Skip to content

Maintaining Software

trimstray edited this page Feb 27, 2019 · 30 revisions

You can file an issue about it and ask that it be added.


Table of Contents

Maintaining Software

Software mintenance is extremely important to maintaining a secure system. It is vital to patch software as soon as it becomes available in order to prevent attackers from using known holes to infiltrate your system.

Package signatures

Rationale

Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.

Solution

Enabled gpgcheck option
gpgcheck=1

C2S/CIS: CCE-26989-4 (High)

Useful resources

Keep system updated

Rationale

Software updates offer plenty of benefits. It’s all about revisions. These might include repairing security holes that have been discovered and fixing or removing bugs.

U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.

Some benefits:

  • close up problems of security that has been discovered
  • it can improve the stability of the system
  • improvements the system stacks or network stacks

Solution

Updating all packages and dependencies
yum update

C2S/CIS: CCE-26895-3 (High)

Comments

Before updating the system, I do it in the console:

# This one-liner save the update process session:
script -t 2>~/upgrade.time -a ~/upgrade.script

Also these one-liners are important:

Check for updates
yum check-update
Install upgrades (with security updates)
yum --security upgrade
Roll back an update
yum history undo <id>

Useful resources

Remove vulnerable software

Rationale

The best protection against vulnerable software is running less software.

Solution

Remove or disable unnecessary services

From C2S/CIS: These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Removing the rsh package removes the clients for rsh,rcp, and rlogin.

yum remove rsh

C2S/CIS: CCE-27274-0 (unknown)

From C2S/CIS: The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

systemctl disable rlogin.socket

C2S/CIS: CCE-27336-7 (High)

From C2S/CIS: The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

systemctl disable rexec.socket

C2S/CIS: CCE-27408-4 (High)

From C2S/CIS: The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

systemctl disable rsh.socket

C2S/CIS: CCE-27337-5 (High)

From C2S/CIS: Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.

rm /etc/hosts.equiv
rm ~/.rhosts

C2S/CIS: CCE-27406-8 (High)

From C2S/CIS: The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

# Edit /etc/xinetd.d/telnet:
disable = yes

C2S/CIS: CCE-27401-9 (High)

From C2S/CIS: The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session.

yum erase ypserv

C2S/CIS: CCE-27399-5 (High)

From C2S/CIS: Disabling the tftp service ensures the system is not acting as a TFTP server, which does not provide encryption or authentication.

systemctl disable tftp.service

C2S/CIS: CCE-80212-4 (Medium)

From C2S/CIS: The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services.

systemctl disable xinetd.service

C2S/CIS: CCE-27443-1 (Medium)

From C2S/CIS: The talk software presents a security risk as it uses unencrypted protocols for communications.

yum erase talk

C2S/CIS: CCE-27432-4 (Medium)

From C2S/CIS: The talk software presents a security risk as it uses unencrypted protocols for communications.

yum erase talk-server

C2S/CIS: CCE-27210-4 (Medium)

From C2S/CIS: Running FTP server software provides a network-based avenue of attack, and should be disabled if not needed. Furthermore, the FTP protocol is unencrypted and creates a risk of compromising sensitive information.

systemctl disable vsftpd.service

C2S/CIS: CCE-80244-7 (Unknown)

From C2S/CIS: X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.

yum groupremove "X Window System"
yum remove xorg-x11-server-common

C2S/CIS: CCE-27218-7 (Medium)

From C2S/CIS: Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.

systemctl disable avahi-daemon.service

C2S/CIS: CCE-80338-7 (Unknown)

Comments

The C2S/CIS standard also explains the following services. You should consider which ones are use. If they are not use on the local system then this service should be disabled.

From C2S/CIS: Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed.

systemctl disable snmpd.service

C2S/CIS: CCE-80274-4 (Unknown)

From C2S/CIS: All network services involve some risk of compromise due to implementation flaws and should be disabled if possible.

systemctl disable named.service

C2S/CIS: CCE-80325-4 (Unknown)

From C2S/CIS: Unnecessary packages should not be installed to decrease the attack surface of the system.

yum erase openldap-servers

C2S/CIS: CCE-80293-4 (Unknown)

From C2S/CIS: Running a Samba server provides a network-based avenue of attack, and should be disabled if not needed.

systemctl disable smb.service

C2S/CIS: CCE-80277-7 (Unknown)

From C2S/CIS: Running web server software provides a network-based avenue of attack, and should be disabled if not needed.

systemctl disable httpd.service

C2S/CIS: CCE-80300-7 (Unknown)

From C2S/CIS: Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments.

systemctl disable rhnsd.service

C2S/CIS: CCE-80269-4 (Unknown)

From C2S/CIS: Running proxy server software provides a network-based avenue of attack, and should be removed if not needed.

systemctl disable squid.service

C2S/CIS: CCE-80285-0 (Unknown)

From C2S/CIS: Unmanaged or unintentionally activated DHCP servers may provide faulty information to clients, interfering with the operation of a legitimate site DHCP server if there is one.

systemctl disable dhcpd.service

C2S/CIS: CCE-80330-4 (Medium)

From C2S/CIS: Running an IMAP or POP3 server provides a network-based avenue of attack, and should be disabled if not needed.

systemctl disable dovecot.service

C2S/CIS: CCE-80294-2 (Unknown)

From C2S/CIS: All of these daemons (nfslock, rpcgssd, and rpcidmapd) run with elevated privileges, and many listen for network connections.

systemctl disable rpcbind.service

C2S/CIS: CCE-80230-6 (Medium)

From C2S/CIS: Unnecessary services should be disabled to decrease the attack surface of the system.

systemctl disable nfs.service

C2S/CIS: CCE-80237-1 (Unknown)

From C2S/CIS: Turn off unneeded services to reduce attack surface.

systemctl disable cups.service

C2S/CIS: CCE-80282-7 (Unknown)

Useful resources

Enable important software

Rationale

The best protection against vulnerable software is running less software.

Solution

Install tcp wrappers

From C2S/CIS: Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.

systemctl enable crond.service

C2S/CIS: CCE-27323-5 (Medium)

From C2S/CIS: Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges.

yum install tcp_wrappers

C2S/CIS: CCE-27361-5 (Medium)

Enable chronyd/ntpd

From C2S/CIS: Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches. The chronyd and ntpd NTP daemons offer all of the functionality of ntpdate, which is now deprecated.

systemctl enable chronyd
# or
systemctl enable ntpd

C2S/CIS: CCE-27444-9 (Medium)

Useful resources