Essential Linux Red Hat Security Hardening Checklist: Accounts, Passwords, SSH, and Services

This guide provides a comprehensive step‑by‑step checklist for hardening Red Hat Linux systems, covering shared account detection, redundant account lockout, root remote‑login restrictions, password complexity and lifespan policies, critical directory permissions, default umask settings, audit logging, remote log server configuration, history timestamping, SSH hardening, unnecessary service removal, Ctrl‑Alt‑Del disabling, and patch management.

Liangxu Linux

1. Shared Account Check

Verify that each system user has a unique account and that no account is shared between users or between users and services. List all accounts with cat /etc/passwd. Confirm with administrators that no shared accounts exist. Create missing accounts with useradd username and set passwords with passwd username. Ensure each account has an appropriate login shell and home directory.

2. Redundant Account Lockout

Identify accounts that are not required for system operation and lock them. Accounts whose login shell is /sbin/nologin or /bin/false are considered disabled. List such accounts with awk -F: '$7 ~ /nologin|false/ {print $1}' /etc/passwd. Lock an account with passwd -l username or by editing /etc/passwd to set the shell to /sbin/nologin. Unlock with passwd -u username. Typical unnecessary accounts include lp, nuucp, hpdb, www, demon.

3. Root Remote‑Login Restriction

Prevent direct SSH login for the root account. Edit /etc/ssh/sshd_config and set PermitRootLogin no. Restart the SSH daemon with service sshd restart or systemctl restart sshd. Verify that a remote root login is rejected (e.g., “Permission denied”) and that a regular user can log in and then become root with su - or sudo -i.

4. Password Complexity Policy

Enforce strong passwords via PAM. In /etc/pam.d/system-auth ensure the pam_cracklib.so (or pam_pwquality.so) line contains the required parameters:

password requisite pam_cracklib.so minlen=12 dcredit=-2 ucredit=-1 lcredit=-1 ocredit=-1 retry=3

These settings require a minimum length of 12 characters, at least two digits, one uppercase letter, one lowercase letter, and one special character. Edit the line with a text editor; PAM reads the file on the next authentication attempt.

5. Maximum Password Lifetime

Set password expiration to 90 days or less. Edit /etc/login.defs and configure:

PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_WARN_AGE   7

Apply the policy to existing accounts with chage --maxdays 90 username for each user.
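The checks in sections 2 and 5 can be scripted against a passwd-format file. The following is an added example, not part of the original checklist; it uses plain awk over a constructed sample file (the account names in the sample are made up) and only prints findings, so it can be run anywhere before being pointed at /etc/passwd:

```shell
# Added example, not from the original checklist: audit a passwd-format file
# for the section 2 and section 5 conditions. It runs against a constructed
# sample; point it at /etc/passwd for a real check.

# Accounts the checklist names as typically unnecessary.
UNNEEDED="lp nuucp hpdb www demon"

# Accounts already disabled by a nologin/false shell, one per line.
disabled_accounts() {
  awk -F: '$7 ~ /nologin|false/ {print $1}' "$1"
}

# Accounts from UNNEEDED that still have an interactive shell, i.e. the
# candidates for passwd -l or a /sbin/nologin shell.
unneeded_still_active() {
  awk -F: -v list="$UNNEEDED" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    ($1 in want) && $7 !~ /nologin|false/ { print $1 }' "$1"
}

# Interactive human accounts (UID >= 1000) that the 90-day maximum password
# age from section 5 should be applied to.
interactive_users() {
  awk -F: '$3 >= 1000 && $7 !~ /nologin|false/ {print $1}' "$1"
}

# Apply the lifetime policy to every interactive user (needs root; not run here).
apply_max_days() {
  interactive_users "$1" | while read -r u; do chage --maxdays 90 "$u"; done
}

# Constructed sample passwd file: www is an unneeded account left active.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
www:x:80:80:web:/var/www:/bin/bash
demon:x:81:81:demon:/home/demon:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:1001:1001:Backup:/var/backups:/sbin/nologin
EOF

echo "Disabled:            $(disabled_accounts "$SAMPLE" | tr '\n' ' ')"
echo "Unneeded but active: $(unneeded_still_active "$SAMPLE" | tr '\n' ' ')"
echo "Interactive users:   $(interactive_users "$SAMPLE" | tr '\n' ' ')"
```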

6. Critical Directory Permission Control

Ensure that system files have least‑privilege permissions:

chmod 644 /etc/passwd
chmod 600 /etc/shadow
chmod 644 /etc/group

Audit with ls -l /etc/passwd /etc/shadow /etc/group. Remove write permissions for group/others on the /etc directory if present: chmod -R go-w,o-r /etc.
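The audit step can be made repeatable by comparing each file's mode with the value the checklist requires. This is an added example rather than the checklist's own code; it assumes GNU stat (as on Red Hat) and demonstrates on constructed files in a temporary directory, with one file deliberately left too permissive:

```shell
# Added example, not from the original checklist: compare the actual mode of
# each critical file with the mode section 6 requires. Demonstrated on
# constructed files in a temporary directory; pass real paths for a live audit.

# Expected octal modes. /etc/passwd and /etc/group stay world-readable because
# unprivileged processes resolve user and group names through them; only
# /etc/shadow, which holds the password hashes, is restricted to root.
expected_mode() {
  case "$1" in
    */passwd) echo 644 ;;
    */shadow) echo 600 ;;
    */group)  echo 644 ;;
    *)        echo "" ;;
  esac
}

# Octal mode of a file (GNU stat, as shipped on Red Hat).
actual_mode() {
  stat -c '%a' "$1"
}

# Print "OK path mode" or "FIX path actual->expected" per file and return 1
# if anything needs fixing, so the result can drive remediation.
check_modes() {
  rc=0
  for f in "$@"; do
    want=$(expected_mode "$f"); have=$(actual_mode "$f")
    if [ "$have" = "$want" ]; then
      echo "OK  $f $have"
    else
      echo "FIX $f $have->$want"; rc=1
    fi
  done
  return $rc
}

# Constructed sample: shadow deliberately left world-readable.
ETC=$(mktemp -d)
touch "$ETC/passwd" "$ETC/shadow" "$ETC/group"
chmod 644 "$ETC/passwd" "$ETC/shadow" "$ETC/group"

check_modes "$ETC/passwd" "$ETC/shadow" "$ETC/group" || echo "remediation needed"
```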

7. Default User Umask

Set a restrictive default umask (e.g., 027 or 077) so newly created files inherit limited permissions. Add or modify the line

umask 027

in /etc/bashrc for system‑wide defaults and in each user’s ~/.bash_profile for per‑user overrides. Verify with the umask command after a new login.

8. Security Log Completeness

Configure syslog to capture authentication events. Ensure /etc/syslog.conf contains:

authpriv.*    /var/log/secure

Restart the syslog daemon with service syslog restart or systemctl restart rsyslog and confirm that entries appear in /var/log/secure.

9. Centralized Remote Log Server

Forward logs to a remote syslog server. Append a line to /etc/syslog.conf such as:

*.*    @192.168.0.1

Replace the IP address and facility selector as needed, and ensure a tab separates the facility selector from the “@” symbol. After editing, restart the syslog service.

10. Bash History Timestamp

Record timestamps for each command in Bash history. Add the following to /etc/bashrc (or the user’s ~/.bashrc):

export HISTTIMEFORMAT='%F %T '

Reload the file or start a new shell; history will now display the date and time of each command.

11. SSH Login Hardening

Disable insecure protocols and tighten SSH daemon options. Ensure /etc/ssh/sshd_config includes:

Protocol 2
X11Forwarding yes
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
Banner /etc/motd

Verify that Telnet is not running (ps -ef | grep telnet) and that SSH is active. Restart SSH after changes.
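Checking the daemon configuration by eye misses one sshd parsing rule: for a keyword that appears more than once, sshd uses the first occurrence, and keyword matching is case-insensitive. The following added example (not part of the original checklist) audits the authentication and banner settings listed above against a constructed sshd_config that contains exactly that kind of override; the X11Forwarding and Rhosts* keys are left out of the required set, which can be extended as needed:

```shell
# Added example, not from the original checklist: audit an sshd_config file
# against the section 11 settings. Runs on a constructed config below; pass
# /etc/ssh/sshd_config for a live check.

# Required keyword/value pairs from the checklist (extend as needed).
REQUIRED='Protocol 2
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
Banner /etc/motd'

# Effective value of a keyword: sshd honours the FIRST occurrence and matches
# keywords case-insensitively, so a later "PermitRootLogin no" does not undo
# an earlier "PermitRootLogin yes". Prints nothing when the keyword is unset.
effective_value() {
  awk -v key="$(echo "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == key { print $2; exit }' "$1"
}

# One line per required setting: "OK key", "MISSING key" or "BAD key have->want".
audit_sshd_config() {
  echo "$REQUIRED" | while read -r key want; do
    have=$(effective_value "$1" "$key")
    if [ -z "$have" ]; then echo "MISSING $key"
    elif [ "$have" = "$want" ]; then echo "OK $key"
    else echo "BAD $key $have->$want"
    fi
  done
}

# Exit 0 only when every required setting is present with the expected value.
sshd_compliant() {
  ! audit_sshd_config "$1" | grep -qv '^OK '
}

# Constructed sample: root login re-enabled by an earlier line, Banner unset.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
Protocol 2
PermitRootLogin yes
permitrootlogin no
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
EOF
audit_sshd_config "$CFG"
sshd_compliant "$CFG" || echo "sshd_config is NOT compliant"
```

Run the same functions against /etc/ssh/sshd_config after editing and before restarting sshd, so a stray earlier PermitRootLogin line is caught before it takes effect.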

12. Disable Unnecessary Services

List enabled services with chkconfig --list (or systemctl list-unit-files --type=service). Stop and disable services that are not required for the server role, for example:

service sendmail stop
chkconfig sendmail off
service telnet stop
chkconfig telnet off
# repeat for lpd, routed, bind, bluetooth, identd, xfs, rlogin, rsh, rexec, inetd, daytime, chargen, echo

Confirm that the services are disabled at runlevels 3 and 5.

13. Disable Ctrl‑Alt‑Delete Reboot

Prevent accidental reboots by commenting out the Ctrl‑Alt‑Del entry in /etc/inittab:

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Apply the change with /sbin/init q (or init q).

14. Install OS Update Patches

Keep the system up‑to‑date by applying Red Hat errata. Check the current patch level, download required RPMs from https://rhn.redhat.com/errata/, and install them:

rpm -Uvh package.rpm
# or use yum for dependency handling
yum update -y

Reboot if the kernel or core libraries were updated and verify that services start correctly.

Written by Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.
