1、Centos安全加固 – 午后红茶

本文最后更新于 420 天前，其中的信息可能已经过时，如有错误请发送邮件到 wuxianglongblog@163.com

0x01 Kickstart 自动化安装

通过 kickstart 脚本安装操作系统，最小化安装，预分区并设置严格的挂载权限。

 #version=RHEL7
install
# System authorization information
auth --enableshadow --passalgo=sha512
# Use CDROM installation media
cdrom
# Accept EULA
eula --agreed
services --enabled=NetworkManager,sshd
reboot
# Run the Setup Agent on first boot
#firstboot --enable
ignoredisk --only-use=sda
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# System language
lang en_US.UTF-8
# SELinux
selinux --enforcing
# Network information
network  --bootproto=dhcp --device=eno16777736 --onboot=on --ipv6=off
network  --hostname=default-vm
# Root password
rootpw --iscrypted HASHGOESHERE
# System timezone
timezone Europe/London --isUtc --ntpservers=prime.transformers
# System bootloader configuration
bootloader --location=mbr --boot-drive=sda
# Partition clearing information
clearpart --all --drives=sda
ignoredisk --only-use=sda
# LVM
# Disk partitioning information
part pv.18 --fstype="lvmpv" --ondisk=sda --size=8004
part pv.11 --fstype="lvmpv" --ondisk=sda --size=8004
part /boot --fstype="ext4" --ondisk=sda --size=1000
volgroup lg_data --pesize=4096 pv.18
volgroup lg_os --pesize=4096 pv.11
logvol /  --fstype="xfs" --size=4000 --name=lv_root --vgname=lg_os
logvol /home  --fstype="xfs" --size=2000 --name=lv_home --vgname=lg_data
logvol /tmp  --fstype="xfs" --size=1000 --name=lv_tmp --vgname=lg_os
logvol /var  --fstype="xfs" --size=2000 --name=lv_var --vgname=lg_os
logvol /var/tmp  --fstype="xfs" --size=1000 --name=lv_var_tmp --vgname=lg_os
logvol /var/www  --fstype="xfs" --size=5000 --name=lv_var_www --vgname=lg_data
logvol /var/log  --fstype="xfs" --size=1500 --name=lv_var_log --vgname=lg_os
logvol /var/log/audit  --fstype="xfs" --size=500 --name=lv_var_log_audit --vgname=lg_os
logvol swap  --fstype="swap" --size=1000 --name=lv_swap --vgname=lg_data
%packages
@core
 %end
%post
%end

0x02 安全地挂载分区

如果网站是动态网站，那么网站所在的盘不可以使用 noexec 挂载选项。像 /tmp 和 /var/tmp 应该使用 noexec 挂载选项，因为黑客通常在这两个目录里面上传并执行提权程序。

一个安全地 /etc/fstab 文件配置举例：

 #
# /etc/fstab
# Created by anaconda on Sat Oct 11 14:28:47 2014
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/lg_os-lv_root /                       xfs     defaults        1 1
UUID=d73c5d22-75ed-416e-aad2-8c1bb1dfc713 /boot                   ext4    defaults,nosuid,noexec,nodev        1 2
/dev/mapper/lg_data-lv_home /home                   xfs     defaults        1 2
/dev/mapper/lg_os-lv_tmp /tmp                    xfs     defaults,nosuid,noexec,nodev        1 2
/dev/mapper/lg_os-lv_var /var                    xfs     defaults,nosuid        1 2
/dev/mapper/lg_os-lv_var_tmp /var/tmp                xfs     defaults,nosuid,noexec,nodev        1 2
/dev/mapper/lg_os-lv_var_tmp /var/log                xfs     defaults,nosuid,noexec,nodev        1 2
/dev/mapper/lg_os-lv_var_tmp /var/log/audit                xfs     defaults,nosuid,noexec,nodev        1 2
/dev/mapper/lg_data-lv_var_www /var/www                xfs     defaults,nosuid,noexec,nodev        1 2
/dev/mapper/lg_data-lv_swap swap                    swap    defaults        0 0

