这里记录一下师傅发的安全环境作业指导书的熟悉练习,这个版本是linux版本的,这里使用的是centos7.9
等保先前写了一个文章是关于等保的十大层面,那我们的测评也是从这10个层面逐步测评的。等保测评的10个层面-CSDN博客
师傅给我的作业指导书的控制类类编号是从4开始的,可能是对服务器做测试是控制类编号。这个后面问问师傅。
首先是身份鉴别:
a)对登录的用户进行身份标识和辨别,身份标识具有唯一性,身份鉴别信息具有复杂度并且定期更换。
步骤1:查看能登陆的用户
输入grep '/bin/bash'/etc/passwd
或者去查看下/etc/shadow文件,这个文件能够查看密文消息,但是需要sudo权限
步骤2:查看能够登陆的用户是否设置了密码。
命令就是
sudo cat /ect/shadow
[user@localhost ~]$ sudo cat /etc/shadow
root:$6$4smooHmircvV.RNZ$7ouZ/RI1ZImktSr8yTZ5aIH1wmVeyQc8vu48fBw56nYX7QNzd3L5Vu/h5QHjHqjSyx5ko3yHgBfJMUG0Dz4ag0::0:99999:7:::
bin:*:18353:0:99999:7:::
daemon:*:18353:0:99999:7:::
adm:*:18353:0:99999:7:::
lp:*:18353:0:99999:7:::
sync:*:18353:0:99999:7:::
shutdown:*:18353:0:99999:7:::
halt:*:18353:0:99999:7:::
mail:*:18353:0:99999:7:::
operator:*:18353:0:99999:7:::
games:*:18353:0:99999:7:::
ftp:*:18353:0:99999:7:::
nobody:*:18353:0:99999:7:::
systemd-network:!!:19971::::::
dbus:!!:19971::::::
polkitd:!!:19971::::::
libstoragemgmt:!!:19971::::::
colord:!!:19971::::::
rpc:!!:19971:0:99999:7:::
saned:!!:19971::::::
gluster:!!:19971::::::
saslauth:!!:19971::::::
abrt:!!:19971::::::
setroubleshoot:!!:19971::::::
rtkit:!!:19971::::::
pulse:!!:19971::::::
radvd:!!:19971::::::
chrony:!!:19971::::::
unbound:!!:19971::::::
qemu:!!:19971::::::
tss:!!:19971::::::
sssd:!!:19971::::::
usbmuxd:!!:19971::::::
geoclue:!!:19971::::::
ntp:!!:19971::::::
gdm:!!:19971::::::
rpcuser:!!:19971::::::
nfsnobody:!!:19971::::::
gnome-initial-setup:!!:19971::::::
sshd:!!:19971::::::
avahi:!!:19971::::::
postfix:!!:19971::::::
tcpdump:!!:19971::::::
user:$6$pZK26d/9Ip114njZ$.5cozL/GT0yic.EzXvi5zfR4mEaQZ.hU9XDj6VlI5dBcU.J0mjzKF5Vi6DP.F.S3qlTpRDJg8sbQwK16xmESq1:19971:0:99999:7:::
下面是当前的一个字段
- 第1段:用户名
- 第2段:密码密文(SHA512散列加密算法)
- 第3段:最近一次修改密码时间(从1970-01-01开始的天数)
- 第4段:密码最小修改间隔的天数(依赖第3段的时间,如:0 表示 随时可以修改密码)
- 第5段:密码有效期(最晚 N 天之后必须修改,如:99999 表示 密码长期有效)
- 第6段:密码到期前提醒(依赖第5段的时间,如:7 表示密码有效期第7天开始,每次登录时提示)
- 第7段:密码过期后宽限天数(依赖第5段的时间,如:10 表示 密码过期后10天内允许登录,过期禁用)
- 第8段:账号失效日期(从1970-01-01开始的天数,到期无论账号是否有效,都将无法使用)
- 第9段:保留字段,无含义
步骤3:查看用户名和UID是否具有唯一性
输入cat /etc/passwd
[user@localhost ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
libstoragemgmt:x:998:995:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
colord:x:997:994:User for colord:/var/lib/colord:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
saned:x:996:993:SANE scanner daemon user:/usr/share/sane:/sbin/nologin
gluster:x:995:992:GlusterFS daemons:/run/gluster:/sbin/nologin
saslauth:x:994:76:Saslauthd user:/run/saslauthd:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
setroubleshoot:x:993:990::/var/lib/setroubleshoot:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
chrony:x:992:987::/var/lib/chrony:/sbin/nologin
unbound:x:991:986:Unbound DNS resolver:/etc/unbound:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
sssd:x:990:984:User for sssd:/:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
geoclue:x:989:983:User for geoclue:/var/lib/geoclue:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
gnome-initial-setup:x:988:982::/run/gnome-initial-setup/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash
文件 /etc/passwd 存储着所有用户的基本信息,并且 所有用户 都对此文件拥有读权限。
- 第1段:用户名
- 第2段:登录密码,默认用x替代,真实密码详见《/etc/shadow》文件
- 第3段:uid 用户唯一ID
- 第4段:gid 所属的用户组ID,uid 和 gid 对应关系详见《/etc/group》文件
- 第5段:账号的说明性描述
- 第6段:用户的家目录路径
- 第7段:默认shell,如果为 /sbin/nologin/ 则不允许登录
步骤4:查看密码策略
[user@localhost ~]$ cat /etc/login.defs
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 201
SYS_GID_MAX 999
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
这个文件当中记录着密码长度以及有效期参数
检查下密码复杂度,输入cat /ect/pam.d/system-auth
[user@localhost ~]$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
1)在/etc/pam.d/system-auth中有如下一行:
password requisite pam_cracklib.so
minlen=8 (ucredit、lcredit、dcredit、
ocredit至少设置3个)
或者,
2)在/etc/pam.d/system-auth中有如下一行:
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 enforce_for_root
在/etc/security/pwquality.conf中至少设置如下参数:
