
ZXUN USPP (CGSL ) V1.0

24 ()

Internal Use Only

V1.0 / / 2011-1-11


All Rights reserved, No Spreading abroad without Permission of ZTE


Contents

1 ........ 4
2 ........ 4
2.1 ...... 4
2.2 ...... 6
2.3 ...... 9
2.4 ...... 11
2.5 ...... 17
2.6 ...... 21


1

HLR CGSL

CIS 2 CGSL 3

2

2.1

2.1.1 ZTE-LINUX-SSP-01

Check the CGSL release installed on the system:

    # cat /etc/klinux-release
    TAG_CGS_MAIN_V3_02_00_P1

2.1.2 ZTE-LINUX-SSP-02

Disable every system service the node does not need, both at boot and immediately:

    # chkconfig <service> off
    # service <service> stop

Services covered by this item: smb (Windows file sharing), nfsserver (NFS), autofs, NIS (ypbind, ypserv, yppasswdd), ncpfs (NetWare file system), apache2, named (DNS), postgresql and mysql (SQL), squid (cache), xfs (X Font Server).

Stopping a service that is not running reports [FAILED]; this is harmless:

    [root]# ps -ef|grep smb
    root 10993 7390 0 11:34 pts/0 00:00:00 grep smb
    [root]# service smb stop
    Shutting down SMB services: [FAILED]
    Shutting down NMB services: [FAILED]

On CGSL the services nfsserver, ypserv, yppasswdd, ncpfs, apache2, named, postgresql and mysql may not be installed at all, in which case the commands report:

    error reading information on service ncpfs: No such file or directory
    ncpfs: unrecognized service

2.1.3 ZTE-LINUX-SSP-03

Disable the xinetd services that are not needed, then restart xinetd:

    # chkconfig <service> off
    # /etc/init.d/xinetd restart

For example, to disable telnet:

    # chkconfig telnet off          /* disable telnet */
    # /etc/init.d/xinetd restart    /* restart xinetd */

xinetd services present on CGSL: chargen-dgram, chargen-stream, cvs, daytime-dgram, daytime-stream, echo-dgram, echo-stream, gssftp, rsync, telnet, time-dgram, time-stream. Linux administration is done over ssh, so none of these xinetd services is normally required and xinetd itself can be disabled.

2.1.4 ZTE-LINUX-SSP-04

Disable the FTP service unless it is required:

    # chkconfig vsftpd off
    # service vsftpd stop

FTP is used by the IQT tool (Windows) and for file transfer between the OMC/EMS and the OS; set the switch for this item in zte_udc_securitycfg.cfg to yes or no accordingly.

2.2

2.2.1 ZTE-LINUX-UAP-01

a) Back up /etc/passwd and /etc/shadow first:

    # cp /etc/passwd /etc/passwd_bak
    # cp /etc/shadow /etc/shadow_bak

b) Delete accounts that are not needed (for example games, lp):

    # userdel username

c) Lock system accounts that cannot be deleted:

    # usermod -L username

Accounts to lock: bin, daemon, ftp, gdm, ldap, haldaemon, mail, man, ntp, news, nobody, uucp. Locking prefixes the password field in /etc/shadow with "!"; usermod -U unlocks the account again.

Log in as an ordinary user and switch to root with su rather than logging in as root directly.

2.2.2 ZTE-LINUX-UAP-02

Password complexity is enforced by pam_cracklib in /etc/pam.d/system-auth (CGS-V3.00.12.P6, CGS Linux):

    password requisite pam_cracklib.so use_authtok retry=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8

retry=3 allows three attempts at choosing a new password; ucredit=-1, lcredit=-1, dcredit=-1 and ocredit=-1 require at least one upper-case letter, one lower-case letter, one digit and one other character; minlen=8 is the minimum length.

2.2.3 ZTE-LINUX-UAP-03

Password aging is set in /etc/login.defs:

    # vi /etc/login.defs
    PASS_MAX_DAYS 90
    PASS_MIN_DAYS 0
    PASS_WARN_AGE 7

PASS_MAX_DAYS is the maximum validity of a password, PASS_MIN_DAYS the minimum interval between changes and PASS_WARN_AGE the number of days of warning before expiry. These values only apply to accounts created afterwards; existing accounts keep their aging fields in /etc/shadow, which are updated with chage (# chage -m 0 -M 90 $NAME). The following loop does this for every ordinary account (UID 500 and above, excluding nobody with UID 65534; root and the system accounts are not touched):

    for NAME in `cut -d: -f1 /etc/passwd`; do
        uid=`id -u $NAME`
        if [ $uid -ge 500 -a $uid != 65534 ]; then
            chage -m 0 -M 90 $NAME
        fi
    done

If chage reports "aging information not changed", the account's entry in /etc/shadow was not updated.

2.2.4 ZTE-LINUX-UAP-04

Keep a history of the last 5 passwords so that they cannot be reused, in /etc/pam.d/system-auth:

    password required pam_pwhistory.so use_authtok remember=5

2.2.5 ZTE-LINUX-UAP-05

Check the account database:

1) Accounts whose password has never been set:

    # awk -F: '($2 == "!!") { print $1 }' /etc/shadow

2) Accounts with UID 0; only root may be listed:

    # awk -F: '($3 == 0) { print $1 }' /etc/passwd
    root

3) Every account with UID 500 or above must have an existing home directory (ssh logins need it):

    for DIR in `awk -F: '{ if ($3 >= 500) print $6 }' /etc/passwd`; do
        if [ ! -d $DIR ]; then
            echo -e "$DIR has not been set up, please create it and set the home dir permission!"
        fi
    done

2.2.6 ZTE-LINUX-UAP-06

Check /etc/group: only root may be a member of the root group.
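An audit helper for the account checks of 2.2.3 and 2.2.5, added here and not part of the ZTE document: each function takes a passwd- or shadow-format file as its argument, so it runs on copies such as the /etc/passwd_bak made in 2.2.1 as well as on the constructed sample below. The sample user names and the root-prefix argument of missing_homes are assumptions.

```shell
# Added audit helper, not from the ZTE document. Each function takes a
# passwd- or shadow-format file as $1, so it runs on copies such as the
# /etc/passwd_bak made in 2.2.1 as well as on the constructed sample below.

# 2.2.5 check 1): accounts whose password field is "!!" (never set).
unset_passwords() {
    awk -F: '($2 == "!!") { print $1 }' "$1"
}

# 2.2.5 check 2): UID 0 accounts other than root (should print nothing).
extra_uid0() {
    awk -F: '($3 == 0 && $1 != "root") { print $1 }' "$1"
}

# 2.2.3: accounts the chage loop applies to (UID >= 500, not nobody/65534).
aging_scope() {
    awk -F: '($3 >= 500 && $3 != 65534) { print $1 }' "$1"
}

# 2.2.5 check 3): home directories of UID >= 500 accounts that do not exist.
# $2 is an optional root prefix (assumption) so the check can run offline.
missing_homes() {
    for DIR in $(awk -F: '($3 >= 500) { print $6 }' "$1"); do
        [ -d "$2$DIR" ] || echo "$DIR"
    done
}

# Constructed sample data: toor is a second UID-0 account, ems has no
# password and no home directory, omc is compliant.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/root/home/omc"
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
omc:x:500:500:OMC user:/home/omc:/bin/bash
ems:x:501:501:EMS user:/home/ems:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$constructed$notarealhash:15000:0:90:7:::
bin:*:15000:0:99999:7:::
toor:!!:15000:0:99999:7:::
omc:$6$constructed$notarealhash:15000:0:99999:7:::
ems:!!:15000:0:99999:7:::
nobody:*:15000:0:99999:7:::
EOF
```

On a live system pass /etc/passwd and /etc/shadow (and no prefix) instead of the sample files.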

2.3

2.3.1 ZTE-LINUX-SKC-01

Disable core dumps. /etc/pam.d/login must load pam_limits so that /etc/security/limits.conf is applied at login:

    session required /lib/security/pam_limits.so

(on CGSL the line reads "session required pam_limits.so"). Then set in /etc/security/limits.conf:

    * soft core 0
    * hard core 0

The soft limit is the value in effect; a user may raise it with ulimit up to the hard limit but not beyond it. root is not bound by the hard limit: after su to root, ulimit -c unlimited enables core files again, so core dumps remain available to root when they are needed. The item is controlled by zte_linux_skc_1:yes in zte_udc_securitycfg.cfg.

2.3.2 ZTE-LINUX-SKC-02

Limit the stack size in /etc/security/limits.conf:

    * soft stack 4096
    * hard stack 4096

2.3.3 ZTE-LINUX-SKC-03

Only the shells listed in /etc/shells may be used as login shells:

    /bin/sh
    /bin/bash
    /sbin/nologin
    /bin/tcsh
    /bin/csh
    /bin/ksh

Remove any other shell from /etc/shells.

2.3.4 ZTE-LINUX-SKC-04

Restrict at and cron to root. Access is governed by /etc/cron.allow, /etc/at.allow, /etc/cron.deny and /etc/at.deny: when an allow file exists, only the users listed in it may use the service; when it does not, the deny file is consulted and the users listed there are refused. Create /etc/cron.allow and /etc/at.allow containing only root.

2.3.5 ZTE-LINUX-SKC-05

1) Harden the TCP/IP stack in /etc/sysctl.conf:

    # TCP SYN cookies
    net.ipv4.tcp_syncookies = 1
    # refuse IP source-routed packets
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.default.accept_source_route = 0
    # ignore ICMP redirects
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.all.secure_redirects = 0
    net.ipv4.conf.default.secure_redirects = 0
    # do not send ICMP redirects
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.send_redirects = 0
    # reverse-path filtering of source IP addresses
    net.ipv4.conf.default.rp_filter = 1
    # ignore ICMP echo requests, echo broadcasts and bogus ICMP error responses
    net.ipv4.icmp_echo_ignore_all = 1
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    net.ipv4.icmp_ignore_bogus_error_responses = 1
    # log packets with impossible source addresses
    net.ipv4.conf.all.log_martians = 1
    # TCP limits
    net.ipv4.tcp_max_orphans = 256
    net.ipv4.tcp_max_syn_backlog = 4096
    # no IP forwarding
    net.ipv4.ip_forward = 0

2) Apply the settings:

    # /etc/init.d/network restart

Exceptions: IP forwarding is needed by LBS and net.ipv4.conf.all.rp_filter affects uagw; these two are controlled through zte_udc_securitycfg.cfg.
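A compliance check for the SKC-05 parameters, added here and not part of the ZTE document: it reads a file in the "key = value" form of /etc/sysctl.conf (or a saved sysctl -a dump) and lists every baseline key that is absent or set differently, using a constructed sample file with one missing key and two overridden values.

```shell
# Added compliance check, not from the ZTE document: lists every SKC-05 key
# that is absent from, or set differently in, a "key = value" file such as
# /etc/sysctl.conf or a saved `sysctl -a` dump. Values are those of 2.3.5.
SKC05_BASELINE='net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.icmp_echo_ignore_all 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.ip_forward 0
net.ipv4.tcp_max_orphans 256
net.ipv4.tcp_max_syn_backlog 4096'

# check_sysctl FILE: print "key expected actual" per deviation ("-" = absent);
# the last assignment of a key wins, as it does for sysctl itself.
# Returns 0 only when every baseline key matches.
check_sysctl() {
    bad=0
    while read -r key want; do
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')      # dots taken literally
        have=$(sed -n "s/^[[:space:]]*$pat[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
        if [ "${have:--}" != "$want" ]; then
            echo "$key $want ${have:--}"
            bad=1
        fi
    done <<EOF
$SKC05_BASELINE
EOF
    return $bad
}

# Constructed sample: log_martians missing, two keys overridden with bad values.
SAMPLE_SYSCTL=$(mktemp)
{
    echo "$SKC05_BASELINE" | grep -v log_martians | sed 's/ / = /'
    echo 'net.ipv4.ip_forward = 1'
    echo 'net.ipv4.tcp_syncookies = 0'
} > "$SAMPLE_SYSCTL"
```

Run check_sysctl against /etc/sysctl.conf to audit the configured values, or against the output of sysctl -a saved to a file to audit the running kernel.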

2.4

2.4.1 ZTE-LINUX-AAA-01

Idle sessions are terminated after 5 minutes (300 s).

1) SSH: in /etc/ssh/sshd_config

    ClientAliveInterval 300

2) Shell: in /etc/profile

    # vi /etc/profile
    TMOUT=300 ; export TMOUT

2.4.2 ZTE-LINUX-AAA-02

Lock the graphical screen when it is idle.

KDE (CGSL): in the KDE control centre enable "Activate screensaver when computer is idle" and "Lock screen when screensaver is active".

GNOME: gnome-screensaver needs dbus; check that the messagebus service is enabled (chkconfig) and that dbus-daemon is running (ps). Then run

    # gnome-screensaver-preferences

and enable "Activate screensaver when session is idle" and "Lock screen when screensaver is active".

To make these settings mandatory for all users, with an idle time of 5 minutes, run as root:

    gconftool-2 --direct \
      --config-source xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.mandatory \
      --type bool \
      --set /apps/gnome-screensaver/idle_activation_enabled true > /dev/null
    gconftool-2 --direct \
      --config-source xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.mandatory \
      --type bool \
      --set /apps/gnome-screensaver/lock_enabled true > /dev/null
    gconftool-2 --direct \
      --config-source xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.mandatory \
      --type int \
      --set /apps/gnome-screensaver/idle_delay 5 > /dev/null
    gconftool-2 --direct \
      --config-source xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.mandatory \
      --type int \
      --set /apps/gnome-screensaver/lock_delay 0 > /dev/null

2.4.3 ZTE-LINUX-AAA-03

Lock an account after 3 failed logins, in /etc/pam.d/system-auth:

    auth required pam_tally.so onerr=succeed deny=3 unlock_time=60

unlock_time is the lock duration in seconds.

2.4.4 ZTE-LINUX-AAA-04

Default umask 027.

1) Set umask 027 in /etc/profile, /etc/csh.login, /etc/csh.cshrc and /etc/bashrc:

    # vi /etc/profile
    umask 027

2) The shell start-up files in the home directories listed in /etc/passwd (.bash_profile, .bashrc, .profile, .kshrc, .login, .cshrc, .tcshrc) must not set a weaker umask; set umask 027 there as well.

2.4.5 ZTE-LINUX-AAA-05

Use OpenSSH for remote access. Check that sshd is running and start it if necessary:

    # ps -ef|grep ssh
    root 5009 1 0 14:00 ? 00:00:00 /usr/sbin/sshd
    # /etc/init.d/sshd start
    Starting sshd: [ OK ]

Only SSH protocol 2 is allowed. Client side, in /etc/ssh/ssh_config:

    Host *
    Protocol 2

Server side, in /etc/ssh/sshd_config:

    Protocol 2              # ssh2 only; "Protocol 2,1", "#Protocol 2,1", "Protocol 1" and "#Protocol 1" are not acceptable
    AllowTcpForwarding no   # default is yes
    X11Forwarding no        # default is yes

Restart sshd afterwards:

    /etc/init.d/sshd stop
    /etc/init.d/sshd start

2.4.6 ZTE-LINUX-AAA-06

Login banners. Put the text "Authorized uses only. All activity may be monitored and reported" in /etc/issue, /etc/issue.net and /etc/motd, so that it is shown for SSH and console logins. For X Window logins (kdm, gdm, xdm) set the greeting in /etc/X11/Xresources; Xresources-preCIS is a copy of the original file made before the change:

    if [ -e /etc/X11/Xresources ]; then
        cd /etc/X11
        awk '/xlogin*greeting:/ \
            { print "xlogin*greeting: Authorized uses only!"; next }; { print }' \
            Xresources-preCIS > Xresources
        chown root:root Xresources
        chmod 644 Xresources
        diff Xresources-preCIS Xresources
    fi

2.4.7 ZTE-LINUX-AAA-07

Restrict SSH access to specific IP addresses with /etc/hosts.allow and /etc/hosts.deny (TCP wrappers). sshd must be running (see 2.4.5). Allow the management addresses:

    # vi /etc/hosts.allow
    sshd : 192.168.1.101

Several addresses are separated by commas:

    sshd : 192.168.1.101,192.168.1.102

Deny everything else:

    # vi /etc/hosts.deny
    sshd : ALL

The item is enabled by zte_linux_aaa_7:yes in zte_udc_securitycfg.cfg; the allowed IP addresses are supplied through zte_udc_enhance_param.sh.

2.4.8 ZTE-LINUX-AAA-08

Forbid remote root login.

SSH: in /etc/ssh/sshd_config change

    PermitRootLogin yes

to

    PermitRootLogin no

(remove the leading # if the line is commented out) and restart the service:

    # service sshd restart

X display managers: in /etc/gdm/custom.conf (GNOME) or /etc/opt/kde3/share/config/kdm/kdmrc (KDE) change AllowRemoteRoot=true to false and restart:

    # service xdm restart

PermitRootLogin no applies to every ssh client, whether it runs on cygwin or unix. The item is controlled by the corresponding yes switch in zte_udc_securitycfg.cfg.

2.5

2.5.1 ZTE-LINUX-FFS-01

Mount every ext2/ext3/reiserfs file system other than / with the nodev option. The following adds nodev to the matching entries in /etc/fstab:

    cp -p /etc/fstab /etc/fstab.tmp
    awk '($3 ~ /^ext[23]$|^reiserfs$/ && $2 != "/") { $4 = $4 ",nodev" }; \
        { print }' /etc/fstab.tmp > /etc/fstab
    rm -f /etc/fstab.tmp

2.5.2 ZTE-LINUX-FFS-02

Removable media entries (CD-ROM, floppy) in /etc/fstab are mounted with nodev and nosuid.

2.5.3 ZTE-LINUX-FFS-03

The cdrom and floppy entries in /etc/fstab use nouser instead of defaults, so that only root can mount them. Example entries:

    /dev/hdb1    /home          ext2  defaults                1 2
    /dev/cdrom   /media/cdrom   auto  ro,noauto,nouser,exec   0 0

2.5.4 ZTE-LINUX-FFS-04

World-writable directories must have the sticky bit set. Find directories that are world-writable without it:

    for PART in `awk '($6 != "0") { print $2 }' /etc/fstab`; do
        find $PART -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
    done

and set it with

    find <directory> -exec chmod o+t {} \;

2.5.5 ZTE-LINUX-FFS-05

Find world-writable files:

    for PART in `awk '($6 != "0") { print $2 }' /etc/fstab`; do
        find $PART -xdev -type f \( -perm -0002 -a ! -perm -1000 \) -print
    done

2.5.6 ZTE-LINUX-FFS-06

List SUID/SGID files and check that each one is required:

    for PART in `awk '($6 != "0") { print $2 }' /etc/fstab`; do
        find $PART -xdev -type f \( -perm -04000 -o -perm -02000 \) -print
    done

2.5.7 ZTE-LINUX-FFS-07

2.5.8 ZTE-LINUX-FFS-08

Home directories of user accounts (UID 500 to 65535; UIDs 1-499 are system accounts) must have permission 750:

    for DIR in `awk -F: '($3 >= 500 && $3 <= 65535) { print $6 }' /etc/passwd`; do
        chmod 750 $DIR
    done

2.5.9 ZTE-LINUX-FFS-09

Dot files (.*) in user home directories must not be group- or world-writable:

    for DIR in `awk -F: '($3 >= 500) { print $6 }' /etc/passwd`; do
        for FILE in $DIR/.[A-Za-z0-9]*; do
            if [ ! -h "$FILE" -a -f "$FILE" ]; then
                chmod go-w "$FILE"
            fi
        done
    done

2.5.10 ZTE-LINUX-FFS-10

System configuration files are owned by root:root with mode 644 (/etc/shadow 600): /etc/fstab, /etc/shadow, /etc/passwd, /etc/hosts.allow, /etc/hosts.deny, /etc/xinetd.conf, /etc/grub.conf, /etc/inittab, /etc/crontab.

    # chmod -R 750 /etc/init.d/*
    # chmod 644 /etc/passwd
    # chmod 600 /etc/shadow
    # chmod 644 /etc/group
    # chmod -R go-w /etc

2.5.11 ZTE-LINUX-FFS-11

The following commands are owned by root:root with mode 700, so that only root can run them: /bin/ping (755), /usr/bin/finger, /usr/bin/who, /usr/bin/w, /usr/bin/locate, /usr/bin/whereis, /sbin/ifconfig, /bin/vi, /usr/bin/which, /usr/bin/gcc, /usr/bin/make, /bin/rpm.

2.5.12 ZTE-LINUX-FFS-12

No .rhosts, .shosts, /etc/hosts.equiv or .netrc files may exist (a .rhosts file that has to be kept has mode 600). Remove .netrc from every home directory:

    for DIR in `cut -f6 -d: /etc/passwd`; do
        if [ -e $DIR/.netrc ]; then
            echo "Removing $DIR/.netrc"
            rm -f $DIR/.netrc
        fi
    done

Replace /root/.rhosts and the host equivalence files by links to /dev/null:

    for FILE in /root/.rhosts /root/.shosts /etc/hosts.equiv \
                /etc/shosts.equiv; do
        rm -f $FILE
        ln -s /dev/null $FILE
    done

2.6

2.6.1 ZTE-LINUX-LOG-01

syslog must be running. Check with ps -ef | grep syslogd; enable and start it with:

    # chkconfig syslog on
    # service syslog start

2.6.2 ZTE-LINUX-LOG-02

Record logins and failed logins in /etc/login.defs:

    # vi /etc/login.defs
    LASTLOG_ENAB yes
    FAILLOG_ENAB yes

Login records are kept in /var/log/wtmp (all logins), /var/log/lastlog (last login of each user) and /var/run/utmp (current sessions) and are viewed with who, last and lastlog:

    # who       /* /var/run/utmp */
    # last      /* /var/log/wtmp */
    # lastlog   /* /var/log/lastlog */

Keep an eye on the size of /var/log/wtmp, which grows continuously (2G; FTP, sftp).

2.6.3 ZTE-LINUX-LOG-03

Process accounting. CGSL ships accton in the psacct package:

    # rpm -qa | grep acct
    psacct-6.3.2-44.el5

Start accounting to /var/account/pacct, stop it again, and inspect the records:

    # accton /var/account/pacct
    # accton
    # lastcomm

2.6.4 ZTE-LINUX-LOG-04

General messages go to /var/log/messages. /etc/syslog.conf must contain

    *.info;mail.none;authpriv.none;cron.none    /var/log/messages

then restart syslog:

    # service syslog restart

2.6.5 ZTE-LINUX-LOG-05

/etc/logrotate.d and /etc/syslog.conf are owned by root:root with mode 644.

2.6.6 ZTE-LINUX-LOG-06

syslogd options are set through SYSLOGD_OPTIONS in /etc/sysconfig/syslog (-r receives messages from remote hosts, -x disables name lookups, -m 0 disables MARK messages):

    SYSLOGD_OPTIONS="-r -x -m 0"