Y | N | Val (0-5) | Operation or Description
YES | NO | 5 | Install minimum system: base, bsd, etc, man.
YES | NO | 3 | Install compilers / development tools.
YES | NO | 5 | Do NOT install X, games, misc.
YES | NO | 5 | Root password 8 plus characters, mixed case, with symbols and digits.
YES | NO | 1 | Kernel source code installed.
YES | NO | 1 | Previous GENERIC compared to new GENERIC.
YES | NO | 1 | Previous CUSTOM compared to new GENERIC.
YES | NO | 1 | Old CUSTOM options merged with new GENERIC.
YES | NO | 5 | Generic kernel saved when building custom kernel.
YES | NO | 1 | Custom kernel built, installed, and tested.
YES | NO | 4 | 1 - 4 admin users created with passwords, 8 plus characters, mixed case, with symbols and digits.
YES | NO | 4 | Administrative users in group wheel.
YES | NO | 2 | Refine and test file removal script.
YES | NO | 1 | Remove users named popa3d, uucp, and www, if not needed.
YES | NO | 1 | Fix errors caused by uucp removal in /etc/newsyslog.conf and /etc/mtree/special.
YES | NO | 4 | Adjust sendmail to DNS availability when needed.
YES | NO | 1 | Adjust sendmail to removed IPv6 support.
YES | NO | 4 | Disable rstatd and rusersd in /etc/inetd.conf.
YES | NO | 4 | Disable portmap in /etc/rc.conf.
YES | NO | 2 | Comment the portmap, yp and NFS lines out of /etc/rc.
YES | NO | 3 | Disable time and daytime in /etc/inetd.conf.
YES | NO | 3 | Disable ident and comsat in /etc/inetd.conf.
YES | NO | 4 | Enable TCP Wrappers in /etc/inetd.conf, /etc/hosts.allow and /etc/hosts.deny, if FTP or telnet must be used.
YES | NO | 3 | Disable inetd in /etc/rc.conf, if no services are started from it.
YES | NO | 4 | If using TCP Wrappers, allow the IPs needed for sshd and sendmail.
YES | NO | 4 | Set PermitRootLogin to no in /etc/sshd_config.
YES | NO | 3 | Disable Protocol 1 in /etc/sshd_config.
YES | NO | 2 | Bind sshd to specific interfaces (ListenAddress) in /etc/sshd_config.
YES | NO | 3 | Do full system backup to protect changes.
YES | NO | 3 | Install NTP from source or package for accurate time synchronization.
YES | NO | 4 | Configure HTTP, FTP, SMTP, DHCP, POP3, IMAP or other protocols specific to the machine's intended function.
YES | NO | 4 | Use "netstat -an" or nmap to check for unknown open ports.
YES | NO | 5 | Close all unknown open ports.
YES | NO | 4 | Install or develop automated host intrusion detection.
YES | NO | 2 | Tighten permission settings on initialization and security files and adjust /etc/changelist, /etc/mtree/special, and /etc/security.
YES | NO | 3 | Adapt syslock and sysunlock scripts for immutable files and securelevel 2.
YES | NO | 2 | Set nodev and nosuid mount options in /etc/rc.local and a cron job.
YES | NO | 1 | Set noexec mount option (on /tmp) in /etc/rc.local and a cron job.
YES | NO | 0 | Set read-only file system(s): /? /usr?
YES | NO | 2 | Adjust login banners to suppress system data and warn intruders.
YES | NO | 3 | Do full system backup to protect changes.
YES | NO | 5 | Set up host-based firewall, if no outer firewall.
YES | NO | 2 | Run tested remove script.
YES | NO | 2 | Create recovery CD from deleted and reinstall tars.
YES | NO | 5 | Develop and test backup procedures.
YES | NO | 5 | Install and configure applications with data.
YES | NO | 4 | Create application users and groups with appropriate directory permissions and umask.
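The three kernel rows (previous GENERIC compared to new GENERIC, previous CUSTOM compared to new GENERIC, old CUSTOM options merged) amount to a three-way merge of config files. The script below is an added example, not part of the original checklist, showing one way to do that merge with grep; the GENERIC and CUSTOM fragments it runs on are constructed for the demo and are not real OpenBSD kernel configs.

```sh
#!/bin/sh
# merge_kernel_config OLD_GENERIC OLD_CUSTOM NEW_GENERIC OUT
#
# Carries the local edits of an old CUSTOM kernel config forward onto a new
# GENERIC: lines CUSTOM added are appended to the new GENERIC, lines CUSTOM
# removed are commented out (not deleted) so the result can be reviewed
# before running config(8). Comparison is exact, whole-line and fixed-string,
# so a line that GENERIC merely reformatted shows up as removed plus added.
merge_kernel_config() {
    mk_oldg=$1; mk_oldc=$2; mk_newg=$3; mk_out=$4
    mk_tmp=$(mktemp -d) || return 1
    # Lines in the old CUSTOM that are not in the old GENERIC: local additions.
    grep -vxF -f "$mk_oldg" "$mk_oldc" > "$mk_tmp/added" || true
    # Lines in the old GENERIC that CUSTOM dropped: local removals.
    grep -vxF -f "$mk_oldc" "$mk_oldg" > "$mk_tmp/removed" || true
    {
        while IFS= read -r mk_line; do
            if [ -n "$mk_line" ] && [ -s "$mk_tmp/removed" ] &&
               grep -qxF -- "$mk_line" "$mk_tmp/removed"; then
                printf '#%s\t# removed in previous CUSTOM\n' "$mk_line"
            else
                printf '%s\n' "$mk_line"
            fi
        done < "$mk_newg"
        if [ -s "$mk_tmp/added" ]; then
            printf '\n# options carried forward from previous CUSTOM\n'
            cat "$mk_tmp/added"
        fi
    } > "$mk_out"
    rm -rf "$mk_tmp"
}

# demo_merge_kernel_config: runs the merge on three constructed config
# fragments (not real OpenBSD GENERIC files) and prints the path of the result.
demo_merge_kernel_config() {
    dm_dir=$(mktemp -d) || return 1
    printf '%s\n' 'machine  i386' 'option  INET' 'option  INET6' \
        'option  NFSCLIENT' 'config  bsd swap generic' > "$dm_dir/GENERIC.old"
    # Previous CUSTOM: dropped INET6 (no IPv6 on this box), added a tuning option.
    printf '%s\n' 'machine  i386' 'option  INET' 'option  NFSCLIENT' \
        'option  NMBCLUSTERS=8192' 'config  bsd swap generic' > "$dm_dir/CUSTOM.old"
    # New GENERIC: same as the old one plus one new option.
    printf '%s\n' 'machine  i386' 'option  INET' 'option  INET6' \
        'option  NFSCLIENT' 'option  CRYPTO' 'config  bsd swap generic' > "$dm_dir/GENERIC.new"
    merge_kernel_config "$dm_dir/GENERIC.old" "$dm_dir/CUSTOM.old" \
        "$dm_dir/GENERIC.new" "$dm_dir/CUSTOM.new" || return 1
    printf '%s\n' "$dm_dir/CUSTOM.new"
}
```

The output keeps the new GENERIC's own additions, comments out INET6 with a note, and appends the carried-forward option at the end. Read the result before running config(8), especially any line that appears both as removed and as added, and keep the GENERIC kernel on disk as the checklist row above requires.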
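For the inetd.conf rows (rstatd, rusersd, time, daytime, ident, comsat), the following is an added example, not from the original page, of commenting the services out with sed in a way that also copes with OpenBSD's host:service prefixes and the rpc version suffix (rstatd/1-3). The inetd.conf it edits is constructed for the demo, modelled on the OpenBSD layout but not a copy of a real file. After editing, send inetd a SIGHUP so it rereads the file, and once nothing is left enabled, disable inetd in rc.conf as the later row says.

```sh
#!/bin/sh
# disable_inetd_services FILE SERVICE...
#
# Comments out every active inetd.conf line whose service field is one of the
# given names. An optional "host:" or "[v6addr]:" prefix and an rpc "/1-3"
# version suffix are allowed; already-commented lines are not touched again.
disable_inetd_services() {
    dis_file=$1; shift
    dis_tmp="$dis_file.tmp.$$"
    for dis_svc in "$@"; do
        sed -e "s|^\([^#[:space:]]*:\)\{0,1\}$dis_svc\(/[0-9-]*\)\{0,1\}[[:space:]]|#&|" \
            "$dis_file" > "$dis_tmp" && mv "$dis_tmp" "$dis_file" || return 1
    done
}

# active_inetd_services FILE: prints the service names still enabled, one per
# line, with any address prefix and version suffix stripped. Run it after
# editing to verify that only the intended services remain.
active_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF {
             s = $1; sub(/^.*:/, "", s); sub(/\/.*$/, "", s); print s
         }' "$1"
}

# demo_inetd_conf: writes a constructed inetd.conf, disables the checklist
# services and prints the path of the edited file.
demo_inetd_conf() {
    di_file=$(mktemp) || return 1
    printf '%s\n' \
        'ident     stream  tcp   nowait  _identd  /usr/libexec/identd      identd -el' \
        '#ident    stream  tcp6  nowait  _identd  /usr/libexec/identd      identd -el' \
        '127.0.0.1:daytime  stream  tcp   nowait  root  internal' \
        '[::1]:daytime      stream  tcp6  nowait  root  internal' \
        'comsat    dgram   udp   wait    root     /usr/libexec/comsat      comsat' \
        'rstatd/1-3  dgram  rpc/udp  wait  root   /usr/libexec/rpc.rstatd  rpc.rstatd' \
        'ftp       stream  tcp   nowait  root     /usr/libexec/ftpd        ftpd -US' > "$di_file"
    disable_inetd_services "$di_file" rstatd rusersd time daytime ident comsat || return 1
    printf '%s\n' "$di_file"
}
```

On the constructed file only ftp stays active; the other six lines start with a single `#`, including the one that was already commented out. Services named but not present (rusersd, time here) are simply no-ops, so the same call can be used on every host.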
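The three sshd rows (PermitRootLogin, Protocol 1, specific interfaces) have a trap: sshd_config is first-match-wins, so appending "PermitRootLogin no" to a file that already says "PermitRootLogin yes" changes nothing, and a check that greps for the string will happily pass. The helpers below are an added example, not part of the checklist or of OpenSSH, that read the effective value the way sshd does and set a directive by removing every existing line for that keyword and placing the new one at the top. The file path is an argument because later OpenBSD releases keep the file as /etc/ssh/sshd_config rather than the checklist's /etc/sshd_config; the weak config and the address 192.0.2.10 are constructed for the demo.

```sh
#!/bin/sh
# sshd_effective FILE KEYWORD: prints the first active value (empty if unset),
# which is the value sshd will use.
sshd_effective() {
    awk -v key="$2" 'BEGIN { key = tolower(key) }
        !/^[[:space:]]*#/ && NF >= 2 && tolower($1) == key { print $2; exit }' "$1"
}

# set_sshd_directive FILE KEYWORD VALUE
# Drops every existing active or commented line for KEYWORD, then writes the
# new line first, so first-match-wins picks it up regardless of what follows.
set_sshd_directive() {
    ssd_tmp="$1.tmp.$$"
    {
        printf '%s %s\n' "$2" "$3"
        awk -v key="$2" 'BEGIN { key = tolower(key) }
            { k = $1; sub(/^#+/, "", k); if (tolower(k) == key) next; print }' "$1"
    } > "$ssd_tmp" && mv "$ssd_tmp" "$1"
}

# audit_sshd_config FILE: prints one line per checklist row that is not met.
audit_sshd_config() {
    asc_v=$(sshd_effective "$1" PermitRootLogin)
    [ "$asc_v" = no ] || printf 'PermitRootLogin is "%s", want no\n' "${asc_v:-unset}"
    asc_v=$(sshd_effective "$1" Protocol)
    [ "$asc_v" = 2 ] || printf 'Protocol is "%s", want 2 (protocol 1 disabled)\n' "${asc_v:-unset}"
    asc_v=$(sshd_effective "$1" ListenAddress)
    [ -n "$asc_v" ] || printf 'ListenAddress unset, sshd binds every interface\n'
    return 0
}

# harden_sshd_config FILE ADDRESS: applies the three checklist settings.
harden_sshd_config() {
    set_sshd_directive "$1" PermitRootLogin no &&
    set_sshd_directive "$1" Protocol 2 &&
    set_sshd_directive "$1" ListenAddress "$2"
}

# demo_weak_sshd_config: writes a constructed sshd_config with the weak
# settings (not a copy of any real default) and prints its path.
demo_weak_sshd_config() {
    dw_file=$(mktemp) || return 1
    printf '%s\n' 'Port 22' '#Protocol 2,1' '#ListenAddress 0.0.0.0' \
        'PermitRootLogin yes' 'PasswordAuthentication yes' > "$dw_file"
    printf '%s\n' "$dw_file"
}
```

On the constructed file the audit reports three findings; after harden_sshd_config it reports none and only one PermitRootLogin line remains. ListenAddress is the one keyword that accumulates rather than first-matching, so a host that must listen on several addresses gets the extra lines added by hand; the audit only checks that at least one is set. Restart sshd after the edit and confirm with a second session before closing the first.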
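The "netstat -an" row and the "close all unknown open ports" row are easier to act on with an allow-list than by eyeballing the output: once the machine's intended services are known, everything else that listens is by definition unknown. The script below is an added example, not from the original page; the netstat output and the expected-ports list it runs on are constructed for the demo. An nmap scan from another host still belongs in the procedure, since the host-local view says nothing about what a packet filter does or does not let through.

```sh
#!/bin/sh
# listening_sockets NETSTAT_FILE
#
# Reduces "netstat -an" output (BSD format, port separated from the address
# by a dot) to "proto port" lines: tcp sockets in LISTEN and udp sockets with
# no peer. tcp6/udp6 are folded into tcp/udp so one allow-list covers both.
listening_sockets() {
    awk '($1 ~ /^tcp6?$/ && $6 == "LISTEN") || ($1 ~ /^udp6?$/ && $5 == "*.*") {
             proto = $1; sub(/6$/, "", proto)
             n = split($4, a, "."); print proto, a[n]
         }' "$1" | sort -u
}

# unknown_ports NETSTAT_FILE EXPECTED_FILE
# Prints every listening socket not listed in EXPECTED_FILE ("proto port" per
# line). The checklist says to close these; an empty result is the goal.
unknown_ports() {
    listening_sockets "$1" | grep -vxF -f "$2" || true
}

# demo_unknown_ports: constructed netstat -an output for a mail host that is
# supposed to offer only ssh, smtp on loopback and ntp; prints the unknowns.
demo_unknown_ports() {
    du_dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'Active Internet connections (including servers)' \
        'Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)' \
        'tcp          0      0  *.22                   *.*                    LISTEN' \
        'tcp6         0      0  *.22                   *.*                    LISTEN' \
        'tcp          0      0  127.0.0.1.25           *.*                    LISTEN' \
        'tcp          0      0  192.0.2.10.22          198.51.100.7.51234     ESTABLISHED' \
        'tcp          0      0  *.6000                 *.*                    LISTEN' \
        'udp          0      0  *.123                  *.*' \
        'udp          0      0  *.514                  *.*' > "$du_dir/netstat.out"
    printf '%s\n' 'tcp 22' 'tcp 25' 'udp 123' > "$du_dir/expected"
    unknown_ports "$du_dir/netstat.out" "$du_dir/expected"
}
```

For the constructed output the unknowns are tcp 6000 (an X server, which the checklist said not to install) and udp 514 (a syslogd accepting network messages). The established connection on port 22 is not reported because it is not a listener. Run the same comparison from cron and mail any non-empty result; a new listener appearing is exactly what the host intrusion detection row is about.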
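The nodev, nosuid and noexec rows are done from rc.local and re-checked from cron, so the useful piece of code is the check: parse the output of mount(8), compare each file system against the options it must carry, and print the remount commands for anything that drifted. The script below is an added example, not from the original page; the mount output and the policy table are constructed for the demo, and the policy is an assumption to be tuned per host. Note that / and /usr cannot be nosuid, since su, passwd and the other setuid binaries live there, which is why the demo policy asks only for nodev on /usr and nothing on /.

```sh
#!/bin/sh
# mount_missing_opts MOUNT_FILE POLICY_FILE
#
# MOUNT_FILE holds the output of mount(8), one line per file system such as
# "/dev/wd0d on /tmp type ffs (local, nodev, nosuid)". POLICY_FILE lists
# "mountpoint opt,opt,..." for every file system that must carry restrictive
# flags. Prints "mountpoint missing opts" for each policy entry not fully met.
mount_missing_opts() {
    awk 'NR == FNR { want[$1] = $2; next }              # first file: policy
         $2 == "on" && ($3 in want) {                   # second file: mount output
             opts = ""
             if (match($0, /\(.*\)/)) opts = substr($0, RSTART + 1, RLENGTH - 2)
             gsub(/ /, "", opts)                        # "local,nodev,nosuid"
             n = split(want[$3], req, ","); missing = ""
             for (i = 1; i <= n; i++)
                 if (!index("," opts ",", "," req[i] ","))
                     missing = missing (missing == "" ? "" : ",") req[i]
             if (missing != "") print $3, "missing", missing
         }' "$2" "$1"
}

# remount_commands MOUNT_FILE POLICY_FILE
# Prints the mount -u command that fixes each finding. The full required set
# is passed, not just the missing flag, so a remount never drops an option
# that an earlier remount had set.
remount_commands() {
    mount_missing_opts "$1" "$2" | while read -r rc_mp rc_word rc_missing; do
        rc_want=$(awk -v mp="$rc_mp" '$1 == mp { print $2 }' "$2")
        printf 'mount -u -o %s %s\n' "$rc_want" "$rc_mp"
    done
}

# demo_mount_audit_files: writes constructed mount output and a constructed
# policy (not taken from a real host) into a temp dir and prints its path.
demo_mount_audit_files() {
    dma_dir=$(mktemp -d) || return 1
    printf '%s\n' \
        '/dev/wd0a on / type ffs (local)' \
        '/dev/wd0d on /tmp type ffs (local, nodev, nosuid)' \
        '/dev/wd0e on /var type ffs (local, nodev)' \
        '/dev/wd0f on /usr type ffs (local, nodev)' \
        '/dev/wd0g on /home type ffs (local, nodev, nosuid)' > "$dma_dir/mount.out"
    printf '%s\n' '/tmp nodev,nosuid,noexec' '/var nodev,nosuid' \
        '/usr nodev' '/home nodev,nosuid' > "$dma_dir/policy"
    printf '%s\n' "$dma_dir"
}
```

On the constructed data the audit reports "/tmp missing noexec" and "/var missing nosuid", and remount_commands turns those into `mount -u -o nodev,nosuid,noexec /tmp` and `mount -u -o nodev,nosuid /var`. In rc.local the commands are run directly; from cron, run `mount > /tmp/mount.out` first and mail the findings rather than remounting unattended, so a file system that someone deliberately relaxed is noticed instead of silently flipped back.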