Checklist (was Re: OS Hardening)
My checklist is:
1.- custom install (do not select tasks) w/ shadow passwords
2.- go through deselect and remove packages before doing an install, leave
3.- (the things in the debian-hardening-howto: quotas, login definitions, lilo)
4.- check init.d scripts, remove unwanted with package (check with dpkg -S do
dpkg --purge), if they are useful but not interesting to enable on startup use
update-rc.d XXX remove
5.- Install services that will be used in bastioned host
6.- check services enabled: ps aux, netstat -n --inet, lsof -i
7.- Remove RPC (if not using NFS or any other RPC service, i.e. always)
8.- check inetd services: grep -v "^#" | sort | uniq. remove unwanted with
9.- check if inetd services are wrapped (tcpd) configure hosts.deny hosts.allow
10.- check which services are running as root (with ps aux, netstat).
Consider changing to a given user/group (start-stop-daemon -- -u XXX -g XXX)
11.- (if services changed to another user) Check files from services (dpkg -L)
and change ownership.
12.- Recheck services enabled.
13.- Test install: services work as expected
14.- Check settings with network scanner, analysis of vulnerabilities
15.- Install problem detectors (snort, logging...)
16.- Recheck with network scanner. Do detectors warn you?
(for the truly paranoid ;)
17.- Add firewall capabilities. Offer only selected services.
18.- Recheck install (13)
19.- Recheck with network scanner.
And no, I'm not in a mental institution ;)
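The service checks in steps 8 to 10 of the checklist, as an added example that is not part of the original post: small shell helpers that run over captured `ps aux`, `netstat -lnp --inet` and inetd.conf output (the samples below are constructed; the netstat `-p` column layout and the inetd.conf field order are assumed).

```shell
#!/bin/sh
# Added example, not from the original post: helpers for checklist steps 8-10.
# They read captured tool output so they run offline; on a real host feed them
# `ps aux`, `netstat -lnp --inet` and /etc/inetd.conf directly.
# Step 8: services an inetd.conf really enables (comments and blank lines dropped).
inetd_enabled() {
    grep -v '^#' "$1" | awk 'NF { print $1 }' | sort | uniq
}
# Step 9: enabled inetd services whose server program (field 6) is not tcpd.
inetd_unwrapped() {
    grep -v '^#' "$1" | awk 'NF && $6 !~ /tcpd$/ { print $1 }' | sort | uniq
}
# Step 10: listening sockets whose owning process runs as root.
# $1 = netstat -lnp --inet output (last field PID/Program), $2 = ps aux output.
root_listeners() {
    awk '
        NR == FNR { if ($2 ~ /^[0-9]+$/) owner[$2] = $1; next }  # ps: PID -> USER
        $NF ~ /^[0-9]+\// {                                       # netstat rows with a PID
            split($NF, p, "/")
            if (owner[p[1]] == "root") print $4, p[2], "pid=" p[1]
        }' "$2" "$1"
}
# Constructed sample output (not captured from a real host).
TMP=$(mktemp -d)
cat >"$TMP/ps" <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root       412  0.0  0.1   2300  1100 ?        S    10:00   0:00 /usr/sbin/sshd
root       440  0.0  0.1   1600   700 ?        S    10:00   0:00 /sbin/portmap
root       501  0.0  0.1   1800   900 ?        S    10:00   0:00 /usr/sbin/inetd
www-data   623  0.0  0.3   5400  2800 ?        S    10:00   0:00 /usr/sbin/apache
EOF
cat >"$TMP/netstat" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      623/apache
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      501/inetd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           440/portmap
EOF
cat >"$TMP/inetd.conf" <<'EOF'
#echo   stream  tcp     nowait  root    internal
ident   stream  tcp     wait    identd  /usr/sbin/identd        identd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
EOF
echo "inetd enabled:"; inetd_enabled "$TMP/inetd.conf"; echo "not wrapped:"; inetd_unwrapped "$TMP/inetd.conf"
echo "root listeners:"; root_listeners "$TMP/netstat" "$TMP/ps"
```

The portmap line in the report is the RPC service step 7 says to remove; the unwrapped ident entry is what step 9 wants moved behind tcpd or dropped.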