Hardening Doc Update 2
Paul W. Frields
stickstr at cox.net
Tue Jan 11 12:55:01 UTC 2005
On Tue, 2005-01-11 at 00:04 -0800, tuxxer wrote:
> > Section 1.5.1)
> >
> > <nitpick>You've listed snortd, which doesn't ship with Fedora
> > Core</nitpick>.
> >
>
> I'm running snortd, so it showed up in the list when I ran the
> command. ;-)
If you're writing official documentation, it's probably a good idea for
you to have a "stock" system to do fact-checking. Like you, I have a lot
of things on my system that don't come with Fedora Core. I do testing
for documentation either in a VMware guest that has the stock
distribution installed, or on a separate box.
> > Strictly IMHO, disabling service accounts is often excessive and causes
> > a maintenance problem. They can't login locally, and you can easily
> > block remote logins (see above).
>
> Rahul mentioned something along these lines. Does anyone know for sure
> if you remove a certain service that the user for that service is
> removed as well? I don't remember for sure, but I believe that the user
> remains.
It differs from package to package. It also depends on what you mean
when you say "remove a certain service." Are you talking about doing
"chkconfig --del"? If so, then definitely not. But if you're talking
about "rpm -e", then the answer is "sometimes." For instance,

    rpm -q --scripts bind
    rpm -q --scripts nfs-utils

shows that bind nicely removes named when it is uninstalled, and
nfs-utils does the same with its associated users. However,

    rpm -q --scripts httpd

shows that httpd is not as good at cleaning up after itself. There may
be a reason for this. For instance, if a system administrator is running
a web server, but has the "userdel" command aliased under the root
account to automatically use the "-r" option, and did "rpm -e httpd",
then he would run the risk of deleting the entire /var/www, which is
user apache's home directory. That's just idle speculation on my part; I
have no idea whether there's a real rationale hidden in there or not.
--
Paul W. Frields, RHCE
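
The manual check described in the message above (reading `rpm -q --scripts` output to see whether uninstalling a package also removes its service account) can be scripted; this is an added example, not part of the original message. It assumes scriptlet section headers of the form `postuninstall scriptlet (using /bin/sh):`, and the two sample dumps and the `exampled` package are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a package's uninstall scriptlet remove its account?

# Reads `rpm -q --scripts PKG` output on stdin and prints "yes" if a
# preuninstall/postuninstall section calls userdel outside a comment,
# otherwise "no".
uninstall_removes_user() {
    awk '
        # Section header, e.g. "postuninstall scriptlet (using /bin/sh):"
        /^[a-z]+ (scriptlet|program)/ {
            in_un = ($1 ~ /^(pre|post)uninstall$/)
            next
        }
        # Count userdel only inside an uninstall section, not after a "#"
        in_un && /^[^#]*userdel/ { found = 1 }
        END { print (found ? "yes" : "no") }
    '
}

# Report on installed packages named as arguments (needs rpm on the host).
audit_packages() {
    for pkg in "$@"; do
        printf '%s: %s\n' "$pkg" \
            "$(rpm -q --scripts "$pkg" | uninstall_removes_user)"
    done
}

# Constructed sample: a package that removes its account on erase.
SAMPLE_CLEANS='preuninstall scriptlet (using /bin/sh):
if [ "$1" = 0 ]; then
    /sbin/chkconfig --del exampled
fi
postuninstall scriptlet (using /bin/sh):
if [ "$1" = 0 ]; then
    /usr/sbin/userdel exampled 2>/dev/null || :
fi'

# Constructed sample: a package that creates an account but leaves it behind.
SAMPLE_LEAVES='preinstall scriptlet (using /bin/sh):
/usr/sbin/useradd -r -s /sbin/nologin exampled 2>/dev/null || :
preuninstall scriptlet (using /bin/sh):
if [ "$1" = 0 ]; then
    /sbin/chkconfig --del exampled
fi
postuninstall scriptlet (using /bin/sh):
# userdel deliberately not called here
/sbin/ldconfig'
```

On an RPM-based system, `audit_packages bind nfs-utils httpd` runs the same check against the installed packages; accounts left behind by a "no" package have to be reviewed by hand after `rpm -e`.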