Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] RHEL 6 security hardening



On Fri, Mar 07, 2014 at 10:35:46AM -0500, John Malloy wrote:
> Does anyone have recommendations for RHEL 6 security hardening?
> 
> I am building a new RHEL 6 server and am using the tools from cisecurity.org
> 
> CIS RHEL 6 Benchmark v1.2.0
> 
> OCI8 is the bridge between PHP and our Oracle databases

Do you have a threat model? And do you know how much it will
cost you if you are successfully attacked?

Without those, you don't know how much time and money to spend
on security.

Are you building a special snowflake server? If there's ever
going to be two or more of them, I recommend starting with
Puppet or Chef or bcfg2 or any of the other automation tools
from the beginning.

And there's going to be a dev server, right? So that's two.

Next. Make sure the Oracle servers are firewalled off from the
app servers in every way except what is absolutely necessary.
The SQLNET protocol (1521) is unencrypted. If you pay for
Enterprise, you can use Advanced Security (TM) which encrypts
it, but you probably don't have a client-side implementation.

So, if you can, use a tunnel. SSH or SSL. Yes, inside your own
network.

Next, consider running your PHP code behind a web-services
security proxy, Apache with mod_proxy and mod_security, or other
similar system.

Finally, destroy all your data when you're done with it. If you 
don't know when you're done with it, you have to figure that
out.

-dsr-
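
An added example, not part of the original message: one way to check the advice about firewalling the Oracle listener port (1521) is to audit the database host's `iptables-save` output for rules that accept that port from anything other than the app servers. The rule set, the 192.0.2.x addresses and the function names are constructed for illustration, and IPv4 `iptables` is assumed.

```python
import ipaddress
import shlex

# Constructed sample: `iptables-save` output from a hypothetical Oracle host.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1521 -j ACCEPT
COMMIT
"""

def _ports(spec):
    """Expand '1521', '1500:1600' or '22,1521' into (low, high) ranges."""
    for part in spec.split(","):
        low, _, high = part.partition(":")
        yield int(low), int(high or low)

def audit_listener_exposure(rules_text, allowed_sources, port=1521):
    """Return the INPUT policy/rules that let unlisted sources reach `port`."""
    allowed = [ipaddress.ip_network(s) for s in allowed_sources]
    findings = []
    for line in rules_text.splitlines():
        if line.startswith(":INPUT ACCEPT"):
            findings.append("default policy: " + line)
            continue
        tok = shlex.split(line)
        if tok[:2] != ["-A", "INPUT"] or tok[-2:] != ["-j", "ACCEPT"]:
            continue
        opts = dict(zip(tok[2:-2], tok[3:-1]))  # maps each token to the next one
        spec = opts.get("--dport") or opts.get("--dports")
        if opts.get("-p") != "tcp" or not spec:
            continue  # rules without an explicit TCP port match are not judged here
        if not any(lo <= port <= hi for lo, hi in _ports(spec)):
            continue
        # No -s means any source; negated (! -s) matches are not handled.
        src = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
        if not any(src.subnet_of(net) for net in allowed):
            findings.append(line)
    return findings

if __name__ == "__main__":
    for finding in audit_listener_exposure(SAMPLE_RULES, ["192.0.2.10/32"]):
        print("too broad:", finding)
```

If the SQLNET traffic is carried over an SSH tunnel as suggested above, the allowed list for 1521 can be empty, so that any remaining accept rule for that port is reported.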



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org