:-[] :-|| Vivek Khokhar rambles here :-O :-[]

October 11, 2006

Find : various possibilities

Filed under: Uncategorized — Vivek Khokhar @ 2:36 am
find . -name "*.ext"

find . -user mike #owned by mike

find . -type d   #All directories  -type f for all files

find . -size +1024M #More than 1 GB

find . -name '*.jpg' ! -name 'bb*'  #All jpgs except those that start with bb (quote the patterns so the shell does not expand them first)

find /etc  -mtime -1 #All files in /etc modified within the last day (-mtime counts in 24-hour units, so -1 means less than one day ago)

find /etc -user root -amin -2 #all files in /etc that have been accessed within the last two minutes

* -atime: when (in days) the file was last accessed
* -ctime: when (in days) the file’s permissions (inode metadata) were last changed
* -mtime: when (in days) the file’s data was last modified
* -amin: when (in minutes) the file was last accessed
* -cmin: when (in minutes) the file’s permissions (inode metadata) were last changed
* -mmin: when (in minutes) the file’s data was last modified

* -nouser: files not owned by an existing user id
* -nogroup: files not owned by an existing group id
* -links n: file has n hard links
* -newer file: file was modified more recently than the given file
* -perm 777: file has mode 777

October 9, 2006

RPM fast track

Filed under: Linux — Vivek Khokhar @ 3:17 am

RPM package files have names like foo-1.0-2.i386.rpm, which encode the
package name (foo), version (1.0), release (2), and architecture (i386).

 To display package information before installing the program, use the command:
# rpm -qpi foo-2.3-8.i386.rpm

To install an RPM package, use the command:
# rpm -ivh foo-1.0-2.i386.rpm

To upgrade an RPM package, use the command:
# rpm -Uvh foo-1.0-2.i386.rpm

With this command, RPM automatically uninstalls the old version of foo package and installs the
new one. Always use rpm -Uvh to install packages, since it works fine even when there are no
previous versions of the package installed.

To uninstall an RPM package, use the command:
# rpm -e foo
Notice the use of the package name “foo”, not the name of the original package file “foo-1.0-2.i386.rpm”.

# rpm -q foo
foo-2.3-8
This command prints the package name, version, and release number of the installed package
foo. Use it to verify whether a package is installed on your system.

 To display package information, use the command:
# rpm -qi foo

To list the files in an installed RPM package, use the command:
# rpm -ql foo

To find out which package a given file belongs to, use the command:
# rpm -qf /etc/passwd

To remove a set of unneeded packages in one go, use a command like the following:
# rpm -e --nodeps anacron apmd at dhcpcd dosfstools eject hotplug ipchains ksymoops kudzu lokkit mailcap pciutils pump raidtools redhat-logos redhat-release setserial kbdconfig mouseconfig timeconfig authconfig ntsysv setuptool

Once you have installed all the software you need on your Linux server with the RPM
command, it’s a good idea to move the rpm binary to a safe place, such as a floppy disk or another location of your choice. That way, if someone gains access to your server and intends to install nasty software with the RPM command, they won’t be able to. Of course, if in the future you want to install or upgrade software via RPM, all you have to do is move the RPM binary back to its original directory.

 To move the RPM binary on the floppy disk, use the command:
[root@deep /]# mount /dev/fd0H1440 /mnt/floppy/
[root@deep /]# mv /bin/rpm /mnt/floppy/
[root@deep /]# umount /mnt/floppy/

One more thing you can do is change the default permission of the “rpm” command from 755 to 700. With this modification, non-root users can’t use the “rpm” program to query, install, etc., in case you forget to move it to a safe place after installing new programs.

Tighten up single-user login mode

Filed under: Linux — Vivek Khokhar @ 3:17 am

Linux has a special boot command (linux single), also known as ‘single-user mode’, which can be
entered at the boot prompt during startup of the system. Single-user mode is generally used
for system maintenance. You can boot Linux in single-user mode by typing the following at the LILO boot
prompt:
LILO: linux single

This places the system in run level 1, where you are logged in as the super-user ‘root’
without even having to type a password! Requiring no password to boot into root under single-user mode is a bad idea. You can fix this by
editing the inittab file (vi /etc/inittab) and changing the following line:
id:3:initdefault:
to read:
id:3:initdefault:
~~:S:wait:/sbin/sulogin
The added line makes init(8) run sulogin(8) before dropping the machine into a root shell for
maintenance, so the root password must be entered before the boot into single-user mode
continues.

 Now, for the change to take effect type in the following at a prompt:
# /sbin/init q

Tighten Up NFS

Filed under: Linux — Vivek Khokhar @ 3:17 am

Configure the /etc/exports file with the most restrictive access possible. This means not using wildcards, not allowing root
write access, and mounting read-only wherever possible.
Edit the exports file (vi /etc/exports) and add entries such as:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
Where /dir/to/export is the directory you want to export, host1.mydomain.com is the machine allowed to mount this directory, the ro option means it is mounted read-only, and the root_squash option means root on the client is not given root write access to this directory.
* root_squash - Maps the root user to the nobody user. This has the effect of not allowing a root user on a client to gain root file access permissions on the server.
* all_squash - Maps all the UIDs and GIDs to the nobody user. This is useful if the share is to have anonymous access, much like an anonymous FTP server.

 For this change to take effect you will need to run this command on your terminal:
# /usr/sbin/exportfs -a
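A quick audit of an exports file for the three weaknesses named above (wildcard clients, read-write exports, root not squashed). This is an added example, not from the original post; the sample exports file is constructed inline.

```shell
#!/bin/sh
# Added example, not from the original post: audit an /etc/exports-style file
# for the weaknesses named above (wildcard clients, read-write exports, root
# not squashed). One finding per line on stdout; exit status 1 if any.

# Print findings for one "client(options)" entry belonging to export $1.
export_entry_findings() {
    path="$1"; entry="$2"
    client=${entry%%\(*}                                  # text before the first "("
    opts=${entry#"$client"}; opts=${opts#\(}; opts=${opts%\)}
    name=${client:-"<everyone>"}
    case "$client" in
        # "host (ro)" with a space is the classic mistake: "(ro)" becomes a
        # separate entry with an empty client, which exports to all hosts.
        "")        echo "$path $name: options with no client, exported to all hosts" ;;
        *\**|*\?*) echo "$path $name: wildcard client" ;;
    esac
    case ",$opts," in *,rw,*) echo "$path $name: exported read-write" ;; esac
    case ",$opts," in
        *,no_root_squash,*) echo "$path $name: no_root_squash, client root keeps root on the server" ;;
    esac
}

# Audit a whole exports file; comments and blank lines are skipped.
audit_exports() {
    found=$(sed -e 's/#.*//' "$1" | while read -r path clients; do
        [ -n "$path" ] || continue
        for entry in $clients; do export_entry_findings "$path" "$entry"; done
    done)
    if [ -z "$found" ]; then return 0; fi
    printf '%s\n' "$found"
    return 1
}

# Constructed sample (not a real host's exports), written to a temp file.
sample_exports() {
    f=$(mktemp)
    printf '%s\n' '# fine: one host, read-only, root squashed' \
        '/dir/to/export host1.mydomain.com(ro,root_squash)' \
        '/srv/pub *(rw,no_root_squash)' \
        '/srv/home host2.mydomain.com (rw)' > "$f"
    echo "$f"
}

f=$(sample_exports)
audit_exports "$f" || echo "weak exports found, see findings above"
rm -f "$f"
```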

Tighten up /etc/fstab

Filed under: Linux — Vivek Khokhar @ 3:16 am

- Mounting the boot partition read-only increases the security of the kernel. This is how you do it in /etc/fstab:

LABEL=/boot /boot ext2 defaults,ro 1 2

Then reload the changes:
# mount /boot -oremount

And yes, make it writable again when you are planning a kernel upgrade. Otherwise the new kernel won’t be able to be written to /boot :)

Other security options in the fstab file are:
* defaults: allow everything (quota, read-write, and suid) on this partition.
* noquota: do not enforce user quotas on this partition.
* nosuid: ignore SUID/SGID bits on this partition.
* nodev: do not interpret character or block special devices on this partition.
* noexec: do not allow execution of any binaries on this partition.
* quota: enforce user quotas on this partition.
* ro: mount this partition read-only.
* rw: mount this partition read-write.
* suid: honour SUID/SGID bits on this partition.

Some useful examples:
LABEL=/cache /cache ext2 defaults,nodev 1 2
LABEL=/tmp /tmp ext2 defaults,nosuid,noexec 1 2

# mount /cache -oremount
# mount /tmp -oremount

 To verify if the modifications have been correctly applied:
# cat /proc/mounts

Tighten up /etc/rc.local

Filed under: Linux — Vivek Khokhar @ 3:16 am

By default, when you login to a Linux machine, it tells you the Linux distribution name, version, kernel version, and the name of the server. This is giving away too much info. We’d rather just prompt users with a “Login:” prompt.

To do this, edit the rc.local file (vi /etc/rc.local) and place “#” in front of the following lines as shown:

# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
##cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue

Then remove the files issue and issue.net under the /etc/ directory:
# rm -f /etc/issue
# rm -f /etc/issue.net

Tighten up SETUID/SETGID

Filed under: Linux — Vivek Khokhar @ 3:15 am

To find all files with the ‘s’ bits set (set-uid or set-gid, typically root-owned programs), use the command:
# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;

There is a program named “sXid” that will do this check for you automatically each
day and report the results via mail.
To disable the suid bit on selected programs from the list above, use chmod a-s:
# chmod a-s /usr/bin/chage
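The sXid idea (run the find above every day and report what changed) in a few lines of shell, also covering the find options from the earlier post. This is an added example, not sXid itself and not from the original post; the demo tree and its set-uid files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal sXid-style check built on
# the find expression above. It records the set-uid/set-gid files under a tree
# as a baseline and later reports what appeared or vanished, which is the
# change a daily cron job would mail out.

# Sorted list of set-uid/set-gid regular files below $1 (same test as the post).
list_suid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -print 2>/dev/null | sort
}

# Record the current list as the baseline file $2.
save_suid_baseline() { list_suid "$1" > "$2"; }

# Compare tree $1 against baseline $2: "+ path" for new set-id files,
# "- path" for baseline entries that lost the bit or were removed.
# Exit status 1 if anything changed, so cron can mail only on change.
check_suid_baseline() {
    cur=$(mktemp); base=$(mktemp)
    list_suid "$1" > "$cur"
    sort "$2" > "$base"
    changes=$( { comm -23 "$cur" "$base" | sed 's/^/+ /'; comm -13 "$cur" "$base" | sed 's/^/- /'; } )
    rm -f "$cur" "$base"
    if [ -z "$changes" ]; then return 0; fi
    printf '%s\n' "$changes"
    return 1
}

# Constructed demo: a throw-away tree where we set the bits ourselves.
demo_suid_check() {
    d=$(mktemp -d); b="$d/.baseline"
    echo x > "$d/su_like"; chmod 4755 "$d/su_like"        # present at baseline time
    save_suid_baseline "$d" "$b"
    echo x > "$d/new_setuid"; chmod 4755 "$d/new_setuid"  # appears afterwards
    chmod 0755 "$d/su_like"                               # bit removed afterwards
    check_suid_baseline "$d" "$b"; rc=$?
    rm -rf "$d"
    return $rc
}

demo_suid_check || echo "set-id files changed since baseline"
```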

Tighten up PAM /etc/pam.d/

Filed under: Linux — Vivek Khokhar @ 3:15 am

The password length

Edit the passwd file (vi /etc/pam.d/passwd) and remove the following line:
password required /lib/security/pam_stack.so service=system-auth

Edit the system-auth file (vi /etc/pam.d/system-auth) and remove the lines:
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so

Now add the following lines to /etc/pam.d/passwd. The PAM “pam_cracklib” module is used here with the “minlen” argument to enforce a minimum password length.
password required /lib/security/pam_cracklib.so retry=3 minlen=12
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so

Tighten up /etc/rc.d/init.d/

Filed under: Linux — Vivek Khokhar @ 3:15 am

Fix the permissions of the script files responsible for starting and stopping all the normal processes that need to run at boot time.
To fix the permissions of those files, use the following command:
[root@deep /]# chmod -R 700 /etc/init.d/*
This means only the super-user “root” is allowed to read, write, and execute the script files in this directory. I don’t think regular users need to know what’s inside those script files.
WARNING: If you install a new program or update a program that uses a System V init script located under the /etc/rc.d/init.d/ directory, don’t forget to change or verify the permissions of that script file again.

Secure Log files

Filed under: Linux — Vivek Khokhar @ 3:14 am

http://www.securityfocus.com/infocus/1613
