Linux system Security Configuration baseline

Source: Internet
Author: User

1: Shared account check
Configuration name: User account allocation check; avoid shared accounts.
Configuration requirements:
  1. The system must allocate accounts according to its actual users.
  2. Avoid sharing accounts between different users, and avoid sharing the accounts used for communication between users and servers.
Operation guide:
  Reference operation: cat /etc/passwd to view all current users.
Check method:
  Run cat /etc/passwd to view the information for all current users, and confirm with the administrator whether any shared accounts exist.
Configuration method:
  To create a user, refer to the following:
    # useradd username   # create the account
    # passwd username    # set the password
  Use these commands to allocate a separate account to each user, each with its own password and permissions.
Applicable versions: Linux Redhat AS 3, Linux Redhat AS 4
2: Excess account lockout policy
Configuration name: Lockout policy for excess accounts.
Configuration requirements: Accounts unrelated to the operation and maintenance of the device should be locked.
Operation guide:
  Reference operation: view locked users with cat /etc/passwd and check which accounts have nologin in the shell field.
Check method:
  Manual check: after # cat /etc/passwd, the excess accounts have nologin in the shell field: compliant.
  BVS baseline check: the excess accounts are in the locked state: compliant.
Configuration method:
  Lock users: edit /etc/passwd and set the shell field of the users to be locked to nologin, or lock the account with # passwd -l username.
  Only users with superuser privileges can lock a user with # passwd -l username; after unlocking with # passwd -d username the original password is invalidated and a new password must be entered to log in.
Supplementary notes: In general, the users that need to be locked are: lp, nuucp, hpdb, www, demon.
Applicable versions: Linux Redhat AS 3, Linux Redhat AS 4
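A constructed audit script, added here and not part of the original baseline, that applies the checks of sections 1 and 2 to a sample /etc/passwd: it lists accounts that still have an interactive shell, accounts sharing UID 0 (a common form of shared privileged account), and the accounts the page says should normally be locked but are not. The passwd content is constructed; on a real host pass /etc/passwd instead.

```shell
#!/bin/sh
# Constructed sample of /etc/passwd (not taken from any real system).
PASSWD_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
www:x:80:80:www:/var/www:/bin/bash
alice:x:500:500:alice:/home/alice:/bin/bash
ops:x:0:0:shared admin account:/root:/bin/bash
EOF

# Accounts whose shell field is not nologin/false, i.e. still able to log in.
login_capable_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Accounts with UID 0: more than one means root privilege is shared.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts from the page's list (lp, nuucp, hpdb, www, demon) that are not locked.
unlocked_service_accounts() {
    awk -F: -v list="lp nuucp hpdb www demon" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Run against the sample (replace $PASSWD_SAMPLE with /etc/passwd on a real host).
echo "login-capable:"; login_capable_accounts "$PASSWD_SAMPLE"
echo "uid 0:"; uid0_accounts "$PASSWD_SAMPLE"
echo "should be locked but are not:"; unlocked_service_accounts "$PASSWD_SAMPLE"
```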
3: Root account remote login restrictions
Configuration name: Restrict remote login of the root account.
Configuration requirements:
  1. Restrict remote login by users with superuser privileges.
  2. To perform administrator operations remotely, first log in remotely as an ordinary user and then switch to the superuser account.
Operation guide: Attempt a remote login with the root account.
Check method:
  1. Remote login as root fails with the prompt "Not on system console".
  2. An ordinary user can log in successfully and can switch to the root user.
Configuration method: Edit /etc/ssh/sshd_config, change PermitRootLogin yes to PermitRootLogin no, and restart the sshd service.
Applicable versions: Linux Redhat AS 3, Linux Redhat AS 4
4: Password complexity policy
Configuration name: Operating system password complexity policy.
Configuration requirements: The password is at least 12 characters long and includes digits, lowercase letters, uppercase letters and special symbols.
Operation guide:
  1. Reference operation: # cat /etc/pam.d/system-auth, locate the configuration section for the password module interface and find a line similar to:
       password requisite /lib/security/$ISA/pam_cracklib.so minlen=6
  2. Supplementary notes: the parameters are as follows:
     1. retry=N: the number of times the user is allowed to retry when setting a password.
     2. minlen=N: the minimum password length; in the default configuration this parameter actually represents a minimum length of N-1.
     3. dcredit=N: when N < 0, the new password must contain at least (-N) digits; for example, dcredit=-2 requires at least two digits.
     4. ucredit=N: when N < 0, the new password must contain at least (-N) uppercase characters.
     5. lcredit=N: when N < 0, the new password must contain at least (-N) lowercase characters.
     6. ocredit=N: when N < 0, the new password must contain at least (-N) special characters.
Check method: # cat /etc/pam.d/system-auth and check the parameters described in the operation guide:
  - minimum password length of at least 12 characters;
  - minimum number of digits the password must contain;
  - minimum number of alphabetic characters the password must contain.
  The results of the above 4 sub-items are combined to determine whether this item is satisfied.
Configuration method: # vi /etc/pam.d/system-auth, locate the configuration section for the password module interface and modify the corresponding properties according to the configuration requirements.
Applicable versions: Linux Redhat AS 4
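An added checker, not part of the original baseline, that evaluates a pam_cracklib line against this section's policy: minlen at least 12 and each of dcredit, ucredit, lcredit and ocredit at or below -1 (pam_cracklib's default credit of 1 means the character class is not required). The two input lines are constructed; the page's own example line is the weak one.

```shell
#!/bin/sh
# Evaluate one pam_cracklib line against the page's policy: minlen >= 12 and at
# least one digit, uppercase, lowercase and special character (each *credit <= -1).
cracklib_check() {
    printf '%s\n' "$1" | awk '
        /pam_cracklib\.so/ {
            found = 1; minlen = 0; d = 1; u = 1; l = 1; o = 1   # module defaults
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "minlen")  minlen = kv[2] + 0
                if (kv[1] == "dcredit") d = kv[2] + 0
                if (kv[1] == "ucredit") u = kv[2] + 0
                if (kv[1] == "lcredit") l = kv[2] + 0
                if (kv[1] == "ocredit") o = kv[2] + 0
            }
            ok = (minlen >= 12 && d <= -1 && u <= -1 && l <= -1 && o <= -1)
            printf "minlen=%d dcredit=%d ucredit=%d lcredit=%d ocredit=%d -> %s\n",
                   minlen, d, u, l, o, (ok ? "PASS" : "FAIL")
        }
        END { if (!found) print "no pam_cracklib line found -> FAIL" }'
}

# Constructed lines: the page's example (minlen=6) and a compliant replacement.
WEAK='password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=6'
STRONG='password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1'

cracklib_check "$WEAK"
cracklib_check "$STRONG"
# On a real host: cracklib_check "$(grep pam_cracklib /etc/pam.d/system-auth)"
```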
5: Password maximum lifetime policy
Configuration name: Password maximum lifetime policy.
Configuration requirements: The maximum lifetime of operating system account passwords must not exceed 90 days.
Operation guide: # cat /etc/login.defs and check the configuration items, where:
  PASS_MAX_DAYS sets the maximum password lifetime;
  PASS_MIN_DAYS sets the minimum password lifetime;
  PASS_WARN_AGE sets the expiry warning period.
Check method: PASS_MAX_DAYS less than or equal to 90: compliant. The current value of the item "for devices using static password authentication, the account password lifetime is not longer than 90 days" is the current password lifetime.
Configuration method: vi /etc/login.defs and set PASS_MAX_DAYS to 90 or less.
  Note: PASS_MAX_DAYS in /etc/login.defs applies to accounts created afterwards; existing accounts keep their current ageing values (see chage).
Applicable versions: Linux Redhat AS 3, Linux Redhat AS 4
6: System key directory permissions control
Configuration name: Key directory permissions control.
Configuration requirements: Configure critical directories with the minimum permissions the security requirements allow, focusing on the permissions of the password file, shadow file and group file. Current mainstream Linux versions set the necessary permissions on these important files by default; day-to-day administration should avoid changing them, and the permissions should be checked and reviewed regularly to ensure they are set correctly.
Operation guide: View the permissions of the critical files with the reference commands:
  ls -l /etc/passwd
  ls -l /etc/shadow
  ls -l /etc/group
Check method: Verify with the administrator that the permissions are minimal.
Configuration method: Reference operation: the permissions are set with the chmod command.
Supplementary notes:
  /etc/passwd: readable by all users, writable by root (-rw-r--r--). Configuration command: chmod 644 /etc/passwd
  /etc/shadow: readable only by root (-r--------). Configuration command: chmod 400 /etc/shadow
  /etc/group: must be readable by all users, writable by root (-rw-r--r--). Configuration command: chmod 644 /etc/group
  If group or other users have write permission, remove it (except in special cases) with: # chmod -R go-w,o-r /etc
  Note that the o-r part of that command also removes world read access from files such as /etc/passwd and /etc/group, which the lines above require to stay world-readable; apply it selectively rather than to all of /etc.
Applicable versions: Linux Redhat AS 3, Linux Redhat AS 4
7: User default permissions control
Configuration name: User default permission control.
Configuration requirements: Control the default access permissions of users: when a new file or directory is created, the access permissions it should not have must be masked, preventing other users in the same group and users in other groups from modifying that user's files, or stricter.
Operation guide:
  1. # cat /etc/bashrc to view the global default umask value.
  2. View .bash_profile in each user's home directory for that user's umask.
Check method: A global default umask of 027 or more restrictive is compliant (where special permission needs exist, judge according to the actual situation); check each user's umask following the principle of least privilege.
Configuration method: Reference operation:
  Per-user setting: edit the .bash_profile script in the user's home directory, for example by adding the line umask 027; where stricter permissions are required, 077 is recommended.
  Global default: the default umask for all users is set by the global script /etc/bashrc; editing that script changes the default umask globally. A umask of 027 or more restrictive is generally recommended; where stricter permissions are required, 077 is recommended.
Applicable versions: Linux Redhat AS 3, Linux Redhat AS 4
8: Security log completeness requirements
Operation guide:
  1. cat /etc/syslog.conf to check whether the corresponding configuration exists.
  2. # cat /var/log/secure to check whether the corresponding records exist.
Check method:
  1. cat /etc/syslog.conf and confirm the corresponding configuration exists.
  2. View /var/log/secure; the required device-related security events should be recorded there.
Configuration method: Edit the configuration file with vi /etc/syslog.conf and add a statement similar to:
  authpriv.*    /var/log/secure
  which defines the device-related security events to be saved.
Applicable versions: Linux Redhat AS 3, Linux Redhat AS 4
9: Unified remote log server configuration
Configuration name: Unified remote log server configuration.
Configuration requirements: The system should be configured with remote logging so that the log content of particular concern is transmitted to a log server for backup.
Operation guide: # cat /etc/syslog.conf to check whether the corresponding configuration exists.
Check method: A remote log server is configured: compliant.
Configuration method:
  1. Reference operation: edit the configuration file with vi /etc/syslog.conf and add the line:
       *.*    @192.168.0.1
     "*.*" can be replaced with the log facilities you actually need, for example kern.* or mail.*; 192.168.0.1 can be replaced with the actual IP address or domain name. Then restart the syslog service:
       service syslogd restart
  2. Supplementary note: the separator between *.* and @ is a single Tab.
Applicable versions: Linux Redhat AS 3, Linux Redhat AS 4
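An added check for sections 8 and 9, not part of the original baseline: it parses a constructed syslog.conf, confirms the authpriv.* line for /var/log/secure, lists the remote log hosts, and flags lines whose selector and action are separated only by spaces rather than the Tab the page requires. The file content is constructed.

```shell
#!/bin/sh
# Constructed /etc/syslog.conf: two correct Tab-separated lines and one line
# where selector and action are separated only by spaces (the page's caveat).
SYSLOG_SAMPLE=$(mktemp)
printf 'authpriv.*\t/var/log/secure\n*.*\t@192.168.0.1\nkern.* @10.0.0.5\n' > "$SYSLOG_SAMPLE"

# Does the file save authpriv events to /var/log/secure (section 8)?
has_secure_log() {
    awk -F'\t' '$1 == "authpriv.*" && $2 == "/var/log/secure" { f = 1 } END { exit !f }' "$1"
}

# Remote log hosts declared with the required Tab separator (section 9).
syslog_remote_hosts() {
    awk -F'\t' '$2 ~ /^@/ { print substr($2, 2) }' "$1"
}

# Non-comment lines that contain no Tab at all: classic syslogd may not honour them.
syslog_space_separated() {
    awk '!/^#/ && NF >= 2 && !/\t/ { print NR ": " $0 }' "$1"
}

has_secure_log "$SYSLOG_SAMPLE" && echo "authpriv -> /var/log/secure: present"
echo "remote hosts:"; syslog_remote_hosts "$SYSLOG_SAMPLE"
echo "space-separated lines to fix:"; syslog_space_separated "$SYSLOG_SAMPLE"
# On a real host pass /etc/syslog.conf instead of $SYSLOG_SAMPLE.
```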
10: Set the history timestamp
Configuration name: Set the history timestamp.
Configuration requirements: Configure a timestamp for history to facilitate auditing.
Operation guide: # cat /etc/bashrc to check whether the corresponding configuration exists.
Check method: A line such as export HISTTIMEFORMAT="%F %T " has been added: compliant.
Configuration method: Reference operation: add the following line to /etc/bashrc:
  export HISTTIMEFORMAT="%F %T "
Applicable versions: Linux Redhat AS 4
11: SSH Login Configuration
Configuration name: SSH Login Configuration requirements: The system should be configured to use SSH and other encryption protocols for remote login maintenance, and secure configuration of sshd settings. Do not use telent for remote login maintenance. Operation Guide:1. Check the status of SSH service:# Ps–elf|grep SSH;2. Check the status of Telnet service:# Ps–elf|grep Telnet. Check method:1, can not use Telnet for remote maintenance;2, should use SSH for remote maintenance;3, SSH configuration to meet the following requirements; Protocol2 #使用ssh2版本 x11forwarding yes  #允许窗口图形传输使用ssh加密 Ignorerhosts yes #完全禁止SSHD使用. rhosts file rhostsauthentication no  #不设置使用基于rhosts的安全验证 rhostsrsaauthentication no # Rhosts-based security verification using the RSA algorithm is not set hostbasedauthentication no  #不允许基于主机白名单方式认证 Permitrootlogin no  #不允许root登录 permitemptypasswords No  #不允许空密码 banner/etc/motd  #设置ssh登录时显示的banner  4, the above conditions are met for compliance. Configuration method:  1, reference configuration operation edit Sshd_config, add related settings, sshd related security settings options refer to the description in the check method.  2, supplemental instructions view SSH service status: # ps–elf|grep ssh applicable version: Linux Redhat as Span class= "Hljs-number" >4             
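An added checker for sections 3 and 11, not part of the original baseline: it reads a constructed sshd_config and compares the effective value of each keyword the page requires with the required value. It follows sshd's own rules (the first occurrence of a keyword wins and keywords are case-insensitive), so a compliant PermitRootLogin no placed after an earlier PermitRootLogin yes is correctly reported as a finding. The keyword list is the page's; RhostsAuthentication and RhostsRSAAuthentication exist only in the older OpenSSH shipped with these RHEL releases.

```shell
#!/bin/sh
# Constructed sshd_config with several deviations from the page's required values.
SSHD_SAMPLE=$(mktemp)
cat > "$SSHD_SAMPLE" <<'EOF'
# constructed sample, not a real server's file
Protocol 2,1
PermitRootLogin yes
PermitEmptyPasswords no
IgnoreRhosts yes
HostbasedAuthentication no
X11Forwarding yes
Banner /etc/motd
PermitRootLogin no
EOF

# Effective value of a keyword: sshd takes the first occurrence, keywords are case-insensitive.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# Compare each setting the page requires (sections 3 and 11) with the effective value.
sshd_baseline_findings() {
    for pair in protocol=2 x11forwarding=yes ignorerhosts=yes \
                rhostsauthentication=no rhostsrsaauthentication=no \
                hostbasedauthentication=no permitrootlogin=no \
                permitemptypasswords=no banner=/etc/motd; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sshd_effective "$1" "$key")
        [ "$have" = "$want" ] || echo "$key: have '${have:-<unset>}', want '$want'"
    done
}

sshd_baseline_findings "$SSHD_SAMPLE"
# On a real host: sshd_baseline_findings /etc/ssh/sshd_config
```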
12: Turn off unnecessary system services
Configuration name: Turn off unnecessary system service configuration requirements: Turn off unneeded system services based on the different roles of each machine. The service items in the Operations Guide provide references to modify the startup items based on the role and application of the server. If no special needs, should be closed SendMail, Telnet, bind and other services. Operations Guide: Execute commands #chkconfig--list to see which services are open. Check method: Verify with the administrator that the useless service has been turned off configuration method:  1, reference configuration actions use the following methods to disable unnecessary services  #se Rvice < service name > Stop  #chkconfig--level 35 off  2, reference description Linux/unix system services, some services have a high security risk, should be disabled, including: "LPD", this service is a line printer daemon, for spool printing work of the Unix daemon, this service usually does not , it is recommended to disable; "Telnet", this service uses plaintext to transmit data, login information is easy to be stolen, it is recommended to use SSH instead; "Routed", this service is the routing waiting process, using dynamic RIP routing protocol, it is recommended to disable; "SendMail", this service is the Mail Service daemon, The non-mail server should turn it off; "Bluetooth", this service is Bluetooth service, if you do not need Bluetooth service should be closed; "Identd", this service for AUTH services, in the provision of user information and finger similar to, in general, the service is not necessary, it is recommended to close; "XFS" , this service is the font service for X window in Linux, and there are vulnerabilities such as information disclosure and denial of service in the history of the service that should reduce system risk, R service ("Rlogin", "rwho", "Rsh", "rexec"), there are serious security flaws in R service design, Available only for easy access between trusted hosts in a 
closed environment, must be disabled under other circumstances, INETD/XINETD-based services (daytime, Chargen, ECHO, etc.), which are recommended for disabling. Applicable version: Linux Redhat as  3, Linux Redhat as 4    
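An added example, not part of the original baseline, that turns this section's disable list into a check: it parses chkconfig --list output in the RHEL format (constructed here) and prints the listed services that are enabled in runlevel 3 or 5, plus enabled xinetd-managed services from the same list. The remediation commands from the configuration method are noted at the end.

```shell
#!/bin/sh
# Constructed chkconfig --list output in the RHEL format (not from a real host).
CHKCONFIG_SAMPLE=$(mktemp)
cat > "$CHKCONFIG_SAMPLE" <<'EOF'
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:off   3:off   4:off   5:off   6:off
xfs             0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        daytime:        on
        echo-udp:       off
        telnet:         on
EOF

# Print services from the page's disable list that are enabled in runlevel 3 or 5,
# and enabled xinetd-managed services from the same list.
flag_risky_services() {
    awk -v list="lpd telnet routed sendmail bluetooth identd xfs rlogin rsh rexec rwho daytime chargen echo" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
        /xinetd based services:/ { inet = 1; next }
        inet { name = $1; sub(/:$/, "", name)
               if ($2 == "on" && (name in risky)) print name " (xinetd)"; next }
        { on = 0
          for (i = 2; i <= NF; i++) if ($i == "3:on" || $i == "5:on") on = 1
          if (on && ($1 in risky)) print $1 }' "$1"
}

flag_risky_services "$CHKCONFIG_SAMPLE"
# On a real host: chkconfig --list > /tmp/chk.txt; flag_risky_services /tmp/chk.txt
# Then for each reported name: service <name> stop; chkconfig --level 35 <name> off
```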
13: Disable the Control-Alt-Delete keyboard shutdown command
Configuration name: Disable the Control-Alt-Delete keyboard shutdown command.
Configuration requirements: Restarting the server with the Control-Alt-Delete key combination should be disabled to prevent accidental operation.
Operation guide: Run cat /etc/inittab and view the configuration.
Check method: /etc/inittab contains "#ca::ctrlaltdel:/sbin/shutdown -t3 -r now": compliant.
Configuration method:
  1. Reference operation: in /etc/inittab, comment out the following line (with #):
       ca::ctrlaltdel:/sbin/shutdown -t3 -r now
     so that it becomes:
       #ca::ctrlaltdel:/sbin/shutdown -t3 -r now
     To make the change take effect, run:
       # /sbin/init q
  2. Supplementary note: disabling Ctrl-Alt-Del means that pressing Ctrl-Alt-Del directly on the console can no longer restart the computer.
Applicable versions: Linux Redhat AS 4
14: Install operating system update patches
Configuration name: Install operating system update patches.
Configuration requirements: Install operating system update patches to fix system vulnerabilities.
Operation guide:
  1. Check the current system patch version.
  2. Check on the vendor's official site whether a security update has been released for the current system version.
Check method: The version should be kept up to date.
Configuration method: Download the patch packages from https://rhn.redhat.com/errata/: on the page that opens, select the system matching the one in use, click the link to enter the patch package download list and select the patches needed. The downloaded patches are rpm packages; copy the package to the target system, install it with rpm -ivh xxx.rpm, then restart the system and check that the services or applications covered by the patch run normally, which completes the patch installation and upgrade.
Applicable versions: Linux Redhat AS 3, Linux Redhat AS 4