0x03 安装 NTP 服务

在进行一些合规性审计的时候 NTP 是必要的，同步时间有利于审计日志。

 yum install ntp ntpdate
chkconfig ntpd on
ntpdate pool.ntp.org
/etc/init.d/ntpd start

0x04 配置完整性检查工具 AIDE

Pre-linking binaries 功能缩短了运行时间，然而这种方式会导致 AIDE 出现故障，所以配置 AIDE 之前需要禁止此项。打开 /etc/sysconfig/prelink 确保 PRELINKING=no ，或者直接使用下面的脚本：

 # Disable prelinking altogether
#
if grep -q ^PRELINKING /etc/sysconfig/prelink
then
  sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
else
  echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
  echo "PRELINKING=no" >> /etc/sysconfig/prelink
fi
Disable previous prelink changes to binaries:
Disable previous prelink changes to binaries
root:~# /usr/sbin/prelink -ua

安装 AIDE

 yum install aide -y && /usr/sbin/aide --init && cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz && /usr/sbin/aide --check
Configure periodic execution of AIDE, runs every morning at 04:30
echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab

0x05 阻止用户挂载 USB

 echo "install usb-storage /bin/false" > /etc/modprobe.d/usb-storage.conf

0x06 启用高强度的密码策略

下面这条命令将启用 SHA512 替代 MD5

 authconfig --passalgo=sha512 —update

0x07 配置密码策略 pwquality.conf

 vi /etc/security/pwquality.conf
# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
difok = 5
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
minlen = 14
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
dcredit = 1
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
ucredit = 1
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
lcredit = 1
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
ocredit = 1
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
minclass = 4
#
# The maximum number of allowed consecutive same characters in the new password.
# The check is disabled if the value is 0.
maxrepeat = 3
#
# The maximum number of allowed consecutive characters of the same class in the
# new password.
# The check is disabled if the value is 0.
maxclassrepeat = 3
#
# Whether to check for the words from the passwd entry GECOS string of the user.
# The check is enabled if the value is not 0.
gecoscheck = 1
#
# Path to the cracklib dictionaries. Default is to use the cracklib default.
# dictpath =

设置密码策略

 Add the following to /etc/login.defs
PASS_MIN_LEN 14
PASS_MIN_DAYS 1
PASS_MAX_DAYS 60

0x08 设置提示上次登录信息

 vim /etc/pam.d/system-auth 
session required pam_lastlog.so showfailed

0x09 设置每个会话最大密码尝试次数

Set the amount of password reprompts per session, by editing the pam_pwquality.so statement in

 vim  /etc/pam.d/system-auth 
auth pam_pwquality.so  retry=3

0x0a 阻止错误密码尝试

编辑 /etc/pam.d/system-auth 和 /etc/pam.d/password-auth 两个 PAM 配置文件

 auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

0x0b 限制密码重用

使用 PAM 模块配置，在 /etc/pam.d/system-auth 这个 PAM 配置文件里面，在 pam_unix.so 所在的行添加 remember=24 。这样服务器就会记录历史上的前 24 个旧密码，为啥为 24？因为这是美国国防部的标准。

 password sufficient pam_unix.so existing_options remember``=``24

0x0c 设置 /boot/grub2/grub.cfg 权限

Set grub.conf to chmod 600:

设置 /boot/grub2/grub.cfg 的权限为 600

 sudo chmod  /boot/grub2/grub.cfg 600

0x0d 设置 BootLoader 密码

Grub2 BootLoader 需要配置一个 superuser 并设置密码。创建一个 superuser 并放到 /etc/grub.d 里面，由于明文密码不安全，要使用 grub2-mkpasswd-pbkdf2 生成一个 hash 过得密码存储。

 password_pbkdf2

0x0e grub2 superuser 名字不应该是管理员的名字

grub2 superuser 账号要避免使用常用的管理员用户名比如 admin，root，administrator，要满足 FISMA Moderate 等级要求，BootLoader superuser 的密码必须和 root 用户不一样。

 grub2-mkconfig -o /boot/grub2/grub.cfg

不应该手工像 grub.cfg 里面添加超级用户

因为执行 grub2-mkconfig 会覆盖掉这个文件

0x0f 为单用户模式设置认证

 vim /etc/sysconfig/init  
SINGLE=/sbin/sulogin

0x10 禁止 Ctrl+Alt+Del 快捷键重启

 vim /etc/init/control-alt-delete.conf and modify the existing line:
exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
To:
exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"

