Disable Modprobe Loading of USB Storage Driver
If USB storage devices should not be used, the modprobe program used for automatic kernel module loading should be configured to not load the USB storage driver upon demand.
Add the following line to /etc/modprobe.conf to prevent loading of the usb-storage kernel module:
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.
Restrict Console Device Access
The default system configuration grants the console user enhanced privileges normally reserved for the root user, including temporary ownership of most system devices. If not necessary, these privileges should be removed and restricted to root only.
To restrict device ownership to root only, edit /etc/security/console.perms.d/50-default.perms and locate the section prefaced by the following comment:
# permission definitions
Prepend a # symbol to comment out each line in that section which starts with [console] or [xconsole].
Edit /etc/security/console.perms and make the following changes:
[console]=tty[0-9][0-9]* vc/[0-9][0-9]* :0\.[0-9] :0
[xconsole]=:0\.[0-9] :0
Using nodev, nosuid, and noexec Options to Temporary Storage Partitions
Temporary storage directories such as /tmp and /dev/shm potentially provide storage space for malicious executables.
Although mount options cannot prevent interpreted code stored there from being executed by a program in another partition, using certain mount options can be disruptive to malicious code.
Add nodev, nosuid, and noexec Options to /tmp
Edit the file /etc/fstab. Add the text ,nodev,nosuid,noexec to the list of mount options in column 4.
Add nodev Option to Non-Root Local Partitions
Edit the file /etc/fstab. The important columns for purposes of this section are column 2 (mount point), column 3 (filesystem type), and column 4 (mount options). For any line which satisfies all of the conditions:
The filesystem type is ext2 or ext3
The mount point is not /
add the text “,nodev” to the list of mount options in column 4.
The nodev option prevents users from mounting unauthorized devices on any partition which is known not to contain any authorized devices. The root partition typically contains the /dev directory, which is the primary location for authorized devices, so this option should not be set on /. However, if system programs are being run in chroot jails, this advice may need to be modified further, since it is often necessary to create device files inside the chroot directory for use by the restricted program.
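As an added example that is not part of the original guide, the two /etc/fstab rules above (nodev,nosuid,noexec on temporary storage, and nodev on every non-root ext2/ext3 partition) written as awk filters and run on a constructed sample fstab; the function names add_nodev and check_tmp_opts and the sample entries are assumptions made for the demonstration. The check also covers /dev/shm, which the text names alongside /tmp as temporary storage.

```shell
#!/bin/sh
# Constructed sample /etc/fstab for demonstration only (not from a real host).
SAMPLE_FSTAB='# device       mount     type   options            dump pass
LABEL=/        /         ext3   defaults           1 1
LABEL=/boot    /boot     ext2   defaults           1 2
LABEL=/home    /home     ext3   defaults,noatime   1 2
LABEL=/var     /var      ext3   defaults,nodev     1 2
LABEL=/tmp     /tmp      ext3   defaults           1 2
tmpfs          /dev/shm  tmpfs  defaults           0 0
/dev/hda3      swap      swap   defaults           0 0'

# Print the fstab with ",nodev" appended to column 4 of every ext2/ext3 line
# whose mount point is not "/", leaving lines that already carry nodev alone.
# Reassigning $4 makes awk rejoin the fields with single spaces, so the
# column alignment of the original file is not preserved.
add_nodev() {
  awk '
    /^[ \t]*(#|$)/ { print; next }
    ($3 == "ext2" || $3 == "ext3") && $2 != "/" && $4 !~ /(^|,)nodev(,|$)/ {
      $4 = $4 ",nodev"
    }
    { print }
  '
}

# Report each of nodev, nosuid and noexec that is missing from /tmp or
# /dev/shm, one line per finding: "<mount point> missing <option>".
check_tmp_opts() {
  awk '
    /^[ \t]*(#|$)/ { next }
    $2 == "/tmp" || $2 == "/dev/shm" {
      n = split("nodev nosuid noexec", want, " ")
      for (i = 1; i <= n; i++)
        if ($4 !~ "(^|,)" want[i] "(,|$)") print $2 " missing " want[i]
    }
  '
}

# Demonstration on the constructed sample; on a real host feed < /etc/fstab
# and review the output before writing anything back.
printf '%s\n' "$SAMPLE_FSTAB" | add_nodev
printf '%s\n' "$SAMPLE_FSTAB" | check_tmp_opts
```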
Verify Package Integrity Using RPM
The RPM package management system includes the ability to verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database.
Although an attacker could corrupt the RPM database (analogous to attacking the AIDE database as described above), this check can still reveal modification of important files. To determine which files on the system differ from what is expected by the RPM database:
# rpm -qVa
A “c” in the second column indicates that a file is a configuration file (and may be expected to change). In order to exclude configuration files from this list, run:
# rpm -qVa | awk '$2!="c" {print $0}'