Alerts in SELinux

Support for security such as Firewalls and securing linux
Post Reply
yaoyansi
Posts: 23
Joined: 2014/08/24 07:10:22

Alerts in SELinux

Post by yaoyansi » 2015/12/28 03:53:17

Hi all,
I reinstalled my centos7 system yesterday,
the system version is centos7 7.0.1406 x64.

After the installation, I run:
yum update

SELinux prompts several alerts during the update, and my cdrom ejected later. So I'm afraid that my system is hacked.

After the update, my system version is :
Linux localhost.localdomain 3.10.0-327.3.1.el7.x86_64 #1 SMP Wed Dec 9 14:09:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Here is the details of these alerts. Could you give me any help?
Alert 1-------------------------------------------------------------------------------

Code: Select all

    SELinux is preventing /usr/libexec/abrt-handle-event from open access on the file .

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that abrt-handle-event should be allowed open access on the  file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep abrt-handle-eve /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Additional Information:
    Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
    Target Context                system_u:object_r:var_spool_t:s0
    Target Objects                 [ file ]
    Source                        abrt-handle-eve
    Source Path                   /usr/libexec/abrt-handle-event
    Port                          <Unknown>
    Host                          localhost.localdomain
    Source RPM Packages           abrt-2.1.11-12.el7.centos.x86_64
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.12.1-153.el7.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     localhost.localdomain
    Platform                      Linux localhost.localdomain 3.10.0-123.el7.x86_64
                                  #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64
    Alert Count                   2
    First Seen                    2015-12-27 09:21:35 EST
    Last Seen                     2015-12-27 09:21:35 EST
    Local ID                      5f7559d5-313a-4f09-96c3-bea0c3fd67c5

    Raw Audit Messages
    type=AVC msg=audit(1451226095.531:608): avc:  denied  { open } for  pid=17177 comm="abrt-handle-eve" path="/var/spool/abrt/ccpp-2015-12-27-09:21:35-883/time" dev="dm-1" ino=202708314 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file


    type=SYSCALL msg=audit(1451226095.531:608): arch=x86_64 syscall=open success=no exit=EACCES a0=7fec1af67c10 a1=0 a2=7fec1af67c1f a3=0 items=0 ppid=17167 pid=17177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-handle-eve exe=/usr/libexec/abrt-handle-event subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

    Hash: abrt-handle-eve,abrt_t,var_spool_t,file,open

Alert 2--------------------------------------------------------------------------------

Code: Select all

    SELinux is preventing /usr/libexec/abrt-handle-event from create access on the lnk_file .

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that abrt-handle-event should be allowed create access on the  lnk_file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep abrt-handle-eve /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Additional Information:
    Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
    Target Context                system_u:object_r:var_spool_t:s0
    Target Objects                 [ lnk_file ]
    Source                        abrt-handle-eve
    Source Path                   /usr/libexec/abrt-handle-event
    Port                          <Unknown>
    Host                          localhost.localdomain
    Source RPM Packages           abrt-2.1.11-12.el7.centos.x86_64
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.12.1-153.el7.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     localhost.localdomain
    Platform                      Linux localhost.localdomain 3.10.0-123.el7.x86_64
                                  #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64
    Alert Count                   4
    First Seen                    2015-12-27 09:21:35 EST
    Last Seen                     2015-12-27 09:21:35 EST
    Local ID                      8caf01b0-e3c6-4695-bf85-887026cb13af

    Raw Audit Messages
    type=AVC msg=audit(1451226095.534:610): avc:  denied  { create } for  pid=17167 comm="abrt-server" name=".lock" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=lnk_file


    type=SYSCALL msg=audit(1451226095.534:610): arch=x86_64 syscall=symlinkat success=no exit=EACCES a0=7fffad941200 a1=5 a2=7faa8ee00b32 a3=7fffad940ed0 items=0 ppid=866 pid=17167 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-server exe=/usr/sbin/abrt-server subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

    Hash: abrt-handle-eve,abrt_t,var_spool_t,lnk_file,create

alert3--------------------------------------------------------------------------------

Code: Select all

    SELinux is preventing /usr/lib/systemd/systemd-logind from read access on the directory .

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that systemd-logind should be allowed read access on the  directory by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Additional Information:
    Source Context                system_u:system_r:systemd_logind_t:s0
    Target Context                system_u:object_r:tmpfs_t:s0
    Target Objects                 [ dir ]
    Source                        systemd-logind
    Source Path                   /usr/lib/systemd/systemd-logind
    Port                          <Unknown>
    Host                          localhost.localdomain
    Source RPM Packages           systemd-208-11.el7.x86_64
                                  systemd-219-19.el7.x86_64
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.12.1-153.el7.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     localhost.localdomain
    Platform                      Linux localhost.localdomain 3.10.0-123.el7.x86_64
                                  #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64
    Alert Count                   1
    First Seen                    2015-12-27 09:21:54 EST
    Last Seen                     2015-12-27 09:21:54 EST
    Local ID                      e9da0e86-de1d-4784-93fa-f2cf68b23979

    Raw Audit Messages
    type=AVC msg=audit(1451226114.223:620): avc:  denied  { read } for  pid=17173 comm="systemd-logind" name="/" dev="mqueue" ino=7612 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir


    type=SYSCALL msg=audit(1451226114.223:620): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7f6fedaa71ee a2=90800 a3=0 items=0 ppid=1 pid=17173 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null)

    Hash: systemd-logind,systemd_logind_t,tmpfs_t,dir,read

alert4------------------------------------------------------------------------------

Code: Select all

    SELinux is preventing /usr/lib/systemd/systemd-logind from mounton access on the directory .

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that systemd-logind should be allowed mounton access on the  directory by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Additional Information:
    Source Context                system_u:system_r:systemd_logind_t:s0
    Target Context                system_u:object_r:user_tmp_t:s0
    Target Objects                 [ dir ]
    Source                        systemd-logind
    Source Path                   /usr/lib/systemd/systemd-logind
    Port                          <Unknown>
    Host                          localhost.localdomain
    Source RPM Packages           systemd-208-11.el7.x86_64
                                  systemd-219-19.el7.x86_64
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.12.1-153.el7.noarch selinux-
                                  policy-3.13.1-60.el7.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     localhost.localdomain
    Platform                      Linux localhost.localdomain 3.10.0-123.el7.x86_64
                                  #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64
    Alert Count                   2
    First Seen                    2015-12-27 09:21:35 EST
    Last Seen                     2015-12-27 09:30:01 EST
    Local ID                      24895b84-2738-405b-91a6-e462387b530c

    Raw Audit Messages
    type=AVC msg=audit(1451226601.411:685): avc:  denied  { mounton } for  pid=17173 comm="systemd-logind" path="/run/user/0" dev="tmpfs" ino=3042889 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir


    type=SYSCALL msg=audit(1451226601.411:685): arch=x86_64 syscall=mount success=no exit=EACCES a0=7f6fedaa6250 a1=7f6fedfa7400 a2=7f6fedaa6250 a3=6 items=0 ppid=1 pid=17173 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null)

    Hash: systemd-logind,systemd_logind_t,user_tmp_t,dir,mounton
And here is my /var/log/audit/audit.log
http://pastebin.ca/3305655

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Alerts in SELinux

Post by aks » 2015/12/28 22:58:40

Yeah this is not good abrt catches aborts (surprise!) That means things are crashing - never a good thing.
It looks like something's wrong with dm-1. What's the hardware like?

yaoyansi
Posts: 23
Joined: 2014/08/24 07:10:22

Re: Alerts in SELinux

Post by yaoyansi » 2016/01/01 03:21:07

My computer is Thinkpad T430
here is the details:

# dmidecode

Code: Select all

# dmidecode 2.12-dmifs
# SMBIOS entry point at 0xdf69e000
SMBIOS 2.7 present.
72 structures occupying 2814 bytes.
Table at 0xDF69D000.

Handle 0x0000, DMI type 134, 16 bytes
OEM-specific Type
	Header and Data:
		86 10 00 00 00 53 54 4D 20 01 01 00 00 02 01 02
	Strings:
		TPM INFO
		System Reserved

Handle 0x0001, DMI type 4, 42 bytes
Processor Information
	Socket Designation: CPU Socket - U3E1
	Type: Central Processor
	Family: Core i5
	Manufacturer: Intel(R) Corporation
	ID: A9 06 03 00 FF FB EB BF
	Signature: Type 0, Family 6, Model 58, Stepping 9
	Flags:
		FPU (Floating-point unit on-chip)
		VME (Virtual mode extension)
		DE (Debugging extension)
		PSE (Page size extension)
		TSC (Time stamp counter)
		MSR (Model specific registers)
		PAE (Physical address extension)
		MCE (Machine check exception)
		CX8 (CMPXCHG8 instruction supported)
		APIC (On-chip APIC hardware supported)
		SEP (Fast system call)
		MTRR (Memory type range registers)
		PGE (Page global enable)
		MCA (Machine check architecture)
		CMOV (Conditional move instruction supported)
		PAT (Page attribute table)
		PSE-36 (36-bit page size extension)
		CLFSH (CLFLUSH instruction supported)
		DS (Debug store)
		ACPI (ACPI supported)
		MMX (MMX technology supported)
		FXSR (FXSAVE and FXSTOR instructions supported)
		SSE (Streaming SIMD extensions)
		SSE2 (Streaming SIMD extensions 2)
		SS (Self-snoop)
		HTT (Multi-threading)
		TM (Thermal monitor supported)
		PBE (Pending break enabled)
	Version: Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz
	Voltage: 0.9 V
	External Clock: 100 MHz
	Max Speed: 2500 MHz
	Current Speed: 2500 MHz
	Status: Populated, Enabled
	Upgrade: Socket rPGA988B
	L1 Cache Handle: 0x0003
	L2 Cache Handle: 0x0004
	L3 Cache Handle: 0x0005
	Serial Number: None
	Asset Tag: None
	Part Number: None
	Core Count: 2
	Core Enabled: 2
	Thread Count: 4
	Characteristics:
		64-bit capable

Handle 0x0002, DMI type 7, 19 bytes
Cache Information
	Socket Designation: L1-Cache
	Configuration: Enabled, Not Socketed, Level 1
	Operational Mode: Write Through
	Location: Internal
	Installed Size: 32 kB
	Maximum Size: 32 kB
	Supported SRAM Types:
		Unknown
	Installed SRAM Type: Unknown
	Speed: Unknown
	Error Correction Type: Parity
	System Type: Data
	Associativity: 8-way Set-associative

Handle 0x0003, DMI type 7, 19 bytes
Cache Information
	Socket Designation: L1-Cache
	Configuration: Enabled, Not Socketed, Level 1
	Operational Mode: Write Through
	Location: Internal
	Installed Size: 32 kB
	Maximum Size: 32 kB
	Supported SRAM Types:
		Unknown
	Installed SRAM Type: Unknown
	Speed: Unknown
	Error Correction Type: Parity
	System Type: Instruction
	Associativity: 8-way Set-associative

Handle 0x0004, DMI type 7, 19 bytes
Cache Information
	Socket Designation: L2-Cache
	Configuration: Enabled, Not Socketed, Level 2
	Operational Mode: Write Through
	Location: Internal
	Installed Size: 256 kB
	Maximum Size: 256 kB
	Supported SRAM Types:
		Unknown
	Installed SRAM Type: Unknown
	Speed: Unknown
	Error Correction Type: Multi-bit ECC
	System Type: Unified
	Associativity: 8-way Set-associative

Handle 0x0005, DMI type 7, 19 bytes
Cache Information
	Socket Designation: L3-Cache
	Configuration: Enabled, Not Socketed, Level 3
	Operational Mode: Write Back
	Location: Internal
	Installed Size: 3072 kB
	Maximum Size: 3072 kB
	Supported SRAM Types:
		Unknown
	Installed SRAM Type: Unknown
	Speed: Unknown
	Error Correction Type: Multi-bit ECC
	System Type: Unified
	Associativity: 12-way Set-associative

Handle 0x0006, DMI type 129, 8 bytes
OEM-specific Type
	Header and Data:
		81 08 06 00 01 01 02 01
	Strings:
		Intel_ASF
		Intel_ASF_001

