Essential Linux Security Baseline for Tier‑3 Compliance: Step‑by‑Step Guide

This article provides a comprehensive, step‑by‑step Linux security baseline for Tier‑3 compliance, covering password policies, login controls, access restrictions, audit logging, intrusion prevention, patch management, and resource limits, complete with executable commands for major distributions.

Xiao Liu Lab

1. Identity Verification (Requirement: Strong Password + Login Control)

✅ 1.1 Password Complexity Policy (pam_pwquality required)

# CentOS/RHEL/Kirin. The pwquality entry must come before the pam_unix password line, so edit the existing entry in place; appending it at the end of the stack leaves it ineffective
sed -i 's/^password\s\+requisite\s\+pam_pwquality\.so.*/password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1/' /etc/pam.d/system-auth
# Ubuntu/Tongxin. Install libpam-pwquality first (apt install libpam-pwquality); pam-auth-update then adds the entry, which is edited in place here
sed -i 's/^password\s\+requisite\s\+pam_pwquality\.so.*/password    requisite     pam_pwquality.so retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1/' /etc/pam.d/common-password

Requirement: at least 8 characters, including upper‑ and lower‑case letters, numbers, and special symbols.

✅ 1.2 Password Expiration ≤ 90 days, warn 7 days before expiry

# Modify /etc/login.defs (affects accounts created from now on)
sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS   90/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS   0/' /etc/login.defs
sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE   7/' /etc/login.defs
# Existing accounts keep their old ageing values, so apply the same settings to every regular user with chage
awk -F: '$3>=1000 && $3<65534 {print $1}' /etc/passwd | xargs -r -n1 chage -M 90 -m 0 -W 7

✅ 1.3 Lock account after 5 failed logins for 30 minutes

# Configure PAM faillock (CentOS 7+/Kirin V10+). Order matters: preauth must run before pam_unix and authfail right after it, so the lines are inserted at the right position instead of appended to the end of the stack
grep -q pam_faillock.so /etc/pam.d/system-auth || {
  sed -i '/^auth\s\+sufficient\s\+pam_unix\.so/i auth        required      pam_faillock.so preauth silent deny=5 unlock_time=1800' /etc/pam.d/system-auth
  sed -i '/^auth\s\+sufficient\s\+pam_unix\.so/a auth        [default=die] pam_faillock.so authfail deny=5 unlock_time=1800' /etc/pam.d/system-auth
  sed -i '/^account\s\+required\s\+pam_unix\.so/i account     required      pam_faillock.so' /etc/pam.d/system-auth
}
# Repeat the same three edits for /etc/pam.d/password-auth, which sshd uses. On authselect-based systems (RHEL 8+ and derivatives) run "authselect enable-feature with-faillock" and set deny/unlock_time in /etc/security/faillock.conf instead

Verification:

faillock --user testuser

2. Access Control (Least Privilege + Account Cleanup)

✅ 2.1 Disable or delete unused accounts (e.g., games, ftp, news)

# Lock unused accounts
for user in games ftp news uucp; do
  if id "$user" >/dev/null 2>&1; then
    usermod -L "$user"
    echo "Locked account: $user"
  fi
done

✅ 2.2 Prohibit remote SSH login for root

# Edit /etc/ssh/sshd_config (on newer distributions also check /etc/ssh/sshd_config.d/*.conf, which is included first and takes precedence)
sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
# If the file had no PermitRootLogin line at all, the sed above changes nothing and the default prohibit-password still allows key-based root login, so add the directive explicitly
grep -qE '^PermitRootLogin' /etc/ssh/sshd_config || echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
# Validate the configuration before restarting so a typo cannot lock you out
sshd -t && systemctl restart sshd

✅ 2.3 Set automatic logout after 10 minutes of inactivity

echo "TMOUT=600" >> /etc/profile
echo "readonly TMOUT" >> /etc/profile
echo "export TMOUT" >> /etc/profile

3. Security Auditing (Core Requirement)

✅ 3.1 Enable rsyslog + auditd dual auditing

# Enable auditd
systemctl enable --now auditd
# Create audit rules (/etc/audit/rules.d/protect.rules). The execve rules record every program execution and are high-volume, so size log storage accordingly
cat > /etc/audit/rules.d/protect.rules <<EOF
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k priv_esc
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b32 -S execve -k exec
EOF
augenrules --load
# Confirm the rules are loaded
auditctl -l

✅ 3.2 Retain logs for ≥ 180 days and make them tamper‑proof

# Remote log backup (e.g., to SIEM). A single @ forwards over UDP, which drops entries silently under load; use @@ for TCP, or the TLS driver on untrusted networks
echo "*.info;mail.none;authpriv.none;cron.none @your-siem-server:514" >> /etc/rsyslog.conf
systemctl restart rsyslog
# Keep 180 daily rotations locally (the logrotate.conf defaults are weekly / rotate 4); per-file entries under /etc/logrotate.d/ override this, so check the syslog/rsyslog entry there as well
sed -i 's/^weekly$/daily/; s/^rotate .*/rotate 180/' /etc/logrotate.conf
# Harden local log permissions (the glob only matches names ending in "log"; rotated copies keep the mode given by "create" in logrotate.conf)
chmod 600 /var/log/*log
chown root:root /var/log/*log

4. Intrusion Prevention (Vulnerabilities + Patch Management)

✅ 4.1 Disable unnecessary services (e.g., avahi, cups, postfix)

systemctl disable --now avahi-daemon cups postfix

✅ 4.2 Establish regular patch management process

# Monthly security update notification (yum/dnf hosts; on Ubuntu/Tongxin use "apt list --upgradable" instead). admin@example.com is a placeholder: replace it with your own address
( crontab -l 2>/dev/null; echo "0 3 1 * * /usr/bin/yum check-update --security | mail -s 'Security Updates' admin@example.com" ) | crontab -

Requirement: critical vulnerabilities fixed within 7 days, high‑risk within 30 days.

5. Malicious Code Prevention

✅ 5.1 Deploy host‑based antivirus (Tier‑3 mandatory)

Recommended domestic solutions: QiAnXin NetShen Host Defender, Venustech Tianxun, Huawei Cloud Host Security (HSS).

✅ 5.2 Disable automatic USB mounting (prevent ferry attacks)

# Blacklist the USB mass-storage drivers instead of a udev rule. (The widely copied rule SUBSYSTEM=="usb", ATTR{bDeviceClass}=="00" de-authorizes almost every USB device, keyboards and mice included, because class 00 means "class defined per interface".)
printf 'install usb-storage /bin/false\ninstall uas /bin/false\n' > /etc/modprobe.d/99-disable-usb-storage.conf
rmmod uas usb-storage 2>/dev/null || true

6. Resource Control (DoS Mitigation)

✅ 6.1 Limit user processes and memory via limits.conf

# Use a high-numbered drop-in: files in /etc/security/limits.d/ are read after limits.conf, and CentOS 7 ships 20-nproc.conf (* soft nproc 4096) which would otherwise override values placed in limits.conf
cat > /etc/security/limits.d/99-baseline.conf <<EOF
* soft nproc 100
* hard nproc 200
# address-space limits are in KB (2 GB soft / 4 GB hard); raise them on hosts running JVMs or databases
* soft as 2048000
* hard as 4096000
# wildcard entries never apply to root, so root is listed explicitly
root soft nproc unlimited
root hard nproc unlimited
EOF

✅ 6.2 Configure kernel parameters to prevent SYN flood

# /etc/sysctl.conf
cat >> /etc/sysctl.conf <<EOF
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_syn_retries = 2
# tcp_syn_retries only limits outgoing SYN retries; inbound half-open connections are bounded by tcp_synack_retries
net.ipv4.tcp_synack_retries = 2
EOF
sysctl -p

Checklist: Tier‑3 Linux Baseline Inspection Items

| Control Item | Check Command | Compliance Standard |
|---|---|---|
| Password Complexity | grep pam_pwquality /etc/pam.d/* | Enabled and policy compliant |
| Password Expiration | grep PASS_MAX_DAYS /etc/login.defs | ≤90 days |
| Root Remote Login | grep PermitRootLogin /etc/ssh/sshd_config | no (confirm the effective value with sshd -T) |
| Audit Logs | systemctl is-active auditd | active |
| Unused Accounts | awk -F: '$3<1000 && $1!="root" && $7!~/nologin/ && $7!~/false/ {print $1}' /etc/passwd | No low‑UID inactive accounts (nothing listed with a login shell) |
| Service Minimization | systemctl list-unit-files --state=enabled | Only necessary services enabled |
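
As an added example (not part of the original article), a POSIX shell audit script that checks several of the checklist items above by parsing the configuration files this guide edits. Every check takes the file path as its argument, so the same functions also run against copies collected from other hosts; paths and labels are the ones used in this guide.

```sh
#!/bin/sh
# Added example (not from the original article): audits several controls above
# by parsing the files this guide edits. Each check takes the file path as its
# argument, so the functions also run against copies collected from other hosts.

# 1.1 pwquality must be in the password stack with minlen>=8 and all four character classes required
check_pwquality() {
    line=$(grep -E '^password[[:space:]]+requisite[[:space:]]+pam_pwquality\.so' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    minlen=$(printf '%s\n' "$line" | grep -oE 'minlen=[0-9]+' | cut -d= -f2)
    [ "${minlen:-0}" -ge 8 ] || return 1
    for c in ucredit lcredit dcredit ocredit; do
        printf '%s\n' "$line" | grep -qE "${c}=-[1-9]" || return 1
    done
}

# 1.2 PASS_MAX_DAYS must be present and <= 90 (commented-out defaults are ignored)
check_pass_max_days() {
    days=$(awk '$1 == "PASS_MAX_DAYS" { print $2 }' "$1")
    [ -n "$days" ] && [ "$days" -le 90 ]
}

# 1.3 faillock preauth must come before pam_unix in the auth stack; appended at the end it never blocks a locked account
check_faillock_order() {
    pre=$(grep -nE '^auth[[:space:]].*pam_faillock\.so[[:space:]]+preauth' "$1" | head -n 1 | cut -d: -f1)
    unix=$(grep -nE '^auth[[:space:]].*pam_unix\.so' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$pre" ] && [ -n "$unix" ] && [ "$pre" -lt "$unix" ]
}

# 2.2 sshd uses the first PermitRootLogin it reads; no directive means the default prohibit-password, which still admits root with a key
check_permit_root_login() {
    val=$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" | head -n 1 | awk '{ print tolower($2) }')
    [ "$val" = "no" ]
}

# Print PASS/FAIL for one control, skipping files absent on this distribution; usage: audit <label> <check-function> <file>
audit() {
    [ -f "$3" ] || return 0
    if "$2" "$3"; then echo "PASS $1 ($3)"; else echo "FAIL $1 ($3)"; fi
}

# Live run against the paths used in this guide
audit "1.1 password complexity" check_pwquality /etc/pam.d/system-auth
audit "1.1 password complexity" check_pwquality /etc/pam.d/common-password
audit "1.2 password expiration" check_pass_max_days /etc/login.defs
audit "1.3 account lockout"     check_faillock_order /etc/pam.d/system-auth
audit "2.2 root SSH login"      check_permit_root_login /etc/ssh/sshd_config
```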

In a compliance‑driven Linux system, security is not achieved merely by installing software; every configuration line must withstand audit scrutiny.
Written by

Xiao Liu Lab

An operations lab passionate about server tinkering 🔬 Sharing automation scripts, high-availability architecture, alert optimization, and incident reviews. Using technology to reduce overtime and experience to avoid major pitfalls. Follow me for easier, more reliable operations!
