Security Services

Systems Audit

What is audit

  • Generates log records, based on pre-configured rules, for events that occur in the system
  • Audit does not add security to the system by itself, but it detects and records violations of the security policy and the behaviour that caused them

The audit log can record:

  • Date and time of an event, and the event result
  • User logout events
  • Any use of an authentication mechanism, such as ssh
  • Modifications to critical files and other data

Audit use cases:

  • Monitor file access
  • Monitor system calls
  • Record commands run by users
  • Monitor network access behaviour
  • ausearch: filter the audit log by search conditions
  • aureport: generate audit reports
yum -y install audit
systemctl start auditd
systemctl enable auditd
File                              Explanation
/var/log/audit/audit.log          Log file
/etc/audit/auditd.conf            Configuration file
/etc/audit/rules.d/audit.rules    Rules file
auditctl -h  # show help
auditctl -l  # list the current rules
auditctl -s  # show audit status
auditctl -D  # delete all rules

1) Defining temporary rules

Syntax of a file system rule:

auditctl -w path -p permission -k key_name
  • path: the file or directory to be audited
  • permission: any combination of r / w / x / a (a: change of a file or directory attribute)
  • key_name: optional; makes it easy to tell which rule generated a specific log entry

Example:

auditctl -w /etc/passwd -p wa -k passwd_change
auditctl -w /usr/sbin/fdisk -p x -k disk_part
auditctl -w /etc -p w -k etc_change

2) Defining permanent rules

vim /etc/audit/rules.d/audit.rules      # rules file
-w /etc/passwd -p wa -k passwd_change   # append to the end of the file
-w /usr/sbin/fdisk -p x -k disk_part
-w /etc -p w -k etc_change
Log query:
ausearch -k KEY_NAME
ausearch -k passwd_change
ausearch -k disk_part
ausearch -k etc_change
Interpreting the query result:
1. What command was executed: comm="fdisk" exe="/usr/sbin/fdisk"
2. Who executed it: uid=0
3. Did it succeed: success=yes
4. When was it executed: time->Sat Feb  8 22:20:37 2020
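The four fields above can also be pulled out of a raw audit.log with plain shell tools, which is useful when the log has been shipped off the host and ausearch is not available. This is an added example, not part of the original post; the log records are constructed to match the disk_part and passwd_change rules defined above, and the failed vim record shows how a denied write to /etc/passwd looks (success=no).

```shell
#!/bin/sh
# Constructed sample audit.log records (not captured from a real host), in the
# format auditd writes for the rules -w /usr/sbin/fdisk -p x -k disk_part and
# -w /etc/passwd -p wa -k passwd_change. Epoch 1581171637 is the post's
# "Sat Feb  8 22:20:37 2020" in UTC+8.
SAMPLE_LOG='type=SYSCALL msg=audit(1581171637.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c8a0 items=2 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="fdisk" exe="/usr/sbin/fdisk" key="disk_part"
type=EXECVE msg=audit(1581171637.123:456): argc=2 a0="fdisk" a1="-l"
type=SYSCALL msg=audit(1581171699.510:460): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=3001 pid=3002 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts1 ses=4 comm="vim" exe="/usr/bin/vim" key="passwd_change"'

# audit_field RECORD NAME: print the value of NAME=value (quotes stripped).
# The leading space in the pattern keeps "uid" from matching "auid"/"euid".
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# summarize_key LOG KEY: one line per SYSCALL record tagged with KEY, in the
# order the post reads them: epoch_seconds uid comm exe success
summarize_key() {
    printf '%s\n' "$1" | while IFS= read -r rec; do
        case "$rec" in
            type=SYSCALL*" key=\"$2\""*) ;;
            *) continue ;;
        esac
        # msg=audit(EPOCH.MILLIS:SERIAL): keep the whole seconds only
        ts=$(printf '%s\n' "$rec" | sed -n 's/.*msg=audit(\([0-9]*\)\.[0-9]*:[0-9]*).*/\1/p')
        printf '%s %s %s %s %s\n' "$ts" "$(audit_field "$rec" uid)" \
            "$(audit_field "$rec" comm)" "$(audit_field "$rec" exe)" \
            "$(audit_field "$rec" success)"
    done
}

# count_failures LOG: number of audited syscalls that were denied (success=no),
# e.g. an unprivileged user trying to write /etc/passwd.
count_failures() {
    printf '%s\n' "$1" | grep -c '^type=SYSCALL .* success=no '
}

summarize_key "$SAMPLE_LOG" disk_part        # 1581171637 0 fdisk /usr/sbin/fdisk yes
summarize_key "$SAMPLE_LOG" passwd_change    # 1581171699 1000 vim /usr/bin/vim no
echo "denied operations: $(count_failures "$SAMPLE_LOG")"
```

Note that auid (the login uid) stays 1000 in the fdisk record even though uid is 0: it identifies the user who logged in before becoming root, which is the field to pivot on when attributing an action.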

Web Services Security

1) nginx:

1. Remove unnecessary modules
./configure --without-http_autoindex_module    # do not install a module that is enabled by default
./configure --help                             # list the modules installed by default
/usr/local/nginx/sbin/nginx -V                 # show the options used at compile time
2. Modify version information
vim /nginx-1.12.2/src/http/ngx_http_header_filter_module.c
static u_char ngx_http_server_string[] = "Server: tomcat" CRLF;
static u_char ngx_http_server_full_string[] = "Server: tomcat" NGINX_VER CRLF;
static u_char ngx_http_server_build_string[] = "Server: tomcat" NGINX_VER_BUILD CRLF;
Recompile and install: ./configure && make && make install
vim /usr/local/nginx/conf/nginx.conf
server_tokens off;
curl -i IP      # test
3. Limit concurrent requests

The ngx_http_limit_req_module module (installed by default) can reduce the risk of a DDoS attack

vim /usr/local/nginx/conf/nginx.conf
http {
....
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    server {
        listen 80;
        server_name localhost;
        limit_req zone=one burst=5;
....
  • Syntax: limit_req_zone key zone=name:size rate=rate;
  • The client IP is stored in a shared memory zone named one; 1M of zone can hold the state of about 8,000 IPs, so 10M holds about 80,000 hosts
  • Only one request per second is accepted; excess requests go into the bucket (burst queue)
  • Once more than 5 requests are queued in the bucket, further requests get an error
4. Deny illegal requests
  • Common HTTP request methods
    HTTP defines a number of methods; in practice only GET and POST are usually required
Request method   Functional description
GET              Requests the specified page and returns the entity body
HEAD             Like GET, but the response carries no body; used to obtain the headers
POST             Submits data to the specified resource for processing (e.g. submitting a form or uploading a file)
DELETE           Asks the server to delete the specified page
PUT              Uploads content to a specific location on the server
vim /usr/local/nginx/conf/nginx.conf
server {
        if ($request_method !~ ^(GET|POST)$) {   # requests with any method other than GET or POST get error code 444
                return 444;
        }
....

/usr/local/nginx/sbin/nginx -s reload

Test:

curl -i -X GET 192.168.4.51     # normal access
curl -i -X HEAD 192.168.4.51    # access denied
5. Prevent buffer overflow
  • Prevents client requests from overflowing the buffers
  • Effectively reduces the risk of a DoS attack
vim /usr/local/nginx/conf/nginx.conf
http{
        client_body_buffer_size 1K;  
        client_header_buffer_size 1k;  
        client_max_body_size 16k;
        large_client_header_buffers 4 4k;
....
}

Database Security (mariadb)

yum -y install mariadb mariadb-server
systemctl start mariadb
mysqladmin -uroot -p password 123456   # set the password; press Enter at the prompt for the (empty) current password
mysql_secure_installation              # security hardening script; choose options as prompted
Enter the old password, then configure the new root password
Remove anonymous users? (remove anonymous accounts)
Disallow root login remotely? (forbid remote root login)
Remove test database? (delete the test database)
Reload privilege tables? (flush privileges)

Origin blog.csdn.net/weixin_45157506/article/details/104221929