CentOS 5.5 Installation Hardening Plan

Uploader: jin****ng   Document ID: 171966893   Uploaded: 2022-11-30   Format: DOCX   Pages: 13   Size: 22.42KB
Contents

1. Disk partition order
2. Edit the gdm configuration file to enable XDMCP
3. Set a password policy that meets complexity requirements
4. Create an ordinary user and set a strong password
5. Check disk performance
6. Forbid at/cron for all accounts except root
7. Shut down unneeded services
8. IP protocol security configuration
9. Upgrade the operating system
10. Build a data integrity monitoring system (Tripwire)

1. Disk partition order

swap 8G, /var 8G, /usr 4G; allocate the rest freely.

2. Edit the gdm configuration file to enable XDMCP

    vi /etc/gdm/custom.conf
    [security]
    DisallowTCP=false
    [xdmcp]
    Enable=true

3. Set a password policy that meets complexity requirements

Make backups first:

    # cp -p /etc/login.defs /etc/login.defs_bak
    # cp -p /etc/passwd /etc/passwd_bak

Run the following command to edit /etc/login.defs:

    # vi /etc/login.defs

Change the following complexity parameters:

    PASS_MAX_DAYS 90
    PASS_MIN_LEN 8
    PASS_WARN_AGE 7

    # passwd username

4. Create an ordinary user and set a strong password

    # useradd username
    # passwd username
    # usermod -G wheel username
    # vi /etc/pam.d/su

Find this line (at about line 6) and remove the leading "#":

    #auth required /lib/security/$ISA/pam_wheel.so use_uid

so that it becomes:

    auth required /lib/security/$ISA/pam_wheel.so use_uid

Append the statement to the end of /etc/login.defs:

    # echo "SU_WHEEL_ONLY yes" >> /etc/login.defs

Forbid the root user from logging in to the system remotely:

    # vi /etc/securetty

Remove the comment in front of console, then save and exit.

    # vi /etc/ssh/sshd_config

Change the yes after PermitRootLogin to no.

Change the port to one above 1000:

    Port 10000

Do not allow the old SSH protocol version: change "#Protocol 2,1" to

    Protocol 2

Edit aliases and add the following line at the end of the file:

    # vi /etc/aliases
    root: yourname

5. Check disk performance

    # hdparm -Tt /dev/sda
    /dev/sda:
     Timing cached reads:   16988 MB in  2.00 seconds = 8502.65 MB/sec
     Timing buffered disk reads:  334 MB in  3.02 seconds = 110.65 MB/sec

6. Forbid at/cron for all accounts except root

    # cd /etc
    # cp -p cron.deny cron.deny_bak
    # cp -p at.deny at.deny_bak

Add root to cron.allow and at.allow, and delete cron.deny and at.deny:

    # rm -f cron.deny at.deny
    # echo root > cron.allow
    # echo root > at.allow
    # chown root:sys cron.allow at.allow
    # chmod 400 cron.allow at.allow
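An added example, not part of the original document, that checks whether a login.defs and an sshd_config actually carry the values sections 3 and 4 set. The function names, the file-path parameters and the sample file contents are assumptions made for the example.

```shell
# Added example (not from the original document): audit the login.defs and
# sshd_config values that sections 3 and 4 require. Paths are parameters,
# so the functions run here against constructed sample files.
# get_setting FILE KEY: print the value of KEY from a "KEY value" or
# "KEY=value" line, skipping comments; prints nothing when KEY is unset.
get_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { line = $0; sub(/#.*/, "", line); gsub(/=/, " ", line)
          n = split(line, f, /[ \t]+/)
          for (i = 1; i < n; i++) if (f[i] == key) { print f[i+1]; exit } }
    ' "$1"
}
# check_setting FILE KEY EXPECTED: PASS/FAIL line on stderr, return 1 on FAIL.
check_setting() {
    actual=$(get_setting "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "PASS $1: $2 $actual" >&2; return 0
    fi
    echo "FAIL $1: $2 is '${actual:-unset}', expected '$3'" >&2; return 1
}
# audit_baseline LOGIN_DEFS SSHD_CONFIG: run the page's checks and print
# the number of failing settings on stdout.
audit_baseline() {
    fails=0
    for kv in PASS_MAX_DAYS:90 PASS_MIN_LEN:8 PASS_WARN_AGE:7 SU_WHEEL_ONLY:yes; do
        check_setting "$1" "${kv%%:*}" "${kv#*:}" || fails=$((fails + 1))
    done
    for kv in PermitRootLogin:no Protocol:2 Port:10000; do
        check_setting "$2" "${kv%%:*}" "${kv#*:}" || fails=$((fails + 1))
    done
    echo "$fails"
}
# Constructed samples: login.defs meets the policy; sshd_config still has
# the two settings section 4 says to change (expected result: 2 failures).
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/login.defs" <<'EOF'
PASS_MAX_DAYS   90
PASS_MIN_LEN    8
PASS_WARN_AGE   7
SU_WHEEL_ONLY yes
EOF
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
#Port 22
Port 10000
Protocol 2,1
PermitRootLogin yes
EOF
audit_baseline "$SAMPLE_DIR/login.defs" "$SAMPLE_DIR/sshd_config"
```

Because get_setting also accepts "KEY=value" lines, the same checker can be pointed at /etc/sysctl.conf for the values in section 8.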
7. Shut down unneeded services

Only the services that need to be started are listed below; every service not listed is to be shut down:

    # setup

    acpid
    anacron
    cpuspeed
    crond
    gpm
    iptables
    irqbalance      (enable only when the server CPU is SMP, dual-core or HT capable; otherwise disable)
    lvm2-monitor
    microcode_ctl
    network
    ntpd
    random
    sendmail
    sshd
    syslog
    yum-updatesd

8. IP protocol security configuration

    # vi /etc/modprobe.conf
    alias net-pf-10 off
    alias ipv6 off
    # shutdown -r now
    # vi /etc/sysctl.conf
    net.ipv4.conf.default.accept_source_route=0
    net.ipv4.icmp_echo_ignore_broadcasts=1
    net.ipv4.icmp_echo_ignore_all=1
    net.ipv4.icmp_ignore_bogus_error_responses=1
    net.ipv4.ip_conntrack_max=65535
    net.ipv4.tcp_syncookies=1
    net.ipv4.tcp_syn_retries=1
    net.ipv4.tcp_fin_timeout=5
    net.ipv4.tcp_synack_retries=1
    net.ipv4.route.gc_timeout=100
    net.ipv4.tcp_keepalive_time=500
    net.ipv4.tcp_max_syn_backlog=10000

9. Upgrade the operating system

    [root@centos root]# yum update

10. Build a data integrity monitoring system (Tripwire)

    [root@centos root]# wget <download URL>/tripwire-2.4.2-src.tar.bz2
    [root@centos root]# tar -jxvf tripwire-2.4.2-src.tar.bz2
    [root@centos root]# cd tripwire-2.4.2-src
    [root@centos tripwire-2.4.2-src]# ./configure
    checking build system type... x86_64-unknown-linux-gnu
    checking host system type... x86_64-unknown-linux-gnu
    checking target system type... x86_64-unknown-linux-gnu
    checking for a BSD-compatible install... /usr/bin/install -c
    checking whether build environment is sane... yes
    checking for gawk... gawk
    checking whether make sets $(MAKE)... yes
    checking for gcc... no
    checking for cc... no
    checking for cl.exe... no
    configure: error: no acceptable C compiler found in $PATH
    See `config.log' for more details.

The C build environment is missing, so install gcc:

    [root@centos tripwire-2.4.2-src]# yum install gcc gcc-c++
    [root@centos tripwire-2.4.2-src]# make
    [root@centos tripwire-2.4.2-src]# make install
    ...
    Public License instead of this License.

    Please type "accept" to indicate your acceptance of this
    license agreement. [do not accept] accept        (agree to the license)

    Using configuration file ./install/install.cfg
    Checking for programs specified in install configuration file....
    /usr/sbin/sendmail -oi -t exists.  Continuing installation.
    /bin/vi exists.  Continuing installation.
    Verifying existence of binaries...
    ./bin/siggen found
    ./bin/tripwire found
    ./bin/twprint found
    ./bin/twadmin found
    This program will copy Tripwire files to the following directories:
    TWBIN: /usr/local/sbin
    TWMAN: /usr/local/man
    TWPOLICY: /usr/local/etc
    TWREPORT: /usr/local/lib/tripwire/report
    TWDB: /usr/local/lib/tripwire
    TWSITEKEYDIR: /usr/local/etc
    TWLOCALKEYDIR: /usr/local/etc
    CLOBBER is false.
    Continue with installation? [y/n] y        (confirm to continue the installation)
    Creating directories...
    /usr/local/sbin: already exists
    /etc/tripwire: created
    /usr/local/lib/tripwire/report: created
    /usr/local/lib/tripwire: already exists
    /etc/tripwire: already exists
    /etc/tripwire: already exists
    /usr/local/man: already exists
    /usr/local/doc/tripwire: created
    Copying files...
    /usr/local/doc/tripwire/README: copied
    /usr/local/doc/tripwire/Release_Notes: copied
    /usr/local/doc/tripwire/COPYING: copied
    /usr/local/doc/tripwire/TRADEMARK: copied
    /usr/local/doc/tripwire/policyguide.txt: copied
    /etc/tripwire/twpol-Linux.txt: copied
    The Tripwire site and local passphrases are used to sign a variety of files, such as the configuration, policy, and database files.
    Passphrases should be at least 8 characters in length and contain both letters and numbers.
    See the Tripwire manual for more information.
    Creating key files...
    (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.)
    Enter the site keyfile passphrase:        (enter the "site keyfile" passphrase; it is not echoed; remember it)
    Verify the site keyfile passphrase:       (confirm the "site keyfile" passphrase)
    Generating key (this may take several minutes)...Key generation complete.
    (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.)
    Enter the local keyfile passphrase:       (enter the "local keyfile" passphrase; it is not echoed; remember it)
    Verify the local keyfile passphrase:      (confirm the "local keyfile" passphrase)
    Generating key (this may take several minutes)...Key generation complete.
    Generating Tripwire configuration file...
    Creating signed configuration file...
    Please enter your site passphrase:        (enter the "site keyfile" passphrase; not echoed)
    Wrote configuration file: /etc/tripwire/tw.cfg
    A clear-text version of the Tripwire configuration file /etc/tripwire/twcfg.txt has been preserved for your inspection. It is recommended that you delete this file manually after you have examined it.
    Customizing default policy file...
    Creating signed policy file...
    Please enter your site passphrase:        (enter the "site keyfile" passphrase; not echoed)
    Wrote policy file: /etc/tripwire/tw.pol
    A clear-text version of the Tripwire policy file /etc/tripwire/twpol.txt has been preserved for your inspection. This implements a minimal policy, intended only to test essential Tripwire functionality. You should edit the policy file to describe your system, and then use twadmin to generate a new signed copy of the Tripwire policy.
    The installation succeeded.
    Please refer to /usr/local/doc/tripwire/Release_Notes for release information and to the printed user documentation for further instructions on using Tripwire 2.3 Open Source.
    make[3]: Leaving directory `/root/tripwire-2.4.2'
    make[2]: Leaving directory `/root/tripwire-2.4.2'
    make[1]: Leaving directory `/root/tripwire-2.4.2'

Edit the plain-text Tripwire configuration file:

    [root@centos ~]# vi /usr/local/etc/twcfg.txt

Find this line and change false to true (do not check the data integrity of the parent directories):

    LOOSEDIRECTORYCHECKING =false

so that it becomes:

    LOOSEDIRECTORYCHECKING =true

Find this line and change 3 to 4 (changes the level of the check report):

    REPORTLEVEL =3

so that it becomes:

    REPORTLEVEL =4

Build the encrypted configuration file from the plain-text one:

    [root@centos ~]# twadmin --create-cfgfile -S /usr/local/etc/site.key /usr/local/etc/twcfg.txt
    Please enter your site passphrase:        (enter the "site keyfile" passphrase; not echoed)
    Wrote configuration file: /usr/local/etc/tw.cfg

Delete the plain-text configuration file so that it does not remain a security risk:

    [root@centos ~]# rm -f /usr/local/etc/twcfg.txt

Create the Perl script used to build the policy file:

    [root@centos ~]# vi /usr/local/etc/twpolmake.pl

    #!/usr/bin/perl
    # Tripwire Policy File customize tool
    # ----------------------------------------------------------------
    # Copyright (C) 2003 Hiroaki Izumi
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # as published by the Free Software Foundation; either version 2
    # of the License, or (at your option) any later version.
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    # GNU General Public License for more details.
    # You should have received a copy of the GNU General Public License
    # along with this program; if not, write to the Free Software
    # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
    # ----------------------------------------------------------------
    # Usage:
    #    perl twpolmake.pl {Pol file}
    # ----------------------------------------------------------------
    #
    $POLFILE=$ARGV[0];

    open(POL,"$POLFILE") or die "open error: $POLFILE" ;
    my($myhost,$thost) ;
    my($sharp,$tpath,$cond) ;
    my($INRULE) = 0 ;

    while (<POL>) {
        chomp;
        # Replace the HOSTNAME in the policy with this host's name if they differ
        if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
            $myhost = `hostname` ; chomp($myhost) ;
            if ($thost ne $myhost) {
                $_="HOSTNAME=\"$myhost\";" ;
            }
        }
        elsif ( /^{/ ) {
            $INRULE=1 ;
        }
        elsif ( /^}/ ) {
            $INRULE=0 ;
        }
        # Inside a rule block: comment out entries whose path does not exist on this host
        elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
            $ret = ($sharp =~ s/\#//g) ;
            if ($tpath eq '/sbin/e2fsadm' ) {
                $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
            }
            if (! -s $tpath) {
                $_ = "$sharp\#$tpath$cond" if ($ret == 0) ;
            }
            else {
                $_ = "$sharp$tpath$cond" ;
            }
        }
        print "$_\n" ;
    }
    close(POL) ;

Build the policy file:

    [root@centos ~]# perl /usr/local/etc/twpolmake.pl /usr/local/etc/twpol.txt > /usr/local/etc/twpol.txt.out

Delete the default policy file:

    [root@centos ~]# rm -f /usr/local/etc/twpol.txt

Rename the newly built policy file to the default policy file name:

    [root@centos ~]# mv /usr/local/etc/twpol.txt.out /usr/local/etc/twpol.txt

Build the encrypted policy file from the plain-text one:

    [root@centos ~]# twadmin --create-polfile -S /usr/local/etc/site.key /usr/local/etc/twpol.txt
    Please enter your site passphrase:        (enter the "site keyfile" passphrase; not echoed)
    Wrote policy file: /usr/local/etc/tw.pol

Delete the plain-text configuration file so that it does not remain a security risk:

    [root@centos ~]# rm -f /usr/local/etc/twcfg.txt

Build the database:

    [root@centos ~]# tripwire --init
    Please enter your local passphrase:       (enter the "local keyfile" passphrase; not echoed)
    Parsing policy file: /etc/tripwire/tw.pol
    Generating the database...
    *** Processing Unix File System ***
    Wrote database file: /usr/local/lib/tripwire/.twd
    The database was successfully generated.

Create the Tripwire run script:

    [root@centos ~]# vi tripwire-check

    #!/bin/bash
    PATH=/usr/local/sbin:/usr/bin:/bin
    SITEPASS="********"     # Site Key Passphrase  (replace the asterisks with the site keyfile passphrase)
    LOCALPASS="********"    # Local Key Passphrase (replace the asterisks with the local keyfile passphrase)
    REPORTFILE=/usr/local/lib/tripwire/report/`hostname`-`date +%Y%m%d`.twr

    # Run the Tripwire
    tripwire --check -r $REPORTFILE | logger -t tripwire

    # Mail the Tripwire Report to root
    cd /usr/local/etc
    REPORTPRINT=`mktemp`
    twprint -m r -c tw.cfg -r $REPORTFILE -L `hostname`-local.key -t 4 > $REPORTPRINT
    if [ -z "$(grep "Total violations found: 0" $REPORTPRINT)" ]; then
        cat $REPORTPRINT | mail -s "Tripwire(R) Integrity Check Report in `hostname`" root
    fi
    rm -f $REPORTPRINT

    # Update the Policy File
    cd /usr/local/etc
    twadmin --print-polfile > twpol.txt
    perl twpolmake.pl twpol.txt > twpol.txt.out
    twadmin --create-polfile -S site.key -Q $SITEPASS twpol.txt.out | logger -t tripwire
    rm -f twpol.*

    # Update the Database
    rm -f /usr/local/lib/tripwire/`hostname`.twd
    tripwire --init -P $LOCALPASS | logger -t tripwire

Give the run script execute permission:

    [root@centos ~]# chmod 700 tripwire-check

Run the script once:

    [root@centos ~]# ./tripwire-check

Because the run script itself was added, this also counts as a change to the system, and an e-mail notification is sent to root. Check the mailbox to receive the check report.

Run the script a second time:

    [root@centos ~]# ./tripwire-check

Since there is unlikely to be any file change between two consecutive runs, confirm that no e-mail is sent to root.

View the check report:

    [root@centos tripwire]# cat tripwire-report
    Note: Report is not encrypted.
    Tripwire(R) 2.3.0 Integrity Check Report

    Report generated by:          root
    Report created on:            Wed 23 Aug 2006 05:45:01 AM CST
    Database last updated on:     Never

    Report Summary:
    Host name:
    Host IP address:              127.0.0.1
    Host ID:                      None
    Policy file used:             /etc/tripwire/tw.pol
    Configuration file used:      /etc/tripwire/tw.cfg
    Database file used:           /usr/local/lib/tripwire/.twd
    Command line used:            tripwire --check -r /usr/local/lib/tripwire/report/-20060823.twr

    Rule Summary:
    Section: Unix File System
      Rule Name                                    Severity Level    Added    Removed  Modified
      Invariant Directories                        66                0        0        0
      Tripwire Data Files                          100               0        0        0
      Temporary directories                        33                0        0        0
      Critical devices                             100               0        0        0
      (/proc/kcore)
      Tripwire Binaries                            100               0        0        0
      Libraries                                    66                0        0        0
      User binaries                                66                0        0        0
      Critical system boot files                   100               0        0        0
      File System and Disk Administraton Programs  100               0        0        0
      Kernel Administration Programs               100               0        0        0
      Networking Programs                          100               0        0        0
      System Administration Programs               100               0        0        0
      Hardware and Device Control Programs         100               0        0        0
      System Information Programs                  100               0        0        0
      Application Information Programs             100               0        0        0
      (/sbin/rtmon)
      Shell Related Programs                       100               0        0        0
      Operating System Utilities                   100               0        0        0
      Critical Utility Sym-Links                   100               0        0        0
      Shell Binaries                               100               0        0        0
      OS executables and libraries                 100               0        0        0
      System boot changes                          100               0        0        0
      Critical configuration files                 100               0        0        0
      Security Control                             100               0        0        0
      Login Scripts                                100               0        0        0
    * Root config files                            100               0        0        1

    Total objects scanned:  17363
    Total violations found:  1

    Object Summary:
    # Section: Unix File System
    Rule Name: Root config files (/root)
    Severity Level: 100
    Modified:
    "/root/tripwire-check"

    Object Detail:
    Section: Unix File System
    Rule Name: Root config files (/root)
    Severity Level: 100
    Modified Objects: 1
    Modified object name:  /root/tripwire-check
      Property:            Expected                         Observed
      Object Type          Regular File                     Regular File
      Device Number        64768                            64768
      File Device Number   0                                0
      Inode Number         351317                           351317
      Mode                 -rwx------                       -rwx------
      Num Links            1                                1
      UID                  root (0)                         root (0)
      GID                  root (0)                         root (0)
    * Size                 953                              951
    * Modify Time          Wed 23 Aug 2006 05:21:26 AM CST  Wed 23 Aug 2006 05:43:10 AM CST
    * Change Time          Wed 23 Aug 2006 05:21:26 AM CST  Wed 23 Aug 2006 05:43:10 AM CST
      Blocks               16                               16
    * CRC32                Ay0oV9                           BDzM8Y
    * MD5                  BoeMoWfjEKCSLOJCs/E7mj           ABQN3hl5wF0PyTcXugPE5U

    Error Report:
    No Errors

    *** End of report ***
    Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved.

Delete the check report:

    [root@centos tripwire]# rm -f tripwire-report

Go to the root home directory where the Tripwire run script is:

    [root@centos tripwire]# cd

Move the script into the directory whose contents run automatically every day:

    [root@centos ~]# mv tripwire-check /etc/cron.daily/
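An added example, not from the original document, that reads a twprint text report like the one above the way the tripwire-check script needs to: it extracts the violation count, the Rule Summary rows flagged with "*", and the modified paths, instead of a single grep for "Total violations found: 0". The report excerpt is constructed in the same layout as the sample above, and the function names are assumptions.

```shell
# Added example (not from the original document): pull the decision data a
# cron job needs out of a twprint text report like the one on this page.
# tw_violations REPORT: print the integer after "Total violations found:".
tw_violations() {
    awk -F': *' '/^Total violations found:/ { print $2 + 0; exit }' "$1"
}
# tw_changed_rules REPORT: print "rule|added|removed|modified" for every
# Rule Summary row flagged with "*" whose three counters are not all zero.
tw_changed_rules() {
    awk '
        /^Rule Summary:/ { inrs = 1; next }
        /^Total objects scanned:/ { inrs = 0 }
        inrs && /^\*/ {
            a = $(NF-2); r = $(NF-1); m = $NF
            name = $0; sub(/^\* */, "", name)
            sub(/[ \t]+[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+$/, "", name)
            if (a + r + m > 0) print name "|" a "|" r "|" m
        }' "$1"
}
# tw_modified_objects REPORT: list the paths under "Modified:" in Object Summary.
tw_modified_objects() {
    awk '
        /^[ \t]*Modified:/ { inmod = 1; next }
        /^[ \t]*(Added|Removed|Object Detail):/ { inmod = 0 }
        inmod && /^[ \t]*"?\// { gsub(/"/, ""); sub(/^[ \t]+/, ""); print }
    ' "$1"
}
# Constructed report excerpt (same layout as the page's sample, abbreviated).
REPORT=$(mktemp); trap 'rm -f "$REPORT"' EXIT
cat > "$REPORT" <<'EOF'
Rule Summary:
Section: Unix File System
  Rule Name                       Severity Level    Added    Removed  Modified
  Tripwire Data Files             100               0        0        0
* Root config files               100               0        0        1
Total objects scanned:  17363
Total violations found:  1
Object Summary:
Rule Name: Root config files (/root)
Modified:
"/root/tripwire-check"
Object Detail:
EOF
# Same decision the page's tripwire-check script makes with grep, on the parsed count.
if [ "$(tw_violations "$REPORT")" -gt 0 ]; then
    tw_changed_rules "$REPORT"; tw_modified_objects "$REPORT"
fi
```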