Linux server security baseline (practical notes)

Time: 2021-6-12

Business Tags: hospital information integration platform, Internet hospital, Internet nursing, chronic disease follow-up

Technical tags: ESB, ETL + CDC, NLP, FAAS, SaaS, Hadoop, microservice


1. System security baseline

1.1 Weak password for system login

**Description**

If the system uses a weak password, there is a high risk of intrusion by password guessing, and it must be fixed immediately.

**Reinforcement suggestions**

Execute the command `passwd [username]` and enter the new password at the prompt to complete the change. `username` is the account whose password is changed; if it is omitted, the current user's password is changed.
The password should meet the complexity requirements:

1. Length of more than 8 characters

2. Contains three of the following four types of characters:

Uppercase letters (A to Z)

Lowercase letters (a to z)

Digits (0 to 9)

Non-alphanumeric characters (for example !, $, #, %, @, ^, &)

3. Avoid common weak passwords such as abcd.1234, [email protected], etc.

 

1.2 Make sure that root is the only account with UID 0

**Description**

All users with UID 0 other than `root` should be deleted or assigned a new UID.

**Reinforcement suggestions**

All users with UID 0 other than `root` should be deleted or assigned a new UID.

View command:

cat /etc/passwd | awk -F: '($3 == 0) { print $1 }' | grep -v '^root$'

1.3 Turn on address space layout randomization

**Description**

ASLR randomizes the memory addresses of a process, making it harder for an intruder to predict a target address and so reducing the chance of a successful intrusion.

**Reinforcement suggestions**

Set the following parameter in `/etc/sysctl.conf` or in a file under `/etc/sysctl.d/`:

kernel.randomize_va_space = 2

Then apply it with the command:

sysctl -w kernel.randomize_va_space=2

1.4 Setting permissions of the user account configuration files

**Description**

Set the ownership and permissions of the user account files (`/etc/passwd`, `/etc/shadow`, `/etc/group`, `/etc/gshadow`) so that only `root` can modify them and the password hashes are readable only by `root`.

**Reinforcement suggestions**

Execute the following five commands

chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow

chmod 0644 /etc/group

chmod 0644 /etc/passwd

chmod 0400 /etc/shadow

chmod 0400 /etc/gshadow

1.5 Permission setting of the access control configuration files

**Description**

Set the ownership and permissions of the access control files (`/etc/hosts.allow`, `/etc/hosts.deny`).

**Reinforcement suggestions**

Run the following four commands:

chown root:root /etc/hosts.allow

chown root:root /etc/hosts.deny

chmod 644 /etc/hosts.deny

chmod 644 /etc/hosts.allow

If you are a RedHat 8 user, also run:

chown root:root /etc/ssh/sshd_config

chmod 600 /etc/ssh/sshd_config

1.6 Make sure the SSH LogLevel is set to INFO

**Description**

Make sure that the SSH `LogLevel` is set to `INFO` so that login and logout activity is recorded.

**Reinforcement suggestions**

Edit the `/etc/ssh/sshd_config` file and set the following parameter (uncomment it if necessary):

LogLevel INFO

1.7 Ensure that the rsyslog service is enabled for security auditing

**Description**

Make sure that the `rsyslog` service is enabled and logging, so that events are available for auditing.

**Reinforcement suggestions**

Run the following commands to enable and start the `rsyslog` service:

systemctl enable rsyslog

systemctl start rsyslog

1.8 Make sure SSH MaxAuthTries is set between 3 and 6

**Description**

Setting a lower `MaxAuthTries` value reduces the risk of a successful brute-force attack against the SSH server.

**Reinforcement suggestions**

In `/etc/ssh/sshd_config`, remove the `#` comment marker in front of `MaxAuthTries` and set the maximum number of failed password attempts to 3-6; 4 is suggested:

MaxAuthTries 4

1.9 Ensure that the password expiration warning is 7 days or more

**Description**

Make sure the number of days of warning before password expiry is 7 or more.

**Reinforcement suggestions**

In `/etc/login.defs`, set the `PASS_WARN_AGE` parameter to between 7 and 14; 7 is recommended:

PASS_WARN_AGE 7

At the same time, run the following command so that the setting takes effect for the `root` user:

chage --warndays 7 root

1.10 Forbid SSH login by users with an empty password

**Description**

Disable SSH login for users with an empty password.

**Reinforcement suggestions**

Edit `/etc/ssh/sshd_config` and set `PermitEmptyPasswords` to `no`:

PermitEmptyPasswords no

1.11 Check for system accounts with an empty password

**Description**

Check the system for accounts with an empty password.

**Reinforcement suggestions**

Set a non-empty password for the user, or run `passwd -l <username>` to lock the account.

1.12 Check whether password reuse is restricted

**Description**

Force users not to reuse recently used passwords, to reduce the risk of password guessing attacks.

**Reinforcement suggestions**

In `/etc/pam.d/password-auth` and `/etc/pam.d/system-auth`, append the `remember` parameter, set to between 5 and 24, to the end of the `password sufficient pam_unix.so` line. The existing content does not need to change; only add `remember=5` at the end of that line.

1.13 Password complexity check

**Description**

Check the minimum password length and whether passwords must use multiple character types.

**Reinforcement suggestions**

Edit `/etc/security/pwquality.conf`, set `minlen` (minimum password length) to between 8 and 32 characters, and set `minclass` (the number of character classes required from lowercase letters, uppercase letters, digits and special characters) to 3 or 4. For example:

minlen=10

minclass=3

1.14 Setting the SSH idle timeout

**Description**

Setting an SSH idle timeout reduces the risk of an unauthorized user taking over another user's idle SSH session.

**Reinforcement suggestions**

Edit `/etc/ssh/sshd_config`, set `ClientAliveInterval` to between 300 and 900 (that is, 5-15 minutes), and `ClientAliveCountMax` to between 0 and 3:

ClientAliveInterval 600

ClientAliveCountMax 2

1.15 Setting the minimum interval between password changes

**Description**

Set the minimum interval between password changes, to prevent users from changing their password repeatedly in quick succession.

**Reinforcement suggestions**

In `/etc/login.defs`, set the `PASS_MIN_DAYS` parameter to between 7 and 14; 7 is recommended:

PASS_MIN_DAYS 7

You also need to run the following command to apply the setting to the `root` user:

chage --mindays 7 root

1.16 Setting the password expiration time

**Description**

Set a password expiration time to force regular password changes and reduce the risk of password leakage and guessing. If you use a non-password login method (such as key pairs), ignore this item.

**Reinforcement suggestions**

If you use a non-password login method, such as key pairs, ignore this item.
In `/etc/login.defs`, set the `PASS_MAX_DAYS` parameter to between 60 and 180, for example:

PASS_MAX_DAYS 90

You also need to run the following command to set the `root` password expiration time:

chage --maxdays 90 root
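The checks in section 1 can be scripted. The POSIX shell audit below is an added example, not part of the original post: every check takes the path of the file it inspects, so it runs against the constructed sample files written by `make_samples` and, on a server, against the real `/etc/passwd`, `/etc/shadow`, `/etc/ssh/sshd_config`, `/etc/login.defs` and `/proc/sys/kernel/randomize_va_space`. The sample contents and the hash strings in them are constructed for the demo.

```shell
#!/bin/sh
# Audit helpers for the Linux items above (1.2, 1.3, 1.6, 1.8, 1.9, 1.10,
# 1.11, 1.14, 1.15, 1.16). Added example, not part of the post. Each check
# takes the path of the file to inspect, so it runs against the
# constructed sample files below as well as the real files under /etc.

# 1.2: any UID 0 account other than root is a finding.
check_uid0() {            # $1 = passwd file
    extra=$(awk -F: '($3 == 0) { print $1 }' "$1" | grep -v '^root$' || true)
    [ -z "$extra" ] && return 0
    echo "FAIL 1.2: extra UID 0 accounts:" $extra
    return 1
}

# 1.11: an empty second field in shadow means the account has no password.
check_empty_pw() {        # $1 = shadow file
    empty=$(awk -F: '($2 == "") { print $1 }' "$1")
    [ -z "$empty" ] && return 0
    echo "FAIL 1.11: accounts with an empty password:" $empty
    return 1
}

# 1.3: ASLR must be fully enabled; $1 is normally /proc/sys/kernel/randomize_va_space.
check_aslr() {
    [ "$(cat "$1")" = 2 ] && return 0
    echo "FAIL 1.3: kernel.randomize_va_space is not 2"
    return 1
}

# Numeric range check shared by the sshd_config and login.defs items.
in_range() {              # $1 = label, $2 = value, $3 = min, $4 = max
    case "$2" in
        ''|*[!0-9]*) echo "FAIL: $1 is unset or not numeric"; return 1 ;;
    esac
    [ "$2" -ge "$3" ] && [ "$2" -le "$4" ] && return 0
    echo "FAIL: $1=$2 is outside $3..$4"
    return 1
}

# sshd applies the FIRST uncommented occurrence of a keyword (keywords are
# case-insensitive); Match blocks are not modelled here.
sshd_value() {            # $1 = sshd_config, $2 = keyword
    awk -v k="$2" 'tolower($1) == tolower(k) && !seen { print $2; seen = 1 }' "$1"
}

# 1.6, 1.8, 1.10 and 1.14 in one pass over sshd_config.
check_sshd() {            # $1 = sshd_config
    rc=0
    [ "$(sshd_value "$1" LogLevel | tr 'a-z' 'A-Z')" = INFO ] \
        || { echo "FAIL 1.6: LogLevel is not INFO"; rc=1; }
    in_range MaxAuthTries "$(sshd_value "$1" MaxAuthTries)" 3 6 || rc=1
    [ "$(sshd_value "$1" PermitEmptyPasswords | tr 'A-Z' 'a-z')" = no ] \
        || { echo "FAIL 1.10: PermitEmptyPasswords is not no"; rc=1; }
    in_range ClientAliveInterval "$(sshd_value "$1" ClientAliveInterval)" 300 900 || rc=1
    in_range ClientAliveCountMax "$(sshd_value "$1" ClientAliveCountMax)" 0 3 || rc=1
    return $rc
}

# login.defs: the LAST uncommented occurrence of a key wins.
defs_value() {            # $1 = login.defs, $2 = key
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# 1.9, 1.15 and 1.16: password ageing policy.
check_login_defs() {      # $1 = login.defs
    rc=0
    in_range PASS_WARN_AGE "$(defs_value "$1" PASS_WARN_AGE)" 7 14 || rc=1
    in_range PASS_MIN_DAYS "$(defs_value "$1" PASS_MIN_DAYS)" 7 14 || rc=1
    in_range PASS_MAX_DAYS "$(defs_value "$1" PASS_MAX_DAYS)" 60 180 || rc=1
    return $rc
}

# Constructed sample files (not taken from any real host): a compliant and
# a non-compliant copy of each file, written into directory $1.
make_samples() {
    printf 'root:x:0:0:root:/root:/bin/bash\nnginx:x:995:992::/var/lib/nginx:/sbin/nologin\n' > "$1/passwd_ok"
    printf 'root:x:0:0:root:/root:/bin/bash\ntoor:x:0:0::/root:/bin/bash\n' > "$1/passwd_bad"
    printf 'root:$6$constructedhash:18700:0:99999:7:::\nnginx:!!:18700::::::\n' > "$1/shadow_ok"
    printf 'root:$6$constructedhash:18700:0:99999:7:::\nguest::18700::::::\n' > "$1/shadow_bad"
    printf '#LogLevel INFO\nLogLevel INFO\nMaxAuthTries 4\nPermitEmptyPasswords no\nClientAliveInterval 600\nClientAliveCountMax 2\n' > "$1/sshd_ok"
    # LogLevel only in a comment, MaxAuthTries too high, ClientAliveInterval missing
    printf '#LogLevel INFO\nMaxAuthTries 10\nPermitEmptyPasswords no\nClientAliveCountMax 2\n' > "$1/sshd_bad"
    printf 'PASS_MAX_DAYS 90\nPASS_MIN_DAYS 7\nPASS_WARN_AGE 7\n' > "$1/defs_ok"
    printf 'PASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\nPASS_WARN_AGE 7\n' > "$1/defs_bad"
}

# Demo over the constructed samples; pass the real paths instead on a server.
demo() {
    d=$(mktemp -d)
    make_samples "$d"
    for f in passwd_ok passwd_bad; do check_uid0 "$d/$f" && echo "PASS: $f"; done
    for f in shadow_ok shadow_bad; do check_empty_pw "$d/$f" && echo "PASS: $f"; done
    for f in sshd_ok sshd_bad; do check_sshd "$d/$f" && echo "PASS: $f"; done
    for f in defs_ok defs_bad; do check_login_defs "$d/$f" && echo "PASS: $f"; done
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument `demo` to see the sample results; on a server, call the check functions with the real file paths (as root, since `/etc/shadow` is not world-readable).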

2. Nginx security baseline

2.1 Make sure the autoindex module is disabled

**Description**

The autoindex module handles requests that end with a slash character. It produces directory listings, which can be useful for attacker reconnaissance, so it should be disabled.

**Reinforcement suggestions**

Do the following to disable the autoindex module:
Search the nginx configuration (`nginx.conf` and any included configuration files) for the `autoindex` directive:

egrep -i '^\s*autoindex\s+' /etc/nginx/nginx.conf
egrep -i '^\s*autoindex\s+' <included configuration files>

Delete it, or change it to `autoindex off` under `location`.

2.2 Security hardening of the nginx SSL protocol

**Description**

Strengthen the TLS protocol policy of nginx.

**Reinforcement suggestions**

Configure nginx to use TLSv1.2:
Open the `conf/nginx.conf` configuration file (or the file pulled in by `include` from the main configuration file) and set:

server {
...
ssl_protocols TLSv1.2;
...
}

**Note**: to configure this item, confirm that nginx was built with OpenSSL. Run `nginx -V`; if the output contains `built with OpenSSL`, OpenSSL is supported. If not, you may need to use `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` instead.

If the SSL protocol has not been configured yet, configure it as soon as possible (refer to https://www.nginx.cn/doc/optional/ssl.html).

2.3 Ensure that the nginx configuration file permission is 644

**Description**

Control configuration file permissions to resist external attacks.

**Reinforcement suggestions**

Modify the nginx configuration file permissions: run `chmod 644 <configuration file>` to restrict the permissions of the nginx configuration file.
(`<configuration file>` is the path of the configuration file, such as the default `<installation directory>/conf/nginx.conf` or `/etc/nginx/nginx.conf`, or a user-defined location; locate it yourself.)

2.4 Web access logging status of nginx

**Description**

The `access_log` directive should be enabled for each core site. It is enabled by default.

**Reinforcement suggestions**

Enable web access logging in nginx:
1. Open the `conf/nginx.conf` configuration file, including the sub-configuration files pulled in by `include` in the main configuration file;
2. Under `http`, configure the `access_log` entry: `access_log logs/host.access.log main;`
3. Delete any `access_log off` entries in the main configuration file and its included files, or set them to an appropriate value.

2.5 Hiding the nginx server banner

**Description**

Hide the version banner of the nginx service.

**Reinforcement suggestions**

Hide the nginx server banner:
1. Open the `conf/nginx.conf` configuration file;
2. Under `server`, configure the `server_tokens` item as `server_tokens off;`. If multiple items are not supported, run `ln <configuration file> /etc/nginx/nginx.conf`.

 

2.6 Hiding headers specified by the nginx backend service

**Description**

Hide the `X-Powered-By` header of the nginx backend service.

**Reinforcement suggestions**

Hide the specified headers of the nginx backend service:
1. Open the `conf/nginx.conf` configuration file;
2. Under `http`, configure `proxy_hide_header`: add or modify it to `proxy_hide_header X-Powered-By;` and `proxy_hide_header Server;`

2.7 Check the account the nginx process starts as

**Description**

Check which account starts the nginx process, to reduce the probability of a successful attack.

**Reinforcement suggestions**

Modify the nginx process startup account:
1. Open the `conf/nginx.conf` configuration file;
2. Check the `user` configuration item in the configuration file and confirm that nginx is not started as `root`;
3. If it is started as `root`, change it to `nobody` or `nginx`;
4. Note: after modifying the configuration file, you need to restart nginx.

2.8 Check whether the nginx account locking policy is configured

**Description**

1. Run the system command `passwd -S nginx` to check the lock status; `Password locked` in the output shows that the account is locked.
For example: `nginx LK 2020-12-29 -1 -1 -1 (Password locked.)`

2. This is consistent by default and only needs checking after modification.
3. Run the system command `passwd -l nginx` to lock the account.

**Reinforcement suggestions**

To configure the login locking policy of the nginx account:
The nginx service should be started by a non-root user (such as `nginx` or `nobody`), and that user's account should be locked.
Run `passwd -l <username>`, for example `passwd -l nginx`, to lock the user that starts the nginx service.
The command `passwd -S`, for example `passwd -S nginx`, shows the user's status.
Modify the `user` directive in the nginx configuration file so that nginx starts as `nginx` or `nobody`.

For example: `user nobody`

If you are a docker user, you can ignore this item (or add a whitelist).
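The nginx items above are usually checked by hand with `grep`, which misses directives that live in an included file. The following POSIX shell script is an added example, not code from the post or from nginx: it flattens a configuration tree by following `include` directives (relative paths resolved against a prefix directory you pass, as nginx does with its configured prefix) and then applies the section 2 checks. The sample configuration tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Audit of the nginx items above (2.1, 2.2, 2.4, 2.5, 2.6, 2.7) over a whole
# configuration tree. Added example, not part of the post. `include`
# directives are followed, so a directive hidden in a conf.d/ file is found.

# Print every directive of $1 and, recursively, of each file named by an
# `include` directive, one directive per line with comments stripped and
# blocks split apart. Relative include paths are resolved against the
# prefix directory $2 (nginx resolves them against its configured prefix).
nginx_flatten() {         # $1 = config file, $2 = prefix directory
    sed 's/#.*//' "$1" | tr ';{}' '\n\n\n' | awk 'NF' | while IFS= read -r line; do
        printf '%s\n' "$line"
        case "$line" in
            *"include "*)
                inc=$(printf '%s' "${line#*include}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
                case "$inc" in /*) ;; *) inc="$2/$inc" ;; esac
                for f in $inc; do          # unquoted on purpose: expands the glob
                    if [ -f "$f" ]; then nginx_flatten "$f" "$2"; fi
                done ;;
        esac
    done
}

# True when the flattened configuration $1 contains a line matching ERE $2.
has_directive() {
    printf '%s\n' "$1" | grep -Eiq "$2"
}

# Apply the section 2 checks; prints each finding and returns 1 if any.
nginx_audit() {           # $1 = root config file, $2 = prefix directory
    flat=$(nginx_flatten "$1" "$2")
    rc=0
    has_directive "$flat" '^[[:space:]]*autoindex[[:space:]]+on' \
        && { echo "FAIL 2.1: autoindex on"; rc=1; }
    has_directive "$flat" '^[[:space:]]*ssl_protocols[[:space:]].*(SSLv[23]|TLSv1(\.1)?)([[:space:]]|$)' \
        && { echo "FAIL 2.2: legacy SSL/TLS versions are enabled"; rc=1; }
    has_directive "$flat" '^[[:space:]]*access_log[[:space:]]+off' \
        && { echo "FAIL 2.4: access_log off"; rc=1; }
    has_directive "$flat" '^[[:space:]]*server_tokens[[:space:]]+off' \
        || { echo "FAIL 2.5: server_tokens off is not set"; rc=1; }
    has_directive "$flat" '^[[:space:]]*proxy_hide_header[[:space:]]+X-Powered-By' \
        || { echo "FAIL 2.6: X-Powered-By header is not hidden"; rc=1; }
    has_directive "$flat" '^[[:space:]]*user[[:space:]]+root([[:space:]]|$)' \
        && { echo "FAIL 2.7: worker processes run as root"; rc=1; }
    return $rc
}

# Constructed sample tree (not from any real server): the root file looks
# clean, but the included site file turns autoindex on and still allows TLSv1.
# A corrected copy is written under $1/fixed for comparison.
make_nginx_samples() {    # $1 = prefix directory to populate
    mkdir -p "$1/conf.d" "$1/fixed/conf.d"
    cat > "$1/nginx.conf" <<'EOF'
user nginx;
http {
    server_tokens off;
    proxy_hide_header X-Powered-By;   # 2.6
    access_log logs/host.access.log main;
    include conf.d/*.conf;
}
EOF
    cat > "$1/conf.d/site.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location /files/ { autoindex on; }
}
EOF
    cp "$1/nginx.conf" "$1/fixed/nginx.conf"
    sed -e 's/TLSv1 TLSv1.1 TLSv1.2/TLSv1.2/' -e 's/autoindex on/autoindex off/' \
        "$1/conf.d/site.conf" > "$1/fixed/conf.d/site.conf"
}

# Demo over the constructed tree; on a server call
# nginx_audit /etc/nginx/nginx.conf <prefix from nginx -V> instead.
demo() {
    d=$(mktemp -d)
    make_nginx_samples "$d"
    nginx_audit "$d/nginx.conf" "$d" && echo "PASS: sample"
    nginx_audit "$d/fixed/nginx.conf" "$d/fixed" && echo "PASS: fixed sample"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```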

3. Redis security baseline

3.1 High risk of unauthorized access to redis

**Description**

The redis port is open to the outside world and no authentication is configured. Besides reading all the data in the database directly, an unauthorized user can also attack the system through the unauthorized access vulnerability.

**Reinforcement suggestions**

You can fix it in the following ways:
1. Configure authentication for the redis service: set a complex password in `requirepass` in the configuration file `redis.conf`, then restart redis.
2. In the redis configuration file `redis.conf`, configure `bind 127.0.0.1` to allow local access only, then restart redis.

3.2 Enable redis password authentication and set a high-complexity password

**Description**

Redis enables password authentication through the `requirepass` configuration item in the `redis.conf` configuration file.
Redis is very fast: the `AUTH` command can be processed more than 90,000 times per second, so a simple redis password can easily be broken by an attacker.

**Reinforcement suggestions**

Open `redis.conf`, find the `requirepass` line, and change it to the chosen password. The password should meet the complexity requirements:

1. Length of more than 8 characters

2. Contains three of the following four types of characters:

Uppercase letters (A to Z)

Lowercase letters (a to z)

Digits (0 to 9)

Non-alphanumeric characters (for example !, $, #, %, @, ^, &)

3. Avoid common weak passwords such as abcd.1234, [email protected], etc.

Then remove the leading `#` comment character and restart redis.

 

3.3 Modify the default port 6379

**Description**

Avoid well-known ports to reduce the risk of being found by basic scanning.

**Reinforcement suggestions**

Edit the redis configuration file `redis.conf`, find the line containing `port`, change the default `6379` to a custom port number, and then restart redis.

3.4 Enable protected mode

**Description**

Redis enables protected mode by default. If neither `bind` nor a password is specified in the configuration, then with this parameter enabled redis can only be accessed locally and external access is denied.

**Reinforcement suggestions**

Security setting in `redis.conf` (enable protected mode): `protected-mode yes`

3.5 Disable or rename dangerous commands

**Description**

Using the `KEYS *` command on a production redis instance is also very dangerous. Production redis therefore needs to disable some dangerous commands, or at least prevent arbitrary users from using them. Redis has no complete permission management system, but it does provide a workaround.

**Reinforcement suggestions**

Modify the `redis.conf` file and add:

rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""
rename-command KEYS ""
rename-command SHUTDOWN ""
rename-command DEL ""
rename-command EVAL ""

Then restart redis.
Renaming a command to `""` disables it. If you want to keep the command, rename it to an unpredictable string instead, for example:

rename-command FLUSHALL joYAPNXRPmcarcR4ZDgC

3.6 Restrict access to the redis configuration file

**Description**

Because the redis password is stored in clear text in the configuration file, unrelated users must be prevented from reading it. Set the redis configuration file permission to `600`.

**Reinforcement suggestions**

Run the following command to modify the configuration file permissions:

chmod 600 <redis installation directory>/redis.conf

3.7 Do not start redis as root

**Description**

Running network services with `root` privileges is risky (both nginx and Apache have a dedicated worker user, while redis does not).
The redis "crackit" vulnerability uses the `root` user's permissions to replace or add `authorized_keys` in order to obtain `root` login.

**Reinforcement suggestions**

Switch from `root` to a dedicated `redis` user to start the service:

useradd -s /sbin/nologin -M redis

sudo -u redis <redis installation directory>/redis-server <redis installation directory>/redis.conf >/dev/null 2>&1 &

3.8 Do not listen on the public network

**Description**

Redis listening on 0.0.0.0 exposes it to penetration from outside and to lateral movement inside the network, and is very easily exploited by attackers.

**Reinforcement suggestions**

In the redis configuration file `redis.conf`, configure `bind 127.0.0.1` or an intranet IP, and then restart redis.
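Items 3.1 to 3.5 and 3.8 all live in `redis.conf`, so they can be audited together. The POSIX shell script below is an added example, not code from the post or from the redis project: it reads the effective `bind`, `port`, `protected-mode` and `requirepass` values (last occurrence wins) and confirms that every command in the post's list is disabled or renamed. The two sample files, including the password in the compliant one, are constructed for the demo.

```shell
#!/bin/sh
# Audit of the redis.conf items above (3.1/3.8 bind, 3.2 requirepass,
# 3.3 port, 3.4 protected-mode, 3.5 rename-command). Added example, not
# part of the post. redis.conf holds one "keyword arguments" entry per line;
# for most keywords the last occurrence wins, while every rename-command
# line applies.

# Arguments of the last uncommented occurrence of keyword $2 in $1.
redis_value() {           # $1 = redis.conf, $2 = keyword
    awk -v k="$2" '$1 == k { $1 = ""; v = substr($0, 2) } END { print v }' "$1"
}

# Number of character classes (upper, lower, digit, other) in a password.
char_classes() {          # $1 = password
    n=0
    for re in '[A-Z]' '[a-z]' '[0-9]' '[^A-Za-z0-9]'; do
        printf '%s' "$1" | grep -q "$re" && n=$((n + 1))
    done
    echo "$n"
}

# The commands the post lists; each must be disabled ("") or renamed.
DANGEROUS="FLUSHALL FLUSHDB CONFIG KEYS SHUTDOWN DEL EVAL"

# Apply the checks; prints each finding and returns 1 if there is any.
redis_audit() {           # $1 = redis.conf
    rc=0
    bind=$(redis_value "$1" bind)
    case " $bind " in      # no bind at all also means "listen everywhere"
        "  "|*" 0.0.0.0 "*|*" * "*)
            echo "FAIL 3.8: redis listens on all interfaces (bind: '${bind:-unset}')"; rc=1 ;;
    esac
    pw=$(redis_value "$1" requirepass)
    [ "${#pw}" -gt 8 ] && [ "$(char_classes "$pw")" -ge 3 ] \
        || { echo "FAIL 3.2: requirepass unset or below the complexity rules"; rc=1; }
    port=$(redis_value "$1" port)
    [ -n "$port" ] && [ "$port" != 6379 ] \
        || { echo "FAIL 3.3: default port 6379 in use"; rc=1; }
    [ "$(redis_value "$1" protected-mode)" = yes ] \
        || { echo "FAIL 3.4: protected-mode is not yes"; rc=1; }
    for cmd in $DANGEROUS; do
        awk -v c="$cmd" 'toupper($1) == "RENAME-COMMAND" && toupper($2) == c { ok = 1 }
                         END { exit !ok }' "$1" \
            || { echo "FAIL 3.5: $cmd is neither disabled nor renamed"; rc=1; }
    done
    return $rc
}

# Constructed sample files (not from any real server), written into $1.
make_redis_samples() {
    cat > "$1/redis_bad.conf" <<'EOF'
# bind 127.0.0.1
port 6379
protected-mode no
requirepass redis123
rename-command FLUSHALL ""
EOF
    cat > "$1/redis_ok.conf" <<'EOF'
bind 127.0.0.1 10.20.30.40
port 16379
protected-mode yes
requirepass Xk7#pQ2v!mLz9wRt
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG joYAPNXRPmcarcR4ZDgC
rename-command KEYS ""
rename-command SHUTDOWN ""
rename-command DEL ""
rename-command EVAL ""
EOF
}

# Demo over the samples; on a server call redis_audit <path>/redis.conf instead.
demo() {
    d=$(mktemp -d)
    make_redis_samples "$d"
    for f in redis_bad.conf redis_ok.conf; do
        redis_audit "$d/$f" && echo "PASS: $f"
    done
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```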

 

4. Zookeeper security baseline

4.1 Zookeeper unauthorized access

**Description**

Without access control, zookeeper exposes a large amount of sensitive information through the `envi` command. Any user or client can connect to the ZK server without authentication and add or delete `znode`s, which is very insecure and easy to attack and tamper with.

**Reinforcement suggestions**

You can fix it in the following ways:
Limit zookeeper's direct exposure to the public network: change the port binding address to `127.0.0.1`.
Set up access control:
1. Add an authenticated user: `addauth digest <username>:<plaintext password>`
2. Set access control permissions: `setAcl /path auth:<username>:<plaintext password>:<permissions>`

For example, set permissions on the root node: `setAcl / auth:user1:password1:cdrwa`

Set IP whitelist access control. For example, whitelist the `192.168.0.0/24` segment; when setting the IP whitelist, also add the local IP `127.0.0.1` so that it remains accessible and modifiable:

setAcl / ip:127.0.0.1:cdrwa,ip:192.168.0.1/24:cdrwa

5. MySQL security baseline

5.1 Disable the symbolic-links option

**Description**

Disable symbolic links to prevent various security risks.

**Reinforcement suggestions**

Edit the MySQL configuration file `<path>/my.cnf`, set `symbolic-links=0` in the `[mysqld]` section (for version 5.6 and above, set `skip_symbolic_links=yes`), and restart the MySQL service.

5.2 Anonymous login check

**Description**

Check whether the MySQL service allows anonymous login.

**Reinforcement suggestions**

Log in to the MySQL database and execute the following statements to delete the anonymous accounts:

DELETE FROM mysql.user WHERE user='';

FLUSH PRIVILEGES;

5.3 Make sure that the log-raw option is not configured to ON

**Description**

When `log-raw` logging is enabled, anyone with access to the log files may see plain-text passwords.

**Reinforcement suggestions**

Edit the MySQL configuration file `<path>/my.cnf`, delete the `log-raw` parameter, and restart the MySQL service.

5.4 Make sure that the log-error option is configured

**Description**

Enabling error logging improves the ability to detect malicious attempts against MySQL, as well as other critical messages. For example, if error logging is not enabled, connection errors may go unnoticed.

**Reinforcement suggestions**

Edit the MySQL configuration file `<path>/my.cnf` and configure the `log-error` parameter in the `[mysqld_safe]` section, where `<log file path>` is the path of the log file, such as `/var/log/mysqld.log`; then restart the MySQL service:

log-error=<log file path>

5.5 Delete the `test` database

**Description**

The `test` database is accessible to all users and can be used to consume system resources. Deleting it reduces the attack surface of the MySQL server.

**Reinforcement suggestions**

Log in to the database and execute the following SQL statements to delete the `test` database:

DROP DATABASE test;

FLUSH PRIVILEGES;

5.6 Do not start the MySQL service with the --skip-grant-tables option

**Description**

Using this option gives all clients unrestricted access to all databases.

**Reinforcement suggestions**

Edit the MySQL configuration file `<path>/my.cnf`, delete the `skip-grant-tables` parameter, and restart the MySQL service.

 

5.7 Use a dedicated least-privilege account for the MySQL service

**Description**

Running the service under a least-privilege account reduces the impact of vulnerabilities inherent in MySQL. A restricted account cannot access resources unrelated to MySQL, such as the operating system configuration.

**Reinforcement suggestions**

Use a non-root, non-sudo user to start the MySQL service.

5.8 Modify the default port 3306

**Description**

Avoid well-known ports to reduce the risk of being found by basic scanning.

**Reinforcement suggestions**

Edit the `<path>/my.cnf` file, configure the new port parameter in the `[mysqld]` section, and restart the MySQL service:

port=3506

5.9 Ensure the MYSQL_PWD environment variable is not set

**Description**

Using the `MYSQL_PWD` environment variable means that MySQL credentials are stored in clear text, which greatly increases the risk of credential leakage.

**Reinforcement suggestions**

Delete the MySQL password (the `MYSQL_PWD` setting) from the system environment variables.

5.10 Make sure that no user has a wildcard host name configured

**Description**

Avoiding a bare wildcard in the host name limits the clients that can connect to the database; otherwise the service is effectively open to the public network.

**Reinforcement suggestions**

Execute SQL `UPDATE` statements to specify the allowed `host` range for each user.

1. Log in to the database and execute:

use mysql;

2. Execute the statement:

select user,Host from user where Host='%';

to list the users whose `host` is a wildcard;

3. Delete the user or modify the user's `host` field.

Delete statement:

DROP USER 'user_name'@'%';

UPDATE statement (`<allowed host>` is the IP address or host name the user may connect from):

update user set host = '<allowed host>' where host ='%';

4. Execute the SQL statements:

OPTIMIZE TABLE user;

flush privileges;

5.11 Disable the local_infile option

**Description**

Disabling the `local_infile` option reduces an attacker's ability to read sensitive files through an SQL injection vulnerability.

**Reinforcement suggestions**

Edit the MySQL configuration file `<path>/my.cnf`, set the `local-infile` parameter to `0` in the `[mysqld]` section, and restart the MySQL service:

local-infile=0

5.12 Weak password for database login

**Description**

If the system uses a weak password, there is a high risk of intrusion by password guessing, and it must be fixed immediately.

**Reinforcement suggestions**

Log in to the MySQL database and view the database user password information:

SELECT user, host, authentication_string FROM user;

On some versions the query is:

SELECT user, host, password FROM user;

Modify the user's password according to the query result and the weak password alarm information:

SET PASSWORD FOR 'user name'@'host' = PASSWORD('new password');

Execute the refresh command:

flush privileges;

The new password should meet the complexity requirements:

1. Length of more than 8 characters

2. Contains three of the following four types of characters:

Uppercase letters (A to Z)

Lowercase letters (a to z)

Digits (0 to 9)

Non-alphanumeric characters (for example !, $, #, %, @, ^, &)

3. Avoid common weak passwords such as abcd.1234, [email protected], etc.

6. Tomcat security baseline

6.1 Limit information leakage about the server platform

**Description**

Limiting disclosure of server platform information makes it harder for attackers to determine which vulnerabilities affect the server platform.

**Reinforcement suggestions**

1. Enter the `lib` directory under the Tomcat installation home directory, for example `cd /usr/local/tomcat7/lib`.
2. Execute:

jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties

Modify the values of `server.info` and `server.number` in the extracted file `ServerInfo.properties`, for example to `Apache/11.0.92` and `11.0.92.0`.

3. Execute:

jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties

4. Restart the Tomcat service.

 

6.2 Avoid configuring a weak password for the Tomcat manager GUI

**Description**

Tomcat manager is the web application hot-deployment function provided by Tomcat. It is highly privileged and can directly control Tomcat applications, so it should be avoided as far as possible. If you have a special need for it, be sure to configure a strong password.

**Reinforcement suggestions**

Edit the configuration file `conf/tomcat-users.xml` in the Tomcat root directory and change the `password` attribute of the `user` node to a complex password. The password should meet the complexity requirements:

1. Length of more than 8 characters

2. Contains three of the following four types of characters:

Uppercase letters (A to Z)

Lowercase letters (a to z)

Digits (0 to 9)

Non-alphanumeric characters (for example !, $, #, %, @, ^, &)

3. Avoid common weak passwords such as abcd.1234, [email protected], etc.

6.3 Deleting irrelevant files and directories

**Description**

The Tomcat installation ships with sample applications, documentation and other programs and directories that are not needed in production. They pose a considerable security risk and should be removed.

**Reinforcement suggestions**

Delete the Tomcat sample programs and directories, the management console, etc.: move out or delete the `docs`, `examples`, `host-manager` and `manager` directories under the `webapps` directory of the Tomcat root.

6.4 Prevent Tomcat from displaying directory listings

**Description**

Tomcat allowing directory file listings to be displayed leads to a directory traversal vulnerability.

**Reinforcement suggestions**

Modify the configuration file `conf/web.xml` in the Tomcat directory and set the value of `listings` to `false`:

<param-name>listings</param-name>

<param-value>false</param-value>

6.5 Turn on logging

**Description**

Tomcat needs to keep its output logs so that errors and security events can be analysed and located.

**Reinforcement suggestions**

1. Modify the `conf/server.xml` file in the Tomcat root directory.
2. Uncomment the `Valve` node under the `Host` node (add it if it is absent):

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b" />

3. Restart Tomcat.

 

6.6 Disable exception debugging information

**Description**

When a runtime error occurs during request processing, Apache Tomcat shows debugging information to the requester. Providing such debugging information to the requester is not recommended.

**Reinforcement suggestions**

Add a child node to `web-app` in the `conf/web.xml` file in the Tomcat root directory:

<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/error.jsp</location>
</error-page>

Create `error.jsp` in the `webapps` directory to define the custom error message.

6.7 Tomcat process running permission check

**Description**

When running an Internet-facing service, avoid using the `root` user as far as possible, so as to reduce the chance of an attacker gaining control of the server.

**Reinforcement suggestions**

Create a low-privilege account to run Tomcat. The steps are as follows:

1. Create a tomcat user:

useradd tomcat

2. Change the owner of the Tomcat directory to tomcat:

chown -R tomcat:tomcat /opt/tomcat

3. Stop the original Tomcat service.

4. Switch to the tomcat user:

su - tomcat

5. Restart Tomcat:

/opt/tomcat/bin/startup.sh

6.8 Tomcat directory permission check

**Description**

Avoid running the Tomcat service as the root user. The owner of the Tomcat directories (`CATALINA_HOME` and `CATALINA_BASE`) should be changed to a non-root user.

**Reinforcement suggestions**

Use `chown -R <user>:<group> <directory>` to change the owner of the Tomcat directory tree, for example:

chown -R tomcat:tomcat /usr/local/tomcat

 

6.9 Disable automatic deployment

**Description**

With automatic deployment configured, malicious or untested applications can easily be deployed, so it should be disabled.

**Reinforcement suggestions**

Modify the configuration file `conf/server.xml` in the Tomcat root directory and set the `autoDeploy` attribute of the `Host` node to `false`. If the `deployOnStartup` attribute of `Host` is `true`, change it to `false` as well (it can be ignored if `deployOnStartup` is not configured).

7. Docker security baseline

7.1 Ensure docker.sock is not mounted

**Description**

A container with `docker.sock` mounted can easily obtain special privileges. Once an attacker gets into such a container, the security of the host is seriously affected.

**Reinforcement suggestions**

Using the `<container ID>` from the alert, find the running docker container and restart it without mounting `docker.sock`:

docker stop <container ID>

docker run [options] <image> or docker run [options] <image ID>

7.2 Do not share the host's process namespace

**Description**

The process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This provides process-level isolation between the container and the host.
The PID namespace provides process separation: it removes the view of the system's processes and allows process IDs to be reused, including PID 1. If the host's PID namespace is shared with the container, processes in the container can basically see all the processes on the host system. This defeats the benefit of process-level isolation between host and containers. Anyone with access to the container can learn all the processes running on the host system and even kill host processes from inside the container, which can be catastrophic. Therefore, do not share the host's process namespace with containers.

**Reinforcement suggestions**

Do not start containers with the `--pid=host` parameter.

7.3 Do not use privileged containers

**Description**

The `--privileged` flag grants all Linux kernel capabilities to the container, overriding the `--cap-add` and `--cap-drop` flags. Make sure it is not used.
The `--privileged` flag gives the container all capabilities and also lifts all the limitations enforced by the device cgroup controller.
In other words, the container can then do almost everything the host can do. This flag exists to allow special use cases, such as running docker inside docker.

**Reinforcement suggestions**

Do not run containers with the `--privileged` flag.

7.4 Do not use the aufs storage driver

**Description**

The `aufs` storage driver is the oldest storage driver. It is based on a Linux kernel patch set that is unlikely to be merged into the mainline Linux kernel. The `aufs` driver is also known to cause some serious kernel crashes, and it only has legacy support in docker. Most importantly, many Linux distributions using recent Linux kernels do not support the `aufs` driver.

**Reinforcement suggestions**

Do not explicitly use `aufs` as the storage driver, that is, do not start the docker daemon with `--storage-driver aufs`.
If the docker service is managed by `systemctl`, edit the `ExecStart` parameter in `/usr/lib/systemd/system/docker.service`, delete `--storage-driver aufs`, and restart the docker service:

systemctl daemon-reload

systemctl restart docker

7.5 allow docker to change iptables

**Description**

`Iptables’ is used to set, maintain and check the ‘IP’ packet filter rule table in the Linux kernel. Allows the ‘docker’ daemon to make changes to ‘iptables’.
If you choose to do so, ‘docker’ will never change your system’s’ iptables’ rules. If allowed, the ‘docker’ server will automatically make the required changes to ‘iptables’ according to the way you select network options for the container. It is recommended that the ‘docker’ server automatically make changes to ‘iptables’ to avoid network configuration errors, which may hinder the communication between containers and the outside world. In addition, every time you choose to run the container or modify the network options, it can avoid the trouble of updating ‘iptables’.

**Reinforcement suggestions**

Do not run the `docker` daemon with the `--iptables=false` parameter.
If the `docker` service is managed by `systemctl`, edit the `ExecStart` line in `/usr/lib/systemd/system/docker.service`, remove `--iptables=false`, and restart the `docker` service:

systemctl daemon-reload

systemctl restart docker

7.6 setting logging level

**Description**

Set an appropriate log level and configure the docker daemon to record the events you may want to review later. The base log level `info` (and above) captures everything except debug logs. Unless and until it is necessary, do not run the `docker` daemon at the `debug` log level.

**Reinforcement suggestions**

Run the ‘docker’ daemon as follows:

dockerd --log-level=info

If `systemctl` manages the docker service, edit the `ExecStart` line in `/usr/lib/systemd/system/docker.service`, add `--log-level="info"`, and restart `docker`:

systemctl stop docker

systemctl start docker

7.7 confirm that docker-related files have appropriate permissions

**Description**

Securing the files and directories that may contain sensitive parameters is important for the correct and safe operation of the `docker` daemon.

**Reinforcement suggestions**

Execute the following commands to set the ownership and permissions of the `docker`-related files:

chown root:root /usr/lib/systemd/system/docker.service

chmod 644 /usr/lib/systemd/system/docker.service

chown root:root /usr/lib/systemd/system/docker.socket

chmod 644 /usr/lib/systemd/system/docker.socket

chown root:root /etc/docker

chmod 755 /etc/docker

If the file paths differ on your system, obtain the actual paths with:

systemctl show -p FragmentPath docker.socket

systemctl show -p FragmentPath docker.service
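An added check for item 7.7 (example code, not part of the original baseline): it compares each file's owner and mode with the values above, resolving the unit paths through `systemctl show -p FragmentPath` as suggested. It assumes GNU `stat` on a Linux host; the fallback unit path is the one documented above.

```shell
#!/bin/sh
# Added example, not part of the original baseline: verify that a docker-related
# file has the owner and mode the baseline expects (GNU stat -c, i.e. Linux).
# Prints one line per deviation; returns 0 when compliant, 1 otherwise.
check_docker_file() {
    path=$1; want_owner=$2; want_mode=$3; rc=0
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    have_owner=$(stat -c '%U:%G' "$path")
    have_mode=$(stat -c '%a' "$path")
    if [ "$have_owner" != "$want_owner" ]; then
        echo "OWNER $path is $have_owner, expected $want_owner"; rc=1
    fi
    if [ "$have_mode" != "$want_mode" ]; then
        echo "MODE  $path is $have_mode, expected $want_mode"; rc=1
    fi
    return $rc
}

# Resolve a unit file path from systemd, as the baseline suggests, falling back
# to the documented location when systemctl is not available.
unit_path() {
    p=$(systemctl show -p FragmentPath "$1" 2>/dev/null | sed 's/^FragmentPath=//')
    echo "${p:-/usr/lib/systemd/system/$1}"
}

# Walk the 7.7 list; run as root on the docker host. Returns the failure count.
audit_docker_files() {
    n=0
    check_docker_file "$(unit_path docker.service)" root:root 644 || n=$((n+1))
    check_docker_file "$(unit_path docker.socket)"  root:root 644 || n=$((n+1))
    check_docker_file /etc/docker                   root:root 755 || n=$((n+1))
    return $n
}
```

Run `audit_docker_files` on the host; a non-zero return means at least one file deviates from the baseline and the offending lines are printed.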

7.8 mount the root file system of the container as read-only

**Description**

The container's root filesystem should be treated as a "golden image", and writes to it should be avoided. Any location the container may write to should be declared explicitly as a volume.
Do not store data inside the container itself; the data belonging to a container should be explicitly defined and managed. This is useful in the many cases where an administrator wants to control where developers may write files and error output.

**Reinforcement suggestions**

Add the `--read-only` flag so that the container's root filesystem is mounted read-only. Combined with volumes, this forces the container's processes to write only to the locations set aside for them. Run the container as follows:

docker run --interactive --tty --read-only --volume <writable-volume> <image> <command>

If the container is created by `k8s` or other container orchestration software, apply or skip this item according to the corresponding security policy.

7.9 enable content trust for docker

**Description**

Content trust is disabled by default; you should enable it.
Content trust uses digital signatures for data sent to and received from a remote `docker` registry. These signatures let clients verify the integrity and the publisher of specific image tags, which establishes the provenance of the container image.

**Reinforcement suggestions**

To enable content trust in a `bash` shell, enter the following command:

export DOCKER_CONTENT_TRUST=1

Alternatively, set this environment variable in your shell profile so that content trust is enabled at every login. Content trust currently applies only to users of the public Docker Hub; it is not yet available for `docker trusted registry` or private registries.

7.10 limit the memory usage of the container

**Description**

By default, all containers on a `docker` host share its resources equally. Using the resource management features of the `docker` host, such as memory limits, you can control how much memory a container may consume.
By default, a container may use all of the host's memory. A memory limit prevents a denial of service in which one container consumes all of the host's resources and leaves the other containers on the same host unable to perform their function. Without a memory limit, a single container can easily make the whole system unstable and therefore unusable.

**Reinforcement suggestions**

Give a container only the memory it needs. Always run containers with the `--memory` parameter, for example:

docker run --interactive --tty --memory 256m <image> <command>

 

7.11 do not mount sensitive host system directories in containers

**Description**

The following sensitive host system directories must not be mounted as container volumes, especially not read-write:

/boot

/dev

/etc

/lib

/proc

/sys

/usr

If sensitive directories are mounted read-write, the files in them can be modified from inside the container. Such modifications can weaken security or introduce unwanted changes that compromise the docker host.
If the container is created by k8s or other container orchestration software, apply or skip this item according to the corresponding security policy.

**Reinforcement suggestions**

Do not mount sensitive host directories in containers, especially not read-write.

7.12 limit network traffic between containers

**Description**

By default, all network traffic is allowed between containers on the same host. If that is not needed, restrict communication between all containers and link only the specific containers that must talk to each other. Because unrestricted traffic between containers on the same host is the default, any container can read every packet on that host's container network, which can lead to unintended and unnecessary information disclosure to other containers. Communication between containers should therefore be restricted.

**Reinforcement suggestions**

Run `docker` in daemon mode and pass `--icc=false` as a parameter. For example:

/usr/bin/dockerd --icc=false

 

If you use `systemctl` to manage the `docker` service, edit

/usr/lib/systemd/system/docker.service

add `--icc=false` to the `ExecStart` line in that file, and then restart the `docker` service:

systemctl daemon-reload

systemctl restart docker
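An added audit script (example code, not from the original baseline) that checks a `dockerd` command line for the daemon-level items of 7.4, 7.5, 7.6 and 7.12 in one pass. The `ps -o args= -C dockerd` helper (procps on Linux) and the two sample command lines are assumptions for a stand-alone run.

```shell
#!/bin/sh
# Added example, not part of the original baseline: audit a dockerd command
# line for the daemon-level items of 7.4, 7.5, 7.6 and 7.12. $1 is the whole
# command line; one PASS/FAIL line is printed per check and the return value
# is the number of failures.
audit_dockerd_cmdline() {
    cmdline=" $1 "      # pad with spaces so patterns anchor on whole flags
    fails=0
    # 7.4: aufs must not be selected explicitly (either spelling of the flag).
    case "$cmdline" in
        *"--storage-driver aufs "*|*"--storage-driver=aufs "*)
            echo "FAIL 7.4  aufs storage driver selected"; fails=$((fails+1)) ;;
        *)  echo "PASS 7.4  storage driver is not aufs" ;;
    esac
    # 7.5: docker must be allowed to manage iptables.
    case "$cmdline" in
        *"--iptables=false "*|*"--iptables false "*)
            echo "FAIL 7.5  --iptables=false present"; fails=$((fails+1)) ;;
        *)  echo "PASS 7.5  iptables management enabled" ;;
    esac
    # 7.6: log level set explicitly and not debug.
    case "$cmdline" in
        *"--log-level=debug "*|*"--log-level debug "*)
            echo "FAIL 7.6  daemon runs at debug log level"; fails=$((fails+1)) ;;
        *"--log-level"*)
            echo "PASS 7.6  log level set explicitly" ;;
        *)  echo "FAIL 7.6  no --log-level given (use --log-level=info)"; fails=$((fails+1)) ;;
    esac
    # 7.12: inter-container communication off unless containers are linked.
    case "$cmdline" in
        *"--icc=false "*|*"--icc false "*)
            echo "PASS 7.12 --icc=false present" ;;
        *)  echo "FAIL 7.12 --icc=false missing"; fails=$((fails+1)) ;;
    esac
    return $fails
}

# Audit the running daemon on a Linux docker host (procps ps, assumed).
audit_running_dockerd() {
    audit_dockerd_cmdline "$(ps -o args= -C dockerd | head -n 1)"
}

# Constructed sample command lines for a stand-alone run (not real hosts).
WEAK_CMDLINE='/usr/bin/dockerd --storage-driver aufs --iptables=false --log-level=debug'
HARDENED_CMDLINE='/usr/bin/dockerd -H fd:// --log-level=info --icc=false'
```

The weak sample fails all four checks (return value 4) and the hardened one passes (return value 0); run `audit_running_dockerd` on a host to check the live daemon.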

7.13 audit docker files and directories

**Description**

In addition to auditing the regular Linux filesystem and system calls, audit all `docker`-related files and directories. The `docker` daemon runs with `root` privileges and its behaviour depends on a number of key files and directories, such as `/var/lib/docker`, `/etc/docker`, `docker.service`, `docker.socket`, `/usr/bin/docker-containerd` and `/usr/bin/docker-runc`.

**Reinforcement suggestions**

Add the following lines to `/etc/audit/audit.rules` and `/etc/audit/rules.d/audit.rules`:

-w /var/lib/docker -k docker

-w /etc/docker -k docker

-w /usr/lib/systemd/system/docker.service -k docker

-w /usr/lib/systemd/system/docker.socket -k docker

-w /usr/bin/docker-containerd -k docker

-w /usr/bin/docker-runc -k docker

Then restart the `audit` daemon, for example:

service auditd restart

8、 Elasticsearch security baseline

8.1 es unauthorized access

**Description**

Elasticsearch is an enterprise search service written in Java. If the service is started without hardening, it is exposed to unauthorized access and can be queried or manipulated illegitimately. This needs to be fixed immediately.

**Reinforcement suggestions**

Restrict which `IP` addresses may reach the `HTTP` port, and do not expose it to the public network.

Edit the `config/elasticsearch.yml` configuration file in the home directory and set `network.host` to an intranet address or to `127.0.0.1`:

network.host: 127.0.0.1

Add login authentication to elasticsearch with the `x-pack` plugin:
1. Run `bin/elasticsearch-plugin install x-pack` in the home directory to install the x-pack plugin.
2. Add the following settings to the `config/elasticsearch.yml` configuration file:

xpack.security.enabled: true

xpack.ml.enabled: true

Run the command

bin/x-pack/setup-passwords interactive

to set the passwords for the `es` service, then restart the `es` service.
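An added check for item 8.1 (example code, not part of the original baseline): it reads `network.host` and `xpack.security.enabled` from an `elasticsearch.yml` and flags a bind address reachable from the public network or disabled authentication. It handles only flat `key: value` lines, as written above, and the two sample configurations are constructed.

```shell
#!/bin/sh
# Added example, not part of the original baseline: check an elasticsearch.yml
# for the 8.1 items. Only flat "key: value" lines are parsed, which is how the
# baseline writes them; the return value is the number of failed checks.

# Print the value of a top-level key ($2, regex-escaped), ignoring commented
# lines, trailing comments and surrounding quotes.
es_yaml_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*#.*$//' | tr -d "\"'" | head -n 1
}

audit_es_config() {
    cfg=$1; fails=0
    host=$(es_yaml_get "$cfg" 'network\.host')
    # Loopback and RFC 1918 ranges are accepted as "intranet" bindings.
    case "$host" in
        127.0.0.1|localhost|_local_|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            echo "PASS network.host=$host is not a public address" ;;
        "") echo "FAIL network.host not set; the HTTP port may bind a routable address"
            fails=$((fails+1)) ;;
        *)  echo "FAIL network.host=$host may expose the HTTP port publicly"
            fails=$((fails+1)) ;;
    esac
    sec=$(es_yaml_get "$cfg" 'xpack\.security\.enabled')
    if [ "$sec" = "true" ]; then
        echo "PASS xpack.security.enabled=true (login required)"
    else
        echo "FAIL xpack.security.enabled is '${sec:-unset}'; unauthenticated access possible"
        fails=$((fails+1))
    fi
    return $fails
}

# Constructed sample configurations for a stand-alone run (not real clusters).
# $1 = output path, $2 = "weak" or "hardened".
write_sample_es_config() {
    if [ "$2" = weak ]; then
        printf '%s\n' 'cluster.name: demo' 'network.host: 0.0.0.0' \
            '# xpack.security.enabled: true' > "$1"
    else
        printf '%s\n' 'cluster.name: demo' 'network.host: 127.0.0.1' \
            'xpack.security.enabled: true' 'xpack.ml.enabled: true' > "$1"
    fi
}
```

The weak sample binds `0.0.0.0` with security commented out and fails both checks; the hardened one matches the settings given above and passes.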

 
