2025-03-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Aliyun Standard - CentOS Linux 7 security baseline check
Note: it is recommended to record or back up the existing settings while carrying out these steps.

Set the password expiration time | Identity authentication
Description:
Set a password expiration time to force passwords to be changed regularly, reducing the risk of password disclosure and guessing. If non-password login methods (such as key pairs) are used, this item can be ignored.
Reinforcement recommendations:
If you use non-password login methods such as key pairs, ignore this item. Otherwise, set the PASS_MAX_DAYS parameter in /etc/login.defs to a value between 60 and 180, for example:
PASS_MAX_DAYS 90
At the same time, run the following command to set the expiration time of the root password:
chage --maxdays 90 root

Set the minimum interval between password changes | Identity authentication
Description:
Set a minimum interval between password changes so that passwords cannot be changed too frequently.
Reinforcement recommendations:
In /etc/login.defs, set the PASS_MIN_DAYS parameter to a value between 7 and 14; 7 is recommended:
PASS_MIN_DAYS 7
At the same time, run the following command to apply the setting to the root user:
chage --mindays 7 root

Password complexity check | Identity authentication
Description:
Check the password length and whether the password uses multiple character classes.
Reinforcement recommendations:
Edit /etc/security/pwquality.conf: set minlen (minimum password length) to a value between 9 and 32 characters, and set minclass (the minimum number of character classes a password must contain, from lowercase letters, uppercase letters, digits and special characters) to 3 or 4. For example:
minlen=10
minclass=3

Check whether password reuse is restricted | Identity authentication
Description:
Force users not to reuse recently used passwords, reducing the risk of password guessing.
Reinforcement recommendations:
In /etc/pam.d/password-auth and /etc/pam.d/system-auth, add a remember parameter with a value between 5 and 24 to the end of the line that begins with password sufficient pam_unix.so. The existing content of the line does not need to be changed; the parameter is only appended at the end:
remember=5

SSHD enforces the use of the SSH v2 protocol | SSH service configuration
Description:
Force SSHD to accept only version 2 of the SSH protocol.
Reinforcement recommendations:
Edit /etc/ssh/sshd_config and set the following parameter:
Protocol 2

Set the SSH idle timeout | Service configuration
Description:
Set an SSH idle timeout so that idle sessions are closed, reducing the risk of unauthorized users accessing other users' SSH sessions.
Reinforcement recommendations:
Edit /etc/ssh/sshd_config, set ClientAliveInterval to a value between 300 and 900 (5 to 15 minutes), and set ClientAliveCountMax to a value between 0 and 3:
ClientAliveInterval 600
ClientAliveCountMax 2

Check for system accounts with empty passwords | Identity authentication
Description:
Check the system for accounts that have an empty password.
Reinforcement recommendations:
Set a non-empty password for the user, or run passwd -l to lock the user.
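The pam_unix remember setting, the Protocol and ClientAlive directives, and the other sshd_config changes in the items above are all "change one line in a configuration file" operations, and the usual failure is doing them twice (duplicate directives) or putting a new directive after a Match block, where sshd applies it only inside that block. The helpers below are an added example, not part of the original article or of Aliyun's baseline tooling: set_sshd_directive rewrites an existing active directive in place, uncomments a commented-out default, or otherwise inserts the directive before the first Match block; add_pam_remember appends remember=N to the pam_unix.so line without touching the rest of it. Function names and the sample files are constructed for this example, and harden_samples runs the helpers on temporary copies rather than on /etc.

```shell
#!/bin/sh
# Added example: idempotent helpers for the sshd_config and PAM edits above.
# All helpers take a file path, so they can be rehearsed on copies first.

# set_sshd_directive FILE KEY VALUE
# Leaves FILE with exactly one active "KEY VALUE" line: the first active line
# is rewritten and later duplicates dropped (sshd honours the first one); a
# commented-out default such as "#MaxAuthTries 6" is uncommented in place;
# otherwise the directive is inserted before the first Match block, or at the
# end of the file when there is none. Writing via cat keeps the file's mode.
set_sshd_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        tolower($1) == tolower(key) {            # active directive
            if (!done) { print key " " value; done = 1 }
            next
        }
        !done && $1 ~ /^#/ {                     # commented-out directive?
            line = $0
            sub(/^[ \t]*#[ \t]*/, "", line)
            split(line, f, "[ \t]+")
            if (tolower(f[1]) == tolower(key)) { print key " " value; done = 1; next }
        }
        !done && tolower($1) == "match" {        # keep the new directive global
            print key " " value; done = 1
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# add_pam_remember FILE N
# Appends "remember=N" to the "password sufficient pam_unix.so ..." line,
# keeping everything already on it; an existing remember= value is updated
# rather than duplicated, so the function can be run repeatedly.
add_pam_remember() {
    file=$1; n=$2
    tmp=$(mktemp)
    awk -v n="$n" '
        $1 == "password" && $2 == "sufficient" && $3 == "pam_unix.so" {
            if ($0 ~ /(^|[ \t])remember=[0-9]+/) {
                sub(/remember=[0-9]+/, "remember=" n)
            } else {
                $0 = $0 " remember=" n
            }
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# active_value FILE KEY: value of the first active KEY line (used to verify)
active_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# harden_samples: builds constructed sample files (not real system files) in a
# temporary directory, applies the settings from the baseline, and prints the
# directory so the result can be inspected.
harden_samples() {
    dir=$(mktemp -d)
    cat > "$dir/sshd_config" <<'EOF'
# constructed sample sshd_config
#Protocol 2,1
ClientAliveInterval 0
Match User backup
    PasswordAuthentication no
EOF
    cat > "$dir/system-auth" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
    set_sshd_directive "$dir/sshd_config" Protocol 2
    set_sshd_directive "$dir/sshd_config" ClientAliveInterval 600
    set_sshd_directive "$dir/sshd_config" ClientAliveCountMax 2
    add_pam_remember "$dir/system-auth" 5
    echo "$dir"
}

harden_samples
```

Running the script prints the temporary directory; inspect the two files there to see the commented Protocol line replaced, ClientAliveInterval rewritten, ClientAliveCountMax placed before the Match block, and remember=5 appended to the pam_unix.so line. Running it again on the same files changes nothing, which is what makes the helpers safe to use from a configuration-management run.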
Disable login of SSH users with empty passwords | SSH service configuration
Description:
Prohibit users with empty passwords from logging in over SSH.
Reinforcement recommendations:
Edit /etc/ssh/sshd_config and set PermitEmptyPasswords to no:
PermitEmptyPasswords no

Ensure that the password expiration warning period is 7 days or more | Identity authentication
Description:
Ensure that users are warned at least 7 days before their password expires.
Reinforcement recommendations:
In /etc/login.defs, set the PASS_WARN_AGE parameter to a value between 7 and 14; 7 is recommended:
PASS_WARN_AGE 7
At the same time, run the following command so that the setting takes effect for the root user:
chage --warndays 7 root

Ensure that SSH MaxAuthTries is set to a value between 3 and 6 | SSH service configuration
Description:
Setting a lower MaxAuthTries value reduces the risk of the SSH server being compromised by brute-force password guessing.
Reinforcement recommendations:
In /etc/ssh/sshd_config, uncomment the MaxAuthTries line (remove the leading #) and set the maximum number of failed password attempts to a value between 3 and 6; 4 is recommended:
MaxAuthTries 4

Ensure that the rsyslog service is enabled | Security audit
Description:
Ensure that the rsyslog service is enabled so that logs are available for auditing.
Reinforcement recommendations:
Run the following commands to enable and start the rsyslog service:
systemctl enable rsyslog
systemctl start rsyslog

Ensure that SSH LogLevel is set to INFO | Service configuration
Description:
Make sure SSH LogLevel is set to INFO so that login and logout activity is logged.
Reinforcement recommendations:
Edit /etc/ssh/sshd_config and set the following parameter (uncomment it if necessary):
LogLevel INFO

Permission settings for the access control configuration files | File permissions
Description:
Set the ownership and permissions of the access control configuration files.
Reinforcement recommendations:
Run the following four commands:
chown root:root /etc/hosts.allow
chown root:root /etc/hosts.deny
chmod 644 /etc/hosts.deny
chmod 644 /etc/hosts.allow

Set the permissions of the user account and group files | File permissions
Description:
Set the ownership and permissions of the user account and group files.
Reinforcement recommendations:
Run the following five commands:
chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
chmod 0644 /etc/group
chmod 0644 /etc/passwd
chmod 0400 /etc/shadow
chmod 0400 /etc/gshadow

Enable address space layout randomization
Description:
Randomizes the memory address layout of processes, making target addresses harder to predict and reducing the chance that an attack against a process succeeds.
Reinforcement recommendations:
Set the following parameter in /etc/sysctl.conf or in a file under /etc/sysctl.d/:
kernel.randomize_va_space = 2
Then run the following command to apply it immediately:
sysctl -w kernel.randomize_va_space=2

Ensure that root is the only account with UID 0 | Authentication
Description:
Any user other than root whose UID is 0 should be deleted or assigned a new UID.
Reinforcement recommendations:
Users other than root whose UID is 0 can be listed with the following command:
cat /etc/passwd | awk -F: '($3 == 0) {print $1}' | grep -v '^root$'
Any account listed should be deleted or assigned a new UID.
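The items above are a checklist, and the natural companion is a read-only audit that evaluates each of them against the ranges given: the login.defs ageing parameters, the pwquality limits, the pam_unix remember value, the sshd_config directives, the ASLR sysctl, and the two account checks (empty passwords and extra UID 0 accounts). The script below is an added example, not part of the original article or of Aliyun's baseline checker. Function names are invented for it, and it audits constructed sample files in a temporary directory rather than the live /etc; the kv_value parser accepts both the "KEY VALUE" form used by login.defs and sshd_config and the "KEY = VALUE" form used by pwquality.conf and sysctl, and a commented-out directive is reported as unset rather than as its default.

```shell
#!/bin/sh
# Added example: read-only audit of the baseline items against the ranges the
# checklist gives. Paths are parameters, so the checks run here against
# constructed sample files rather than the live /etc.

# kv_value FILE KEY: first active value of KEY, accepting both "KEY VALUE"
# (login.defs, sshd_config) and "KEY = VALUE" (pwquality.conf, sysctl.conf);
# comments and blank lines are ignored, so a commented default counts as unset.
kv_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]*/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)
            n = split(line, f, "[ \t]+")
            if (n >= 2 && tolower(f[1]) == tolower(key)) { print f[2]; exit }
        }' "$1"
}

# pam_remember FILE: value of remember= on the pam_unix.so password line
pam_remember() {
    awk '$1 == "password" && $2 == "sufficient" && $3 == "pam_unix.so" {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^remember=/) { sub(/^remember=/, "", $i); print $i; exit }
         }' "$1"
}

# in_range VALUE MIN MAX: true when VALUE is an integer within [MIN, MAX]
in_range() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

check_range() {   # check_range NAME VALUE MIN MAX
    if in_range "$2" "$3" "$4"; then echo "PASS $1=$2"
    else echo "FAIL $1=${2:-unset} (expected $3-$4)"; fi
}

check_equals() {  # check_equals NAME VALUE EXPECTED (case-insensitive)
    if [ "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]
    then echo "PASS $1=$2"; else echo "FAIL $1=${2:-unset} (expected $3)"; fi
}

# The two account checks from the checklist, as functions over a file
uid0_accounts()           { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }
empty_password_accounts() { awk -F: '$2 == "" { print $1 }' "$1"; }

# audit DIR: one PASS/FAIL line per item; DIR holds the files to inspect
audit() {
    d=$1
    check_range PASS_MAX_DAYS "$(kv_value "$d/login.defs" PASS_MAX_DAYS)" 60 180
    check_range PASS_MIN_DAYS "$(kv_value "$d/login.defs" PASS_MIN_DAYS)" 7 14
    check_range PASS_WARN_AGE "$(kv_value "$d/login.defs" PASS_WARN_AGE)" 7 14
    check_range minlen   "$(kv_value "$d/pwquality.conf" minlen)" 9 32
    check_range minclass "$(kv_value "$d/pwquality.conf" minclass)" 3 4
    check_range remember "$(pam_remember "$d/system-auth")" 5 24
    check_equals Protocol "$(kv_value "$d/sshd_config" Protocol)" 2
    check_range ClientAliveInterval "$(kv_value "$d/sshd_config" ClientAliveInterval)" 300 900
    check_range ClientAliveCountMax "$(kv_value "$d/sshd_config" ClientAliveCountMax)" 0 3
    check_range MaxAuthTries "$(kv_value "$d/sshd_config" MaxAuthTries)" 3 6
    check_equals LogLevel "$(kv_value "$d/sshd_config" LogLevel)" INFO
    check_equals PermitEmptyPasswords "$(kv_value "$d/sshd_config" PermitEmptyPasswords)" no
    check_equals kernel.randomize_va_space "$(kv_value "$d/sysctl.conf" kernel.randomize_va_space)" 2
    for u in $(uid0_accounts "$d/passwd"); do echo "FAIL extra UID 0 account: $u"; done
    for u in $(empty_password_accounts "$d/shadow"); do echo "FAIL empty password: $u"; done
}

# make_samples: constructed sample files (not copied from any real host); two
# settings are deliberately wrong, two are only present as comments, and the
# passwd/shadow samples contain one offending account each.
make_samples() {
    dir=$(mktemp -d)
    printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t7\nPASS_WARN_AGE\t7\n' > "$dir/login.defs"
    printf '# minclass = 3\nminlen = 10\n' > "$dir/pwquality.conf"
    printf 'password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5\n' > "$dir/system-auth"
    printf 'Protocol 2\nClientAliveInterval 600\nClientAliveCountMax 2\n#MaxAuthTries 6\nLogLevel INFO\nPermitEmptyPasswords no\n' > "$dir/sshd_config"
    printf 'kernel.randomize_va_space = 2\n' > "$dir/sysctl.conf"
    printf 'root:x:0:0:root:/root:/bin/bash\ntoor:x:0:0::/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n' > "$dir/passwd"
    printf 'root:$6$constructed$hash:19000:0:99999:7:::\nalice::19000:0:99999:7:::\nbob:!!:19000:0:99999:7:::\n' > "$dir/shadow"
    echo "$dir"
}

audit "$(make_samples)"
```

On the sample data the audit reports five FAIL lines (PASS_MAX_DAYS out of range, minclass and MaxAuthTries unset because they are only present as comments, the extra UID 0 account toor, and alice with an empty password field) and PASS for everything else. To run it against a real host, copy the six files into a directory and pass that directory to audit; kv_value reads the first active occurrence of a key, which is what sshd honours, so a directive repeated later in sshd_config does not mask a bad first value.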
© 2024 shulou.com SLNews company. All rights reserved.