Linux Classified Protection (等保) Level 3 inspection commands

1. Identity authentication

a) Logged-in users should be identified and authenticated; each identity should be unique, and the authentication information should meet complexity requirements and be changed regularly;

1. Check whether users are subject to identity authentication when logging in;

A user must log in to the server with an account name plus the account password.

2. Check the user list to confirm that user identities are unique;

(more /etc/passwd)

//In the command output, no two entries share the same third field (UID) and no two entries share the same user name.

3. Check the user configuration, or test, to verify that no user has an empty password;

(more /etc/shadow)

//In the command output, the scrambled-looking text in the second field is the account password after hashing; an empty second field means the account has no password.

//A (!) or (*) in that field means the account is locked or disabled.

4. Check whether user authentication information meets complexity requirements and is changed regularly.

(more /etc/login.defs)

// Check whether the command output sets password length and ageing limits.

1) PASS_MAX_DAYS=90 (maximum number of days a password remains valid)

2) PASS_MIN_DAYS=0 (minimum number of days between password changes)

3) PASS_MIN_LEN=8 (minimum password length)

4) PASS_WARN_AGE=7 (number of days before expiry that the user is warned)

4.1. Server password complexity policy

(more /etc/pam.d/system-auth)

//The password requisite line sets the password policy (arguments of the pam_cracklib.so module):

retry=5 (number of attempts allowed)

authtok_type= (prompt wording; left empty here) difok=3 (number of characters in the new password that must differ from the old one)

minlen=7 (minimum password length)

ucredit=-1 (at least one uppercase letter)

lcredit=-3 (at least three lowercase letters)

dcredit=-3 (at least three digits)

b) A login failure handling function should be provided, with measures such as ending the session, limiting the number of illegal login attempts and automatically logging out when the login connection times out configured and enabled;

1. Check whether the login failure handling function is configured and enabled;

2. Check whether limits on illegal login attempts are configured and enabled, and whether a specific action such as locking the account is taken after a certain number of illegal attempts;

Failure handling for local login:

(more /etc/pam.d/system-auth)

(more /etc/pam.d/login)

Failure handling for SSH remote login:

(more /etc/pam.d/sshd)

//The file should contain: auth required pam_tally2.so onerr=fail deny=5 unlock_time=300 even_deny_root root_unlock_time=10

deny: number of failed attempts before the account is locked

unlock_time: lock duration (seconds)

even_deny_root: lock the root account as well

2.1 Local login (system-auth file)

2.2 Local login (login file)

2.3 Remote SSH file (sshd file)

3. Check whether the login timeout and automatic logout functions are configured and enabled.

(more /etc/profile)

//The file should contain TMOUT=300
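Added example, not from the original post: a Python check that reads the three files this section inspects (/etc/login.defs, /etc/pam.d/system-auth and /etc/profile) and compares them against the values the checklist expects. The configuration fragments are constructed; the thresholds (MAX_DAYS and the others) are assumptions taken from the values quoted above, and the cross-check between the pam_cracklib minlen and PASS_MIN_LEN is this example's own addition.

```python
import re

# Constructed configuration fragments (not copied from a real host). The cracklib
# minlen=7 deliberately disagrees with PASS_MIN_LEN=8 so that the cross-check fires.
LOGIN_DEFS = """# /etc/login.defs (constructed)
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   7
"""
SYSTEM_AUTH = """# /etc/pam.d/system-auth (constructed)
auth        required      pam_env.so
auth        required      pam_tally2.so onerr=fail deny=5 unlock_time=300 even_deny_root root_unlock_time=10
auth        sufficient    pam_unix.so nullok try_first_pass
password    requisite     pam_cracklib.so retry=5 difok=3 minlen=7 ucredit=-1 lcredit=-3 dcredit=-3
password    sufficient    pam_unix.so sha512 shadow nullok use_authtok
"""
PROFILE = """# /etc/profile (constructed)
export TMOUT=300
"""

# Thresholds: assumption that the values quoted in the checklist are the bar to meet.
MAX_DAYS, MIN_LEN, WARN_AGE, MAX_DENY, MIN_UNLOCK, MAX_TMOUT = 90, 8, 7, 5, 300, 300


def parse_login_defs(text):
    """Return {KEY: value} for every 'KEY VALUE' line; '#' comments and blank lines are skipped."""
    values = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            values[parts[0]] = parts[1].strip()
    return values


def pam_module_args(text, module):
    """Arguments on the first active PAM line loading `module`: {key: value}; bare flags map to True."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#") or module not in tokens:
            continue
        args = {}
        for tok in tokens[tokens.index(module) + 1:]:
            key, has_value, value = tok.partition("=")
            args[key] = value if has_value else True
        return args
    return None


def parse_tmout(text):
    """TMOUT from /etc/profile, or None if it is absent or commented out."""
    match = re.search(r"^\s*(?:export\s+)?TMOUT=(\d+)", text, re.MULTILINE)
    return int(match.group(1)) if match else None


def check_login_policy(login_defs, system_auth, profile):
    """Evaluate each checklist item; True means compliant."""
    defs = parse_login_defs(login_defs)
    crack = pam_module_args(system_auth, "pam_cracklib.so") or {}
    tally = pam_module_args(system_auth, "pam_tally2.so") or {}
    tmout = parse_tmout(profile)
    min_len = int(defs.get("PASS_MIN_LEN", 0))
    # A negative *credit value is a minimum count of that character class.
    classes_required = sum(1 for k in ("ucredit", "lcredit", "dcredit", "ocredit")
                           if int(crack.get(k, 0)) < 0)
    return {
        "pass_max_days": int(defs.get("PASS_MAX_DAYS", 99999)) <= MAX_DAYS,
        "pass_min_len": min_len >= MIN_LEN,
        "pass_warn_age": int(defs.get("PASS_WARN_AGE", 0)) >= WARN_AGE,
        "cracklib_minlen_matches": int(crack.get("minlen", 0)) >= min_len,
        "cracklib_three_classes": classes_required >= 3,
        "tally_deny": "deny" in tally and int(tally["deny"]) <= MAX_DENY,
        "tally_unlock_time": int(tally.get("unlock_time", 0)) >= MIN_UNLOCK,
        "even_deny_root": tally.get("even_deny_root") is True,
        "tmout": tmout is not None and tmout <= MAX_TMOUT,
    }


if __name__ == "__main__":
    for item, ok in check_login_policy(LOGIN_DEFS, SYSTEM_AUTH, PROFILE).items():
        print(f"{'PASS' if ok else 'FAIL'}  {item}")
```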

c) When performing remote management, necessary measures should be taken to prevent authentication information from being eavesdropped during network transmission;

1. Check whether the sshd service is running

(systemctl status sshd.service)

or

(service --status-all |grep sshd)

//The command output should look like:

sshd.service - OpenSSH server daemon

Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)

Active: active (running) since 三 2021-07-14 15:56:20 CST; 43min ago

Main PID: 1414 (sshd)

//A green "running" means the service is running

2. Check whether port 22, used by the sshd service, is open

(netstat -an |grep 22)

// Check whether port 22 is in the LISTEN state for sshd

3. Check whether the Telnet service is enabled

(systemctl list-unit-files |grep telnet)

//Check whether a telnet service unit appears in the output (it should not)

4. Check whether port 23, used by the Telnet service, is open

(netstat -an |grep 23)

// Check whether port 23 is in the LISTEN state for telnet (it should not be)

d) Two or more authentication techniques, such as passwords, cryptographic techniques and biometrics, should be combined to authenticate users, and at least one of them should be implemented with cryptographic techniques.

1. Check whether two or more authentication techniques, such as dynamic passwords, digital certificates, biometrics and device fingerprints, are combined to authenticate user identities.

2. Check whether at least one of the authentication techniques is implemented with cryptographic techniques.

//Ask the administrator whether there is any way to authenticate besides entering a password, and whether that method uses cryptographic techniques.

2. Access control

a) Accounts and permissions should be assigned to logged-in users;

1. Check whether accounts, permissions and related settings are assigned to users;

(umask)

//Check that the server's umask is 0027

2. Check whether access by anonymous and default accounts has been disabled or restricted;

(more /etc/shadow)

//In the command output, a second field of (!) or (*) indicates that the account is locked

//uucp, nuucp, lp, adm and shutdown are all default accounts

3. Check that file permissions are reasonable;

(ls -l /etc/passwd)

(ls -l /etc/shadow)

(ls -l /etc/profile)

(ls -l /etc/inet.conf)

(ls -l /etc/rc3.d)

//(The first character of the mode: d is a directory, l is a symbolic link, b is a block device file)

//Configuration files should be no more permissive than 644 and executables no more permissive than 755 (r read, w write, x execute)

b) Default accounts should be renamed or deleted, and the default passwords of default accounts should be changed;

1. Check whether default accounts have been renamed or deleted;

(more /etc/shadow)

//Check the command output for adm, lp, sync, shutdown, halt, mail, uucp, operator, games, gopher, ftp and other unused default accounts.

//These are present and unchanged by default

2. Check whether the default passwords of default accounts have been changed;

//Ask the administrator whether default accounts have been renamed and their default passwords changed.

3. Check whether the root account can log in remotely;

(more /etc/ssh/sshd_config)

//Check the output: it should contain PermitRootLogin no. The line must not start with #, because # marks the line as a comment and a commented-out line has no effect even if its value is correct.
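Added example, not from the original post: a small Python reader that reports the value sshd will actually use for a keyword, implementing the caveat above (a # line is a comment and does not count) together with two other sshd_config rules that matter when auditing: the first occurrence of a keyword wins, and lines after a Match block are conditional. The configuration excerpt is constructed.

```python
import re

# Constructed sshd_config excerpt (not from a real host). The commented-out first
# line is exactly the trap the checklist warns about: it sets nothing.
SSHD_CONFIG = """# /etc/ssh/sshd_config (constructed)
#PermitRootLogin yes
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
Match User deploy
    PermitRootLogin yes
"""


def effective_sshd_value(text, keyword):
    """Return the global value sshd uses for `keyword`, or None if no active line sets it.

    Rules applied: lines starting with '#' are comments and never count; keywords are
    case-insensitive; sshd keeps the FIRST value it reads for a keyword; and everything
    after the first 'Match' line is conditional, so the global scan stops there.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip()
    return None


def permit_root_login_is_no(text):
    """The checklist's own pass condition: an active line reading PermitRootLogin no."""
    value = effective_sshd_value(text, "PermitRootLogin")
    return value is not None and value.lower() == "no"


if __name__ == "__main__":
    print("PermitRootLogin =", effective_sshd_value(SSHD_CONFIG, "PermitRootLogin"))
    print("compliant:", permit_root_login_is_no(SSHD_CONFIG))
```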

c) Redundant and expired accounts should be deleted or deactivated in time, and shared accounts should be avoided;

1. Check that there are no redundant or expired accounts, and that administrator users correspond one-to-one with accounts;

//Ask the administrator whether each account corresponds to one individual

(more /etc/shadow)

//Disable or delete unnecessary default system accounts such as games, news, ftp, lp, halt and shutdown.

//Check whether the privileged accounts halt and shutdown have been deleted

2. Test to verify that redundant and expired accounts have been deleted or disabled;

(more /etc/shadow)

//Expired accounts and the privileged users halt and shutdown have been deleted.

3. Account sharing should be avoided;

//Ask the administrator whether each login is used by a single person

d) Administrative users should be granted the minimum privileges required for their duties, so that privileges are separated among administrative users;

1. Check whether roles are separated;

//Ask whether separate system administrator, security administrator and audit administrator accounts have been established

2. Check whether the privileges of administrative users are separated;

(more /etc/passwd)

//Field 1: user name

//Field 2: password flag

//Field 3: user ID (0 means superuser)

//Field 4: group ID

//Field 5: user description

//Field 6: home directory

//Field 7: the user's command interpreter (login shell)

//Check whether any account other than root has a third field of 0

3. Check whether administrative users' permissions are the minimum required for their tasks.

(more /etc/sudoers)

//Allow root to run any commands anywhere

root ALL=(ALL) ALL

//System administrator privileges should be assigned only to the root user
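Added example, not part of the original post: a Python checker for the /etc/passwd and /etc/shadow inspections from section 1.a and sections 2.a to 2.d above (unique UIDs and user names, empty passwords, default accounts that are still enabled, and UID 0 accounts other than root). The two sample files are constructed, and DEFAULT_ACCOUNTS is the list of default accounts the checklist names.

```python
from collections import defaultdict

# Constructed /etc/passwd and /etc/shadow samples (not taken from a real host).
# Planted findings: toor is a second UID 0 account, bob and carol share UID 1001,
# bob has an empty password, and the default account adm still has a live hash.
PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1001:1002:Carol:/home/carol:/bin/bash
"""
SHADOW = """root:$6$saltsalt$hashhash:19000:0:90:7:::
bin:*:18000:0:99999:7:::
adm:$6$saltsalt$hashhash:18000:0:99999:7:::
lp:!!:18000:0:99999:7:::
toor:$6$saltsalt$hashhash:19000:0:90:7:::
alice:$6$abc$def:19000:0:90:7:::
bob::19000:0:90:7:::
carol:!$6$abc$def:19000:0:90:7:::
"""

# Default accounts the checklist lists as candidates for removal or lockout.
DEFAULT_ACCOUNTS = {"adm", "lp", "sync", "shutdown", "halt", "mail", "uucp",
                    "nuucp", "operator", "games", "gopher", "ftp", "news"}


def parse_passwd(text):
    """Split /etc/passwd into records using the seven fields described in section 2.d."""
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue  # blank, comment or malformed line: skip rather than guess
        users.append({"name": fields[0], "uid": int(fields[2]), "gid": int(fields[3]),
                      "gecos": fields[4], "home": fields[5], "shell": fields[6]})
    return users


def parse_shadow(text):
    """Map account name -> second field of /etc/shadow (the hashed password)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and not line.startswith("#"):
            entries[fields[0]] = fields[1]
    return entries


def password_state(field):
    """Classify the shadow password field: 'empty', 'locked' ('!' prefix or '*'), or 'hashed'."""
    if field == "":
        return "empty"
    if field.startswith("!") or field == "*":
        return "locked"
    return "hashed"


def audit_accounts(passwd_text, shadow_text):
    """Run the checklist's account checks and return the findings per check."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    by_uid, by_name = defaultdict(list), defaultdict(list)
    for u in users:
        by_uid[u["uid"]].append(u["name"])
        by_name[u["name"]].append(u["uid"])
    return {
        "duplicate_uids": {uid: names for uid, names in by_uid.items() if len(names) > 1},
        "duplicate_names": [n for n, uids in by_name.items() if len(uids) > 1],
        "uid0_not_root": [u["name"] for u in users if u["uid"] == 0 and u["name"] != "root"],
        "empty_password": [n for n, f in shadow.items() if password_state(f) == "empty"],
        # A default account counts as enabled unless its shadow entry is locked.
        "default_accounts_enabled": sorted(
            u["name"] for u in users if u["name"] in DEFAULT_ACCOUNTS
            and password_state(shadow.get(u["name"], "")) != "locked"),
        "missing_shadow_entry": [u["name"] for u in users if u["name"] not in shadow],
    }


if __name__ == "__main__":
    for check, hits in audit_accounts(PASSWD, SHADOW).items():
        print(f"{check:26s} {hits if hits else 'OK'}")
```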

e) Access control policies should be configured by an authorized subject, and the policy should define the access rules of subjects to objects;

1. Check whether an authorized subject (such as an administrative user) is responsible for configuring the access control policy;

// Ask the system administrator and check whether the operating system's access control permissions are configured by the designated authorizer.

2. Check whether the authorized subject has configured subject-to-object access rules according to the security policy;

// Check the account permission configuration to determine whether each account's access rules follow the security policy

3. Test to verify that users cannot access resources without authorization.

f) The granularity of access control should reach the user or process level for subjects and the file or database table level for objects;

1. Check whether the granularity of the access control policy reaches the user or process level for subjects and the file, database table, record or field level for objects.

# ls -l /etc

# ls -l /tmp

# ls -l /etc/passwd

# ls -l /etc/shadow

# ls -l /etc/security/passwd

# ls -l /etc/security/login.cfg

# ls -l /etc/security/user

2. As an ordinary user, try to edit the /etc/passwd file and check whether it succeeds.

(vim /etc/passwd)

//An ordinary user should not be able to edit it

g) Security labels should be set for important subjects and objects, and subjects' access to information resources carrying security labels should be controlled.

1. Check whether security labels are set for subjects and objects, for example:

(ls -Z /etc/passwd) (uppercase Z)

//-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd

//The server sets security labels for important subjects and objects

//Part 1 is the SELinux user: system_u identifies system programs

//user_u identifies ordinary users; part 2 is the role, which defines the purpose of files, processes and users

//object_r denotes resources such as files or directories

//system_r denotes processes

//Part 3 is the type

// Part 4 is the sensitivity level used for restricting access (levels 0-15) (level 3 is required)

passwd_file_t:s0 (at least level 3 is required here)

2. Test to verify that mandatory access control of subjects' access to objects is based on the subject and object security labels.

(more /etc/selinux/config)

//Check whether SELinux is enabled

//SELinux configuration

SELINUX=disabled means SELinux is turned off

=enforcing: enforcing mode

=permissive: permissive mode (violations are logged but not blocked)

3. Security audit

a) The security audit function should be enabled, covering every user and auditing important user behaviour and important security events;

1. Check whether the security audit function is enabled;

service rsyslog status (security audit)

//In the command output, Active: active (running) means it is running

service auditd status (security audit daemon)

//In the command output, Active: active (running) means it is running

ps -ef |grep auditd (security audit daemon)

//If an auditd process appears in the command output, the daemon has been started

auditctl -s (check whether the audit module is enabled)

//Check the command output (enabled 1 means on, 0 means off)


2. Check whether the scope of the security audit covers every user;

View the configuration:

(more /etc/rsyslog.conf) (log auditing)

//The file contains the relevant audit policies

(more /etc/audit/filter.conf) (security event configuration; usually this file does not exist)

//The file contains the relevant audit policies

(more /etc/audit/audit.rules) (audit log policy; usually shows -D and -b XXX, where XXX is the buffer size)

//The file contains the relevant security audit policies

Digression: audit-related information

1. Example configuration of /etc/audit/auditd.conf

#vi /etc/audit/auditd.conf

# Line 5 sets the log file

log_file = /var/log/audit/audit.log

#Line 11 sets the number of rotated log files to keep, a number between 0 and 99. If set to less than 2, logs are not rotated. If num_logs is not set it defaults to 0, meaning the log files are never rotated

num_logs = 5

#Line 14 sets whether the host name is added to the log file name; NONE is generally chosen

name_format = NONE

#The fifth line sets the log file size, i.e. the maximum log file capacity in megabytes. When this capacity is reached, the action specified by max_log_file_action is executed

max_log_file = 6

#Line 17 sets the action taken when the log file reaches its maximum size; ROTATE (rotation) is selected here

max_log_file_action = ROTATE

2. Introduction to the auditctl command

The auditctl command is the most important part of the Linux user-space audit system. Its command format is:

auditctl [options] filter,action -S syscall -F condition -k label

The main parameters are described in Table 1.

Table 1. auditctl command options (item: optional parameters: description)

filter: user, exit, task, exclude: specifies which of the kernel's rule-matching filters the rule is attached to; one of task, exit, user or exclude

action: always, never: whether to audit the event (always means yes, never means no)

syscall: all, 2, open, etc.: any system call; the full list is in the /usr/include/asm/unistd_64.h file. Several system calls can be combined in one rule

condition: euid=0, arch=b64, etc.: additional options that further restrict the rule to events matching a specific architecture, group ID, process ID and so on

label: any text: labels the audit event so that its logs can be retrieved by key

-S specifies the system call number or name

-F specifies a rule field

-k sets a filter key on the audit rule

3. Types of audit rules

Audit rules are divided into three kinds:

Control rules: used to change the configuration and settings of the audit system itself.

Filesystem rules: file or directory watches. With these rules, any type of access to a specific file or directory can be audited.

System call rules: used to monitor system calls made by any process or by a specific user.

Control rules

Control rules can be set in /etc/audit/audit.rules. They mainly include:

-D #Delete all currently loaded audit rules#

-b 8192 #Set the maximum number of outstanding audit buffers in the kernel to 8192#

-e 2 #Lock the audit configuration#

Filesystem rules

These can be set with the auditctl command. They monitor file system activity on a given file or directory for the selected permission attributes.

Rule format:

-w path

-p permissions

-k keyword

The -p permissions are of four kinds:

r: read a file or directory.

w: write to a file or directory.

x: execute a file or directory.

a: change the attributes of a file or directory.

For example, to monitor modifications to the /etc/passwd file, use: #auditctl -w /etc/passwd -p wa

The same line can also be added to the file /etc/audit/rules.d/audit.rules so that the watch persists.

3. Check whether important user behaviour and important security events are audited.

Log overview:

(aureport -i)

//Range of time in logs: XXXXXXXXXX (time range covered by the logs)

Selected time for report: XXXXXXXXXX (time range selected for the report)

4. Check whether the log files cover 6 months:

(more /var/log/audit/audit.log.X) (X is a number; how many such files exist depends on the system)

(head -10 /var/log/audit/audit.log.X)

(tail -10 /var/log/audit/audit.log.X)

// head shows the first lines of a file and tail shows the last lines

(msg=audit(1626333001)

//Convert the timestamp to find the oldest record

//https://tool.lu/timestamp/ (timestamp converter)

b) Audit records should include the date and time of the event, the user, the type of event, whether the event succeeded, and other audit-related information;

1. Check whether audit records include the date and time of the event, the user, the event type, whether the event succeeded, and other audit-related information;

(tail -20 /var/log/audit/audit.log) (view the last 20 lines of the log)

//Audit records should include the date, time, type, subject ID, object ID and result of the event

type (message type), msg (time and event ID), syscall (system call type),

success (whether the syscall succeeded), exe (path of the process executable).
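Added example (not the original post's code): a Python parser for the audit.log fields listed above. It groups records by event serial, extracts the date and time, type, subject (auid), object (PATH name or exe) and result, and measures the time span of the log for the 6-month check in section 3.a. The log lines are constructed: a write to /etc/passwd caught by the -w /etc/passwd -p wa rule from the digression, and a failed SSH login about six months later.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed audit.log excerpt (not real host data): one write to /etc/passwd caught by a
# `-w /etc/passwd -p wa -k passwd_watch` rule, then a failed SSH login (a user-space record
# whose details sit inside a nested msg='...' field).
AUDIT_LOG = """type=SYSCALL msg=audit(1626333001.123:456): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=1414 auid=1000 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="passwd_watch"
type=CWD msg=audit(1626333001.123:456): cwd="/root"
type=PATH msg=audit(1626333001.123:456): item=0 name="/etc/passwd" mode=0100644 ouid=0 ogid=0
type=USER_LOGIN msg=audit(1640995200.000:789): pid=2000 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/0 res=failed'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
REQUIRED = ("time", "type", "subject", "object", "result")  # what the checklist demands


def parse_audit_line(line):
    """One audit.log line -> {'type', 'time', 'serial', <key>: <value>...}, or None if malformed."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(f"{m.group(2)}.{m.group(3)}"),
           "serial": int(m.group(4))}
    body = m.group(5)
    inner = re.search(r"msg='([^']*)'", body)  # user-space records nest fields in msg='...'
    if inner:
        body = body.replace(inner.group(0), " ") + inner.group(1)
    for key, value in FIELD.findall(body):
        rec[key] = value.strip("\"'")
    return rec


def iso_utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def events(text):
    """Group lines by serial into events carrying the summary fields the checklist requires."""
    by_serial = defaultdict(list)
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec:
            by_serial[rec["serial"]].append(rec)
    out = []
    for serial, recs in sorted(by_serial.items()):
        head = recs[0]
        paths = [r["name"] for r in recs if r["type"] == "PATH" and "name" in r]
        out.append({
            "serial": serial,
            "time": iso_utc(head["time"]),
            "type": head["type"],
            "subject": head.get("auid"),  # login UID: the person responsible, even after su
            "object": paths or ([head["exe"]] if "exe" in head else []),
            "result": head.get("success") or head.get("res"),
            "key": head.get("key"),
        })
    return out


def missing_fields(event):
    """Names of checklist-required fields that this event lacks."""
    return [f for f in REQUIRED if not event.get(f)]


def retention_days(text):
    """Days spanned between the oldest and newest record (compare with the 6-month requirement)."""
    times = [r["time"] for r in map(parse_audit_line, text.splitlines()) if r]
    return (max(times) - min(times)) / 86400 if times else 0.0


if __name__ == "__main__":
    for ev in events(AUDIT_LOG):
        print(ev, "missing:", missing_fields(ev))
    print(f"log spans {retention_days(AUDIT_LOG):.1f} days")
```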

c) Audit records should be protected and backed up regularly to avoid unexpected deletion, modification or overwriting;

1. Check whether protective measures have been taken for audit records;

(ls -l /var/log/audit) view audit file permissions

(ls -l /var/log) view directory permissions

//The files may be readable but must not be writable by other users.

2. Check whether technical measures are taken to back up audit records regularly, and check the backup strategy.

//Ask the administrator and view the relevant configuration.

d) The audit process should be protected against unauthorized interruption.

1. Test by attempting to interrupt the audit process from an account other than the audit administrator, and verify whether the audit process is protected.

(Switch to an ordinary user and run service auditd stop to try to stop the daemon)

//As a normal user, stopping the audit process should fail

//Alternatively, a third-party audit tool is deployed that records the audit log in real time, so the administrator cannot delete the log

4. Intrusion prevention

a) The principle of minimal installation should be followed, installing only required components and applications;

1. Check whether the minimal installation principle is followed;

(yum list installed)

//Ask the administrator whether the installed packages include redundant or unused services

2. Check that unnecessary components and applications are not installed;

(cat /etc/redhat-release)

//Check the system version

b) Unnecessary system services, default shares and high-risk ports should be closed;

1. Check whether unnecessary system services and default shares are closed;

(systemctl list-units --type=service --all)

//Ask the administrator whether there are redundant services

(Close the shell, login, echo, talk, ntalk and sendmail services.)

2. Check that no unnecessary high-risk ports are open.

(netstat -ntlp or netstat -anp)

//Ask the administrator whether there are redundant ports

c) Management terminals that manage the host over the network should be restricted by terminal access method or network address range;

1. Check whether configuration files or parameters limit the access range of terminals.

(more /etc/hosts.deny and more /etc/hosts.allow)

//Check whether the file contains ALL: ALL (all connections are denied)

//sshd:192.168.1.10/255.255.255.0 (allow connections from this address range)

2. Check whether restrictions on access terminals are set in the firewall;

(systemctl status firewalld)

//Check whether the firewall is enabled (Active: active (running) means running)

(firewall-cmd --zone=public --list-rich-rules)

// Check whether the firewall has a policy; fields of a rich rule:

rule family: IP version

source address: IP address

port port: port number

protocol: protocol

reject: deny the connection

accept: allow the connection
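Added example, not from the original post: a Python evaluation of the /etc/hosts.allow and /etc/hosts.deny rules discussed in item 1 above, following the tcp_wrappers order (a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise access is granted). The two files are constructed around the checklist's own entries (ALL: ALL in hosts.deny, sshd:192.168.1.10/255.255.255.0 in hosts.allow); only IPv4 client patterns are handled and EXCEPT lists are not.

```python
import ipaddress

# Constructed /etc/hosts.allow and /etc/hosts.deny contents (not from a real host).
HOSTS_ALLOW = """# allow the admin subnet and one jump-host prefix to reach sshd
sshd: 192.168.1.10/255.255.255.0
sshd: 10.0.0.
"""
HOSTS_DENY = """ALL: ALL
"""


def parse_access_file(text):
    """Return [(daemon_patterns, client_patterns)] per rule line; a trailing option field is ignored.

    IPv4 only: bracketed IPv6 patterns contain ':' and would confuse this simple split.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue
        daemons = [d.strip() for d in parts[0].split(",") if d.strip()]
        clients = [c.strip() for c in parts[1].split(",") if c.strip()]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, ip):
    """hosts_access(5) client patterns handled: ALL, net/mask, CIDR, trailing-dot prefix, exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):           # e.g. '10.0.0.' matches every host under that prefix
        return ip.startswith(pattern)
    if "/" in pattern:                  # 'net/mask' or 'net/bits'; strict=False tolerates a host address
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def rule_matches(rules, daemon, ip):
    return any(any(daemon_matches(d, daemon) for d in ds) and any(client_matches(c, ip) for c in cs)
               for ds, cs in rules)


def is_allowed(allow_text, deny_text, daemon, ip):
    """tcp_wrappers decision order: hosts.allow grants, else hosts.deny refuses, else grant."""
    if rule_matches(parse_access_file(allow_text), daemon, ip):
        return True
    if rule_matches(parse_access_file(deny_text), daemon, ip):
        return False
    return True


if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.168.1.77"), ("sshd", "10.0.0.5"),
                       ("sshd", "203.0.113.4"), ("vsftpd", "192.168.1.77")]:
        print(f"{daemon:7s} from {ip:14s} ->", "allow" if is_allowed(HOSTS_ALLOW, HOSTS_DENY, daemon, ip) else "deny")
```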

e) Possible known vulnerabilities should be discoverable, and after full testing and evaluation, vulnerabilities should be patched in a timely manner;

1. Check, through vulnerability scanning and penetration testing, that there are no high-risk vulnerabilities;

//Scan web services with tools

2. Check whether vulnerabilities are fixed in time after sufficient testing and evaluation.

(more /var/log/secure | grep refused)

3. Interview about the patch upgrade mechanism and check the patch installation status

(rpm -qa |grep patch)

//Check how old the installed patch versions are against the vendor's website.

f) Intrusions against important nodes should be detectable, and an alarm should be raised when a serious intrusion event occurs;

1. Interview and check whether intrusion detection measures exist;

(more /var/log/secure | grep refused)

//Look for traces of intrusion

(find / -name <daemon name> -print)

// locate intrusion detection software

2. Check whether an alarm is provided when a serious intrusion occurs.

//Ask the administrator whether an intrusion alarm function is provided and how it alerts.

3. Check the host firewall status

(systemctl status firewalld)

//Check whether the firewall is enabled (Active: active (running) means running)

5. Malicious code prevention

a) Technical measures against malicious code attacks, or active immunity and trusted verification mechanisms, should be adopted to identify intrusions and virus behaviour in a timely manner and block them effectively.

1. Check whether anti-malware software or software with equivalent functions is installed, and whether the anti-malware signature database is upgraded and updated regularly;

//Ask the administrator whether anti-malware software or software with equivalent functions is installed, and whether the signature database is upgraded and updated regularly;

2. Check whether active immunity and trusted verification technology is used to identify intrusions and virus behaviour in a timely manner;

//Record the antivirus tool, software version and virus database version.

3. Check whether intrusions and virus behaviour are effectively blocked once identified.

//View the antivirus software and its scan records.

6. Trusted verification

a) Based on a root of trust, the boot program, system programs, important configuration parameters and application programs of the computing device should be verified as trusted, dynamic trusted verification should be performed at key execution points of applications, an alarm should be raised when trustworthiness is found to be damaged, and the verification results should be sent to the security management centre as audit records.

//not applicable

7. Data integrity

a) Verification or cryptographic technology should be used to ensure the integrity of important data during transmission, including but not limited to authentication data, important business data, important audit data, important configuration data, important video data and important personal information;

1. Check the system design documents for whether verification or cryptographic technology is used to ensure the integrity of authentication data, important business data, important audit data, important configuration data, important video data and important personal information during transmission;

//Ask the administrator what protocol is used to transmit important data (Linux generally uses the SSH protocol)

2. Test whether authentication data, important business data, important audit data, important configuration data, important video data and important personal information can be tampered with during transmission, and whether damage to data integrity during transmission can be detected and recovered from in a timely manner.

//Ask the administrator what protocol is used to transmit important data (Linux generally uses the SSH protocol), and whether there is an integrity check mechanism.

b) Verification or cryptographic technology should be used to ensure the integrity of important data in storage, including but not limited to authentication data, important business data, important audit data, important configuration data, important video data and important personal information.

1. Check business application systems, database management systems, middleware, system management software and system design documents, data security protection systems, operating systems in terminals and servers, network devices and security devices.

//Verification or cryptographic technology is used to ensure the integrity of important data in storage

8. Data confidentiality

a) Encryption technology should be used to ensure the confidentiality of important data during transmission, including but not limited to authentication data, important business data and important personal information;

1. Check the system design documents for whether encryption technology is used to ensure the confidentiality of authentication data, important business data and important personal information during transmission;

//Ask the administrator what protocol is used to transmit important data (Linux generally uses the SSH protocol), and whether there is a check mechanism.

2. Capture packets during transmission by sniffing or other methods, and identify whether authentication data, important business data and important personal information are encrypted in transit.

//Ask the administrator what protocol is used to transmit important data (Linux generally uses the SSH protocol), and whether there is a check mechanism.

b) Encryption technology should be used to ensure the confidentiality of important data in storage, including but not limited to authentication data, important business data and important personal information.

1. Check business application systems, database management systems, middleware, system management software and system design documents, data security protection systems, operating systems in terminals and servers, and important configuration data in network devices and security devices.

//Ask the administrator what protocol is used to transmit important data (Linux generally uses the SSH protocol), and whether there is a check mechanism.

9. Data backup and recovery

a) Local data backup and recovery functions should be provided for important data;

1. Check whether a backup strategy is in place for local backup;

//Ask the administrator whether a backup strategy is set (time, backup location, backup type (incremental, full))

2. Check whether the backup policy is reasonable and correctly configured;

//View the backup strategy

3. Check whether the backup results are consistent with the backup strategy;

//View the backup results

4. Check whether recent recovery test records show that data can be recovered normally.

//Ask the administrator whether a backup recovery test has been performed recently.

b) An off-site real-time backup function should be provided, backing up important data to the backup site in real time over the communication network;

1. Check whether an off-site real-time backup function is provided and whether important configuration data and important business data are backed up to the backup site in real time over the network.

//Ask the administrator whether there is remote backup and what the backup strategy is (time, backup location, type (full, incremental))

c) Hot redundancy of important data processing systems should be provided to ensure high availability.

1. Interview the host administrator: which systems are the important data processing systems, whether they have a backup mechanism, and whether it uses local hot-standby backup, off-site backup or reciprocal (mutual-aid) backup

2. Check the equipment list for whether the important data processing systems use hot-standby servers

//Check whether the important data processing systems (including border routers, border firewalls, core switches, application servers and database servers) are deployed in hot-redundant mode.

10. Protection of residual information

a) It should be ensured that the storage space holding authentication information is completely cleared before being released or reallocated;

1. Check the relevant configuration or system design documents for whether the storage space holding users' authentication information is completely cleared before being released or reallocated.

// compliant by default

b) It should be ensured that the storage space holding sensitive data is completely cleared before being released or reallocated.

1. Check the relevant configuration or system design documents for whether the storage space holding sensitive data is completely cleared before being released or reallocated to other users.

// compliant by default

11. Personal information protection

a) Only the user personal information necessary for the business should be collected and stored;

1. Check whether the collected user personal information is necessary for the business applications;

2. Check whether a management system and process for protecting users' personal information have been formulated.

//not applicable

b) Unauthorized access to and illegal use of user personal information should be prohibited;

1. Check whether technical measures are adopted to restrict access to and use of users' personal information;

2. Check whether a management system and process for protecting users' personal information have been formulated;

//not applicable


Origin blog.csdn.net/qq_27817851/article/details/128147237