Centos7 operating system security hardening series (2)

1、 Password repeat limit

Rule description ： Re enable an old password , Make sure that the password has been changed several times since it was last used . This policy enables administrators to enhance security by ensuring that old passwords are not continuously reused  

Audit description ： Check the documents /etc/pam.d/system-auth And documents /etc/pam.d/password-auth Whether the following configuration exists ：password sufficient pam_unix.so remember=5   or password required pam_pwhistory.so remember=5   among remember Option is greater than or equal to 5

Suggestions for modification ： Edit profile /etc/pam.d/system-auth And documents /etc/pam.d/password-auth Modify or add configuration ：password sufficient pam_unix.so remember=5   or password required pam_pwhistory.so remember=5   remarks ： Use remember=5 The configuration covers the original module configuration

Practical solutions ： Edit profile /etc/pam.d/system-auth And documents /etc/pam.d/password-auth Modify or add the following configuration

password    required      pam_pwhistory.so use_authtok remember=5

2、 File and directory default permission control

Rule description ： This setting determines the default permissions for newly created directories and files  

Audit description ： Check /etc/profile,  /etc/profile.d/.sh,  /etc/bashrc Of umask Configure to 027（ perhaps 0027）

Suggestions for modification ： Set up /etc/profile /etc/profile.d/.sh、/etc/bashrc In the document umask Configure to 027（ perhaps 0027）

umask Value means ： When a user creates a new file or directory , The file or directory has a default permission . The default permission is set by umask Value to specify .umask Value represents permission “ Complement code ”, That is to subtract from the default maximum permission value umask It's worth the actual permission value . 

The default maximum permissions for a file are readable and writable , The default maximum permissions for a directory are read, write, and executable .

That is, the actual default permissions of a file are 666 subtract umask value . The actual default permissions for the directory are 777 subtract umask value

resolvent ：

sed -i 's/umask 022/umask 027/g' /etc/profile
sed -i 's/umask 022/umask 027/g' /etc/bashrc

Before the change

After modification

3、 Configure user minimum Authorization

Rule description ： Check the documents /etc/passwd、/etc/shadow、/etc/group、/etc/services、/etc/xinetd.conf And contents /etc/security Authority  

Audit description ： Check the documents /etc/passwd、/etc/group、/etc/services Whether the permission of is less than or equal to 644, Check the documents /etc/shadow Whether the permission of is less than or equal to 400, Check /etc/xinetd.conf file 、/etc/security Whether the directory permission is less than or equal to 600, Check whether the owners and groups of the above files and directories are root:root

Suggestions for modification ： Settings file /etc/passwd、/etc/group、/etc/services The authority of is 0644, Settings file /etc/shadow The authority of is 0400, Settings file /etc/xinetd.conf、 Catalog /etc/security The authority of is 0600,

For example, to perform ：chmod 600 /etc/passwd. Set the owner and group of the above files and directories as root:root, For example, to perform ：chown root:root /etc/passwd

Test case information ：{ "checkDescription": " In the catalog /etc/security In existence , Check file permissions , Nonexistence pass: stat --format="%U:%G %a" /etc/security 2>/dev/null", "current_value": "/etc/security root:root 0755", "suggest_value": " The file does not exist or /etc/security root:root 600( Or more strictly )" }

To solve the process

stat --format="%U:%G %a" /etc/passwd
stat --format="%U:%G %a" /etc/shadow
ll /etc/shadow 
stat --format="%U:%G %a" /etc/group
stat --format="%U:%G %a" /etc/services
stat --format="%U:%G %a" /etc/security
 
chmod 600 /etc/security
stat --format="%U:%G %a" /etc/security

4、 modify SSH Of Banner Warning message

Rule description ： Check ssh Service status , If it is not turned on pass, If on, check if it is set ssh Login alarm information , Setting rules pass

Audit description ： Check ssh Service status , If it is not turned on pass, If open, check /etc/ssh/sshd_config file , Whether to configure Banner, Get its path file , Check that the file is not empty , If it is not empty pass

Suggestions for modification ： If ssh Service doesn't need , The service needs to be shut down . if necessary ssh service , You need to configure /etc/ssh/sshd_config In file Banner , And configure warning signs in the corresponding path file ：Authorized users only. All activity may be monitored and reported.

[root@VM_Server ~]# grep "^\s*Banner\s*" /etc/ssh/sshd_config 2>/dev/null | awk '{print $2}'
[root@VM_Server ~]# grep "Banner*" /etc/ssh/sshd_config 2>/dev/null | awk '{print $2}'       
none
[root@VM_Server ~]# grep "Banner*" /etc/ssh/sshd_config 2>/dev/null 
#Banner none
[root@VM_Server ~]# sed -i "s/#Banner none/Banner \/etc\/issue.net/g" /etc/ssh/sshd_config
[root@VM_Server ~]# echo "Authorized users only. All activity may be monitored and reported.">/etc/issue.net
[root@VM_Server ~]# service sshd restart

5、 Set key file properties

Rule description ： Check /var/log/messages Does the file exist a attribute  

Audit description ： Check /var/log/messages Does the file exist a attribute :lsattr /var/log/messages | cut -b 6

Suggestions for modification ： Use the command to change the log file properties ：chattr +a /var/log/messages

lsattr /var/log/messages
lsattr /var/log/messages | cut -b 6
chattr +a /var/log/messages
lsattr /var/log/messages | cut -b 6