difok=5
minlen=8
dcredit、ucredit、lcredit、ocredit至少设置3个
minclass=3
输入:cat /etc/security/pwquality.conf
[user@localhost ~]$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
[user@localhost ~]$ cat /etc/security/pwquality.conf
# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
# difok = 5
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
# minlen = 9
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
# dcredit = 1
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
# ucredit = 1
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
# lcredit = 1
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
# ocredit = 1
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
# minclass = 0
#
# The maximum number of allowed consecutive same characters in the new password.
# The check is disabled if the value is 0.
# maxrepeat = 0
#
# The maximum number of allowed consecutive characters of the same class in the
# new password.
# The check is disabled if the value is 0.
# maxclassrepeat = 0
#
# Whether to check for the words from the passwd entry GECOS string of the user.
# The check is enabled if the value is not 0.
# gecoscheck = 0
#
# Path to the cracklib dictionaries. Default is to use the cracklib default.
# dictpath =
步骤5:访谈配合人员所有用户的密码是否已按设置的密码策略修改(也可以询问密码长度及组成自行判断是否符合密码策略。
这个自行询问了
b) 应具有登录失败处理功能,应配置并启用结束会话、限制非法登录次数和当登录连接超时自动退出等相关措施;
1 查看登录失败处理策略:
cat /etc/pam.d/system-auth
[user@localhost ~]$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
/etc/pam.d/system-auth文件中包含如下行:
auth required pam_tally2.so deny=5 even_deny_root unlock_time=600
上面表示登陆失败5次后600s后再尝试
(当然这台虚拟机啥也没有
去看看/etc/profile 在这里应该设置export TMOUT= 300。
[user@localhost ~]$ cat /etc/profile
# /etc/profile
# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrc
# It's NOT a good idea to change this file unless you know what you
# are doing. It's much better to create a custom.sh shell script in
# /etc/profile.d/ to make custom changes to your environment, as this
# will prevent the need for merging in future updates.
pathmunge () {
case ":${PATH}:" in
*:"$1":*)
;;
*)
if [ "$2" = "after" ] ; then
PATH=$PATH:$1
else
PATH=$1:$PATH
fi
esac
}
if [ -x /usr/bin/id ]; then
if [ -z "$EUID" ]; then
# ksh workaround
EUID=`/usr/bin/id -u`
UID=`/usr/bin/id -ru`
fi
USER="`/usr/bin/id -un`"
LOGNAME=$USER
MAIL="/var/spool/mail/$USER"
fi
# Path manipulation
if [ "$EUID" = "0" ]; then
pathmunge /usr/sbin
pathmunge /usr/local/sbin
else
pathmunge /usr/local/sbin after
pathmunge /usr/sbin after
fi
HOSTNAME=`/usr/bin/hostname 2>/dev/null`
HISTSIZE=1000
if [ "$HISTCONTROL" = "ignorespace" ] ; then
export HISTCONTROL=ignoreboth
else
export HISTCONTROL=ignoredups
fi
export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL
# By default, we want umask to get set. This sets it for login shell
# Current threshold for system reserved uid/gids is 200
# You could check uidgid reservation validity in
# /usr/share/doc/setup-*/uidgid file
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
umask 002
else
umask 022
fi
for i in /etc/profile.d/*.sh /etc/profile.d/sh.local ; do
if [ -r "$i" ]; then
if [ "${-#*i}" != "$-" ]; then
. "$i"
else
. "$i" >/dev/null
fi
fi
done
unset i
unset -f pathmunge
当然这里示例也没有 没有配置
c) 当进行远程管理时,应采取必要措施防止鉴别信息在网络传输过程中被窃听;
这里应核查是否采用加密等安全方式对系统进行远程管理,防止鉴别信息在网络传输过程中被窃听。所以用采取远程ssh链接的方式。所以这里采用主机远程控制下主机。采用的工具是xshell。
步骤1:访谈系统管理员,进行远程管理的方式。
可以先看看自己的虚拟机支不支持ssh
可以输入如图的命令查一下(笑死我之前为了这个脚手架安装半天 后面原来这里面就默认有
输入下更改配置文件
sudo vi /etc/ssh/sshd_config
将这个port 22前面的#取消掉,后面框框部分改成yes用于可以让root用户可以使用
配置好使用xshell链接
这部分我的centos配置不成功,需要后面再看看
d) 应采用口令、密码技术、生物技术等两种或两种以上组合的鉴别技术对用户进行身份鉴别,且其中一种鉴别技术至少应使用密码技术来实现。
这部分访谈和核查系统管理员在登录操作系统的过程中使用了哪些身份鉴别方法,是否采用了两种或两种以上组合的鉴别技术,如口令教字证书Ukey、令牌、指纹等,是否有一种鉴别方法在鉴别过程中使用了密码技术