Handle 0x0007, DMI type 16, 23 bytes
Physical Memory Array
	Location: System Board Or Motherboard
	Use: System Memory
	Error Correction Type: None
	Maximum Capacity: 16 GB
	Error Information Handle: Not Provided
	Number Of Devices: 2

Handle 0x0008, DMI type 17, 34 bytes
Memory Device
	Array Handle: 0x0007
	Error Information Handle: Not Provided
	Total Width: 64 bits
	Data Width: 64 bits
	Size: 4096 MB
	Form Factor: SODIMM
	Set: None
	Locator: ChannelA-DIMM0
	Bank Locator: BANK 0
	Type: DDR3
	Type Detail: Synchronous
	Speed: 1600 MHz
	Manufacturer: Hynix/Hyundai
	Serial Number: 12815735
	Asset Tag: None
	Part Number: HMT351S6CFR8C-PB  
	Rank: Unknown
	Configured Clock Speed: 1600 MHz

Handle 0x0009, DMI type 17, 34 bytes
Memory Device
	Array Handle: 0x0007
	Error Information Handle: Not Provided
	Total Width: 64 bits
	Data Width: 64 bits
	Size: 8192 MB
	Form Factor: SODIMM
	Set: None
	Locator: ChannelB-DIMM0
	Bank Locator: BANK 2
	Type: DDR3
	Type Detail: Synchronous
	Speed: 1600 MHz
	Manufacturer: Kingston
	Serial Number: 1F2E367A
	Asset Tag: None
	Part Number: 99U5428-063.A00LF 
	Rank: Unknown
	Configured Clock Speed: 1600 MHz

Handle 0x000A, DMI type 20, 35 bytes
Memory Device Mapped Address
	Starting Address: 0x00000000000
	Ending Address: 0x001FFFFFFFF
	Range Size: 8 GB
	Physical Device Handle: 0x0008
	Memory Array Mapped Address Handle: 0x000D
	Partition Row Position: 1
	Interleave Position: 1
	Interleaved Data Depth: 2

Handle 0x000B, DMI type 20, 35 bytes
Memory Device Mapped Address
	Starting Address: 0x00000000000
	Ending Address: 0x001FFFFFFFF
	Range Size: 8 GB
	Physical Device Handle: 0x0008
	Memory Array Mapped Address Handle: 0x000D
	Partition Row Position: 1
	Interleave Position: 2
	Interleaved Data Depth: 2

Handle 0x000C, DMI type 20, 35 bytes
Memory Device Mapped Address
	Starting Address: 0x00200000000
	Ending Address: 0x002FFFFFFFF
	Range Size: 4 GB
	Physical Device Handle: 0x0009
	Memory Array Mapped Address Handle: 0x000D
	Partition Row Position: 1

Handle 0x000D, DMI type 19, 31 bytes
Memory Array Mapped Address
	Starting Address: 0x00000000000
	Ending Address: 0x002FFFFFFFF
	Range Size: 12 GB
	Physical Array Handle: 0x0007
	Partition Width: 2

Handle 0x000E, DMI type 134, 13 bytes
OEM-specific Type
	Header and Data:
		86 0D 0E 00 05 12 12 20 00 00 00 00 00

Handle 0x000F, DMI type 0, 24 bytes
BIOS Information
	Vendor: LENOVO
	Version: G1ET73WW (2.09 )
	Release Date: 10/19/2012
	Address: 0xE0000
	Runtime Size: 128 kB
	ROM Size: 12288 kB
	Characteristics:
		PCI is supported
		PNP is supported
		BIOS is upgradeable
		BIOS shadowing is allowed
		Boot from CD is supported
		Selectable boot is supported
		EDD is supported
		3.5"/720 kB floppy services are supported (int 13h)
		Print screen service is supported (int 5h)
		8042 keyboard services are supported (int 9h)
		Serial services are supported (int 14h)
		Printer services are supported (int 17h)
		CGA/mono video services are supported (int 10h)
		ACPI is supported
		USB legacy is supported
		BIOS boot specification is supported
		Targeted content distribution is supported
		UEFI is supported
	BIOS Revision: 2.9
	Firmware Revision: 1.8

Handle 0x0010, DMI type 1, 27 bytes
System Information
	Manufacturer: LENOVO
	Product Name: 23442MC
	Version: ThinkPad T430
	Serial Number: PB57Z8H
	UUID: 0B71F681-5215-11CB-BDA3-D00B76ED82B5
	Wake-up Type: Power Switch
	SKU Number: LENOVO_MT_2344
	Family: ThinkPad T430

Handle 0x0011, DMI type 2, 15 bytes
Base Board Information
	Manufacturer: LENOVO
	Product Name: 23442MC
	Version: Not Defined
	Serial Number: 1ZLU528R1TO
	Asset Tag: Not Available
	Features:
		Board is a hosting board
		Board is replaceable
	Location In Chassis: Not Available
	Chassis Handle: 0x0000
	Type: Motherboard
	Contained Object Handles: 0

Handle 0x0012, DMI type 3, 22 bytes
Chassis Information
	Manufacturer: LENOVO
	Type: Notebook
	Lock: Not Present
	Version: Not Available
	Serial Number: PB57Z8H
	Asset Tag: No Asset Information
	Boot-up State: Unknown
	Power Supply State: Unknown
	Thermal State: Unknown
	Security Status: Unknown
	OEM Information: 0x00000000
	Height: Unspecified
	Number Of Power Cords: Unspecified
	Contained Elements: 0
	SKU Number: LENOVO_MT_2344

Handle 0x0013, DMI type 8, 9 bytes
Port Connector Information
	Internal Reference Designator: Not Available
	Internal Connector Type: None
	External Reference Designator: External Monitor
	External Connector Type: DB-15 female
	Port Type: Video Port

Handle 0x0014, DMI type 8, 9 bytes
Port Connector Information
	Internal Reference Designator: Not Available
	Internal Connector Type: None
	External Reference Designator: Mini DisplayPort
	External Connector Type: Other
	Port Type: Video Port

Handle 0x0015, DMI type 126, 9 bytes
Inactive

Handle 0x0016, DMI type 126, 9 bytes
Inactive

Handle 0x0017, DMI type 8, 9 bytes
Port Connector Information
	Internal Reference Designator: Not Available
	Internal Connector Type: None
	External Reference Designator: Headphone/Microphone Combo Jack
	External Connector Type: Mini Jack (headphones)
	Port Type: Audio Port

Handle 0x0018, DMI type 126, 9 bytes
Inactive

Handle 0x0019, DMI type 126, 9 bytes
Inactive

Handle 0x001A, DMI type 8, 9 bytes
Port Connector Information
	Internal Reference Designator: Not Available
	Internal Connector Type: None
	External Reference Designator: Ethernet
	External Connector Type: RJ-45
	Port Type: Network Port

Handle 0x001B, DMI type 126, 9 bytes
Inactive

Handle 0x001C, DMI type 8, 9 bytes
Port Connector Information
	Internal Reference Designator: Not Available
	Internal Connector Type: None
	External Reference Designator: USB 1
	External Connector Type: Access Bus (USB)
	Port Type: USB

Handle 0x001D, DMI type 8, 9 bytes
Port Connector Information
	Internal Reference Designator: Not Available
	Internal Connector Type: None
	External Reference Designator: USB 2
	External Connector Type: Access Bus (USB)
	Port Type: USB

Handle 0x001E, DMI type 8, 9 bytes
Port Connector Information
	Internal Reference Designator: Not Available
	Internal Connector Type: None
	External Reference Designator: USB 3
	External Connector Type: Access Bus (USB)
	Port Type: USB

Handle 0x001F, DMI type 8, 9 bytes
Port Connector Information
	Internal Reference Designator: Not Available
	Internal Connector Type: None
	External Reference Designator: USB 4
	External Connector Type: Access Bus (USB)
	Port Type: USB

Handle 0x0020, DMI type 126, 9 bytes
Inactive

Handle 0x0021, DMI type 126, 9 bytes
Inactive

Handle 0x0022, DMI type 126, 9 bytes
Inactive

Handle 0x0023, DMI type 126, 9 bytes
Inactive

Handle 0x0024, DMI type 126, 9 bytes
Inactive

Handle 0x0025, DMI type 126, 9 bytes
Inactive

Handle 0x0026, DMI type 126, 9 bytes
Inactive

Handle 0x0027, DMI type 126, 9 bytes
Inactive

Handle 0x0028, DMI type 126, 9 bytes
Inactive

Handle 0x0029, DMI type 9, 17 bytes
System Slot Information
	Designation: ExpressCard Slot
	Type: x1 PCI Express
	Current Usage: Available
	Length: Other
	ID: 1
	Characteristics:
		Hot-plug devices are supported
	Bus Address: 0000:00:00.0

Handle 0x002A, DMI type 9, 17 bytes
System Slot Information
	Designation: Media Card Slot
	Type: Other
	Current Usage: Available
	Length: Other
	Characteristics:
		Hot-plug devices are supported
	Bus Address: 0000:00:00.0

Handle 0x002B, DMI type 126, 17 bytes
Inactive

Handle 0x002C, DMI type 10, 6 bytes
On Board Device Information
	Type: Other
	Status: Disabled
	Description: IBM Embedded Security hardware

Handle 0x002D, DMI type 12, 5 bytes
System Configuration Options

Handle 0x002E, DMI type 13, 22 bytes
BIOS Language Information
	Language Description Format: Abbreviated
	Installable Languages: 1
		en-US
	Currently Installed Language: en-US

Handle 0x002F, DMI type 22, 26 bytes
Portable Battery
	Location: Rear
	Manufacturer: SANYO
	Name: 45N1001
	Design Capacity: 56160 mWh
	Design Voltage: 10800 mV
	SBDS Version: 03.01
	Maximum Error: Unknown
	SBDS Serial Number: 5074
	SBDS Manufacture Date: 2012-10-30
	SBDS Chemistry: LION
	OEM-specific Information: 0x00000000

Handle 0x0030, DMI type 126, 26 bytes
Inactive

Handle 0x0031, DMI type 18, 23 bytes
32-bit Memory Error Information
	Type: OK
	Granularity: Unknown
	Operation: Unknown
	Vendor Syndrome: Unknown
	Memory Array Address: Unknown
	Device Address: Unknown
	Resolution: Unknown

Handle 0x0032, DMI type 21, 7 bytes
Built-in Pointing Device
	Type: Track Point
	Interface: PS/2
	Buttons: 3

Handle 0x0033, DMI type 21, 7 bytes
Built-in Pointing Device
	Type: Touch Pad
	Interface: PS/2
	Buttons: 2

Handle 0x0034, DMI type 131, 22 bytes
OEM-specific Type
	Header and Data:
		83 16 34 00 01 00 00 00 00 00 00 00 00 00 00 00
		00 00 00 00 00 01
	Strings:
		TVT-Enablement

Handle 0x0035, DMI type 136, 6 bytes
OEM-specific Type
	Header and Data:
		88 06 35 00 5A 5A

Handle 0x0036, DMI type 130, 20 bytes
OEM-specific Type
	Header and Data:
		82 14 36 00 24 41 4D 54 00 00 00 00 01 A5 FF 03
		00 00 00 00

Handle 0x0037, DMI type 131, 64 bytes
OEM-specific Type
	Header and Data:
		83 40 37 00 31 00 00 00 08 00 00 00 00 00 42 00
		F8 00 55 1E FF FF FF FF 21 20 00 00 01 00 08 00
		F1 04 00 00 00 00 00 00 C8 00 02 15 00 00 00 00
		00 00 00 00 60 00 00 00 76 50 72 6F 00 00 00 00

Handle 0x0038, DMI type 135, 74 bytes
OEM-specific Type
	Header and Data:
		87 4A 38 00 54 50 07 02 42 41 59 20 49 2F 4F 20
		03 00 06 00 00 0E 00 F0 01 F6 03 02 00 0F 00 70
		01 76 03 04 01 0E 00 F0 01 F6 03 FF 01 0F 00 70
		01 76 03 03 00 00 00 80 60 A2 60 FF 00 00 00 80
		60 A2 60 06 00 02 04 FF 03 FF

