
Harden operating system security for Linux

Last Updated: May 08, 2018

This article guides system administrators and security auditors through security compliance checks and hardening on Linux.


1. Accounts and passwords

1.1 Disable or delete idle accounts

We recommend that you reduce the number of idle accounts in the system to lower security risks.

Procedure

  • Run the userdel <username> command to delete unnecessary accounts.
  • Run the passwd -l <username> command to lock unnecessary accounts.
  • Run the passwd -u <username> command to unlock necessary accounts.

1.2 Check special accounts

Check whether any accounts have an empty password or root privileges.

Procedure

  1. List accounts with empty passwords or root privileges to make sure there are no abnormal accounts.
    • Run the awk -F: '($2=="")' /etc/shadow command to list accounts with empty passwords.
    • Run the awk -F: '($3==0)' /etc/passwd command to list accounts with UID 0.
  2. Harden the accounts found.
    • Run the passwd <username> command to set a password for an account with an empty password.
    • Make sure that the only account with UID 0 is root.

1.3 Add password policy

Enhance password complexity to reduce the possibility of brute-force attacks.

Procedure

  1. Run the vi /etc/login.defs command to modify configuration files.
    • PASS_MAX_DAYS 90 #Maximum number of days a new user’s password may be used.
    • PASS_MIN_DAYS 0 #Minimum number of days a new user’s password may be used.
    • PASS_WARN_AGE 7 #Number of days to prompt a user to change password before current password expires.
  2. Use the chage command to modify user settings.
    For example, the chage -m 0 -M 30 -E 2000-01-01 -W 7 <username> command sets the maximum number of days this user's password may be used to 30, the minimum number of days to 0, the password expiry date to 2000-01-01, and the warning period to 7 days before expiry.
  3. Lock accounts for five minutes after three consecutive wrong password attempts. Run the vi /etc/pam.d/common-auth command to modify the configuration file, and add the line auth required pam_tally.so onerr=fail deny=3 unlock_time=300.

1.4 Restrict use of su

Restrict which users can run su to become root.

Procedure

Run the vi /etc/pam.d/su command to modify the configuration file, and add the required lines. For example, to allow only users in the test group to use su to become root, add auth required pam_wheel.so group=test to the configuration file.

2. Services

2.1 Disable unnecessary services

Disable unnecessary services, both standalone services and those managed by xinetd, to reduce security risks.

Procedure

Run the systemctl disable <service name> command to disable a service when the system starts.

Note: On some earlier Linux versions (such as CentOS 6), run the chkconfig --level <init level> <service name> off command to disable a service at startup in a specific init level.

2.2 SSH service security

Harden SSH service security to prevent brute-force attacks.

Procedure

Run the vim /etc/ssh/sshd_config command to edit the configuration file.

  • Root accounts are not allowed to log on to the system directly.
    Set the PermitRootLogin value to no.
  • Change the protocol version used by SSH.
    Set Protocol to 2.
  • Change number of allowable authentication attempts (the default value is 6).
    Set the MaxAuthTries value to 3.

After modifying the configuration file, restart the sshd service for the changes to take effect.
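A compliance check for the three sshd_config settings above, as an added example that is not part of the original article: sshd honours the first occurrence of a keyword and settings after a Match line are conditional, so the lookup stops at the first hit or at the first Match block. Only the "Keyword value" form (not "Keyword=value") is handled, and the sample configurations are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: check an sshd_config file for
# the settings of section 2.2 (PermitRootLogin no, Protocol 2, MaxAuthTries 3).
sshd_value() {   # usage: sshd_value <config-file> <Keyword>; prints the effective global value
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/        { next }   # blank lines and comments
        tolower($1) == "match"      { exit }   # global section ends at the first Match block
        tolower($1) == tolower(key) { print $2; exit }   # sshd uses the first occurrence
    ' "$1"
}

# Return 0 when PermitRootLogin is no, Protocol is 2 and MaxAuthTries is at most 3.
check_sshd_config() {
    cfg=$1; rc=0
    [ "$(sshd_value "$cfg" PermitRootLogin)" = no ] || { echo "FAIL: PermitRootLogin is not no"; rc=1; }
    [ "$(sshd_value "$cfg" Protocol)" = 2 ] || { echo "FAIL: Protocol is not 2"; rc=1; }
    tries=$(sshd_value "$cfg" MaxAuthTries)
    # An absent keyword means sshd's default of 6, which is also non-compliant.
    [ -n "$tries" ] && [ "$tries" -le 3 ] 2>/dev/null || { echo "FAIL: MaxAuthTries is ${tries:-unset (default 6)}"; rc=1; }
    return $rc
}

# Constructed sample configurations (not copied from any real host).
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
# hardened per section 2.2
Protocol 2
PermitRootLogin no
MaxAuthTries 3
Match User backup
    PasswordAuthentication no
EOF
cat > "$BAD_CFG" <<'EOF'
#PermitRootLogin prohibit-password
MaxAuthTries 6
Match Address 192.0.2.0/24
    PermitRootLogin no
EOF

check_sshd_config "$GOOD_CFG" && echo "good sample: compliant"
check_sshd_config "$BAD_CFG" || echo "bad sample: non-compliant"
```

The second sample shows why the Match stop matters: its PermitRootLogin no applies only to one address range, so the global setting is still unset.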

3. File system

3.1 Set umask value

Set the default umask value to improve security.

Procedure

Run the vi /etc/profile command to modify the configuration file, and add the line umask 027. With this mask, the owner of a new file has read and write permissions, users in the same group have read and execute permissions, and other users have no permissions.

3.2 Set logon time-out

Set a connection time-out after logging onto the system to improve security.

Procedure

Run the vi /etc/profile command to modify the configuration file, and edit the line that begins with TMOUT= so that it reads TMOUT=180. The connection then times out after three minutes.

4. Log

4.1 syslogd log

Make sure logging is enabled and configure what is recorded.

Procedure

By default, the following types of logs are enabled in the Linux OS.

  • System log (default) /var/log/messages
  • cron log (default) /var/log/cron
  • Security log (default) /var/log/secure

Note: Some systems use syslog-ng instead. On these systems the configuration file is /etc/syslog-ng/syslog-ng.conf.

You can configure detailed logs as needed.

4.2 Record logon and operation logs for all users

Record the logon and command history of all users with a profile script, so that the record is not lost after a security event.

Procedure

  1. As root, run the vim /etc/profile command to open the configuration file.
  2. Append the following content to the configuration file.

      # Write one history file per interactive session under /var/log/history.
      history
      USER=`whoami`
      # Client address as reported by who; fall back to the host name for local logons.
      USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
      if [ "$USER_IP" = "" ]; then
          USER_IP=`hostname`
      fi
      # Top-level directory is world-writable so that every user can create a subdirectory.
      if [ ! -d /var/log/history ]; then
          mkdir /var/log/history
          chmod 777 /var/log/history
      fi
      # Per-user directory (named after LOGNAME) with write and search permissions only:
      # the user can create new history files but cannot list or read earlier ones.
      if [ ! -d /var/log/history/${LOGNAME} ]; then
          mkdir /var/log/history/${LOGNAME}
          chmod 300 /var/log/history/${LOGNAME}
      fi
      export HISTSIZE=4096
      DT=`date +"%Y%m%d_%H:%M:%S"`
      # File name records the effective user, client address and session start time.
      export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT"
      # Restrict earlier session files of this user to the owner (pattern matches the names set above).
      chmod 600 /var/log/history/${LOGNAME}/*@* 2>/dev/null

  3. Run the source /etc/profile command to enable the configuration.
     Note: /var/log/history is the customizable location for the recorded logs.

After these steps, each user has a folder under /var/log/history and, each time the user's session ends, the shell writes a history file named with the user name, logon IP and logon time. This file contains all commands the user (except root users) ran in that session.

Additionally, we recommend using the OSS service to collect and store the logs.
