How to Harden Linux Servers for Tier‑3 Security Compliance with Open‑Source Scripts

China's network security tiered protection system requires Linux servers to implement Tier‑3 controls covering identity authentication, access control, security auditing, intrusion prevention, malicious code protection, and data integrity/confidentiality.

Key Security Controls

Identity Authentication : Unique user IDs, complex passwords with regular rotation, login failure handling, encrypted remote management, and multi‑factor authentication.

Access Control : Assign accounts and permissions per user, rename or delete default accounts, remove expired accounts, and enforce least‑privilege for administrators.

Security Auditing : Enable audit logging for critical actions, record timestamp, user, event type and success status, and protect and back up audit logs.

Intrusion Prevention : Install only required components, disable unused services and high‑risk ports, restrict management terminal access, and promptly patch known vulnerabilities.

Malicious Code Prevention : Deploy anti‑malware and trusted verification mechanisms to detect and block attacks.

Data Integrity & Confidentiality : Use checksums or encryption to ensure data integrity and confidentiality during transmission and storage.

Implementation Steps

System Classification : Determine protection level based on system importance and data sensitivity.

System Registration : Report classification to the relevant authority.

System Construction : Configure the system according to the above controls.

System Assessment : Engage a third‑party assessor to verify compliance.

Remediation & Hardening : Fix identified issues and apply hardening measures.

Periodic Review : Regularly re‑evaluate the system to maintain compliance.

Check_Script – One‑Click Compliance Check

Based on the open‑source project https://github.com/xiaoyunjie/Shell_Script, this script adds password length and rotation requirements and suggests protecting audit logs via a log server.

# Run the check script on CentOS/RedHat
sudo sh CentOS_Check_Script.sh | tee check_$(date +%Y%m%d_%H%M%S).txt

The script creates a timestamped text file with the results. It is designed for RedHat/CentOS; on Ubuntu some configuration files differ, so the script may need modification.

Protective_Script – One‑Click Hardening

The hardening script backs up relevant configuration files to a backup directory before modification.

# Execute the protective script on CentOS/RedHat
sudo sh CentOS_Protective_Script.sh
# On Ubuntu, use bash to avoid syntax errors
sudo bash CentOS_Protective_Script.sh

Key functions include:

Apply all hardening measures in one step.

Enforce password complexity, length, and periodic change policies.

Optionally add an openroot account.

Optionally disable remote root login.

Configure command history retention, timestamps, and session timeout.

Optionally change the SSH port.

Handle login failures.

Optionally restore original configuration files.

Recommend protecting audit logs and backing them up to a log server.

Exit the program.

Project repositories:

Check script: https://github.com/NatChao/check_script Base hardening scripts: https://github.com/xiaoyunjie/Shell_Script These open‑source scripts provide a practical solution for achieving Tier‑3 security compliance on Linux servers, but users must manually review the generated reports and adapt the scripts for non‑RedHat distributions.