没有合适的资源？快使用搜索试试~ 我知道了~

首页CIS CentOS 7 Linux系统安全基准V3.1.2：强化配置最佳实践

CIS CentOS 7 Linux系统安全基准V3.1.2：强化配置最佳实践

linux

CentOS7

Benchmark

需积分: 0 0 下载量 138 浏览量更新于2024-06-22 收藏 4.3MB PDF 举报

身份认证购VIP最低享 7 折!

领优惠券(最高得80元）

试读

625页

CIS CentOS Linux 7 Benchmark v3.1.2是一份根据CIS (Center for Internet Security) 最新的基线标准设计的系统层面安全基准测试工具。这份文档是针对CentOS 7操作系统的，旨在帮助组织和个人遵循全球公认的网络安全最佳实践，减少系统中的安全漏洞风险。CIS Benchmarks因其全球共识性、跨行业的接受度和权威性而备受推崇，它超越了单一地域的法律和安全规定，为企业提供了一个全面的框架来管理和提升网络安全。文档涵盖了详细的评估标准和推荐措施，包括初始设置的多个方面。例如： 1. 文件系统配置：建议禁用未使用的文件系统，如cramfs、squashfs和udf，以减少潜在攻击面。同时，对/tmp目录的配置也非常重要，应确保自动配置以限制临时文件权限，防止恶意利用。对于/dev/shm分区，应禁止执行和设备访问权限，以进一步增强系统的安全性。 2. tmp分区选项：设置了noexec、nodev和nosuid选项，防止在这些特殊分区上执行脚本或执行设备操作，这有助于防止恶意程序的运行和数据泄露。 3. 设备文件管理：dev/shm设备文件的配置同样严谨，通过设置相应的选项，限制了对它的访问，从而降低了潜在的安全威胁。这份基准文档不仅提供了具体的配置指导，还强调了持续的评估和改进过程，以适应不断变化的威胁环境。它适合所有关心系统安全的管理员和组织使用，无论是企业环境还是个人服务器维护，都可以作为提升网络安全水平的重要参考依据。 CIS CentOS Linux 7 Benchmark v3.1.2是一份实用的工具，帮助用户确保其CentOS 7系统遵循了最严格的网络安全最佳实践，有效抵御潜在的威胁，提升整体的网络安全态势。

资源详情

资源推荐

15 | P a g e

Profile Definitions

The following configuration profiles are defined by this Benchmark:

 Level 1 - Server

Items in this profile intend to:

o be practical and prudent;

o provide a clear security benefit; and

o not inhibit the utility of the technology beyond acceptable means.

This profile is intended for servers.

 Level 2 - Server

This profile extends the "Level 1 - Server" profile. Items in this profile exhibit one or

more of the following characteristics:

o are intended for environments or use cases where security is paramount.

o acts as defense in depth measure.

o may negatively inhibit the utility or performance of the technology.

This profile is intended for servers.

 Level 1 - Workstation

Items in this profile intend to:

o be practical and prudent;

o provide a clear security benefit; and

o not inhibit the utility of the technology beyond acceptable means.

This profile is intended for workstations.

 Level 2 - Workstation

This profile extends the "Level 1 - Workstation" profile. Items in this profile exhibit

one or more of the following characteristics:

o are intended for environments or use cases where security is paramount.

o acts as defense in depth measure.

o may negatively inhibit the utility or performance of the technology.

This profile is intended for workstations.

16 | P a g e

Acknowledgements

This benchmark exemplifies the great things a community of users, vendors, and subject matter

experts can accomplish through consensus collaboration. The CIS community thanks the entire

consensus team with special recognition to the following individuals who contributed greatly to

the creation of this guide:

This benchmark is based upon previous Linux benchmarks published and would not be

possible without the contributions provided over the history of all of these benchmarks.

The CIS community thanks everyone who has contributed to the Linux benchmarks.

Contributor

Rael Daruszka

Bill Erickson

Dave Billing

Dominic Pace

Ely Pinto

Fredrik Silverskär

Joy Latten

Koen Laevens

Mark Birch

Martynas Brijunas

Robert Thomas

Tom Pietschmann

Vineetha Hari Pai

Anurag Pal

Bradley Hieber

Thomas Sjögren

James Trigg

Kenneth Karlsson

Edward Byrd

Patrick Araya

Editor

Jonathan Lewis Christopherson

Eric Pinnell

17 | P a g e

Recommendations

1 Initial Setup

Items in this section are advised for all systems, but may be difficult or require extensive

preparation after the initial setup of the system.

