security-tool/security.conf

#######################################################################################
#
# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved.
# security-tool licensed under the Mulan PSL v1.
# You can use this software according to the terms and conditions of the Mulan PSL v1.
# You may obtain a copy of Mulan PSL v1 at:
#     http://license.coscl.org.cn/MulanPSL
# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
# PURPOSE.
# See the Mulan PSL v1 for more details.
# Description: Configuration file for the security-tool.
#
#######################################################################################

########################################################################
#
# HowTo:
#	# delete key, and difference caused by blankspace/tab on key is ignored
#	id@d@file@key
#
#	# modify option: find line started with key, and get the value changed
#	id@m@file@key[@value]
#
#	# modify sub-option: find line started with key, and then change the value of key2 to value2(prepostive seperator should not be blank characters) in the line
#	id@M@file@key@key2[@value2]
#
#	# check existence of commands
#	id@which@command1 [command2 ...]
#
#	# execute command on the files found
#	id@find@dir@condition@command
#
#	# any command(with or without parameter), such as 'rm -f','chmod 700','which','touch', used to extend functions, return 0 is ok
#	id@command@file1 [file2 ...]
#
# Notes:
#	1. The comment line should start with '#'
#	2. "value" related with "key" should contain prepositive separator("="," " and so on), if there is any.
#	3. When item starts with "d", "m" or "M", "file" should be a single normal file, otherwise multi-objects(separated by blankspace) are allowed.
#
########################################################################

########################################################################
# SSH server settting
########################################################################
# Set sshd Protocol version
101@m@/etc/ssh/sshd_config@Protocol @2

102@m@/etc/ssh/sshd_config@SyslogFacility @AUTH
102@m@/etc/ssh/sshd_config@LogLevel @VERBOSE

103@m@/etc/ssh/sshd_config@X11Forwarding @no

105@m@/etc/ssh/sshd_config@PubkeyAuthentication @yes
105@m@/etc/ssh/sshd_config@RSAAuthentication @yes
# Don't read the user's ~/.rhosts and ~/.shosts files
105@m@/etc/ssh/sshd_config@IgnoreRhosts @yes
105@m@/etc/ssh/sshd_config@RhostsRSAAuthentication @no

# To disable host authentication
106@m@/etc/ssh/sshd_config@HostbasedAuthentication @no

108@m@/etc/ssh/sshd_config@PermitEmptyPasswords @no

109@m@/etc/ssh/sshd_config@PermitUserEnvironment @no

# Set sshd password algorithm
110@m@/etc/ssh/sshd_config@Ciphers @aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@@openssh.com,aes256-gcm@@openssh.com,chacha20-poly1305@@openssh.com

111@m@/etc/ssh/sshd_config@ClientAliveCountMax @0

# Make sshd print warning banner
112@m@/etc/ssh/sshd_config@Banner @/etc/issue.net

# Set sshd message authentication code algorithm
113@m@/etc/ssh/sshd_config@MACs @hmac-sha2-512,hmac-sha2-512-etm@@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@@openssh.com,hmac-sha1,hmac-sha1-etm@@openssh.com

# Make sshd check file modes and ownership of the user's files and home directory before accepting login
114@m@/etc/ssh/sshd_config@StrictModes @yes

# Set this to 'yes' to enable PAM authentication, account processing, and session processing. 
115@m@/etc/ssh/sshd_config@UsePAM @yes

# Set this to 'no', do not allowed TCP forwarding.
116@m@/etc/ssh/sshd_config@AllowTcpForwarding @no

# Log on sftp.
117@m@/etc/ssh/sshd_config@Subsystem sftp @/usr/libexec/openssh/sftp-server -l INFO -f AUTH

118@m@/etc/ssh/sshd_config@AllowAgentForwarding @no

119@m@/etc/ssh/sshd_config@GatewayPorts @no

120@m@/etc/ssh/sshd_config@PermitTunnel @no

#CVE-2015-4000
121@m@/etc/ssh/sshd_config@KexAlgorithms@ curve25519-sha256,curve25519-sha256@@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256

130@systemctl@sshd.service@restart

########################################################################
# System access and authorization
########################################################################

# close the kernel request debugging functionality
204@m@/etc/sysctl.conf@kernel.sysrq@=0

206@rm -f @/etc/motd
206@touch @/etc/motd
206@chown root:root @/etc/motd
206@chmod 644 @/etc/motd
206@m@/etc/motd@Authorized users only. All activities may be monitored and reported.
206@rm -f @/etc/issue
206@touch @/etc/issue
206@chown root:root @/etc/issue
206@chmod 644 @/etc/issue
206@m@/etc/issue@Authorized users only. All activities may be monitored and reported.
206@rm -f @/etc/issue.net
206@touch @/etc/issue.net
206@chown root:root @/etc/issue.net
206@chmod 644 @/etc/issue.net
206@m@/etc/issue.net@Authorized users only. All activities may be monitored and reported.