0x11 启用 Screen

Screen 是一个可以在多个进程之间多路复用一个物理终端的窗口管理器。

 sudo yum install screen

0x12 禁用 Zeroconf Networking

当系统无法连接 DHCP server 的时候，就会尝试通过 ZEROCONF 来获取 IP。然后网卡将会被设置为 169.254.0.0 段的地址，可以禁止这项功能。

 echo "NOZEROCONF=yes" >> /etc/sysconfig/network

0x13 禁止 IPv6 自动启用

 vim /etc/modprobe.d/disabled.conf 
options ipv6 disable=1

0x14 禁止网卡使用 IPv6

 vim /etc/sysconfig/network
NETWORKING_IPV6=no
IPV6INIT=no

0x15 禁止对 RPC IPv6 的支持

像 NFSv4 这样的 RPC 服务会尝试使用 IPv6 ，为了防止这种行为打开 /etc/netconfig 将下面两行注释掉

 udp6       tpi_clts      v     inet6    udp     -       -
tcp6       tpi_cots_ord  v     inet6    tcp     -       -

0x16 配置安全地 root 登录

设置 root 只能从本地终端登录

 echo "tty1" > /etc/securetty
chmod 700 /root

0x17 设置默认 UMASK 值

 perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/bashrc
perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/csh.cshrc

0x18 删除 Idle 用户

 echo "Idle users will be removed after 15 minutes"
echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh
echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
chmod +x /etc/profile.d/os-security.sh

0x19 加固 Cron

 echo "Locking down Cron"
touch /etc/cron.allow
chmod 600 /etc/cron.allow
awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/cron.deny
echo "Locking down AT"
touch /etc/at.allow
chmod 600 /etc/at.allow
awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/at.deny

0x1a 加固 Linux 内核

 vim /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0

0x1b 禁止所有 TCP Wrappers

TCP wrappers 允许提供一种快捷方便的方法访问应用程序，比如

 echo "ALL:ALL" >> /etc/hosts.deny
echo "sshd:ALL" >> /etc/hosts.allow

0x1c 基本的 iptables 防火墙规则

默认禁止全部入站，允许全部出站。

 #Drop anything we aren't explicitly allowing. All outbound traffic is okay
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Accept Pings
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Log anything on eth0 claiming it's from a local or non-routable network
# If you're using one of these local networks, remove it from the list below
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: "
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
-A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: "
-A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: "
-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "
# Accept any established connections
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept ssh traffic. Restrict this to known ips if possible.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#Log and drop everything else
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT

0x1c 启用 iptables

 sudo systemctl enable iptables
systemctl start iptables.service

0x1d 禁用异常协议

可以禁用如下协议：

Datagram Congestion Control Protocol (DCCP)
Stream Control Transmission Protocol (SCTP)
Reliable Datagram Sockets (RDS)
Transparent Inter-Process Communication (TIPC)

 echo "install dccp /bin/false" > /etc/modprobe.d/dccp.conf
echo "install sctp /bin/false" > /etc/modprobe.d/sctp.conf
echo "install rds /bin/false" > /etc/modprobe.d/rds.conf
echo "install tipc /bin/false" > /etc/modprobe.d/tipc.conf

0x1e 安装并启用 rsyslog

 yum -y install rsyslog
systemctl enable rsyslog.service
systemctl start rsyslog.service

0x1f 配置 Audit

开启 Auditd 审计服务

 systemctl enable auditd.service
systemctl start auditd.service

Audit Processes Which Start Prior to auditd

在 /etc/grub.conf 里面添加一行：

 kernel ``/``vmlinuz``-``version ro vga``=``ext root``=``/``dev``/``VolGroup00``/``LogVol00 rhgb quiet audit``=``1

