16 - Linux Server Hardening - CentOS
TRANSCRIPT
8/10/2019 CentOS - Linux server hardening - 16
http://slidepdf.com/reader/full/16-centos 1/23
CentOS Server Hardening
For
Version: 1.0
Date: 08 June 2010
— Confidential and Proprietary—
CentOS Server Hardening Page 3 of 23 Version 1.0
[1] Introduction and Basic Assumptions
The primary assumption of this hardening document is to install and run only systems that are clearly
required. Services and applications should be installed and started only if absolutely required according to
this document.
1.1. Pre-Hardening
This document describes major changes to the configuration of the operating system in order to raise its
security level. See section 2.1 for the backup that MUST be taken before hardening.
1.2. Root Privileges
The actions listed in this hardening document are written with the assumption that they will be executed by
the root user running the /bin/bash shell.
1.3. Actions
The actions listed in this document are provided according to the assumption that they will be executed in
the order presented here. Some actions may need to be modified if the order is changed. Some actions are
written so that they may be copied directly from this document into a root shell window with a "cut-and-
paste" method.
1.4. Enabling / Disabling Services
Please note that during the hardening many of the "chkconfig" actions, which activate or deactivate
services, produce the message "error reading information on service <service>: No such file or directory."
These messages are quite normal and should not cause alarm – they simply indicate that the program being
referenced was not installed on your machine. As the OS installation allows a great deal of flexibility in what
software you choose to install, these messages are unavoidable.
1.5. Reboot is required
Rebooting the system is required after completing all of the actions below in order to complete the
reconfiguration of the system and verify that all services are up and running. In some cases, the changes
made in the following steps will not take effect until this reboot is performed.
1.6. Conventional Terms
Term Description
Must: The definition is an absolute requirement of the specification.
Must not: The definition is an absolute prohibition of the specification.
Should: There may be a valid reason in particular circumstances to ignore a particular definition, but the
full implications must be understood and carefully weighed before choosing a different course.
Should not: There may be valid reasons in particular circumstances when the particular behavior is
acceptable or even useful, but the full implications should be understood and the case carefully weighed
before implementing any behavior described with this label.
May: The definition is recommended but it is not a must. If it is ignored, the security of the operating
system is still considered satisfactory.
[2] Prerequisites
2.1. Backup
Before performing the steps of this hardening guide, backup copies of the critical configuration files that
the hardening items modify MUST be created. (A full backup or mirror of the system SHOULD be taken as well.)
2.2. Patch
Keeping up-to-date with vendor patches is critical for the security and reliability of the system. Vendors
issue operating system updates when they become aware of security vulnerabilities and other serious
functionality issues, but it is up to their customers to actually download and install these patches.
All security patches SHOULD be applied in a test environment before being applied in the production
environment, since a patch may break the installed application.
After testing, all security patches SHOULD be applied to the production environment.
2.3. Installation
The system MUST be installed with the minimum needed components (minimum Packages during
the CentOS operating system installation).
SSH suite MUST be installed.
The operating system SHOULD be installed with the following partition table:
o /tmp
o /home
o /var
o /boot
In any case the following packages SHOULD NOT be installed:
Action
parted
The parted package contains utilities to create, destroy, resize, move and copy hard disk partitions.
Since the disk is partitioned during the installation process, there is no need to change it afterwards,
and the tool only adds risk on a production host.
nc
Netcat is a general-purpose networking utility which reads and writes data across network connections.
It can open arbitrary TCP and UDP connections and listeners, which makes it a ready-made tool for an
attacker who has gained a foothold (bind shells, reverse shells, file transfer). Removing it does not stop
an attacker from uploading their own copy, but it removes a tool that is otherwise found on the host.
[3] Hardening Procedures
3.1. User and Group accounts
The following user accounts MAY be removed:
User
uucp
news
ldap
postfix
ftp
games
lp
The shell for the following accounts MUST be set to /dev/null (on CentOS /sbin/nologin is the
conventional equivalent; either prevents an interactive login):
User
daemon
bin
sys
nobody
noaccess
nobody4
Note: noaccess and nobody4 are Solaris accounts and normally do not exist on CentOS; skip them if absent.
The following groups MAY be removed:
Group
adm
dip
gopher
games
uucp
Check for more unused accounts and groups and delete them carefully. If the function of an account is
unknown, it is better to lock it (usermod -L) and set its shell to /dev/null than to delete it, since deleting
an account can orphan its files and break a service that still depends on it.
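The following is an added example, not part of the original document: a shell audit that reports accounts from the lock-down list above that still have a usable login shell, and a second function that applies the document's remedy. The passwd file and the user list are parameters (assumed paths), so the read-only check can be run against the copy taken in the pre-hardening backup as well as against /etc/passwd; the sample data in the usage is constructed.

```shell
#!/bin/bash
# Added example (not from the original document). Audit accounts from the
# lock-down list that still have a login shell, then optionally lock them.

# Print "user:shell" for every account named in $2 whose shell in $1 is
# neither /dev/null nor /sbin/nologin. Accounts that do not exist in the
# passwd file (e.g. the Solaris-only noaccess and nobody4) are skipped.
login_shell_findings() {  # $1 = passwd file, $2 = file with one user name per line
    awk -F: -v userfile="$2" '
        BEGIN {
            while ((getline u < userfile) > 0)
                if (u != "") watch[u] = 1
        }
        ($1 in watch) && $7 != "/dev/null" && $7 != "/sbin/nologin" {
            print $1 ":" $7
        }
    ' "$1"
}

# Apply the document's remedy to each finding: lock the password and set the
# shell. usermod comes from shadow-utils; this needs root and is therefore
# kept separate from the read-only audit above.
lock_findings() {  # $1 = passwd file, $2 = user list file
    login_shell_findings "$1" "$2" | cut -d: -f1 | while read -r user; do
        usermod -L -s /dev/null "$user"
    done
}

# Usage (as root): ./account_audit.sh /etc/passwd lockdown-users.txt
if [ $# -eq 2 ]; then
    login_shell_findings "$1" "$2"
fi
```

Run the audit, review the list, and only then call lock_findings; re-run the audit afterwards to confirm it prints nothing.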
3.2. Account and Password Policy
The operating system enables configuring the account policy by defining different parameters. The
configurations defined by default on the servers usually provide a low level of information security. The
following steps are required in order to create a suitable policy.
The file is /etc/pam.d/system-auth (with a hyphen; system_auth does not exist on CentOS). The following
line MUST be set in it. It is the existing pam_unix.so entry of the password stack: keep its current
control flag and options (such as "nullok") and add the two settings shown. remember=5 keeps the last five
password hashes in /etc/security/opasswd so they cannot be reused; minlen=8 enforces a minimum length.
Action
password <existing control flag and options, including "nullok"> remember=5 minlen=8
The following line MUST be set in /etc/pam.d/system-auth, before the pam_unix.so password line. The four
credit settings require at least one upper-case, numeric, other and lower-case character, and retry=3
limits how often a user may try to pick an acceptable password in one session:
Action
password required pam_cracklib.so retry=3 debug ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1
The following line MUST be set in /etc/pam.d/system-auth (onerr=fail denies access if the tally file
cannot be read; no_magic_root means root is not exempt from the count):
Action
auth required pam_tally.so onerr=fail no_magic_root
The following line MUST be set in /etc/pam.d/system-auth (the account is locked after 6 consecutive
failed logins and the counter is reset by a successful login; an administrator clears it with
"faillog -u <user> -r"):
Action
account required pam_tally.so deny=6 reset no_magic_root
Note: later CentOS releases ship pam_tally2 (and later pam_faillock) instead of pam_tally, with a
different option syntax; use the module your PAM version provides. Keep a root shell open while editing
this file and test a login from a second session before closing it, since a mistake here locks everyone out.
3.3. Access Control
3.3.1. BIOS and Boot Loader
The boot loader MAY be configured with the following settings:
Action
/boot/grub/grub.conf needs to be readable only by root (mode 600), since it may hold the boot loader
password.
/boot/grub/grub.conf needs to be configured with the immutable bit (chattr +i); clear it again before a
kernel update rewrites the file.
Note: file permissions do not stop someone at the console from editing a boot entry at the GRUB prompt
or booting into single-user mode; that requires a GRUB password, and the BIOS should likewise be
password-protected with booting from removable media disabled.
3.3.2. R* Services and .rhosts Files
The r* services (rsh, rexec, rlogin, etc.) authenticate by source address and are therefore vulnerable to IP
spoofing attacks; their trust files (~/.rhosts, and /etc/hosts.equiv) may allow an attacker to execute
commands on the server without a password.
The following settings MUST be set:
Action
Find and delete all .rhosts files (and /etc/hosts.equiv if present).
/etc/securetty is owned by the root user and group
Only root should be able to edit the /etc/securetty file (it lists the terminals on which root may log in)
Set the immutable bit on the /etc/securetty file
Disabling the shell/rsh/login/rlogin/rexec services themselves is covered by the xinetd section (3.4.2)
3.3.3. FTP
The FTP protocol is unencrypted, meaning that passwords and other data transmitted during the session can be
captured by sniffing the network, and that the FTP session can be hijacked by an external attacker.
Section 3.4.2 disables the FTP services; the settings below apply where an FTP server must nevertheless
remain.
Note: Any directory writable by an anonymous FTP server should have its own partition or a quota limit.
This helps prevent a compromised FTP server from filling a disk used by other services.
Action
The /etc/ftpusers file MUST exist; if it does not exist, create it. Users listed in it are denied FTP
login. Note that on CentOS vsftpd reads /etc/vsftpd/ftpusers instead (through pam_listfile in
/etc/pam.d/vsftpd); apply the same list there.
The following users MUST be listed in the /etc/ftpusers file:
root
daemon
bin
sys
adm
smmsp
gdm
webservd
nobody
noaccess
nobody4
sshd
(webservd, noaccess and nobody4 are Solaris accounts; listing them is harmless on CentOS, where they do
not exist.)
More users SHOULD be added to the /etc/ftpusers file if they should not use the FTP service, in
particular every account whose shell was set to /dev/null in section 3.1.
The root user MUST be the only user able to change the /etc/ftpusers file (owned by root and not
writable by group or other).
3.4. Services Configuration
3.4.1. SSH
OpenSSH is a popular free implementation of the standards-track SSH protocols and has become the
standard implementation on Linux distributions. For more information on OpenSSH, see
www.openssh.org. The settings in this section attempt to ensure safe defaults for both the client and
the server. Specifically, both the ssh client (/etc/ssh/ssh_config) and the sshd server are configured to
use only SSH protocol 2, as security vulnerabilities have been found in the first SSH protocol.
Action
The latest updated OpenSSH package MUST be installed (yum update openssh openssh-server).
Configure /etc/ssh/sshd_config with the following settings:
Setting                        Requirement
Port 22                        MAY
Protocol 2                     MUST
ServerKeyBits 1024             SHOULD (protocol 1 only, see note)
LoginGraceTime 600             SHOULD
KeyRegenerationInterval 3600   SHOULD (protocol 1 only, see note)
PermitRootLogin no             MUST
IgnoreRhosts yes               MUST
IgnoreUserKnownHosts yes       MUST
StrictModes yes                SHOULD
X11Forwarding no               MAY
SyslogFacility AUTH            SHOULD
LogLevel INFO                  SHOULD
RhostsAuthentication no        MUST (see note)
RhostsRSAAuthentication no     MUST (protocol 1 only, see note)
RSAAuthentication yes          SHOULD (protocol 1 only, see note)
PasswordAuthentication yes     SHOULD
PermitEmptyPasswords no        MUST
PrintMotd yes                  SHOULD
AllowTcpForwarding no          MUST
Note: ServerKeyBits, KeyRegenerationInterval, RhostsRSAAuthentication and RSAAuthentication only affect
SSH protocol 1, which "Protocol 2" disables, so they are harmless but redundant; RhostsAuthentication was
removed from OpenSSH long ago and only produces a "deprecated option" warning. Leave them out on any
OpenSSH release that rejects them. Public-key authentication for protocol 2 is controlled by
PubkeyAuthentication, which defaults to yes.
Check the result with "sshd -t" before restarting, and restart sshd from a session that stays open until
a second login has succeeded, so that a mistake does not lock you out.
The file sshd_config MUST be owned by root:root
The file sshd_config MUST have 600 permissions
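The following is an added example, not part of the original document: a shell audit of an sshd_config against the MUST rows of the table above, meant to be run before restarting sshd. sshd takes the first uncommented occurrence of a keyword, so the audit does the same (only the global section is checked; Match blocks are not evaluated). The path is an assumption passed by the caller, normally /etc/ssh/sshd_config; the sample configurations used to exercise it are constructed.

```shell
#!/bin/bash
# Added example (not from the original document). Audit sshd_config
# against the MUST settings of section 3.4.1.

# Effective value of keyword $2 in config file $1 (empty if not set).
# Keywords are case-insensitive, and the first uncommented match wins,
# which is how sshd itself resolves duplicates.
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print one line per deviation from the MUST rows; return 0 when compliant.
# A keyword that is absent is reported too: the hardening relies on the
# value being explicit, not on whichever default this sshd build has.
sshd_audit() {  # $1 = sshd_config
    cfg=$1; rc=0
    while read -r key want; do
        have=$(sshd_value "$cfg" "$key" | tr 'A-Z' 'a-z')
        if [ -z "$have" ]; then
            echo "$key: not set (want $want)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "$key: is $have, want $want"; rc=1
        fi
    done <<'EOF'
Protocol 2
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
PermitEmptyPasswords no
AllowTcpForwarding no
EOF
    return $rc
}

# Usage: ./sshd_audit.sh /etc/ssh/sshd_config && sshd -t && service sshd restart
if [ $# -eq 1 ]; then
    sshd_audit "$1"
fi
```

"Protocol 2,1" is reported as a deviation on purpose: with protocol 1 still offered, a client can negotiate the weak protocol even though 2 is listed first.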
3.4.2. xinetd.d
On Linux, xinetd has replaced inetd as the default network super-server. Most distributions have been
using xinetd for some time, although some servers still run inetd.
Once SSH is enabled it is possible to disable nearly all xinetd-based services, since SSH provides both a
secure login mechanism and a means of transferring files to and from the system (scp, sftp). The actions
below disable all standard services normally enabled in the xinetd configuration.
Action
If none of the xinetd-based services is needed, xinetd SHOULD be completely disabled by stopping the
xinetd service and removing it from the boot sequence (chkconfig xinetd off).
The file /etc/xinetd.conf SHOULD have 600 permissions
Set the immutable bit on the /etc/xinetd.conf file
The init scripts under /etc/rc.d/init.d/ MUST NOT be writable by 'group' or 'other', since anything
written there runs as root at boot.
All of the following services SHOULD be disabled. If for any reason one of the services is being used it
MUST be configured with a secured configuration.
Action
Disable telnet service (port 23)
Disable ftp service (port 21)
Disable amanda service (port 10080)
Disable amandaidx service (port 10082)
Disable cups-lpd service (port 515; the CUPS daemon itself, port 631, is covered under boot services below)
Disable dbskkd-cdb service (port 1178)
Disable eklogin service (port 2105)
Disable gssftp service (port 21)
Disable vsftpd service (port 21)
Disable wu-ftpd service (port 21)
Disable imap service (port 143)
Disable imaps service (port 993)
Disable ipop3 service (port 110)
Disable ipop2 service (port 109)
Disable pop3s service (port 995)
Disable tftp service (port 69)
Disable rlogin service (port 513)
Disable rsh service (port 514)
Disable rexec service (port 512)
Disable chargen/chargen-udp service (port 19)
Disable daytime/daytime-udp service (port 13)
Disable echo/echo-udp service (port 7)
Disable finger service (port 79)
Disable talk/ntalk service (ports 517/518)
Disable rsync service (port 873)
Disable sgi_fam service (RPC, via portmap)
Disable time/time-udp service (port 37)
Disable krb5-telnet service (port 23)
Disable klogin service (port 543)
Disable kshell service (port 544)
Disable ktalk service
Each xinetd service is disabled with "chkconfig <service> off" (which sets disable = yes in
/etc/xinetd.d/<service>) followed by "service xinetd reload"; "chkconfig --list" shows the xinetd based
services and their state at the end of its output. Verify afterwards with "netstat -lntup" that the
listed ports are no longer open.
3.4.3. Boot Services
Every system daemon that does not have a clear and necessary purpose on the host MUST be
deactivated. This greatly reduces the chances that the machine will be running a vulnerable daemon
when the next vulnerability is discovered in its operating system.
It may be that services listed below do not exist on all installations; this is normal (see section 1.4).
All of the following services SHOULD be disabled with "service <name> stop" and "chkconfig <name> off",
so that they stay off after the reboot of section 1.5. If for any reason one of the services is being used
it MUST be configured with a secured configuration.
Action
Stop apmd daemon
An APM monitoring daemon that works in conjunction with the APM BIOS driver in the OS kernel. It can
execute a command (normally a shell script) when certain events are reported by the driver or when the
system power status changes; when the available battery power becomes very low it can alert all users on
the system using several methods.
Stop canna daemon
Japanese input system
Stop freewnn daemon
FreeWnn is a client-server based input system for Japanese input system
Stop gpm daemon
A cut and paste utility and mouse server for virtual consoles.
Stop hpoj daemon
HP printer driver
Stop innd daemon
InterNetNews daemon
Stop irda daemon
Infrared support
Stop isdn daemon
Support for ISDN infrastructure
Stop kdcrotate daemon
A script which rotates the list of KDCs in /etc/krb5.conf.
Stop lvs daemon
A service for Linux Virtual Server (LVS) clusters
Stop mars-nwe daemon
A NetWare compatible file and printer server
Stop oki4daemon daemon
Printer service
Stop privoxy daemon
Privoxy is a web proxy with advanced filtering capabilities
Stop rstatd daemon
Server that returns performance statistics through RPC.
Stop rusersd daemon
Server that returns information about users currently logged in. Uses RPC.
Stop rwalld daemon
Writes messages to users currently logged in. Uses RPC.
Stop rwhod daemon
System-status server that maintains the database used by the rwho and ruptime
programs. Its operation is predicated on the ability to broadcast messages on a
network. As a producer of information, rwhod periodically queries the state of the
system and constructs status messages, which are broadcast on a network. As a
consumer of information, it listens for other rwhod servers' status messages, validates
them, then records them in a collection of files located in the directory
/var/spool/rwho. Messages received by the rwhod server are discarded unless they
originated at an rwhod server's port. Status messages are generated approximately
once every three minutes.
Stop spamassassin daemon
Anti-SPAM server
Stop nfs daemon
Network File Server, use to share files and directories. Use RPC.
Stop nfslock daemon
NFS Component
Stop autofs daemon
Autofs is a kernel-based automounter for Linux.
Stop ypbind daemon
NIS client binder (the two services below are the NIS server processes)
Stop ypserv daemon
NIS server process
Stop yppasswdd daemon
NIS server process
Stop portmap daemon
RPC port mapper; NFS, NIS and the RPC-based r* services above all depend on it.
Stop smb daemon
Samba Server
Stop netfs daemon
Mounts and un-mounts all Network File System (NFS), SMB (Lan Manager/Windows),
and NCP (NetWare) mount points.
Stop lpd daemon
Print Server
Stop apache daemon
Web Server
Stop httpd daemon
Web Server
Stop tux daemon
Kernel based HTTP server
Stop snmpd daemon
SNMP server
Stop named daemon
DNS Server
Stop postgresql daemon
Postgres SQL Server
Stop mysqld daemon
mySQL database server.
Stop webmin daemon
Web based system administration tool.
Stop kudzu daemon
Linux hardware probing tool. This is a hardware probing tool run at system boot time
to determine what hardware has been added or removed from the system.
Stop squid daemon
WEB proxy server
Stop hotplug daemon
Hot pluggable hardware daemon.
Stop cups daemon
A printing service
Stop sendmail daemon
Sendmail is an e-mail transfer agent.
Stop ident daemon
Looks up TCP/IP connections and returns the username of the process user
identification daemon for Linux, which implements the Identification Protocol
(RFC1413). This protocol is used to identify active TCP connections.
Stop vncserver daemon
Starts a vnc server application.
Stop arpwatch daemon
Keeps track of Ethernet/IP address pairings and reports changes.
Stop acpid daemon
ACPID is a completely flexible, totally extensible daemon for delivering ACPI events.
Stop anacron daemon
Anacron is a periodic command scheduler. It executes commands at intervals
specified in days. Unlike cron, it does not assume that the system is running
continuously.
Stop avahi-daemon
Avahi is a fully LGPL framework for Multicast DNS Service Discovery. It allows
programs to publish and discover services and hosts running on a local network with
no specific configuration. For example one can plug into a network and instantly find
printers to print to, files to look at and people to talk to.
Stop avahi-dnsconfd daemon
Same as avahi-daemon
Stop bluetooth daemon
Bluetooth support
Stop capi daemon
CAPI is a shortcut for Common-ISDN-API and defines an abstraction layer for different
ISDN protocols
Stop dhcdbd daemon
DHCP D-BUS daemon (dhcdbd) controls dhclient sessions with D-BUS
Stop conman daemon
Conman is a program for connecting to remote consoles being managed by conmand.
Stop cpuspeed daemon
Power management based CPU Speed control
Stop dc_client daemon
Distributed session cache client
Stop dc_server daemon
Distributed session cache server
Stop dovecot daemon
Secure IMAP and POP3 server.
Stop dund daemon
BlueZ Bluetooth dial-up networking daemon
Stop haldaemon daemon
HAL is used for discovering storage, networking, digital cameras and printers
Stop hidd daemon
Bluetooth HID daemon
Stop kdump daemon
Kdump is a kexec based crash dumping mechanism for Linux.
Stop lisa daemon
LISA is a small daemon which is intended to run on end user systems. It provides
something like a "network neighborhood", but only relying on the TCP/IP protocol
stack.
Stop mcstrans daemon
mcstrans provides a translation daemon to translate SELinux categories from internal
representations to user defined representation.
Stop mdmonitor daemon
Manages software RAID
Stop mdmpd daemon
Used to monitor multi-path devices (RAID) devices
Stop messagebus daemon
D-BUS is first a library that provides one-to-one communication between any two
applications; dbus-daemon-1 is an application that uses this library to implement a
message bus daemon. Multiple programs connect to the message bus daemon and
can exchange messages with one another.
Stop netplugd daemon
netplugd is a daemon that responds to network link events from the Linux kernel,
such as a network interface losing or acquiring a carrier signal.
Stop nscd daemon
Nscd is a daemon that provides a cache for the most common name service requests.
Stop pand daemon
BlueTooth network tools
Stop pcscd daemon
pcscd is the daemon program for pcsc-lite and the musclecard framework. It is a resource manager that
coordinates communications with smart-card readers, smart cards and cryptographic tokens connected to
the system.
Stop psacct daemon
The psacct package contains several utilities for monitoring process activities.
Stop rdisc daemon
rdisc implements client side of the ICMP router discover protocol. rdisc is invoked at
boot time to populate the network routing tables with default routes.
Stop restorecond daemon
A daemon that watches for file creation and then sets the default SELinux file context
Stop saslauthd daemon
saslauthd is a daemon process that handles plaintext authentication requests on
behalf of the SASL library.
Stop setroubleshoot daemon
SELinux troubleshooting daemon, which analyses AVC denials and suggests fixes
Stop smartd daemon
Self-monitoring analysis and reporting technology system. Monitors the hard disk for
failures.
Stop winbind daemon
Winbind is an NSS switch module to map Windows NT Domain databases to Unix.
Stop postfix daemon
Mail Server
3.4.4. SNMP Service
The SNMP protocol is a management protocol that provides the ability to audit and manage network
devices remotely. In SNMP v1 and v2c the community name is the only credential: it is sent in clear text,
and anyone who learns it can query (read-only community) or reconfigure (read-write community) the host.
Action
SNMP prior to version 3 SHOULD NOT be used, because it has no encryption and only a clear-text
community string as authentication.
The community strings which are being used for SNMP queries MUST NOT be the defaults ("public" and
"private").
The read-write community SHOULD NOT be used at all; monitoring only needs read-only access.
An ACL (access list) MUST be set on the SNMP service so that only the management server may query it.
In net-snmp this is the source address of the com2sec line in /etc/snmp/snmpd.conf; a firewall rule
limiting UDP port 161 to the same address is a second layer.
3.4.5. Setuid/Gid Files
Setuid and setgid are short for "Set User ID" and "Set Group ID", respectively. They are access-right
flags that can be assigned to files and directories and are mostly used to allow users on a computer
system to execute a binary with temporarily elevated privileges in order to perform a specific task.
When a binary executable file has been given the setuid attribute, normal users on the system can
execute this file and gain the privileges of the user who owns the file (commonly root) within the
created process. When root privileges are gained within the process, the application can then perform
tasks on the system that regular users normally would be restricted from doing.
While the setuid feature is very useful in many cases, it can pose a security risk if the setuid attribute is
assigned to executable programs that are not carefully designed. Users can exploit vulnerabilities in
flawed programs to gain permanent elevated privileges, or unintentionally execute a Trojan horse
program.
Action
The SUID bit SHOULD be removed from all files under /bin and /usr/bin except the following files:
/usr/bin/passwd
/usr/bin/sudo
/bin/ping
/usr/bin/crontab
/bin/su
/usr/bin/agent_ctrl
/usr/bin/wall
/usr/bin/rcp
/bin/mount
/bin/traceroute
Note: /bin/umount is normally setuid alongside /bin/mount and is needed for the same reason.
/usr/bin/rcp belongs to the r* suite that section 3.3.2 disables; keep it on this list only if it is
actually used. Package updates restore the setuid bit on files they reinstall, so the check below
must be repeated after patching.
Executable files SHOULD NOT be set with the suid/sgid bit.
Find and remove the suid/sgid bit from all other files on the file system:
find / -perm -4000 -print
find / -perm -2000 -print
(The character before the mode is a plain ASCII hyphen, meaning "all of these bits set"; adding -xdev
keeps the search on local filesystems and out of /proc and network mounts.)
Before removing the suid/sgid bit make sure the permission is not needed by the application; the bit is
removed with "chmod u-s <file>" or "chmod g-s <file>".
Only read-only permission MAY be set on a mount point by using the "ro" mount option, where the
filesystem is never written to in normal operation.
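The following is an added example, not part of the original document: a shell audit that lists setuid/setgid files below a directory, compares them with an allow-list such as the one above, and strips the bits from everything else. The tree root and the allow-list file are assumed parameters, so the functions can first be run against a scratch tree (as in the usage); on the real system pass "/" and the allow-list you maintain.

```shell
#!/bin/bash
# Added example (not from the original document). Find setuid/setgid files
# and remove the bits from those not on the allow-list of section 3.4.5.

# Setuid or setgid regular files under $1, staying on the same filesystem
# (-xdev keeps the search off /proc, /sys and network mounts).
find_suid_sgid() {  # $1 = directory
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Setuid/setgid files under $1 that are not listed in allow-list $2.
# Paths are reported relative to $1 (for "/" that is the absolute path),
# so the allow-list always holds absolute paths such as /usr/bin/passwd.
unexpected_suid() {  # $1 = directory, $2 = allow-list file, one path per line
    base=${1%/}
    find_suid_sgid "$1" | while read -r f; do
        rel=${f#"$base"}
        grep -qxF -- "$rel" "$2" || printf '%s\n' "$rel"
    done
}

# Remove setuid and setgid from every file unexpected_suid reports.
# Run this only after confirming no installed application needs the bit.
strip_unexpected_suid() {  # $1 = directory, $2 = allow-list file
    base=${1%/}
    unexpected_suid "$1" "$2" | while read -r rel; do
        chmod u-s,g-s "$base$rel"
    done
}

# Usage: ./suid_audit.sh / /root/suid-allowlist.txt   (report only)
if [ $# -eq 2 ]; then
    unexpected_suid "$1" "$2"
fi
```

Keep the report from the first run with the pre-hardening backup: it is the reference for re-checking after each package update, which may re-introduce setuid bits.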
3.4.6. Crontab
The following configuration settings allow the scheduling of jobs with cron / at only to users listed in
cron.allow and at.allow (allow-list approach). Add users to these files to permit cron / at use. When
cron.allow exists, cron.deny is not consulted (the same holds for at.allow and at.deny), so the .allow
files are the effective control; the .deny files are kept so that removing an .allow file by mistake does
not silently open access to everyone.
Action
The /etc/cron.allow file MUST exist and be owned by root with mode 600
The /etc/cron.deny file MUST exist and be owned by root with mode 600
The /etc/at.allow file MUST exist and be owned by root with mode 600
The /etc/at.deny file MUST exist and be owned by root with mode 600
Note: these files live directly in /etc, not in /etc/cron.d/, which holds crontab fragments.
If one of the above files does not exist, 'touch' the relevant file (make sure "root" is allowed to
schedule cron jobs by adding it to the .allow files).
3.4.7. Other File System Security Requirements
Action
Only root SHOULD have permissions on the /root directory (mode 700).
The system SHOULD prevent setuid binaries and device files on removable media through /etc/fstab,
using the "nosuid" and "nodev" options on those mount points (nosuid ignores the setuid/setgid bits;
only nodev blocks device files).
The /tmp partition SHOULD be mounted with the 'nosuid' and 'acl' options set.
The /home partition (the users' home directories) SHOULD be mounted with the 'nosuid' and 'acl' options
set.
The /var partition SHOULD be mounted with the 'nosuid' option set.
Executable files under /bin and /usr/bin MUST NOT be writable by group or other.
The following files MUST NOT be writable by group or other (/etc/shadow and /etc/gshadow MUST NOT be
readable by them either):
/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow
The /etc/services file SHOULD be immutable (chattr +i).
The file /usr/sbin/tcpdump MUST be accessible only to the root user (mode 700), so that unprivileged
users cannot use it to capture traffic.
The /etc/syslog.conf file MUST have no permissions for 'other', so that unprivileged users cannot learn
where logs are sent.
Non root users MUST NOT be able to run the following applications:
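For the mount-option items of this section, the following is an added example, not part of the original document: a shell check of an fstab-style file for the separate partitions and options required above (nosuid on /tmp, /home and /var; acl on /tmp and /home). The file path is an assumption passed by the caller (normally /etc/fstab, or a copy from the backup); the sample fstab in the usage is constructed.

```shell
#!/bin/bash
# Added example (not from the original document). Check fstab for the
# separate partitions and mount options required in section 3.4.7.

# Mount options (4th field) of mount point $2 in fstab file $1; empty if
# the mount point is not listed, i.e. is not a separate partition.
fstab_opts() {
    awk -v mp="$2" '!/^[[:space:]]*#/ && NF >= 4 && $2 == mp { print $4; exit }' "$1"
}

# True if the comma-separated option list $1 contains option $2 exactly
# (so "nosuid" does not match "suid" and vice versa).
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# One line per deviation; returns 0 when all requirements are met.
fstab_audit() {  # $1 = fstab file
    f=$1; rc=0
    for spec in /tmp:nosuid,acl /home:nosuid,acl /var:nosuid; do
        mp=${spec%%:*}
        opts=$(fstab_opts "$f" "$mp")
        if [ -z "$opts" ]; then
            echo "$mp: not a separate partition"; rc=1
            continue
        fi
        for want in $(printf '%s' "${spec#*:}" | tr , ' '); do
            has_opt "$opts" "$want" || { echo "$mp: missing $want (has $opts)"; rc=1; }
        done
    done
    return $rc
}

# Usage: ./fstab_audit.sh /etc/fstab
# After editing fstab, "mount -o remount /tmp" applies the new options
# without a reboot, and "mount | grep /tmp" shows what is actually in effect.
if [ $# -eq 1 ]; then
    fstab_audit "$1"
fi
```

A mount point that is missing from fstab is reported as a finding rather than skipped, because a /tmp that is merely a directory on the root filesystem cannot carry nosuid at all.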
3.6. General Requirements
3.6.1. General Subjects
Action
NTP service MUST be enabled.
Note: NTP should be configured according to the company policy. Accurate, synchronised time is crucial
for security investigations, since log entries from different hosts can only be correlated when their
clocks agree.
motd/issue files SHOULD be set with a warning banner. See Appendix A for a suggestion.
An automatic logout of idle shells after 15 minutes SHOULD be set by adding the following line to
/etc/profile (mark the variable readonly as well, otherwise a user can simply unset it):
TMOUT=900
Restricting system reboots through the console:
The system MAY prevent rebooting through the console (Ctrl-Alt-Del) without being logged in to the
system:
Verify the following line exists in /etc/inittab:
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
The -a option makes shutdown consult /etc/shutdown.allow: the reboot proceeds only if root or a user
listed in that file is logged in on a console, so the file must exist and list the administrators
permitted to use the key sequence. Changes to /etc/inittab take effect after "init q" or the reboot of
section 1.5.
Appendix A
The Following Text is a suggestion for /etc/issue and /etc/motd:
This computer system, including all related equipment, networks and network devices (specifically including
Internet access), is provided only for authorized use.
The computer systems may be monitored for all lawful purposes, including to ensure that their use is
authorized, for management of the system, to facilitate protection against unauthorized access and to verify
security procedures, survivability and operational security.
Monitoring includes active attacks by authorized entities to test or verify the security of this system.
During monitoring, information may be examined, recorded, copied and used for authorized purposes.
All information, including personal information, placed on or sent over this system may be monitored. Use of
this computer system, authorized or unauthorized, constitutes consent to the monitoring of this system.
Unauthorized use may subject you to criminal prosecution.
Evidence of unauthorized use collected during monitoring may be used for administrative, criminal or
adverse action.
Use of this system constitutes consent to monitoring for these purposes.