Restrict Console Device Access
The default system configuration grants the console user enhanced privileges
normally reserved for the root user, including temporary ownership of most system devices.
If not necessary, these privileges should be removed and restricted to root only.
Restrict device ownership to root only.
Edit /etc/security/console.perms.d/50-default.perms and locate the section prefaced by the following comment:
# permission definitions
Prepend a # symbol to comment out each line in that section which starts with [console] or [xconsole]
Edit /etc/security/console.perms and make the following changes:
[console]=tty[0-9][0-9]* vc/[0-9][0-9]* :0\.[0-9] :0
[xconsole]=:0\.[0-9] :0
Tags: Access, Console, device, Restrict
Using nodev, nosuid, and noexec Options to Temporary Storage Partitions
Temporary storage directories such as /tmp and /dev/shm potentially provide storage space for malicious executables.
Although mount options options cannot prevent interpreted code stored there from
getting executed by a program in another partition, using certain mount options can
be disruptive to malicious code.
Add nodev, nosuid, and noexec Options to /tmp
#Edit the file /etc/fstab. Add the text nodev,nosuid,noexec to the list of mount options in column 4.
#Edit the file /etc/fstab. Add the text ,nodev,nosuid,noexec to the list of mount options in column 4
Tags: nodev, noexec, nosuid, Partitions
Add nodev Option to Non-Root Local Partitions
Edit the file /etc/fstab. The important columns for purposes of this section are column 2 (mount point), column 3 (filesystem type), and column 4 (mount options). For any line which satisfies all of the conditions:
The filesystem type is ext2 or ext3
The mount point is not /
add the text “,nodev” to the list of mount options in column 4.
The nodev option prevents users from mounting unauthorized devices on any partition which is known not to contain any authorized devices. The root partition typically contains the /dev directory, which is the primary location for authorized devices, so this option should not be set on /. However, if system programs are being run in chroot jails, this advice may need to be modified further, since it is often necessary to create device files inside the chroot directory for use by the restricted program.
Tags: Local, nodev, Non-Root, Partitions
Verify Package Integrity Using RPM
The RPM package management system includes the ability to verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database.
Although an attacker could corrupt the RPM database (analogous to attacking the AIDE database as described above), this check can still reveal modification of important files. To determine which files on the system differ from what is expected by the RPM database:
A “c” in the second column indicates that a file is a configuration file (and may be expected to change). In order to exclude configuration files from this list, run:
# rpm -qVa | awk ‘$2!=”c” {print $0}’
Tags: Integrity, package, rpm, Verify
Increasing PHP security php functions
dl — Loads a PHP extension at runtime
This function is required for loading ionCube on the fly. However if you have a popular sites using ionCube then the better way is to load it from php.ini anyway. Not only because of speed increase, also you would be in control of ionCube versions so you can make sure that they match with your PHP versions.
exec — Execute an external program
This function is required for XCart and spellcheck feature of Horde. There is no good thing about letting this function work. You could perhaps use safe_mode to designate a safebin environment where you let users to execute only the binaries you allow.
fsockopen — Open Internet or Unix domain socket connection
This function is unfortunately required for Virtuemart paypal module. Thus removed from the example above. You can add it if you are sure that it wont break anything in your system.
Tags: Functions, Increasing, PHP, Security
