Shulou (SLTechnology News & Howtos, Development), 06/02 report, updated 2025-01-16
This article walks through the baseline verification checks for a Linux operating system: for each control it states the requirement, what to check, and the corresponding hardening (reinforcement) method. The content is kept short and practical so that it can be followed directly on a host.
I. Identity authentication

Each table in the original checklist has four columns: serial number, requirement / control point, whether it is satisfied (filled in during the check), and the reinforcement method. They are laid out below as numbered items.

1. Requirement / control point: logged-in users are identified and authenticated, identities are unique, and authentication credentials have complexity requirements and are changed regularly.
   Reinforcement method:
   Password complexity: letters, digits and special symbols, at least 8 characters; the last 5 passwords cannot be reused.
   Edit /etc/pam.d/system-auth (vim /etc/pam.d/system-auth):
       auth     required   pam_tally2.so onerr=fail deny=3 unlock_time=1200 even_deny_root root_unlock_time=1200
       auth     sufficient pam_unix.so try_first_pass
       account  required   pam_tally2.so
       password requisite  pam_cracklib.so retry=3 difok=3 minlen=8 lcredit=-1 dcredit=-1 ocredit=-1
       password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
   Notes on these lines: remember= is a password-stack option of pam_unix, so it is placed on the password line (on an auth line it is silently ignored); nullok on pam_unix.so would let accounts with an empty password log in and contradicts the empty-password check in section II, so it is left out; the account line is what resets the pam_tally2 failure counter after a successful login, without it the counter only ever grows. On distributions that have dropped pam_tally2 and pam_cracklib, the equivalent modules are pam_faillock and pam_pwquality.
   Set the password-change period in /etc/login.defs (vim /etc/login.defs):
       PASS_MAX_DAYS 90
       PASS_MIN_DAYS 0
       PASS_MIN_LEN 8
       PASS_WARN_AGE 7
   These defaults apply to accounts created afterwards; apply them to existing accounts with chage (for example chage -M 90 -W 7 username) and verify with chage -l username.
2. Requirement / control point: the system handles login failures; measures such as ending the session, limiting the number of failed logins and logging out automatically when the connection times out are enabled.
   Reinforcement method:
   Lock the account for five minutes after three consecutive wrong passwords. Edit /etc/pam.d/common-auth (vi /etc/pam.d/common-auth) and add:
       auth required pam_tally.so onerr=fail deny=3 unlock_time=300
   common-auth is the Debian/Ubuntu file; on Red Hat systems the equivalent line uses pam_tally2.so in /etc/pam.d/system-auth, as shown in item 1. A locked counter is reset with pam_tally --user=username --reset (pam_tally2 --user=username --reset for pam_tally2).
3. Requirement / control point: during remote management, measures are taken to prevent authentication information from being eavesdropped on the network.
   Reinforcement method:
   The telnet protocol is prohibited; use SSH for remote management.
   Check whether telnet and telnet-server are installed: rpm -qa | grep telnet
   If they are installed:
     1. Edit /etc/xinetd.d/telnet and set disable = yes.
     2. Restart xinetd so the change takes effect: # service xinetd restart
   If they are not installed, the telnet service is already unavailable; confirm that nothing else listens on port 23 with netstat -an | grep ':23 '.
   For devices maintained remotely over IP, configure SSH. OpenSSH is available free of charge from http://www.openssh.com/; follow the installation instructions shipped with it (on most distributions it is already present as the openssh-server package).
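As an added example (not code from the original article), the following shell functions automate the checks behind items 1 and 2: they read the effective values from a login.defs-style file and a PAM stack file and print one FAIL line per deviation from the baseline. The function names, the thresholds and the sample configs at the bottom are the example's own; on a real host point the functions at /etc/login.defs and /etc/pam.d/system-auth (or common-auth and common-password on Debian).

```shell
#!/bin/sh
# Added example: baseline checks for the password-policy and lockout controls.
# Functions take a file path so they can be run against the real host files;
# the sample configs at the bottom are constructed for demonstration only.

# login_defs_value FILE KEY -> effective value of KEY (last uncommented assignment wins)
login_defs_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# check_login_defs FILE -> one "FAIL ..." line per deviation from the baseline
# (PASS_MAX_DAYS <= 90, PASS_MIN_LEN >= 8, PASS_WARN_AGE >= 7); silent when compliant
check_login_defs() {
    local f="$1" v
    v=$(login_defs_value "$f" PASS_MAX_DAYS)
    [ -n "$v" ] && [ "$v" -le 90 ] || echo "FAIL PASS_MAX_DAYS=${v:-unset} (want <=90)"
    v=$(login_defs_value "$f" PASS_MIN_LEN)
    [ -n "$v" ] && [ "$v" -ge 8 ] || echo "FAIL PASS_MIN_LEN=${v:-unset} (want >=8)"
    v=$(login_defs_value "$f" PASS_WARN_AGE)
    [ -n "$v" ] && [ "$v" -ge 7 ] || echo "FAIL PASS_WARN_AGE=${v:-unset} (want >=7)"
    return 0
}

# pam_option FILE TYPE MODULE_REGEX OPTION -> value of OPTION on the first active
# line of stack TYPE (auth/account/password/session) whose module matches
# MODULE_REGEX; empty if absent. The stack matters: remember= only works on a
# password line, which is exactly the mistake the sample below contains.
pam_option() {
    awk -v type="$2" -v mod="$3" -v opt="$4" '
        /^[[:space:]]*#/ { next }
        $1 == type && $0 ~ mod {
            for (i = 1; i <= NF; i++)
                if (index($i, opt "=") == 1) { print substr($i, length(opt) + 2); exit }
        }' "$1"
}

# check_pam FILE -> findings for: lockout after at most 3 failures, minimum
# length 8, last 5 passwords remembered, and no nullok (empty passwords accepted)
check_pam() {
    local f="$1" v
    v=$(pam_option "$f" auth 'pam_(tally2|faillock)[.]so' deny)
    [ -n "$v" ] && [ "$v" -le 3 ] || echo "FAIL lockout deny=${v:-unset} (want <=3)"
    v=$(pam_option "$f" password 'pam_(cracklib|pwquality)[.]so' minlen)
    [ -n "$v" ] && [ "$v" -ge 8 ] || echo "FAIL minlen=${v:-unset} (want >=8)"
    v=$(pam_option "$f" password 'pam_(unix|pwhistory)[.]so' remember)
    [ -n "$v" ] && [ "$v" -ge 5 ] || echo "FAIL remember=${v:-unset} on password stack (want >=5)"
    if grep -Eq '^[^#]*pam_unix[.]so.*nullok' "$f"; then
        echo "FAIL nullok on pam_unix.so (accounts with empty passwords can log in)"
    fi
    return 0
}

# --- constructed samples (not real host files): a weak login.defs, and a PAM
# --- stack with nullok and with remember= on the auth line where it is ignored
demo=$(mktemp -d)
cat > "$demo/login.defs" <<'EOF'
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF
cat > "$demo/system-auth" <<'EOF'
auth     required   pam_tally2.so onerr=fail deny=3 unlock_time=1200 even_deny_root root_unlock_time=1200
auth     sufficient pam_unix.so nullok try_first_pass remember=5
password requisite  pam_cracklib.so retry=3 difok=3 minlen=8 lcredit=-1 dcredit=-1 ocredit=-1
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
EOF
echo "== login.defs =="; check_login_defs "$demo/login.defs"
echo "== PAM =="; check_pam "$demo/system-auth"
rm -rf "$demo"
```

On the constructed sample this reports PASS_MAX_DAYS and PASS_MIN_LEN from login.defs, and from the PAM file the missing remember= on the password stack plus the nullok option; the deny=3 and minlen=8 settings pass. Run it as root on a real host (`check_login_defs /etc/login.defs; check_pam /etc/pam.d/system-auth`) and treat any FAIL line as an unsatisfied control.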
II. Access control

1. Requirement / control point: users who log in are assigned their own accounts and permissions.
   Reinforcement method:
   Check whether a single root account is shared for general use. If so, create ordinary accounts that match the actual roles; each follows the principle of least privilege, and direct use of the root account is prohibited.
   Create an account with normal permissions, set its password, and prevent root from logging in remotely: edit /etc/ssh/sshd_config (vi /etc/ssh/sshd_config), change the value of PermitRootLogin to no, save, and restart the service with service sshd restart.
   sshd uses the first occurrence of a keyword, so an existing PermitRootLogin yes line must be changed in place rather than a new line appended after it. Verify the effective value with sshd -T | grep permitrootlogin.
2. Requirement / control point: default accounts are renamed or deleted, and the default passwords of default accounts are changed.
   Reinforcement method:
   Check for empty-password accounts and for extra root-equivalent accounts:
       awk -F: '($2 == "") {print $1}' /etc/shadow     # accounts whose password field is empty
       awk -F: '($3 == 0) {print $1}' /etc/passwd      # accounts with UID 0
   Set a password for any empty-password account with passwd username (or lock it with usermod -L username if it is not needed).
   Any account other than root with UID 0 is abnormal: delete it or assign it a unique UID.
3. Requirement / control point: redundant and expired accounts are deleted or disabled promptly, and shared accounts are avoided.
   Reinforcement method:
   Delete a user: # userdel username
   Lock a user (only a user with superuser privileges can do this): # usermod -L username
   Unlock a user: # usermod -U username
   Supplementary instructions. System accounts that should be locked if present:
   adm, lp, mail, uucp, operator, games, gopher, ftp, nobody, nobody4, noaccess, listen, webservd, rpm, dbus, avahi, mailnull, smmsp, nscd, vcsa, rpc, rpcuser, nfs, sshd, pcap, ntp, haldaemon, distcache, apache, webalizer, squid, xfs, gdm, sabayon, named
   Locking prefixes the password hash with "!" so password authentication fails; daemons running under these accounts are unaffected because they never authenticate with a password. Also give them a non-login shell (usermod -s /sbin/nologin username) so they cannot be used interactively at all.
4. Requirement / control point: administrative privileges are separated by granting administrative users only the minimum permissions they need.
   Reinforcement method:
   Check for users with excessive privileges who can operate on system resources outside their proper scope. If any exist, reduce their permissions so they can only operate on the resources they should access.
   Create an account with normal permissions, set its password, and prevent root from logging in remotely: edit /etc/ssh/sshd_config (vi /etc/ssh/sshd_config), change PermitRootLogin to no, save, and restart the service with service sshd restart (the same step as item 1).
   Restrict which users may su to root. Edit the su file (vi /etc/pam.d/su) and add the following two lines at the top:
       auth sufficient pam_rootok.so
       auth required   pam_wheel.so group=wheel
   After this only members of the wheel group can become root with the su command. To let a user use su, add it to the wheel group:
       usermod -aG wheel username
   The -a flag appends wheel to the user's existing supplementary groups; usermod -G wheel on its own replaces them, which silently removes the user from every other group.
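As an added example (not code from the original article), the functions below turn the account checks of items 1 to 3 into something that can be run against copies of the host files: empty-password accounts, extra UID 0 accounts, which of the listed system accounts are still unlocked, and the value of PermitRootLogin that sshd will actually use. The function names and the constructed passwd/shadow/sshd_config samples at the bottom are the example's own; on a real host pass /etc/shadow, /etc/passwd and /etc/ssh/sshd_config instead.

```shell
#!/bin/sh
# Added example: account checks for section II. Each function takes the path of
# a passwd-, shadow- or sshd_config-format file so it can be pointed at the real
# /etc files; the samples at the bottom are constructed, not copied from a host.

# empty_password_accounts SHADOW_FILE -> accounts whose password field is empty
# (no hash at all, so a login with no password succeeds wherever PAM allows nullok)
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# extra_uid0_accounts PASSWD_FILE -> accounts other than root that have UID 0
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# unlocked_accounts SHADOW_FILE NAME... -> those of the named accounts that exist
# in the file and are not locked (a locked hash starts with "!" or "*"; an empty
# field also counts as unlocked)
unlocked_accounts() {
    local f="$1"; shift
    awk -F: -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) && $2 !~ /^[!*]/ { print $1 }' "$f"
}

# sshd_effective SSHD_CONFIG KEY -> the value sshd will use for KEY: the FIRST
# active occurrence wins, and keywords inside a Match block only apply
# conditionally, so scanning stops at the first Match line
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# --- constructed samples (not real host files) ---
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$demo/shadow" <<'EOF'
root:$6$saltsalt$notarealhash:19700:0:90:7:::
toor:$6$saltsalt$notarealhash:19700:0:90:7:::
ftp:*:19700:0:99999:7:::
alice::19700:0:90:7:::
games:!!:19700:0:99999:7:::
gdm:$1$legacy$hash:19700:0:99999:7:::
EOF
cat > "$demo/sshd_config" <<'EOF'
#PermitRootLogin yes
PermitRootLogin yes
Match User backup
    PermitRootLogin no
EOF
echo "empty password:";  empty_password_accounts "$demo/shadow"               # alice
echo "extra UID 0:";     extra_uid0_accounts "$demo/passwd"                   # toor
echo "not locked:";      unlocked_accounts "$demo/shadow" ftp games gdm named # gdm
echo "PermitRootLogin:"; sshd_effective "$demo/sshd_config" PermitRootLogin   # yes
rm -rf "$demo"
```

The sshd_config sample shows the trap mentioned in item 1: the global PermitRootLogin yes on line 2 is what takes effect, and the no inside the Match block only applies to the user backup. The fix is to edit the first global line, not to append another.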
III. Security audit

1. Requirement / control point: the security audit function is enabled, covers every user, and audits important user actions and important security events.
   Reinforcement method:
   Enable the system's own syslog logging and auditd auditing (chkconfig auditd on; service auditd start) and audit the behaviour of the server and its users.
   Record user logins and the commands they run. Append the following to /etc/profile (vim /etc/profile):
       USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
       if [ "$USER_IP" = "" ]; then
           USER_IP=`hostname`
       fi
       if [ ! -d /tmp/dbasky ]; then
           mkdir /tmp/dbasky
           chmod 755 /tmp/dbasky
       fi
       if [ ! -d /tmp/dbasky/${LOGNAME} ]; then
           mkdir /tmp/dbasky/${LOGNAME}
           chmod 300 /tmp/dbasky/${LOGNAME}
       fi
       export HISTSIZE=4096
       DT=`date "+%Y-%m-%d_%H-%M-%S"`
       export HISTFILE="/tmp/dbasky/${LOGNAME}/${USER_IP}-dbasky.$DT"
       export HISTTIMEFORMAT="[%Y.%m.%d %H:%M:%S]"
       chmod 600 /tmp/dbasky/${LOGNAME}/*dbasky* 2>/dev/null
   This writes one timestamped bash history file per login, named after the client address (who -u am i prints the remote host of the current tty session in parentheses, which the sed strips). It is a convenience log, not a tamper-proof audit trail: the user can unset HISTFILE or HISTSIZE in the shell, /tmp is world-writable and is usually cleared on reboot or by tmpwatch, and nothing is captured from non-interactive sessions (scp, or ssh host command). auditd is the control that satisfies the requirement; this history capture only supplements it.
2. Requirement / control point: audit records include the date and time of the event, the user, the event type, whether the event succeeded, and other audit-relevant information.
   Reinforcement method: inspect the audit content (for example ausearch -i, or the entries in /var/log/audit/audit.log and /var/log/secure) and confirm that it carries the date, user, event type and outcome.
3. Requirement / control point: audit records are protected and backed up regularly so that they cannot be deleted, modified or overwritten unexpectedly.
   Reinforcement method:
   Set the log files append-only, so they can be written to but not modified or truncated:
       chattr +a /var/log/messages /var/log/secure /var/log/maillog /var/log/cron
   Root can still remove the attribute with chattr -a, so this protects against accidents and non-root tampering, not against an attacker who already has root; it also stops logrotate from renaming or truncating these files unless the rotation scripts clear the attribute first. Forwarding the logs to a remote syslog server is the stronger protection. Export backups regularly and keep audit records for at least 6 months.
IV. Intrusion prevention

1. Requirement / control point: the principle of minimal installation is followed; only the required components and applications are installed.
   Reinforcement method: follow minimal installation and prohibit bundled ("piggybacked") software that the system does not need.
2. Requirement / control point: unneeded system services, default shares and high-risk ports are turned off.
   Reinforcement method:
   List listening ports: netstat -antup (or ss -lntup on newer systems)
   List enabled services: chkconfig --list | grep on
   To stop a running service directly, for example sshd:
       # /etc/init.d/sshd stop    # stops the running sshd service
   (sshd is shown only to illustrate the command; the remote-management control in section I requires it to keep running.) Also disable the service at boot with chkconfig servicename off.
   Turn off the following unnecessary basic network services (xinetd services; disable each with chkconfig servicename off or disable = yes in /etc/xinetd.d/servicename):
   chargen-dgram, chargen-stream, daytime-dgram, daytime-stream, discard-dgram, discard-stream, echo-dgram, echo-stream, time-dgram, time-stream, tcpmux-server, klogin, eklogin, kshell, krb5-telnet, ekrb5-telnet, gssftp, tftp, cvs, rsync
3. Requirement / control point: management terminals that connect over the network are restricted by terminal access mode or by network address range.
   Reinforcement method: reach the intranet through a VPN, then log in and administer hosts through a bastion host (jump server) for unified management; the hosts.allow / hosts.deny restriction in section VII limits the source addresses further.
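As an added example (not code from the original article), the function below turns the "view listening ports" step of item 2 into a check: it reads ss -lntu style output and flags every listening socket whose port is not on an explicit allow-list, noting whether the socket is bound to all interfaces or only to loopback. The function name and SAMPLE_SS are the example's own; SAMPLE_SS is constructed output, not a capture from a real host.

```shell
#!/bin/sh
# Added example: listener check for the "unneeded services and high-risk ports"
# control. flag_listeners reads `ss -lntu` output on stdin (on a real host:
# ss -lntu | flag_listeners 22,443). For netstat -tuln the address is column 4
# and there are two header lines, so adjust NR and $5 accordingly.

# flag_listeners ALLOWED_PORTS  (comma-separated, e.g. "22,443"); stdin: ss -lntu output
# -> one "REVIEW proto address:port scope" line per socket outside the allow-list
flag_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                         # column header line
        NF >= 5 {
            la = $5                              # "Local Address:Port", e.g. 0.0.0.0:22 or [::]:22
            port = la; sub(/.*:/, "", port)      # text after the last colon
            addr = la; sub(/:[^:]*$/, "", addr)  # everything before it
            if (port in ok) next
            scope = (addr == "127.0.0.1" || addr == "[::1]") ? "local-only" : "all-interfaces"
            print "REVIEW", $1, addr ":" port, scope
        }'
}

# Constructed sample of `ss -lntu` output (not from a real host): sshd (22) and a
# loopback-only MTA (25) are expected; telnet (23) and tftp (69) are the kind of
# high-risk services item 2 says to turn off.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:25       0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:23         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:69         0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*'

# With 22 and 25 allowed, only the telnet and tftp sockets are reported.
printf '%s\n' "$SAMPLE_SS" | flag_listeners 22,25
```

Every REVIEW line needs either a written justification (and then its port goes on the allow-list) or a fix: stop and disable the service, or at least bind it to 127.0.0.1 and block the port on the host firewall.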
V. Prevention of malicious code

1. Requirement / control point: anti-malware software, or hardened software with equivalent functions, is installed, and its signature database is upgraded and updated regularly.
   Reinforcement method: check the installed antivirus software, record its version and signature date, and confirm that it has been upgraded to the latest release.
VI. Data backup and recovery

1. Requirement / control point: local backup and recovery of important data is provided.
   Reinforcement method: check whether backup files exist and understand the backup and recovery mechanism. If there is none, establish backups with a daily incremental and weekly full backup schedule, and test a restore so the backups are known to be usable.

2. Requirement / control point: off-site backup is provided; important data is transferred to the standby site regularly and in batches over the communication network.
   Reinforcement method: store backup files at a remote location and verify that they are usable, so that recovery does not depend on a single point of failure.
VII. Resource control

1. Requirement / control point: the root partition of the system disk uses less than 80% of its space.
   Reinforcement method: check with df -h /; if dynamic partition space is insufficient, the administrator should expand the disk capacity.
2. Requirement / control point: a command-line interface idle timeout is set so that idle sessions exit.
   Reinforcement method: as root, edit /etc/profile (vi /etc/profile) and add export TMOUT=600 (in seconds; adjust to the situation, the baseline requires no less than 600 s). Log the user out and back in to activate it. Adding readonly TMOUT on the next line stops users from unsetting or overriding the value in their own session.
3. Requirement / control point: the range of IP addresses allowed to log in remotely is limited.
   Reinforcement method:
   Check the /etc/hosts.allow configuration. Edit /etc/hosts.allow and add one line per permitted address; examples:
       ALL: 192.168.4.44 : allow      # allows a single IP for all wrapped services
       sshd: 192.168.1. : allow       # allows the whole 192.168.1 network segment to reach this host over SSH
   Check the /etc/hosts.deny configuration. Edit /etc/hosts.deny and add:
       ALL: ALL
   Restart xinetd so its services pick up the change: # /etc/init.d/xinetd restart
   Notes: hosts.allow is consulted before hosts.deny and the first matching line wins, so write and test the allow rules from a permitted address before adding ALL: ALL, otherwise you can lock yourself out of the host. sshd reads these files on each connection, so no restart is needed for it, but only if it is linked against libwrap (check with ldd $(which sshd) | grep libwrap); where it is not, restrict access with sshd's AllowUsers / ListenAddress options or a host firewall instead.
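As an added example (not code from the original article), the functions below evaluate a hosts.allow / hosts.deny pair the way the TCP wrapper library does, so a rule set like the one in item 3 can be tested offline before it is installed and before ALL: ALL goes into hosts.deny. It models the forms used on this page (ALL, an exact IP, a network prefix ending in ".", comma-separated lists and the optional allow/deny field); hostnames, netmasks, EXCEPT and the other hosts_access(5) features are deliberately not modelled. The function names and the constructed rule files are the example's own.

```shell
#!/bin/sh
# Added example: offline evaluation of hosts.allow / hosts.deny rules for one
# (daemon, client IP) pair. Only the rule forms used in item 3 are modelled.

# access_rule FILE DEFAULT DAEMON CLIENT_IP -> "allow" or "deny" from the first
# matching line of FILE (an explicit allow/deny option overrides DEFAULT),
# or nothing at all if no line matches
access_rule() {
    awk -F: -v def="$2" -v d="$3" -v ip="$4" '
        /^[[:space:]]*(#|$)/ { next }
        {
            gsub(/[[:space:]]/, "")          # "sshd: 192.168.1. : allow" -> "sshd:192.168.1.:allow"
            n = split($1, ds, ","); hit = 0
            for (i = 1; i <= n; i++) if (toupper(ds[i]) == "ALL" || ds[i] == d) hit = 1
            if (!hit) next
            n = split($2, cs, ",")
            for (i = 1; i <= n; i++) {
                c = cs[i]
                # a client pattern ending in "." is a network prefix: 192.168.1. matches
                # 192.168.1.23 but not 192.168.10.23, because the dot must match too
                if (toupper(c) == "ALL" || c == ip || (c ~ /\.$/ && index(ip, c) == 1)) {
                    o = $3
                    if (o != "allow" && o != "deny") o = def
                    print o
                    exit
                }
            }
        }' "$1"
}

# wrappers_decision ALLOW_FILE DENY_FILE DAEMON CLIENT_IP -> "allow" or "deny":
# hosts.allow is consulted first, then hosts.deny, and a client that matches
# neither is allowed, which is why item 3 adds "ALL: ALL" to hosts.deny
wrappers_decision() {
    local r
    r=$(access_rule "$1" allow "$3" "$4")
    [ -n "$r" ] && { echo "$r"; return 0; }
    r=$(access_rule "$2" deny "$3" "$4")
    [ -n "$r" ] && { echo "$r"; return 0; }
    echo allow
}

# --- constructed rule files reproducing the item 3 examples (not real host files) ---
demo=$(mktemp -d)
cat > "$demo/hosts.allow" <<'EOF'
ALL: 192.168.4.44 : allow
sshd: 192.168.1. : allow
EOF
printf 'ALL: ALL\n' > "$demo/hosts.deny"
for probe in "sshd 192.168.1.23" "sshd 192.168.10.23" "vsftpd 192.168.4.44" "vsftpd 192.168.1.23"; do
    set -- $probe
    echo "$1 from $2: $(wrappers_decision "$demo/hosts.allow" "$demo/hosts.deny" "$1" "$2")"
done
rm -rf "$demo"
```

The four probes show the behaviour an administrator should confirm before locking the files in: sshd from 192.168.1.23 is allowed, sshd from 192.168.10.23 is denied (the trailing dot in the prefix is what keeps 192.168.10.x out), any wrapped service from 192.168.4.44 is allowed, and vsftpd from the 192.168.1 segment is denied because that segment is only opened for sshd. Point wrappers_decision at copies of the real /etc/hosts.allow and /etc/hosts.deny with the address of your own management host as the probe before you add ALL: ALL.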
4. Requirement / control point: users are configured with the minimum permissions they need.
   Reinforcement method:
   Configure the permissions of the account files:
       chmod 644 /etc/passwd    # /etc/passwd
       chmod 644 /etc/group     # /etc/group
       chmod 600 /etc/shadow    # /etc/shadow
   Verify with stat -c '%a %U:%G %n' /etc/passwd /etc/group /etc/shadow. Debian-based systems ship /etc/shadow as 640 root:shadow, which is also acceptable; what matters is that no other user can read it.
That concludes the baseline verification methods for the Linux operating system covered here; the specific settings still need to be verified in practice on each host before the check is marked as satisfied.
© 2024 shulou.com SLNews company. All rights reserved.