Auditd Number of Logs Retained

打开 /etc/audit/auditd.conf 添加:

 num_logs = 5

Auditd 日志最大值

max_log_file = 30MB

Auditd max_log_file_action

 vim /etc/audit/auditd.conf  
max_log_file_action = rotate

Auditd space_left

Configure auditd to email you when space gets low, open /etc/audit/auditd.conf and modify the following:

 vim  /etc/audit/auditd.conf 
space_left_action = email

Auditd admin_space_left

Configure auditd to halt when auditd log space is used up, forcing the system admin to rectify the space issue.

On some systems where monitoring is less important another action could be leveraged.

 admin_space_left_action = halt

Auditd mail_acct

When space gets low auditd can send a email notification via email, to configure this and the following line to /etc/audit/auditd.conf:

 action_mail_acct = root

启用 auditd audispd 插件

Aduitd 并不能将 logs 直接发送到外部日志服务器，需要通过 audispd 这个插件先将日志发送给本地 syslog 服务器。启用这个插件：编辑 /etc/audisp/plugins.d/syslog.conf ，然后设置 active=yes。然后重启 audispd daemon：

 sudo service auditd restart

配置 Audit 策略

 vim /etc/audit/audit.rules 
# audit_time_rules - Record attempts to alter time through adjtime
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
# audit_time_rules - Record attempts to alter time through settimeofday
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
# audit_time_rules - Record Attempts to Alter Time Through stime
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime
-k audit_time_rules
# audit_time_rules - Record Attempts to Alter Time Through clock_settime
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
# Record Attempts to Alter the localtime File
-w /etc/localtime -p wa -k audit_time_rules
# Record Events that Modify User/Group Information
# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes
# Record Events that Modify the System's Network Environment
# audit_network_modifications
-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications
#Record Events that Modify the System's Mandatory Access Controls
-w /etc/selinux/ -p wa -k MAC-policy
#Record Events that Modify the System's Discretionary Access Controls - chmod
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod  -F auid>=500 -F auid!=4294967295 -k perm_mod
#Record Events that Modify the System's Discretionary Access Controls - chown
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
#Record Events that Modify the System's Discretionary Access Controls - fchmod
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
#Record Events that Modify the System's Discretionary Access Controls - fchmodat
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
#Record Events that Modify the System's Discretionary Access Controls - fchown
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
#Record Events that Modify the System's Discretionary Access Controls - fchownat
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
#Record Events that Modify the System's Discretionary Access Controls - fremovexattr
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
#Record Events that Modify the System's Discretionary Access Controls - fsetxattr
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
#Record Events that Modify the System's Discretionary Access Controls - lchown
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
#Record Events that Modify the System's Discretionary Access Controls - lremovexattr
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
#Record Events that Modify the System's Discretionary Access Controls - lsetxattr
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
#Record Events that Modify the System's Discretionary Access Controls - removexattr
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
#Record Events that Modify the System's Discretionary Access Controls - fchown
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
#Record Events that Modify the System's Discretionary Access Controls - fchownat
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
#Record Events that Modify the System's Discretionary Access Controls - fremovexattr
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
#Record Events that Modify the System's Discretionary Access Controls - fsetxattr
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
#Record Events that Modify the System's Discretionary Access Controls - removexattr
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
#Record Events that Modify the System's Discretionary Access Controls - setxattr
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
#Record Attempts to Alter Logon and Logout Events
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
#Record Attempts to Alter Process and Session Initiation Information
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
#Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
#Ensure auditd Collects Information on the Use of Privileged Commands
#
#  Find setuid / setgid programs then modify and uncomment the line below.
#
##  sudo find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null
#
# -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
#Ensure auditd Collects Information on Exporting to Media (successful)
-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
#Ensure auditd Collects File Deletion Events by User
-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
#Ensure auditd Collects System Administrator Actions
-w /etc/sudoers -p wa -k actions
#Ensure auditd Collects Information on Kernel Module Loading and Unloading
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
#Make the auditd Configuration Immutable
-e 2
##Removal of Unrequired Services

