I often say that most successful attacks and vulnerabilities are failures of imagination (when they aren’t outright laziness/penny-pinching). The authors of these documents have seen a lot of attacks and know something about how things should be configured to give your servers a fighting chance. These guides and checklists are great to look over for inspiration and ideas on how to better lock down your systems. Look over each item and think to yourself: “What on earth happened such that they had to put this on a security checklist?”
- http://www.nsa.gov/ia/_files/os/redhat/rhel5-pamphlet-i731.pdf
- http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
- http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf (not Federal but good to review all the same)
- http://benchmarks.cisecurity.org/tools2/linux/CIS_RHEL_5.0-5.1_Benchmark_v1.1.2.pdf (also not Fed but good)
- http://web.nvd.nist.gov/view/ncp/repository
Use something like Puppet to automate implementation of this stuff network-wide. That last NIST link even has an awesome Puppet config for all of this! I’ve been reading through the code for the Puppet modules and learned some neat things, including stuff I had no clue about previously, such as how Augeas works and what it is good for.
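
As an added illustration (not taken from the NIST repository's modules or from any of the guides above), this is how a Puppet manifest can use Augeas to enforce checklist-style settings by changing individual keys in place rather than replacing whole files. The specific settings, the resource titles and the `sshd` service name are assumptions chosen for the example.

```puppet
# Added example: resource titles and chosen settings are illustrative
# assumptions, not code from the NIST repository.

# Enforce two sshd_config keys; every other line in the file is left untouched.
augeas { 'sshd_hardening':
  context => '/files/etc/ssh/sshd_config',
  changes => [
    'set PermitRootLogin no',
    'set Protocol 2',
  ],
  notify  => Service['sshd'],
}

# Restart sshd only when the augeas resource actually changed something.
service { 'sshd':
  ensure => running,
  enable => true,
}

# Enforce kernel network parameters in sysctl.conf the same way.
augeas { 'sysctl_network_hardening':
  context => '/files/etc/sysctl.conf',
  changes => [
    'set net.ipv4.ip_forward 0',
    'set net.ipv4.conf.all.accept_source_route 0',
    'set net.ipv4.conf.all.accept_redirects 0',
  ],
  notify  => Exec['sysctl_reload'],
}

# Load the new values into the running kernel, only on change.
exec { 'sysctl_reload':
  command     => '/sbin/sysctl -p /etc/sysctl.conf',
  refreshonly => true,
}
```

Augeas parses each file into a tree and rewrites only the named keys, so local edits elsewhere in the file survive and repeated Puppet runs make no further changes once the values match.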
NIST, HIPAA, PCI, CIS, NSA, IQOQ, another day, another security audit and industry-specific acronym!