Se curity be gins with the firs t time you put that CD or DVD into your dis k drive to ins tall Re d Hat Ente rpris e Linux 7. Configuring your s ys te m s e cure ly from the be ginning make s it e as ie r to imple me nt additional s e curity s e ttings late r.
2.1. Securing BIOS
Pas s word prote ction for the BIOS (or BIOS e quivale nt) and the boot loade r can pre ve nt unauthorize d us e rs who have phys ical acce s s to s ys te ms from booting us ing re movable me dia or obtaining root privile ge s through s ingle us e r mode . The s e curity me as ure s you s hould take to prote ct agains t s uch attacks de pe nds both on the s e ns itivity of the
information on the works tation and the location of the machine .
For e xample , if a machine is us e d in a trade s how and contains no s e ns itive information, the n it may not be critical to pre ve nt s uch attacks . Howe ve r, if an e mploye e 's laptop with private , une ncrypte d SSH ke ys for the corporate ne twork is le ft unatte nde d at that s ame trade s how, it could le ad to a major s e curity bre ach with ramifications for the e ntire company.
If the works tation is locate d in a place whe re only authorize d or trus te d pe ople have acce s s , howe ve r, the n s e curing the BIOS or the boot loade r may not be ne ce s s ary.
2.1.1. BIOS Passwords
The two primary re as ons for pas s word prote cting the BIOS of a compute r are :
1. Preventing Changes to BIOS Settings — If an intrude r has acce s s to the BIOS, the y can s e t it to boot from a CD-ROM or a flas h drive . This make s it pos s ible for the m to e nte r re s cue mode or s ingle us e r mode , which in turn allows the m to s tart arbitrary proce s s e s on the s ys te m or copy s e ns itive data.
2. Preventing System Booting — Some BIOSe s allow pas s word prote ction of the boot proce s s . Whe n activate d, an attacke r is force d to e nte r a pas s word be fore the BIOS launche s the boot loade r.
Be caus e the me thods for s e tting a BIOS pas s word vary be twe e n compute r manufacture rs , cons ult the compute r's manual for s pe cific ins tructions .
If you forge t the BIOS pas s word, it can e ithe r be re s e t with jumpe rs on the mothe rboard or by dis conne cting the CMOS batte ry. For this re as on, it is good practice to lock the
compute r cas e if pos s ible . Howe ve r, cons ult the manual for the compute r or mothe rboard be fore atte mpting to dis conne ct the CMOS batte ry.
2.1.1.1. Securing Non-BIOS-based Systems
Othe r s ys te ms and archite cture s us e diffe re nt programs to pe rform low-le ve l tas ks roughly e quivale nt to thos e of the BIOS on x86 s ys te ms . For e xample , the Unified Extensible Firmware Interface (UEFI) s he ll.
For ins tructions on pas s word prote cting BIOS-like programs , s e e the manufacture r's ins tructions .
2.2. Part it ioning t he Disk
[2]
Re d Hat re comme nds cre ating s e parate partitions for /boot,/, /tmp and /var/tmp. The re as ons for e ach are diffe re nt and we will addre s s e ach partition.
/boot
This partition is the firs t partition that is re ad by the s ys te m during boot up. The boot loade r and ke rne l image s that are us e d to boot your s ys te m into Re d Hat Ente rpris e Linux 7 are s tore d in this partition. This partition s hould not be e ncrypte d. If this partition is include d in / and that partition is e ncrypte d or othe rwis e be come s unavailable the n your s ys te m will not be able to boot.
/home
Whe n us e r data (/home) is s tore d in / ins te ad of in a s e parate partition, the partition can fill up caus ing the ope rating s ys te m to be come uns table . Als o, whe n upgrading your s ys te m to the ne xt ve rs ion of Re d Hat Ente rpris e Linux 7 it is a lot e as ie r whe n you can ke e p your data in the /home partition as it will not be
ove rwritte n during ins tallation. If the root partition (/) be come s corrupt your data could be los t fore ve r. By us ing a s e parate partition the re is s lightly more
prote ction agains t data los s . You can als o targe t this partition for fre que nt backups .
/tmp and /var/tmp
Both the /tmp and /var/tmp dire ctorie s are us e d to s tore data that doe s not ne e d to be s tore d for a long pe riod of time . Howe ve r, if a lot of data floods one of the s e dire ctorie s it can cons ume all of your s torage s pace . If this happe ns and the s e dire ctorie s are s tore d within / the n your s ys te m could be come uns table and cras h. For this re as on, moving the s e dire ctorie s into the ir own partitions is a good ide a.
Note
During the ins tallation proce s s , an option to e ncrypt partitions is pre s e nte d to you.
The us e r mus t s upply a pas s phras e . This pas s phras e will be us e d as a ke y to
unlock the bulk e ncryption ke y, which is us e d to s e cure the partition's data. For more information on LUKS, s e e Se ction 4.10.1, “Us ing LUKS Dis k Encryption”.
2.3. Inst alling t he Minimum Amount of Packages Required
It is be s t practice to ins tall only the package s you will us e be caus e e ach pie ce of s oftware on your compute r could pos s ibly contain a vulne rability. If you are ins talling from the DVD me dia, take the opportunity to s e le ct e xactly what package s you want to ins tall during the ins tallation. If you find you ne e d anothe r package , you can always add it to the s ys te m late r.
For more information about ins talling the Minimal install e nvironme nt, s e e the
Software Se le ction chapte r of the Re d Hat Ente rpris e Linux 7 Ins tallation Guide . A minimal ins tallation can als o be pe rforme d via a Kicks tart file us ing the --nobase option. For more information about Kicks tart ins tallations , s e e the Package Se le ction s e ction from the Re d Hat Ente rpris e Linux 7 Ins tallation Guide .
2.4. Post -inst allat ion Procedures
The following s te ps are the s e curity-re late d proce dure s that s hould be pe rforme d imme diate ly afte r ins tallation of Re d Hat Ente rpris e Linux.
1. Update your s ys te m. Run the following command as root:
~]# yum update
2. Eve n though the fire wall s e rvice , firewalld, is automatically e nable d with the ins tallation of Re d Hat Ente rpris e Linux, the re are s ce narios whe re it might be e xplicitly dis able d, for e xample in the kicks tart configuration. In s uch a cas e , it is re comme nde d to cons ide r re -e nabling the fire wall.
To s tart firewalld run the following commands as root:
~]# systemctl start firewalld
~]# systemctl enable firewalld
3. To e nhance s e curity, dis able s e rvice s you do not ne e d. For e xample , if the re are no printe rs ins talle d on your compute r, dis able the cups s e rvice us ing the following command:
~]# systemctl disable cups
To re vie w active s e rvice s , run the following command:
~]$ systemctl list-units | grep service
2.5. Addit ional Resources
For more information about ins tallation in ge ne ral, s e e the Re d Hat Ente rpris e Linux 7 Ins tallation Guide.
[2] Since system BIO Ses differ between m anufacturers, som e m ay not support password protection of either type, while others m ay support one type but not the other.