1. Shared Account Check
Configuration name: User account allocation check to avoid shared accounts.
Requirements: 1. Accounts must be allocated according to actual users; 2. Avoid shared accounts between different users and avoid sharing accounts used for communication between users and servers.
Procedure: View current users:
# cat /etc/passwd
Check method: Use cat /etc/passwd to list user information and confirm with administrators whether any shared accounts exist.
How to create users:
# useradd username    # create account
# passwd username     # set password
Use these commands to assign separate accounts, different passwords, and permissions for different users.
Applicable versions: Linux Red Hat AS 3, Linux Red Hat AS 4
2. Locking Unnecessary Accounts
Configuration name: Locking policy for unnecessary accounts.
Requirements: Lock accounts that are not related to device operation or maintenance.
Procedure: Check locked users:
# cat /etc/passwd # see which accounts have shell set to nologin
Check method: Manual check: use cat /etc/passwd and verify the accounts whose shell field is nologin. Baseline checks should show that unnecessary accounts are locked.
Configuration method: Locking users:
- Edit /etc/passwd and set the shell field to nologin for the accounts to be locked; or
- Use passwd -l username to lock an account.
Only users with superuser privileges can run passwd -l username. Unlocking with passwd -d username will invalidate the previous password and require a new password at next login.
Typical accounts to consider locking: lp, uucp, hpdb, www, daemon.
Applicable versions: Linux Red Hat AS 3, Linux Red Hat AS 4
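The checks in items 1 and 2 above can be scripted rather than read off cat /etc/passwd by eye. The following is an added example, not part of the original checklist: it lists accounts that still have a login shell, reports which of the typical service accounts named above were never locked, and flags UIDs shared by more than one account name (one common form of a shared account). The passwd file it reads is a constructed sample; on a real host pass /etc/passwd instead.

```shell
#!/bin/sh
# Added example (not from the original checklist): audit a passwd-format file for
# the conditions in checks 1 and 2. The sample file below is constructed; on a
# real host pass /etc/passwd to the functions instead.

# Print "name:shell" for every account whose shell is not nologin or false.
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}

# Print each name from the candidate list (args 2..n) that still has a login shell.
# Candidates named by this checklist: lp uucp hpdb www daemon
unlocked_service_accounts() {
    file=$1; shift
    for name in "$@"; do
        awk -F: -v n="$name" '$1 == n && $7 !~ /(nologin|false)$/ { print $1 }' "$file"
    done
}

# Print every UID that is used by more than one account name.
duplicate_uids() {
    awk -F: '{ seen[$3]++ } END { for (u in seen) if (seen[u] > 1) print u }' "$1"
}

# Constructed sample passwd file (not copied from any real system).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:0:0:second root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
www:x:48:48:Apache:/var/www:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF

# Stand-alone run: print the three reports for the sample file.
login_shell_accounts "$SAMPLE_PASSWD"
unlocked_service_accounts "$SAMPLE_PASSWD" lp uucp hpdb www daemon
duplicate_uids "$SAMPLE_PASSWD"
```

Any UID printed by duplicate_uids, and any service account printed by unlocked_service_accounts, is a finding to confirm with the administrators before locking.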
3. Restrict Root Remote Login
Configuration name: Restrict remote login for root account.
Requirements: 1. Restrict remote login for users with superuser privileges. 2. Remote administrative actions should be performed by first logging in as a normal user, then switching to the superuser account.
Procedure: Attempt remote login with root account.
Check method: 1. Remote root login should fail with messages such as "Not on system console". 2. Normal users should be able to log in and then switch to root.
Configuration method: Edit /etc/ssh/sshd_config, change PermitRootLogin yes to PermitRootLogin no, then restart the sshd service.
Applicable versions: Linux Red Hat AS 3, Linux Red Hat AS 4
4. Password Complexity Policy
Configuration name: Operating system password complexity policy.
Requirements: Passwords must be at least 12 characters long and include digits, lowercase letters, uppercase letters, and special symbols.
Procedure: 1. Check configuration:
# cat /etc/pam.d/system-auth # locate the password module configuration
Example line:
password requisite /lib/security/$ISA/pam_cracklib.so minlen=6
Notes on parameters:
- retry=N: number of allowed retries when creating a password;
- minlen=N: minimum password length (in some defaults this behaves as N-1);
- dcredit=N: if N<0, at least -N digits are required (e.g., dcredit=-2 requires at least two digits);
- ucredit=N: if N<0, at least -N uppercase letters are required;
- lcredit=N: if N<0, at least -N lowercase letters are required;
- ocredit=N: if N<0, at least -N special characters are required.
Check method: Inspect /etc/pam.d/system-auth and verify parameters against the requirements:
- Minimum password length of at least 12 characters;
- Minimum required counts for digits, letters, and non-alphanumeric characters.
Configuration method: Edit /etc/pam.d/system-auth and adjust the password module parameters to meet the policy.
Applicable versions: Linux Red Hat AS 4
5. Maximum Password Age
Configuration name: Maximum password age policy.
Requirements: The maximum lifetime of account passwords must not exceed 90 days.
Procedure: Inspect /etc/login.defs where:
- PASS_MAX_DAYS sets the maximum password lifetime;
- PASS_MIN_DAYS sets the minimum password lifetime;
- PASS_WARN_AGE sets the password expiration warning period.
Check method: The PASS_MAX_DAYS value must be less than or equal to 90.
Configuration method: Edit /etc/login.defs and set PASS_MAX_DAYS to a value less than or equal to 90.
Applicable versions: Linux Red Hat AS 3, Linux Red Hat AS 4
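The two checks in items 4 and 5 reduce to reading a handful of parameters and comparing them with the stated limits. The following added example (not from the original checklist) does that for the pam_cracklib line in system-auth and for PASS_MAX_DAYS in login.defs, treating a negative credit as a required minimum count as the notes in item 4 describe. The files it reads are constructed samples; on a real host pass /etc/pam.d/system-auth and /etc/login.defs.

```shell
#!/bin/sh
# Added example (not from the original checklist): evaluate the pam_cracklib
# password line (check 4) and PASS_MAX_DAYS (check 5) against the requirements
# minlen >= 12, every character class required, maximum age <= 90 days.
# Sample files are constructed below; on a real host pass the real paths.

# Print the value of key=N on the pam_cracklib password line; prints nothing if absent.
cracklib_param() {
    grep '^password' "$1" | grep 'pam_cracklib.so' |
        tr ' \t' '\n\n' | grep "^$2=" | head -n 1 | cut -d= -f2
}

# Return 0 when minlen >= 12 and dcredit/ucredit/lcredit/ocredit are all negative
# (a negative credit is a minimum count of that class, per the notes in check 4).
password_policy_ok() {
    minlen=$(cracklib_param "$1" minlen)
    [ -n "$minlen" ] && [ "$minlen" -ge 12 ] || return 1
    for key in dcredit ucredit lcredit ocredit; do
        v=$(cracklib_param "$1" "$key")
        [ -n "$v" ] && [ "$v" -lt 0 ] || return 1
    done
    return 0
}

# Return 0 when PASS_MAX_DAYS is set (last uncommented occurrence wins) and <= 90.
max_age_ok() {
    days=$(awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }' "$1")
    [ -n "$days" ] && [ "$days" -le 90 ]
}

# Constructed samples: one non-compliant and one compliant file of each kind.
WEAK_AUTH=$(mktemp); STRONG_AUTH=$(mktemp); LAX_DEFS=$(mktemp); STRICT_DEFS=$(mktemp)
printf 'password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=6\n' > "$WEAK_AUTH"
printf 'password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1\n' > "$STRONG_AUTH"
printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_WARN_AGE\t7\n' > "$LAX_DEFS"
printf 'PASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t1\nPASS_WARN_AGE\t7\n' > "$STRICT_DEFS"

# Stand-alone run: report each sample file as PASS or FAIL.
for f in "$WEAK_AUTH" "$STRONG_AUTH"; do
    password_policy_ok "$f" && echo "password policy PASS: $f" || echo "password policy FAIL: $f"
done
for f in "$LAX_DEFS" "$STRICT_DEFS"; do
    max_age_ok "$f" && echo "max age PASS: $f" || echo "max age FAIL: $f"
done
```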
6. Permissions for Critical System Files
Configuration name: Permissions control for critical directories and files.
Requirements: Configure minimum required permissions for critical files, focusing on /etc/passwd, /etc/shadow, and /etc/group.
Current mainstream Linux distributions set appropriate default permissions for these files; avoid changing them unnecessarily. Periodically audit permissions to ensure correctness.
Procedure: View permissions:
ls -l /etc/passwd
ls -l /etc/shadow
ls -l /etc/group
Check method: Confirm with administrators that permissions are set to the minimum necessary.
Configuration method: Use chmod to set correct permissions.
Notes:
- /etc/passwd: readable by all users, writable by root (-rw-r--r--): chmod 644 /etc/passwd
- /etc/shadow: readable only by root (-r--------): chmod 600 /etc/shadow
- /etc/group: readable by all users, writable by root (-rw-r--r--): chmod 644 /etc/group
- If there is write permission for group or others on /etc, remove it: chmod -R go-w,o-r /etc
Applicable versions: Linux Red Hat AS 3, Linux Red Hat AS 4
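The audit in item 6 can be made repeatable by comparing the group/other bits of each file with the modes listed above and by searching a tree for anything group- or world-writable. The following added example (not from the original checklist) does both; it reads modes from ls -l so it works on any Unix, and it builds a throwaway sandbox directory with one deliberately wrong mode instead of touching /etc. On a real host call the functions on /etc/passwd, /etc/shadow, /etc/group and /etc.

```shell
#!/bin/sh
# Added example (not from the original checklist): verify the account-database
# files carry the group/other bits this checklist prescribes, and list entries
# under a directory that are writable by group or others. A constructed sandbox
# stands in for /etc so the script runs anywhere without modifying the system.

# Print the 10-character mode string (e.g. -rw-r--r--) of a file or directory.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 when the group+other bits (characters 5-10) equal the expected string.
go_bits_ok() {
    [ "$(mode_of "$1" | cut -c5-10)" = "$2" ]
}

# Expected group/other bits per this checklist, keyed by file name.
expected_go() {
    case "$(basename "$1")" in
        passwd|group) echo 'r--r--' ;;   # 644: world-readable, root-writable
        shadow)       echo '------' ;;   # 600 or 400: root only
        *) return 1 ;;
    esac
}

# Print every path under $1 that is writable by group or by others.
go_writable() {
    find "$1" \( -perm -g+w -o -perm -o+w \) -print
}

# Constructed sandbox: a fake /etc whose shadow file has a wrong mode on purpose.
SANDBOX=$(mktemp -d)
for f in passwd shadow group; do : > "$SANDBOX/$f"; done
chmod 644 "$SANDBOX/passwd" "$SANDBOX/group"
chmod 666 "$SANDBOX/shadow"        # wrong on purpose: readable and writable by all

# Stand-alone run: report each file and list group/other-writable entries.
for f in passwd shadow group; do
    if go_bits_ok "$SANDBOX/$f" "$(expected_go "$f")"; then
        echo "OK   $f $(mode_of "$SANDBOX/$f")"
    else
        echo "FAIL $f $(mode_of "$SANDBOX/$f"), expected go bits $(expected_go "$f")"
    fi
done
go_writable "$SANDBOX"
```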
7. Default User Permissions (umask)
Configuration name: Default user permission control.
Requirements: Control default file and directory permissions so new files/directories are not overly permissive, preventing other users in the same group or other groups from modifying them.
Procedure: 1. Check the global default umask in /etc/bashrc; 2. Check an individual user's umask in that user's ~/.bash_profile.
Check method: Global default umask should be 027 or more restrictive (smaller permissions). Individual user umask should follow least-privilege principle.
Configuration method: Per-user: add a line like umask 027 to the user's .bash_profile. For stricter environments, consider umask 077.
Global: Modify /etc/bashrc to set the default umask for all users. Recommended default is 027; for strict environments use 077.
Applicable versions: Linux Red Hat AS 3, Linux Red Hat AS 4
8. Security Logging Completeness
Configuration name: Security logging completeness requirements.
Requirements: Configure comprehensive logging to record security-related events.
Procedure: 1. Check /etc/syslog.conf for relevant configuration; 2. Inspect /var/log/secure for recorded security events.
Check method: Verify /etc/syslog.conf contains appropriate rules and that /var/log/secure records device-related security events.
Configuration method: Edit /etc/syslog.conf and add entries such as:
authpriv.*	/var/log/secure
Define which events should be retained as device-related security events.
Applicable versions: Linux Red Hat AS 3, Linux Red Hat AS 4
9. Centralized Remote Log Server
Configuration name: Remote centralized log server configuration.
Requirements: Configure remote logging to forward important logs to a log server for backup and centralized monitoring.
Procedure: Check /etc/syslog.conf for remote logging configuration.
Check method: Presence of remote logging configuration indicates compliance.
Configuration method: Edit /etc/syslog.conf and add a line like:
*.*	@192.168.0.1
Replace the selector *.* and the IP address with the desired facility/priority and the actual log server IP or hostname.
After editing, restart the syslog service:
# service syslogd restart
Note: There should be a tab character between the selector and the remote host.
Applicable versions: Linux Red Hat AS 3, Linux Red Hat AS 4
10. Enable History Timestamps
Configuration name: Configure history timestamps.
Requirements: Enable timestamps for bash history to facilitate auditing.
Procedure: Check /etc/bashrc for the HISTTIMEFORMAT configuration.
Check method: Confirm an entry such as export HISTTIMEFORMAT="%F %T " is present.
Configuration method: Add the following line to /etc/bashrc:
export HISTTIMEFORMAT="%F %T "
Applicable versions: Linux Red Hat AS 4
11. SSH Login Configuration
Configuration name: SSH login configuration.
Requirements: Use SSH or equivalent encrypted protocols for remote maintenance and secure SSHD settings. Do not use Telnet for remote access.
Procedure: 1. Check the SSH service: ps -elf | grep ssh; 2. Check the Telnet service: ps -elf | grep telnet.
Check method: 1. Telnet must not be used for remote maintenance; 2. SSH must be used; 3. SSH configuration should meet the following requirements:
- Protocol 2
- X11Forwarding yes
- IgnoreRhosts yes
- RhostsAuthentication no
- RhostsRSAAuthentication no
- HostbasedAuthentication no
- PermitRootLogin no
- PermitEmptyPasswords no
- Banner /etc/motd
Configuration method: Edit /etc/ssh/sshd_config and apply the SSHD security settings listed above, then restart sshd.
Applicable versions: Linux Red Hat AS 4
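Checking the nine sshd_config settings listed in item 11 by hand is error-prone because sshd matches keywords case-insensitively and uses the first uncommented occurrence of a keyword, so a later "correct" line can be silently ignored. The following added example (not from the original checklist) resolves each keyword the way sshd does and reports every deviation from the list above. The config it reads is a constructed sample; on a real host pass /etc/ssh/sshd_config. Treating an unset keyword as non-compliant is this example's own conservative assumption.

```shell
#!/bin/sh
# Added example (not from the original checklist): compare an sshd_config with
# the settings required in check 11. Keywords are matched case-insensitively and
# the first uncommented occurrence wins, as sshd itself resolves them. A keyword
# that is not set at all is reported as non-compliant (conservative assumption).

# Required keyword/value pairs, copied from check 11 of this checklist.
REQUIRED='Protocol 2
X11Forwarding yes
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
Banner /etc/motd'

# Print the effective value of a keyword, or nothing if it is never set.
sshd_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$1"
}

# Print one "Keyword: got X, want Y" line per deviation from REQUIRED.
sshd_check() {
    printf '%s\n' "$REQUIRED" | while read -r key want; do
        got=$(sshd_value "$1" "$key")
        [ "$got" = "$want" ] || printf '%s: got %s, want %s\n' "$key" "${got:-(unset)}" "$want"
    done
}

# Return 0 only when sshd_check reports nothing.
sshd_compliant() {
    [ -z "$(sshd_check "$1")" ]
}

# Constructed sample config (not a real host's file): two deviations are planted,
# PermitRootLogin resolves to yes and RhostsAuthentication is never set.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
permitemptypasswords no
X11Forwarding yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
Banner /etc/motd
EOF

sshd_check "$SAMPLE"   # stand-alone run: prints the two deviations
```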
12. Disable Unnecessary System Services
Configuration name: Disable unnecessary system services.
Requirements: Disable services not required for each machine's role. The examples below are references; modify startup items according to server role and applications.
Services that should typically be disabled if not required include sendmail, Telnet, bind, and others.
Procedure: List services with:
# chkconfig --list
Check method: Confirm with administrators that unused services are disabled.
Configuration method: Stop and disable unnecessary services:
# service <service-name> stop
# chkconfig --level 35 <service-name> off
Notes: Services with higher security risk that are recommended to disable include:
- lpd (line printer daemon)
- telnet (unencrypted remote login; use ssh instead)
- routed (routing daemon using RIP)
- sendmail (mail daemon; close if not a mail server)
- Bluetooth service (disable if not used)
- identd (user identification service)
- xfs (X Window font server; historical vulnerabilities)
- R services: rlogin, rwho, rsh, rexec — these have intrinsic security flaws and should be disabled except in closed, trusted environments
- inetd/xinetd-based services (daytime, chargen, echo, etc.) — recommended to disable
Applicable versions: Linux Red Hat AS 3, Linux Red Hat AS 4
13. Disable Control-Alt-Delete Reboot
Configuration name: Disable Control-Alt-Delete reboot.
Requirements: Prevent using Ctrl-Alt-Delete to reboot the server to avoid accidental restarts.
Procedure: Check /etc/inittab.
Check method: /etc/inittab should have the line commented out:
#ca:/sbin/shutdown -t3 -r now
Configuration method: In /etc/inittab, comment out the line:
#ca:/sbin/shutdown -t3 -r now
To apply the change, run:
# /sbin/init q
Note: Disabling Ctrl-Alt-Del prevents immediate reboot from the console via that key combination.
Applicable versions: Linux Red Hat AS 4
14. Install Operating System Updates and Patches
Configuration name: Install OS updates and patches.
Requirements: Install OS updates and patches to remediate vulnerabilities.
Procedure: 1. Check current patch level; 2. Verify vendor advisories for security updates.
Check method: Keep system packages up to date.
Configuration method: Obtain patches from the vendor's advisory pages, download the appropriate RPM packages, copy them to the target system, and install with:
# rpm -ivh xxx.rpm
Then reboot if required and verify services and applications operate normally after the update.
Applicable versions: Linux Red Hat AS 3, Linux Red Hat AS 4