基线安全设定

适用于一般Linux主机基线安全扫描设定

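#!/bin/bash
#date:2021-11-13
#writed by Xu
#
# Baseline hardening for a generic Linux host. Written against a RHEL/CentOS 7
# style system (yum, pam_tally2, /etc/pam.d/system-auth, tcp_wrappers).
#
# Usage (as root):
#   HDLH_PASSWORD='...' ./baseline.sh
#
# Required env:
#   HDLH_PASSWORD   initial password for the "hdlh" account. It is read from
#                   the environment rather than hard-coded in the script, and
#                   is piped to chpasswd so it never appears in argv / ps.
#
# Every config edit is idempotent (append_once / anchored sed), and each file
# is backed up with a timestamp before it is touched, so the script can be
# re-run without piling up duplicate directives.
#
# NOTE(review): pam_tally2 was replaced by pam_faillock and tcp_wrappers
# (hosts.allow/deny) was removed in RHEL 8+; re-check those sections before
# running on a newer release.

set -euo pipefail

STAMP=$(date +%F.%T)
readonly STAMP
readonly SSHD_CFG=/etc/ssh/sshd_config
readonly SUDO_DROP=/etc/sudoers.d/90-baseline
sudo_tmp=

die()  { printf 'error: %s\n' "$*" >&2; exit 1; }
warn() { printf 'warn: %s\n' "$*" >&2; }

#######################################
# Keep a timestamped copy of a file before editing it (no-op if absent).
# Arguments: $1 - path
#######################################
backup() {
  local f=$1
  if [[ -f "$f" ]]; then
    cp -p -- "$f" "${f}.${STAMP}.bak"
  fi
}

#######################################
# Append a line to a file unless that exact line is already present.
# Arguments: $1 - line, $2 - file
#######################################
append_once() {
  local line=$1 file=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

#######################################
# True when the named account exists.
# Arguments: $1 - user name
#######################################
user_exists() {
  id -u -- "$1" >/dev/null 2>&1
}

#######################################
# Set an sshd_config directive, replacing an existing (possibly commented
# default) line or appending when absent.
# Arguments: $1 - directive, $2 - value
#######################################
set_sshd() {
  local key=$1 val=$2
  if grep -Eq "^#?[[:space:]]*${key}[[:space:]]" "$SSHD_CFG"; then
    sed -i -E "s|^#?[[:space:]]*${key}[[:space:]].*|${key} ${val}|" "$SSHD_CFG"
  else
    printf '%s %s\n' "$key" "$val" >> "$SSHD_CFG"
  fi
}

#######################################
# 账号管理: create the maintenance account, grant sudo, disable shells for
# system accounts.
#######################################
setup_accounts() {
  local u
  : "${HDLH_PASSWORD:?set HDLH_PASSWORD in the environment before running}"
  user_exists hdlh || useradd hdlh
  # chpasswd reads user:password on stdin, keeping the secret out of argv.
  printf '%s:%s\n' hdlh "$HDLH_PASSWORD" | chpasswd

  # Grant sudo through a validated /etc/sudoers.d fragment instead of
  # appending raw lines to /etc/sudoers, where a typo locks everyone out.
  # Assumes /etc/sudoers carries "#includedir /etc/sudoers.d" (RHEL default).
  # NOPASSWD:ALL is kept from the original policy; it means a compromised
  # session of either account is root without a second factor.
  sudo_tmp=$(mktemp) || die "mktemp failed"
  trap 'rm -f -- "${sudo_tmp:-}"' EXIT
  for u in weihu hdlh; do
    if user_exists "$u"; then
      printf '%s\tALL=(ALL)\tNOPASSWD:ALL\n' "$u" >> "$sudo_tmp"
    else
      # "weihu" is never created by this script; it is assumed to pre-exist.
      warn "account $u does not exist; no sudo rule written for it"
    fi
  done
  if [[ -s "$sudo_tmp" ]]; then
    visudo -cf "$sudo_tmp" >/dev/null || die "generated sudoers fragment is invalid"
    install -m 0440 -o root -g root -- "$sudo_tmp" "$SUDO_DROP"
  fi

  # 禁止登陆: no interactive shell for service accounts.
  # (The original `null=>/dev/null 2>&1` stored nothing: a redirection cannot
  # be kept in a variable, so `${null}` expanded to an empty string.)
  for u in lp sync halt news uucp operator games gopher smmsp nfsnobody nobody; do
    if user_exists "$u"; then
      usermod -s /bin/false "$u" >/dev/null 2>&1 || warn "could not change shell for $u"
    fi
  done
}

#######################################
# 口令策略: lockout, aging, complexity, history.
#######################################
password_policy() {
  local tally kv
  # 口令锁定
  backup /etc/pam.d/system-auth
  tally='auth        required      pam_tally2.so deny=5 unlock_time=300 even_deny_root root_unlock_time=60 audit'
  if ! grep -q 'pam_tally2.so' /etc/pam.d/system-auth; then
    # Must sit before pam_unix in the auth stack: appended after the stock
    # "sufficient pam_unix / required pam_deny" lines (as the original did)
    # it is skipped on every successful login, so the failure counter is
    # never reset and users lock out after five failures ever.
    # sed -i also turns a symlinked system-auth into a regular file, which
    # keeps authconfig from rewriting the change.
    sed -i "0,/^auth[[:space:]].*pam_unix\.so/s|^\(auth[[:space:]].*pam_unix\.so.*\)|${tally}\n\1|" /etc/pam.d/system-auth
    grep -q 'pam_tally2.so' /etc/pam.d/system-auth || printf '%s\n' "$tally" >> /etc/pam.d/system-auth
  fi
  # pam_tally2 only enforces the lock when it is also in the account stack.
  append_once 'account     required      pam_tally2.so' /etc/pam.d/system-auth

  # 口令过期 — anchor on the directive so comment lines are left alone
  # (the original `s/0/10/g` rewrote every "0" on any line mentioning the key).
  backup /etc/login.defs
  sed -i 's/^PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS   90/' /etc/login.defs
  sed -i 's/^PASS_MIN_DAYS[[:space:]].*/PASS_MIN_DAYS   10/' /etc/login.defs
  grep -q '^PASS_MAX_DAYS' /etc/login.defs || printf 'PASS_MAX_DAYS   90\n' >> /etc/login.defs
  grep -q '^PASS_MIN_DAYS' /etc/login.defs || printf 'PASS_MIN_DAYS   10\n' >> /etc/login.defs

  # 口令复杂
  backup /etc/pam.d/passwd
  append_once "password    required     pam_pwquality.so retry=3" /etc/pam.d/passwd
  backup /etc/security/pwquality.conf
  for kv in minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1; do
    append_once "$kv" /etc/security/pwquality.conf
  done

  # 口令重复锁定: remember=5 goes on the pam_unix password line.
  if ! grep -q 'remember=' /etc/pam.d/system-auth; then
    sed -i '/^password.*use_authtok/ s/$/ remember=5/' /etc/pam.d/system-auth
  fi
}

#######################################
# 认证授权: restrict su to the wheel group.
#######################################
su_policy() {
  local u
  backup /etc/pam.d/su
  # RHEL ships the pam_wheel line commented out; uncommenting keeps it in its
  # intended position ahead of the system-auth substack.
  sed -i 's/^#[[:space:]]*\(auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid\)/\1/' /etc/pam.d/su
  grep -q '^auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so' /etc/pam.d/su \
    || printf 'auth            required        pam_wheel.so use_uid\n' >> /etc/pam.d/su
  append_once "SU_WHEEL_ONLY yes" /etc/login.defs
  for u in weihu hdlh; do
    if user_exists "$u"; then
      # -aG appends to the supplementary groups; the original plain -G
      # replaced them, dropping the user from every other group.
      usermod -aG wheel "$u"
    fi
  done
}

#######################################
# 系统服务: sshd root login and banners.
#######################################
ssh_policy() {
  backup "$SSHD_CFG"
  # 限制root远程登录 — the original sed matched only an uncommented
  # "PermitRootLogin yes"; the stock "#PermitRootLogin yes" default was left
  # as-is, so root login stayed enabled.
  set_sshd PermitRootLogin no
  # 修改ssh的banner信息
  printf '%s\n' " Authorized users only. All activity may be monitored and reported " > /etc/motd
  # 修改ssh的banner警告信息 — root-owned so only root can alter the notice.
  printf '%s\n' " Authorized only. All activity will be monitored and reported " > /etc/ssh_banner
  chown root:root /etc/ssh_banner
  chmod 644 /etc/ssh_banner
  # The Banner directive belongs in sshd_config; the original appended it to
  # the banner file itself, so sshd never displayed it.
  set_sshd Banner /etc/ssh_banner
  sshd -t || warn "sshd_config failed validation; fix before restarting sshd"
  #systemctl restart sshd
}

#######################################
# 文件权限: umask, sensitive file modes, ICMP redirects.
#######################################
file_perms() {
  # 文件与目录权限
  backup /etc/profile
  append_once "umask 027" /etc/profile
  # 配置用户最小授权
  chmod 644 /etc/passwd /etc/group /etc/services
  chmod 600 /etc/shadow
  if [[ -f /etc/xinetd.conf ]]; then
    chmod 600 /etc/xinetd.conf
  fi
  # /etc/security is a directory: the original "chmod 600 /etc/security"
  # removed its execute bit, so unprivileged PAM clients could no longer read
  # limits.conf / pwquality.conf. Keep the packaged directory mode.
  chmod 755 /etc/security
  # 禁止ICMP重定向
  backup /etc/sysctl.conf
  append_once "net.ipv4.conf.all.accept_redirects=0" /etc/sysctl.conf
  # Persist the source-route setting too; writing /proc alone (the original's
  # only mechanism, see network_policy) is lost on reboot.
  append_once "net.ipv4.conf.all.accept_source_route=0" /etc/sysctl.conf
  append_once "net.ipv4.conf.default.accept_source_route=0" /etc/sysctl.conf
  sysctl -p >/dev/null || warn "sysctl -p reported errors; check /etc/sysctl.conf"
}

#######################################
# 日志审计: log file modes, remote forwarding, security event log.
#######################################
logging_policy() {
  # 日志文件安全 — the original "chmod 640 filename" was a leftover
  # placeholder that referenced no real file.
  if [[ -f /var/log/messages ]]; then
    chmod 640 /var/log/messages
  fi
  # 远程日志 (UDP; "@@host" would be TCP) — collector address kept from the original.
  backup /etc/rsyslog.conf
  append_once $'*.*\t\t@10.142.254.176' /etc/rsyslog.conf
  # 安全事件日志 — the rule goes in rsyslog.conf and the target must be a
  # regular file. The original mkdir'ed /var/adm/messages as a directory,
  # echoed the rule into that directory, and chmod'ed a misspelled path.
  mkdir -p /var/adm
  touch /var/adm/messages
  chmod 640 /var/adm/messages
  append_once "*.err;kern.debug;daemon.notice /var/adm/messages" /etc/rsyslog.conf
  #systemctl restart rsyslog
}

#######################################
# 网络通信: tcp_wrappers allow list, source routing, resolver order.
#######################################
network_policy() {
  local f
  # 远程访问的 IP
  backup /etc/hosts.allow
  backup /etc/hosts.deny
  append_once "all:10.142.254.*:allow" /etc/hosts.allow
  append_once "all:10.142.133.*:allow" /etc/hosts.allow
  # NOTE(review): these allow rules restrict nothing unless /etc/hosts.deny
  # ends with a catch-all deny; the original never added one. Confirm the
  # intended policy (and the management networks) before adding it.
  # IP源路由 — immediate effect on current interfaces; persisted via sysctl.conf.
  for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    if [[ -e "$f" ]]; then
      printf '0\n' > "$f"
    fi
  done
  # 主机解析地址的顺序
  backup /etc/host.conf
  append_once "order hosts,bind" /etc/host.conf
  append_once "multi on" /etc/host.conf
  append_once "nospoof on" /etc/host.conf
}

#######################################
# 系统漏洞: disable core dumps.
#######################################
core_dump_policy() {
  backup /etc/security/limits.conf
  append_once "* soft core 0" /etc/security/limits.conf
  append_once "* hard core 0" /etc/security/limits.conf
  # The original appended this line commented out, so it had no effect.
  append_once "ulimit -S -c 0 > /dev/null 2>&1" /etc/profile
}

#######################################
# 其他配置: idle timeout, Ctrl-Alt-Del, screen lock, log attributes,
# shell history, root aliases.
#######################################
misc_policy() {
  local -a gconf
  # 登陆时间超时 — the original only echoed TMOUT=300 to the terminal; it has
  # to land in /etc/profile to time out idle shells. `source /etc/profile`
  # was dropped: it does nothing for existing sessions from a non-interactive script.
  append_once "TMOUT=300" /etc/profile
  append_once "export TMOUT" /etc/profile
  # 关机快捷键 — mask the unit instead of deleting the packaged file
  # (rpm -V flags the deletion and a systemd update silently restores it).
  systemctl mask ctrl-alt-del.target >/dev/null 2>&1 || warn "could not mask ctrl-alt-del.target"
  # 屏幕锁定
  if ! command -v gconftool-2 >/dev/null; then
    yum install -y GConf2 >/dev/null 2>&1 || warn "GConf2 install failed; skipping screen lock"
  fi
  if command -v gconftool-2 >/dev/null; then
    gconf=(gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory)
    #    2、启用空闲激活
    "${gconf[@]}" --type bool   --set /apps/gnome-screensaver/idle_activation_enabled true
    #    3、启用屏幕锁定
    "${gconf[@]}" --type bool   --set /apps/gnome-screensaver/lock_enabled true
    #    4、设置屏保模式
    "${gconf[@]}" --type string --set /apps/gnome-screensaver/mode blank-only
    #    5、设置空闲激活时间
    "${gconf[@]}" --type int    --set /apps/gnome-screensaver/idle_delay 15
  fi
  # 关键文件的属性
  # NOTE(review): logrotate cannot rename or truncate an append-only file, so
  # rotation of /var/log/messages will fail until the attribute is cleared
  # (e.g. in a prerotate hook); kept from the original policy.
  if [[ -f /var/log/messages ]]; then
    chattr +a /var/log/messages
  fi
  # 历史命令设置
  # NOTE(review): a 5-entry history leaves almost no trail for incident review;
  # kept from the original policy, but a larger value plus HISTTIMEFORMAT is
  # the more useful default.
  append_once "HISTFILESIZE=5" /etc/profile
  append_once "HISTSIZE=5" /etc/profile
  # 对 root 为ls、rm设置别名 — written to root's rc file explicitly
  # (~ would be whoever invoked the script).
  append_once "alias ls='ls -al'" /root/.bashrc
  append_once "alias rm='rm -i'" /root/.bashrc
}

main() {
  (( EUID == 0 )) || die "must run as root"
  setup_accounts
  password_policy
  su_policy
  ssh_policy
  file_perms
  logging_policy
  network_policy
  core_dump_policy
  misc_policy
}

main "$@"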