0x1f 删除禁用非必要的服务

删除非必要的服务

 # Remove
yum remove xinetd
yum remove telnet-server
yum remove rsh-server
yum remove telnet
yum remove rsh-server
yum remove rsh
yum remove ypbind
yum remove ypserv
yum remove tftp-server
yum remove cronie-anacron
yum remove bind
yum remove vsftpd
yum remove httpd
yum remove dovecot
yum remove squid
yum remove net-snmpd

禁止非必要的服务

 #Disable / Enable
systemctl disable xinetd
systemctl disable rexec
systemctl disable rsh
systemctl disable rlogin
systemctl disable ypbind
systemctl disable tftp
systemctl disable certmonger
systemctl disable cgconfig
systemctl disable cgred
systemctl disable cpuspeed
systemctl enable irqbalance
systemctl disable kdump
systemctl disable mdmonitor
systemctl disable messagebus
systemctl disable netconsole
systemctl disable ntpdate
systemctl disable oddjobd
systemctl disable portreserve
systemctl enable psacct
systemctl disable qpidd
systemctl disable quota_nld
systemctl disable rdisc
systemctl disable rhnsd
systemctl disable rhsmcertd
systemctl disable saslauthd
systemctl disable smartd
systemctl disable sysstat
systemctl enable crond
systemctl disable atd
systemctl disable nfslock
systemctl disable named
systemctl disable httpd
systemctl disable dovecot
systemctl disable squid
systemctl disable snmpd

禁用 Secure RPC Client 服务

Disable rpcgssd:

The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the client-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. The rpcgssd service can be disabled with the following command:

 systemctl disable rpcgssd

禁止 Secure RPC Server Service

 systemctl disable rpcsvcgssd

禁止 RPC ID Mapping Service

The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled. The rpcidmapd service can be disabled with the following command:

 systemctl disable rpcidmapd

禁止 Network File Systems (netfs)

The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself. The netfs service can be disabled with the following command:

 sudo systemctl disable netfs

禁止 Network File System (nfs)

 systemctl disable nfs

如果不需要 SSH，则删除之：

 systemctl disable sshd

删除 SSH iptables 防火墙规则

 -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

Tips™ - You probable need to leave SSH alone

 ###Remove Rsh Trust Files
rm /etc/hosts.equiv
rm ~/.rhosts

禁止 Avahi Server Software

 systemctl disable avahi-daemon

the CUPS Service

如果不需要 CUPS，禁止之，减少攻击面

 systemctl disable cups

禁止 DHCP 服务

 systemctl disable dhcpd

卸载 DHCP Server Package

如果不需要 DHCP 客户端，就删除之

 yum erase dhcp

禁止 DHCP ，使用静态 ip

Example:

 BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1

指定 NTP 服务器

 vim /etc/ntp.conf  
server ntpserver

当然最好使用内网的 NTP 服务器

启用 Postfix

 systemctl enable postfix

删除 Sendmail

 yum remove sendmail

设置 Postfix 仅本地监听

Open, /etc/postfix/main.cf and ensure the following inet_interfaces line appears:

 vim 
inet_interfaces = localhost

配置 SMTP banner

banner 会暴露当前的 SMTP 服务器是 Postfix.

禁止 xinetd Service

 sudo systemctl disable xinetd

System Audit Logs 权限设置

System audit logs 权限最高为 0640

 sudo chmod 0640 audit_file

System Audit Logs 所有者为 root

 sudo chown root/var/log

禁止 autofs

 chkconfig --level 0123456 autofs off
service autofs stop

0x21 禁止不常见的文件系统

 echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf
echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf
echo "install jffs2 /bin/false" > /etc/modprobe.d/jffs2.conf
echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf
echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf
echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf
echo "install udf /bin/false" > /etc/modprobe.d/udf.conf

