Tel: +353-1-2059-878
Email: info@securelinx.com

Five quick wins to improve SLES Security

When it comes to platform hardening there are almost limitless options that could improve a system's security, from configuration, services, network parameters and shell limits through to encryption, centralized access management and intrusion detection systems. Building a secure system requires time, effort and money.

Here we present five quick wins which, while easy to implement, can significantly improve security. This is not meant to replace the traditional platform hardening process, which remains the recommended course of action, but to draw attention to tools available out of the box that can easily be switched on, even on a system already in a production environment.

1. Activate Internal Firewall.

IPtables software is installed by default on SLES and can be used to protect your server from unnecessary or damaging traffic. YaST provides an easy and intuitive graphical interface which allows you to restrict access to the system to specific ports only. This is an easy task; the main challenge very often turns out to be identifying the TCP and UDP ports that should be allowed.

2. Patch your server.

Failure to keep the operating system and application software up to date is the most common mistake made by information system professionals and users. Novell publishes a list of released patches on the Patch Support Database website.

The easiest way to ensure compliance is by using the Online Patch Management Tool available through YaST. For multiple systems, or when security policies do not allow direct connections to the internet, a better choice may be the Subscription Management Tool. It is a proxy system integrated with Novell Customer Center that provides key Novell Customer Center capabilities locally at the customer site, allowing a more secure, centralized deployment.

Enterprises may consider implementing ZENworks Linux Management, which can scale to support large IT systems. In addition to standard patching, ZLM can provide build management, bare metal installations, configuration management, and software and hardware inventory.

3. Disable unnecessary services.

Aside from consuming resources, some of the default services can be used as a door through which attackers gain access to the system. Typical candidates are portmap (if NFS is not used) and cups (if no printers are configured on the system).

Another service, SSH, is typically used for remote management. If it cannot be disabled for practical reasons, direct root logins should at least be disabled and only SSH protocol version 2 allowed.

4. Use sudo.

Sudo is a great little tool which deserves more attention from Linux administrators. The first benefit is that it makes it unnecessary to use the root password for day-to-day management tasks. Secondly, it allows granular delegation of tasks between staff. For example, database administrators can be given the right to start/stop the applications they manage and to mount disks, while being forbidden from altering network configuration or creating new users.

5. Enable the audit subsystem.

The audit subsystem provides quite an extensive list of rules that can be set to audit events on the system. The choice may be overwhelming, but with a little effort auditing of login events can be enabled. This is done by setting the AUDITD_DISABLE_CONTEXTS="no" variable in the /etc/sysconfig/auditd configuration file and then ensuring the auditd service is started automatically at boot time.
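As an added example (not part of the original article), the following POSIX shell script checks the SSH settings from item 3 and the auditd setting from item 5 against constructed sample files; the permissive defaults it assumes for missing sshd keywords and the sample file contents are assumptions, not taken from any real system.

```shell
#!/bin/sh
# Compliance check for two of the quick wins above: sshd hardening (item 3)
# and auditd login auditing (item 5). File paths are parameters so the check
# can run against constructed samples as well as the live /etc files.

# Effective value of a keyword in sshd_config: sshd honours the first
# non-comment occurrence, so that is what we return; $3 is the value
# assumed when the keyword is absent.
ssh_setting() {  # $1=file $2=keyword $3=default
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Value of a KEY="value" line in a /etc/sysconfig file (last occurrence wins).
sysconfig_setting() {  # $1=file $2=KEY
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Runs the checks, prints one line each and returns the number of failures.
# Assumed permissive defaults for missing keywords: PermitRootLogin yes and
# Protocol 2,1 (the historical OpenSSH defaults assumed for the SLES 10/11 era).
check_quick_wins() {  # $1=sshd_config $2=sysconfig/auditd
    fails=0
    if [ "$(ssh_setting "$1" PermitRootLogin yes)" = "no" ]; then
        echo "OK   sshd: direct root logins disabled"
    else echo "FAIL sshd: set 'PermitRootLogin no'"; fails=$((fails + 1)); fi
    if [ "$(ssh_setting "$1" Protocol 2,1)" = "2" ]; then
        echo "OK   sshd: only protocol version 2 allowed"
    else echo "FAIL sshd: set 'Protocol 2'"; fails=$((fails + 1)); fi
    if [ "$(sysconfig_setting "$2" AUDITD_DISABLE_CONTEXTS)" = "no" ]; then
        echo "OK   auditd: login event auditing enabled"
    else echo "FAIL auditd: set AUDITD_DISABLE_CONTEXTS=\"no\""; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample files (not copied from any real system) so the script runs
# offline; point it at /etc/ssh/sshd_config and /etc/sysconfig/auditd to check
# a live server instead.
tmp=$(mktemp -d)
printf 'PermitRootLogin yes\nProtocol 2,1\n' > "$tmp/sshd_weak"
printf '# Protocol 1\nPermitRootLogin no\nProtocol 2\n' > "$tmp/sshd_hard"
printf 'AUDITD_DISABLE_CONTEXTS="yes"\n' > "$tmp/auditd_weak"
printf 'AUDITD_DISABLE_CONTEXTS="no"\n' > "$tmp/auditd_hard"
echo "--- weak sample ---";     check_quick_wins "$tmp/sshd_weak" "$tmp/auditd_weak" || true
echo "--- hardened sample ---"; check_quick_wins "$tmp/sshd_hard" "$tmp/auditd_hard"
rm -rf "$tmp"
```

The exit status of check_quick_wins is the number of failed checks, so it can be used directly from a cron job or configuration management run.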