This document is intended to guide system administrators and security auditors in checking and hardening the security compliance of a Linux operating system.

1. Accounts and Passwords

1.1 Disabling or Deleting Unnecessary Accounts

This section describes how to disable or delete unnecessary accounts to reduce security risks.

steps

Run the userdel <username> command to delete an unnecessary account.
Run the passwd -l <username> command to lock an unnecessary account.
Run the passwd -u <username> command to unlock an account that is needed again.

1.2 Checking Special Accounts

Check whether there are accounts with an empty password or with root (UID 0) privileges.

steps

To check for abnormal accounts:
Run the awk -F: '($2=="")' /etc/shadow command to list accounts whose password field is empty.
Run the awk -F: '($3==0)' /etc/passwd command to list accounts whose UID is 0.
Hardening empty-password accounts: run the passwd <username> command to set a password for each account found with an empty password. Ensure that root is the only account whose UID is 0.

1.3 Adding a Password Policy

Strengthen password complexity and aging requirements to reduce the possibility of passwords being guessed.

steps

Run the vi /etc/login.defs command to modify the configuration file:

PASS_MAX_DAYS 90 # Maximum number of days a password may be used
PASS_MIN_DAYS 0 # Minimum number of days allowed between password changes
PASS_WARN_AGE 7 # Number of days of warning given before a password expires

These defaults apply only to accounts created after the change. For existing users, run the chage command to modify their settings. For example, chage -m 0 -M 30 -E 2000-01-01 -W 7 <username> sets the maximum number of days the password may be used to 30, the minimum number of days between password changes to 0, and the expiry date (-E) to January 1, 2000; the user is warned seven days before the password expires.

To lock an account for five minutes after three consecutive wrong passwords, run the vi /etc/pam.d/common-auth command to modify the configuration file and add auth required pam_tally.so onerr=fail deny=3 unlock_time=300 to it. Note: on Red Hat-based systems the file is /etc/pam.d/system-auth, and distributions that have replaced pam_tally with pam_tally2 or pam_faillock need the corresponding module line instead.
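The checks in sections 1.2 and 1.3 can be combined into one audit script. The following is an added example, not part of the original guide; it uses the same awk field logic, but reads passwd/shadow-format text from its arguments so it runs offline on the constructed samples below (on a live host, run it as root and pass "$(cat /etc/shadow)" and "$(cat /etc/passwd)").

```shell
#!/bin/sh
# Added audit helper (not from the original guide): applies the section 1.2
# checks (empty password field, extra UID-0 accounts) and the section 1.3
# PASS_MAX_DAYS limit to passwd/shadow-format text passed as arguments.

# Constructed /etc/shadow sample: "guest" has an empty password field,
# "daemon" and "backup" are locked, "alice" already complies with 90 days.
SAMPLE_SHADOW='root:$6$saltsalt$hashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
backup:!:19000:0:99999:7:::
alice:$6$saltsalt$otherhash:19000:0:90:7:::'

# Constructed /etc/passwd sample: "toor" is a second UID-0 account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Login names whose shadow password field (field 2) is empty.
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '($2 == "") {print $1}'
}

# Login names with UID 0 (passwd field 3) other than root.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '($3 == 0 && $1 != "root") {print $1}'
}

# Login names whose maximum password age (shadow field 5) is unset or above
# the limit given as the second argument. Locked accounts ("*" or "!...")
# cannot authenticate with a password, so they are skipped.
overage_password_accounts() {
    printf '%s\n' "$1" | awk -F: -v max="$2" \
        '($2 != "*" && $2 !~ /^!/) && ($5 == "" || $5 > max) {print $1}'
}

# Prints the total number of findings (details go to stderr);
# a non-zero count means the host does not meet section 1.
audit_findings() {
    n=0
    for name in $(empty_password_accounts "$1") \
                $(extra_uid0_accounts "$2") \
                $(overage_password_accounts "$1" "$3"); do
        echo "finding: $name" >&2
        n=$((n + 1))
    done
    echo "$n"
}
```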

1.4 Limiting User su

Limit the users who can su to root.

steps

Run the vi /etc/pam.d/su command to modify the configuration file and add the restricting line. For example, if only users in group test are allowed to su to root, add auth required pam_wheel.so group=test.

1.5 Disabling Direct Login of the root User

This section describes how to disable direct login of the root user.

steps

First create an ordinary (non-root) account and set its password, so that remote login remains possible after root login is disabled. Run the vi /etc/ssh/sshd_config command to change the value of PermitRootLogin to no and save the configuration file. Then run the service sshd restart command to restart the service.

2. Services

2.1 Disabling Unnecessary Services

Disable unnecessary services, such as common services and xinetd services, to reduce risks.

steps

Run the systemctl disable <service name> command to disable automatic startup of the service.

Note: On some older versions of Linux (such as CentOS 6), run the chkconfig --level <init level> <service name> off command to disable service startup at the specified init level.

2.2 SSH Service Security

This section describes how to harden the SSH service to prevent brute-force cracking.

steps

Run the vim /etc/ssh/sshd_config command to edit the configuration file.

Do not allow the root account to log in to the system directly: set PermitRootLogin to no.
Use only SSH protocol version 2: set Protocol to 2. (OpenSSH 7.4 and later no longer support protocol version 1 at all, so on those releases this line is harmless but has no effect.)
Reduce the maximum number of authentication attempts allowed per connection (default: 6): set MaxAuthTries to 3.

After the configuration file is modified, restart the sshd service for the changes to take effect.
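A compliance check for the three settings above, as an added example that is not part of the original guide. It resolves each keyword the way sshd does (first uncommented match wins, keyword names are case-insensitive, and "Key=value" is accepted), and reads the configuration text from an argument so the constructed weak and hardened samples can be checked offline; on a live host pass "$(cat /etc/ssh/sshd_config)". Match blocks are not handled.

```shell
#!/bin/sh
# Added check (not from the original guide) for the section 2.2 sshd settings.

# Constructed sample: PermitRootLogin and MaxAuthTries are only present as
# comments, so sshd falls back to its built-in defaults (MaxAuthTries 6).
WEAK_CONFIG='#PermitRootLogin prohibit-password
Protocol 2
#MaxAuthTries 6
PasswordAuthentication yes'

# Constructed sample after the hardening steps have been applied.
HARDENED_CONFIG='PermitRootLogin no
Protocol 2
MaxAuthTries 3
PasswordAuthentication yes'

# Print the effective value of a keyword: skip comments and blank lines,
# accept "Key value" or "Key=value", and stop at the first match.
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { line = $0; sub(/^[ \t]+/, "", line); gsub(/=/, " ", line)
          split(line, f, "[ \t]+") }
        tolower(f[1]) == tolower(key) { print f[2]; exit }'
}

# Return 0 when all three settings comply; otherwise print one FAIL line
# per non-compliant setting and return 1.
sshd_check() {
    cfg="$1"; rc=0
    [ "$(sshd_effective "$cfg" PermitRootLogin)" = "no" ] ||
        { echo "FAIL: PermitRootLogin must be no"; rc=1; }
    [ "$(sshd_effective "$cfg" Protocol)" = "2" ] ||
        { echo "FAIL: Protocol must be 2"; rc=1; }
    tries=$(sshd_effective "$cfg" MaxAuthTries)
    [ -n "$tries" ] && [ "$tries" -le 3 ] 2>/dev/null ||
        { echo "FAIL: MaxAuthTries must be set to 3 or less"; rc=1; }
    return $rc
}
```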

3. File System

3.1 Setting the umask Value

Set the default umask value to enhance security.

steps

Run the vi /etc/profile command to modify the configuration file and add umask 027. With this value, the owner of a newly created file has read, write and execute permissions, users in the file's group have read and execute permissions, and other users have no permissions.

3.2 Setting the Login Timeout

This section describes how to set the login timeout period to enhance security.

steps

Run the vi /etc/profile command to modify the configuration file and change the commented-out line starting with TMOUT= to TMOUT=180, that is, an idle session timeout of 3 minutes.

4. Logs

4.1 syslogd Logs

Enable and configure the logging function.

steps

The following types of logs are enabled by default in Linux:

System log (default): /var/log/messages
Cron log (default): /var/log/cron
Security log (default): /var/log/secure

Note: Some systems use syslog-ng instead; its configuration file is /etc/syslog-ng/syslog-ng.conf.

You can configure detailed logging as required.

4.2 Recording Login and Operation Logs of All Users

This section uses a script to record the login and command history of all users, so that they can be queried after a security event occurs.

steps

1. Open the configuration file:

[root@xxx /]# vim /etc/profile

2. Enter the following in the configuration file:

# Per-user shell history logging
USER=`whoami`
# Source address of the login session (empty for local console logins)
USER_IP=`who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]; then
    USER_IP=`hostname`
fi
# Top-level history directory; world-writable so any user's login can create its subdirectory
if [ ! -d /var/log/history ]; then
    mkdir /var/log/history
    chmod 777 /var/log/history
fi
# One subdirectory per login name; write and search only, so the user cannot list its contents
if [ ! -d /var/log/history/${LOGNAME} ]; then
    mkdir /var/log/history/${LOGNAME}
    chmod 300 /var/log/history/${LOGNAME}
fi
export HISTSIZE=4096
DT=`date +"%Y%m%d_%H:%M:%S"`
# A separate history file per session, named after the user, source address and login time
export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT"
# Tighten permissions on any existing history files in the user's directory
chmod 600 /var/log/history/${LOGNAME}/*history* 2>/dev/null

3. Reload the configuration for it to take effect:

[root@xxx /]# source /etc/profile

Note: the /var/log/history log location can be customized.

Under the /var/log/history directory, a folder is created for each user. Each time a user logs out, a log file named with the user name, login IP address and login time is written, containing all commands run by the user (except the root user). Because the recording relies on the shell's own HISTFILE mechanism, which a user can unset or clear in their session, treat these files as a convenience record rather than a tamper-proof audit trail; the kernel audit subsystem (auditd) is the tool for the latter.