Repository layout (lis912/Information-security-reinforcement-scheme):

```
├── guan-li-zhi-du.md
├── chapter1
│   ├── shu-ju-ku.md
│   ├── cao-zuo-xi-tong
│   │   ├── hp-ux.md
│   │   ├── ibm-aix.md
│   │   ├── terminal-pc.md
│   │   ├── windowsxi-tong.md
│   │   └── linux.md
│   ├── ying-yong-xi-tong.md
│   ├── shu-ju-ku
│   │   ├── oracle.md
│   │   └── oracle
│   │       └── oracleshu-ju-ku-bu-ding.md
│   └── cao-zuo-xi-tong.md
├── README.md
├── chapter1.md
├── assets
│   ├── kb.png
│   ├── kb2.png
│   ├── 屏保.png
│   ├── import.png
│   ├── telnet.png
│   ├── 安全选项.png
│   ├── 屏幕保护.png
│   ├── 禁用默认共享.png
│   ├── 系统口策略.png
│   ├── 账户锁定策略.png
│   ├── 445入站过滤.png
│   ├── 445出站阻止.png
│   ├── 禁用guest.png
│   ├── 禁用telnet.png
│   ├── 重命名admin.png
│   ├── 勾选“用户名+密码”.png
│   └── windows_audit.png
├── .gitignore
└── SUMMARY.md
```

The files guan-li-zhi-du.md, chapter1/shu-ju-ku.md, chapter1/cao-zuo-xi-tong/hp-ux.md, chapter1/ying-yong-xi-tong.md, chapter1/cao-zuo-xi-tong/ibm-aix.md, chapter1/cao-zuo-xi-tong/terminal-pc.md and chapter1/shu-ju-ku/oracle.md are still empty placeholders.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Preface

### This guide describes host hardening measures for classified protection (等级保护) evaluations; the reference level is Level 3.

--------------------------------------------------------------------------------
/chapter1.md:
--------------------------------------------------------------------------------
# Host-level hardening overview

### Host-level hardening covers the host operating system, operations terminals, business terminals and databases.

--------------------------------------------------------------------------------
/chapter1/shu-ju-ku/oracle/oracleshu-ju-ku-bu-ding.md:
--------------------------------------------------------------------------------
# 1. Oracle database patches:

## Only

--------------------------------------------------------------------------------
/chapter1/cao-zuo-xi-tong.md:
--------------------------------------------------------------------------------
# The operating system section covers the current mainstream operating systems

* Windows
* Centos/Red-Hat
* HP-UX
* IBM AIX

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Node rules:
## Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
.grunt

## Dependency directory
## Commenting this out is preferred by some people, see
## https://docs.npmjs.com/misc/faq#should-i-check-my-node_modules-folder-into-git
node_modules

# Book build output
_book

# eBook build output
*.epub
*.mobi
*.pdf
--------------------------------------------------------------------------------
/SUMMARY.md:
--------------------------------------------------------------------------------
# Summary

* [Preface](README.md)
* [Host level](chapter1.md)
  * [Operating systems](chapter1/cao-zuo-xi-tong.md)
    * [Windows hardening](chapter1/cao-zuo-xi-tong/windowsxi-tong.md)
    * [Centos/Red-Hat](chapter1/cao-zuo-xi-tong/linux.md)
  * [Databases](chapter1/shu-ju-ku.md)
    * [Oracle](chapter1/shu-ju-ku/oracle.md)
      * [Oracle database patches](chapter1/shu-ju-ku/oracle/oracleshu-ju-ku-bu-ding.md)
    * Mysql
    * MSsql
  * [Application systems](chapter1/ying-yong-xi-tong.md)

--------------------------------------------------------------------------------
/chapter1/cao-zuo-xi-tong/windowsxi-tong.md:
--------------------------------------------------------------------------------
# This scheme uses Windows Server 2008 as the example:

---

# Identity authentication

### 1. Tick "Users must enter a user name and password to use this computer"

* Hardening method:

```
Win + r                            # open the Run dialog
rundll32 netplwiz.dll UsersRunDll  # run this command to open the dialog shown below, tick the option and click Apply
```

![](/assets/勾选“用户名+密码”.png)

### 2. Strengthen the system password policy and configure the login-failure policy

* Hardening method:

```
Win + r       # open the Run dialog
gpedit.msc    # run this command to open the "Local Group Policy Editor"
# Follow this path to the password policy settings
Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy
# Follow this path to the account lockout policy settings
Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy
```

![](/assets/系统口策略.png)

![](/assets/import.png)

* Reference configuration:

| Setting | Recommended reference value |
| :---: | :---: |
| Password must meet complexity requirements | Enabled |
| Minimum password length | 8 characters |
| Minimum password age | 2 days |
| Maximum password age | 90 days |
| Enforce password history | 5 passwords remembered |
| Store passwords using reversible encryption | Disabled |
| Account lockout duration | 30 minutes |
| Reset account lockout counter after | 30 minutes |
| Account lockout threshold | 5 invalid logon attempts |

### 3. Disable the system Telnet service

> Telnet remote management transmits authentication credentials in clear text. If the Telnet service is installed and enabled on the system, it must be disabled.

* Hardening method:

```
Win + r         # open the Run dialog
services.msc    # run this command to open the "Services" console and check the service, as shown below
```

![](/assets/telnet.png)

![](/assets/禁用telnet.png)

---

# Access control

### 1. Disable or remove unnecessary default administrative shares

* Hardening method:

```
Win + r    # open the Run dialog
regedit    # run this command to open the "Registry Editor"
# Expand the following registry path, add a REG_DWORD value named AutoShareServer and set it to 0, as shown below:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
```

![](/assets/禁用默认共享.png)

### 2. Rename the built-in Administrator account and disable the Guest account.

* Hardening method:

```
Win + r        # open the Run dialog
lusrmgr.msc    # run this command to open the "Local Users and Groups" console
```

> Rename the Administrator account and disable the Guest account, as shown below

![](/assets/重命名admin.png)

![](/assets/禁用guest.png)

---

# Security audit

### 1. Enable the system audit policy

* Hardening method:

```
Win + r       # open the Run dialog
gpedit.msc    # run this command to open the "Local Group Policy Editor"
# Follow this path to the audit policy settings and set every entry to "Success, Failure"
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy
```

![](/assets/windows_audit.png)

---

# Residual information protection

### 1. Enable "Shutdown: Clear virtual memory pagefile" and "Interactive logon: Do not display last user name".

* Hardening method

```
Win + r       # open the Run dialog
gpedit.msc    # run this command to open the "Local Group Policy Editor"
# Follow this path to Security Options
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options
```

![](/assets/安全选项.png)

---

# Intrusion prevention

### 1. Install system security patches promptly

> Patches can be installed offline

* Visit the Microsoft Update Catalog page: [http://www.catalog.update.microsoft.com](http://www.catalog.update.microsoft.com) and search for the patches for the relevant system version:

![](/assets/kb.png)

* Download the security patches indicated by the vulnerability scan results: ![](/assets/kb2.png)

To be completed.......

### 2. Block the unneeded ports 135, 139 and 445

> Turn on the system firewall and create inbound and outbound rules to filter high-risk ports such as 135, 139 and 445 at the host level.

* Example of blocking port 445:

![](/assets/445入站过滤.png)![](/assets/445出站阻止.png)

---

# Malicious code prevention

> A professional enterprise-edition antivirus product should be deployed uniformly, with centrally managed upgrades and timely virus signature updates.

---

# Resource control

### 1. Configure screen lock on timeout

> It is recommended that the screen lock timeout be configured to no less than 15 minutes

![](/assets/屏幕保护.png)

### 2. Monitor system resources and service levels

> Level-3 systems are required to raise an alarm when system service drops to a predefined minimum value

--------------------------------------------------------------------------------
/chapter1/cao-zuo-xi-tong/linux.md:
--------------------------------------------------------------------------------
# This scheme uses CentOS 6.5 as the example:

---

# Identity authentication

### 1. Strengthen the system password policy

* Open the /etc/login.defs configuration file and modify the password policy parameters as follows:

```bash
[root@oracledb /]# vi /etc/login.defs

# Password aging controls:
#
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_MIN_LEN	Minimum acceptable password length.
#	PASS_WARN_AGE	Number of days warning given before a password expires.
#
# Keep each value alone on its line: login.defs reads everything after the key
# as the value, so a trailing comment would be taken as part of it.
# Maximum password lifetime
PASS_MAX_DAYS	90
# Minimum interval between password changes
PASS_MIN_DAYS	2
# Minimum password length
PASS_MIN_LEN	8
# Warning period before a password expires
PASS_WARN_AGE	7
```

> This change takes effect immediately after saving, but it only applies to accounts created after the change.

### 2. Configure the password complexity policy and the login-failure policy

* Open the /etc/pam.d/system-auth configuration file, add or configure the password complexity parameters on the pam\_cracklib.so module and the login-failure parameters on the pam\_tally2.so module. Modify as follows:

```
[root@oracledb ~]# vi /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
# login-failure policy
auth        required      pam_tally2.so even_deny_root deny=5 unlock_time=600 root_unlock_time=1800
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

# password complexity policy
password    requisite     pam_cracklib.so try_first_pass difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
# remember= is an option of pam_unix.so (history kept in /etc/security/opasswd); pam_cracklib.so ignores it
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=8
password    required      pam_deny.so
```

* Parameter reference tables:

```
# password complexity policy
password    requisite     pam_cracklib.so try_first_pass difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=8
```

| Parameter | Reference value | Meaning |
| :---: | :---: | :---: |
| difok | 3 | Allows 3 characters of the new password to be the same as the old password |
| ucredit | -1 | The password must contain at least 1 upper-case letter |
| lcredit | -1 | The password must contain at least 1 lower-case letter |
| dcredit | -1 | The password must contain at least 1 digit |
| ocredit | -1 | The password must contain at least 1 special character |
| remember | 8 | The 8 most recently used passwords cannot be reused (set on the pam\_unix.so password line) |

```
# login-failure policy
auth        required      pam_tally2.so even_deny_root deny=5 unlock_time=600 root_unlock_time=1800
```

| Parameter | Reference value | Meaning |
| :---: | :---: | :---: |
| even\_deny\_root | | The root account is locked as well |
| deny | 5 | Lock the account after 5 failed logins |
| unlock\_time | 600 | Ordinary accounts unlock after 600 seconds |
| root\_unlock\_time | 1800 | The root account unlocks after 1800 seconds |

### 3. Remove surplus system accounts

* On Linux, lp, adm, sync, shutdown, halt, news, operator, gopher and similar accounts are surplus virtual system accounts; where business operation is not affected they should be deleted. In practice it is enough to open /etc/passwd and comment those accounts out, as follows:

```
[root@localhost ~]# vi /etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
```

# Security audit

--------------------------------------------------------------------------------
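The password and account lockout reference table in the Windows section of this guide can be verified mechanically instead of by reading the gpedit.msc screens. The following is an added example, not code from the guide or its author: a Python script that parses the INF-style text written by `secedit /export /cfg <file>` and compares the keys of its `[System Access]` section (MinimumPasswordLength, PasswordComplexity, LockoutBadCount and the others named below, which are the names secedit itself writes) with the table's reference values. The two sample exports embedded in the script are constructed, and the function names are the example's own.

```python
"""Check a secedit policy export against the password and lockout baseline table.

Added example, not part of the hardening guide: parses the INF text produced by
`secedit /export /cfg <file>` and compares the [System Access] keys with the
Level-3 reference values. The sample exports below are constructed.
"""
import re

# INF key -> (comparison, reference value, policy name as shown in gpedit.msc)
BASELINE = {
    "PasswordComplexity":    ("eq", 1, "Password must meet complexity requirements"),
    "MinimumPasswordLength": ("ge", 8, "Minimum password length (characters)"),
    "MinimumPasswordAge":    ("ge", 2, "Minimum password age (days)"),
    "MaximumPasswordAge":    ("le", 90, "Maximum password age (days)"),
    "PasswordHistorySize":   ("ge", 5, "Enforce password history (passwords remembered)"),
    "ClearTextPassword":     ("eq", 0, "Store passwords using reversible encryption (0 = disabled)"),
    "LockoutBadCount":       ("range", (1, 5), "Account lockout threshold (invalid attempts)"),
    "LockoutDuration":       ("lockout", 30, "Account lockout duration (minutes)"),
    "ResetLockoutCount":     ("ge", 30, "Reset account lockout counter after (minutes)"),
}


def parse_inf(text):
    """Return {section: {key: value}} from 'key = value' lines grouped by [section]."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def check_system_access(text):
    """Return (key, current, reference, ok, name) for every baseline key."""
    access = parse_inf(text).get("System Access", {})
    findings = []
    for key, (op, ref, name) in BASELINE.items():
        raw = access.get(key)
        cur = int(raw) if raw is not None and re.fullmatch(r"-?\d+", raw) else None
        if cur is None:
            # The lockout keys are left out of the export while the threshold is 0.
            ok = False
        elif op == "eq":
            ok = cur == ref
        elif op == "ge":
            ok = cur >= ref
        elif op == "le":
            # -1 means "password never expires" in an export, which fails a maximum age.
            ok = cur != -1 and cur <= ref
        elif op == "lockout":
            # -1 means "locked until an administrator unlocks", stricter than any duration.
            ok = cur == -1 or cur >= ref
        else:  # range
            ok = ref[0] <= cur <= ref[1]
        findings.append((key, cur, ref, ok, name))
    return findings


def failing_keys(text):
    """Names of the baseline settings the export does not satisfy."""
    return [key for key, _cur, _ref, ok, _name in check_system_access(text) if not ok]


# Constructed sample: out-of-the-box values of a stand-alone server.
DEFAULT_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: the same section after applying the reference table.
HARDENED_EXPORT = """[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 5
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
"""

if __name__ == "__main__":
    import sys
    # secedit writes its export as UTF-16; pass the exported file's path to audit a real host.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else DEFAULT_EXPORT
    for key, cur, ref, ok, name in check_system_access(text):
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {cur} (reference {ref})")
```

Run without arguments it reports against the constructed default export (six of the nine settings fail); run with the path of a real `secedit /export /cfg` output it reports the host's actual state. The registry and GUI-only items in the guide (AutoShareServer, Telnet service state, the renamed Administrator account) are not covered by this section of the export and still need their own checks.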
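The three CentOS files edited in the Linux section (/etc/login.defs, /etc/pam.d/system-auth and /etc/passwd) can be audited the same way. The following is an added example, not code from the guide or its author: a Python script that reads the login.defs aging values, the pam_cracklib.so and pam_tally2.so options on the relevant PAM stacks, the remember= option on the pam_unix.so password line, and the list of surplus accounts still live in /etc/passwd, then compares them with the reference values in the tables above. Note that pam_cracklib documents difok as the number of characters that must differ from the old password, so the check treats the value 3 as a minimum. The sample file contents, the function names and the command-line interface are the example's own assumptions.

```python
"""Audit CentOS 6 password, lockout and surplus-account settings against the guide's tables.

Added example, not the guide's own code. Parses the three files the guide edits and
reports which reference values are not met. The sample inputs below are constructed.
"""
import re

# Reference values from the login.defs table: key -> (comparison, expected)
LOGIN_DEFS_BASELINE = {"PASS_MAX_DAYS": ("le", 90), "PASS_MIN_DAYS": ("ge", 2),
                       "PASS_MIN_LEN": ("ge", 8), "PASS_WARN_AGE": ("ge", 7)}
# pam_cracklib: a negative credit is a minimum count of that class, so -1 means "at least one";
# difok is the number of characters that must differ from the old password (a minimum).
CRACKLIB_BASELINE = {"difok": ("ge", 3), "ucredit": ("le", -1), "lcredit": ("le", -1),
                     "dcredit": ("le", -1), "ocredit": ("le", -1)}
# remember= belongs to pam_unix (history in /etc/security/opasswd), not to pam_cracklib.
UNIX_BASELINE = {"remember": ("ge", 8)}
TALLY2_BASELINE = {"deny": ("le", 5), "unlock_time": ("ge", 600), "root_unlock_time": ("ge", 1800)}
# Virtual accounts the guide lists as surplus on a server that does not need them.
SURPLUS_ACCOUNTS = {"lp", "adm", "sync", "shutdown", "halt", "news", "operator", "gopher"}


def parse_login_defs(text):
    """Return {KEY: value} for uncommented 'KEY value' lines."""
    values = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            values[parts[0]] = parts[1].strip()
    return values


def pam_options(text, stack, module):
    """Options of the first line '<stack> <control> <module> ...'; flags map to True.

    Returns None when the module is not loaded in that stack.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == stack and fields[2].endswith(module):
            opts = {}
            for tok in fields[3:]:
                key, sep, val = tok.partition("=")
                opts[key] = val if sep else True
            return opts
    return None


def compare(baseline, values, label):
    """Yield (label, key, current, expected, ok) for every key in the baseline."""
    for key, (op, expected) in baseline.items():
        raw = values.get(key) if values else None
        if raw is None or not re.fullmatch(r"-?\d+", str(raw)):
            yield (label, key, raw, expected, False)  # missing or non-numeric
            continue
        cur = int(raw)
        yield (label, key, cur, expected, cur >= expected if op == "ge" else cur <= expected)


def active_surplus_accounts(passwd_text):
    """Surplus accounts whose /etc/passwd line is still live (not commented out)."""
    names = [line.split(":", 1)[0] for line in passwd_text.splitlines()
             if ":" in line and not line.startswith("#")]
    return [n for n in names if n in SURPLUS_ACCOUNTS]


def audit(login_defs, system_auth, passwd):
    """Full list of findings for the three file contents."""
    findings = list(compare(LOGIN_DEFS_BASELINE, parse_login_defs(login_defs), "login.defs"))
    findings += compare(CRACKLIB_BASELINE, pam_options(system_auth, "password", "pam_cracklib.so"), "pam_cracklib")
    findings += compare(UNIX_BASELINE, pam_options(system_auth, "password", "pam_unix.so"), "pam_unix")
    tally = pam_options(system_auth, "auth", "pam_tally2.so")
    findings += compare(TALLY2_BASELINE, tally, "pam_tally2")
    root_too = bool(tally and tally.get("even_deny_root"))
    findings.append(("pam_tally2", "even_deny_root", root_too, True, root_too))
    for name in active_surplus_accounts(passwd):
        findings.append(("passwd", name, "active", "removed or commented out", False))
    return findings


def failures(findings):
    return [(label, key) for label, key, _cur, _exp, ok in findings if not ok]


# Constructed samples: stock CentOS 6 aging values, hardened PAM lines, a passwd excerpt.
SAMPLE_LOGIN_DEFS = """# Password aging controls:
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""
SAMPLE_SYSTEM_AUTH = """auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_tally2.so even_deny_root deny=5 unlock_time=600 root_unlock_time=1800
auth        required      pam_deny.so
password    requisite     pam_cracklib.so try_first_pass difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=8
password    required      pam_deny.so
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
#adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # paths to login.defs, system-auth and passwd of a real host
        inputs = [open(p).read() for p in sys.argv[1:4]]
    else:
        inputs = [SAMPLE_LOGIN_DEFS, SAMPLE_SYSTEM_AUTH, SAMPLE_PASSWD]
    for label, key, cur, exp, ok in audit(*inputs):
        print(f"{'PASS' if ok else 'FAIL'}  {label} {key}={cur} (reference {exp})")
```

Two caveats the check cannot see on its own: the login.defs aging values only apply to accounts created afterwards, so existing accounts keep their old expiry until it is changed with `chage`; and, as the header of system-auth says, the file is regenerated by authconfig, so manual edits there are lost the next time it runs.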