
Linux System Security Standards


First, make sure that all software on the Linux system in use has been updated to the latest version.

The vulnerabilities, or rather non-compliant settings, found on Linux fall roughly into the following categories:

user login, OpenSSL, CA certificates, GRUB password protection, SMB passwords that never expire, files with no owning user or group, files with 777 permissions, badly outdated software, TCP timestamps, database open access, ICMP redirection, IP forwarding, the default umask value, and disk partition weaknesses.

1. Root login at the terminal

Removing the tty and vc console entries from /etc/securetty stops root from logging in directly on those consoles:

sed -i '/^tty[0-9]$/d' /etc/securetty

sed -i '/^vc\/[0-9]$/d' /etc/securetty

2. Root login over SSH

sed -i 's/#PermitRootLogin\ yes/PermitRootLogin\ no/' /etc/ssh/sshd_config

sed -i 's/#PermitRootLogin\ without-password/PermitRootLogin\ no/' /etc/ssh/sshd_config
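The two sed commands above only rewrite a commented-out directive; a file that already carries an active `PermitRootLogin yes`, uses the newer `prohibit-password` value, or has no directive at all is left unchanged. The script below is an added example, not code from the original post: it rewrites the global section of a copy of sshd_config and reports the value sshd would actually use. The function names and the temporary-file demo are my own, and sshd keywords are compared case-insensitively as sshd does.

```sh
#!/bin/sh
# Added example (not part of the original post): set PermitRootLogin in a copy
# of sshd_config, handling active, commented-out and absent directives.

# set_permit_root_login FILE VALUE
# In the global section (before any "Match" block) every active or commented
# PermitRootLogin line is dropped and "PermitRootLogin VALUE" is written once,
# where the first of them stood. If the global section has none, the directive
# is inserted just before the first Match block, or appended to the file.
set_permit_root_login() {
    file=$1
    value=$2
    tmp="$file.tmp.$$"
    awk -v v="$value" '
        tolower($1) == "match" { in_match = 1 }
        !in_match && (tolower($1) ~ /^#?permitrootlogin$/ || ($1 == "#" && tolower($2) == "permitrootlogin")) {
            if (!done) { print "PermitRootLogin " v; done = 1 }
            next
        }
        in_match && !done { print "PermitRootLogin " v; done = 1 }
        { print }
        END { if (!done) print "PermitRootLogin " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# permit_root_login_value FILE
# Prints the value sshd applies globally: the first active PermitRootLogin
# line before any Match block, or "unset" when there is none (sshd then falls
# back to its compiled-in default).
permit_root_login_value() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Demo on a constructed sshd_config fragment in a temporary file.
demo_permit_root_login() {
    f=$(mktemp)
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' '#PermitRootLogin without-password' > "$f"
    echo "before: $(permit_root_login_value "$f")"
    set_permit_root_login "$f" no
    echo "after:  $(permit_root_login_value "$f")"
    rm -f "$f"
}
demo_permit_root_login
```

Run it against a copy first (`cp /etc/ssh/sshd_config /tmp/sshd_config.test`), check the result with `permit_root_login_value`, and only then apply it to the real file and reload sshd.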

3. ICMP redirection

Set the following sysctl values:

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.all.secure_redirects = 0

net.ipv4.conf.default.secure_redirects = 0

4. Database open access

Use iptables to tighten access to the database so that only trusted hosts can reach it, and do not use % (match any host) in the host part of database user accounts.

5. SSL certificates and protocols

Do not use wildcard certificates; use certificates with keys of at least 2048 bits.

The subject's common name (CN) field in the X.509 certificate should be fixed to reflect the name of the entity presenting the certificate (e.g., the hostname). This is done by generating a new certificate usually signed by a Certification Authority (CA) trusted by both the client and server.

Configure the server to require clients to use TLS version 1.2 using Authenticated Encryption with Associated Data (AEAD) capable ciphers.

There is no server-side mitigation available against the BEAST attack. The only option is to disable the affected protocols (SSLv3 and TLS 1.0). The only fully safe configuration is to use Authenticated Encryption with Associated Data (AEAD), e.g. AES-GCM, AES-CCM in TLS 1.2.

Send the HTTP response headers with X-Frame-Options that instruct the browser to restrict framing where it is not allowed.

Configure the server to disable support for 3DES suite.

6. TCP timestamp responses

net.ipv4.tcp_timestamps=0

7. IP Source Routing

The host is configured to honor IP source routing options. Source routing is a feature of the IP protocol which allows the sender of a packet to specify which route the packet should take on the way to its destination (and on the way back). Source routing was originally designed to be used when a host did not have proper default routes in its routing table. However, source routing is rarely used for legitimate purposes nowadays. Attackers can abuse source routing to bypass firewalls or to map your network.

Disable IP source routing

For Linux systems ensure the following sysctl value is set:

net.ipv4.conf.all.accept_source_route=0

It is also advised that packet forwarding be disabled, unless there is a legitimate reason not to, by setting the following sysctl values:

net.ipv4.conf.all.forwarding=0

net.ipv6.conf.all.forwarding=0

net.ipv4.conf.all.mc_forwarding=0

net.ipv6.conf.all.mc_forwarding=0

More Linux information can be found at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Server_Security-Disable-Source-Routing.html

8. Set a GRUB password

Enable GRUB password

Configuration remediation steps

Set a password in the GRUB configuration file. This is often located in one of several locations, but can really be anywhere:

/etc/grub.conf
/boot/grub/grub.conf
/boot/grub/grub.cfg
/boot/grub/menu.lst

For all files mentioned above ensure that a password is set or that the files do not exist.

To set a plain-text password, edit your GRUB configuration file and add the following line before the first uncommented line:

password <password>

To set an encrypted password, run grub-md5-crypt and use its output when adding the following line before the first uncommented line:

password --md5 <encryptedpassword>

For either approach, choose an appropriately strong password.
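An added example, not code from the original post, for checking the files listed above rather than editing them by hand. Legacy GRUB honours a `password` line anywhere in the global section of the menu file, that is, before the first `title` entry, and that is what the check enforces; GRUB 2 does not use that syntax and instead protects the menu with `set superusers=` together with `password_pbkdf2`, which the check also recognises. The function names, the status strings and the constructed sample files are my own.

```sh
#!/bin/sh
# Added example (not part of the original post): report whether GRUB config
# files carry a password. Paths are parameters so copies can be checked.

# grub_password_status FILE
# Prints one of: absent (file does not exist, acceptable per the post),
# ok-pbkdf2 (GRUB 2), ok-md5, ok-plaintext (legacy GRUB), or missing.
grub_password_status() {
    file=$1
    [ -e "$file" ] || { echo absent; return 0; }
    if grep -q -E '^[[:space:]]*password_pbkdf2[[:space:]]' "$file"; then
        echo ok-pbkdf2
        return 0
    fi
    awk '
        /^[[:space:]]*#/ { next }                      # comment line
        $1 == "title" { exit }                         # global section ends here
        $1 == "password" {
            s = ($2 == "--md5") ? "ok-md5" : "ok-plaintext"
            print s; seen = 1; exit
        }
        END { if (!seen) print "missing" }
    ' "$file"
}

# check_grub_files [FILE...]
# Prints the status of each candidate file (default: the four locations named
# in the post) and returns the number of files that lack a password.
check_grub_files() {
    [ $# -gt 0 ] || set -- /etc/grub.conf /boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst
    bad=0
    for f in "$@"; do
        s=$(grub_password_status "$f")
        echo "$f: $s"
        [ "$s" != missing ] || bad=$((bad + 1))
    done
    return "$bad"
}

# Demo on constructed files in a temporary directory (no real boot config).
demo_grub() {
    d=$(mktemp -d)
    printf '# protected legacy menu\ntimeout 5\npassword --md5 $1$constructedhash\ntitle Linux\n' > "$d/protected.conf"
    printf 'timeout 5\ntitle Linux\npassword ExamplePass\n' > "$d/open.conf"
    printf 'set superusers="root"\npassword_pbkdf2 root grub.pbkdf2.sha512.CONSTRUCTED\n' > "$d/grub2.cfg"
    check_grub_files "$d/protected.conf" "$d/open.conf" "$d/grub2.cfg" "$d/none.lst"
    echo "files without a password: $?"
    rm -rf "$d"
}
demo_grub
```

Note that open.conf is reported as missing even though it contains a password line: the line sits after the first `title`, so legacy GRUB treats it as part of that entry rather than as the global menu password.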

9. Add the nodev option to disk partition mounts

Partition Mounting Weakness

Configuration remediation steps

The specific way to modify the partition mount options varies from system to system. Consult your operating system's manual or mount man page.

The following issues were discovered:
/boot partition does not have 'nodev' option set.
/data partition does not have 'nodev' option set.
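An added example, not from the original post, that produces the same kind of finding from a mount table. The input has the layout of /proc/mounts or /etc/fstab (device, mount point, filesystem type, options); pass /proc/mounts for a live host or a saved copy for offline review. The root filesystem is skipped because it cannot be mounted nodev, and devtmpfs/devpts are skipped because they must carry device nodes. The function name and the sample mount table are constructed for this example.

```sh
#!/bin/sh
# Added example (not part of the original post): list mounts that lack a
# given option, in the wording the scanner used in the post.

# mounts_missing_option MOUNTS_FILE OPTION
# Prints "<mountpoint> partition does not have '<option>' option set." for
# every hit and returns the number of hits (0 = all relevant mounts comply).
mounts_missing_option() {
    file=$1
    opt=$2
    tmp=$(mktemp)
    awk -v opt="$opt" '
        /^[[:space:]]*#/ || NF < 4 { next }                    # comments, blank lines
        $2 == "/" || $3 == "devtmpfs" || $3 == "devpts" { next } # cannot be nodev
        {
            n = split($4, o, ",")
            has = 0
            for (i = 1; i <= n; i++) if (o[i] == opt) has = 1
            if (!has) printf "%s partition does not have \047%s\047 option set.\n", $2, opt
        }' "$file" > "$tmp"
    cat "$tmp"
    n=$(awk 'END { print NR }' "$tmp")
    rm -f "$tmp"
    return "$n"
}

# Demo on a constructed mount table (not a real host's /proc/mounts).
demo_mounts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /data xfs rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
devtmpfs /dev devtmpfs rw,nosuid 0 0
EOF
    mounts_missing_option "$f" nodev
    echo "mounts missing nodev: $?"
    rm -f "$f"
}
demo_mounts
```

On the sample table only /boot is reported. The fix on a real host is to add nodev to that entry's options in /etc/fstab (for example `defaults,nodev`) and apply it without a reboot with `mount -o remount,nodev /boot`, then re-run the check against /proc/mounts.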


10. General kernel parameter tuning

net.core.rmem_default = 2569600

net.core.rmem_max = 2569600

net.core.wmem_default = 2569600

net.core.wmem_max = 2569600

net.ipv4.tcp_timestamps = 0

net.ipv4.tcp_sack = 1

net.ipv4.tcp_window_scaling = 1

net.ipv4.tcp_keepalive_time = 600

kernel.sem = 500 64000 200 256

fs.file-max = 65536

net.ipv4.ip_local_port_range = 1024 65000

net.ipv4.ip_forward = 0

net.ipv4.conf.default.rp_filter = 1

kernel.sysrq = 0

kernel.core_uses_pid = 1

net.ipv4.tcp_syncookies = 1

net.ipv4.tcp_max_syn_backlog = 2048

net.ipv4.tcp_synack_retries = 2

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.lo.accept_source_route = 0

net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.lo.rp_filter = 1

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.lo.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.all.secure_redirects=0

net.ipv4.conf.default.secure_redirects=0

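Applying the values in sections 3, 6, 7 and 10 is only half of the job; a host also has to be checked against the baseline afterwards, since a reboot, a package post-install script or a later sysctl.conf edit can silently revert a setting. The audit script below is an added example, not from the original post. It reads a sysctl.conf-style baseline, fetches each live value, and reports differences; the `SYSCTL_READ` variable, the function names and the constructed baseline are my own (by default the live value comes from `sysctl -n`, and the variable exists only so the check can be exercised against recorded values).

```sh
#!/bin/sh
# Added example (not part of the original post): compare live sysctl values
# with a baseline file. SYSCTL_READ names the command used to read a key
# (default "sysctl -n"); a function name works as well.

# normalize_ws STRING: collapse runs of whitespace and trim the ends, because
# sysctl prints multi-value keys such as kernel.sem tab-separated.
normalize_ws() {
    printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# audit_sysctl EXPECTED_FILE
# EXPECTED_FILE uses sysctl.conf syntax ("key = value", "#" comments).
# Prints one line per key whose live value differs or cannot be read and
# returns the number of such keys (0 means the host matches the baseline).
audit_sysctl() {
    expected=$1
    reader=${SYSCTL_READ:-sysctl -n}
    norm=$(mktemp)
    # strip comments and blank lines, normalise "key = value" to "key=value"
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' -e 's/[[:space:]]*=[[:space:]]*/=/' "$expected" > "$norm"
    mismatches=0
    while IFS='=' read -r key want; do
        have=$($reader "$key" 2>/dev/null) || have='<unreadable>'
        if [ "$(normalize_ws "$want")" != "$(normalize_ws "$have")" ]; then
            printf '%s: want "%s", have "%s"\n' "$key" "$want" "$have"
            mismatches=$((mismatches + 1))
        fi
    done < "$norm"
    rm -f "$norm"
    return "$mismatches"
}

# Demo: a constructed baseline built from the post's hardening values,
# checked against the running kernel when sysctl is available.
demo_audit_sysctl() {
    baseline=$(mktemp)
    cat > "$baseline" <<'EOF'
# constructed baseline, values taken from the post
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 0
EOF
    if command -v sysctl >/dev/null 2>&1; then
        audit_sysctl "$baseline" && echo "host matches baseline"
    else
        echo "sysctl not available; skipping live audit"
    fi
    rm -f "$baseline"
}
demo_audit_sysctl
```

Because the return value is the mismatch count, the script can be dropped into a cron job or a configuration-management check and fail loudly whenever a value has drifted from the standard.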

11. iptables anti-attack rules

-A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT        limit new connections to 5 per second

-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT    counter port scanning

-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT    counter flood attacks

These rules accept only the traffic that stays within the rate limit; they have an effect only if a later rule, or the chain's default policy, drops what exceeds it.

