####################################################################################### # # Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved. # security-tool licensed under the Mulan PSL v2. # You can use this software according to the terms and conditions of the Mulan PSL v2. # You may obtain a copy of Mulan PSL v2 at: # http://license.coscl.org.cn/MulanPSL # THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR # PURPOSE. # See the Mulan PSL v2 for more details. # Description: Configuration file for the security-tool. # ####################################################################################### ######################################################################## # # HowTo: # # delete key, and difference caused by blankspace/tab on key is ignored # id@d@file@key # # # modify option: find line started with key, and get the value changed # id@m@file@key[@value] # # # modify sub-option: find line started with key, and then change the value of key2 to value2(prepostive seperator should not be blank characters) in the line # id@M@file@key@key2[@value2] # # # check existence of commands # id@which@command1 [command2 ...] # # # execute command on the files found # id@find@dir@condition@command # # # any command(with or without parameter), such as 'rm -f','chmod 700','which','touch', used to extend functions, return 0 is ok # id@command@file1 [file2 ...] # # Notes: # 1. The comment line should start with '#' # 2. "value" related with "key" should contain prepositive separator("="," " and so on), if there is any. # 3. When item starts with "d", "m" or "M", "file" should be a single normal file, otherwise multi-objects(separated by blankspace) are allowed. # ######################################################################## ######################################################################## # SSH server settting ######################################################################## # Set sshd Protocol version 101@m@/etc/ssh/sshd_config@Protocol @2 102@m@/etc/ssh/sshd_config@SyslogFacility @AUTH 102@m@/etc/ssh/sshd_config@LogLevel @VERBOSE 103@m@/etc/ssh/sshd_config@X11Forwarding @no 105@m@/etc/ssh/sshd_config@PubkeyAuthentication @yes 105@m@/etc/ssh/sshd_config@RSAAuthentication @yes # Don't read the user's ~/.rhosts and ~/.shosts files 105@m@/etc/ssh/sshd_config@IgnoreRhosts @yes 105@m@/etc/ssh/sshd_config@RhostsRSAAuthentication @no # To disable host authentication 106@m@/etc/ssh/sshd_config@HostbasedAuthentication @no 108@m@/etc/ssh/sshd_config@PermitEmptyPasswords @no 109@m@/etc/ssh/sshd_config@PermitUserEnvironment @no # Set sshd password algorithm 110@m@/etc/ssh/sshd_config@Ciphers @aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@@openssh.com,aes256-gcm@@openssh.com,chacha20-poly1305@@openssh.com 111@m@/etc/ssh/sshd_config@ClientAliveCountMax @0 # Make sshd print warning banner 112@m@/etc/ssh/sshd_config@Banner @/etc/issue.net # Set sshd message authentication code algorithm 113@m@/etc/ssh/sshd_config@MACs @hmac-sha2-512,hmac-sha2-512-etm@@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@@openssh.com,hmac-sha1,hmac-sha1-etm@@openssh.com # Make sshd check file modes and ownership of the user's files and home directory before accepting login 114@m@/etc/ssh/sshd_config@StrictModes @yes # Set this to 'yes' to enable PAM authentication, account processing, and session processing. 115@m@/etc/ssh/sshd_config@UsePAM @yes # Set this to 'no', do not allowed TCP forwarding. 116@m@/etc/ssh/sshd_config@AllowTcpForwarding @no # Log on sftp. 117@m@/etc/ssh/sshd_config@Subsystem sftp @/usr/libexec/openssh/sftp-server -l INFO -f AUTH 118@m@/etc/ssh/sshd_config@AllowAgentForwarding @no 119@m@/etc/ssh/sshd_config@GatewayPorts @no 120@m@/etc/ssh/sshd_config@PermitTunnel @no #CVE-2015-4000 121@m@/etc/ssh/sshd_config@KexAlgorithms@ curve25519-sha256,curve25519-sha256@@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256 130@systemctl@sshd.service@restart ######################################################################## # System access and authorization ######################################################################## # close the kernel request debugging functionality 204@m@/etc/sysctl.conf@kernel.sysrq@=0 206@rm -f @/etc/motd 206@touch @/etc/motd 206@chown root:root @/etc/motd 206@chmod 644 @/etc/motd 206@m@/etc/motd@Authorized users only. All activities may be monitored and reported. 