Handle 0x0039, DMI type 133, 5 bytes
OEM-specific Type
	Header and Data:
		85 05 39 00 01
	Strings:
		KHOIHGIUCCHHII

Handle 0x003A, DMI type 15, 81 bytes
System Event Log
	Area Length: 66 bytes
	Header Start Offset: 0x0000
	Header Length: 16 bytes
	Data Start Offset: 0x0010
	Access Method: General-purpose non-volatile data functions
	Access Address: 0x00F0
	Status: Valid, Not Full
	Change Token: 0x00000003
	Header Format: Type 1
	Supported Log Type Descriptors: 29
	Descriptor 1: Single-bit ECC memory error
	Data Format 1: Multiple-event handle
	Descriptor 2: Multi-bit ECC memory error
	Data Format 2: Multiple-event handle
	Descriptor 3: Parity memory error
	Data Format 3: None
	Descriptor 4: Bus timeout
	Data Format 4: None
	Descriptor 5: I/O channel block
	Data Format 5: None
	Descriptor 6: Software NMI
	Data Format 6: None
	Descriptor 7: POST memory resize
	Data Format 7: None
	Descriptor 8: POST error
	Data Format 8: POST results bitmap
	Descriptor 9: PCI parity error
	Data Format 9: None
	Descriptor 10: PCI system error
	Data Format 10: None
	Descriptor 11: CPU failure
	Data Format 11: None
	Descriptor 12: EISA failsafe timer timeout
	Data Format 12: None
	Descriptor 13: Correctable memory log disabled
	Data Format 13: None
	Descriptor 14: Logging disabled
	Data Format 14: None
	Descriptor 15: System limit exceeded
	Data Format 15: None
	Descriptor 16: Asynchronous hardware timer expired
	Data Format 16: None
	Descriptor 17: System configuration information
	Data Format 17: None
	Descriptor 18: Hard disk information
	Data Format 18: None
	Descriptor 19: System reconfigured
	Data Format 19: None
	Descriptor 20: Uncorrectable CPU-complex error
	Data Format 20: None
	Descriptor 21: Log area reset/cleared
	Data Format 21: None
	Descriptor 22: System boot
	Data Format 22: None
	Descriptor 23: OEM-specific
	Data Format 23: None
	Descriptor 24: OEM-specific
	Data Format 24: None
	Descriptor 25: OEM-specific
	Data Format 25: None
	Descriptor 26: OEM-specific
	Data Format 26: None
	Descriptor 27: OEM-specific
	Data Format 27: None
	Descriptor 28: OEM-specific
	Data Format 28: None
	Descriptor 29: OEM-specific
	Data Format 29: None

Handle 0x003B, DMI type 140, 67 bytes
OEM-specific Type
	Header and Data:
		8C 43 3B 00 4C 45 4E 4F 56 4F 0B 00 01 15 8D C3
		B3 99 7E 9E 84 07 99 DD DD F1 A7 B2 0F 01 00 00
		00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
		00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
		00 00 00

Handle 0x003C, DMI type 140, 47 bytes
OEM-specific Type
	Header and Data:
		8C 2F 3C 00 4C 45 4E 4F 56 4F 0B 01 01 28 00 67
		48 21 39 16 FA A4 A7 13 16 2A CD A0 9D EB E7 00
		00 00 00 10 00 10 00 10 01 D0 00 20 01 00 01

Handle 0x003D, DMI type 140, 63 bytes
OEM-specific Type
	Header and Data:
		8C 3F 3D 00 4C 45 4E 4F 56 4F 0B 02 01 00 00 00
		00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
		00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
		00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Handle 0x003E, DMI type 140, 17 bytes
OEM-specific Type
	Header and Data:
		8C 11 3E 00 4C 45 4E 4F 56 4F 0B 03 01 00 00 00
		00

Handle 0x003F, DMI type 140, 19 bytes
OEM-specific Type
	Header and Data:
		8C 13 3F 00 4C 45 4E 4F 56 4F 0B 04 01 B2 00 4D
		53 20 00

Handle 0x0040, DMI type 140, 19 bytes
OEM-specific Type
	Header and Data:
		8C 13 40 00 4C 45 4E 4F 56 4F 0B 05 01 07 00 00
		00 00 00

Handle 0x0041, DMI type 140, 23 bytes
OEM-specific Type
	Header and Data:
		8C 17 41 00 4C 45 4E 4F 56 4F 0B 06 01 7E 14 00
		00 00 00 00 00 00 00

Handle 0x0042, DMI type 24, 5 bytes
Hardware Security
	Power-On Password Status: Disabled
	Keyboard Password Status: Not Implemented
	Administrator Password Status: Disabled
	Front Panel Reset Status: Not Implemented

Handle 0x0043, DMI type 132, 7 bytes
OEM-specific Type
	Header and Data:
		84 07 43 00 01 D8 36

Handle 0x0044, DMI type 135, 18 bytes
OEM-specific Type
	Header and Data:
		87 12 44 00 54 50 07 01 01 D2 00 00 00 00 00 00
		00 00

Handle 0x0045, DMI type 140, 15 bytes
OEM-specific Type
	Header and Data:
		8C 0F 45 00 4C 45 4E 4F 56 4F 0B 07 01 01 02
	Strings:
		G1HT30WW
		08/09/2012

Handle 0x0046, DMI type 140, 43 bytes
OEM-specific Type
	Header and Data:
		8C 2B 46 00 4C 45 4E 4F 56 4F 0B 08 01 FF FF FF
		FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
		FF FF FF FF FF FF FF FF FF FF FF

