Technical Specifications for Security Compliance Configuration of Linux Systems

Preparation Instructions

This article is based on the “GB/T 22239-2019 Information Security Technology – Basic Requirements for Cybersecurity Level Protection” and “GB/T 28448-2019 Information Security Technology – Evaluation Requirements for Cybersecurity Level Protection”, combined with international security standards such as CIS Linux Benchmark v3.0.0 and NIST SP 800-171 r3. It is applicable to security configuration auditing and hardening for Linux operating systems such as CentOS/RHEL 7+ and Ubuntu 20.04+, meeting the requirements of Level Protection 2.0 Tier 3.

Core Objectives

  1. Provide executable security configuration verification methods

  2. Clarify the handling process for high-risk scenarios

  3. Establish a standardized compliance evidence chain

  4. Achieve closed-loop management of security requirements

Scope of Application

  • Identity Authentication

  • Access Control

  • Security Auditing

  • Intrusion Prevention

  • Data Backup

  • Five Core Security Domains

Identity Authentication

Security Requirement: Password Policy Enforcement

Technical Verification Method:

Complexity Verification: grep “pam_pwquality” /etc/pam.d/system-auth

Empty Password Account Detection: awk -F: ‘$2 == “” {print $1}’ /etc/shadow

Compliance Evidence Requirements:

PAM Policy: minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1

Password Validity ≤ 90 days (PASS_MAX_DAYS=90)

High-Risk Scenarios:Empty Password Accounts

Security Requirement: Login Failure Lockout

Technical Verification Method:

Brute Force Testing: ssh user@ip fails 5 times in a row

Lockout Status Check: faillock –user testuser

Compliance Evidence Requirements:

PAM Configuration: auth required pam_faillock.so deny=5 unlock_time=600 Auto-unlock time ≥ 10 minutes

High-Risk Scenarios:

Failure Lockout Not Configured (Detection Command: grep “deny=” /etc/pam.d/* | grep -v “#”)

Security Requirement: Remote Management Encryption

Technical Verification Method:

Protocol Sniffing: Wireshark to verify encryption of port 22 traffic

Configuration Check: sshd -T | grep -E “ciphers|macs”

Weak Algorithm Detection: nmap -p22 –script ssh2-enum-algos

Compliance Evidence Requirements:

Disable Weak Encryption: Ciphers aes256-ctr

Certificate Authentication: PubkeyAuthentication yes

High-Risk Scenarios:

Telnet Service Enabled (Detection Command: systemctl status telnet)

Security Requirement: Two-Factor Authentication

Technical Verification Method:

PAM Integration Testing: Verify Google Authenticator dynamic code

Log Check: grep “pam_google_authenticator” /var/log/auth.log (Ubuntu) or /var/log/secure (RHEL)

Compliance Evidence Requirements:

PAM Configuration: auth required pam_google_authenticator.so Ukey

Driver Load: lsmod | grep uhid

High-Risk Scenarios:Only Static Password Authentication (Detection Command: grep -q “pam_google_authenticator.so” /etc/pam.d/sshd)

Access Control

Security Requirement: User Lifecycle

Technical Verification Method:

Inactive Account Detection: lastlog | grep “Never logged in”

Sharing Detection: Audit log analysis for multiple logins from the same account

Compliance Evidence Requirements: Single Account Concurrent Sessions ≤ 3

High-Risk Scenarios:Shared Accounts

Security Requirement: Mandatory Access Control

Technical Verification Method:

SELinux Status: sestatus | grep “Current mode”

Policy Testing: Low privilege user access to /etc/shadow (Command: sudo -u nobody cat /etc/shadow)

Compliance Evidence Requirements:

SELinux Mode: enforcing

Sensitive File Label: /etc/shadow system_u:object_r:shadow_t

High-Risk Scenarios:SELinux Disabled (Detection Command: getenforce | grep Disabled)

Security Auditing

Security Requirement: Full Auditing

Audit Rule Check:auditctl -l | grep -E “delete|sudo”

Behavior Verification: Regular user executes sudo rm /tmp/testfile

Compliance Evidence Requirements:Key Operation Audit: -a always,exit -F arch=b64 -S unlink -k file_deletion Audit field contains complete command

