CentOS 7 主机加固手册-上

CentOS 7 主机加固手册-中

CentOS 7 主机加固手册-下

0x0c 设置/boot/grub2/grub.cfg权限

Set grub.conf to chmod 600:

设置/boot/grub2/grub.cfg的权限为600

sudo chmod  /boot/grub2/grub.cfg 600 

0x0d 设置BootLoader密码

Grub2 BootLoader需要配置一个superuser并设置密码。创建一个superuser并放到/etc/grub.d里面,由于明文密码不安全,要使用grub2-mkpasswd-pbkdf2生成一个hash过得密码存储。

password_pbkdf2

0x0e grub2 superuser名字不应该是管理员的名字

grub2 superuser账号要避免使用常用的管理员用户名比如adminrootadministrator,要满足FISMA Moderate等级要求,BootLoader superuser的密码必须和root用户不一样。

grub2-mkconfig -o /boot/grub2/grub.cfg

不应该手工像grub.cfg里面添加超级用户

因为 执行grub2-mkconfig 会覆盖掉这个文件

0x0f 为单用户模式设置认证

vim /etc/sysconfig/init  

SINGLE=/sbin/sulogin

0x10 禁止Ctrl+Alt+Del快捷键重启

vim /etc/init/control-alt-delete.conf and modify the existing line:

exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

To:

exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"

0x11 启用Screen

Screen是一个可以在多个进程之间多路复用一个物理终端的窗口管理器。

sudo yum install screen

0x12 禁用 Zeroconf Networking

当系统无法连接DHCP server的时候,就会尝试通过ZEROCONF来获取IP。然后网卡将会被设置为 169.254.0.0段的地址,可以禁止这项功能。

echo "NOZEROCONF=yes" >> /etc/sysconfig/network

0x13 禁止IPv6自动启用

vim /etc/modprobe.d/disabled.conf 

options ipv6 disable=1

0x14 禁止网卡使用IPv6


vim /etc/sysconfig/network

NETWORKING_IPV6=no

IPV6INIT=no

0x15 禁止对 RPC IPv6的支持

像NFSv4这样的RPC 服务会尝试使用 IPv6 ,为了防止这种行为打开 /etc/netconfig 将下面两行注释掉

udp6       tpi_clts      v     inet6    udp     -       -

tcp6       tpi_cots_ord  v     inet6    tcp     -       -

0x16 配置安全地root登录

设置root只能从本地终端登录

echo "tty1" > /etc/securetty

chmod 700 /root

0x17 设置默认UMASK 值

perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/bashrc

perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/csh.cshrc

0x18 删除 Idle 用户

echo "Idle users will be removed after 15 minutes"

echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh

echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh

chmod +x /etc/profile.d/os-security.sh

0x19 加固 Cron

echo "Locking down Cron"

touch /etc/cron.allow

chmod 600 /etc/cron.allow

awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/cron.deny

echo "Locking down AT"

touch /etc/at.allow

chmod 600 /etc/at.allow

awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/at.deny

0x1a 加固Linux内核

vim /etc/sysctl.conf

net.ipv4.ip_forward = 0

net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.send_redirects = 0

net.ipv4.tcp_max_syn_backlog = 1280

net.ipv4.icmp_echo_ignore_broadcasts = 1

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.secure_redirects = 0

net.ipv4.conf.all.log_martians = 1

net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.default.secure_redirects = 0

net.ipv4.icmp_echo_ignore_broadcasts = 1

net.ipv4.icmp_ignore_bogus_error_responses = 1

net.ipv4.tcp_syncookies = 1

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

net.ipv4.tcp_timestamps = 0 

0x1b 禁止所有TCP Wrappers

TCP wrappers允许提供一种快捷方便的方法访问应用程序,比如

echo "ALL:ALL" >> /etc/hosts.deny

echo "sshd:ALL" >> /etc/hosts.allow

0x1c 基本的iptables防火墙规则

默认禁止全部入站,允许全部出站。

#Drop anything we aren't explicitly allowing. All outbound traffic is okay

*filter

:INPUT DROP [0:0]

:FORWARD DROP [0:0]

:OUTPUT ACCEPT [0:0]

:RH-Firewall-1-INPUT - [0:0]

-A INPUT -j RH-Firewall-1-INPUT

-A FORWARD -j RH-Firewall-1-INPUT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT

-A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

-A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

# Accept Pings

-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Log anything on eth0 claiming it's from a local or non-routable network

# If you're using one of these local networks, remove it from the list below

-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "

-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: "

-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "

-A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: "

-A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: "

-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "

# Accept any established connections

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept ssh traffic. Restrict this to known ips if possible.

