Classified protection (等级保护, MLPS) evaluation: Linux

Identity authentication

a) Logged-in users should be identified and authenticated. Identities must be unique, and authentication information (passwords) must meet complexity requirements and be changed periodically;

1. As root, in a terminal, run cat /etc/passwd. Each line has seven colon-separated fields:

Field 1: username

Field 2: password placeholder (x means the hash is stored in /etc/shadow)

Field 3: UID (user ID); UID 0 is root, and any other account with UID 0 is a second superuser

Field 4: GID (primary group ID)

Field 5: user description (GECOS)

Field 6: home directory

Ordinary user: /home/username

Superuser: /root

Field 7: login shell (/sbin/nologin or /bin/false means the account cannot log in interactively)

Run cat /etc/shadow to check for empty passwords: an empty second field means the account has no password at all; a second field starting with ! or * means the account is locked.

2. User list: confirm that identities are unique by checking that no username (field 1) and no UID (field 3) appears more than once in /etc/passwd.

3. Check for r-service trust files, which allow password-less remote login from the listed hosts or users:

.rhosts file check: find / -name ".rhosts"

hosts.equiv check: cat /etc/hosts.equiv

Requirement: remove all usernames and hosts from .rhosts files and /etc/hosts.equiv (preferably delete the files and disable the rsh/rlogin services).

4. Interview: ask for the configured password length and change cycle, then verify:

cat /etc/login.defs | grep PASS

login.defs (values are whitespace-separated, not colon-separated):

PASS_MAX_DAYS 90

PASS_MIN_DAYS 2

PASS_MIN_LEN 8

PASS_WARN_AGE 7

Caveat: the aging values in login.defs are copied into /etc/shadow only for accounts created after they were set; existing accounts keep their own values (see chage below). On PAM-based systems the effective minimum length is enforced by the PAM password module, not by PASS_MIN_LEN, so check both.

cat /etc/pam.d/system-auth

system-auth file (on RHEL/CentOS 7 and later pam_pwquality.so replaces pam_cracklib.so and accepts the same options; on Debian/Ubuntu the equivalent file is /etc/pam.d/common-password):

password requisite pam_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1

minlen=8 is the minimum length; ucredit/lcredit/dcredit/ocredit=-1 each require at least one uppercase letter, lowercase letter, digit and other character.

5. Use "chage -l <login name>" to view the password aging policy actually applied to an existing account (this reflects /etc/shadow, regardless of login.defs):

chage -l root    view the account's password aging information

chage -M 90 root    set the maximum password lifetime to 90 days

chage -m 2 root    set the minimum number of days between password changes to 2

chage -W 7 root    set the expiry warning period to 7 days

Result record:

1. Describe whether any account has an empty password field

2. Describe the configured password complexity and extract the configuration

3. Describe the periodic password change policy (relevant documents or the enforced technical policy)

4. Describe the aging policy applied to existing passwords (chage -l output)

b) A login-failure handling function should be provided, and measures such as ending the session, limiting the number of failed login attempts, and automatically logging out when the connection is idle past a timeout should be configured and enabled;

1. View the file: cat /etc/pam.d/system-auth (also /etc/pam.d/password-auth and /etc/pam.d/sshd, since SSH logins on RHEL/CentOS go through password-auth)

Check whether system-auth contains a lockout module such as the following (X is the number of failed attempts allowed; these lines are not present by default and must be added manually):

auth required pam_tally2.so deny=X unlock_time=300 even_deny_root root_unlock_time=600

account required pam_tally2.so

The line quoted in older checklists, account required pam_tally.so deny=X no_magic_root reset, belongs to the obsolete pam_tally module. On RHEL/CentOS 8 and later pam_tally2 has in turn been replaced by pam_faillock.so, whose deny and unlock_time values may live in /etc/security/faillock.conf rather than on the PAM line; current failure counters are shown with faillock --user <name> (pam_tally2 --user <name> for pam_tally2).

2. View the file: cat /etc/profile

The profile file should contain export TMOUT=600, so that an idle shell is disconnected after 600 seconds without activity. Add readonly TMOUT on the following line so that users cannot unset it, and check that ~/.bashrc or ~/.bash_profile does not override it.
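The two checks above (a lockout module in the PAM stack, and a TMOUT that is set, short enough and read-only) are easy to get wrong by eye, so here is an added example, not code from the original post, that parses them from files given as arguments. It runs against constructed sample files (a weak stack, a pam_tally2 stack and a pam_faillock stack whose limit lives in faillock.conf); on a real host pass /etc/pam.d/system-auth (and password-auth, sshd) and /etc/profile.

```shell
#!/bin/sh
# Added example (not from the original post): checks a PAM config file for an
# enabled login-lockout module and a profile file for an idle timeout, using
# constructed sample files. Real targets: /etc/pam.d/system-auth, /etc/profile.

# Print "<module> deny=<N>" for the first auth line loading pam_tally2 or
# pam_faillock; print nothing if no lockout module is configured. deny=unset
# means the limit is not on the line (e.g. it is in /etc/security/faillock.conf).
lockout_policy() {   # $1 = PAM config file
    awk '$1 == "auth" {
            mod = ""; deny = "unset"
            for (i = 2; i <= NF; i++) {
                if ($i ~ /pam_(tally2|faillock)\.so$/) mod = $i
                else if (mod != "" && $i ~ /^deny=/) deny = substr($i, 6)
            }
            if (mod != "") { print mod, "deny=" deny; exit }
         }' "$1"
}

# Print the last TMOUT value assigned in a profile-style file, or nothing.
tmout_value() {   # $1 = profile file
    awk '{ line = $0
           sub(/^[ \t]*(export[ \t]+)?/, "", line)
           if (line ~ /^TMOUT=[0-9]+/) { sub(/^TMOUT=/, "", line); sub(/[^0-9].*$/, "", line); v = line } }
         END { if (v != "") print v }' "$1"
}

# Succeed (exit 0) if the file makes TMOUT read-only so users cannot unset it.
tmout_readonly() {   # $1 = profile file
    grep -q '^[[:space:]]*readonly[[:space:]][[:space:]]*TMOUT' "$1"
}

# One-line verdict for a PAM file and a profile file.
assess() {   # $1 = PAM file, $2 = profile file, $3 = max idle seconds allowed
    lock=$(lockout_policy "$1"); t=$(tmout_value "$2")
    [ -n "$lock" ] && l="lockout: $lock" || l="lockout: NONE"
    if [ -z "$t" ]; then tm="timeout: NONE"
    elif [ "$t" -gt "$3" ]; then tm="timeout: $t (too long)"
    else tm="timeout: $t"; fi
    tmout_readonly "$2" && ro="readonly" || ro="not readonly"
    echo "$l; $tm, $ro"
}

# Constructed sample files (not copied from a real host).
D=$(mktemp -d)
cat > "$D/system-auth.weak" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
EOF
cat > "$D/system-auth.tally2" <<'EOF'
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5 unlock_time=300 even_deny_root root_unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_tally2.so
account     required      pam_unix.so
EOF
cat > "$D/system-auth.faillock" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail
account     required      pam_faillock.so
EOF
printf 'export PATH\n' > "$D/profile.weak"
printf 'export TMOUT=600\nreadonly TMOUT\n' > "$D/profile.hardened"

for f in weak tally2 faillock; do
    echo "$f: $(assess "$D/system-auth.$f" "$D/profile.hardened" 600)"
done
echo "weak profile: $(assess "$D/system-auth.tally2" "$D/profile.weak" 600)"
```

A deny=unset result for pam_faillock is not a failure by itself; it tells the evaluator to read the limit from /etc/security/faillock.conf and to extract that file too.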


Result record:

1. Describe the login failure processing function and extract the configuration

2. Describe the login connection timeout setting and extract the configuration

c) When performing remote management, necessary measures should be taken to prevent authentication information from being eavesdropped on during network transmission;

1. Ask and verify whether Telnet, FTP and other plaintext services are disabled and whether SSH is used for remote login and management. For xinetd-based telnet, check cat /etc/xinetd.d/telnet (named krb5-telnet on older Red Hat releases): disable = yes, or the telnet service/command not being present, means Telnet is not enabled. Older systems use inetd (/etc/inetd.conf) instead of xinetd; on systemd hosts also check systemctl is-enabled telnet.socket.

rpm -qa | grep ssh shows whether the SSH packages (openssh-server, openssh-clients) are installed; record the version.

Run netstat -an (or ss -tlnp), or lsof -i:21, lsof -i:22, lsof -i:23, to check the state of ports 21 (FTP), 22 (SSH) and 23 (Telnet); 21 and 23 should not be listening.

2. SSH should be used for remote management:

lsof -i:22

prints the processes listening or connected on the SSH port. Also confirm that only SSH protocol 2 is in use (protocol 1 is insecure and has been removed from current OpenSSH).

Result record:

1) Describe the remote login method and extract the SSH package version

2) Describe whether the Telnet mode is closed.

d) Two or more authentication techniques, such as password, cryptographic token and biometrics, should be combined to authenticate users, and at least one of them should be implemented using cryptography.

1. Ask whether operating system login uses password plus token, USB key or similar for identity authentication.

Two-factor authentication should be used;

When SSH is used for remote access, the use of certificate (public-key) authentication can be judged partially compliant

Result record:

1. Describe whether a two-factor inspection mechanism is used;

2. Describe how to verify.

Access control

a) Accounts and permissions should be assigned to logged-in users;

1. Ask the system administrator whether a user permission matrix has been established, and whether the permissions actually configured match it

A user permission matrix has been drawn up, and users are assigned permissions according to it.

Result record:

1) Describe the established permission allocation table, and extract the system user permission settings

2) Describe the permissions of the default account

b) Default accounts should be renamed or deleted, and the default passwords of default accounts should be changed;

1. Check whether the system default accounts have been renamed; ask, and confirm from the operating system scan results, whether any account still uses a default password.

The system default accounts should be renamed;

The passwords of default accounts should be changed.

Result record:

1) Describe whether the default account was disabled or renamed

2) Describe whether the default password has been replaced

c) Redundant and expired accounts should be deleted or disabled promptly, to avoid shared accounts

1. Check that there are no redundant or expired accounts and that administrator users correspond one-to-one with accounts;

//Ask the administrator whether each account corresponds to a single individual (no shared accounts)

more /etc/shadow

//Disable or delete unnecessary default system accounts such as games, news, ftp, lp, halt

Delete, lock, or prohibit login for redundant accounts such as uucp, nuucp, lp, adm, sync, shutdown, halt, news, operator, gopher

//Check whether the privileged accounts halt and shutdown have been deleted or locked

2. Test to verify that redundant and expired accounts have actually been deleted or disabled. Check /etc/shadow and ask whether each remaining account is expired or redundant. A locked account has a password field (between the first and second colon) beginning with ! or !! or equal to *; such accounts cannot authenticate with a password. passwd -S <user> shows L or LK for a locked account, and chage -l <user> shows the "Account expires" date for expired ones.

Result record:

1) Describe the corresponding relationship of the system administrator

2) Describe the existing accounts and whether there are redundant accounts

d) Management users should be granted only the minimum privileges required for their tasks, so that the privileges of management users are separated;

1. Is there a division of roles?

//Ask whether separate system administrator, security administrator and audit administrator accounts have been established

2. Check whether the privileges of management users are separated

3. Check more /etc/shadow (together with /etc/passwd and /etc/group) and ask whether each account's privilege settings meet the least-privilege requirement and whether privileges are separated between the accounts

4. more /etc/sudoers (and /etc/sudoers.d/*)

Check that administrative users hold only the rights required for their job tasks: sudo rules should grant specific commands rather than ALL, and a NOPASSWD: ALL grant is effectively an unrestricted root account.

Full system administrator privileges (UID 0) should be held only by the root account
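Reading a long sudoers file for step 4 is error-prone, so here is an added example, not code from the original post, that extracts every user specification and flags the two findings that matter for least privilege: rules whose command list is ALL, and rules tagged NOPASSWD. It runs on a constructed sudoers sample; on a real host pass /etc/sudoers and each file under /etc/sudoers.d/, and cross-check the result with sudo -l -U <user>, which also resolves aliases and #include files that this parser does not follow.

```shell
#!/bin/sh
# Added example (not from the original post): lists sudo rules from a sudoers
# file and flags unrestricted (ALL) and NOPASSWD grants. Runs on a constructed
# sample; real targets are /etc/sudoers and /etc/sudoers.d/*.

# $1 = sudoers file. Prints "user|tags|commands" for every user specification,
# skipping comments, Defaults lines and alias definitions.
sudo_rules() {
    awk '$0 !~ /^[ \t]*#/ && NF > 0 && $1 != "Defaults" && $1 !~ /_Alias$/ && $0 ~ /=/ {
            user = $1
            rest = $0; sub(/^[^=]*=/, "", rest)                # drop "user HOST="
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", rest)            # drop "(RUNAS)"
            tags = ""
            while (match(rest, /^[A-Z]+:[ \t]*/)) {            # NOPASSWD:, SETENV:, ...
                tags = tags substr(rest, 1, RLENGTH)
                rest = substr(rest, RLENGTH + 1)
            }
            gsub(/[ \t]+/, "", tags); gsub(/[ \t]+/, " ", rest)
            print user "|" tags "|" rest
         }' "$1"
}

# Users/groups whose command list is exactly ALL (unrestricted root).
sudo_unrestricted() { sudo_rules "$1" | awk -F'|' '$3 == "ALL" { print $1 }'; }

# Users/groups with a NOPASSWD rule (no re-authentication before privilege).
sudo_nopasswd() { sudo_rules "$1" | awk -F'|' '$2 ~ /NOPASSWD:/ { print $1 }'; }

# Constructed sample sudoers (invented, not from a real host).
D=$(mktemp -d)
cat > "$D/sudoers" <<'EOF'
# sample sudoers
Defaults    requiretty
Defaults    env_keep += "LANG LC_ALL"
Cmnd_Alias  AUDIT = /usr/sbin/ausearch, /usr/sbin/aureport
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
backup  ALL=(root)      NOPASSWD: /usr/bin/rsync
auditor ALL=(ALL)       AUDIT
deploy  ALL=(ALL)       NOPASSWD: ALL
EOF

echo "rules:"; sudo_rules "$D/sudoers"
echo "unrestricted: $(sudo_unrestricted "$D/sudoers" | tr '\n' ' ')"
echo "nopasswd: $(sudo_nopasswd "$D/sudoers" | tr '\n' ' ')"
```

In the sample, root and %wheel are the expected system-administrator grants, auditor is a correctly scoped audit-administrator rule, and deploy (NOPASSWD: ALL) is the finding to record: it is a second root account in all but name.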

Result analysis:

1) Describe the existing administrative roles and their permissions

2) Describe whether the assigned permissions are separated according to the principle of least privilege

e) The access control policy should be configured by an authorised subject, and the policy should define the access rules of subjects to objects;

1) Check whether an authorised subject (such as an administrative user) is responsible for configuring the access control policy;

2) Check whether the authorised subject has configured the subjects' access rules to objects according to the security policy;

3) Test to verify whether a user can access what it is not authorised to access

Switch to an ordinary user and check whether that user can modify protected files, e.g. vim /etc/passwd (the write should fail with permission denied)

Result record:

1) Describe the administrator who configures the access control policy

f) The granularity of access control should reach the user or process level for subjects, and the file or database-table level for objects;

Check whether the granularity of the access control policy reaches the user or process level for subjects and the file, database table, record or field level for objects

# ls -l /etc

# ls -l /tmp

# ls -l /etc/passwd

# ls -l /etc/shadow

(/etc/security/passwd, /etc/security/login.cfg and /etc/security/user are AIX files and do not exist on Linux; their Linux counterparts are /etc/shadow, /etc/login.defs and the PAM configuration.)

Result record:

By default, Linux discretionary access control (owner/group/other permission bits) already provides user-level subjects and file-level objects; /etc/shadow should be mode 0000 or 0640 owned by root (group root, or shadow on Debian), and /tmp should carry the sticky bit (drwxrwxrwt) so users cannot delete each other's files.


g) Security labels should be set for important subjects and objects, and the subjects' access to labelled information resources should be controlled.

1. Check whether subjects and objects carry security labels:

ls -Z /etc/passwd

//-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd

//The server sets security labels for important subjects and objects

//An SELinux context has four colon-separated parts: user:role:type:level

//Part 1, SELinux user: system_u identifies system processes and files; user_u / unconfined_u identify ordinary users

//Part 2, role: object_r is used for resources such as files and directories; system_r for system processes

//Part 3, type: the attribute that type-enforcement rules are written against (passwd_file_t here); it decides which process domains may access the object

//Part 4, MLS/MCS level: sensitivity levels s0 to s15, optionally with categories; restricting access by level is an MLPS level-3 requirement

passwd_file_t:s0 (the type and level shown in the example above)

2. Test whether the mandatory access control policy that governs subjects' access to objects is actually based on those labels:

more /etc/selinux/config

// Check whether SELinux is enabled

//SELinux configuration

SELINUX=disabled means SELinux is off

=enforcing enforcing mode (policy violations are denied and logged)

=permissive permissive mode (violations are only logged, so labels exist but do not control access)

The value in /etc/selinux/config applies from the next boot; the mode currently in effect may differ.
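To make the four-part label structure and the mode check concrete, here is an added example, not code from the original post. It splits a context string into user, role, type and level (the level may itself contain colons, as in MCS ranges), pulls the context out of a line of ls -Z output in either the old or the new coreutils layout, and reads SELINUX= from a config file. Input is constructed; on a real host feed it ls -Z <file>, ps -eZ for process (subject) labels, and /etc/selinux/config, and compare with getenforce / sestatus for the running mode.

```shell
#!/bin/sh
# Added example (not from the original post): SELinux label and mode checks
# for item g) on constructed input. Real targets: `ls -Z`, `ps -eZ`,
# /etc/selinux/config.

# Print "user=.. role=.. type=.. level=.." for a context string. Everything
# after the third colon is the MLS/MCS level (it may contain colons itself,
# e.g. s0-s0:c0.c1023), so the level is taken as the remainder of the string.
parse_context() {   # $1 = user:role:type[:level]
    printf '%s\n' "$1" | awk -F: '{
        rest = $0
        sub(/^[^:]*:[^:]*:[^:]*:?/, "", rest)
        printf "user=%s role=%s type=%s level=%s\n", $1, $2, $3, (rest == "" ? "none" : rest)
    }'
}

# Print the context field from one line of `ls -Z` output. Both the old
# layout (mode owner group context path) and the new one (context path) work,
# because the context is the only field shaped like a:b:c.
context_from_ls() {   # $1 = one line of `ls -Z` output
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z0-9_.]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+/) { print $i; exit }
    }'
}

# Print the SELINUX= value (enforcing / permissive / disabled) from a config
# file, ignoring comment lines; "unset" if absent.
configured_mode() {   # $1 = selinux config file
    awk -F= '$1 == "SELINUX" { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

# Verdict for item g): labels only control access when SELinux is enforcing.
mac_verdict() {   # $1 = selinux config file
    case "$(configured_mode "$1")" in
        enforcing)  echo "compliant: labels enforced" ;;
        permissive) echo "non-compliant: labels present but violations only logged" ;;
        *)          echo "non-compliant: SELinux disabled or unset" ;;
    esac
}

# Constructed sample input (not captured from a real host).
D=$(mktemp -d)
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$D/config.enforcing"
printf '# SELINUX=enforcing\nSELINUX=disabled\n' > "$D/config.disabled"
LS_LINE='-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd'

parse_context "$(context_from_ls "$LS_LINE")"
parse_context 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
mac_verdict "$D/config.enforcing"
mac_verdict "$D/config.disabled"
```

Note that configured_mode reads the boot-time setting; a host can be configured enforcing but running permissive after setenforce 0, so the running mode must be recorded as well.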

Result record:

1. Describe whether to set security marks on the subject and object;

2. Describe whether access control is based on security markings.

3. If this item is not met, the system has not enabled the security-label function (SELinux disabled or not installed).

Security audit

a) The security audit function should be enabled, cover every user, and audit important user behaviour and important security events;

1. Check whether the audit function is enabled

service rsyslog status (or systemctl status rsyslog; the system log daemon)

//Active: active (running) in the output means it is running

service auditd status (or systemctl status auditd; the Linux audit daemon)

//Active: active (running) in the output means it is running

ps -ef | grep auditd (audit daemon process)

//An auditd process in the output means the daemon is running (kauditd is the kernel thread, not the daemon)

auditctl -s (check whether the audit subsystem is enabled)

//enabled 1 in the output means on, enabled 0 means off (enabled 2 means on and locked, so rules cannot be changed until reboot)

2. more /etc/rsyslog.conf

rsyslog.conf should contain rules similar to:

*.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages

3. auditctl -s shows the audit status; auditctl -l lists the loaded audit rules (persistent rules are kept in /etc/audit/rules.d/ or /etc/audit/audit.rules). "No rules" means only default login and authentication events are recorded, so there should be watches on at least /etc/passwd, /etc/shadow, /etc/sudoers and privileged commands.

Result record:

1) Describe whether the security audit function is started

2) Describe whether the audit rules are enabled, and extract the rules

b) Audit records should include the date and time of the event, the user, the event type, whether the event succeeded, and other audit-related information;

Check that the audit records include the date and time of the event, the user, the event type, whether it succeeded, and other audit-relevant information.

tail /var/log/audit/audit.log

//Audit records should include the date and time, type, subject ID, object ID and result of the event

type (record type, e.g. SYSCALL, USER_LOGIN), msg=audit(epoch-seconds:serial) (timestamp and event ID, shared by all records of one event), syscall (system call number), success (whether the syscall succeeded), auid (login UID of the user who opened the session; it survives su and sudo, so it identifies the real operator even when uid=0), uid/euid (current user), exe (path of the executing program), key (name of the audit rule that matched)

Result record:

1) Describe the log content

2) Excerpt log

c) Audit records should be protected and backed up regularly, to avoid unexpected deletion, modification or overwriting;

1. Check the access permissions of the log files named in /etc/rsyslog.conf and /etc/audit/auditd.conf, for example:

ls -l /var/log/messages; ls -l /var/log/secure; ls -l /var/log/audit/audit.log

The recommended mode is 640 (-rw-r-----) or stricter; audit.log is created 0600 and owned by root by default (see log_group in auditd.conf). Also check max_log_file_action and num_logs in auditd.conf: with the default rotate action old audit logs are eventually overwritten, so keep_logs or off-host forwarding is needed to meet the retention requirement.

2. Interview: ask how the audit logs are protected.

Log files must be owned by root or a dedicated audit account, deletion, modification and overwriting of them must themselves be recorded, and logs should be retained for at least six months (the retention period required by the Cybersecurity Law);

Measures such as forwarding to a central log server, a third-party behaviour audit system, or a bastion host that records operation logs should be deployed, so that a local root cannot silently delete the only copy, with retention of at least six months.
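The record fields in item b) and the permission check in item c) can be exercised offline. The following is an added example, not code from the original post: it parses key=value fields and the event ID out of audit.log records, reads the enabled flag from auditctl -s output, and tests an ls -l mode string against the 640 recommendation. All input is constructed (the records follow the audit.log layout but every value is invented); on a real host use tail /var/log/audit/audit.log, auditctl -s and ls -l /var/log/audit/audit.log, and ausearch -i or aureport to decode timestamps and numeric IDs into readable form.

```shell
#!/bin/sh
# Added example (not from the original post): audit-record parsing and
# log-permission checks on constructed input. Real targets:
# /var/log/audit/audit.log, `auditctl -s`, `ls -l /var/log/audit/audit.log`.

# Print the value of the key=value field named $2 from an audit record,
# with surrounding double or single quotes removed.
audit_field() {   # $1 = record line, $2 = key
    printf '%s\n' "$1" | awk -v key="$2" -v q="'" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2); gsub(/"/, "", v); gsub(q, "", v)
                print v; exit
            }
    }'
}

# Print "epoch.millis:serial" from msg=audit(epoch.millis:serial): the
# timestamp and event ID shared by all records of one event.
audit_event_id() {   # $1 = record line
    printf '%s\n' "$1" | sed 's/.*msg=audit(\([^)]*\)).*/\1/'
}

# One-line who/what/when/result summary of a SYSCALL record.
audit_summary() {   # $1 = record line
    printf 'event=%s type=%s syscall=%s success=%s auid=%s uid=%s exe=%s key=%s\n' \
        "$(audit_event_id "$1")" "$(audit_field "$1" type)" \
        "$(audit_field "$1" syscall)" "$(audit_field "$1" success)" \
        "$(audit_field "$1" auid)" "$(audit_field "$1" uid)" \
        "$(audit_field "$1" exe)" "$(audit_field "$1" key)"
}

# Print the "enabled" value from `auditctl -s` output on stdin
# (1 = on, 0 = off, 2 = on and locked until reboot).
audit_enabled_flag() {
    awk '$1 == "enabled" { print $2 }'
}

# Succeed if an `ls -l` mode string (e.g. -rw-r-----) is no more open than
# 640: no group write bit and no permissions at all for others.
mode_ok_640() {   # $1 = 10-character mode string
    printf '%s' "$1" | awk '{ exit !(substr($0, 6, 1) == "-" && substr($0, 8, 3) == "---") }'
}

# Constructed sample records (layout as in audit.log, all values invented).
REC_SYSCALL='type=SYSCALL msg=audit(1697040000.123:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2c1b items=1 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="shadow-access"'
REC_LOGIN='type=USER_LOGIN msg=audit(1697040100.456:4570): pid=1300 uid=0 auid=4294967295 ses=4294967295 msg='"'"'op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'"'"''
AUDITCTL_OUT='enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'

audit_summary "$REC_SYSCALL"
echo "login result: $(audit_field "$REC_LOGIN" res) for $(audit_field "$REC_LOGIN" acct) from $(audit_field "$REC_LOGIN" addr)"
echo "audit enabled flag: $(printf '%s\n' "$AUDITCTL_OUT" | audit_enabled_flag)"
for m in -rw-r----- -rw-r--r-- -rw-rw----; do
    mode_ok_640 "$m" && echo "$m ok" || echo "$m too open"
done
```

The SYSCALL sample shows why auid matters: uid=0 says the process ran as root, but auid=1000 names the login session that obtained root, which is the "user" the requirement asks for.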

Result record:

1) Describe the protection measures for audit records

2) Describe the backup situation and storage time of audit records

3) Describe whether the audit records are only managed by administrators.

d) The audit process should be protected from unauthorised interruption.

Test whether the audit process is protected by trying to interrupt it from an account other than the audit administrator:

(switch to an ordinary user and run service auditd stop to try to stop the daemon)

//As an ordinary user, stopping the audit process should fail

//If a third-party audit tool is deployed that forwards the audit log in real time to a remote system, even the local administrator cannot delete those records

Notes:

1) Additional audit-process protection software can be installed to ensure the audit process is not interrupted unexpectedly. On systemd hosts auditd.service is declared RefuseManualStop=yes, so systemctl stop auditd is refused and only service auditd stop as root works; auditctl -e 2 locks the audit configuration until reboot so that even root cannot disable or re-rule it.

2) Run ps axj: a TPGID value of -1 means the process has no controlling terminal, i.e. it runs as a daemon.

Result record:

1. Describe whether a running audit process can be interrupted.

Intrusion prevention

a) The principle of minimal installation should be followed, and only the required components and applications installed;

1. yum list installed (or rpm -qa; dpkg -l on Debian/Ubuntu)

//Ask the administrator whether the installed packages include redundant or unused services

Check that non-essential components and applications are not installed (compilers, X11, development tools and network daemons that the server's role does not need are the usual findings)

cat /etc/redhat-release

//Check the system version (cat /etc/os-release works on all current distributions)

rpm -q redhat-release (centos-release on CentOS)

2. Enter service --status-all (or systemctl list-unit-files --type=service --state=enabled) to view the running and enabled services;

3. Cross-check with the host vulnerability scan results.

Result record:

1) Describe the current system version number

2) Describe whether redundant applications and components are installed

3) Describe whether the vulnerability scan found risks caused by outdated versions

b) Unnecessary system services, default shares and high-risk ports should be closed;

1. Check whether unnecessary system services and default shares are closed;

systemctl list-units --type=service --all (chkconfig --list on SysV hosts)

// Ask the administrator whether there are redundant services

(Close the shell, login, echo, talk, ntalk and sendmail services, i.e. the rsh/rlogin r-services, the inetd test and chat services, and a mail daemon the host does not need.)

2. Port scan (nmap from the evaluation host, plus ss -tlnp / netstat -tlnp locally) to enumerate the ports the operating system has open, and check that no unnecessary high-risk ports are exposed.

No unnecessary high-risk ports should be open (445 and 139 for SMB/NetBIOS session, 138 for NetBIOS datagram, 21 FTP, 23 Telnet, 111 rpcbind, 512-514 rexec/rlogin/rsh, etc.). A port bound only to 127.0.0.1 is not reachable from the network, but its service should still be justified.
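Step 2 above is usually done by eye over ss output; here is an added example, not code from the original post, that does it deterministically. It parses ss -tln (or ss -tlnp, and netstat -tln lines too, since the local address is field 4 in both layouts), drops loopback-only bindings, and flags ports on a high-risk list. The list and the sample ss output are constructed for the example; on a real host pipe ss -tln into the functions and tune RISKY_PORTS to the host's role.

```shell
#!/bin/sh
# Added example (not from the original post): exposed-port check over `ss`
# or `netstat` listening-socket output, on a constructed sample.

# Ports treated as high-risk here (assumption for the example; tune per host):
# 21 ftp, 23 telnet, 111 rpcbind, 139/445 NetBIOS session/SMB, 512-514 rexec/rlogin/rsh
RISKY_PORTS="21 23 111 139 445 512 513 514"

# stdin: `ss -tln`/`ss -tlnp` or `netstat -tln` output
# stdout: "<bind address> <port>" per LISTEN socket.
listening_ports() {
    awk '($1 == "LISTEN" || $6 == "LISTEN") {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            print addr, port
         }'
}

# stdin: same output; stdout: unique ports not bound only to loopback.
exposed_ports() {
    listening_ports | awk '$1 != "127.0.0.1" && $1 != "[::1]" && $1 != "::1" { print $2 }' | sort -n | uniq
}

# $1 = file with ss/netstat output; stdout: exposed ports on the risky list.
risky_exposed_ports() {
    exposed_ports < "$1" | awk -v risky="$RISKY_PORTS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) set[r[i]] = 1 }
        ($1 in set)'
}

# Constructed sample in the `ss -tln` layout (not captured from a real host).
D=$(mktemp -d)
cat > "$D/ss.txt" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:25         0.0.0.0:*
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*
LISTEN  0       100     0.0.0.0:23           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
EOF

echo "exposed ports: $(exposed_ports < "$D/ss.txt" | tr '\n' ' ')"
echo "high-risk exposed ports: $(risky_exposed_ports "$D/ss.txt" | tr '\n' ' ')"
```

In the sample, port 25 is dropped because it is bound to loopback, 22 appears once although it is bound on both IPv4 and IPv6, and 23 and 445 are the findings to record.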

Result record:

1) Describe whether unnecessary system services (and their ports) and default shares are closed;

2) Describe whether unnecessary high-risk ports exist (according to the vulnerability scan results)

c) Management terminals that manage the host over the network should be restricted by terminal access method or by network address range;

1. Check /etc/securetty (and /etc/ssh/sshd_config if SSH is used for login);

/etc/securetty should list as few console devices (tty entries) as possible, and sshd_config should contain PermitRootLogin no; AllowUsers / AllowGroups or a Match Address block in sshd_config can additionally restrict which users and source addresses may log in over SSH;

2. Check whether the permitted source IPs are configured in cat /etc/hosts.allow and cat /etc/hosts.deny, or confirm by interview and inspection that the restriction is implemented on network devices or a hardware firewall;

Both files should be non-empty and restrict the addresses that may connect (e.g. sshd: 192.168.1.0/255.255.255.0 in hosts.allow together with ALL: ALL in hosts.deny). Note that TCP wrappers support was removed from OpenSSH and the tcp_wrappers package is absent from RHEL 8 and later, so on newer hosts these files have no effect and the firewall and sshd_config must carry the restriction. Network devices and firewalls should also have access control policies configured;

3) service iptables status (or iptables -L -n; firewall-cmd --list-all on firewalld hosts, nft list ruleset on nftables hosts)

Shows the corresponding policy, e.g.: ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:22 . A rule such as ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 accepts from any source address, so it does not restrict the management address range.

Result record:

  1. Describe the restrictions on the terminals that can connect to the server

d) Data validity checking should be provided to ensure that content entered through the human-machine interface or a communication interface meets the system's requirements; (not applicable) ×

This item does not apply to the Linux operating system itself; it is evaluated at the application layer.

e) It should be possible to discover known vulnerabilities and, after sufficient testing and evaluation, patch them in a timely manner; (interview)

1) Check whether vulnerability scanning is carried out regularly to detect known vulnerabilities;

The operations and maintenance team conducts vulnerability scans regularly;

2) Check by vulnerability scanning and penetration testing whether high-risk vulnerabilities exist;

Verify through vulnerability scanning and penetration testing that no high-risk vulnerabilities exist;

3) Check whether vulnerabilities are patched promptly after adequate testing and evaluation (on RHEL-family hosts yum updateinfo list security or yum check-update lists pending security updates);

The operations and maintenance team repairs vulnerabilities promptly after sufficient testing and evaluation.

Result record:

1. Describe whether the vulnerability scan found high-risk vulnerabilities

f) Intrusion behaviour against important nodes should be detected, and an alarm raised when a serious intrusion event occurs. (interview)

1) Interview and check whether there are intrusion detection measures;

Intrusion detection measures;

2) It should be checked whether an alarm is provided in the event of a serious intrusion;

Can provide alarm (SMS, email, sound and light, etc.) in case of serious intrusion events

Result record:

1) Describe intrusion detection measures

2) Describe whether an alarm can be provided

Malicious code prevention

a) Technical measures against malicious code attacks, or an active-immunity trusted verification mechanism, should be adopted to identify intrusion and virus behaviour in time and block it effectively. (interview)

1) Check whether anti-malware software (or software providing the equivalent function) is installed, and whether its signature database is upgraded and updated regularly;

Anti-malware software or an equivalent is installed, and its signature database is upgraded and updated regularly;

Ask the administrator whether such software is installed and whether the signature database is updated regularly;

Check whether an IDS/IPS is deployed and whether products such as Huorong (火绒), 360 or Kaspersky are installed; most endpoint protection products on the market have no Linux version, and Kaspersky provides only part of its protection features on Linux.

Few anti-virus products exist for Linux, and in practice almost no Linux hosts with anti-virus software installed are encountered during evaluation. Because of the comparatively strong security of the Linux platform itself, failing this item is not judged a high-risk problem: it is recorded as non-compliant by default and then offset by compensating measures (such as the IDS/IPS above) to reduce the risk.

2) Check whether active-immunity trusted verification technology is used to identify intrusion and virus behaviour in time;

Active-immunity trusted verification technology is used to identify intrusion and virus behaviour in time;

3) Check whether identified intrusion and virus behaviour is blocked effectively.

Identified intrusion and virus behaviour is blocked effectively.

Result record:

1) Describe the installed host malicious code prevention software brand and version

2) Describe whether to update the signature database regularly

3) Describe whether the virus behavior can be identified and blocked

Trusted verification

a) Based on a root of trust, the computing device's boot program, system programs, important configuration parameters and applications should be verified for trustworthiness, with dynamic trusted verification at key execution points of the application; an alarm should be raised when trustworthiness is found to be compromised, and the verification results sent to the security management centre as audit records. (interview)

In general the relevant hardware is absent and this item is usually not met.

Ask the coordinators whether a hardware root-of-trust chip (a TPM, or the Chinese TCM) is used. On a Linux host, UEFI Secure Boot together with TPM-backed measurement (and IMA for file measurement) is the usual technical basis for this item.

1. Check whether the boot loader, system programs, important configuration parameters and applications of the computing device are verified based on the root of trust:

Trusted verification of the boot loader, system programs, important configuration parameters and applications based on the root of trust;

2. Check whether dynamic trusted verification is performed at the key execution points of the application;

Dynamic trusted verification at the key execution points of the application;

3. Test whether an alarm is issued when the trustworthiness of the computing device is detected to be compromised;

An alarm is issued when trustworthiness is found to be compromised;

4. Test whether the verification results are sent to the security management centre as audit records;

The verification results are sent to the security management centre as audit records;

5. Check whether dynamic association perception is possible.

Capable of dynamic association perception.

Result record:

1. Describe whether a root-of-trust chip is used in the server

Data integrity

a) Checksum or cryptographic techniques should be used to ensure the integrity of important data in transmission, including but not limited to authentication data, important business data, important audit data, important configuration data, important video data and important personal information;

Check whether HTTPS, TLS/SSL, SSH or similar is used.

1) Check the system design documents to see whether checksum or cryptographic techniques are used to protect the integrity of authentication data, important business data, important audit data, important configuration data, important video data and important personal information in transmission;

These data are transmitted with checksum or cryptographic techniques that ensure integrity (for a Linux host this means SSH/SCP/SFTP for management, TLS for application traffic, and syslog forwarding over TLS rather than plain UDP 514);

2) Test by tampering with these data in transit, and verify whether the integrity violation is detected and the data recovered in time.

Tampering with these data in transit is detected, and the data can be restored in time.

Result record:

1) Describe the remote transmission method

2) Describe whether data integrity in transmission can be guaranteed.

b) Checksum or cryptographic techniques should be used to ensure the integrity of important data in storage, including but not limited to authentication data, important business data, important audit data, important configuration data, important video data and important personal information. (interview)

1) Check the design documents to see whether checksum or cryptographic techniques are used to protect the integrity of these data in storage;

Checksum or cryptographic techniques are adopted to ensure the integrity of these data in storage;

2) Check whether technical measures (such as a data security protection system) are adopted to ensure the integrity of these data in storage (on the host itself, rpm -Va or a file-integrity tool such as AIDE detects modified packaged files and configuration);

Technical measures (such as a data security protection system) are adopted to ensure the integrity of these data in storage;

3) Test by tampering with these data in storage, and verify whether the integrity violation is detected and the data restored in time.

Tampering with these data in storage is detected, and the data can be restored in time.

Result record:

1 ) Describe the way to store data locally

2 ) Describe whether the integrity of data storage can be guaranteed.

Data confidentiality

a) Encryption should be used to ensure the confidentiality of important data in transmission, including but not limited to authentication data, important business data and important personal information; (interview)

Check whether remote management of the system is encrypted.

Check whether remote management is carried out over SSH, VPN or similar (not Telnet, FTP or plain HTTP).

b) Encryption should be used to ensure the confidentiality of important data in storage, including but not limited to authentication data, important business data and important personal information.

Linux stores its own authentication data as salted password hashes (not plaintext) in /etc/shadow, readable only by root, so for the operating system's authentication data this item is √ by default; the hash method should be sha512 (ENCRYPT_METHOD in /etc/login.defs), not md5 or des.

Data backup and recovery

a) Local backup and recovery functions should be provided for important data; (interview)

1) Check whether local backups are performed in accordance with the backup policy;

Local backups are performed according to the backup policy;

2) Check whether the backup policy is reasonable and configured correctly;

The backup policy is reasonable and configured correctly;

3) Check whether the backup results are consistent with the backup policy;

The backup results are consistent with the backup policy;

4) Check recent recovery test records to confirm that data can be restored normally.

Recent recovery test records show that data is restored normally.

Result record:

1) Describe the backup strategy

2) Describe the backup method and whether the corresponding backup files can be provided

3) Whether backup recovery records can be provided

b) Off-site real-time backup should be provided, with important data backed up to the backup site in real time over the communication network; (interview)

Check whether an off-site real-time backup function is provided and whether important configuration data and important business data are backed up to the backup site in real time over the network;

An off-site real-time backup function should be provided;

Result record:

1 ) Describe the remote backup method

c) Hot redundancy of important data processing systems should be provided to ensure high availability of the system.

Check whether important data processing systems (border routers, border firewalls, core switches, application servers, database servers, etc.) are deployed with hot redundancy

Important data processing systems (border routers, border firewalls, core switches, application servers, database servers, etc.) are deployed with hot redundancy

Judge according to the actual situation whether hot redundancy is needed; where the system's availability requirement does not call for it, some evaluators treat this item as not applicable.

Redundant deployment is recommended to ensure high availability of the system.

Result record:

1. Describe whether the deployment is hot-redundant

Protection of residual information

a) It should be ensured that the storage space holding authentication information is completely cleared before it is released or reallocated;

By default √ (the kernel zero-fills memory pages before giving them to another process, and the filesystem does not expose the previous contents of freed blocks through new files; physical media still need wiping before disposal)

Result record:

1) Describe whether the storage space holding authentication information can be completely cleared

b) It should be ensured that storage space containing sensitive data is completely cleared before it is released or reallocated.

By default √

Result record:

1. Describe whether storage space containing sensitive data can be completely cleared

Personal information protection

a) Only the user personal information necessary for the business should be collected and stored;

Linux itself does not collect or store user personal information: not applicable ×

b) Unauthorised access to and illegal use of user personal information should be prohibited.

Linux itself does not collect or store user personal information: not applicable ×


Origin blog.csdn.net/m0_52527037/article/details/129944520