0x0c 設置/boot/grub2/grub.cfg權限
Set grub.conf to chmod 600:
設置/boot/grub2/grub.cfg的權限為600
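# chmod takes the mode first and the path second. Mode 600 leaves the file
# readable and writable by its owner only, so make sure that owner is root.
sudo chown root:root /boot/grub2/grub.cfg
sudo chmod 600 /boot/grub2/grub.cfg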
0x0d 設置BootLoader密碼
Grub2 BootLoader需要配置一個superuser並設置密碼。創建一個superuser並放到/etc/grub.d里面,由於明文密碼不安全,要使用grub2-mkpasswd-pbkdf2生成一個hash過的密碼存儲。
set superusers="<superuser名>"
password_pbkdf2 <superuser名> <grub2-mkpasswd-pbkdf2生成的hash>
0x0e grub2 superuser名字不應該是管理員的名字
grub2 superuser賬號要避免使用常用的管理員用戶名比如admin,root,administrator,要滿足FISMA Moderate等級要求,BootLoader superuser的密碼必須和root用戶不一樣。
grub2-mkconfig -o /boot/grub2/grub.cfg
不應該手工向grub.cfg里面添加超級用戶,
因為執行grub2-mkconfig會覆蓋掉這個文件
0x0f 為單用戶模式設置認證
vim /etc/sysconfig/init
SINGLE=/sbin/sulogin
0x10 禁止Ctrl+Alt+Del快捷鍵重啟
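vim /etc/init/control-alt-delete.conf and change the existing line:
exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
to:
exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"
On systemd-based systems (the ones the systemctl steps in this guide apply to) this upstart file is not used; run systemctl mask ctrl-alt-del.target instead.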
0x11 啟用Screen
Screen是一個可以在多個進程之間多路復用一個物理終端的窗口管理器。
sudo yum install screen
0x12 禁用 Zeroconf Networking
當系統無法連接DHCP server的時候,就會嘗試通過ZEROCONF來獲取IP。然后網卡將會被設置為 169.254.0.0段的地址,可以禁止這項功能。
echo "NOZEROCONF=yes" >> /etc/sysconfig/network
0x13 禁止IPv6自動啟用
vim /etc/modprobe.d/disabled.conf
options ipv6 disable=1
0x14 禁止網卡使用IPv6
vim /etc/sysconfig/network
NETWORKING_IPV6=no
IPV6INIT=no
0x15 禁止對 RPC IPv6的支持
像NFSv4這樣的RPC 服務會嘗試使用 IPv6 ,為了防止這種行為打開 /etc/netconfig 將下面兩行注釋掉
udp6 tpi_clts v inet6 udp - -
tcp6 tpi_cots_ord v inet6 tcp - -
0x16 配置安全地root登錄
設置root只能從本地終端登錄
echo "tty1" > /etc/securetty
chmod 700 /root
0x17 設置默認UMASK 值
perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/bashrc
perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/csh.cshrc
0x18 刪除 Idle 用戶
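# Each command goes on its own line; run as a single line, the later "echo" and
# "chmod" words become arguments of the first echo instead of separate commands.
echo "Idle users will be removed after 15 minutes"
# readonly stops a user from unsetting or raising TMOUT (900 s = 15 min)
# from inside their own session.
echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh
# Marks HISTFILE read-only so it cannot be reassigned later in the session.
echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
chmod +x /etc/profile.d/os-security.sh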
0x19 加固 Cron
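# Restrict cron and at to root. One command per line.
echo "Locking down Cron"
# NOTE(review): touch does not empty a cron.allow that already exists, so any
# users already listed in it stay allowed; per crontab(1), when cron.allow
# exists it is the file consulted and cron.deny is only a fallback.
touch /etc/cron.allow
chmod 600 /etc/cron.allow
# Compare the whole user name: "grep -v root" would also leave out every
# account whose name merely contains "root", so those would not be denied.
awk -F: '$1 != "root" {print $1}' /etc/passwd > /etc/cron.deny
echo "Locking down AT"
touch /etc/at.allow
chmod 600 /etc/at.allow
awk -F: '$1 != "root" {print $1}' /etc/passwd > /etc/at.deny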
0x1a 加固Linux內核
vim /etc/sysctl.conf
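# /etc/sysctl.conf takes one "key = value" setting per line.
# Load the file without rebooting with: sysctl -p

# The host is not a router: no forwarding and no sending of ICMP redirects.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# SYN flood handling: backlog size and SYN cookies.
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.tcp_syncookies = 1

# Ignore broadcast pings and bogus ICMP error responses.
# (icmp_echo_ignore_broadcasts was listed twice; one entry is enough.)
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Refuse source-routed packets and ICMP redirects, and log martian packets.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Reverse-path filtering against spoofed source addresses.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# NOTE(review): turning timestamps off also disables PAWS and timestamp-based
# RTT measurement; confirm the trade-off is wanted on this host.
net.ipv4.tcp_timestamps = 0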
0x1b 禁止所有TCP Wrappers
TCP wrappers提供一種快捷方便的方法來控制對應用程序的訪問,比如
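# Write the allow entry first: hosts.allow is consulted before hosts.deny, and
# adding the blanket deny first leaves a window in which sshd is refused too.
# NOTE(review): these files only affect services built with TCP wrappers
# (libwrap) support; verify that sshd on the target release is one of them.
echo "sshd:ALL" >> /etc/hosts.allow
echo "ALL:ALL" >> /etc/hosts.deny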
0x1c 基本的iptables防火牆規則
默認禁止全部入站,允許全部出站。
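# Drop anything we aren't explicitly allowing. All outbound traffic is okay
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]

# Log anything on eth0 claiming it's from a local or non-routable network
# If you're using one of these local networks, remove it from the list below
# These rules only LOG (despite "DROP" in the prefixes). They must come before
# the jump to RH-Firewall-1-INPUT: that chain ends in an unconditional DROP, so
# a rule appended to INPUT after the jump is never evaluated.
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: "
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
-A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: "
# NOTE(review): 240.0.0.0/5 covers 240.0.0.0-247.255.255.255 only; the whole
# class E range is 240.0.0.0/4 - confirm which one is intended.
-A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: "
-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "

-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Accept Pings
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Accept any established connections
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept ssh traffic. Restrict this to known ips if possible.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Log and drop everything else
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT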
0x1c 啟用 iptables
sudo systemctl enable iptables
systemctl start iptables.service
0x1d 禁用異常協議
可以禁用如下協議:
- Datagram Congestion Control Protocol (DCCP)
- Stream Control Transmission Protocol (SCTP)
- Reliable Datagram Sockets (RDS)
- Transparent Inter-Process Communication (TIPC)
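# An "install <module> <command>" line in modprobe.d makes modprobe run the
# command instead of inserting the module, so /bin/false blocks the load.
# One command per line, one file per protocol.
echo "install dccp /bin/false" > /etc/modprobe.d/dccp.conf
echo "install sctp /bin/false" > /etc/modprobe.d/sctp.conf
echo "install rds /bin/false" > /etc/modprobe.d/rds.conf
echo "install tipc /bin/false" > /etc/modprobe.d/tipc.conf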
0x1e 安裝並啟用rsyslog
yum -y install rsyslog
systemctl enable rsyslog.service
systemctl start rsyslog.service
0x1f 配置Audit
開啟Auditd審計服務
systemctl enable auditd.service
systemctl start auditd.service
Audit Processes Which Start Prior to auditd
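在 /etc/grub.conf 的 kernel 行末尾加上 audit=1(使用 GRUB2 的系統則在 /etc/default/grub 的 GRUB_CMDLINE_LINUX 中加入 audit=1,再執行 grub2-mkconfig -o /boot/grub2/grub.cfg),例如: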
kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1
Auditd Number of Logs Retained
打開/etc/audit/auditd.conf添加:
num_logs = 5
Auditd 日志最大值
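# max_log_file is a number of megabytes (see auditd.conf(5)); write it without
# a unit suffix.
max_log_file = 30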
Auditd max_log_file_action
vim /etc/audit/auditd.conf
max_log_file_action = rotate
Auditd space_left
Configure auditd to email you when space gets low, open /etc/audit/auditd.conf and modify the following:
vim /etc/audit/auditd.conf
space_left_action = email
Auditd admin_space_left
Configure auditd to halt when auditd log space is used up, forcing the system admin to rectify the space issue.
On some systems where monitoring is less important another action could be leveraged.
admin_space_left_action = halt
Auditd mail_acct
When space gets low, auditd can send an email notification; to configure this, add the following line to /etc/audit/auditd.conf:
action_mail_acct = root
啟用auditd audispd 插件
Auditd並不能將logs直接發送到外部日志服務器,需要通過audispd這個插件先將日志發送給本地syslog服務器。啟用這個插件:編輯/etc/audisp/plugins.d/syslog.conf ,然后設置active=yes。然后重啟audispd daemon:
sudo service auditd restart
配置Audit策略
vim /etc/audit/audit.rules
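# /etc/audit/audit.rules - one rule per line.
# NOTE(review): where this file is generated from /etc/audit/rules.d/ by
# augenrules, put the rules there instead - confirm for the target release.
#
# Syscall rules are given for both arch=b32 and arch=b64 so that the 32-bit
# syscall ABI on a 64-bit host is covered too; on a 32-bit-only host drop the
# b64 lines. The source's "arch=ARCH" placeholders are expanded the same way.
#
# auid>=500 is the first ordinary UID of older releases; where ordinary
# accounts start at 1000 it additionally matches UIDs 500-999.
# auid!=4294967295 skips events that have no login UID set.
# Rules that were repeated verbatim in the source are listed once.

# audit_time_rules - Record attempts to alter time through adjtimex,
# settimeofday, stime (32-bit ABI only) and clock_settime
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
# Record Attempts to Alter the localtime File
-w /etc/localtime -p wa -k audit_time_rules

# Record Events that Modify User/Group Information
# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes

# Record Events that Modify the System's Network Environment
# audit_network_modifications
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications

# Record Events that Modify the System's Mandatory Access Controls
-w /etc/selinux/ -p wa -k MAC-policy

# Record Events that Modify the System's Discretionary Access Controls
# chmod
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
# chown
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
# fchmod
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
# fchmodat
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
# fchown
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
# fchownat
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
# fremovexattr
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
# fsetxattr
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
# lchown
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
# lremovexattr
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
# lsetxattr
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
# removexattr
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
# setxattr
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

# Record Attempts to Alter Logon and Logout Events
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins

# Record Attempts to Alter Process and Session Initiation Information
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session

# Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

# Ensure auditd Collects Information on the Use of Privileged Commands
#
# Find setuid / setgid programs, then add one uncommented copy of the rule
# below per program found. The -perm tests are grouped in \( \) so that
# -xdev and -type f apply to both of them.
#
## sudo find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
#
# -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged

# Ensure auditd Collects Information on Exporting to Media (successful)
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export

# Ensure auditd Collects File Deletion Events by User
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

# Ensure auditd Collects System Administrator Actions
-w /etc/sudoers -p wa -k actions

# Ensure auditd Collects Information on Kernel Module Loading and Unloading
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

# Make the auditd Configuration Immutable. This must stay the last rule: once
# it is loaded, the rules cannot be changed again until the next reboot.
-e 2

##Removal of Unrequired Services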
