Project Home Page
As the popularity of the Linux operating system increases, so does its use in sensitive or critical environments. While most modern distributions of Linux are more secure than previous versions, there are still some additional procedures that can improve these systems. This document describes an installation and configuration procedure which will enhance the security of the Linux operating system, specifically the Red Hat Enterprise Server and Workstation, as well as the SuSE Enterprise Server distributions. Most of the recommendations are general enough that they may also be applied to other Linux systems by an experienced system administrator. Many books, documents, and Web sites authored by security professionals and organizations have been studied and analyzed to determine industry best practices. Some of the resources dealt with general computer security, while others addressed Linux and/or the above distributions in particular. Furthermore, Department of Defense directives were consulted to determine the Department's specific requirements. The described system will have minimal functionality, which is in accordance with industry-accepted standards for secure operation. In some cases, these guidelines may reduce the ease of use of the computer system. This has been done deliberately when the result is a system that is more difficult to compromise. Department of Defense directives have been followed where applicable to ensure that the system meets the most stringent requirements. Being of a technical nature, this document is directed at system administrators and sophisticated users of computers running the Linux operating system. A degree of familiarity with Linux or a UNIX system is assumed. Knowledge of computer security is not required.
The baseline document.
This document is a guide to hardening an Apache Web server that is running on either Red Hat Enterprise Linux Server 3 or SUSE Linux Enterprise Server 9. While Apache itself is considered secure, errors made by an administrator may still cause the server to be compromised. This document addresses several issues which have been identified as potential security problems, and provides guidance on mitigating their effects. The recommendations have been derived from many books, documents, and Web sites authored by security professionals and organizations that have been studied and analyzed to determine industry best practices. Furthermore, Department of Defense directives were consulted to determine the Department's specific requirements. The objective of this document is to instill a better understanding of how to secure Apache. Among the topics covered are the threats and risks related to operating a Web server in general, as well as the installation and secure configuration of the Apache Web server software in particular. In addition, the setup of mod_security and Secure Sockets Layer (SSL) is discussed. The appendices include configuration file templates which can be used to set up an Apache server. Being of a technical nature, this document is directed at system and Web server administrators as well as sophisticated users of computers running the Linux operating system. A degree of familiarity with Linux or a UNIX system is assumed. Some experience with Apache may be helpful. Knowledge of computer security is not required.
The Apache document.
Last updated in November 2004 by Charlie Long