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

#Log and drop everything else

-A RH-Firewall-1-INPUT -j LOG

-A RH-Firewall-1-INPUT -j DROP

COMMIT 

0x1c 启用 iptables

sudo systemctl enable iptables

systemctl start iptables.service 

0x1d 禁用异常协议

可以禁用如下协议:

  • Datagram Congestion Control Protocol (DCCP)
  • Stream Control Transmission Protocol (SCTP)
  • Reliable Datagram Sockets (RDS)
  • Transparent Inter-Process Communication (TIPC)
echo "install dccp /bin/false" > /etc/modprobe.d/dccp.conf

echo "install sctp /bin/false" > /etc/modprobe.d/sctp.conf

echo "install rds /bin/false" > /etc/modprobe.d/rds.conf

echo "install tipc /bin/false" > /etc/modprobe.d/tipc.conf

0x1e 安装并启用rsyslog

yum -y install rsyslog

systemctl enable rsyslog.service

systemctl start rsyslog.service

0x1f 配置Audit

开启Auditd审计服务

systemctl enable auditd.service

systemctl start auditd.service

Audit Processes Which Start Prior to auditd

在 /etc/grub.conf里面添加一行:

 kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1 

Auditd Number of Logs Retained

打开/etc/audit/auditd.conf添加:

num_logs = 5

Auditd 日志最大值

max_log_file = 30MB

Auditd max_log_file_action

vim /etc/audit/auditd.conf

max_log_file_action = rotate

Auditd space_left

Configure auditd to email you when space gets low, open /etc/audit/auditd.conf and modify the following:

vim  /etc/audit/auditd.conf

space_left_action = email

Auditd admin_space_left

Configure auditd to halt when auditd log space is used up, forcing the system admin to rectify the space issue.

On some systems where monitoring is less important another action could be leveraged.

admin_space_left_action = halt

Auditd mail_acct

When space gets low auditd can send a email notification via email, to configure this and the following line to /etc/audit/auditd.conf:

action_mail_acct = root

启用auditd  audispd 插件

Aduitd并不能将logs直接发送到外部日志服务器,需要通过audispd这个插件先将日志发送给本地syslog服务器。启用这个插件:编辑/etc/audisp/plugins.d/syslog.conf ,然后设置active=yes。然后重启audispd daemon:

sudo service auditd restart

配置Audit策略

vim /etc/audit/audit.rules 

# audit_time_rules - Record attempts to alter time through adjtime

-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules

# audit_time_rules - Record attempts to alter time through settimeofday

-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules

# audit_time_rules - Record Attempts to Alter Time Through stime

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime

-k audit_time_rules

# audit_time_rules - Record Attempts to Alter Time Through clock_settime

-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules

# Record Attempts to Alter the localtime File

-w /etc/localtime -p wa -k audit_time_rules

# Record Events that Modify User/Group Information

# audit_account_changes

-w /etc/group -p wa -k audit_account_changes

-w /etc/passwd -p wa -k audit_account_changes

-w /etc/gshadow -p wa -k audit_account_changes

-w /etc/shadow -p wa -k audit_account_changes

-w /etc/security/opasswd -p wa -k audit_account_changes

# Record Events that Modify the System's Network Environment

# audit_network_modifications

-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications

-w /etc/issue -p wa -k audit_network_modifications

-w /etc/issue.net -p wa -k audit_network_modifications

-w /etc/hosts -p wa -k audit_network_modifications

-w /etc/sysconfig/network -p wa -k audit_network_modifications

#Record Events that Modify the System's Mandatory Access Controls

-w /etc/selinux/ -p wa -k MAC-policy

#Record Events that Modify the System's Discretionary Access Controls - chmod

-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S chmod  -F auid>=500 -F auid!=4294967295 -k perm_mod

