Measuring System Security
As a follow-up to changing the default password, I was running an overall security audit on a number of systems I manage, as part of a monthly administrative routine.
As many readers know I try to inject security-consciousness into many of my columns and blog posts, referencing authentication, intrusion detection, spam prevention and other factors/products for securing your open source system. Thus, I decided to explore the Center for Internet Security’s benchmark tool for Linux. Currently it supports only Red Hat platforms (Enterprise Linux and the Fedora Cores).
Installation is as simple as untarring the download and switching to the root user. The tool is read-only – so no fear is necessary in executing the script. I ran the tool on my own dedicated web server as a test prior to shifting to any customer hardware. This particular server runs Fedora Core 3, uses iptables for firewalling, and allows ssh and sftp only for remote access. It also contains the usual LAMP-platform daemons, Tripwire for Linux for intrusion detection and change control on configuration files, and QMail as an MTA (running vpopmail, qmailadmin, tcpserver and spamassassin).
This box runs a tight ship, and as little as possible is left to chance as far as cracks through which an intruder could slip. However, the CIS benchmark revealed an eye-opening number of details for tweaking the system to an almost completely hardened level (short of turning off Apache, Qmail and MySQL), well beyond the tuning I had done when building it.
In particular, I like that the tool takes note of services not necessary to starting or running the OS which can be disabled for the next reboot (e.g. Kudzu for hardware discovery – handy for a desktop scenario but not necessary for a server; CUPS for printing if no printing is needed; etc.).
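The kind of check the benchmark performs for boot-time services can be reproduced with a small read-only audit script. The example below is added here and is not part of the CIS tool or the original post; it parses output in the `chkconfig --list` format used on Fedora Core 3, flags services from an assumed "not needed on a headless server" list that are enabled in runlevel 3 or 5, and prints the `chkconfig <service> off` commands an administrator would review before applying. The embedded sample output is constructed for the example.

```shell
#!/bin/sh
# Read-only audit of chkconfig-style service listings (added example, not
# the CIS benchmark tool). Nothing is changed on the system: the script only
# prints the services it would disable and the commands to do so.

# Constructed sample of 'chkconfig --list' output (Fedora Core 3 layout).
# On a live box, pipe the real listing in instead: chkconfig --list | ...
SAMPLE_CHKCONFIG='kudzu          0:off 1:off 2:off 3:on  4:on  5:on  6:off
cups           0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
httpd          0:off 1:off 2:off 3:on  4:off 5:on  6:off
iptables       0:off 1:off 2:on  3:on  4:on  5:on  6:off
pcmcia         0:off 1:off 2:off 3:off 4:off 5:off 6:off'

# Services that are handy on a desktop but rarely needed on a server.
# This list is an assumption for the example; tailor it to your own build.
UNNEEDED_ON_SERVER="kudzu cups pcmcia isdn apmd"

# find_unneeded_enabled LISTING
#   Prints one service name per line for every service in the listing that
#   is on the unneeded list AND is switched on in runlevel 3 or 5 (the
#   runlevels a server actually boots into).
find_unneeded_enabled() {
    printf '%s\n' "$1" | while read -r svc levels; do
        # Skip services we consider legitimate (sshd, httpd, iptables, ...).
        case " $UNNEEDED_ON_SERVER " in
            *" $svc "*) ;;
            *) continue ;;
        esac
        # Report only if enabled in a multi-user runlevel; a service that is
        # already off everywhere (pcmcia above) needs no action.
        case " $levels " in
            *" 3:on "*|*" 5:on "*) echo "$svc" ;;
        esac
    done
}

# remediation_commands LISTING
#   Turns the findings into the commands an admin would run after review.
#   They are printed, never executed, so the audit stays read-only.
remediation_commands() {
    find_unneeded_enabled "$1" | while read -r svc; do
        echo "chkconfig $svc off"
    done
}

# Run against the constructed sample. For a real audit replace the argument
# with "$(chkconfig --list)" and read the output before applying anything.
remediation_commands "$SAMPLE_CHKCONFIG"
```

Against the sample, the script reports `kudzu` and `cups` and prints the two corresponding `chkconfig ... off` commands; `pcmcia` is on the unneeded list but already disabled in every runlevel, so it is not reported. Because the script only prints, it can be run as part of the same monthly routine without risk of changing a production box.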
Ideally it would be optimal to run this benchmark after a clean build of a Red Hat flavored box – tuning it prior to placing it into production. Being that we do not live in a perfect world – I will simply build this tool into my process of checking and re-checking servers on a regular basis. I would encourage the same for all reading this.
If you are running BSD, Solaris or Windows, see the CIS home page as there are benchmark tools for multiple platforms.
Translated from: https://www.sitepoint.com/measure-system-security/