208@chown root:root @/etc/crontab
208@chmod og-rwx @/etc/crontab

209@chown root:root @/etc/cron.d
209@chmod og-rwx @/etc/cron.d

210@chown root:root @/etc/cron.hourly
210@chmod og-rwx @/etc/cron.hourly

211@chown root:root @/etc/cron.daily
211@chmod og-rwx @/etc/cron.daily

212@chown root:root @/etc/cron.weekly
212@chmod og-rwx @/etc/cron.weekly

213@chown root:root @/etc/cron.monthly
213@chmod og-rwx @/etc/cron.monthly

214@rm -f @/etc/at.deny
214@touch @/etc/at.allow
214@chown root:root @/etc/at.allow
214@chmod og-rwx @/etc/at.allow

215@rm -f @/etc/cron.deny
215@touch @/etc/cron.allow
215@chown root:root @/etc/cron.allow
215@chmod og-rwx @/etc/cron.allow

#rpm initscripts drop /etc/sysconfig/init defaultly
216@touch @/etc/sysconfig/init
217@m@/etc/sysconfig/init@PROMPT=@no

222@umask@user@0077

223@umask@deamon@0027

########################################################################
# Kernel parameters
########################################################################
# Disable IP forwarding
301@m@/etc/sysctl.conf@net.ipv4.ip_forward=@0

# Disable sending ICMP redirects
302@m@/etc/sysctl.conf@net.ipv4.conf.all.send_redirects=@0
302@m@/etc/sysctl.conf@net.ipv4.conf.default.send_redirects=@0

# Disable IP source routing
303@m@/etc/sysctl.conf@net.ipv4.conf.all.accept_source_route=@0
303@m@/etc/sysctl.conf@net.ipv4.conf.default.accept_source_route=@0

# Disable ICMP redirects acceptance
304@m@/etc/sysctl.conf@net.ipv4.conf.all.accept_redirects=@0
304@m@/etc/sysctl.conf@net.ipv4.conf.default.accept_redirects=@0

# Disable ICMP redirect messages only for gateways
305@m@/etc/sysctl.conf@net.ipv4.conf.all.secure_redirects=@0
305@m@/etc/sysctl.conf@net.ipv4.conf.default.secure_redirects=@0

# Disable response to broadcasts.
306@m@/etc/sysctl.conf@net.ipv4.icmp_echo_ignore_broadcasts=@1

# Enable ignoring bogus error responses
307@m@/etc/sysctl.conf@net.ipv4.icmp_ignore_bogus_error_responses=@1

# Enable route verification on all interfaces
308@m@/etc/sysctl.conf@net.ipv4.conf.all.rp_filter=@1
308@m@/etc/sysctl.conf@net.ipv4.conf.default.rp_filter=@1

# Enable TCP-SYN cookie protection
309@m@/etc/sysctl.conf@net.ipv4.tcp_syncookies=@1

# Enable preventing normal users from getting dmesg output
310@m@/etc/sysctl.conf@kernel.dmesg_restrict=@1

########################################################################
# Only Wants NetworkManager
########################################################################
401@m@/usr/lib/systemd/system/openEuler-security.service@Wants=@NetworkManager.service

401@d@/etc/sudoers@%wheel

#del SHA1 pem
402@rm -f @/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem

#limit user environment variables when used su
403@m@/etc/login.defs@ALWAYS_SET_PATH=@yes

#add umask 077 to /etc/csh.login
404@m@/etc/csh.login@umask@ 077

#disable ICMP redirects acceptance
407@m@/etc/sysctl.conf@net.ipv6.conf.all.accept_redirects=@0
407@m@/etc/sysctl.conf@net.ipv6.conf.default.accept_redirects=@0

#set LOG_UNKFAIL_ENAB to no
622@m@/etc/login.defs@LOG_UNKFAIL_ENAB @no