#Record Events that Modify the System's Discretionary Access Controls - chown

-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod

#Record Events that Modify the System's Discretionary Access Controls - fchmod

-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod

#Record Events that Modify the System's Discretionary Access Controls - fchmodat

-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod

#Record Events that Modify the System's Discretionary Access Controls - fchown

-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod

#Record Events that Modify the System's Discretionary Access Controls - fchownat

-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod

#Record Events that Modify the System's Discretionary Access Controls - fremovexattr

-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

#Record Events that Modify the System's Discretionary Access Controls - fsetxattr

-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

#Record Events that Modify the System's Discretionary Access Controls - lchown

-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod

#Record Events that Modify the System's Discretionary Access Controls - lremovexattr

-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

#Record Events that Modify the System's Discretionary Access Controls - lsetxattr

-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

#Record Events that Modify the System's Discretionary Access Controls - removexattr

-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod

#Record Events that Modify the System's Discretionary Access Controls - fchown

-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod

#Record Events that Modify the System's Discretionary Access Controls - fchownat

-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod

#Record Events that Modify the System's Discretionary Access Controls - fremovexattr

-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

#Record Events that Modify the System's Discretionary Access Controls - fsetxattr

-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

#Record Events that Modify the System's Discretionary Access Controls - removexattr

-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

#Record Events that Modify the System's Discretionary Access Controls - setxattr

-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

#Record Attempts to Alter Logon and Logout Events

-w /var/log/faillog -p wa -k logins

-w /var/log/lastlog -p wa -k logins

#Record Attempts to Alter Process and Session Initiation Information

-w /var/run/utmp -p wa -k session

-w /var/log/btmp -p wa -k session

-w /var/log/wtmp -p wa -k session

#Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)

-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access

-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access

-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

#Ensure auditd Collects Information on the Use of Privileged Commands

#

#  Find setuid / setgid programs then modify and uncomment the line below.

#

##  sudo find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null

#

# -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged

#Ensure auditd Collects Information on Exporting to Media (successful)

-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export

#Ensure auditd Collects File Deletion Events by User

-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

#Ensure auditd Collects System Administrator Actions

-w /etc/sudoers -p wa -k actions

#Ensure auditd Collects Information on Kernel Module Loading and Unloading

-w /sbin/insmod -p x -k modules

-w /sbin/rmmod -p x -k modules

-w /sbin/modprobe -p x -k modules

-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

#Make the auditd Configuration Immutable

-e 2

##Removal of Unrequired Services

CentOS 7 主机加固手册-中的更多相关文章

  1. CentOS 7 主机加固手册-下

      CentOS 7 主机加固手册-上 CentOS 7 主机加固手册-中 CentOS 7 主机加固手册-下 0x1f 删除禁用非必要的服务 删除非必要的服务 # Remove yum remove ...

  2. CentOS 7 主机加固手册-上

    TIPs: 世界上有一撮人专门研究主机安全加固基线,有兴趣的读者可以到 http://benchmarks.cisecurity.org/ 获取更加详细专业的主机安全基线配置文档.或者到 https: ...

  3. CentOS 7主机名的弯弯绕绕

    在CentOS 6中,修改主机名方式很简单,临时修改主机名使用hostname命令,永久修改主机名直接写进文件/etc/sysconfig/network中即可. 但在CentOS 7中,主机名就没那 ...

  4. 在CentOS下的docker容器中部署spring boot应用的两种方式

    我们通常在 windows 环境下开发 Java,而通常是部署在Linux的服务器中,而CentOS通常是大多数企业的首选,基于Docker的虚拟化容器技术,多数Java应用选择这种方式部署服务.本文 ...

