NSA has developed and distributed configuration guidance for Red Hat Enterprise Linux 5 that is currently being used throughout the government and by numerous entities as a security baseline for their Red Hat Enterprise Linux 5 systems.
The introductory points:
- Encrypt all data transmitted over the network. Encrypting authentication information (such as passwords) is particularly important.
- Minimize the amount of software installed and running in order to minimize vulnerability.
- Use security-enhancing software and tools whenever available (e.g., SELinux and Iptables).
- Run each network service on a separate server whenever possible. This minimizes the risk that a compromise of one service could lead to a compromise of others.
- Maintain user accounts. Create a good password policy and enforce its use. Delete unused user accounts.
- Review system and application logs on a routine basis. Send logs to a dedicated log server. This prevents intruders from easily avoiding detection by modifying the local logs.
- Never log in directly as root, unless absolutely necessary. Administrators should use `sudo` to execute commands as root when required. The accounts capable of using `sudo` are specified in `/etc/sudoers`, which is edited with the `visudo` utility. By default, relevant logs are written to
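
The sudoers point above, as an added example (not part of the NSA guide or the original page): a read-only audit that lists which users and %groups a sudoers-format file names and reports any the administrator did not expect. The function names, the sample file contents and the expected-admin list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report who a sudoers-format file grants privileges to.
# Simplified parsing (assumption): skips comments, Defaults and *_Alias
# lines and joins backslash continuations; it does not expand aliases or
# follow #include / #includedir directives.

sudo_principals() {
    # $1: path to a sudoers-format file (only read, never modified)
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }  # join continued lines
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*(#|$)/ { next }                 # comments and blanks
        { split(line, f, /[ \t]+/); i = (f[1] == "" ? 2 : 1) }
        f[i] ~ /^(Defaults|[A-Za-z]+_Alias)/ { next }
        { print f[i] }
    ' "$1" | LC_ALL=C sort -u
}

unexpected_sudoers() {
    # $1: sudoers file; remaining arguments: principals the admin expects
    file=$1; shift
    sudo_principals "$file" | while read -r p; do
        ok=no
        for want in "$@"; do
            if [ "$p" = "$want" ]; then ok=yes; fi
        done
        if [ "$ok" = no ]; then printf '%s\n' "$p"; fi
    done
}

sample_sudoers() {
    # Constructed sample, not taken from a real host.
    cat <<'EOF'
# ops team
Defaults    requiretty
User_Alias  OPS = alice, bob
root        ALL=(ALL) ALL
%wheel      ALL=(ALL) ALL
backup      ALL=(root) NOPASSWD: \
            /usr/bin/rsync
  dave      ALL=(ALL) ALL
EOF
}

tmp=$(mktemp)
sample_sudoers > "$tmp"
unexpected_sudoers "$tmp" root %wheel   # prints: backup, dave
rm -f "$tmp"
```

On a real system the same functions can be pointed at a copy of `/etc/sudoers`; reading that file normally requires root.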
There are security guides on the same page for OS X (Leopard, Snow Leopard), Windows (various versions) and Sun Solaris (9, 10).