TCP Wrapper
TCP Wrapper is a library which provides simple access control and standardized logging for supported applications which accept connections over a network. Historically, TCP Wrapper was used to support inetd services.
TCP Wrapper supports only services which were built to make use of the libwrap library. To determine whether a given executable daemon /path/to/daemon supports TCP Wrapper, check the documentation, or run:
$ ldd /path/to/daemon | grep libwrap.so
If this command returns any output, then the daemon probably supports TCP Wrapper. An alternative to TCP Wrapper support is packet filtering using iptables. Note that iptables works at the network level, while TCP Wrapper works at the application level. This means that iptables filtering is more efficient and more resistant to flaws in the software being protected, but TCP Wrapper provides support for logging, banners, and other application-level tricks which iptables cannot provide.
How to disable Interactive Boot
Edit the file /etc/sysconfig/init. Add or correct the setting:
The PROMPT option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot. Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.
How to check for Unlabeled Device Files
Device files are used for communication with important system resources. SELinux contexts should exist for these. If a device file is not labeled, then misconfiguration is likely.
To check for unlabeled device files, run the following command:
# ls -Z /dev | grep unlabeled_t
It should produce no output in a well-configured system.
How to disable and remove SETroubleshoot
Disable the service and remove the RPM:
# chkconfig setroubleshoot off
# yum erase setroubleshoot
The setroubleshoot service is a facility for notifying the desktop user of SELinux denials in a user-friendly fashion. SELinux errors may provide important information about intrusion attempts in progress, or may give information about SELinux configuration problems which are preventing correct system operation. In order to maintain a secure and usable SELinux installation, error logging and notification is necessary.
How to set Daemon umask
Edit the file /etc/sysconfig/init, and add or correct the following line:
The settings file /etc/sysconfig/init contains settings which apply to all processes started at boot time.
The system umask must be set to at least 022, or daemon processes may create world-writable files. The more restrictive setting 027 protects files, including temporary files and log files, from unauthorized reading by unprivileged users on the system. If a particular daemon needs a less restrictive umask, consider editing the startup script or sysconfig file of that daemon to make a specific exception.
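The following script is an added example (not part of the original guide) that audits an /etc/sysconfig/init-style file for the two settings discussed above: the daemon umask (checked bitwise, so "at least 022" and "027 or stricter" are evaluated correctly for any octal value) and PROMPT from the interactive-boot section. It assumes the rc.sysinit convention that PROMPT=no is the value which disables the prompt; that value is not stated on this page. The sample files are constructed inline.

```shell
#!/bin/sh
# Added example: audit a /etc/sysconfig/init-style file for the daemon umask
# and the PROMPT (interactive boot) setting. Sample files are constructed below.
# Assumption: PROMPT=no disables interactive boot (rc.sysinit convention).

# umask_level MASK -> prints strict | ok | weak | invalid
#   strict : 027 or stricter (group write and all "other" access masked)
#   ok     : masks at least group and other write (the 022 bits)
#   weak   : world-writable files are possible
umask_level() {
    case "$1" in
        [0-7][0-7][0-7] | [0-7][0-7][0-7][0-7]) ;;
        *) echo invalid; return 1 ;;
    esac
    m=$(( 0$1 ))                       # leading 0: the shell parses it as octal
    if   [ $(( m & 23 )) -eq 23 ]; then echo strict   # 23 = octal 027
    elif [ $(( m & 18 )) -eq 18 ]; then echo ok       # 18 = octal 022
    else echo weak; return 1
    fi
}

# last_setting FILE KEY SEP -> value of the last non-comment "KEY<SEP>value"
# line, which is what the shell sourcing FILE actually ends up with.
last_setting() {
    sed -n "s/^[[:space:]]*$2$3\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# audit_init FILE: one line per setting; returns 0 only if the umask masks at
# least 022 and PROMPT is set to no.
audit_init() {
    rc=0
    um=$(last_setting "$1" umask '[[:space:]][[:space:]]*')
    lvl=$(umask_level "${um:-none}") || rc=1
    echo "umask=${um:-<unset>} ($lvl)"
    pr=$(last_setting "$1" PROMPT '=')
    case "$pr" in
        no|NO) echo "PROMPT=$pr (interactive boot disabled)" ;;
        *)     echo "PROMPT=${pr:-<unset>} (interactive boot possible)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files for the demonstration.
DEMO=$(mktemp -d)
printf '%s\n' '# hardened sample' 'PROMPT=no' 'umask 027' > "$DEMO/good"
printf '%s\n' 'PROMPT=yes' 'umask 022' 'umask 002   # later line wins' > "$DEMO/bad"

audit_init "$DEMO/good"
audit_init "$DEMO/bad" || echo "findings in $DEMO/bad (exit $?)"
```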