Handle 0xFEFF, DMI type 127, 4 bytes
End Of Table



#lshw

Code: Select all

localhost.localdomain     
    description: Notebook
    product: 23442MC (LENOVO_MT_2344)
    vendor: LENOVO
    version: ThinkPad T430
    serial: PB57Z8H
    width: 64 bits
    capabilities: smbios-2.7 dmi-2.7 vsyscall32
    configuration: administrator_password=disabled chassis=notebook family=ThinkPad T430 power-on_password=disabled sku=LENOVO_MT_2344 uuid=81F6710B-1552-CB11-BDA3-D00B76ED82B5
  *-core
       description: Motherboard
       product: 23442MC
       vendor: LENOVO
       physical id: 0
       version: Not Defined
       serial: 1ZLU528R1TO
       slot: Not Available
     *-cpu
          description: CPU
          product: Core i5 (None)
          vendor: Intel Corp.
          physical id: 1
          bus info: cpu@0
          version: Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz
          serial: None
          slot: CPU Socket - U3E1
          size: 2500MHz
          capacity: 3100MHz
          width: 64 bits
          clock: 100MHz
          capabilities: x86-64 fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm ida arat epb pln pts dtherm tpr_shadow vnmi flexpriority ept vpid fsgsbase smep erms xsaveopt cpufreq
          configuration: cores=2 enabledcores=2 threads=4
        *-cache:0
             description: L1 cache
             physical id: 3
             slot: L1-Cache
             size: 32KiB
             capacity: 32KiB
             capabilities: internal write-through instruction
        *-cache:1
             description: L2 cache
             physical id: 4
             slot: L2-Cache
             size: 256KiB
             capacity: 256KiB
             capabilities: internal write-through unified
        *-cache:2
             description: L3 cache
             physical id: 5
             slot: L3-Cache
             size: 3MiB
             capacity: 3MiB
             capabilities: internal write-back unified
     *-cache
          description: L1 cache
          physical id: 2
          slot: L1-Cache
          size: 32KiB
          capacity: 32KiB
          capabilities: internal write-through data
     *-memory
          description: System Memory
          physical id: 7
          slot: System board or motherboard
          size: 12GiB
        *-bank:0
             description: SODIMM DDR3 Synchronous 1600 MHz (0.6 ns)
             product: HMT351S6CFR8C-PB
             vendor: Hynix/Hyundai
             physical id: 0
             serial: 12815735
             slot: ChannelA-DIMM0
             size: 4GiB
             width: 64 bits
             clock: 1600MHz (0.6ns)
        *-bank:1
             description: SODIMM DDR3 Synchronous 1600 MHz (0.6 ns)
             product: 99U5428-063.A00LF
             vendor: Kingston
             physical id: 1
             serial: 1F2E367A
             slot: ChannelB-DIMM0
             size: 8GiB
             width: 64 bits
             clock: 1600MHz (0.6ns)
     *-firmware
          description: BIOS
          vendor: LENOVO
          physical id: f
          version: G1ET73WW (2.09 )
          date: 10/19/2012
          size: 128KiB
          capacity: 11MiB
          capabilities: pci pnp upgrade shadowing cdboot bootselect edd int13floppy720 int5printscreen int9keyboard int14serial int17printer int10video acpi usb biosbootspecification uefi
     *-pci
          description: Host bridge
          product: 3rd Gen Core processor DRAM Controller
          vendor: Intel Corporation
          physical id: 100
          bus info: pci@0000:00:00.0
          version: 09
          width: 32 bits
          clock: 33MHz
          configuration: driver=ivb_uncore
          resources: irq:0
        *-pci:0
             description: PCI bridge
             product: Xeon E3-1200 v2/3rd Gen Core processor PCI Express Root Port
             vendor: Intel Corporation
             physical id: 1
             bus info: pci@0000:00:01.0
             version: 09
             width: 32 bits
             clock: 33MHz
             capabilities: pci pm msi pciexpress normal_decode bus_master cap_list
             configuration: driver=pcieport
             resources: irq:24 ioport:5000(size=4096) memory:f2000000-f30fffff ioport:e0000000(size=301989888)
           *-display
                description: VGA compatible controller
                product: GF108M [NVS 5400M]
                vendor: NVIDIA Corporation
                physical id: 0
                bus info: pci@0000:01:00.0
                version: a1
                width: 64 bits
                clock: 33MHz
                capabilities: pm msi pciexpress vga_controller bus_master cap_list rom
                configuration: driver=nouveau latency=0
                resources: irq:27 memory:f2000000-f2ffffff memory:e0000000-efffffff memory:f0000000-f1ffffff ioport:5000(size=128) memory:f3080000-f30fffff
           *-multimedia
                description: Audio device
                product: GF108 High Definition Audio Controller
                vendor: NVIDIA Corporation
                physical id: 0.1
                bus info: pci@0000:01:00.1
                version: a1
                width: 32 bits
                clock: 33MHz
                capabilities: pm msi pciexpress bus_master cap_list
                configuration: driver=snd_hda_intel latency=0
                resources: irq:17 memory:f3000000-f3003fff
        *-usb:0
             description: USB controller
             product: 7 Series/C210 Series Chipset Family USB xHCI Host Controller
             vendor: Intel Corporation
             physical id: 14
             bus info: pci@0000:00:14.0
             version: 04
             width: 64 bits
             clock: 33MHz
             capabilities: pm msi xhci bus_master cap_list
             configuration: driver=xhci_hcd latency=0
             resources: irq:25 memory:f5220000-f522ffff
           *-usbhost:0
                product: xHCI Host Controller
                vendor: Linux 3.10.0-327.3.1.el7.x86_64 xhci-hcd
                physical id: 0
                bus info: usb@2
                logical name: usb2
                version: 3.10
                capabilities: usb-3.00
                configuration: driver=hub slots=4 speed=5000Mbit/s
           *-usbhost:1
                product: xHCI Host Controller
                vendor: Linux 3.10.0-327.3.1.el7.x86_64 xhci-hcd
                physical id: 1
                bus info: usb@1
                logical name: usb1
                version: 3.10
                capabilities: usb-2.00
                configuration: driver=hub slots=4 speed=480Mbit/s
              *-usb
                   description: Mouse
                   product: USB Optical Mouse
                   vendor: PixArt
                   physical id: 2
                   bus info: usb@1:2
                   version: 1.00
                   capabilities: usb-1.10
                   configuration: driver=usbhid maxpower=100mA speed=2Mbit/s
        *-communication
             description: Communication controller
             product: 7 Series/C210 Series Chipset Family MEI Controller #1
             vendor: Intel Corporation
             physical id: 16
             bus info: pci@0000:00:16.0
             version: 04
             width: 64 bits
             clock: 33MHz
             capabilities: pm msi bus_master cap_list
             configuration: driver=mei_me latency=0
             resources: irq:28 memory:f5235000-f523500f
        *-network
             description: Ethernet interface
             product: 82579LM Gigabit Network Connection
             vendor: Intel Corporation
             physical id: 19
             bus info: pci@0000:00:19.0
             logical name: enp0s25
             version: 04
             serial: 00:21:cc:cd:7c:45
             capacity: 1Gbit/s
             width: 32 bits
             clock: 33MHz
             capabilities: pm msi bus_master cap_list ethernet physical tp 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
             configuration: autonegotiation=on broadcast=yes driver=e1000e driverversion=3.2.5-k firmware=0.13-3 latency=0 link=no multicast=yes port=twisted pair
             resources: irq:26 memory:f5200000-f521ffff memory:f523a000-f523afff ioport:6020(size=32)
        *-usb:1
             description: USB controller
             product: 7 Series/C210 Series Chipset Family USB Enhanced Host Controller #2
             vendor: Intel Corporation
             physical id: 1a
             bus info: pci@0000:00:1a.0
             version: 04
             width: 32 bits
             clock: 33MHz
             capabilities: pm debug ehci bus_master cap_list
             configuration: driver=ehci-pci latency=0
             resources: irq:16 memory:f5239000-f52393ff
           *-usbhost
                product: EHCI Host Controller
                vendor: Linux 3.10.0-327.3.1.el7.x86_64 ehci_hcd
                physical id: 1
                bus info: usb@3
                logical name: usb3
                version: 3.10
                capabilities: usb-2.00
                configuration: driver=hub slots=3 speed=480Mbit/s
              *-usb
                   description: USB hub
                   product: Integrated Rate Matching Hub
                   vendor: Intel Corp.
                   physical id: 1
                   bus info: usb@3:1
                   version: 0.00
                   capabilities: usb-2.00
                   configuration: driver=hub slots=6 speed=480Mbit/s
                 *-usb:0
                      description: USB hub
                      product: USB2.0 Hub
                      vendor: VIA Labs, Inc.
                      physical id: 2
                      bus info: usb@3:1.2
                      version: 90.80
                      capabilities: usb-2.10
                      configuration: driver=hub slots=4 speed=480Mbit/s
                 *-usb:1 UNCLAIMED
                      description: Generic USB device
                      product: Biometric Coprocessor
                      vendor: Auth
                      physical id: 3
                      bus info: usb@3:1.3
                      version: 0.01
                      capabilities: usb-1.10
                      configuration: maxpower=100mA speed=12Mbit/s
                 *-usb:2
                      description: Generic USB device
                      product: BCM20702A0
                      vendor: Broadcom Corp
                      physical id: 4
                      bus info: usb@3:1.4
                      version: 1.12
                      serial: 74E543982B34
                      capabilities: usb-2.00
                      configuration: driver=btusb speed=12Mbit/s
                 *-usb:3
                      description: Video
                      product: Integrated Camera
                      vendor: Ricoh Company Ltd.
                      physical id: 6
                      bus info: usb@3:1.6
                      version: 10.11
                      capabilities: usb-2.00
                      configuration: driver=uvcvideo maxpower=200mA speed=480Mbit/s
        *-multimedia
             description: Audio device
             product: 7 Series/C210 Series Chipset Family High Definition Audio Controller
             vendor: Intel Corporation
             physical id: 1b
             bus info: pci@0000:00:1b.0
             version: 04
             width: 64 bits
             clock: 33MHz
             capabilities: pm msi pciexpress bus_master cap_list
             configuration: driver=snd_hda_intel latency=0
             resources: irq:30 memory:f5230000-f5233fff
        *-pci:1
             description: PCI bridge
             product: 7 Series/C210 Series Chipset Family PCI Express Root Port 1
             vendor: Intel Corporation
             physical id: 1c
             bus info: pci@0000:00:1c.0
             version: c4
             width: 32 bits
             clock: 33MHz
             capabilities: pci pciexpress msi pm normal_decode bus_master cap_list
             configuration: driver=pcieport
             resources: irq:16 ioport:4000(size=4096) memory:f4a00000-f51fffff ioport:f3100000(size=8388608)
           *-generic
                description: System peripheral
                product: MMC/SD Host Controller
                vendor: Ricoh Co Ltd
                physical id: 0
                bus info: pci@0000:02:00.0
                version: 07
                width: 32 bits
                clock: 33MHz
                capabilities: msi pm pciexpress bus_master cap_list
                configuration: driver=sdhci-pci latency=0
                resources: irq:16 memory:f4a00000-f4a000ff
        *-pci:2
             description: PCI bridge
             product: 7 Series/C210 Series Chipset Family PCI Express Root Port 2
             vendor: Intel Corporation
             physical id: 1c.1
             bus info: pci@0000:00:1c.1
             version: c4
             width: 32 bits
             clock: 33MHz
             capabilities: pci pciexpress msi pm normal_decode bus_master cap_list
             configuration: driver=pcieport
             resources: irq:17 memory:f4900000-f49fffff
           *-network
                description: Wireless interface
                product: Centrino Wireless-N 2200
                vendor: Intel Corporation
                physical id: 0
                bus info: pci@0000:03:00.0
                logical name: wlp3s0
                version: c4
                serial: 9c:4e:36:99:67:28
                width: 64 bits
                clock: 33MHz
                capabilities: pm msi pciexpress bus_master cap_list ethernet physical wireless
                configuration: broadcast=yes driver=iwlwifi driverversion=3.10.0-327.3.1.el7.x86_64 firmware=18.168.6.1 ip=192.168.1.100 latency=0 link=yes multicast=yes wireless=IEEE 802.11bgn
                resources: irq:29 memory:f4900000-f4901fff
        *-pci:3
             description: PCI bridge
             product: 7 Series/C210 Series Chipset Family PCI Express Root Port 3
             vendor: Intel Corporation
             physical id: 1c.2
             bus info: pci@0000:00:1c.2
             version: c4
             width: 32 bits
             clock: 33MHz
             capabilities: pci pciexpress msi pm normal_decode bus_master cap_list
             configuration: driver=pcieport
             resources: irq:18 ioport:3000(size=4096) memory:f4100000-f48fffff ioport:f3900000(size=8388608)
        *-usb:2
             description: USB controller
             product: 7 Series/C210 Series Chipset Family USB Enhanced Host Controller #1
             vendor: Intel Corporation
             physical id: 1d
             bus info: pci@0000:00:1d.0
             version: 04
             width: 32 bits
             clock: 33MHz
             capabilities: pm debug ehci bus_master cap_list
             configuration: driver=ehci-pci latency=0
             resources: irq:23 memory:f5238000-f52383ff
           *-usbhost
                product: EHCI Host Controller
                vendor: Linux 3.10.0-327.3.1.el7.x86_64 ehci_hcd
                physical id: 1
                bus info: usb@4
                logical name: usb4
                version: 3.10
                capabilities: usb-2.00
                configuration: driver=hub slots=3 speed=480Mbit/s
              *-usb
                   description: USB hub
                   product: Integrated Rate Matching Hub
                   vendor: Intel Corp.
                   physical id: 1
                   bus info: usb@4:1
                   version: 0.00
                   capabilities: usb-2.00
                   configuration: driver=hub slots=8 speed=480Mbit/s
        *-isa
             description: ISA bridge
             product: QM77 Express Chipset LPC Controller
             vendor: Intel Corporation
             physical id: 1f
             bus info: pci@0000:00:1f.0
             version: 04
             width: 32 bits
             clock: 33MHz
             capabilities: isa bus_master cap_list
             configuration: driver=lpc_ich latency=0
             resources: irq:0
        *-ide:0
             description: IDE interface
             product: 7 Series Chipset Family 4-port SATA Controller [IDE mode]
             vendor: Intel Corporation
             physical id: 1f.2
             bus info: pci@0000:00:1f.2
             version: 04
             width: 32 bits
             clock: 66MHz
             capabilities: ide pm bus_master cap_list
             configuration: driver=ata_piix latency=0
             resources: irq:19 ioport:1f0(size=8) ioport:3f6 ioport:170(size=8) ioport:376 ioport:6070(size=16) ioport:6060(size=16)
        *-serial
             description: SMBus
             product: 7 Series/C210 Series Chipset Family SMBus Controller
             vendor: Intel Corporation
             physical id: 1f.3
             bus info: pci@0000:00:1f.3
             version: 04
             width: 64 bits
             clock: 33MHz
             configuration: driver=i801_smbus latency=0
             resources: irq:18 memory:f5234000-f52340ff ioport:efa0(size=32)
        *-ide:1
             description: IDE interface
             product: 7 Series Chipset Family 2-port SATA Controller [IDE mode]
             vendor: Intel Corporation
             physical id: 1f.5
             bus info: pci@0000:00:1f.5
             version: 04
             width: 32 bits
             clock: 66MHz
             capabilities: ide pm bus_master cap_list
             configuration: driver=ata_piix latency=0
             resources: irq:19 ioport:6088(size=8) ioport:60a4(size=4) ioport:6080(size=8) ioport:60a0(size=4) ioport:6050(size=16) ioport:6040(size=16)
     *-scsi:0
          physical id: 0
          logical name: scsi0
          capabilities: emulated
        *-disk
             description: ATA Disk
             product: HGST HTS725050A7
             physical id: 0.0.0
             bus info: scsi@0:0.0.0
             logical name: /dev/sda
             version: B550
             serial: TF655AY9J2JXWC
             size: 465GiB (500GB)
             capabilities: gpt-1.00 partitioned partitioned:gpt
             configuration: ansiversion=5 guid=53a635f6-9a4a-4e9e-a5e0-3e62e58681d3 logicalsectorsize=512 sectorsize=4096
           *-volume:0 UNCLAIMED
                description: Windows FAT volume
                vendor: mkfs.fat
                physical id: 1
                bus info: scsi@0:0.0.0,1
                version: FAT16
                serial: 0997-8170
                size: 199MiB
                capacity: 199MiB
                capabilities: boot fat initialized
                configuration: FATs=2 filesystem=fat name=EFI System Partition
           *-volume:1
                description: data partition
                vendor: Windows
                physical id: 2
                bus info: scsi@0:0.0.0,2
                logical name: /dev/sda2
                logical name: /boot
                serial: 6075446d-f031-4cb8-9fa0-ed95a38dd391
                capacity: 499MiB
                configuration: mount.fstype=xfs mount.options=rw,seclabel,relatime,attr2,inode64,noquota state=mounted
           *-volume:2
                description: LVM Physical Volume
                vendor: Linux
                physical id: 3
                bus info: scsi@0:0.0.0,3
                logical name: /dev/sda3
                serial: EtAC2z-inym-QIWX-dHxl-2KSF-KHtw-KWxOF7
                size: 465GiB
                capabilities: multi lvm2
     *-scsi:1
          physical id: 3
          logical name: scsi1
          capabilities: emulated
        *-cdrom
             description: DVD-RAM writer
             product: DVDRAM GT50N
             vendor: HL-DT-ST
             physical id: 0.0.0
             bus info: scsi@1:0.0.0
             logical name: /dev/sr0
             version: LT20
             capabilities: removable audio cd-r cd-rw dvd dvd-r dvd-ram
             configuration: ansiversion=5 status=nodisc
  *-battery
       product: 45N1001
       vendor: SANYO
       physical id: 1
       slot: Rear
       capacity: 56160mWh
       configuration: voltage=10.8V
  *-network DISABLED
       description: Ethernet interface
       physical id: 2
       logical name: virbr0-nic
       serial: 52:54:00:cc:4a:90
       size: 10Mbit/s
       capabilities: ethernet physical
       configuration: autonegotiation=off broadcast=yes driver=tun driverversion=1.6 duplex=full link=no multicast=yes port=twisted pair speed=10Mbit/s

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Alerts in SELinux

Post by aks » 2016/01/01 14:43:48

I didn't mean "please provide a description of the hardware", I meant "have you run any tests on your hardware"?
Also run a selinux re-label just to be sure.

yaoyansi
Posts: 23
Joined: 2014/08/24 07:10:22

Re: Alerts in SELinux

Post by yaoyansi » 2016/01/03 05:45:26

aks wrote:I didn't mean "please provide a description of the hardware", I meant "have you run any tests on your hardware"?
Also run a selinux re-label just to be sure.
Hi aks,
Thanks for your reply.

