How to check and strengthen the Security Compliance of Linux operating system

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article explains how to check and strengthen the security compliance of a Linux operating system. The content is detailed, and interested readers can use it as a reference. I hope it helps you.

1. Account and password

1.1 Disable or delete unwanted accounts

Remove accounts the system does not need, to reduce security risk.

Operation steps

Use the command userdel <username> to delete unnecessary accounts.

Use the command passwd -l <username> to lock unwanted accounts.

Use the command passwd -u <username> to unlock the necessary accounts.

1.2 Check special accounts

Check whether there are accounts with an empty password and accounts with root privileges.

Operation steps

1. Check for empty-password accounts and root-privilege accounts to confirm whether any abnormal account exists:

Use awk -F: '($2=="")' /etc/shadow to view empty password accounts.

Use awk -F: '($3==0)' /etc/passwd to view accounts with UID zero.

2. Harden empty-password accounts:

Use the command passwd <username> to set a password for an empty password account.

Make sure that root is the only account with UID 0.

1.3 Add password policy

Enforce password complexity and aging rules to make passwords harder to guess.

Operation steps

1. Modify the configuration file using the command vi /etc/login.defs.

# Maximum number of days a new user's password can be used
PASS_MAX_DAYS 90

# Minimum number of days a new user's password must be used
PASS_MIN_DAYS 0

# Number of days before expiration that a new user is warned
PASS_WARN_AGE 7

2. Use the chage command to modify the settings of an existing user.

For example, chage -m 0 -M 30 -E 2000-01-01 -W 7 <username> means that this user's password has a maximum age of 30 days and a minimum age of 0 days, an expiration date of January 1, 2000 is set, and the user is warned seven days before expiration.

3. Lock the account for five minutes after three consecutive incorrect passwords. Modify the configuration file using the command vi /etc/pam.d/common-auth, adding the line auth required pam_tally.so onerr=fail deny=3 unlock_time=300 to the configuration file. On current distributions pam_tally has been replaced by pam_faillock, which accepts the same deny and unlock_time options.
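
The checks from 1.2 and the 90-day limit from 1.3 can be combined into one audit, shown here as an added example that is not part of the original article. The function names and the sample files are constructed for illustration; on a real host the two arguments would be /etc/passwd and /etc/shadow, read as root.

```shell
#!/bin/sh
# Added example: audit passwd/shadow-format files for the conditions in 1.2
# and the maximum password age from 1.3.
# Usage: audit_accounts PASSWD_FILE SHADOW_FILE [MAX_DAYS]
# Prints one finding per line and returns 1 if anything was found.
audit_accounts() {
    passwd_file=$1 shadow_file=$2 max_days=${3:-90}
    findings=$(
        # passwd field 3 is the UID: only "root" may hold UID 0.
        awk -F: '$3 == 0 && $1 != "root" { print "EXTRA_UID0 " $1 }' "$passwd_file"
        awk -F: -v max="$max_days" '
            # shadow field 2 empty: the account logs in with no password.
            $2 == "" { print "EMPTY_PASSWORD " $1; next }
            # "!" or "*" prefix: locked (passwd -l) or no password login.
            $2 ~ /^[!*]/ { next }
            # Field 5 is the per-account maximum age. login.defs only seeds
            # it for new accounts, so existing accounts are checked here.
            $5 == "" || $5 + 0 > max {
                print "MAX_AGE " $1 " " ($5 == "" ? "unset" : $5)
            }
        ' "$shadow_file"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample data; the hash fields are dummy strings.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
svc:x:998:998::/var/lib/svc:/sbin/nologin
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$hash:19000:0:90:7:::
toor:$6$constructed$hash:19000:0:90:7:::
alice::19000:0:90:7:::
bob:$6$constructed$hash:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
EOF
}
```

Accounts reported as MAX_AGE are the ones that still need the chage command from step 2, because editing /etc/login.defs does not change existing accounts.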

1.4 Limit user su

Limit the users who can su to root.

Operation steps

Modify the configuration file using the command vi /etc/pam.d/su and add a line to it. For example, to allow only users in the test group to su to root, add auth required pam_wheel.so group=test.

1.5 Prohibit root from logging in directly

Restrict the root user from logging in directly.

Operation steps

1. Create an account with normal permissions and set its password, so that remote login is still possible once root login is disabled;

2. Modify the configuration file with the command vi /etc/ssh/sshd_config, changing the PermitRootLogin value to no; save it, and restart the service with service sshd restart.

2. Services

2.1 Turn off unnecessary services

Turn off unnecessary services (such as regular services and xinetd services) to reduce risk.

Operation steps

Use the command systemctl disable <service name> to set the service not to start automatically at boot.

Note: For some older versions of Linux operating systems (such as CentOS 6), the command chkconfig --level <init level> <service name> off can be used to set the service not to start automatically when booting at a specified init level.

2.2 SSH Service Security

Harden the SSH service to prevent brute force attacks.

Operation steps

Edit the configuration file using the command vim /etc/ssh/sshd_config.

Do not allow the root account to log in directly to the system.

Set PermitRootLogin to no.

Modify the protocol version SSH uses.

Set Protocol to 2.

Change the number of password errors allowed (default 6).

Set MaxAuthTries to a value of 3.

After modifying the configuration file, restart the sshd service for the changes to take effect.
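
The settings above can be verified with a small parser, given here as an added example that is not part of the original article. The function names and the sample file are constructed, the defaults passed for unset keywords are assumptions about a current OpenSSH build, and only the whitespace-separated "Keyword value" form is handled.

```shell
#!/bin/sh
# Added example: check an sshd_config-format file against the values in 2.2.
# sshd uses the FIRST value it reads for a keyword, keywords are
# case-insensitive and "#" starts a comment, so a plain grep for
# "PermitRootLogin no" can report a false pass.

# sshd_value FILE KEYWORD DEFAULT -> effective global value, lower-cased
sshd_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }        # comment or blank line
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE -> prints one FAIL line per miss, returns 1 on any miss.
# The defaults passed below are assumptions, not values from the article.
audit_sshd() {
    rc=0
    root=$(sshd_value "$1" PermitRootLogin prohibit-password)
    tries=$(sshd_value "$1" MaxAuthTries 6)
    proto=$(sshd_value "$1" Protocol 2)
    [ "$root" = no ] || { echo "FAIL PermitRootLogin=$root (want no)"; rc=1; }
    [ "$tries" -le 3 ] 2>/dev/null ||
        { echo "FAIL MaxAuthTries=$tries (want <= 3)"; rc=1; }
    [ "$proto" = 2 ] || { echo "FAIL Protocol=$proto (want 2)"; rc=1; }
    return $rc
}

# Constructed sample: the commented line and the later "no" do not count.
write_sample_sshd() {
    cat > "$1" <<'EOF'
#PermitRootLogin no
permitrootlogin yes
PermitRootLogin no
MaxAuthTries 3
Match User deploy
    MaxAuthTries 10
EOF
}
```

On a live host, sshd -T prints the effective configuration after defaults are applied and is the authoritative source for the same check.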

3. File system

3.1 Set umask value

Set the default umask value to enhance security.

Operation steps

Use vi /etc/profile to modify the configuration file and add the line umask 027. With this value the owner of a newly created file has read, write and execute permissions, users in the same group have read and execute permissions, and other users have no permissions (regular files are created without the execute bit, so they end up as 640 and directories as 750).

3.2 Set login timeout

Set a connection timeout after system login to enhance security.

Operation steps

Modify the configuration file using the command vi /etc/profile and change the commented-out line that starts with TMOUT= to TMOUT=180, which means the timeout is three minutes.

4. Logs

4.1 syslogd logs

Enable and configure logging.

Operation steps

Linux systems enable the following types of logs by default:

System log (default): /var/log/messages

cron log (default): /var/log/cron

Security log (default): /var/log/secure

Note: Some systems may use syslog-ng logs, with the configuration file /etc/syslog-ng/syslog-ng.conf.

You can configure more detailed logging according to your needs.

4.2 Log all users' logins and actions

Use a script to record every user's login and operation history, so that evidence is available to check when a security incident occurs.

Operation steps

1. Open the configuration file

[root@xxx /]# vim /etc/profile

2. Enter the following in the configuration file:

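    # Record each login session's command history in its own file
    USER=`whoami`
    # Source address of the login: last field of who(1), parentheses removed
    USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
    if [ "$USER_IP" = "" ]; then
        USER_IP=`hostname`
    fi
    if [ ! -d /var/log/history ]; then
        mkdir /var/log/history
        # Sticky bit: users can create their own directory here but cannot
        # rename or remove another user's directory
        chmod 1777 /var/log/history
    fi
    if [ ! -d /var/log/history/${LOGNAME} ]; then
        mkdir /var/log/history/${LOGNAME}
        chmod 300 /var/log/history/${LOGNAME}
    fi
    export HISTSIZE=4096
    DT=`date +"%Y%m%d_%H:%M:%S"`
    # One history file per session: <user>@<source>_<timestamp>
    export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT"
    chmod 600 /var/log/history/${LOGNAME}/*history* 2>/dev/null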

3. Reload the configuration so that it takes effect.

[root@xxx /]# source /etc/profile

Note: /var/log/history is the location where the log is stored and can be customized.

After these steps, a directory named after each user is created under /var/log/history. Each time a user logs out, a log file named with the user name, login IP and time is generated, containing all the operations of this user (except root user).

That is all on how to check and strengthen the security compliance of the Linux operating system. I hope the above content is of some help to you. If you think the article is good, you can share it so that more people can see it.
