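I have a VPS running as a CentOS 6 Linux web server. It runs on KVM.
When I ran a Lynis audit, it noted that single-user mode and GRUB are not protected by any password/authentication: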
[16:00:28] Warning: No password set for single mode [AUTH-9308]
[15:59:26] Suggestion: Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
In addition, Lynis also mentioned storage drives:
[16:05:09] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
[16:05:09] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]
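Since this is a virtualized Linux instance and a server, is it actually beneficial to act on the points mentioned above? Adding an authentication mechanism to single-user mode and GRUB would actually cause problems during boot (particularly with GRUB), since it is a virtualized server and not a typical Linux desktop client, although Lynis obviously doesn't know that.
I'm not sure whether Lynis is coming from a server-configuration perspective, and that is where my confusion lies.
Any clarification on the highlighted points would be greatly appreciated!
Thanks,
Solution:
You can use centos-6.x-harden.sh, which I made for general hardening: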
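#!/bin/bash
# Log idle shells out after 15 minutes and make the history file setting read-only
echo "readonly TMOUT=900" >> /etc/profile.d/os-sec.sh
echo "readonly HISTFILE" >> /etc/profile.d/os-sec.sh
chmod +x /etc/profile.d/os-sec.sh
# Allow direct root login on tty1 only
echo "tty1" > /etc/securetty
chmod 700 /root
# Keep usb-storage from being auto-loaded (modprobe.d files need a .conf suffix)
echo "blacklist usb-storage" > /etc/modprobe.d/blacklist-usbstorage.conf
# Require the root password in single-user mode (SINGLE=/sbin/sulogin below).
# The delimiter is quoted so \\033 and ${RES_COL} are written to the file literally.
cat << 'EOF' > /etc/sysconfig/init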
BOOTUP=color
RES_COL=60
MOVE_TO_COL="echo -en \\033[${RES_COL}G"
SETCOLOR_SUCCESS="echo -en \\033[0;32m"
SETCOLOR_FAILURE="echo -en \\033[0;31m"
SETCOLOR_WARNING="echo -en \\033[0;33m"
SETCOLOR_NORMAL="echo -en \\033[0;39m"
PROMPT=no
AUTOSWAP=no
ACTIVE_CONSOLES=/dev/tty[1-6]
SINGLE=/sbin/sulogin
EOF
cat << EOF > /etc/init/control-alt-delete.override
start on control-alt-delete
exec /usr/bin/logger -p authpriv.notice -t init "Ctrl-Alt-Del was pressed and ignored"
EOF
cat << EOF > /tmp/grub.patch
--- grub.conf 2014-11-09 13:43:45.085378787 +0330
+++ grub.conf.new 2014-11-09 13:43:48.508377857 +0330
@@ -9,6 +9,7 @@
default=0
timeout=5
+password --md5 \$1\$T.IYz1\$wLQ21IjrUuMeLfkGd1Xby0
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
EOF
patch -s /boot/grub/grub.conf < /tmp/grub.patch
# alternate to the latter patch is: echo 'password --md5 $1$T.IYz1$wLQ21IjrUuMeLfkGd1Xby0' >> /boot/grub/grub.conf
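Review bot: the `+password --md5 ...` line in the grub.conf hunk carries a fixed hash that is identical in every copy of this script, so the GRUB menu ends up protected by a password whose hash is public. Generate your own hash with grub-md5-crypt and substitute it before the patch is applied. Also compare the hunk with your own /boot/grub/grub.conf first: the header `@@ -9,6 +9,7 @@` announces six and seven lines, but only four context lines and one added line are visible here, so patch may reject it as shown.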
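> Protects the shell if I leave a terminal open.
> Protects against terminal brute-forcing.
> Protects single-user mode by making the user provide the root password.
> Protects the GRUB menu by enforcing a password.
> Protects the system by disabling alt-ctrl-delete based reboot.
**Please consider changing the md5 hash to get the password you want.
Hope that helps.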
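To confirm afterwards that the settings behind AUTH-9308, BOOT-5122 and STRG-1840 are in place, a read-only check can be run against the same files. This is an added example, not part of the original answer; the function names and the root-prefix argument are assumptions made for it.

```bash
#!/bin/sh
# Added example: read-only checks for the three Lynis findings on this page.
# Function names and the root-prefix argument are assumptions of this example.
# Pass "" to check the live system, or a directory holding a copy of the files.

# AUTH-9308: init runs sulogin (asks for the root password) in single-user mode.
single_user_protected() {
    grep -Eqs '^[[:space:]]*SINGLE=/sbin/sulogin[[:space:]]*$' \
        "$1/etc/sysconfig/init"
}

# BOOT-5122: GRUB legacy protects the menu only when "password" is a global
# line, i.e. before the first "title"; inside a stanza it locks that entry only.
grub_password_set() {
    awk '/^[ \t]*title[ \t]/     { exit }
         /^[ \t]*password[ \t=]/ { found = 1; exit }
         END                     { exit !found }' \
        "$1/boot/grub/grub.conf" 2>/dev/null
}

# STRG-1840: usb-storage is blacklisted, or its load is replaced by a no-op.
usb_storage_disabled() {
    grep -Eqs '^[[:space:]]*(blacklist[[:space:]]+usb[-_]storage|install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(true|false))' \
        "$1"/etc/modprobe.d/*
}

# Print PASS/FAIL per check; the return status is the number of failed checks.
audit_boot_hardening() {
    failed=0
    for check in single_user_protected grub_password_set usb_storage_disabled; do
        if "$check" "$1"; then
            echo "PASS $check"
        else
            echo "FAIL $check"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Run only when a root prefix is given, e.g.:  sh check.sh ""
[ "$#" -eq 0 ] || audit_boot_hardening "$1"
```

A password line appended to the end of grub.conf lands after the title stanzas, so grub_password_set reports it as not protecting the menu.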