Hacking Book | Free Online Hacking Learning


what is the wait for protection (3): host security

Posted by forbes at 2020-03-15

*The author of this article: Yuchen @ Mohan technology compliance research group, this article is an original award program of freebuf, and is not allowed to be reproduced without permission.


This article will introduce the security requirements of the host level in the ISO warranty. The content of this article is all my personal views. If there is something wrong, please correct it. Based on the three-level system, this paper interprets the requirements from the perspective of compliance.

What series of articles is waiting for insurance

What is equal protection (1): physical security

What is equal protection (2): network security

What is ISO security (4): application and data security

What is equal protection (5): system and personnel safety

What is equal protection (6): system construction management

What is equal protection (7): system operation and maintenance management part


This part interprets the standard requirements from the host security level. Some contents and network parts will overlap, with the same requirements, but based on the host level. identification (S3)

a) Identity identification and authentication shall be carried out for users logging into the operating system and database system;

b) The identity of the management user of the operating system and the database system shall not be easy to be fraudulently used, and the password shall have the complexity requirements and be changed regularly;

c) The login failure processing function should be enabled, and measures such as ending the session, limiting the number of illegal login and automatic exit can be taken;

d) When the server is managed remotely, necessary measures should be taken to prevent the identification information from being eavesdropped in the process of network transmission;

e) Different users of the operating system and the database system should be assigned different user names to ensure that they are unique.

f) Two or more combinations of authentication technologies shall be used to authenticate the identity of management users.

The requirements for identity authentication are basically the same as those for network devices, with the emphasis on:

1) The user ID is unique and the user name is representative. The internal personnel can distinguish which system or operation the account is used for from the name. In principle, the user names of different permissions / groups or systems cannot be repeated or used by more than one person;

2) Passwords with more than 8 digits (including 8 digits) contain at least 3 combinations of characters; (to mention here, recently, password free login system and management platform have been publicized, which is expected to become a trend in the future. The advantage is that it can no longer remember complex passwords, it can also prevent acts of password stealing such as blasting and database collision, and the system does not need to store password information of users. You can refer to this article:


3) The host should also do a good job in handling the login failure strategy. It is required that (1) after the password is entered more than N, the account will be locked automatically for M minutes (usually n = 5, M > 15, only recommended, not required); (2) there is no operation after login, and it will be disconnected automatically after s minutes (generally s < 5);

4) If there is no special business requirement, it is not recommended to open the remote management interface; if necessary, it is not allowed to use the direct login method, first log in the bastion machine (or first jump board machine and then switch to bastion machine; then or non important server, at least log in the springboard machine and then access the server), and then access the server to be operated; and the connection path must be encrypted;

5) Host login also uses two factor authentication (bastion machine). access control (S3)

a) The access control function shall be enabled to control the user's access to resources according to the security policy;

b) The authority should be allocated according to the role of the management user to separate the authority of the management user and only grant the minimum authority required by the management user;

c) The privilege separation between the operating system and the database system should be realized;

d) The access rights of the default account should be strictly limited, the default account of the system should be renamed, and the default password of these accounts should be modified;

e) Redundant and expired accounts should be deleted in time to avoid the existence of shared accounts.

f) Set sensitive marks for important information resources;

g) According to the security policy, users should strictly control the operation of important information resources with sensitive marks;

Access control part of the requirements are more, one by one.

a) The resource here refers to the object (information), which is to control the access rights of different users to avoid exceeding the authority;

B) This is also an emphasis on exceeding authority and minimizing authority allocation. As long as it can meet the work needs, the authority management should be detailed as much as possible (this is not easy to do on the network and security equipment, but it can be done on the host level, but we are not willing to do it because we are too bothered); the proposed authority separation is to avoid that an account has too many authorities (such as over management, administrator account) In general, this kind of high authority account needs to follow the process before use, and will not be used as an account for daily operation and maintenance;

c) This item means that the system and database accounts cannot be managed by the same account; for example, when installing MS SQL, you will be asked if you want to create a mixed login account, or you can log in to the database with a Windows account, which is generally not recommended;

d) The usual way is to disable the default account directly. If you do not want to use it, rename the account and set a more complex password before using it;

