Best practices for Linux security hardening
Security in enterprise IT systems never goes out of date. An enterprise should build IT systems that fit its business needs from the start, and keeping those systems running securely throughout their lifecycle is an important task. For system operations and maintenance staff, ensuring the secure and stable operation of the system is the core responsibility.
This post therefore provides a concrete hardening script and baseline-check items for Linux systems, for reference by host maintenance staff.
The script implements the following functions:
* Hardening items: password length, session timeout, deletion of unused accounts and groups, and preventing the root user from logging in directly via telnet, rlogin and ssh.
* Check whether any user other than root has UID 0; make sure the root user's PATH contains no current-directory (".") entry and, unless required, no directory with mode 777.
* Check the umask settings of Linux users, check the permissions of important directories and files, prohibit su by users other than root, and find directories that anyone can write to.
* Find files with no owner, find hidden files, check whether logging and auditing are compliant, set a login timeout, and disable unnecessary services.
* The script targets Red Hat Enterprise Linux and CentOS 5.8 through 6.2 (SysV init with chkconfig/service).
The details follow. The script must run as root and edits files under /etc in place (it backs up each file it rewrites), so review every section and apply the system-level hardening according to your business needs:
#!/bin/bash
#1 ---------------------------------------------------------------------
echo "deleting unused accounts and groups"
echo "delete unused users and groups"
# userdel/groupdel print an error for names that are already absent; that is harmless
for i in lp sync shutdown halt news uucp operator games gopher
do
    echo "will delete user $i"
    userdel $i
    echo "user $i has been deleted"
done
for i in lp sync shutdown halt news uucp operator games gopher
do
    echo "will delete group $i"
    groupdel $i
    echo "group $i has been deleted"
done
date=`date +%F`
#2 ---------------------------------------------------------------------
# Section 1: the password length must be at least 8 and passwords expire after 90 days (/etc/login.defs)
#---------------------------------------------------------------------
echo "cp /etc/login.defs to /etc/login.defs.bak_$date"
echo "#-------------------------------------"
cp /etc/login.defs /etc/login.defs.bak_$date
# echo "Check password configuration"
echo "Check the configuration for users' passwords."
echo "#-------------------------------------"
for i in PASS_MAX_DAYS PASS_MIN_LEN PASS_MIN_DAYS PASS_WARN_AGE
do
    cat /etc/login.defs | grep $i | grep -v \#
done
# Set password min length 8
echo "#-------------------------------------"
echo "Set users' password min length to 8"
# assumes the stock value "PASS_MIN_LEN 5"; the substitution rewrites every 5 on that line
sed -i '/PASS_MIN_LEN/s/5/8/g' /etc/login.defs
echo "#-------------------------------------"
# Set password max days 90
# echo "set password expiry to 90 days"
# sed -i '/PASS_MAX_DAYS/s/99999/90/g' /etc/login.defs
#3 ---------------------------------------------------------------------
echo "# Check for empty passwords"
echo "Check if there are users without a password!"
echo "#-------------------------------------"
awk -F: '($2 == "") {print $1}' /etc/shadow
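The checks of sections 2 and 3 as testable functions, added here as an example that is not part of the original post. The functions (check_login_defs, set_login_def and empty_password_accounts are names chosen for this example) take a file path so they can be exercised on the constructed sample files below rather than on the live /etc/login.defs and /etc/shadow; set_login_def rewrites the whole value of a key, which avoids the script's "s/5/8/" substitution turning a value such as 15 into 18.

```shell
#!/bin/sh
# Added example (not from the original post): audit a login.defs file against
# the baseline of sections 2 and 3 and list accounts whose shadow password field
# is empty. All inputs are constructed sample files, not real system data.

# check_login_defs FILE: print one line per key that misses the baseline
# (PASS_MIN_LEN >= 8, PASS_MAX_DAYS <= 90); return 0 only when both comply.
check_login_defs() {
    rc=0
    for spec in PASS_MIN_LEN:ge:8 PASS_MAX_DAYS:le:90; do
        key=${spec%%:*}; rest=${spec#*:}; op=${rest%%:*}; want=${rest#*:}
        # first uncommented occurrence; commented defaults start with "#", so $1 never equals the key
        cur=$(awk -v k="$key" '$1 == k {print $2; exit}' "$1")
        if [ -z "$cur" ]; then
            echo "$key is unset (want -$op $want)"; rc=1
        elif ! [ "$cur" "-$op" "$want" ]; then
            echo "$key is $cur (want -$op $want)"; rc=1
        fi
    done
    return $rc
}

# set_login_def FILE KEY VALUE: replace the value of an existing uncommented KEY
# line, or append the line when it is absent (rewrite via a temp file).
set_login_def() {
    awk -v k="$2" -v v="$3" '
        $1 == k { print k "\t" v; done = 1; next }
        { print }
        END { if (!done) print k "\t" v }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# empty_password_accounts SHADOWFILE: login names whose password field is empty
empty_password_accounts() {
    awk -F: '($2 == "") {print $1}' "$1"
}

# --- constructed sample files (mirroring stock RHEL/CentOS 5/6 values) ---
sample=$(mktemp -d)
cat > "$sample/login.defs" <<'EOF'
# constructed sample login.defs
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF
cat > "$sample/shadow" <<'EOF'
root:$6$constructed$notarealhash:15000:0:99999:7:::
svc-backup::15000:0:99999:7:::
alice:!!:15000:0:99999:7:::
EOF

echo "== before hardening =="
check_login_defs "$sample/login.defs" || echo "baseline not met"
echo "accounts with an empty password field:"
empty_password_accounts "$sample/shadow"

set_login_def "$sample/login.defs" PASS_MIN_LEN 8
set_login_def "$sample/login.defs" PASS_MAX_DAYS 90
echo "== after hardening =="
check_login_defs "$sample/login.defs" && echo "baseline met"
```

An account with an empty password field (svc-backup above) can log in with no password at all; a locked account shows "!!" or "*" instead, which is why the check tests for an exactly empty field rather than for "no hash".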
#4 ---------------------------------------------------------------------
# Section 2: restrict root from logging in directly via telnet or rlogin (this does not apply to ssh).
###### Recommended: configure CONSOLE=/dev/tty01 in the /etc/securetty file
#---------------------------------------------------------------------
# Accounts and passwords: check whether any user other than root has UID 0
# echo "# check whether there are other users with id 0 in the system"
echo "Check if the system has other users whose id is 0"
echo "#-------------------------------------"
# compare the whole name; "grep -v root" would also hide a name such as "rootkit"
mesg=`awk -F: '($3 == 0 && $1 != "root") {print $1}' /etc/passwd`
if [ -z "$mesg" ]
then
    echo "There are no other users with uid = 0"
else
    echo
    echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
    echo "$mesg uid = 0"
    echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
fi
#5 ---------------------------------------------------------------------
echo "# Make sure the root user's PATH contains no current-directory entry and, unless required, no directory with mode 777"
echo "check the PATH set for root, make sure the path for root has no '.' entry and no 777 rights"
echo "#-------------------------------------"
# a "." entry, an empty entry or a leading/trailing ":" all make the shell search the current directory
echo $PATH | egrep '(^|:)(\.|:|$)'
# directories in PATH that group or others can write to
find `echo $PATH | tr ':' ' '` -type d \( -perm -002 -o -perm -020 \) -ls
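The UID 0 and PATH checks of sections 4 and 5 as functions with explicit inputs, added as an example that is not part of the original post. extra_uid0_accounts, check_path_string and writable_path_dirs are names chosen here; the passwd file, the PATH strings and the two directories are constructed for the demonstration. Beyond the page's egrep, check_path_string also flags relative entries such as "bin", which are resolved against the current directory just like ".".

```shell
#!/bin/sh
# Added example (not from the original post): the UID 0 and PATH checks of
# sections 4 and 5 run on constructed inputs instead of the live system.

# extra_uid0_accounts PASSWDFILE: account names other than root with UID 0
extra_uid0_accounts() {
    awk -F: '($3 == 0 && $1 != "root") {print $1}' "$1"
}

# check_path_string PATH: report entries that make the shell search the current
# directory (".", an empty entry, a leading/trailing ":") and relative entries;
# return 1 if anything was reported
check_path_string() {
    rc=0
    if printf '%s\n' "$1" | grep -Eq '(^|:)(\.|:|$)'; then
        echo "PATH contains an explicit or implicit current-directory entry"; rc=1
    fi
    for entry in $(printf '%s\n' "$1" | tr ':' ' '); do
        case $entry in
            /*) ;;                                   # absolute: fine
            .)  ;;                                   # already reported above
            *)  echo "relative PATH entry: $entry"; rc=1 ;;
        esac
    done
    return $rc
}

# writable_path_dirs PATH: directories in PATH that group or others can write to;
# anyone with such access could plant a program that root later runs by name
writable_path_dirs() {
    for dir in $(printf '%s\n' "$1" | tr ':' ' '); do
        [ -d "$dir" ] && find "$dir" -maxdepth 0 -type d \( -perm -002 -o -perm -020 \)
    done
    return 0
}

# --- constructed sample data ---
sample=$(mktemp -d)
cat > "$sample/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:constructed second UID 0 account:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
EOF
mkdir -p "$sample/bin_ok" "$sample/bin_loose"
chmod 755 "$sample/bin_ok"
chmod 777 "$sample/bin_loose"

echo "UID 0 accounts besides root:"; extra_uid0_accounts "$sample/passwd"
echo "PATH check (good):"; check_path_string "/usr/sbin:/usr/bin:/bin" && echo "ok"
echo "PATH check (bad):";  check_path_string "/usr/bin:.:bin:/sbin:" || echo "-> fix PATH"
echo "writable PATH directories:"; writable_path_dirs "$sample/bin_ok:$sample/bin_loose"
```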
#6 ---------------------------------------------------------------------
echo "# Checking Linux remote connection settings"
echo "Check if the system has remote connection settings"
echo "#-------------------------------------"
find / -name .netrc
find / -name .rhosts
echo "Check umask settings for Linux users"
echo "Check the system users' umask setting"
echo "#-------------------------------------"
for i in /etc/profile /etc/csh.login /etc/csh.cshrc /etc/bashrc
do
    grep -H umask $i | grep -v "#"
done
################## Set umask to 027
#7 ---------------------------------------------------------------------
# echo "# Check the permissions of important directories and files"
# echo "Check the important files and directory rights"
echo "#-------------------------------------"
for i in /etc/rc.d/init.d /tmp /etc/inetd.conf /etc/passwd /etc/shadow /etc/group /etc/security /etc/services /etc/rc*.d
do
    ls -ld $i
done
while true
do
    echo -n "Please check if the output is OK? yes or no: "
    read i
    case $i in
        y|yes)
            break
            ;;
        n|no)
            echo "Please recheck the output!"
            echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
            continue
            ;;
        *)
            echo "please input yes or no"
            ;;
    esac
done
#8 ---------------------------------------------------------------------
# echo "# configure the script permissions under rc.d"
echo "Configure the script permissions (750) in the rc.d directory"
echo "#-------------------------------------"
chmod -R 750 /etc/rc.d/init.d/*
# chmod 755 /bin/su   # after this change only root can su: without the setuid bit, su fails for every other user
chmod 664 /var/log/wtmp
# chattr +a /var/log/messages
#9 ---------------------------------------------------------------------
echo "# Searching for SUID and SGID programs in the system"
echo "Find the files that have suid or sgid"
echo "#-------------------------------------"
# fstab entries whose fsck pass (field 6) is not 0 are the local filesystems
for PART in `grep -v '^#' /etc/fstab | awk '($6 != "0") {print $2}'`; do
    find $PART \( -perm -04000 -o -perm -02000 \) -type f -xdev -print | xargs ls -ld
done
while true
do
    echo -n "Please check if the output is OK? yes or no: "
    read i
    case $i in
        y|yes)
            break
            ;;
        n|no)
            echo "Please recheck the output!"
            echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
            continue
            ;;
        *)
            echo "please input yes or no"
            ;;
    esac
done
#10 ---------------------------------------------------------------------
echo "# Find directories in the system that anyone has write permission to"
echo "Find the directories everyone has write permission to"
echo "#-------------------------------------"
for PART in `awk '($3 == "ext2" || $3 == "ext3") {print $2}' /etc/fstab`; do
    # world-writable directories without the sticky bit (sticky ones, like /tmp, are expected)
    find $PART -xdev -type d \( -perm -0002 ! -perm -1000 \) -print | xargs ls -ld
done
while true
do
    echo -n "Please check if the output is OK? yes or no: "
    read i
    case $i in
        y|yes)
            break
            ;;
        n|no)
            echo "Please recheck the output!"
            echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
            continue
            ;;
        *)
            echo "please input yes or no"
            ;;
    esac
done
#11 ---------------------------------------------------------------------
# echo "# search for files in the system that anyone has write permission to"
echo "Find the files everyone has write permission to"
echo "#-------------------------------------"
for PART in `grep -v '^#' /etc/fstab | awk '($6 != "0") {print $2}'`; do
    find $PART -xdev -type f \( -perm -0002 ! -perm -1000 \) -print | xargs ls -ld
done
while true
do
    echo -n "Please check if the output is OK? yes or no: "
    read i
    case $i in
        y|yes)
            break
            ;;
        n|no)
            echo "Please recheck the output!"
            echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
            continue
            ;;
        *)
            echo "please input yes or no"
            ;;
    esac
done
#12 ---------------------------------------------------------------------
echo "# search for files without an owner in the system"
echo "Find files with no owner or no group in the system"
echo "#-------------------------------------"
for PART in `grep -v '^#' /etc/fstab | grep -v swap | awk '($6 != "0") {print $2}'`; do
    find $PART -nouser -o -nogroup | grep -v "vmware" | grep -v "dev" | xargs ls -ld
done
while true
do
    echo -n "Please check if the output is OK? yes or no: "
    read i
    case $i in
        y|yes)
            break
            ;;
        n|no)
            echo "Please recheck the output!"
            echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
            continue
            ;;
        *)
            echo "please input yes or no"
            ;;
    esac
done
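The find expressions of sections 9 to 12 wrapped as functions that scan a directory tree you pass in, added as an example that is not part of the original post. The function names and the temp-directory layout are constructed for this demonstration; the scan runs on that small tree rather than on every filesystem in /etc/fstab, which is what makes the expected results checkable. Ownerless files cannot be constructed without root, so unowned_files is expected to print nothing here.

```shell
#!/bin/sh
# Added example (not from the original post): the world-writable, SUID/SGID and
# ownerless-file scans of sections 9 to 12 as functions, exercised on a
# constructed directory tree in a temp dir. Output is sorted so it is stable.

# world_writable_dirs ROOT: directories anyone can write to, except sticky ones
# (in a sticky-bit directory such as /tmp users can only delete their own files)
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 | sort
}
# world_writable_files ROOT: regular files anyone can modify
world_writable_files() {
    find "$1" -xdev -type f -perm -0002 | sort
}
# setuid_setgid_files ROOT: programs that run with their owner's or group's privileges
setuid_setgid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) | sort
}
# unowned_files ROOT: paths whose uid or gid has no passwd/group entry
unowned_files() {
    find "$1" -xdev \( -nouser -o -nogroup \) | sort
}

# --- constructed sample tree ---
scan=$(mktemp -d)
mkdir -p "$scan/shared" "$scan/tmp" "$scan/opt/app"
chmod 777 "$scan/shared"                 # world-writable, no sticky bit -> reported
chmod 1777 "$scan/tmp"                   # world-writable with sticky bit, like /tmp -> not reported
chmod 755 "$scan/opt" "$scan/opt/app"
: > "$scan/opt/app/config.ini"; chmod 666 "$scan/opt/app/config.ini"   # world-writable file
: > "$scan/opt/app/helper";     chmod 4755 "$scan/opt/app/helper"      # setuid program
: > "$scan/opt/app/README";     chmod 644 "$scan/opt/app/README"       # ordinary file

echo "world-writable dirs (no sticky bit):"; world_writable_dirs "$scan"
echo "world-writable files:";                world_writable_files "$scan"
echo "setuid/setgid files:";                 setuid_setgid_files "$scan"
echo "ownerless paths (none expected here):"; unowned_files "$scan"
```

For a long listing on a real host, prefer `find ... -exec ls -ld {} +` over `find ... | xargs ls -ld`: the latter splits on whitespace, so a path containing a space is listed as two wrong paths.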
#13 ---------------------------------------------------------------------
### echo "# Searching for hidden files in the system"
# echo "Find hidden files in the system"
# echo "#-------------------------------------"
### disabled: errors out on Linux; exclude the files under /dev before re-enabling
#### find / -name \( "...*" -o "...*" -o ".xx" -o ".mail" \) -print -xdev
### find / -name "...*" -print -xdev | cat -v
# find / \( -name ".*" -o -name "...*" -o -name ".xx" -o -name ".mail" \) -xdev
# echo -n "If you have checked all the output files, are they correct? yes or no: "
# read i
# case $i in
#     y|yes)
#         break
#         ;;
#     n|no)
#         echo "Please recheck the output!"
#         echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
#         continue
#         ;;
#     *)
#         echo "please input yes or no"
#         ;;
# esac
##
#14 ---------------------------------------------------------------------
echo "# Checking whether logs and audits are compliant"
echo "Check whether the syslog audit configuration follows the rules"
echo "#-------------------------------------"
autmesg=`cat /etc/syslog.conf | egrep ^authpriv`
if [ ! -n "$autmesg" ]
then
    echo "there is no authpriv setting in /etc/syslog.conf"
    echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
    while true
    do
        echo -n "Do you acknowledge this? y or n: "
        read i
        case $i in
            y|yes)
                break
                ;;
            n|no)
                echo "there is no authpriv setting in /etc/syslog.conf"
                echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
                continue
                ;;
            *)
                echo "please input yes or no"
                ;;
        esac
    done
else
    # echo "log and audit compliance"
    echo "syslog audit configuration follows the rules"
fi
#15 ---------------------------------------------------------------------
echo "# disable linux core dump"
echo "Turn off the system core dump"
echo "#-------------------------------------"
# match the entry whatever whitespace separates its fields (limits.conf is usually tab-separated)
mesg1=`grep -E '^\*[[:space:]]+soft[[:space:]]+core[[:space:]]+0' /etc/security/limits.conf`
mesg2=`grep -E '^\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0' /etc/security/limits.conf`
if [ ! -n "$mesg1" -o ! -n "$mesg2" ]
then
    cp /etc/security/limits.conf /etc/security/limits.conf_$date
    if [ ! -n "$mesg1" ]
    then
        echo "* soft core 0" >> /etc/security/limits.conf
    fi
    if [ ! -n "$mesg2" ]
    then
        echo "* hard core 0" >> /etc/security/limits.conf
    fi
fi
# Modify the login file so that the limits take effect
cp /etc/pam.d/login /etc/pam.d/login_$date
echo "session required /lib/security/pam_limits.so" >> /etc/pam.d/login
#16 ---------------------------------------------------------------------
# Login failure lockout settings
# Check whether /etc/pam.d/system-auth has a line like: account required /lib/security/pam_tally.so deny=
# Recommended setting: auth required pam_tally.so onerr=fail deny=6 unlock_time=300
#17 ---------------------------------------------------------------------
# Restrict use of the su command
# Check the settings in /etc/pam.d/su
# The file should contain:
# auth sufficient /lib/security/pam_rootok.so debug
# auth required /lib/security/pam_wheel.so group=isd
#20 ---------------------------------------------------------------------
echo "# automatic logout on session timeout"
echo "set session timeout for terminals"
echo "#-------------------------------------"
tmout=`grep -i TMOUT /etc/profile | head -n 1`
if [ ! -n "$tmout" ]
then
    echo
    echo -n "do you want to set login timeout to 300 s? [yes]: "
    read i
    case $i in
        y|yes)
            cp /etc/profile /etc/profile_$date
            echo "export TMOUT=300" >> /etc/profile
            . /etc/profile
            ;;
        n|no)
            ;;
        *)
            echo "please input yes or no"
            ;;
    esac
else
    mesg=`echo $tmout | awk -F "=" '{print $2}'`
    if [ "$mesg" -ne 300 ]
    then
        echo "The login session timeout is $mesg now, will change it to 300 seconds"
        cp /etc/profile /etc/profile_$date
        echo "export TMOUT=300" >> /etc/profile
        . /etc/profile
    fi
fi
sed -i 's/HISTSIZE=1000/HISTSIZE=100/g' /etc/profile
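Sections 15 and 20 both detect a setting with grep and then append with ">>", so a tab-separated limits.conf entry is not recognised and an existing "export TMOUT=600" is left in place next to the new line (the later one wins, so the result still depends on line order). Below, as an added example that is not part of the original post, are idempotent helpers for both edits: has_limit/ensure_limit compare the four whitespace-separated fields of a limits.conf entry, and profile_export/set_profile_export rewrite an existing export line rather than appending a duplicate. The function names and the sample files are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent versions of the
# limits.conf and /etc/profile edits of sections 15 and 20, run on constructed
# copies of those files.

# has_limit FILE DOMAIN TYPE ITEM VALUE: true if an uncommented entry with these
# four fields exists, whatever whitespace separates them
has_limit() {
    awk -v d="$2" -v t="$3" -v i="$4" -v v="$5" \
        '$1 == d && $2 == t && $3 == i && $4 == v { found = 1 } END { exit !found }' "$1"
}
# ensure_limit FILE DOMAIN TYPE ITEM VALUE: append the entry only when it is missing
ensure_limit() {
    has_limit "$@" || printf '%s\t%s\t%s\t%s\n' "$2" "$3" "$4" "$5" >> "$1"
}
# profile_export FILE VAR: current value of "export VAR=..." (the last line wins, as in the shell)
profile_export() {
    sed -n "s/^[[:space:]]*export[[:space:]]\{1,\}$2=//p" "$1" | tail -n 1
}
# set_profile_export FILE VAR VALUE: rewrite the existing export line, or append one
set_profile_export() {
    if grep -Eq "^[[:space:]]*export[[:space:]]+$2=" "$1"; then
        sed "s/^[[:space:]]*export[[:space:]]\{1,\}$2=.*/export $2=$3/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf 'export %s=%s\n' "$2" "$3" >> "$1"
    fi
}

# --- constructed sample files ---
sample=$(mktemp -d)
# limits.conf where the hard limit is already present, tab-separated
printf '# constructed sample limits.conf\n*\thard\tcore\t0\n' > "$sample/limits.conf"
ensure_limit "$sample/limits.conf" '*' soft core 0
ensure_limit "$sample/limits.conf" '*' hard core 0      # already present: nothing appended
ensure_limit "$sample/limits.conf" '*' soft core 0      # second run: still nothing appended
echo "== limits.conf =="; cat "$sample/limits.conf"

# profile that already sets a longer timeout
printf 'export PATH=$PATH:/usr/local/bin\nexport TMOUT=600\n' > "$sample/profile"
set_profile_export "$sample/profile" TMOUT 300
set_profile_export "$sample/profile" HISTSIZE 100
echo "== profile =="; cat "$sample/profile"
echo "TMOUT is now $(profile_export "$sample/profile" TMOUT)"
```

Because the helpers change nothing when the desired state is already present, the hardening script can be re-run after every audit without accumulating duplicate lines.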
#21 ---------------------------------------------------------------------
echo "# disable telnet and enable ssh"
echo "Stop telnet and start up sshd"
echo "#-------------------------------------"
mesg1=`lsof -i :23`
mesg2=`lsof -i :22`
if [ ! -n "$mesg2" ]
then
    service sshd start
    chkconfig sshd on
    mesg2=`lsof -i :22`
fi
# only deactivate telnet once sshd is confirmed to be listening
if [ -n "$mesg1" -a -n "$mesg2" ]
then
    echo
    echo "Will deactivate telnet"
    chkconfig krb5-telnet off
    chkconfig ekrb5-telnet off
fi
#22 ---------------------------------------------------------------------
# echo "# Set terminal timeout so that the system automatically exits an idle shell after 10 minutes"
# echo "#-------------------------------------"
# mesg=`grep "export TMOUT=600" /etc/profile`
# if [ -z "$mesg" ]
# then
#     echo "export TMOUT=600" >> /etc/profile
#     . /etc/profile
# fi
#23 ---------------------------------------------------------------------
echo "# disable unnecessary services"
echo "Stop unused services"
echo "#-------------------------------------"
# review this list against the server's role before running it: it also stops iptables and ip6tables
list="avahi-daemon bluetooth cups firstboot nnmi IP ip6tables iptables iscsi iscsid isdn kudzu pcscd rhnsd rhsmcertd rpcgssd pull sendmail smartd yum-updatesd netfs portmap autofs nfslock"
for i in $list
do
    chkconfig $i off
    service $i stop
done
echo "change kernel parameters for network security"
cp /etc/sysctl.conf /etc/sysctl.conf.$date
# echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
# every matching "sysctl -a" line is appended with the hardened value; re-runs add the keys again
sysctl -a | grep arp_filter | sed -e 's/\=\ 0/\=\ 1/g' >> /etc/sysctl.conf
sysctl -a | grep accept_redirects | sed -e 's/\=\ 1/\=\ 0/g' >> /etc/sysctl.conf
sysctl -a | grep send_redirects | sed -e 's/\=\ 1/\=\ 0/g' >> /etc/sysctl.conf
sysctl -a | grep log_martians | sed -e 's/\=\ 0/\=\ 1/g' >> /etc/sysctl.conf
sysctl -p
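An audit-first alternative to the sysctl step of section 23, added as an example that is not part of the original post: instead of appending every "sysctl -a" line that mentions one of the four keys, compare a saved "sysctl -a" dump against the baseline the script enforces (arp_filter=1, accept_redirects=0, send_redirects=0, log_martians=1) and emit only the lines that are actually needed. The function names and the dump are constructed; the dump is a hand-written excerpt in "sysctl -a" format, not real output.

```shell
#!/bin/sh
# Added example (not from the original post): audit a "sysctl -a" dump against
# the network baseline of section 23 and produce the missing sysctl.conf lines.

# sysctl_deviations DUMPFILE: print "key current wanted" for every
# net.ipv4.conf.* / net.ipv6.conf.* key that deviates; return 1 if any does
sysctl_deviations() {
    awk -F' *= *' '
        BEGIN { want["arp_filter"] = 1; want["accept_redirects"] = 0
                want["send_redirects"] = 0; want["log_martians"] = 1 }
        /^net\.ipv[46]\.conf\./ {
            n = split($1, part, "."); leaf = part[n]
            if (leaf in want && $2 != want[leaf]) { print $1, $2, want[leaf]; bad = 1 }
        }
        END { exit bad }' "$1"
}
# sysctl_conf_lines DUMPFILE: "key = value" lines that bring the dump into line
# with the baseline, ready to append to /etc/sysctl.conf (then run sysctl -p)
sysctl_conf_lines() {
    sysctl_deviations "$1" | awk '{ print $1 " = " $3 }'
}

# --- constructed excerpt of a "sysctl -a" dump ---
sample=$(mktemp -d)
cat > "$sample/sysctl.dump" <<'EOF'
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.arp_filter = 1
net.ipv4.icmp_echo_ignore_all = 0
net.ipv6.conf.all.accept_redirects = 1
EOF

echo "deviations (key current wanted):"
sysctl_deviations "$sample/sysctl.dump" || echo "-> host does not meet the baseline"
echo "lines to add to /etc/sysctl.conf:"
sysctl_conf_lines "$sample/sysctl.dump"
```

On a real host, `sysctl -a > /tmp/sysctl.dump` before and after `sysctl -p` gives a before/after audit trail; the ipv6 accept_redirects key is included because ICMPv6 redirects are accepted independently of the ipv4 setting.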
#24 ---------------------------------------------------------------------
echo "set hotkeys"
# Ctrl+Alt+Del: comment out the reboot action (upstart on RHEL 6, inittab on RHEL 5)
if [ -d /etc/init ]
then
    sed -i 's/^[^#]/#&/g' /etc/init/control-alt-delete.conf
else
    sed -i 's/^ca::/#&/g' /etc/inittab
fi
#25 ---------------------------------------------------------------------
echo "demo: prohibit users other than db2inst1 from su to root"
# -a keeps the user's existing supplementary groups; "-G wheel" alone would replace them
usermod -a -G wheel db2inst1
sed -i '/pam_wheel.so use_uid/s/^#//g' /etc/pam.d/su
# on PAM-based RHEL/CentOS the pam_wheel line above is what enforces the restriction;
# SU_WEEL_ONLY in login.defs is only honoured by a su built without PAM
echo "SU_WHEEL_ONLY yes" >> /etc/login.defs