I run selinux relabel with the following commands:
touch /.autorelabel
reboot
I want to post the log here, but I don't know where is the log file located.


BTW, which tools would you like to use for hardware test on CentOS7?

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Alerts in SELinux

Post by aks » 2016/01/03 13:23:05

So there's several things here.

1) abrt-handler wants to open a file in /var/spool and wants to make a symlink in it (alert 1 & 2).
2) systemd-logind wants to open a directory and mount something in tmpfs.

So the concern is what's abort handler catching (if it is actually catching anything, rather than some initialisation issue)? We won't know until the SELinux thing is sorted out.
The re-label should have sorted everything SELinux-wise out.
Now whatever systemd-logind wanted to mount on tmpfs should now be mounted and abort should be working. The log is still the same: /var/log/audit/audit.log

Hardware tests are only necessary if abort is catching something, personally I'd use memtest+ (I think it's on the install CDROM available when you boot form it).

Another concern you had was that the CDROM ejected. What cased that we don't know.

And finally you where concerned you'd been hacked (why, because the CDROM ejected?). If you want to know if something's been altered rpm -Va will show what's changed between the RPM installation and now (warning: be prepared for a long list of false alerts!) On the other hand, if you have been hacked (and it would have to be pretty damn good hackers) they could have altered the RPM database so you'd get back a bunch of rubbish - I've never seen this in the field, the database is signed (well sort of) and that's part of the point about importing the RPM-KEY you you subscribe to a new repository.

yaoyansi
Posts: 23
Joined: 2014/08/24 07:10:22

Re: Alerts in SELinux

Post by yaoyansi » 2016/01/04 10:09:04

Hi aks,
Thanks for your reply.
aks wrote: The log is still the same: /var/log/audit/audit.log
OK, I'm going to post this file later.
aks wrote: If you want to know if something's been altered rpm -Va will show what's changed between the RPM installation and now
OK, I will list the result later. Thank you.




BTW, I have done the following things on my centos system since my first post here.
I think I'd better list these things here to let you know more about my system.
#1:
I ran selinux relabel with the following commands:

Code: Select all

touch /.autorelabel
reboot
#2
I hardened my centos system with the following two scripts:

Code: Select all

# centos7_hardening2.sh
#
# This CentOS7 hardening script is implemented with this guide:
# https://highon.coffee/blog/security-harden-centos-7/
#

timestamp="`date +%Y-%m-%d_%H-%M-%S`"

# backup this script
cp -p /home/user0/Documents/centos7_hardening2.sh /run/media/user0/HDDREG/tools/centos7_hardening2.sh

backupFile()
{
	originalFilePath="$1";

	if [ -f "$originalFilePath" ]
	then
		dir=`dirname $originalFilePath`;
		base=`basename $originalFilePath`;
		# cp command can't copy the file to the source directory, 
		# so I copy the source file to /tmp and then move it back with timestamp in 
		# file name  to source directory.
		# copy the file to /tmp
		cp -p $originalFilePath /tmp;

		# move the /tmp/$file back to src dir
		mv -f "/tmp/$base" "$originalFilePath-$timestamp";	
	else
		echo "$originalFilePath not found."
	fi
}

On_NTP()
{
	echo '|Install NTP'
	yum install ntp ntpdate
	chkconfig ntpd on
	ntpdate pool.ntp.org
	/etc/init.d/ntpd start

	backupFile /etc/ntp.conf;
	echo "server ntpserver" >> /etc/ntp.conf
}

Configure_System_for_AIDE()
{
	echo '|Configure System for AIDE'
	# Disable prelinking altogether
	#
	backupFile /etc/sysconfig/prelink
	if grep -q ^PRELINKING /etc/sysconfig/prelink
	then
	  sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
	else
	  echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
	  echo "PRELINKING=no" >> /etc/sysconfig/prelink
	fi
	# Disable previous prelink changes to binaries
	/usr/sbin/prelink -ua
	
	#
	echo ''
	echo ''
	echo ''
	echo '|Install AIDE'
	yum install aide -y && /usr/sbin/aide --init && cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz && /usr/sbin/aide --check
	echo '|Configure periodic execution of AIDE, runs every morning at 20:30'
	echo "30 20 * * * /usr/sbin/aide --check" >> /etc/crontab
}

Enable_Secure_high_quality_Password_Policy()
{
	echo '|Enable Secure (high quality) Password Policy'
	authconfig --passalgo=sha512 --update
}

Verify_grub_Permissions()
{
	echo '|Verify /boot/grub2/grub.cfg Permissions'
	backupFile /boot/grub2/grub.cfg
	chmod 600 /boot/grub2/grub.cfg
}

Require_Authentication_for_Single_User_Mode()
{
	echo '|Require Authentication for Single User Mode'
	backupFile /etc/sysconfig/init
	echo "SINGLE=/sbin/sulogin" >> /etc/sysconfig/init
}

Disable_Zeroconf_Networking()
{
	echo '|Disable Zeroconf Networking'
	backupFile /etc/sysconfig/network
	echo "NOZEROCONF=yes" >> /etc/sysconfig/network
}

Securing_root_Logins()
{
	echo '|Securing root Logins'
	backupFile /etc/securetty
	#echo "tty1" > /etc/securetty
	echo "console" > /etc/securetty
	chmod 700 /root
}

Enable_UMASK_077()
{
	echo '|Enable UMASK 077'
	perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/bashrc
	perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/csh.cshrc
}

Prune_Idle_Users()
{
	echo '|Prune Idle Users'
	echo "Idle users will be removed after 15 minutes"
	backupFile /etc/profile.d/os-security.sh
	echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh
	echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
	chmod +x /etc/profile.d/os-security.sh
}

Securing_Cron()
{
	echo '|Securing Cron'
	echo "Locking down Cron"
	touch /etc/cron.allow
	chmod 600 /etc/cron.allow
	awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/cron.deny
	echo "Locking down AT"
	touch /etc/at.allow
	chmod 600 /etc/at.allow
	awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/at.deny
}

Sysctl_Security()
{
	backupFile /etc/sysctl.conf

	echo '|Sysctl Security'
	echo "# my data" 					>> /etc/sysctl.conf
	echo "net.ipv4.ip_forward = 0" 				>> /etc/sysctl.conf
	echo "net.ipv4.conf.all.send_redirects = 0" 		>> /etc/sysctl.conf
	echo "net.ipv4.conf.default.send_redirects = 0" 	>> /etc/sysctl.conf
	echo "net.ipv4.tcp_max_syn_backlog = 1280" 		>> /etc/sysctl.conf
	echo "net.ipv4.conf.all.accept_source_route = 0" 	>> /etc/sysctl.conf
	echo "net.ipv4.conf.all.accept_redirects = 0" 		>> /etc/sysctl.conf
	echo "net.ipv4.conf.all.secure_redirects = 0" 		>> /etc/sysctl.conf
	echo "net.ipv4.conf.all.log_martians = 1" 		>> /etc/sysctl.conf
	echo "net.ipv4.conf.default.accept_source_route = 0" 	>> /etc/sysctl.conf
	echo "net.ipv4.conf.default.accept_redirects = 0" 	>> /etc/sysctl.conf
	echo "net.ipv4.conf.default.secure_redirects = 0" 	>> /etc/sysctl.conf
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" 	>> /etc/sysctl.conf
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" 	>> /etc/sysctl.conf
	echo "net.ipv4.tcp_syncookies = 1" 			>> /etc/sysctl.conf
	echo "net.ipv4.conf.all.rp_filter = 1" 			>> /etc/sysctl.conf
	echo "net.ipv4.conf.default.rp_filter = 1" 		>> /etc/sysctl.conf
	echo "net.ipv4.tcp_timestamps = 0" 			>> /etc/sysctl.conf

	# lynis warnings
	echo "kernel.kptr_restrict = 1" 			>> /etc/sysctl.conf
	echo "kernel.sysrq = 0" 				>> /etc/sysctl.conf
	echo "net.ipv4.conf.all.forwarding = 0" 		>> /etc/sysctl.conf
	echo "net.ipv4.conf.default.log_martians = 1" 		>> /etc/sysctl.conf
	echo "net.ipv6.conf.all.accept_redirects = 0" 		>> /etc/sysctl.conf
	echo "net.ipv6.conf.default.accept_redirects = 0" 	>> /etc/sysctl.conf

	echo 'Disable ping response'
	echo "net.ipv4.conf.icmp_echo_ignore_all = 1" 		>> /etc/sysctl.conf



	# On_core_dumps
	#
	# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0"
	#     else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf
	#
	backupFile /etc/sysctl.conf
	if grep --silent ^fs.suid_dumpable /etc/sysctl.conf ; then
	     sed -i 's/^fs.suid_dumpable.*/fs.suid_dumpable = 0/g' /etc/sysctl.conf
	else
	     echo "" >> /etc/sysctl.conf
	     echo "# Set fs.suid_dumpable to 0 per security requirements" >> /etc/sysctl.conf
	     echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
	fi


	# Buffer_Overflow_Protection
	echo "Enable ExecShield. Helps prevent stack smashing / BOF"
	sysctl -w kernel.exec-shield=1
	echo "kernel.exec-shield = 1" >> /etc/sysctl.conf

	echo "Check / Enable ASLR"
	sysctl -q -n -w kernel.randomize_va_space=2
	echo "kernel.randomize_va_space = 2" >> /etc/sysctl.conf
	
	echo "---------------------------------------------------------"
	echo "Check BIOS>Power and ensure XD(Intel)/NX(AMD) is enabled."
	echo "---------------------------------------------------------"
}

Deny_All_TCP_Wrappers()
{
	echo "|Deny All TCP Wrappers"
	backupFile  /etc/hosts.deny
	backupFile  /etc/hosts.allow
	echo "ALL:ALL"  >> /etc/hosts.deny
	echo "sshd:ALL" >> /etc/hosts.allow
}

Verify_iptables_Enabled()
{
	echo "|Verify iptables Enabled"
	systemctl enable iptables
	systemctl start iptables.service
}

Disable_Uncommon_Protocols()
{
	echo "|Disable Uncommon Protocols"
	backupFile /etc/modprobe.d/dccp.conf
	backupFile /etc/modprobe.d/sctp.conf
	backupFile /etc/modprobe.d/rds.conf
	backupFile /etc/modprobe.d/tipc.conf
	echo "install dccp /bin/false" > /etc/modprobe.d/dccp.conf
	echo "install sctp /bin/false" > /etc/modprobe.d/sctp.conf
	echo "install rds /bin/false"  > /etc/modprobe.d/rds.conf
	echo "install tipc /bin/false" > /etc/modprobe.d/tipc.conf
}

Enable_Rsyslog()
{
	echo "|Ensure Rsyslog is installed"
	yum -y install rsyslog
	echo "|Enable Rsyslog"
	systemctl enable rsyslog.service
	systemctl start rsyslog.service
}

On_Auditd()
{
	echo '|Enable auditd Service'
	systemctl enable auditd.service
	systemctl start auditd.service