E) This is a mistake that many enterprises are prone to make. After the delivery of various outsourcing, testing environments and testing systems, the previous environment will be unmanaged, not only redundant accounts, but also some testing environments can access the production network and office network, open the temporary interface and no protection measures, so it is easy to be blacked out as a springboard; that is, the lack of asset and process management, production and management No one knows the status of the marginal assets, which is very important. The extended problem is not only about the redundant accounts;

F) Basically speaking, most enterprises give up this requirement directly, because the general score of this requirement is not very high, but it is relatively difficult to do it. Sensitive mark includes two aspects (i It is also a sensitive mark to insert a user-defined label or logo into the data for data classification. There are not many companies that can do this in the current year, but it is necessary from the current point of view. In recent years, the data life cycle has been blowing, which includes the content required to be described;

g) As mentioned earlier, it is about reading, and here it is about writing; that is to do a good job in authority management, neither reading beyond authority nor writing beyond authority. safety audit (G3)

a) The audit scope shall cover every operating system user and database user on the server and important client;

b) Audit contents shall include important safety related events in the system, such as important user behaviors, abnormal use of system resources and use of important system commands;

c) The audit record should include the date, time, type, subject identification, object identification and result of the event;

d) It shall be able to analyze the recorded data and generate audit reports;

e) The audit process should be protected from unexpected interruption;

f) Audit records should be protected from unintended deletion, modification or overwriting.

The host security audit part is similar to the network part, and there are some differences in some parts.

1) In addition to the server involved in the system itself, the audit scope also requires that the system user and database user operations to important clients can be audited. At first, I thought it was like Taobao, which required to audit the browsing, purchase, login, exit and other records of each user. In fact, I think it was more than enough. Here, it requires the server associated with the system and the ability to access the system background For example, if the administrator can access the system background through his own PC, the logs of this PC should be kept and can be audited;

2) It is better to understand the operation audit, that is, to be comprehensive, and to record all the useful information that can be recorded, so as to facilitate the follow-up audit and the traceability of security events; the audit report mentioned in the standard is to summarize and count the operation, access, abnormal behavior, etc. according to the log, analyze the trend, and form the report, which is also to be checked during the inspection;

3) This is the protection of logs and audit records / reports. Records shall be kept for at least 6 months, managed by special personnel and backed up off-site to ensure the integrity of records. residual information protection (S3)

a) The storage space of identification information of users of operating system and database system shall be ensured to be completely cleared before being released or redistributed to other users, no matter whether the information is stored on hard disk or in memory;

b) The storage space of files, directories, database records and other resources in the system shall be completely cleared before being released or reassigned to other users.

This requirement is also a protective measure for sensitive information leakage. In several directions:

1) Cache and RAM storage are easy to say. Generally, if you restart or read more information, the previous content will be gone; this kind of information leakage is basically based on the dynamic. In the process of system operation, you can get data only when it is blacked out, and the level of equal security three is not so high, so there will be no hard requirements;

2) In terms of storage media (disk, U disk, etc.), if it is put into use again, it is necessary to do a good job in data cleaning. At present, most enterprises are not rich enough to be scrapped when they are used up, so most of them are formatted and then allocated to other departments or people for further use. However, it is well known that even after low-level operation, many data can be recovered. Generally, the practice of large companies is to Yes, format, and then write garbage data in full space repeatedly (3-7 times, depending on the actual situation); this operation is basically a common recovery method. Most of the recovered data is garbage data, which is enough for most enterprises; on the other hand, tape and CD are recommended to be used once and destroyed directly when they are used up, and the cost is not high. Therefore, enterprises do not need to do this Money is reused.

3) In the aspect of virtual storage, this part is not required in the old standard, but ISO 2.0 has clearly proposed that it is actually a requirement item in the resource control part, which should ensure that the memory space allocated to the virtual machine is only for its exclusive access, and the virtual machine can only use the computing resources allocated for it. I can't write down the specific technical means here. I'm not at the bottom either, so I recommend a paper. If you are interested, you can have a look.

