Below is a list of most of the tasks described in these Hardening OpenBSD pages or related pages on this web site, arranged approximately in the order in which it makes sense to do them. The values 0 - 5 represent the approximate importance of each task as described on the priorities page: 5 - essential, 4 - very important, 3 - recommended, 2 - useful in some situations, 1 - applicable in special circumstances, 0 - not recommended. Print and review the list and mark NO for every task that will not be performed. Then start from the top, marking YES as each task is completed.
Y | N | Val | Operation or Description |
---|---|---|---|
YES | NO | 5 | Install minimum system: base, bsd, etc, man. |
YES | NO | 3 | Install compilers / development tools. |
YES | NO | 5 | Do NOT install X, games, misc. |
YES | NO | 5 | Root password 8 plus characters, mixed case, with symbols and digits. |
YES | NO | 1 | Kernel source code installed. |
YES | NO | 1 | Previous GENERIC compared to new GENERIC. |
YES | NO | 1 | Previous CUSTOM compared to new GENERIC. |
YES | NO | 1 | Old CUSTOM options merged with new GENERIC. |
YES | NO | 5 | Generic kernel saved when building custom kernel. |
YES | NO | 1 | Custom kernel built, "installed", and tested. |
YES | NO | 4 | 1 - 4 admin users created with passwords, 8 plus characters, mixed case, with symbols and digits. |
YES | NO | 4 | Administrative users in group wheel. |
YES | NO | 2 | Refine and test file removal script. |
YES | NO | 1 | Remove the users popa3d, uucp, and www, if not needed. |
YES | NO | 1 | Fix errors caused by uucp removal in /etc/newsyslogd and /etc/mtree/special. |
YES | NO | 4 | Adjust sendmail to DNS availability when needed. |
YES | NO | 1 | Adjust sendmail for removed IPv6 support. |
YES | NO | 4 | Disable rstatd and rusersd in /etc/inetd.conf. |
YES | NO | 4 | Disable portmap in /etc/rc.conf. |
YES | NO | 2 | Comment out portmap, yp and NFS lines in /etc/rc. |
YES | NO | 3 | Disable time and daytime in /etc/inetd.conf. |
YES | NO | 3 | Disable ident and comsat in /etc/inetd.conf. |
YES | NO | 4 | Enable TCP Wrappers in /etc/inetd.conf, /etc/hosts.allow and /etc/hosts.deny, if FTP or telnet must be used. |
YES | NO | 3 | Disable inetd in /etc/rc.conf, if no services are started from it. |
YES | NO | 4 | If using TCP Wrappers, allow the IPs needed for sshd and sendmail. |
YES | NO | 4 | Disable PermitRootLogin in /etc/sshd_config. |
YES | NO | 3 | Disable Protocol 1 in /etc/sshd_config. |
YES | NO | 2 | Disable specific interfaces in /etc/sshd_config. |
YES | NO | 3 | Do full system backup to protect changes. |
YES | NO | 3 | Install NTP from source or package for accurate time synchronization. |
YES | NO | 4 | Configure HTTP, FTP, SMTP, DHCP, POP3, IMAP or other protocols specific to the machine's intended function. |
YES | NO | 4 | Use "netstat -an" or nmap to check for unknown open ports. |
YES | NO | 5 | Close all unknown open ports. |
YES | NO | 4 | Install or develop automated host intrusion detection. |
YES | NO | 2 | Tighten permission settings on initialization and security files and adjust /etc/changelist, /etc/mtree/special, and /etc/security. |
YES | NO | 3 | Adapt syslock and sysunlock scripts for immutable files and securelevel 2. |
YES | NO | 2 | Set nodev and nosuid mount options in /etc/rc.local and cron job. |
YES | NO | 1 | Set noexec mount option (on /tmp) in /etc/rc.local and cron job. |
YES | NO | 0 | Set read-only file system(s): /? /usr? |
YES | NO | 2 | Adjust login banners to suppress system data and warn intruders. |
YES | NO | 3 | Do full system backup to protect changes. |
YES | NO | 5 | Set up host based firewall, if no outer firewall. |
YES | NO | 2 | Run tested remove script. |
YES | NO | 2 | Create recovery CD from deleted and reinstall tars. |
YES | NO | 5 | Develop and test backup procedures. |
YES | NO | 5 | Install and configure applications with data. |
YES | NO | 4 | Create application users and groups with appropriate directory permissions and umask. |
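As an added example that is not part of the GeodSoft pages, the POSIX sh script below turns a handful of the rows above (PermitRootLogin and Protocol in sshd_config, the rstatd, rusersd, time, daytime, ident and comsat entries in inetd.conf, and portmap in rc.conf) into checks that print YES or NO for each row, so the list can be re-verified after the work is done or after an upgrade. The file paths are passed as arguments because this page names /etc/sshd_config while newer releases use /etc/ssh/sshd_config; the three sample files it audits are constructed here for the demonstration, and the parsing assumes the ordinary "keyword value" sshd_config syntax, the standard inetd.conf column layout, and "name=value" lines in rc.conf.

```shell
#!/bin/sh
# Added example, not from the Hardening OpenBSD pages: audit a few checklist
# rows against config files given on the command line. Each check_* function
# returns 0 when the row can be marked YES and 1 when it is still NO.

# Effective value of an sshd_config keyword: sshd uses the first match, so the
# first uncommented occurrence wins; keywords are case-insensitive.
sshd_value() {
    # $1 = sshd_config path, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Row "Disable PermitRootLogin": pass only when it is explicitly set to no.
check_permit_root_login() {
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ]
}

# Row "Disable Protocol 1": pass only when Protocol is exactly 2 (a value of
# "2,1" still allows protocol 1). Releases that dropped protocol 1 entirely
# no longer have this keyword, and the row no longer applies there.
check_protocol() {
    [ "$(sshd_value "$1" Protocol)" = "2" ]
}

# Row "Disable <service> in /etc/inetd.conf": pass when no uncommented line
# names the service. RPC entries look like "rstatd/1-3", so the part before
# the slash is compared.
check_inetd_disabled() {
    # $1 = inetd.conf path, $2 = service name
    awk -v svc="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { split($1, name, "/"); if (name[1] == svc) { found = 1; exit } }
        END { if (found) exit 1; exit 0 }
    ' "$1"
}

# Last assignment of a variable in rc.conf, quotes and trailing comment stripped.
rc_value() {
    # $1 = rc.conf path, $2 = variable name
    sed -n "s/^[[:space:]]*$2=\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1 | tr -d '"'
}

# Row "Disable portmap in /etc/rc.conf": pass only when it is explicitly NO.
check_portmap_disabled() {
    [ "$(rc_value "$1" portmap)" = "NO" ]
}

# Print YES/NO for one row; $1 is the description, the rest is the check command.
report() {
    desc=$1; shift
    if "$@"; then
        printf 'YES  %s\n' "$desc"
    else
        printf 'NO   %s\n' "$desc"
        MISSES=$((MISSES + 1))
    fi
}

# Run every check; the return value is the number of rows still marked NO.
run_audit() {
    # $1 = sshd_config, $2 = inetd.conf, $3 = rc.conf
    MISSES=0
    report "PermitRootLogin no in $1"  check_permit_root_login "$1"
    report "Protocol 2 only in $1"     check_protocol "$1"
    for svc in rstatd rusersd time daytime ident comsat; do
        report "$svc disabled in $2"   check_inetd_disabled "$2" "$svc"
    done
    report "portmap=NO in $3"          check_portmap_disabled "$3"
    return $MISSES
}

# Constructed sample files for the demonstration (not copied from any system):
# sshd is hardened, inetd still runs ident and comsat, portmap is still on.
make_samples() {
    cat > "$1/sshd_config" <<'EOF'
# constructed sample sshd_config
Port 22
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
ListenAddress 192.0.2.10
EOF
    cat > "$1/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ident       stream  tcp     nowait  _identd  /usr/libexec/identd    identd -el
#daytime    stream  tcp     nowait  root     internal
#rstatd/1-3 dgram   rpc/udp wait    root     /usr/libexec/rpc.rstatd rpc.rstatd
comsat      dgram   udp     wait    root     /usr/libexec/comsat    comsat
EOF
    cat > "$1/rc.conf" <<'EOF'
# constructed sample rc.conf
portmap=YES     # inetd is also needed for rpc.* services
inetd=YES
sshd_flags=""
EOF
}

# Stand-alone demo on the constructed samples; point run_audit at the real
# files instead to check a live system.
DEMO=$(mktemp -d)
make_samples "$DEMO"
run_audit "$DEMO/sshd_config" "$DEMO/inetd.conf" "$DEMO/rc.conf"
echo "rows still marked NO: $?"
rm -rf "$DEMO"
```

On the constructed samples the audit reports three rows as NO (ident, comsat and portmap). The checks deliberately require the hardened value to be set explicitly rather than relying on a release's default, so that the result does not silently change when a default changes between versions.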
Copyright © 2000 - 2013 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in http://GeodSoft.com/terms.htm (or http://GeodSoft.com/cgi-bin/terms.pl). These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.