	# But /etc/grub.conf doesn't exist on my centos7
	#echo "kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1" >> /etc/grub.conf
	
	backupFile /etc/audit/auditd.conf
	echo "modify /etc/audit/auditd.conf"
	echo "num_logs = 5"
	echo "max_log_file = 30MB"            # default 6
	echo "max_log_file_action = rotate"
	echo "space_left_action = email"      # default SYSLOG
	echo "admin_space_left_action = halt" # default SUSPEND
	echo "action_mail_acct = root"        # add this line
	gedit /etc/audit/auditd.conf

	backupFile /etc/audisp/plugins.d/syslog.conf
	echo ""
	echo ""
	echo ""
	echo "| active = yes" # default no
	gedit /etc/audisp/plugins.d/syslog.conf
	service auditd restart

	backupFile /etc/audit/audit.rules
	echo "" >> /etc/audit/audit.rules
	echo "# audit_time_rules - Record attempts to alter time through adjtime" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules" >> /etc/audit/audit.rules

	echo "# audit_time_rules - Record attempts to alter time through settimeofday" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules" >> /etc/audit/audit.rules

	echo "# audit_time_rules - Record Attempts to Alter Time Through stime" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime" >> /etc/audit/audit.rules
	echo "-k audit_time_rules" >> /etc/audit/audit.rules

	echo "# audit_time_rules - Record Attempts to Alter Time Through clock_settime" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules" >> /etc/audit/audit.rules

	echo "# Record Attempts to Alter the localtime File" >> /etc/audit/audit.rules
	echo "-w /etc/localtime -p wa -k audit_time_rules" >> /etc/audit/audit.rules

	echo "# Record Events that Modify User/Group Information" >> /etc/audit/audit.rules
	echo "# audit_account_changes" >> /etc/audit/audit.rules
	echo "-w /etc/group -p wa -k audit_account_changes" >> /etc/audit/audit.rules
	echo "-w /etc/passwd -p wa -k audit_account_changes" >> /etc/audit/audit.rules
	echo "-w /etc/gshadow -p wa -k audit_account_changes" >> /etc/audit/audit.rules
	echo "-w /etc/shadow -p wa -k audit_account_changes" >> /etc/audit/audit.rules
	echo "-w /etc/security/opasswd -p wa -k audit_account_changes" >> /etc/audit/audit.rules

	echo "# Record Events that Modify the System's Network Environment" >> /etc/audit/audit.rules
	echo "# audit_network_modifications" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications" >> /etc/audit/audit.rules
	echo "-w /etc/issue -p wa -k audit_network_modifications" >> /etc/audit/audit.rules
	echo "-w /etc/issue.net -p wa -k audit_network_modifications" >> /etc/audit/audit.rules
	echo "-w /etc/hosts -p wa -k audit_network_modifications" >> /etc/audit/audit.rules
	echo "-w /etc/sysconfig/network -p wa -k audit_network_modifications" >> /etc/audit/audit.rules

	echo "#Record Events that Modify the System's Mandatory Access Controls" >> /etc/audit/audit.rules
	echo "-w /etc/selinux/ -p wa -k MAC-policy" >> /etc/audit/audit.rules

	echo "#Record Events that Modify the System's Discretionary Access Controls - chmod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S chmod  -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

	echo "#Record Events that Modify the System's Discretionary Access Controls - chown" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

	echo "#Record Events that Modify the System's Discretionary Access Controls - fchmod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

	echo "#Record Events that Modify the System's Discretionary Access Controls - fchmodat" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

	echo "#Record Events that Modify the System's Discretionary Access Controls - fchown" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

	echo "#Record Events that Modify the System's Discretionary Access Controls - fchownat" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

	echo "#Record Events that Modify the System's Discretionary Access Controls - fremovexattr" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

	echo "#Record Events that Modify the System's Discretionary Access Controls - fsetxattr" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

	echo "#Record Events that Modify the System's Discretionary Access Controls - lchown" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

	echo "#Record Events that Modify the System's Discretionary Access Controls - lremovexattr" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

	echo "#Record Events that Modify the System's Discretionary Access Controls - lsetxattr" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

	echo "#Record Events that Modify the System's Discretionary Access Controls - removexattr" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

	echo "#Record Events that Modify the System's Discretionary Access Controls - fchown" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

	echo "#Record Events that Modify the System's Discretionary Access Controls - fchownat" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

	echo "#Record Events that Modify the System's Discretionary Access Controls - fremovexattr" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

	echo "#Record Events that Modify the System's Discretionary Access Controls - fsetxattr" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

	echo "#Record Events that Modify the System's Discretionary Access Controls - removexattr" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

	echo "#Record Events that Modify the System's Discretionary Access Controls - setxattr" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

	echo "#Record Attempts to Alter Logon and Logout Events" >> /etc/audit/audit.rules
	echo "-w /var/log/faillog -p wa -k logins" >> /etc/audit/audit.rules
	echo "-w /var/log/lastlog -p wa -k logins" >> /etc/audit/audit.rules

	echo "#Record Attempts to Alter Process and Session Initiation Information" >> /etc/audit/audit.rules
	echo "-w /var/run/utmp -p wa -k session" >> /etc/audit/audit.rules
	echo "-w /var/log/btmp -p wa -k session" >> /etc/audit/audit.rules
	echo "-w /var/log/wtmp -p wa -k session" >> /etc/audit/audit.rules

	echo "#Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" >> /etc/audit/audit.rules

	echo "#Ensure auditd Collects Information on the Use of Privileged Commands" >> /etc/audit/audit.rules
	echo "#" >> /etc/audit/audit.rules
	echo "#  Find setuid / setgid programs then modify and uncomment the line below." >> /etc/audit/audit.rules
	echo "#" >> /etc/audit/audit.rules
	echo "##  sudo find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null" >> /etc/audit/audit.rules
	echo "#" >> /etc/audit/audit.rules
	echo "# -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" >> /etc/audit/audit.rules

	echo "#Ensure auditd Collects Information on Exporting to Media (successful)" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export" >> /etc/audit/audit.rules

	echo "#Ensure auditd Collects File Deletion Events by User" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" >> /etc/audit/audit.rules

	echo "#Ensure auditd Collects System Administrator Actions" >> /etc/audit/audit.rules
	echo "-w /etc/sudoers -p wa -k actions" >> /etc/audit/audit.rules

	echo "#Ensure auditd Collects Information on Kernel Module Loading and Unloading" >> /etc/audit/audit.rules
	echo "-w /sbin/insmod -p x -k modules" >> /etc/audit/audit.rules
	echo "-w /sbin/rmmod -p x -k modules" >> /etc/audit/audit.rules
	echo "-w /sbin/modprobe -p x -k modules" >> /etc/audit/audit.rules
	echo "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules" >> /etc/audit/audit.rules

	echo "#Make the auditd Configuration Immutable" >> /etc/audit/audit.rules
	echo "-e 2" >> /etc/audit/audit.rules
}

Remove_Services()
{
	echo "| Bulk Remove of Services"
	# Remove
	yum remove xinetd
	yum remove telnet-server
	yum remove rsh-server
	yum remove telnet
	yum remove rsh-server
	yum remove rsh
	yum remove ypbind
	yum remove ypserv
	yum remove tftp-server
	yum remove cronie-anacron
	yum remove bind
	yum remove vsftpd
	yum remove httpd
	yum remove dovecot
	yum remove squid
	yum remove net-snmpd
	
	echo "| Bulk Enable / Disable Services"
	#Disable / Enable
	systemctl disable xinetd #Failed to execute operation: Access denied
	systemctl disable rexec  #Failed to execute operation: Access denied
	systemctl disable rsh    #Failed to execute operation: Access denied
	systemctl disable rlogin #Failed to execute operation: Access denied
	systemctl disable ypbind #Failed to execute operation: Access denied
	systemctl disable tftp   #Failed to execute operation: Access denied
	systemctl disable certmonger
	systemctl disable cgconfig
	systemctl disable cgred
	systemctl disable cpuspeed #Failed to execute operation: Access denied
	systemctl enable irqbalance
	systemctl disable kdump
	systemctl disable mdmonitor
	systemctl disable messagebus
	systemctl disable netconsole #netconsole.service is not a native service, redirecting to /sbin/chkconfig.Executing /sbin/chkconfig netconsole off
	systemctl disable ntpdate
	systemctl disable oddjobd
	systemctl disable portreserve #Failed to execute operation: Access denied
	systemctl enable psacct
	systemctl disable qpidd #Failed to execute operation: Access denied
	systemctl disable quota_nld #Failed to execute operation: Access denied
	systemctl disable rdisc
	systemctl disable rhnsd #Failed to execute operation: Access denied
	systemctl disable rhsmcertd #Failed to execute operation: Access denied
	systemctl disable saslauthd
	systemctl disable smartd
	systemctl disable sysstat #Failed to execute operation: Access denied
	systemctl enable crond
	systemctl disable atd
	systemctl disable nfslock
	systemctl disable named #Failed to execute operation: Access denied
	systemctl disable httpd #Failed to execute operation: Access denied
	systemctl disable dovecot #Failed to execute operation: Access denied
	systemctl disable squid #Failed to execute operation: Access denied
	systemctl disable snmpd #Failed to execute operation: Access denied

	echo "| Disable Secure RPC Client Service"
	systemctl disable rpcgssd

	echo "| Disable Secure RPC Server Service"
	systemctl disable rpcsvcgssd

	echo "| Disable RPC ID Mapping Service"
	systemctl disable rpcidmapd
	systemctl disable netfs #Failed to execute operation: Access denied

	echo "| Disable Network File System (nfs)"
	systemctl disable nfs


	echo "| Remove Rsh Trust Files"
	backupFile /etc/hosts.equiv
	backupFile ~/.rhosts
	rm /etc/hosts.equiv
	rm ~/.rhosts

	echo "| Disable Avahi Server Software"
	systemctl disable avahi-daemon

	echo "| Disable the CUPS Service"
	systemctl disable cups

	echo "| Disable xinetd Service"
	systemctl disable xinetd #Failed to execute operation: Access denied

}

On_DHCP()
{
	echo "| Disable DHCP Service"
	systemctl disable dhcpd

	echo "| Uninstall DHCP Server Package"
	yum erase dhcp

	echo "| Disable DHCP Client"

echo "Open /etc/sysconfig/network-scripts/ifcfg-eth0 (if you have more interfaces, do this for each one) and make sure the address is statically assigned with the BOOTPROTO=none

Example:
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1"

}

On_Postfix()
{

	systemctl enable postfix
	yum remove sendmail

	#Postfix Disable Network Listening
	backupFile /etc/postfix/main.cf
	echo "|/etc/postfix/main.cf. ensure the following inet_interfaces line appears:inet_interfaces = localhost"
	gedit  /etc/postfix/main.cf
}

Disable_autofs()
{
	echo "| Disable autofs"
	chkconfig --level 0123456 autofs off
	service autofs stop
}

Disable_uncommon_filesystems()
{
	echo "| Disable uncommon filesystems"
	backupFile /etc/modprobe.d/cramfs.conf
	backupFile /etc/modprobe.d/freevxfs.conf
	backupFile /etc/modprobe.d/jffs2.conf
	backupFile /etc/modprobe.d/hfs.conf
	backupFile /etc/modprobe.d/hfsplus.conf
	backupFile /etc/modprobe.d/squashfs.conf
	backupFile /etc/modprobe.d/udf.conf
	echo "install cramfs /bin/false"   > /etc/modprobe.d/cramfs.conf
	echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf
	echo "install jffs2 /bin/false"    > /etc/modprobe.d/jffs2.conf
	echo "install hfs /bin/false"      > /etc/modprobe.d/hfs.conf
	echo "install hfsplus /bin/false"  > /etc/modprobe.d/hfsplus.conf
	echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf
	echo "install udf /bin/false"      > /etc/modprobe.d/udf.conf
}

On_core_dumps()
{
	echo "| Disable core dumps for all users"
	backupFile /etc/security/limits.conf
	# 禁止创建core文件
	echo "* hard core 0"   >> /etc/security/limits.conf
	# 除root外,其他用户最多使用5M内存
	echo "* hard rss 5000" >> /etc/security/limits.conf
	# 最多进程数限制为20
	echo "* hard nproc 20" >> /etc/security/limits.conf

	echo "| Disable core dumps for SUID programs"
	# Set runtime for fs.suid_dumpable
	#
	sysctl -q -n -w fs.suid_dumpable=0
}


On_SELinux()
{
	backupFile /etc/grub.conf
	echo "| Confirm SELinux is not disabled"
	sed -i "s/selinux=0//gI"   /etc/grub.conf
	sed -i "s/enforcing=0//gI" /etc/grub.conf


	backupFile /etc/selinux/config
	echo "| Open /etc/selinux/config and check for SELINUXTYPE=targeted or SELINUXTYPE=enforcing, depending on your requirements."
	gedit /etc/selinux/config


	echo "| Enable the SELinux restorecond Service"
	echo "| Enable restorecond for all run levels:"
	chkconfig --level 0123456 restorecond on
	echo "| Start restorecond if not currently running:"
	service restorecond start


	echo "| Check no daemons are unconfined by SELinux"
	sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
	echo "| This should return no output."
}

