The Linux operating system in a secure computing environment

1. Identification

a) Users who log in shall be identified and authenticated; identities shall be unique, and authentication information shall meet complexity requirements and be changed regularly.

Check method:
1) Ask the system administrator whether a password is set for every system account, and confirm that the login process actually verifies the password.
2) Log in with an authorized account and view /etc/shadow (for example with more), checking whether any account has an empty password field.
3) View /etc/login.defs to see whether password length and regular-change requirements are set:
#more /etc/login.defs
Then view /etc/pam.d/system-auth (on Debian-derived systems /etc/pam.d/common-password) and check the password length and complexity options given to pam_pwquality or pam_cracklib.
4) Check whether there is any way to bypass the authentication measures.

Expected result:
1) Login requires a password.
2) There is no account with an empty password.
3) Output similar to the following is obtained:
PASS_MAX_DAYS 90 #a password is valid for at most 90 days
PASS_MIN_DAYS 0 #minimum days between password changes; raise it so that a user cannot change the password repeatedly within a short time to defeat the history check
PASS_MIN_LEN 7 #minimum password length is 7 characters
PASS_WARN_AGE 7 #the user is warned 7 days before the password expires
Note that on PAM-based systems the effective minimum length is the minlen option of pam_pwquality or pam_cracklib rather than PASS_MIN_LEN, and that the ageing values in login.defs are only defaults for accounts created afterwards; existing accounts keep the values recorded in /etc/shadow until they are changed with chage.
4) No bypass of authentication exists.

b) A login-failure handling function shall be configured and enabled, with measures such as ending the session, limiting the number of failed login attempts, and automatically logging out when a connection is idle beyond a timeout.

Check method:
1) Check that the login-failure handling function is configured and enabled.
2) Log in as root and view the PAM configuration:
cat /etc/pam.d/system-auth (or the common-auth/common-account files, depending on the Linux distribution)
3) View the TMOUT environment variable in /etc/profile to see whether an idle-timeout is configured.

Expected result:
Output similar to the following is obtained:
1) and 2) The login-failure parameters are present in /etc/pam.d/system-auth, for example:
account required /lib/security/pam_tally.so deny=3 no_magic_root reset
This is the legacy pam_tally syntax; pam_tally and pam_tally2 have been removed from current distributions, where the equivalent module is pam_faillock (deny= and unlock_time= options), so look for whichever of the three is present.
3) /etc/profile sets the idle timeout, for example TMOUT=300. The value is an integer number of seconds; a value such as 300s is not a number and the timeout is not applied. Make the variable readonly and export it so that a user cannot simply unset it in the session.
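The checks in items a) and b) can be run as a script rather than read by eye. The following is an added example written for this page (not code from the original article): it reports accounts with an empty password field, reads the PASS_* values from login.defs, extracts the deny= count from whichever lockout module is configured (pam_faillock, or legacy pam_tally2/pam_tally), and reads TMOUT from /etc/profile. The sample files it builds in a temporary directory are constructed for the example; point the *_FILE variables at the real files to assess a host.

```shell
#!/bin/sh
# Added example (not from the original page): audits the identification
# controls of items 1a and 1b against copies of the relevant files.
# By default it builds constructed sample files so it runs offline; set the
# *_FILE variables to /etc/shadow, /etc/login.defs, /etc/pam.d/system-auth
# and /etc/profile to assess a real host.

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SHADOW_FILE="$WORK/shadow"
LOGIN_DEFS_FILE="$WORK/login.defs"
PAM_FILE="$WORK/system-auth"
PROFILE_FILE="$WORK/profile"

# ---- constructed sample inputs (not real system data) ----------------
cat >"$SHADOW_FILE" <<'EOF'
root:$6$saltsalt$hashhashhash:19500:0:99999:7:::
bin:*:19000:0:99999:7:::
svc_backup::19500:0:99999:7:::
april:$6$saltsalt$hashhashhash:19500:0:99999:7:::
guest:!!:19500:0:99999:7:::
EOF

cat >"$LOGIN_DEFS_FILE" <<'EOF'
# constructed login.defs excerpt
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_MIN_LEN    7
PASS_WARN_AGE   7
EOF

cat >"$PAM_FILE" <<'EOF'
# constructed system-auth excerpt using pam_faillock
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=300
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=300
account     required      pam_faillock.so
account     required      pam_unix.so
EOF

cat >"$PROFILE_FILE" <<'EOF'
# constructed /etc/profile excerpt
TMOUT=300
readonly TMOUT
export TMOUT
EOF

# ---- checks -----------------------------------------------------------

# Accounts whose password field is empty: anyone can log in without a password.
# Locked accounts ('!', '!!', '*') are fine and are not reported.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Value of a login.defs key (first non-comment match), empty if unset.
login_defs_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Return 0 when the ageing/length policy meets the thresholds in the text
# (max age <= 90 days, minimum length >= 7); print what fails otherwise.
check_login_defs() {
    max=$(login_defs_value "$1" PASS_MAX_DAYS)
    len=$(login_defs_value "$1" PASS_MIN_LEN)
    rc=0
    [ -n "$max" ] && [ "$max" -le 90 ] || { echo "PASS_MAX_DAYS=${max:-unset} exceeds 90"; rc=1; }
    [ -n "$len" ] && [ "$len" -ge 7 ]  || { echo "PASS_MIN_LEN=${len:-unset} below 7"; rc=1; }
    return $rc
}

# deny= value of the active lockout module (pam_faillock, or legacy pam_tally2/pam_tally).
lockout_deny() {
    grep -E '^[^#]*pam_(faillock|tally2?)\.so' "$1" \
        | sed -n 's/.*deny=\([0-9]*\).*/\1/p' | head -n 1
}

# Effective TMOUT from a profile file (last assignment wins, as in the shell).
profile_tmout() {
    sed -n -e 's/^[[:space:]]*TMOUT=\([0-9][0-9]*\).*/\1/p' \
           -e 's/^[[:space:]]*export[[:space:]][[:space:]]*TMOUT=\([0-9][0-9]*\).*/\1/p' "$1" \
        | tail -n 1
}

# ---- report -----------------------------------------------------------
echo "empty-password accounts: $(empty_password_accounts "$SHADOW_FILE" | tr '\n' ' ')"
check_login_defs "$LOGIN_DEFS_FILE" && echo "login.defs policy: ok"
echo "lockout after $(lockout_deny "$PAM_FILE") failures; idle timeout $(profile_tmout "$PROFILE_FILE") s"
```

The shadow check is the one that catches the common real-world mistake: a service account created with `passwd -d` shows up as an empty second field and is accepted by pam_unix only when nullok is configured, but it is still a finding under this item.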

c) When the system is managed remotely, necessary measures shall be taken to prevent authentication information from being eavesdropped during network transmission.

Check method:
Interview the system administrators about how remote management is done.
1) Log in as root and check whether the sshd service is running and its port is open:
service --status-all | grep sshd (or systemctl status sshd)
netstat -an | grep 22 (or ss -ltn)
If SSH is not used for remote management, check whether Telnet is: service --status-all | grep running and look for a telnet service (on systemd hosts, systemctl is-active telnet.socket).
2) Use a packet-capture tool such as Wireshark to check whether the management protocol is encrypted.
3) If management is local only, this item is not applicable.

Expected result:
1) SSH is used for remote management, so the authentication information cannot be eavesdropped in transit. Telnet transmits credentials in cleartext and does not meet this requirement.
2) The captured traffic is ciphertext and cannot be read; the protocol is encrypted.
3) N/A for local management.

d) Two or more authentication technologies, such as passwords, cryptographic techniques and biometrics, shall be combined to authenticate users, and at least one of them shall be implemented with cryptographic techniques.

Check method:
Interview and verify which authentication methods the system administrator uses to log in to the operating system: whether two or more technologies are combined (for example a password plus a digital certificate, USB key, token or fingerprint), and whether one of them uses cryptographic technology during authentication.

Expected result:
In addition to the password, a second authentication mechanism is used, and that mechanism relies on cryptographic technology, for example by calling a cryptographic device or using algorithms such as SM1 to SM4.

2. Access Control

a) Accounts and permissions shall be assigned to users who log in.

Check method:
Log in with the appropriate privileges and use "ls -l <file>" to check whether the permissions of important files and directories are reasonable, for example:
# ls -l /etc/passwd
The original page gives 744 as the expected mode here; /etc/passwd has no reason to be executable and should be 644 (and /etc/shadow readable by root only).

Expected result:
Focus on whether the following permission settings are used appropriately:
-rw------- (600) Only the owner has read and write permission.
-rw-r--r-- (644) The owner has read and write permission; group and other users have read permission only.
-rwx------ (700) Only the owner has read, write and execute permission.
-rwxr-xr-x (755) The owner has read, write and execute permission; group and other users have read and execute permission only.
-rwx--x--x (711) The owner has read, write and execute permission; group and other users have execute permission only.
-rw-rw-rw- (666) All users have read and write permission.
-rwxrwxrwx (777) All users have read, write and execute permission.

Detailed Linux permissions: https://blog.csdn.net/qq_39131177/article/details/85060694
Configuration files should be no more permissive than 644 and executable files no more permissive than 755. "No more permissive" is a statement about the permission bits, not about the octal value as a number: 611 is smaller than 644 but grants execute to everyone.
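Added example (not from the original page) of the permission check the expected result describes, done as a bitmask comparison so that a mode such as 611 is correctly rejected against a 644 limit. The files in the demonstration are constructed in a temporary directory, and the PERM_CHECK_OWNER switch is this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: checks that a file's permission
# bits are a subset of an allowed maximum and that the file is owned by root.
# "No more permissive than 644" is a bit test, not an integer comparison:
# 611 < 644 as a number, yet 611 grants execute to group and others.
# Requires GNU stat; on BSD/macOS replace the stat call with: stat -f '%Lp %Su'

mode_and_owner() {
    stat -c '%a %U' "$1"
}

# check_perm PATH MAX -> 0 when PATH's mode grants nothing beyond MAX (octal,
# e.g. 644) and the owner is root; prints each finding and returns 1 otherwise.
# PERM_CHECK_OWNER=0 skips the owner test (this example's own switch, handy
# when demonstrating on a non-root account).
check_perm() {
    path=$1; max=$2
    info=$(mode_and_owner "$path") || return 2
    set -- $info
    mode=$1; owner=$2
    rc=0
    # Mask to the low 9 bits so a leading setuid/setgid/sticky digit (4755)
    # is ignored by this particular check.
    extra=$(( (0$mode & 0777) & ~(0$max & 0777) ))
    if [ "$extra" -ne 0 ]; then
        printf '%s: mode %s grants bits beyond %s\n' "$path" "$mode" "$max"
        rc=1
    fi
    if [ "${PERM_CHECK_OWNER:-1}" = 1 ] && [ "$owner" != root ]; then
        printf '%s: owned by %s, expected root\n' "$path" "$owner"
        rc=1
    fi
    return $rc
}

# Demonstration on constructed files in a temporary directory.
demo() {
    d=$(mktemp -d)
    trap 'rm -rf "$d"' EXIT
    : >"$d/passwd";   chmod 644 "$d/passwd"
    : >"$d/shadow";   chmod 600 "$d/shadow"
    : >"$d/app.conf"; chmod 611 "$d/app.conf"   # numerically below 644, still wrong
    : >"$d/tool";     chmod 755 "$d/tool"
    PERM_CHECK_OWNER=0
    for spec in "passwd 644" "shadow 644" "app.conf 644" "tool 755"; do
        set -- $spec
        if check_perm "$d/$1" "$2"; then echo "$1: ok (within $2)"; fi
    done
}
demo
```

On a real host run it as root with PERM_CHECK_OWNER left at 1, so that a configuration file owned by an application account (which can then rewrite it regardless of mode) is reported as well.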

b) Default accounts shall be renamed or deleted, and the default passwords of default accounts shall be changed.

Check method:
1) Log in with the appropriate privileges and view /etc/shadow with more; check whether default and unused accounts such as adm, lp, sync, shutdown, halt, mail, uucp, operator, games, gopher and ftp are present.
2) Check whether the root account can log in remotely.

Expected result:
1) No default unused accounts exist, or they are locked (passwd -l) and have a non-login shell such as /sbin/nologin; locking is usually safer than deleting system accounts that packages expect to find.
2) In /etc/ssh/sshd_config the PermitRootLogin parameter is set to no, i.e. PermitRootLogin no, so that root cannot log in remotely. Confirm the effective value with sshd -T, since a later Include file or Match block can override the line you read.
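For items 1c) and 2b) the setting that matters is the one sshd actually applies, which `sshd -T` prints after processing Include files and Match blocks. The following added example (written for this page, not part of the original) audits such a dump; the dump shown is constructed, and the expectations beyond PermitRootLogin no are this example's own hardening choices.

```shell
#!/bin/sh
# Added example, not from the original page: audit the effective sshd
# configuration. Capture it on the host as root with: sshd -T > sshd-effective.txt
# (sshd -T prints every keyword, lowercase, after Include and Match processing).
# The dump below is constructed for the example, not taken from a real server.

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
DUMP="$WORK/sshd-effective.txt"
cat >"$DUMP" <<'EOF'
port 22
permitrootlogin without-password
passwordauthentication yes
permitemptypasswords no
pubkeyauthentication yes
maxauthtries 6
clientaliveinterval 0
clientalivecountmax 3
x11forwarding no
EOF

# ssh_setting DUMP KEYWORD -> the keyword's value (empty if absent)
ssh_setting() {
    awk -v k="$2" 'tolower($1) == k { print $2; exit }' "$1"
}

# audit_sshd DUMP -> prints one line per deviation, returns 1 if there were any.
# PermitRootLogin no is the page's requirement; the other expectations are
# this example's own choices.
audit_sshd() {
    dump=$1; rc=0
    for rule in \
        "permitrootlogin no" \
        "permitemptypasswords no" \
        "pubkeyauthentication yes" \
        "x11forwarding no"
    do
        set -- $rule
        actual=$(ssh_setting "$dump" "$1")
        if [ "$actual" != "$2" ]; then
            echo "$1 is '${actual:-unset}', expected '$2'"
            rc=1
        fi
    done
    tries=$(ssh_setting "$dump" maxauthtries)
    [ -n "$tries" ] && [ "$tries" -le 4 ] \
        || { echo "maxauthtries is ${tries:-unset}, expected <= 4"; rc=1; }
    # ClientAliveInterval > 0 together with ClientAliveCountMax lets sshd detect
    # and drop unresponsive clients. It does not log out an idle user who is still
    # connected; that is what TMOUT in /etc/profile does for interactive shells.
    alive=$(ssh_setting "$dump" clientaliveinterval)
    [ -n "$alive" ] && [ "$alive" -gt 0 ] \
        || { echo "clientaliveinterval is ${alive:-unset}, expected > 0"; rc=1; }
    return $rc
}

audit_sshd "$DUMP" || echo "sshd: deviations found, see above"
```

On the sample dump the script reports three deviations: root may still log in with a key (without-password), six authentication attempts are allowed per connection, and dead connections are never reaped.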

c) Redundant and expired accounts shall be deleted or disabled promptly, and shared accounts shall be avoided.

Check method:
1) Check for redundant or expired accounts: for example, whether default system accounts such as games, news, ftp and lp are disabled, and whether the privileged accounts halt and shutdown have been removed.
2) Interview the network, security and system administrators: do the different administrative roles log in with different accounts?

Expected result:
1) Unneeded default system accounts such as games, news, ftp, lp, halt and shutdown are disabled or deleted.
2) Each administrator logs in with an individual account carrying only the privileges assigned to it, and there are no redundant or expired accounts.
d) Management users shall be granted the minimum privileges required for their tasks, so that administrative privileges are separated.

Check method:
1) Log in with the appropriate privileges, view the non-default users in /etc/passwd with more, and ask what each account is authorised to do; check whether administrative privileges are separated.
2) View /etc/sudoers and the files in /etc/sudoers.d/ to see which accounts have been given root-level rights (the original page names /etc/sudo.conf, but that file only configures the sudo front end and its plugins; the grants are in sudoers). sudo -l -U <user> shows the effective rules for one account.

Expected result:
1) Each user holds the minimum privileges needed and does not overlap with other users; the system supports creating multiple roles.
2) Full administrative privilege is assigned only to root (or to named administrators through restricted sudoers rules).

e) An authorised subject shall configure the access control policy, and the policy shall specify the subjects' access rules to objects.

Check method:
1) Interview the system administrator: is a designated, authorised person responsible for configuring the operating system's access control permissions?
2) Check the permission configuration of the accounts, and whether each account's access rules are configured according to the security policy.

Expected result:
1) A dedicated security officer is responsible for granting access control permissions.
2) Each account's permissions are configured according to the access control policy set by the security officer.

f) Access control granularity shall reach the user or process level for subjects and the file or database-table level for objects.

Check method:
Use "ls -l <file>" to check whether the permissions of important files and directories are reasonable, for example # ls -l /etc/passwd (expected 644), focusing on whether the permissions of the files and directories listed under item a) have been modified.

Expected result:
The management user assigns access permissions to users, and access to files and database tables follows the access control policy. Permissions on important files and directories are within a reasonable range, and each user can operate on files only according to its permissions.

g) Security labels shall be set on important subjects and objects, and subjects' access to labelled information resources shall be controlled.

Check method:
1) Establish whether the system holds sensitive information.
2) Classify subjects (users or processes) and set sensitivity labels on them and on the object files.
3) Test whether mandatory access control of subjects to objects is enforced according to the security labels.
4) Log in with the appropriate privileges and view the SELINUX parameter in /etc/selinux/config with more. getenforce shows the mode currently in effect, which matters because a change to the config file takes effect only at the next boot.

Expected result:
Many Linux servers are deployed with SELinux switched off, in which case a third-party host-hardening product or a customised operating system kernel is used instead; check the actual system. SELinux has three modes:
enforcing: violations of the SELinux policy are blocked and logged; SELinux is in use.
permissive: violations are only logged, generally for debugging; the policy is not enforced.
disabled: SELinux is off and provides no labelling or control.

3. Security Audit

a) The security audit function shall be enabled, cover every user, and audit important user behaviour and important security events.

Check method:
1) Log in as root and check the service processes.
2) If the security audit service is running, check that the audit daemon is healthy:
#ps -ef|grep auditd
3) If the system audit function is not enabled, confirm whether a third-party security audit tool is deployed.
4) Log in as root and view the security event configuration:
#grep "@PRIV-OPS" /etc/audit/filter.conf (only on old audit implementations that still have filter.conf)
...
#more /etc/audit/audit.rules (on current auditd versions the rules are assembled from /etc/audit/rules.d/*.rules, and auditctl -l lists what is actually loaded)
...

Expected result:
1) The audit processes look like this:
[root@localhost april]# service auditd status
auditd (pid 1656) is running...
[root@localhost april]# service rsyslog status
rsyslogd (pid 1681) is running...
[root@localhost april]#
2) The Linux server enables the auditd daemon by default.
3) audit.rules records file accesses and low-level system calls, so the recorded security events are comprehensive.

b) Audit records shall include the date and time of the event, the user, the event type, whether the event succeeded, and other audit-related information.

Check method:
Log in with the appropriate privileges and use "ausearch -ts today" (-ts selects records logged after the given time) or "tail -20 /var/log/audit/audit.log" to view the audit log. ausearch -i translates the numeric uid, timestamp and syscall fields into readable form.

Expected result:
Audit records include the date and time, type, subject identity, object identity and result of the event.
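Added example (not from the original page) covering items a) and b): a rule file for auditd that watches the identity and sudo files and records privileged executions, finishing with -e 2 so the rules cannot be changed without a reboot (which is also what item d) below asks for), and a parser that pulls the time, type, user and result fields required by item b) out of an audit.log record. The record is constructed for the example, and the rule keys (identity, sudoers, auditconfig, auditlog, privileged) are this example's own names.

```shell
#!/bin/sh
# Added example, not from the original page. Part 1 prints an auditd rule set
# in the syntax of /etc/audit/rules.d/*.rules; part 2 extracts the fields that
# item 3b requires from one audit.log record. The record below is constructed.

# Install with: print_audit_rules > /etc/audit/rules.d/50-hardening.rules && augenrules --load
print_audit_rules() {
    cat <<'EOF'
## Delete existing rules and size the backlog before adding ours
-D
-b 8192
## Account and authentication data (item 3a)
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
## The audit configuration and the audit log themselves (items 3c, 3d)
-w /etc/audit/ -p wa -k auditconfig
-w /var/log/audit/ -p wa -k auditlog
## Privileged operations: a setuid-root program started by a non-root user
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k privileged
## Lock the configuration: even root cannot change rules or disable auditing
## until the next reboot (item 3d). Must be the last line.
-e 2
EOF
}

# Constructed audit.log record in the layout auditd writes (not captured data):
SAMPLE=$(cat <<'EOF'
type=USER_LOGIN msg=audit(1609459200.123:100): pid=2000 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=failed'
EOF
)

# audit_field RECORD KEY -> value of the first KEY=value field, quotes stripped
audit_field() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | awk -F= -v k="$2" -v q="'\"" '$1 == k { v = $2; gsub("[" q "]", "", v); print v; exit }'
}

# audit_epoch RECORD -> seconds since the epoch from msg=audit(SECS.MILLIS:SERIAL)
audit_epoch() {
    printf '%s\n' "$1" | sed -n 's/.*msg=audit(\([0-9]*\)\.[0-9]*:[0-9]*).*/\1/p'
}

# audit_summary RECORD -> "epoch type user result". The user is auid, the login
# uid, which survives su and sudo; uid=0 here only says sshd itself ran as root.
audit_summary() {
    printf '%s %s %s %s\n' "$(audit_epoch "$1")" "$(audit_field "$1" type)" \
        "$(audit_field "$1" auid)" "$(audit_field "$1" res)"
}

print_audit_rules
audit_summary "$SAMPLE"
# Readable time with GNU date: date -u -d "@$(audit_epoch "$SAMPLE")"
```

A record whose auid is 4294967295 (unset) comes from a daemon or from boot, not from a logged-in user; when auditing "every user" under item a), those are the records to separate out rather than the uid=0 ones.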

c) Audit records shall be protected and backed up regularly to avoid unexpected deletion, modification or overwriting.

Check method:
Interview about how audit records are stored, backed up and protected, and whether operating-system logs are sent to a log server regularly, for example via syslog or SNMP. If a log server is deployed, log in to it and check whether this operating system's logs are within the collection scope.

Expected result:
Operating-system logs are backed up regularly, and locally stored logs are forwarded to the log server regularly, preferably over TCP with TLS rather than plain UDP syslog, which can be dropped or spoofed in transit.

d) The audit process shall be protected from unauthorised interruption.

Check method:
1) Interview about the measures that monitor and protect the audit process.
2) Test whether a user who is not a security auditor can interrupt the audit process, and check whether the access rights of the audit process are set properly.
3) Check whether a third-party system audits, monitors and protects the operating system under test.

Expected result:
The audit process cannot be modified by non-auditors. A third-party audit tool is deployed that records the audit log in real time, and the administrator cannot delete the log. On auditd itself, -e 2 as the last line of the rules (or auditctl -e 2) makes the configuration immutable until reboot, so even root cannot stop auditing without restarting the system.

4. Intrusion Prevention

a) The principle of minimal installation shall be followed, with only the required components and applications installed.

Check method:
1) Interview whether the minimal-installation principle was followed when the system was installed, and review the installation manual.
2) Use "yum list installed" (dnf list installed, or dpkg -l on Debian-derived systems) to list the installed packages, and ask whether any currently unneeded components or applications are present.

Expected result:
1) The system installation follows the minimal-installation principle.
2) No components or applications that the business does not need are installed.

b) Unnecessary system services, default shares and high-risk ports shall be closed.

Check method:
1) Log in with the appropriate privileges and use "service --status-all | grep running" (or systemctl list-units --type=service --state=running) to check whether dangerous network services have been closed.
2) Log in with the appropriate privileges and use "netstat -ntlp" (or ss -ntlp) to confirm whether every open port is required by the business and whether non-essential ports have been closed. Linux has no default network shares, so that part of the item does not apply unless a file-sharing service such as Samba or NFS has been installed.

Expected result:
1) Redundant services, dangerous services and processes are turned off.
2) Redundant ports are closed.

c) Management terminals that connect over the network shall be restricted by terminal access method or network address range.

Check method:
1) Check whether /etc/hosts.deny contains "ALL: ALL" (deny every request by default) and whether /etc/hosts.allow contains an entry such as:
sshd: 192.168.1.0/255.255.255.0
The address must be the network address: the wrapper library compares the client address ANDed with the mask against the value given, so 192.168.1.10/255.255.255.0 as written on the original page would never match any client.
2) Check whether a firewall restricts which terminals may connect.

Expected result:
1) /etc/hosts.allow contains entries restricting the source addresses and access methods, such as sshd: 192.168.1.0/255.255.255.0. Note that TCP wrappers is deprecated: OpenSSH dropped libwrap support in version 6.7, and tcp_wrappers is not shipped with RHEL 8 and later, so on such systems hosts.allow has no effect on sshd and the restriction must be implemented in the firewall or in sshd_config (Match Address, or AllowUsers user@address).
2) Terminal access method and network address range are restricted through operations measures such as RADIUS, a bastion (jump) host, or a firewall.
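Added example (not from the original page) for items 4b) and 4c), and the Telnet check in 1c): it flags listeners bound to network-reachable addresses whose port is not on an allow-list, given ss -Hltn output, and prints an nftables ruleset that admits SSH only from the management range. The ss output is constructed, the allow-list and the 192.168.1.0/24 range are assumptions for the example, and the table name mgmt is this example's own.

```shell
#!/bin/sh
# Added example, not from the original page. Part 1 flags TCP listeners that
# are reachable from the network and not on an allow-list, from `ss -Hltn`
# output (run that on the host; here it is replaced by constructed lines).
# Part 2 prints an nftables ruleset that admits SSH only from the management range.

SS_OUT=$(cat <<'EOF'
LISTEN 0 128 0.0.0.0:22    0.0.0.0:*
LISTEN 0 100 127.0.0.1:25  0.0.0.0:*
LISTEN 0 5   0.0.0.0:23    0.0.0.0:*
LISTEN 0 128 [::]:22       [::]:*
LISTEN 0 128 0.0.0.0:111   0.0.0.0:*
LISTEN 0 128 [::1]:631     [::]:*
EOF
)

# Ports the business needs reachable from the network (assumption: SSH only).
ALLOWED_PORTS="22"

# unexpected_listeners SS_OUTPUT "port port ..." -> "port address name" for each
# listener bound to a non-loopback address whose port is not on the list.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN {
            n = split(allowed, a, /[ \n]+/)
            for (i = 1; i <= n; i++) ok[a[i]] = 1
            # cleartext or legacy services worth naming in the report
            name["21"] = "ftp"; name["23"] = "telnet"; name["111"] = "rpcbind"
            name["512"] = "rexec"; name["513"] = "rlogin"; name["514"] = "rsh"
        }
        $1 == "LISTEN" {
            addr = $4; sub(/:[0-9]+$/, "", addr)
            port = $4; sub(/.*:/, "", port)
            if (addr ~ /^(127\.|\[::1\]$)/) next     # loopback only: not reachable
            if (!(port in ok)) print port, addr, ((port in name) ? name[port] : "?")
        }'
}

# print_nft_ruleset CIDR -> nftables text; load with: print_nft_ruleset 192.168.1.0/24 | nft -f -
# The inet table covers IPv4 and IPv6, so SSH over IPv6 is dropped unless an
# "ip6 saddr ... accept" line is added for the IPv6 management range.
print_nft_ruleset() {
    cat <<EOF
table inet mgmt {
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr $1 tcp dport 22 accept
        tcp dport 22 counter drop comment "ssh from outside the management range"
    }
}
EOF
}

echo "listeners outside the allow-list (port address service):"
unexpected_listeners "$SS_OUT" "$ALLOWED_PORTS"
print_nft_ruleset 192.168.1.0/24
```

On the sample output the report names telnet on 0.0.0.0:23 and rpcbind on 0.0.0.0:111; the SMTP and CUPS listeners are ignored because they are bound to loopback only. Unlike a hosts.allow entry, the nft rule is enforced before the packet reaches sshd, so it also removes the pre-authentication attack surface of the daemon from untrusted networks.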

d) A data validity check function shall be provided to ensure that content entered through the human-machine interface or received through communication interfaces meets the system's requirements.
This item is not applicable here; it is generally implemented on the application system.

e) Known vulnerabilities shall be detected and, after sufficient testing and evaluation, fixed in a timely manner.

Check method:
1) Review the self-assessed vulnerability scan report or a third party's vulnerability report: are there high-risk vulnerabilities?
2) Is there a test environment for vulnerability fixes, and what is the patch update mechanism and process?
3) Interview about the patch update mechanism and check the patch installation status: #rpm -qa | grep patch (rpm -qa --last shows installation dates, and yum updateinfo list security lists pending security updates on Red Hat-family systems)

Expected result:
1) An operations team regularly runs vulnerability scans, identifies security risks and fixes them promptly.
2) 3) Patches are up to date, and patch deployment is controlled and managed.

f) Intrusions into important nodes shall be detected, and an alarm raised when a serious intrusion event occurs.

Check method:
1) Interview and review the intrusion detection measures; for example, check the logs for important signs of intrusion (attempted Telnet, FTP and similar connections) with "#more /var/log/secure | grep refused".
2) Check whether the host firewall and TCP SYN protection (net.ipv4.tcp_syncookies) are enabled.
3) Interview the system administrator about whether host intrusion detection software is installed; check its configuration and whether it has an alarm function. Files of a given product can be located with find / -name <name> -print. Products named on the original page: Dragon Squire by Enterasys Networks, ITA by Symantec, HostSentry and Logcheck by Psionic Software, and the RealSecure agent by ISS (all of them dated; apply the same check to whatever host IDS agent is in use).
4) Review the network topology diagram and check whether a network intrusion detection system (IDS) is deployed on the network.

Expected result:
1) All important intrusion paths are denied.
2) Host firewall settings are enabled.
3) Host-based IDS is installed.
4) If no host IDS is deployed on the host, check whether an IDS or IPS is deployed on the network link; intrusion events are recorded and alarms raised.

5. Malicious code prevention

a) Technical measures against malicious code, or an active-immunity trusted verification mechanism, shall be adopted to identify intrusions and virus behaviour in a timely manner and block them effectively.

Check method:
1) Check which antivirus software is installed in the operating system; interview the administrator about whether the virus database is updated frequently; check the current virus database version and whether its update date is more than a week old.
2) Check whether the operating system implements a trusted verification mechanism that can verify system programs, applications, and important configuration files and parameters before they execute.

Expected result:
1) A network-managed antivirus product is deployed, the virus database is up to date, and anti-malware is managed centrally.
2) An active-immunity trusted verification mechanism is deployed that can block intrusions and malicious code in time.

6. Trusted Verification

a) Based on a root of trust, the boot loader, system programs, important configuration parameters and applications of the computing device shall be verified for trustworthiness; dynamic trusted verification shall be performed at key points in application execution; an alarm shall be raised when trustworthiness is found to be compromised; and the verification result shall form an audit record sent to the security management centre.

Check method:
1) Check the server's startup: is a trusted verification process implemented, and which of the boot loader, system programs and important configuration parameters are verified?
2) Modify one important system program and one application, and check whether the change is detected and an alarm raised.
3) Check whether the verification result forms an audit record that is sent to the security management centre.

Expected result:
1) The server has a root-of-trust chip or hardware (such as a TPM or TCM).
2) The startup process measures and verifies the boot loader, system programs, important configuration parameters and key applications based on the root of trust.
3) When trustworthiness is found to be compromised, an alarm is raised and the verification result is recorded as an audit record sent to the security management centre.
4) The security management centre can receive the device's verification result records.

7. Data Integrity

a) Verification or cryptographic techniques shall be used to ensure the integrity of important data in transit, including but not limited to authentication data, important business data, important audit data, important configuration data, important video data and important personal information.

b) Verification or cryptographic techniques shall be used to ensure the integrity of important data at rest, including but not limited to authentication data, important business data, important audit data, important configuration data, important video data and important personal information.

8. Data Confidentiality

a) Encryption shall be used to ensure the confidentiality of important data in transit, including but not limited to authentication data, important business data and important personal information.

b) Encryption shall be used to ensure the confidentiality of important data at rest, including but not limited to authentication data, important business data and important personal information.

9. Data backup and recovery

a) Local backup and recovery of important data shall be provided.

b) Remote real-time backup shall be provided, using the communication network to back up important data to the backup site in real time.

c) Hot redundancy of important data processing systems shall be provided to ensure high availability.

Check method:
1) Interview the system administrators: which systems are the important data processing systems, do they have backup mechanisms, and do they use a local hot-standby site or mutual backup between remote active sites?
2) Check the equipment list and whether the important data processing systems use hot-standby servers.

Expected result:
1) Important data such as user data and authentication data is backed up periodically, for example to local tape.
2) Important equipment uses high-availability methods such as hot standby, clustering and load balancing.

10. Remaining information protection

a) It should be ensured that the storage space where the authentication information is located is completely cleared before being released or reallocated;

b) It should be ensured that the storage space containing sensitive data is completely cleared before being released or reallocated;

11. Personal Information Protection

a) Only the personal information of users that the business needs shall be collected and stored.
This item is not applicable here; it is generally checked on the application system.
b) Unauthorised access to and illegal use of users' personal information shall be prohibited.
This item is not applicable here; it is generally checked on the application system.

Source: blog.csdn.net/weixin_45380284/article/details/113889199