CentOS System Reinforcement

Source: Internet
Author: User
Tags: account security

  

I. Account security
1.1 Lock redundant self-built accounts in the system
Check method:
Execute the commands
# cat /etc/passwd
# cat /etc/shadow
Review the account and password files with the system administrator and identify the accounts that are not needed. Reserved system pseudo-accounts such as bin, sys, adm, uucp, lp, nuucp, hpdb, www and daemon can be locked out of login as required.
Backup method:
# cp -p /etc/passwd /etc/passwd_bak
# cp -p /etc/shadow /etc/shadow_bak
Reinforcement method:
Use the command passwd -l <username> to lock unnecessary accounts.
Use the command passwd -u <username> to unlock an account that needs to be restored.
Risk:
Confirm with the administrator that this action does not affect the logins used by the business system.

1.2 Setting the system password policy
Check method:
Use the command
# cat /etc/login.defs | grep PASS    to view the password policy settings
Backup method:
# cp -p /etc/login.defs /etc/login.defs_bak
Reinforcement method:
# vi /etc/login.defs    and modify the configuration file:
PASS_MAX_DAYS    # maximum number of days a new user's password may be used
PASS_MIN_DAYS 0    # minimum number of days a new user's password must be used before it may be changed
PASS_WARN_AGE 7    # number of days before expiry on which a new user is warned
PASS_MIN_LEN 9    # minimum password length of 9
Risk: No visible risk

1.3 Disable superusers other than root
Check method:
# cat /etc/passwd    view the password file; its format is as follows:
login_name:password:user_id:group_id:comment:home_dir:command
login_name: user name
password: encrypted user password
user_id: user ID (1 ~ 6000); if user_id = 0, the user has superuser privileges. Check whether more than one account has id = 0 here.
group_id: user group ID
comment: the user's full name or other comment information
home_dir: the user's home directory
command: command executed after the user logs on (the login shell)
Backup method:
# cp -p /etc/passwd /etc/passwd_bak
Hardening method:
Use the command passwd -l <username> to lock unnecessary superuser accounts.
Use the command passwd -u <username> to unlock a superuser account that needs to be restored.
Risk: Confirm the use of each such superuser with your administrator.

1.4 Restrict which users can su to root
Check method:
# cat /etc/pam.d/su    to see whether there is a configuration entry such as auth required /lib/security/pam_wheel.so
Backup method: # cp -rp /etc/pam.d /etc/pam.d_bak
Reinforcement method:
# vi /etc/pam.d/su
Add at the top of the file:
auth required /lib/security/pam_wheel.so group=wheel
This way, only users in the wheel group can su to root.
# usermod -G 10 test    adds the user test to the wheel group (GID 10)
Risk: PAM package support is required, and changes to PAM files must be checked carefully: an error can make it impossible to log in. Confirm with the administrator which users need su.
When authentication problems occur, first check the output in /var/log/messages or /var/log/secure and use that information to determine whether the user account is valid. If you cannot log in because of a PAM authentication failure, only single-user or rescue mode can be used for troubleshooting.

1.5 Check for empty-password accounts in shadow
Check method:
# awk -F: '($2 == "") {print $1}' /etc/shadow
Backup method: # cp -p /etc/shadow /etc/shadow_bak
Hardening method: Lock the empty-password account, or require that a password be set.
Figure 4
Risk: Confirm whether the empty-password account is used by an application; setting a password may cause the application to fail to connect.
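
The checks in 1.1, 1.3 and 1.5, plus the wheel-group question from 1.4, can be run as one offline audit before anything is locked. The shell script below is an added example and is not part of the original checklist; the passwd, shadow and group contents it reads are constructed samples embedded in the script, the function names are mine, and the reserved-account list is the one given in 1.1.

```shell
#!/bin/sh
# Added example (not part of the original checklist): offline audit of passwd,
# shadow and group content for items 1.1, 1.3, 1.4 and 1.5.
# The three here-strings below are CONSTRUCTED sample data, not a real host.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
uucp:x:10:14:uucp:/var/spool/uucp:/bin/bash
toor:x:0:0:second uid 0 account (constructed):/root:/bin/bash
appsvc:x:501:501:application account:/home/appsvc:/bin/bash
test:x:502:502:test user:/home/test:/bin/bash'

SAMPLE_SHADOW='root:$6$saltsalt$constructedhash1:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
lp:$1$constructedhash2:18000:0:99999:7:::
uucp:!$1$constructedhash3:18000:0:99999:7:::
toor:$6$saltsalt$constructedhash4:18000:0:99999:7:::
appsvc::18000:0:99999:7:::
test:$6$saltsalt$constructedhash5:18000:0:99999:7:::'

SAMPLE_GROUP='root:x:0:
wheel:x:10:test,appsvc
users:x:100:'

# 1.3: every account whose UID field is 0.  Anything besides root is a finding.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 {print $1}'
}

# 1.5: accounts whose shadow password field is empty (login without a password).
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" {print $1}'
}

# 1.1: reserved pseudo-accounts (the list from the checklist) that still have a
# usable login shell and are not yet locked.  passwd -l prepends "!" to the
# hash, and "*" also means no valid password, so both count as locked.
# Arguments: passwd content, shadow content.  Output is sorted for stable tests.
unlocked_system_accounts() {
    printf '%s\n%s\n' "$1" "$2" | awk -F: '
        BEGIN { n = split("bin sys adm uucp lp nuucp hpdb www daemon", l, " ")
                for (i = 1; i <= n; i++) reserved[l[i]] = 1 }
        NF == 7 { shell[$1] = $7; next }      # passwd lines have 7 fields
        NF == 9 { hash[$1] = $2 }             # shadow lines have 9 fields
        END {
            for (u in shell) {
                if (!(u in reserved)) continue
                if (shell[u] ~ /(nologin|false)$/) continue
                if (hash[u] ~ /^[!*]/) continue
                print u
            }
        }' | sort
}

# 1.4: members of the wheel group, i.e. the users pam_wheel.so will let su to root.
wheel_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "wheel" { gsub(/,/, " ", $4); print $4 }'
}

# Print the whole report.  Arguments: passwd, shadow and group content.
audit_report() {
    echo "== accounts with UID 0 (expect only root) =="
    uid0_accounts "$1"
    echo "== accounts with an empty password field =="
    empty_password_accounts "$2"
    echo "== reserved pseudo-accounts still able to log in (candidates for passwd -l) =="
    unlocked_system_accounts "$1" "$2"
    echo "== wheel group members (may su to root once pam_wheel is enabled) =="
    wheel_members "$3"
}

# On a real host (as root): audit_report "$(cat /etc/passwd)" "$(cat /etc/shadow)" "$(cat /etc/group)"
audit_report "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" "$SAMPLE_GROUP"
```

The report only lists candidates; locking remains the passwd -l step from 1.1, applied after the administrator has confirmed each account. When adding a user to wheel as in 1.4, note that usermod -aG wheel <username> appends the group, whereas usermod -G on its own replaces the user's existing supplementary groups.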

II. Service minimization

2.1 Stop or disable services unrelated to the hosted business
Check method:
View the current init level:  # who -r    or    # runlevel
# chkconfig --list    view the status of all services
Backup method: Record the names of the services that will be stopped.
Reinforcement method:
# chkconfig --level <levels> <service name> on|off|reset    sets whether the service starts at the given init level(s)
Risk: Certain applications require specific services; identify them with the administrator.

III. Data access control
3.1 Set reasonable initial file permissions
Check method:
# cat /etc/profile    view the value of umask
Backup method:
# cp -p /etc/profile /etc/profile_bak
Reinforcement method:
# vi /etc/profile
umask 027
Risk: The default permissions of newly created files change; if the server runs a web application, apply this change with caution.
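
To see what the value 027 actually does to files and directories created afterwards, here is an added shell example that is not part of the original checklist. It creates its entries in a throwaway temporary directory, so it is safe to run anywhere; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original checklist): what "umask 027" from 3.1
# does to new files and directories.  umask removes bits from the mode a
# program requests: files are normally requested as 0666 and directories as
# 0777, so 027 yields 640 (rw-r-----) files and 750 (rwxr-x---) directories.
# Everything is created under mktemp -d, so the host is not modified.

# octal_mode_after_umask <umask> <requested mode>
# The arithmetic umask performs: requested & ~umask, printed in octal.
octal_mode_after_umask() {
    printf '%o\n' "$(( $2 & ~$1 ))"
}

# mode_of_new_entry <umask> file|dir
# Creates one entry under the given umask in a scratch directory and prints the
# 10-character permission string from ls (e.g. -rw-r-----).  The umask is set
# in a subshell so the caller's umask is unchanged.
mode_of_new_entry() {
    scratch=$(mktemp -d) || return 1
    (
        umask "$1"
        if [ "$2" = dir ]; then
            mkdir "$scratch/entry"
        else
            : > "$scratch/entry"
        fi
    )
    # substr() drops any trailing "." or "+" that ls adds for SELinux/ACL contexts
    ls -ld "$scratch/entry" | awk '{ print substr($1, 1, 10) }'
    rm -rf "$scratch"
}

# Note the syntax: "umask 027" in /etc/profile is a command; "umask=027" only
# assigns a shell variable named umask and changes no permissions at all.
for kind in file dir; do
    printf 'umask 027, new %s -> %s\n' "$kind" "$(mode_of_new_entry 027 "$kind")"
done
printf 'arithmetic: 0666 & ~027 = %s, 0777 & ~027 = %s\n' \
    "$(octal_mode_after_umask 027 0666)" "$(octal_mode_after_umask 027 0777)"
```

A setting in /etc/profile only applies to login shells that read that file; daemons started at boot keep the umask they inherit from init or set themselves, which is why the risk note above singles out web applications.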

IV. Network access control

4.1 Use SSH for management
Check method:
# ps -aef | grep sshd    see whether the service is running
Backup method:
Reinforcement method:
Turn on the SSH service with the command
# service sshd start
Risk: Changes administrators' usage habits

4.2 Set an access control policy restricting the IP addresses that may manage the host
Check method:
# cat /etc/ssh/sshd_config    check whether there is an AllowUsers statement
Backup method:
# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
Reinforcement method:
# vi /etc/ssh/sshd_config    and add the following statement:
AllowUsers *@10.138.*.*
This means: only allow all users from the 10.138.0.0/16 network segment to access via SSH.
Restart the SSH service after saving:
# service sshd restart
Risk: Confirm with the administrator which IP segment may be used for management.

4.3 Disable remote login by the root user
Check method:
# cat /etc/ssh/sshd_config    check whether PermitRootLogin is set to no
Backup method:
# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
Reinforcement method:
# vi /etc/ssh/sshd_config
PermitRootLogin no
Restart the SSH service after saving:
# service sshd restart
Risk: The root user can no longer log in directly; log in with a regular account and then su.

4.4 Restrict trusted hosts
Check method:
# cat /etc/hosts.equiv    view the trusted hosts
# cat $HOME/.rhosts    view the trusted hosts
Backup method:
# cp -p /etc/hosts.equiv /etc/hosts.equiv_bak
# cp -p $HOME/.rhosts $HOME/.rhosts_bak
Reinforcement method:
# vi /etc/hosts.equiv    remove unnecessary hosts
# vi $HOME/.rhosts    remove unnecessary hosts
Risk: In a multi-machine standby (high-availability) environment, the IPs of the other hosts must remain trusted.

4.5 Suppress login banner information
Check method:
# cat /etc/ssh/sshd_config    check whether the file has a Banner field and whether it is set to none
# cat /etc/motd    view the contents of the file, which is displayed as banner information to logged-in users
Backup method:
# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
# cp -p /etc/motd /etc/motd_bak
Reinforcement method:
# vi /etc/ssh/sshd_config
Banner none
# vi /etc/motd
Delete all content, or replace it with the text you want shown
Risk: No visible risk
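
Sections 4.2, 4.3 and 4.5 all edit sshd_config, and one detail matters when doing so: sshd treats keywords case-insensitively and, for keywords such as PermitRootLogin and Banner, the first occurrence in the file wins, so a PermitRootLogin no appended below an existing PermitRootLogin yes changes nothing, and a commented "#Banner none" line is not a setting. The shell script below is an added example, not part of the original checklist; it reads a config the way sshd does and reports those three items. The sample configuration and function names are mine, constructed to show exactly that trap.

```shell
#!/bin/sh
# Added example (not from the original checklist): evaluate the sshd_config
# settings behind items 4.2, 4.3 and 4.5 the way sshd itself reads them.
# The configuration below is CONSTRUCTED; note the duplicated PermitRootLogin
# and the commented-out Banner line.

SAMPLE_SSHD_CONFIG='# constructed sshd_config
Port 22
Protocol 2
PermitRootLogin yes
#Banner none
AllowUsers *@10.138.*.*
permitrootlogin no
Banner /etc/issue.net'

# effective_setting <config text> <keyword>
# Prints the value sshd uses for a keyword: comments and blank lines are
# skipped, the keyword is matched case-insensitively, "Keyword value" and
# "Keyword=value" are both accepted, and the FIRST match wins.  Match blocks
# are not handled (assumption: a flat config, as in the checklist).
effective_setting() {
    printf '%s\n' "$1" | awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) != key) next
            sub(/^[^ \t=]+[ \t=]+/, "", line)
            print line
            exit
        }'
}

# 4.3: PermitRootLogin must be "no".  Returns 0 when compliant.
root_login_disabled() {
    v=$(effective_setting "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    echo "PermitRootLogin: ${v:-<unset, sshd default applies>}"
    [ "$v" = "no" ]
}

# 4.2: an AllowUsers list must exist.  (Each AllowUsers line adds to the list
# rather than overriding it, so presence of the first one is what is checked.)
allowusers_present() {
    v=$(effective_setting "$1" AllowUsers)
    echo "AllowUsers: ${v:-<unset, any user from any host>}"
    [ -n "$v" ]
}

# 4.5: Banner must be unset or "none".
banner_disabled() {
    v=$(effective_setting "$1" Banner | tr 'A-Z' 'a-z')
    echo "Banner: ${v:-<unset, no banner>}"
    [ -z "$v" ] || [ "$v" = "none" ]
}

# Run all three; returns 0 only if every check passes.
audit_sshd_config() {
    rc=0
    root_login_disabled "$1" || rc=1
    allowusers_present "$1" || rc=1
    banner_disabled "$1" || rc=1
    return $rc
}

# On a real host: audit_sshd_config "$(cat /etc/ssh/sshd_config)"
# and run "sshd -t" to syntax-check the file before "service sshd restart".
if audit_sshd_config "$SAMPLE_SSHD_CONFIG"; then
    echo "all sshd_config checks passed"
else
    echo "hardening incomplete: fix the FIRST occurrence of each keyword"
fi
```

Against the constructed sample the script fails on both PermitRootLogin (the early "yes" wins) and Banner (the live line points at /etc/issue.net); editing those first occurrences, as 4.3 and 4.5 describe, makes it pass. Running sshd -t before the restart catches syntax errors that would otherwise leave the service down.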

4.6 Prevent accidental restarts via Ctrl+Alt+Del
Check method:
# cat /etc/inittab | grep ctrlaltdel    check whether the line is commented out
Backup method:
# cp -p /etc/inittab /etc/inittab_bak
Reinforcement method:
# vi /etc/inittab
Add a comment character "#" at the beginning of the line, so that it reads:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Risk: No visible risk

V. User identification

5.1 Set the logon-failure lockout count and lockout time
Check method:
# cat /etc/pam.d/system-auth    view the settings of the auth required pam_tally.so entry
Backup method:
# cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth_bak
Reinforcement method:
# vi /etc/pam.d/system-auth
auth required pam_tally.so onerr=fail deny=6 unlock_time=300
This locks the account after 6 consecutive wrong passwords, with a lockout time of 300 seconds.
Unlock a user with: # faillog -u <username> -r
Risk: PAM package support is required, and changes to PAM files must be checked carefully; an error will make it impossible to log in.
When authentication problems occur, first check the output in /var/log/messages or /var/log/secure and use that information to determine whether the user account is valid.

5.2 Modify the account TMOUT value to set the automatic logoff time
Check method:
# cat /etc/profile    check whether TMOUT is set
Backup method:
# cp -p /etc/profile /etc/profile_bak
Reinforcement method:
# vi /etc/profile
Add:
TMOUT=600    the shell exits automatically after 600 seconds without activity
Risk: No visible risk

5.3 GRUB/LILO password
Check method:
# cat /etc/grub.conf | grep password    check whether GRUB has a password set
# cat /etc/lilo.conf | grep password    check whether LILO has a password set
Backup method:
# cp -p /etc/grub.conf /etc/grub.conf_bak
# cp -p /etc/lilo.conf /etc/lilo.conf_bak
Hardening method: Set a password for GRUB or LILO
Risk: /etc/grub.conf is usually a symbolic link to /boot/grub/grub.conf

5.4 Restrict FTP logins
Check method:
# cat /etc/ftpusers    confirm which user names are listed; these users are not allowed to log on to the FTP service
Backup method:
# cp -p /etc/ftpusers /etc/ftpusers_bak
Reinforcement method:
# vi /etc/ftpusers    add one user name per line; each added user is prevented from logging on to the FTP service
Risk: No visible risk

5.5 Set the number of history commands bash keeps
Check method:
# cat /etc/profile | grep HISTSIZE=
# cat /etc/profile | grep HISTFILESIZE=    view the number of history commands kept
Backup method:
# cp -p /etc/profile /etc/profile_bak
Reinforcement method:
# vi /etc/profile
Set HISTSIZE=5 and HISTFILESIZE=5 to keep only the 5 most recently executed commands
Risk: No visible risk

VI. Audit strategy

6.1 Configure the system log policy configuration file
Check method:
# ps -aef | grep syslog    confirm that syslog is running
# cat /etc/syslog.conf    view the syslogd configuration and verify that the log files exist:
System log (default): /var/log/messages
Cron log (default): /var/log/cron
Security log (default): /var/log/secure
Backup method:
# cp -p /etc/syslog.conf /etc/syslog.conf_bak

6.2 Allocate reasonable storage space and retention time for audit data
Check method:
# cat /etc/logrotate.conf    view the system rotation configuration; check whether it contains
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
Backup method:
# cp -p /etc/logrotate.conf /etc/logrotate.conf_bak
Reinforcement method:
# vi /etc/logrotate.d/syslog
Add:
rotate 4    keep 4 rotated logs; when the 5th is generated, the oldest log is deleted
size 100k    size of each log
The result should resemble the following:
/var/log/syslog/*_log {
    missingok
    notifempty
    size 100k      # log files are rotated when they grow bigger than 100k
    rotate 5       # keep 5 rotated logs
    compress       # rotated log files are compressed
    sharedscripts
    postrotate
        /etc/init.d/syslog condrestart >/dev/null 2>&1 || true
    endscript
}
