A small community of people specialises in host-hardening baselines. Interested readers can find much more detailed and professional host security baseline documents at http://benchmarks.cisecurity.org/, or SCAP-format hardening templates at https://www.open-scap.org/security-policies/choosing-policy/.
CentOS 7 Host Hardening Handbook (Part 2)
0x01 Automated Linux installation with Kickstart
Install the operating system from a kickstart script: a minimal install, with the disk pre-partitioned and strict mount options set on each partition.
#version=RHEL7
install
# System authorization information
auth --enableshadow --passalgo=sha512
# Use CDROM installation media
cdrom
# Accept EULA
eula --agreed
services --enabled=NetworkManager,sshd
reboot
# Run the Setup Agent on first boot
#firstboot --enable
ignoredisk --only-use=sda
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# System language
lang en_US.UTF-8
# SELinux
selinux --enforcing
# Network information
network --bootproto=dhcp --device=eno16777736 --onboot=on --ipv6=off
network --hostname=default-vm
# Root password
rootpw --iscrypted HASHGOESHERE
# System timezone
timezone Europe/London --isUtc --ntpservers=prime.transformers
# System bootloader configuration
bootloader --location=mbr --boot-drive=sda
# Partition clearing information
clearpart --all --drives=sda
ignoredisk --only-use=sda
# LVM
# Disk partitioning information
# Note: the logical volumes carved from a PV must fit inside it (each PV is 8004 MB here);
# check the sizes below against your disk before using this file.
part pv.18 --fstype="lvmpv" --ondisk=sda --size=8004
part pv.11 --fstype="lvmpv" --ondisk=sda --size=8004
part /boot --fstype="ext4" --ondisk=sda --size=1000
volgroup lg_data --pesize=4096 pv.18
volgroup lg_os --pesize=4096 pv.11
logvol / --fstype="xfs" --size=4000 --name=lv_root --vgname=lg_os
logvol /home --fstype="xfs" --size=2000 --name=lv_home --vgname=lg_data
logvol /tmp --fstype="xfs" --size=1000 --name=lv_tmp --vgname=lg_os
logvol /var --fstype="xfs" --size=2000 --name=lv_var --vgname=lg_os
logvol /var/tmp --fstype="xfs" --size=1000 --name=lv_var_tmp --vgname=lg_os
logvol /var/www --fstype="xfs" --size=5000 --name=lv_var_www --vgname=lg_data
logvol /var/log --fstype="xfs" --size=1500 --name=lv_var_log --vgname=lg_os
logvol /var/log/audit --fstype="xfs" --size=500 --name=lv_var_log_audit --vgname=lg_os
logvol swap --fstype="swap" --size=1000 --name=lv_swap --vgname=lg_data
%packages
@core
%end
%post
%end
0x02 Mounting partitions securely
If the website is dynamic, the partition that holds the site must not be mounted with the noexec option. /tmp and /var/tmp, on the other hand, should be mounted noexec, because attackers commonly upload and execute privilege-escalation programs in those two directories.
An example of a secure /etc/fstab:
#
# /etc/fstab
# Created by anaconda on Sat Oct 11 14:28:47 2014
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/lg_os-lv_root / xfs defaults 1 1
UUID=d73c5d22-75ed-416e-aad2-8c1bb1dfc713 /boot ext4 defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_data-lv_home /home xfs defaults 1 2
/dev/mapper/lg_os-lv_tmp /tmp xfs defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_os-lv_var /var xfs defaults,nosuid 1 2
/dev/mapper/lg_os-lv_var_tmp /var/tmp xfs defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_os-lv_var_log /var/log xfs defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_os-lv_var_log_audit /var/log/audit xfs defaults,nosuid,noexec,nodev 1 2
# drop noexec here if the site is dynamic (see above)
/dev/mapper/lg_data-lv_var_www /var/www xfs defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_data-lv_swap swap swap defaults 0 0
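An added audit script, not part of the original post, that checks an fstab against the mount options used in the sample above; the REQUIRED table is an assumption drawn from that sample, so adjust it to local policy (for example, drop noexec on /var/www for a dynamic site):

```shell
#!/bin/sh
# Added example, not part of the original post: audit an fstab file for the
# mount options the sample /etc/fstab above applies. REQUIRED is assumed
# from that sample; adjust it to local policy.

# Required options per mount point ("mountpoint options", one per line).
REQUIRED='
/boot nosuid,noexec,nodev
/tmp nosuid,noexec,nodev
/var nosuid
/var/tmp nosuid,noexec,nodev
/var/log nosuid,noexec,nodev
/var/log/audit nosuid,noexec,nodev
/var/www nosuid,noexec,nodev
'

# has_opt OPTS OPT: succeeds if the comma-separated list OPTS contains OPT.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# audit_fstab FILE: prints one line per finding ("<mp> missing <opt>" or
# "<mp> not in fstab") and returns 1 if there is any finding, else 0.
audit_fstab() {
    echo "$REQUIRED" | while read -r mp want; do
        [ -n "$mp" ] || continue
        # fstab fields: device, mount point, type, options, ...; skip comments.
        opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4 }' "$1")
        if [ -z "$opts" ]; then
            echo "$mp not in fstab"
            continue
        fi
        for o in $(echo "$want" | tr ',' ' '); do
            has_opt "$opts" "$o" || echo "$mp missing $o"
        done
    done | grep . && return 1
    return 0
}

# Usage on a live host: audit_fstab /etc/fstab
```

Run it after editing /etc/fstab and again after reboot against the output of mount, since an fstab entry only proves what will be requested, not what is currently mounted.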
0x03 Install the NTP service
NTP is required for some compliance audits; synchronised clocks make audit logs usable and correlatable.
yum install ntp ntpdate
# one-off sync before starting the daemon
ntpdate pool.ntp.org
# CentOS 7 is systemd-based; use systemctl rather than chkconfig / /etc/init.d
systemctl enable ntpd
systemctl start ntpd
0x04 Configure the integrity checker AIDE
Prelinking binaries shortens start-up time, but it breaks AIDE, so it must be disabled before AIDE is configured. Open /etc/sysconfig/prelink and make sure it contains PRELINKING=no, or run the following script:
# Disable prelinking altogether
#
if grep -q ^PRELINKING /etc/sysconfig/prelink
then
    sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
else
    echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
    echo "PRELINKING=no" >> /etc/sysconfig/prelink
fi
Then undo the changes prelink has already made to binaries:
/usr/sbin/prelink -ua
Install AIDE and build the initial baseline database:
yum install aide -y && /usr/sbin/aide --init && cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz && /usr/sbin/aide --check
Configure periodic execution of AIDE, running every morning at 04:30:
echo "30 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
0x05 Prevent users from mounting USB storage
echo "install usb-storage /bin/false" > /etc/modprobe.d/usb-storage.conf
0x06 Enable a strong password hashing algorithm
The following command switches password hashing from MD5 to SHA-512:
authconfig --passalgo=sha512 --update
0x07 Configure the password policy in pwquality.conf
vi /etc/security/pwquality.conf
# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
difok = 5
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
minlen = 14
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
dcredit = 1
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
ucredit = 1
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
lcredit = 1
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
ocredit = 1
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
minclass = 4
#
# The maximum number of allowed consecutive same characters in the new password.
# The check is disabled if the value is 0.
maxrepeat = 3
#
# The maximum number of allowed consecutive characters of the same class in the
# new password.
# The check is disabled if the value is 0.
maxclassrepeat = 3
#
# Whether to check for the words from the passwd entry GECOS string of the user.
# The check is enabled if the value is not 0.
gecoscheck = 1
#
# Path to the cracklib dictionaries. Default is to use the cracklib default.
# dictpath =
Set the password ageing policy
Add the following to /etc/login.defs:
PASS_MIN_LEN 14
PASS_MIN_DAYS 1
PASS_MAX_DAYS 60
0x08 Show last-login information at login
vim /etc/pam.d/system-auth
session required pam_lastlog.so showfailed
0x09 Set the maximum number of password attempts per session
Set the number of password re-prompts per session by editing the pam_pwquality.so line in /etc/pam.d/system-auth. pam_pwquality belongs to the password stack, not the auth stack:
vim /etc/pam.d/system-auth
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
0x0a Lock accounts after failed password attempts
Edit both PAM configuration files, /etc/pam.d/system-auth and /etc/pam.d/password-auth. With the values below, three failures within fail_interval (900 s, i.e. 15 minutes) lock the account for unlock_time (604800 s, i.e. 7 days):
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
0x0b Limit password reuse
This is configured through PAM: in /etc/pam.d/system-auth, add remember=24 to the line containing pam_unix.so. The server then keeps a history of the previous 24 passwords and rejects their reuse. Why 24? Because that is the US Department of Defense standard.
password sufficient pam_unix.so existing_options remember=24