Secure OS Software for Linux
robert mead_1
Occasional Contributor

LINUX Hardening guide differences

What is the difference between the HP Common Criteria EAL4+ Evaluated Configuration Guide for Red Hat Enterprise Linux 5 on Hardware, date 05/31/2007; 2.3 and the NSA Guide to The Secure Configuration of Red Hat Enterprise Linux 5, date 12/20/2007; Revision 2?

Is one of these more complete than the other?
Steven E. Protter
Exalted Contributor

Re: LINUX Hardening guide differences

Shalom,

The OS security vulnerabilities are different. HP ships in an insecure but securable state.

Linux ships in a lot more secure state, but it can be improved.

Think about Bastille for both.

It does a nice job.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
rmueller58
Valued Contributor

Re: LINUX Hardening guide differences

Based on the date of the guides you are looking at, it might be best to get into one of the RHEL classes on SELinux and Red Hat secured, rather than a book that is 4 years old.

I'd be inclined to pick up the NSA guide, as the NSA wrote the guidelines for the SE enhancements which Red Hat adopted.

Don Mallory
Trusted Contributor

Re: LINUX Hardening guide differences

I've always been a fan of the Center for Internet Security benchmark tools. They are essentially consensus-based documents that help to bring things in line. Large portions of the documents also include pre-written scripts to help automate the task.

http://cisecurity.org/en-us/?route=downloads

They have benchmarks for pretty much any OS; as well, they have audit tools to test against later.

Bastille is a great tool to start with, but is lacking in a number of areas. CIS also provides Bastille configs as a base, but enhances on them.

Before wasting your time on an SELinux course, check out SANS (www.sans.org). There is a UNIX specific course, which is primarily Linux based, as well as others. The Essentials bootcamp has a full day of UNIX/Linux as part of the 6-day program, which is an excellent program.

Under the SANS reading room, there are a large number of whitepapers available for pretty much any topic. All papers in here are the work of successful "gold" certifications and double-blind graded by experts in the given field being written about.

Something to remember about these documents is that they are not a "Bible". They are a series of guidelines that can lead to better security and hardening of a host. They change; they are not static, as a host that is secure today is not secure tomorrow. Security is a journey, not a destination. No single reference is all-encompassing.

With that in mind, view the documents as a valid reference; consensus-based ones are better than those written in a vacuum. What is most important is understanding the risk to your critical assets, and prioritising time and resources to reduce those risks. If there is a risk you cannot reduce, understand the risk, and most of all, understand and put in place means by which you can DETECT that the risk has been compromised.

Good luck and happy hunting,
Don