CSEC_PUBLIC/the-practical-linux-hardening-guide
1
0
Fork 0
mirror of https://github.com/trimstray/the-practical-linux-hardening-guide.git synced 2025-12-06 17:22:51 +01:00
Code Issues Packages Projects Releases Wiki Activity

changed chapters layout; minor updates

Browse Source 
- signed-off-by: trimstray <trimstray@gmail.com>
This commit is contained in:
trimstray
2019-02-20 13:34:12 +01:00
parent 6f5b15e700
commit 9ad81bb481
1 changed files with 40 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
lib/post_install_tasks/keep_system_updated.md
View File

@@ -4,7 +4,7 @@
#### :information_source: Introduction #### :information_source: Introduction
Software updates offer plenty of benefits. Its all about revisions. These might include repairing security holes that have been discovered and fixing or removing computer bugs. Software updates offer plenty of benefits. Its all about revisions. These might include repairing security holes that have been discovered and fixing or removing bugs.
Some benefits: Some benefits:
@@ -14,7 +14,7 @@ Some benefits:
#### :eight_pointed_black_star: Make sure that the system is up to date #### :eight_pointed_black_star: Make sure that the system is up to date
For CentOS: ###### RedHat/CentOS
```bash ```bash
# Check for updates # Check for updates
@@ -22,13 +22,24 @@ yum check-update
# Install updates # Install updates
yum update yum update
# Install upgrades (with security updates)
yum --security upgrade
``` ```
For Debian: ###### Policy
| Type | Severity | Reference | Comment |
| :--- | :--- | :--- | :--- |
| <sup>OpenSCAP</sup> | <sup>High</sup> | <sup>[Ensure Software Patches Installed](https://static.open-scap.org/ssg-guides/ssg-centos7-guide-pci-dss.html#xccdf_org.ssgproject.content_rule_security_patches_up_to_date)<sup> | |
| <sup>STIG</sup> | <sup>Medium</sup> | <sup>[Vendor packaged system security patches and updates must be installed and up to date.](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-71999)</sup> | <sup>ID: V-71999</sup> |
| <sup>CIS</sup> | | | <sup>ID: 1.2, 1.8</sup> |
###### Debian
```bash ```bash
# Check for updates # Check for updates
apt-get update -qq ; apt-get upgrade -duyq apt-get update && apt-get upgrade
# Install updates # Install updates
apt-get upgrade && apt-get dist-upgrade apt-get upgrade && apt-get dist-upgrade
@@ -36,19 +47,34 @@ apt-get upgrade && apt-get dist-upgrade
#### :eight_pointed_black_star: Automatic security updates #### :eight_pointed_black_star: Automatic security updates
###### Useful resources ###### RedHat/CentOS
```bash
yum install yum-cron
# Edit /etc/yum/yum-cron.conf
update_cmd = security
apply_updates = yes
# Enable service
systemctl enable yum-cron
systemctl start yum-cron
```
###### Debian
```bash
apt-get install unattended-upgrades apt-listchanges
# Edit /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
```
#### :eight_spoked_asterisk: Useful resources
- [How Often Should I Update our Linux Server?](https://serverfault.com/questions/9490/how-often-should-i-update-our-linux-server) - [How Often Should I Update our Linux Server?](https://serverfault.com/questions/9490/how-often-should-i-update-our-linux-server)
###### Policies
| <b><u>Policy</u></b> | <b><u>ID/Description</u></b> | <b><u>Severity</u></b> |
| :--- | :--- | :--- |
| <b>STIG</b> | [V-71999](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-71999) | <b>Medium</b> |
| <b>CIS</b> | 1.2, 1.8 | |
| <b>OpenSCAP</b> | CCI-002605, CCI-002607 | CAT II |
#### :ballot_box_with_check: Summary checklist #### :ballot_box_with_check: Summary checklist
| <b>Item</b> | <b>True</b> | <b>False</b> | | <b>Item</b> | <b>True</b> | <b>False</b> |