Preparation Instructions
This article is based on the “GB/T 22239-2019 Information Security Technology – Basic Requirements for Cybersecurity Level Protection” and “GB/T 28448-2019 Information Security Technology – Evaluation Requirements for Cybersecurity Level Protection”, combined with international security standards such as CIS Linux Benchmark v3.0.0 and NIST SP 800-171 r3. It is applicable to security configuration auditing and hardening for Linux operating systems such as CentOS/RHEL 7+ and Ubuntu 20.04+, meeting the requirements of Level Protection 2.0 Tier 3.
Core Objectives
-
Provide executable security configuration verification methods
-
Clarify the handling process for high-risk scenarios
-
Establish a standardized compliance evidence chain
-
Achieve closed-loop management of security requirements
Scope of Application
-
Identity Authentication
-
Access Control
-
Security Auditing
-
Intrusion Prevention
-
Data Backup
-
Five Core Security Domains
Identity Authentication
Security Requirement: Password Policy Enforcement
Technical Verification Method:
Complexity Verification: grep “pam_pwquality” /etc/pam.d/system-auth
Empty Password Account Detection: awk -F: ‘$2 == “” {print $1}’ /etc/shadow
Compliance Evidence Requirements:
PAM Policy: minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
Password Validity ≤ 90 days (PASS_MAX_DAYS=90)
High-Risk Scenarios:Empty Password Accounts
Security Requirement: Login Failure Lockout
Technical Verification Method:
Brute Force Testing: ssh user@ip fails 5 times in a row
Lockout Status Check: faillock –user testuser
Compliance Evidence Requirements:
PAM Configuration: auth required pam_faillock.so deny=5 unlock_time=600 Auto-unlock time ≥ 10 minutes
High-Risk Scenarios:
Failure Lockout Not Configured (Detection Command: grep “deny=” /etc/pam.d/* | grep -v “#”)
Security Requirement: Remote Management Encryption
Technical Verification Method:
Protocol Sniffing: Wireshark to verify encryption of port 22 traffic
Configuration Check: sshd -T | grep -E “ciphers|macs”
Weak Algorithm Detection: nmap -p22 –script ssh2-enum-algos
Compliance Evidence Requirements:
Disable Weak Encryption: Ciphers aes256-ctr
Certificate Authentication: PubkeyAuthentication yes
High-Risk Scenarios:
Telnet Service Enabled (Detection Command: systemctl status telnet)
Security Requirement: Two-Factor Authentication
Technical Verification Method:
PAM Integration Testing: Verify Google Authenticator dynamic code
Log Check: grep “pam_google_authenticator” /var/log/auth.log (Ubuntu) or /var/log/secure (RHEL)
Compliance Evidence Requirements:
PAM Configuration: auth required pam_google_authenticator.so Ukey
Driver Load: lsmod | grep uhid
High-Risk Scenarios:Only Static Password Authentication (Detection Command: grep -q “pam_google_authenticator.so” /etc/pam.d/sshd)
Access Control
Security Requirement: User Lifecycle
Technical Verification Method:
Inactive Account Detection: lastlog | grep “Never logged in”
Sharing Detection: Audit log analysis for multiple logins from the same account
Compliance Evidence Requirements: Single Account Concurrent Sessions ≤ 3
High-Risk Scenarios:Shared Accounts
Security Requirement: Mandatory Access Control
Technical Verification Method:
SELinux Status: sestatus | grep “Current mode”
Policy Testing: Low privilege user access to /etc/shadow (Command: sudo -u nobody cat /etc/shadow)
Compliance Evidence Requirements:
SELinux Mode: enforcing
Sensitive File Label: /etc/shadow system_u:object_r:shadow_t
High-Risk Scenarios:SELinux Disabled (Detection Command: getenforce | grep Disabled)
Security Auditing
Security Requirement: Full Auditing
Audit Rule Check:auditctl -l | grep -E “delete|sudo”
Behavior Verification: Regular user executes sudo rm /tmp/testfile
Compliance Evidence Requirements:Key Operation Audit: -a always,exit -F arch=b64 -S unlink -k file_deletion Audit field contains complete command
