
ZXUN USPP

(CGSL )

V1.0

24
()

Internal Use Only

V1.0

2011-1-11

1
2

<
>
All Rights reserved, No Spreading abroad without Permission of ZTE

Internal Use Only


1 ....................................................................................................4
2 ..........................................................................................................................4
2.1 ...................................................................................................................4
2.2 ...................................................................................................................6
2.3 ...................................................................................................................9
2.4 //..........................................................................................................11
2.5 ...................................................................................................................17
2.6 ....................................................................................................................21

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

Internal Use Only

HLR CGSL


HLR CGSL

CIS
2 CGSL

2
2.1
2.1.1

ZTE-LINUX-SSP-01

cat /etc/klinux-release
# cat /etc/klinux-release
TAG_CGS_MAIN_V3_02_00_P1

CGSL

2.1.2

ZTE-LINUX-SSP-02

#chkconfig off

#service stop

windows
smb

nfsserver
autofs
NIS
ypbind
ypserv
yppasswdd
ncpfs NFSwindows
ncpfs

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

Internal Use Only


apach2
named
postgresql
mysql
squid
xfs

apach
DNS
SQL
cache
X Font Server

[FAILED]
[root]# ps -ef|grep smb
root 10993 7390 0 11:34 pts/0 00:00:00 grep smb
[root]# service smb stop
Shutting down SMB services:
[FAILED]
Shutting down NMB services:
[FAILED]
CGSL nfsserver ypserv yppasswdd
ncpfsapach2namedpostgresqlmysql
error reading information on service ncpfs: No such file or directory
ncpfs: unrecognized service

2.1.3

ZTE-LINUX-SSP-03

xinetd
#chkconfig <servicename> off
xinetd
#/etc/init.d/xinetd restart

#chkconfig telnet off


/* telnet */
#/etc/init.d/xinetd restart /* xinetd */

CGSL

chargen-dgram

chargen-stream

cvs

daytime-dgram

daytime-stream

echo-dgram

echo-stream

gssftp

rsync

telnet

time-dgram

time-stream

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

Internal Use Only

linux ssh xinetd


xinetd

2.1.4

ZTE-LINUX-SSP-04

ftp ftp

#chkconfig vsftpd off

#service vsftpd stop

/IQT/(windows) ftp,
os ftp omc ems ems
omc ftp os ftp
FTP
zte_udc_securitycfg.cfg no yes

2.2
2.2.1

ZTE-LINUX-UAP-01

a/etc/passwd /etc/shadow
#cp /etc/passwd /etc/passwd_bak
#cp /etc/shadow /etc/shadow_bak
b
#userdel username
gameslp
c
# usermod -L username

bin, daemon, ftp, gdm, ldap, haldaemon, mail, man, ntp, news, nobody, uucp

/etc/shadow !usermod -U

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

Internal Use Only


root su
root su
2.2.2

ZTE-LINUX-UAP-02

CGS-V3.00.12.P6 CGS Linux /etc/pam.d/system-auth


zte
CGS-V3.00.12.P6 CGS Linux , /etc/pam.d/system-auth
pam_cracklib.so
password requisite pam_cracklib.so use_authtok retry=3 dcredit=-1 ucredit=-1 lcredit=-1
ocredit=-1 minlen=8 zte

retry ucredit lcredit


dcredit ocredit

2.2.3

ZTE-LINUX-UAP-03

/etc/login.defs
/etc/login.defs
#vi /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
PASS_MAX_DAYS PASS_MIN_DAYS
PASS_WARN_AGE

#chage -m 0 -M 90 $NAME

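# Apply the /etc/login.defs aging policy (PASS_MIN_DAYS 0, PASS_MAX_DAYS 90)
# to accounts that already exist, since login.defs only governs accounts
# created after it is edited. Regular users are taken to be UID >= 500 (the
# threshold this document uses) and UID 65534 (nobody) is left alone, as in
# the original loop. The UID is read straight from /etc/passwd instead of
# forking `id` once per account, and each entry is quoted so a user name or
# UID field that is empty or malformed cannot derail the loop.
while IFS=: read -r name _ uid _; do
  [ -n "$name" ] || continue
  # A non-numeric UID field would make the -ge test fail noisily; skip it.
  case $uid in *[!0-9]*|'') continue ;; esac
  if [ "$uid" -ge 500 ] && [ "$uid" -ne 65534 ]; then
    chage -m 0 -M 90 "$name" \
      || printf 'warning: chage failed for %s\n' "$name" >&2
  fi
done < /etc/passwd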

uid 500
root

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

Internal Use Only


login.defs
root /etc/shadow
/etc/shadow /etc/shadow /etc/login.defs
chage -m 0 -M 90 $NAME aging
information not changed/etc/shadow

PASS_MAX_DAYS root ,/etc/passwd


change
""
os

2.2.4

ZTE-LINUX-UAP-04

5 5
/etc/pam.d/system-auth
password required pam_pwhistory.so use_authtok remember=5

2.2.5

ZTE-LINUX-UAP-05

1)
# awk -F: '($2 == "!!") { print $1 }' /etc/shadow

2) rootUID0
#awk -F: '($3 == 0) { print $1 }' /etc/passwd
root
3) id>500
/
ssh

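# Report regular accounts (UID >= 500) whose home directory from /etc/passwd
# does not exist on disk. The extracted original lost the closing `}'` and
# input file of its awk program as well as the `-d` and `-e` option dashes;
# it is reconstructed here on the assumption that, like the surrounding awk
# examples, it read /etc/passwd. Reading the fields with `read` keeps home
# paths containing spaces intact and needs no awk at all.
while IFS=: read -r _ _ uid _ _ home _; do
  # Skip malformed entries rather than feeding a non-number to -ge.
  case $uid in *[!0-9]*|'') continue ;; esac
  if [ "$uid" -ge 500 ] && [ ! -d "$home" ]; then
    printf '%s have been set up,please modify home dir permission!\n' "$home"
  fi
done < /etc/passwd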

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

Internal Use Only

2.2.6

2.3
2.3.1

ZTE-LINUX-UAP-06

/etc/group root root

ZTE-LINUX-SKC-01 CoreDump

/etc/pam.d/login session required /lib/security/pam_limits.so


limits.conf pam_limits.so login
session required pam_limits.so

/etc/security/limits.conf
* soft core 0
* hard core 0
soft limits.conf hard limits.conf

ulimit -c unlimited core


root ulimit -c unlimited core root
su root core ulimit -c unlimited

zte_udc_securitycfg.cfg zte_linux_skc_1:yes

2.3.2

ZTE-LINUX-SKC-02

/etc/security/limits.conf
* soft stack 4096
* hard stack 4096

2.3.3

ZTE-LINUX-SKC-03 shell

/etc/shellsshell

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

Internal Use Only


/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh

/etc/shells shell
/etc/shells shell

2.3.4

/etc/cron.allow /etc/at.allow root


cron at
/etc/cron.deny /etc/at.deny 2 deny allow
allow
allow deny deny
2

/etc/cron.allow /etc/at.allow root

2.3.5

ZTE-LINUX-SKC-04 at/cron root

ZTE-LINUX-SKC-05

1/etc/sysctl.confTCP/IP
TCP SYN Cookie
net.ipv4.tcp_syncookies = 1
IP
net.ipv4.conf.all.accept_source_route = 0
ICMP
net.ipv4.conf.all.accept_redirects = 0
IP
net.ipv4.conf.default.rp_filter = 1
ICMP
net.ipv4.icmp_echo_ignore_all = 1
ICMP
net.ipv4.icmp_echo_ignore_broadcasts = 1

net.ipv4.icmp_ignore_bogus_error_responses = 1
IP
net.ipv4.conf.all.log_martians = 1
TCP

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

10

Internal Use Only


net.ipv4.tcp_max_orphans = 256

net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

net.ipv4.tcp_max_syn_backlog = 4096
2
# /etc/init.d/network restart

IP_forward LBS net.ipv4.conf.all.rp_filter


uagw
zte_udc_securitycfg.cfg

2.4
2.4.1

//
ZTE-LINUX-AAA-01

1) SSH

/etc/ssh/sshd_config300
ssh5
ClientAliveInterval 300
ssh
2)Shell
# vi /etc/profile

TMOUT=300 ; export TMOUT

2.4.2

ZTE-LINUX-AAA-02

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

11

Internal Use Only


KDE
CGSL ->->
,:
Activate screensaver when computer is idle
Lock screen when screensaver is active

gnome
gnome screensaver dbus
chkconfig
ps

dbus-daemon CGSL dbus-daemon messagebus

# gnome-screensaver-preferences

Activate screensaver when session is idle


Lock screen when screensaver is active

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

12

Internal Use Only

idle/ 5
root

# Pin the GNOME screensaver policy in the mandatory gconf source, which
# users cannot override from their own settings: activate on idle, lock
# when active, 5 minute idle delay, lock immediately. gconftool-2's stdout
# is discarded for every key, exactly as the individual invocations did.
gconf_mandatory_src=xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.mandatory

# $1 = gconf type, $2 = key path, $3 = value
set_screensaver_key() {
  gconftool-2 --direct \
    --config-source "$gconf_mandatory_src" \
    --type "$1" \
    --set "$2" "$3" > /dev/null
}

set_screensaver_key bool /apps/gnome-screensaver/idle_activation_enabled true
set_screensaver_key bool /apps/gnome-screensaver/lock_enabled true
set_screensaver_key int /apps/gnome-screensaver/idle_delay 5
set_screensaver_key int /apps/gnome-screensaver/lock_delay 0

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

13

Internal Use Only


.gconfd

2.4.3

2.4.4

ZTE-LINUX-AAA-03

/etc/pam.d/system-auth
auth required pam_tally.so onerr=succeed deny=3 unlock_time=60
unlock_time

ZTE-LINUX-AAA-04 umask

/etc/profile/etc/csh.login/etc/csh.cshrc/etc/bashrc
umask 027

/etc/profile
#vi /etc/profile
umask 027

2) .bash_profile.bashrc.profile.kshrc.login.cshrc.tcshrc shell
umask
/etc/passwd
.bash_profile.bashrc.profile.kshrc.login.cshrc.tcshrc
umask027

2.4.5

ZTE-LINUX-AAA-05 SSH

OpenSSH ssh
# ps -ef|grep ssh
root
5009 1 0 14:00 ?
00:00:00 /usr/sbin/sshd
sshd ssh
sshd ssh
# /etc/init.d/sshd start

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

14

Internal Use Only


Starting sshd:

[ OK ]

SSH SSH 2
/etc/ssh/ssh_config Host * Protocol 2
protocol 1 protocol 2 Protocol
2 Protocol 2
Protocol 2,1 #Protocol 2,1
Protocol 1 #Protocol 1
/etc/ssh/sshd_config :
Protocol 2
# ssh2 ssh1
AllowTcpForwarding yes AllowTcpForwarding no
X11Forwarding yes X11Forwarding no
/etc/init.d/sshd stop sshd /etc/init.d/sshd
start sshd

2.4.6

ZTE-LINUX-AAA-06

SSH
/etc/issue /etc/issue.net /etc/motd
Authorized uses only. All activity may be monitored and reported
SSH
X Windows xdmkdmgdm

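# Install the authorised-use greeting into the xdm login screen. The edit is
# generated from Xresources-preCIS, the copy taken before hardening, so it
# can be re-run; it is skipped when that copy is missing instead of emptying
# Xresources through the redirect of a failing awk. The final diff exits
# non-zero whenever the greeting actually changed (diff's normal result), so
# this snippet's exit status is not an error indicator.
if [ -e /etc/X11/Xresources ]; then
  if [ ! -r /etc/X11/Xresources-preCIS ]; then
    printf '/etc/X11/Xresources-preCIS not found; greeting left unchanged\n' >&2
  elif cd /etc/X11 && xres_tmp=$(mktemp /etc/X11/Xresources.XXXXXX); then
    # The resource name contains a literal '*'. The original pattern
    # /xlogin*greeting:/ read it as "zero or more n" and therefore never
    # matched the "xlogin*greeting:" line; the star has to be escaped.
    if awk '/xlogin\*greeting:/ { print "xlogin*greeting: Authorized uses only!"; next }
            { print }' Xresources-preCIS > "$xres_tmp"; then
      chown root:root "$xres_tmp"
      chmod 644 "$xres_tmp"
      mv -f -- "$xres_tmp" Xresources
      diff Xresources-preCIS Xresources
    else
      rm -f -- "$xres_tmp"
    fi
  fi
fi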

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

15

Internal Use Only

2.4.7

ZTE-LINUX-AAA-07 IP

/etc/hosts.deny /etc/hosts.allow/etc
hosts.denyhosts.allow
ssh
# ps -ef|grep ssh
root
5009 1 0 14:00 ?
00:00:00 /usr/sbin/sshd
sshd ssh
sshd ssh
# /etc/init.d/sshd start
Starting sshd:
[ OK ]
sshd ip
# vi /etc/hosts.allow

sshd : 192.168.1.101
192.168.1.101 SSH ip ip ,

sshd : 192.168.1.101,192.168.1.102
# vi /etc/hosts.deny

sshd : ALL

ip
zte_udc_securitycfg.cfg zte_linux_aaa_7:yes
zte_udc_enhance_param.sh IP IP

2.4.8 ZTE-LINUX-AAA-08 root

SSH
#vi /etc/ssh/sshd_config
PermitRootLogin yes
PermitRootLogin no //#

#service sshd restart ssh

X
root

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

16

Internal Use Only


gnome /etc/gdm/custom.conf KDE
/etc/opt/kde3/share/config/kdm/kdmrc
AllowRemoteRoot=true false
#service xdm restart
xdm

SSH PermitRootLogin
no cygwin

unix ssh

zte_udc_securitycfg.cfg yes

2.5
2.5.1

ZTE-LINUX-FFS-01 nodev

/etc/fstab nodev

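# Add the nodev mount option to every non-root ext2/ext3/reiserfs entry of
# /etc/fstab. Expects the working copy /etc/fstab.tmp to exist already
# (cp -p /etc/fstab /etc/fstab.tmp, as shown in 2.5.3). Entries that
# already carry nodev are left alone so a repeated run cannot produce
# "defaults,nodev,nodev", and the result is written to a temporary file
# first so a failing awk cannot leave /etc/fstab truncated.
# NOTE(review): ext4 and xfs entries are not matched by this pattern —
# extend it if such partitions exist on the target.
if fstab_new=$(mktemp /etc/fstab.XXXXXX); then
  if awk '($3 ~ /^ext[23]$|^reiserfs$/ && $2 != "/" && $4 !~ /(^|,)nodev(,|$)/) { $4 = $4 ",nodev" }
          { print }' /etc/fstab.tmp > "$fstab_new"; then
    chmod 644 "$fstab_new" && mv -f -- "$fstab_new" /etc/fstab
  else
    rm -f -- "$fstab_new"
  fi
fi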

2.5.2

2.5.3

ZTE-LINUX-FFS-02 nodev

/etc/fstab CDROM Floppy nodev


suid

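# Add nodev to every non-root ext2/ext3/reiserfs entry of /etc/fstab so
# device nodes on those file systems are ignored. A working copy is taken
# with cp -p as before; the rewritten table goes to a temporary file and is
# moved into place only when awk succeeds, so a failure cannot leave
# /etc/fstab truncated. Entries already containing nodev are skipped so the
# step is idempotent ("defaults,nodev" rather than "defaults,nodev,nodev").
# NOTE(review): ext4 and xfs entries are not matched by this pattern —
# extend it if such partitions exist on the target.
if cp -p /etc/fstab /etc/fstab.tmp && fstab_new=$(mktemp /etc/fstab.XXXXXX); then
  if awk '($3 ~ /^ext[23]$|^reiserfs$/ && $2 != "/" && $4 !~ /(^|,)nodev(,|$)/) { $4 = $4 ",nodev" }
          { print }' /etc/fstab.tmp > "$fstab_new"; then
    chmod 644 "$fstab_new" && mv -f -- "$fstab_new" /etc/fstab
  else
    rm -f -- "$fstab_new"
  fi
  rm -f /etc/fstab.tmp
fi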

ZTE-LINUX-FFS-03

/etc/fstab cdrom floppy nouser


fstab defaults
nouser defaults nouser

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

17

Internal Use Only

/dev/hdb1 /home ext2 defaults 1 2


/dev/cdrom /media/cdrom auto ro,noauto,nouser,exec 0 0

2.5.4

2.5.5

ZTE-LINUX-FFS-04 Sticky Bit

f
A
P
in
` T R
r
{
}
2
$
;
`
b
a
t
sp
f/c t
e
/
f
v
e
d
x
n
i
T
R e
A
p
\( -perm - 0002 -a ! -perm -10t00n
\) -pri
D
o

o
r
y

find -exec chmod o+t {} \;

ZTE-LINUX-FFS-05

f
"
=
o
!
6
$
r
(
i
T
R
A
n
P
a
`
w
k
'
f
v
e
d
x
n
i
T
R e
A
p
\( -perm - 0002 -a ! -perm -10t00n
\)i-pr
o
d
n

2.5.6

ZTE-LINUX-FFS-06 SUID/SGID

f
"
=
o
!
6
r
$
i
T
R
A
(
n
P
`
a
w
k
'
/
f
d
n

t
i

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

18

Internal Use Only


2.5.7

ZTE-LINUX-FFS-07

{
}
2
$
dP$
n
i
f
od

in0' ( "

2.5.8

ZTE-LINUX-FFS-08

750 . 1-499 500 65535


500
f
o
`
'(
:
F
3
$
k
w
a
6
c
h
ch
o
d
n

2.5.9

ZTE-LINUX-FFS-09

.*
f
o
`
'(
:
F
3
$
k
w
a
6
d
f
D
$
n
i
r
oFEL I
o
if [ ! -h "$FILE" -a -f "$FILE" ]; then
c
f
i
d
o
d

2.5.10 ZTE-LINUX-FFS-10

root : root 644

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

19

Internal Use Only


/etc/fstab
/etc/shadow
/etc/passwd
/etc/hosts.allow
/etc/hosts.deny
/etc/xinetd.conf
/etc/grub.conf
/etc/inittab
/etc/crontab
# chmod -R 750 /etc/init.d/*
# chmod 644 /etc/passwd
# chmod 600 /etc/shadow
# chmod 644 /etc/group
# chmod -R go-w /etc

2.5.11 ZTE-LINUX-FFS-11

root : root 700

/bin/ping (755)
/usr/bin/finger
/usr/bin/who
/usr/bin/w
/usr/bin/locate
/usr/bin/whereis
/sbin/ifconfig
/bin/vi
/usr/bin/which
/usr/bin/gcc
/usr/bin/make
/bin/rpm

2.5.12 ZTE-LINUX-FFS-12

.rhosts

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

20

Internal Use Only


.rhosts
.rhost 600
/etc/hosts.equiv
.netrc

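# Delete ~/.netrc from every home directory listed in /etc/passwd; the file
# stores clear-text FTP credentials. Reading the passwd fields with `read`
# keeps home paths containing spaces intact, and an empty home field is
# skipped so the loop never inspects /.netrc by accident.
while IFS=: read -r _ _ _ _ _ home _; do
  [ -n "$home" ] || continue
  if [ -e "$home/.netrc" ]; then
    printf 'Removing %s\n' "$home/.netrc"
    rm -f -- "$home/.netrc"
  fi
done < /etc/passwd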
/root/.rhosts
# Replace the r-command / ssh host-based trust files with symlinks to
# /dev/null so that stale or planted entries can never be honoured.
for file in \
  /root/.rhosts \
  /root/.shosts \
  /etc/hosts.equiv \
  /etc/shosts.equiv
do
  rm -f -- "$file"
  ln -s /dev/null "$file"
done

2.6
2.6.1

ZTE-LINUX-LOG-01

ps -ef | grep syslogd,

#chkconfig syslog on
#service syslog start

2.6.2

ZTE-LINUX-LOG-02

#vi /etc/login.defs

LASTLOG_ENAB yes
FAILLOG_ENAB yes

/var/log/wtmp login /var/log/lastlog


<>
All Rights reserved, No Spreading abroad without Permission of ZTE

21

Internal Use Only


/var/run/utmp session. who, last,
lastlog
#who
/* /var/run/utmp */
#last
/* /var/log/wtmp */
#lastlog
/* /var/log/lastlog */
/var/log/wtmp wtmp, 2G
FTP sftp

2.6.3

ZTE-LINUX-LOG-03

CGSL
accton acct
#rpm -qa | grep acct

psacct-6.3.2-44.el5

rpm acct
acct psacct
#accton /var/account/pacct
accounting /var/account/pacct

#accton

#lastcomm

2.6.4

/var/account/pacct
acct CGSL
acct accton /var/account/pacct

ZTE-LINUX-LOG-04

/etc/syslog.conf
*.info;mail.none;authpriv.none;cron.none
/var/log/messages
syslog ,

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

22

Internal Use Only


# service syslog restart
/var/log/messages

2.6.5

2.6.6

*.info;mail.none;authpriv.none;cron.none
/var/log/messages

ZTE-LINUX-LOG-05

/etc/logrotate.d root:root 644


/etc/syslog.conf root:root 644

ZTE-LINUX-LOG-06 syslog

/etc/sysconfig/syslog SYSLOGD_OPTIONS -r x

SYSLOGD_OPTIONS="-r -x -m 0"

<>
All Rights reserved, No Spreading abroad without Permission of ZTE

23
