Server Hardening#
Updates packages#
yum install yum-plugin-security
yum updateinfo
yum updateinfo list
yum updateinfo list --sec-severity=Critical
yum updateinfo list --sec-severity=Moderate
yum updateinfo list --sec-severity=Low
yum update --bugfix
yum update --security
yum update --advisory
yum update --sec-serverity=SEVS
Verifying Packages#
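# Trust and signature checks for RPM packages.
# Compare the key's fingerprint with the vendor's published value before importing it:
# anyone who can replace a file in /tmp could otherwise get their own key trusted.
rpm --import /tmp/rpm-gpg-keynew
# list the installed keys (pattern quoted so the shell does not expand it against the cwd)
rpm -qa 'gpg-pubkey*'
# detailed information about one specific key (id taken from the listing above)
rpm -qi gpg-pubkey-8483c65d-5ccc5b19
# verify that the key used to sign each package corresponds to a known (imported) gpg key;
# do not install anything whose signature is reported as bad or from an unknown key
rpm -K -- *.rpm
# make sure gpgcheck=1 so yum refuses unsigned or wrongly signed packages
grep -n 'gpgcheck' /etc/yum.conf
# install packages from local rpm files
rpm -Uvh -- *.rpm
# install from yum instead (also resolves and installs the dependencies)
yum localinstall *.rpm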
Install Packages#
-e, --erase=<package>+ erase (uninstall) package
-F, --freshen=<packagefile>+ upgrade package(s) if already installed
-h, --hash print hash marks as package installs (good with -v)
-i, --install install package(s)
-U, --upgrade=<packagefile>+ upgrade package(s)
-v, --verbose provide more detailed output
Query options (with -q or --query):
-c, --configfiles list all configuration files
-d, --docfiles list all documentation files
-L, --licensefiles list all license files
-A, --artifactfiles list all artifact files
--dump dump basic file information
-l, --list list files in package
--queryformat=QUERYFORMAT use the following query format
-s, --state display the states of the listed files
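# Day-to-day rpm / yum package operations (screen is the example package).
# erase (uninstall) screen
rpm -e screen
# query whether screen is installed (exit status is non-zero when it is not)
rpm -q screen
# download the package into the current directory without installing it
yum install --downloadonly --downloaddir=. screen
# NOTE: rpm -i / -U / -F take a package *file*, not a package name
# install from the downloaded file
rpm -ivh screen-*.rpm
# -U upgrades and replaces (overwrites) the current version; it also installs if no version exists
rpm -Uvh screen-*.rpm
# -F (freshen) updates only if an older version is already installed; it will not install otherwise
rpm -Fvh screen-*.rpm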
AIDE - Advanced Intrusion Detection Environment#
Host-based IDS
Builds a database of the files selected by regex rules
Checks file integrity using digest algorithms
Also checks file attributes for inconsistencies
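# AIDE: build a baseline, then check the filesystem against it.
# edit the rule set (which paths are watched and which attributes / digests are recorded)
vim /etc/aide.conf
# generate the baseline database from the current filesystem state
/usr/sbin/aide --init
# the freshly generated db lands here
file /var/lib/aide/aide.db.new.gz
# activate the baseline; also keep a copy where the host cannot modify it (read-only media or
# another host), otherwise a compromised host can silently regenerate its own baseline
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# compare the filesystem against the baseline; after legitimate changes (e.g. package updates)
# rebuild the baseline, or every changed file will keep being reported
/usr/sbin/aide --check
# crontab entry (root's crontab, via `crontab -e`), not a shell command: run the check daily at 01:00.
# Set MAILTO in the same crontab so the report is mailed instead of being discarded.
0 1 * * * /usr/sbin/aide --check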
build the baseline database
put the check in the crontab
set MAILTO in the crontab so the check report is mailed