206@rm -f @/etc/issue 206@touch @/etc/issue 206@chown root:root @/etc/issue 206@chmod 644 @/etc/issue 206@m@/etc/issue@Authorized users only. All activities may be monitored and reported. 206@rm -f @/etc/issue.net 206@touch @/etc/issue.net 206@chown root:root @/etc/issue.net 206@chmod 644 @/etc/issue.net 206@m@/etc/issue.net@Authorized users only. All activities may be monitored and reported. 208@chown root:root @/etc/crontab 208@chmod og-rwx @/etc/crontab 209@chown root:root @/etc/cron.d 209@chmod og-rwx @/etc/cron.d 210@chown root:root @/etc/cron.hourly 210@chmod og-rwx @/etc/cron.hourly 211@chown root:root @/etc/cron.daily 211@chmod og-rwx @/etc/cron.daily 212@chown root:root @/etc/cron.weekly 212@chmod og-rwx @/etc/cron.weekly 213@chown root:root @/etc/cron.monthly 213@chmod og-rwx @/etc/cron.monthly 214@rm -f @/etc/at.deny 214@touch @/etc/at.allow 214@chown root:root @/etc/at.allow 214@chmod og-rwx @/etc/at.allow 215@rm -f @/etc/cron.deny 215@touch @/etc/cron.allow 215@chown root:root @/etc/cron.allow 215@chmod og-rwx @/etc/cron.allow #rpm initscripts drop /etc/sysconfig/init defaultly 216@touch @/etc/sysconfig/init 217@m@/etc/sysconfig/init@PROMPT=@no ######################################################################## # Kernel parameters ######################################################################## # Disable IP forwarding 301@m@/etc/sysctl.conf@net.ipv4.ip_forward=@0 # Disable sending ICMP redirects 302@m@/etc/sysctl.conf@net.ipv4.conf.all.send_redirects=@0 302@m@/etc/sysctl.conf@net.ipv4.conf.default.send_redirects=@0 # Disable IP source routing 303@m@/etc/sysctl.conf@net.ipv4.conf.all.accept_source_route=@0 303@m@/etc/sysctl.conf@net.ipv4.conf.default.accept_source_route=@0 # Disable ICMP redirects acceptance 304@m@/etc/sysctl.conf@net.ipv4.conf.all.accept_redirects=@0 304@m@/etc/sysctl.conf@net.ipv4.conf.default.accept_redirects=@0 # Disable ICMP redirect messages only for gateways 305@m@/etc/sysctl.conf@net.ipv4.conf.all.secure_redirects=@0 305@m@/etc/sysctl.conf@net.ipv4.conf.default.secure_redirects=@0 # Disable response to broadcasts. 306@m@/etc/sysctl.conf@net.ipv4.icmp_echo_ignore_broadcasts=@1 # Enable ignoring bogus error responses 307@m@/etc/sysctl.conf@net.ipv4.icmp_ignore_bogus_error_responses=@1 # Enable route verification on all interfaces 308@m@/etc/sysctl.conf@net.ipv4.conf.all.rp_filter=@1 308@m@/etc/sysctl.conf@net.ipv4.conf.default.rp_filter=@1 # Enable TCP-SYN cookie protection 309@m@/etc/sysctl.conf@net.ipv4.tcp_syncookies=@1 # Enable preventing normal users from getting dmesg output 310@m@/etc/sysctl.conf@kernel.dmesg_restrict=@1 ######################################################################## # Only Wants NetworkManager ######################################################################## 401@m@/usr/lib/systemd/system/openEuler-security.service@Wants=@NetworkManager.service #del SHA1 pem 402@rm -f @/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem #limit user environment variables when used su 403@m@/etc/login.defs@ALWAYS_SET_PATH=@yes #add umask 077 to /etc/csh.login 404@m@/etc/csh.login@umask@ 077 #disable ICMP redirects acceptance 407@m@/etc/sysctl.conf@net.ipv6.conf.all.accept_redirects=@0 407@m@/etc/sysctl.conf@net.ipv6.conf.default.accept_redirects=@0 #set LOG_UNKFAIL_ENAB to no 622@m@/etc/login.defs@LOG_UNKFAIL_ENAB @no #fix the problem of 700@chown root:dbus @/usr/libexec/dbus-1/dbus-daemon-launch-helper 700@chmod 4750 @/usr/libexec/dbus-1/dbus-daemon-launch-helper