12

Some in our infrastructure group want to upgrade to start taking advantage of the new features in RHEL 6. In the past, I have relied on the NSA Guide to secure RHEL 5 and CentOS 5 installations. I find this guide invaluable.

Does anyone out there have experience with securing RHEL / CentOS 6 in a similar way? If so, what resources (written or consultative) did you leverage?

I have heard from some colleagues that version 6 is significantly different from version 5 in various ways, so I don't want to leave gaping holes in our security because I didn't adequately account for those differences.

Is Red Hat's own Security Guide for RHEL 6 really sufficient?

Would anyone go so far as to say that, unless you have a compelling functional reason, you should hold off on upgrading from 5 to 6 until some group like the NSA can produce a guide that is specific to the version you are trying to protect?

I appreciate any feedback that you may have, even if it is directing me to a more appropriate forum.

Scott Pack
theosophe74
  • Also, can someone speak to whether the following training would be worthwhile in preparation for this work: http://www.sans.org/ondemand/description.php?tid=3877 – theosophe74 Mar 09 '12 at 18:47

2 Answers

11

When it comes to something like a hardening guide, RHEL 6 is still considered fairly new. As sad as it seems, many of these types of guides take several months or years to produce. That being said, by and large, for your purposes the difference between EL 5 and EL 6 should be fairly minimal. When I began supporting EL 6, most of my changes were rather cosmetic. For instance, making sure to use rsyslog instead of syslogd. Since Red Hat produces their own guide, a lot of the version-specific work should be taken care of there.

I would, however, encourage you to check out the NSA Fact Sheet for Red Hat 5 and the CIS Benchmark. Some specifics may change, but much of the core work should translate quite well.

I would also recommend checking out this related question: How to secure a dedicated linux server running a LAMP stack for commercial E-commerce use


It is worth noting that as of 2 June 2012 there exists a Red Hat Enterprise Linux 6 Benchmark from the Center for Internet Security.

Scott Pack
  • I totally understand the time that it takes to produce these types of guides and the tools that accompany them. I will review all of the links that you mentioned. – theosophe74 Mar 09 '12 at 19:57
  • 1
    @theosophe74 - welcome to security stack exchange. If an answer helps you, clicking on the tick at the left indicates this to the person who posted it, and to other visitors to the site. This and other helpful tips can be found in the [faq] linked at the top of the page. – Rory Alsop Mar 12 '12 at 11:02
0

The correct answer is that the SNAC was one of the original guides and was intended for all organizations and persons. It was largely superseded by the NIST specifications on which the USGCB RHEL 5 and the STIG 5 and 6 are based. The hardening guide you are referencing is created from all of this work. (http://blog-shawndwells.rhcloud.com/) The CIS Benchmark is a near-exact copy of the STIG and references the original authors without permission.