Common Security Configuration Issues Ops Engineers Face During Grade‑Protection Remediation

This article walks operations engineers through the most frequent security‑configuration problems encountered during Grade‑Protection (等保) remediation, detailing the regulatory background, specific compliance gaps, step‑by‑step remediation commands for Linux systems, verification methods, FAQs, and a practical implementation workflow.

MaGe Linux Operations

Problem Background

Grade‑Protection (GB/T 22239‑2019) is China’s mandatory graded security framework for critical information infrastructure. All operators must align their systems with the requirements of the assigned level, typically level 2 or 3, and address a checklist of high‑risk items issued by the assessment agency.

Grade‑Protection 2.0 Overview

Grade‑Protection 2.0 divides systems into five security levels and defines ten security domains: physical environment, communication network, zone boundary, management centre, management policies, management organisations, management personnel, construction management, operation management, and computing environment.

Domains Most Relevant to Operations

Operations engineers most often deal with issues in the security computing environment, zone boundary, and communication network domains. The article explains each common problem, the underlying regulatory requirement, typical findings, remediation steps, and verification commands.

Category 1: Identity Authentication Issues

Issue 1.1 – Password Complexity

Requirement: Passwords must be unique, meet complexity rules, and be changed periodically.

Typical finding: Minimum length less than 8 characters; no mandatory inclusion of uppercase, lowercase, digits, or special symbols.

Remediation: Install libpwquality and configure /etc/security/pwquality.conf with a minimum length of 12, at least one digit, one uppercase, one lowercase, one special character, a maximum of two repeated characters, and require four character classes. Configure password history, expiration (90 days), and minimum age (7 days) via /etc/login.defs and chage.

# CentOS/RHEL: configure password complexity
sudo yum install -y libpwquality
sudo vi /etc/security/pwquality.conf
# Example settings: minimum length 12; the -1 credits each require at least one
# digit, uppercase, lowercase and special character; maxrepeat caps identical
# consecutive characters; minclass demands all four classes; difok requires
# three characters to differ from the previous password
minlen = 12
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 2
minclass = 4
difok = 3
# Password history (remember the last 5 passwords). This is a PAM stack entry,
# not a .so file: CentOS/RHEL use /etc/pam.d/system-auth (and password-auth),
# Ubuntu uses /etc/pam.d/common-password. Place it before the pam_unix.so line.
sudo vi /etc/pam.d/system-auth
password    required      pam_pwhistory.so remember=5 use_authtok
# Expiration settings (login.defs only affects accounts created afterwards)
sudo vi /etc/login.defs
PASS_MAX_DAYS   90
PASS_MIN_DAYS   7
PASS_WARN_AGE   7
# Apply to an existing user
sudo chage -M 90 -m 7 -W 7 <username>

Verification: Attempt to set a simple password (e.g., "123456") and confirm rejection; inspect pwquality.conf values; check user password aging with chage -l.

Issue 1.2 – Unique Account Identifiers

Requirement: Each login account must have a unique identifier; no duplicate usernames; no non‑root account with UID 0.

Remediation: Use awk to detect UID 0 accounts other than root, cut and sort to find duplicate UIDs or usernames, and delete or merge duplicates with userdel.

# Detect non‑root UID 0 accounts
awk -F: '($3 == 0) {print $1}' /etc/passwd
# Find duplicate UIDs
cut -d: -f3 /etc/passwd | sort | uniq -d
# Find duplicate usernames
cut -d: -f1 /etc/passwd | sort | uniq -d
# Remove duplicate account
sudo userdel -r <duplicate_username>

Verification: Re‑run the detection commands and ensure no output.
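The two verification steps above (Issue 1.1 policy values, Issue 1.2 account uniqueness) can be scripted. This is an added example, not code from the original article; it checks constructed sample files, and on a live host the same functions take /etc/security/pwquality.conf and /etc/passwd as arguments.

```shell
#!/bin/sh
# Added compliance check for Issues 1.1 and 1.2 (not from the original article).
# The functions take file paths, so they run here against constructed samples and
# on a real host against /etc/security/pwquality.conf and /etc/passwd.

# pwq_value FILE KEY: print the value of "KEY = value", ignoring commented-out lines
pwq_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# check_pwquality FILE: return 0 if the file meets the article's policy, 1 otherwise
check_pwquality() {
    f=$1; rc=0
    minlen=$(pwq_value "$f" minlen)
    [ "${minlen:-0}" -ge 12 ] || { echo "minlen must be >= 12"; rc=1; }
    for k in dcredit ucredit lcredit ocredit; do
        v=$(pwq_value "$f" "$k")
        [ "${v:-0}" -le -1 ] || { echo "$k must be <= -1 (require at least one)"; rc=1; }
    done
    minclass=$(pwq_value "$f" minclass)
    [ "${minclass:-0}" -ge 4 ] || { echo "minclass must be >= 4"; rc=1; }
    return $rc
}

# uid0_accounts FILE: print accounts other than root that have UID 0
uid0_accounts() { awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"; }

# duplicate_names FILE: print usernames that occur more than once
duplicate_names() { cut -d: -f1 "$1" | sort | uniq -d; }

# Constructed samples (not real system files)
SAMPLE_PWQ=$(mktemp); SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PWQ" <<'EOF'
# minlen = 6   <- commented out, must be ignored by the check
minlen = 12
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
minclass = 4
EOF
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
appsvc:x:0:0:app service:/home/appsvc:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
deploy:x:1002:1002::/home/deploy2:/bin/bash
EOF

check_pwquality "$SAMPLE_PWQ" && echo "pwquality: OK"
echo "non-root UID 0 accounts: $(uid0_accounts "$SAMPLE_PASSWD")"
echo "duplicate usernames: $(duplicate_names "$SAMPLE_PASSWD")"
```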

Issue 1.3 – Sudo Privilege Control

Requirement: Limit default accounts, disable direct root login, and avoid password‑less sudo.

Remediation: Ensure the wheel group has sudo rights, disable root SSH login, remove NOPASSWD entries, delete unnecessary default accounts, and list the accounts that still have a login shell with awk on /etc/passwd.

# Verify wheel group sudo rights
sudo grep wheel /etc/sudoers
# Disable root SSH login
sudo vi /etc/ssh/sshd_config
PermitRootLogin no
sudo systemctl restart sshd
# Find NOPASSWD entries, then remove them with visudo (never edit sudoers directly)
sudo grep "NOPASSWD" /etc/sudoers
sudo grep "NOPASSWD" /etc/sudoers.d/*
sudo visudo
# Delete unnecessary default accounts (confirm no service still depends on them)
sudo userdel games
sudo userdel lp
# List accounts that still have a login shell
sudo awk -F: '($7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false") {print $1}' /etc/passwd

Verification: Confirm wheel entry, absence of NOPASSWD, and that only required accounts remain.

Category 2: Access Control Issues

Issue 2.1 – Access Control Policy Configuration

Requirement: Configure policies that restrict user permissions.

Typical finding: No or incomplete access‑control policies.

Remediation: Restrict SSH login users and groups, set a restrictive umask (0027) in /etc/profile and /etc/csh.cshrc, and enforce pam_wheel.so for su to limit su to the wheel group.

# Limit SSH users and groups (CentOS/RHEL admin group is wheel, Ubuntu uses sudo).
# When both directives are set a user must match AllowUsers and AllowGroups.
sudo vi /etc/ssh/sshd_config
AllowUsers admin deploy
AllowGroups sudo
sudo sshd -t && sudo systemctl restart sshd
# Set default umask
sudo vi /etc/profile
umask 0027
sudo vi /etc/csh.cshrc
umask 0027
# Restrict su to the wheel group (add the line near the top of the auth stack)
sudo vi /etc/pam.d/su
auth    required    pam_wheel.so use_uid

Verification: Verify sshd_config entries, check umask values, and confirm pam_wheel.so is active.

Issue 2.2 – Mandatory Access Control (SELinux/AppArmor)

Requirement: Enable OS‑level MAC and configure policies per data classification.

Typical finding: SELinux disabled or in permissive mode.

Remediation (CentOS/RHEL): Install selinux-policy, set SELINUX=enforcing in /etc/selinux/config, reboot, and adjust file contexts and booleans as needed.

# Check SELinux status
getenforce
# Enable if disabled (switching from disabled requires a filesystem relabel on the next boot)
sudo yum install -y selinux-policy selinux-policy-targeted
sudo sed -i 's/^SELINUX=disabled/SELINUX=enforcing/' /etc/selinux/config
sudo touch /.autorelabel
sudo reboot
# Change permissive to enforcing
sudo setenforce 1
sudo sed -i 's/^SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config
# Set file contexts for web directories (semanage comes from
# policycoreutils-python-utils; on CentOS 7 the package is policycoreutils-python)
sudo yum install -y policycoreutils-python-utils
sudo semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
sudo restorecon -Rv /web
# Enable common booleans only where the workload actually needs them
sudo setsebool -P httpd_can_network_connect 1
sudo setsebool -P nis_enabled 1

Remediation (Ubuntu – AppArmor): Install apparmor-utils, enable profiles, and verify status.

# Check AppArmor status
sudo apparmor_status
# Install tools
sudo apt-get install -y apparmor-utils
# Enforce all profiles
sudo aa-enforce /etc/apparmor.d/*
# List profiles
sudo ls /etc/apparmor.d/

Verification: getenforce should output Enforcing; sestatus should show enabled; the audit log should contain no unexpected AVC denials (check with ausearch -m AVC -ts recent).

Category 3: Security Auditing Issues

Issue 3.1 – Incomplete Audit Policies

Requirement: Enable auditing, define rules that cover user actions and system events, and record the timestamp, user, event type, and result of each event.

Typical finding: Audit rules missing or not covering critical operations.

Remediation (CentOS/RHEL): Install and start auditd, add rules to monitor /etc/passwd, /etc/shadow, SSH config, sudoers, file deletions, and network config. Configure log size and rotation.

# Install and start auditd
sudo yum install -y audit
sudo systemctl enable auditd
sudo systemctl start auditd
# Add rules (files under rules.d are merged into /etc/audit/audit.rules by augenrules)
sudo vi /etc/audit/rules.d/audit.rules
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
-w /usr/bin/rm -p x -k delete
-w /usr/bin/mv -p x -k delete
-w /etc/sysconfig/network -p wa -k network
-w /etc/sysconfig/network-scripts/ -p wa -k network
# Log size (MB per file) and rotation. admin_space_left_action = HALT stops the
# host when the disk is nearly full; use SUSPEND or SINGLE if that is unacceptable.
sudo vi /etc/audit/auditd.conf
max_log_file = 50
max_log_file_action = ROTATE
num_logs = 5
space_left_action = SYSLOG
admin_space_left_action = HALT
# Load the rules and restart auditd. On RHEL/CentOS auditd refuses
# "systemctl restart"; use "service auditd restart" instead.
sudo augenrules --load
sudo service auditd restart
sudo auditctl -l

Remediation (Ubuntu): Install auditd and reuse the same rule set.

# Ubuntu: install auditd
sudo apt-get install -y auditd
sudo systemctl enable auditd
sudo systemctl start auditd
# Use the same rule file as CentOS
sudo vi /etc/audit/rules.d/audit.rules
# (copy the rules above, then load them)
sudo augenrules --load

Verification: Use ausearch -k identity to view logged events; test by creating a user and confirming the event appears.
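A complementary check before running ausearch is to confirm that the rule file actually watches every path the remediation lists, with write and attribute permissions. This is an added example, not code from the original article; it runs against a constructed rules file and takes /etc/audit/rules.d/audit.rules as its argument on a real host.

```shell
#!/bin/sh
# Added coverage check for Issue 3.1 (not from the original article): confirms that an
# audit rules file carries a write/attribute watch (-p wa) on every path the remediation
# requires. Point it at /etc/audit/rules.d/audit.rules on a real host.

REQUIRED_WATCHES="/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/ssh/sshd_config /etc/sudoers /etc/sudoers.d/"

# has_wa_watch FILE PATH: return 0 if FILE has "-w PATH ... -p <perms>" with both w and a
has_wa_watch() {
    awk -v p="$2" '
        $1 == "-w" && $2 == p {
            for (i = 3; i < NF; i++)
                if ($i == "-p" && $(i + 1) ~ /w/ && $(i + 1) ~ /a/) found = 1
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# missing_watches FILE: print each required path that lacks a wa watch
missing_watches() {
    for p in $REQUIRED_WATCHES; do
        has_wa_watch "$1" "$p" || echo "$p"
    done
}

# Constructed sample: sshd_config is watched without -p wa, sudoers.d/ is not watched at all
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/ssh/sshd_config -k sshd_config
-w /etc/sudoers -p wa -k sudoers
EOF

echo "required paths without a -p wa watch:"
missing_watches "$SAMPLE_RULES"
# After fixing the file on a live host: sudo augenrules --load && sudo auditctl -l | grep -c ' -p wa '
```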

Category 4: Intrusion Prevention Issues

Issue 4.1 – Unnecessary Services

Requirement: Disable services and protocols that are not needed.

Typical finding: Services such as Telnet, FTP, Sendmail are running.

Remediation: List running services, stop and disable each unnecessary service, and verify only required ports (SSH, HTTP/HTTPS, MySQL, etc.) are listening.

# List running services
systemctl list-units --type=service --state=running
# Disable Telnet
sudo systemctl stop telnet.socket
sudo systemctl disable telnet.socket
# Disable FTP
sudo systemctl stop vsftpd
sudo systemctl disable vsftpd
# Disable Sendmail
sudo systemctl stop sendmail
sudo systemctl disable sendmail
# Disable NFS/CIFS if not a file server
sudo systemctl stop nfs-server
sudo systemctl disable nfs-server
# Disable printing service
sudo systemctl stop cups
sudo systemctl disable cups
# Verify listening ports
ss -tunapl | grep LISTEN
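The final step, confirming that only required ports are listening, is easier to repeat across many hosts when the ss output is compared against an allowlist automatically. This is an added example, not code from the original article; it parses a constructed sample in the layout of ss -tunlp, and on a live host the function reads that command's output from stdin.

```shell
#!/bin/sh
# Added example (not from the original article): flags listening sockets whose port is
# not on an allowlist. It parses the output format of "ss -tunlp", so on a live host
# run: ss -tunlp | unexpected_listeners - "22 80 443 3306"

# unexpected_listeners FILE ALLOWED_PORTS: FILE holds ss -tunlp output ("-" for stdin),
# ALLOWED_PORTS is a space-separated list; prints "netid port process" for each extra socket
unexpected_listeners() {
    awk -v allowed=" $2 " '
        NR == 1 { next }                     # skip the column header
        {
            port = $5; sub(/.*:/, "", port)  # Local Address:Port -> Port (IPv4 and [::] alike)
            proc = "unknown"
            if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
            if (index(allowed, " " port " ") == 0) print $1, port, proc
        }' "$1"
}

# Constructed sample in ss -tunlp layout (not captured from a real host)
SAMPLE_SS=$(mktemp)
cat > "$SAMPLE_SS" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*      users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*      users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0      5      0.0.0.0:23         0.0.0.0:*      users:(("xinetd",pid=900,fd=5))
tcp   LISTEN 0      32     0.0.0.0:21         0.0.0.0:*      users:(("vsftpd",pid=950,fd=3))
tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*      users:(("mysqld",pid=1300,fd=20))
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*      users:(("dhclient",pid=700,fd=6))
EOF

echo "sockets outside the allowlist (netid port process):"
unexpected_listeners "$SAMPLE_SS" "22 80 443 3306"
```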

Issue 4.2 – ICMP Flood Mitigation

Requirement: Limit ICMP traffic to prevent resource‑exhaustion attacks.

Remediation: Add iptables rules that rate‑limit echo‑request packets (or, on firewalld hosts, block inbound echo requests outright), and set sysctl parameters to ignore broadcast pings and bogus ICMP error responses.

# Rate-limit ICMP echo requests (iptables): accept 1/s with a burst of 4, drop the rest
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# Persist the rules (CentOS path shown, needs iptables-services; Ubuntu with
# iptables-persistent uses /etc/iptables/rules.v4)
sudo iptables-save | sudo tee /etc/sysconfig/iptables
# firewalld alternative: icmp-block drops all inbound echo requests rather than
# rate-limiting them. Do not block echo-reply, that breaks ping from this host.
sudo firewall-cmd --permanent --add-icmp-block=echo-request
sudo firewall-cmd --reload
# sysctl settings
sudo vi /etc/sysctl.conf
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
sudo sysctl -p

Issue 4.3 – Intrusion Detection Deployment

Requirement: Deploy IDS/IPS to detect common attacks.

Remediation: Install file‑integrity tools (AIDE), rootkit scanners (rkhunter), and malware scanners (ClamAV). Initialise databases, schedule regular checks via cron, and configure email alerts.

# Install AIDE
sudo yum install -y aide       # CentOS
sudo apt-get install -y aide   # Ubuntu
sudo aide --init               # on Ubuntu "sudo aideinit" does the same and writes aide.db.new
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# Schedule a daily check. Lines in /etc/crontab need a user field after the
# schedule; ops@example.com is a placeholder for your alert mailbox.
echo "0 3 * * * root /usr/sbin/aide --check | /usr/bin/mail -s \"AIDE Check Report\" ops@example.com" | sudo tee -a /etc/crontab
# Install rkhunter
sudo yum install -y rkhunter       # CentOS
sudo apt-get install -y rkhunter   # Ubuntu
sudo rkhunter --update
sudo rkhunter --propupd            # record the current file properties as the baseline
echo "0 4 * * * root /usr/bin/rkhunter --check --sk | /usr/bin/mail -s \"rkhunter Report\" ops@example.com" | sudo tee -a /etc/crontab
# Install ClamAV
sudo yum install -y clamav clamav-update   # CentOS
sudo apt-get install -y clamav             # Ubuntu
sudo freshclam
echo "0 5 * * * root /usr/bin/clamscan -r /home --remove -l /var/log/clamscan.log" | sudo tee -a /etc/crontab

Category 5: Resource Control Issues

Issue 5.1 – User Resource Limits

Requirement: Limit maximum resources per user/process to prevent exhaustion attacks.

Remediation: Edit /etc/security/limits.conf to set soft/hard limits for processes, open files, core dumps, and memory locks. Enable the limits via PAM and systemd defaults.

# Configure limits.conf
sudo vi /etc/security/limits.conf
*               soft    nproc           4096
*               hard    nproc           8192
*               soft    nofile          65535
*               hard    nofile          65535
*               soft    core            0
*               hard    core            0
*               soft    memlock         unlimited
*               hard    memlock         unlimited
root            soft    nproc           unlimited
root            hard    nproc           unlimited
root            soft    nofile          unlimited
root            hard    nofile          unlimited
# Enable PAM limits (CentOS system-auth normally already contains this line;
# on CentOS also check /etc/security/limits.d/20-nproc.conf, which overrides nproc)
sudo vi /etc/pam.d/common-session   # Ubuntu
# or
sudo vi /etc/pam.d/system-auth      # CentOS
session required pam_limits.so
# Systemd defaults for services: the lines must be uncommented to take effect
sudo vi /etc/systemd/system.conf
DefaultLimitNOFILE=65535
DefaultLimitNPROC=4096
sudo systemctl daemon-reexec

Verification: Run ulimit -a to see the current limits; in a test environment, run a fork bomb (:(){ :|:& };:) as an unprivileged user and confirm that the nproc limit blocks further process creation.

Category 6: Data Confidentiality Issues

Issue 6.1 – Data Transmission Encryption

Requirement: Use cryptographic protocols for data in transit.

Remediation: Disable Telnet and plain FTP, enforce SSH, configure web servers for HTTPS with strong TLS ciphers, and redirect HTTP to HTTPS.

# Disable Telnet
sudo systemctl stop telnet.socket
sudo systemctl disable telnet.socket
# Disable plain FTP (use SFTP over SSH instead)
sudo systemctl stop vsftpd
sudo systemctl disable vsftpd
# Enforce HTTPS in Nginx (example snippet; certificate paths are placeholders)
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;   # redirect all plain HTTP to HTTPS
}
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
}
sudo nginx -t && sudo systemctl reload nginx

Issue 6.2 – Data-at‑Rest Encryption

Requirement: Encrypt stored data and protect secrets.

Remediation: Encrypt configuration files with Ansible Vault or SOPS, move database passwords to environment variables or Kubernetes Secrets, and optionally encrypt whole disks with LUKS.

# Encrypt a file with Ansible Vault
ansible-vault encrypt my_secret_file.yml
# Store the DB password in the environment instead of a config file
# (in /etc/environment omit "export"; in a systemd unit use Environment= or EnvironmentFile=)
export MYSQL_ROOT_PASSWORD=xxx
# Kubernetes secret example
kubectl create secret generic db-creds --from-literal=username=admin --from-literal=password=xxx
# LUKS disk encryption (example; luksFormat destroys any existing data on /dev/sdb1)
sudo cryptsetup luksFormat /dev/sdb1
sudo cryptsetup open /dev/sdb1 encrypted_disk
sudo mkfs.ext4 /dev/mapper/encrypted_disk

Frequently Asked Questions (FAQ)

Q1: Assessment says "firewall not enabled" but I have cloud security groups.

Security groups are cloud‑level firewalls; the standard requires an OS‑level firewall (firewalld/iptables). Keep the cloud group, enable a host firewall, and open only necessary ports.

Q2: Requirement to close port 22 conflicts with remote ops.

Instead of closing, change the SSH port, restrict source IPs, enforce public‑key authentication, and enable fail2ban.

Q3: High password‑complexity requirement but legacy accounts have weak passwords.

All admin passwords must be updated first; coordinate with developers to adjust application policies, or use SSO to satisfy the identity‑verification clause.

Q4: Audit logs must be retained 180 days but disk space is insufficient.

Enable log compression, configure logrotate with retention, offload logs to a dedicated log server, or allocate a separate large partition for /var/log.

Summary and Implementation Workflow

Grade‑Protection remediation is a systematic effort. Ops engineers should understand each item’s regulatory background, remediation goal, concrete configuration steps, and verification method. Follow the workflow:

1. Receive assessment report and categorize items (identity, access control, audit, intrusion prevention, resource control, data security).
2. Prioritise by risk level (high‑risk first).
3. Validate changes in a test environment.
4. Document configuration changes for audit.
5. Deploy to production with rollback plans.
6. Run verification commands to confirm effect.
7. Request re‑assessment from the audit agency.

The ultimate principle is that Grade‑Protection is not merely a checklist but a means to raise the security baseline; even if an item cannot be immediately implemented, record the risk assessment and compensating measures.