0x22 禁止 core dumps

 vi /etc/security/limits.conf
* hard core 0

0x23 SUID 程序 core dumps

 Run sysctl -w fs.suid_dumpable=0 and fs.suid_dumpable = 0.
# Set runtime for fs.suid_dumpable
#
sysctl -q -n -w fs.suid_dumpable=0
#
# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0"
#     else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf
#
if grep --silent ^fs.suid_dumpable /etc/sysctl.conf ; then
     sed -i 's/^fs.suid_dumpable.*/fs.suid_dumpable = 0/g' /etc/sysctl.conf
else
     echo "" >> /etc/sysctl.conf
     echo "# Set fs.suid_dumpable to 0 per security requirements" >> /etc/sysctl.conf
     echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
fi

0x24 防止缓冲区溢出

启用 ExecShield

用于防御 stack smashing / BOF.

 sysctl -w kernel.exec-shield=1

在 /etc/sysctl.conf 里面添加

 kernel.exec-shield = 1

启用 ASLR

Set runtime for kernel.randomize_va_space

 sysctl -q -n -w kernel.randomize_va_space=2

在 /etc/sysctl.conf 里面添加一行：

 kernel.randomize_va_space = 2

Enable XD or NX Support on x86 Systems

Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature.

Check bios and ensure XD/NX is enabled, not relevant for VM’s.

0x25 配置 SELinux

确认 SELinux 开启

 sed -i "s/selinux=0//gI" /etc/grub.conf
sed -i "s/enforcing=0//gI" /etc/grub.conf

启用 SELinux

 vim  /etc/selinux/config  
SELINUXTYPE=targeted

SELINUXTYPE=targeted 或者设置为 SELINUXTYPE=enforcing，这取决于实际情况。

启用 SELinux res4torecond 服务

estorecond (系统) 利用 /etc/selinux/restorecond.conf 的设定来判断当新建文件时，该文件的 SELinux 类型应该如何还原。需要注意的是，如果你的系统有很多非正规的 SELinux 文件类型设定时，这个 daemon 最好关闭，否则他会将你设定的 type 修改回默认值。

启用 restorecond for all run levels:

 chkconfig --level 0123456 restorecond on

启动 restorecond：

 service restorecond start

确保没有未被 SELinux 限制的守护进程

 sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }’

0x26 防止空密码登录

 sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth

0x27\ 加固 SSH 服务

只允许 SSH Protocol 2

 vim /etc/ssh/sshd_config  
Protocol 2

限制特定用户 SSH 登录

 vim  /etc/ssh/sshd_config  
DenyUsers USER1 USER2

配置 Idle Log Out Timeout 间隔为 600 秒

 ClientAliveInterval ``600

Set SSH Client Alive Count

不要支持闲置会话

To ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax is set, edit /etc/ssh/sshd_config as follows:

 ClientAliveCountMax 0

禁止 SSH 支持.rhosts 文件

IgnoreRhosts 参数可以忽略以前登录过主机的记录

 vim /etc/ssh/sshd_config:
IgnoreRhosts yes

禁止基于主机的认证

SSH 的加密主机身份验证比.rhosts 身份验证更安全。但是即使在一个组织内也不建议主机互相信任。

 vim /etc/ssh/sshd_config:
HostbasedAuthentication no

禁止 SSH root 登录

 vim  /etc/ssh/sshd_config
PermitRootLogin no

禁止 SSH 空密码登录

 vim /etc/ssh/sshd_config:
PermitEmptyPasswords no

开启 SSH 警告标语

开启告警标语，提高安全意识。

 banner /etc/issue

禁止 SSH Environment 选项

当客户端从 ssh 登陆到服务端时，服务端禁止从本地的～/.ssh/environment 读取特定客户端的环境变量配置文件。

 PermitUserEnvironment no

仅使用被证明的加密算法

Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:

 ciphers aes128``-``ctr,aes192``-``ctr,aes256``-``ctr,aes128``-``cbc,``3des``-``cbc,aes192``-``cbc,aes256``-``cbc

0x29 加固 X 桌面（X windows）

禁止 X 桌面，减少攻击面

 yum groupremove "X Window System

0x2a 定时更新

 yum -y install yum-cron
chkconfig yum-cron on

另外设置 yum-cron 为 “check only”, 不推荐自动安装更新。