High-Risk Scenarios:auditd Service Not Enabled (Detection Command: systemctl status auditd)

Security Requirement: Audit Log Protection

Technical Verification Method:

1. Permission Test: Non-root user attempts to delete /var/log/audit/audit.log (Command: sudo -u testuser rm /var/log/audit/audit.log)

2. Log Rotation: grep max_log_file /etc/audit/auditd.conf

Compliance Evidence Requirements:Log File Permissions 600 (root:root) Log Retention: max_log_file=8 (units: MB)

High-Risk Scenarios:audit.log Permissions 777

Intrusion Prevention

Security Requirement: Service Minimization

Technical Verification Method:

Service Scan: systemctl list-unit-files | grep enabled

High-Risk Port Detection: ss -tuln | grep -E “:23|:111”

Compliance Evidence Requirements:Disabled Service List: telnet.socket, rpcbind• Open Ports Limited to 22,443

High-Risk Scenarios:NFS Service Enabled (Port 2049)

Security Requirement: Management Terminal Restrictions

Technical Verification Method:

TCPWrapper Check: grep “sshd:192.168.1.” /etc/hosts.allow

Privilege Escalation Test: Unauthorized IP attempts SSH connection

Compliance Evidence Requirements:Access Policy: sshd:192.168.1.0/24• Global Deny: ALL:ALL@/etc/hosts.deny

High-Risk Scenarios:Allowing 0.0.0.0 Access to SSH

Security Requirement: Vulnerability Remediation

Technical Verification Method:

Patch Scan: yum list updates –security

CVE Verification: lynis audit system

Compliance Evidence Requirements:Latest Kernel Version (e.g., 5.4.0-150-generic) Key Vulnerability Fix Evidence (CVE-2022-0847)

High-Risk Scenarios:Kernel Version Below 3.10.0-1160

Security Requirement: Intrusion Detection

Technical Verification Method:

1. HIDS Testing: Trigger Rootkit Detection Rules

2. Alert Verification: Simulate /tmp Directory Injection Test

Compliance Evidence Requirements:HIDS Alert Logs (including path, hash value) Real-time Alert Push Records (Email/SMS)

High-Risk Scenarios:File Integrity Monitoring (FIM) Not Deployed

Data Backup

Security Requirement: Local Hot Redundancy

Technical Verification Method:

1.Cluster Status Check: pcs status | grep “Online”

2. Data Synchronization Verification: drbdadm status

Compliance Evidence Requirements:Node Status: Online: [node1 node2] Resource Synchronization: UpToDate/UpToDate

High-Risk Scenarios:Single Machine Running Critical Services

Security Requirement: Offsite Real-Time Backup

Technical Verification Method:

Offsite Synchronization Verification: rsync -avz –dry-run /data backup@remote:/backup

Encryption Check: grep “secrets file” /etc/rsyncd.conf

Compliance Evidence Requirements:Scheduled Task: crontab -l | grep rsync Transmission Encryption: aes-256-cbc

High-Risk Scenarios:Offsite Backup Not Encrypted

Note: Network Security!

END

About Us:

Beijing Lujin Technology Co., Ltd. was established on January 4, 2019, and is a professional IT service company providing comprehensive system integration and information security solutions. The company adheres to the corporate vision of “Safeguarding Network Security” and the mission of “Enhancing National Overall Security”, conducting cybersecurity-related business based on risk assessment models and level protection standards, utilizing big data and other technological means. The company is committed to providing software and general solutions, system architecture, system management and data security services, as well as IT consulting planning, system integration, and system services for the informatization of various industries. Based in Beijing, the company is expanding nationwide, always adhering to the core values of “Empathy, Detail, Gratitude” and the business philosophy of “Win-Win, Share, Grow Together”, gathering a group of innovative, vibrant, and dedicated talents to serve the IT industry, and striving to become your network security expert.

Follow Lujin Technology, Follow Network Security!

Company: Beijing Lujin Technology Co., Ltd.

Address: 5th Floor, Building 2, No. 78, Shuangying West Road, Nanshao Town, Changping District, Beijing

Leave a Comment