates the Apache Server Side Includes (SSI)

  • Sets umask to 022

  • Sets security level to 3

  • Applies file permission level 3

  • Restricts "." from the PATH variable

  • Deactivates telnet

  • Deactivates ftp

  • Disables FTP's anonymous mode capability

  • Activates security checks

  • Applies TMPDIR protection

15.3.1.3. Paranoid Security Level

  • Tight firewalling

  • Disables SUID status to mount, umount, ping, at, usernetctl, and traceroute

  • Disables SUID status to dump, restore, cardctl, rsh, rlogin and rcp

  • Disables SUID status to the news server tools and Disables SUID status to the news server tools and DOSEMU

  • Disables rsh/rlogin access to this machine

  • Restricts use of cron to root account

  • Disables the pcmcia startup script

  • Sets up password aging -- old unused accounts will be disabled, though the owners will be warned

  • Password protects single-user mode

  • Applies limits to any one program/user's resource usage, to block Denial of Service attacks.

  • Configures additional logging

  • Deactivates the APMd daemon

  • Disables NFS and Samba

  • Disables GPM

  • Deactivates the DHCP Server daemon

  • Disables the SNMP daemons

  • Deactivates Sendmail's network listening mode, so this WORKSTATION doesn't operate as a mail server

  • Disables the VRFY/EXPN data mining commands in Sendmail

  • Deactivates the DNS server

  • Deactivates the Apache server

  • Deactivates the Apache Server Side Includes (SSI)

  • Deactivates the Apache Server follow-symbolic links behavior

  • Deactivates the Apache Server CGI's

  • Deactivates all remaining daemons, with the exception of crond, syslog, keytable, network, gpm, xfs and pcmcia

  • Sets umask to 077

  • Sets security level to 4

  • Applies file permission level 4

  • Restricts "." from the PATH variable

  • Deactivates telnet

  • Deactivates ftp

  • Disables FTP's anonymous mode capability

  • Disables FTP's user mode capability

  • Activates security checks

  • Applies TMPDIR protection

15.3.2. Server Configuration

The server configurations include three security levels. They start with the following major servers turned off: DNS, Mail, web, FTP and DHCP. And then modify them, based on which of the five major server types the user asks for.

15.3.2.1. Lax Security Level

  • No firewalling

  • Disables SUID status from dump/restore, cardctl, dosemu, news server programs

  • Enforces password aging

  • Password protects single user mode

  • Adds additional logging

  • Disables apmd, NFS, Samba, pcmcia, DHCP server, news server, routing daemons, NIS, SNMPD

  • Disables VRFY/EXPN data mining commands in sendmail

  • Deactivates named (dns)

  • Deactivates apache (web)

  • Deactivates apache Server Side Includes (SSI)

  • Sets umask to 022

  • Sets security level to 2

  • Applies file permission level 2

  • Deactivates telnet

  • Deactivates ftp

  • Activates security checks

15.3.2.2. Moderate Security Level

  • Moderate firewalling

  • Disables SUID status from dump/restore, cardctl, dosemu, news server programs

  • Disables SUID status from rsh, rlogin

  • Disables rhost-based authentication

  • Enforces password aging

  • Password protects single user mode

  • Adds additional logging

  • Disables apmd, NFS, Samba, pcmcia, DHCP server, news server, routing daemons, NIS, SNMPD

  • Disables gpm

  • Disables VRFY/EXPN data mining commands in sendmail

  • Deactivates named (dns)

  • Deactivates apache (web)

  • Deactivates apache Server Side Includes (SSI)

  • Deactivates apache CGI script execution

  • Disables FTP user mode

  • Disables FTP anonymous mode

  • Sets umask to 022

  • Sets security level to 3

  • Applies file permission level 3

  • Restricts "." from the PATH variable

  • Deactivates telnet

  • Deactivates ftp

  • Activates security checks

15.3.2.3. Paranoid Security Level

  • Strong firewalling

  • Disables SUID status from dump/restore, cardctl, dosemu, news server programs

  • Disables SUID status from rsh, rlogin

  • Disables SUID status for mount, umount, ping, at, usernetctl, traceroute

  • Disables rhost-based authentication

  • Disables cron use to everyone but root

  • Enforces password aging

  • Enforces limits on resources to prevent DoS attack

  • Password protects single user mode

  • Adds additional logging

  • Disables apmd, NFS, Samba, pcmcia, DHCP server, news server, routing daemons, NIS, SNMPD

  • Disables gpm

  • Disables VRFY/EXPN data mining commands in sendmail

  • Deactivates named (dns)

  • Deactivates apache (web)

  • Deactivates apache Server Side Includes (SSI)

  • Deactivates apache CGI script execution

  • Deactivates apache's following of symlinks

  • Disables printing

  • Disables FTP user mode

  • Disables FTP anonymous mode

  • Activates TMPDIR protection

  • Sets umask to 077

  • Sets security level to 4

  • Applies file permission level 4

  • Restricts "." from the PATH variable

  • Deactivates telnet

  • Deactivates ftp

  • Activates security checks


Tux on Star from MandrakeSoft Linux is a registered trademark of Linus Torvalds. All other trademarks and copyrights are the property of their respective owners.
Unless otherwise stated, all the content of these pages and all images are Copyright MandrakeSoft S.A. and MandrakeSoft Inc. 2002.
http://www.mandrakelinux.com/