Level 3 Security Baseline Configuration Checklist for Linux: 12 Items to Avoid High-Risk Evaluation!

“Can the system go live right after installation?”“Is it secure just because the firewall is enabled?”

Wrong! The first thing a security evaluator checks is your Linux baseline!

In a certain government cloud project, due to the lack of configuration for password complexity and login failure lockout, today, we have compiled a “Level 3 Linux System Security Baseline Configuration Checklist”, covering 6 major categories and 12 core configurations, each with executable commands, compatible with <span>Kylin</span>, <span>UnionTech</span>, <span>CentOS</span>, and <span>Ubuntu</span>, which can be directly implemented by government, enterprise, finance, and healthcare teams!

1. Identity Authentication (Security Requirement: Strong Password + Login Control)

✅ 1.1 Password Complexity Policy (must enable pam_pwquality)

# CentOS/RHEL/Kylin
echo "password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" >> /etc/pam.d/system-auth

# Ubuntu/UnionTech
echo "password requisite pam_pwquality.so retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" >> /etc/pam.d/common-password

🔹 Requirement: At least 8 characters, including uppercase and lowercase letters, numbers, and special characters

✅ 1.2 Password Validity ≤ 90 days, reminder 7 days before expiration

# Modify /etc/login.defs
sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS   90/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS   0/' /etc/login.defs
sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE   7/' /etc/login.defs

✅ 1.3 Lockout after 5 failed login attempts for 30 minutes

# Configure PAM faillock (CentOS 7+/Kylin V10+)
echo "auth required pam_faillock.so preauth silent deny=5 unlock_time=1800" >> /etc/pam.d/system-auth
echo "auth [default=die] pam_faillock.so authfail deny=5 unlock_time=1800" >> /etc/pam.d/system-auth
echo "account required pam_faillock.so" >> /etc/pam.d/system-auth

💡 Verification: faillock –user testuser

2. Access Control (Least Privilege + Account Cleanup)

✅ 2.1 Disable or delete unused accounts (e.g., games, ftp, news)

# Lock unused accounts
for user in games ftp news uucp; do
  if id "$user" >/dev/null; then
    usermod -L "$user"
    echo "Locked account: $user"
  fi
done

✅ 2.2 Disable remote SSH login for the root account

# Modify /etc/ssh/sshd_config
sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
systemctl restart sshd

✅ 2.3 Set timeout for automatic logout (10 minutes)

echo "TMOUT=600" >> /etc/profile
echo "readonly TMOUT" >> /etc/profile
echo "export TMOUT" >> /etc/profile

3. Security Auditing (Core Requirement! Must be enabled!)

✅ 3.1 Enable dual auditing with rsyslog + auditd

# Enable auditd (record critical system calls)
systemctl enable --now auditd
# Configure critical audit rules (/etc/audit/rules.d/protect.rules)
cat > /etc/audit/rules.d/protect.rules <<EOF
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k priv_esc
-a always,exit -F arch=b64 -S execve -k exec
EOF

# Restart to take effect
augenrules --load

✅ 3.2 Log retention ≥ 180 days, and cannot be tampered with

# Configure rsyslog for remote backup (recommended to connect to SIEM)
echo "*.info;mail.none;authpriv.none;cron.none @your-siem-server:514" >> /etc/rsyslog.conf

# Harden local log permissions
chmod 600 /var/log/*.log
chown root:root /var/log/*.log

4. Intrusion Prevention (Vulnerability + Patch Management)

✅ 4.1 Disable unnecessary services (e.g., avahi, cups, postfix)

systemctl disable --now avahi-daemon cups postfix

✅ 4.2 Regularly update the system (establish a patch management process)

# Create a patch check script (execute monthly)
echo "0 3 1 * * /usr/bin/yum check-update --security | mail -s 'Security Updates' [email protected]" >> /var/spool/cron/root

📌 Requirement: High-risk vulnerabilities must be fixed within 7 days, medium-risk within 30 days

5. Malicious Code Prevention

✅ 5.1 Deploy host antivirus software (mandatory requirement for Level 3)

Recommended for domestic environments:Qihoo 360 Network God Host Guardian, Venustech Tianxun, Huawei Cloud Host Security (HSS)

✅ 5.2 Disable USB auto-mounting (to prevent ferry attacks)

# Create udev rules to disable USB storage
echo 'SUBSYSTEM=="usb", ATTR{bDeviceClass}=="00", ACTION=="add", RUN+="/bin/sh -c \"echo 0 > /sys$DEVPATH/authorized\"' > /etc/udev/rules.d/99-disable-usb-storage.rules

6. Resource Control (Prevent DoS)

✅ 6.1 Limit user process count & memory (via limits.conf)

# /etc/security/limits.conf
cat >> /etc/security/limits.conf <<EOF
* soft nproc 100
* hard nproc 200
* soft as 2048000
* hard as 4096000
root soft nproc unlimited
root hard nproc unlimited
EOF

✅ 6.2 Configure kernel parameters to prevent SYN Flood

# /etc/sysctl.conf
cat >> /etc/sysctl.conf <<EOF
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_syn_retries = 2
EOF
sysctl -p

📋 Appendix: Level 3 Linux Baseline Inspection Checklist

Control Item Check Command Compliance Standard
Password Complexity <span>grep pam_pwquality /etc/pam.d/*</span> Enabled and policy compliant
Password Validity <span>grep PASS_MAX_DAYS /etc/login.defs</span> ≤90 days
Root Remote Login <span>grep PermitRootLogin /etc/ssh/sshd_config</span> no
Audit Logs <span>systemctl is-active auditd</span> active
Unused Accounts <span>awk -F: '$3<1000 && $1!="root" {print $1}' /etc/passwd</span> No active low UID accounts
Service Minimization <span>systemctl list-unit-files --state=enabled</span> Only necessary services

🌟 Final Thoughts

Security compliance is not just about "patching", but about "establishing a baseline".

A compliant Linux system,
is not secure just because it is installed,
but because every configuration line can withstand an audit.

It is recommended to include this checklist in your “System Go-Live Checklist”,

so that security starts from day one!

Recommended Reading

  • • Is your MySQL 8 exposed? These 6 scripts will automatically “armor” your database!
  • • How to effectively reduce the Swap usage of Linux servers? Practical guide

Level 3 Security Baseline Configuration Checklist for Linux: 12 Items to Avoid High-Risk Evaluation!

Leave a Comment