Research on virtual machine detection technology, Wang Baolin, Yang Ming, Zhang Yonghui (command automation college of PLA University of science and technology, Nanjing, Jiangsu Province) Intrusion Prevention (G3)

a) It should be able to detect the behavior of intrusion on important servers, record the source IP of the intrusion, the type of attack, the purpose of the attack, the time of the attack, and provide an alarm in case of serious intrusion events;

b) It shall be able to detect the integrity of important procedures, and have recovery measures after detecting that the integrity is damaged;

c) The operating system should follow the principle of minimum installation, only install the required components and applications, and keep the system patch updated in time by setting the upgrade server and other ways.

There are too many technologies involved in host intrusion prevention. Here we mainly talk about the requirements of inferior protection.

a) IPS can do everything, and the linkage with the monitoring platform is OK, and it can send SMS or email alarm;

B) Personal understanding: similar to WAF's webpage anti tampering, periodic page crawling for comparison, integrity verification, early warning if there is a problem, which is the first half; the second half also requires recovery measures, that is, emergency response plan and emergency response team, especially government sites, attach great importance to such problems, once tampering occurs, emergency response work will be started immediately ;

C) The principle of minimum installation of the system has been said for many years, so there is nothing to discuss; in the second half of the sentence, patching should be done in a timely manner, and some hosts will not be patched for 1 year. In the current trend environment, I think that the heart of managers is big enough; for safe operation and management, it is also important to be cautious, not afraid of meticulous, stable development, and not to do without accidents The state of mind. (there are also some cases where the system is old and old. Once a new patch is made, the system will not work and affect the business. For such systems, it is recommended that enterprises redesign and develop new systems as early as possible. Unless your system does not need external connection and is purely enclosed in the internal network, it will be hacked sooner or later.) malicious code prevention (G3)

a) Install anti malicious code software, and update anti malicious code software version and malicious code base in time;

b) Host anti malicious code products should have different malicious code base from network anti malicious code products;

c) It should support the unified management of anti malicious code.

In fact, malicious code prevention is easy to understand at the host level. The first is the genuine security software (kill soft or HIDS products). Don't think it's OK to install a pirated software to deal with it. As an enterprise, it is not allowed to use pirated software according to normal requirements, but it's not strict now, even if it's to regret one day. The software version and virus library should be updated in time, and can't use IPS or FW Instead of security software, the malicious code module on should use different feature libraries; and then it should be managed uniformly for the software, not by person or department. (say a few more words, as reflected by enterprises here, Linux system is safe and generally does not need to install anti-virus software, but it turns out that it's all bullshit, isn't it cool after being recruited? On the other hand, fear of deleting system files by mistake and causing business suspension does exist. However, no matter the personal version or enterprise version of kill soft, you can define your own strategy. If there is a problem, you can set it as an alarm, and handle it manually. According to the business situation, change the strategy in time. Some of the real requests can be added to the white list.) resource control (A3)

a) The terminal login shall be restricted by setting the terminal access mode, network address range and other conditions;

b) The operation timeout lock of the login terminal should be set according to the security policy;

c) Important servers shall be monitored, including the use of CPU, hard disk, memory, network and other resources of the server;

d) The maximum or minimum use limit of system resources by a single user shall be limited;

e) It shall be able to detect and alarm the service level of the system to the minimum value specified in advance.

It is easy to understand and implement resource control in the old-class insurance standard. Please describe it briefly.

a) The number of hosts that can log in to the bastion machine or the springboard machine should not be too many, and only a few IP logins should be allowed;

b) There is no operation on the server account, and the screen will be locked automatically after n minutes (suggestion: usually 5-15 minutes can be set, and the maximum time should not exceed 30 minutes);

c) Now some large computer rooms have monitoring platforms, even if they don't, they can build one by themselves with some open source tools;

De) SLA at the host level, set thresholds for different users to call system resources; e can set alerts on the monitoring platform.


The above is the requirements of the host security part. The recommended standard is YD / T 2701-2014. You can take a look at it if you are interested.

*The author of this article: Yuchen @ Mohan technology compliance research group, this article is an original award program of freebuf, and is not allowed to be reproduced without permission.