LINUX Security CheckList
Date: 2006-07-24 Source: cifan
Get the system host name and domain name
hostname
domainname
# hostname
cat
# domainname
(none)
Get the system version
uname -a
# uname -a
Linux Sec 2.4.19 #17 SMP Wed Oct 30 14:18:13 CST 2002 i686 i686 i386 GNU/Linux
In this example the kernel version is 2.4.19. Compare the version against the vendor's current security advisories.
Get network interface information
ifconfig -a
# ifconfig -a
HWaddr: MAC address
inet addr: IP address
Bcast: broadcast address
Mask: netmask
If iproute2 is installed (confirm with rpm -qa | grep iproute), the ip command can also be used to get interface information.
Interface addresses:
# ip addr ls
Interface (link-layer) state:
# ip link ls
ARP (neighbour) table:
# ip neigh ls
Routing table:
# ip ro ls
See ip(8) for more ip commands, i.e. # man 8 ip
Get routing information
netstat -r
ip ro ls
# netstat -r
# ip ro ls
If the system has the ip command, prefer it for these checks.
1.5 Loaded kernel module check
List the loaded kernel modules
lsmod
# lsmod
lsmod reads /proc/modules, so a module that removes itself from the kernel's module list will not appear here; compare the list against the modules expected for this hardware and role.
Get the list of installed rpm packages
rpm -qa
# rpm -qa
Keep this list; rpm -Va later verifies the installed files (size, md5 digest, mode, owner) against the rpm database.
Check for accounts with an empty password
awk -F: '($2 == "") { print $1 }' /etc/shadow
# awk -F: '($2 == "") { print $1 }' /etc/shadow
An empty second field means the account can log in without any password. Reading /etc/shadow requires root. Any account listed here should be locked (passwd -l) or given a password immediately.
Check for accounts with uid 0
awk -F: '($3 == 0) { print $1 }' /etc/passwd
# awk -F: '($3 == 0) { print $1 }' /etc/passwd
root
This example output shows that only root has uid 0. Any other uid-0 entry is an additional root account, whatever it is called.
Get the system default users (and groups)
cat /etc/passwd
Check whether default accounts exist, e.g.:
lp, sync, shutdown, halt, news, uucp, operator, games, gopher, etc.
Remove or lock any of these that no installed service needs.
Get the login shell of each account
cat /etc/passwd
# cat /etc/passwd
Check whether the last field is /sbin/nologin or /dev/null (/bin/false is also common); every account that is not meant for interactive use should have a non-login shell.
Check the passwd and shadow files: every user must have a password, and the passwords must be shadowed (an "x" in the second field of /etc/passwd).
pwck
# pwck
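The four account checks above (empty passwords, uid 0, login shells, shadowing) as one shell script. This is an added example and not part of the original checklist; the passwd and shadow files it reads are constructed samples, and the functions take a file path so they can be pointed at /etc/passwd and /etc/shadow on a live host (root is needed for shadow) or at copies collected from another machine.

```shell
#!/bin/sh
# Added example: account audit over passwd/shadow-format files.

# Accounts whose password field (2nd field of shadow) is empty: they can
# log in with no password at all.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Every account with uid 0 is root, whatever it is called.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts that still have an interactive shell (not nologin/false/dev/null).
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ && $7 != "/dev/null" { print $1 ":" $7 }' "$1"
}

# passwd entries whose password field is not "x": the hash (or an empty
# password) lives in the world-readable passwd file instead of shadow.
unshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# --- constructed sample data (not from a real host) ---------------------
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PASSWD=$SAMPLE_DIR/passwd
SAMPLE_SHADOW=$SAMPLE_DIR/shadow
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
games:x:12:100:games:/usr/games:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
legacy:$1$saltsalt$notarealhashxxxxxxxxxx:501:501::/home/legacy:/bin/sh
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$1$saltsalt$notarealhashxxxxxxxxxx:13000:0:99999:7:::
bin:*:13000:0:99999:7:::
toor::13000:0:99999:7:::
games:!!:13000:0:99999:7:::
alice:$1$saltsalt$notarealhashyyyyyyyyyy:13000:0:99999:7:::
EOF

echo "empty passwords:"; empty_password_accounts "$SAMPLE_SHADOW"   # toor
echo "uid 0 accounts:";  uid0_accounts "$SAMPLE_PASSWD"             # root, toor
echo "login shells:";    login_shell_accounts "$SAMPLE_PASSWD"
echo "unshadowed:";      unshadowed_accounts "$SAMPLE_PASSWD"       # legacy
```

On a real host run it as root and review every line it prints: a second uid-0 account or an unshadowed hash is a finding in its own right, not just a hygiene issue.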
Get the system's minimum password length
grep PASS_MIN_LEN /etc/login.defs
# grep PASS_MIN_LEN /etc/login.defs
# PASS_MIN_LEN Minimum acceptable password length.
PASS_MIN_LEN 5
In this example the minimum length is 5. On PAM-based systems the effective minimum is set by pam_cracklib (minlen) in /etc/pam.d/system-auth, so check that as well.
Get the idle timeout after which an idle login is automatically logged out
grep TMOUT /etc/profile
# grep TMOUT /etc/profile
No output in this example means no automatic logout is configured (TMOUT is honoured by bash and ksh; it does not cover other shells).
Check whether root's PATH contains the current directory "."
echo "$PATH" | grep -E '(^|:)\.?(:|$)'
# echo "$PATH" | grep -E '(^|:)\.?(:|$)'
The original pattern grep ":." matches ":" followed by any character and so flags nearly every PATH; the pattern above matches only a "." element or an empty element (a leading or trailing ":" or "::", which the shell also treats as the current directory). This check has a limitation: it only covers the PATH of the current user, so run it as root and as each administrative account.
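The PATH check as a reusable shell function, together with a second check the checklist does not include: PATH entries that are world-writable directories, which give an attacker the same chance to plant a trojan binary as "." does. This is an added example, not part of the original checklist; the directories it creates are constructed for the demonstration, and the functions take the PATH string as an argument so other users' PATH values (taken from their profiles) can be fed in.

```shell
#!/bin/sh
# Added example: PATH hygiene checks.

# True (exit 0) if a PATH string contains "." or an empty element
# (leading/trailing ":" or "::", which the shell treats as ".").
path_has_cwd() {
    printf '%s\n' "$1" | grep -Eq '(^|:)\.?(:|$)'
}

# Print the entries of a PATH string that exist and are world-writable dirs.
writable_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        [ -n "$d" ] && [ -d "$d" ] || continue
        find "$d" -maxdepth 0 -type d -perm -002 -print
    done
}

# Run both checks; returns 0 if the PATH is clean, 1 if anything was flagged.
audit_path() {
    status=0
    if path_has_cwd "$1"; then
        echo "PATH contains the current directory: $1"
        status=1
    fi
    bad=$(writable_path_dirs "$1")
    if [ -n "$bad" ]; then
        echo "world-writable directories in PATH:"
        echo "$bad"
        status=1
    fi
    return $status
}

# --- constructed sample directories (not real system paths) -------------
DEMO_BASE=$(mktemp -d)
DEMO_GOOD=$DEMO_BASE/bin;    mkdir -p "$DEMO_GOOD"; chmod 755 "$DEMO_GOOD"
DEMO_BAD=$DEMO_BASE/shared;  mkdir -p "$DEMO_BAD";  chmod 777 "$DEMO_BAD"

audit_path "$DEMO_GOOD:$DEMO_BAD:." || true      # flags both problems
audit_path "$DEMO_GOOD" && echo "clean"
```

To cover every account rather than only the current shell, extract the PATH assignments from /etc/profile, /etc/bashrc and each user's ~/.bash_profile and pass them to audit_path one by one.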
Get the accounts that are forbidden to use ftp
cat /etc/ftpusers
# cat /etc/ftpusers
root and the system accounts should be listed here; ftp sends passwords in clear text.
Check whether anyone may su to root
cat /etc/pam.d/su
# cat /etc/pam.d/su
…
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_wheel.so group=wheel
…
This example output shows that only members of the wheel group may su to root: pam_wheel is "required", so any other user fails regardless of the password they type. If the pam_wheel line is absent or commented out, any user who knows the root password can su.
3.11.5 bash history size check
Get the number of commands the bash shell keeps in its history
grep HISTSIZE /etc/profile
# grep HISTSIZE /etc/profile
HISTSIZE=1000
A history this long is useful evidence after an incident, but ~/.bash_history can be truncated or disabled by the user, so treat it as a convenience rather than an audit trail.
Get the resource limits the system imposes on users
cat /etc/security/limits.conf
# cat /etc/security/limits.conf
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - an user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open files
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit
# - maxlogins - max number of logins for this user
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
#
#<domain> <type> <item> <value>
#
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4
# End of file
This example output (every line commented out) shows the system imposes no limits on users (number of processes, concurrent logins, core file size, etc.). limits.conf is applied by pam_limits, so it only affects services whose PAM stack includes pam_limits.so.
Check whether the ftp server allows guest or anonymous connections
grep class /etc/ftpaccess
# grep class /etc/ftpaccess
# User classes...
class all real,guest,anonymous *
This wu-ftpd class line puts real, guest and anonymous logins from any address (*) into one class, i.e. anonymous ftp is permitted.
Get the running processes
ps aux
# ps aux
Count the running processes: # ps aux | wc -l
(ps aux is BSD syntax; older procps also accepted ps -aux, which newer versions warn about.)
Get the open ports
netstat -an
# netstat -an
netstat -an lists every socket in numeric form; add -l to show only listening sockets and -p (as root) to show the owning process.
Get service information
lsof -i
netstat -at
# lsof -i
# netstat -at
If lsof is not installed, use netstat -a --ip:
# netstat -a --ip
Check whether the xinetd/inetd service is running
ps aux | grep inetd
ps aux | grep xinetd
# ps aux | grep xinetd
root 383 0.0 0.6 2088 832 ? S 20:06 0:00 xinetd -stayalive
This output shows xinetd is running, so check which of its services are enabled:
# cd /etc/xinetd.d
# grep "disable" ./*
./chargen: disable = yes
./chargen-udp: disable = yes
./cvs: disable = no
./daytime: disable = yes
./daytime-udp: disable = yes
./echo: disable = yes
./echo-udp: disable = yes
./rsync: disable = yes
./servers: disable = yes
./services: disable = yes
./time: disable = yes
./time-udp: disable = yes
./wu-ftpd: disable = yes
In this output disable = no means xinetd will accept connections for cvs (a service file with no disable line at all is also enabled, since disable defaults to no). Confirm with netstat -a:
# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:cvspserver *:* LISTEN
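An added shell example (not from the original checklist) that lists the xinetd services actually enabled, treating a file with no disable line as enabled, and shows the server binary each one runs. The /etc/xinetd.d contents below are constructed; on a live host pass /etc/xinetd.d as the argument.

```shell
#!/bin/sh
# Added example: which xinetd services are enabled, and what they run.

# Print "name server" for every service file that is not "disable = yes".
xinetd_enabled_services() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # disable = yes  -> off; any other value or no line at all -> on
        if grep -Eqi '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
            continue
        fi
        server=$(awk -F= '$1 ~ /^[[:space:]]*server[[:space:]]*$/ {
                             gsub(/[[:space:]]/, "", $2); print $2 }' "$f")
        echo "$(basename "$f") ${server:-(no server line)}"
    done
}

# --- constructed sample /etc/xinetd.d (not from a real host) ------------
DEMO_XINETD=$(mktemp -d)
cat > "$DEMO_XINETD/cvs" <<'EOF'
service cvspserver
{
        disable = no
        socket_type = stream
        user = root
        server = /usr/bin/cvs
        server_args = -f --allow-root=/cvsroot pserver
}
EOF
cat > "$DEMO_XINETD/echo" <<'EOF'
service echo
{
        disable = yes
        type = INTERNAL
        socket_type = stream
}
EOF
cat > "$DEMO_XINETD/telnet" <<'EOF'
service telnet
{
        flags = REUSE
        socket_type = stream
        user = root
        server = /usr/sbin/in.telnetd
}
EOF

xinetd_enabled_services "$DEMO_XINETD"   # cvs and telnet; echo is off
```

The telnet file is the case the plain grep for "disable" misses: it has no disable line, yet xinetd will happily start in.telnetd for it.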
Get the host name resolution order
/etc/host.conf
# cat /etc/host.conf
order hosts,bind
This example output means names are resolved from /etc/hosts first, then via DNS.
Check whether /etc/hosts.equiv exists
ls -al /etc/hosts.equiv
# ls -al /etc/hosts.equiv
hosts.equiv grants password-less rlogin/rsh trust to the listed hosts; it should not exist on a hardened system and must never contain a "+" entry.
List the system startup scripts
ls -al /etc/rc.d/init.d
# ls -al /etc/rc.d/init.d/
total 208
drwxr-xr-x 2 root 4096 Nov 13 14:12 ./
drwxr-xr-x 10 root 4096 May 10 22:12 ../
-rwxr-xr-x 1 root 2633 Aug 23 2002 aep1000*
-rwxr-xr-x 1 root 941 Aug 28 2002 anacron*
-rwxr-xr-x 1 root 1458 Jun 23 2002 apmd*
-rwxr-xr-x 1 root 1176 Jul 25 2002 atd*
-rwxr-xr-x 1 root 9435 Aug 27 2002 autofs*
-rwxr-xr-x 1 root 2455 Aug 23 2002 bcm5820*
-rwxr-xr-x 1 root 1095 Aug 24 2002 cpqarrayd*
-rwxr-xr-x 1 root 1316 Jul 20 2002 crond*
-rwxr-xr-x 1 root 10068 Jul 14 2002 functions*
-rwxr-xr-x 1 root 1541 Jun 24 2002 gpm*
-rwxr-xr-x 1 root 5075 Aug 14 2002 halt*
-rwxr-xr-x 1 root 2366 Sep 5 2002 httpd*
-rwxr-xr-x 1 root 5636 Aug 7 2002 iptables*
-rwxr-xr-x 1 root 1152 Jul 9 2002 irda*
-rwxr-xr-x 1 root 1084 Aug 3 2002 kdcrotate*
-rwxr-xr-x 1 root 1347 Sep 5 2002 keytable*
-rwxr-xr-x 1 root 481 Jul 6 2002 killall*
-rwxr-xr-x 1 root 1919 Sep 3 2002 kudzu*
-rwxr-xr-x 1 root 1539 Aug 24 2002 microcode_ctl*
-rwxr-xr-x 1 root 5024 Jun 26 2002 netfs*
-rwxr-xr-x 1 root 6402 Jul 10 2002 network*
-rwxr-xr-x 1 root 4522 Aug 1 2002 nfs*
-rwxr-xr-x 1 root 2286 Aug 1 2002 nfslock*
-rwxr-xr-x 1 root 2066 Sep 6 2002 nscd*
-r-xr-xr-x 1 root 4596 Aug 31 2002 pcmcia*
-rwxr-xr-x 1 root 1901 Aug 7 2002 portmap*
-rwxr-xr-x 1 root 1516 Jun 26 2002 random*
-rwxr-xr-x 1 root 2211 Jun 26 2002 rawdevices*
-rwxr-xr-x 1 root 1782 Sep 10 2002 rhnsd*
-rwxr-xr-x 1 root 1260 Sep 3 2002 saslauthd*
-r-x------ 1 root 177 Nov 13 14:12 secuve_file*
-rwxr-xr-x 1 root 2362 Aug 30 2002 sendmail*
-rwxr-xr-x 1 root 1175 Jul 10 2002 single*
-rwxr-xr-x 1 root 627 Aug 24 2002 smartd*
-rwxr-xr-x 1 root 1160 Sep 1 2002 snmpd*
-rwxr-xr-x 1 root 1131 Sep 1 2002 snmptrapd*
-rwxr-xr-x 1 root 2647 Aug 14 2002 sshd*
-rwxr-xr-x 1 root 1369 Jun 24 2002 syslog*
-rwxr-xr-x 1 root 2407 Aug 16 2002 xinetd*
-rwxr-xr-x 1 root 2501 Jun 24 2002 ypbind*
Find which process opened a given port
Suppose the port is 2401: run fuser -n tcp 2401, which returns the process ID, then ps aux | grep <pid>.
# fuser -n tcp 2401
2401/tcp: 383
# ps aux | grep 383
root 383 0.0 0.6 2088 832 ? S 20:06 0:00 xinetd -stayalive
This output shows port 2401 is held by xinetd.
This check helps identify unexplained open ports (netstat -anp or lsof -i :2401 give the same answer in one step).
Check the scripts run from /etc/rc.d/rc[0-6].d
ls -al /etc/rc.d/rc0.d
…
ls -al /etc/rc.d/rc6.d
# ls -al rc3.d/
total 8
drwxr-xr-x 2 root 4096 Nov 13 14:21 ./
drwxr-xr-x 10 root 4096 May 10 22:12 ../
lrwxrwxrwx 1 root 28 Nov 13 14:12 BS99file -> /etc/rc.d/init.d/secuve_file*
lrwxrwxrwx 1 root 15 Oct 29 2002 K03rhnsd -> ../init.d/rhnsd*
lrwxrwxrwx 1 root 17 Oct 29 2002 K05anacron -> ../init.d/anacron*
lrwxrwxrwx 1 root 13 Oct 29 2002 K05atd -> ../init.d/atd*
lrwxrwxrwx 1 root 18 Oct 29 2002 K05keytable -> ../init.d/keytable*
lrwxrwxrwx 1 root 19 Oct 29 2002 K05saslauthd -> ../init.d/saslauthd*
lrwxrwxrwx 1 root 13 Oct 29 2002 K15gpm -> ../init.d/gpm*
lrwxrwxrwx 1 root 13 Oct 29 2002 K20nfs -> ../init.d/nfs*
lrwxrwxrwx 1 root 14 Oct 29 2002 K24irda -> ../init.d/irda*
lrwxrwxrwx 1 root 18 Oct 29 2002 K30sendmail -> ../init.d/sendmail*
lrwxrwxrwx 1 root 16 Oct 29 2002 K45smartd -> ../init.d/smartd*
lrwxrwxrwx 1 root 15 Oct 29 2002 K50snmpd -> ../init.d/snmpd*
lrwxrwxrwx 1 root 19 Oct 29 2002 K50snmptrapd -> ../init.d/snmptrapd*
lrwxrwxrwx 1 root 15 Oct 29 2002 K60crond -> ../init.d/crond*
lrwxrwxrwx 1 root 17 Oct 29 2002 K70aep1000 -> ../init.d/aep1000*
lrwxrwxrwx 1 root 17 Oct 29 2002 K70bcm5820 -> ../init.d/bcm5820*
lrwxrwxrwx 1 root 16 Oct 29 2002 K72autofs -> ../init.d/autofs*
lrwxrwxrwx 1 root 14 Oct 29 2002 K74apmd -> ../init.d/apmd*
lrwxrwxrwx 1 root 15 Oct 29 2002 K75netfs -> ../init.d/netfs*
lrwxrwxrwx 1 root 17 Oct 29 2002 K86nfslock -> ../init.d/nfslock*
lrwxrwxrwx 1 root 17 Oct 29 2002 K87portmap -> ../init.d/portmap*
lrwxrwxrwx 1 root 18 Oct 29 2002 K92iptables -> ../init.d/iptables*
lrwxrwxrwx 1 root 15 Oct 29 2002 K95kudzu -> ../init.d/kudzu*
lrwxrwxrwx 1 root 16 Oct 29 2002 K96pcmcia -> ../init.d/pcmcia*
lrwxrwxrwx 1 root 23 Oct 29 2002 S00microcode_ctl -> ../init.d/microcode_ctl*
lrwxrwxrwx 1 root 17 Oct 29 2002 S10network -> ../init.d/network*
lrwxrwxrwx 1 root 16 Oct 29 2002 S12syslog -> ../init.d/syslog*
lrwxrwxrwx 1 root 16 Oct 29 2002 S20random -> ../init.d/random*
lrwxrwxrwx 1 root 14 Oct 29 2002 S55sshd -> ../init.d/sshd*
lrwxrwxrwx 1 root 20 Oct 29 2002 S56rawdevices -> ../init.d/rawdevices*
lrwxrwxrwx 1 root 16 Oct 29 2002 S56xinetd -> ../init.d/xinetd*
lrwxrwxrwx 1 root 15 Oct 29 2002 S85httpd -> ../init.d/httpd*
lrwxrwxrwx 1 root 11 Oct 30 2002 S99local -> ../rc.local*
Links beginning with S are started in that run level; K links are stopped. The BS99file link above does not follow the S/K naming convention, so the rc script will not run it; anomalies like this should be noted and their origin established.
Check whether the system answers ICMP echo requests
cat /proc/sys/net/ipv4/icmp_echo_ignore_all
or ping the host from another machine on the same subnet
# cat /proc/sys/net/ipv4/icmp_echo_ignore_all
0
This example output (0) means the system responds to ICMP echo requests; 1 would ignore them.
Check the run levels in which each service is started
chkconfig --list
# chkconfig --list
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
microcode_ctl 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netfs 0:off 1:off 2:off 3:off 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
random 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:off 4:on 5:on 6:off
apmd 0:off 1:off 2:on 3:off 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:off 4:on 5:on 6:off
gpm 0:off 1:off 2:on 3:off 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:off 4:on 5:on 6:off
irda 0:off 1:off 2:off 3:off 4:off 5:off 6:off
keytable 0:off 1:on 2:on 3:off 4:on 5:on 6:off
kudzu 0:off 1:off 2:off 3:off 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
snmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
snmptrapd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sendmail 0:off 1:off 2:on 3:off 4:on 5:on 6:off
smartd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables 0:off 1:off 2:on 3:off 4:on 5:on 6:off
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
nfslock 0:off 1:off 2:off 3:off 4:on 5:on 6:off
rhnsd 0:off 1:off 2:off 3:off 4:on 5:on 6:off
pcmcia 0:off 1:off 2:on 3:off 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:off 4:on 5:on 6:off
anacron 0:off 1:off 2:on 3:off 4:on 5:on 6:off
aep1000 0:off 1:off 2:off 3:off 4:off 5:off 6:off
bcm5820 0:off 1:off 2:off 3:off 4:off 5:off 6:off
httpd 0:off 1:off 2:off 3:on 4:off 5:off 6:off
xinetd based services:
chargen-udp: off
chargen: off
daytime-udp: off
daytime: off
echo-udp: off
echo: off
services: off
servers: off
time-udp: off
time: off
cvs: on
wu-ftpd: off
rsync: off
Check whether ftp packages are installed
rpm -qa | grep ftp
ls /etc/xinetd.d/*ftp*
How to read the result:
# rpm -qa | grep ftp
ftp-0.17-15
lftp-2.5.2-5
wu-ftpd-2.6.2-8
# ls /etc/xinetd.d/*ftp*
/etc/xinetd.d/wu-ftpd
ftp and lftp are clients only; wu-ftpd is the server, started by xinetd through /etc/xinetd.d/wu-ftpd (disable = yes in the listing above, so it is currently off).
4.13 sendmail service / relay check
Check whether sendmail runs as a listening daemon
cat /etc/sysconfig/sendmail
# cat /etc/sysconfig/sendmail
DAEMON=yes
QUEUE=1h
DAEMON=yes means sendmail is started as a daemon accepting incoming SMTP connections; QUEUE=1h is the queue run interval. Whether it relays mail for third parties is governed by the sendmail configuration (the access database and relay features in sendmail.mc), not by this file. A host that only needs to send mail should run with DAEMON=no.
Check the default file-creation mask (umask)
umask
umask -S
Default mask of a normal user:
$ umask
0002
$ umask -S
u=rwx,g=rwx,o=rx
Default mask of the superuser:
# umask
0022
# umask -S
u=rwx,g=rx,o=rx
A mask of 0002 makes new files group-writable; 0022 leaves them writable only by the owner. 0077 (or 0027) is the usual hardened choice.
Check the attributes of critical system files
ls -al file_name
At least the following should be checked (owner, group and mode; /etc/shadow must not be readable by group or others):
/etc/shadow /var/log/messages /var/log/wtmp /var/run/utmp
/etc/rc.d/init.d /etc/inittab /etc/group /etc/crontab /var/spool/cron
/etc/securetty /etc/lilo.conf /etc/grub.conf
Check the /tmp directory attributes
ls -al /
# ls -al / | grep tmp
drwxrwxrwt 7 root 4096 May 11 20:07 tmp/
The t in the mode shows that the sticky bit is set on /tmp, so users can only delete their own files there.
Look for special files (SUID/SGID programs, non-device files under /dev, device files outside /dev, world-writable files, files without an owner, .rhosts files, etc.)
Find SUID/SGID programs:
# find / -type f \( -perm -04000 -o -perm -02000 \) -ls
Find non-device files under /dev:
# /bin/find /dev -type f -exec ls -l {} \;
Find device files outside /dev:
# /bin/find / \( -type b -o -type c \) -print | grep -v '^/dev/'
Find world-writable files:
# /bin/find / -perm -2 ! -type l -ls
Find files with no owner or group:
# /bin/find / \( -nouser -o -nogroup \) -print
Find .rhosts files:
# /bin/find / -name .rhosts -print
Each of these outputs can be redirected to a file (append > result to the command) to make the results easier to collate. Add -xdev to keep find on local file systems and out of /proc and NFS mounts, and keep the SUID/SGID list from a known-good build so that later runs can be diffed against it.
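The special-file sweep above packaged as shell functions that take the tree to scan as an argument, so it can be rehearsed on a constructed tree (built below, not a real file system) before being run against / with its output kept for diffing. This is an added example, not part of the original checklist; the -nouser/-nogroup finder is included but cannot be exercised on the sample tree without root.

```shell
#!/bin/sh
# Added example: special-file sweep over a directory tree.
# Each finder sorts its output so results can be diffed between runs.

# SUID or SGID regular files (the checklist's find, parentheses escaped).
find_setid_files() {
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) -print | sort
}

# Anything world-writable that is not a symlink (symlinks are always 0777).
find_world_writable() {
    find "$1" -xdev -perm -002 ! -type l -print | sort
}

# Files owned by a uid/gid that no longer exists in passwd/group.
find_orphaned_files() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print | sort
}

# .rhosts files: password-less trust for rlogin/rsh.
find_rhosts() {
    find "$1" -xdev -name .rhosts -print | sort
}

# Run every finder on tree $1 and write each result to its own file under $2.
sweep_tree() {
    mkdir -p "$2"
    find_setid_files    "$1" > "$2/setid"
    find_world_writable "$1" > "$2/world_writable"
    find_orphaned_files "$1" > "$2/orphaned"
    find_rhosts         "$1" > "$2/rhosts"
    wc -l "$2"/*
}

# --- constructed sample tree (not a real file system) -------------------
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/bin" "$DEMO_ROOT/home/alice" "$DEMO_ROOT/var/tmp"
printf '#!/bin/sh\n' > "$DEMO_ROOT/bin/suid_helper"; chmod 4755 "$DEMO_ROOT/bin/suid_helper"
printf '#!/bin/sh\n' > "$DEMO_ROOT/bin/sgid_helper"; chmod 2755 "$DEMO_ROOT/bin/sgid_helper"
printf '#!/bin/sh\n' > "$DEMO_ROOT/bin/normal";      chmod 755  "$DEMO_ROOT/bin/normal"
: > "$DEMO_ROOT/var/tmp/dropbox";                    chmod 666  "$DEMO_ROOT/var/tmp/dropbox"
printf '+ +\n' > "$DEMO_ROOT/home/alice/.rhosts";    chmod 644  "$DEMO_ROOT/home/alice/.rhosts"
ln -s "$DEMO_ROOT/var/tmp/dropbox" "$DEMO_ROOT/var/tmp/link"   # symlink: must not be reported

sweep_tree "$DEMO_ROOT" "$DEMO_ROOT.results"
```

Against a live system call sweep_tree / /var/audit/$(date +%F) as root; a diff of the setid file between two dates is the quickest way to spot a newly planted setuid shell.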
Check the mounted partitions
mount
cat /etc/fstab
# mount
# cat /etc/fstab
Look at the mount options: /tmp, /home and removable media should carry nosuid and nodev (and noexec where the applications allow it).
Check the exported (shared) file systems
exportfs
cat /etc/exports
# exportfs
# cat /etc/exports
exportfs -v shows the active exports with their options; look for rw exports, exports to * and no_root_squash.
Check the NFS file systems mounted on this host
df -k
# df -k
NFS mounts appear in df output as host:/path; mount -t nfs lists only those.
Check where authentication (auth/authpriv) logs are written
grep auth /etc/syslog.conf
# grep auth /etc/syslog.conf
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
This example output shows that authpriv messages go to /var/log/secure (and are excluded from /var/log/messages).
Check whether the LILO boot loader has a password set
grep -i password /etc/lilo.conf
# grep -i password /etc/lilo.conf
No output means LILO boots without a password (the lilo.conf keyword is password=, so the original grep passwd would never match it). Without restricted the password is required for every boot; with restricted it is only required when extra boot parameters are supplied. On GRUB systems check /etc/grub.conf for a password line instead.
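An added shell example (not part of the original checklist) that checks a lilo.conf or grub.conf for a boot password: whether one is set, whether LILO's restricted keyword limits it to boots with extra parameters, whether it is stored in clear text (GRUB's password --md5 form is hashed, lilo.conf's password= is not), and whether a clear-text password sits in a file readable by other users. The three configuration files are constructed samples (grub.conf is modelled on the one shown later in this checklist).

```shell
#!/bin/sh
# Added example: boot-loader password check for lilo.conf / grub.conf.

bootloader_password_check() {
    f=$1
    if ! [ -r "$f" ]; then
        echo "$f: not present"
        return 0
    fi
    # strip comments and blank lines once
    cfg=$(sed -e 's/#.*//' "$f" | grep -v '^[[:space:]]*$' || true)
    if ! printf '%s\n' "$cfg" | grep -Eqi '^[[:space:]]*password'; then
        echo "$f: NO boot password"
        return 0
    fi
    status="password set"
    # lilo: "restricted" means the password is only asked for when boot
    # parameters are supplied, not for a default boot
    if printf '%s\n' "$cfg" | grep -Eqi '^[[:space:]]*restricted'; then
        status="$status (restricted: only for extra boot parameters)"
    fi
    # grub: "password --md5 <hash>" is hashed; any other form is clear text
    if ! printf '%s\n' "$cfg" | grep -Eqi '^[[:space:]]*password[[:space:]]+--md5'; then
        status="$status, CLEAR-TEXT password"
        mode=$(stat -c %a "$f")
        case $mode in
            *00) ;;                                    # owner-only access
            *)   status="$status, file mode $mode readable by others" ;;
        esac
    fi
    echo "$f: $status"
}

# --- constructed sample configs (not from a real host) ------------------
DEMO_BOOT=$(mktemp -d)
cat > "$DEMO_BOOT/grub.conf" <<'EOF'
# grub.conf generated by anaconda
default=1
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Linux (2.4.18-14)
        root (hd0,0)
        kernel /vmlinuz-2.4.18-14 ro root=LABEL=/
        initrd /initrd-2.4.18-14.img
EOF
cat > "$DEMO_BOOT/grub-md5.conf" <<'EOF'
default=0
timeout=10
password --md5 $1$notreal$xxxxxxxxxxxxxxxxxxxxxx
title Red Hat Linux (2.4.19)
        root (hd0,0)
        kernel /bzImage-2.4.19 ro root=/dev/sda2
EOF
cat > "$DEMO_BOOT/lilo.conf" <<'EOF'
boot=/dev/hda
prompt
timeout=50
password=s3cret
restricted
image=/boot/vmlinuz-2.4.19
        label=linux
        root=/dev/hda2
EOF
chmod 644 "$DEMO_BOOT/lilo.conf"

for c in grub.conf grub-md5.conf lilo.conf; do
    bootloader_password_check "$DEMO_BOOT/$c"
done
```

The lilo.conf sample is the classic mistake: a password is set, but it is clear text in a mode 644 file, so any local user can read it and the boot password protects nothing.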
7.2 Control-Alt-Delete check
Check whether the Control-Alt-Delete reboot key combination is disabled
grep ctrlaltdel /etc/inittab
# grep ctrlaltdel /etc/inittab
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
This example output shows Control-Alt-Delete is not disabled: anyone at the console can reboot the machine. Comment the line out (and run init q) to disable it.
Check whether the login banners have been stripped of system information
Log in on the console, or inspect the /etc/issue and /etc/issue.net files (the latter is shown to telnet connections).
Check whether the system (especially a production host) has multiple boot entries
cat /etc/lilo.conf
cat /etc/grub.conf
# cat grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/sda2
# initrd /initrd-version.img
#boot=/dev/sda
default=1
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Linux (2.4.18-14)
root (hd0,0)
kernel /vmlinuz-2.4.18-14 ro root=LABEL=/
initrd /initrd-2.4.18-14.img
title Red Hat Linux (2.4.19)
root (hd0,0)
kernel /bzImage-2.4.19 ro root=/dev/sda2
This example shows two Red Hat Linux kernels and no other operating system; note also that this grub.conf contains no password line, so anyone at the console can edit the boot entries.
Check the default run level at boot
grep initdefault /etc/inittab
# grep initdefault /etc/inittab
id:3:initdefault:
In this example 3 means the system boots into multi-user mode; 5 would boot into X Windows (the display manager).
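An added shell example (not part of the original checklist) that ties the run-level checks together: it reads the default run level from an inittab file, then filters chkconfig --list output down to the services marked on for that level plus the xinetd-based services that are on. Both inputs are constructed samples trimmed from the listings above; on a live host use /etc/inittab and "$(chkconfig --list)".

```shell
#!/bin/sh
# Added example: what actually starts at the default run level.

# Default run level from an inittab file ("id:3:initdefault:" -> 3).
default_runlevel() {
    awk -F: '$3 == "initdefault" { print $2 }' "$1"
}

# Services marked "<level>:on" in chkconfig --list output (read from stdin).
services_on_at() {
    awk -v lv="$1" '
        /^[^ \t]/ && $2 ~ /^[0-6]:/ {          # "name 0:off 1:off 2:on ..."
            for (i = 2; i <= NF; i++)
                if ($i == (lv ":on")) print $1
        }'
}

# xinetd-based services listed as on (indented "name: on" lines).
xinetd_services_on() {
    awk '/^[ \t]+[^ \t]+:[ \t]+on$/ { sub(/:$/, "", $1); print $1 }'
}

# Combine: default run level from inittab $1, chkconfig table in string $2.
boot_services() {
    lv=$(default_runlevel "$1")
    echo "run level $lv:"
    printf '%s\n' "$2" | services_on_at "$lv"
    echo "xinetd services on:"
    printf '%s\n' "$2" | xinetd_services_on
}

# --- constructed sample input (not from a real host) --------------------
DEMO_INITTAB=$(mktemp)
printf 'id:3:initdefault:\nsi::sysinit:/etc/rc.d/rc.sysinit\nl3:3:wait:/etc/rc.d/rc 3\n' > "$DEMO_INITTAB"
DEMO_CHKCONFIG='syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:off   4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:off   4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:off   6:off
xinetd based services:
        echo:           off
        cvs:            on
        wu-ftpd:        off'

boot_services "$DEMO_INITTAB" "$DEMO_CHKCONFIG"
```

The point of filtering by the initdefault level is that a service such as portmap or sendmail that is on only in levels 4 and 5 is not a boot-time exposure on a host that boots into level 3, while httpd, on only in level 3, is.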
Check which accounts may log in from the console (pam_access)
grep -v "^#" /etc/security/access.conf
# grep -v "^#" /etc/security/access.conf
Check the terminals from which root may log in
grep -v "tty" /etc/securetty
# grep -v "tty" /etc/securetty
/etc/securetty, read by pam_securetty, lists the terminals on which root is allowed to log in directly. The grep hides the ttyN console lines and shows the rest; in this example they are vc/N virtual consoles, which are local. Any pts/N entry would allow direct root login on a network pseudo-terminal and should be removed.
8 Backdoor and log checks
Check that the system log files are complete and show nothing abnormal: dates (gaps or out-of-order entries), sizes (sudden truncation) and integrity.
9 Third-party security product installation
Check that telnetd is disabled and that an encrypted protocol such as OpenSSH is used for remote login.
Where a package digest database is available, verify that the md5 checksum and permissions of /bin/login match the installed package (rpm -Vf /bin/login; a clean verify prints nothing).
If necessary, trace ls, ps, netstat and similar tools with strace/ltrace (truss is the Solaris equivalent) to look for abnormal system calls or hijacked library functions.