Archive for June, 2012

SBDavid

The anacron subsystem


The anacron subsystem is designed to provide cron functionality for machines which may be shut down during the normal times that system cron jobs run, frequently in the middle of the night. Laptops and workstations which are shut down at night should keep anacron enabled, so that standard system cron jobs will run when the machine boots.

However, on machines which do not need this additional functionality, anacron represents another piece of privileged software which could contain vulnerabilities. Therefore, it should be removed when possible to reduce system risk.

Disable anacron if Possible

Is this a machine which is designed to run all the time, such as a server or a workstation which is left on at night? If so:

# yum erase anacron

How to Confirm the Existence and Permissions of System Log Files

For each log file LOGFILE referenced in /etc/syslog.conf or /etc/rsyslog.conf, run the commands:

# touch LOGFILE
# chown root:root LOGFILE
# chmod 0600 LOGFILE

Syslog will refuse to log to a file which does not exist: all messages intended for that file are silently discarded, so it is important to verify that every log file named in the configuration exists. Some logs contain sensitive information, so it is better to restrict permissions so that only administrative users can read or write log files.
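As an added example (not part of the original post), the small POSIX shell script below automates the check described above: it pulls the file targets out of a syslog/rsyslog-style configuration and reports, or fixes, each file's existence, ownership and mode. The sample configuration, paths and function names are constructed for illustration, and `stat -c` assumes GNU coreutils as shipped on RHEL.

```shell
#!/bin/sh
# Constructed sample standing in for /etc/rsyslog.conf (not a real system file).
SAMPLE_CONF="${TMPDIR:-/tmp}/rsyslog.conf.sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
cron.*                                     /var/log/cron
*.emerg                                    *
local7.*                                   /var/log/boot.log
*.*                                        @loghost.example.com
EOF

# Print each file target in a syslog-style config, one per line.
# Comment lines, remote targets (@host) and the "*" (all users) target are
# skipped; a leading '-' (rsyslog's "no fsync" marker) is stripped.
syslog_logfiles() {
    grep -v '^[[:space:]]*#' "$1" | awk '
        NF >= 2 {
            t = $2
            sub(/^-/, "", t)
            if (t ~ /^\//) print t
        }' | LC_ALL=C sort -u
}

# Report one log file as MISSING or as "owner:group mode".
# Assumes GNU stat (coreutils), as shipped on RHEL.
logfile_status() {
    if [ ! -e "$1" ]; then
        echo "MISSING"
    else
        stat -c '%U:%G %a' "$1"
    fi
}

# Apply the fix from the page to every file target (must be run as root).
fix_logfiles() {
    syslog_logfiles "$1" | while IFS= read -r f; do
        touch "$f" && chown root:root "$f" && chmod 0600 "$f"
    done
}

# Audit run: one line per file target, e.g. "/var/log/secure<TAB>root:root 600".
syslog_logfiles "$SAMPLE_CONF" | while IFS= read -r f; do
    printf '%s\t%s\n' "$f" "$(logfile_status "$f")"
done
```

Anything other than `root:root 600` (or `MISSING`) in the audit output is a file that needs the `touch`/`chown`/`chmod` sequence above; point the functions at `/etc/rsyslog.conf` or `/etc/syslog.conf` on a real host.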

SBDavid

How to Configure Logging


There are two packages available in RHEL 5 for performing logging, sysklogd and rsyslog, and rsyslog is the recommended one.

No matter which logging software is used, a system should send its logs to a remote loghost. An intruder who has compromised the root account on a machine may delete the log entries which indicate that the system was attacked before they are seen by an administrator. If system logs are to be useful in detecting malicious activities, it is necessary to send them to a remote server.

The sysklogd software provides the default logging daemon for RHEL, but it has a number of downsides, including no authentication of client or server, no encryption, and no reliable transport for messages sent over a network. For these reasons, rsyslog is recommended instead (and it is also part of RHEL).

Network Parameters for Host-Only Systems

If the system is not going to be used as a firewall or gateway to pass IP traffic between different networks, then edit the file /etc/sysctl.conf and add or correct the following lines:

net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

These settings stop the host from forwarding IP packets and from sending ICMP redirects, network functions which are only appropriate for routers.

SBDavid

TCP Wrapper


TCP Wrapper is a library which provides simple access control and standardized logging for supported applications which accept connections over a network. Historically, TCP Wrapper was used to support inetd services.

TCP Wrapper supports only services which were built to make use of the libwrap library. To determine whether a given executable daemon /path/to/daemon supports TCP Wrapper, check the documentation, or run:

$ ldd /path/to/daemon | grep libwrap.so

If this command returns any output, then the daemon probably supports TCP Wrapper. An alternative to TCP Wrapper support is packet filtering using iptables. Note that iptables works at the network level, while TCP Wrapper works at the application level. This means that iptables filtering is more efficient and more resistant to flaws in the software being protected, but TCP Wrapper provides support for logging, banners, and other application-level tricks which iptables cannot provide.
