Hardening Doc Update 2

Paul W. Frields stickstr at cox.net
Tue Jan 11 12:55:01 UTC 2005


On Tue, 2005-01-11 at 00:04 -0800, tuxxer wrote:
> > Section 1.5.1)
> > 
> > <nitpick>You've listed snortd, which doesn't ship with Fedora
> > Core</nitpick>.
> > 
> 
> I'm running snortd, so it showed up in the list when I ran the
> command.  ;-) 

If you're writing official documentation, it's probably a good idea for
you to have a "stock" system to do fact-checking. Like you, I have a lot
of things on my system that don't come with Fedora Core. I do testing
for documentation either in a VMWare guest that has the stock
distribution installed, or on a separate box.

> > Strictly IMHO, disabling service accounts is often excessive and causes
> > a maintenance problem.  They can't login locally, and you can easily
> > block remote logins (see above).
> 
> Rahul mentioned something along these lines.  Does anyone know for sure
> if you remove a certain service that the user for that service is
> removed as well?  I don't remember for sure, but I believe that the user
> remains.

It differs from package to package. It also depends on what you mean
when you say "remove a certain service." Are you talking about doing
"chkconfig --del"? If so, then definitely not. But if you're talking
about "rpm -e", then the answer is "sometimes." For instance,

  rpm -q --scripts bind
  rpm -q --scripts nfs-utils

shows that bind nicely removes named when it is uninstalled, and
nfs-utils does the same with its associated users. However,

  rpm -q --scripts httpd

shows that httpd is not as good at cleaning up after itself. There may
be a reason for this. For instance, if a system administrator is running
a web server, but has the "userdel" command aliased under the root
account to automatically use the "-r" option, and did "rpm -e httpd",
then he would run the risk of deleting the entire /var/www, which is
user apache's home directory. That's just idle speculation on my part; I
have no idea whether there's a real rationale hidden in there or not.

-- 
Paul W. Frields, RHCE
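An added example, not from this thread or from Fedora's packaging, that automates the `rpm -q --scripts` check described above: it parses scriptlet output for useradd/userdel, reports accounts a package creates but never removes on `rpm -e`, and flags accounts whose home directory also holds package files (the `userdel -r` hazard speculated about for /var/www). It assumes Fedora's scriptlet header format and that both tools take the login name as their last argument; the sample scriptlets are constructed, not the real httpd or bind ones.

```python
import re
import shlex

# Formats assumed from Fedora's `rpm -q --scripts`: one header line per scriptlet, then its shell.
SECTION_RE = re.compile(r"^(\w+)\s+scriptlet\b.*:\s*$")
# useradd/userdel plus arguments, stopping at a redirect, control operator or end of line.
USER_CMD = re.compile(r"\b(useradd|userdel)\s+([^\s><|;&#][^><|;&#]*?)\s*(?:\d*[<>]|\|\||&&|;|$)")

def user_ops(scripts_output):
    """Return (created, removed, homes) for accounts the scriptlets add or delete."""
    created, removed, homes, section = set(), set(), {}, ""
    for line in scripts_output.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)  # e.g. "preinstall", "postuninstall"
            continue
        if line.lstrip().startswith("#"):  # shell comment, not a command
            continue
        for cmd, rest in USER_CMD.findall(line):
            args = shlex.split(rest)
            user = args[-1]  # both tools take the login name as the last argument
            if cmd == "useradd":
                created.add(user)
                if "-d" in args[:-1]:
                    homes[user] = args[args.index("-d") + 1]
            elif "uninstall" in section:  # userdel only counts in %preun/%postun
                removed.add(user)
    return created, removed, homes

def leftover_accounts(scripts_output):
    """Accounts a package creates but never deletes when it is uninstalled."""
    created, removed, _ = user_ops(scripts_output)
    return sorted(created - removed)

def risky_home_dirs(scripts_output, package_files):
    """Accounts whose home directory also holds package files, i.e. what `userdel -r` would wipe."""
    homes = user_ops(scripts_output)[2]
    return sorted(u for u, h in homes.items()
                  if any(f == h or f.startswith(h.rstrip("/") + "/") for f in package_files))

# Constructed samples in the shape of `rpm -q --scripts` output; not the real packages' scriptlets.
HTTPD_SCRIPTS = """preinstall scriptlet (using /bin/sh):
# Add the "apache" user
/usr/sbin/useradd -c "Apache" -u 48 -s /sbin/nologin -r -d /var/www apache 2> /dev/null || :
"""
BIND_SCRIPTS = """preinstall scriptlet (using /bin/sh):
/usr/sbin/useradd -r -u 25 -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :
postuninstall scriptlet (using /bin/sh):
if [ "$1" = "0" ]; then /usr/sbin/userdel named >/dev/null 2>&1 || : ; fi
"""
```

On a live system, pass in the stdout of `rpm -q --scripts <package>` and the file list from `rpm -ql <package>` instead of the constructed samples.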
