Professional Documents
Culture Documents
(CGSL )
V1.0
24
()
V1.0
2011-1-11
1
2
<
>
All Rights reserved, No Spreading abroad without Permission of ZTE
1 ....................................................................................................4
2 ..........................................................................................................................4
2.1 ...................................................................................................................4
2.2 ...................................................................................................................6
2.3 ...................................................................................................................9
2.4 //..........................................................................................................11
2.5 ...................................................................................................................17
2.6 ....................................................................................................................21
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
HLR CGSL
HLR CGSL
CIS
2 CGSL
2
2.1
2.1.1
ZTE-LINUX-SSP-01
cat /etc/klinux-release
# cat /etc/klinux-release
TAG_CGS_MAIN_V3_02_00_P1
CGSL
2.1.2
ZTE-LINUX-SSP-02
#chkconfig <servicename> off
#service <servicename> stop
windows
smb
nfsserver
autofs
NIS
ypbind
ypserv
yppasswdd
ncpfs NFSwindows
ncpfs
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
apach
DNS
SQL
cache
X Font Server
[FAILED]
[root]# ps -ef|grep smb
root 10993 7390 0 11:34 pts/0 00:00:00 grep smb
[root]# service smb stop
Shutting down SMB services:
[FAILED]
Shutting down NMB services:
[FAILED]
CGSL nfsserver ypserv yppasswdd
ncpfsapach2namedpostgresqlmysql
error reading information on service ncpfs: No such file or directory
ncpfs: unrecognized service
2.1.3
ZTE-LINUX-SSP-03
xinetd
#chkconfig <servicename> off
xinetd
#/etc/init.d/xinetd restart
CGSL
chargen-dgram
chargen-stream
cvs
daytime-dgram
daytime-stream
echo-dgram
echo-stream
gssftp
rsync
telnet
time-dgram
time-stream
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
2.1.4
ZTE-LINUX-SSP-04
ftp ftp
/IQT/(windows) ftp,
os ftp omc ems ems
omc ftp os ftp
FTP
zte_udc_securitycfg.cfg no yes
2.2
2.2.1
ZTE-LINUX-UAP-01
a/etc/passwd /etc/shadow
#cp /etc/passwd /etc/passwd_bak
#cp /etc/shadow /etc/shadow_bak
b
#userdel username
gameslp
c
# usermod -L username
bin, daemon, ftp, gdm, ldap, haldaemon, mail, man, ntp, news, nobody, uucp
/etc/shadow !usermod -U
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
ZTE-LINUX-UAP-02
2.2.3
ZTE-LINUX-UAP-03
/etc/login.defs
/etc/login.defs
#vi /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
PASS_MAX_DAYS PASS_MIN_DAYS
PASS_WARN_AGE
#chage -m 0 -M 90 $NAME
uid 500
root
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
2.2.4
ZTE-LINUX-UAP-04
5 5
/etc/pam.d/system-auth
password required pam_pwhistory.so use_authtok remember=5
2.2.5
ZTE-LINUX-UAP-05
1)
# awk -F: '($2 == "!!") { print $1 }' /etc/shadow
2) rootUID0
#awk -F: '($3 == 0) { print $1 }' /etc/passwd
root
3) id>500
/
ssh
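# Verify that every regular account (uid >= 500 on this release) has an
# existing home directory; the home directory is the 6th field of /etc/passwd.
# Reads /etc/passwd and prints one warning line per directory that is missing.
awk -F: '($3 >= 500) { print $6 }' /etc/passwd |
while IFS= read -r DIR; do
  # -d is false for a missing directory or for a path that is not a directory.
  if [ ! -d "$DIR" ]; then
    printf '%s\n' "$DIR have been set up,please modify home dir permission!"
  fi
done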
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
2.2.6
2.3
2.3.1
ZTE-LINUX-UAP-06
ZTE-LINUX-SKC-01 CoreDump
/etc/security/limits.conf
* soft core 0
* hard core 0
soft limits.conf hard limits.conf
zte_udc_securitycfg.cfg zte_linux_skc_1:yes
2.3.2
ZTE-LINUX-SKC-02
/etc/security/limits.conf
* soft stack 4096
* hard stack 4096
2.3.3
ZTE-LINUX-SKC-03 shell
/etc/shellsshell
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
/etc/shells shell
/etc/shells shell
2.3.4
2.3.5
ZTE-LINUX-SKC-05
1/etc/sysctl.confTCP/IP
TCP SYN Cookie
net.ipv4.tcp_syncookies = 1
IP
net.ipv4.conf.all.accept_source_route = 0
ICMP
net.ipv4.conf.all.accept_redirects = 0
IP
net.ipv4.conf.default.rp_filter = 1
ICMP
net.ipv4.icmp_echo_ignore_all = 1
ICMP
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
IP
net.ipv4.conf.all.log_martians = 1
TCP
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
10
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 4096
2
# /etc/init.d/network restart
2.4
2.4.1
//
ZTE-LINUX-AAA-01
1) SSH
/etc/ssh/sshd_config300
ssh5
ClientAliveInterval 300
ssh
2)Shell
# vi /etc/profile
2.4.2
ZTE-LINUX-AAA-02
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
11
gnome
gnome screensaver dbus
chkconfig
ps
# gnome-screensaver-preferences
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
12
idle/ 5
root
# Enforce the screensaver lock through the mandatory gconf source, which
# users cannot override; run as root. Each key is written with gconftool-2
# and its stdout is discarded.
set_screensaver_key() {
  local key=$1 type=$2 value=$3
  gconftool-2 --direct \
    --config-source xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.mandatory \
    --type "$type" \
    --set "/apps/gnome-screensaver/$key" "$value" > /dev/null
}
set_screensaver_key idle_activation_enabled bool true
set_screensaver_key lock_enabled bool true
set_screensaver_key idle_delay int 5
set_screensaver_key lock_delay int 0
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
13
2.4.3
2.4.4
ZTE-LINUX-AAA-03
/etc/pam.d/system-auth
auth required pam_tally.so onerr=succeed deny=3 unlock_time=60
unlock_time
ZTE-LINUX-AAA-04 umask
/etc/profile/etc/csh.login/etc/csh.cshrc/etc/bashrc
umask 027
/etc/profile
#vi /etc/profile
umask 027
2) .bash_profile.bashrc.profile.kshrc.login.cshrc.tcshrc shell
umask
/etc/passwd
.bash_profile.bashrc.profile.kshrc.login.cshrc.tcshrc
umask027
2.4.5
ZTE-LINUX-AAA-05 SSH
OpenSSH ssh
# ps -ef|grep ssh
root
5009 1 0 14:00 ?
00:00:00 /usr/sbin/sshd
sshd ssh
sshd ssh
# /etc/init.d/sshd start
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
14
[ OK ]
SSH SSH 2
/etc/ssh/ssh_config Host * Protocol 2
protocol 1 protocol 2 Protocol
2 Protocol 2
Protocol 2,1 #Protocol 2,1
Protocol 1 #Protocol 1
/etc/ssh/sshd_config :
Protocol 2
# ssh2 ssh1
AllowTcpForwarding yes AllowTcpForwarding no
X11Forwarding yes X11Forwarding no
/etc/init.d/sshd stop sshd /etc/init.d/sshd
start sshd
2.4.6
ZTE-LINUX-AAA-06
SSH
/etc/issue /etc/issue.net /etc/motd
Authorized uses only. All activity may be monitored and reported
SSH
X Windows xdmkdmgdm
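# Put the authorized-use banner into the X login greeting. The rewrite reads
# a pristine copy (Xresources-preCIS) so it can be repeated and diffed; the
# copy is taken from the live file the first time this runs.
if [ -e /etc/X11/Xresources ] && cd /etc/X11; then
  [ -e Xresources-preCIS ] || cp -p Xresources Xresources-preCIS
  # The key is the literal string "xlogin*greeting:", so the "*" must be
  # matched literally ([*]); as a bare regex quantifier it never matches and
  # the banner is silently not applied. Write to a temp file first: redirecting
  # straight onto Xresources truncates it before awk runs, so a failed awk
  # (e.g. missing input file) would leave it empty.
  if awk '/xlogin[*]greeting:/ \
    { print "xlogin*greeting: Authorized uses only!";next };
    { print }' Xresources-preCIS > Xresources.tmp; then
    mv -f Xresources.tmp Xresources
    chown root:root Xresources
    chmod 644 Xresources
    # diff exits 1 whenever the greeting line changed; that is expected.
    diff Xresources-preCIS Xresources
  else
    rm -f Xresources.tmp
    echo "failed to rewrite /etc/X11/Xresources" >&2
  fi
fi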
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
15
2.4.7
ZTE-LINUX-AAA-07 IP
/etc/hosts.deny /etc/hosts.allow/etc
hosts.denyhosts.allow
ssh
# ps -ef|grep ssh
root
5009 1 0 14:00 ?
00:00:00 /usr/sbin/sshd
sshd ssh
sshd ssh
# /etc/init.d/sshd start
Starting sshd:
[ OK ]
sshd ip
# vi /etc/hosts.allow
sshd : 192.168.1.101
192.168.1.101 SSH ip ip ,
sshd : 192.168.1.101,192.168.1.102
# vi /etc/hosts.deny
sshd : ALL
ip
zte_udc_securitycfg.cfg zte_linux_aaa_7:yes
zte_udc_enhance_param.sh IP IP
SSH
#vi /etc/ssh/sshd_config
PermitRootLogin yes
PermitRootLogin no //#
X
root
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
16
SSH PermitRootLogin
no cygwin
unix ssh
zte_udc_securitycfg.cfg yes
2.5
2.5.1
ZTE-LINUX-FFS-01 nodev
/etc/fstab nodev
2.5.2
2.5.3
ZTE-LINUX-FFS-02 nodev
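# Add the nodev mount option to every ext2/ext3/reiserfs entry in /etc/fstab
# except the root filesystem. Entries that already carry nodev are left alone,
# so the step is safe to re-run. The new content is staged in /etc/fstab.new
# and only copied over /etc/fstab after awk succeeds, so a failure cannot
# leave fstab truncated; cat (not mv) keeps fstab's inode and permissions.
cp -p /etc/fstab /etc/fstab.tmp &&
awk '($3 ~ /^ext[23]$|^reiserfs$/ && $2 != "/" && $4 !~ /(^|,)nodev(,|$)/) { $4 = $4 ",nodev" }; \
  { print }' /etc/fstab.tmp > /etc/fstab.new &&
cat /etc/fstab.new > /etc/fstab
rm -f /etc/fstab.tmp /etc/fstab.new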
ZTE-LINUX-FFS-03
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
17
2.5.4
2.5.5
f
A
P
in
` T R
r
{
}
2
$
;
`
b
a
t
sp
f/c t
e
/
f
v
e
d
x
n
i
T
R e
A
p
\( -perm - 0002 -a ! -perm -10t00n
\) -pri
D
o
o
r
y
ZTE-LINUX-FFS-05
f
"
=
o
!
6
$
r
(
i
T
R
A
n
P
a
`
w
k
'
f
v
e
d
x
n
i
T
R e
A
p
\( -perm - 0002 -a ! -perm -10t00n
\)i-pr
o
d
n
2.5.6
ZTE-LINUX-FFS-06 SUID/SGID
f
"
=
o
!
6
r
$
i
T
R
A
(
n
P
`
a
w
k
'
/
f
d
n
t
i
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
18
ZTE-LINUX-FFS-07
{
}
2
$
dP$
n
i
f
od
in0' ( "
2.5.8
ZTE-LINUX-FFS-08
2.5.9
ZTE-LINUX-FFS-09
.*
f
o
`
'(
:
F
3
$
k
w
a
6
d
f
D
$
n
i
r
oFEL I
o
if [ ! -h "$FILE" -a -f "$FILE" ]; then
c
f
i
d
o
d
2.5.10 ZTE-LINUX-FFS-10
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
19
2.5.11 ZTE-LINUX-FFS-11
/bin/ping (755)
/usr/bin/finger
/usr/bin/who
/usr/bin/w
/usr/bin/locate
/usr/bin/whereis
/sbin/ifconfig
/bin/vi
/usr/bin/which
/usr/bin/gcc
/usr/bin/make
/bin/rpm
2.5.12 ZTE-LINUX-FFS-12
.rhosts
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
20
2.6
2.6.1
ZTE-LINUX-LOG-01
ps -ef | grep syslogd,
#chkconfig syslog on
#service syslog start
2.6.2
ZTE-LINUX-LOG-02
#vi /etc/login.defs
LASTLOG_ENAB
FAILLOG_ENAB
yes
yes
21
2.6.3
ZTE-LINUX-LOG-03
CGSL
accton acct
#rpm -qa | grep acct
psacct-6.3.2-44.el5
rpm acct
acct psacct
#accton /var/account/pacct
accounting /var/account/pacct
#accton
#lastcomm
2.6.4
/var/account/pacct
acct CGSL
acct accton /var/account/pacct
ZTE-LINUX-LOG-04
/etc/syslog.conf
*.info;mail.none;authpriv.none;cron.none
/var/log/messages
syslog ,
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
22
2.6.5
2.6.6
*.info;mail.none;authpriv.none;cron.none
/var/log/messages
ZTE-LINUX-LOG-05
ZTE-LINUX-LOG-06 syslog
/etc/sysconfig/syslog SYSLOGD_OPTIONS -r x
SYSLOGD_OPTIONS="-r -x -m 0"
<>
All Rights reserved, No Spreading abroad without Permission of ZTE
23