CIS_CentOS_Linux_7_Benchmark_v3.1.1.pdf资源-CSDN文库

需积分: 26 182 浏览量 2021-08-04 11:47:34 上传评论收藏 4.3MB PDF 举报

CIS_CentOS_Linux_7_Benchmark_v3.1.1.pdf文件是关于如何安全配置CentOS Linux 7系统的指南。这份文档由Center for Internet Security（CIS）发布，旨在为用户提供一套标准化的安全基准测试，以帮助管理员加强系统安全防护。本文档涵盖了系统初始设置、软件更新配置、服务配置以及系统管理等多个方面的安全建议。 ### 文档概览文档首先介绍了使用的条款和版权信息，紧接着介绍了目标受众、共识指导原则以及评估状态。文档中定义了不同的安全配置文件，以及对CIS Benchmark项目表示感谢的内容。 ### 初始设置初始设置部分详细说明了如何对CentOS Linux 7进行初始安全配置。内容包括对文件系统的配置、各种分区的配置、文件系统挂载选项的设置，以及如何确保系统中不存在不必要的文件系统类型。 #### 文件系统配置文档建议禁用未使用的文件系统，包括但不限于cramfs、squashfs和udf。这些文件系统在大多数Linux发行版中很少使用，且可能成为攻击者的攻击点。例如，*.*.*.*条款推荐确保cramfs文件系统的挂载被禁用，*.*.*.*条款推荐确保squashfs文件系统的挂载被禁用。这些措施都可以通过自动化脚本执行，确保系统的一致性和安全性。 #### 分区和挂载选项对于像/tmp、/dev/shm、/var、/var/tmp、/var/log、/var/log/audit、/home和可移动介质分区，文档中建议设置特定的挂载选项，如noexec、nodev和nosuid。例如，1.1.2条款要求确保/tmp目录被正确配置，而1.1.3条款要求确保/tmp分区没有执行权限。这些措施用来防止潜在的代码执行和恶意文件安装。对于/dev/shm，文档建议在1.1.6条款中设置noexec、nodev和nosuid选项，以限制该分区的使用。1.1.17条款要求为/home目录单独分区，并在1.1.18条款中为其设置nodev选项，以防止对设备文件的访问。文档中还提及了可移动介质分区的安全配置（如1.1.19条款至1.1.21条款），以及设置具有写权限的目录的粘滞位（1.1.22条款），以防止非所有者删除或重命名文件。 ### 软件更新配置在软件更新配置部分（1.2ConfigureSoftwareUpdates），文档说明了如何保证系统软件包的更新安全。特别建议确保软件包的GPG密钥被正确配置，以验证软件包的完整性和来源。 ### 总结 CIS_CentOS_Linux_7_Benchmark_v3.1.1.pdf文件是一份详尽的指南，它为管理员提供了一个详细的安全配置清单，以强化CentOS Linux 7系统的安全性。通过一系列的配置建议，包括文件系统的禁用、分区策略、挂载选项的正确设置，以及软件更新的安全配置，管理员可以大大减少安全漏洞的风险，并提升系统的整体安全性。这份文档强调了遵循共识指导和社区最佳实践的重要性，并体现了在保障系统安全时细致和周到考虑的必要性。遵循这些准则不仅可以提高系统的防御能力，还能为可能的安全审核提供一个预先准备好的基础。

资源推荐

资源详情

资源评论

CIS CentOS Linux 7 Benchmark

v3.1.1 - 05-21-2021

| P a g e  
 
Table of Contents 
Terms of Use ........................................................................................................................................................... 1 
Overview ............................................................................................................................................................... 13 
Intended Audience ........................................................................................................................................ 13 
Consensus Guidance ..................................................................................................................................... 13 
Assessment Status......................................................................................................................................... 14 
Profile Definitions ......................................................................................................................................... 15 
Acknowledgements ...................................................................................................................................... 16 
Recommendations ............................................................................................................................................. 17 
Initial Setup .................................................................................................................................................. 17 
1 Filesystem Configuration ............................................................................................................... 18 
1.1 Disable unused filesystems ................................................................................................... 19 
1.1.1 Ensure mounting of cramfs filesystems is disabled (Automated) ................ 20 
1.1.2 Ensure mounting of squashfs filesystems is disabled (Automated) ............. 22 
1.1.3 Ensure mounting of udf filesystems is disabled (Automated) ........................ 24 
1.2 Ensure /tmp is configured (Automated) .................................................................... 26 
1.3 Ensure noexec option set on /tmp partition (Automated) .................................. 30 
1.4 Ensure nodev option set on /tmp partition (Automated) ................................... 32 
1.5 Ensure nosuid option set on /tmp partition (Automated) .................................. 34 
1.6 Ensure /dev/shm is configured (Automated) .......................................................... 36 
1.7 Ensure noexec option set on /dev/shm partition (Automated) ........................ 38 
1.8 Ensure nodev option set on /dev/shm partition (Automated) ......................... 40 
1.9 Ensure nosuid option set on /dev/shm partition (Automated) ........................ 42 
1.10 Ensure separate partition exists for /var (Automated) ..................................... 44 
1.11 Ensure separate partition exists for /var/tmp (Automated) ........................... 46 
1.12 Ensure /var/tmp partition includes the noexec option (Automated) .......... 48 
1.13 Ensure /var/tmp partition includes the nodev option (Automated) ........... 50 
1.14 Ensure /var/tmp partition includes the nosuid option (Automated) .......... 52 
1.15 Ensure separate partition exists for /var/log (Automated) ............................. 54 
1.16 Ensure separate partition exists for /var/log/audit (Automated) ................ 56 