Prevent_Log_Into_Accounts_With_Empty_Password()
{
	backupFile /etc/pam.d/system-auth
	sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth
}
On_SSH()
{
	echo "| Allow Only SSH Protocol 2"
	echo "| Open /etc/ssh/sshd_config and ensure the following line exists:Protocol 2"
	echo "| PermitRootLogin no"
	echo "| HostbasedAuthentication no"
	echo "| IgnoreRhosts yes"
	echo "| PermitEmptyPasswords no"
	echo "| PermitUserEnvironment no"
	echo "| ClientAliveInterval 300  #Set SSH Idle Timeout Interval(seconds)"
	echo "| ClientAliveCountMax 0         #指如果发现客户端没有相应,则判断一次超时,这个参数设置允许超时的次数"
	echo "| Banner /etc/issue"
	echo "| DenyUsers USER1 USER2         #Limit Users’ SSH Access"
	
	backupFile /etc/ssh/sshd_config
	gedit /etc/ssh/sshd_config

	echo "restart ssh"
	systemctl restart sshd.service 
}
On_Update()
{
	echo "| Prompt OS update installation"
	yum -y install yum-cron
	chkconfig yum-cron on
}

Passwd_For_SingleUserMode()
{
	echo "| Passwd_For_SingleUserMode"

	backupFile /etc/inittab
	echo "# Require the root pw when booting into single user mode" >> /etc/inittab
	echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
	echo "Don't allow any nut to kill the server"
	perl -npe 's/ca::ctrlaltdel:\/sbin\/shutdown/#ca::ctrlaltdel:\/sbin\/shutdown/' -i /etc/inittab
}

Install_Packages()
{
	echo "| Install clamav"
	yum install clamav clamav-daemon clamav-freshclam clamav-unofficial-sigs
	freshclam 
	service clamav-daemon start


	echo "| Install lynis"
	yum install lynis


	lynis audit system

	rpm -Uvh lux-release-7-1.noarch.rpm 
	yum install maldetect



}


echo '';echo '';echo ''
echo '-------------------------------------------'
echo 'Security Harden CentOS 7'
echo '-------------------------------------------'

echo '';echo '';echo ''
On_NTP;
#
echo '';echo '';echo ''
Configure_System_for_AIDE;
#
echo '';echo '';echo ''
Enable_Secure_high_quality_Password_Policy;
#
echo '';echo '';echo ''
Verify_grub_Permissions;
#
echo '';echo '';echo ''
Require_Authentication_for_Single_User_Mode;
#
echo '';echo '';echo ''
Disable_Zeroconf_Networking;
#
echo '';echo '';echo ''
Securing_root_Logins;
#
echo '';echo '';echo ''
Enable_UMASK_077;
#
echo '';echo '';echo ''
Prune_Idle_Users;
#
echo '';echo '';echo ''
Securing_Cron;
#
echo '';echo '';echo ''
Sysctl_Security;
#
echo '';echo '';echo ''
Deny_All_TCP_Wrappers;
#
echo '';echo '';echo ''
Verify_iptables_Enabled;
#
echo '';echo '';echo ''
Disable_Uncommon_Protocols;
#
echo '';echo '';echo ''
Enable_Rsyslog;
#
echo '';echo '';echo ''
On_Auditd;
#
echo '';echo '';echo ''
Remove_Services;
#
echo '';echo '';echo ''
On_DHCP;
#
echo '';echo '';echo ''
On_Postfix;
#
echo '';echo '';echo ''
Disable_autofs;
#
echo '';echo '';echo ''
Disable_uncommon_filesystems;
#
echo '';echo '';echo ''
On_core_dumps;
#
echo '';echo '';echo ''
On_SELinux;
#
echo '';echo '';echo ''
Prevent_Log_Into_Accounts_With_Empty_Password;
#
echo '';echo '';echo ''
On_SSH;
#
echo '';echo '';echo ''
On_Update;
#
echo '';echo '';echo ''
Passwd_For_SingleUserMode;
#
echo '';echo '';echo ''
Install_Packages;


echo '-------------------------------------------'
echo ' '
echo '-------------------------------------------'
echo ''
echo ''
echo ''
echo 'Disable ping response'
echo '/etc/sysctl.conf	set net.ipv4.conf.icmp_echo_ignore_all = 1'
#gedit /etc/sysctl.conf



Code: Select all

# centos7_hardening1.sh
#

timestamp="`date +%Y-%m-%d_%H-%M-%S`"

# backup this script
cp -p /home/user0/Documents/centos7_hardening1.sh /run/media/user0/HDDREG/tools/centos7_hardening1.sh

gLogFilePath="./centos7_hardening1.log"
echo "Begin" > $gLogFilePath

backupFile()
{
	originalFilePath="$1";

	if [ -f "$originalFilePath" ]
	then
		dir=`dirname $originalFilePath`;
		base=`basename $originalFilePath`;
		# cp command can't copy the file to the source directory, 
		# so I copy the source file to /tmp and then move it back with timestamp in 
		# file name  to source directory.
		# copy the file to /tmp
		cp -p $originalFilePath /tmp;

		# move the /tmp/$file back to src dir
		mv -f "/tmp/$base" "$originalFilePath-$timestamp";	
	else
		echo "$originalFilePath not found."
	fi
}

Setup_accunts()
{
	echo "| Setup_accunts"
	#account setup
	passwd -l xfs
	passwd -l news
	passwd -l nscd
	passwd -l dbus
	passwd -l vcsa
	passwd -l games
	passwd -l nobody
	passwd -l avahi
	passwd -l haldaemon
	passwd -l gopher
	passwd -l ftp
	passwd -l mailnull
	passwd -l pcap
	passwd -l mail
	passwd -l shutdown
	passwd -l halt
	passwd -l uucp
	passwd -l operator
	passwd -l sync
	passwd -l adm
	passwd -l lp
}

Remove_App()
{
	echo "| Remove_App"
	/etc/rc.d/init.d/apmd stop
	/etc/rc.d/init.d/sendmail stop
	/etc/rc.d/init.d/kudzu stop

	rpm  -e  pump
	rpm  -e  apmd
	rpm  -e  lsapnptools
	rpm  -e  redhat-logos
	rpm  -e  mt-st
	rpm  -e  kernel-pcmcia-cs
	rpm  -e  setserial
	rpm  -e  redhat-relese
	rpm  -e  eject
	rpm  -e  linuxconf
	rpm  -e  kudzu
	rpm  -e  gd
	rpm  -e  bc
	rpm  -e  getty_ps
	rpm  -e  raidtools
	rpm  -e  pciutils
	rpm  -e  mailcap
	rpm  -e  setconsole
	rpm  -e  gnupg

	
	chkconfig postfix off # echo "close Mail   Server "
	chkconfig --level 35 apmd off
	chkconfig --level 35 netfs off
	chkconfig --level 35 yppasswdd off
	chkconfig --level 35 ypserv off
	chkconfig --level 35 dhcpd off?
	chkconfig --level 35 portmap off
	chkconfig --level 35 lpd off
	chkconfig --level 35 nfs off
	chkconfig --level 35 sendmail off
	chkconfig --level 35 snmpd off
	chkconfig --level 35 rstatd off
	chkconfig --level 35 atd off
}
Remove_User()
{
	echo "| Remove_User"

	userdel adm
	userdel lp
	userdel sync
	userdel shutdown
	userdel halt
	userdel news
	userdel uucp
	userdel operator
	userdel games
	userdel gopher
	userdel ftp

	groupdel adm
	groupdel lp
	groupdel news
	groupdel uucp
	groupdel games
	groupdel dip

	chmod 0755 /etc/passwd
	chmod 0755 /etc/shadow
	chmod 0755 /etc/group
	chmod 0755 /etc/gshadow
	chattr +i /etc/passwd
	chattr +i /etc/shadow
	chattr +i /etc/group
	chattr +i /etc/gshadow

	chmod 600  /etc/services
	chown root /etc/services
	chattr +i  /etc/services

	# /etc, /usr/etc, /bin, /usr/bin, /sbin, /usr/sbin, /tmp and/var/tmp的属主是root,并且设置粘滞
	chown root /etc
	chown root /usr/etc
	chown root /bin
	chown root /usr/bin
	chown root /sbin
	chown root /usr/sbin
	chown root /tmp and/var/tmp
	chmod +t /etc
	chmod +t /usr/etc
	chmod +t /bin
	chmod +t /usr/bin
	chmod +t /sbin
	chmod +t /usr/sbin
	chmod +t /tmp and/var/tmp



	# 只有根用户允许在该目录下使用 Read、Write,和 Execute 脚本文件
	chmod -R 700 /etc/rc.d/init.d/* 
	chmod -R 700 /etc/init.d/*

	# limit chmod important commands
	chmod 700 /bin/ping
	chmod 700 /usr/bin/finger
	chmod 700 /usr/bin/who
	chmod 700 /usr/bin/w
	chmod 700 /usr/bin/locate
	chmod 700 /usr/bin/whereis
	chmod 700 /sbin/ifconfig
	chmod 700 /usr/bin/pico
	chmod 700 /bin/vi
	chmod 700 /usr/bin/which
	#chmod 700 /usr/bin/gcc
	#chmod 700 /usr/bin/make
	chmod 700 /bin/rpm

	# Narrow Down Permissions
	chmod 700 /root
	chmod 700 /var/log/audit
	chmod 740 /etc/rc.d/init.d/iptables
	chmod 740 /sbin/iptables
	chmod -R 700 /etc/skel
	chmod 600 /etc/rsyslog.conf
	chmod 640 /etc/security/access.conf
	chmod 600 /etc/sysctl.conf


	# history security
	chattr +a /root/.bash_history
	chattr +i /root/.bash_history

	chmod 600 /etc/grub.conf
	chattr +i /etc/grub.conf
}

Disable_Ping_Response()
{
	echo "| Disable_Ping_Response"

	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
	
	#将上述命令加到/etc/rc.d/rc.local中去,每次重启动将自动执行
	filepath="/etc/rc.d/rc.local"
	if [ -f "$filepath" ]
	then
		echo "$filepath found."
	else
		echo "$filepath not found."
		touch $filepath
	fi
	echo "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all" >> $filepath
}

Disable_IP_Source_Routing()
{
	echo "| Disable_IP_Source_Routing"

	for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
	#echo $f
	#cat $f
	echo 0 > $f
	done

	#将上述命令加到/etc/rc.d/rc.local中去,每次重启动将自动执行
	filepath="/etc/rc.d/rc.local"
	if [ -f "$filepath" ]
	then
		echo "$filepath found."
	else
		echo "$filepath not found."
		touch $filepath
	fi
	echo "for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do" >> $filepath
	echo "echo 0 > $f" >> $filepath
	echo "done"        >> $filepath
}
Res_limits()
{
	echo "prevent Dos attack"
	# in On_core_dumps() in centos7_hardening2.sh
	# 禁止创建core文件
	#echo "* hard core 0"   >> /etc/security/limits.conf
	# 除root外,其他用户最多使用5M内存
	#echo "* hard rss 5000" >> /etc/security/limits.conf
	# 最多进程数限制为20
	#echo "* hard nproc 20" >> /etc/security/limits.conf

	echo "session required /lib/security/pam_limits.so" >> /etc/pam.d/login
}
File_Rights()
{

	echo "查找任何人可写的文件和目录" >> $gLogFilePath
	echo "find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;" >> $gLogFilePath
	      find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;  >> $gLogFilePath
	echo "find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \;">> $gLogFilePath
	      find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \; >> $gLogFilePath
	
	echo "查找异常文件, 如..文件,...文件等"            >> $gLogFilePath
	echo "find / -name ".." -print -xdev"          >> $gLogFilePath
	      find / -name ".." -print -xdev	       >> $gLogFilePath
	echo "find / -name ".*" -print -xdev | cat -v" >> $gLogFilePath
	      find / -name ".*" -print -xdev | cat -v  >> $gLogFilePath

	echo "检查没有属主的文件"            >> $gLogFilePath
	echo "find / -nouser -o -nogroup" >> $gLogFilePath
	      find / -nouser -o -nogroup  >> $gLogFilePath

	echo "检查在/dev目录以外还有没有特殊的块文件"                          >> $gLogFilePath
	echo "find / \( -type b -o -type c \) -print | grep -v '^/dev/'" >> $gLogFilePath
	      find / \( -type b -o -type c \) -print | grep -v '^/dev/'  >> $gLogFilePath