18 | P a g e

1.1 Filesystem Configuration

Directories that are used for system-wide functions can be further protected by placing

them on separate partitions. This provides protection for resource exhaustion and enables

the use of mounting options that are applicable to the directory's intended use. Users' data

can be stored on separate partitions and have stricter mount options. A user partition is a

filesystem that has been established for use by the users and does not contain software for

system operations.

The recommendations in this section are easier to perform during initial system

installation. If the system is already installed, it is recommended that a full backup be

performed before repartitioning the system.

Note: If you are repartitioning a system that has already been installed, make sure the data

has been copied over to the new partition, unmount it and then remove the data from the

directory that was in the old partition. Otherwise it will still consume space in the old

partition that will be masked when the new filesystem is mounted. For example, if a system is

in single-user mode with no filesystems mounted and the administrator adds a lot of data to

the /tmp directory, this data will still consume space in / once the /tmp filesystem is mounted

unless it is removed first.

19 | P a g e

1.1.1 Disable unused filesystems

A number of uncommon filesystem types are supported under Linux. Removing support for

unneeded filesystem types reduces the local attack surface of the system. If a filesystem

type is not needed it should be disabled. Native Linux file systems are designed to ensure

that built-in security controls function as expected. Non-native filesystems can lead to

unexpected consequences to both the security and functionality of the system and should

be used with caution. Many filesystems are created for niche use cases and are not

maintained and supported as the operating systems are updated and patched. Users of

non-native filesystems should ensure that there is attention and ongoing support for them,

especially in light of frequent operating system changes.

Standard network connectivity and Internet access to cloud storage may make the use of

non-standard filesystem formats to directly attach heterogeneous devices much less

attractive.

Note: This should not be considered a comprehensive list of filesystems. You may wish to

consider additions to those listed here for your environment.

剩余624页未读，继续阅读

TASK [jingantech.nexus.nexus : Extract ../accessory/nexus-3.37.3-02-unix-centos7.tar.gz to /opt/offline] *************************** An exception occurred during task execution. To see the full traceback, use -vvv. The error was: If you are using a module and expect the file to exist on the remote, see the remote_src option fatal: [ngiam-02]: FAILED! => {"changed": false, "msg": "Could not find or access '../accessory/nexus-3.37.3-02-unix-centos7.tar.gz'\nSearched in:\n\t/home/taapp/deploy-ngiam/collections/ansible_collections/jingantech/nexus/roles/nexus/files/../accessory/nexus-3.37.3-02-unix-centos7.tar.gz\n\t/home/taapp/deploy-ngiam/collections/ansible_collections/jingantech/nexus/roles/nexus/../accessory/nexus-3.37.3-02-unix-centos7.tar.gz\n\t/home/taapp/deploy-ngiam/collections/ansible_collections/jingantech/nexus/roles/nexus/tasks/files/../accessory/nexus-3.37.3-02-unix-centos7.tar.gz\n\t/home/taapp/deploy-ngiam/collections/ansible_collections/jingantech/nexus/roles/nexus/tasks/../accessory/nexus-3.37.3-02-unix-centos7.tar.gz\n\t/home/taapp/deploy-ngiam/playbooks/files/../accessory/nexus-3.37.3-02-unix-centos7.tar.gz\n\t/home/taapp/deploy-ngiam/playbooks/../accessory/nexus-3.37.3-02-unix-centos7.tar.gz on the Ansible Controller.\nIf you are using a module and expect the file to exist on the remote, see the remote_src option"}

具体错误是：无法找到或访问 '../accessory/nexus-3.37.3-02-unix-centos7.tar.gz' 文件。这个错误提示了在多个路径下搜索了这个文件但都没有找到，如果你在使用一个模块并期望文件存在于远程主机上，可以考虑使用 ...

Error: Package: MariaDB-client-10.3.39-1.el7.centos.x86_64 (mariadb) Requires: libaio.so.1()(64bit) Error: Package: MariaDB-server-10.3.39-1.el7.centos.x86_64 (mariadb) Requires: libaio.so.1(LIBAIO_0.4)(64bit) Error: Package: MariaDB-server-10.3.39-1.el7.centos.x86_64 (mariadb) Requires: libaio.so.1(LIBAIO_0.1)(64bit) Error: Package: galera-25.3.37-1.el7.centos.x86_64 (mariadb) Requires: libboost_program_options-mt.so.1.53.0()(64bit) Error: Package: MariaDB-server-10.3.39-1.el7.centos.x86_64 (mariadb) Requires: perl(DBI) Error: Package: MariaDB-server-10.3.39-1.el7.centos.x86_64 (mariadb) Requires: libaio.so.1()(64bit) Error: Package: MariaDB-client-10.3.39-1.el7.centos.x86_64 (mariadb) Requires: libaio.so.1(LIBAIO_0.4)(64bit) Error: Package: MariaDB-client-10.3.39-1.el7.centos.x86_64 (mariadb) Requires: libaio.so.1(LIBAIO_0.1)(64bit) Error: Package: MariaDB-server-10.3.39-1.el7.centos.x86_64 (mariadb) Requires: perl(Data::Dumper) Error: Package: MariaDB-server-10.3.39-1.el7.centos.x86_64 (mariadb) Requires: lsof如何解决