High-Risk Scenarios:auditd Service Not Enabled (Detection Command: systemctl status auditd)
Security Requirement: Audit Log Protection
Technical Verification Method:
1. Permission Test: Non-root user attempts to delete /var/log/audit/audit.log (Command: sudo -u testuser rm /var/log/audit/audit.log)
2. Log Rotation: grep max_log_file /etc/audit/auditd.conf
Compliance Evidence Requirements:Log File Permissions 600 (root:root) Log Retention: max_log_file=8 (units: MB)
High-Risk Scenarios:audit.log Permissions 777
Intrusion Prevention
Security Requirement: Service Minimization
Technical Verification Method:
Service Scan: systemctl list-unit-files | grep enabled
High-Risk Port Detection: ss -tuln | grep -E “:23|:111”
Compliance Evidence Requirements:Disabled Service List: telnet.socket, rpcbind• Open Ports Limited to 22,443
High-Risk Scenarios:NFS Service Enabled (Port 2049)
Security Requirement: Management Terminal Restrictions
Technical Verification Method:
TCPWrapper Check: grep “sshd:192.168.1.” /etc/hosts.allow
Privilege Escalation Test: Unauthorized IP attempts SSH connection
Compliance Evidence Requirements:Access Policy: sshd:192.168.1.0/24• Global Deny: ALL:ALL@/etc/hosts.deny
High-Risk Scenarios:Allowing 0.0.0.0 Access to SSH
Security Requirement: Vulnerability Remediation
Technical Verification Method:
Patch Scan: yum list updates –security
CVE Verification: lynis audit system
Compliance Evidence Requirements:Latest Kernel Version (e.g., 5.4.0-150-generic) Key Vulnerability Fix Evidence (CVE-2022-0847)
High-Risk Scenarios:Kernel Version Below 3.10.0-1160
Security Requirement: Intrusion Detection
Technical Verification Method:
1. HIDS Testing: Trigger Rootkit Detection Rules
2. Alert Verification: Simulate /tmp Directory Injection Test
Compliance Evidence Requirements:HIDS Alert Logs (including path, hash value) Real-time Alert Push Records (Email/SMS)
High-Risk Scenarios:File Integrity Monitoring (FIM) Not Deployed
Data Backup
Security Requirement: Local Hot Redundancy
Technical Verification Method:
1.Cluster Status Check: pcs status | grep “Online”
2. Data Synchronization Verification: drbdadm status
Compliance Evidence Requirements:Node Status: Online: [node1 node2] Resource Synchronization: UpToDate/UpToDate
High-Risk Scenarios:Single Machine Running Critical Services
Security Requirement: Offsite Real-Time Backup
Technical Verification Method:
Offsite Synchronization Verification: rsync -avz –dry-run /data backup@remote:/backup
Encryption Check: grep “secrets file” /etc/rsyncd.conf
Compliance Evidence Requirements:Scheduled Task: crontab -l | grep rsync Transmission Encryption: aes-256-cbc
High-Risk Scenarios:Offsite Backup Not Encrypted
Note: Network Security!
END
About Us:
Beijing Lujin Technology Co., Ltd. was established on January 4, 2019, and is a professional IT service company providing comprehensive system integration and information security solutions. The company adheres to the corporate vision of “Safeguarding Network Security” and the mission of “Enhancing National Overall Security”, conducting cybersecurity-related business based on risk assessment models and level protection standards, utilizing big data and other technological means. The company is committed to providing software and general solutions, system architecture, system management and data security services, as well as IT consulting planning, system integration, and system services for the informatization of various industries. Based in Beijing, the company is expanding nationwide, always adhering to the core values of “Empathy, Detail, Gratitude” and the business philosophy of “Win-Win, Share, Grow Together”, gathering a group of innovative, vibrant, and dedicated talents to serve the IT industry, and striving to become your network security expert.
Follow Lujin Technology, Follow Network Security!
Company: Beijing Lujin Technology Co., Ltd.
Address: 5th Floor, Building 2, No. 78, Shuangying West Road, Nanshao Town, Changping District, Beijing