1. Operating conditions: (1) A virtual machine running the CentOS Linux operating system.

2. Background: An enterprise has a server with the following characteristics: (1) There is an administrator account root on the server whose password is "root", and there are other accounts with root privileges; it has been confirmed that these accounts have not been used for a long time. (2) The "/secure" folder holds important files of the company's development department, and its current permissions give everyone full control. The actual usage requirement is that only the administrator "deadmin" and the members of the "develops" group may perform any action on the folder, while other user groups may only view it. (3) By default the server can be logged on to through every TTY, and the root user can log on remotely via SSH. (4) Any user can switch accounts with su.
3. Requirements: The server must now be securely hardened to reduce its attack surface: (1) Prevent attackers from brute-forcing the root user's password, and prevent them from breaking in through other administrator accounts. New accounts must have complex passwords of at least 8 characters, the password must be changed at least every two months, and the user must be warned to change it one week before it expires. (2) Prevent unauthorized access to files. (3) Prevent unauthorized TTY logins, leaving only two TTY login portals, tty1 and tty2. (4) Prevent the root user from logging in directly. (5) To prevent the security problems caused by forgetting to log out, log sessions out automatically after 5 minutes of inactivity. (6) Prevent any user from using su to switch to the root account. (7) Prevent the account files from being modified.
4. Specific requirements: (1) Locate and lock the unused administrator account, and set a strong password ([email protected]) for the administrator account; (2) check that the password policy meets the requirements and is set correctly; (3) set the "/secure" folder permissions according to the access requirements; (4) correctly deploy the login policies (TTY logins, remote logins and su restrictions); (5) set automatic logout correctly; (6) correctly restrict su so that only members of the wheel group can switch to root; (7) lock the account files to prevent them from being modified.
5. Operation steps:

Step 1. Account security management:
(1) Set a strong password for the root user. Open a terminal and enter the following commands in turn (passwd asks for the new password twice):
    passwd root
    [email protected]
    [email protected]
(2) Identify the users with UID 0 and lock them. Enter the following commands in turn:
    cat /etc/passwd        # a user with UID 0 other than root is found: testadmin
    passwd -l testadmin    # lock the testadmin account
(3) Create the account and group used for the secure folder. Enter the following commands in turn:
    groupadd develops
    useradd -G develops deadmin
    passwd deadmin
    [email protected]
    [email protected]          # the password here is arbitrary

Step 2. File system security management:
(1) Set the appropriate owner and permissions on the folder. Enter the following commands in turn:
    chown deadmin:develops /secure
    chmod 774 /secure

Step 3. System hardening:
(1) Set the password policy. First view the current settings, then edit the file (press i to edit, then :wq to save and exit):
    cat /etc/login.defs
    vi /etc/login.defs
Modify the following lines:
    PASS_MAX_DAYS 60
    PASS_MIN_DAYS 0
    PASS_MIN_LEN 8
    PASS_WARN_AGE 7
(2) Restrict TTY logins, leaving only the two login portals tty1 and tty2. Enter the following command in the terminal (press i to edit, then :wq to save and exit):
    vi /etc/inittab
Comment out the following lines:
    #3:2345:respawn:/sbin/mingetty tty3
    #4:2345:respawn:/sbin/mingetty tty4
    #5:2345:respawn:/sbin/mingetty tty5
    #6:2345:respawn:/sbin/mingetty tty6
(3) Set the automatic logoff timeout. Enter the following command in the terminal (press i to edit, then :wq to save and exit):
    vi /etc/profile
Below the line HISTSIZE=1000 add the line:
    TMOUT=300
(4) Prevent any user from using su to switch to root. Enter the following command in the terminal (press i to edit, then :wq to save and exit):
    vi /etc/pam.d/su
Add the following line at the top of the file:
    auth required pam_wheel.so group=wheel
(5) Prevent the root user from logging in remotely. Enter the following command in the terminal (press i to edit, then :wq to save and exit):
    vi /etc/ssh/sshd_config
Modify the following line:
    PermitRootLogin no
(6) Lock the account files. Enter the following commands in turn:
    chattr +i /etc/passwd
    chattr +i /etc/shadow
    chattr +i /etc/gshadow
    chattr +i /etc/group
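After the steps above are applied, an administrator will want to confirm that the settings actually took effect rather than trust that the edits were saved. The following audit script is an added example, not part of the original page: it finds any UID-0 account other than root (the testadmin case from step 1) and compares the values in login.defs, sshd_config and profile against the required policy. The functions take the file to inspect as an argument, and the sample files at the bottom are constructed stand-ins for the real /etc files.

```shell
#!/bin/sh
# Post-hardening audit (added example, not part of the original page).
# Each function takes the file to inspect as an argument, so it can be
# pointed at the real /etc files or, as below, at constructed samples.

# Print every UID-0 account other than root from a passwd-format file;
# anything printed here should be locked with passwd -l (step 1.2).
extra_uid0_users() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print the value of the last active (uncommented) line for KEY, so a
# "PermitRootLogin no" below a "#PermitRootLogin yes" wins. Handles both
# "KEY value" (login.defs, sshd_config) and "KEY=value" (profile) forms;
# key matching is case-insensitive, as sshd treats its keywords.
cfg_value() { # $1 = file, $2 = key
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { line = $0; sub(/^[[:space:]]+/, "", line)
          split(line, f, "[[:space:]=]+")
          if (tolower(f[1]) == tolower(key)) v = f[2] }
        END { print v }' "$1"
}

# Compare KEY=EXPECTED pairs against a file; print each mismatch and
# return non-zero if any setting deviates from the required policy.
check_settings() { # $1 = file, remaining args = KEY=EXPECTED ...
    file=$1; shift; rc=0
    for pair in "$@"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(cfg_value "$file" "$key")
        [ "$got" = "$want" ] || { echo "$file: $key should be $want, found '${got:-unset}'"; rc=1; }
    done
    return $rc
}

# Constructed samples standing in for /etc/passwd and /etc/login.defs.
tmp=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\ntestadmin:x:0:0::/home/testadmin:/bin/bash\ndeadmin:x:1001:1001::/home/deadmin:/bin/bash\n' > "$tmp/passwd"
printf '# PASS_MAX_DAYS 99999\nPASS_MAX_DAYS 60\nPASS_MIN_DAYS 0\nPASS_MIN_LEN 5\nPASS_WARN_AGE 7\n' > "$tmp/login.defs"

extra_uid0_users "$tmp/passwd"   # prints: testadmin
# PASS_MIN_LEN in the sample is still 5, so this reports the drift:
check_settings "$tmp/login.defs" PASS_MAX_DAYS=60 PASS_MIN_DAYS=0 PASS_MIN_LEN=8 PASS_WARN_AGE=7 \
    || echo "password policy does not meet the requirement"
rm -rf "$tmp"
```

Run it as root against the real files (for example `check_settings /etc/ssh/sshd_config PermitRootLogin=no` and `check_settings /etc/profile TMOUT=300`) after each hardening step; note that once chattr +i is set on the account files, passwd and useradd will fail until the flag is removed again with chattr -i.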
Enterprise-Class Linux security management