How to disable Interactive Boot

Edit the file /etc/sysconfig/init. Add or correct the setting:

PROMPT=no

The PROMPT option controls the "Press 'I' to enter interactive startup" prompt printed by rc.sysinit. It allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot. Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security. Setting PROMPT=no suppresses the prompt so that every service starts as configured.

How to check for Unlabeled Device Files

Device files are used for communication with important system resources. SELinux contexts should exist for these. If a device file is not labeled, then misconfiguration is likely.

To check for unlabeled device files, run the following command (device files live under /dev; add -R to the ls -Z call to descend into subdirectories such as /dev/pts and /dev/shm):

# ls -Z /dev | grep unlabeled_t

It should produce no output on a well-configured system with SELinux enabled. Any file it does list should be relabeled (for example with restorecon) and the cause of the missing label investigated.

How to disable and Remove SETroubleshoot

Disable the service and remove the RPM:

# chkconfig setroubleshoot off
# yum erase setroubleshoot

The setroubleshoot service is a facility for notifying the desktop user of SELinux denials in a user-friendly fashion. SELinux denials may provide important information about intrusion attempts in progress, or about SELinux configuration problems which are preventing correct system operation, so error logging and notification remain necessary on a secure and usable SELinux installation. Removing setroubleshoot does not remove that logging: AVC denials are still recorded by the kernel audit subsystem (in /var/log/audit/audit.log when auditd is running, where they can be found with ausearch -m AVC). Only the desktop notifier, which is unnecessary on a server without a graphical login, goes away.


How to set Daemon umask

Edit the file /etc/sysconfig/init, and add or correct the following line:

umask 027

The file /etc/sysconfig/init is sourced by the SysV init scripts (through /etc/rc.d/init.d/functions), so settings in it apply to every service started at boot time by those scripts.

The system umask must be set to 022 or more restrictive, or daemon processes may create world-writable files. The more restrictive setting 027 also protects files, including temporary files and log files, from being read by unprivileged users on the system. If a particular daemon needs a less restrictive umask, consider editing the startup script or sysconfig file of that daemon to make a specific exception rather than loosening the global setting.
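The two /etc/sysconfig/init changes described above (PROMPT=no and umask 027) share the same "add or correct" requirement: an existing wrong line must be replaced, not shadowed by a second assignment, and a missing line must be appended. The script below, an added example rather than code from the guide, applies both settings to a file given on the command line and verifies them. The function names and the stand-alone invocation are this example's own; it assumes a shell-syntax sysconfig file, which is what /etc/sysconfig/init is.

```shell
#!/bin/bash
# Added example, not from the guide: apply the PROMPT=no and umask 027 settings
# to a sysconfig-style file with "add or correct" semantics, then verify them.
set -u

# Add or correct one setting. Every existing line for KEY is replaced (so a
# wrong value is corrected rather than shadowed); if none exists, the line is
# appended. SEP is "=" for PROMPT=no and " " for umask 027. The file is
# rewritten in place with cat so its owner and mode are preserved.
set_sysconfig_line() {   # usage: set_sysconfig_line FILE KEY SEP VALUE
    local file=$1 key=$2 sep=$3 value=$4 tmp
    [ -e "$file" ] || : > "$file"
    tmp=$(mktemp)
    if grep -qE "^[[:space:]]*${key}[=[:space:]]" "$file"; then
        sed -E "s|^[[:space:]]*${key}[=[:space:]].*|${key}${sep}${value}|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s%s%s\n' "$key" "$sep" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# True if FILE carries exactly the wanted setting (leading whitespace allowed,
# either "KEY=VALUE" or "KEY VALUE" form).
check_sysconfig_line() {   # usage: check_sysconfig_line FILE KEY VALUE
    grep -qE "^[[:space:]]*$2[=[:space:]]+$3[[:space:]]*$" "$1"
}

# Apply both settings from the sections above and return 0 only if both
# verify afterwards.
harden_sysconfig_init() {   # usage: harden_sysconfig_init FILE
    set_sysconfig_line "$1" PROMPT '=' no
    set_sysconfig_line "$1" umask ' ' 027
    check_sysconfig_line "$1" PROMPT no && check_sysconfig_line "$1" umask 027
}

# Stand-alone use (as root): ./harden-init.sh /etc/sysconfig/init
if [ $# -ge 1 ]; then
    harden_sysconfig_init "$1" && echo "ok: PROMPT=no and umask 027 set in $1"
fi
```

Running it a second time changes nothing, so it is safe to include in a configuration-management run; the check function can also be used on its own as an audit step.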

How to find Unauthorized SUID/SGID System Executables and fix them

The following command discovers and prints any setuid or setgid regular files on a local partition without crossing into other filesystems. Run it once for each local partition, substituting its mount point for PART:

# find PART -xdev \( -perm -4000 -o -perm -2000 \) -type f -print

If the file does not require a setuid or setgid bit as discussed below, then these bits can be removed with the command:

# chmod -s file
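Running the find command by hand for each partition and deciding file by file whether a bit is needed is tedious on a fleet. The script below, an added example that is not part of the guide, wraps the guide's find and chmod -s commands: it enumerates local filesystems from /proc/mounts, reports setuid/setgid files that are not in an allowlist, shows the owning RPM so rpm -V can confirm whether the packaged mode was changed, and strips the bits from a file on request while verifying they are gone. The set of filesystem types treated as local, the one-path-per-line allowlist format and the function names are this example's assumptions.

```shell
#!/bin/bash
# Added example, not from the guide: audit setuid/setgid files on every local
# filesystem against an allowlist and strip the bits from files that do not
# need them. Filesystem-type list and allowlist format are assumptions.
set -u

# Mount points of local filesystems, read from /proc/mounts.
# Assumption: these types are the "local partitions" the guide refers to.
local_mounts() {
    awk '$3 ~ /^(ext2|ext3|ext4|xfs|btrfs)$/ { print $2 }' /proc/mounts
}

# The guide's find command for one partition; -xdev keeps it on that filesystem.
find_suid_sgid() {   # usage: find_suid_sgid MOUNTPOINT
    find "$1" -xdev \( -perm -4000 -o -perm -2000 \) -type f -print 2>/dev/null | sort
}

# Owning RPM of a file, or "(unpackaged)". For a packaged file, rpm -V PACKAGE
# prints an "M" flag when the installed mode differs from the package's.
owning_package() {   # usage: owning_package FILE
    if ! command -v rpm >/dev/null 2>&1; then
        echo '(rpm not available)'
    elif rpm -qf "$1" >/dev/null 2>&1; then
        rpm -qf --queryformat '%{NAME}\n' "$1"
    else
        echo '(unpackaged)'
    fi
}

# Print setuid/setgid files under the given mount points that are not listed
# (one absolute path per line) in the allowlist file.
report_unlisted() {   # usage: report_unlisted ALLOWLIST MOUNTPOINT...
    local allow=$1 mp f
    shift
    for mp in "$@"; do
        find_suid_sgid "$mp" | while IFS= read -r f; do
            grep -qxF -- "$f" "$allow" || printf '%s\n' "$f"
        done
    done
}

# True if FILE still carries the setuid or the setgid bit.
has_special_bits() {   # usage: has_special_bits FILE
    [ -u "$1" ] || [ -g "$1" ]
}

# Remove both bits, as the guide's chmod -s does, and confirm they are gone.
strip_special_bits() {   # usage: strip_special_bits FILE
    chmod -s -- "$1" && ! has_special_bits "$1"
}

# Stand-alone use (as root): ./suid-audit.sh ALLOWLIST [MOUNTPOINT...]
# With no mount points given, every local filesystem is scanned. Mount points
# containing whitespace would need to be passed explicitly.
if [ $# -ge 1 ]; then
    allow=$1
    shift
    [ $# -gt 0 ] || set -- $(local_mounts)
    report_unlisted "$allow" "$@" | while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(owning_package "$f")"
    done
fi
```

Build the allowlist from a freshly installed reference system of the same release, review each reported path against its owning package, and only then call strip_special_bits on the files that do not need the bit; removing the bit from a packaged binary such as passwd or sudo breaks it, which is why the package name is printed next to each finding.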