1. 运行以下命令，安装缺少的依赖包： ``` sudo yum install libaio libboost-program-options perl-DBI perl-Data-Dumper lsof ``` 2. 如果你已经安装了这些依赖包，但仍然出现错误，请尝试更新它们： ``` ...

camot install the best update candidate for package centos-linux-release-8.5-1.2111.el8.noarchproblem with installed package centos-linux-repos-8-3.el8.noarch

这个错误提示看起来是你正在尝试更新 `cent-linux-release` 包，更新过程中遇了与已安装的centos-linux-repos 包存在的问题。为解决这个问题你可以尝试通过以下命令来更新 `centos-linux-release` 包： ``` sudo ...

camnot install the best update candidate for package centos-limux-release-8.5-1.2111.el8.noarchproblem with installed package centos-linux-repos-8-3.el8.noarch

2. 安装新版的 `centos-linux-release` 软件包。使用以下命令可以安装 `centos-linux-release` 软件包： ``` sudo yum install centos-linux-release ``` 如果您已经下载了 `centos-linux-release` 软件包，也...

用yum源安装提示Error: Package: ntp-4.2.6p5-29.el7.centos.2.x86 64 (base)Requires: ntpdate = 4.2.6p5-29.e7.centos .2Installed: ntpdate-4.2.6p5-29.el7_8.2.x86 64 (anaconda/7.9)ntpdate =4.2.6p5-29.e7 8.2Available: ntpdate-4.2.6p5-29.el7.centos.2.x86_64 (base)ntpdate = 4.2.6p5-29.e7.centos .2You could try using --skipbroken to work around the problemYou could try running: rpm -Va --nofiles --nodigest

这个错误提示是由于安装的ntp和ntpdate版本不匹配导致的。可以尝试使用以下命令来解决该问题...yum install ntpdate-4.2.6p5-29.el7.centos.2.x86_64 ``` 这样就可以解决该错误提示了。如果还有其他问题可以继续问我。

zlm-release-centos 下载

sudo rpm -ivh zlm-release-centos-7.x86_64.rpm ``` 5. 完成安装后，zlm-release-centos软件源将被添加到您的系统中，您可以使用yum命令从该软件源中安装和更新软件包。通过以上步骤，您可以成功下载和安装zlm-...

zh_132106

粉丝: 3
资源: 1

上传资源快速赚钱

我的内容管理展开

我的资源快来上传第一个资源

我的收益

登录查看自己的收益

我的积分登录查看自己的积分

我的C币登录后查看C币余额

我的收藏

我的下载

下载帮助

CIS CentOS 7 Linux系统安全基准V3.1.2：强化配置最佳实践

CIS_CentOS_Linux_7_Benchmark_v3.0.0.pdf

CIS_CentOS_Linux_7_Benchmark_v3.1.1.pdf

CIS_CentOS_Linux_7_Benchmark_v2.2.0

ambari-2.7.5.0-centos7.tar.gz 下载

proxysql-2.0.8-1-centos7.x86_64.rpm下载

下载httpd-2.4.6-80.el7.centos.1.x86_64.rpm软件包到/root并安装

httpd-tools = 2.4.6-95.el7.centos 被 httpd-2.4.6-95.el7.centos.x86_64 需要

wget 下载openssh-askpass-9.3p2-1.el7.centos.x86_64

centos-release-scl-2-3.el7.centos.noarch.rpm

centos-release-7-9.2009.1.el7.centos.x86_64.rpm

package centos-linux-repos-8-3.e18.noarch conflicts with centos-repos(8) provided by centos-stream-repos-8-2.el8.moarch

httpd-2.2.15-15.el6.centos.1.i686.rpm 下载

libcrypto.so.10()(64bit) 被 MariaDB-common-10.4.28-1.el7.centos.x86_64 需要

redhat-lsb-core-4.0-7.el6.centos.x86_64 离线安装

camot install the best update candidate for package centos-linux-release-8.5-1.2111.el8.noarchproblem with installed package centos-linux-repos-8-3.el8.noarch

camnot install the best update candidate for package centos-limux-release-8.5-1.2111.el8.noarchproblem with installed package centos-linux-repos-8-3.el8.noarch

zlm-release-centos 下载

最新资源