This came out of a work task: it is China Mobile Group's current security compliance standard for Linux hosts. I took some time to organise it and look up what each configuration means, so as to know not only what to set but also why. A good memory is no match for a bad pen.
1. Check the FTP configuration: restrict which users may log in via FTP
Control the default access permissions of the FTP process: when a new file or directory is created through the FTP service, the permissions that should not be granted must be masked out.
Operation:
(1) vsftpd:
# vi /etc/vsftpd/vsftpd.conf   manually set userlist_enable=YES
This restricts access for the users listed in the /etc/vsftpd/user_list file.
# vi /etc/pam.d/vsftpd
Change the path after file= to /etc/ftpusers
# vi /etc/ftpusers   manually add users
This file holds the local user accounts that are not allowed to log in via FTP; it is vsftpd's user blacklist.
(2) pure-ftpd:
# vi /etc/pam.d/pure-ftpd
Change the path after file= to /etc/ftpusers
# vi /etc/ftpusers   manually add users
2. Check whether the SSH protocol version has serious security issues
Change the SSH protocol version to 2. SSH protocol 1 has serious security issues; passwords can even be intercepted.
Operation:
# vi /etc/ssh/sshd_config   manually set Protocol to 2
3. Check the password lockout policy
For devices using static-password authentication, the account should be locked after more than 6 consecutive authentication failures (6 failures do not yet trigger the lock).
Operation:
/etc/pam.d/common-auth (preferred) or /etc/pam.d/passwd
Manually add the following line:
auth required pam_tally.so onerr=fail deny=6 unlock_time=300    (SuSE 9)
auth required pam_tally2.so onerr=fail deny=6 unlock_time=300   (later SuSE versions)
4. Check whether account operations are logged
The device should have logging configured to record users' operations on it, including but not limited to: account creation, deletion and permission changes; password changes; reading and modifying the device configuration; and reading and modifying business users' call records, identity data and other communication-privacy data. Each record should include the user account, the total number of commands executed, the operation time and the operation content.
Operation:
cd /home/boco4a/
ftp 10.212.41.120                 // log in to the FTP server, account sec/[email protected]#$
ls
get acct*.rpm                     // fetch the acct*.rpm package
bye
ls
rpm -ivh acct*.rpm                // install the acct software, then run the following commands
touch /var/adm/pacct              // create the file that holds the audit log
/usr/sbin/accton /var/adm/pacct   // turn on accounting
/etc/init.d/acct restart          // start
/etc/init.d/acct stop             // stop
5. Check whether unrelated accounts have been deleted or locked
Accounts unrelated to the operation and maintenance of the device should be removed or locked.
Operation:
cat /etc/passwd
passwd -l <user>               // lock the user
usermod -s /bin/false games
usermod -s /bin/false nobody   // -s is --shell: with an invalid shell the user cannot log in but can still serve other functions, such as sending mail or accessing shared resources.
6. Check whether a compiler is installed (it belongs only on the machines that develop the system)
Remove all compilers and assemblers. A C compiler is a credible threat to the system: it should be installed on the machines used to develop the system, not on a production application system.
Operation:
# rpm -e <package name>   // uninstall the compiler package
7. Check whether the password policy meets the complexity requirements
For devices using static-password authentication, the password must be at least 8 characters long and contain characters from at least 2 of the 4 classes: digits, lowercase letters, uppercase letters and special symbols.
Operation:
password required pam_cracklib.so minlen=8 lcredit=-1 dcredit=-1 ocredit=-1
minlen: password length; lcredit: lowercase letters; dcredit: digits; ocredit: special characters
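The following is an added example, not part of the compliance document: it checks a candidate password against the policy as stated above (8 characters, 2 of 4 classes) and, separately, against what the pam_cracklib line above actually enforces. In pam_cracklib a negative credit value is a minimum count, so lcredit=-1 dcredit=-1 ocredit=-1 demands at least one lowercase letter, one digit and one special character, which is stricter than "any 2 of 4 classes". The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the compliance document: check a candidate
# password against the policy stated in check 7 (at least 8 characters,
# at least 2 of the 4 classes), and separately against what the page's
# pam_cracklib line actually demands. All function names are my own.

# count_classes PASSWORD -> prints how many of the 4 classes (digits,
# lowercase, uppercase, special) occur in PASSWORD
count_classes() {
    n=0
    case "$1" in *[[:digit:]]*) n=$((n + 1)) ;; esac
    case "$1" in *[[:lower:]]*) n=$((n + 1)) ;; esac
    case "$1" in *[[:upper:]]*) n=$((n + 1)) ;; esac
    case "$1" in *[![:alnum:]]*) n=$((n + 1)) ;; esac
    echo "$n"
}

# policy_ok PASSWORD -> 0 when the stated policy is met, 1 otherwise
policy_ok() {
    [ "${#1}" -ge 8 ] || return 1
    [ "$(count_classes "$1")" -ge 2 ] || return 1
    return 0
}

# cracklib_line_ok PASSWORD -> models "minlen=8 lcredit=-1 dcredit=-1
# ocredit=-1": a negative credit is a minimum count, so this line requires
# at least one lowercase letter, one digit and one special character
# (cracklib's length-credit arithmetic is ignored here).
cracklib_line_ok() {
    [ "${#1}" -ge 8 ] || return 1
    case "$1" in *[[:lower:]]*) ;; *) return 1 ;; esac
    case "$1" in *[[:digit:]]*) ;; *) return 1 ;; esac
    case "$1" in *[![:alnum:]]*) ;; *) return 1 ;; esac
    return 0
}

# report PASSWORD -> one line summarising both checks
report() {
    policy=FAIL; cracklib=FAIL
    policy_ok "$1" && policy=PASS
    cracklib_line_ok "$1" && cracklib=PASS
    echo "classes=$(count_classes "$1") policy=$policy cracklib_line=$cracklib"
}

report 'Abcdefgh'   # classes=2 policy=PASS cracklib_line=FAIL
report 'abcdef1!'   # classes=3 policy=PASS cracklib_line=PASS
```

The two sample passwords show the gap: "Abcdefgh" satisfies the written policy but would be rejected by the PAM line, so whichever of the two is the real requirement, the other should be adjusted to match.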
8. Check the password lifetime requirement
For devices using static-password authentication, the lifetime of the account passwords used by maintenance staff must not exceed 90 days.
Operation:
# vi /etc/login.defs   manually set PASS_MAX_DAYS to 90
9. Check the password reuse limit
For devices using static-password authentication, the device should be configured so that users cannot reuse any of their last 5 passwords (5 inclusive).
Operation:
# vi /etc/pam.d/passwd (SuSE 9)
# vi /etc/pam.d/common-password (later SuSE versions)
Manually add the following line:
password required pam_pwcheck.so remember=5
10. Check the log file permission settings
The device should configure permissions that control reading, modifying and deleting log files.
Operation:
ps -ef | grep syslog          // identify which syslog daemon is in use
chmod 640 /etc/rsyslog.conf   // set 640 permissions on the log configuration file
11. Check whether accounts are managed by role
According to the system's requirements and the users' business needs, create several account groups and assign each user account to the corresponding group.
Operation:
# groupadd -g <new group id> smpadm   // the new group ID should match the new user ID, preferably greater than 1000
# useradd -d /home/smpadm -m -u <new user id> -G smpadm smpadm
This adds the smpadm management user and group.
12. Check whether accounts are assigned to individual people
Accounts should be assigned per user. Avoid sharing an account among different users, and avoid sharing between user accounts and the accounts used for communication between devices.
Operation (as above):
# groupadd -g <new group id> smpadm
# useradd -d /home/smpadm -m -u <new user id> -G smpadm smpadm
This adds the smpadm management user and group.
13. Check whether inactive sessions are disconnected
Users are disconnected when inactive.
Operation:
# vi /etc/ssh/sshd_config   manually modify
ClientAliveCountMax 0
ClientAliveInterval 300
ClientAliveInterval specifies the interval at which the server sends keepalive request messages to the client; the default is 0, meaning none are sent. ClientAliveInterval 60 means a request is sent every minute, and the client responds so that the connection stays up. ClientAliveCountMax is the number of requests the client may leave unanswered before the server disconnects it.
The settings above disconnect a client after 300 seconds without a response, with no retries; they can also be written as:
ClientAliveCountMax 3
ClientAliveInterval 100
14. Check whether use of su is logged
The device should configure logging to record users' use of the su command, including failed attempts.
Operation:
# vi /etc/syslog.conf   manually add the following
auth.info    /var/adm/authlog
# vi /etc/rsyslog.conf   manually add the following
auth.info    /var/adm/authlog
# vi /etc/syslog-ng/syslog-ng.conf   manually add the following
filter f_messages { level(info,notice,warn) and not facility(auth,authpriv,cron,daemon,mail,news); };
15. Check whether security events are logged
The device should configure logging to record security events related to the device.
Operation:
# vi /etc/syslog.conf   manually add the following
*.info;*.err;auth.info    /var/log/auth.log
# vi /etc/rsyslog.conf   manually add the following
*.info;*.err;auth.info    /var/log/auth.log
# vi /etc/syslog-ng/syslog-ng.conf   manually add the following
filter f_messages { level(info,notice,warn) and not facility(auth,authpriv,cron,daemon,mail,news); };
16. Check whether account logins are logged
The device should configure logging to record user logins, including the account used, whether the login succeeded, the login time and, for remote logins, the IP address used.
Operation:
# vi /etc/syslog.conf   manually add the following
auth.info    /var/adm/authlog
# vi /etc/rsyslog.conf   manually add the following
auth.info    /var/adm/authlog
# vi /etc/syslog-ng/syslog-ng.conf   manually add the following
filter f_messages { level(info,notice,warn) and not facility(auth,authpriv,cron,daemon,mail,news); };
17. Check whether ICMP redirects are disabled
The host should reject ICMP redirects and use static routing.
Operation:
# vi /etc/sysctl.conf
Manually add net.ipv4.conf.all.accept_redirects = 0
18. Check whether logging options are configured
Applications and services running on the system, such as cron, should also have appropriate logging options configured.
Operation:
# vi /etc/syslog.conf   manually add the following
cron.*    /var/log/cronlog
# vi /etc/rsyslog.conf   manually add the following
cron.*    /var/log/cronlog
# vi /etc/syslog-ng/syslog-ng.conf   manually add the following
filter f_cron { facility(cron); };
destination cron { file("/var/log/cronlog"); };
log { source(src); filter(f_cron); destination(cron); };
19. Check whether remote log storage is configured
The device should configure remote logging so that the log content requiring attention is sent to the log server.
Operation:
# vi /etc/syslog.conf   manually add the following
*.*    @192.168.0.1
# vi /etc/rsyslog.conf   manually add the following
*.*    @192.168.0.1
# vi /etc/syslog-ng/syslog-ng.conf   manually add the following
filter f_auth { level(info) and facility(auth); };
destination d_auth { udp("10.0.3.232" port(514)); };
log { source(src); filter(f_auth); destination(d_auth); };
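Checks 14 to 16, 18 and 19 all come down to the same question: does a given facility reach a log destination, and is at least one destination a remote host? The script below is an added example, not part of the compliance document, that answers it for classic syslog.conf / rsyslog.conf selector lines. The configuration text is constructed from the lines the checks add, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the compliance document: parse classic
# syslog.conf / rsyslog.conf selector lines ("facility.priority  action")
# and report whether the auth and cron facilities reach a destination and
# whether a remote log host is configured. Sample config is constructed.

# Constructed syslog.conf built from the lines the document adds.
SAMPLE_SYSLOG_CONF='# constructed sample
auth.info               /var/adm/authlog
cron.*                  /var/log/cronlog
*.info;*.err;auth.info  /var/log/auth.log
*.*                     @192.168.0.1
'

# syslog_targets CONF FACILITY -> prints the action of every rule that
# receives FACILITY: a selector matches when its facility list names the
# facility or "*", unless another selector on the same line uses priority
# "none" for it (e.g. "*.info;auth.none" excludes auth).
syslog_targets() {
    printf '%s\n' "$1" | awk -v fac="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        {
            hit = 0; excluded = 0
            n = split($1, sels, ";")
            for (i = 1; i <= n; i++) {
                split(sels[i], fp, ".")
                m = split(fp[1], facs, ",")
                for (j = 1; j <= m; j++) {
                    if (facs[j] != fac && facs[j] != "*") continue
                    if (fp[2] == "none") excluded = 1; else hit = 1
                }
            }
            if (hit && !excluded) print $2
        }'
}

# syslog_remote CONF -> prints the host of every "@host" / "@@host" action
syslog_remote() {
    printf '%s\n' "$1" | awk '
        NF == 0 || $1 ~ /^#/ { next }
        $2 ~ /^@/ { sub(/^@@?/, "", $2); print $2 }'
}

# syslog_audit CONF -> one PASS/FAIL line per requirement; returns the
# number of failures
syslog_audit() {
    fails=0
    for fac in auth cron; do
        if [ -n "$(syslog_targets "$1" "$fac")" ]; then
            echo "PASS $fac is logged"
        else
            echo "FAIL $fac has no destination"; fails=$((fails + 1))
        fi
    done
    if [ -n "$(syslog_remote "$1")" ]; then
        echo "PASS remote log host: $(syslog_remote "$1" | head -n 1)"
    else
        echo "FAIL no remote log host"; fails=$((fails + 1))
    fi
    return $fails
}

syslog_audit "$SAMPLE_SYSLOG_CONF"
```

The "none" handling matters in practice: a distribution default such as "*.info;auth.none /var/log/messages" deliberately keeps auth out of the general log, so a naive search for "*.info" would wrongly report auth as covered. syslog-ng configurations use a different grammar and are not parsed here.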
20. Check whether SSH is used instead of the Telnet service
Devices maintained remotely over IP should be configured to use an encrypted protocol such as SSH.
Operation:
# service sshd start
# kill <telnet service process id>   // find the process id with: netstat -anp | more
21. Check whether root login is restricted
Restrict remote login by accounts with superuser privileges. To perform administrator operations remotely, first log in as a user with normal privileges, then switch to the superuser account and carry out the operation.
Operation:
# vi /etc/ssh/sshd_config   manually set PermitRootLogin to no   // disallow remote root login over SSH
# vi /etc/securetty   manually comment out the entries containing pts   // pts is the pseudo-tty slave, the slave side of a pseudo terminal
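Checks 2, 13 and 21 are all sshd_config directives, so one audit can cover them. The script below is an added example, not part of the compliance document: it reads the effective value of each directive from a constructed config text the way sshd does (first occurrence wins, comments ignored, names case-insensitive) and grades the result. One caveat a practitioner should know: the current sshd_config(5) manual states that ClientAliveCountMax 0 disables connection termination, so the example reports the "CountMax 0 / Interval 300" form from check 13 as having no idle timeout and accepts the "CountMax 3 / Interval 100" form. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the compliance document: read the effective
# values of the sshd_config directives from checks 2, 13 and 21 out of a
# constructed config text and grade them. Function names are my own.

# Constructed sshd_config (not taken from any real host).
SAMPLE_SSHD_CONFIG='# constructed sample
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
ClientAliveInterval 100
ClientAliveCountMax 3
'

# sshd_value CONF DIRECTIVE -> the effective value: sshd takes the first
# occurrence of a directive, ignores comment lines and matches the name
# case-insensitively.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == key { print $2; exit }'
}

# sshd_idle_timeout CONF -> seconds an unresponsive client survives
# (ClientAliveInterval * ClientAliveCountMax), or "none" when no keepalive
# is sent. Current OpenSSH documents ClientAliveCountMax 0 as "never
# disconnect", so that is reported as "none" too.
sshd_idle_timeout() {
    interval=$(sshd_value "$1" ClientAliveInterval)
    count=$(sshd_value "$1" ClientAliveCountMax)
    : "${interval:=0}" "${count:=3}"     # OpenSSH defaults
    if [ "$interval" -eq 0 ] || [ "$count" -eq 0 ]; then
        echo none
    else
        echo $(( interval * count ))
    fi
}

# sshd_audit CONF -> PASS/FAIL line per check; returns the number of failures
sshd_audit() {
    fails=0
    proto=$(sshd_value "$1" Protocol)
    if [ "${proto:-2}" = "2" ]; then      # absent means protocol 2 only
        echo "PASS Protocol 2"
    else
        echo "FAIL Protocol=$proto"; fails=$((fails + 1))
    fi
    root=$(sshd_value "$1" PermitRootLogin)
    if [ "$root" = "no" ]; then
        echo "PASS PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin=${root:-unset}"; fails=$((fails + 1))
    fi
    idle=$(sshd_idle_timeout "$1")
    if [ "$idle" != none ] && [ "$idle" -le 300 ]; then
        echo "PASS idle clients dropped after ${idle}s"
    else
        echo "FAIL idle timeout is $idle"; fails=$((fails + 1))
    fi
    return $fails
}

sshd_audit "$SAMPLE_SSHD_CONFIG"
```

Run it against a real file with sshd_audit "$(cat /etc/ssh/sshd_config)"; for a full picture use "sshd -T", which prints the effective configuration after Match blocks and defaults have been applied.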
22. Check the users' default umask
Control users' default access permissions: when a new file or directory is created, the permissions that should not be granted must be masked out, so that users in the same group and in other groups cannot modify the user's files (or stricter).
Operation:
# vi /etc/profile   manually add the following
umask 027
/etc/profile holds the system-wide environment settings that affect all users; it is executed when a user logs in, and it also pulls in the shell settings from the configuration files in the /etc/profile.d directory.
The umask value sets the default permissions a user gets when creating a file: whenever a directory or file is created, its default permissions are determined by the umask. A umask has 4 octal digits; the first defines special permissions and is generally ignored, and the last 3 digits relate to the ordinary permissions.
The default umask for root is 0022 and for a normal user 0002. Run the umask command to view the current user's umask value.
For root the umask is 022. When root creates a directory, the default permission is the maximum 777 with the umask's digits removed at the corresponding positions: nothing is removed for the owner, the w permission is removed for the group and the w permission is removed for others, so the directory's default permission is 755. When root creates a file, the umask is removed from the maximum 666 in the same way, so the file's default permission is 644.
Common umask values and the resulting directory and file permissions:
umask   directory   file
022     755         644
027     750         640
002     775         664
006     771         660
007     770         660
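The arithmetic behind the table can be written as a small shell function. This is an added example, not part of the compliance document: it derives the directory and file permissions for any umask from the 777 and 666 bases and adds a check that a umask actually withholds write access from group and others. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the compliance document: compute the default
# permissions a umask yields (the table in check 22) and check that a umask
# withholds write access from group and others. Function names are my own.

# umask_perms UMASK KIND -> default octal mode for KIND: "dir" starts from
# 777, "file" from 666, and every bit set in the umask is cleared.
umask_perms() {
    case "$2" in
        dir)  base=511 ;;   # octal 777
        file) base=438 ;;   # octal 666
        *) echo "kind must be dir or file" >&2; return 1 ;;
    esac
    # A leading 0 makes the shell read the value as octal; "& 511" keeps the
    # last three digits, dropping the special-permission digit the text says
    # is normally ignored.
    m=$(( 0$1 & 511 ))
    printf '%03o\n' $(( base & ~m ))
}

# umask_table -> reproduces the document's table for common umask values
umask_table() {
    printf 'umask  directory  file\n'
    for u in 022 027 002 006 007; do
        printf '%s    %s        %s\n' "$u" "$(umask_perms "$u" dir)" "$(umask_perms "$u" file)"
    done
}

# umask_hardened UMASK -> 0 when both the group-write and other-write bits
# (octal 022) are masked, so no other user can modify new files by default
umask_hardened() {
    [ $(( 0$1 & 18 )) -eq 18 ]
}

umask_table
```

Note that 007, the last row of the table, fails the hardening check: it removes everything from "others" but still lets group members write, which is exactly what the 027 setting in this check is meant to prevent.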
23. Check the account file permission settings
Within what the device's permission configuration allows, configure the minimum permissions required by the user's business needs.
Operation:
# chmod 644 /etc/passwd
# chmod 400 /etc/shadow
# chmod 644 /etc/group
/etc/passwd: the file storing user information; its 7 fields are as follows:
username:password:UID:GID:user description:home directory:login shell
/etc/shadow: the shadow file for passwd.
In Linux the password file is /etc/passwd; early versions stored the encrypted password directly in it, the first two characters being the random "salt" followed by the encrypted password. For security, Linux now provides the shadow file /etc/shadow: passwords are placed there, and it is readable only by root.
Its 9 fields are as follows:
1. Username: the password has to correspond to an account, so the first column of this file is the account name, which must match /etc/passwd.
2. Password: this is the real password, in encoded form; you will only see letters and some special symbols. Note that although these encrypted passwords are hard to crack, "hard" does not mean "impossible", so the default mode of this file is -rw------- or -r--------, i.e. only root can read and write it. Be careful not to change this file's permissions by accident. Also, if the first character of the password field is * or !, the account cannot be used to log in. So if one day a user misbehaves, you can put a * in front of his password field in this file and he will not be able to use the account until you turn it back on.
3. Date of the last password change: this field records the day the password was changed, but it looks odd (12959 in my case). That is because Linux counts dates from January 1, 1970 as day 1 (January 1, 1971 is day 366), so the date is cumulative; for example, January 1, 2005 is 12784.
4. Minimum days before the password can be changed: the fourth field records how many days after setting the password the account must wait before changing it again. 0 means it can be changed at any time. The restriction exists to stop someone changing the password and then changing it straight back; if set to 20, the password cannot be changed within 20 days of setting it.
5. Maximum days before the password must be changed: this field exists for fear that a stolen password could compromise the whole system. You must reset the password within this period, or the account expires temporarily. A value like the 99999 above means the password never needs to be re-entered; for security it is better to set a period and strictly require users to change their password.
6. Warning days before password expiry: when the account's password is about to expire (the "must change password" deadline above), the system uses this field to warn the account: "your password will expire in N days, please reset it as soon as possible". In the example above the system warns the user within 7 days of expiry.
7. Password grace period: if the user still has not changed the password after the warning period, so that it expires (i.e. the password had to be changed before the deadline and was not), the password becomes "invalid". This field gives the number of days during which that expired password can still be used to log in; if it is still not changed after that, the account expires and can no longer log in.
8. Account expiry date: like the third field, this is the number of days since 1970. The account can no longer be used after this date. It is typically used in paid-service systems, where a date can be set after which the account stops working.
9. Reserved: the last field is reserved for future features.
/etc/group: stores user group information; its 4 fields are as follows:
1. Group name: the name of the user group, made up of letters or digits. As with login names in /etc/passwd, group names must not be duplicated.
2. Password: holds the encrypted group password. User groups on ordinary Linux systems have no password, so this field is generally empty or *.
3. Group ID (GID): similar to the user ID, an integer used internally by the system to identify the group.
4. Group member list: the list of all users belonging to this group, separated by commas. The group may be a user's primary group or a supplementary group.
Take root:x:0:root,linuxsir as an example: the group name is root; x is the password field, meaning no password is set; the GID is 0; and the root group contains root, linuxsir and any other users whose GID is 0.
24. Check the password lifetime of application communication accounts
The password expiry of the postgres, oracle and sybase accounts configured in /etc/shadow must be at most 180 days.
Operation:
# vi /etc/shadow   manually change the 5th field of these users to 180.
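Checks 8, 23 and 24 all read the same file, so one script can verify them. The following is an added example, not part of the compliance document: it parses constructed /etc/shadow lines, grades the 5th field (maximum password age) against a limit for a set of account names, recognises the "!" / "*" lock marker described under check 23, and converts a days-since-1970 value such as the 12784 quoted above into a calendar date without relying on the date command. The sample entries use placeholder hashes and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the compliance document: parse constructed
# /etc/shadow lines and check the 5th field (maximum password age) against
# the limits in checks 8 and 24, plus the lock marker described under check
# 23. Sample data and function names are my own.

# Constructed shadow entries (hashes are placeholders, not real).
SAMPLE_SHADOW='root:$6$placeholder:19000:0:90:7:::
oracle:$6$placeholder:18500:0:99999:7:::
postgres:$6$placeholder:18900:0:180:7:::
sybase:!:18000:0:::::
games:*:17000:0:99999:7:::'

# shadow_max_age SHADOW LIMIT PATTERN -> "user:maxdays:PASS|FAIL" for every
# account whose name matches the extended regex PATTERN; an empty field 5
# (password never expires) fails too. Returns the number of failures.
shadow_max_age() {
    printf '%s\n' "$1" | awk -F: -v limit="$2" -v pat="$3" '
        $1 ~ ("^(" pat ")$") {
            max = $5
            if (max == "" || max + 0 > limit) {
                print $1 ":" (max == "" ? "unset" : max) ":FAIL"; n++
            } else {
                print $1 ":" max ":PASS"
            }
        }
        END { exit n + 0 }'
}

# shadow_locked SHADOW USER -> 0 if USER's password field starts with "!" or
# "*" (login disabled), 1 if not, 2 if USER is absent
shadow_locked() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        $1 == u { found = 1; rc = ($2 ~ /^[!*]/) ? 0 : 1 }
        END { exit (found ? rc : 2) }'
}

# shadow_days_to_date DAYS -> the calendar date for a days-since-1970-01-01
# value (fields 3 and 8), computed in pure shell arithmetic from the
# proleptic Gregorian calendar (day 0 is 1970-01-01).
shadow_days_to_date() {
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    m=$(( mp < 10 ? mp + 3 : mp - 9 ))
    y=$(( yoe + era * 400 + (m <= 2) ))
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

echo "== application accounts, limit 180 days =="
shadow_max_age "$SAMPLE_SHADOW" 180 'postgres|oracle|sybase' || true
echo "== all accounts, limit 90 days =="
shadow_max_age "$SAMPLE_SHADOW" 90 '.*' || true
```

In the sample, sybase is locked but has no maximum age at all; the check still flags it, because a locked account whose lock is later removed would silently inherit a never-expiring password. The page's PASS_MAX_DAYS setting in check 8 only applies to accounts created afterwards, which is why auditing the 5th field of existing entries is worthwhile.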
24 Security compliance settings for Linux machines