  5. 主机加固之windows2003

    这篇与上一篇的win7主机加固内容大体类似,部分有些不同.这篇也可以用来尝试加固windows XP. 1. 配置管理 1.1用户策略 注意:在对Windows系统加固之前先新建一个临时的系统管理员账 ...

  6. 主机加固之win7

    这套主机加固方案很简单,一步一步按着顺序来弄就可以,部分步骤还配有相关图片.可以先用虚拟机来做一次加固,以防弄错后不好恢复.记得弄个快照,以防万一.下次有空写个win7暴力破解~ 1. 配置管理 1. ...

  7. VMware 设备VMnet0 上的网桥暂时关闭。此虚拟机无法与主机或网格中的其他计算机通信【转】

    今天克隆了一个win7的虚拟机,移动到我的本地.打开时发现虚拟机网格连接图标出现X断开连接,于是网上收了一堆答案无一个可用的,决定自己解决这个问题,解决过程如下: 1.报错图如下:设备VMnet0 上 ...

  8. Lua手册中的string.len 不解

    Lua手册中的string.len (s) 接收一个字符串,返回其长度. 空串 "" 的长度为 0 . 内嵌零也统计在内,因此 "a\000bc\000" 的长 ...

  9. Ubuntu宿主机与VMware中其他系统虚拟机的互通

    Ubuntu做宿主机,VMware中创建Windows10,并且通过三种模式实现两系统互通,其实并非是件难事.在有线网卡未接网线的环境下,关闭两系统防火墙,基本遵从下文便可实现. 转载:https:/ ...

随机推荐

  1. 10-Mysql数据库----数据的增删改

    本节重点: 插入数据 INSERT 更新数据 UPDATE 删除数据 DELETE 再来回顾一下之前我们练过的一些操作,相信大家都对插入数据.更新数据.删除数据有了全面的认识.那么在mysql中其实最 ...

  2. Python 异步编程笔记:asyncio

    个人笔记,不保证正确. 虽然说看到很多人不看好 asyncio,但是这个东西还是必须学的.. 基于协程的异步,在很多语言中都有,学会了 Python 的,就一通百通. 一.生成器 generator ...

  3. phpcms v9手机门户配置方法

    一.确定一个域名作为你手机wap站点的访问域名,例如:http://m.tezhengzong.com. 接下来在域名管理系统中简析这个域名到你的服务器地址. 二.修改\caches\configs\ ...

  4. 简单理解DES加密算法

    数据加密标准(Data Encryption Standard,DES)是当前使用最广泛的加密体制,对于任意的加密方案,总有两个输入:明文和密钥. 明文是64bits,密钥是56bits 加密过程就是 ...

  5. exec族

    在之前我们已经知道用fork创建子进程后执行的是和父进程相同的程序(但有可能执行不同的代码分支),子进程往往要调用一种exec函数以执行另一个程序.当进程调用一种exec函数时,该进程的用户空间代码和 ...

  6. Spring温故而知新 – bean的装配

    Spring装配机制 Spring提供了三种主要的装配机制: 1:通过XML进行显示配置 2:通过Java代码显示配置 3:自动化装配 自动化装配 Spring中IOC容器分两个步骤来完成自动化装配: ...

  7. Windows下的Memcache安装与Java部署

    Windows下的Memcache安装: 1. 下载memcached的windows稳定版,解压放某个盘下面,比如在c:\memcached 2. 在终端(也即cmd命令界面)下输入 ‘c:\mem ...

  8. 域名/网站名/URL

    http://mail.163.com/index.html 1)http://:协议,也就是HTTP超文本传输协议,网页在网上传输的协议. 2)mail:服务器名,代表着是一个邮箱服务器,所以是ma ...

  9. Struts2监听Action结果的监听器

    作者:禅楼望月 在前面我们学到了在特定的Action中配置结果监听器,在Action完成控制处理之后,struts2转入实际的物理视图之前被回调.但是这种方式的缺点是,结果的监听器不能被复用.根据设计 ...

  10. BZOJ4531 && BJOI2014 trace

    #include<cstdio> #include<cctype> using namespace std ; struct state { int len ; int p ; ...