The last section of the Linux system security performance check notes has not been understood yet.
Note:
1. Account check
# less /etc/passwd
# grep ':0:' /etc/passwd
Watch for new users and for accounts whose UID and GID are 0.
2. Log check
Watch for "entered promiscuous mode".
Note:
Remote Procedure Call (rpc) programs with a log entry that includes a large number (> 20) strange characters (-^PM)
I have not understood this last one yet and have never come across it. Please give me some advice.
3. Process check
# ps aux
Pay attention to processes whose UID is 0.
# lsof -p <suspicious PID>
View the ports and files opened by the process.
4. File check
# find / -uid 0 -perm -4000 -print
# find / -size +10000k -print
# find / -name "..." -print
# find / -name ".. " -print
# find / -name ". " -print
# find / -name " " -print
Pay attention to SUID files, files larger than 10 MB, and files whose names are "...", "..", "." or a space.
5. RPM check
# rpm -Va
Output format:
S  file size differs
M  mode differs (permissions)
5  MD5 sum differs
D  device number mismatch
L  readLink path mismatch
U  user ownership differs
G  group ownership differs
T  modification time differs
Pay attention to /sbin, /bin, /usr/sbin and /usr/bin.
Check the MD5 sums when installing third-party files.
There will be a lot of "5" or "missing" messages during the run; if they are not in the directories above, do not pay too much attention to them.
6. Network check
# ip link | grep PROMISC
A normal NIC should not be in promiscuous mode, except on a security server. Otherwise, someone may have broken in and installed a sniffer.
# lsof -i
# netstat -nap
Check for TCP/UDP ports that are not normally open. Hey, you need to keep an eye on these at ordinary times; it seems I have never done this very well :)
# arp -a
This one is even more frightening. Does it mean that all the MAC addresses have to be documented first?
7. Scheduled task check
Pay attention to the scheduled tasks of root and of users with UID 0.
# crontab -u root -l
# cat /etc/crontab
# ls /etc/cron.*
Article from: linux.cn
Link: http://linux.cn/article-397-1.html
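The account, SUID-file and promiscuous-mode checks from sections 1, 4 and 6 above, as an added example that is not part of the original post or of the linux.cn article: three small shell functions that work on saved input (a passwd file, `ip link` output, a `find` listing), so they can be tried offline on the constructed sample data that follows. Function names and all sample values are assumptions made up for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post or the linux.cn article.
# Function names and all sample data below are constructed for illustration.

# Accounts with UID 0 or GID 0: compare passwd fields 3 and 4 exactly.
# grep ':0:' from the notes also matches ":0:" appearing in other fields.
uid0_accounts() {
    awk -F: '$3 == 0 || $4 == 0 { print $1 ":" $3 ":" $4 }' "$1"
}

# Interfaces whose flags include PROMISC, read from saved 'ip link' output.
promisc_ifaces() {
    awk '/^[0-9]+: / && /PROMISC/ { sub(/:$/, "", $2); print $2 }' "$1"
}

# SUID root files outside /bin, /sbin, /usr/bin and /usr/sbin, read from
# a saved 'find / -uid 0 -perm -4000 -print' listing; review these first.
odd_suid() {
    grep -Ev '^/(usr/)?s?bin/' "$1"
}

# --- constructed sample inputs (not real system output) ---
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
toor:x:0:1001:toor:/home/toor:/bin/bash
EOF
cat > "$SAMPLE/iplink" <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
EOF
cat > "$SAMPLE/suid" <<'EOF'
/usr/bin/passwd
/usr/bin/sudo
/bin/su
/tmp/.x/sh
EOF

echo "UID/GID 0 accounts:"; uid0_accounts "$SAMPLE/passwd"
echo "PROMISC interfaces:"; promisc_ifaces "$SAMPLE/iplink"
echo "SUID root files outside bin dirs:"; odd_suid "$SAMPLE/suid"
```

On a live host, feed the functions `/etc/passwd`, the output of `ip link`, and the output of the `find` command from section 4 instead of the sample files.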