| P a g e  
 
1.17 Ensure separate partition exists for /home (Automated)................................. 58 
1.18 Ensure /home partition includes the nodev option (Automated) ................. 60 
1.19 Ensure removable media partitions include noexec option (Automated) .. 62 
1.20 Ensure nodev option set on removable media partitions (Automated) ...... 64 
1.21 Ensure nosuid option set on removable media partitions (Automated) ..... 66 
1.22 Ensure sticky bit is set on all world-writable directories (Automated) ...... 68 
1.23 Disable Automounting (Automated) ......................................................................... 70 
1.24 Disable USB Storage (Automated) .............................................................................. 72 
2 Configure Software Updates ......................................................................................................... 74 
2.1 Ensure GPG keys are configured (Manual) ................................................................ 75 
2.2 Ensure package manager repositories are configured (Manual) ...................... 77 
2.3 Ensure gpgcheck is globally activated (Automated) .............................................. 79 
3 Filesystem Integrity Checking ...................................................................................................... 81 
3.1 Ensure AIDE is installed (Automated) ......................................................................... 82 
3.2 Ensure filesystem integrity is regularly checked (Automated) ......................... 84 
4 Secure Boot Settings ........................................................................................................................ 87 
4.1 Ensure bootloader password is set (Automated) .................................................... 88 
4.2 Ensure permissions on bootloader config are configured (Automated) ........ 92 
4.3 Ensure authentication required for single user mode (Automated) ............... 95 
5 Additional Process Hardening ..................................................................................................... 97 
5.1 Ensure core dumps are restricted (Automated) ...................................................... 98 
5.2 Ensure XD/NX support is enabled (Automated) ................................................... 100 
5.3 Ensure address space layout randomization (ASLR) is enabled (Automated)
 .............................................................................................................................................................. 102 
5.4 Ensure prelink is not installed (Automated) ........................................................... 104 
6 Mandatory Access Control ........................................................................................................... 106 
6.1 Configure SELinux .................................................................................................................. 107 
6.1.1 Ensure SELinux is installed (Automated) ............................................................. 108 
6.1.2 Ensure SELinux is not disabled in bootloader configuration (Automated)
 .............................................................................................................................................................. 110 
6.1.3 Ensure SELinux policy is configured (Automated) ........................................... 112 

| P a g e  
 
6.1.4 Ensure the SELinux mode is enforcing or permissive (Automated) .......... 114 
6.1.5 Ensure the SELinux mode is enforcing (Automated) ....................................... 117 
6.1.6 Ensure no unconfined services exist (Automated) ........................................... 119 
6.1.7 Ensure SETroubleshoot is not installed (Automated) ..................................... 121 
6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed 
(Automated) .................................................................................................................................... 123 
7 Command Line Warning Banners ............................................................................................. 125 
7.1 Ensure message of the day is configured properly (Automated) .................... 126 
7.2 Ensure local login warning banner is configured properly (Automated) .... 128 
7.3 Ensure remote login warning banner is configured properly (Automated)
 .............................................................................................................................................................. 130 
7.4 Ensure permissions on /etc/motd are configured (Automated) .................... 132 
7.5 Ensure permissions on /etc/issue are configured (Automated) .................... 134 
7.6 Ensure permissions on /etc/issue.net are configured (Automated) ............. 136 
8 GNOME Display Manager ............................................................................................................. 138 
8.1 Ensure GNOME Display Manager is removed (Manual) ..................................... 139 
8.2 Ensure GDM login banner is configured (Automated) ........................................ 141 
8.3 Ensure last logged in user display is disabled (Automated) ............................. 143 
8.4 Ensure XDCMP is not enabled (Automated) ............................................................ 145 
9 Ensure updates, patches, and additional security software are installed 
(Manual) ........................................................................................................................................... 147 
Services ........................................................................................................................................................ 149 
1 inetd Services .................................................................................................................................... 150 
1.1 Ensure xinetd is not installed (Automated) ............................................................. 151 
2 Special Purpose Services .............................................................................................................. 153 
2.1 Time Synchronization ........................................................................................................... 154 
2.1.1 Ensure time synchronization is in use (Manual) ............................................... 155 
2.1.2 Ensure chrony is configured (Automated) ........................................................... 157 
2.1.3 Ensure ntp is configured (Automated) .................................................................. 159 
2.2 Ensure X11 Server components are not installed (Automated) ...................... 162 
2.3 Ensure Avahi Server is not installed (Automated) ............................................... 164 