| Bundle Feature Name | Description |
|---|---|
| APF (Advanced Policy Firewall) | policy-based, reactive firewall |
| LSM (Linux Socket Monitor) | network monitor; identify rogue services |
| SPRI (Priority Scheduler) | schedule the priority of system processes |
| BFD (Brute Force Detection) | identify login password cracking attempts |
| SIM (System Integrity Monitor) | monitor critical services, load, network etc. |
| NSIV (Network Socket Inode Validation) | auto-inode validation; ensure sanity of binaries that are running as network services |
| LES (Linux Environment Security) | set secure default permissions and restrictions across the local environment; prevent key logging and profile hijacking among other intrusion trends |
| RPM Package Purge | removal of unneeded software, such as print server, printing drivers, sound & USB drivers, portmap, ypserv etc. |
| Default User Purge | remove OS default users (adm, gopher etc.) |
| Common permissions | reset system permissions to secure defaults on directories and common binaries |
| 'tmp' Path Hardening | harden temporary data paths (e.g. /tmp) with a special device file to enforce strict mount options that prevent the execution of compiled exploits |
| 'tmpfs' Path Hardening | harden the tmpfs file system path (i.e. /dev/shm) with special mount options to enforce strict permissions that prevent the execution of compiled exploits |
| 'lalert' Login Alert routine | notify the system administrator when an interactive login is initiated for users root, adm, admin & mysql |
| 'sysctl' Hooks Configuration | sysctl provides configuration options hooked into kernel functions, allowing a user to modify options without a recompile; these options are tweaked to harden the TCP/IP stack against SYN-flood attacks and other network abuses |
| Services Hardening | tweak & harden common services to minimize the information broadcast about software versions |
| Time Synchronization | sync the local system clock to a time server |
| Increased Logging | modify the default syslog configuration to perform further logging |
| Host.conf | reconfigure host.conf for DNS lookup poisoning & spoofing protection |
| TPE (Trusted Path Execution) | enforce trusted path execution; the exported PATH environment variable can only contain root-owned paths |
| Setup 'iftop' | top-like network traffic monitor |
| Setup 'tcpdump' | network packet sniffer / network analysis |
| Setup 'cbq' | QoS discipline rules; allows throughput limiting |
| Setup 'smartd' | monitor hard disk events (failed I/O, temperature, etc.); can provide ample warning of disk failure; email alerts |
| Setup 'mod_security' | filter common web-based attack trends (e.g. PHP injection exploits) |
| Setup 'snort' | network intrusion detection system (evaluated against available resources; not installed on high-load servers) |
| Setup 'logwatch' | log parsing and reporting utility; receive daily summary reports on system events (kernel, network, logins, top e-mail relays & local senders etc.) |
| Backdoor inspection | inspect and verify the server for sanity from backdoor exploits |
| User Password Auditing [JTR] | audit user accounts and identify insecure user passwords; alert users; admin summary report |
| PAM basic limits | Linux PAM resource limits; restrict user resource consumption to reasonable limits |
| SSH Server Hardening | modify the default sshd server config files to address common protocol & authentication issues |
| Software Updates | local inspection of installed software; retrieval of vendor & OS updates |
| PHP open_basedir | modify the PHP setup to enforce a set of 'safe' execution paths |
| Security Analysis | security verification tests; verifies secure setup |