}

remove_logon_msg()
{
	echo "remove_logon_msg"
	rm -f /etc/issue
	rm -f /etc/issue.net
	touch /etc/issue
	touch /etc/issue.net
}

prevent_IP_cheat()
{
	echo "prevent_IP_cheat"

	backupFile /etc/host.conf

	echo "order bind,hosts"	>  /etc/host.conf
	echo "multi off" 		>> /etc/host.conf
	echo "nospoof on"		>> /etc/host.conf
}
##########################################################################
echo '';echo '';echo ''
echo '-------------------------------------------'
echo 'Security Harden CentOS 7    1'
echo '-------------------------------------------'

echo '';echo '';echo ''
Setup_accunts;
echo '';echo '';echo ''
Remove_App;
echo '';echo '';echo ''
Remove_User;
echo '';echo '';echo ''
Disable_Ping_Response;
echo '';echo '';echo ''
Disable_IP_Source_Routing;
echo '';echo '';echo ''
Res_limits;
echo '';echo '';echo ''
File_Rights;
echo '';echo '';echo ''
remove_logon_msg;
echo '';echo '';echo ''
prevent_IP_cheat;

I run the centos7_hardening2.sh first, and then centos7_hardening1.sh


#3
yum install lynis
lynis audit system




Now, could I ask you some questions?

Question 1:
What is the best time to do selinux relabel?
a) install centos then do selinux relabel
b) install centos, harden the centos system then do selinux relabel
c) something else


Question 2:
When should I run memtest+ ?
a) install centos then run memtest+
b) run memtest+ after the cdrom is ejected
c) something else

Any suggestion is appreciated.

Cheers
yao
Last edited by yaoyansi on 2016/01/07 14:52:20, edited 1 time in total.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Alerts in SELinux

Post by aks » 2016/01/04 16:58:44

What is the best time to do selinux relabel?
c) - You should not have to relabel. The way SELinux works (at least at this level) is to write some data ("fcontext") in the extended attributes of every file/directory. When a program runs in memory it kind of "inherits" the context it'll run in from that fcontext label. When that program wishes to access a file/directory the SELinux context it's running from also looks at the fcontext of file to determine if access is allowed or not. This is a very good thing - imagine you have something running as root in a (completely made up context) system_u:system_r:myprog_t that get's compromised by some bad people, those bad people want to retireve the password hashes for offline cracking by accessing /etc/shadow (system_u:object_r:shadow_t). Without SELinux this would be allowed, with SELinux is is not allowed (unless you explicitly allow it).
In your case, something happened to screw up the fcontexts on your system (i.e.: partial rpm installation or "hardening" scripts that are downloaded from the internet).
When should I run memtest+ ?
c) - Boot from CDROM and run memtest.

yaoyansi
Posts: 23
Joined: 2014/08/24 07:10:22

Re: Alerts in SELinux

Post by yaoyansi » 2016/01/07 12:50:32

Here is the file content of my /var/log/audit/audit.log
http://www.cnblogs.com/yaoyansi/p/5111097.html

And here is the message after I running command rpm -Va

Code: Select all

S.5....T.  c /etc/cups/cups-browsed.conf
.M.......    /usr/bin/vi
.M.......    /etc/rc.d/init.d/README
S.5....T.  c /etc/rc.d/rc.local
missing     /var/run/pluto
.M.......    /etc
.M.......    /usr/bin/make
.M.......    /var/lib/nfs/rpc_pipefs
.M.......    /usr/bin/ping
.....UG..    /var/lib/clamav-unofficial-sigs
.....UG..    /var/lib/clamav-unofficial-sigs/ham-test
.....UG..    /var/log/clamav-unofficial-sigs
.M.......    /usr/bin/w
S.5....T.  c /etc/ssh/sshd_config
.......T.    /lib/modules/3.10.0-123.el7.x86_64/modules.devname
.......T.    /lib/modules/3.10.0-123.el7.x86_64/modules.softdep
.M.......    /etc
.M.......    /root
.M.......    /usr/bin
.M.......    /usr/etc
.M.......    /usr/sbin
.M.....T.    /boot/efi/EFI/BOOT/BOOTX64.EFI
.M.....T.    /boot/efi/EFI/BOOT/fallback.efi
.M.....T.    /boot/efi/EFI/centos/BOOT.CSV
.M.....T.    /boot/efi/EFI/centos/MokManager.efi
.M.....T.    /boot/efi/EFI/centos/shim-centos.efi
.M.....T.    /boot/efi/EFI/centos/shim.efi
S.5....T.  c /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.91-2.6.2.3.el7.x86_64/jre/lib/security/US_export_policy.jar
S.5....T.  c /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.91-2.6.2.3.el7.x86_64/jre/lib/security/local_policy.jar
S.5....T.  c /etc/audisp/plugins.d/syslog.conf
.M.......    /sbin/ifconfig
.M.......    /etc
S.5....T.  c /etc/cgrules.conf
.....UG..  c /var/lib/clamav/daily.cvd
.....UG..  c /var/lib/clamav/main.cvd
....L....  c /etc/pam.d/fingerprint-auth
....L....  c /etc/pam.d/password-auth
....L....  c /etc/pam.d/postlogin
....L....  c /etc/pam.d/smartcard-auth
....L....  c /etc/pam.d/system-auth
S.5....T.  c /etc/security/limits.conf
..5....T.  c /etc/bashrc
..5....T.  c /etc/csh.cshrc
S.5....T.  c /etc/hosts.allow
S.5....T.  c /etc/hosts.deny
S.5....T.  c /etc/securetty
.M.......  c /etc/services
S.5......  c /etc/freshclam.conf
S.5....T.    /usr/lib64/vlc/plugins/plugins.dat
.M.......    /usr/bin/whereis
missing     /var/run/wpa_supplicant
.M....G..    /var/log/gdm
S.5....T.  c /etc/at.deny
.......T.  c /etc/hba.conf
.M.......    /bin/rpm
.M.......    /etc/rc.d/init.d/functions
.M.......    /etc/rc.d/init.d/netconsole
.M.......    /etc/rc.d/init.d/network
S.5....T.  c /etc/sysconfig/init
S.5....T.  c /etc/sysctl.conf
.M.......    /usr/bin/who
......G..    /etc/cups
......G..  c /etc/cups/classes.conf
......G..  c /etc/cups/client.conf
......G..  c /etc/cups/cups-files.conf
......G..  c /etc/cups/cupsd.conf
......G..    /etc/cups/cupsd.conf.default
......G..  c /etc/cups/lpoptions
......G..    /etc/cups/ppd
......G..  c /etc/cups/printers.conf
......G..  c /etc/cups/snmp.conf
......G..    /etc/cups/ssl
.M....G..  c /etc/cups/subscriptions.conf
.....U...    /var/log/cups
missing     /var/run/cups
missing     /var/run/cups/certs
......G..    /var/spool/cups
......G..    /var/spool/cups/tmp
S.5....T.  c /etc/sysconfig/authconfig
S.5....T.  c /etc/plymouth/plymouthd.conf
.....UG..    /var/lib/clamav
......G..    /etc/cups
.M.......    /usr/bin/which
.M.......    /boot/efi/EFI/centos
.M.......    /boot/efi/EFI/centos/fonts
.M.....T.    /boot/efi/EFI/centos/fonts/unicode.pf2
.M.....T.    /boot/efi/EFI/centos/gcdx64.efi
.M.....T.    /boot/efi/EFI/centos/grubx64.efi
---------------------------------------------------------------------------------------------------------------------------------------
And there are some messages when I run my hardening scripts with root account:
Each of the following command complains: Failed to execute operation: Access denied

Code: Select all

systemctl disable xinetd 
systemctl disable rexec  
systemctl disable rsh    
systemctl disable rlogin 
systemctl disable ypbind 
systemctl disable tftp   
systemctl disable cpuspeed 
systemctl disable portreserve 
systemctl disable qpidd 
systemctl disable quota_nld 
systemctl disable rhnsd 
systemctl disable rhsmcertd 
systemctl disable sysstat 
systemctl disable named 
systemctl disable httpd 
systemctl disable dovecot 
systemctl disable squid 
systemctl disable snmpd 
systemctl disable netfs 
systemctl disable xinetd 
And the following command complains: netconsole.service is not a native service, redirecting to /sbin/chkconfig.Executing /sbin/chkconfig netconsole off

Code: Select all

systemctl disable netconsole
My question is:
Do these messages have any security issue?



And SELinux has another alert when I run my hardening scripts:

Code: Select all

SELinux is preventing /usr/sbin/audispd from open access on the file /etc/audisp/plugins.d/syslog.conf-2016-01-07_21-32-18.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/etc/audisp/plugins.d/syslog.conf-2016-01-07_21-32-18 default label should be etc_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/audisp/plugins.d/syslog.conf-2016-01-07_21-32-18

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that audispd should be allowed open access on the syslog.conf-2016-01-07_21-32-18 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep audispd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:audisp_t:s0
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                /etc/audisp/plugins.d/syslog.conf-2016-01-07_21-32
                              -18 [ file ]
Source                        audispd
Source Path                   /usr/sbin/audispd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              3.10.0-327.3.1.el7.x86_64 #1 SMP Wed Dec 9
                              14:09:15 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2016-01-07 21:32:28 CST
Last Seen                     2016-01-07 21:32:28 CST
Local ID                      6ff3b991-6656-4aa4-a420-7548da6028ff

Raw Audit Messages
type=AVC msg=audit(1452173548.352:537): avc:  denied  { open } for  pid=16812 comm="audispd" path="/etc/audisp/plugins.d/syslog.conf-2016-01-07_21-32-18" dev="dm-1" ino=1663980 scontext=system_u:system_r:audisp_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file


type=SYSCALL msg=audit(1452173548.352:537): arch=x86_64 syscall=open success=no exit=EACCES a0=7ffc0920f4a0 a1=0 a2=7ffc0920f4d5 a3=1f items=0 ppid=16808 pid=16812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=audispd exe=/usr/sbin/audispd subj=system_u:system_r:audisp_t:s0 key=(null)

Hash: audispd,audisp_t,user_tmp_t,file,open
Any suggestion is appreciated.


Cheers
yao

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Alerts in SELinux

Post by aks » 2016/01/07 19:29:34

Here is the file content of my /var/log/audit/audit.log
I didn't look, it's just to much ....
And there are some messages when I run my hardening scripts with root account:
Each of the following command complains: Failed to execute operation: Access denied
Are they installed? For example qpidd was deprecated around Centos 6.3 time....
And the following command complains: netconsole.service is not a native service, redirecting to /sbin/chkconfig.Executing /sbin/chkconfig netconsole off
Is it installed?
Do these messages have any security issue?
Maybe, maybe not.
How would anyone know? Clearly you've downloaded something off the Internet (that you trust for some reason), I certainly don't. And even if you said "I got it from here" I still wouldn't trust it. Even if I knew the poster, how would I be 100% sure that nobody has altered this at rest (stored on their server) or in transit? Hey, I have an MD5|SHA1 has of this file, so it wasn't altered in transit .... well google MD5 hash collisions, all these things are prone to Moore's law (and derivitives).
I guess the point is that security is actually hard. You do need to understand what is going on! IMO it's better for somebody to say (something like) "hey that service has numerous vulnerabilities and nobody will fix them so you're best to switch it off" than "run this magic script that'll fix everything."
We don't live in a world of unicorns, Disney and magic fairy dust y'know....

I'm not having a go as it were (and if I've offended you in any way, I apologise). You're now posting questions that I can't answer, and if anybody did, I'd be suspect of them, given the lack of context and so on ....

Post Reply