##########################################################################
#                       Linux Security Checklist
#
# Anuradha Weeraman, 23 June 2002
#
# Sample security checklist for the certifiably paranoid
#
# $Id: security-checklist.txt,v 1.1 2004/06/02 21:17:54 anuradha Exp $
#
##########################################################################

[ ] Turn off the Computer
[ ] Remove Network Cable
[ ] Turn on Computer
[ ] Configure BIOS to Boot from CD
[ ] Password Protect BIOS
[ ] Install Distribution with Minimum Requirements
[ ] Re-Boot
[ ] Configure BIOS to Boot Only from the Hard-disk
[ ] Assign Secure Root Password
[ ] Install Shadow File and MD5 Passwords
[ ] Password Protect Lilo
    code:
        restricted
        password g00d-PA55wrd
[ ] Check for Open Ports
        netstat -l --inet
[ ] Disable ALL Services (Both Standalone and Inetd)
[ ] TCP/Wrappers
    In /etc/hosts.deny :
        ALL: ALL
[ ] Change Default Banners
    Files :
        /etc/issue
        /etc/issue.net
    Make them immutable :
        chattr +i /etc/issue*
[ ] Install OpenSSH and Disable it Temporarily
    Deny Remote Root Logins in /etc/ssh/sshd_config
    Eg : PermitRootLogin no
    Allow Remote Logins to Particular Users in /etc/ssh/sshd_config
    Eg : AllowUsers anuradha tore
[ ] Remote Root Logins Only to the Console
    In /etc/securetty :
        tty1
        tty2
        ..
        tty12
[ ] Allow Only Users in the 'wheel' Group to su to Root
    In /etc/pam.d/su :
        auth required pam_wheel.so group=wheel
[ ] Install System Security Scanners, Network Security Scanners and Intrusion Detection Systems
    SSN : AIDE
    NSN : Nessus, NMAP, Strobe, lsof
    IDS : SNORT
[ ] Run the Security Scanners and Port Scanners on the Machine
[ ] Make Sure the IDS is Working Properly
[ ] Generate Checksums of All the Files on the Machine and Store them Offline
[ ] Configure the Network Interface
[ ] Plug-in the Network Cable
[ ] Verify Network Connectivity
[ ] Perform Security Updates and Patch the System
    Security Updates of the Distribution
    Close Security Holes found by the Scanners
[ ] Download and Compile the Most Recent Kernel with Firewalling Support
[ ] Install and Start the Firewalling Script
[ ] Configure the Firewall to be Started at Boot-Time
[ ] Start inetd Services if Necessary
[ ] Relax TCP/Wrapper Rules
    In /etc/hosts.deny :
        ALL: PARANOID
[ ] Restart inetd
[ ] Start Necessary Standalone Daemons (Like OpenSSH)
[ ] Check to See if the Services are Running (NMAP, netstat -l --inet)
[ ] Re-boot Computer
[ ] Verify Boot-time Services (NMAP, netstat -l --inet, lsof -i)
[ ] Update the Security Scanners with the Latest Exploit Rulesets
[ ] Re-run the Security Scanners and Take Necessary Measures
[ ] Check the Checksums of All Files on the Hard Disk
    Make Sure that Changed Checksums are of the Software You Just Upgraded or Patched
[ ] Regenerate the Checksums and Store Offline
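Added example, not part of the original checklist: a small POSIX shell script covering the two checksum steps ("Generate Checksums ... Store them Offline" and "Check the Checksums of All Files"). It records a SHA-256 baseline of every regular file under a directory and later reports which files changed, appeared or disappeared, so the only lines left to explain should be the packages you just upgraded or patched. The function names and the use of sha256sum are assumptions; the checklist names no specific tool for this step (AIDE, listed above, does the same job with more metadata).

```shell
#!/bin/sh
# Added example (not from the checklist): build a checksum baseline of a tree
# and later diff the live tree against it. Function names are assumptions.
# Paths are assumed to contain no whitespace, because sha256sum's two-column
# output is split on whitespace below.

# generate_baseline DIR OUTFILE
# Writes "sha256  ./relative/path" for every regular file under DIR.
# Copy OUTFILE to read-only media afterwards: a baseline kept on the
# machine can be edited by whoever replaced the binaries.
generate_baseline() {
    dir="$1"; out="$2"
    (cd "$dir" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum) > "$out"
}

# compare_baseline DIR BASELINE
# Prints one line per difference: "CHANGED path", "ADDED path" or
# "REMOVED path". Prints nothing when the tree matches the baseline exactly.
compare_baseline() {
    dir="$1"; base="$2"
    cur=$(mktemp)
    generate_baseline "$dir" "$cur"
    awk 'NR == FNR { old[$2] = $1; next }           # first file: baseline
         !($2 in old) { print "ADDED " $2; next }   # second file: live tree
         { seen[$2] = 1; if (old[$2] != $1) print "CHANGED " $2 }
         END { for (p in old) if (!(p in seen)) print "REMOVED " p }' \
        "$base" "$cur"
    rm -f "$cur"
}

# Typical use in the checklist's order (paths are illustrative):
#   generate_baseline / /mnt/floppy/baseline.sha256    (before plugging in the cable)
#   compare_baseline  / /mnt/floppy/baseline.sha256    (after patching)
# then confirm every CHANGED/ADDED line belongs to a package you just updated,
# and regenerate the baseline once you are satisfied.
```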