Harden SuSE

harden_suse is a system security script for SuSE Linux only. It makes several changes to the system configuration to make the operating system very secure and therefore very resistant to local as well as remote attacks. It can make 10 different kinds of security changes (with an undo script being generated):

1) deactivate all network services, except very few security services (e.g. SSH, Firewall, VPN)
2) change the file permissions to a secure state
3) comment out all services in /etc/inetd.conf and secure the tcpwrapper to allow only localhost access
4) secure the login process (log all login attempts, show last/failed logins, root login only from console)
5) secure the passwords (long passwords enforced, password change after 40 days, weak password warning)
6) strong permissions on /home directories of users and a strict umask (077) for all users
7) secure configuration of SSH/SSHD (disables/enables options for better security)
8) remove privilege of all unknown suid files on the system
9) remove world write permissions on all unknown world writeable files on the system
10) show legal disclaimer in the login banner, motd and lilo boot menu

All these 10 areas can be explicitly turned on or off. You can run this script without any parameters, in which case the tool will ask you about your wishes, or you can supply command-line parameters.

From the harden_suse script:

If you run this script with the commandline option "yes", an automatic yes to all questions about security settings is assumed. You may also auto-answer all ten questions by putting ten commandline parameters. A "y"* is a YES to a question, anything else NO. To UNDO your changes, a perlscript called undo_harden_suse is put into the /etc directory (also the harden_suse.log file).
TIPS:
Server: "harden_suse y y y y y n y n y y"
User Workstation: "harden_suse y n y y n n y n n y"
Firewall: "harden_suse yes"

The harden_suse homepage is located at: http://www.suse.de/~marc/SuSE.html

Cryptographic signatures and checksums may be provided by the developers at the URL(s) above. Wiretapped recommends that users check these before use of the software/information.