Basic Security Measures
1. Delete or disable user and group accounts that are not used on the system
# passwd -l wang // lock the account wang
# passwd -u wang // unlock the account wang
Or
# vi /etc/shadow // save with :wq! because the file is read-only
Add two exclamation marks (!!) in front of the password hash in the second field; this invalidates the hash, which is exactly what passwd -l does.
2. Make sure that accounts used by programs or services have no usable login shell.
# vi /etc/passwd // change the account's login shell to /sbin/nologin
Or
# usermod -s /sbin/nologin wang
3. Restrict the password validity period (maximum number of days)
# vi /etc/login.defs // only affects accounts created afterwards
PASS_MAX_DAYS 30
Or
# chage -M 30 wang // only affects the existing user wang
4. Force the user to change the password at the next login
# chage -d 0 wang
Or
# vi /etc/shadow
// Set the "date of last password change" field of the wang entry (the third colon-separated column) to 0.
5. Restrict the minimum length of user passwords
# vi /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3 minlen=12
retry: number of attempts the user gets; minlen: minimum password length. Note that pam_cracklib grants credits for each character class used, so with the default credit settings a password shorter than 12 characters that mixes classes can still pass minlen=12; set dcredit, ucredit, lcredit and ocredit to 0 for a strict character count.
6. Limit the number of entries kept in the command history
# vi /etc/profile
HISTSIZE=50 (the default is 1000)
# echo "history -c" >> ~/.bash_logout // clear the command history when logging out
7. Set an idle timeout that automatically logs the terminal out
# vi /etc/profile
export TMOUT=600 // add this line; the shell exits after 600 seconds without input
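As an added example that is not part of the original page, the script below audits the settings from steps 1 to 5 against copies of /etc/passwd and /etc/shadow: accounts that are still unlocked, system accounts that still have an interactive shell, and unlocked accounts with no maximum password age. The passwd and shadow contents are constructed samples written to a temporary directory; the function names and the UID_MIN value of 1000 are assumptions (older Red Hat releases use 500, which can be passed as the second argument). Point the functions at the real files to audit a host (reading /etc/shadow requires root).

```shell
#!/bin/sh
# Added example (not from the original page): audit account settings from
# steps 1-5 against copies of /etc/passwd and /etc/shadow.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: apache is a service account that still has a login shell.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
wang:x:1000:1000::/home/wang:/bin/bash
nan:x:1001:1001::/home/nan:/bin/bash
EOF

# Constructed sample: wang is locked (!! prefix) with a 30-day maximum;
# root and nan have usable hashes and the 99999-day default.
cat > "$WORK/shadow" <<'EOF'
root:$6$saltsalt$fakehash:18000:0:99999:7:::
apache:!!:18000:0:99999:7:::
ftp:*:18000:0:99999:7:::
wang:!!$6$saltsalt$fakehash:18000:0:30:7:::
nan:$6$saltsalt$fakehash:18000:0:99999:7:::
EOF

# Accounts whose password field holds a usable hash: not empty and not
# locked with a leading ! or * (what passwd -l or the !! edit produce).
unlocked_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { n = n (n ? " " : "") $1 } END { print n }' "$1"
}

# System accounts (0 < UID < UID_MIN, default 1000) whose shell is still
# interactive, i.e. candidates for usermod -s /sbin/nologin.
service_accounts_with_shell() {
    awk -F: -v min="${2:-1000}" \
        '$3 > 0 && $3 < min && $7 !~ /(nologin|false)$/ { n = n (n ? " " : "") $1 } END { print n }' "$1"
}

# Unlocked accounts whose maximum password age (5th shadow field) is unset
# or 99999, i.e. candidates for chage -M 30.
no_password_expiry() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 >= 99999) { n = n (n ? " " : "") $1 } END { print n }' "$1"
}

echo "unlocked accounts:           $(unlocked_accounts "$WORK/shadow")"
echo "service accounts with shell: $(service_accounts_with_shell "$WORK/passwd")"
echo "no password expiry:          $(no_password_expiry "$WORK/shadow")"
```

Each report line is the list of accounts that still need one of the steps above applied; an empty line means that step is already enforced.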
Use su to switch user identities
su [-] username
Difference with and without -:
With -: equivalent to --login; the target user's login shell environment, working directory, PATH variable and so on are used.
Without -: the calling user's environment is kept (including PATH), which is often inconvenient.
Use case: controlling who may use su
Allow the wang user to switch to root with su to carry out management tasks.
Prohibit all other users from switching identities with su.
(1) Add the user to be allowed to the wheel group
# gpasswd -a wang wheel
# id wang // check wang's supplementary groups
(2) Modify the PAM settings and enable pam_wheel authentication
# vi /etc/pam.d/su
auth required pam_wheel.so use_uid // uncomment this line
(3) Verify the su restriction: as wang, su - should succeed after the root password is entered; as a user who is not in the wheel group, the same command is denied.
Use sudo to elevate execution privileges
1. The /etc/sudoers configuration file (edit it with visudo, which checks the syntax before saving)
The sudo command provides a mechanism by which a specific user, pre-authorized in the /etc/sudoers configuration file, can execute commands as the superuser (or as another ordinary user) without knowing the password of root (or of that other user). The common syntax format is as follows:
user MACHINE=COMMANDS
user: the user being authorized
MACHINE: the host on which the user is authorized to use the rule
COMMANDS: the commands that may be invoked through sudo; multiple commands are separated by commas (,)
Users, hosts and commands in /etc/sudoers can be replaced by custom aliases, in the following format:
User_Alias OPERATORS = jerry, tom, tsengyia
Host_Alias MAILSERVERS = smtp, pop
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
2. Running commands with sudo
sudo -l: list the commands the current user is authorized to run through sudo.
sudo -k: clear the credential timestamp, so the next sudo command asks for the password again.
sudo -v: refresh the credential timestamp (asking for the password again if necessary).
Case study:
Because system administration is a heavy workload, user account management is to be delegated to dedicated members of a management team.
Set up a group account managers, and authorize all member users of the group to add, delete and modify user accounts.
(1) Create the management group managers
# groupadd managers
(2) Add the administrator accounts, such as wang, to the managers group.
# gpasswd -M wang,nan managers // -M replaces the whole member list; use -a to add a single member
(3) Configure the sudoers file to enable user-management commands such as useradd and userdel for the managers group.
# visudo
Cmnd_Alias USERADM = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod
%managers localhost = USERADM // the host field must match the machine's hostname; use ALL to apply the rule on any host
(4) Log in as wang and verify that users can be added and deleted
# su - wang
$ whoami
$ sudo -l
$ sudo /usr/sbin/useradd user1
$ sudo /usr/sbin/usermod -p "<hashed-password>" user1 // -p expects an already-hashed password, not plaintext
$ sudo /usr/sbin/userdel -r user1
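As an added example (not code from the original page), the script below resolves both access rules set up above: whether pam_wheel allows a user to su to root, and which commands the %managers rule grants through sudo. The group, pam.d/su and sudoers contents are constructed samples mirroring the steps above, and the function names are assumptions; only simple "%group host = Cmnd_Alias" rules are resolved, so this is a check of this particular configuration, not a replacement for sudo -l.

```shell
#!/bin/sh
# Added example (not from the original page): resolve su (pam_wheel) and
# sudo (%group rule) authorization for a user from constructed config files.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/group" <<'EOF'
root:x:0:
wheel:x:10:wang
managers:x:1002:wang,nan
EOF

# pam_wheel line uncommented, as in step (2) of the su use case.
cat > "$WORK/pam_su" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            required        pam_wheel.so use_uid
auth            include         system-auth
account         include         system-auth
EOF

cat > "$WORK/sudoers" <<'EOF'
Cmnd_Alias USERADM = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod
%managers localhost = USERADM
EOF

# Supplementary groups of user $1, one per line, read from group file $2.
groups_of() {
    awk -F: -v u="$1" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$2"
}

# "yes" if pam_wheel is active in pam file $3 and user $1 is in wheel (group
# file $2), "no" if active and not in wheel, "unrestricted" if the pam_wheel
# line is commented out or absent (anyone with the root password may su).
su_to_root() {
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$3"; then
        echo unrestricted; return
    fi
    if groups_of "$1" "$2" | grep -qx wheel; then echo yes; else echo no; fi
}

# Commands granted to user $1 through %group rules in sudoers $3, with
# Cmnd_Alias names expanded, as one space-separated line.
sudo_commands() {
    groups_of "$1" "$2" | while read -r g; do
        awk -v g="%$g" '
            /^Cmnd_Alias/ {
                sub(/^Cmnd_Alias[[:space:]]+/, "")
                split($0, kv, /[[:space:]]*=[[:space:]]*/)
                cmds[kv[1]] = kv[2]
                next
            }
            $1 == g {
                sub(/^[^=]*=[[:space:]]*/, "")
                n = split($0, c, /[[:space:]]*,[[:space:]]*/)
                for (i = 1; i <= n; i++) { v = (c[i] in cmds) ? cmds[c[i]] : c[i]; print v }
            }
        ' "$3"
    done | tr '\n,' '  ' | tr -s ' ' | sed 's/^ //; s/ $//'
}

for u in wang nan root; do
    echo "$u: su to root = $(su_to_root "$u" "$WORK/group" "$WORK/pam_su");" \
         "sudo commands = $(sudo_commands "$u" "$WORK/group" "$WORK/sudoers")"
done
```

With the sample files, wang may su to root and gets the USERADM commands, nan gets the same sudo commands but is refused by pam_wheel, and root gets nothing from the %managers rule. Commenting the pam_wheel line out turns the su result into "unrestricted", which is the state the use case is meant to prevent.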
File and file system security optimization
Security optimization at the file system level
1. Plan the system partitions sensibly
It is recommended that the following directories be placed on independent partitions:
/boot: the recommended size is more than MB.
/home: the parent directory of users' default home directories; on a server with many users, the disk space each user consumes is usually unpredictable.
/var: holds system logs, runtime state, users' mail directories and so on; its files are read and written frequently and may occupy a lot of space.
/opt: used for installing additional applications and optional tools on the server, which makes extension convenient.
2. Disable execution of set-id programs and binaries through mount options
Invalidate the execute (x) permission of files in the /var partition so that binaries stored there cannot be executed directly.
# vi /etc/fstab
/dev/sdc1 /var ext3 defaults,noexec 1 2
# mount -o remount /var
To make the file system ignore the suid or sgid bits of its files instead, change noexec to nosuid; the two can be combined (defaults,noexec,nosuid). Two caveats: noexec on /var breaks package managers that run their scriptlets from /var/tmp, and noexec does not stop an interpreter from reading and running a script stored on that partition, so it is a hardening measure rather than a hard boundary.
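Added example, not part of the original page: a small check that reads an fstab (or /proc/mounts, which has the same column layout and shows the options actually in effect) and lists which of the required mount options each mount point lacks. The fstab content is a constructed sample, and the policy of requiring noexec, nosuid and nodev on /var, /tmp and /home is an assumption that goes beyond the /var case in the text; the function names are likewise assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): report mount options that are
# missing from an fstab entry, for the noexec/nosuid hardening described above.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample fstab: /var has noexec only, /home has nosuid,nodev only,
# /tmp has nothing.
cat > "$WORK/fstab" <<'EOF'
# <device>      <mount point>   <type>  <options>               <dump> <pass>
/dev/sda1       /               ext3    defaults                1 1
/dev/sda2       /boot           ext3    defaults                1 2
/dev/sdc1       /var            ext3    defaults,noexec         1 2
/dev/sdb1       /home           ext3    defaults,nosuid,nodev   1 2
tmpfs           /tmp            tmpfs   defaults                0 0
EOF

# Option string for mount point $1 in fstab-format file $2 (empty if absent).
mount_options() {
    awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { print $4 }' "$2"
}

# Options from the required list $3 (space separated) that mount point $1
# lacks in file $2, in the order given; prints "absent" if the mount point
# has no entry at all, and an empty line if nothing is missing.
missing_options() {
    opts=$(mount_options "$1" "$2")
    [ -n "$opts" ] || { echo absent; return; }
    miss=""
    for o in $3; do
        case ",$opts," in
            *",$o,"*) ;;
            *) miss="$miss${miss:+ }$o" ;;
        esac
    done
    echo "$miss"
}

for mp in /var /tmp /home /opt; do
    echo "$mp: missing: $(missing_options "$mp" "$WORK/fstab" "noexec nosuid nodev")"
done
```

Running the same functions against /proc/mounts instead of /etc/fstab confirms that a remount actually applied the option, which the fstab alone cannot tell you.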
3. Lock system files that should not be changed
Use the +i (immutable) attribute to lock the services, passwd and grub.conf files (while /etc/passwd is locked, users cannot be added normally)
# chattr +i /etc/services /etc/passwd /boot/grub/grub.conf
Remove the +i lock attribute from the /etc/passwd file
# lsattr /etc/passwd // view the file's attribute status
# chattr -i /etc/passwd
Applications and services
1. Disable unnecessary system services
2. Prohibit ordinary users from executing the scripts in the init.d directory
# chmod -R o-rwx /etc/init.d
Or
# chmod -R 750 /etc/init.d
3. Prohibit ordinary users from running console programs
Each file in the /etc/security/console.apps/ directory corresponds to a system program. If ordinary users should not be able to invoke these console programs, remove the corresponding configuration files; archiving them first keeps a copy that can be restored.
# cd /etc/security/console.apps/
# tar jcpvf /etc/conhlp.pw.tar.bz2 poweroff halt reboot --remove-files
4. Remove unnecessary set-uid or set-gid permissions from program files
Find the files on the system that have the set-uid or set-gid bit set, and display their detailed permission attributes with the -exec option.
# find / -type f -perm /6000 -exec ls -lh {} \; // older versions of find spell this test -perm +6000
Remove the suid/sgid bits from a program file
# chmod a-s /tmp/back.vim
Write a shell script that checks for program files with newly added suid or sgid bits.
(1) While the system is in a clean state, create a list of the legitimate suid/sgid files, against which to check whether there are new suspicious suid
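As an added example (not the page's own script), the following implements the baseline-and-compare check that step (1) begins: build a sorted list of set-id files while the system is clean, then report any set-id file that is not on the list. It runs on a constructed temporary directory tree instead of / so that it can be tried without root; the function names and the location of the baseline file are assumptions. On a real host, pass / and keep the baseline somewhere ordinary users cannot write, such as /root.

```shell
#!/bin/sh
# Added example (not from the original page): baseline and compare suid/sgid
# files so that newly added set-id binaries stand out.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Sorted list of suid/sgid regular files under tree $1, written to file $2.
# -perm /6000 matches either bit; older find versions spell it -perm +6000.
build_baseline() {
    find "$1" -type f -perm /6000 2>/dev/null | sort > "$2"
}

# Files with suid/sgid bits under tree $1 that are not in baseline $2,
# one per line (comm needs both inputs sorted; empty output means nothing new).
check_new() {
    find "$1" -type f -perm /6000 2>/dev/null | sort | comm -13 "$2" -
}

# Same result as one space-separated line relative to the tree, for callers.
new_setid_files() {
    check_new "$1" "$2" | sed "s|^$1/||" | tr '\n' ' ' | sed 's/ $//'
}

# Constructed "clean" tree: two legitimate set-id binaries and one plain one.
TREE="$WORK/tree"
mkdir -p "$TREE/bin" "$TREE/tmp"
: > "$TREE/bin/passwd"; chmod 4755 "$TREE/bin/passwd"
: > "$TREE/bin/wall";   chmod 2755 "$TREE/bin/wall"
: > "$TREE/bin/ls";     chmod 0755 "$TREE/bin/ls"

build_baseline "$TREE" "$WORK/suid.baseline"

# Later, a setuid copy of a program appears in a world-writable directory,
# the kind of file the chmod a-s step above is meant to strip.
: > "$TREE/tmp/back.vim"; chmod 4755 "$TREE/tmp/back.vim"

echo "new suid/sgid files: $(new_setid_files "$TREE" "$WORK/suid.baseline")"
```

The check only detects additions; a baseline entry whose bits are removed, or a file in the baseline that is replaced by a different binary with the same path, is not reported, so pair it with a checksum-based integrity check for the files that legitimately stay set-id.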